package ru.CryptoPro.sspiSSL.pc_3;

import java.io.IOException;
import java.security.AlgorithmConstraints;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import ru.CryptoPro.reprov.array.DerInputStream;
import ru.CryptoPro.reprov.array.DerValue;
import ru.CryptoPro.reprov.array.ObjectIdentifier;
import ru.CryptoPro.reprov.x509.NetscapeCertTypeExtension;
import ru.CryptoPro.reprov.x509.X509CertImpl;

/* loaded from: classes5.dex */
/**
 * Certificate-chain validator registered with the superclass under the type name "Simple".
 *
 * <p>It keeps a set of caller-supplied certificates, indexes the accepted ones by subject
 * name, and validates a presented chain by walking it from the trust anchor down to the leaf:
 * issuer/subject name chaining, signature, validity date and, for intermediates, the
 * CA-related extensions.
 *
 * <p>NOTE(review): this is JADX decompiler output with obfuscated identifiers. The overall
 * structure resembles the JDK's sun.security.validator.SimpleValidator; confirm before relying
 * on that. The fields {@code s} and {@code u} read below are not declared in this class and are
 * presumably inherited from {@code cl_5}; {@code s} is compared against variant names such as
 * "tls server" and {@code u} is used as an optional validation date.
 */
public final class cl_4 extends cl_5 {
    // OID 2.5.29.19: X.509 basicConstraints extension.
    static final String a = "2.5.29.19";
    // OID 2.16.840.1.113730.1.1: Netscape certificate-type extension.
    static final String b = "2.16.840.1.113730.1.1";
    // OID 2.5.29.15: X.509 keyUsage extension (the code below uses the literal inline).
    static final String c = "2.5.29.15";
    // OID 2.5.29.37: X.509 extendedKeyUsage extension (the code below uses the literal inline).
    static final String d = "2.5.29.37";
    // OID 2.5.29.37.0: anyExtendedKeyUsage; not referenced anywhere in this class.
    static final String e = "2.5.29.37.0";
    // ObjectIdentifier form of the Netscape cert-type extension id, used for X509CertImpl lookups.
    static final ObjectIdentifier f = NetscapeCertTypeExtension.NetscapeCertType_Id;
    // Netscape cert-type bit names; the methods below repeat these literals instead of using the constants.
    private static final String v = "ssl_ca";
    private static final String w = "object_signing_ca";
    // Subject principal -> List of the certificates from y that carry that subject.
    private final Map x;
    // Certificates accepted by cl_3.a(cert, null) in the constructor; these are the trust-anchor candidates.
    private final Collection y;
    // Every certificate handed to the constructor; written there and never read in this class.
    private final Collection z;

    /**
     * Builds the validator from a collection of certificates.
     *
     * <p>Every element is cast to X509Certificate and stored in {@code z}. Elements for which
     * {@code cl_3.a(cert, null)} returns true are also stored in {@code y} and indexed by
     * subject principal in {@code x}; only {@code y} and {@code x} are consulted by the rest of
     * this class.
     *
     * <p>NOTE(review): {@code cl_3.a(X509Certificate, String)} is not visible here. It decides
     * which certificates can become trust anchors, so it must be reviewed together with this class.
     *
     * @param str second argument of the superclass constructor; presumably the variant later
     *            read as {@code this.s} (confirm in cl_5)
     * @param collection candidate certificates; an element that is not an X509Certificate makes
     *            the cast below throw ClassCastException
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public cl_4(String str, Collection collection) {
        super("Simple", str);
        this.z = new HashSet();
        this.y = new HashSet();
        Iterator it = collection.iterator();
        while (it.hasNext()) {
            X509Certificate x509Certificate = (X509Certificate) it.next();
            // Only certificates that pass the cl_3 filter become trust-anchor candidates.
            if (cl_3.a(x509Certificate, (String) null)) {
                this.y.add(x509Certificate);
            }
            this.z.add(x509Certificate);
        }
        this.x = new HashMap();
        // Several trusted certificates may share one subject name, hence a list per principal.
        for (X509Certificate x509Certificate2 : this.y) {
            X500Principal subjectX500Principal = x509Certificate2.getSubjectX500Principal();
            List list = (List) this.x.get(subjectX500Principal);
            if (list == null) {
                list = new ArrayList(2);
                this.x.put(subjectX500Principal, list);
            }
            list.add(x509Certificate2);
        }
    }

