package mitm.common.security.crl;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import mitm.common.security.NoSuchProviderRuntimeException;
import mitm.common.security.SecurityFactory;
import mitm.common.security.SecurityFactoryFactory;
import mitm.common.security.certpath.CertificatePathBuilder;
import mitm.common.util.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes2.dex */
/**
 * Locates the issuer of an X.509 CRL and returns the certification path for that issuer.
 *
 * <p>Lookup order: the trust anchors of the wrapped {@link CertificatePathBuilder} are tried
 * first, then certificates from its cert stores. A candidate is accepted only when its public
 * key verifies the CRL signature; a matching issuer name alone is never enough.
 *
 * <p>Nothing in this class inspects the CRL's thisUpdate/nextUpdate fields or its extensions.
 * It only answers "who signed this CRL and how does that signer chain to a trust anchor".
 */
public class PKIXCRLPathBuilder implements CRLPathBuilder {
    public static final String CRL_ISSUER_NOT_FOUND = "CRL issuer could not be found.";
    private static final Logger logger = LoggerFactory.getLogger(PKIXCRLPathBuilder.class);

    /** Length of the key usage array handed to the selector (bits 0 to 8). */
    private static final int KEY_USAGE_BIT_COUNT = 9;

    /** Index of the cRLSign bit in the X.509 KeyUsage extension. */
    private static final int CRL_SIGN_BIT = 6;

    private final CertificatePathBuilder pathBuilder;
    private final SecurityFactory securityFactory = SecurityFactoryFactory.getSecurityFactory();

    /**
     * @param certificatePathBuilder supplies the trust anchors and cert stores searched for the
     *        CRL issuer, and builds the path once an issuer certificate has been found
     */
    public PKIXCRLPathBuilder(CertificatePathBuilder certificatePathBuilder) {
        this.pathBuilder = certificatePathBuilder;
    }

    /**
     * Creates a certification path without certificates. It is used when the CRL is signed
     * directly by a trust anchor, so there is nothing between the CRL and the anchor.
     */
    private CertPath createEmptyCertPath() throws CertificateException, NoSuchProviderException {
        return this.securityFactory.createCertificateFactory("X.509")
                .generateCertPath(new LinkedList<X509Certificate>());
    }

    /** Returns the key a trust anchor vouches for: its certificate's key, or the bare CA key. */
    private static PublicKey publicKeyOf(TrustAnchor anchor) {
        X509Certificate anchorCert = anchor.getTrustedCert();
        return anchorCert != null ? anchorCert.getPublicKey() : anchor.getCAPublicKey();
    }

    /**
     * Collects, from every cert store of the path builder, the certificates whose subject
     * equals the CRL issuer and whose key usage allows cRLSign.
     *
     * <p>Per the {@link X509CertSelector} contract, a certificate without a KeyUsage extension
     * implicitly allows every usage and therefore matches as well.
     *
     * <p>A store that throws is logged and skipped, so the result can be incomplete. No
     * signature is checked here; callers must still verify the CRL against each candidate.
     */
    private Set<X509Certificate> getPossibleIssuers(X509CRL crl) {
        Set<X509Certificate> candidates = new HashSet<X509Certificate>();
        Set<CertStore> stores = this.pathBuilder.getCertStores();

        boolean[] requiredKeyUsage = new boolean[KEY_USAGE_BIT_COUNT];
        requiredKeyUsage[CRL_SIGN_BIT] = true;

        X509CertSelector issuerSelector = new X509CertSelector();
        issuerSelector.setKeyUsage(requiredKeyUsage);
        issuerSelector.setSubject(crl.getIssuerX500Principal());

        for (CertStore store : stores) {
            try {
                CollectionUtils.copyCollectionFiltered(
                        store.getCertificates(issuerSelector), candidates, X509Certificate.class);
            } catch (CertStoreException storeFailure) {
                // Best effort: one failing store must not hide the candidates of the others.
                logger.error("Error while getting certificates.", storeFailure);
            }
        }
        return candidates;
    }

