package no.digipost.security.cert;

import java.io.IOException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:no/digipost/security/cert/CertHelper.class */
final class CertHelper {
    /* JADX INFO: Access modifiers changed from: package-private */
    public static Optional<X509Certificate> findTrustAnchorCert(X509Certificate x509Certificate, Set<TrustAnchor> set) throws SignatureException {
        return findTrustAnchor(x509Certificate, set).map((v0) -> {
            return v0.getTrustedCert();
        });
    }

    static Optional<TrustAnchor> findTrustAnchor(X509Certificate x509Certificate, Set<TrustAnchor> set) throws SignatureException {
        PublicKey publicKey = null;
        X509CertSelector x509CertSelector = new X509CertSelector();
        X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal();
        try {
            x509CertSelector.setSubject(issuerX500Principal.getEncoded());
            for (TrustAnchor trustAnchor : set) {
                if (trustAnchor.getTrustedCert() != null) {
                    if (x509CertSelector.match(trustAnchor.getTrustedCert())) {
                        publicKey = trustAnchor.getTrustedCert().getPublicKey();
                    }
                } else if (trustAnchor.getCAName() != null && trustAnchor.getCAPublicKey() != null) {
                    try {
                        if (issuerX500Principal.equals(new X500Principal(trustAnchor.getCAName()))) {
                            publicKey = trustAnchor.getCAPublicKey();
                        }
                    } catch (IllegalArgumentException e) {
                    }
                }
                if (publicKey != null) {
                    try {
                        x509Certificate.verify(publicKey);
                        return Optional.of(trustAnchor);
                    } catch (Exception e2) {
                        throw new SignatureException("TrustAnchor found but certificate validation failed.", e2);
                    }
                }
            }
            return Optional.empty();
        } catch (IOException e3) {
            throw new SignatureException("Cannot set subject search criteria for trust anchor.", e3);
        }
    }

    private CertHelper() {
    }
}
