package com.helger.smpclient.security;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.security.certificate.CertificateHelper;
import com.helger.security.keystore.ConstantKeySelectorResult;
import com.helger.security.keystore.EKeyStoreType;
import com.helger.security.keystore.KeyStoreHelper;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import javax.annotation.Nonnull;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/peppol-smp-client-8.1.7.jar:com/helger/smpclient/security/TrustStoreBasedX509KeySelector.class */
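/**
 * XML-DSig {@link KeySelector} that accepts a signer certificate only if it
 * validates (PKIX) against a configured trust store.
 * <p>
 * The {@link KeyInfo} handed to {@link #select} comes from the signed document
 * and is therefore attacker-controlled. The trust decision rests entirely on
 * the PKIX validation against the trust store.
 * <p>
 * Security notes for reviewers:
 * <ul>
 * <li>Revocation checking is disabled during path validation, so a revoked but
 * unexpired certificate is still accepted here.</li>
 * <li>Only the single embedded certificate is put on the certification path,
 * so its issuer has to be a trust anchor in the trust store.</li>
 * <li>{@link #algorithmEquals} only checks that the signature algorithm URI
 * fits the key family. It does not reject weak digests such as SHA-1 or
 * RIPEMD-160.</li>
 * </ul>
 */
public final class TrustStoreBasedX509KeySelector extends KeySelector {
    private static final Logger LOGGER = LoggerFactory.getLogger(TrustStoreBasedX509KeySelector.class);

    // Signature algorithm URIs accepted per JCA public key algorithm name.
    // NOTE(review): the lists include SHA-1 and RIPEMD-160 based URIs; digest
    // strength policy is not enforced by this class.
    private static final String[] DSA_SIGNATURE_URIS = {
        "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
        "http://www.w3.org/2009/xmldsig11#dsa-sha256"
    };
    private static final String[] RSA_SIGNATURE_URIS = {
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
        "http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
        "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1",
        "http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1",
        "http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1",
        "http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1",
        "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1"
    };
    private static final String[] EC_SIGNATURE_URIS = {
        "http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160",
        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224",
        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
    };

    // Trust anchors used for PKIX validation; assigned once in a constructor.
    private final KeyStore m_aTrustStore;

    /**
     * Loads the trust store from the given location.
     *
     * @param eKeyStoreType
     *        Trust store type. May not be <code>null</code>.
     * @param str
     *        Trust store path. May not be <code>null</code>.
     * @param str2
     *        Trust store password. May not be <code>null</code>. It is never
     *        logged or put into an exception message.
     * @throws IllegalArgumentException
     *         if the trust store cannot be loaded; the underlying exception is
     *         attached as the cause.
     * @deprecated Marked deprecated in the original class; the alternative
     *             visible here is {@link #TrustStoreBasedX509KeySelector(KeyStore)}.
     */
    @Deprecated
    public TrustStoreBasedX509KeySelector(@Nonnull EKeyStoreType eKeyStoreType, @Nonnull String str, @Nonnull String str2) {
        ValueEnforcer.notNull(eKeyStoreType, "TrustStoreType");
        ValueEnforcer.notNull(str, "TrustStorePath");
        ValueEnforcer.notNull(str2, "TrustStorePassword");
        final KeyStore aLoadedTrustStore;
        try {
            aLoadedTrustStore = KeyStoreHelper.loadKeyStoreDirect(eKeyStoreType, str, str2);
        } catch (IOException | GeneralSecurityException e) {
            // Keep the cause: without it a wrong password, a missing file and a
            // corrupt store are indistinguishable when diagnosing the failure.
            throw new IllegalArgumentException("Failed to load truststore '" + str + "' of type " + eKeyStoreType, e);
        }
        this.m_aTrustStore = aLoadedTrustStore;
        LOGGER.debug("Loaded truststore '{}' of type {}", str, eKeyStoreType);
    }

    /**
     * Uses an already loaded trust store.
     *
     * @param keyStore
     *        Trust store holding the trust anchors. May not be
     *        <code>null</code>.
     */
    public TrustStoreBasedX509KeySelector(@Nonnull KeyStore keyStore) {
        ValueEnforcer.notNull(keyStore, "TrustStore");
        this.m_aTrustStore = keyStore;
    }

    /**
     * Checks whether an XML-DSig signature algorithm URI is compatible with a
     * JCA public key algorithm name. Both comparisons ignore case. A mismatch is
     * logged as a warning.
     * <p>
     * This is a key-family compatibility check only, not a strength policy:
     * URIs based on SHA-1 and RIPEMD-160 are accepted.
     *
     * @param str
     *        Signature algorithm URI taken from the signature. May not be
     *        <code>null</code>.
     * @param str2
     *        JCA public key algorithm name ("DSA", "RSA" or "EC"). May not be
     *        <code>null</code>.
     * @return <code>true</code> if the URI is one of the URIs accepted for that
     *         key algorithm, <code>false</code> otherwise.
     */
    public static boolean algorithmEquals(@Nonnull String str, @Nonnull String str2) {
        final String[] aAcceptedUris;
        if (str2.equalsIgnoreCase("DSA")) {
            aAcceptedUris = DSA_SIGNATURE_URIS;
        } else if (str2.equalsIgnoreCase("RSA")) {
            aAcceptedUris = RSA_SIGNATURE_URIS;
        } else if (str2.equalsIgnoreCase("EC")) {
            aAcceptedUris = EC_SIGNATURE_URIS;
        } else {
            aAcceptedUris = null;
        }
        if (aAcceptedUris != null && _equalsAnyIgnoreCase(str, aAcceptedUris)) {
            return true;
        }
        LOGGER.warn("Algorithm mismatch between JCA/JCE public key algorithm name ('{}') and signature algorithm URI ('{}')", str2, str);
        return false;
    }

    /** Returns true if sValue equals one of aCandidates, ignoring case. */
    private static boolean _equalsAnyIgnoreCase(final String sValue, final String[] aCandidates) {
        for (final String sCandidate : aCandidates) {
            if (sValue.equalsIgnoreCase(sCandidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Selects the verification key from the first embedded X.509 certificate
     * that is currently valid, validates against the trust store and whose key
     * algorithm fits the signature algorithm.
     * <p>
     * A certificate that fails the validity or PKIX check aborts the selection
     * with an exception; later certificates are not tried. A certificate whose
     * key algorithm does not fit the signature algorithm is skipped.
     *
     * @param keyInfo
     *        KeyInfo element of the signature (untrusted input). May not be
     *        <code>null</code>.
     * @param purpose
     *        Not evaluated by this implementation.
     * @param algorithmMethod
     *        Signature algorithm of the signature. May not be <code>null</code>.
     * @param xMLCryptoContext
     *        Not evaluated by this implementation.
     * @return The selector result wrapping the certificate's public key.
     * @throws KeySelectorException
     *         if a certificate fails validation or no usable certificate is
     *         contained.
     */
    @Override
    public KeySelectorResult select(@Nonnull KeyInfo keyInfo, KeySelector.Purpose purpose, @Nonnull AlgorithmMethod algorithmMethod, XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
        // Iterate as Object: KeyInfo may also carry KeyName, KeyValue etc.
        // Typing the loop variable as X509Data would throw a
        // ClassCastException on those before the instanceof check is reached.
        for (final Object aKeyInfoItem : keyInfo.getContent()) {
            if (!(aKeyInfoItem instanceof X509Data)) {
                continue;
            }
            for (final Object aX509Item : ((X509Data) aKeyInfoItem).getContent()) {
                if (!(aX509Item instanceof X509Certificate)) {
                    continue;
                }
                final X509Certificate x509Certificate = (X509Certificate) aX509Item;
                try {
                    // Reject expired / not-yet-valid certificates up front
                    x509Certificate.checkValidity();
                    final X509Certificate[] x509CertificateArr = {x509Certificate};
                    final PKIXParameters pKIXParameters = new PKIXParameters(this.m_aTrustStore);
                    // NOTE(review): revocation (CRL/OCSP) is deliberately not
                    // checked here, so a revoked certificate that is still
                    // inside its validity period passes. Deployments that need
                    // revocation must verify it separately.
                    pKIXParameters.setRevocationEnabled(false);
                    // Throws if the certificate does not chain to a trust anchor
                    CertPathValidator.getInstance("PKIX").validate(CertificateHelper.getX509CertificateFactory().generateCertPath(new CommonsArrayList<X509Certificate>(x509CertificateArr)), pKIXParameters);
                    final PublicKey publicKey = x509Certificate.getPublicKey();
                    if (algorithmEquals(algorithmMethod.getAlgorithm(), publicKey.getAlgorithm())) {
                        return new ConstantKeySelectorResult(publicKey);
                    }
                } catch (Exception e) {
                    throw new KeySelectorException("Failed to select public key from certificate " + x509Certificate, e);
                }
            }
        }
        throw new KeySelectorException("No public key found!");
    }
}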
