package org.eclipse.californium.scandium.dtls.x509;

import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateMessage;
import org.eclipse.californium.scandium.dtls.DTLSSession;
import org.eclipse.californium.scandium.dtls.HandshakeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes2.dex */
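/**
 * Certificate verifier that validates a peer's X.509 chain against a fixed set of root certificates.
 *
 * <p>The configured array selects one of three behaviours in {@link #verifyCertificate}:
 * <ul>
 *   <li>non-empty array: PKIX path validation with each entry used as a trust anchor;</li>
 *   <li>{@code null}: no trust anchors exist, {@link PKIXParameters} rejects the empty anchor set,
 *       and every handshake fails (fail-closed);</li>
 *   <li>empty array: validation is skipped entirely and every chain is accepted (trust-all).</li>
 * </ul>
 *
 * <p>Security notes for reviewers: the trust-all case is reached by nothing more than an empty array,
 * so a trust store that failed to load into a zero-length array silently disables peer authentication.
 * Revocation checking is disabled, so a revoked certificate that still chains to a configured root
 * passes. Nothing in this class compares the certificate subject with an expected peer identity.
 */
public class StaticCertificateVerifier implements CertificateVerifier {
    public static final Logger LOGGER = LoggerFactory.getLogger(StaticCertificateVerifier.class.getName());

    // NOTE(review): public reference to a mutable array; any holder can swap entries and thereby
    // change the trust anchors used by later handshakes. Kept public because callers may read it.
    public final X509Certificate[] rootCertificates;

    /**
     * Creates a verifier for the given roots.
     *
     * @param x509CertificateArr trusted root certificates; stored by reference, not copied.
     *        {@code null} rejects every peer, an empty array accepts every peer (see class comment).
     */
    public StaticCertificateVerifier(X509Certificate[] x509CertificateArr) {
        this.rootCertificates = x509CertificateArr;
    }

    /**
     * Wraps each certificate in a {@link TrustAnchor} without name constraints.
     *
     * @param x509CertificateArr certificates to trust, may be {@code null}
     * @return a new mutable set of trust anchors; empty when the argument is {@code null} or empty
     */
    public static Set<TrustAnchor> getTrustAnchors(X509Certificate[] x509CertificateArr) {
        // Typed set instead of the raw HashSet, so the compiler checks what goes into the anchor set.
        Set<TrustAnchor> anchors = new HashSet<>();
        if (x509CertificateArr != null) {
            for (X509Certificate root : x509CertificateArr) {
                anchors.add(new TrustAnchor(root, null));
            }
        }
        return anchors;
    }

    /**
     * Returns the configured root certificates.
     *
     * @return the same array instance that was passed to the constructor (may be {@code null})
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.rootCertificates;
    }

    /**
     * Validates the chain carried by the certificate message against the configured roots.
     *
     * @param certificateMessage handshake message holding the peer's certificate chain
     * @param dTLSSession session of the handshake; its peer address is put into the alert
     * @throws HandshakeException with a fatal {@code BAD_CERTIFICATE} alert when path validation
     *         fails or cannot be set up (including the {@code null} roots case)
     */
    @Override
    public void verifyCertificate(CertificateMessage certificateMessage, DTLSSession dTLSSession) throws HandshakeException {
        X509Certificate[] roots = this.rootCertificates;
        if (roots != null && roots.length == 0) {
            // Trust-all mode: leave a trace in the log so an accidentally empty trust store is detectable.
            LOGGER.debug("No root certificates configured (empty array), certificate chain accepted without validation");
            return;
        }
        try {
            // With null roots the anchor set is empty and this constructor throws, which fails the handshake.
            PKIXParameters pkixParameters = new PKIXParameters(getTrustAnchors(roots));
            // Revocation (CRL/OCSP) is not consulted; revoked certificates under a trusted root still validate.
            pkixParameters.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(certificateMessage.getCertificateChain(), pkixParameters);
        } catch (GeneralSecurityException e) {
            // Full stack trace only at trace level, the bare reason at debug level.
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Certificate validation failed", e);
            } else if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Certificate validation failed due to {}", e.getMessage());
            }
            AlertMessage alert = new AlertMessage(
                    AlertMessage.AlertLevel.FATAL,
                    AlertMessage.AlertDescription.BAD_CERTIFICATE,
                    dTLSSession.getPeer());
            throw new HandshakeException("Certificate chain could not be validated", alert, e);
        }
    }
}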
