package xch.bouncycastle.pkix.jcajce;

import java.io.IOException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import xch.bouncycastle.asn1.ASN1Encodable;
import xch.bouncycastle.asn1.ASN1EncodableVector;
import xch.bouncycastle.asn1.ASN1ObjectIdentifier;
import xch.bouncycastle.asn1.ASN1Primitive;
import xch.bouncycastle.asn1.ASN1Sequence;
import xch.bouncycastle.asn1.DERSequence;
import xch.bouncycastle.asn1.x500.X500Name;
import xch.bouncycastle.asn1.x509.BasicConstraints;
import xch.bouncycastle.asn1.x509.CRLDistPoint;
import xch.bouncycastle.asn1.x509.DistributionPoint;
import xch.bouncycastle.asn1.x509.DistributionPointName;
import xch.bouncycastle.asn1.x509.Extension;
import xch.bouncycastle.asn1.x509.GeneralName;
import xch.bouncycastle.asn1.x509.GeneralNames;
import xch.bouncycastle.asn1.x509.IssuingDistributionPoint;
import xch.bouncycastle.jcajce.PKIXCRLStoreSelector;
import xch.bouncycastle.jcajce.PKIXCertStoreSelector;
import xch.bouncycastle.jcajce.PKIXExtendedBuilderParameters;
import xch.bouncycastle.jcajce.PKIXExtendedParameters;
import xch.bouncycastle.jcajce.util.JcaJceHelper;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
public class e {

    /* renamed from: a, reason: collision with root package name */
    private static final d f6065a = new d();

    /* renamed from: b, reason: collision with root package name */
    public static final String f6066b = Extension.K5.B();

    /* renamed from: c, reason: collision with root package name */
    public static final String f6067c = Extension.T5.B();

    /* renamed from: d, reason: collision with root package name */
    public static final String f6068d = Extension.J5.B();

    /* renamed from: e, reason: collision with root package name */
    public static final String f6069e = Extension.E5.B();

    /* renamed from: f, reason: collision with root package name */
    public static final String f6070f = Extension.Q5.B();

    /* renamed from: g, reason: collision with root package name */
    protected static final int f6071g = 5;

    /* renamed from: h, reason: collision with root package name */
    protected static final int f6072h = 6;

    e() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void a(DistributionPoint distributionPoint, PKIXExtendedParameters pKIXExtendedParameters, X509Certificate x509Certificate, Date date, X509Certificate x509Certificate2, PublicKey publicKey, c cVar, f fVar, List list, JcaJceHelper jcaJceHelper) throws a, b {
        Set<String> criticalExtensionOIDs;
        Date date2 = new Date(System.currentTimeMillis());
        if (date.getTime() > date2.getTime()) {
            throw new a("Validation time is in future.", null);
        }
        if (pKIXExtendedParameters.o() != null) {
            date2 = pKIXExtendedParameters.o();
        }
        Date date3 = date2;
        Iterator it = g.k(distributionPoint, x509Certificate, date3, pKIXExtendedParameters.m(), pKIXExtendedParameters.j()).iterator();
        a e2 = null;
        boolean z = false;
        while (it.hasNext() && cVar.a() == 11 && !fVar.e()) {
            try {
                X509CRL x509crl = (X509CRL) it.next();
                f g2 = g(x509crl, distributionPoint);
                if (g2.c(fVar)) {
                    a aVar = e2;
                    X509CRL j2 = pKIXExtendedParameters.B() ? j(g.l(date3, x509crl, pKIXExtendedParameters.m(), pKIXExtendedParameters.j()), i(x509crl, h(x509crl, x509Certificate, x509Certificate2, publicKey, pKIXExtendedParameters, list, jcaJceHelper))) : null;
                    if (pKIXExtendedParameters.w() != 1 && x509Certificate.getNotAfter().getTime() < x509crl.getThisUpdate().getTime()) {
                        throw new a("No valid CRL for current time found.", null);
                    }
                    d(distributionPoint, x509Certificate, x509crl);
                    e(distributionPoint, x509Certificate, x509crl);
                    f(j2, x509crl, pKIXExtendedParameters);
                    k(date, j2, x509Certificate, cVar, pKIXExtendedParameters);
                    l(date, x509crl, x509Certificate, cVar);
                    if (cVar.a() == 8) {
                        cVar.c(11);
                    }
                    fVar.a(g2);
                    Set<String> criticalExtensionOIDs2 = x509crl.getCriticalExtensionOIDs();
                    if (criticalExtensionOIDs2 != null) {
                        HashSet hashSet = new HashSet(criticalExtensionOIDs2);
                        hashSet.remove(Extension.K5.B());
                        hashSet.remove(Extension.J5.B());
                        if (!hashSet.isEmpty()) {
                            throw new a("CRL contains unsupported critical extensions.", null);
                        }
                    }
                    if (j2 != null && (criticalExtensionOIDs = j2.getCriticalExtensionOIDs()) != null) {
                        HashSet hashSet2 = new HashSet(criticalExtensionOIDs);
                        hashSet2.remove(Extension.K5.B());
                        hashSet2.remove(Extension.J5.B());
                        if (!hashSet2.isEmpty()) {
                            throw new a("Delta CRL contains unsupported critical extension.", null);
                        }
                    }
                    e2 = aVar;
                    z = true;
                }
            } catch (a e3) {
                e2 = e3;
            }
        }
        a aVar2 = e2;
        if (!z) {
            throw aVar2;
        }
    }

