package com.tomtom.navcloud.common.security;

import com.tomtom.navcloud.common.Logger;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.annotation.CheckForNull;
import javax.annotation.ParametersAreNonnullByDefault;

@ParametersAreNonnullByDefault
/* loaded from: classes2.dex */
public class X509CertificateChainNormaliser {
    private final Logger logger;
    private final TrustedRootsData trustedRootsData;

    public X509CertificateChainNormaliser(TrustedRootsData trustedRootsData, Logger logger) {
        this.trustedRootsData = trustedRootsData;
        this.logger = logger;
    }

    @CheckForNull
    private X509Certificate getImplicitRootParent(X509Certificate x509Certificate) {
        return this.trustedRootsData.getTrustedRootsMap().get(x509Certificate.getIssuerX500Principal());
    }

    private boolean isTrustedRoot(X509Certificate x509Certificate) {
        return this.trustedRootsData.getIdentities().contains(SubjectPublicKeyInfo.valueOf(x509Certificate));
    }

    private boolean isValidLink(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (!x509Certificate.getSubjectX500Principal().equals(x509Certificate2.getIssuerX500Principal())) {
            this.logger.info("Certificate encountered that is not part of trust chain: " + x509Certificate2);
            return false;
        }
        try {
            x509Certificate2.verify(x509Certificate.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            this.logger.warn("Certificate signature is incorrect: " + x509Certificate2, e);
            return false;
        }
    }

    public List<X509Certificate> normalise(X509Certificate... x509CertificateArr) throws CertificateException {
        ArrayList arrayList = new ArrayList();
        X509Certificate x509Certificate = null;
        boolean z = false;
        for (X509Certificate x509Certificate2 : x509CertificateArr) {
            if (x509Certificate == null || isValidLink(x509Certificate2, x509Certificate)) {
                if (isTrustedRoot(x509Certificate2)) {
                    z = true;
                }
                arrayList.add(x509Certificate2);
                x509Certificate = x509Certificate2;
            }
        }
        if (!z && x509Certificate != null) {
            X509Certificate implicitRootParent = getImplicitRootParent(x509Certificate);
            if (implicitRootParent == null || !isValidLink(implicitRootParent, x509Certificate)) {
                throw new CertificateException("Certificate chain contains no trusted authority.");
            }
            arrayList.add(implicitRootParent);
        }
        return Collections.unmodifiableList(arrayList);
    }
}
