package org.bouncycastle.pkix.jcajce;

import java.io.IOException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.jcajce.PKIXCertStoreSelector;
import org.bouncycastle.jcajce.PKIXExtendedBuilderParameters;
import org.bouncycastle.jcajce.PKIXExtendedParameters;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.util.Arrays;

/* loaded from: classes.dex */
class RFC3280CertPathUtilities {

    /* renamed from: a, reason: collision with root package name */
    private static final PKIXCRLUtil f18815a = new PKIXCRLUtil();

    /* renamed from: b, reason: collision with root package name */
    public static final String f18816b = Extension.f15169k4.C();

    /* renamed from: c, reason: collision with root package name */
    public static final String f18817c = Extension.f15178t4.C();

    /* renamed from: d, reason: collision with root package name */
    public static final String f18818d = Extension.f15168j4.C();

    /* renamed from: e, reason: collision with root package name */
    public static final String f18819e = Extension.f15163e4.C();

    /* renamed from: f, reason: collision with root package name */
    public static final String f18820f = Extension.f15175q4.C();

    RFC3280CertPathUtilities() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void a(DistributionPoint distributionPoint, PKIXExtendedParameters pKIXExtendedParameters, X509Certificate x509Certificate, Date date, X509Certificate x509Certificate2, PublicKey publicKey, CertStatus certStatus, ReasonsMask reasonsMask, List list, JcaJceHelper jcaJceHelper) {
        ReasonsMask reasonsMask2;
        Iterator it;
        Set<String> criticalExtensionOIDs;
        ReasonsMask reasonsMask3 = reasonsMask;
        Date date2 = new Date(System.currentTimeMillis());
        if (date.getTime() > date2.getTime()) {
            throw new AnnotatedException("Validation time is in future.");
        }
        if (pKIXExtendedParameters.o() != null) {
            date2 = pKIXExtendedParameters.o();
        }
        Date date3 = date2;
        Iterator it2 = RevocationUtilities.e(distributionPoint, x509Certificate, date3, pKIXExtendedParameters.m(), pKIXExtendedParameters.j()).iterator();
        AnnotatedException e6 = null;
        boolean z5 = false;
        while (it2.hasNext() && certStatus.a() == 11 && !reasonsMask.e()) {
            try {
                X509CRL x509crl = (X509CRL) it2.next();
                ReasonsMask e7 = e(x509crl, distributionPoint);
                if (e7.c(reasonsMask3)) {
                    it = it2;
                    AnnotatedException annotatedException = e6;
                    try {
                        X509CRL h6 = pKIXExtendedParameters.C() ? h(RevocationUtilities.f(date3, x509crl, pKIXExtendedParameters.m(), pKIXExtendedParameters.j()), g(x509crl, f(x509crl, x509Certificate, x509Certificate2, publicKey, pKIXExtendedParameters, list, jcaJceHelper))) : null;
                        if (pKIXExtendedParameters.x() != 1 && x509Certificate.getNotAfter().getTime() < x509crl.getThisUpdate().getTime()) {
                            throw new AnnotatedException("No valid CRL for current time found.");
                            break;
                        }
                        b(distributionPoint, x509Certificate, x509crl);
                        c(distributionPoint, x509Certificate, x509crl);
                        d(h6, x509crl, pKIXExtendedParameters);
                        i(date, h6, x509Certificate, certStatus, pKIXExtendedParameters);
                        j(date, x509crl, x509Certificate, certStatus);
                        if (certStatus.a() == 8) {
                            certStatus.c(11);
                        }
                        reasonsMask2 = reasonsMask;
                        try {
                            reasonsMask2.a(e7);
                            Set<String> criticalExtensionOIDs2 = x509crl.getCriticalExtensionOIDs();
                            if (criticalExtensionOIDs2 != null) {
                                HashSet hashSet = new HashSet(criticalExtensionOIDs2);
                                hashSet.remove(Extension.f15169k4.C());
                                hashSet.remove(Extension.f15168j4.C());
                                if (!hashSet.isEmpty()) {
                                    throw new AnnotatedException("CRL contains unsupported critical extensions.");
                                }
                            }
                            if (h6 != null && (criticalExtensionOIDs = h6.getCriticalExtensionOIDs()) != null) {
                                HashSet hashSet2 = new HashSet(criticalExtensionOIDs);
                                hashSet2.remove(Extension.f15169k4.C());
                                hashSet2.remove(Extension.f15168j4.C());
                                if (!hashSet2.isEmpty()) {
                                    throw new AnnotatedException("Delta CRL contains unsupported critical extension.");
                                }
                            }
                            reasonsMask3 = reasonsMask2;
                            it2 = it;
                            e6 = annotatedException;
                            z5 = true;
                        } catch (AnnotatedException e8) {
                            e6 = e8;
                            reasonsMask3 = reasonsMask2;
                            it2 = it;
                        }
                    } catch (AnnotatedException e9) {
                        e6 = e9;
                        reasonsMask2 = reasonsMask;
                    }
                } else {
                    continue;
                }
            } catch (AnnotatedException e10) {
                e6 = e10;
                reasonsMask2 = reasonsMask3;
                it = it2;
            }
        }
        AnnotatedException annotatedException2 = e6;
        if (!z5) {
            throw annotatedException2;
        }
    }