    protected static Set b(Date date, PKIXExtendedParameters pKIXExtendedParameters, X509Certificate x509Certificate, X509CRL x509crl) throws a {
        HashSet hashSet = new HashSet();
        if (pKIXExtendedParameters.B()) {
            try {
                ASN1ObjectIdentifier aSN1ObjectIdentifier = Extension.T5;
                CRLDistPoint q = CRLDistPoint.q(g.m(x509Certificate, aSN1ObjectIdentifier));
                if (q == null) {
                    try {
                        q = CRLDistPoint.q(g.m(x509crl, aSN1ObjectIdentifier));
                    } catch (a e2) {
                        throw new a("Freshest CRL extension could not be decoded from CRL.", e2);
                    }
                }
                if (q != null) {
                    ArrayList arrayList = new ArrayList();
                    arrayList.addAll(pKIXExtendedParameters.j());
                    try {
                        arrayList.addAll(g.g(q, pKIXExtendedParameters.q()));
                        try {
                            hashSet.addAll(g.l(date, x509crl, pKIXExtendedParameters.m(), arrayList));
                        } catch (a e3) {
                            throw new a("Exception obtaining delta CRLs.", e3);
                        }
                    } catch (a e4) {
                        throw new a("No new delta CRL locations could be added from Freshest CRL extension.", e4);
                    }
                }
            } catch (a e5) {
                throw new a("Freshest CRL extension could not be decoded from certificate.", e5);
            }
        }
        return hashSet;
    }

    protected static Set[] c(Date date, PKIXExtendedParameters pKIXExtendedParameters, X509Certificate x509Certificate, X509CRL x509crl) throws a {
        HashSet hashSet = new HashSet();
        X509CRLSelector x509CRLSelector = new X509CRLSelector();
        x509CRLSelector.setCertificateChecking(x509Certificate);
        try {
            x509CRLSelector.addIssuerName(x509crl.getIssuerX500Principal().getEncoded());
            PKIXCRLStoreSelector g2 = new PKIXCRLStoreSelector.Builder(x509CRLSelector).h(true).g();
            if (pKIXExtendedParameters.o() != null) {
                date = pKIXExtendedParameters.o();
            }
            Set b2 = f6065a.b(g2, date, pKIXExtendedParameters.m(), pKIXExtendedParameters.j());
            if (pKIXExtendedParameters.B()) {
                try {
                    hashSet.addAll(g.l(date, x509crl, pKIXExtendedParameters.m(), pKIXExtendedParameters.j()));
                } catch (a e2) {
                    throw new a("Exception obtaining delta CRLs.", e2);
                }
            }
            return new Set[]{b2, hashSet};
        } catch (IOException e3) {
            throw new a(xch.bouncycastle.asn1.i.a("Cannot extract issuer from CRL.", e3), e3);
        }
    }

