package org.bouncycastle.jce.provider;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.PKIXParameters;
import java.security.cert.PolicyQualifierInfo;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.a.s.be;

/* loaded from: classes.dex */
/**
 * Decompiled (JADX) and name-obfuscated {@link CertPathValidatorSpi} implementation.
 *
 * <p>The helpers visible here cover CRL lookup and revocation checking, trust-anchor
 * selection, policy-tree node bookkeeping and name-subtree set operations (distinguished
 * names and e-mail/domain strings). Almost every helper is an overload of {@code a},
 * {@code b}, {@code c} or {@code d}; which overload a call binds to depends on the static
 * argument types, so casts and declared types in this file must not be changed casually.
 *
 * <p>NOTE(review): {@link #engineValidate} was not recovered by the decompiler. The body in
 * this listing only throws {@link UnsupportedOperationException}, so this file documents the
 * helpers but is not a runnable validator.
 *
 * <p>{@code a} (exception type) and {@code al} (tree node type) are classes of this package
 * that are not part of this file; {@code al} exposes getParent/getDepth/getChildren/
 * getExpectedPolicies/getValidPolicy, so it is presumably the provider's PolicyNode
 * implementation - confirm against the original sources.
 */
public class ak extends CertPathValidatorSpi {
    // The anyPolicy OID (RFC 5280, certificate policies extension).
    private static final String l = "2.5.29.32.0";
    // m and n are not referenced by any helper visible in this file. Presumably they are the
    // keyCertSign (5) and cRLSign (6) indexes of X509Certificate.getKeyUsage(); the CRL check
    // below uses the literal 6 instead of n - TODO confirm.
    private static final int m = 5;
    private static final int n = 6;
    // Extension OIDs as strings, taken from obfuscated constants in org.bouncycastle.a.s.be.
    // The meaning of each one cannot be read off the obfuscated names; the hedged notes below
    // are derived only from how the fields are used in this file. Fields without a note are
    // not referenced by the helpers visible here.
    private static final String a = be.s.e();
    private static final String b = be.t.e();
    private static final String c = be.y.e();
    // d: read from a CRL and parsed into an object with "only contains user/CA/attribute
    // certs" flags - presumably issuingDistributionPoint; confirm.
    private static final String d = be.o.e();
    // e: read from a CRL; when present a base CRL is required - presumably
    // deltaCRLIndicator; confirm.
    private static final String e = be.n.e();
    private static final String f = be.v.e();
    // g: read from the certificate being checked and compared with the CRL scope flags -
    // presumably basicConstraints; confirm.
    private static final String g = be.i.e();
    private static final String h = be.g.e();
    private static final String i = be.q.e();
    private static final String j = be.e.e();
    // k: read from a CRL and used as an upper bound for the base CRL number - presumably
    // cRLNumber; confirm.
    private static final String k = be.j.e();
    // Human-readable names indexed by the integer read from a CRL entry extension
    // (valid indexes are 0..10; index 7 maps to "unknown").
    private static final String[] o = {"unspecified", "keyCompromise", "cACompromise", "affiliationChanged", "superseded", "cessationOfOperation", "certificateHold", "unknown", "removeFromCRL", "privilegeWithdrawn", "aACompromise"};

    /**
     * Collects every CRL matching {@code x509CRLSelector} from all stores in {@code list}.
     *
     * @param x509CRLSelector selector passed unchanged to each store
     * @param list            list whose elements are cast to {@link CertStore}
     * @return a new set holding the union of the matches (duplicates collapse)
     * @throws a if any single store fails; the whole lookup is abandoned in that case
     */
    private final Collection a(X509CRLSelector x509CRLSelector, List list) throws a {
        HashSet hashSet = new HashSet();
        Iterator it = list.iterator();
        while (it.hasNext()) {
            try {
                hashSet.addAll(((CertStore) it.next()).getCRLs(x509CRLSelector));
            } catch (CertStoreException e2) {
                // The CertStoreException is kept as the cause.
                throw new a(new StringBuffer().append("cannot extract crl: ").append(e2).toString(), e2);
            }
        }
        return hashSet;
    }

