package com.rsa.certj.provider.path;

import com.rsa.certj.CertJ;
import com.rsa.certj.CertJUtils;
import com.rsa.certj.NoServiceException;
import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.NameException;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.cert.X509V3Extensions;
import com.rsa.certj.cert.extensions.AuthorityInfoAccess;
import com.rsa.certj.cert.extensions.AuthorityKeyID;
import com.rsa.certj.cert.extensions.BasicConstraints;
import com.rsa.certj.cert.extensions.CRLDistributionPoints;
import com.rsa.certj.cert.extensions.FreshestCRL;
import com.rsa.certj.cert.extensions.GeneralNames;
import com.rsa.certj.cert.extensions.GeneralSubtrees;
import com.rsa.certj.cert.extensions.InhibitAnyPolicy;
import com.rsa.certj.cert.extensions.KeyUsage;
import com.rsa.certj.cert.extensions.NameConstraints;
import com.rsa.certj.cert.extensions.PolicyConstraints;
import com.rsa.certj.cert.extensions.PolicyMappings;
import com.rsa.certj.cert.extensions.SubjectAltName;
import com.rsa.certj.cert.extensions.SubjectInfoAccess;
import com.rsa.certj.cert.extensions.SubjectKeyID;
import com.rsa.certj.cert.extensions.X509V3Extension;
import com.rsa.certj.spi.path.CertPathCtx;
import com.rsa.certj.spi.path.CertPathException;
import com.rsa.certj.spi.random.RandomException;
import com.rsa.certj.x.h;
import com.rsa.jsafe.JSAFE_PublicKey;
import java.security.SecureRandom;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

/* loaded from: input_file:com/rsa/certj/provider/path/a.class */
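/**
 * Per-certificate conformance checks run while a certification path is built or
 * validated: issuer/subject presence, validity period, signature, serial-number
 * shape, and the criticality/content rules for the standard X.509v3 extensions.
 *
 * <p>The class keeps its decompiled name and the two package-visible entry points
 * {@code a(X509Certificate, CertPathCtx, JSAFE_PublicKey)} and
 * {@code b(X509Certificate, CertPathCtx, JSAFE_PublicKey)} (the decompiler
 * reports both as originally package-private) so existing callers are
 * unaffected. Private helpers and fields carry descriptive names instead of the
 * obfuscated overloads.
 *
 * <p>Several checks are bypassed when the matching {@link CertPathCtx} flag is
 * raised (see the {@code FLAG_*} constants). A raised flag disables that check
 * completely, so the caller owns the consequences of raising it.
 *
 * <p>Every failed check surfaces as a {@link CertificateException}; failures of
 * the underlying services (device, random source, name decoding) surface as a
 * {@link CertPathException} wrapping the original cause.
 *
 * <p>Instances hold only the {@link CertJ} reference they were created with;
 * thread-safety is that of the {@link CertJ} device and random object.
 */
final class a {
    // DER encoding of the id-ce arc 2.5.29: the first octet packs 2*40+5 = 85,
    // the second is 29. Every standard extension OID below is 2.5.29.<n>.
    private static final byte ID_CE_ARC_BYTE_0 = 85;
    private static final byte ID_CE_ARC_BYTE_1 = 29;

    // RFC 5280 4.1.2.2: conforming CAs must not issue serial numbers longer
    // than 20 octets.
    private static final int MAX_SERIAL_NUMBER_BYTES = 20;

    // X509Certificate.getVersion() value compared against when extensions are
    // present (the error message names it V3).
    private static final int VERSION_V3 = 2;

    // CertPathCtx flags. Names describe the check each flag bypasses in this
    // class; the numeric values are taken unchanged from the original.
    private static final int FLAG_SKIP_SIGNATURE_CHECK = 1;
    private static final int FLAG_SKIP_VALIDITY_DATE_CHECK = 2;
    private static final int FLAG_IGNORE_BASIC_CONSTRAINTS = 32;
    private static final int FLAG_SKIP_KEY_USAGE_CHECK = 64;
    private static final int FLAG_ALLOW_NON_STANDARD_EXTENSIONS = 128;

    // X509V3Extensions.getExtensionByType() / isExtensionType() codes. Each
    // value is fixed by the cast applied to the lookup result in this class.
    private static final int TYPE_NON_STANDARD = -1;
    private static final int TYPE_SUBJECT_KEY_ID = 14;
    private static final int TYPE_KEY_USAGE = 15;
    private static final int TYPE_SUBJECT_ALT_NAME = 17;
    private static final int TYPE_BASIC_CONSTRAINTS = 19;
    private static final int TYPE_NAME_CONSTRAINTS = 30;
    private static final int TYPE_CRL_DISTRIBUTION_POINTS = 31;
    private static final int TYPE_POLICY_MAPPINGS = 33;
    private static final int TYPE_AUTHORITY_KEY_ID = 35;
    private static final int TYPE_POLICY_CONSTRAINTS = 36;
    private static final int TYPE_FRESHEST_CRL = 46;
    private static final int TYPE_INHIBIT_ANY_POLICY = 54;
    private static final int TYPE_AUTHORITY_INFO_ACCESS = 100;
    private static final int TYPE_SUBJECT_INFO_ACCESS = 125;

    // KeyUsage bit masks as passed to KeyUsage.verifyKeyUsage(); the meaning of
    // each follows from the error message raised when it is set.
    private static final int KEY_USAGE_CRL_SIGN = 33554432;
    private static final int KEY_USAGE_KEY_CERT_SIGN = 67108864;

    // CRLDistributionPoints.getReasonFlags() value meaning "all reasons"
    // (0xFF800000 as a signed int).
    private static final int ALL_REASON_FLAGS = -8388608;

    // GeneralName type code the original accepts for a CRLIssuer entry; the
    // error message identifies it as the distinguished-name form.
    private static final int GENERAL_NAME_TYPE_DIRECTORY_NAME = 5;

    // Sentinel the original compares against for an absent integer field in
    // GeneralSubtrees and PolicyConstraints.
    private static final int FIELD_ABSENT = -1;

    // String form (via h.a) of every OID that must only ever appear as a
    // standard extension; populated once in the static initializer.
    private static final Set<String> STANDARD_EXTENSION_OIDS = new HashSet<String>();

    // Supplies the device used for key parsing/signature verification and the
    // random object passed to signature verification.
    private final CertJ certJ;

    /**
     * Creates a checker bound to the given {@link CertJ} instance.
     *
     * @param certJ source of the device and random object used by the checks
     */
    public a(CertJ certJ) {
        this.certJ = certJ;
    }

    /**
     * Registers the standard extension {@code 2.5.29.<arc>} in
     * {@link #STANDARD_EXTENSION_OIDS}.
     *
     * @param arc last arc of the id-ce OID, narrowed to one byte
     */
    private static void registerStandardExtension(int arc) {
        registerStandardExtension(new byte[]{ID_CE_ARC_BYTE_0, ID_CE_ARC_BYTE_1, (byte) arc});
    }

    /**
     * Registers a DER-encoded OID value in {@link #STANDARD_EXTENSION_OIDS}.
     *
     * @param encodedOid DER value of the OID (without tag and length)
     */
    private static void registerStandardExtension(byte[] encodedOid) {
        STANDARD_EXTENSION_OIDS.add(h.a(encodedOid));
    }

    /**
     * Runs the complete set of checks on one certificate: basic checks
     * ({@link #b(X509Certificate, CertPathCtx, JSAFE_PublicKey)}), serial
     * number shape, then the extension rules.
     *
     * @param x509Certificate certificate under test
     * @param certPathCtx     validation context (flags and validation time)
     * @param jSAFE_PublicKey key expected to have signed the certificate
     * @throws CertificateException if any conformance check fails
     * @throws CertPathException    if an underlying service fails
     */
    public void a(X509Certificate x509Certificate, CertPathCtx certPathCtx, JSAFE_PublicKey jSAFE_PublicKey) throws CertPathException, CertificateException {
        b(x509Certificate, certPathCtx, jSAFE_PublicKey);
        checkSerialNumber(x509Certificate.getSerialNumber());
        checkExtensions(x509Certificate, certPathCtx);
    }

    /**
     * Basic checks: the subject public key parses on the configured device,
     * the issuer name is present, the certificate is valid at the context's
     * validation time (or now, when none is set) unless
     * {@link #FLAG_SKIP_VALIDITY_DATE_CHECK} is raised, and the signature
     * verifies under {@code jSAFE_PublicKey} unless
     * {@link #FLAG_SKIP_SIGNATURE_CHECK} is raised.
     *
     * @param x509Certificate certificate under test
     * @param certPathCtx     validation context (flags and validation time)
     * @param jSAFE_PublicKey key expected to have signed the certificate
     * @throws CertificateException if the issuer is missing, the certificate
     *                              is outside its validity period, or the
     *                              signature does not verify
     * @throws CertPathException    if the device or random service fails
     */
    public void b(X509Certificate x509Certificate, CertPathCtx certPathCtx, JSAFE_PublicKey jSAFE_PublicKey) throws CertificateException, CertPathException {
        // The returned key is discarded: this call only forces the subject
        // public key to be decoded on the device, which rejects malformed keys.
        x509Certificate.getSubjectPublicKey(this.certJ.getDevice());
        if (x509Certificate.getIssuerName() == null || x509Certificate.getIssuerName().getRDNCount() == 0) {
            throw new CertificateException("Issuer name MUST be present");
        }
        if (!certPathCtx.isFlagRaised(FLAG_SKIP_VALIDITY_DATE_CHECK)) {
            Date validationTime = certPathCtx.getValidationTime();
            if (validationTime == null) {
                // No explicit validation time on the context: use the current time.
                validationTime = new Date();
            }
            if (!x509Certificate.checkValidityDate(validationTime)) {
                throw new CertificateException("Certificate is not valid at validation time.");
            }
        }
        if (certPathCtx.isFlagRaised(FLAG_SKIP_SIGNATURE_CHECK)) {
            // Signature verification is disabled by the caller; nothing else to do.
            return;
        }
        try {
            boolean verified = x509Certificate.verifyCertificateSignature(
                    this.certJ.getDevice(), jSAFE_PublicKey, (SecureRandom) this.certJ.getRandomObject());
            if (!verified) {
                throw new CertificateException("Certificate signature could not be validated.");
            }
        } catch (NoServiceException e) {
            throw new CertPathException(e);
        } catch (RandomException e) {
            throw new CertPathException(e);
        }
    }

    /**
     * Extension-related checks. A certificate without extensions only needs a
     * non-empty subject name. Otherwise the version must be V3 and each
     * standard extension is checked for criticality and content in the same
     * order as the original implementation.
     *
     * @param x509Certificate certificate under test
     * @param certPathCtx     validation context (flags)
     * @throws CertificateException if any extension rule is violated
     * @throws CertPathException    if name decoding fails inside an extension
     */
    private void checkExtensions(X509Certificate x509Certificate, CertPathCtx certPathCtx) throws CertPathException, CertificateException {
        X509V3Extensions extensions = x509Certificate.getExtensions();
        if (extensions == null || extensions.getExtensionCount() == 0) {
            if (x509Certificate.getSubjectName() == null || x509Certificate.getSubjectName().getRDNCount() == 0) {
                throw new CertificateException("Subject name MUST NOT be empty when no extensions are specified");
            }
            return;
        }
        BasicConstraints basicConstraints = (BasicConstraints) extensions.getExtensionByType(TYPE_BASIC_CONSTRAINTS);
        boolean isCa = isCaCertificate(basicConstraints, certPathCtx);
        if (x509Certificate.getVersion() != VERSION_V3) {
            throw new CertificateException("Version number MUST be V3 if extensions are present");
        }
        rejectDuplicateExtensions(extensions);
        checkNonStandardExtensions(extensions, certPathCtx);
        checkSubjectNamePresence(x509Certificate, extensions, isCa);
        checkAuthorityKeyId(x509Certificate, extensions);
        checkSubjectKeyId(extensions, isCa);
        checkKeyUsage(basicConstraints, extensions, certPathCtx, isCa);
        InhibitAnyPolicy inhibitAnyPolicy = (InhibitAnyPolicy) extensions.getExtensionByType(TYPE_INHIBIT_ANY_POLICY);
        if (inhibitAnyPolicy != null && !inhibitAnyPolicy.getCriticality()) {
            throw new CertificateException("Inhibit anyPolicy extension MUST be marked as critical");
        }
        checkCrlDistributionPoints(extensions);
        checkFreshestCrl(extensions);
        SubjectInfoAccess subjectInfoAccess = (SubjectInfoAccess) extensions.getExtensionByType(TYPE_SUBJECT_INFO_ACCESS);
        if (subjectInfoAccess != null && subjectInfoAccess.getCriticality()) {
            throw new CertificateException("SubjectInfoAccess extension MUST NOT be set as critical");
        }
        AuthorityInfoAccess authorityInfoAccess = (AuthorityInfoAccess) extensions.getExtensionByType(TYPE_AUTHORITY_INFO_ACCESS);
        if (authorityInfoAccess != null && authorityInfoAccess.getCriticality()) {
            throw new CertificateException("AuthorityInfoAccess extension MUST NOT be set as critical");
        }
        checkNameConstraints(extensions, isCa);
        checkPolicyConstraints(extensions, isCa);
        SubjectAltName subjectAltName = (SubjectAltName) extensions.getExtensionByType(TYPE_SUBJECT_ALT_NAME);
        // assumes getGeneralNames() is non-null for a decoded SubjectAltName — TODO confirm
        if (subjectAltName != null && subjectAltName.getGeneralNames().getNameCount() == 0) {
            throw new CertificateException("SubjectAltName MUST contain at least one entry");
        }
        checkPolicyMappings(extensions);
    }

    /**
     * Decides whether the certificate is treated as a CA for the remaining
     * checks: BasicConstraints present with cA set and a non-negative path
     * length, unless {@link #FLAG_IGNORE_BASIC_CONSTRAINTS} is raised.
     *
     * @param basicConstraints decoded BasicConstraints, or {@code null} if absent
     * @param certPathCtx      validation context (flags)
     * @return {@code true} if the certificate is handled as a CA certificate
     */
    private static boolean isCaCertificate(BasicConstraints basicConstraints, CertPathCtx certPathCtx) {
        if (certPathCtx.isFlagRaised(FLAG_IGNORE_BASIC_CONSTRAINTS)) {
            return false;
        }
        // NOTE(review): if getPathLen() reports an absent pathLenConstraint as a
        // negative value, a CA certificate without that field is treated as a
        // non-CA here (and later fails the keyCertSign check). Kept as in the
        // original — confirm against BasicConstraints before changing.
        return basicConstraints != null && basicConstraints.getCA() && basicConstraints.getPathLen() >= 0;
    }

    /**
     * Checks the encoded serial number: it must be non-negative (two's
     * complement big-endian, so a set top bit of the first octet is negative)
     * and at most {@link #MAX_SERIAL_NUMBER_BYTES} long. A missing or empty
     * serial is accepted, as in the original.
     *
     * @param serialNumber encoded serial number, possibly {@code null}
     * @throws CertificateException if the serial is negative or too long
     */
    private void checkSerialNumber(byte[] serialNumber) throws CertificateException {
        // NOTE(review): RFC 5280 4.1.2.2 requires a positive serial, so an empty
        // serial is non-conforming; it is still accepted here to preserve the
        // original behaviour — confirm with callers before tightening.
        if (serialNumber == null || serialNumber.length == 0) {
            return;
        }
        if (serialNumber[0] < 0) {
            throw new CertificateException("Serial number cannot be negative");
        }
        if (serialNumber.length > MAX_SERIAL_NUMBER_BYTES) {
            throw new CertificateException("Serial number cannot have more than 20 bytes");
        }
    }

    /**
     * Rejects a certificate carrying the same extension OID more than once.
     *
     * @param extensions the certificate's extensions (non-null, non-empty)
     * @throws CertificateException on the first repeated OID
     */
    private void rejectDuplicateExtensions(X509V3Extensions extensions) throws CertificateException {
        Set<String> seenOids = new HashSet<String>();
        for (int i = 0; i < extensions.getExtensionCount(); i++) {
            X509V3Extension extension = extensions.getExtensionByIndex(i);
            // Set.add() returns false when the OID was already recorded.
            if (!seenOids.add(h.a(extension.getOID()))) {
                throw new CertificateException("Found duplicate extension: " + extension.getExtensionTypeString());
            }
        }
    }

    /**
     * Checks extensions the decoder classified as non-standard: they must not
     * use an OID reserved for a standard extension (which would indicate a
     * decode failure of a known extension) and must not be critical. Skipped
     * entirely when {@link #FLAG_ALLOW_NON_STANDARD_EXTENSIONS} is raised.
     *
     * @param extensions  the certificate's extensions
     * @param certPathCtx validation context (flags)
     * @throws CertificateException if a non-standard extension violates a rule
     */
    private void checkNonStandardExtensions(X509V3Extensions extensions, CertPathCtx certPathCtx) throws CertificateException {
        if (certPathCtx.isFlagRaised(FLAG_ALLOW_NON_STANDARD_EXTENSIONS)) {
            return;
        }
        for (int i = 0; i < extensions.getExtensionCount(); i++) {
            X509V3Extension extension = extensions.getExtensionByIndex(i);
            if (!extension.isExtensionType(TYPE_NON_STANDARD)) {
                continue;
            }
            String oid = h.a(extension.getOID());
            if (STANDARD_EXTENSION_OIDS.contains(oid)) {
                throw new CertificateException("Standard extension found defined as non-standard with OID: " + oid);
            }
            if (extension.getCriticality()) {
                throw new CertificateException("Non-standard extension is marked as critical.");
            }
        }
    }

    /**
     * When the subject name is empty, the certificate must not be a CA or a
     * CRL issuer, and must carry a critical, non-empty SubjectAltName.
     *
     * @param x509Certificate certificate under test
     * @param extensions      the certificate's extensions
     * @param isCa            result of {@link #isCaCertificate}
     * @throws CertificateException if the empty-subject rules are violated
     */
    private void checkSubjectNamePresence(X509Certificate x509Certificate, X509V3Extensions extensions, boolean isCa) throws CertificateException {
        if (x509Certificate.getSubjectName() != null && x509Certificate.getSubjectName().getRDNCount() != 0) {
            return;
        }
        if (isCa) {
            throw new CertificateException("Subject name MUST be present for CA certificates");
        }
        KeyUsage keyUsage = (KeyUsage) extensions.getExtensionByType(TYPE_KEY_USAGE);
        if (keyUsage != null && keyUsage.verifyKeyUsage(KEY_USAGE_CRL_SIGN)) {
            throw new CertificateException("Subject name MUST be present for CRL Issuers");
        }
        SubjectAltName subjectAltName = (SubjectAltName) extensions.getExtensionByType(TYPE_SUBJECT_ALT_NAME);
        if (subjectAltName == null || subjectAltName.getGeneralNames().getNameCount() == 0) {
            throw new CertificateException("Subject alternate name MUST be present if subject name field is empty");
        }
        if (!subjectAltName.getCriticality()) {
            throw new CertificateException("Subject alternate name MUST be critical if subject name is not specified");
        }
    }

    /**
     * AuthorityKeyIdentifier must not be critical when present, and must be
     * present unless the certificate is self-issued (subject equals issuer).
     *
     * @param x509Certificate certificate under test
     * @param extensions      the certificate's extensions
     * @throws CertificateException if the AKI rules are violated
     */
    private void checkAuthorityKeyId(X509Certificate x509Certificate, X509V3Extensions extensions) throws CertificateException {
        AuthorityKeyID authorityKeyID = (AuthorityKeyID) extensions.getExtensionByType(TYPE_AUTHORITY_KEY_ID);
        if (authorityKeyID != null) {
            if (authorityKeyID.getCriticality()) {
                throw new CertificateException("Auth key ID MUST NOT be set as critical");
            }
            return;
        }
        // A null subject name is not treated as "not self-issued" here, as in the original.
        if (x509Certificate.getSubjectName() != null && !x509Certificate.getSubjectName().equals(x509Certificate.getIssuerName())) {
            throw new CertificateException("Authority key identifier extension MUST be present");
        }
    }

    /**
     * SubjectKeyIdentifier must be present and non-empty for CA certificates
     * and must not be critical when present.
     *
     * @param extensions the certificate's extensions
     * @param isCa       result of {@link #isCaCertificate}
     * @throws CertificateException if the SKI rules are violated
     */
    private void checkSubjectKeyId(X509V3Extensions extensions, boolean isCa) throws CertificateException {
        SubjectKeyID subjectKeyID = (SubjectKeyID) extensions.getExtensionByType(TYPE_SUBJECT_KEY_ID);
        boolean absent = subjectKeyID == null || subjectKeyID.getKeyID().length == 0;
        if (absent) {
            if (isCa) {
                throw new CertificateException("SubjectKeyIdentifier extension MUST be present for CA certificates");
            }
            return;
        }
        if (subjectKeyID.getCriticality()) {
            throw new CertificateException("SubjectKeyIdentifier MUST NOT be set as critical");
        }
    }

    /**
     * KeyUsage, when present, must have at least one bit set; if keyCertSign
     * is set the certificate must be a CA with a critical BasicConstraints.
     * Skipped when {@link #FLAG_SKIP_KEY_USAGE_CHECK} is raised.
     *
     * @param basicConstraints decoded BasicConstraints, non-null whenever {@code isCa}
     * @param extensions       the certificate's extensions
     * @param certPathCtx      validation context (flags)
     * @param isCa             result of {@link #isCaCertificate}
     * @throws CertificateException if the KeyUsage rules are violated
     */
    private void checkKeyUsage(BasicConstraints basicConstraints, X509V3Extensions extensions, CertPathCtx certPathCtx, boolean isCa) throws CertificateException {
        if (certPathCtx.isFlagRaised(FLAG_SKIP_KEY_USAGE_CHECK)) {
            return;
        }
        KeyUsage keyUsage = (KeyUsage) extensions.getExtensionByType(TYPE_KEY_USAGE);
        if (keyUsage == null) {
            return;
        }
        if (keyUsage.getKeyUsage() == 0) {
            throw new CertificateException("At least one bit in the key usage extension MUST be set");
        }
        if (!keyUsage.verifyKeyUsage(KEY_USAGE_KEY_CERT_SIGN)) {
            return;
        }
        // isCa implies basicConstraints != null (see isCaCertificate), so the
        // dereference below is safe once this check has passed.
        if (!isCa) {
            throw new CertificateException("BasicConstraints extension MUST be set if keyCertSign bit is set");
        }
        if (!basicConstraints.getCriticality()) {
            throw new CertificateException("BasicConstraint extension MUST be marked as critical if the keyCertSign bit is set");
        }
    }

    /**
     * Applies {@link #checkDistributionPoints} to the CRLDistributionPoints
     * extension when present.
     *
     * @param extensions the certificate's extensions
     * @throws CertificateException if a distribution-point rule is violated
     * @throws CertPathException    if a CRL issuer name cannot be decoded
     */
    private void checkCrlDistributionPoints(X509V3Extensions extensions) throws CertPathException, CertificateException {
        CRLDistributionPoints distributionPoints = (CRLDistributionPoints) extensions.getExtensionByType(TYPE_CRL_DISTRIBUTION_POINTS);
        if (distributionPoints != null) {
            checkDistributionPoints(distributionPoints);
        }
    }

    /**
     * FreshestCRL must not be critical and its distribution points follow the
     * same rules as CRLDistributionPoints.
     *
     * @param extensions the certificate's extensions
     * @throws CertificateException if the FreshestCRL rules are violated
     * @throws CertPathException    if a CRL issuer name cannot be decoded
     */
    private void checkFreshestCrl(X509V3Extensions extensions) throws CertPathException, CertificateException {
        FreshestCRL freshestCRL = (FreshestCRL) extensions.getExtensionByType(TYPE_FRESHEST_CRL);
        if (freshestCRL == null) {
            return;
        }
        if (freshestCRL.getCriticality()) {
            throw new CertificateException("Freshest CRL extension MUST NOT be set as critical");
        }
        // FreshestCRL is passed where a CRLDistributionPoints is expected; the
        // original does the same, so the types are assumed compatible.
        checkDistributionPoints(freshestCRL);
    }

    /**
     * At least one distribution point must cover all reasons, and any
     * CRLIssuer must consist of exactly one directory-name entry.
     *
     * @param distributionPoints decoded distribution points (non-null)
     * @throws CertificateException if the distribution-point rules are violated
     * @throws CertPathException    if a CRL issuer name cannot be decoded
     */
    private void checkDistributionPoints(CRLDistributionPoints distributionPoints) throws CertificateException, CertPathException {
        int count = distributionPoints.getDistributionPointCount();
        boolean coversAllReasons = false;
        for (int i = 0; i < count; i++) {
            try {
                // presumably getReasonFlags() reports an absent reasons field as
                // ALL_REASON_FLAGS (RFC 5280 treats absence as "all reasons") — confirm
                if (distributionPoints.getReasonFlags(i) == ALL_REASON_FLAGS) {
                    coversAllReasons = true;
                }
                GeneralNames crlIssuer = distributionPoints.getCRLIssuer(i);
                if (crlIssuer != null
                        && (crlIssuer.getNameCount() != 1
                                || crlIssuer.getGeneralName(0).getGeneralNameType() != GENERAL_NAME_TYPE_DIRECTORY_NAME)) {
                    throw new CertificateException("The CRLIssuer MUST only contain the distinguished name from the issuer field of the CRL");
                }
            } catch (NameException e) {
                throw new CertPathException(e);
            }
        }
        if (!coversAllReasons) {
            throw new CertificateException("At least one Distribution Point MUST cover all reasons");
        }
    }

    /**
     * NameConstraints, when present, must carry at least one of the permitted
     * or excluded subtrees; each present subtree set is checked with
     * {@link #checkSubtrees}.
     *
     * @param extensions the certificate's extensions
     * @param isCa       result of {@link #isCaCertificate}
     * @throws CertificateException if the NameConstraints rules are violated
     * @throws CertPathException    if a subtree bound cannot be decoded
     */
    private void checkNameConstraints(X509V3Extensions extensions, boolean isCa) throws CertificateException, CertPathException {
        NameConstraints nameConstraints = (NameConstraints) extensions.getExtensionByType(TYPE_NAME_CONSTRAINTS);
        if (nameConstraints == null) {
            return;
        }
        GeneralSubtrees excluded = nameConstraints.getExcludedSubtrees();
        GeneralSubtrees permitted = nameConstraints.getPermittedSubtrees();
        if (excluded == null && permitted == null) {
            throw new CertificateException("Either the permittedSubtrees field or the excludedSubtrees MUST be present");
        }
        checkSubtrees(nameConstraints, excluded, isCa);
        checkSubtrees(nameConstraints, permitted, isCa);
    }

    /**
     * A non-null subtree set is only allowed on a CA certificate with a
     * critical NameConstraints, and every subtree must have minimum 0 and no
     * maximum.
     *
     * @param nameConstraints the enclosing extension (for its criticality)
     * @param subtrees        permitted or excluded subtrees, or {@code null}
     * @param isCa            result of {@link #isCaCertificate}
     * @throws CertificateException if a subtree rule is violated
     * @throws CertPathException    if a subtree bound cannot be decoded
     */
    private void checkSubtrees(NameConstraints nameConstraints, GeneralSubtrees subtrees, boolean isCa) throws CertificateException, CertPathException {
        if (subtrees == null) {
            return;
        }
        if (!isCa) {
            throw new CertificateException("Named constraints MUST only be applied to CA certificates");
        }
        if (!nameConstraints.getCriticality()) {
            throw new CertificateException("Named constraint extension MUST be set as critical");
        }
        for (int i = 0; i < subtrees.getSubtreeCount(); i++) {
            try {
                if (subtrees.getMinimum(i) != 0 || subtrees.getMaximum(i) != FIELD_ABSENT) {
                    throw new CertificateException("Named constraints minimum field MUST be 0 and the maximum field MUST be absent");
                }
            } catch (NameException e) {
                throw new CertPathException(e);
            }
        }
    }

    /**
     * PolicyConstraints, when present, must be critical on CA certificates and
     * must carry at least one of inhibitPolicyMapping or requireExplicitPolicy.
     *
     * @param extensions the certificate's extensions
     * @param isCa       result of {@link #isCaCertificate}
     * @throws CertificateException if the PolicyConstraints rules are violated
     */
    private void checkPolicyConstraints(X509V3Extensions extensions, boolean isCa) throws CertificateException {
        PolicyConstraints policyConstraints = (PolicyConstraints) extensions.getExtensionByType(TYPE_POLICY_CONSTRAINTS);
        if (policyConstraints == null) {
            return;
        }
        if (isCa && !policyConstraints.getCriticality()) {
            throw new CertificateException("Policy constraints extension for CAs MUST be set as critical");
        }
        if (policyConstraints.getPolicyMapping() == FIELD_ABSENT && policyConstraints.getExplicitPolicy() == FIELD_ABSENT) {
            throw new CertificateException("Either the inhibitPolicyMapping field or the requireExplicitPolicy field MUST be present");
        }
    }

    /**
     * PolicyMappings must not map anyPolicy on either side of a mapping.
     *
     * @param extensions the certificate's extensions
     * @throws CertificateException if a mapping involves anyPolicy
     */
    private void checkPolicyMappings(X509V3Extensions extensions) throws CertificateException {
        PolicyMappings policyMappings = (PolicyMappings) extensions.getExtensionByType(TYPE_POLICY_MAPPINGS);
        if (policyMappings == null) {
            return;
        }
        for (int i = 0; i < policyMappings.getPolicyCount(); i++) {
            byte[] issuerDomainPolicy = policyMappings.getIssuerDomainPolicy(i);
            byte[] subjectDomainPolicy = policyMappings.getSubjectDomainPolicy(i);
            if (CertJUtils.byteArraysEqual(X509V3Extension.ANY_POLICY_OID, issuerDomainPolicy)
                    || CertJUtils.byteArraysEqual(X509V3Extension.ANY_POLICY_OID, subjectDomainPolicy)) {
                throw new CertificateException("Policies MUST NOT be mapped to or from the special value anyPolicy");
            }
        }
    }

    static {
        // id-ce (2.5.29.<n>) extensions known to the decoder.
        registerStandardExtension(9);
        registerStandardExtension(14);
        registerStandardExtension(15);
        registerStandardExtension(16);
        registerStandardExtension(17);
        registerStandardExtension(18);
        registerStandardExtension(19);
        registerStandardExtension(20);
        registerStandardExtension(21);
        registerStandardExtension(23);
        registerStandardExtension(24);
        registerStandardExtension(27);
        registerStandardExtension(28);
        registerStandardExtension(29);
        registerStandardExtension(30);
        registerStandardExtension(31);
        registerStandardExtension(32);
        registerStandardExtension(33);
        registerStandardExtension(35);
        registerStandardExtension(36);
        registerStandardExtension(37);
        registerStandardExtension(54);
        // Extensions outside the id-ce arc, registered by their full encoded OID.
        registerStandardExtension(X509V3Extension.AUTHORITY_INFO_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_CERT_TYPE_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_BASE_URL_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_REVOCATION_URL_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_CA_REVOCATION_URL_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_CERT_RENEWAL_URL_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_CA_POLICY_URL_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_SSL_SERVER_NAME_OID);
        registerStandardExtension(X509V3Extension.NETSCAPE_COMMENT_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_CZAG_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_FIDELITY_ID_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_NETSCAPE_INBOX_V1_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_NETSCAPE_INBOX_V2_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_JURISDICTION_HASH_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_TOKEN_TYPE_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_SERIAL_NUMBER_OID);
        registerStandardExtension(X509V3Extension.VERISIGN_NON_VERIFIED_OID);
        registerStandardExtension(X509V3Extension.OCSP_NOCHECK_OID);
        registerStandardExtension(X509V3Extension.ARCHIVE_CUTOFF_OID);
        registerStandardExtension(X509V3Extension.CRL_REFERENCE_OID);
        registerStandardExtension(X509V3Extension.OCSP_NONCE_OID);
        registerStandardExtension(X509V3Extension.OCSP_ACCEPTABLE_RESPONSES_OID);
        registerStandardExtension(X509V3Extension.OCSP_SERVICE_LOCATOR_OID);
        registerStandardExtension(X509V3Extension.QC_STATEMENTS_OID);
        registerStandardExtension(X509V3Extension.BIO_INFO_OID);
    }
}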
