package org.jivesoftware.openfire.keystore;

import java.io.IOException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.jivesoftware.openfire.trustanchor.TrustAnchor;
import org.jivesoftware.openfire.trustbundle.TrustBundle;
import org.jivesoftware.openfire.trustbundle.TrustBundleAnchor;
import org.jivesoftware.openfire.trustcircle.TrustCircle;
import org.jivesoftware.openfire.trustcircle.TrustCircleManager;
import org.jivesoftware.util.CertificateManager;
import org.jivesoftware.util.crl.impl.CRLRevocationManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/keystore/TrustStore.class */
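/**
 * Certificate store that holds trusted certificates and decides whether a peer's TLS
 * certificate chain is trusted.
 *
 * <p>Trust decisions made by {@link #getEndEntityCertificate(Certificate[], String)} use the
 * anchors of the applicable {@link TrustCircle}s (obtained through {@link TrustCircleManager}),
 * not the entries of the backing key store. NOTE(review): certificates added through
 * {@link #installCertificate(String, String)} are therefore not consulted when validating a
 * peer chain — confirm this split is intended.
 */
public class TrustStore extends CertificateStore {
    private static final Logger Log = LoggerFactory.getLogger(TrustStore.class);

    /**
     * Sub-domain prefixes that are stripped before a domain is used for trust-circle lookup.
     * Checked in order; a domain can match at most one of them.
     */
    private static final String[] STRIPPED_PREFIXES = {"groupchat.", "ftproxystream."};

    /**
     * Opens (or creates) the trust store described by the configuration.
     *
     * @param certificateStoreConfiguration location, type and credentials of the backing store
     * @param z forwarded unchanged to {@link CertificateStore}; its meaning is not visible here — TODO confirm
     * @throws CertificateStoreConfigException when the backing store cannot be opened
     */
    public TrustStore(CertificateStoreConfiguration certificateStoreConfiguration, boolean z) throws CertificateStoreConfigException {
        super(certificateStoreConfiguration, z);
    }

    /**
     * Installs exactly one PEM-encoded certificate under the given alias and persists the store.
     *
     * <p>The store is re-read from its backing file afterwards on every path (success or failure),
     * so an entry that could not be persisted does not linger in memory.
     *
     * @param str the alias to store the certificate under (trimmed; must not be empty)
     * @param str2 PEM text containing exactly one certificate
     * @throws IllegalArgumentException when an argument is null or the alias is blank
     * @throws CertificateStoreConfigException when the alias is already in use, the input holds
     *         zero or more than one certificate, or the store cannot be updated
     */
    public void installCertificate(String str, String str2) throws CertificateStoreConfigException {
        if (str == null || str.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'alias' cannot be null or an empty String.");
        }
        if (str2 == null) {
            throw new IllegalArgumentException("Argument 'pemRepresentation' cannot be null.");
        }
        final String alias = str.trim();
        try {
            if (this.store.containsAlias(alias)) {
                throw new CertificateStoreConfigException("Certificate already exists for alias: " + alias);
            }
            final Collection<X509Certificate> parsed = CertificateManager.parseCertificates(str2);
            if (parsed.isEmpty()) {
                throw new CertificateStoreConfigException("No certificate was found in the input.");
            }
            if (parsed.size() != 1) {
                throw new CertificateStoreConfigException("More than one certificate was found in the input.");
            }
            this.store.setCertificateEntry(alias, parsed.iterator().next());
            persist();
        } catch (IOException | KeyStoreException | CertificateException e) {
            throw new CertificateStoreConfigException("Unable to install a certificate into a trust store.", e);
        } finally {
            // Re-synchronise the in-memory store with what is on disk: on success this picks up
            // the persisted entry, on failure it drops the entry that was never persisted.
            reload();
        }
    }

    /**
     * Reports whether the chain ends in an end-entity certificate that validates against the
     * anchors of the trust circles applicable to {@code str}.
     *
     * @param certificateArr peer certificate chain, end-entity certificate first
     * @param str the XMPP domain the chain was presented for (may be null/empty for "any circle")
     * @return true when {@link #getEndEntityCertificate(Certificate[], String)} yields a certificate
     */
    public boolean isTrusted(Certificate[] certificateArr, String str) {
        return getEndEntityCertificate(certificateArr, str) != null;
    }

    /**
     * Validates the peer's end-entity certificate and returns it when it is trusted.
     *
     * <p>Checks performed, in order: the leaf is an X.509 certificate and is within its validity
     * period; it is not listed as revoked by {@link CRLRevocationManager}; a PKIX path can be built
     * from it to one of the (currently valid) anchors of the trust circles selected by {@code str}
     * (all enabled circles when {@code str} is empty, otherwise the circles of
     * {@link #getTopDomain(String)}).
     *
     * <p>Caveats a caller should know: only the leaf is handed to the path builder, so any
     * intermediate certificates in {@code certificateArr} are ignored and the leaf must chain
     * directly to an anchor (TODO confirm this is intended). PKIX revocation checking is disabled;
     * revocation is only checked for the leaf, through {@link CRLRevocationManager}.
     *
     * @param certificateArr peer certificate chain, end-entity certificate first
     * @param str the XMPP domain the chain was presented for; null or empty selects all circles
     * @return the validated end-entity certificate, or null when the chain is empty, malformed,
     *         expired, revoked, or cannot be chained to an applicable anchor
     */
    public X509Certificate getEndEntityCertificate(Certificate[] certificateArr, String str) {
        if (certificateArr == null || certificateArr.length == 0) {
            return null;
        }
        final Certificate leaf = certificateArr[0];
        // A missing or non-X.509 leaf cannot be path-validated; fail closed instead of letting a
        // ClassCastException / NullPointerException escape into the TLS handshake.
        if (!(leaf instanceof X509Certificate)) {
            Log.warn("TLS end entity certificate is missing or not an X.509 certificate (type: {}). The connection is rejected.",
                leaf == null ? "null" : leaf.getType());
            return null;
        }
        final X509Certificate endEntity = (X509Certificate) leaf;
        try {
            endEntity.checkValidity();
            if (CRLRevocationManager.getInstance().isRevoked(endEntity)) {
                Log.warn("TLS end enity certificate has been marked as revoked.  The connection is rejected.");
                return null;
            }
        } catch (CertificateException e) {
            // Expired / not-yet-valid leaves are routine; log the reason without a stack trace.
            Log.warn("EE Certificate not valid: {}", e.getMessage());
            return null;
        }

        try {
            final Collection<TrustCircle> circles = StringUtils.isEmpty(str)
                ? TrustCircleManager.getInstance().getTrustCircles(true, true)
                : TrustCircleManager.getInstance().getCirclesByDomain(getTopDomain(str), true, true);
            if (circles == null || circles.isEmpty()) {
                Log.debug("No trust circle applies to domain '{}'. The certificate cannot be trusted.", str);
                return null;
            }

            // Expired or not-yet-valid anchors are dropped so they cannot vouch for the leaf.
            final Set<java.security.cert.TrustAnchor> trustAnchors =
                CertificateUtils.toTrustAnchors(CertificateUtils.filterValid(collectAnchorCertificates(circles)));
            if (trustAnchors == null || trustAnchors.isEmpty()) {
                Log.warn("None of the trust circles applicable to domain '{}' has a currently valid anchor. The certificate cannot be trusted.", str);
                return null;
            }

            final X509CertSelector target = new X509CertSelector();
            target.setCertificate(endEntity);
            final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustAnchors, target);
            // Only the leaf is offered to the builder; intermediates from the peer are not used.
            parameters.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(endEntity))));
            // Leaf revocation was checked above via CRLRevocationManager; PKIX CRL/OCSP checking is
            // off, so nothing else in the path is revocation-checked here.
            parameters.setRevocationEnabled(false);

            return (X509Certificate) newPathBuilder().build(parameters).getCertPath().getCertificates().get(0);
        } catch (CertPathBuilderException e2) {
            Log.warn("Path builder exception while validating certificate chain:", e2);
            return null;
        } catch (Exception e3) {
            Log.warn("Unknown exception while validating certificate chain:", e3);
            return null;
        }
    }

    /** Gathers every bundle anchor and every direct anchor of the given circles, de-duplicated. */
    private static Set<X509Certificate> collectAnchorCertificates(Collection<TrustCircle> circles) {
        final Set<X509Certificate> anchors = new HashSet<>();
        for (TrustCircle circle : circles) {
            for (TrustBundle bundle : circle.getTrustBundles()) {
                for (TrustBundleAnchor bundleAnchor : bundle.getTrustBundleAnchors()) {
                    anchors.add(bundleAnchor.asX509Certificate());
                }
            }
            for (TrustAnchor anchor : circle.getAnchors()) {
                anchors.add(anchor.asX509Certificate());
            }
        }
        return anchors;
    }

    /** Returns a PKIX path builder from the BC provider, falling back to the default provider. */
    private static CertPathBuilder newPathBuilder() throws NoSuchAlgorithmException {
        try {
            return CertPathBuilder.getInstance("PKIX", "BC");
        } catch (NoSuchProviderException e) {
            Log.warn("Unable to use the BC provider! Trying to use a fallback provider.", e);
            return CertPathBuilder.getInstance("PKIX");
        }
    }

    /**
     * Maps a (sub)domain to the domain used for trust-circle lookup: lower-cased, with a leading
     * {@code groupchat.} or {@code ftproxystream.} label removed.
     *
     * @param str the domain; null or empty yields the empty string
     * @return the lower-cased domain without a stripped prefix
     */
    protected String getTopDomain(String str) {
        if (StringUtils.isEmpty(str)) {
            return "";
        }
        // Locale.ROOT: domain names are ASCII, and the default locale (e.g. Turkish) would map
        // 'I' to a dotless i and break the prefix match.
        final String domain = str.toLowerCase(Locale.ROOT);
        for (String prefix : STRIPPED_PREFIXES) {
            if (domain.startsWith(prefix)) {
                return domain.substring(prefix.length());
            }
        }
        return domain;
    }
}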