    /**
     * Returns the date configured in the parameters, or the current time when none is set.
     */
    private Date a(PKIXParameters pKIXParameters) {
        Date date = pKIXParameters.getDate();
        return date == null ? new Date() : date;
    }

    /**
     * Narrows a set of e-mail/domain suffix strings with one more entry.
     *
     * <p>Only the part of {@code str} after the first '@' is used (the whole string when it
     * has no '@'). For each existing entry that is suffix-related to the new one, the longer
     * of the two is kept; entries unrelated to the new one are dropped. Presumably this is
     * the "intersect permitted subtrees" step for rfc822 names - confirm against the caller.
     *
     * @return {@code set} itself (mutated) when it was empty, otherwise a new set
     */
    private Set a(Set set, String str) {
        // 64 is '@'; indexOf returns -1 when absent, so the substring then starts at 0.
        String substring = str.substring(str.indexOf(64) + 1);
        if (set.isEmpty()) {
            // An empty set is treated as "no restriction yet": the argument is modified in place.
            set.add(substring);
            return set;
        }
        HashSet hashSet = new HashSet();
        Iterator it = set.iterator();
        while (it.hasNext()) {
            String str2 = (String) it.next();
            // NOTE(review): plain String.endsWith - no check that the match starts at a '.'
            // or '@' boundary and no case folding. With a constructed sample, the entry
            // "example.com" is a suffix of "notexample.com" as well as of "a.example.com".
            if (substring.endsWith(str2)) {
                hashSet.add(substring);
            } else if (str2.endsWith(substring)) {
                hashSet.add(str2);
            }
        }
        return hashSet;
    }

    /**
     * Returns {@code set} unchanged; {@code bArr} is ignored.
     *
     * <p>NOTE(review): by position this parallels the String overload above, so it is
     * presumably the byte[]-encoded (IP address?) variant of the same set operation. Nothing
     * is computed here - confirm whether callers depend on it.
     */
    private Set a(Set set, byte[] bArr) {
        return set;
    }

    /**
     * Builds a set of {@link PolicyQualifierInfo} objects, one per element of {@code iVar}.
     *
     * @param iVar enumerable container of qualifier objects; {@code null} yields an empty set
     * @return a new set, possibly empty
     * @throws CertPathValidatorException if an element cannot be encoded or parsed
     */
    private final Set a(org.bouncycastle.a.i iVar) throws CertPathValidatorException {
        HashSet hashSet = new HashSet();
        if (iVar != null) {
            // One buffer is reused: each element is written, wrapped, then the buffer is reset.
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            org.bouncycastle.a.h hVar = new org.bouncycastle.a.h(byteArrayOutputStream);
            Enumeration e2 = iVar.e();
            while (e2.hasMoreElements()) {
                try {
                    hVar.a(e2.nextElement());
                    hashSet.add(new PolicyQualifierInfo(byteArrayOutputStream.toByteArray()));
                    byteArrayOutputStream.reset();
                } catch (IOException e3) {
                    // NOTE(review): only the text of e3 is kept; the exception is not chained as cause.
                    throw new CertPathValidatorException(new StringBuffer().append("exception building qualifier set: ").append(e3).toString());
                }
            }
        }
        return hashSet;
    }

    /** Returns the issuer of the CRL as an {@link X500Principal}. */
    private X500Principal a(X509CRL x509crl) {
        return x509crl.getIssuerX500Principal();
    }

    /**
     * Decodes an extension value in two steps: {@code bArr} is parsed, the result is cast to
     * {@code org.bouncycastle.a.g}, and the bytes returned by its {@code e()} are parsed again.
     *
     * <p>Presumably this strips the OCTET STRING wrapper that
     * {@link X509Extension#getExtensionValue} returns - confirm. A value of another type
     * fails with a ClassCastException, which is not caught here.
     *
     * @param str  extension OID, used only in the error message
     * @param bArr encoded extension value
     * @throws a if either parse step raises an IOException
     */
    private org.bouncycastle.a.ak a(String str, byte[] bArr) throws a {
        try {
            return new org.bouncycastle.a.d(((org.bouncycastle.a.g) new org.bouncycastle.a.d(bArr).b()).e()).b();
        } catch (IOException e2) {
            throw new a(new StringBuffer().append("exception processing extension ").append(str).toString(), e2);
        }
    }

