package org.bouncycastle.jce.provider;

import d.c.a.a.a;
import java.io.ByteArrayInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERInputStream;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.x509.X509Extensions;

/* loaded from: classes.dex */
/**
 * JADX-decompiled listing of a PKIX certification-path validator SPI.
 *
 * <p>The single method walks a {@link CertPath} from the certificate nearest the
 * trust anchor down to the target certificate and, for each certificate, checks
 * the signature, validity period, optional CRL-based revocation, issuer/subject
 * name chaining, certificate policies, critical extensions, the issuer's basic
 * constraints and the issuer's key usage.
 *
 * <p>NOTE(review): this is decompiler output, not original source. It contains
 * {@code ??} type placeholders, self-assignments, discarded allocations and a
 * reference to an undeclared variable {@code e}, so it does not compile as
 * written and the try/catch nesting may not match the original bytecode.
 * Treat the behavioural notes below as a description of this listing and
 * confirm anything security-relevant against the upstream source.
 *
 * <p>No name-constraints or policy-mapping processing is visible in this listing.
 */
public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi {
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r2v21 */
    /* JADX WARN: Type inference failed for: r2v22, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r2v23, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r2v55 */
    /* JADX WARN: Type inference failed for: r2v56, types: [java.util.HashSet] */
    /* JADX WARN: Type inference failed for: r6v5, types: [java.security.cert.PolicyNode] */
    /* JADX WARN: Type inference failed for: r6v7 */
    /* JADX WARN: Type inference failed for: r6v8 */
    /* JADX WARN: Type inference failed for: r8v3 */
    /* JADX WARN: Type inference failed for: r8v4, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r8v5, types: [java.util.Collection] */
    /* JADX WARN: Type inference failed for: r8v6 */
    /**
     * Validates a certification path against a set of PKIX parameters.
     *
     * @param certPath the path to validate; index 0 is treated as the target
     *     certificate and the last index as the certificate issued by the trust anchor
     * @param certPathParameters must be a {@link PKIXParameters} with non-null trust anchors
     * @return a {@link PKIXCertPathValidatorResult} carrying the matched trust anchor,
     *     the policy-tree slot (only ever assigned a null/zero value in this listing)
     *     and the public key of the last certificate processed
     * @throws CertPathValidatorException if the path is empty, the target constraints do
     *     not match, no trust anchor is found, or any per-certificate check fails
     * @throws InvalidAlgorithmParameterException if the parameters are not
     *     {@link PKIXParameters} or carry no trust anchors
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        X500Principal x500Principal;
        PublicKey cAPublicKey;
        int i;
        String str;
        List<? extends Certificate> list;
        int i2;
        HashSet hashSet;
        Set<String> criticalExtensionOIDs;
        int intValue;
        String str2;
        TrustAnchor trustAnchor;
        boolean[] keyUsage;
        String str3 = " :";
        if (!(certPathParameters instanceof PKIXParameters)) {
            throw new InvalidAlgorithmParameterException("params must be a PKIXParameters instance");
        }
        PKIXParameters pKIXParameters = (PKIXParameters) certPathParameters;
        if (pKIXParameters.getTrustAnchors() == null) {
            throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for path validation");
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        // size = number of certificates in the path + 1.
        int size = certificates.size() + 1;
        Set<String> initialPolicies = pKIXParameters.getInitialPolicies();
        X509Certificate x509Certificate = null;
        // An empty initial-policy set is replaced by null; every later policy
        // check is guarded by "initialPolicies != null", so empty means unrestricted.
        if (initialPolicies.isEmpty()) {
            initialPolicies = null;
        }
        // Decompiler residue: both sets are allocated and immediately discarded.
        new HashSet();
        new HashSet();
        int i3 = size + 1;
        // i4 seeds the explicit-policy counter (i6 below): 1 when an explicit policy
        // is required, otherwise size + 1, which is larger than any i7 value in the loop.
        int i4 = pKIXParameters.isExplicitPolicyRequired() ? 1 : i3;
        // Validation time: the caller-supplied date if present, otherwise "now".
        Date date = new Date();
        if (pKIXParameters.getDate() != null) {
            date = pKIXParameters.getDate();
        }
        if (certificates.isEmpty()) {
            throw new CertPathValidatorException("CertPath is empty", null, certPath, 0);
        }
        if (pKIXParameters.getTargetCertConstraints() != null && !pKIXParameters.getTargetCertConstraints().match((X509Certificate) certificates.get(0))) {
            throw new CertPathValidatorException("target certificate in certpath does not match targetcertconstraints", null, certPath, 0);
        }
        // The trust anchor is looked up for the LAST certificate in the path.
