package ru.CryptoPro.reprov.certpath;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import ru.CryptoPro.JCP.tools.CertReader.Extension;
import ru.CryptoPro.JCP.tools.JCPLogger;
import ru.CryptoPro.reprov.cl_9;
import ru.CryptoPro.reprov.x509.AccessDescription;
import ru.CryptoPro.reprov.x509.AuthorityInfoAccessExtension;
import ru.CryptoPro.reprov.x509.PKIXExtensions;
import ru.CryptoPro.reprov.x509.X500Name;
import ru.CryptoPro.reprov.x509.X500Principal;
import ru.CryptoPro.reprov.x509.X509CertImpl;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
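/**
 * Certification-path builder that collects and checks candidate certificates for a
 * {@link ForwardState} (decompiled listing; most identifiers are obfuscated).
 *
 * <p>The method names quoted in the log strings ({@code getMatchingEECerts},
 * {@code getMatchingCACerts}, {@code getMatchingCerts}, {@code verifyCert}) are the only
 * readable names the listing preserves; they are used in the comments below.
 *
 * <p>Inherited members used here ({@code this.a}, {@code this.c}, {@code this.d},
 * {@code Builder.e}, {@code a()}, {@code a(selector, list, collection, boolean)}) are declared in
 * {@code Builder}, which is not shown. From the calls made on it, {@code this.a} presumably holds
 * the {@link PKIXBuilderParameters} and {@code this.d} the target selector; confirm in
 * {@code Builder}.
 */
public class ForwardBuilder extends Builder {
    // Trust anchor that terminated the path; set by a(X509Certificate) when it returns true.
    TrustAnchor f;
    // Certificates carried by the configured trust anchors.
    private final Set<X509Certificate> g;
    // Subject names of the trusted certificates, plus CA names of name/key-only anchors.
    private final Set<X500Principal> h;
    // The trust anchors exactly as returned by the builder parameters.
    private final Set<TrustAnchor> i;
    // Lazily created selector for end-entity candidates.
    private X509CertSelector j;
    // Lazily created selector for CA candidates on non-initial steps.
    private X509CertSelector k;
    // Lazily created selector for the initial step when the target itself may be a CA.
    private X509CertSelector l;
    // Orders candidates so that issuers closest to a trusted name are tried first.
    private final Comparator<X509Certificate> m;
    // Forwarded to the inherited store lookup; when false, lookups stop at the first match.
    private final boolean n;
    // Fourth argument of the CrlRevocationChecker constructor; its meaning is not visible here.
    private final boolean o;

    /**
     * Ranks candidate certificates by how their issuer name relates to the trusted subject names.
     *
     * <p>The ordering is deliberately not a strict comparator: apart from {@code equals()}
     * certificates it never returns 0 (the final "RETURN 0" log line is followed by
     * {@code return -1}). A {@link TreeSet} treats a 0 result as a duplicate, so returning 0 for
     * distinct certificates would silently drop candidates from the result of the matching step.
     */
    /* loaded from: classes5.dex */
    class PKIXCertComparator implements Comparator<X509Certificate> {
        private final Set<X500Principal> trustedSubjectNames;

        PKIXCertComparator(Set<X500Principal> set) {
            this.trustedSubjectNames = set;
        }

        /**
         * Compares two candidates; a negative result means the first one is preferred.
         *
         * <p>Tests are applied in order: issuer is a trusted name, issuer is a naming descendant
         * of a trusted name, issuer is a naming ancestor, issuer shares a namespace with a
         * trusted name, and finally the subject-to-issuer distance of each certificate.
         * {@code Builder.a(...)} and {@code Builder.b(...)} are logged as "distance" and "hops";
         * their exact definitions live in {@code Builder}.
         */
        @Override // java.util.Comparator
        public int compare(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
            if (x509Certificate.equals(x509Certificate2)) {
                return 0;
            }
            X500Principal issuer1 = new X500Principal(x509Certificate.getIssuerX500Principal().getEncoded());
            X500Principal issuer2 = new X500Principal(x509Certificate2.getIssuerX500Principal().getEncoded());
            X500Name issuerName1 = X500Name.asX500Name(issuer1);
            X500Name issuerName2 = X500Name.asX500Name(issuer2);
            JCPLogger.finerFormat("{0} o1 Issuer: {1}", "PKIXCertComparator.compare()", issuer1);
            JCPLogger.finerFormat("{0} o2 Issuer: {1}", "PKIXCertComparator.compare()", issuer2);
            JCPLogger.finer("PKIXCertComparator.compare()", " MATCH TRUSTED SUBJECT TEST...");
            boolean trusted1 = this.trustedSubjectNames.contains(issuer1);
            boolean trusted2 = this.trustedSubjectNames.contains(issuer2);
            JCPLogger.finerFormat("{0} m1: {1}", "PKIXCertComparator.compare()", Boolean.valueOf(trusted1));
            JCPLogger.finerFormat("{0} m2: {1}", "PKIXCertComparator.compare()", Boolean.valueOf(trusted2));
            // The first certificate wins whenever its issuer is trusted, including a tie.
            if (trusted1) {
                return -1;
            }
            if (trusted2) {
                return 1;
            }
            JCPLogger.finer("PKIXCertComparator.compare()", " NAMING DESCENDANT TEST...");
            for (X500Principal trusted : this.trustedSubjectNames) {
                X500Name trustedName = X500Name.asX500Name(trusted);
                int distanceTto1 = Builder.a(trustedName, issuerName1, -1);
                int distanceTto2 = Builder.a(trustedName, issuerName2, -1);
                JCPLogger.finerFormat("{0} distanceTto1: {1}", "PKIXCertComparator.compare()", Integer.valueOf(distanceTto1));
                JCPLogger.finerFormat("{0} distanceTto2 {1}", "PKIXCertComparator.compare()", Integer.valueOf(distanceTto2));
                if (distanceTto1 > 0 || distanceTto2 > 0) {
                    if (distanceTto1 == distanceTto2) {
                        return -1;
                    }
                    if (distanceTto1 > 0 && distanceTto2 <= 0) {
                        return -1;
                    }
                    if (distanceTto1 <= 0 && distanceTto2 > 0) {
                        return 1;
                    }
                    // Both positive: the smaller distance is preferred.
                    return distanceTto1 < distanceTto2 ? -1 : 1;
                }
            }
            JCPLogger.finer("PKIXCertComparator.compare()", " NAMING ANCESTOR TEST...");
            for (X500Principal trusted : this.trustedSubjectNames) {
                X500Name trustedName = X500Name.asX500Name(trusted);
                int distanceTto1 = Builder.a(trustedName, issuerName1, Integer.MAX_VALUE);
                int distanceTto2 = Builder.a(trustedName, issuerName2, Integer.MAX_VALUE);
                JCPLogger.finerFormat("{0} distanceTto1: {1}", "PKIXCertComparator.compare()", Integer.valueOf(distanceTto1));
                JCPLogger.finerFormat("{0} distanceTto2 {1}", "PKIXCertComparator.compare()", Integer.valueOf(distanceTto2));
                if (distanceTto1 < 0 || distanceTto2 < 0) {
                    if (distanceTto1 == distanceTto2) {
                        return -1;
                    }
                    if (distanceTto1 < 0 && distanceTto2 >= 0) {
                        return -1;
                    }
                    if (distanceTto1 >= 0 && distanceTto2 < 0) {
                        return 1;
                    }
                    // Both negative: the value closer to zero is preferred.
                    return distanceTto1 > distanceTto2 ? -1 : 1;
                }
            }
            JCPLogger.finer("PKIXCertComparator.compare()", " SAME NAMESPACE AS TRUSTED TEST...");
            for (X500Principal trusted : this.trustedSubjectNames) {
                X500Name trustedName = X500Name.asX500Name(trusted);
                X500Name tAo1 = trustedName.commonAncestor(issuerName1);
                X500Name tAo2 = trustedName.commonAncestor(issuerName2);
                JCPLogger.finerFormat("{0} tAo1: {1}", "PKIXCertComparator.compare()", String.valueOf(tAo1));
                JCPLogger.finerFormat("{0} tAo2 {1}", "PKIXCertComparator.compare()", String.valueOf(tAo2));
                if (tAo1 != null || tAo2 != null) {
                    if (tAo1 == null || tAo2 == null) {
                        // Only one issuer shares an ancestor with this trusted name; it wins.
                        return tAo1 == null ? 1 : -1;
                    }
                    int hopsTto1 = Builder.b(trustedName, issuerName1, Integer.MAX_VALUE);
                    int hopsTto2 = Builder.b(trustedName, issuerName2, Integer.MAX_VALUE);
                    JCPLogger.finerFormat("{0} hopsTto1: {1}", "PKIXCertComparator.compare()", Integer.valueOf(hopsTto1));
                    JCPLogger.finerFormat("{0} hopsTto2 {1}", "PKIXCertComparator.compare()", Integer.valueOf(hopsTto2));
                    if (hopsTto1 != hopsTto2) {
                        return hopsTto1 > hopsTto2 ? 1 : -1;
                    }
                }
            }
            JCPLogger.finer("PKIXCertComparator.compare()", " CERT ISSUER/SUBJECT COMPARISON TEST...");
            X500Principal subject1 = new X500Principal(x509Certificate.getSubjectX500Principal().getEncoded());
            X500Principal subject2 = new X500Principal(x509Certificate2.getSubjectX500Principal().getEncoded());
            X500Name subjectName1 = X500Name.asX500Name(subject1);
            X500Name subjectName2 = X500Name.asX500Name(subject2);
            JCPLogger.finerFormat("{0} o1 Subject: {1}", "PKIXCertComparator.compare()", subject1);
            JCPLogger.finerFormat("{0} o2 Subject {1}", "PKIXCertComparator.compare()", subject2);
            int distanceStoI1 = Builder.a(subjectName1, issuerName1, Integer.MAX_VALUE);
            int distanceStoI2 = Builder.a(subjectName2, issuerName2, Integer.MAX_VALUE);
            JCPLogger.finerFormat("{0} distanceStoI1: {1}", "PKIXCertComparator.compare()", Integer.valueOf(distanceStoI1));
            JCPLogger.finerFormat("{0} distanceStoI2 {1}", "PKIXCertComparator.compare()", Integer.valueOf(distanceStoI2));
            if (distanceStoI2 > distanceStoI1) {
                return -1;
            }
            if (distanceStoI2 < distanceStoI1) {
                return 1;
            }
            JCPLogger.finer("PKIXCertComparator.compare()", " no tests matched; RETURN 0");
            // Intentionally -1 despite the log text: 0 would make a TreeSet discard the candidate.
            return -1;
        }
    }

    /**
     * Indexes the configured trust anchors and prepares the candidate comparator.
     *
     * @param pKIXBuilderParameters builder parameters; their trust anchors are read here
     * @param x500Principal passed through to the {@code Builder} constructor
     * @param z stored in {@code n}; when false, candidate lookups stop at the first match
     * @param z2 stored in {@code o} and handed to {@code CrlRevocationChecker}
     * @throws IOException declared by the listing; presumably raised while re-encoding names
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public ForwardBuilder(PKIXBuilderParameters pKIXBuilderParameters, X500Principal x500Principal, boolean z, boolean z2) throws IOException {
        super(pKIXBuilderParameters, x500Principal);
        Set<TrustAnchor> trustAnchors = pKIXBuilderParameters.getTrustAnchors();
        this.i = trustAnchors;
        this.g = new HashSet<X509Certificate>(trustAnchors.size());
        this.h = new HashSet<X500Principal>(trustAnchors.size());
        for (TrustAnchor trustAnchor : trustAnchors) {
            X509Certificate trustedCert = trustAnchor.getTrustedCert();
            if (trustedCert != null) {
                this.g.add(trustedCert);
                if (trustedCert.getSubjectX500Principal() != null) {
                    this.h.add(new X500Principal(trustedCert.getSubjectX500Principal().getEncoded()));
                }
            } else if (trustAnchor.getCA() != null) {
                // Anchor given as name + key only: there is no certificate to index, just the name.
                this.h.add(new X500Principal(trustAnchor.getCA().getEncoded()));
            }
        }
        this.m = new PKIXCertComparator(this.h);
        this.n = z;
        this.o = z2;
    }

    /**
     * Adds end-entity candidates to {@code collection} ("getMatchingEECerts" in the log).
     *
     * <p>The selector is a clone of the inherited target selector {@code this.d} with the
     * validity time {@code this.c} applied and basic constraints set to -2, which in the standard
     * {@code X509CertSelector} contract means "end-entity certificates only".
     */
    private void a(ForwardState forwardState, List list, Collection collection) throws IOException {
        JCPLogger.finer("ForwardBuilder.getMatchingEECerts()...");
        if (this.j == null) {
            X509CertSelector x509CertSelector = (X509CertSelector) this.d.clone();
            this.j = x509CertSelector;
            x509CertSelector.setCertificateValid(this.c);
            if (this.a.isExplicitPolicyRequired()) {
                this.j.setPolicy(a());
            }
            this.j.setBasicConstraints(-2);
        }
        a(this.j, list, collection, this.n);
    }

    /**
     * Fetches issuer candidates from the locations named in an Authority Information Access
     * extension and adds those matching selector {@code k} to {@code collection}.
     *
     * <p>NOTE(review): the caller passes the AIA extension of {@code forwardState.b}, a
     * certificate that has not been chained to a trust anchor at this point, so certificate
     * content decides which remote locations are contacted. The feature is gated by
     * {@code Builder.e}; which schemes, timeouts and size limits {@code URICertStore} applies is
     * not visible here and should be confirmed before enabling it. Fetched certificates are only
     * candidates and still go through {@code verifyCert}.
     *
     * @return true if at least one certificate was added
     */
    private boolean a(AuthorityInfoAccessExtension authorityInfoAccessExtension, Collection collection) {
        boolean z = false;
        if (!Builder.e) {
            return false;
        }
        List accessDescriptions = authorityInfoAccessExtension.getAccessDescriptions();
        if (accessDescriptions != null && !accessDescriptions.isEmpty()) {
            Iterator it = accessDescriptions.iterator();
            while (it.hasNext()) {
                CertStore a = URICertStore.a((AccessDescription) it.next());
                if (a != null) {
                    try {
                        if (collection.addAll(a.getCertificates(this.k))) {
                            z = true;
                            if (!this.n) {
                                return true;
                            }
                        } else {
                            continue;
                        }
                    } catch (CertStoreException e) {
                        // Best effort: an unreachable or failing location must not abort the build.
                        JCPLogger.subThrown("exception getting certs from CertStore:", e);
                    }
                }
            }
        }
        return z;
    }

    /**
     * Adds CA candidates to {@code collection} ("getMatchingCACerts" in the log).
     *
     * <p>Sources are tried in this order: certificates of the trust anchors, the stores searched
     * by the inherited {@code a(selector, list, collection, boolean)}, and finally AIA locations.
     * When {@code n} is false the method returns as soon as one source yields a candidate.
     *
     * <p>{@code forwardState.a} is used as the required subject of the candidate and
     * {@code forwardState.d} as the minimum basic-constraints value and as the value compared with
     * the maximum path length; presumably these are the issuer of the last certificate and the
     * number of CA certificates traversed. Confirm in {@code ForwardState}.
     */
    private void b(ForwardState forwardState, List list, Collection collection) throws IOException {
        X509CertSelector x509CertSelector;
        X509CertSelector x509CertSelector2;
        AuthorityInfoAccessExtension authorityInfoAccessExtension;
        JCPLogger.finer("ForwardBuilder.getMatchingCACerts()...");
        int size = collection.size();
        if (!forwardState.isInitial()) {
            if (this.k == null) {
                X509CertSelector x509CertSelector3 = new X509CertSelector();
                this.k = x509CertSelector3;
                x509CertSelector3.setCertificateValid(this.c);
                if (this.a.isExplicitPolicyRequired()) {
                    this.k.setPolicy(a());
                }
            }
            this.k.setSubject(forwardState.a.getEncoded());
            CertPathHelper.b(this.k, forwardState.c);
            this.k.setBasicConstraints(forwardState.d);
            x509CertSelector = this.k;
        } else {
            // Target selector restricted to end entities: no CA certificate can be the target.
            if (this.d.getBasicConstraints() == -2) {
                return;
            }
            JCPLogger.finer("ForwardBuilder.getMatchingCACerts(): ca is target");
            if (this.l == null) {
                X509CertSelector x509CertSelector4 = (X509CertSelector) this.d.clone();
                this.l = x509CertSelector4;
                x509CertSelector4.setCertificateValid(this.c);
                if (this.a.isExplicitPolicyRequired()) {
                    this.l.setPolicy(a());
                }
            }
            this.l.setBasicConstraints(forwardState.d);
            x509CertSelector = this.l;
        }
        // Trust-anchor certificates are matched on the target selector or on subject name alone,
        // without the validity, policy and basic-constraints criteria set above.
        if (forwardState.isInitial()) {
            x509CertSelector2 = this.d;
        } else {
            x509CertSelector2 = new X509CertSelector();
            x509CertSelector2.setSubject(forwardState.a.getEncoded());
        }
        for (X509Certificate x509Certificate : this.g) {
            if (x509CertSelector2.match(x509Certificate)) {
                JCPLogger.finer("ForwardBuilder.getMatchingCACerts: found matching trust anchor");
                if (collection.add(x509Certificate) && !this.n) {
                    return;
                }
            }
        }
        // Search the stores only while the path-length budget allows another CA certificate
        // (-1 means no limit).
        if ((forwardState.isInitial() || this.a.getMaxPathLength() == -1 || this.a.getMaxPathLength() > forwardState.d) && a(x509CertSelector, list, collection, this.n) && !this.n) {
            return;
        }
        if (!forwardState.isInitial() && Builder.e && (authorityInfoAccessExtension = forwardState.b.getAuthorityInfoAccessExtension()) != null) {
            a(authorityInfoAccessExtension, collection);
        }
        JCPLogger.finerFormat("ForwardBuilder.getMatchingCACerts: found {0} CA certs", Integer.valueOf(collection.size() - size));
    }

    /**
     * Returns the candidates for the next step, ordered by {@link PKIXCertComparator}
     * ("getMatchingCerts" in the log). End-entity candidates are collected only in the initial
     * state; CA candidates are collected in every state.
     *
     * @param state must be a {@link ForwardState}
     * @param list passed through to the inherited store lookup
     * @return a {@link TreeSet} of candidate certificates
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public Collection a(State state, List list) throws CertStoreException, CertificateException, IOException {
        JCPLogger.finer("ForwardBuilder.getMatchingCerts()...");
        ForwardState forwardState = (ForwardState) state;
        TreeSet<X509Certificate> treeSet = new TreeSet<X509Certificate>(this.m);
        if (forwardState.isInitial()) {
            a(forwardState, list, treeSet);
        }
        b(forwardState, list, treeSet);
        return treeSet;
    }

    /** Adds {@code x509Certificate} at the head of the path under construction. */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public void a(X509Certificate x509Certificate, LinkedList linkedList) {
        linkedList.addFirst(x509Certificate);
    }

    /**
     * Checks whether a candidate may be added to the path ("verifyCert" in the log).
     *
     * <p>Checks, in order: the state's checker {@code e}; loop detection against {@code list};
     * for certificates that are not trust-anchor certificates, the state's path checkers and the
     * unrecognized-critical-extension test; then, for non-initial states, the CA
     * basic-constraints test, {@code KeyChecker}, the CRL check and the signature of
     * {@code forwardState.b} under the candidate's public key.
     *
     * <p>Review points a caller should know:
     * <ul>
     *   <li>Certificates contained in the trust-anchor set skip the critical-extension, CA and
     *       {@code KeyChecker} tests.</li>
     *   <li>The CRL check and the signature check are both skipped while
     *       {@code forwardState.keyParamsNeeded()} is true; presumably they are deferred until
     *       key parameters are available, which should be confirmed in the caller.</li>
     *   <li>The CRL check also depends on {@code CrlRevocationChecker.a(cert)}, whose meaning is
     *       not visible here.</li>
     * </ul>
     *
     * @param x509Certificate the candidate
     * @param state must be a {@link ForwardState}
     * @param list certificates already in the path, or null
     * @throws GeneralSecurityException if any check fails
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public void a(X509Certificate x509Certificate, State state, List list) throws GeneralSecurityException {
        Collection<?> supportedExtensions;
        JCPLogger.finer("ForwardBuilder.verifyCert(SN: " + x509Certificate.getSerialNumber() + "\n  Issuer: " + x509Certificate.getIssuerX500Principal() + ")\n  Subject: " + x509Certificate.getSubjectX500Principal() + Extension.C_BRAKE);
        ForwardState forwardState = (ForwardState) state;
        forwardState.e.check(x509Certificate, Collections.emptySet());
        if (list != null) {
            Iterator it = list.iterator();
            boolean z = false;
            while (it.hasNext()) {
                X509Certificate x509Certificate2 = (X509Certificate) it.next();
                if (X509CertImpl.toImpl(x509Certificate2).getPolicyMappingsExtension() != null) {
                    z = true;
                }
                JCPLogger.finer("policyMappingFound = ", Boolean.valueOf(z));
                // A repeated certificate is a loop unless a policy mapping was seen on the way
                // and policy mapping is not inhibited.
                if (x509Certificate.equals(x509Certificate2) && (this.a.isPolicyMappingInhibited() || !z)) {
                    JCPLogger.finer("loop detected!!");
                    throw new CertPathValidatorException("loop detected");
                }
            }
        }
        boolean contains = this.g.contains(x509Certificate);
        if (!contains) {
            Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
            if (criticalExtensionOIDs == null) {
                criticalExtensionOIDs = Collections.emptySet();
            }
            Iterator it2 = forwardState.f.iterator();
            while (it2.hasNext()) {
                ((PKIXCertPathChecker) it2.next()).check(x509Certificate, criticalExtensionOIDs);
            }
            // Checkers that cannot run in the forward direction run later; extensions they
            // declare as supported must not be reported as unrecognized here.
            for (PKIXCertPathChecker pKIXCertPathChecker : this.a.getCertPathCheckers()) {
                if (!pKIXCertPathChecker.isForwardCheckingSupported() && (supportedExtensions = pKIXCertPathChecker.getSupportedExtensions()) != null) {
                    criticalExtensionOIDs.removeAll(supportedExtensions);
                }
            }
            if (!criticalExtensionOIDs.isEmpty()) {
                // Extensions removed here are treated as recognized at this stage.
                criticalExtensionOIDs.remove(PKIXExtensions.BasicConstraints_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.NameConstraints_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.CertificatePolicies_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.PolicyMappings_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.PolicyConstraints_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.InhibitAnyPolicy_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.SubjectAlternativeName_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.KeyUsage_Id.toString());
                criticalExtensionOIDs.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
                if (!criticalExtensionOIDs.isEmpty()) {
                    String str = "Unrecognized critical extension(s): " + criticalExtensionOIDs;
                    JCPLogger.fine(str);
                    // cl_9.a() only selects the exception type; both branches reject the cert.
                    if (!cl_9.a()) {
                        throw new CertificateException(str);
                    }
                    throw new CertPathValidatorException(str, null, null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT);
                }
            }
        }
        if (forwardState.isInitial()) {
            return;
        }
        if (!contains) {
            // getBasicConstraints() returns -1 for a certificate that is not a CA.
            if (x509Certificate.getBasicConstraints() == -1) {
                throw new CertificateException("cert is NOT a CA cert");
            }
            KeyChecker.a(x509Certificate);
        }
        if (this.a.isRevocationEnabled() && CrlRevocationChecker.a(x509Certificate) && !forwardState.keyParamsNeeded()) {
            forwardState.crlChecker.check(forwardState.b, x509Certificate.getPublicKey(), true);
        }
        if (forwardState.keyParamsNeeded()) {
            return;
        }
        try {
            forwardState.b.verify(x509Certificate.getPublicKey(), this.a.getSigProvider());
        } catch (Exception e) {
            throw new GeneralSecurityException(e);
        }
    }

    /** Removes the certificate at the head of the path under construction. */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public void a(LinkedList linkedList) {
        linkedList.removeFirst();
    }

    /**
     * Decides whether {@code x509Certificate} terminates the path at one of the trust anchors,
     * and records the matching anchor in {@code f}.
     *
     * <p>An anchor matches when (a) its trusted certificate equals the candidate, (b) it is a
     * name/key anchor whose name and key equal the candidate's subject and public key, or (c) it
     * is a name/key anchor that issued the candidate: the names chain, the revocation check
     * passes when revocation is enabled, and the candidate's signature verifies under the
     * anchor's key.
     *
     * <p>In the decompiled listing a {@link CertPathValidatorException} from the revocation check
     * was logged and execution then fell through to the signature check, so a certificate that
     * failed the revocation check could still complete the path. A failed revocation check now
     * disqualifies the anchor. NOTE(review): the fall-through may be a decompiler artifact (the
     * handlers were visibly merged in the listing); compare against the compiled class.
     *
     * @return true if a trust anchor matched
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public boolean a(X509Certificate x509Certificate) {
        for (TrustAnchor trustAnchor : this.i) {
            X509Certificate trustedCert = trustAnchor.getTrustedCert();
            if (trustedCert != null) {
                if (x509Certificate.equals(trustedCert)) {
                    this.f = trustAnchor;
                    return true;
                }
                continue;
            }
            javax.security.auth.x500.X500Principal ca = trustAnchor.getCA();
            PublicKey cAPublicKey = trustAnchor.getCAPublicKey();
            if (ca != null && cAPublicKey != null && ca.equals(x509Certificate.getSubjectX500Principal()) && cAPublicKey.equals(x509Certificate.getPublicKey())) {
                // The candidate itself carries the anchor's name and key.
                this.f = trustAnchor;
                return true;
            }
            if (ca == null || !ca.equals(x509Certificate.getIssuerX500Principal())) {
                continue;
            }
            if (this.a.isRevocationEnabled()) {
                try {
                    new CrlRevocationChecker(trustAnchor, this.a, null, this.o).check(x509Certificate, trustAnchor.getCAPublicKey(), true);
                } catch (CertPathValidatorException e) {
                    // Revoked or undetermined status: this anchor cannot complete the path.
                    JCPLogger.ignoredException(e);
                    continue;
                }
            }
            try {
                x509Certificate.verify(trustAnchor.getCAPublicKey(), this.a.getSigProvider());
            } catch (Exception e) {
                // Signature does not verify under this anchor's key; try the next anchor.
                JCPLogger.ignoredException(e);
                continue;
            }
            this.f = trustAnchor;
            return true;
        }
        return false;
    }
}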