    /**
     * Reads and decodes the extension {@code str} from a certificate, CRL or CRL entry.
     *
     * @return the decoded value, or {@code null} when the extension is absent
     */
    private org.bouncycastle.a.ak a(X509Extension x509Extension, String str) throws a {
        byte[] extensionValue = x509Extension.getExtensionValue(str);
        if (extensionValue == null) {
            return null;
        }
        return a(str, extensionValue);
    }

    /**
     * Parses {@code publicKey.getEncoded()} and returns {@code e()} of the parsed structure.
     *
     * <p>Presumably the algorithm identifier of the SubjectPublicKeyInfo - confirm; the
     * obfuscated types do not show it.
     *
     * @throws CertPathValidatorException if the encoding cannot be read
     */
    private org.bouncycastle.a.s.b a(PublicKey publicKey) throws CertPathValidatorException {
        try {
            return org.bouncycastle.a.s.aq.a(new org.bouncycastle.a.d(new ByteArrayInputStream(publicKey.getEncoded())).b()).e();
        } catch (IOException e2) {
            // NOTE(review): the IOException is dropped entirely (neither message nor cause is kept).
            throw new CertPathValidatorException("exception processing public key");
        }
    }

    /**
     * Detaches {@code alVar2} from the tree rooted at {@code alVar} and from the per-depth lists.
     *
     * @param alVar   tree root as passed by the caller; {@code null} is returned unchanged
     * @param listArr one list of nodes per depth
     * @param alVar2  node to remove; must be non-null even when {@code alVar} is null,
     *                because its parent is read before the null check
     * @return {@code alVar} when a non-root node was removed, otherwise {@code null}
     */
    private al a(al alVar, List[] listArr, al alVar2) {
        al alVar3 = (al) alVar2.getParent();
        if (alVar == null) {
            return null;
        }
        if (alVar3 != null) {
            // alVar3.b(...) presumably unlinks the child from its parent - confirm in al.
            alVar3.b(alVar2);
            a(listArr, alVar2);
            return alVar;
        }
        // The node has no parent: every depth list is replaced by an empty one and the
        // caller is handed a null tree.
        for (int i2 = 0; i2 < listArr.length; i2++) {
            listArr[i2] = new ArrayList();
        }
        return null;
    }

