package org.openoces.ooapi.certificate;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import org.openoces.ooapi.environment.Environments;

/* loaded from: input_file:org/openoces/ooapi/certificate/ChainVerifier.class */
public class ChainVerifier {
    public static boolean verifyTrust(OcesCertificate ocesCertificate) {
        return verifyTrust(ocesCertificate.exportCertificate(), ocesCertificate.getSigningCA());
    }

    public static boolean verifyTrust(X509Certificate x509Certificate, CA ca) {
        if (verify(x509Certificate, ca.getPublicKey()) && verifyChain(ca, 0)) {
            return verifyRoot(ca);
        }
        return false;
    }

    private static boolean verifyChain(CA ca, int i) {
        if (ca.getCertificate().getBasicConstraints() < i) {
            return false;
        }
        if (isSelfSigned(ca) && !ca.isRoot()) {
            return false;
        }
        if (ca.isRoot()) {
            return true;
        }
        if (ca.getSigningCA() == null) {
            return false;
        }
        CA signingCA = ca.getSigningCA();
        if (signingCA.getCertificate().getBasicConstraints() < 0 || !verify(ca.getCertificate(), signingCA.getPublicKey())) {
            return false;
        }
        return verifyChain(ca.getSigningCA(), i + 1);
    }

    private static boolean isSelfSigned(CA ca) {
        return verify(ca.getCertificate(), ca.getPublicKey());
    }

    private static boolean verifyRoot(CA ca) {
        if (!ca.isRoot()) {
            return verifyRoot(ca.getSigningCA());
        }
        Iterator<TrustAnchor> it = Environments.getTrustAnchors().iterator();
        while (it.hasNext()) {
            if (it.next().getTrustedCert().equals(ca.getCertificate())) {
                return true;
            }
        }
        return false;
    }

    private static boolean verify(X509Certificate x509Certificate, PublicKey publicKey) {
        try {
            x509Certificate.verify(publicKey);
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            return false;
        }
    }
}
