package com.ibm.xml.soap.security.dsig;

import com.ibm.trl.util.Logger;
import com.ibm.ws.wssecurity.xss4j.dsig.XSignatureException;
import com.ibm.xml.soap.security.util.CertificateUtil;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.soap.Constants;
import org.apache.soap.SOAPException;
import org.w3c.dom.Element;

/* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/xml/soap/security/dsig/PKIXChecker.class */
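/**
 * Checks the certificate material carried in a signature's X509Data against a fixed set of
 * trust anchors by means of PKIX certification-path building.
 *
 * <p>The trust anchors are fixed at construction time and held in a {@link PKIXBuilderParameters}
 * template. Every {@link #check(Element)} call works on a clone of that template.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #check(Element)} fails closed: every path that does not return a key ends in a
 *       {@link SOAPException}.</li>
 *   <li>This class never changes the revocation setting of the parameters, so the JDK default
 *       applies unless a caller changes it through {@link #getTemplate()}.</li>
 *   <li>{@link #getTemplate()} hands out the live template, so any code that can reach it can
 *       alter the trust anchors used by later checks.</li>
 * </ul>
 */
final class PKIXChecker {
    /** Prototype parameters (trust anchors plus an empty selector); cloned for every check. */
    private final PKIXBuilderParameters template;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a checker whose trust anchors are taken from the given key store.
     *
     * @param keyStore the key store supplying the trust anchors
     * @throws SOAPException with fault code {@code Client} if the parameters cannot be built
     *     from the key store
     */
    public PKIXChecker(KeyStore keyStore) throws SOAPException {
        PKIXBuilderParameters params;
        try {
            params = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        } catch (InvalidAlgorithmParameterException e) {
            throw new SOAPException(Constants.FAULT_CODE_CLIENT, "Invalid KeyStore", e);
        } catch (KeyStoreException e) {
            throw new SOAPException(Constants.FAULT_CODE_CLIENT, "Invalid KeyStore", e);
        }
        // A null date means "validate against the current time"; check() sets an explicit date
        // on its clone anyway.
        params.setDate(null);
        this.template = params;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a checker whose trust anchors are the given certificates.
     *
     * @param set the trusted certificates; every element must be a non-null
     *     {@link X509Certificate}
     * @throws SOAPException with fault code {@code Client} if an element is null or not an
     *     {@code X509Certificate}, or if the parameters cannot be built from the set
     */
    public PKIXChecker(Set set) throws SOAPException {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        PKIXBuilderParameters params;
        try {
            for (Object candidate : set) {
                if (candidate == null) {
                    // TrustAnchor rejects a null certificate with an undeclared
                    // NullPointerException; report it as the declared fault like any other
                    // malformed entry.
                    throw new SOAPException(Constants.FAULT_CODE_CLIENT,
                            "Null certificate in trust anchor set",
                            new NullPointerException("trust anchor certificate"));
                }
                // No name constraints are attached to the anchor.
                anchors.add(new TrustAnchor((X509Certificate) candidate, null));
            }
            params = new PKIXBuilderParameters(anchors, new X509CertSelector());
        } catch (ClassCastException e) {
            throw new SOAPException(Constants.FAULT_CODE_CLIENT, "Unexpected class", e);
        } catch (InvalidAlgorithmParameterException e) {
            throw new SOAPException(Constants.FAULT_CODE_CLIENT, "Invalid algorithm parameter", e);
        }
        params.setDate(null);
        this.template = params;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tries each X509Data entry found under {@code element} in turn and returns the key of the
     * first one that validates.
     *
     * <p>When no entry validates, the failure of the last entry tried becomes the cause of the
     * thrown exception; failures of earlier entries are not reported. If there were no entries
     * at all the cause is {@code null}.
     *
     * @param element the element from which the X509Data entries are extracted
     * @return the key returned by the first entry that validates
     * @throws SOAPException with fault code {@code Client} and message {@code "Invalid certpath"}
     *     if no entry validates
     */
    public Key check(Element element) throws SOAPException {
        Exception lastFailure = null;
        try {
            PKIXBuilderParameters params = (PKIXBuilderParameters) this.template.clone();
            CertificateUtil.X509DataUtil[] candidates = CertificateUtil.getX509Data(element);
            Logger.normal("Calling CertificateUtil.verify()...", 0);
            for (CertificateUtil.X509DataUtil candidate : candidates) {
                try {
                    return check(element, params, candidate);
                } catch (XSignatureException e) {
                    lastFailure = causeOf(e);
                } catch (IOException e) {
                    lastFailure = e;
                }
            }
        } catch (XSignatureException e) {
            lastFailure = causeOf(e);
        }
        // Reached only on failure: a successful validation returns from inside the loop.
        Logger.normal("CertificateUtil.verify() Done.", 0);
        throw new SOAPException(Constants.FAULT_CODE_CLIENT, "Invalid certpath", lastFailure);
    }

    /**
     * Validates a single X509Data entry at the current time.
     *
     * <p>The same instant is used for the selector's validity test and for the path parameters.
     * {@code pKIXBuilderParameters} is modified in place, so callers pass a clone of the
     * template rather than the template itself.
     *
     * @param element not used by this method
     * @param pKIXBuilderParameters the parameters to configure and hand to the entry
     * @param x509DataUtil the entry to validate
     * @return whatever {@code x509DataUtil.validate} returns (presumably the validated
     *     certificate's public key; confirm against {@code CertificateUtil})
     * @throws XSignatureException propagated from the entry
     * @throws IOException propagated from the entry
     */
    Key check(Element element, PKIXBuilderParameters pKIXBuilderParameters, CertificateUtil.X509DataUtil x509DataUtil) throws XSignatureException, IOException {
        X509CertSelector selector = x509DataUtil.createSelector();
        Date now = new Date();
        selector.setCertificateValid(now);
        pKIXBuilderParameters.setDate(now);
        pKIXBuilderParameters.setTargetCertConstraints(selector);
        return x509DataUtil.validate(pKIXBuilderParameters);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the live parameter template, not a copy.
     *
     * <p>Changes made through the returned object (trust anchors, revocation setting, and so on)
     * affect every later {@link #check(Element)} call.
     *
     * @return the template that {@code check} clones
     */
    public PKIXBuilderParameters getTemplate() {
        return this.template;
    }

    /**
     * Picks the exception to report for a failed validation: the wrapped exception when there
     * is one, otherwise the {@code XSignatureException} itself so the reason is never dropped.
     */
    private static Exception causeOf(XSignatureException e) {
        Exception wrapped = e.getException();
        return wrapped != null ? wrapped : e;
    }
}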
