package gnu.crypto.pki.provider;

import gnu.crypto.der.OID;
import gnu.crypto.pki.GnuPKIExtension;
import gnu.crypto.pki.PolicyNodeImpl;
import gnu.crypto.pki.X509CRLSelectorImpl;
import gnu.crypto.pki.X509CertSelectorImpl;
import gnu.crypto.pki.X509CertificateBuilder;
import gnu.crypto.pki.ext.BasicConstraints;
import gnu.crypto.pki.ext.CertificatePolicies;
import gnu.crypto.pki.ext.Extension;
import gnu.crypto.pki.ext.PolicyConstraint;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:lib/gnu-crypto.jar:gnu/crypto/pki/provider/PKIXCertPathValidator.class */
public class PKIXCertPathValidator extends CertPathValidatorSpi {
    private static final boolean DEBUG = false;
    public static final String ANY_POLICY = "2.5.29.32.0";

    /**
     * Writes a diagnostic line to standard error, prefixed with the validator's tag.
     *
     * @param str the message text to print after the prefix
     */
    private static final void debug(String str) {
        System.err.println(">> PKIXCertPathValidator: " + str);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Validates an X.509 certification path against the trust anchors carried in the given
     * PKIX parameters and returns the matching anchor, the policy tree and the target's public key.
     *
     * <p>The path array is walked from its last element down to index 0. The last element is the
     * one verified with a trust anchor key, and index 0 supplies the public key in the result.
     *
     * <p>This listing is decompiler output (see the JADX warning above the method). Several
     * try/catch regions and null tests look mis-scoped; the inline NOTE(review) comments mark the
     * places where the code, as written here, accepts input that a validator would be expected
     * to reject. Confirm each against the original source or bytecode before relying on it.
     *
     * @param certPath the path to validate; must contain at least one certificate
     * @param certPathParameters must be a {@link PKIXParameters} instance
     * @return a {@link PKIXCertPathValidatorResult} for the first trust anchor that accepts the path
     * @throws CertPathValidatorException if the path is empty, any check fails, or no anchor accepts it
     * @throws InvalidAlgorithmParameterException if the parameters are not {@link PKIXParameters}
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        PublicKey cAPublicKey;
        DSAParams params;
        if (!(certPathParameters instanceof PKIXParameters)) {
            throw new InvalidAlgorithmParameterException("not a PKIXParameters object");
        }
        // Root of the policy tree: anyPolicy, non-critical, depth 0.
        PolicyNodeImpl policyNodeImpl = new PolicyNodeImpl();
        Set<String> initialPolicies = ((PKIXParameters) certPathParameters).getInitialPolicies();
        policyNodeImpl.setValidPolicy(ANY_POLICY);
        policyNodeImpl.setCritical(false);
        policyNodeImpl.setDepth(0);
        // NOTE(review): the JDK documents getInitialPolicies() as returning an empty set (never
        // null) to mean "any policy"; in that case this branch adds no expected policies and the
        // anyPolicy fallback below is not reached. Confirm how PolicyNodeImpl treats that.
        if (initialPolicies != null) {
            policyNodeImpl.addAllExpectedPolicies(initialPolicies);
        } else {
            policyNodeImpl.addExpectedPolicy(ANY_POLICY);
        }
        List<PKIXCertPathChecker> certPathCheckers = ((PKIXParameters) certPathParameters).getCertPathCheckers();
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (certificates == null || certificates.size() == 0) {
            throw new CertPathValidatorException();
        }
        try {
            // NOTE(review): storing a non-X.509 element into a typed array is reported by toArray
            // as ArrayStoreException, which the ClassCastException handler at the end of this
            // method does not catch. Confirm the intended handling of non-X.509 paths.
            X509Certificate[] x509CertificateArr = (X509Certificate[]) certificates.toArray(new X509Certificate[certificates.size()]);
            String sigProvider = ((PKIXParameters) certPathParameters).getSigProvider();
            // Key accepted for the previous (anchor-side) step; used for DSA parameter inheritance.
            PublicKey publicKey = null;
            // Validation time: the caller's date, or the current time when none is given.
            Date date = ((PKIXParameters) certPathParameters).getDate();
            if (date == null) {
                date = new Date();
            }
            // Holds {depth, requireExplicitPolicy} pairs gathered from policyConstraints extensions.
            LinkedList linkedList = new LinkedList();
            for (int length = x509CertificateArr.length - 1; length >= 0; length--) {
                try {
                    x509CertificateArr[length].checkValidity(date);
                    Collection<String> critExts = getCritExts(x509CertificateArr[length]);
                    Iterator<PKIXCertPathChecker> it = certPathCheckers.iterator();
                    while (it.hasNext()) {
                        try {
                            it.next().check(x509CertificateArr[length], critExts);
                        } catch (Exception e10) {
                            // NOTE(review): every exception from a caller-supplied checker is
                            // discarded, so a checker that rejects the certificate by throwing
                            // does not fail validation here.
                        }
                    }
                    // NOTE(review): critExts is not read again in this method after the checker
                    // loop, so critical extensions left unhandled do not cause a failure here.
                    PolicyConstraint policyConstraint = null;
                    if (x509CertificateArr[length] instanceof GnuPKIExtension) {
                        Extension extension = ((GnuPKIExtension) x509CertificateArr[length]).getExtension(PolicyConstraint.ID);
                        if (extension != null) {
                            policyConstraint = (PolicyConstraint) extension.getValue();
                        }
                    } else {
                        byte[] extensionValue = x509CertificateArr[length].getExtensionValue(PolicyConstraint.ID.toString());
                        if (extensionValue != null) {
                            try {
                                policyConstraint = new PolicyConstraint(extensionValue);
                            } catch (Exception e11) {
                                // A policyConstraints value that fails to parse is treated as absent.
                            }
                        }
                    }
                    if (policyConstraint != null && policyConstraint.getRequireExplicitPolicy() >= 0) {
                        linkedList.add(new int[]{x509CertificateArr.length - length, policyConstraint.getRequireExplicitPolicy()});
                    }
                    // Depth passed to the policy tree is 1 for the anchor-side certificate and grows toward index 0.
                    updatePolicyTree(x509CertificateArr[length], policyNodeImpl, x509CertificateArr.length - length, (PKIXParameters) certPathParameters, checkExplicitPolicy(x509CertificateArr.length - length, linkedList));
                    // Index 0 issues nothing further in this path, so the issuer-side checks below are skipped for it.
                    if (length == 0) {
                        break;
                    }
                    // The certificate at this index must be usable as a CA for the one at length - 1.
                    basicSanity(x509CertificateArr, length);
                    try {
                        PublicKey publicKey2 = x509CertificateArr[length].getPublicKey();
                        // A DSA key without its own domain parameters takes P, Q and G from the
                        // previously accepted key; with no such DSA key available the path is rejected.
                        if ((publicKey2 instanceof DSAPublicKey) && ((params = ((DSAPublicKey) publicKey2).getParams()) == null || params.getP() == null || params.getG() == null || params.getQ() == null)) {
                            if (publicKey == null) {
                                throw new InvalidKeyException("DSA keys not chainable");
                            }
                            if (!(publicKey instanceof DSAPublicKey)) {
                                throw new InvalidKeyException("DSA keys not chainable");
                            }
                            DSAParams params2 = ((DSAPublicKey) publicKey).getParams();
                            publicKey2 = new GnuDSAPublicKey(((DSAPublicKey) publicKey2).getY(), params2.getP(), params2.getQ(), params2.getG());
                        }
                        // Signature check: the certificate at length signs the one at length - 1.
                        if (sigProvider == null) {
                            x509CertificateArr[length - 1].verify(publicKey2);
                        } else {
                            x509CertificateArr[length - 1].verify(publicKey2, sigProvider);
                        }
                        publicKey = publicKey2;
                        // Name chaining: the issuer's subject DN must equal the issued certificate's issuer DN.
                        if (!x509CertificateArr[length].getSubjectDN().equals(x509CertificateArr[length - 1].getIssuerDN())) {
                            throw new CertPathValidatorException("issuer DN mismatch");
                        }
                        // Unique identifiers are compared only when both certificates carry one.
                        boolean[] issuerUniqueID = x509CertificateArr[length - 1].getIssuerUniqueID();
                        boolean[] subjectUniqueID = x509CertificateArr[length].getSubjectUniqueID();
                        if (issuerUniqueID != null && subjectUniqueID != null && !Arrays.equals(issuerUniqueID, subjectUniqueID)) {
                            throw new CertPathValidatorException("UID mismatch");
                        }
                        if (((PKIXParameters) certPathParameters).isRevocationEnabled()) {
                            // Collect every CRL in the configured stores whose issuer is this certificate's subject.
                            X509CRLSelectorImpl x509CRLSelectorImpl = new X509CRLSelectorImpl();
                            try {
                                x509CRLSelectorImpl.addIssuerName(x509CertificateArr[length].getSubjectDN());
                                List<CertStore> certStores = ((PKIXParameters) certPathParameters).getCertStores();
                                LinkedList<CRL> linkedList2 = new LinkedList();
                                Iterator<CertStore> it2 = certStores.iterator();
                                while (it2.hasNext()) {
                                    try {
                                        linkedList2.addAll(it2.next().getCRLs(x509CRLSelectorImpl));
                                    } catch (CertStoreException e12) {
                                        // A store that cannot be queried contributes no CRLs; the
                                        // empty-list and "could not be determined" checks below
                                        // still fail the path if nothing usable is found.
                                    }
                                }
                                if (linkedList2.isEmpty()) {
                                    throw new CertPathValidatorException("no CRLs for issuer");
                                }
                                // z10 records whether at least one CRL passed checkCRL.
                                boolean z10 = false;
                                for (CRL crl : linkedList2) {
                                    if (crl instanceof X509CRL) {
                                        X509CRL x509crl = (X509CRL) crl;
                                        if (!checkCRL(x509crl, x509CertificateArr, date, x509CertificateArr[length], publicKey2, certStores)) {
                                            continue;
                                        } else {
                                            if (x509crl.isRevoked(x509CertificateArr[length - 1])) {
                                                throw new CertPathValidatorException("certificate is revoked");
                                            }
                                            z10 = true;
                                        }
                                    }
                                }
                                // With revocation enabled, the absence of any usable CRL fails the path.
                                if (!z10) {
                                    throw new CertPathValidatorException("certificate's validity could not be determined");
                                }
                            } catch (IOException e13) {
                                throw new CertPathValidatorException("error selecting CRLs");
                            }
                        }
                    } catch (Exception e14) {
                        // Also catches the CertPathValidatorExceptions thrown above; they are
                        // re-created from toString(), so the original cause and stack are dropped.
                        throw new CertPathValidatorException(e14.toString());
                    }
                } catch (CertificateException e15) {
                    throw new CertPathValidatorException(e15.toString());
                }
            }
            policyNodeImpl.setReadOnly();
            // Last exception recorded while trying anchors; attached as the cause if none accepts the path.
            Exception exc = null;
            for (TrustAnchor trustAnchor : ((PKIXParameters) certPathParameters).getTrustAnchors()) {
                X509Certificate x509Certificate = null;
                if (trustAnchor.getTrustedCert() != null) {
                    x509Certificate = trustAnchor.getTrustedCert();
                    cAPublicKey = x509Certificate.getPublicKey();
                } else {
                    cAPublicKey = trustAnchor.getCAPublicKey();
                }
                if (cAPublicKey != null) {
                    // NOTE(review): the null test looks inverted. As written, checkValidity is
                    // called only when there is no trusted certificate (a NullPointerException that
                    // is caught and stored in exc), and a trusted certificate that is present never
                    // has its validity period checked against date. The try region is probably
                    // mis-scoped by the decompiler as well; confirm against the original.
                    if (x509Certificate == null) {
                        try {
                            x509Certificate.checkValidity(date);
                        } catch (Exception e16) {
                            exc = e16;
                        }
                    }
                    // NOTE(review): as decompiled, this verify call sits outside any handler for
                    // its checked exceptions, so a signature mismatch would not fall through to
                    // the next anchor. Confirm against the original.
                    x509CertificateArr[x509CertificateArr.length - 1].verify(cAPublicKey);
                    // An anchor certificate whose path length constraint is non-negative and
                    // smaller than the path length is skipped; otherwise the anchor is accepted.
                    if (x509Certificate == null || x509Certificate.getBasicConstraints() < 0 || x509Certificate.getBasicConstraints() >= x509CertificateArr.length) {
                        if (((PKIXParameters) certPathParameters).isRevocationEnabled()) {
                            X509CRLSelectorImpl x509CRLSelectorImpl2 = new X509CRLSelectorImpl();
                            if (x509Certificate != null) {
                                try {
                                    x509CRLSelectorImpl2.addIssuerName(x509Certificate.getSubjectDN());
                                } catch (IOException e17) {
                                    // NOTE(review): on failure the selector is left without an
                                    // issuer name and is still used for the CRL query below.
                                }
                            } else {
                                x509CRLSelectorImpl2.addIssuerName(trustAnchor.getCAName());
                            }
                            List<CertStore> certStores2 = ((PKIXParameters) certPathParameters).getCertStores();
                            LinkedList<CRL> linkedList3 = new LinkedList();
                            Iterator<CertStore> it3 = certStores2.iterator();
                            while (it3.hasNext()) {
                                try {
                                    linkedList3.addAll(it3.next().getCRLs(x509CRLSelectorImpl2));
                                } catch (CertStoreException e18) {
                                    // A store that cannot be queried contributes no CRLs.
                                }
                            }
                            // NOTE(review): unlike the per-certificate revocation step in the loop
                            // above, an empty CRL list here is not an error; the anchor-issued
                            // certificate is accepted without any revocation information.
                            if (!linkedList3.isEmpty()) {
                                for (CRL crl2 : linkedList3) {
                                    if (crl2 instanceof X509CRL) {
                                        X509CRL x509crl2 = (X509CRL) crl2;
                                        try {
                                            x509crl2.verify(cAPublicKey);
                                            Date nextUpdate = x509crl2.getNextUpdate();
                                            if (nextUpdate == null || nextUpdate.compareTo(date) >= 0) {
                                                if (x509crl2.isRevoked(x509CertificateArr[x509CertificateArr.length - 1])) {
                                                    throw new CertPathValidatorException("certificate is revoked");
                                                }
                                            }
                                        } catch (Exception e19) {
                                            // NOTE(review): this handler also catches the
                                            // "certificate is revoked" exception thrown just above,
                                            // so as written a revoked verdict from the anchor's CRL
                                            // does not stop validation. Confirm against the original.
                                        }
                                    }
                                }
                            }
                        }
                        return new PKIXCertPathValidatorResult(trustAnchor, policyNodeImpl, x509CertificateArr[0].getPublicKey());
                    }
                }
            }
            // No anchor accepted the path.
            CertPathValidatorException certPathValidatorException = new CertPathValidatorException("path validation failed");
            if (exc != null) {
                certPathValidatorException.initCause(exc);
            }
            throw certPathValidatorException;
        } catch (ClassCastException e20) {
            throw new CertPathValidatorException("invalid certificate path");
        }
    }

    /**
     * Decides whether a CRL may be used for revocation checking by finding a key that verifies
     * its signature.
     *
     * <p>Three sources are tried in order: a certificate in the path whose subject is the CRL
     * issuer, the given issuer certificate with the given key, and finally certificates fetched
     * from the stores whose subject is the CRL issuer and which chain to a path certificate.
     * Failures at each step are swallowed and the next source is tried; any unexpected exception
     * in the store lookup yields {@code false}.
     *
     * @param x509crl the CRL under consideration
     * @param x509CertificateArr the certification path
     * @param date the validation time compared with the CRL's nextUpdate
     * @param x509Certificate the certificate expected to have issued the CRL
     * @param publicKey the key to use with {@code x509Certificate} (the caller passes the key it
     *        verified the next certificate with)
     * @param list the cert stores to search; elements are cast to {@link CertStore}
     * @return {@code true} if a signer for the CRL was found and its signature verified
     */
    private static final boolean checkCRL(X509CRL x509crl, X509Certificate[] x509CertificateArr, Date date, X509Certificate x509Certificate, PublicKey publicKey, List list) {
        boolean[] keyUsage;
        boolean[] keyUsage2;
        Date nextUpdate = x509crl.getNextUpdate();
        // A CRL past its nextUpdate, or with a critical extension that is not supported, is unusable.
        // Only nextUpdate is compared with date in this method.
        if ((nextUpdate != null && nextUpdate.compareTo(date) < 0) || x509crl.hasUnsupportedCriticalExtension()) {
            return false;
        }
        // 1) A path certificate named as the CRL issuer; keyUsage bit 6 (cRLSign) must be set when keyUsage is present.
        for (int i10 = 0; i10 < x509CertificateArr.length; i10++) {
            if (x509CertificateArr[i10].getSubjectDN().equals(x509crl.getIssuerDN()) && ((keyUsage2 = x509CertificateArr[i10].getKeyUsage()) == null || keyUsage2[6])) {
                try {
                    x509crl.verify(x509CertificateArr[i10].getPublicKey());
                    return true;
                } catch (Exception e10) {
                    // Signature did not verify with this candidate; keep looking.
                }
            }
        }
        // 2) The supplied issuer certificate, verified with the supplied key.
        if (x509crl.getIssuerDN().equals(x509Certificate.getSubjectDN())) {
            try {
                boolean[] keyUsage3 = x509Certificate.getKeyUsage();
                // The bare Exception is used only to jump to the empty handler below when cRLSign is not asserted.
                if (keyUsage3 != null && !keyUsage3[6]) {
                    throw new Exception();
                }
                x509crl.verify(publicKey);
                return true;
            } catch (Exception e11) {
                // Not usable as CRL signer; fall through to the store lookup.
            }
        }
        // 3) Certificates from the stores whose subject is the CRL issuer.
        try {
            X509CertSelectorImpl x509CertSelectorImpl = new X509CertSelectorImpl();
            x509CertSelectorImpl.addSubjectName(x509crl.getIssuerDN());
            LinkedList<X509Certificate> linkedList = new LinkedList();
            Iterator it = list.iterator();
            while (it.hasNext()) {
                try {
                    linkedList.addAll(((CertStore) it.next()).getCertificates(x509CertSelectorImpl));
                } catch (CertStoreException e12) {
                    // A store that cannot be queried contributes no candidates.
                }
            }
            for (X509Certificate x509Certificate2 : linkedList) {
                for (int i11 = 0; i11 < x509CertificateArr.length; i11++) {
                    // The candidate must be issued by a path certificate and, when keyUsage is present, assert cRLSign.
                    if (x509Certificate2.getIssuerDN().equals(x509CertificateArr[i11].getSubjectDN()) && ((keyUsage = x509Certificate2.getKeyUsage()) == null || keyUsage[6])) {
                        try {
                            x509Certificate2.verify(x509CertificateArr[i11].getPublicKey());
                            x509crl.verify(x509Certificate2.getPublicKey());
                            return true;
                        } catch (Exception e13) {
                            // Candidate or CRL signature did not verify; try the next pairing.
                        }
                    }
                }
                // NOTE(review): both signatures are verified here but no value is returned on
                // success, and neither keyUsage nor the candidate's validity period is checked;
                // a failure jumps to the outer handler and returns false. Confirm against the
                // original whether a "return true" was lost in decompilation.
                if (x509Certificate2.getIssuerDN().equals(x509Certificate.getSubjectDN())) {
                    x509Certificate2.verify(publicKey);
                    x509crl.verify(x509Certificate2.getPublicKey());
                }
            }
            return false;
        } catch (Exception e14) {
            return false;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
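    /**
     * Collects the critical extension OIDs of a certificate into a new mutable set, which
     * engineValidate hands to each {@code PKIXCertPathChecker}.
     *
     * <p>The two branches differ: for a {@code GnuPKIExtension} certificate only critical
     * extensions reported as unsupported are included, while for any other implementation every
     * critical extension OID is included.
     *
     * @param x509Certificate the certificate to inspect
     * @return a new set of OID strings; empty when the certificate has no critical extensions
     */
    private static final Set getCritExts(X509Certificate x509Certificate) {
        Set<String> unresolved = new HashSet<String>();
        if (x509Certificate instanceof GnuPKIExtension) {
            for (Extension extension : ((GnuPKIExtension) x509Certificate).getExtensions()) {
                if (extension.isCritical() && !extension.isSupported()) {
                    unresolved.add(extension.getOid().toString());
                }
            }
        } else {
            // getCriticalExtensionOIDs() returns null when the certificate carries no extensions
            // at all; passing that to addAll would raise a NullPointerException that the
            // validator's handlers do not translate into a CertPathValidatorException.
            Set<String> critical = x509Certificate.getCriticalExtensionOIDs();
            if (critical != null) {
                unresolved.addAll(critical);
            }
        }
        return unresolved;
    }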

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Checks that the certificate at index {@code i10} may act as a CA for the certificates
     * below it in the path: basicConstraints must be present with the CA flag set, the path
     * length constraint must not be exceeded, and keyUsage (when present) must allow
     * certificate signing.
     *
     * @param x509CertificateArr the certification path
     * @param i10 index of the issuing certificate to check
     * @throws CertPathValidatorException if any of the checks fails
     */
    private static final void basicSanity(X509Certificate[] x509CertificateArr, int i10) throws CertPathValidatorException {
        // Decompiler artifact (see the JADX warning): the declared type does not match the array
        // element type. The value is the certificate at index i10.
        X509CertificateBuilder x509CertificateBuilder = x509CertificateArr[i10];
        // Counts the certificates at indices i10 - 1 down to 1 whose issuer and subject differ
        // (i.e. that are not self-issued); index 0 is not counted.
        int i11 = 0;
        for (int i12 = i10 - 1; i12 > 0; i12--) {
            if (!x509CertificateArr[i12].getIssuerDN().equals(x509CertificateArr[i12].getSubjectDN())) {
                i11++;
            }
        }
        Extension extension = null;
        if (x509CertificateBuilder instanceof GnuPKIExtension) {
            extension = x509CertificateBuilder.getExtension(BasicConstraints.ID);
        } else {
            try {
                extension = new Extension(x509CertificateBuilder.getExtensionValue(BasicConstraints.ID.toString()));
            } catch (Exception e10) {
                // A missing or unparseable extension leaves extension null, which is rejected below.
            }
        }
        // An issuing certificate without basicConstraints is rejected rather than assumed to be a CA.
        if (extension == null) {
            throw new CertPathValidatorException("no basicConstraints");
        }
        BasicConstraints basicConstraints = (BasicConstraints) extension.getValue();
        if (!basicConstraints.isCA()) {
            throw new CertPathValidatorException("certificate cannot be used to verify signatures");
        }
        // A negative path length constraint is treated as "no limit".
        if (basicConstraints.getPathLengthConstraint() >= 0 && basicConstraints.getPathLengthConstraint() < i11) {
            throw new CertPathValidatorException("path is too long");
        }
        // keyUsage bit 5 is keyCertSign; an absent keyUsage extension places no restriction.
        boolean[] keyUsage = x509CertificateBuilder.getKeyUsage();
        if (keyUsage != null && !keyUsage[5]) {
            throw new CertPathValidatorException("certificate cannot be used to sign certificates");
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Extends the policy tree by one level for the given certificate.
     *
     * <p>Nodes at depth {@code i10 - 1} are collected, and for each of them a child is added for
     * every policy in the certificate's certificatePolicies extension that the node expects
     * (directly, through anyPolicy in the node's expected set, or because the policy itself is
     * anyPolicy). If no child was added and an explicit policy is required, validation fails.
     *
     * @param x509Certificate the certificate being processed
     * @param policyNodeImpl the root of the policy tree
     * @param i10 the depth of the level being built
     * @param pKIXParameters supplies the anyPolicy-inhibited and explicit-policy-required flags
     * @param z10 whether a policy constraint seen earlier in the path now requires an explicit policy
     * @throws CertPathValidatorException if no policy matched while an explicit policy is required
     */
    private static final void updatePolicyTree(X509Certificate x509Certificate, PolicyNodeImpl policyNodeImpl, int i10, PKIXParameters pKIXParameters, boolean z10) throws CertPathValidatorException {
        List policyQualifierInfos;
        Extension extension;
        // Nodes found at depth i10 - 1, i.e. the parents of the level being built.
        HashSet<PolicyNodeImpl> hashSet = new HashSet();
        // Depth-first walk of the tree using an explicit stack of iterators instead of recursion.
        LinkedList linkedList = new LinkedList();
        linkedList.addLast(Collections.singleton(policyNodeImpl).iterator());
        do {
            Iterator it = (Iterator) linkedList.removeLast();
            while (it.hasNext()) {
                PolicyNodeImpl policyNodeImpl2 = (PolicyNodeImpl) it.next();
                if (policyNodeImpl2.getDepth() == i10 - 1) {
                    hashSet.add(policyNodeImpl2);
                } else {
                    // Save the position at this level and descend into the node's children.
                    linkedList.addLast(it);
                    it = policyNodeImpl2.getChildren();
                }
            }
        } while (!linkedList.isEmpty());
        // NOTE(review): policies are read only from GnuPKIExtension certificates; any other
        // X509Certificate implementation is treated here as asserting no policies.
        CertificatePolicies certificatePolicies = null;
        if ((x509Certificate instanceof GnuPKIExtension) && (extension = ((GnuPKIExtension) x509Certificate).getExtension(CertificatePolicies.ID)) != null) {
            certificatePolicies = (CertificatePolicies) extension.getValue();
        }
        List<OID> policies = certificatePolicies != null ? certificatePolicies.getPolicies() : Collections.EMPTY_LIST;
        // Set once any child node is added; it is never reset between policies or parent nodes.
        boolean z11 = false;
        for (PolicyNodeImpl policyNodeImpl3 : hashSet) {
            for (OID oid : policies) {
                // anyPolicy in the certificate is ignored when the parameters inhibit it.
                if (!oid.toString().equals(ANY_POLICY) || !pKIXParameters.isAnyPolicyInhibited()) {
                    PolicyNodeImpl policyNodeImpl4 = new PolicyNodeImpl();
                    policyNodeImpl4.setValidPolicy(oid.toString());
                    policyNodeImpl4.addExpectedPolicy(oid.toString());
                    if (policyNodeImpl3.getExpectedPolicies().contains(oid.toString())) {
                        policyNodeImpl3.addChild(policyNodeImpl4);
                        z11 = true;
                    } else if (policyNodeImpl3.getExpectedPolicies().contains(ANY_POLICY)) {
                        policyNodeImpl3.addChild(policyNodeImpl4);
                        z11 = true;
                    } else if (ANY_POLICY.equals(oid.toString())) {
                        policyNodeImpl3.addChild(policyNodeImpl4);
                        z11 = true;
                    }
                    // Because z11 is sticky, qualifiers may also be attached to a node that was
                    // not added as a child in this iteration.
                    if (z11 && certificatePolicies != null && (policyQualifierInfos = certificatePolicies.getPolicyQualifierInfos(oid)) != null) {
                        policyNodeImpl4.addAllPolicyQualifiers(policyQualifierInfos);
                    }
                }
            }
        }
        if (z11) {
            return;
        }
        // Nothing matched: this is an error only when an explicit policy is demanded, either by
        // the parameters or by a policy constraint seen earlier in the path.
        if (pKIXParameters.isExplicitPolicyRequired() || z10) {
            throw new CertPathValidatorException("policy tree building failed");
        }
    }

    /**
     * Reports whether any recorded policy constraint has come into force at the given depth.
     *
     * <p>Each list element is an {@code int[]} pair; engineValidate stores the depth at which the
     * constraint was seen in slot 0 and its requireExplicitPolicy value in slot 1.
     *
     * @param i10 the current depth in the path
     * @param list the recorded pairs; every element must be an {@code int[]} of length two
     * @return {@code true} if, for some pair, the distance from slot 0 to {@code i10} is at least slot 1
     */
    private final boolean checkExplicitPolicy(int i10, List list) {
        for (Object entry : list) {
            int[] constraint = (int[]) entry;
            int seenAtDepth = constraint[0];
            int skipCerts = constraint[1];
            if (i10 - seenAtDepth >= skipCerts) {
                return true;
            }
        }
        return false;
    }
}