    /**
     * Runs the CA checks on one intermediate certificate and returns the remaining path length.
     *
     * <p>Each helper removes the critical-extension OIDs it handles from a working set. Whatever
     * is left afterwards is a critical extension this validator does not understand, and the
     * certificate is rejected.
     *
     * @param x509Certificate certificate acting as a CA in the chain
     * @param i path length still allowed before this certificate is taken into account
     * @return path length allowed below this certificate
     * @throws CertificateException if a check fails or an unhandled critical extension remains
     */
    private int a(X509Certificate x509Certificate, int i) throws CertificateException {
        Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
        // A null result is replaced by an empty set so the helpers need no null checks.
        if (criticalExtensionOIDs == null) {
            criticalExtensionOIDs = Collections.emptySet();
        }
        int a2 = a(x509Certificate, criticalExtensionOIDs, i);
        b(x509Certificate, criticalExtensionOIDs);
        a(x509Certificate, criticalExtensionOIDs);
        if (criticalExtensionOIDs.isEmpty()) {
            return a2;
        }
        throw new cl_6("Certificate contains unknown critical extensions: " + criticalExtensionOIDs, cl_6.c, x509Certificate);
    }

    /**
     * Enforces basicConstraints and the path-length budget for a CA certificate.
     *
     * @param x509Certificate certificate acting as a CA in the chain
     * @param set working set of critical-extension OIDs; basicConstraints is removed from it
     * @param i path length still allowed
     * @return the smaller of the (possibly decremented) budget and the certificate's own
     *         path-length constraint
     * @throws CertificateException if the certificate is not a CA or the budget is exhausted
     */
    private int a(X509Certificate x509Certificate, Set set, int i) throws CertificateException {
        set.remove(a);
        // getBasicConstraints() is negative when the certificate is not marked as a CA.
        int basicConstraints = x509Certificate.getBasicConstraints();
        if (basicConstraints < 0) {
            throw new cl_6("End user tried to act as a CA", cl_6.c, x509Certificate);
        }
        // NOTE(review): cl_3.a(X509Certificate) is not visible here; certificates for which it
        // returns true do not consume path length. Presumably a self-issued test; confirm.
        if (!cl_3.a(x509Certificate)) {
            if (i <= 0) {
                throw new cl_6("Violated path length constraints", cl_6.c, x509Certificate);
            }
            i--;
        }
        return i > basicConstraints ? basicConstraints : i;
    }

    /**
     * Looks up the trusted counterpart of a presented certificate.
     *
     * <p>Candidates are the indexed certificates with the same subject principal. An equal
     * certificate returns the presented object itself. Otherwise a candidate with the same
     * issuer principal and public key is returned in place of the presented certificate, which
     * means the trusted copy (with its own extensions and validity period) is what ends up in
     * the rebuilt chain.
     *
     * @param x509Certificate certificate taken from the presented chain
     * @return the matching trusted certificate, or null if none matches
     */
    private X509Certificate a(X509Certificate x509Certificate) {
        List<X509Certificate> list = (List) this.x.get(x509Certificate.getSubjectX500Principal());
        if (list == null) {
            return null;
        }
        X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal();
        PublicKey publicKey = x509Certificate.getPublicKey();
        for (X509Certificate x509Certificate2 : list) {
            if (x509Certificate2.equals(x509Certificate)) {
                return x509Certificate;
            }
            // Same subject (map key), issuer and key: treated as the same trust anchor.
            if (x509Certificate2.getIssuerX500Principal().equals(issuerX500Principal) && x509Certificate2.getPublicKey().equals(publicKey)) {
                return x509Certificate2;
            }
        }
        return null;
    }