    /**
     * Checks one certificate against the CRLs found in the configured cert stores.
     *
     * <p>CRLs are selected by the certificate's issuer name. A CRL is only examined when its
     * thisUpdate lies before the certificate's notAfter. For each examined CRL the method
     * checks the issuer's key usage, verifies the CRL signature with provider "BC", looks up
     * the certificate's serial number, requires a base CRL when the CRL carries extension
     * {@code e}, and applies the scope flags parsed from extension {@code d}. The method
     * returns normally only if no check threw and at least one examined CRL has no nextUpdate
     * or a nextUpdate after {@code date}.
     *
     * @param pKIXParameters   source of the cert stores
     * @param x509Certificate  certificate being checked
     * @param date             validation time
     * @param x509Certificate2 issuer certificate, or {@code null}; only its key usage is read
     * @param publicKey        key used to verify each CRL signature
     * @throws a on revocation, on any failed check, or when no current CRL was found
     */
    private void a(PKIXParameters pKIXParameters, X509Certificate x509Certificate, Date date, X509Certificate x509Certificate2, PublicKey publicKey) throws a {
        boolean z;
        org.bouncycastle.a.ac a2;
        boolean[] keyUsage;
        X509CRLSelector x509CRLSelector = new X509CRLSelector();
        try {
            x509CRLSelector.addIssuerName(b(x509Certificate).getEncoded());
            x509CRLSelector.setCertificateChecking(x509Certificate);
            // z2: set once a CRL that is still current at 'date' has passed every check.
            boolean z2 = false;
            for (X509CRL x509crl : a(x509CRLSelector, pKIXParameters.getCertStores())) {
                if (x509Certificate.getNotAfter().after(x509crl.getThisUpdate())) {
                    // A CRL past its nextUpdate is still searched for the serial number below;
                    // it just does not count towards z2.
                    boolean z3 = (x509crl.getNextUpdate() == null || date.before(x509crl.getNextUpdate())) ? true : z2;
                    // Index 6 of getKeyUsage() is cRLSign. NOTE(review): the check is skipped
                    // when no issuer certificate is supplied or it has no keyUsage extension.
                    if (x509Certificate2 != null && (keyUsage = x509Certificate2.getKeyUsage()) != null && (keyUsage.length < 7 || !keyUsage[6])) {
                        throw new a(new StringBuffer().append("Issuer certificate keyusage extension does not permit crl signing.\n").append(x509Certificate2).toString());
                    }
                    try {
                        x509crl.verify(publicKey, "BC");
                        X509CRLEntry revokedCertificate = x509crl.getRevokedCertificate(x509Certificate.getSerialNumber());
                        // Revoked only if the revocation date is not after the validation date.
                        if (revokedCertificate != null && !date.before(revokedCertificate.getRevocationDate())) {
                            String str = null;
                            if (revokedCertificate.hasExtensions() && (a2 = org.bouncycastle.a.ac.a(a(revokedCertificate, be.k.e()))) != null) {
                                // NOTE(review): the index is not range-checked. A value outside
                                // 0..10 raises ArrayIndexOutOfBoundsException, which the
                                // catch (Exception) below reports as "can't verify CRL" - the
                                // certificate is still rejected, but the message hides that it
                                // was revoked.
                                str = o[a2.e().intValue()];
                            }
                            String stringBuffer = new StringBuffer().append("Certificate revocation after ").append(revokedCertificate.getRevocationDate()).toString();
                            // NOTE(review): thrown inside the try; if 'a' extends Exception it is
                            // caught below and re-wrapped with the "can't verify CRL: " prefix.
                            throw new a(str != null ? new StringBuffer().append(stringBuffer).append(", reason: ").append(str).toString() : stringBuffer);
                        }
                        org.bouncycastle.a.ak a3 = a(x509crl, d);
                        org.bouncycastle.a.ak a4 = a(x509crl, e);
                        if (a4 != null) {
                            // Extension e is present: look for a base CRL from the same issuer
                            // whose number lies in [value of e, value of k - 1].
                            X509CRLSelector x509CRLSelector2 = new X509CRLSelector();
                            try {
                                x509CRLSelector2.addIssuerName(a(x509crl).getEncoded());
                                x509CRLSelector2.setMinCRLNumber(((org.bouncycastle.a.ah) a4).f());
                                // NOTE(review): a(x509crl, k) returns null when extension k is
                                // absent; the resulting NullPointerException is caught by the
                                // outer catch (Exception) and reported as "can't verify CRL".
                                x509CRLSelector2.setMaxCRLNumber(((org.bouncycastle.a.ah) a(x509crl, k)).f().subtract(BigInteger.valueOf(1L)));
                                Iterator it = a(x509CRLSelector2, pKIXParameters.getCertStores()).iterator();
                                // A candidate counts as the base when its extension d equals this
                                // CRL's extension d, or when both lack it.
                                while (true) {
                                    if (!it.hasNext()) {
                                        z = false;
                                        break;
                                    }
                                    Object a5 = a((X509CRL) it.next(), d);
                                    if (a3 != null) {
                                        if (a3.equals(a5)) {
                                            z = true;
                                            break;
                                        }
                                    } else {
                                        if (a5 == null) {
                                            z = true;
                                            break;
                                        }
                                    }
                                }
                                if (!z) {
                                    throw new a("No base CRL for delta CRL");
                                }
                            } catch (IOException e2) {
                                throw new a(new StringBuffer().append("can't extract issuer from certificate: ").append(e2).toString(), e2);
                            }
                        }
                        if (a3 != null) {
                            // Scope flags of the CRL (a6) against the CA flag of the certificate
                            // (a7, parsed from extension g; null when the extension is absent).
                            org.bouncycastle.a.s.ac a6 = org.bouncycastle.a.s.ac.a(a3);
                            org.bouncycastle.a.s.j a7 = org.bouncycastle.a.s.j.a(a(x509Certificate, g));
                            if (a6.e() && a7 != null && a7.e()) {
                                throw new a("CA Cert CRL only contains user certificates");
                            }
                            if (a6.f() && (a7 == null || !a7.e())) {
                                throw new a("End CRL only contains CA certificates");
                            }
                            if (a6.h()) {
                                throw new a("onlyContainsAttributeCerts boolean is asserted");
                            }
                        }
                        // Reached only when every check for this CRL passed.
                        z2 = z3;
                    } catch (Exception e3) {
                        // Broad catch: signature failures, parse errors and runtime exceptions
                        // all end up here and all reject the certificate.
                        throw new a(new StringBuffer().append("can't verify CRL: ").append(e3).toString(), e3);
                    }
                }
            }
            if (!z2) {
                // Fails closed: absence of a current, verifiable CRL is an error.
                throw new a("no valid CRL found");
            }
        } catch (IOException e4) {
            throw new a(new StringBuffer().append("Cannot extract issuer from certificate: ").append(e4).toString(), e4);
        }
    }

