package net.fabricmc.loom.configuration.providers.minecraft.verify;

import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:net/fabricmc/loom/configuration/providers/minecraft/verify/CertificateChain.class */
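/**
 * A node in a tree of X.509 certificates linked from issuer to issued certificate.
 *
 * <p>The tree is assembled by {@link #getRoot(Collection)} purely from subject and issuer
 * distinguished names. Nothing in this type checks signatures, validity periods or revocation,
 * so a chain built here is only as trustworthy as the certificates it was built from. Trust has
 * to come from the caller, for example by comparing a chain against one loaded from a trusted
 * source with {@link #verifyChainMatches(CertificateChain)}.
 */
public interface CertificateChain {

    /* loaded from: input_file:net/fabricmc/loom/configuration/providers/minecraft/verify/CertificateChain$CertificateConsumer.class */
    /** Callback invoked for each certificate visited by {@link CertificateChain#visitAll}. */
    @FunctionalInterface
    public interface CertificateConsumer {
        void accept(X509Certificate x509Certificate) throws SignatureVerificationFailure;
    }

    /* loaded from: input_file:net/fabricmc/loom/configuration/providers/minecraft/verify/CertificateChain$Impl.class */
    /** Mutable tree node; instances are created and linked only by {@link CertificateChain#getRoot(Collection)}. */
    public static class Impl implements CertificateChain {
        X509Certificate certificate;

        // Null for the root of the tree.
        @Nullable
        Impl issuer;
        List<CertificateChain> children = new ArrayList<>();

        private Impl() {
        }

        @Override
        public X509Certificate certificate() {
            return this.certificate;
        }

        @Override
        @Nullable
        public CertificateChain issuer() {
            return this.issuer;
        }

        /** Returns the live internal list, not a copy. */
        @Override
        public List<CertificateChain> children() {
            return this.children;
        }

        /**
         * Walks this chain and the given chain downward in lock step and fails on the first
         * difference.
         *
         * <p>Certificates are compared with {@code equals}, and every node must have the same
         * number of children as its counterpart. Only linear chains are supported: a node with
         * more than one child is rejected rather than compared.
         *
         * @param certificateChain the chain to compare against, starting at the node that
         *     corresponds to this one
         * @throws SignatureVerificationFailure if a certificate or a child count differs
         * @throws UnsupportedOperationException if a node has more than one child
         */
        @Override
        public void verifyChainMatches(CertificateChain certificateChain) throws SignatureVerificationFailure {
            if (!certificate().equals(certificateChain.certificate())) {
                throw new SignatureVerificationFailure("Certificate mismatch: " + this + " != " + certificateChain);
            }
            if (children().size() != certificateChain.children().size()) {
                throw new SignatureVerificationFailure("Certificate mismatch: " + this + " has " + children().size() + " children, but " + certificateChain + " has " + certificateChain.children().size());
            }
            if (this.children.isEmpty()) {
                // Both chains end here (the sizes were just checked to be equal).
                return;
            }
            if (this.children.size() != 1) {
                // Fail closed: a branching chain is never reported as matching.
                throw new UnsupportedOperationException("Validating Certificate chain with multiple children is not supported");
            }
            this.children.get(0).verifyChainMatches(certificateChain.children().get(0));
        }

        /** Returns the subject distinguished name of this node's certificate. */
        @Override
        public String toString() {
            return this.certificate.getSubjectX500Principal().getName();
        }
    }

    /** Returns the certificate held by this node. */
    X509Certificate certificate();

    /** Returns the node whose certificate issued this one, or {@code null} for the root. */
    @Nullable
    CertificateChain issuer();

    /** Returns the nodes whose certificates name this node's certificate as their issuer. */
    List<CertificateChain> children();

    /**
     * Checks that this chain and the given chain hold equal certificates in the same structure.
     *
     * @param certificateChain the chain to compare against
     * @throws SignatureVerificationFailure if the chains differ
     */
    void verifyChainMatches(CertificateChain certificateChain) throws SignatureVerificationFailure;

    /**
     * Passes the certificate of the given node, and then of every descendant, to the consumer
     * (depth first, parent before children).
     *
     * @param certificateChain the node to start from
     * @param certificateConsumer receives each certificate; may throw to abort the walk
     * @throws SignatureVerificationFailure if the consumer throws it
     */
    static void visitAll(CertificateChain certificateChain, CertificateConsumer certificateConsumer) throws SignatureVerificationFailure {
        certificateConsumer.accept(certificateChain.certificate());
        for (CertificateChain child : certificateChain.children()) {
            visitAll(child, certificateConsumer);
        }
    }

    /**
     * Loads the certificates bundled as classpath resource {@code certs/<name>.cer} and returns
     * the root of the chain they form.
     *
     * @param str the resource base name; it is concatenated into the resource path unchanged
     * @return the root node of the loaded chain
     * @throws IOException if closing the resource stream fails
     * @throws RuntimeException if the resource is missing or cannot be parsed as X.509
     * @throws IllegalStateException if the certificates do not form a single-rooted chain
     */
    static CertificateChain getRoot(String str) throws IOException {
        // NOTE(review): str goes into the resource path as-is; presumably every caller passes
        // a build-time constant rather than external input. Confirm against the callers.
        String resourcePath = "certs/" + str + ".cer";
        // try-with-resources closes the stream on the failure paths as well as on success.
        try (InputStream resourceAsStream = JarVerifier.class.getClassLoader().getResourceAsStream(resourcePath)) {
            if (resourceAsStream == null) {
                // Report the missing trust anchor directly instead of relying on the parser to
                // reject a null stream.
                throw new RuntimeException("Failed to load certificate: " + str + " (resource " + resourcePath + " not found)");
            }
            List<X509Certificate> certificates = CertificateFactory.getInstance("X.509")
                    .generateCertificates(resourceAsStream)
                    .stream()
                    .map(X509Certificate.class::cast)
                    .toList();
            return getRoot(certificates);
        } catch (CertificateException e) {
            throw new RuntimeException("Failed to load certificate: " + str, e);
        }
    }

    /**
     * Arranges the given certificates into a tree by matching each certificate's issuer name to
     * another certificate's subject name, and returns the single root.
     *
     * <p>Linking is by distinguished name only. No signature is verified against the issuer's
     * public key and no validity period is checked, so the result must not be treated as a
     * validated chain on its own.
     *
     * @param collection the certificates to arrange
     * @return the one node that has no issuer within the collection
     * @throws IllegalStateException if an issuer is missing from the collection, or if the
     *     number of nodes without an issuer is not exactly one
     */
    static CertificateChain getRoot(Collection<X509Certificate> collection) {
        HashMap<String, Impl> nodesBySubject = new HashMap<>();
        for (X509Certificate x509Certificate : collection) {
            Impl node = new Impl();
            node.certificate = x509Certificate;
            // NOTE(review): two certificates with the same subject name collide here and the
            // later one silently replaces the earlier one. Consider rejecting duplicates if the
            // input can come from an untrusted source.
            nodesBySubject.put(x509Certificate.getSubjectX500Principal().getName(), node);
        }
        for (X509Certificate x509Certificate : collection) {
            String subjectName = x509Certificate.getSubjectX500Principal().getName();
            String issuerName = x509Certificate.getIssuerX500Principal().getName();
            if (subjectName.equals(issuerName)) {
                // Self-issued by name: a root candidate, left without an issuer link.
                continue;
            }
            Impl issuerNode = nodesBySubject.get(issuerName);
            Impl subjectNode = nodesBySubject.get(subjectName);
            // Defensive check kept from the original; the two names differ at this point, so
            // the lookups use different keys.
            if (issuerNode == subjectNode) {
                throw new IllegalStateException("Certificate " + subjectName + " is its own issuer");
            }
            if (issuerNode == null) {
                throw new IllegalStateException("Certificate " + subjectName + " defines issuer " + issuerName + " which is not in the chain");
            }
            issuerNode.children.add(subjectNode);
            subjectNode.issuer = issuerNode;
        }
        List<Impl> roots = nodesBySubject.values().stream().filter(node -> node.issuer == null).toList();
        if (roots.size() != 1) {
            throw new IllegalStateException("Expected exactly one root certificate, but found " + roots.size());
        }
        return roots.get(0);
    }
}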