    protected static void b(DistributionPoint distributionPoint, Object obj, X509CRL x509crl) {
        ASN1Primitive g6 = RevocationUtilities.g(x509crl, Extension.f15169k4);
        int i6 = 0;
        boolean z5 = g6 != null && IssuingDistributionPoint.r(g6).t();
        byte[] encoded = x509crl.getIssuerX500Principal().getEncoded();
        if (distributionPoint.o() != null) {
            GeneralName[] r6 = distributionPoint.o().r();
            int i7 = 0;
            while (i6 < r6.length) {
                if (r6[i6].s() == 4) {
                    try {
                        if (Arrays.b(r6[i6].r().g().getEncoded(), encoded)) {
                            i7 = 1;
                        }
                    } catch (IOException e6) {
                        throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", e6);
                    }
                }
                i6++;
            }
            if (i7 != 0 && !z5) {
                throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
            }
            if (i7 == 0) {
                throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
            }
            i6 = i7;
        } else if (x509crl.getIssuerX500Principal().equals(((X509Certificate) obj).getIssuerX500Principal())) {
            i6 = 1;
        }
        if (i6 == 0) {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
    }

    protected static void c(DistributionPoint distributionPoint, Object obj, X509CRL x509crl) {
        GeneralName[] generalNameArr;
        try {
            IssuingDistributionPoint r6 = IssuingDistributionPoint.r(RevocationUtilities.g(x509crl, Extension.f15169k4));
            if (r6 != null) {
                if (r6.q() != null) {
                    DistributionPointName q6 = IssuingDistributionPoint.r(r6).q();
                    ArrayList arrayList = new ArrayList();
                    boolean z5 = false;
                    if (q6.s() == 0) {
                        for (GeneralName generalName : GeneralNames.o(q6.r()).r()) {
                            arrayList.add(generalName);
                        }
                    }
                    if (q6.s() == 1) {
                        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
                        try {
                            Enumeration B = ASN1Sequence.x(x509crl.getIssuerX500Principal().getEncoded()).B();
                            while (B.hasMoreElements()) {
                                aSN1EncodableVector.a((ASN1Encodable) B.nextElement());
                            }
                            aSN1EncodableVector.a(q6.r());
                            arrayList.add(new GeneralName(X500Name.n(new DERSequence(aSN1EncodableVector))));
                        } catch (Exception e6) {
                            throw new AnnotatedException("Could not read CRL issuer.", e6);
                        }
                    }
                    if (distributionPoint.q() != null) {
                        DistributionPointName q7 = distributionPoint.q();
                        GeneralName[] r7 = q7.s() == 0 ? GeneralNames.o(q7.r()).r() : null;
                        if (q7.s() == 1) {
                            if (distributionPoint.o() != null) {
                                generalNameArr = distributionPoint.o().r();
                            } else {
                                generalNameArr = new GeneralName[1];
                                try {
                                    generalNameArr[0] = new GeneralName(X500Name.n(((X509Certificate) obj).getIssuerX500Principal().getEncoded()));
                                } catch (Exception e7) {
                                    throw new AnnotatedException("Could not read certificate issuer.", e7);
                                }
                            }
                            r7 = generalNameArr;
                            for (int i6 = 0; i6 < r7.length; i6++) {
                                Enumeration B2 = ASN1Sequence.x(r7[i6].r().g()).B();
                                ASN1EncodableVector aSN1EncodableVector2 = new ASN1EncodableVector();
                                while (B2.hasMoreElements()) {
                                    aSN1EncodableVector2.a((ASN1Encodable) B2.nextElement());
                                }
                                aSN1EncodableVector2.a(q7.r());
                                r7[i6] = new GeneralName(X500Name.n(new DERSequence(aSN1EncodableVector2)));
                            }
                        }
                        if (r7 != null) {
                            int i7 = 0;
                            while (true) {
                                if (i7 >= r7.length) {
                                    break;
                                }
                                if (arrayList.contains(r7[i7])) {
                                    z5 = true;
                                    break;
                                }
                                i7++;
                            }
                        }
                        if (!z5) {
                            throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                        }
                    } else {
                        if (distributionPoint.o() == null) {
                            throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must be contained in DistributionPoint.");
                        }
                        GeneralName[] r8 = distributionPoint.o().r();
                        int i8 = 0;
                        while (true) {
                            if (i8 >= r8.length) {
                                break;
                            }
                            if (arrayList.contains(r8[i8])) {
                                z5 = true;
                                break;
                            }
                            i8++;
                        }
                        if (!z5) {
                            throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                        }
                    }
                }
                try {
                    BasicConstraints n6 = BasicConstraints.n(RevocationUtilities.g((X509Extension) obj, Extension.f15163e4));
                    if (obj instanceof X509Certificate) {
                        if (r6.w() && n6 != null && n6.q()) {
                            throw new AnnotatedException("CA Cert CRL only contains user certificates.");
                        }
                        if (r6.v() && (n6 == null || !n6.q())) {
                            throw new AnnotatedException("End CRL only contains CA certificates.");
                        }
                    }
                    if (r6.u()) {
                        throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
                    }
                } catch (Exception e8) {
                    throw new AnnotatedException("Basic constraints extension could not be decoded.", e8);
                }
            }
        } catch (Exception e9) {
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e9);
        }
    }

