package org.bouncycastle.jce.provider;

import java.io.ByteArrayInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERInputStream;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.x509.X509Extensions;

/* loaded from: input_file:org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.class */
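/**
 * Certification path validator SPI operating on {@link PKIXParameters}.
 *
 * <p>The path is walked from the certificate next to the trust anchor down to the
 * target certificate (index 0). For each certificate the code below checks, in
 * this order: signature against the current issuer key, validity period, CRL
 * based revocation (when enabled), issuer/subject name chaining, certificate
 * policies, unsupported critical extensions, issuer basic constraints, policy
 * constraints and the issuer's keyCertSign key usage.
 *
 * <p>Limitations visible in this code that a relying application should know:
 * <ul>
 *   <li>The returned result carries no policy tree ({@code null}).</li>
 *   <li>Name constraints and policy mappings are not processed; the
 *       inhibit-policy-mapping counter is computed but never consulted.</li>
 *   <li>CRL extensions are not examined, and a CRL is only ever verified with
 *       the key of the certificate's issuer.</li>
 *   <li>Configured {@link PKIXCertPathChecker}s are invoked only for
 *       certificates that report an unsupported critical extension.</li>
 * </ul>
 */
public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi {
    /**
     * Validates {@code certPath} against the trust anchors and options in
     * {@code certPathParameters}.
     *
     * @param certPath           path to validate; index 0 is the target certificate and the
     *                           last element is the certificate issued by the trust anchor
     * @param certPathParameters must be a {@link PKIXParameters} instance
     * @return a {@link PKIXCertPathValidatorResult} holding the matched trust anchor, a
     *         {@code null} policy tree and the target certificate's public key
     * @throws InvalidAlgorithmParameterException if the parameters are not PKIX parameters or
     *                                            carry no trust anchors
     * @throws CertPathValidatorException         if any check fails or an unexpected exception
     *                                            occurs while validating
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        if (!(certPathParameters instanceof PKIXParameters)) {
            throw new InvalidAlgorithmParameterException("params must be a PKIXParameters instance");
        }
        PKIXParameters pkixParams = (PKIXParameters) certPathParameters;
        if (pkixParams.getTrustAnchors() == null) {
            throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for path validation");
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        // Path length plus one; used to derive each certificate's depth below.
        int n = certificates.size() + 1;
        X509Certificate cert = null;
        Set<String> initialPolicies = pkixParams.getInitialPolicies();
        if (initialPolicies.isEmpty()) {
            // An empty set means "any policy"; represented as null from here on.
            initialPolicies = null;
        }
        // Running intersection of the policy sets of certificates that mark the
        // certificate policies extension critical.
        Set<String> acceptablePolicies = null;
        // Depth from which explicit policy matching is enforced. Starts beyond the
        // path so it is never reached unless required or lowered by a constraint.
        int explicitPolicy = n + 1;
        if (pkixParams.isExplicitPolicyRequired()) {
            explicitPolicy = 1;
        }
        // Tracked from policy constraints (tag 1) but not consulted by any check.
        int policyMapping = n + 1;
        Date validDate = new Date();
        if (pkixParams.getDate() != null) {
            validDate = pkixParams.getDate();
        }
        if (certificates.isEmpty()) {
            throw new CertPathValidatorException("CertPath is empty", null, certPath, 0);
        }
        if (pkixParams.getTargetCertConstraints() != null && !pkixParams.getTargetCertConstraints().match((X509Certificate) certificates.get(0))) {
            throw new CertPathValidatorException("target certificate in certpath does not match targetcertconstraints", null, certPath, 0);
        }
        TrustAnchor trustAnchor = PKIXCertPathBuilderSpi.findTrustAnchor((X509Certificate) certificates.get(certificates.size() - 1), pkixParams.getTrustAnchors());
        if (trustAnchor == null) {
            throw new CertPathValidatorException("TrustAnchor for CertPath not found", null, certPath, 0);
        }
        // Issuer of the certificate currently being checked. Null while the issuer is
        // a trust anchor given as name + key only; the issuer-certificate checks
        // (cRLSign, basic constraints, keyCertSign) are skipped in that case.
        X509Certificate issuerCert = trustAnchor.getTrustedCert();
        try {
            X500Principal workingIssuerName;
            PublicKey workingPublicKey;
            if (issuerCert != null) {
                workingIssuerName = issuerCert.getSubjectX500Principal();
                workingPublicKey = issuerCert.getPublicKey();
            } else {
                workingIssuerName = new X500Principal(trustAnchor.getCAName());
                workingPublicKey = trustAnchor.getCAPublicKey();
            }
            // Checkers see certificates in reverse (anchor-to-target) order.
            Iterator<PKIXCertPathChecker> initIt = pkixParams.getCertPathCheckers().iterator();
            while (initIt.hasNext()) {
                initIt.next().init(false);
            }
            try {
                for (int index = certificates.size() - 1; index >= 0; index--) {
                    // 2 for the certificate issued by the anchor, growing towards the target.
                    int depth = n - index;
                    cert = (X509Certificate) certificates.get(index);
                    cert.verify(workingPublicKey);
                    cert.checkValidity(validDate);
                    if (pkixParams.isRevocationEnabled()) {
                        boolean validCrlFound = false;
                        X509CRLSelector crlSelector = new X509CRLSelector();
                        crlSelector.addIssuerName(cert.getIssuerX500Principal().getEncoded());
                        crlSelector.setCertificateChecking(cert);
                        Iterator<CertStore> storeIt = pkixParams.getCertStores().iterator();
                        while (storeIt.hasNext()) {
                            Iterator<? extends CRL> crlIt = storeIt.next().getCRLs(crlSelector).iterator();
                            while (crlIt.hasNext()) {
                                X509CRL crl = (X509CRL) crlIt.next();
                                // CRLs issued after the validation date are ignored entirely.
                                if (!validDate.before(crl.getThisUpdate())) {
                                    // Fix: the previous test was "nextUpdate != null || before(nextUpdate)",
                                    // which accepted every CRL carrying a nextUpdate (even an expired
                                    // one) and dereferenced null otherwise. A CRL only counts as
                                    // current when nextUpdate is present and still in the future.
                                    // CRLs without nextUpdate are not counted as current; accepting
                                    // them would be a policy decision for the relying application.
                                    Date nextUpdate = crl.getNextUpdate();
                                    if (nextUpdate != null && validDate.before(nextUpdate)) {
                                        validCrlFound = true;
                                    }
                                    // Key usage bit 6 is cRLSign.
                                    boolean[] crlSignerUsage;
                                    if (issuerCert != null && (crlSignerUsage = issuerCert.getKeyUsage()) != null && (crlSignerUsage.length < 7 || !crlSignerUsage[6])) {
                                        throw new CertPathValidatorException("Issuer certificate keyusage extension does not permit crl signing.\n" + issuerCert, null, certPath, index);
                                    }
                                    crl.verify(workingPublicKey);
                                    // Revocation entries are honoured even when the CRL itself is
                                    // past its nextUpdate; only the "valid CRL found" flag needs a
                                    // current CRL.
                                    X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
                                    if (entry != null && !validDate.before(entry.getRevocationDate())) {
                                        throw new CertPathValidatorException("Certificate revokation after " + entry.getRevocationDate(), null, certPath, index);
                                    }
                                }
                            }
                        }
                        // Fail closed: revocation checking without a current CRL is an error.
                        if (!validCrlFound) {
                            throw new CertPathValidatorException("no valid CRL found", null, certPath, index);
                        }
                    }
                    try {
                        X500Principal certIssuer = cert.getIssuerX500Principal();
                        if (!certIssuer.equals(workingIssuerName)) {
                            throw new CertPathValidatorException("IssuerName(" + certIssuer + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate", null, certPath, index);
                        }
                        Set<String> certPolicies = null;
                        try {
                            byte[] policiesExt = cert.getExtensionValue(X509Extensions.CertificatePolicies.getId());
                            if (policiesExt != null) {
                                certPolicies = new HashSet<String>();
                                // The extension value is an OCTET STRING wrapping the policy sequence.
                                Enumeration policyInfos = ((ASN1Sequence) new DERInputStream(new ByteArrayInputStream(((ASN1OctetString) new DERInputStream(new ByteArrayInputStream(policiesExt)).readObject()).getOctets())).readObject()).getObjects();
                                while (policyInfos.hasMoreElements()) {
                                    certPolicies.add(((DERObjectIdentifier) ((ASN1Sequence) policyInfos.nextElement()).getObjectAt(0)).getId());
                                }
                            }
                            if (explicitPolicy <= depth && initialPolicies != null && certPolicies != null) {
                                // Every policy asserted by the certificate must be an initial policy.
                                boolean unknownPolicy = false;
                                Iterator<String> policyIt = certPolicies.iterator();
                                while (policyIt.hasNext() && !unknownPolicy) {
                                    if (!initialPolicies.contains(policyIt.next())) {
                                        unknownPolicy = true;
                                    }
                                }
                                if (unknownPolicy) {
                                    throw new CertPathValidatorException("policy OID not in initialPolicies and requiredExplictPolicy", null, certPath, index);
                                }
                            }
                            Set<String> criticalOids = cert.getCriticalExtensionOIDs();
                            if (criticalOids != null && criticalOids.contains(X509Extensions.CertificatePolicies.getId())) {
                                if (acceptablePolicies == null) {
                                    acceptablePolicies = certPolicies;
                                } else {
                                    acceptablePolicies.retainAll(certPolicies);
                                }
                                if (acceptablePolicies != null && acceptablePolicies.isEmpty()) {
                                    throw new CertPathValidatorException("intersection of acceptablePolicies and certificate policies is empty: ", null, certPath, index);
                                }
                            }
                            Set<String> userPolicies = initialPolicies != null ? new HashSet<String>(initialPolicies) : null;
                            if (acceptablePolicies != null) {
                                if (userPolicies == null) {
                                    userPolicies = acceptablePolicies;
                                } else {
                                    userPolicies.retainAll(acceptablePolicies);
                                }
                            }
                            if (userPolicies != null && userPolicies.isEmpty()) {
                                throw new CertPathValidatorException("intersection of acceptablePolicies and initial policies is empty: ", null, certPath, index);
                            }
                            // NOTE(review): custom PKIXCertPathCheckers run only inside this branch,
                            // so a checker added by the application is not consulted for certificates
                            // without unsupported critical extensions. Confirm this is intended before
                            // relying on a checker for an additional security decision.
                            if (cert.hasUnsupportedCriticalExtension()) {
                                // Extensions handled by this method are removed; checkers may
                                // remove the ones they handle; anything left is a failure.
                                HashSet<String> unresolved = new HashSet<String>(cert.getCriticalExtensionOIDs());
                                unresolved.remove(X509Extensions.CertificatePolicies.getId());
                                unresolved.remove(X509Extensions.PolicyConstraints.getId());
                                unresolved.remove(X509Extensions.KeyUsage.getId());
                                unresolved.remove(X509Extensions.BasicConstraints.getId());
                                Iterator<PKIXCertPathChecker> checkerIt = pkixParams.getCertPathCheckers().iterator();
                                while (checkerIt.hasNext()) {
                                    checkerIt.next().check(cert, unresolved);
                                }
                                if (!unresolved.isEmpty()) {
                                    throw new CertPathValidatorException("Certificate has unsupported critical extension", null, certPath, index);
                                }
                            }
                            if (issuerCert != null) {
                                // Negative means the issuer certificate is not a CA;
                                // Integer.MAX_VALUE means a CA without a path length limit.
                                int pathLenConstraint = issuerCert.getBasicConstraints();
                                if (pathLenConstraint < 0) {
                                    throw new CertPathValidatorException("Issuer certificate isn't a CA one", null, certPath, index);
                                }
                                if (pathLenConstraint < Integer.MAX_VALUE && index > pathLenConstraint) {
                                    throw new CertPathValidatorException("Issuer certificate is a CA one but does only allow pathlength < " + pathLenConstraint + " and pathlength is " + index, null, certPath, index);
                                }
                            }
                            byte[] constraintsExt = cert.getExtensionValue(X509Extensions.PolicyConstraints.getId());
                            if (constraintsExt != null) {
                                Enumeration constraints = ((ASN1Sequence) new DERInputStream(new ByteArrayInputStream(((ASN1OctetString) new DERInputStream(new ByteArrayInputStream(constraintsExt)).readObject()).getOctets())).readObject()).getObjects();
                                while (constraints.hasMoreElements()) {
                                    ASN1TaggedObject constraint = (ASN1TaggedObject) constraints.nextElement();
                                    switch (constraint.getTagNo()) {
                                        case 0: {
                                            // Tag 0 lowers the depth at which explicit policy applies.
                                            int skipCerts = DERInteger.getInstance(constraint).getValue().intValue();
                                            if (depth + skipCerts < explicitPolicy) {
                                                explicitPolicy = depth + skipCerts;
                                            }
                                            break;
                                        }
                                        case 1: {
                                            // Tag 1 is recorded only; nothing reads policyMapping.
                                            int skipCerts = DERInteger.getInstance(constraint).getValue().intValue();
                                            if (depth + skipCerts < policyMapping) {
                                                policyMapping = depth + skipCerts;
                                            }
                                            break;
                                        }
                                        default:
                                            break;
                                    }
                                }
                            }
                            // Key usage bit 5 is keyCertSign. Only a critical key usage extension
                            // on the issuer is enforced here.
                            Set<String> issuerCriticalOids;
                            if (issuerCert != null && (issuerCriticalOids = issuerCert.getCriticalExtensionOIDs()) != null && issuerCriticalOids.contains(X509Extensions.KeyUsage.getId())) {
                                boolean[] issuerKeyUsage = issuerCert.getKeyUsage();
                                // A missing or short array is treated as "not permitted" instead of
                                // surfacing as an index/null error from the generic handler below.
                                if (issuerKeyUsage == null || issuerKeyUsage.length < 6 || !issuerKeyUsage[5]) {
                                    throw new CertPathValidatorException("Issuer certificate keyusage extension is critical an does not permit key signing.\n" + issuerCert, null, certPath, index);
                                }
                            }
                            // The certificate just checked becomes the issuer for the next one.
                            issuerCert = cert;
                            workingPublicKey = issuerCert.getPublicKey();
                            try {
                                workingIssuerName = issuerCert.getSubjectX500Principal();
                            } catch (IllegalArgumentException e) {
                                throw new CertPathBuilderException(issuerCert.getSubjectDN().getName() + " :" + e.toString());
                            }
                        } catch (Exception e) {
                            // This handler also catches the CertPathValidatorExceptions thrown
                            // above, so callers see this generic message and find the specific
                            // reason in getCause().
                            throw new CertPathValidatorException("exception throw while parsing policy extension: ", e, certPath, index);
                        }
                    } catch (IllegalArgumentException e) {
                        throw new CertPathBuilderException(cert.getIssuerDN().getName() + " :" + e.toString());
                    }
                }
                return new PKIXCertPathValidatorResult(trustAnchor, null, cert.getPublicKey());
            } catch (CertPathValidatorException e) {
                throw e;
            } catch (Exception e) {
                throw new CertPathValidatorException("Exception thrown while doing CertPath validation", e, certPath, 0);
            }
        } catch (IllegalArgumentException e) {
            throw new CertPathValidatorException("TrustAnchor subjectDN: " + e.toString());
        }
    }
}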
