package com.alipay.oasis.client.challenger.util;

import com.alipay.oasis.client.challenger.exception.AssertException;
import com.alipay.oasis.client.challenger.exception.CertificateVerificationException;
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import sun.security.provider.certpath.OCSP;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:com/alipay/oasis/client/challenger/util/CertVerifier.class */
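/**
 * Static helpers that verify an X.509 certificate against its issuer, optionally
 * querying OCSP for revocation status.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The issuer certificate handed to {@link #verifyCertificate} is installed as the
 *       only {@link TrustAnchor}. A trust anchor is trusted as given, so the caller must
 *       make sure it really is trusted (for example by comparing it with a pinned
 *       certificate). {@link #verifyCertChain} never compares the last list element with
 *       any trust store.</li>
 *   <li>Revocation is checked only when the OCSP flag is {@code true}; the PKIX builder's
 *       own revocation checking is switched off in both cases.</li>
 *   <li>The OCSP code relies on {@code sun.security.*} classes, which are JDK-internal
 *       and not part of the supported API.</li>
 * </ul>
 */
public final class CertVerifier {
    private CertVerifier() {
    }

    /**
     * Verifies that {@code x509Certificate} chains directly to {@code x509Certificate2}.
     *
     * <p>The checks run in this order: the certificate must not be self-signed, a PKIX
     * path from the certificate to the issuer must build, and, when {@code z} is set,
     * the OCSP responder named in the certificate must report the status {@code GOOD}.
     * The OCSP branch fails closed: a missing responder URI, an I/O error while talking
     * to the responder, or any status other than {@code GOOD} rejects the certificate.
     *
     * @param x509Certificate  the certificate to verify
     * @param x509Certificate2 the issuer certificate; used as the sole trust anchor and
     *                         as the issuer in the OCSP request
     * @param z                {@code true} to also check revocation through OCSP
     * @return the result of the PKIX path build
     * @throws CertificateVerificationException if any check fails or cannot be carried out
     */
    public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate x509Certificate, X509Certificate x509Certificate2, boolean z) throws CertificateVerificationException {
        try {
            if (isSelfSigned(x509Certificate)) {
                throw new CertificateVerificationException("The certificate is self-signed.");
            }
            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setCertificate(x509Certificate);
            HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
            anchors.add(new TrustAnchor(x509Certificate2, null));
            PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetSelector);
            // Built-in revocation checking stays off; revocation is handled by the
            // explicit OCSP query below when the caller asks for it.
            params.setRevocationEnabled(false);
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            if (z) {
                // The responder URI is read from the certificate itself, so the request is
                // made only after the path build above has tied the certificate to the
                // issuer. Unverified certificate content must not decide where this
                // client connects.
                URI responderURI = OCSP.getResponderURI(X509CertImpl.toImpl(x509Certificate));
                if (null == responderURI) {
                    throw new CertPathValidatorException("No OCSP Responder URI in certificate");
                }
                // No separate responder certificate and no explicit validation date are supplied.
                OCSP.RevocationStatus status = OCSP.check(x509Certificate, x509Certificate2, responderURI, (X509Certificate) null, (Date) null);
                if (status.getCertStatus() != OCSP.RevocationStatus.CertStatus.GOOD) {
                    throw new CertificateVerificationException("The certificate status checked by OCSP is [" + status.getCertStatus() + "]");
                }
            }
            return result;
        } catch (IOException e) {
            throw new CertificateVerificationException("OCSP error", e);
        } catch (CertPathBuilderException e2) {
            throw new CertificateVerificationException("Error building certification path: " + x509Certificate.getSubjectX500Principal(), e2);
        } catch (CertPathValidatorException e3) {
            throw new CertificateVerificationException(e3);
        } catch (GeneralSecurityException e4) {
            throw new CertificateVerificationException("Error verifying the certificate: " + x509Certificate.getSubjectX500Principal(), e4);
        }
    }

    /**
     * Verifies a certificate chain link by link, starting at the root end.
     *
     * <p>The list is ordered leaf first: element {@code i} must be issued by element
     * {@code i + 1}. Each pair is passed to {@link #verifyCertificate}. Every issuer is
     * used as a trust anchor for the certificate below it, and trust anchors are not
     * checked for CA status by the path build. Intermediate issuers are therefore
     * required here to carry a CA basic-constraints extension, so that an end-entity
     * certificate cannot act as an issuer inside the chain.
     *
     * <p>NOTE(review): path-length, key-usage and name constraints are still not enforced
     * across links, and the last element is accepted as the root without comparison to
     * any pinned certificate. Callers must establish trust in it themselves.
     *
     * @param list the chain, leaf first, with at least two certificates
     * @param z    {@code true} to run the OCSP check on every link
     * @throws AssertException                  presumably when the list holds fewer than two
     *                                          certificates (raised by {@code Assert.isTrue})
     * @throws CertificateVerificationException if a link fails verification or an
     *                                          intermediate issuer is not a CA certificate
     */
    public static void verifyCertChain(List<X509Certificate> list, boolean z) throws AssertException, CertificateVerificationException {
        Assert.isTrue(list.size() >= 2);
        int rootIndex = list.size() - 1;
        for (int issuerIndex = rootIndex; issuerIndex > 0; issuerIndex--) {
            X509Certificate issuer = list.get(issuerIndex);
            // getBasicConstraints() returns -1 unless the certificate is marked as a CA.
            // The root is exempt because older root certificates may carry no extensions.
            if (issuerIndex < rootIndex && issuer.getBasicConstraints() < 0) {
                throw new CertificateVerificationException("Issuer certificate is not a CA: " + issuer.getSubjectX500Principal());
            }
            verifyCertificate(list.get(issuerIndex - 1), issuer, z);
        }
    }

    /**
     * Reports whether the certificate's signature verifies under its own public key.
     *
     * @param x509Certificate the certificate to test
     * @return {@code true} if the signature verifies with the certificate's own key;
     *         {@code false} if verification fails with an invalid key or a bad signature
     * @throws CertificateException     on encoding errors reported by {@code verify}
     * @throws NoSuchAlgorithmException if the signature algorithm is unsupported
     * @throws NoSuchProviderException  if no default provider is available
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException e) {
            // The key does not fit the signature algorithm: not signed by itself.
            return false;
        } catch (SignatureException e2) {
            // The signature does not verify under the certificate's own key.
            return false;
        }
    }
}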
