package com.sg.openews.api.crypto.impl;

import com.kica.crypto.config.CertValidation;
import com.kica.crypto.config.CryptoConfig;
import com.kica.security.KICAProvider;
import com.kica.security.certpath.CertPathCollector;
import com.kica.security.certpath.CollectorParameter;
import com.kica.security.certpath.exception.NoSuchStoreException;
import com.kica.security.certpath.store.X509CollectionStoreParameters;
import com.kica.security.x509.ExtendedPKIXBuilderParameters;
import com.kica.security.x509.ExtendedPKIXParameters;
import com.kica.security.x509.X509Store;
import com.sg.openews.api.crypto.CRLValidateParameter;
import com.sg.openews.api.crypto.CertValidatorSPI;
import com.sg.openews.api.crypto.ValidateParameter;
import com.sg.openews.api.exception.CertValidatorException;
import com.sg.openews.api.key.SGCertificate;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/* loaded from: classes7.dex */
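/**
 * {@link CertValidatorSPI} implementation that gathers a certificate chain and CRLs through a
 * {@link CertPathCollector} and then builds a PKIX certification path with the {@code "KICA"}
 * provider's {@link CertPathBuilder}.
 *
 * <p>Settings are read from {@link CryptoConfig} in the constructor (when a configuration is
 * present) and can be replaced afterwards through {@link #init(ValidateParameter)}.
 *
 * <p>The instance keeps mutable state ({@link #path}, {@link #trustAnchor}) that is written
 * during validation, and nothing in this class synchronizes access to it.
 * NOTE(review): sharing one instance between threads therefore looks unsafe; confirm how
 * callers use it.
 */
public class NPKICertValidator implements CertValidatorSPI {
    /** LDAP host handed to the collector; when {@code null} no LDAP address or port is set on it. */
    public String address;
    /** Cache path handed to the collector, only used while {@link #cacheUse} is {@code true}. */
    public String cachePath;
    /** Whether {@link #cachePath} is passed to the collector. */
    public boolean cacheUse;
    /** Forwarded to {@code setAnyPolicyInhibited} on the builder parameters. */
    public boolean initialAnyPolicyInhibit;
    /** Forwarded to {@code setExplicitPolicyRequired} on the builder parameters. */
    public boolean initialExplcitPolicy;
    /** Forwarded to {@code setPolicyMappingInhibited} on the builder parameters. */
    public boolean initialPolicyMappingInhibit;
    /** Forwarded to {@code setInitialPolicies} on the builder parameters; may be {@code null}. */
    public Set initialPolicySet;
    /** Path produced by the most recent successful validation, or {@code null} before that. */
    public CertPath path;
    /** LDAP port handed to the collector together with {@link #address}; defaults to 389. */
    public int port;
    /**
     * Forwarded to {@code setRevocationEnabled} on the builder parameters. Defaults to
     * {@code true}, but both the configuration and {@link #init(ValidateParameter)} can turn it
     * off.
     * NOTE(review): presumably {@code false} makes the builder skip CRL checking entirely;
     * confirm against the KICA provider before shipping a configuration that disables it.
     */
    public boolean revocationEnabled;
    /**
     * Trust anchors used for path building. Filled by {@link #init(ValidateParameter)} or, as a
     * last resort, by {@link #getTrustAnchors(CertPathCollector)}.
     */
    public HashSet trustAnchor = null;

    /**
     * Creates a validator with built-in defaults and, when {@link CryptoConfig} exposes a
     * {@link CertValidation} section, overrides every default with the configured value.
     */
    public NPKICertValidator() {
        this.initialPolicyMappingInhibit = false;
        this.initialExplcitPolicy = false;
        this.initialAnyPolicyInhibit = false;
        this.initialPolicySet = null;
        this.cachePath = "crl_cache";
        this.cacheUse = false;
        this.revocationEnabled = true;
        this.address = null;
        this.port = 389;
        // Without a configuration (or without its validation section) the defaults above stand.
        if (CryptoConfig.getInstance() == null || CryptoConfig.getInstance().getCertValidation() == null) {
            return;
        }
        CertValidation certValidation = CryptoConfig.getInstance().getCertValidation();
        this.initialAnyPolicyInhibit = certValidation.isAnyPolicyInhibited();
        this.initialPolicyMappingInhibit = certValidation.isPolicyMappingInhibited();
        this.initialExplcitPolicy = certValidation.isExplicitPolicyRequired();
        this.revocationEnabled = certValidation.isRevocationEnabled();
        this.initialPolicySet = new HashSet(certValidation.getInitialPolicies());
        this.cachePath = certValidation.getCachePath();
        this.cacheUse = certValidation.isCacheEnabled();
        this.address = certValidation.getLdapAddress();
        this.port = certValidation.getLdapPort();
    }

    /**
     * Returns the certification path stored by the last successful validation.
     *
     * @return the stored path, or {@code null} if no validation has succeeded yet
     */
    public CertPath getCertPath() {
        return this.path;
    }

    /**
     * Builds a collector configured from this validator's LDAP and cache settings.
     *
     * @return a new collector
     * @throws NoSuchProviderException declared by the collector construction
     * @throws NoSuchStoreException declared by the collector construction
     */
    public CertPathCollector getCertPathCollector() throws NoSuchProviderException, NoSuchStoreException {
        CollectorParameter collectorParameter = new CollectorParameter();
        // The port is only applied together with an explicit LDAP address.
        if (this.address != null) {
            collectorParameter.setLdapAddress(this.address);
            collectorParameter.setLdapPort(this.port);
        }
        if (this.cacheUse && this.cachePath != null) {
            collectorParameter.setCachePath(this.cachePath);
        }
        return new CertPathCollector(collectorParameter);
    }

    /**
     * Selects the trust anchors for path building, in this order: anchors already held in
     * {@link #trustAnchor}, then the anchors of {@code DefaultTrustAnchor} when that set is not
     * empty, and finally a single anchor made from the last certificate of the collector's chain.
     *
     * <p>NOTE(review): in the last case the anchor is taken from the same collected chain that is
     * about to be validated, so a successful build only shows that the chain is internally
     * consistent, not that it ends at a root this application decided to trust. Whether the
     * collector restricts what can appear at the end of the chain is not visible here; confirm
     * it, and prefer supplying anchors through {@link #init(ValidateParameter)} or
     * {@code DefaultTrustAnchor}. The derived anchor is also stored in {@link #trustAnchor} and
     * reused by every later call on this instance.
     *
     * @param certPathCollector collector whose chain supplies the fallback anchor
     * @return the anchors to use; the returned set is the internal one, not a copy
     */
    public Set getTrustAnchors(CertPathCollector certPathCollector) {
        HashSet configured = this.trustAnchor;
        if (configured != null) {
            return configured;
        }
        if (DefaultTrustAnchor.getInstance().getTrustAnchors().size() > 0) {
            return DefaultTrustAnchor.getInstance().getTrustAnchors();
        }
        // Fallback: trust the last certificate of the collected chain (see the note above).
        // An empty chain makes the index below invalid and surfaces as a runtime exception.
        HashSet derived = new HashSet();
        this.trustAnchor = derived;
        derived.add(new TrustAnchor((X509Certificate) certPathCollector.getCertificateChain().get(certPathCollector.getCertificateChain().size() - 1), null));
        return this.trustAnchor;
    }

    /**
     * Replaces the validator's settings with those of the given parameter.
     *
     * <p>A {@code null} parameter is ignored and the current settings stay in place. Trust
     * anchors are only replaced when the parameter carries a non-empty anchor list; otherwise the
     * previous value of {@link #trustAnchor} is kept.
     *
     * @param validateParameter settings to apply; must be a {@link CRLValidateParameter} when
     *     not {@code null}
     * @throws IllegalArgumentException if the parameter is not a {@link CRLValidateParameter}
     * @throws CertValidatorException if the provider is missing or an anchor cannot be decoded
     */
    @Override // com.sg.openews.api.crypto.CertValidatorSPI
    public void init(ValidateParameter validateParameter) throws CertValidatorException {
        if (validateParameter == null) {
            return;
        }
        if (!(validateParameter instanceof CRLValidateParameter)) {
            throw new IllegalArgumentException("Parameter must be instance of CRLValidateParameter!");
        }
        CRLValidateParameter crlParameter = (CRLValidateParameter) validateParameter;
        this.address = crlParameter.getAddress();
        this.port = crlParameter.getPort();
        this.initialAnyPolicyInhibit = crlParameter.isInitialAnyPolicyInhibit();
        this.initialExplcitPolicy = crlParameter.isInitialExplcitPolicy();
        this.initialPolicyMappingInhibit = crlParameter.isInitialPolicyMappingInhibit();
        this.initialPolicySet = crlParameter.getInitialPolicySet();
        this.revocationEnabled = crlParameter.isRevocationEnabled();
        this.cacheUse = crlParameter.getCacheUse();
        this.cachePath = crlParameter.getCachePath();
        if (crlParameter.getTrustAnchor() == null || crlParameter.getTrustAnchor().size() <= 0) {
            return;
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", KICAProvider.PROVIDER_NAME);
            // The field is assigned before decoding on purpose: if decoding fails part-way the
            // validator holds only the anchors decoded so far (possibly none) instead of
            // silently reverting to an earlier or derived anchor set.
            this.trustAnchor = new HashSet();
            Iterator it = crlParameter.getTrustAnchor().iterator();
            while (it.hasNext()) {
                // Each anchor is re-decoded from its encoding through the KICA certificate factory.
                this.trustAnchor.add(new TrustAnchor((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(((SGCertificate) it.next()).getEncoded())), null));
            }
        } catch (NoSuchProviderException e) {
            throw new CertValidatorException(e);
        } catch (CertificateException e2) {
            throw new CertValidatorException(e2);
        }
    }

    /**
     * Validates a single certificate: collects its path and CRLs, then builds a PKIX path for the
     * certificate's subject.
     *
     * <p>NOTE(review): the selector is constrained by subject name only, so the builder targets
     * whichever certificate in the collected store carries that subject. Consider additionally
     * pinning the selector to the presented certificate
     * ({@link X509CertSelector#setCertificate(X509Certificate)}) once it is confirmed that the
     * KICA builder honours that criterion.
     *
     * @param sGCertificate certificate to validate
     * @throws CertValidatorException if collection or path building fails
     */
    @Override // com.sg.openews.api.crypto.CertValidatorSPI
    public void validate(SGCertificate sGCertificate) throws CertValidatorException {
        try {
            X509Certificate target = sGCertificate.getX509Certificate();
            CertPathCollector certPathCollector = getCertPathCollector();
            // NOTE(review): the meaning of the first argument (0) is defined by the collector.
            certPathCollector.downloadCertPath(0, target);
            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setSubject(target.getSubjectX500Principal().getEncoded());
            validate(targetSelector, certPathCollector);
        } catch (NoSuchStoreException e) {
            throw new CertValidatorException("StoreError!", e);
        } catch (IOException e2) {
            throw new CertValidatorException("Certificate validation failure.", e2);
        } catch (NoSuchProviderException e3) {
            throw new CertValidatorException("ProviderError!", e3);
        } catch (CertPathBuilderException e4) {
            throw new CertValidatorException("Certificate Or CRL download failure!", e4);
        }
    }

    /**
     * Builds a PKIX path for the selected target from the collector's certificates and CRLs and
     * stores it in {@link #path}.
     *
     * <p>Only the two collection stores created here are added to the parameters, and
     * additional locations are switched off. The validation date is the current system time.
     *
     * @param x509CertSelector selector identifying the target certificate
     * @param certPathCollector collector that already holds the chain and CRLs
     * @throws CertValidatorException if the parameters are rejected or no path can be built
     */
    public void validate(X509CertSelector x509CertSelector, CertPathCollector certPathCollector) throws CertValidatorException {
        try {
            ExtendedPKIXParameters builderParameters = ExtendedPKIXBuilderParameters.getInstance(new PKIXBuilderParameters((Set<TrustAnchor>) getTrustAnchors(certPathCollector), x509CertSelector));
            builderParameters.setAdditionalLocationsEnabled(false);
            builderParameters.setAnyPolicyInhibited(this.initialAnyPolicyInhibit);
            builderParameters.setExplicitPolicyRequired(this.initialExplcitPolicy);
            builderParameters.setPolicyMappingInhibited(this.initialPolicyMappingInhibit);
            builderParameters.setInitialPolicies(this.initialPolicySet);
            builderParameters.setDate(new Date());
            builderParameters.setRevocationEnabled(this.revocationEnabled);
            builderParameters.addStore(X509Store.getInstance("CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(certPathCollector.getCertificateChain())));
            builderParameters.addStore(X509Store.getInstance("CRL/COLLECTION", new X509CollectionStoreParameters(certPathCollector.getCRLs())));
            // NOTE(review): init() names the provider through KICAProvider.PROVIDER_NAME while
            // this call uses the literal "KICA"; confirm both refer to the same provider.
            this.path = ((PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", "KICA").build(builderParameters)).getCertPath();
        } catch (NoSuchStoreException e) {
            throw new CertValidatorException("Certificate validation failure.", e);
        } catch (InvalidAlgorithmParameterException e2) {
            throw new CertValidatorException("Certificate validation failure.", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new CertValidatorException("Certificate validation failure.", e3);
        } catch (NoSuchProviderException e4) {
            throw new CertValidatorException("Certificate validation failure.", e4);
        } catch (CertPathBuilderException e5) {
            throw new CertValidatorException("Certificate validation failure: " + e5.getMessage(), e5);
        }
    }

    /**
     * Validates a list of certificates. All of them are handed to the collector, and the first
     * element is the target whose subject drives path building.
     *
     * <p>A {@code null} or empty list is rejected up front with a {@link CertValidatorException}
     * so that callers get the declared exception type rather than a runtime exception raised
     * after the collector has already been invoked.
     *
     * <p>NOTE(review): as in {@link #validate(SGCertificate)}, the target is selected by subject
     * name only rather than being pinned to the exact first certificate.
     *
     * @param list {@link SGCertificate} elements, target first
     * @throws CertValidatorException if the list is {@code null} or empty, or if collection or
     *     path building fails
     */
    @Override // com.sg.openews.api.crypto.CertValidatorSPI
    public void validate(List list) throws CertValidatorException {
        if (list == null || list.isEmpty()) {
            throw new CertValidatorException("Certificate validation failure.",
                    new IllegalArgumentException("certificate list must not be null or empty"));
        }
        ArrayList certificates = new ArrayList(list.size());
        for (int i = 0; i < list.size(); i++) {
            certificates.add(((SGCertificate) list.get(i)).getX509Certificate());
        }
        try {
            CertPathCollector certPathCollector = getCertPathCollector();
            certPathCollector.downloadCertPath(certificates);
            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setSubject(((X509Certificate) certificates.get(0)).getSubjectX500Principal().getEncoded());
            validate(targetSelector, certPathCollector);
        } catch (NoSuchStoreException e) {
            throw new CertValidatorException("StoreError!", e);
        } catch (IOException e2) {
            throw new CertValidatorException("Certificate validation failure.", e2);
        } catch (NoSuchProviderException e3) {
            throw new CertValidatorException("ProviderError!", e3);
        } catch (CertPathBuilderException e4) {
            throw new CertValidatorException("Certificate Or CRL download failure!", e4);
        }
    }
}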