    /**
     * Checks the Netscape cert-type extension of a CA certificate against the variant in
     * {@code this.s}.
     *
     * <p>"tls client" and "tls server" require the ssl_ca bit, "code signing" and "jce signing"
     * require the object_signing_ca bit, and any other variant except "generic" is rejected.
     * For "generic" the method returns before removing the extension OID from {@code set}, so a
     * critical Netscape cert-type extension is then reported by the caller as an unknown
     * critical extension.
     *
     * @param x509Certificate certificate acting as a CA in the chain
     * @param set working set of critical-extension OIDs; the Netscape cert-type OID is removed
     *            once the check passes
     * @throws CertificateException if the required bit is missing or the variant is unknown
     */
    private void a(X509Certificate x509Certificate, Set set) throws CertificateException {
        if (this.s.equals("generic")) {
            return;
        }
        if (this.s.equals("tls client") || this.s.equals("tls server")) {
            if (!a(x509Certificate, "ssl_ca")) {
                throw new cl_6("Invalid Netscape CertType extension for SSL CA certificate", cl_6.c, x509Certificate);
            }
        } else {
            if (!this.s.equals("code signing") && !this.s.equals("jce signing")) {
                throw new CertificateException("Unknown variant " + this.s);
            }
            if (!a(x509Certificate, "object_signing_ca")) {
                throw new cl_6("Invalid Netscape CertType extension for code signing CA certificate", cl_6.c, x509Certificate);
            }
        }
        set.remove(b);
    }

    /**
     * Reports whether the named bit of the certificate's Netscape cert-type extension is set.
     *
     * <p>A certificate without the extension is accepted (returns true). An extension that
     * cannot be decoded (IOException) is rejected (returns false).
     *
     * @param x509Certificate certificate to inspect
     * @param str name of the cert-type bit, for example "ssl_ca"
     * @return true if the extension is absent or the bit is set, false otherwise
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean a(X509Certificate x509Certificate, String str) {
        NetscapeCertTypeExtension netscapeCertTypeExtension;
        try {
            if (x509Certificate instanceof X509CertImpl) {
                // The provider's own implementation exposes the parsed extension directly.
                netscapeCertTypeExtension = (NetscapeCertTypeExtension) ((X509CertImpl) x509Certificate).getExtension(f);
                if (netscapeCertTypeExtension == null) {
                    return true;
                }
            } else {
                byte[] extensionValue = x509Certificate.getExtensionValue(b);
                if (extensionValue == null) {
                    return true;
                }
                // getExtensionValue returns the value wrapped in a DER OCTET STRING; unwrap it
                // and read the contained BIT STRING.
                netscapeCertTypeExtension = new NetscapeCertTypeExtension(new DerValue(new DerInputStream(extensionValue).getOctetString()).getUnalignedBitString().toByteArray());
            }
            // NOTE(review): only IOException is handled. A null or non-Boolean result from
            // get(str) would surface as a runtime exception instead of a false return.
            return ((Boolean) netscapeCertTypeExtension.get(str)).booleanValue();
        } catch (IOException unused) {
            return false;
        }
    }

    /**
     * Checks the keyUsage extension of a CA certificate.
     *
     * <p>If keyUsage is present, bit 5 (keyCertSign) must be set. A certificate without
     * keyUsage is accepted. The keyUsage and extendedKeyUsage OIDs are both removed from
     * {@code set}; extendedKeyUsage is marked as handled here but its content is not examined.
     *
     * @param x509Certificate certificate acting as a CA in the chain
     * @param set working set of critical-extension OIDs
     * @throws CertificateException if keyUsage is present without keyCertSign
     */
    private void b(X509Certificate x509Certificate, Set set) throws CertificateException {
        set.remove("2.5.29.15");
        set.remove("2.5.29.37");
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null) {
            if (keyUsage.length < 6 || !keyUsage[5]) {
                throw new cl_6("Wrong key usage: expected keyCertSign", cl_6.c, x509Certificate);
            }
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:10:0x001d, code lost:
    