    protected static void d(X509CRL x509crl, X509CRL x509crl2, PKIXExtendedParameters pKIXExtendedParameters) {
        if (x509crl == null) {
            return;
        }
        try {
            ASN1ObjectIdentifier aSN1ObjectIdentifier = Extension.f15169k4;
            IssuingDistributionPoint r6 = IssuingDistributionPoint.r(RevocationUtilities.g(x509crl2, aSN1ObjectIdentifier));
            if (pKIXExtendedParameters.C()) {
                if (!x509crl.getIssuerX500Principal().equals(x509crl2.getIssuerX500Principal())) {
                    throw new AnnotatedException("complete CRL issuer does not match delta CRL issuer");
                }
                try {
                    IssuingDistributionPoint r7 = IssuingDistributionPoint.r(RevocationUtilities.g(x509crl, aSN1ObjectIdentifier));
                    boolean z5 = false;
                    if (r6 != null ? r6.equals(r7) : r7 == null) {
                        z5 = true;
                    }
                    if (!z5) {
                        throw new AnnotatedException("Issuing distribution point extension from delta CRL and complete CRL does not match.");
                    }
                    try {
                        ASN1ObjectIdentifier aSN1ObjectIdentifier2 = Extension.f15175q4;
                        ASN1Primitive g6 = RevocationUtilities.g(x509crl2, aSN1ObjectIdentifier2);
                        try {
                            ASN1Primitive g7 = RevocationUtilities.g(x509crl, aSN1ObjectIdentifier2);
                            if (g6 == null) {
                                throw new AnnotatedException("CRL authority key identifier is null.");
                            }
                            if (g7 == null) {
                                throw new AnnotatedException("Delta CRL authority key identifier is null.");
                            }
                            if (!g6.s(g7)) {
                                throw new AnnotatedException("Delta CRL authority key identifier does not match complete CRL authority key identifier.");
                            }
                        } catch (AnnotatedException e6) {
                            throw new AnnotatedException("Authority key identifier extension could not be extracted from delta CRL.", e6);
                        }
                    } catch (AnnotatedException e7) {
                        throw new AnnotatedException("Authority key identifier extension could not be extracted from complete CRL.", e7);
                    }
                } catch (Exception e8) {
                    throw new AnnotatedException("Issuing distribution point extension from delta CRL could not be decoded.", e8);
                }
            }
        } catch (Exception e9) {
            throw new AnnotatedException("issuing distribution point extension could not be decoded.", e9);
        }
    }

    protected static ReasonsMask e(X509CRL x509crl, DistributionPoint distributionPoint) {
        try {
            IssuingDistributionPoint r6 = IssuingDistributionPoint.r(RevocationUtilities.g(x509crl, Extension.f15169k4));
            if (r6 != null && r6.s() != null && distributionPoint.s() != null) {
                return new ReasonsMask(distributionPoint.s()).d(new ReasonsMask(r6.s()));
            }
            if ((r6 == null || r6.s() == null) && distributionPoint.s() == null) {
                return ReasonsMask.f18821b;
            }
            return (distributionPoint.s() == null ? ReasonsMask.f18821b : new ReasonsMask(distributionPoint.s())).d(r6 == null ? ReasonsMask.f18821b : new ReasonsMask(r6.s()));
        } catch (Exception e6) {
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e6);
        }
    }

