package de.culture4life.luca.document.provider.baercode;

import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import de.culture4life.luca.LucaApplication;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: classes.dex */
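/**
 * X.509 certificate chain used by the Baercode document provider, together with the public key
 * of the chain's first certificate.
 *
 * <p><b>Trust model.</b> Constructing an instance only parses the supplied bytes; no validation
 * happens until {@link #verifySignedByLetsEncrypt(Context)} is called. {@link #getPublicKey()}
 * therefore returns a key from an unauthenticated certificate unless the caller has validated
 * the chain first.
 *
 * <p>Validation builds a PKIX path to the bundled {@code le_root.crt} asset as the only trust
 * anchor. Because that anchor is a public CA root, the target-certificate constraints (dNSName
 * {@value #AUTHORITY_BAERCODE_DE} and the digitalSignature key usage) are what tie an accepted
 * chain to the Baercode authority, so they are applied on every API level.
 *
 * <p>The checked exceptions raised by the JCA and I/O calls below are not declared in this
 * listing; the method signatures are left as found.
 */
public class BaercodeCertificate {
    private static final String AUTHORITY_BAERCODE_DE = "authority.baercode.de";

    /** GeneralName type tag for a dNSName subject alternative name. */
    private static final int SAN_TYPE_DNS_NAME = 2;

    private final List<X509Certificate> certificateChain;
    private final PublicKey publicKey;

    /**
     * Parses an encoded certificate chain and captures the public key of its first certificate.
     *
     * <p>The chain is not validated here; call {@link #verifySignedByLetsEncrypt(Context)}
     * before relying on {@link #getPublicKey()}.
     *
     * @param bArr encoded X.509 certificates, first certificate first
     * @throws IllegalArgumentException if the input contains no certificate
     */
    public BaercodeCertificate(byte[] bArr) {
        List<X509Certificate> parsedChain = createCertificateChain(bArr);
        if (parsedChain.isEmpty()) {
            // Fail with a descriptive error instead of an IndexOutOfBoundsException from get(0).
            throw new IllegalArgumentException("Certificate chain contains no certificates");
        }
        this.certificateChain = parsedChain;
        this.publicKey = parsedChain.get(0).getPublicKey();
    }

    /**
     * Checks that the trust anchor is within its validity period and that the chain validates
     * against it.
     *
     * @param x509Certificate trust anchor the chain must lead to
     * @param list            certificate chain to validate; NOTE(review): callers are expected
     *                        to pass a non-empty chain, confirm how an empty path is treated by
     *                        the platform's PKIX validator
     */
    public static void checkServerTrusted(X509Certificate x509Certificate, List<X509Certificate> list) {
        x509Certificate.checkValidity();
        validateCertPath(x509Certificate, list);
    }

    /**
     * Parses a single X.509 certificate from the stream. The stream is not closed here.
     *
     * @param inputStream source of the encoded certificate
     * @return the parsed certificate
     */
    public static X509Certificate createCertificate(InputStream inputStream) {
        return (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(inputStream);
    }

    /**
     * Parses every certificate contained in the given bytes.
     *
     * @param bArr encoded X.509 certificates
     * @return mutable list of the parsed certificates, in the order the factory produced them
     */
    public static List<X509Certificate> createCertificateChain(byte[] bArr) {
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate parsed
                : CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(bArr))) {
            // Cast per element so a non-X.509 entry fails here rather than at first use.
            chain.add((X509Certificate) parsed);
        }
        return chain;
    }

    /**
     * Loads the bundled root certificate ({@code le_root.crt}).
     *
     * <p>When {@link LucaApplication#isRunningUnitTests()} is true the file is read from the
     * source tree instead of the APK assets. The stream is closed once the certificate has been
     * parsed.
     */
    @SuppressLint({"NewApi"})
    private X509Certificate getRootCertificate(Context context) {
        try (InputStream rootStream = LucaApplication.isRunningUnitTests()
                ? Files.newInputStream(Paths.get("src/main/assets/le_root.crt"))
                : context.getAssets().open("le_root.crt")) {
            return createCertificate(rootStream);
        }
    }

    /**
     * Validates {@code list} as a PKIX certification path that ends at {@code x509Certificate}.
     *
     * <p>The target certificate must carry the dNSName {@value #AUTHORITY_BAERCODE_DE} and allow
     * the digitalSignature key usage. These constraints are set regardless of API level; only
     * the revocation checker depends on API 24.
     */
    private static void validateCertPath(X509Certificate x509Certificate, List<X509Certificate> list) {
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(list);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // In-memory key store holding the single trust anchor.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("baercode_root_ca", x509Certificate);
        PKIXParameters parameters = new PKIXParameters(trustStore);

        // Identity binding: without it, any certificate chaining to the anchor would validate.
        X509CertSelector targetConstraints = new X509CertSelector();
        targetConstraints.addSubjectAlternativeName(SAN_TYPE_DNS_NAME, AUTHORITY_BAERCODE_DE);
        // Index 0 of the key-usage array is digitalSignature.
        targetConstraints.setKeyUsage(new boolean[]{true, false, false, false, false, false, false, false, false});
        parameters.setTargetCertConstraints(targetConstraints);

        if (Build.VERSION.SDK_INT >= 24) {
            PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) validator.getRevocationChecker();
            HashSet<PKIXRevocationChecker.Option> revocationOptions = new HashSet<>();
            // SOFT_FAIL: an unobtainable revocation status does not fail validation, so
            // revocation is best-effort here. ONLY_END_ENTITY: intermediates are not checked.
            revocationOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
            revocationOptions.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            revocationChecker.setOptions(revocationOptions);
            parameters.addCertPathChecker(revocationChecker);
        } else {
            // No revocation checker is used below API 24; revocation is not checked at all.
            parameters.setRevocationEnabled(false);
        }
        validator.validate(certPath, parameters);
    }

    /**
     * Returns the public key of the first certificate in the chain.
     *
     * <p>The key is only authenticated once {@link #verifySignedByLetsEncrypt(Context)} has
     * completed without throwing.
     */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /**
     * Validates the parsed chain against the bundled root certificate.
     *
     * @param context used to open the {@code le_root.crt} asset
     */
    public void verifySignedByLetsEncrypt(Context context) {
        checkServerTrusted(getRootCertificate(context), this.certificateChain);
    }
}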