    protected static void d(DistributionPoint distributionPoint, Object obj, X509CRL x509crl) throws a {
        ASN1Primitive m2 = g.m(x509crl, Extension.K5);
        boolean z = true;
        boolean z2 = m2 != null && IssuingDistributionPoint.r(m2).u();
        byte[] encoded = x509crl.getIssuerX500Principal().getEncoded();
        if (distributionPoint.p() != null) {
            GeneralName[] s = distributionPoint.p().s();
            boolean z3 = false;
            for (int i2 = 0; i2 < s.length; i2++) {
                if (s[i2].b() == 4) {
                    try {
                        if (Arrays.equals(s[i2].r().d().getEncoded(), encoded)) {
                            z3 = true;
                        }
                    } catch (IOException e2) {
                        throw new a("CRL issuer information from distribution point cannot be decoded.", e2);
                    }
                }
            }
            if (z3 && !z2) {
                throw new a("Distribution point contains cRLIssuer field but CRL is not indirect.", null);
            }
            if (!z3) {
                throw new a("CRL issuer of CRL does not match CRL issuer of distribution point.", null);
            }
            z = z3;
        } else if (!x509crl.getIssuerX500Principal().equals(((X509Certificate) obj).getIssuerX500Principal())) {
            z = false;
        }
        if (!z) {
            throw new a("Cannot find matching CRL issuer for certificate.", null);
        }
    }

    protected static void e(DistributionPoint distributionPoint, Object obj, X509CRL x509crl) throws a {
        GeneralName[] generalNameArr;
        try {
            IssuingDistributionPoint r = IssuingDistributionPoint.r(g.m(x509crl, Extension.K5));
            if (r != null) {
                if (r.q() != null) {
                    DistributionPointName q = IssuingDistributionPoint.r(r).q();
                    ArrayList arrayList = new ArrayList();
                    boolean z = false;
                    if (q.s() == 0) {
                        for (GeneralName generalName : GeneralNames.q(q.r()).s()) {
                            arrayList.add(generalName);
                        }
                    }
                    if (q.s() == 1) {
                        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
                        try {
                            Enumeration A = ASN1Sequence.x(x509crl.getIssuerX500Principal().getEncoded()).A();
                            while (A.hasMoreElements()) {
                                aSN1EncodableVector.a((ASN1Encodable) A.nextElement());
                            }
                            aSN1EncodableVector.a(q.r());
                            arrayList.add(new GeneralName(X500Name.q(new DERSequence(aSN1EncodableVector))));
                        } catch (Exception e2) {
                            throw new a("Could not read CRL issuer.", e2);
                        }
                    }
                    if (distributionPoint.q() != null) {
                        DistributionPointName q2 = distributionPoint.q();
                        GeneralName[] s = q2.s() == 0 ? GeneralNames.q(q2.r()).s() : null;
                        if (q2.s() == 1) {
                            if (distributionPoint.p() != null) {
                                generalNameArr = distributionPoint.p().s();
                            } else {
                                generalNameArr = new GeneralName[1];
                                try {
                                    generalNameArr[0] = new GeneralName(X500Name.q(((X509Certificate) obj).getIssuerX500Principal().getEncoded()));
                                } catch (Exception e3) {
                                    throw new a("Could not read certificate issuer.", e3);
                                }
                            }
                            s = generalNameArr;
                            for (int i2 = 0; i2 < s.length; i2++) {
                                Enumeration A2 = ASN1Sequence.x(s[i2].r().d()).A();
                                ASN1EncodableVector aSN1EncodableVector2 = new ASN1EncodableVector();
                                while (A2.hasMoreElements()) {
                                    aSN1EncodableVector2.a((ASN1Encodable) A2.nextElement());
                                }
                                aSN1EncodableVector2.a(q2.r());
                                s[i2] = new GeneralName(X500Name.q(new DERSequence(aSN1EncodableVector2)));
                            }
                        }
                        if (s != null) {
                            int i3 = 0;
                            while (true) {
                                if (i3 >= s.length) {
                                    break;
                                }
                                if (arrayList.contains(s[i3])) {
                                    z = true;
                                    break;
                                }
                                i3++;
                            }
                        }
                        if (!z) {
                            throw new a("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.", null);
                        }
                    } else {
                        if (distributionPoint.p() == null) {
                            throw new a("Either the cRLIssuer or the distributionPoint field must be contained in DistributionPoint.", null);
                        }
                        GeneralName[] s2 = distributionPoint.p().s();
                        int i4 = 0;
                        while (true) {
                            if (i4 >= s2.length) {
                                break;
                            }
                            if (arrayList.contains(s2[i4])) {
                                z = true;
                                break;
                            }
                            i4++;
                        }
                        if (!z) {
                            throw new a("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.", null);
                        }
                    }
                }
                try {
                    BasicConstraints p = BasicConstraints.p(g.m((X509Extension) obj, Extension.E5));
                    if (obj instanceof X509Certificate) {
                        if (r.x() && p != null && p.s()) {
                            throw new a("CA Cert CRL only contains user certificates.", null);
                        }
                        if (r.w() && (p == null || !p.s())) {
                            throw new a("End CRL only contains CA certificates.", null);
                        }
                    }
                    if (r.v()) {
                        throw new a("onlyContainsAttributeCerts boolean is asserted.", null);
                    }
                } catch (Exception e4) {
                    throw new a("Basic constraints extension could not be decoded.", e4);
                }
            }
        } catch (Exception e5) {
            throw new a("Issuing distribution point extension could not be decoded.", e5);
        }
    }