    protected static Set f(X509CRL x509crl, Object obj, X509Certificate x509Certificate, PublicKey publicKey, PKIXExtendedParameters pKIXExtendedParameters, List list, JcaJceHelper jcaJceHelper) {
        int i6;
        X509CertSelector x509CertSelector = new X509CertSelector();
        try {
            x509CertSelector.setSubject(x509crl.getIssuerX500Principal().getEncoded());
            PKIXCertStoreSelector<? extends Certificate> a6 = new PKIXCertStoreSelector.Builder(x509CertSelector).a();
            try {
                Collection b6 = RevocationUtilities.b(a6, pKIXExtendedParameters.n());
                b6.addAll(RevocationUtilities.b(a6, pKIXExtendedParameters.m()));
                b6.add(x509Certificate);
                Iterator it = b6.iterator();
                ArrayList arrayList = new ArrayList();
                ArrayList arrayList2 = new ArrayList();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    X509Certificate x509Certificate2 = (X509Certificate) it.next();
                    if (x509Certificate2.equals(x509Certificate)) {
                        arrayList.add(x509Certificate2);
                        arrayList2.add(publicKey);
                    } else {
                        try {
                            CertPathBuilder i7 = jcaJceHelper.i("PKIX");
                            X509CertSelector x509CertSelector2 = new X509CertSelector();
                            x509CertSelector2.setCertificate(x509Certificate2);
                            PKIXExtendedParameters.Builder p6 = new PKIXExtendedParameters.Builder(pKIXExtendedParameters).p(new PKIXCertStoreSelector.Builder(x509CertSelector2).a());
                            if (list.contains(x509Certificate2)) {
                                p6.o(false);
                            } else {
                                p6.o(true);
                            }
                            List<? extends Certificate> certificates = i7.build(new PKIXExtendedBuilderParameters.Builder(p6.n()).e()).getCertPath().getCertificates();
                            arrayList.add(x509Certificate2);
                            arrayList2.add(RevocationUtilities.j(certificates, 0, jcaJceHelper));
                        } catch (CertPathBuilderException e6) {
                            throw new AnnotatedException("CertPath for CRL signer failed to validate.", e6);
                        } catch (CertPathValidatorException e7) {
                            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e7);
                        } catch (Exception e8) {
                            throw new AnnotatedException(e8.getMessage());
                        }
                    }
                }
                HashSet hashSet = new HashSet();
                AnnotatedException annotatedException = null;
                for (i6 = 0; i6 < arrayList.size(); i6++) {
                    boolean[] keyUsage = ((X509Certificate) arrayList.get(i6)).getKeyUsage();
                    if (keyUsage == null || (keyUsage.length > 6 && keyUsage[6])) {
                        hashSet.add(arrayList2.get(i6));
                    } else {
                        annotatedException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
                    }
                }
                if (hashSet.isEmpty() && annotatedException == null) {
                    throw new AnnotatedException("Cannot find a valid issuer certificate.");
                }
                if (!hashSet.isEmpty() || annotatedException == null) {
                    return hashSet;
                }
                throw annotatedException;
            } catch (AnnotatedException e9) {
                throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e9);
            }
        } catch (IOException e10) {
            throw new AnnotatedException("subject criteria for certificate selector to find issuer certificate for CRL could not be set", e10);
        }
    }

    protected static PublicKey g(X509CRL x509crl, Set set) {
        Iterator it = set.iterator();
        Exception e6 = null;
        while (it.hasNext()) {
            PublicKey publicKey = (PublicKey) it.next();
            try {
                x509crl.verify(publicKey);
                return publicKey;
            } catch (Exception e7) {
                e6 = e7;
            }
        }
        throw new AnnotatedException("Cannot verify CRL.", e6);
    }

    protected static X509CRL h(Set set, PublicKey publicKey) {
        Iterator it = set.iterator();
        Exception e6 = null;
        while (it.hasNext()) {
            X509CRL x509crl = (X509CRL) it.next();
            try {
                x509crl.verify(publicKey);
                return x509crl;
            } catch (Exception e7) {
                e6 = e7;
            }
        }
        if (e6 == null) {
            return null;
        }
        throw new AnnotatedException("Cannot verify delta CRL.", e6);
    }

    protected static void i(Date date, X509CRL x509crl, Object obj, CertStatus certStatus, PKIXExtendedParameters pKIXExtendedParameters) {
        if (!pKIXExtendedParameters.C() || x509crl == null) {
            return;
        }
        RevocationUtilities.d(date, x509crl, obj, certStatus);
    }

    protected static void j(Date date, X509CRL x509crl, Object obj, CertStatus certStatus) {
        if (certStatus.a() == 11) {
            RevocationUtilities.d(date, x509crl, obj, certStatus);
        }
    }
}