        // findTrustAnchor is defined in PKIXCertPathBuilderSpi, outside this listing.
        TrustAnchor findTrustAnchor = PKIXCertPathBuilderSpi.findTrustAnchor((X509Certificate) certificates.get(certificates.size() - 1), pKIXParameters.getTrustAnchors());
        if (findTrustAnchor == null) {
            throw new CertPathValidatorException("TrustAnchor for CertPath not found", null, certPath, 0);
        }
        X509Certificate trustedCert = findTrustAnchor.getTrustedCert();
        try {
            // Seed the working issuer name and working public key from the anchor,
            // either from its certificate or from its (name, key) pair.
            if (trustedCert != null) {
                x500Principal = trustedCert.getSubjectX500Principal();
                cAPublicKey = trustedCert.getPublicKey();
            } else {
                x500Principal = new X500Principal(findTrustAnchor.getCAName());
                cAPublicKey = findTrustAnchor.getCAPublicKey();
            }
            // Initialise caller-supplied checkers for reverse-direction processing.
            Iterator<PKIXCertPathChecker> it = pKIXParameters.getCertPathCheckers().iterator();
            while (it.hasNext()) {
                it.next().init(false);
                // Decompiler residue: the assignments below have no effect.
                x509Certificate = null;
                certificates = certificates;
                str3 = str3;
                size = size;
            }
            try {
                try {
                    i = certificates.size() - 1;
                    // i5: counter updated from PolicyConstraints tag 1; it is written
                    // below but never read by any check in this method.
                    int i5 = i3;
                    X509Certificate x509Certificate2 = x509Certificate;
                    // x509Certificate3 is the issuer certificate of the certificate being
                    // processed; it starts as the anchor's certificate and is null when
                    // the anchor was given as a name and key only.
                    X509Certificate x509Certificate3 = trustedCert;
                    // i6: explicit-policy counter.
                    int i6 = i4;
                    // "??" is a JADX placeholder for a type it could not infer (not valid Java).
                    // r8 holds the running set of acceptable policy OIDs; r6 is the policy-tree slot.
                    ?? r8 = x509Certificate2;
                    ?? r6 = x509Certificate2;
                    // Walk from the certificate nearest the anchor (highest index) to the target (index 0).
                    while (i >= 0) {
                        // i7 is the position counted from the anchor side: 2 for the first
                        // certificate processed, rising to "size" for the target.
                        int i7 = size - i;
                        try {
                            x509Certificate = (X509Certificate) certificates.get(i);
                            // Signature check against the working public key, then validity at "date".
                            x509Certificate.verify(cAPublicKey);
                            x509Certificate.checkValidity(date);
                            // Revocation is checked only when enabled in the parameters.
                            if (pKIXParameters.isRevocationEnabled()) {
                                list = certificates;
                                X509CRLSelector x509CRLSelector = new X509CRLSelector();
                                i2 = size;
                                // Select CRLs by this certificate's issuer name, from every configured CertStore.
                                x509CRLSelector.addIssuerName(x509Certificate.getIssuerX500Principal().getEncoded());
                                x509CRLSelector.setCertificateChecking(x509Certificate);
                                Iterator<CertStore> it2 = pKIXParameters.getCertStores().iterator();
                                // z records whether at least one CRL was accepted as currently valid.
                                boolean z = false;
                                while (it2.hasNext()) {
                                    Iterator<CertStore> it3 = it2;
                                    Iterator<? extends CRL> it4 = it2.next().getCRLs(x509CRLSelector).iterator();
                                    while (it4.hasNext()) {
                                        X509CRLSelector x509CRLSelector2 = x509CRLSelector;
                                        X509CRL x509crl = (X509CRL) it4.next();
                                        Iterator<? extends CRL> it5 = it4;
                                        // CRLs issued after the validation date are skipped.
                                        if (date.before(x509crl.getThisUpdate())) {
                                            it4 = it5;
                                            x509CRLSelector = x509CRLSelector2;
                                        } else {
                                            // NOTE(review): as written, a non-null nextUpdate short-circuits the
                                            // "||", so the CRL counts as valid without nextUpdate being compared
                                            // to the validation date (a stale CRL satisfies the "valid CRL
                                            // found" requirement). A null nextUpdate reaches date.before(null),
                                            // which throws NullPointerException and fails validation via the
                                            // catch-all below. The intended test was presumably
                                            // "getNextUpdate() == null || date.before(getNextUpdate())"
                                            // - confirm against the upstream source.
