package sun.security.provider.certpath;

import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CRLReason;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import sun.security.util.Debug;
import sun.security.validator.Validator;
import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.CRLDistributionPointsExtension;
import sun.security.x509.DistributionPoint;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNames;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.X500Name;
import sun.security.x509.X509CRLEntryImpl;
import sun.security.x509.X509CertImpl;

/* loaded from: classes4.dex */
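/**
 * {@link PKIXCertPathChecker} that determines the revocation status of each
 * certificate in a path from X.509 CRLs.
 *
 * <p>Candidate CRLs are gathered from the configured {@link CertStore}s and from
 * {@code DistributionPointFetcher}; only CRLs that verify against the issuer key
 * handed to {@code check} are approved. When no approved CRL covers all reason
 * codes and a separate signing key is allowed, {@link #buildToNewKey} builds a
 * path to a cRLSign-capable certificate for the issuer and retries with that key.
 *
 * <p>Instances are stateful and unsynchronized: {@code check} carries the previous
 * certificate's public key and cRLSign flag from one call to the next, and the
 * candidate/approved CRL sets are reset on every revocation check.
 */
class CrlRevocationChecker extends PKIXCertPathChecker {
    /** Tolerance (15 minutes, in milliseconds) applied to CRL date selection. */
    private static final long MAX_CLOCK_SKEW = 900000;
    /** Trust anchor the path is validated against, or null to use the anchors in mParams. */
    private final TrustAnchor mAnchor;
    /** CRLs that verified for the certificate currently being checked; reset per check. */
    private HashSet<X509CRL> mApprovedCRLs;
    /** Whether the previous certificate (the issuer of the next one) may sign CRLs. */
    private boolean mCRLSignFlag;
    /** Validation time: the parameters' date, or the construction time when unset. */
    private final Date mCurrentTime;
    /** When true, only end-entity certificates (basic constraints == -1) are checked. */
    private boolean mOnlyEECert;
    private final PKIXParameters mParams;
    /** CRLs returned by the cert stores for the certificate being checked; reset per check. */
    private HashSet<X509CRL> mPossibleCRLs;
    /** Public key of the previous certificate in the path (initially the anchor's key). */
    private PublicKey mPrevPubKey;
    private final String mSigProvider;
    /** Parameter cert stores plus, optionally, a Collection store over extra certificates. */
    private final List<CertStore> mStores;
    private static final Debug debug = Debug.getInstance("certpath");
    /** KeyUsage selector value: only the cRLSign bit (index 6) set. */
    private static final boolean[] mCrlSignUsage = {false, false, false, false, false, false, true};
    /** Reasons mask value meaning every CRL reason code is covered. */
    private static final boolean[] ALL_REASONS = {true, true, true, true, true, true, true, true, true};

    /**
     * {@link X509CertSelector} that additionally rejects any certificate whose
     * public key is in a caller-supplied set of keys that have already been tried.
     * The set is held by reference, so keys added to it later are rejected as well.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes4.dex */
    public static class RejectKeySelector extends X509CertSelector {
        private final Set<PublicKey> badKeySet;

        /** @param badKeys keys to reject; retained by reference, not copied */
        RejectKeySelector(Set<PublicKey> badKeys) {
            this.badKeySet = badKeys;
        }

        /** Matches when the superclass criteria match and the key is not in the bad-key set. */
        @Override // java.security.cert.X509CertSelector, java.security.cert.CertSelector
        public boolean match(Certificate certificate) {
            if (!super.match(certificate)) {
                return false;
            }
            boolean badKey = this.badKeySet.contains(certificate.getPublicKey());
            if (debug != null) {
                debug.println(badKey
                        ? "RejectCertSelector.match: bad key"
                        : "RejectCertSelector.match: returning true");
            }
            return !badKey;
        }

        @Override // java.security.cert.X509CertSelector
        public String toString() {
            return "RejectCertSelector: [\n" + super.toString() + this.badKeySet + "]";
        }
    }

    /** Equivalent to {@code CrlRevocationChecker(trustAnchor, params, null)}. */
    CrlRevocationChecker(TrustAnchor trustAnchor, PKIXParameters params) throws CertPathValidatorException {
        this(trustAnchor, params, null);
    }

    /** Equivalent to {@code CrlRevocationChecker(trustAnchor, params, certs, false)}. */
    CrlRevocationChecker(TrustAnchor trustAnchor, PKIXParameters params, Collection<X509Certificate> certs)
            throws CertPathValidatorException {
        this(trustAnchor, params, certs, false);
    }

    /**
     * Creates a checker and initialises it for reverse (anchor-first) checking.
     *
     * @param trustAnchor anchor to build separate-key paths from, or null to use the
     *        anchors of {@code params}
     * @param params validation parameters supplying cert stores, date, signature
     *        provider and trust anchors
     * @param certs optional extra certificates made available to the path builder
     *        through a Collection CertStore; a failure to create that store is logged
     *        and ignored
     * @param onlyEECert when true, only end-entity certificates are checked
     * @throws CertPathValidatorException propagated from {@link #init(boolean)}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public CrlRevocationChecker(TrustAnchor trustAnchor, PKIXParameters params,
            Collection<X509Certificate> certs, boolean onlyEECert) throws CertPathValidatorException {
        this.mAnchor = trustAnchor;
        this.mParams = params;
        this.mStores = new ArrayList<>(params.getCertStores());
        this.mSigProvider = params.getSigProvider();
        if (certs != null) {
            try {
                this.mStores.add(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(certs)));
            } catch (Exception e) {
                // Best effort: without this store the builder simply has fewer
                // certificates to choose from.
                if (debug != null) {
                    debug.println("CrlRevocationChecker: error creating Collection CertStore: " + e);
                }
            }
        }
        Date paramDate = params.getDate();
        this.mCurrentTime = paramDate == null ? new Date() : paramDate;
        this.mOnlyEECert = onlyEECert;
        init(false);
    }

    /**
     * Obtains a CRL-signing key for the issuer of {@code currCert} by building a
     * path to a certificate with the issuer's subject name and the cRLSign usage,
     * then re-runs the revocation check with that key.
     *
     * <p>Keys that fail are accumulated in a bad-key set shared by reference with
     * the target selector, so every retry excludes them. Each certificate of a
     * built path is itself revocation-checked, with {@code stackedCerts} guarding
     * against circular dependencies.
     *
     * @param currCert certificate whose revocation status is being determined
     * @param prevKey the issuer key that already failed, or null to exclude nothing
     * @param stackedCerts certificates on the current dependency stack (may be null)
     * @throws CertPathValidatorException with reason REVOKED if a check against a
     *         new key proves the certificate revoked, or
     *         UNDETERMINED_REVOCATION_STATUS once no further path can be built
     */
    private void buildToNewKey(X509Certificate currCert, PublicKey prevKey,
            Set<X509Certificate> stackedCerts) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("CrlRevocationChecker.buildToNewKey() starting work");
        }
        Set<PublicKey> badKeys = new HashSet<>();
        if (prevKey != null) {
            badKeys.add(prevKey);
        }
        RejectKeySelector sel = new RejectKeySelector(badKeys);
        sel.setSubject(currCert.getIssuerX500Principal());
        sel.setKeyUsage(mCrlSignUsage);
        Set<TrustAnchor> trustAnchors = this.mAnchor == null
                ? this.mParams.getTrustAnchors()
                : Collections.singleton(this.mAnchor);
        PKIXBuilderParameters builderParams = newBuilderParams(sel, trustAnchors);
        // Revocation of the built path is checked explicitly below, cert by cert.
        builderParams.setRevocationEnabled(false);
        if (Builder.USE_AIA) {
            addAiaCertStores(builderParams, currCert);
        }
        CertPathBuilder builder;
        try {
            builder = CertPathBuilder.getInstance(Validator.TYPE_PKIX);
        } catch (NoSuchAlgorithmException e) {
            throw new CertPathValidatorException(e);
        }
        while (true) {
            PKIXCertPathBuilderResult cpbr;
            try {
                if (debug != null) {
                    debug.println("CrlRevocationChecker.buildToNewKey() about to try build ...");
                }
                cpbr = (PKIXCertPathBuilderResult) builder.build(builderParams);
            } catch (InvalidAlgorithmParameterException e) {
                throw new CertPathValidatorException(e);
            } catch (CertPathBuilderException e) {
                // No path to a not-yet-rejected cRLSign key is left.
                throw new CertPathValidatorException("Could not determine revocation status", null, null, -1,
                        CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
            }
            if (debug != null) {
                debug.println("CrlRevocationChecker.buildToNewKey() about to check revocation ...");
            }
            if (stackedCerts == null) {
                stackedCerts = new HashSet<>();
            }
            stackedCerts.add(currCert);
            TrustAnchor anchor = cpbr.getTrustAnchor();
            PublicKey issuerKey = anchor.getCAPublicKey();
            if (issuerKey == null) {
                issuerKey = anchor.getTrustedCert().getPublicKey();
            }
            boolean signFlag = true;
            List<? extends Certificate> pathCerts = cpbr.getCertPath().getCertificates();
            try {
                // Walk from the anchor end towards the target.
                for (int i = pathCerts.size() - 1; i >= 0; i--) {
                    X509Certificate pathCert = (X509Certificate) pathCerts.get(i);
                    if (debug != null) {
                        debug.println("CrlRevocationChecker.buildToNewKey() index " + i
                                + " checking " + pathCert);
                    }
                    verifyRevocationStatus(pathCert, issuerKey, signFlag, true, stackedCerts, trustAnchors);
                    signFlag = certCanSignCrl(pathCert);
                    issuerKey = pathCert.getPublicKey();
                }
            } catch (CertPathValidatorException e) {
                // The candidate path itself did not pass; exclude its key and try another.
                badKeys.add(cpbr.getPublicKey());
                continue;
            }
            PublicKey newKey = cpbr.getPublicKey();
            if (debug != null) {
                debug.println("CrlRevocationChecker.buildToNewKey() got key " + newKey);
            }
            try {
                verifyRevocationStatus(currCert, newKey, true, false);
                return;
            } catch (CertPathValidatorException e) {
                // A definite REVOKED answer must surface; this catch is deliberately
                // not nested inside the path-check try above, which would swallow it.
                if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                    throw e;
                }
                badKeys.add(newKey);
            }
        }
    }

    /**
     * Builds the {@link PKIXBuilderParameters} for {@link #buildToNewKey}: a clone of
     * the configured parameters when they already are builder parameters, otherwise
     * fresh parameters populated from {@code mParams} and the checker's cert stores.
     *
     * @throws CertPathValidatorException if the trust anchor set is rejected
     */
    private PKIXBuilderParameters newBuilderParams(RejectKeySelector sel, Set<TrustAnchor> trustAnchors)
            throws CertPathValidatorException {
        try {
            PKIXBuilderParameters builderParams;
            if (this.mParams instanceof PKIXBuilderParameters) {
                builderParams = (PKIXBuilderParameters) this.mParams.clone();
                builderParams.setTargetCertConstraints(sel);
                builderParams.setPolicyQualifiersRejected(true);
                builderParams.setTrustAnchors(trustAnchors);
            } else {
                builderParams = new PKIXBuilderParameters(trustAnchors, sel);
                builderParams.setInitialPolicies(this.mParams.getInitialPolicies());
                builderParams.setCertStores(this.mStores);
                builderParams.setExplicitPolicyRequired(this.mParams.isExplicitPolicyRequired());
                builderParams.setPolicyMappingInhibited(this.mParams.isPolicyMappingInhibited());
                builderParams.setAnyPolicyInhibited(this.mParams.isAnyPolicyInhibited());
                builderParams.setDate(this.mParams.getDate());
                builderParams.setCertPathCheckers(this.mParams.getCertPathCheckers());
                builderParams.setSigProvider(this.mParams.getSigProvider());
            }
            return builderParams;
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Registers a {@code URICertStore} for each AIA access description of
     * {@code cert} with the builder parameters. A certificate that cannot be
     * decoded, or one without usable access descriptions, adds nothing.
     */
    private static void addAiaCertStores(PKIXBuilderParameters builderParams, X509Certificate cert) {
        X509CertImpl certImpl;
        try {
            certImpl = X509CertImpl.toImpl(cert);
        } catch (CertificateException e) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.buildToNewKey: error decoding cert: " + e);
            }
            return;
        }
        AuthorityInfoAccessExtension aia = certImpl.getAuthorityInfoAccessExtension();
        if (aia == null) {
            return;
        }
        List<AccessDescription> descriptions = aia.getAccessDescriptions();
        if (descriptions == null) {
            return;
        }
        for (AccessDescription ad : descriptions) {
            CertStore store = URICertStore.getInstance(ad);
            if (store != null) {
                if (debug != null) {
                    debug.println("adding AIAext CertStore");
                }
                builderParams.addCertStore(store);
            }
        }
    }

    /**
     * @return {@code true} if the certificate has a KeyUsage extension with the
     *         cRLSign bit (index 6) set; {@code false} when the extension is absent
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean certCanSignCrl(X509Certificate cert) {
        boolean[] keyUsage = cert.getKeyUsage();
        return keyUsage != null && keyUsage[6];
    }

    /**
     * Checks each candidate CRL against each distribution point of {@code cert}
     * (or against a single point naming the issuer when the certificate has no
     * CRLDP extension) and returns the ones {@code DistributionPointFetcher.verifyCRL}
     * accepts. {@code reasonsMask} is updated by that call; iteration over the
     * distribution points stops once every reason is covered.
     *
     * <p>Any exception is logged (debug only) and yields an empty result, which the
     * caller treats as "no approved CRL".
     */
    private Collection<X509CRL> verifyPossibleCRLs(Set<X509CRL> crls, X509Certificate cert, boolean signFlag,
            PublicKey prevKey, boolean[] reasonsMask, Set<TrustAnchor> trustAnchors)
            throws CertPathValidatorException {
        try {
            X509CertImpl certImpl = X509CertImpl.toImpl(cert);
            if (debug != null) {
                debug.println("CRLRevocationChecker.verifyPossibleCRLs: Checking CRLDPs for "
                        + certImpl.getSubjectX500Principal());
            }
            CRLDistributionPointsExtension ext = certImpl.getCRLDistributionPointsExtension();
            List<DistributionPoint> points;
            if (ext == null) {
                // Without a CRLDP extension the issuer's own name is the only point.
                X500Name issuer = (X500Name) certImpl.getIssuerDN();
                GeneralNames issuerNames = new GeneralNames().add(new GeneralName(issuer));
                points = Collections.singletonList(
                        new DistributionPoint(issuerNames, (boolean[]) null, (GeneralNames) null));
            } else {
                points = (List<DistributionPoint>) ext.get(CRLDistributionPointsExtension.POINTS);
            }
            Set<X509CRL> approved = new HashSet<>();
            Iterator<DistributionPoint> it = points.iterator();
            while (it.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS)) {
                DistributionPoint point = it.next();
                for (X509CRL crl : crls) {
                    if (DistributionPointFetcher.verifyCRL(certImpl, point, crl, reasonsMask, signFlag,
                            prevKey, this.mSigProvider, trustAnchors, this.mStores, this.mParams.getDate())) {
                        approved.add(crl);
                    }
                }
            }
            return approved;
        } catch (Exception e) {
            if (debug != null) {
                debug.println("Exception while verifying CRL: " + e.getMessage());
                e.printStackTrace();
            }
            return Collections.emptySet();
        }
    }

    /** Revocation check using the checker's own trust anchors and no dependency stack. */
    private void verifyRevocationStatus(X509Certificate cert, PublicKey prevKey, boolean signFlag,
            boolean allowSeparateKey) throws CertPathValidatorException {
        verifyRevocationStatus(cert, prevKey, signFlag, allowSeparateKey, null, this.mParams.getTrustAnchors());
    }

    /**
     * Determines the revocation status of {@code cert}.
     *
     * <p>Candidate CRLs are collected from the cert stores and the distribution
     * point fetcher, verified against {@code prevKey}, and must together cover all
     * reason codes; otherwise the status is undetermined unless
     * {@code allowSeparateKey} permits falling back to
     * {@link #verifyWithSeparateSigningKey}. The approved CRLs are then searched for
     * an entry for the certificate.
     *
     * @param cert certificate to check
     * @param prevKey issuer public key used to verify CRL signatures
     * @param signFlag whether the issuer certificate is allowed to sign CRLs
     * @param allowSeparateKey whether a CRL signing key other than the issuer's may
     *        be searched for when the issuer key yields no usable CRL
     * @param stackedCerts certificates currently being resolved, to detect cycles (may be null)
     * @param trustAnchors anchors used when verifying CRLs
     * @throws CertPathValidatorException with reason REVOKED if an approved CRL lists
     *         the certificate, UNDETERMINED_REVOCATION_STATUS on a circular dependency,
     *         missing coverage or an unrecognised critical CRL entry extension, and
     *         UNSPECIFIED (wrapping the cause) for any other failure
     */
    private void verifyRevocationStatus(X509Certificate cert, PublicKey prevKey, boolean signFlag,
            boolean allowSeparateKey, Set<X509Certificate> stackedCerts, Set<TrustAnchor> trustAnchors)
            throws CertPathValidatorException {
        if (debug != null) {
            debug.println("CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...");
        }
        if (this.mOnlyEECert && cert.getBasicConstraints() != -1) {
            if (debug != null) {
                debug.println("Skipping revocation check, not end entity cert");
            }
            return;
        }
        if (stackedCerts != null && stackedCerts.contains(cert)) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() circular dependency");
            }
            throw new CertPathValidatorException("Could not determine revocation status", null, null, -1,
                    CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
        }
        this.mPossibleCRLs = new HashSet<>();
        this.mApprovedCRLs = new HashSet<>();
        boolean[] reasonsMask = new boolean[9];
        try {
            X509CRLSelector sel = new X509CRLSelector();
            sel.setCertificateChecking(cert);
            CertPathHelper.setDateAndTime(sel, this.mCurrentTime, MAX_CLOCK_SKEW);
            for (CertStore store : this.mStores) {
                for (CRL crl : store.getCRLs(sel)) {
                    this.mPossibleCRLs.add((X509CRL) crl);
                }
            }
            this.mApprovedCRLs.addAll(DistributionPointFetcher.getCRLs(sel, signFlag, prevKey, this.mSigProvider,
                    this.mStores, reasonsMask, trustAnchors, this.mParams.getDate()));
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() crls.size() = "
                        + this.mPossibleCRLs.size());
            }
            if (!this.mPossibleCRLs.isEmpty()) {
                this.mApprovedCRLs.addAll(verifyPossibleCRLs(this.mPossibleCRLs, cert, signFlag, prevKey,
                        reasonsMask, trustAnchors));
            }
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = "
                        + this.mApprovedCRLs.size());
            }
            if (this.mApprovedCRLs.isEmpty() || !Arrays.equals(reasonsMask, ALL_REASONS)) {
                if (!allowSeparateKey) {
                    throw new CertPathValidatorException("Could not determine revocation status", null, null, -1,
                            CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                }
                verifyWithSeparateSigningKey(cert, prevKey, signFlag, stackedCerts);
                return;
            }
            if (debug != null) {
                BigInteger serial = cert.getSerialNumber();
                debug.println("CrlRevocationChecker.verifyRevocationStatus() starting the final sweep...");
                debug.println("CrlRevocationChecker.verifyRevocationStatus cert SN: " + serial.toString());
            }
            for (X509CRL crl : this.mApprovedCRLs) {
                X509CRLEntry entry = crl.getRevokedCertificate(cert);
                if (entry == null) {
                    continue;
                }
                try {
                    X509CRLEntryImpl entryImpl = X509CRLEntryImpl.toImpl(entry);
                    if (debug != null) {
                        debug.println("CrlRevocationChecker.verifyRevocationStatus CRL entry: "
                                + entryImpl.toString());
                    }
                    Set<String> unresolvedCritExts = entryImpl.getCriticalExtensionOIDs();
                    if (unresolvedCritExts != null && !unresolvedCritExts.isEmpty()) {
                        // Reason code and certificate issuer are the only critical
                        // entry extensions handled here; anything else is fatal.
                        unresolvedCritExts.remove(PKIXExtensions.ReasonCode_Id.toString());
                        unresolvedCritExts.remove(PKIXExtensions.CertificateIssuer_Id.toString());
                        if (!unresolvedCritExts.isEmpty()) {
                            if (debug != null) {
                                debug.println("Unrecognized critical extension(s) in revoked CRL entry: "
                                        + unresolvedCritExts);
                            }
                            throw new CertPathValidatorException("Could not determine revocation status",
                                    null, null, -1,
                                    CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                        }
                    }
                    CRLReason reason = entryImpl.getRevocationReason();
                    if (reason == null) {
                        reason = CRLReason.UNSPECIFIED;
                    }
                    CertificateRevokedException revoked = new CertificateRevokedException(
                            entryImpl.getRevocationDate(), reason, crl.getIssuerX500Principal(),
                            entryImpl.getExtensions());
                    throw new CertPathValidatorException(revoked.getMessage(), revoked, null, -1,
                            CertPathValidatorException.BasicReason.REVOKED);
                } catch (CRLException e) {
                    throw new CertPathValidatorException(e);
                }
            }
        } catch (CertPathValidatorException e) {
            // Rethrow as-is so REVOKED / UNDETERMINED_REVOCATION_STATUS reasons reach
            // callers (buildToNewKey branches on getReason()); the catch-all below
            // would otherwise re-wrap them with reason UNSPECIFIED.
            throw e;
        } catch (Exception e) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() unexpected exception: "
                        + e.getMessage());
            }
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Fallback when the issuer key yields no usable CRL: rejects circular
     * dependencies, then delegates to {@link #buildToNewKey}. The issuer key is
     * only excluded from the search when it was allowed to sign CRLs in the first
     * place ({@code signFlag}); otherwise nothing is pre-excluded.
     */
    private void verifyWithSeparateSigningKey(X509Certificate cert, PublicKey prevKey, boolean signFlag,
            Set<X509Certificate> stackedCerts) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...");
        }
        if (stackedCerts != null && stackedCerts.contains(cert)) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyWithSeparateSigningKey() circular dependency");
            }
            throw new CertPathValidatorException("Could not determine revocation status", null, null, -1,
                    CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
        }
        buildToNewKey(cert, signFlag ? prevKey : null, stackedCerts);
    }

    /**
     * Checks the certificate against the previous certificate's key, then records
     * this certificate's key and cRLSign flag for the next call. A DSA key without
     * parameters inherits them from the previous key. {@code unresolvedCritExts} is
     * not modified: this checker processes no certificate extensions itself.
     *
     * @throws CertPathValidatorException if the certificate is revoked or its status
     *         cannot be determined
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate cert = (X509Certificate) certificate;
        verifyRevocationStatus(cert, this.mPrevPubKey, this.mCRLSignFlag, true);
        PublicKey key = cert.getPublicKey();
        if (key instanceof DSAPublicKey && ((DSAPublicKey) key).getParams() == null) {
            key = BasicChecker.makeInheritedParamsKey(key, this.mPrevPubKey);
        }
        this.mPrevPubKey = key;
        this.mCRLSignFlag = certCanSignCrl(cert);
    }

    /**
     * Stateless variant of {@link #check(Certificate, Collection)}: checks
     * {@code cert} against the given issuer key without touching the checker's
     * carried-over state.
     *
     * @return whether {@code cert} may itself sign CRLs (see {@link #certCanSignCrl})
     * @throws CertPathValidatorException if the certificate is revoked or its status
     *         cannot be determined
     */
    public boolean check(X509Certificate cert, PublicKey prevKey, boolean signFlag)
            throws CertPathValidatorException {
        verifyRevocationStatus(cert, prevKey, signFlag, true);
        return certCanSignCrl(cert);
    }

    /** @return null: this checker does not process any certificate extension */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Resets the carried-over state to the trust anchor's key (or null without an
     * anchor) with CRL signing allowed.
     *
     * @param forward must be false; forward checking is not supported
     * @throws CertPathValidatorException if {@code forward} is true
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean forward) throws CertPathValidatorException {
        if (forward) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        if (this.mAnchor == null) {
            this.mPrevPubKey = null;
        } else if (this.mAnchor.getCAPublicKey() != null) {
            this.mPrevPubKey = this.mAnchor.getCAPublicKey();
        } else {
            this.mPrevPubKey = this.mAnchor.getTrustedCert().getPublicKey();
        }
        this.mCRLSignFlag = true;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }
}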