        return (java.security.cert.X509Certificate[]) r5;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Rebuilds the presented chain so that it ends in a trusted certificate.
     *
     * <p>JADX could not decompile this method. As written here it always throws
     * UnsupportedOperationException, so chain validation cannot complete if this listing is
     * compiled as-is.
     *
     * <p>NOTE(review): the instruction dump kept in the body suggests the original logic, to be
     * verified against the bytecode. The chain is copied in order; at the first certificate for
     * which a(X509Certificate) finds a trusted counterpart, that counterpart is appended and the
     * list is returned, dropping the rest of the chain. If no element matches, the issuer
     * principal of the last certificate is looked up in {@code x}; when an entry exists, the
     * first certificate of that list is appended as the anchor without comparing keys, so the
     * later signature check in the caller is what binds the chain to it. Otherwise a
     * {@code cl_6(cl_6.a)} is thrown. The dump also reads a static field {@code cl_4.g} that is
     * not declared in this listing.
     *
     * @param r5 presented certificate chain
     * @return never returns in this decompiled form
     * @throws java.security.cert.CertificateException declared by the original method
     */
    private java.security.cert.X509Certificate[] b(java.security.cert.X509Certificate[] r5) throws java.security.cert.CertificateException {
        /*
            r4 = this;
            java.util.ArrayList r0 = new java.util.ArrayList
            int r1 = r5.length
            r0.<init>(r1)
            r1 = 0
        L7:
            int r2 = r5.length
            if (r1 >= r2) goto L24
            r2 = r5[r1]
            java.security.cert.X509Certificate r3 = r4.a(r2)
            if (r3 == 0) goto L1e
            r0.add(r3)
            java.security.cert.X509Certificate[] r5 = ru.CryptoPro.sspiSSL.pc_3.cl_4.g
            java.lang.Object[] r5 = r0.toArray(r5)
        L1b:
            java.security.cert.X509Certificate[] r5 = (java.security.cert.X509Certificate[]) r5
            return r5
        L1e:
            r0.add(r2)
            int r1 = r1 + 1
            goto L7
        L24:
            int r1 = r5.length
            int r1 = r1 + (-1)
            r5 = r5[r1]
            r5.getSubjectX500Principal()
            javax.security.auth.x500.X500Principal r5 = r5.getIssuerX500Principal()
            java.util.Map r1 = r4.x
            java.lang.Object r5 = r1.get(r5)
            java.util.List r5 = (java.util.List) r5
            if (r5 == 0) goto L4e
            java.util.Iterator r5 = r5.iterator()
            java.lang.Object r5 = r5.next()
            java.security.cert.X509Certificate r5 = (java.security.cert.X509Certificate) r5
            r0.add(r5)
            java.security.cert.X509Certificate[] r5 = ru.CryptoPro.sspiSSL.pc_3.cl_4.g
            java.lang.Object[] r5 = r0.toArray(r5)
            goto L1b
        L4e:
            ru.CryptoPro.sspiSSL.pc_3.cl_6 r5 = new ru.CryptoPro.sspiSSL.pc_3.cl_6
            java.lang.Object r0 = ru.CryptoPro.sspiSSL.pc_3.cl_6.a
            r5.<init>(r0)
            throw r5
        */
        throw new UnsupportedOperationException("Method not decompiled: ru.CryptoPro.sspiSSL.pc_3.cl_4.b(java.security.cert.X509Certificate[]):java.security.cert.X509Certificate[]");
    }

    /**
     * Returns the trust-anchor candidates accepted by the constructor.
     *
     * <p>The internal collection is returned directly, not a copy. A caller that modifies it
     * changes {@code y} without updating the subject index {@code x}.
     *
     * @return the live collection of accepted certificates
     */
    @Override // ru.CryptoPro.sspiSSL.pc_3.cl_5
    public Collection a() {
        return this.y;
    }