                                            if (x509crl.getNextUpdate() != null || date.before(x509crl.getNextUpdate())) {
                                                z = true;
                                            }
                                            // CRL-signing key usage (bit 6, cRLSign) is enforced only when an
                                            // issuer certificate is available and carries a KeyUsage extension;
                                            // it is skipped for a name-and-key trust anchor.
                                            if (x509Certificate3 == null || (keyUsage = x509Certificate3.getKeyUsage()) == null) {
                                                str2 = str3;
                                                trustAnchor = findTrustAnchor;
                                            } else {
                                                trustAnchor = findTrustAnchor;
                                                str2 = str3;
                                                if (keyUsage.length < 7 || !keyUsage[6]) {
                                                    StringBuffer stringBuffer = new StringBuffer();
                                                    stringBuffer.append("Issuer certificate keyusage extension does not permit crl signing.\n");
                                                    stringBuffer.append(x509Certificate3);
                                                    throw new CertPathValidatorException(stringBuffer.toString(), null, certPath, i);
                                                }
                                            }
                                            // The CRL signature is verified with the same working key that
                                            // verified the certificate.
                                            x509crl.verify(cAPublicKey);
                                            // Reject when the serial number is listed and the revocation date
                                            // is not after the validation date. This lookup runs for every CRL
                                            // that reaches this branch, whether or not it set z.
                                            X509CRLEntry revokedCertificate = x509crl.getRevokedCertificate(x509Certificate.getSerialNumber());
                                            if (revokedCertificate != null && !date.before(revokedCertificate.getRevocationDate())) {
                                                StringBuffer stringBuffer2 = new StringBuffer();
                                                stringBuffer2.append("Certificate revokation after ");
                                                stringBuffer2.append(revokedCertificate.getRevocationDate());
                                                throw new CertPathValidatorException(stringBuffer2.toString(), null, certPath, i);
                                            }
                                            it4 = it5;
                                            x509CRLSelector = x509CRLSelector2;
                                            findTrustAnchor = trustAnchor;
                                            str3 = str2;
                                        }
                                    }
                                    it2 = it3;
                                }
                                // Fail closed when revocation is enabled and no CRL was accepted.
                                if (!z) {
                                    throw new CertPathValidatorException("no valid CRL found", null, certPath, i);
                                }
                                str = str3;
                            } else {
                                str = str3;
                                list = certificates;
                                i2 = size;
                            }
                            TrustAnchor trustAnchor2 = findTrustAnchor;
                            try {
                                // Name chaining: this certificate's issuer must equal the working issuer name.
                                X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal();
                                if (!issuerX500Principal.equals(x500Principal)) {
                                    StringBuffer stringBuffer3 = new StringBuffer();
                                    stringBuffer3.append("IssuerName(");
                                    stringBuffer3.append(issuerX500Principal);
                                    stringBuffer3.append(") does not match SubjectName(");
                                    stringBuffer3.append(x500Principal);
                                    stringBuffer3.append(") of signing certificate");
                                    throw new CertPathValidatorException(stringBuffer3.toString(), null, certPath, i);
                                }
                                try {
                                    // Collect the policy OIDs from the CertificatePolicies extension, if present.
                                    // The extension bytes come from the certificate and are parsed with
                                    // unchecked casts; a malformed encoding surfaces as an exception that the
                                    // catch (Exception) below turns into a validation failure.
                                    byte[] extensionValue = x509Certificate.getExtensionValue(X509Extensions.CertificatePolicies.getId());
                                    if (extensionValue != null) {
                                        HashSet hashSet2 = new HashSet();
                                        Enumeration objects = ((ASN1Sequence) new DERInputStream(new ByteArrayInputStream(((ASN1OctetString) new DERInputStream(new ByteArrayInputStream(extensionValue)).readObject()).getOctets())).readObject()).getObjects();
                                        while (objects.hasMoreElements()) {
                                            hashSet2.add(((DERObjectIdentifier) ((ASN1Sequence) objects.nextElement()).getObjectAt(0)).getId());
                                        }
                                        hashSet = hashSet2;
                                    } else {
                                        hashSet = null;
                                    }
                                    // Once the explicit-policy counter has been reached, every policy OID in
                                    // the certificate must be in the initial policy set. The check is skipped
                                    // when the certificate has no policies extension (hashSet == null).
                                    if (i6 <= i7 && initialPolicies != null && hashSet != null) {
                                        Iterator it6 = hashSet.iterator();
                                        boolean z2 = false;
                                        while (it6.hasNext() && !z2) {
                                            if (!initialPolicies.contains(it6.next())) {
                                                z2 = true;
                                            }
                                        }
                                        if (z2) {
                                            throw new CertPathValidatorException("policy OID not in initialPolicies and requiredExplictPolicy", null, certPath, i);
                                        }
                                    }
                                    // Only a CRITICAL CertificatePolicies extension narrows the running
                                    // acceptable-policy set (r8); the intersection must not become empty.