    protected static void f(X509CRL x509crl, X509CRL x509crl2, PKIXExtendedParameters pKIXExtendedParameters) throws a {
        if (x509crl == null) {
            return;
        }
        try {
            ASN1ObjectIdentifier aSN1ObjectIdentifier = Extension.K5;
            IssuingDistributionPoint r = IssuingDistributionPoint.r(g.m(x509crl2, aSN1ObjectIdentifier));
            if (pKIXExtendedParameters.B()) {
                if (!x509crl.getIssuerX500Principal().equals(x509crl2.getIssuerX500Principal())) {
                    throw new a("complete CRL issuer does not match delta CRL issuer", null);
                }
                try {
                    IssuingDistributionPoint r2 = IssuingDistributionPoint.r(g.m(x509crl, aSN1ObjectIdentifier));
                    boolean z = true;
                    if (r != null ? !r.equals(r2) : r2 != null) {
                        z = false;
                    }
                    if (!z) {
                        throw new a("Issuing distribution point extension from delta CRL and complete CRL does not match.", null);
                    }
                    try {
                        ASN1ObjectIdentifier aSN1ObjectIdentifier2 = Extension.Q5;
                        ASN1Primitive m2 = g.m(x509crl2, aSN1ObjectIdentifier2);
                        try {
                            ASN1Primitive m3 = g.m(x509crl, aSN1ObjectIdentifier2);
                            if (m2 == null) {
                                throw new a("CRL authority key identifier is null.", null);
                            }
                            if (m3 == null) {
                                throw new a("Delta CRL authority key identifier is null.", null);
                            }
                            if (!m2.s(m3)) {
                                throw new a("Delta CRL authority key identifier does not match complete CRL authority key identifier.", null);
                            }
                        } catch (a e2) {
                            throw new a("Authority key identifier extension could not be extracted from delta CRL.", e2);
                        }
                    } catch (a e3) {
                        throw new a("Authority key identifier extension could not be extracted from complete CRL.", e3);
                    }
                } catch (Exception e4) {
                    throw new a("Issuing distribution point extension from delta CRL could not be decoded.", e4);
                }
            }
        } catch (Exception e5) {
            throw new a("issuing distribution point extension could not be decoded.", e5);
        }
    }

    protected static f g(X509CRL x509crl, DistributionPoint distributionPoint) throws a {
        try {
            IssuingDistributionPoint r = IssuingDistributionPoint.r(g.m(x509crl, Extension.K5));
            if (r != null && r.t() != null && distributionPoint.t() != null) {
                return new f(distributionPoint.t()).d(new f(r.t()));
            }
            if ((r == null || r.t() == null) && distributionPoint.t() == null) {
                return f.f6073b;
            }
            return (distributionPoint.t() == null ? f.f6073b : new f(distributionPoint.t())).d(r == null ? f.f6073b : new f(r.t()));
        } catch (Exception e2) {
            throw new a("Issuing distribution point extension could not be decoded.", e2);
        }
    }

