package org.xwiki.crypto.pkix.internal;

import java.security.GeneralSecurityException;
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collection;
import java.util.Deque;
import java.util.Iterator;
import javax.inject.Named;
import javax.inject.Singleton;
import org.xwiki.component.annotation.Component;
import org.xwiki.crypto.pkix.CertificateChainBuilder;
import org.xwiki.crypto.pkix.CertificateProvider;
import org.xwiki.crypto.pkix.params.CertifiedPublicKey;
import org.xwiki.crypto.pkix.params.x509certificate.X509CertifiedPublicKey;
import org.xwiki.crypto.pkix.params.x509certificate.extension.KeyUsage;
import org.xwiki.crypto.pkix.params.x509certificate.extension.X509Extensions;

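/**
 * Assembles an X.509 certificate chain by walking from a certificate up through its issuers,
 * looking each issuer up in a {@link CertificateProvider}.
 *
 * <p>Security scope: this class only <em>builds</em> a candidate chain. Each link is accepted when the
 * issuer's public key verifies the child's signature and, for version 3 issuers, when the issuer carries
 * CA basic constraints and the {@code keyCertSign} key usage. Nothing in this class checks validity
 * periods, revocation, path-length or name constraints, or whether the top of the chain is a trusted
 * anchor. Callers must perform those checks before treating the returned chain as trusted.
 */
@Singleton
@Component
@Named("X509")
/* loaded from: input_file:WEB-INF/lib/xwiki-commons-crypto-pkix-10.2.jar:org/xwiki/crypto/pkix/internal/BcX509CertificateChainBuilder.class */
public class BcX509CertificateChainBuilder implements CertificateChainBuilder {
    /** Version number at which the CA extension checks in {@link #validatedIssuer} are enforced. */
    private static final int X509_V3 = 3;

    /**
     * Builds the chain for the given certificate.
     *
     * @param certifiedPublicKey the certificate to start from, may be {@code null}
     * @param certificateProvider source used to look up issuer certificates
     * @return {@code null} when {@code certifiedPublicKey} is {@code null}; otherwise a collection that
     *     iterates from the last issuer found down to {@code certifiedPublicKey} (each certificate is
     *     pushed on the front of a deque as it is discovered)
     * @throws IllegalArgumentException if a certificate in the walk is not an {@link X509CertifiedPublicKey}
     */
    @Override // org.xwiki.crypto.pkix.CertificateChainBuilder
    public Collection<CertifiedPublicKey> build(CertifiedPublicKey certifiedPublicKey, CertificateProvider certificateProvider) {
        if (certifiedPublicKey == null) {
            return null;
        }
        Deque<CertifiedPublicKey> chain = new ArrayDeque<>();
        appendChain(chain, certifiedPublicKey, certificateProvider);
        return chain;
    }

    /**
     * Walks the issuer links iteratively, pushing every certificate found onto {@code chain}.
     *
     * <p>The walk stops when no issuer can be found, when a certificate is its own issuer, or when the
     * next certificate is already in the chain (which also breaks issuer loops). Iterating instead of
     * recursing keeps the stack depth constant however many certificates the provider links together.
     */
    private void appendChain(Deque<CertifiedPublicKey> chain, CertifiedPublicKey start, CertificateProvider certificateProvider) {
        CertifiedPublicKey current = start;
        while (current != null && !chain.contains(current)) {
            if (!(current instanceof X509CertifiedPublicKey)) {
                throw new IllegalArgumentException("Certificate of incompatible type [" + current.getClass().getName() + "] for subject [" + current.getSubject().getName() + "]");
            }
            chain.push(current);
            CertifiedPublicKey issuer = getIssuer((X509CertifiedPublicKey) current, certificateProvider);
            if (issuer == null || issuer.equals(current)) {
                return;
            }
            current = issuer;
        }
    }

    /**
     * Finds the issuer of a certificate.
     *
     * <p>When the certificate has an authority key identifier, the issuer is looked up by that identifier;
     * otherwise every certificate the provider returns for the issuer name is tried in turn.
     *
     * @return the certificate itself when its subject and authority key identifiers are equal, a validated
     *     issuer, or {@code null} when none is found
     */
    private CertifiedPublicKey getIssuer(X509CertifiedPublicKey certificate, CertificateProvider certificateProvider) {
        X509Extensions extensions = certificate.getExtensions();
        byte[] authorityKeyId = extensions == null ? null : extensions.getAuthorityKeyIdentifier();
        if (authorityKeyId != null) {
            // NOTE(review): equal subject/authority key identifiers end the chain here without the
            // self-signature being verified; the caller has to match the top of the chain against its
            // own trust anchors.
            if (Arrays.equals(extensions.getSubjectKeyIdentifier(), authorityKeyId)) {
                return certificate;
            }
            return validatedIssuer(certificate, certificateProvider.getCertificate(authorityKeyId));
        }

        Collection<CertifiedPublicKey> candidates = certificateProvider.getCertificate(certificate.getIssuer());
        if (candidates == null) {
            return null;
        }
        for (CertifiedPublicKey candidate : candidates) {
            CertifiedPublicKey issuer = validatedIssuer(certificate, candidate);
            if (issuer != null) {
                return issuer;
            }
        }
        return null;
    }

    /**
     * Accepts {@code candidate} as the issuer of {@code certificate} only if it is an X.509 certificate,
     * passes the CA checks that apply to its version, and its public key verifies the signature.
     *
     * @return the candidate as issuer, or {@code null} when it is rejected
     */
    private CertifiedPublicKey validatedIssuer(X509CertifiedPublicKey certificate, CertifiedPublicKey candidate) {
        // instanceof is false for null, so this also rejects a missing candidate.
        if (!(candidate instanceof X509CertifiedPublicKey)) {
            return null;
        }
        X509CertifiedPublicKey issuer = (X509CertifiedPublicKey) candidate;
        // NOTE(review): issuers whose version is not 3 skip the CA checks entirely, so the provider
        // should only hold such certificates when they are meant to act as issuers.
        if (issuer.getVersionNumber() == X509_V3 && !isCertificateSigningAuthority(issuer.getExtensions())) {
            return null;
        }
        try {
            return certificate.isSignedBy(issuer.getPublicKeyParameters()) ? issuer : null;
        } catch (GeneralSecurityException ignored) {
            // A signature that cannot be verified is handled like one that does not match: no issuer.
            return null;
        }
    }

    /**
     * Tells whether the extensions mark their certificate as a CA that may sign certificates.
     *
     * <p>Fails closed: missing extensions, missing CA basic constraints, or a missing key usage set all
     * yield {@code false}. The null check on the key usage set assumes {@code getKeyUsage()} can return
     * {@code null} when the extension is absent (confirm against {@code X509Extensions}); without it such
     * a certificate would raise a {@link NullPointerException} instead of being rejected.
     */
    private static boolean isCertificateSigningAuthority(X509Extensions extensions) {
        if (extensions == null || !extensions.hasCertificateAuthorityBasicConstraints()) {
            return false;
        }
        Collection<KeyUsage> usages = extensions.getKeyUsage();
        return usages != null && usages.contains(KeyUsage.keyCertSign);
    }
}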
