package de.authada.eid.core.tls;

import de.authada.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import de.authada.org.bouncycastle.cert.X509CertificateHolder;
import de.authada.org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import de.authada.org.bouncycastle.est.jcajce.JsseDefaultHostnameAuthorizer;
import de.authada.org.bouncycastle.jce.provider.BouncyCastleProvider;
import de.authada.org.bouncycastle.tls.SignatureAlgorithm;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/* loaded from: classes2.dex */
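/**
 * Checks a TLS peer certificate against the host name this validator was created for.
 *
 * <p>{@link #validate} runs three checks: host-name match, validity period at the current time,
 * and public-key type/strength. No certification-path building, trust-anchor or revocation check
 * is performed in this class.
 * NOTE(review): trust in the certificate itself is presumably established elsewhere - confirm
 * against the caller before relying on this class as the only gate.
 *
 * <p>Every rejection is reported as an {@link IOException}.
 */
class CertificateValidator {
    // Values compared against SignatureAlgorithm.getClientCertificateType(); 1 and 64 are the
    // TLS ClientCertificateType code points for rsa_sign and ecdsa_sign.
    private static final short CERT_TYPE_RSA_SIGN = 1;
    private static final short CERT_TYPE_ECDSA_SIGN = 64;

    // Smallest RSA modulus, in bits, that validateKey accepts.
    private static final int MIN_RSA_MODULUS_BITS = 2048;

    private final String hostName;

    // NOTE(review): the authorizer is built with an empty known-suffix set, so it has no
    // public-suffix entries to reject broad wildcard certificates against - confirm this is intended.
    private final JsseDefaultHostnameAuthorizer jsseDefaultHostnameAuthorizer = new JsseDefaultHostnameAuthorizer(Collections.emptySet());

    /**
     * @param str host name the peer certificate must match
     */
    public CertificateValidator(String str) {
        this.hostName = str;
    }

    /**
     * Rejects the certificate unless the host-name authorizer accepts it for {@code hostName}.
     *
     * @throws IOException if the authorizer reports a mismatch (or fails itself)
     */
    private void validateHostname(X509Certificate x509Certificate) throws IOException {
        if (!this.jsseDefaultHostnameAuthorizer.verify(this.hostName, x509Certificate)) {
            throw new IOException("Hostname validation failed");
        }
    }

    /**
     * Converts the certificate to a JCA {@link X509Certificate} and runs the host-name,
     * validity-period and key checks, in that order.
     *
     * @param authadaTlsCertificate certificate presented by the TLS peer
     * @throws IOException if the certificate cannot be converted or any check rejects it
     */
    public void validate(AuthadaTlsCertificate authadaTlsCertificate) throws IOException {
        try {
            X509Certificate certificate = new JcaX509CertificateConverter()
                    .setProvider(new BouncyCastleProvider())
                    .getCertificate(new X509CertificateHolder(authadaTlsCertificate.getCertificate()));
            validateHostname(certificate);
            validateValidityPeriod(certificate);
            validateKey(authadaTlsCertificate);
        } catch (CertificateException e10) {
            throw new IOException("Failed to convert to x509certificate", e10);
        }
    }

    /**
     * Accepts only RSA keys with a modulus of at least {@value #MIN_RSA_MODULUS_BITS} bits and
     * EC keys whose named curve is listed in {@code TlsUtils.VALID_CERT_CURVES}; every other
     * certificate type is rejected.
     *
     * @param authadaTlsCertificate certificate presented by the TLS peer
     * @throws IOException if the key type, size or curve is not accepted
     */
    public void validateKey(AuthadaTlsCertificate authadaTlsCertificate) throws IOException {
        short clientCertificateType = SignatureAlgorithm.getClientCertificateType(authadaTlsCertificate.getLegacySignatureAlgorithm());
        boolean accepted;
        if (clientCertificateType == CERT_TYPE_RSA_SIGN) {
            accepted = authadaTlsCertificate.getPubKeyRSA().getModulus().bitLength() >= MIN_RSA_MODULUS_BITS;
        } else if (clientCertificateType == CERT_TYPE_ECDSA_SIGN) {
            accepted = hasAllowedCurve(authadaTlsCertificate);
        } else {
            accepted = false;
        }
        if (!accepted) {
            throw new IOException("Unsupported Public Key");
        }
    }

    /**
     * Returns whether the key's algorithm parameters name a curve from the allow-list.
     * Absent parameters and parameters that are not an object identifier (for example
     * explicitly specified curve parameters) count as not allowed.
     */
    private static boolean hasAllowedCurve(AuthadaTlsCertificate authadaTlsCertificate) {
        final ASN1ObjectIdentifier curveOid;
        try {
            curveOid = ASN1ObjectIdentifier.getInstance(
                    authadaTlsCertificate.getCertificate().getSubjectPublicKeyInfo().getAlgorithm().getParameters());
        } catch (IllegalArgumentException ignored) {
            // getInstance rejects a non-OID value with an unchecked exception; the certificate is
            // peer-supplied, so treat that as an unsupported key instead of letting it escape.
            return false;
        }
        // Explicit null guard: getInstance passes null through, and not every Set tolerates contains(null).
        return curveOid != null && TlsUtils.VALID_CERT_CURVES.contains(curveOid);
    }

    /**
     * Checks that the current time lies within the certificate's notBefore/notAfter window.
     *
     * @throws IOException if the certificate has expired or is not yet valid
     */
    public void validateValidityPeriod(X509Certificate x509Certificate) throws IOException {
        try {
            x509Certificate.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e10) {
            throw new IOException("Certificate is not valid", e10);
        }
    }
}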