    /**
     * Requires {@code iVar} to fall under at least one entry of {@code set}.
     *
     * @param set  permitted subtrees; an empty set imposes no restriction
     * @param iVar subject name as a sequence of components
     * @throws CertPathValidatorException if the set is non-empty and nothing matches
     */
    private void a(Set set, org.bouncycastle.a.i iVar) throws CertPathValidatorException {
        if (set.isEmpty()) {
            return;
        }
        Iterator it = set.iterator();
        while (it.hasNext()) {
            if (a(iVar, (org.bouncycastle.a.i) it.next())) {
                return;
            }
        }
        throw new CertPathValidatorException("Subject distinguished name is not from a permitted subtree");
    }

    /**
     * Removes {@code alVar} from the list for its depth, then does the same recursively for
     * its children ({@code alVar.a()} presumably reports whether it has any - confirm).
     */
    private void a(List[] listArr, al alVar) {
        listArr[alVar.getDepth()].remove(alVar);
        if (alVar.a()) {
            Iterator children = alVar.getChildren();
            while (children.hasNext()) {
                a(listArr, (al) children.next());
            }
        }
    }

    /**
     * Adds a node for the policy {@code alVar.e()} at depth {@code i2} under the first node
     * at depth {@code i2 - 1} whose expected policies contain that value.
     *
     * @param i2      depth of the new node; {@code listArr[i2 - 1]} is searched
     * @param listArr one list of nodes per depth
     * @param alVar   policy identifier object
     * @param set     passed through to the new node's constructor
     * @return {@code true} if a parent was found and a node was added
     */
    private boolean a(int i2, List[] listArr, org.bouncycastle.a.al alVar, Set set) {
        List list = listArr[i2 - 1];
        for (int i3 = 0; i3 < list.size(); i3++) {
            al alVar2 = (al) list.get(i3);
            if (alVar2.getExpectedPolicies().contains(alVar.e())) {
                HashSet hashSet = new HashSet();
                hashSet.add(alVar.e());
                al alVar3 = new al(new ArrayList(), i2, hashSet, alVar2, set, alVar.e(), false);
                alVar2.a(alVar3);
                listArr[i2].add(alVar3);
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether subject and issuer names are equal.
     *
     * <p>This compares names only; no signature is checked here.
     */
    private boolean a(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectDN().equals(x509Certificate.getIssuerDN());
    }

    /** Returns {@code true} when {@code set} is null, empty, or contains the anyPolicy OID. */
    private boolean a(Set set) {
        return set == null || set.contains(l) || set.isEmpty();
    }

