package com.rsa.cryptoj.o;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.Arrays;
import java.util.BitSet;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/rsa/cryptoj/o/aq.class */
public class aq {
    private static final int b = -1;
    private static final int c = 0;
    private static final int d = 8;
    private static final boolean[] e = {false, false, false, false, false, false, true};
    private static final String f = "CRL was not SuiteB compliant.";
    private static final String g = "CRL path validation failed.";
    private static final String h = "CRL was outdated.";
    private static final String i = "Certificate has been revoked: reason ";
    private static final String j = "CRL status could not be determined";
    private final PKIXParameters k;
    private final gc l;
    private final CertPath m;
    private final X509CRL o;
    PublicKey a;
    private final List<nm> q;
    private String p = "";
    private final Set n = new HashSet();

    /* loaded from: input_file:com/rsa/cryptoj/o/aq$a.class */
    class a {
        final boolean a = true;
        String b;

        a() {
        }

        a(String str) {
            this.b = str;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/rsa/cryptoj/o/aq$b.class */
    public class b {
        private static final int b = 9;
        private final BitSet c;

        b() {
            this.c = new BitSet(9);
            this.c.set(0, 9);
        }

        b(BitSet bitSet) {
            this.c = (BitSet) bitSet.clone();
        }

        void a(b bVar) {
            this.c.and(bVar.c);
        }

        void b(b bVar) {
            this.c.or(bVar.c);
        }

        boolean c(b bVar) {
            BitSet bitSet = (BitSet) this.c.clone();
            bitSet.or(bVar.c);
            return !bitSet.equals(this.c);
        }

        boolean a() {
            return this.c.length() == 9 && this.c.cardinality() == 9;
        }
    }

    private void a() {
        this.p = "";
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public aq(gc gcVar, List<nm> list, PKIXParameters pKIXParameters, CertPath certPath, TrustAnchor trustAnchor, X509CRL x509crl) {
        this.k = pKIXParameters;
        this.l = gcVar;
        this.q = list;
        this.m = certPath;
        this.n.add(trustAnchor);
        this.o = x509crl;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public a a(X509Certificate x509Certificate, nj njVar, PublicKey publicKey) throws InvalidAlgorithmParameterException {
        int a2 = njVar == null ? 0 : njVar.a();
        b bVar = new b(new BitSet());
        for (int i2 = 0; i2 < a2; i2++) {
            int a3 = a(x509Certificate, bVar, njVar.a(i2), publicKey);
            if (a3 != -1) {
                return new a(i + iv.e.get(a3) + "." + a(x509Certificate));
            }
            if (bVar.a()) {
                return new a();
            }
        }
        int a4 = a(x509Certificate, bVar, (nj) null, publicKey);
        return a4 != -1 ? new a(i + iv.e.get(a4) + "." + a(x509Certificate)) : bVar.a() ? new a() : new a("CRL status could not be determined: " + this.p + a(x509Certificate));
    }

    private String a(X509Certificate x509Certificate) {
        return " Subject of Certificate: " + x509Certificate.getSubjectX500Principal().getName();
    }

    private int a(X509Certificate x509Certificate, b bVar, nj njVar, PublicKey publicKey) throws InvalidAlgorithmParameterException {
        X500Principal a2;
        int i2 = -1;
        X509CRLSelector x509CRLSelector = new X509CRLSelector();
        boolean z = false;
        if (njVar == null) {
            a2 = x509Certificate.getIssuerX500Principal();
        } else {
            nj a3 = njVar.a("cRLIssuer");
            if (a3 == null) {
                a2 = x509Certificate.getIssuerX500Principal();
            } else {
                z = true;
                a2 = ot.a(a3);
                if (a2 == null) {
                    this.p = "CRLDistributionPoints extension does not contain a CRLIssuer";
                    return -1;
                }
            }
        }
        try {
            x509CRLSelector.addIssuerName(a2.getEncoded());
            Set a4 = a(x509CRLSelector);
            if (a4.isEmpty()) {
                return -1;
            }
            Iterator it = a4.iterator();
            while (it.hasNext() && !bVar.a() && i2 == -1) {
                X509CRL x509crl = (X509CRL) it.next();
                Date nextUpdate = x509crl.getNextUpdate();
                if (nextUpdate != null) {
                    Date date = this.k.getDate();
                    if (date == null) {
                        date = new Date();
                    }
                    if (nextUpdate.before(date)) {
                        this.p = h;
                    }
                }
                nj a5 = ot.a(x509crl, ks.cR);
                if (a(a2, a5, z, x509Certificate, njVar)) {
                    b a6 = a(a5, njVar);
                    if (!bVar.c(a6)) {
                        a();
                    } else if (!a(x509crl, z, publicKey, b(x509Certificate))) {
                        this.p = g;
                    } else if (a(x509crl)) {
                        i2 = a(x509crl, x509Certificate, z);
                        if (i2 != -1 || !x509crl.hasUnsupportedCriticalExtension()) {
                            bVar.b(a6);
                        }
                    } else {
                        this.p = f;
                    }
                } else {
                    a();
                }
            }
            return i2;
        } catch (IOException e2) {
            throw new Error();
        }
    }

