package com.sshtools.common.knownhosts;

import com.sshtools.common.logger.Log;
import com.sshtools.common.ssh.SshException;
import com.sshtools.common.ssh.components.SshPublicKey;
import com.sshtools.common.ssh.components.SshX509PublicKey;
import com.sshtools.common.ssh.components.jce.JCEAlgorithms;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.Arrays;
import java.util.Set;

/* loaded from: input_file:com/sshtools/common/knownhosts/X509HostKeyVerification.class */
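/**
 * Host key verifier that accepts a server key only when it is an X.509 key whose
 * certificate chain validates under PKIX against a configured set of trust anchors.
 *
 * <p>NOTE(review): validation is limited to the chain itself. The host name handed to
 * {@link #verifyHost(String, SshPublicKey)} is never compared with the certificate's
 * subject or subject alternative names, so any certificate that chains to one of the
 * configured anchors is accepted for every host. With the default-truststore
 * constructor that means every CA in the JRE's {@code cacerts}. Deployments that need
 * host binding should supply a narrow anchor set through
 * {@link #X509HostKeyVerification(Set, boolean)} and/or add name matching on top of
 * this class.
 */
public class X509HostKeyVerification implements HostKeyVerification {
    /** PKIX validation parameters (trust anchors and revocation setting) used for every chain. */
    PKIXParameters params;

    /**
     * Builds a verifier that trusts the CAs in the running JRE's
     * {@code <java.home>/lib/security/cacerts} keystore.
     *
     * @param z whether PKIX revocation checking is enabled; passing {@code false}
     *          means revoked certificates are still accepted
     * @throws IOException if the keystore file cannot be opened or read
     * @throws KeyStoreException if the default keystore type is unavailable
     * @throws NoSuchAlgorithmException if the keystore integrity algorithm is unavailable
     * @throws CertificateException if a certificate in the keystore cannot be loaded
     * @throws InvalidAlgorithmParameterException if the keystore holds no trusted certificate entries
     */
    public X509HostKeyVerification(boolean z) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException, InvalidAlgorithmParameterException {
        // Only the literal suffix is converted; java.home already uses the platform separator.
        String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources: the stream was previously never closed, leaking a file
        // handle on every construction (including when load() failed).
        try (FileInputStream fileInputStream = new FileInputStream(cacertsPath)) {
            // "changeit" is the stock cacerts password; it only serves as the store's
            // integrity-check password here and is not a secret.
            keyStore.load(fileInputStream, "changeit".toCharArray());
        }
        this.params = new PKIXParameters(keyStore);
        this.params.setRevocationEnabled(z);
    }

    /**
     * Builds a verifier that trusts only the supplied anchors.
     *
     * @param set trust anchors that a server chain must terminate in
     * @param z whether PKIX revocation checking is enabled; passing {@code false}
     *          means revoked certificates are still accepted
     * @throws InvalidAlgorithmParameterException if {@code set} is empty
     */
    public X509HostKeyVerification(Set<TrustAnchor> set, boolean z) throws InvalidAlgorithmParameterException {
        this.params = new PKIXParameters(set);
        this.params.setRevocationEnabled(z);
    }

    /**
     * Decides whether the presented host key is acceptable.
     *
     * <p>Fails closed: a non-X.509 key, an empty chain, or any exception raised during
     * validation all produce {@code false}.
     *
     * @param str host name being connected to; NOTE(review): currently unused, so the
     *            certificate is not bound to this host
     * @param sshPublicKey key presented by the server
     * @return {@code true} only if the key is an {@link SshX509PublicKey} whose chain
     *         validates against the configured trust anchors
     * @throws SshException declared by the interface; not thrown by this implementation
     */
    @Override // com.sshtools.common.knownhosts.HostKeyVerification
    public boolean verifyHost(String str, SshPublicKey sshPublicKey) throws SshException {
        if (!(sshPublicKey instanceof SshX509PublicKey)) {
            return false;
        }
        try {
            return validateChain(((SshX509PublicKey) sshPublicKey).getCertificateChain());
        } catch (Exception e) {
            // Broad catch is deliberate: any validation failure must reject the host.
            Log.error("Failed to validate certificate chain", e, new Object[0]);
            return false;
        }
    }

    /**
     * Runs PKIX path validation over the given chain using {@link #params}.
     *
     * @param certificateArr chain as presented by the server
     * @return {@code true} if validation produced a result; {@code false} for a
     *         {@code null} or empty chain
     * @throws CertificateException if the chain cannot be turned into a certification path
     * @throws NoSuchAlgorithmException if the PKIX validator is unavailable
     * @throws CertPathValidatorException if the chain does not validate
     * @throws InvalidAlgorithmParameterException if the parameters are unsuitable for the validator
     */
    private boolean validateChain(Certificate[] certificateArr) throws CertificateException, NoSuchAlgorithmException, CertPathValidatorException, InvalidAlgorithmParameterException {
        // Reject explicitly rather than rely on the validator: a zero-length path may be
        // treated as trivially valid by a PKIX implementation, which would accept a key
        // that carries no certificate at all.
        if (certificateArr == null || certificateArr.length == 0) {
            return false;
        }
        // validate() signals failure by throwing, so a returned result means success.
        return CertPathValidator.getInstance("PKIX")
                .validate(CertificateFactory.getInstance(JCEAlgorithms.JCE_X509).generateCertPath(Arrays.asList(certificateArr)), this.params) != null;
    }
}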