    /**
     * Returns the first trust anchor whose name equals the CRL issuer and whose key verifies
     * the CRL signature, or {@code null} when no anchor qualifies.
     *
     * <p>Unlike the cert store lookup, no key usage filter is applied to trust anchors here.
     */
    private TrustAnchor getPossibleTrustAnchorIssuer(X509CRL crl) throws CertPathBuilderException, NoSuchProviderException, CertStoreException {
        X500Principal crlIssuer = crl.getIssuerX500Principal();
        for (TrustAnchor anchor : this.pathBuilder.getTrustAnchors()) {
            X509Certificate anchorCert = anchor.getTrustedCert();
            X500Principal anchorName =
                    anchorCert != null ? anchorCert.getSubjectX500Principal() : anchor.getCA();
            if (!anchorName.equals(crlIssuer)) {
                continue;
            }
            if (isSignedBy(crl, publicKeyOf(anchor))) {
                return anchor;
            }
        }
        return null;
    }

    /**
     * Returns the first candidate issuer whose public key verifies the CRL signature, or
     * {@code null} when none does. Candidates come from a {@link HashSet}, so when several
     * of them carry the same key, which one is returned is not defined.
     */
    private X509Certificate findSigningIssuer(X509CRL crl) throws NoSuchProviderException {
        for (X509Certificate candidate : getPossibleIssuers(crl)) {
            if (candidate != null && isSignedBy(crl, candidate.getPublicKey())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Reports whether the CRL signature verifies under the given key, using the security
     * factory's non-sensitive provider. Every verification failure yields {@code false}.
     *
     * <p>A plain signature mismatch is logged at debug level only; the other failures are
     * logged as errors. Presumably this is because a mismatch is expected while candidates
     * are being probed.
     */
    private boolean isSignedBy(X509CRL crl, PublicKey candidateKey) throws NoSuchProviderException {
        try {
            crl.verify(candidateKey, this.securityFactory.getNonSensitiveProvider());
            return true;
        } catch (InvalidKeyException badKey) {
            logger.error("Error verifying CRL.", badKey);
            return false;
        } catch (NoSuchAlgorithmException unknownAlgorithm) {
            logger.error("Error verifying CRL.", unknownAlgorithm);
            return false;
        } catch (SignatureException mismatch) {
            logger.debug("Error verifying CRL. Message: " + mismatch.getMessage());
            return false;
        } catch (CRLException malformed) {
            logger.error("Error verifying CRL.", malformed);
            return false;
        }
    }

    /**
     * Builds the certification path for the issuer of the given CRL.
     *
     * <p>If a trust anchor signed the CRL, the result holds an empty path, that anchor, no
     * policy tree and the anchor's public key. Otherwise the first cert store certificate
     * that verifies the CRL is handed to the wrapped path builder. Only that one certificate
     * is attempted; other candidates are not tried if path building for it fails.
     *
     * @param x509crl the CRL whose issuer path is wanted
     * @return the path builder result for the CRL issuer
     * @throws CertPathBuilderException with message {@link #CRL_ISSUER_NOT_FOUND} when no
     *         candidate verifies the CRL, or wrapping a cert store or certificate failure
     * @throws NoSuchProviderRuntimeException when the security provider is unavailable
     */
    @Override
    public CertPathBuilderResult buildPath(X509CRL x509crl) throws CertPathBuilderException, NoSuchProviderRuntimeException {
        try {
            TrustAnchor signingAnchor = getPossibleTrustAnchorIssuer(x509crl);
            if (signingAnchor != null) {
                return new PKIXCertPathBuilderResult(
                        createEmptyCertPath(), signingAnchor, null, publicKeyOf(signingAnchor));
            }

            X509Certificate issuer = findSigningIssuer(x509crl);
            if (issuer == null) {
                throw new CertPathBuilderException(CRL_ISSUER_NOT_FOUND);
            }
            return this.pathBuilder.buildPath(issuer);
        } catch (NoSuchProviderException missingProvider) {
            throw new NoSuchProviderRuntimeException(missingProvider);
        } catch (CertStoreException storeFailure) {
            throw new CertPathBuilderException(storeFailure);
        } catch (CertificateException certFailure) {
            throw new CertPathBuilderException(certFailure);
        }
    }
}