    /**
     * Tests whether {@code iVar2} is a component-wise prefix of {@code iVar}.
     *
     * @param iVar  name being tested
     * @param iVar2 subtree; must have between 1 and {@code iVar.f()} components
     * @return {@code true} if every component of {@code iVar2} equals the component of
     *         {@code iVar} at the same index
     */
    private boolean a(org.bouncycastle.a.i iVar, org.bouncycastle.a.i iVar2) {
        if (iVar2.f() < 1 || iVar2.f() > iVar.f()) {
            return false;
        }
        for (int f2 = iVar2.f() - 1; f2 >= 0; f2--) {
            if (!iVar2.a(f2).equals(iVar.a(f2))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Widens a set of e-mail/domain suffix strings with one more entry.
     *
     * <p>Counterpart of {@code a(Set, String)}: for suffix-related pairs the shorter string
     * is kept, and unrelated pairs are both kept. Presumably the "union excluded subtrees"
     * step - confirm against the caller.
     *
     * @return {@code set} itself (mutated) when it was empty, otherwise a new set
     */
    private Set b(Set set, String str) {
        // 64 is '@'; without an '@' the whole string is used.
        String substring = str.substring(str.indexOf(64) + 1);
        if (set.isEmpty()) {
            set.add(substring);
            return set;
        }
        HashSet hashSet = new HashSet();
        Iterator it = set.iterator();
        while (it.hasNext()) {
            String str2 = (String) it.next();
            // NOTE(review): raw suffix comparison, no label boundary or case handling.
            if (substring.endsWith(str2)) {
                hashSet.add(str2);
            } else if (str2.endsWith(substring)) {
                hashSet.add(substring);
            } else {
                hashSet.add(str2);
                hashSet.add(substring);
            }
        }
        return hashSet;
    }

    /**
     * Returns {@code set} unchanged; {@code bArr} is ignored.
     *
     * <p>NOTE(review): no-op counterpart of {@code b(Set, String)} - confirm whether callers
     * expect byte[]-encoded names to be merged here.
     */
    private Set b(Set set, byte[] bArr) {
        return set;
    }

    /** Returns the issuer of the certificate as an {@link X500Principal}. */
    private X500Principal b(X509Certificate x509Certificate) {
        return x509Certificate.getIssuerX500Principal();
    }

    /**
     * Adds a node for the policy {@code alVar.e()} at depth {@code i2} under the first node
     * at depth {@code i2 - 1} whose valid policy is anyPolicy. Does nothing if there is none.
     */
    private void b(int i2, List[] listArr, org.bouncycastle.a.al alVar, Set set) {
        List list = listArr[i2 - 1];
        for (int i3 = 0; i3 < list.size(); i3++) {
            al alVar2 = (al) list.get(i3);
            // Result unused - probably a leftover of the decompilation.
            alVar2.getExpectedPolicies();
            if (l.equals(alVar2.getValidPolicy())) {
                HashSet hashSet = new HashSet();
                hashSet.add(alVar.e());
                al alVar3 = new al(new ArrayList(), i2, hashSet, alVar2, set, alVar.e(), false);
                alVar2.a(alVar3);
                listArr[i2].add(alVar3);
                return;
            }
        }
    }

    /**
     * Rejects {@code iVar} if it falls under any entry of {@code set}.
     *
     * @param set  excluded subtrees; an empty set excludes nothing
     * @param iVar subject name as a sequence of components
     * @throws CertPathValidatorException on the first matching entry
     */
    private void b(Set set, org.bouncycastle.a.i iVar) throws CertPathValidatorException {
        if (set.isEmpty()) {
            return;
        }
        Iterator it = set.iterator();
        while (it.hasNext()) {
            if (a(iVar, (org.bouncycastle.a.i) it.next())) {
                throw new CertPathValidatorException("Subject distinguished name is from an excluded subtree");
            }
        }
    }