    boolean a(X509CRL x509crl) {
        return true;
    }

    private int a(X509CRL x509crl, X509Certificate x509Certificate, boolean z) {
        X509CRLEntry revokedCertificate = z ? x509crl.getRevokedCertificate(x509Certificate) : x509crl.getRevokedCertificate(x509Certificate.getSerialNumber());
        if (revokedCertificate == null) {
            return -1;
        }
        gh ghVar = (gh) ot.a(revokedCertificate, ks.cS);
        int e2 = ghVar == null ? 0 : ghVar.e();
        if (e2 == 8) {
            e2 = -1;
        }
        return e2;
    }

    private X509Certificate b(X509Certificate x509Certificate) {
        List<? extends Certificate> certificates = this.m.getCertificates();
        int indexOf = certificates.indexOf(x509Certificate);
        if (indexOf == certificates.size() - 1) {
            return null;
        }
        return (X509Certificate) certificates.get(indexOf + 1);
    }

    private Set a(X509CRLSelector x509CRLSelector) throws InvalidAlgorithmParameterException {
        HashSet hashSet = new HashSet();
        Iterator<CertStore> it = this.k.getCertStores().iterator();
        while (it.hasNext()) {
            try {
                hashSet.addAll(it.next().getCRLs(x509CRLSelector));
            } catch (CertStoreException e2) {
                throw new InvalidAlgorithmParameterException(e2.getMessage());
            }
        }
        return hashSet;
    }

    private b a(nj njVar, nj njVar2) {
        b bVar;
        ps psVar = njVar == null ? null : (ps) njVar.a("onlySomeReasons");
        ps psVar2 = njVar2 == null ? null : (ps) njVar2.a("reasons");
        if (psVar == null || psVar2 == null) {
            bVar = psVar != null ? new b(psVar.j()) : psVar2 != null ? new b(psVar2.j()) : new b();
        } else {
            bVar = new b(psVar.j());
            bVar.a(new b(psVar2.j()));
        }
        return bVar;
    }

    private boolean a(X509CRL x509crl, boolean z, PublicKey publicKey, X509Certificate x509Certificate) {
        if (x509crl.equals(this.o)) {
            return true;
        }
        try {
            this.a = publicKey;
            if (z || x509Certificate == null || !a(x509crl, x509Certificate)) {
                this.a = b(x509crl).getPublicKey();
            } else {
                boolean[] keyUsage = x509Certificate.getKeyUsage();
                if (keyUsage != null && !keyUsage[6]) {
                    return false;
                }
            }
            if (this.k.getSigProvider() != null) {
                x509crl.verify(this.a, this.k.getSigProvider());
            } else {
                x509crl.verify(this.a);
            }
            return true;
        } catch (IOException e2) {
            return false;
        } catch (GeneralSecurityException e3) {
            return false;
        }
    }

