package com.rsa.cryptoj.f;

import com.rsa.cryptoj.f.C0600sj;
import com.rsa.jcp.OCSPResponderConfig;
import com.rsa.jcp.OCSPWithRespondersParameters;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:META-INF/lib/cryptoj-5.0.1-FIPS.jar:com/rsa/cryptoj/f/kT.class */
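/**
 * Checks a certificate's revocation status by querying OCSP responders.
 *
 * <p>This source was recovered by a decompiler from an obfuscated jar, so identifiers carry no
 * meaning. Where a comment says what an obfuscated helper ({@code hS.*}, {@code uT},
 * {@code C0600sj}, {@code C0192hb}, {@code InterfaceC0439mk.*}) represents, that is inferred from
 * how this class uses it and should be confirmed against the library documentation.
 *
 * <p>Instances carry mutable state: the last failure reason (see {@link #a()}) and the {@code s}
 * flag are rewritten during a check, and nothing in this class synchronizes those writes.
 */
public class kT implements InterfaceC0439mk {
    // Multiplier applied to the configured time tolerance; presumably seconds -> milliseconds (confirm).
    private static final int l = 1000;
    // HTTP header names and content type. No decompiled method below references them; presumably
    // they are used by the transport method that JADX failed to decompile.
    private static final String m = "Content-length";
    private static final String n = "application/ocsp-request";
    private static final String o = "Content-type";
    // Source of cert stores and trust anchors used to find and validate a responder certificate.
    // May be null: the single-argument constructor passes null.
    private final PKIXParameters p;
    // Configured responders (OCSPResponderConfig elements); may be null.
    private final List q;
    // "Override AIA": when true the responder URLs found in the certificate are not queried.
    private final boolean r;
    // "Supplement AIA": when true the configured responders are queried; forced on when r is set.
    private boolean s;
    // Reason recorded by the most recent failed step; reported in the final exception message.
    private String t;
    // Opaque library context handed to every helper object.
    private final C0160fx u;

    /** Creates a checker with no PKIX parameters and no configured responders. */
    public kT(C0160fx c0160fx) {
        this(c0160fx, null, null, false, false);
    }

    /** Creates a checker that only uses the responder URLs found in the certificate. */
    public kT(C0160fx c0160fx, PKIXParameters pKIXParameters) {
        this(c0160fx, pKIXParameters, null, false, false);
    }

    /**
     * Creates a checker with a single configured responder. The certificate's own responder URLs
     * are overridden when that configuration carries a URL.
     */
    public kT(C0160fx c0160fx, PKIXParameters pKIXParameters, OCSPResponderConfig oCSPResponderConfig) {
        this(c0160fx, pKIXParameters, Arrays.asList(oCSPResponderConfig), oCSPResponderConfig.getOCSPResponderURL() != null, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Creates a checker from a responder list plus its override/supplement AIA switches. */
    public kT(C0160fx c0160fx, PKIXParameters pKIXParameters, OCSPWithRespondersParameters oCSPWithRespondersParameters) {
        this(c0160fx, pKIXParameters, oCSPWithRespondersParameters.getResponderConfigurations(), oCSPWithRespondersParameters.isOverrideAIAEnabled(), oCSPWithRespondersParameters.isSupplementAIAEnabled());
    }

    private kT(C0160fx c0160fx, PKIXParameters pKIXParameters, List list, boolean z, boolean z2) {
        this.u = c0160fx;
        this.p = pKIXParameters;
        this.q = list;
        this.r = z;
        this.s = z2;
    }

    /**
     * Determines the revocation status of {@code x509Certificate} and returns normally only when a
     * responder's validated answer reports status 0.
     *
     * <p>Responders named in the certificate are tried first (unless the override flag is set),
     * then the configured responders (when the supplement flag is set). A responder that gives no
     * response, or whose response fails validation, is skipped.
     *
     * @param x509Certificate certificate whose status is requested
     * @param uTVar issuer information for that certificate (key, name, trust anchor) - inferred
     * @param date time against which the response's validity window is checked
     * @throws CertPathValidatorException if a responder reports the certificate revoked (status 1),
     *     reports status 2, or no responder yields a usable answer
     */
    @Override // com.rsa.cryptoj.f.InterfaceC0439mk
    public void a(X509Certificate x509Certificate, uT uTVar, Date date) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        // Responder URLs read from an extension of the certificate under check (hS.cv / hS.de are
        // presumably Authority Information Access and its OCSP access method - confirm).
        // NOTE(review): these URLs are chosen by whoever issued the certificate being validated,
        // so for untrusted input the outbound request target is attacker-influenced unless the
        // override flag is set; constrain egress or pin responders where that matters.
        ArrayList<String> urlsFromCert = new ArrayList<>();
        AbstractC0360jm a2 = vZ.a(x509Certificate, hS.cv);
        int a3 = a2 == null ? 0 : a2.a();
        for (int i = 0; i < a3; i++) {
            AbstractC0360jm a4 = a2.a(i);
            if (a4.a(0).equals(hS.de.c())) {
                urlsFromCert.add(new C0652uh(a4.a(1)).c());
            }
        }
        // Overriding the certificate's URLs implies the configured responders must be used.
        if (!this.s && this.r) {
            this.s = true;
        }
        // Working copy: the lookup helper removes entries from it as they are consumed.
        ArrayList<OCSPResponderConfig> remainingConfigs = new ArrayList<>();
        if (this.q != null) {
            remainingConfigs.addAll(this.q);
        }
        // NOTE(review): t is never cleared at the start of a check, so a reason recorded by an
        // earlier call can still be reported by this one.
        if (!this.r && !this.s && urlsFromCert.isEmpty()) {
            this.t = "No OCSP responders are configured.";
        }
        if (!this.r) {
            for (String str : urlsFromCert) {
                OCSPResponderConfig a5 = a(str, uTVar, remainingConfigs);
                C0192hb c0192hb2 = new C0192hb(this.u, x509Certificate, uTVar.b(), a5);
                byte[] a6 = a(c0192hb2, str, a5.getOCSPProxy());
                if (a6 == null) {
                    continue;
                }
                C0600sj c0600sj = new C0600sj(this.u, a6);
                if (!a(c0192hb2, c0600sj, a5, uTVar, date)) {
                    continue;
                }
                C0600sj.a b = c0600sj.b(c0192hb2.b());
                // NOTE(review): unlike the configured-responder loop below, a status outside 0..2
                // is not rejected here; the loop simply moves on to the next URL. Confirm which
                // of the two behaviours is intended.
                switch (b.f()) {
                    case 0:
                        return;
                    case 1:
                        throw new C0722wx("Certificate revoked on " + b.e() + " for reason: " + gB.e.get(b.c()));
                    case 2:
                        this.t = InterfaceC0439mk.d;
                        throw new CertPathValidatorException(InterfaceC0439mk.b);
                }
            }
        }
        if (this.s) {
            for (OCSPResponderConfig oCSPResponderConfig : remainingConfigs) {
                String oCSPResponderURL = oCSPResponderConfig.getOCSPResponderURL();
                if (oCSPResponderURL == null) {
                    continue;
                }
                C0192hb c0192hb = new C0192hb(this.u, x509Certificate, uTVar.b(), oCSPResponderConfig);
                byte[] a = a(c0192hb, oCSPResponderURL, oCSPResponderConfig.getOCSPProxy());
                if (a == null) {
                    continue;
                }
                C0600sj c0600sj2 = new C0600sj(this.u, a);
                if (!a(c0192hb, c0600sj2, oCSPResponderConfig, uTVar, date)) {
                    continue;
                }
                C0600sj.a b2 = c0600sj2.b(c0192hb.b());
                switch (b2.f()) {
                    case 0:
                        return;
                    case 1:
                        throw new C0722wx("Certificate revoked on " + b2.e() + " for reason: " + gB.e.get(b2.c()));
                    case 2:
                        this.t = InterfaceC0439mk.d;
                        throw new CertPathValidatorException(InterfaceC0439mk.b);
                    default:
                        throw new CertPathValidatorException(InterfaceC0439mk.k);
                }
            }
        }
        // No responder produced an accepted answer: fail closed.
        if (this.t == null) {
            this.t = "No OCSP Responder URLs specified.";
        }
        throw new CertPathValidatorException("Could not determine revocation status: " + this.t);
    }

    /**
     * Validates a parsed responder answer against the request that produced it.
     *
     * <p>Checks run in this order: the response's own acceptance flag; selection of the signer key
     * (a configured trusted responder certificate, else the issuer itself, else a delegated
     * responder certificate); a check of the response against that key (presumably signature
     * verification); a check against a value from the request (possibly the nonce - confirm);
     * presence of an entry for the requested certificate; and the entry's time window.
     *
     * @return {@code true} if every check passes; otherwise {@code false} with the reason stored
     *     in {@code t}
     */
    private boolean a(C0192hb c0192hb, C0600sj c0600sj, OCSPResponderConfig oCSPResponderConfig, uT uTVar, Date date) {
        PublicKey publicKey;
        if (!c0600sj.c()) {
            this.t = c0600sj.d();
            return false;
        }
        X509Certificate trustedResponderCert = oCSPResponderConfig.getTrustedResponderCert();
        if (trustedResponderCert != null) {
            // A configured responder certificate must be the one the response identifies.
            if (!c0600sj.a(trustedResponderCert)) {
                this.t = InterfaceC0439mk.f;
                return false;
            }
            publicKey = trustedResponderCert.getPublicKey();
        } else if (c0600sj.a(uTVar)) {
            // The response identifies the issuer itself as the responder.
            publicKey = uTVar.b();
        } else {
            // Delegated responder: its certificate must be issued under the same issuer name,
            // carry the expected extended key usage (hS.dc, presumably OCSP signing - confirm),
            // and chain to the issuer.
            X509Certificate a = a(c0600sj);
            if (a == null) {
                this.t = InterfaceC0439mk.i;
                return false;
            }
            if (!a.getIssuerX500Principal().equals(uTVar.c())) {
                this.t = InterfaceC0439mk.j;
                return false;
            }
            List<String> list;
            try {
                list = a.getExtendedKeyUsage();
            } catch (CertificateParsingException e) {
                // Return here so this diagnostic is not overwritten by the generic reason below.
                this.t = "Certificate contained invalid extension: " + e.getMessage();
                return false;
            }
            if (list == null || !list.contains(hS.dc.toString())) {
                this.t = InterfaceC0439mk.j;
                return false;
            }
            // The responder certificate's own revocation is checked only when it lacks the hS.cF
            // extension (presumably the OCSP "no check" marker - confirm) and the configuration
            // enables responder revocation checking.
            boolean checkResponderRevocation = vZ.a(a, hS.cF) == null && oCSPResponderConfig.isResponderRevocationCheckingEnabled();
            if (!a(a, uTVar, checkResponderRevocation)) {
                return false;
            }
            publicKey = a.getPublicKey();
        }
        if (!c0600sj.a(publicKey)) {
            this.t = InterfaceC0439mk.h;
            return false;
        }
        if (!c0600sj.a(c0192hb.c())) {
            this.t = InterfaceC0439mk.g;
            return false;
        }
        C0600sj.a b = c0600sj.b(c0192hb.b());
        if (b == null) {
            this.t = InterfaceC0439mk.e;
            return false;
        }
        // Widen before multiplying so a large configured tolerance cannot wrap if the getter
        // returns an int.
        long toleranceMillis = (long) oCSPResponderConfig.getTimeTolerance() * l;
        // b.a() is presumably thisUpdate: reject an answer dated later than the check time.
        if (new Date(b.a().getTime() - toleranceMillis).after(date)) {
            this.t = InterfaceC0439mk.a;
            return false;
        }
        // b.b() is presumably nextUpdate: reject an answer that has expired.
        // NOTE(review): when b.b() is absent the answer is accepted with no upper bound on its
        // age; callers that need freshness must enforce a maximum age themselves.
        if (b.b() != null && new Date(b.b().getTime() + toleranceMillis).before(date)) {
            this.t = InterfaceC0439mk.c;
            return false;
        }
        return true;
    }

    /**
     * Finds the certificate the response identifies as its responder: first among the
     * certificates carried in the response, then in the configured stores and trust anchors.
     *
     * @return the matching certificate, or {@code null} if none is found
     */
    private X509Certificate a(C0600sj c0600sj) {
        for (Object candidate : c0600sj.b()) {
            X509Certificate embedded = (X509Certificate) candidate;
            if (c0600sj.a(embedded)) {
                return embedded;
            }
        }
        return b(c0600sj);
    }

    /**
     * Looks for the responder certificate in the PKIX parameters' cert stores and trust anchors.
     *
     * <p>The result is only a candidate: the caller still applies the issuer, key-usage, path and
     * response checks before the certificate's key is trusted.
     *
     * @return a matching certificate, or {@code null} if none is found or no PKIX parameters were
     *     supplied
     */
    private X509Certificate b(C0600sj c0600sj) {
        // Constructors allow null PKIX parameters; report "not found" instead of dereferencing it.
        if (this.p == null) {
            return null;
        }
        X500Principal a = c0600sj.a();
        List<CertStore> certStores = this.p.getCertStores();
        if (a == null) {
            // The response does not name its responder: test every stored certificate against it.
            for (CertStore store : certStores) {
                try {
                    for (Certificate certificate : store.getCertificates(new X509CertSelector())) {
                        if ((certificate instanceof X509Certificate) && c0600sj.a((X509Certificate) certificate)) {
                            return (X509Certificate) certificate;
                        }
                    }
                } catch (CertStoreException ignored) {
                    // Best effort: a store that cannot be read is skipped.
                }
            }
            return null;
        }
        for (TrustAnchor anchor : this.p.getTrustAnchors()) {
            X509Certificate trustedCert = anchor.getTrustedCert();
            if (trustedCert != null && c0600sj.a(trustedCert)) {
                return trustedCert;
            }
        }
        X509CertSelector x509CertSelector = new X509CertSelector();
        try {
            x509CertSelector.setSubject(a.getEncoded());
        } catch (IOException e3) {
            return null;
        }
        for (CertStore store : certStores) {
            try {
                // The result is read inside the try so a failed lookup can never leave it unset.
                Collection<? extends Certificate> certificates = store.getCertificates(x509CertSelector);
                if (!certificates.isEmpty()) {
                    return (X509Certificate) certificates.iterator().next();
                }
            } catch (CertStoreException ignored) {
                // Best effort: a store that cannot be read is skipped.
            }
        }
        return null;
    }

    /**
     * Builds a certification path from a delegated responder certificate to the issuer's trust
     * anchor.
     *
     * @param x509Certificate delegated responder certificate
     * @param uTVar issuer information supplying the trust anchor
     * @param z whether revocation checking is enabled for this path build
     * @return {@code true} if a path was built; otherwise {@code false} with the reason stored in
     *     {@code t}
     */
    private boolean a(X509Certificate x509Certificate, uT uTVar, boolean z) {
        // Fail closed with a diagnostic rather than dereferencing absent PKIX parameters.
        if (this.p == null) {
            this.t = "Could not validate delegated responder certificate: no PKIX parameters available";
            return false;
        }
        try {
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setSubject(x509Certificate.getSubjectX500Principal().getEncoded());
            // The issuer is the only trust anchor, so the path must end at it.
            HashSet hashSet = new HashSet();
            if (uTVar.a() != null) {
                hashSet.add(uTVar.a());
            } else {
                hashSet.add(new TrustAnchor(uTVar.d(), null));
            }
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(hashSet, x509CertSelector);
            CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(x509Certificate)), com.rsa.jsafe.provider.b.a(this.u));
            pKIXBuilderParameters.setCertStores(this.p.getCertStores());
            // Added once; the original registered the same store twice.
            pKIXBuilderParameters.addCertStore(certStore);
            pKIXBuilderParameters.setRevocationEnabled(z);
            new oR(this.u).engineBuild(pKIXBuilderParameters);
            return true;
        } catch (IOException e) {
            this.t = "Could not validate delegated responder certificate: " + e.getMessage();
            return false;
        } catch (GeneralSecurityException e2) {
            this.t = "Could not validate delegated responder certificate: " + e2.getMessage();
            return false;
        }
    }

    /**
     * Chooses the responder configuration to use for a URL taken from the certificate.
     *
     * <p>A configuration whose own URL equals {@code str} wins outright and is removed from
     * {@code list}, so it is not queried a second time later. Otherwise the first URL-less
     * configuration in each of four classes is cloned and given {@code str} as its URL, and the
     * best class wins: trusted responder certificate matching the issuer, then one issued under
     * the issuer's name, then any trusted responder certificate, then none. If nothing applies, a
     * fresh configuration for {@code str} is returned.
     */
    private OCSPResponderConfig a(String str, uT uTVar, List list) {
        OCSPResponderConfig[] oCSPResponderConfigArr = new OCSPResponderConfig[4];
        for (int i = 0; i < list.size(); i++) {
            OCSPResponderConfig oCSPResponderConfig = (OCSPResponderConfig) list.get(i);
            if (oCSPResponderConfig.getOCSPResponderURL() == null) {
                X509Certificate trustedResponderCert = oCSPResponderConfig.getTrustedResponderCert();
                if (trustedResponderCert != null && uTVar.a(trustedResponderCert) && oCSPResponderConfigArr[0] == null) {
                    oCSPResponderConfigArr[0] = (OCSPResponderConfig) oCSPResponderConfig.clone();
                    oCSPResponderConfigArr[0].setResponderURL(str);
                } else if (trustedResponderCert != null && trustedResponderCert.getIssuerX500Principal().equals(uTVar.c()) && oCSPResponderConfigArr[1] == null) {
                    oCSPResponderConfigArr[1] = (OCSPResponderConfig) oCSPResponderConfig.clone();
                    oCSPResponderConfigArr[1].setResponderURL(str);
                } else if (trustedResponderCert != null && oCSPResponderConfigArr[2] == null) {
                    oCSPResponderConfigArr[2] = (OCSPResponderConfig) oCSPResponderConfig.clone();
                    oCSPResponderConfigArr[2].setResponderURL(str);
                } else if (trustedResponderCert == null && oCSPResponderConfigArr[3] == null) {
                    oCSPResponderConfigArr[3] = (OCSPResponderConfig) oCSPResponderConfig.clone();
                    oCSPResponderConfigArr[3].setResponderURL(str);
                }
            } else if (oCSPResponderConfig.getOCSPResponderURL().equals(str)) {
                // Safe to mutate while indexing: the method returns immediately afterwards.
                list.remove(oCSPResponderConfig);
                return oCSPResponderConfig;
            }
        }
        for (OCSPResponderConfig candidate : oCSPResponderConfigArr) {
            if (candidate != null) {
                return candidate;
            }
        }
        return new OCSPResponderConfig(str);
    }

    /*  JADX ERROR: JadxRuntimeException in pass: BlockProcessor
        jadx.core.utils.exceptions.JadxRuntimeException: Unreachable block: B:14:0x0195
        	at jadx.core.dex.visitors.blocks.BlockProcessor.checkForUnreachableBlocks(BlockProcessor.java:88)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.processBlocksTree(BlockProcessor.java:52)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.visit(BlockProcessor.java:44)
        */
    /**
     * Placeholder for a method the decompiler could not recover; this body always throws.
     *
     * <p>Callers in this class pass a request object, a responder URL and a proxy value, and treat
     * a {@code null} result as "no response from this responder".
     *
     * <p>NOTE(review): with the body missing, the transport cannot be reviewed from this listing;
     * timeouts, response size limits and redirect handling must be checked in the original class.
     */
    public byte[] a(com.rsa.cryptoj.f.C0192hb r8, java.lang.String r9, java.lang.String r10) {
        /*
            Method dump skipped, instructions count: 409
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.rsa.cryptoj.f.kT.a(com.rsa.cryptoj.f.hb, java.lang.String, java.lang.String):byte[]");
    }

    /** Returns the reason recorded by the most recent failed step, or {@code null} if none. */
    public String a() {
        return this.t;
    }
}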
