package org.icepdf.core.pobjects.acroform.signature.certificates;

import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.icepdf.core.pobjects.acroform.signature.exceptions.CertificateVerificationException;
import org.icepdf.core.pobjects.acroform.signature.exceptions.RevocationVerificationException;
import org.icepdf.core.pobjects.acroform.signature.exceptions.SelfSignedVerificationException;

/* loaded from: input_file:WEB-INF/lib/icepdf-core-6.1.2.jar:org/icepdf/core/pobjects/acroform/signature/certificates/CertificateVerifier.class */
/**
 * Validates an X.509 certificate by building a PKIX certification path to a
 * trust anchor and then running a CRL check on the certificate.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Trust anchors are not taken from a fixed trust store. Every self-signed
 *       certificate found in the collection passed to
 *       {@link #verifyCertificate(X509Certificate, Collection)} is promoted to a
 *       trust anchor, so the result is only as trustworthy as that collection.
 *       It should contain only certificates from a store the caller already
 *       trusts, never certificates taken from the document being verified.</li>
 *   <li>Revocation checking is switched off inside the path builder. The only
 *       revocation check made here is the {@code CRLVerifier} call on the
 *       target certificate; the intermediates of the built path are not passed
 *       to it by this class.</li>
 * </ul>
 */
public class CertificateVerifier {
    /**
     * Builds and validates a certification path for the given certificate, then
     * checks the certificate against its CRLs.
     *
     * @param x509Certificate the certificate to validate; rejected if it is self-signed
     * @param collection      candidate chain certificates; self-signed members become
     *                        trust anchors, all others become intermediate candidates
     * @return the result of the PKIX path build
     * @throws CertificateVerificationException when the path cannot be built or any
     *                                          other failure is caught by the catch-all
     * @throws CertificateExpiredException      when the path build failed because a
     *                                          certificate was reported as expired
     * @throws SelfSignedVerificationException  declared for a self-signed target
     * @throws RevocationVerificationException  rethrown unchanged from the CRL check
     */
    public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate x509Certificate, Collection<X509Certificate> collection) throws CertificateVerificationException, CertificateExpiredException, SelfSignedVerificationException, RevocationVerificationException {
        try {
            // NOTE(review): this is thrown inside the try block. Whether it reaches the
            // caller as-is or is wrapped by the catch-all below depends on the superclass
            // of SelfSignedVerificationException, which is not visible here - confirm.
            if (isSelfSigned(x509Certificate)) {
                throw new SelfSignedVerificationException("The certificate is self-signed.");
            }

            // Partition the supplied certificates. Anything self-signed is treated as a
            // trusted root, so the collection itself is the trust decision.
            Set<X509Certificate> trustedRoots = new HashSet<X509Certificate>();
            Set<X509Certificate> intermediates = new HashSet<X509Certificate>();
            for (X509Certificate candidate : collection) {
                Set<X509Certificate> bucket = isSelfSigned(candidate) ? trustedRoots : intermediates;
                bucket.add(candidate);
            }

            PKIXCertPathBuilderResult pathResult = verifyCertificate(x509Certificate, trustedRoots, intermediates);
            // Revocation is checked for the target certificate only, and only after the
            // path has been built successfully.
            CRLVerifier.verifyCertificateCRLs(x509Certificate);
            return pathResult;
        } catch (CertPathBuilderException e) {
            // Surface an expiry reported by the BouncyCastle validator as the more
            // specific CertificateExpiredException instead of a generic failure.
            Throwable cause = e.getCause();
            if (cause instanceof ExtCertPathValidatorException && cause.getCause() instanceof CertificateExpiredException) {
                throw (CertificateExpiredException) cause.getCause();
            }
            throw new CertificateVerificationException("Error building certification path: " + x509Certificate.getSubjectX500Principal(), e);
        } catch (CertificateVerificationException e) {
            // Already the right type; do not wrap it a second time.
            throw e;
        } catch (RevocationVerificationException e) {
            throw e;
        } catch (Exception e) {
            throw new CertificateVerificationException("Error verifying the certificate: " + x509Certificate.getSubjectX500Principal(), e);
        }
    }

    /**
     * Reports whether the certificate's signature verifies under its own public key.
     *
     * <p>Only the signature is tested; subject and issuer names are not compared.
     *
     * @param x509Certificate the certificate to test
     * @return {@code true} if the signature verifies with the certificate's own key,
     *         {@code false} if verification fails with an invalid-key or signature error
     * @throws CertificateException     propagated from {@code verify}
     * @throws NoSuchAlgorithmException propagated from {@code verify}
     * @throws NoSuchProviderException  propagated from {@code verify}
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        boolean selfSigned;
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            selfSigned = true;
        } catch (InvalidKeyException e) {
            // The key cannot be used with this signature: signed by someone else.
            selfSigned = false;
        } catch (SignatureException e) {
            selfSigned = false;
        }
        return selfSigned;
    }

    /**
     * Runs the PKIX path builder for the target certificate using the BouncyCastle
     * provider.
     *
     * <p>The provider is looked up by name, so it must already be registered.
     * {@code PKIXBuilderParameters} rejects an empty trust-anchor set, so the build
     * fails when {@code set} is empty. No validation date is set, so validity is
     * judged at the current time.
     *
     * @param x509Certificate the target certificate the path must end at
     * @param set             certificates to use as trust anchors
     * @param set2            certificates offered to the builder as intermediates
     * @return the builder result, including the validated path and its trust anchor
     * @throws GeneralSecurityException if the parameters are invalid, the provider or
     *                                  algorithm is unavailable, or no path can be built
     */
    private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate x509Certificate, Set<X509Certificate> set, Set<X509Certificate> set2) throws GeneralSecurityException {
        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(x509Certificate);

        // No name constraints are attached to any anchor.
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate root : set) {
            anchors.add(new TrustAnchor(root, null));
        }

        PKIXBuilderParameters builderParams = new PKIXBuilderParameters(anchors, targetSelector);
        // The builder performs no revocation checking of its own; revocation is left
        // to the separate CRL check made by the public overload.
        builderParams.setRevocationEnabled(false);

        CertStore intermediateStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(set2), BouncyCastleProvider.PROVIDER_NAME);
        builderParams.addCertStore(intermediateStore);

        CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
        return (PKIXCertPathBuilderResult) pathBuilder.build(builderParams);
    }
}