    private PKIXCertPathBuilderResult b(X509CRL x509crl) throws IOException, InvalidAlgorithmParameterException, CertPathBuilderException, NoSuchAlgorithmException {
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setSubject(x509crl.getIssuerX500Principal().getEncoded());
        x509CertSelector.setKeyUsage(e);
        x509CertSelector.setSubjectKeyIdentifier(ot.a(x509crl));
        PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters((Set<TrustAnchor>) this.n, x509CertSelector);
        pKIXBuilderParameters.setTargetCertConstraints(x509CertSelector);
        pKIXBuilderParameters.setCertStores(this.k.getCertStores());
        pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(this.m.getCertificates()), com.rsa.jsafe.provider.b.a(this.l, ak.a)));
        return (PKIXCertPathBuilderResult) new ew(this.l, this.q, x509crl).engineBuild(pKIXBuilderParameters);
    }

    private boolean a(X500Principal x500Principal, nj njVar, boolean z, X509Certificate x509Certificate, nj njVar2) {
        kq kqVar;
        if (z && (njVar == null || (kqVar = (kq) njVar.a("indirectCRL")) == null || !kqVar.b())) {
            return false;
        }
        if (njVar == null) {
            return true;
        }
        nj a2 = njVar.a("distributionPoint");
        if (a2 != null) {
            if (njVar2 != null) {
                nj a3 = njVar2.a("distributionPoint");
                if (a3 != null) {
                    if (!a(x500Principal, a2, a3)) {
                        return false;
                    }
                } else if (!a(x500Principal, a2, x509Certificate)) {
                    return false;
                }
            } else if (!a(x500Principal, a2, x509Certificate)) {
                return false;
            }
        }
        kq kqVar2 = (kq) njVar.a("onlyContainsUserCerts");
        if (kqVar2 != null && kqVar2.b() && x509Certificate.getBasicConstraints() != -1) {
            return false;
        }
        kq kqVar3 = (kq) njVar.a("onlyContainsCACerts");
        if (kqVar3 != null && kqVar3.b() && x509Certificate.getBasicConstraints() == -1) {
            return false;
        }
        kq kqVar4 = (kq) njVar.a("onlyContainsAttributeCerts");
        return kqVar4 == null || !kqVar4.b();
    }

    private boolean a(X500Principal x500Principal, nj njVar, X509Certificate x509Certificate) {
        if (ir.f(njVar.g().d()) != 0) {
            return ot.a(x500Principal, njVar).equals(x509Certificate.getIssuerX500Principal());
        }
        for (int i2 = 0; i2 < njVar.a(); i2++) {
            lv lvVar = new lv(njVar.a(i2));
            if ((lvVar.a() == 4 && x509Certificate.getIssuerX500Principal().equals(lvVar.b())) || ot.a((X509Extension) x509Certificate, false).contains(lvVar)) {
                return true;
            }
        }
        return false;
    }

    private boolean a(X509CRL x509crl, X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return true;
        }
        return Arrays.equals(ot.a(x509crl), ot.b(x509Certificate, ks.cp));
    }

    private boolean a(X500Principal x500Principal, nj njVar, nj njVar2) {
        int f2 = ir.f(njVar.g().g());
        int f3 = ir.f(njVar2.g().g());
        if (f2 == 0 && f3 == 0) {
            for (int i2 = 0; i2 < njVar.a(); i2++) {
                lv lvVar = new lv(njVar.a(i2));
                for (int i3 = 0; i3 < njVar2.a(); i3++) {
                    if (lvVar.equals(new lv(njVar2.a(i3)))) {
                        return true;
                    }
                }
            }
            return false;
        }
        if (f2 == 1 && f3 == 0) {
            X500Principal a2 = ot.a(x500Principal, njVar);
            for (int i4 = 0; i4 < njVar2.a(); i4++) {
                lv lvVar2 = new lv(njVar2.a(i4));
                if (lvVar2.a() == 4 && lvVar2.b().equals(a2)) {
                    return true;
                }
            }
            return false;
        }
        if (f2 != 0 || f3 != 1) {
            if (f2 == 1 && f3 == 1) {
                return njVar.equals(njVar2);
            }
            return false;
        }
        X500Principal a3 = ot.a(x500Principal, njVar2);
        for (int i5 = 0; i5 < njVar.a(); i5++) {
            lv lvVar3 = new lv(njVar.a(i5));
            if (lvVar3.a() == 4 && lvVar3.b().equals(a3)) {
                return true;
            }
        }
        return false;
    }
}
