package de.rub.nds.tlsscanner.serverscanner.probe.certificate;

import de.rub.nds.tlsattacker.core.constants.HashAlgorithm;
import de.rub.nds.tlsscanner.serverscanner.trust.TrustAnchorManager;
import de.rub.nds.tlsscanner.serverscanner.trust.TrustPlatform;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ContentVerifierProviderBuilder;
import org.bouncycastle.cert.path.CertPath;
import org.bouncycastle.cert.path.CertPathValidation;
import org.bouncycastle.cert.path.CertPathValidationException;
import org.bouncycastle.cert.path.CertPathValidationResult;
import org.bouncycastle.cert.path.validations.BasicConstraintsValidation;
import org.bouncycastle.cert.path.validations.KeyUsageValidation;
import org.bouncycastle.cert.path.validations.ParentCertIssuedValidation;
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.est.jcajce.JsseDefaultHostnameAuthorizer;

/* loaded from: input_file:de/rub/nds/tlsscanner/serverscanner/probe/certificate/CertificateChain.class */
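/**
 * Evaluates the certificate chain presented by a TLS server: generates a {@link CertificateReport}
 * per certificate, determines the leaf for the scanned hostname, walks issuer links up to a trust
 * anchor, checks validity periods and signature hash strength, collects {@link CertificateIssue}s
 * and finally runs a BouncyCastle path validation to decide whether the chain is generally trusted.
 *
 * <p>Trust fields are {@link Boolean} rather than {@code boolean} so that "not determined" can be
 * represented as {@code null}; getters therefore return {@code null} in that state.</p>
 */
public class CertificateChain {
    private static final Logger LOGGER = LogManager.getLogger();

    // The raw certificate message the chain was built from.
    private final Certificate certificate;
    // Result of the BouncyCastle path validation, null until evaluated.
    private Boolean generallyTrusted;
    private Boolean containsCustomTrustAnchor;
    private Boolean containsTrustAnchor;
    // True when the issuer of the last presented certificate is a known trust anchor,
    // false when it is unknown, null when the trust manager was not initialized.
    private Boolean chainIsComplete;
    private Boolean chainIsOrdered;
    private Boolean containsMultipleLeaves;
    private Boolean containsValidLeaf;
    private Boolean containsNotYetValid;
    private Boolean containsExpired;
    private Boolean containsWeakSignedNonTrustStoresCertificates;
    private List<TrustPlatform> platformsTrustingCertificate;
    private List<TrustPlatform> platformsNotTrustingCertificate;
    private List<TrustPlatform> platformsBlacklistingCertificate;
    private List<CertificateReport> certificateReportList;
    // Report of the trust anchor fetched from the trust store, null if none was resolved.
    private CertificateReport trustAnchor;
    private List<CertificateIssue> certificateIssues;

    /**
     * No-argument constructor; kept private for frameworks that instantiate this class reflectively.
     * Leaves every evaluation result undetermined ({@code null}).
     */
    private CertificateChain() {
        this.generallyTrusted = null;
        this.containsCustomTrustAnchor = null;
        this.containsTrustAnchor = null;
        this.chainIsComplete = null;
        this.chainIsOrdered = null;
        this.containsMultipleLeaves = null;
        this.containsValidLeaf = null;
        this.certificate = null;
    }

    /**
     * Builds and fully evaluates the chain.
     *
     * @param certificate the certificate message received from the server
     * @param str the hostname the leaf certificate has to be valid for
     */
    public CertificateChain(Certificate certificate, String str) {
        this.certificate = certificate;
        this.certificateIssues = new LinkedList<>();
        this.certificateReportList = generateReports(certificate);
        LOGGER.debug("Certificate Reports:" + this.certificateReportList.size());
        detectTrustAnchors();

        CertificateReport leaf = findLeaf(str);
        this.containsValidLeaf = leaf != null;
        List<CertificateReport> orderedChain = new LinkedList<>();
        if (leaf != null) {
            // The presented chain is ordered only if it starts with the leaf and every
            // following certificate is the issuer of its predecessor.
            CertificateReport first = this.certificateReportList.get(0);
            if (first.getSHA256Fingerprint().equals(leaf.getSHA256Fingerprint())) {
                this.chainIsOrdered = checkCertificateChainIsOrdered(this.certificateReportList);
            } else {
                this.chainIsOrdered = false;
            }
            orderedChain = buildOrderedChain(leaf);
        } else {
            this.chainIsOrdered = true;
            this.containsValidLeaf = false;
        }

        checkValidityAndSignatureStrength();
        collectIssues();
        evaluateTrust(orderedChain);
    }

    /** Creates one {@link CertificateReport} per certificate in the message, in presented order. */
    private static List<CertificateReport> generateReports(Certificate certificate) {
        List<CertificateReport> reports = new LinkedList<>();
        for (org.bouncycastle.asn1.x509.Certificate entry : certificate.getCertificateList()) {
            reports.add(CertificateReportGenerator.generateReport(entry));
        }
        return reports;
    }

    /** Sets {@code containsTrustAnchor} / {@code containsCustomTrustAnchor} from the reports. */
    private void detectTrustAnchors() {
        this.containsTrustAnchor = false;
        this.containsCustomTrustAnchor = false;
        for (CertificateReport report : this.certificateReportList) {
            if (Objects.equals(report.isTrustAnchor(), Boolean.TRUE)) {
                this.containsTrustAnchor = true;
            }
            if (Objects.equals(report.isCustomTrustAnchor(), Boolean.TRUE)) {
                this.containsCustomTrustAnchor = true;
            }
        }
    }

    /**
     * Marks every certificate valid for the hostname as a leaf and returns the first of them.
     * Also sets {@code containsMultipleLeaves}.
     *
     * @return the first host-matching report, or {@code null} if none matches
     */
    private CertificateReport findLeaf(String hostname) {
        CertificateReport leaf = null;
        this.containsMultipleLeaves = false;
        for (CertificateReport report : this.certificateReportList) {
            if (!isCertificateSuitableForHost(report.convertToX509Certificate(), hostname)) {
                continue;
            }
            report.setLeafCertificate(true);
            if (leaf == null) {
                leaf = report;
            } else {
                this.containsMultipleLeaves = true;
            }
        }
        return leaf;
    }

    /**
     * Follows issuer links from the leaf through the presented certificates and, when the
     * presented chain ends, tries to append the issuer from the trust store. Sets
     * {@code chainIsComplete} and {@code trustAnchor} as a side effect.
     *
     * @return the path from the leaf upwards, used for path validation
     */
    private List<CertificateReport> buildOrderedChain(CertificateReport leaf) {
        List<CertificateReport> chain = new LinkedList<>();
        chain.add(leaf);
        CertificateReport current = leaf;
        // A self-signed certificate (issuer == subject) terminates the walk.
        while (!current.getIssuer().equals(current.getSubject())) {
            CertificateReport next = findIssuerReport(current);
            if (next == null) {
                LOGGER.debug("Could not find next certificate");
                resolveIssuerFromTrustStore(current, chain);
                // Nothing further to follow in the presented chain; without this break the
                // loop would spin forever on the same certificate.
                break;
            }
            if (chain.contains(next)) {
                // Issuer/subject names form a cycle; stop instead of looping indefinitely.
                LOGGER.warn("Issuer/subject cycle in certificate chain at {}", current.getSubject());
                this.chainIsComplete = false;
                break;
            }
            LOGGER.debug("Found next certificate");
            chain.add(next);
            current = next;
        }
        return chain;
    }

    /** Returns the last presented certificate whose subject equals {@code current}'s issuer, or null. */
    private CertificateReport findIssuerReport(CertificateReport current) {
        CertificateReport found = null;
        for (CertificateReport candidate : this.certificateReportList) {
            if (candidate.getSubject().equals(current.getIssuer())) {
                found = candidate;
            }
        }
        return found;
    }

    /**
     * Looks up the issuer of {@code current} in the trust store. Sets {@code chainIsComplete}
     * (left {@code null} when the trust manager is not initialized) and appends the trust
     * anchor's report to {@code chain} when its certificate is available.
     */
    private void resolveIssuerFromTrustStore(CertificateReport current, List<CertificateReport> chain) {
        TrustAnchorManager manager = TrustAnchorManager.getInstance();
        if (!manager.isInitialized()) {
            LOGGER.error("Cannot check if the chain is complete since the trust manager is not initialized");
            return;
        }
        X509Certificate x509 = current.convertToX509Certificate();
        if (!manager.isTrustAnchor(x509.getIssuerX500Principal())) {
            LOGGER.debug("Could not find issuer");
            this.chainIsComplete = false;
            return;
        }
        LOGGER.debug("Could find issuer");
        this.chainIsComplete = true;
        org.bouncycastle.asn1.x509.Certificate anchorCertificate =
            manager.getTrustAnchorCertificate(x509.getIssuerX500Principal());
        if (anchorCertificate != null) {
            CertificateReport anchorReport = CertificateReportGenerator.generateReport(anchorCertificate);
            anchorReport.setTrustAnchor(true);
            chain.add(anchorReport);
            this.trustAnchor = anchorReport;
        }
    }

    /** Sets the expired / not-yet-valid / weak-signature flags over all presented certificates. */
    private void checkValidityAndSignatureStrength() {
        // One reference instant so every certificate is judged against the same time.
        Date now = new Date();
        this.containsNotYetValid = false;
        this.containsExpired = false;
        this.containsWeakSignedNonTrustStoresCertificates = false;
        for (CertificateReport report : this.certificateReportList) {
            if (report.getValidFrom().after(now)) {
                this.containsNotYetValid = true;
            }
            if (report.getValidTo().before(now)) {
                this.containsExpired = true;
            }
            if (isWeaklySignedNonTrustStoreCertificate(report)) {
                this.containsWeakSignedNonTrustStoresCertificates = true;
            }
        }
    }

    /**
     * True when a certificate that is neither a trust anchor nor self-signed is signed with MD5
     * or SHA-1. Trust anchors and self-signed certificates are excluded for both hashes: a root's
     * self-signature is never verified during path validation, so its hash does not weaken the chain.
     */
    private static boolean isWeaklySignedNonTrustStoreCertificate(CertificateReport report) {
        if (report.getSignatureAndHashAlgorithm() == null) {
            return false;
        }
        if (!Objects.equals(report.isTrustAnchor(), Boolean.FALSE)
            || !Objects.equals(report.getSelfSigned(), Boolean.FALSE)) {
            return false;
        }
        HashAlgorithm hash = report.getSignatureAndHashAlgorithm().getHashAlgorithm();
        return hash == HashAlgorithm.MD5 || hash == HashAlgorithm.SHA1;
    }

    /** True if some presented certificate is a self-signed leaf that is not a trust anchor. */
    private boolean hasSelfSignedLeaf() {
        for (CertificateReport report : this.certificateReportList) {
            if (Objects.equals(report.isTrustAnchor(), Boolean.FALSE)
                && Objects.equals(report.getSelfSigned(), Boolean.TRUE)
                && Objects.equals(report.getLeafCertificate(), Boolean.TRUE)) {
                return true;
            }
        }
        return false;
    }

    /** Translates the evaluated flags into {@link CertificateIssue}s, in a fixed order. */
    private void collectIssues() {
        if (hasSelfSignedLeaf()) {
            this.certificateIssues.add(CertificateIssue.SELF_SIGNED);
        }
        if (Objects.equals(this.chainIsComplete, Boolean.FALSE)) {
            this.certificateIssues.add(CertificateIssue.CHAIN_NOT_COMPLETE);
        }
        if (Objects.equals(this.containsValidLeaf, Boolean.FALSE)) {
            this.certificateIssues.add(CertificateIssue.COMMON_NAME_MISMATCH);
        }
        if (Objects.equals(this.containsExpired, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.CHAIN_CONTAINS_EXPIRED);
        }
        if (Objects.equals(this.containsNotYetValid, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.CHAIN_CONTAINS_NOT_YET_VALID);
        }
        if (Objects.equals(this.containsMultipleLeaves, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.MULTIPLE_LEAVES);
        }
        if (Objects.equals(this.containsWeakSignedNonTrustStoresCertificates, Boolean.TRUE)) {
            this.certificateIssues.add(CertificateIssue.WEAK_SIGNATURE_OR_HASH_ALGORITHM);
        }
    }

    /**
     * Decides {@code generallyTrusted}. Path validation only runs when the chain is complete,
     * has a valid leaf, has no expired or not-yet-valid certificate and no custom trust anchor;
     * otherwise, or when validation cannot run, the chain is treated as not trusted.
     */
    private void evaluateTrust(List<CertificateReport> orderedChain) {
        boolean prerequisitesMet = Objects.equals(this.chainIsComplete, Boolean.TRUE)
            && Objects.equals(this.containsValidLeaf, Boolean.TRUE)
            && Objects.equals(this.containsExpired, Boolean.FALSE)
            && Objects.equals(this.containsNotYetValid, Boolean.FALSE)
            && Objects.equals(this.containsCustomTrustAnchor, Boolean.FALSE);
        if (!prerequisitesMet) {
            this.generallyTrusted = false;
            return;
        }
        CertPathValidationResult result = evaluateGeneralTrust(orderedChain);
        if (result == null) {
            // Fewer than two certificates in the path (e.g. the trust store knew the issuer but
            // had no certificate for it): validation cannot run, so fail closed.
            LOGGER.warn("Cannot validate a certificate path with {} certificate(s)", orderedChain.size());
            this.generallyTrusted = false;
            return;
        }
        this.generallyTrusted = result.isValid();
        if (this.generallyTrusted) {
            return;
        }
        CertPathValidationException[] causes = result.getCauses();
        if (causes == null) {
            return;
        }
        for (CertPathValidationException cause : causes) {
            if (mentionsUnhandledCriticalExtensions(cause)) {
                this.certificateIssues.add(CertificateIssue.UNHANDLED_CRITICAL_EXTENSIONS);
            } else {
                LOGGER.error("Unknown path validation issue", cause);
            }
        }
    }

    /** True if the exception or its direct cause reports "Unhandled Critical Extensions"; null-safe on messages. */
    private static boolean mentionsUnhandledCriticalExtensions(CertPathValidationException exception) {
        String message = exception.getMessage();
        if (message != null && message.contains("Unhandled Critical Extensions")) {
            return true;
        }
        Throwable cause = exception.getCause();
        return cause != null && cause.getMessage() != null
            && cause.getMessage().contains("Unhandled Critical Extensions");
    }

    public List<CertificateIssue> getCertificateIssues() {
        return this.certificateIssues;
    }

    public void setCertificateIssues(List<CertificateIssue> list) {
        this.certificateIssues = list;
    }

    public Boolean getContainsNotYetValid() {
        return this.containsNotYetValid;
    }

    public void setContainsNotYetValid(Boolean bool) {
        this.containsNotYetValid = bool;
    }

    public Boolean getContainsExpired() {
        return this.containsExpired;
    }

    public void setContainsExpired(Boolean bool) {
        this.containsExpired = bool;
    }

    public Boolean getContainsWeakSignedNonTrustStoresCertificates() {
        return this.containsWeakSignedNonTrustStoresCertificates;
    }

    public void setContainsWeakSignedNonTrustStoresCertificates(Boolean bool) {
        this.containsWeakSignedNonTrustStoresCertificates = bool;
    }

    public CertificateReport getTrustAnchor() {
        return this.trustAnchor;
    }

    public void setTrustAnchor(CertificateReport certificateReport) {
        this.trustAnchor = certificateReport;
    }

    public Certificate getCertificate() {
        return this.certificate;
    }

    public Boolean getGenerallyTrusted() {
        return this.generallyTrusted;
    }

    public Boolean getContainsTrustAnchor() {
        return this.containsTrustAnchor;
    }

    public Boolean getChainIsComplete() {
        return this.chainIsComplete;
    }

    public Boolean getChainIsOrdered() {
        return this.chainIsOrdered;
    }

    public Boolean getContainsMultipleLeaves() {
        return this.containsMultipleLeaves;
    }

    public Boolean getContainsValidLeaf() {
        return this.containsValidLeaf;
    }

    // The three platform lists are never populated by this class; they stay null unless set elsewhere.
    public List<TrustPlatform> getPlatformsTrustingCertificate() {
        return this.platformsTrustingCertificate;
    }

    public List<TrustPlatform> getPlatformsNotTrustingCertificate() {
        return this.platformsNotTrustingCertificate;
    }

    public List<TrustPlatform> getPlatformsBlacklistingCertificate() {
        return this.platformsBlacklistingCertificate;
    }

    public List<CertificateReport> getCertificateReportList() {
        return this.certificateReportList;
    }

    public Boolean getContainsCustomTrustAnchor() {
        return this.containsCustomTrustAnchor;
    }

    /**
     * Checks that each certificate in {@code list} is directly issued by the one that follows it.
     *
     * @param list reports in presented order
     * @return {@code true} for an empty or properly ordered list
     */
    public final boolean checkCertificateChainIsOrdered(List<CertificateReport> list) {
        if (list.isEmpty()) {
            return true;
        }
        CertificateReport previous = list.get(0);
        for (int i = 1; i < list.size(); i++) {
            CertificateReport current = list.get(i);
            if (!current.getSubject().equals(previous.getIssuer())) {
                return false;
            }
            previous = current;
        }
        return true;
    }

    /**
     * Performs hostname verification of {@code x509Certificate} against {@code str} using
     * BouncyCastle's JSSE-style authorizer (no known public-suffix set).
     *
     * @return {@code true} if the certificate is valid for the host; {@code false} on a mismatch
     *         or when the verifier raises an {@link IOException}
     */
    public final boolean isCertificateSuitableForHost(X509Certificate x509Certificate, String str) {
        try {
            boolean verified = new JsseDefaultHostnameAuthorizer((Set<String>) null).verify(str, x509Certificate);
            if (!verified) {
                LOGGER.debug("Hostname of Certificate is not valid for {}", str);
            }
            return verified;
        } catch (IOException e) {
            // Keep the exception in the log so the cause of the failed verification is visible.
            LOGGER.warn("Cert for {} caused IO Exception", str, e);
            return false;
        }
    }

    /**
     * Runs BouncyCastle path validation (issuer signature, basic constraints, key usage) over the
     * ordered path.
     *
     * @param list path from the leaf to the trust anchor
     * @return the validation result, or {@code null} when the path has fewer than two certificates
     */
    private CertPathValidationResult evaluateGeneralTrust(List<CertificateReport> list) {
        if (list.size() < 2) {
            return null;
        }
        X509CertificateHolder[] holders = new X509CertificateHolder[list.size()];
        for (int i = 0; i < list.size(); i++) {
            holders[i] = new X509CertificateHolder(list.get(i).getCertificate());
        }
        CertPathValidation[] validations = new CertPathValidation[] {
            new ParentCertIssuedValidation(new JcaX509ContentVerifierProviderBuilder().setProvider("BC")),
            new BasicConstraintsValidation(),
            new KeyUsageValidation()
        };
        return new CertPath(holders).validate(validations);
    }

    /**
     * Two chains are equal when their evaluation flags and their report lists (element-wise)
     * are equal. {@code trustAnchor} and {@code certificateIssues} are intentionally not compared.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        CertificateChain other = (CertificateChain) obj;
        // List.equals compares size and elements in order; Objects.equals also tolerates null lists.
        return Objects.equals(this.generallyTrusted, other.generallyTrusted)
            && Objects.equals(this.containsTrustAnchor, other.containsTrustAnchor)
            && Objects.equals(this.chainIsComplete, other.chainIsComplete)
            && Objects.equals(this.chainIsOrdered, other.chainIsOrdered)
            && Objects.equals(this.containsMultipleLeaves, other.containsMultipleLeaves)
            && Objects.equals(this.containsValidLeaf, other.containsValidLeaf)
            && Objects.equals(this.containsNotYetValid, other.containsNotYetValid)
            && Objects.equals(this.containsExpired, other.containsExpired)
            && Objects.equals(this.containsWeakSignedNonTrustStoresCertificates,
                other.containsWeakSignedNonTrustStoresCertificates)
            && Objects.equals(this.certificateReportList, other.certificateReportList);
    }

    /** Hashes exactly the fields {@link #equals(Object)} compares, so equal chains hash alike. */
    @Override
    public int hashCode() {
        return Objects.hash(this.generallyTrusted, this.containsTrustAnchor, this.chainIsComplete,
            this.chainIsOrdered, this.containsMultipleLeaves, this.containsValidLeaf,
            this.containsNotYetValid, this.containsExpired,
            this.containsWeakSignedNonTrustStoresCertificates, this.certificateReportList);
    }
}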
