package org.jetbrains.nativecerts.mac;

import com.sun.jna.Pointer;
import com.sun.jna.platform.mac.CoreFoundation;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Predicate;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.nativecerts.NativeTrustedRootsInternalUtils;
import org.jetbrains.nativecerts.mac.SecurityFramework;

/* loaded from: input_file:org/jetbrains/nativecerts/mac/SecurityFrameworkUtil.class */
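/**
 * Helpers that read certificates and their trust settings from the macOS Security framework
 * (through the JNA bindings in {@link SecurityFramework}) and convert them to
 * {@link X509Certificate} instances.
 *
 * <p>Every Core Foundation object obtained from a {@code ...Copy...} call is owned by this code
 * and is released exactly once, in a {@code finally} block.
 */
public class SecurityFrameworkUtil {
    private static final Logger LOGGER = Logger.getLogger(SecurityFrameworkUtil.class.getName());

    /**
     * Returns the certificates of the given trust settings domain that {@link #isTrustedRoot}
     * accepts.
     *
     * @param secTrustSettingsDomain trust settings domain to enumerate
     * @return the accepted certificates; empty when the domain has no trust settings
     * @throws IllegalStateException if the trust settings of the domain cannot be read
     */
    public static List<X509Certificate> getTrustedRoots(SecurityFramework.SecTrustSettingsDomain secTrustSettingsDomain) {
        List<X509Certificate> trustedRoots = SecTrustSettingsCopyCertificates(
                secTrustSettingsDomain,
                secCertificateRef -> isTrustedRoot(secTrustSettingsDomain, secCertificateRef));
        if (LOGGER.isLoggable(Level.FINE)) {
            StringBuilder message = new StringBuilder();
            message.append("Received ").append(trustedRoots.size())
                    .append(" certificates from trust settings domain ").append(secTrustSettingsDomain);
            for (X509Certificate certificate : trustedRoots) {
                message.append("\n  ").append(certificate.getSubjectDN());
            }
            LOGGER.fine(message.toString());
        }
        return trustedRoots;
    }

    /**
     * Lists the certificates that have trust settings in the given domain and keeps those
     * accepted by {@code predicate}.
     *
     * <p>A certificate that passes the predicate but cannot be converted to an
     * {@link X509Certificate} is logged and skipped. Exceptions thrown by the predicate itself
     * are not caught here and abort the enumeration.
     *
     * @param secTrustSettingsDomain trust settings domain to enumerate
     * @param predicate filter applied to every certificate reference before it is parsed
     * @return the parsed certificates; empty when the domain has no trust settings
     * @throws IllegalStateException if the Security framework reports any status other than
     *     success or "no trust settings"
     */
    @NotNull
    public static List<X509Certificate> SecTrustSettingsCopyCertificates(@NotNull SecurityFramework.SecTrustSettingsDomain secTrustSettingsDomain, Predicate<SecurityFramework.SecCertificateRef> predicate) {
        CFArrayRefByReference certificatesOut = new CFArrayRefByReference();
        SecurityFramework.OSStatus status = SecurityFramework.INSTANCE.SecTrustSettingsCopyCertificates(secTrustSettingsDomain, certificatesOut);
        if (SecurityFramework.OSStatus.errSecNoTrustSettings.equals(status)) {
            return Collections.emptyList();
        }
        if (!SecurityFramework.OSStatus.errSecSuccess.equals(status)) {
            throw new IllegalStateException("Getting trust settings for domain " + secTrustSettingsDomain + " failed: " + status);
        }
        CoreFoundation.CFArrayRef certificateRefs = certificatesOut.getArray();
        if (certificateRefs == null) {
            return Collections.emptyList();
        }
        try {
            List<X509Certificate> certificates = new ArrayList<>();
            int count = certificateRefs.getCount();
            for (int index = 0; index < count; index++) {
                SecurityFramework.SecCertificateRef secCertificateRef = new SecurityFramework.SecCertificateRef(certificateRefs.getValueAtIndex(index));
                if (!predicate.test(secCertificateRef)) {
                    continue;
                }
                try {
                    certificates.add(getX509Certificate(secCertificateRef));
                } catch (Throwable th) {
                    // One unparsable entry must not hide the remaining certificates.
                    LOGGER.warning(NativeTrustedRootsInternalUtils.renderExceptionMessage("Unable to parse certificate '" + describe(secCertificateRef) + "'", th));
                }
            }
            return certificates;
        } finally {
            certificateRefs.release();
        }
    }

    /**
     * Copies the encoded bytes of a native certificate and parses them.
     *
     * @throws IllegalStateException if the Security framework returns no data for the reference
     * @throws RuntimeException wrapping any exception raised while reading or parsing the data
     */
    private static X509Certificate getX509Certificate(SecurityFramework.SecCertificateRef secCertificateRef) {
        CoreFoundation.CFDataRef encoded = SecurityFramework.INSTANCE.SecCertificateCopyData(secCertificateRef);
        if (encoded == null) {
            // Previously this surfaced as a NullPointerException raised from the cleanup path.
            throw new IllegalStateException("SecCertificateCopyData returned no data");
        }
        try {
            byte[] bytes = encoded.getBytePtr().getByteArray(0L, encoded.getLength());
            return NativeTrustedRootsInternalUtils.parseCertificate(bytes);
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            encoded.release();
        }
    }

    /**
     * Returns the Core Foundation description of {@code ref} and releases the copied string,
     * which the caller owns.
     */
    private static String describe(CoreFoundation.CFTypeRef ref) {
        CoreFoundation.CFStringRef description = CoreFoundation.INSTANCE.CFCopyDescription(ref);
        if (description == null) {
            return "<no description>";
        }
        try {
            return description.stringValue();
        } finally {
            description.release();
        }
    }

    /**
     * Tells whether the certificate names itself as issuer and its signature verifies with its
     * own public key. Any verification failure is reported as {@code false}.
     */
    static boolean isSelfSignedCertificate(X509Certificate x509Certificate) {
        if (!x509Certificate.getSubjectX500Principal().equals(x509Certificate.getIssuerX500Principal())) {
            return false;
        }
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Tells whether the policy behind {@code policyPointer} carries the Apple SSL policy OID.
     * A policy whose properties or OID cannot be read does not match.
     */
    private static boolean isAppleSslPolicy(Pointer policyPointer) {
        CoreFoundation.CFDictionaryRef properties = SecurityFramework.INSTANCE.SecPolicyCopyProperties(new SecurityFramework.SecPolicyRef(policyPointer));
        if (properties == null) {
            return false;
        }
        try {
            Pointer oid = properties.getValue(SecurityFramework.kSecPolicyOid);
            return oid != null
                    && CoreFoundationExt.INSTANCE.CFEqual(SecurityFramework.kSecPolicyAppleSSL, new CoreFoundation.CFStringRef(oid));
        } finally {
            properties.release();
        }
    }

    /**
     * Decides whether the trust settings of {@code secCertificateRef} in the given domain mark it
     * as a trusted root.
     *
     * <p>The certificate is accepted when its trust settings array is empty, or when at least one
     * entry resolves to {@code kSecTrustSettingsResultTrustRoot} (the default when the entry has
     * no result key), the certificate is self-signed, and the entry holds no keys other than the
     * result, an allowed error, a policy name and a policy whose OID is the Apple SSL policy.
     * An entry with any other key is treated as a restriction this code does not understand and
     * does not grant trust.
     *
     * @return {@code true} if the certificate is accepted; {@code false} otherwise, including
     *     when the trust settings cannot be read
     * @throws RuntimeException if the certificate cannot be parsed
     */
    public static boolean isTrustedRoot(SecurityFramework.SecTrustSettingsDomain secTrustSettingsDomain, SecurityFramework.SecCertificateRef secCertificateRef) {
        boolean selfSigned = isSelfSignedCertificate(getX509Certificate(secCertificateRef));
        CFArrayRefByReference settingsOut = new CFArrayRefByReference();
        SecurityFramework.OSStatus status = SecurityFramework.INSTANCE.SecTrustSettingsCopyTrustSettings(secCertificateRef, secTrustSettingsDomain, settingsOut);
        CoreFoundation.CFArrayRef trustSettings = settingsOut.getArray();
        if (trustSettings == null) {
            return false;
        }
        // The array is released only here. The earlier code also released it right before each
        // return inside the try block, which released the same object twice.
        try {
            if (!SecurityFramework.OSStatus.errSecSuccess.equals(status)) {
                // Fail closed: never derive trust from the output of a call that reported an error.
                if (!SecurityFramework.OSStatus.errSecItemNotFound.equals(status)) {
                    LOGGER.warning("Getting trust settings for a certificate in domain " + secTrustSettingsDomain + " failed: " + status);
                }
                return false;
            }
            String certificateDescription = describe(secCertificateRef);
            if (LOGGER.isLoggable(Level.FINE)) {
                try {
                    LOGGER.fine("Certificate '" + certificateDescription + "' trusted settings:\n" + describe(trustSettings));
                } catch (Throwable th) {
                    LOGGER.warning(NativeTrustedRootsInternalUtils.renderExceptionMessage("Unable to describe certificate trusted settings", th));
                }
            }
            int entryCount = trustSettings.getCount();
            if (entryCount == 0) {
                // NOTE(review): this path accepts the certificate without consulting selfSigned,
                // unlike the per-entry path below - confirm that is intended.
                return true;
            }
            for (int index = 0; index < entryCount; index++) {
                CoreFoundation.CFDictionaryRef constraints = new CoreFoundation.CFDictionaryRef(trustSettings.getValueAtIndex(index));
                long totalKeys = CoreFoundationExt.INSTANCE.CFDictionaryGetCount(constraints).longValue();
                // Counts the keys of this entry that the checks below account for.
                long recognisedKeys = 0;

                SecurityFramework.SecTrustSettingsResult result;
                Pointer resultValue = constraints.getValue(SecurityFramework.kSecTrustSettingsResult);
                if (resultValue == null) {
                    result = SecurityFramework.SecTrustSettingsResult.kSecTrustSettingsResultTrustRoot;
                } else {
                    result = new SecurityFramework.SecTrustSettingsResult(new CoreFoundation.CFNumberRef(resultValue).longValue());
                    recognisedKeys++;
                }
                if (!result.equals(SecurityFramework.SecTrustSettingsResult.kSecTrustSettingsResultTrustRoot)) {
                    continue;
                }
                if (!selfSigned) {
                    LOGGER.warning("Certificate '" + certificateDescription + "' is not self-signed, skipping");
                    continue;
                }
                if (constraints.getValue(SecurityFramework.kSecTrustSettingsAllowedError) != null) {
                    recognisedKeys++;
                }
                if (constraints.getValue(SecurityFramework.kSecTrustSettingsPolicyName) != null) {
                    recognisedKeys++;
                }
                Pointer policyValue = constraints.getValue(SecurityFramework.kSecTrustSettingsPolicy);
                if (policyValue != null && isAppleSslPolicy(policyValue)) {
                    recognisedKeys++;
                }
                // Any key left unaccounted for means the entry is restricted in a way that is not
                // understood here, so it must not grant trust.
                if (totalKeys == recognisedKeys) {
                    return true;
                }
            }
            return false;
        } finally {
            trustSettings.release();
        }
    }
}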