    /**
     * Narrows a set of name subtrees with {@code iVar}: of each prefix-related pair the
     * longer (more specific) name is kept, unrelated entries are dropped.
     *
     * @return {@code set} itself (mutated) when it was empty, otherwise a new set
     */
    private Set c(Set set, org.bouncycastle.a.i iVar) {
        if (set.isEmpty()) {
            set.add(iVar);
            return set;
        }
        HashSet hashSet = new HashSet();
        Iterator it = set.iterator();
        while (it.hasNext()) {
            org.bouncycastle.a.i iVar2 = (org.bouncycastle.a.i) it.next();
            // a(x, y) is true when y is a prefix of x, i.e. x lies inside subtree y.
            if (a(iVar, iVar2)) {
                hashSet.add(iVar);
            } else if (a(iVar2, iVar)) {
                hashSet.add(iVar2);
            }
        }
        return hashSet;
    }

    /** Returns the subject of the certificate as an {@link X500Principal}. */
    private X500Principal c(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal();
    }

    /**
     * Requires the part of {@code str} after '@' to end with at least one entry of {@code set}.
     *
     * @param set permitted suffixes; an empty set imposes no restriction
     * @param str e-mail address (or bare domain when it has no '@')
     * @throws CertPathValidatorException if the set is non-empty and nothing matches
     */
    private void c(Set set, String str) throws CertPathValidatorException {
        if (set.isEmpty()) {
            return;
        }
        String substring = str.substring(str.indexOf(64) + 1);
        Iterator it = set.iterator();
        while (it.hasNext()) {
            // NOTE(review): raw suffix test. A permitted entry also admits any longer domain
            // that merely ends with the same characters (no '.' boundary), and the comparison
            // is case-sensitive.
            if (substring.endsWith((String) it.next())) {
                return;
            }
        }
        throw new CertPathValidatorException("Subject email address is not from a permitted subtree");
    }

    /**
     * Performs no check and never throws.
     *
     * <p>NOTE(review): by position this is the byte[] counterpart of the "permitted" check
     * above (presumably for IP address names - confirm). As decompiled, a non-empty
     * {@code set} is never compared with {@code bArr}, so such constraints are not enforced
     * by this method.
     */
    private void c(Set set, byte[] bArr) throws CertPathValidatorException {
        if (set.isEmpty()) {
        }
    }

    /**
     * Widens a set of name subtrees with {@code iVar}: of each prefix-related pair the
     * shorter (broader) name is kept, unrelated pairs are both kept.
     *
     * @return {@code set} itself (mutated) when it was empty, otherwise a new set
     */
    private Set d(Set set, org.bouncycastle.a.i iVar) {
        if (set.isEmpty()) {
            set.add(iVar);
            return set;
        }
        HashSet hashSet = new HashSet();
        Iterator it = set.iterator();
        while (it.hasNext()) {
            org.bouncycastle.a.i iVar2 = (org.bouncycastle.a.i) it.next();
            if (a(iVar, iVar2)) {
                hashSet.add(iVar2);
            } else if (a(iVar2, iVar)) {
                hashSet.add(iVar);
            } else {
                hashSet.add(iVar2);
                hashSet.add(iVar);
            }
        }
        return hashSet;
    }

    /**
     * Rejects {@code str} if the part after '@' ends with any entry of {@code set}.
     *
     * @param set excluded suffixes; an empty set excludes nothing
     * @param str e-mail address (or bare domain when it has no '@')
     * @throws CertPathValidatorException on the first matching entry
     */
    private void d(Set set, String str) throws CertPathValidatorException {
        if (set.isEmpty()) {
            return;
        }
        String substring = str.substring(str.indexOf(64) + 1);
        Iterator it = set.iterator();
        while (it.hasNext()) {
            // NOTE(review): raw, case-sensitive suffix test; an excluded entry is not matched
            // by the same domain written in a different letter case.
            if (substring.endsWith((String) it.next())) {
                throw new CertPathValidatorException("Subject email address is from an excluded subtree");
            }
        }
    }

    /**
     * Performs no check and never throws.
     *
     * <p>NOTE(review): byte[] counterpart of the "excluded" check above; as decompiled,
     * nothing is ever rejected here - confirm whether callers rely on it.
     */
    private void d(Set set, byte[] bArr) throws CertPathValidatorException {
        if (set.isEmpty()) {
        }
    }