    /**
     * Validates a certificate chain against the trusted certificates.
     *
     * <p>The chain is first rebuilt by b(X509Certificate[]) so that its last element is the
     * trust anchor. Each certificate below the anchor is then checked, from the one nearest the
     * anchor down to the leaf: algorithm checks, validity date, issuer/subject name chaining,
     * signature, and for every certificate except the leaf the CA checks.
     *
     * <p>Points a reviewer should keep in mind, all visible in the body:
     * <ul>
     *   <li>The trust anchor itself is never checked for validity date or signature.</li>
     *   <li>If the rebuilt chain has length 1, the loop does not run and the chain is returned
     *       without any check.</li>
     *   <li>The validity date is not checked for the "code signing" and "jce signing"
     *       variants.</li>
     *   <li>The parameters {@code collection} and {@code obj} are not used here.</li>
     * </ul>
     *
     * @param x509CertificateArr presented chain, leaf first
     * @param collection unused in this method
     * @param algorithmConstraints optional constraints; when non-null a second checker is built
     *        from them and applied to every certificate below the anchor
     * @param obj unused in this method
     * @return the rebuilt chain ending in the trust anchor
     * @throws CertificateException if the chain is null or empty, or any check fails
     */
    @Override // ru.CryptoPro.sspiSSL.pc_3.cl_5
    X509Certificate[] a(X509Certificate[] x509CertificateArr, Collection collection, AlgorithmConstraints algorithmConstraints, Object obj) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("null or zero-length certificate chain");
        }
        X509Certificate[] b2 = b(x509CertificateArr);
        // Use the configured validation date if there is one, otherwise the current time.
        Date date = this.u;
        if (date == null) {
            date = new Date();
        }
        // The anchor is the last element of the rebuilt chain; no name constraints are attached.
        TrustAnchor trustAnchor = new TrustAnchor(b2[b2.length - 1], null);
        // NOTE(review): pc_1.cl_0 is not visible here; from its use it looks like a per-certificate
        // algorithm checker. Confirm what it enforces.
        ru.CryptoPro.sspiSSL.pc_1.cl_0 cl_0Var = new ru.CryptoPro.sspiSSL.pc_1.cl_0(trustAnchor, this.s);
        ru.CryptoPro.sspiSSL.pc_1.cl_0 cl_0Var2 = algorithmConstraints != null ? new ru.CryptoPro.sspiSSL.pc_1.cl_0(trustAnchor, algorithmConstraints, null, null, this.s) : null;
        // Path-length budget, starting at the number of certificates below the anchor.
        int length = b2.length - 1;
        for (int length2 = b2.length - 2; length2 >= 0; length2--) {
            // x509Certificate is the issuer, x509Certificate2 the certificate being checked.
            X509Certificate x509Certificate = b2[length2 + 1];
            X509Certificate x509Certificate2 = b2[length2];
            try {
                cl_0Var.check(x509Certificate2, Collections.emptySet());
                if (cl_0Var2 != null) {
                    cl_0Var2.check(x509Certificate2, Collections.emptySet());
                }
                // Expired or not-yet-valid certificates are tolerated for the signing variants.
                if (!this.s.equals("code signing") && !this.s.equals("jce signing")) {
                    x509Certificate2.checkValidity(date);
                }
                if (!x509Certificate2.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal())) {
                    throw new cl_6(cl_6.f, x509Certificate2);
                }
                try {
                    x509Certificate2.verify(x509Certificate.getPublicKey());
                    // CA checks apply to intermediates only; index 0 is the leaf.
                    // NOTE(review): as decompiled, this call sits inside the try whose catch
                    // handles GeneralSecurityException, and CertificateException is one, so a
                    // failed CA check would be rewrapped with cl_6.e. This may be a decompiler
                    // artefact; verify against the bytecode.
                    if (length2 != 0) {
                        length = a(x509Certificate2, length);
                    }
                } catch (GeneralSecurityException e2) {
                    throw new cl_6(cl_6.e, x509Certificate2, e2);
                }
            } catch (CertPathValidatorException e3) {
                throw new cl_6(cl_6.g, x509Certificate2, e3);
            }
        }
        return b2;
    }
}