                                    Set<String> criticalExtensionOIDs2 = x509Certificate.getCriticalExtensionOIDs();
                                    if (criticalExtensionOIDs2 != null && criticalExtensionOIDs2.contains(X509Extensions.CertificatePolicies.getId())) {
                                        if (r8 != null) {
                                            r8.retainAll(hashSet);
                                            hashSet = r8;
                                        }
                                        if (hashSet != null && hashSet.isEmpty()) {
                                            throw new CertPathValidatorException("intersection of acceptablePolicies and certificate policies is empty: ", null, certPath, i);
                                        }
                                        r8 = hashSet;
                                    }
                                    // Intersect a copy of the initial policies with the acceptable set.
                                    ?? hashSet3 = initialPolicies != null ? new HashSet(initialPolicies) : null;
                                    if (r8 != null) {
                                        if (hashSet3 == null) {
                                            hashSet3 = r8;
                                        } else {
                                            hashSet3.retainAll(r8);
                                        }
                                    }
                                    if (hashSet3 != null && hashSet3.isEmpty()) {
                                        throw new CertPathValidatorException("intersection of acceptablePolicies and initial policies is empty: ", null, certPath, i);
                                    }
                                    // Critical-extension handling: the four OIDs this method processes are
                                    // removed, the rest are offered to the caller-supplied checkers, and any
                                    // OID still left causes rejection.
                                    // NOTE(review): PKIXCertPathChecker.check() is invoked only inside this
                                    // branch, so custom checkers do not see certificates for which
                                    // hasUnsupportedCriticalExtension() returns false.
                                    if (x509Certificate.hasUnsupportedCriticalExtension()) {
                                        HashSet hashSet4 = new HashSet(x509Certificate.getCriticalExtensionOIDs());
                                        hashSet4.remove(X509Extensions.CertificatePolicies.getId());
                                        hashSet4.remove(X509Extensions.PolicyConstraints.getId());
                                        hashSet4.remove(X509Extensions.KeyUsage.getId());
                                        hashSet4.remove(X509Extensions.BasicConstraints.getId());
                                        Iterator<PKIXCertPathChecker> it7 = pKIXParameters.getCertPathCheckers().iterator();
                                        while (it7.hasNext()) {
                                            it7.next().check(x509Certificate, hashSet4);
                                        }
                                        if (!hashSet4.isEmpty()) {
                                            throw new CertPathValidatorException("Certificate has unsupported critical extension", null, certPath, i);
                                        }
                                    }
                                    // The ISSUER certificate must be a CA (getBasicConstraints() >= 0) and its
                                    // path-length limit must not be exceeded; i is the 0-based position of the
                                    // current certificate counted from the target. Skipped when the issuer is
                                    // a name-and-key trust anchor (x509Certificate3 == null).
                                    if (x509Certificate3 != null) {
                                        int basicConstraints = x509Certificate3.getBasicConstraints();
                                        if (basicConstraints < 0) {
                                            throw new CertPathValidatorException("Issuer certificate isn't a CA one", null, certPath, i);
                                        }
                                        if (basicConstraints < Integer.MAX_VALUE && i > basicConstraints) {
                                            StringBuffer stringBuffer4 = new StringBuffer();
                                            stringBuffer4.append("Issuer certificate is a CA one but does only allow pathlength < ");
                                            stringBuffer4.append(basicConstraints);
                                            stringBuffer4.append(" and pathlength is ");
                                            stringBuffer4.append(i);
                                            throw new CertPathValidatorException(stringBuffer4.toString(), null, certPath, i);
                                        }
                                    }
                                    // PolicyConstraints: tag 0 can only lower the explicit-policy counter (i6);
                                    // tag 1 can only lower i5, which no check in this method reads.
                                    // intValue() narrows the encoded integer, so values outside the int range
                                    // wrap before i7 is added.
