package no.digipost.security.cert;

import java.io.IOException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import no.digipost.security.DigipostSecurity;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:no/digipost/security/cert/CertHelper.class */
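public final class CertHelper {
    // Logger is named after this class so warnings emitted here are attributed to CertHelper
    // (the decompiled original obtained the logger for OcspPolicy.class, which misfiles them).
    private static final Logger LOG = LoggerFactory.getLogger(CertHelper.class);

    /**
     * Finds the trusted certificate of the trust anchor whose key verifies the signature of
     * {@code x509Certificate}.
     *
     * <p>If the matching anchor was given as a CA name and public key only (no trusted
     * certificate), the result is empty even though an anchor did verify the signature; use
     * {@link #findTrustAnchor(X509Certificate, Set)} when the anchor itself is needed.
     *
     * @param x509Certificate the certificate whose issuer is searched for among the anchors
     * @param set the trust anchors to search
     * @return the anchor's trusted certificate, or empty if no anchor matched or the matching
     *         anchor carries no certificate
     * @throws SignatureException see {@link #findTrustAnchor(X509Certificate, Set)}
     */
    public static Optional<X509Certificate> findTrustAnchorCert(X509Certificate x509Certificate, Set<TrustAnchor> set) throws SignatureException {
        return findTrustAnchor(x509Certificate, set).map(TrustAnchor::getTrustedCert);
    }

    /**
     * Finds the trust anchor that issued {@code x509Certificate}.
     *
     * <p>An anchor is a candidate when its trusted certificate's subject equals the issuer of
     * {@code x509Certificate}, or (for anchors given as name + key) when its CA name equals the
     * issuer. Candidates are tried in the iteration order of {@code set}; the first whose public
     * key verifies the certificate's signature is returned, so several anchors with the same
     * subject name are handled correctly.
     *
     * <p>Only the signature is checked here. Validity period, revocation status, key usage and
     * path constraints are not examined by this method and must be checked separately.
     *
     * @param x509Certificate the certificate whose issuer is searched for among the anchors
     * @param set the trust anchors to search
     * @return the first anchor whose key verifies the signature, or empty if no anchor matched
     *         the issuer name at all
     * @throws SignatureException if one or more anchors matched the issuer name but none of them
     *         verified the signature (failures of further anchors are attached as suppressed
     *         exceptions), or if the issuer name could not be used as a selector subject
     */
    static Optional<TrustAnchor> findTrustAnchor(X509Certificate x509Certificate, Set<TrustAnchor> set) throws SignatureException {
        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        X509CertSelector issuerAsSubject = new X509CertSelector();
        try {
            // Selector matches anchor certificates whose subject equals this certificate's issuer.
            issuerAsSubject.setSubject(issuer.getEncoded());
        } catch (IOException e) {
            throw new SignatureException("Cannot set subject search criteria for trust anchor.", e);
        }

        // Distinguishes "a name-matching anchor existed but did not verify" (thrown below)
        // from "no anchor matched at all" (empty result).
        SignatureException firstFailure = null;
        for (TrustAnchor anchor : set) {
            PublicKey anchorKey = candidateKey(anchor, issuer, issuerAsSubject);
            if (anchorKey == null) {
                continue;
            }
            try {
                x509Certificate.verify(anchorKey);
                return Optional.of(anchor);
            } catch (Exception e) {
                // Any verification failure for this anchor is recorded and the search continues
                // with the next anchor; the first failure carries the others as suppressed.
                if (firstFailure == null) {
                    firstFailure = new SignatureException("TrustAnchor found, but certificate validation for " + DigipostSecurity.describe(x509Certificate) + " failed", e);
                } else {
                    firstFailure.addSuppressed(e);
                }
            }
        }
        if (firstFailure != null) {
            throw firstFailure;
        }
        return Optional.empty();
    }

    /**
     * Returns the public key to try for {@code anchor}, or {@code null} if the anchor does not
     * name the given issuer.
     *
     * @param anchor the anchor to inspect
     * @param issuer the issuer name of the certificate being verified
     * @param issuerAsSubject a selector whose subject criterion is {@code issuer}
     * @return the anchor's key when its certificate subject (or CA name) equals the issuer,
     *         otherwise {@code null}
     */
    private static PublicKey candidateKey(TrustAnchor anchor, X500Principal issuer, X509CertSelector issuerAsSubject) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            return issuerAsSubject.match(trustedCert) ? trustedCert.getPublicKey() : null;
        }
        boolean namedCaMatches = anchor.getCA() != null && anchor.getCAPublicKey() != null && issuer.equals(anchor.getCA());
        return namedCaMatches ? anchor.getCAPublicKey() : null;
    }

    /**
     * Streams the values of every OU (organizational unit) attribute in the subject of
     * {@code x509Certificate}, in subject order, including multiple values within one RDN.
     *
     * <p>The values are rendered with {@link IETFUtils#valueToString}. This is a best-effort
     * lookup: if the certificate cannot be re-encoded, a warning is logged and the stream is
     * empty rather than an exception being thrown.
     *
     * @param x509Certificate the certificate whose subject is inspected
     * @return the OU values, possibly empty
     */
    public static Stream<String> getOrganizationUnits(X509Certificate x509Certificate) {
        try {
            return Stream.of(new JcaX509CertificateHolder(x509Certificate).getSubject().getRDNs(BCStyle.OU))
                    // A multi-valued RDN can hold several OU attributes; flatten them all.
                    .flatMap(rdn -> Stream.of(rdn.getTypesAndValues()))
                    .map(attribute -> attribute.getValue())
                    .map(IETFUtils::valueToString);
        } catch (CertificateEncodingException e) {
            LOG.warn("Unable to resolve organizational units (OU=xyz) from {}, because {}: '{}'",
                    DigipostSecurity.describe(x509Certificate), e.getClass().getSimpleName(), e.getMessage(), e);
            return Stream.empty();
        }
    }

    // Static utility holder; never instantiated.
    private CertHelper() {
    }
}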