    /**
     * Finds a trust anchor that issued {@code x509Certificate}.
     *
     * <p>An anchor is a candidate when its trusted certificate's subject equals the
     * certificate's issuer, or - for anchors given as name plus key - when the CA name equals
     * the issuer. The first candidate whose public key verifies the certificate's signature
     * is returned.
     *
     * @param x509Certificate certificate whose issuer is looked up
     * @param certPath        path, used only to populate the exception
     * @param i2              index in the path, used only to populate the exception
     * @param set             set whose elements are cast to {@link TrustAnchor}
     * @return the matching anchor, or {@code null} when no candidate matched by name
     * @throws CertPathValidatorException if candidates matched by name but none verified,
     *         or if the issuer name cannot be encoded
     */
    final TrustAnchor a(X509Certificate x509Certificate, CertPath certPath, int i2, Set set) throws CertPathValidatorException {
        Iterator it = set.iterator();
        X509CertSelector x509CertSelector = new X509CertSelector();
        try {
            x509CertSelector.setSubject(b(x509Certificate).getEncoded());
            // exc keeps the most recent verification failure for the error report.
            Exception exc = null;
            // NOTE(review): publicKey is not reset between iterations, so after a failed
            // verification a later non-matching anchor re-runs verify() with the stale key.
            // That repeat fails the same way and the candidate is null at that point, so no
            // anchor is accepted through this path.
            PublicKey publicKey = null;
            TrustAnchor trustAnchor = null;
            while (it.hasNext() && trustAnchor == null) {
                TrustAnchor trustAnchor2 = (TrustAnchor) it.next();
                if (trustAnchor2.getTrustedCert() != null) {
                    if (x509CertSelector.match(trustAnchor2.getTrustedCert())) {
                        publicKey = trustAnchor2.getTrustedCert().getPublicKey();
                    } else {
                        trustAnchor2 = null;
                    }
                } else if (trustAnchor2.getCAName() == null || trustAnchor2.getCAPublicKey() == null) {
                    trustAnchor2 = null;
                } else {
                    try {
                        if (b(x509Certificate).equals(new X500Principal(trustAnchor2.getCAName()))) {
                            publicKey = trustAnchor2.getCAPublicKey();
                        } else {
                            trustAnchor2 = null;
                        }
                    } catch (IllegalArgumentException e2) {
                        // An anchor whose CA name does not parse is skipped silently.
                        trustAnchor2 = null;
                    }
                }
                if (publicKey != null) {
                    try {
                        // Uses the default provider lookup (no provider name is passed).
                        x509Certificate.verify(publicKey);
                        trustAnchor = trustAnchor2;
                    } catch (Exception e3) {
                        exc = e3;
                        trustAnchor = null;
                    }
                } else {
                    trustAnchor = trustAnchor2;
                }
            }
            if (trustAnchor != null || exc == null) {
                return trustAnchor;
            }
            throw new CertPathValidatorException("TrustAnchor found but certificate validation failed.", exc, certPath, i2);
        } catch (IOException e4) {
            throw new CertPathValidatorException(e4);
        }
    }

    // NOTE(review): the decompiler could not reconstruct this method (see the JADX warnings
    // below). The body is a placeholder that always throws UnsupportedOperationException; the
    // real validation logic that drives the helpers above is not present in this listing.
    /* JADX WARN: Code restructure failed: missing block: B:341:0x0848, code lost:
    
        if (r21 < r3) goto L328;
     */
    /* JADX WARN: Removed duplicated region for block: B:559:0x0a93  */
    @Override // java.security.cert.CertPathValidatorSpi
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public java.security.cert.CertPathValidatorResult engineValidate(java.security.cert.CertPath r39, java.security.cert.CertPathParameters r40) throws java.security.cert.CertPathValidatorException, java.security.InvalidAlgorithmParameterException {
        /*
            Method dump skipped, instructions count: 3090
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.bouncycastle.jce.provider.ak.engineValidate(java.security.cert.CertPath, java.security.cert.CertPathParameters):java.security.cert.CertPathValidatorResult");
    }
}