                                    byte[] extensionValue2 = x509Certificate.getExtensionValue(X509Extensions.PolicyConstraints.getId());
                                    if (extensionValue2 != null) {
                                        Enumeration objects2 = ((ASN1Sequence) new DERInputStream(new ByteArrayInputStream(((ASN1OctetString) new DERInputStream(new ByteArrayInputStream(extensionValue2)).readObject()).getOctets())).readObject()).getObjects();
                                        int i8 = i5;
                                        while (objects2.hasMoreElements()) {
                                            ASN1TaggedObject aSN1TaggedObject = (ASN1TaggedObject) objects2.nextElement();
                                            int tagNo = aSN1TaggedObject.getTagNo();
                                            if (tagNo == 0) {
                                                int intValue2 = DERInteger.getInstance(aSN1TaggedObject).getValue().intValue() + i7;
                                                if (intValue2 < i6) {
                                                    i6 = intValue2;
                                                }
                                            } else if (tagNo == 1 && (intValue = DERInteger.getInstance(aSN1TaggedObject).getValue().intValue() + i7) < i8) {
                                                i8 = intValue;
                                            }
                                        }
                                        i5 = i8;
                                    }
                                    // Certificate-signing key usage (bit 5, keyCertSign) is enforced only when
                                    // the issuer's KeyUsage extension is marked critical; a non-critical
                                    // KeyUsage lacking keyCertSign is not rejected here.
                                    if (x509Certificate3 != null && (criticalExtensionOIDs = x509Certificate3.getCriticalExtensionOIDs()) != null && criticalExtensionOIDs.contains(X509Extensions.KeyUsage.getId()) && !x509Certificate3.getKeyUsage()[5]) {
                                        StringBuffer stringBuffer5 = new StringBuffer();
                                        stringBuffer5.append("Issuer certificate keyusage extension is critical an does not permit key signing.\n");
                                        stringBuffer5.append(x509Certificate3);
                                        throw new CertPathValidatorException(stringBuffer5.toString(), null, certPath, i);
                                    }
                                    // Advance the working state: this certificate becomes the issuer
                                    // (key, name, certificate) for the next one down the path.
                                    cAPublicKey = x509Certificate.getPublicKey();
                                    try {
                                        x500Principal = x509Certificate.getSubjectX500Principal();
                                        i--;
                                        r6 = 0;
                                        certificates = list;
                                        x509Certificate3 = x509Certificate;
                                        size = i2;
                                        findTrustAnchor = trustAnchor2;
                                        str3 = str;
                                    } catch (IllegalArgumentException e2) {
                                        StringBuffer stringBuffer6 = new StringBuffer();
                                        stringBuffer6.append(x509Certificate.getSubjectDN().getName());
                                        stringBuffer6.append(str);
                                        stringBuffer6.append(e2.toString());
                                        throw new CertPathBuilderException(stringBuffer6.toString());
                                    }
                                } catch (Exception e3) {
                                    // As written in this listing, this handler also catches the
                                    // CertPathValidatorException instances thrown inside the try above
                                    // (policy, critical-extension, basic-constraints and key-usage failures)
                                    // and re-wraps them under this message, keeping the original as the
                                    // cause. Validation still fails; inspect getCause() for the real reason.
                                    throw new CertPathValidatorException("exception throw while parsing policy extension: ", e3, certPath, i);
                                }
                            } catch (IllegalArgumentException e4) {
                                StringBuffer stringBuffer7 = new StringBuffer();
                                stringBuffer7.append(x509Certificate.getIssuerDN().getName());
                                stringBuffer7.append(str);
                                stringBuffer7.append(e4.toString());
                                throw new CertPathBuilderException(stringBuffer7.toString());
                            }
                        } catch (Exception e5) {
                            // Catch-all for the per-certificate checks: every failure raised in the loop
                            // body, including the specific CertPathValidatorExceptions above, leaves here
                            // wrapped in this generic message with the original as the cause.
                            // Decompiler residue: "e" is not declared anywhere in this listing.
                            e = e5;
                            throw new CertPathValidatorException("Exception thrown while doing CertPath validation", e, certPath, i);
                        }
                    }
                    // Success: all certificates passed. x509Certificate is the last one processed
                    // (index 0, the target); r6 was only ever assigned a null/zero value above.
                    return new PKIXCertPathValidatorResult(findTrustAnchor, r6, x509Certificate.getPublicKey());
                } catch (CertPathValidatorException e6) {
                    throw e6;
                }
            } catch (Exception e7) {
                // NOTE(review): decompiler residue. This handler neither throws nor returns and
                // assigns the undeclared "e"; the original control flow for this path cannot be
                // recovered from the listing. Confirm against the upstream source that this
                // path rejects the certification path.
                e = e7;
                i = 0;
            }
        } catch (IllegalArgumentException e8) {
            // "a.a" is an obfuscated helper imported from d.c.a.a.a; it returns a StringBuffer,
            // presumably seeded with the given prefix - TODO confirm. Only e8.toString() is kept,
            // so the original exception is not attached as the cause.
            StringBuffer a2 = a.a("TrustAnchor subjectDN: ");
            a2.append(e8.toString());
            throw new CertPathValidatorException(a2.toString());
        }
    }
}