    protected static Set h(X509CRL x509crl, Object obj, X509Certificate x509Certificate, PublicKey publicKey, PKIXExtendedParameters pKIXExtendedParameters, List list, JcaJceHelper jcaJceHelper) throws a {
        int i2;
        X509CertSelector x509CertSelector = new X509CertSelector();
        try {
            x509CertSelector.setSubject(x509crl.getIssuerX500Principal().getEncoded());
            PKIXCertStoreSelector a2 = new PKIXCertStoreSelector.Builder(x509CertSelector).a();
            try {
                Collection b2 = g.b(a2, pKIXExtendedParameters.n());
                b2.addAll(g.b(a2, pKIXExtendedParameters.m()));
                b2.add(x509Certificate);
                Iterator it = b2.iterator();
                ArrayList arrayList = new ArrayList();
                ArrayList arrayList2 = new ArrayList();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    X509Certificate x509Certificate2 = (X509Certificate) it.next();
                    if (x509Certificate2.equals(x509Certificate)) {
                        arrayList.add(x509Certificate2);
                        arrayList2.add(publicKey);
                    } else {
                        try {
                            CertPathBuilder u = jcaJceHelper.u("PKIX");
                            X509CertSelector x509CertSelector2 = new X509CertSelector();
                            x509CertSelector2.setCertificate(x509Certificate2);
                            PKIXExtendedParameters.Builder r = new PKIXExtendedParameters.Builder(pKIXExtendedParameters).r(new PKIXCertStoreSelector.Builder(x509CertSelector2).a());
                            if (list.contains(x509Certificate2)) {
                                r.q(false);
                            } else {
                                r.q(true);
                            }
                            List<? extends Certificate> certificates = u.build(new PKIXExtendedBuilderParameters.Builder(r.p()).e()).getCertPath().getCertificates();
                            arrayList.add(x509Certificate2);
                            arrayList2.add(g.p(certificates, 0, jcaJceHelper));
                        } catch (CertPathBuilderException e2) {
                            throw new a("CertPath for CRL signer failed to validate.", e2);
                        } catch (CertPathValidatorException e3) {
                            throw new a("Public key of issuer certificate of CRL could not be retrieved.", e3);
                        } catch (Exception e4) {
                            throw new a(e4.getMessage(), null);
                        }
                    }
                }
                HashSet hashSet = new HashSet();
                a aVar = null;
                for (i2 = 0; i2 < arrayList.size(); i2++) {
                    boolean[] keyUsage = ((X509Certificate) arrayList.get(i2)).getKeyUsage();
                    if (keyUsage == null || (keyUsage.length >= 7 && keyUsage[6])) {
                        hashSet.add(arrayList2.get(i2));
                    } else {
                        aVar = new a("Issuer certificate key usage extension does not permit CRL signing.", null);
                    }
                }
                if (hashSet.isEmpty() && aVar == null) {
                    throw new a("Cannot find a valid issuer certificate.", null);
                }
                if (!hashSet.isEmpty() || aVar == null) {
                    return hashSet;
                }
                throw aVar;
            } catch (a e5) {
                throw new a("Issuer certificate for CRL cannot be searched.", e5);
            }
        } catch (IOException e6) {
            throw new a("subject criteria for certificate selector to find issuer certificate for CRL could not be set", e6);
        }
    }

    protected static PublicKey i(X509CRL x509crl, Set set) throws a {
        Iterator it = set.iterator();
        Exception e2 = null;
        while (it.hasNext()) {
            PublicKey publicKey = (PublicKey) it.next();
            try {
                x509crl.verify(publicKey);
                return publicKey;
            } catch (Exception e3) {
                e2 = e3;
            }
        }
        throw new a("Cannot verify CRL.", e2);
    }

    protected static X509CRL j(Set set, PublicKey publicKey) throws a {
        Iterator it = set.iterator();
        Exception e2 = null;
        while (it.hasNext()) {
            X509CRL x509crl = (X509CRL) it.next();
            try {
                x509crl.verify(publicKey);
                return x509crl;
            } catch (Exception e3) {
                e2 = e3;
            }
        }
        if (e2 == null) {
            return null;
        }
        throw new a("Cannot verify delta CRL.", e2);
    }

    protected static void k(Date date, X509CRL x509crl, Object obj, c cVar, PKIXExtendedParameters pKIXExtendedParameters) throws a {
        if (!pKIXExtendedParameters.B() || x509crl == null) {
            return;
        }
        g.j(date, x509crl, obj, cVar);
    }

    protected static void l(Date date, X509CRL x509crl, Object obj, c cVar) throws a {
        if (cVar.a() == 11) {
            g.j(date, x509crl, obj, cVar);
        }
    }
}
