package com.helger.peppol.utils;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.annotation.Nonempty;
import com.helger.commons.annotation.ReturnsMutableCopy;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.string.ToStringGenerator;
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.annotation.Nonnull;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/peppol-commons-9.4.0.jar:com/helger/peppol/utils/TrustedCACertificates.class */
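/**
 * Mutable registry of X.509 certificates that are accepted as trusted
 * certificate authorities, together with the subject name of each entry.
 *
 * <p>Admission is decided only by the BasicConstraints {@code cA} flag (see
 * {@link #_isCA(X509Certificate)}). This class does not check the validity
 * period, the key usage, the signature or the revocation state of a
 * certificate; callers that need those guarantees must check them before
 * adding a certificate here.
 *
 * <p>The class performs no synchronization of its own.
 * NOTE(review): confirm external locking if an instance is shared between
 * threads that add or clear entries.
 */
public class TrustedCACertificates {
    private static final Logger LOGGER = LoggerFactory.getLogger(TrustedCACertificates.class);

    // Trusted CA certificates, in the order they were added.
    private final ICommonsList<X509Certificate> m_aCerts = new CommonsArrayList<>();
    // Subject principal of every certificate in m_aCerts; both lists are always modified together.
    private final ICommonsList<X500Principal> m_aIssuers = new CommonsArrayList<>();

    /**
     * Tells whether the certificate carries a BasicConstraints extension whose
     * {@code cA} flag is set.
     *
     * <p>The check fails closed: a missing extension, an extension that is not
     * an ASN.1 sequence, or one that cannot be parsed all yield {@code false}.
     *
     * @param x509Certificate the certificate to inspect, never {@code null}
     * @return {@code true} only if BasicConstraints is present and marks a CA
     */
    private static boolean _isCA(@Nonnull X509Certificate x509Certificate) {
        final byte[] extensionValue = x509Certificate.getExtensionValue(Extension.basicConstraints.getId());
        if (extensionValue == null) {
            // No BasicConstraints extension at all, so not a CA.
            return false;
        }
        try {
            final ASN1Primitive parsedValue = JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
            if (!(parsedValue instanceof ASN1Sequence)) {
                return false;
            }
            final BasicConstraints basicConstraints = BasicConstraints.getInstance((ASN1Sequence) parsedValue);
            return basicConstraints != null && basicConstraints.isCA();
        } catch (IOException e) {
            // Still rejected, but leave a trace: a malformed extension in a
            // certificate offered as a trust anchor is worth an operator's attention.
            LOGGER.warn("Failed to parse the BasicConstraints extension; certificate is not treated as a CA", e);
            return false;
        }
    }

    /**
     * Adds a certificate to the list of trusted CAs and records its subject
     * principal.
     *
     * @param x509Certificate the CA certificate to trust, never {@code null}
     * @throws IllegalArgumentException if the certificate is not flagged as a
     *         CA by its BasicConstraints extension, or if an equal certificate
     *         is already in the list
     */
    public void addTrustedCACertificate(@Nonnull X509Certificate x509Certificate) {
        ValueEnforcer.notNull(x509Certificate, "Certificate");
        if (!_isCA(x509Certificate)) {
            throw new IllegalArgumentException("The provided certificate does not seem to be a CA: " + x509Certificate);
        }
        if (this.m_aCerts.contains(x509Certificate)) {
            throw new IllegalArgumentException("Certificate is already trusted as a CA: " + x509Certificate);
        }
        this.m_aCerts.add(x509Certificate);
        this.m_aIssuers.add(x509Certificate.getSubjectX500Principal());
    }

    /**
     * Removes every trusted CA certificate and every recorded subject
     * principal. A warning is logged when at least one entry is removed,
     * because emptying the trust list is a security-relevant change; nothing
     * is logged when the list is already empty.
     */
    public void clearTrustedCACertificates() {
        if (this.m_aCerts.isEmpty()) {
            return;
        }
        LOGGER.warn("Explicitly removing all {} entries from the list of trusted CA certificates", this.m_aCerts.size());
        this.m_aCerts.clear();
        this.m_aIssuers.clear();
    }

    /**
     * Returns a copy of the trusted CA certificates; changing the returned
     * list does not change this object.
     *
     * <p>NOTE(review): the method is annotated {@code @Nonempty}, but the copy
     * is empty before the first certificate is added and after
     * {@link #clearTrustedCACertificates()}.
     *
     * @return a new list holding all trusted CA certificates, never {@code null}
     */
    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public ICommonsList<X509Certificate> getAllTrustedCACertificates() {
        return this.m_aCerts.getClone();
    }

    /**
     * Returns a copy of the subject principals of all trusted CA
     * certificates; changing the returned list does not change this object.
     *
     * <p>NOTE(review): the method is annotated {@code @Nonempty}, but the copy
     * is empty before the first certificate is added and after
     * {@link #clearTrustedCACertificates()}.
     *
     * @return a new list holding the subject principal of every trusted CA,
     *         never {@code null}
     */
    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public ICommonsList<X500Principal> getAllTrustedCAIssuers() {
        return this.m_aIssuers.getClone();
    }

    /**
     * Describes this object by the number of trusted certificates and the
     * list of their subject principals; the certificates themselves are not
     * printed.
     */
    @Override
    public String toString() {
        return new ToStringGenerator(null).append("Certs#", this.m_aCerts.size()).append("Issuers", this.m_aIssuers).getToString();
    }
}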
