package org.bouncycastle.pkix.jcajce;

import java.io.IOException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.m1;
import org.bouncycastle.asn1.q;
import org.bouncycastle.asn1.u;
import org.bouncycastle.asn1.x509.b0;
import org.bouncycastle.asn1.x509.c0;
import org.bouncycastle.asn1.x509.i0;
import org.bouncycastle.asn1.x509.j;
import org.bouncycastle.asn1.x509.v;
import org.bouncycastle.asn1.x509.w;
import org.bouncycastle.asn1.x509.y;
import org.bouncycastle.jcajce.e;
import org.bouncycastle.jcajce.i;
import org.bouncycastle.jcajce.j;
import org.bouncycastle.jcajce.k;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
public class d {
    private static final c a = new c();
    public static final String b = y.q.z();
    public static final String c = y.z.z();
    public static final String d = y.p.z();
    public static final String e = y.k.z();
    public static final String f = y.w.z();
    protected static final int g = 5;
    protected static final int h = 6;

    d() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void a(v vVar, k kVar, X509Certificate x509Certificate, Date date, X509Certificate x509Certificate2, PublicKey publicKey, a aVar, e eVar, List list, org.bouncycastle.jcajce.util.d dVar) throws AnnotatedException, CRLNotFoundException {
        e eVar2;
        Iterator it;
        X509CRL j;
        Set<String> criticalExtensionOIDs;
        e eVar3 = eVar;
        Date date2 = new Date(System.currentTimeMillis());
        if (date.getTime() > date2.getTime()) {
            throw new AnnotatedException("Validation time is in future.");
        }
        if (kVar.p() != null) {
            date2 = kVar.p();
        }
        Date date3 = date2;
        Iterator it2 = f.k(vVar, x509Certificate, date3, kVar.n(), kVar.k()).iterator();
        AnnotatedException e2 = null;
        boolean z = false;
        while (it2.hasNext() && aVar.a() == 11 && !eVar.e()) {
            try {
                X509CRL x509crl = (X509CRL) it2.next();
                e g2 = g(x509crl, vVar);
                if (g2.c(eVar3)) {
                    it = it2;
                    AnnotatedException annotatedException = e2;
                    try {
                        j = kVar.C() ? j(f.l(date3, x509crl, kVar.n(), kVar.k()), i(x509crl, h(x509crl, x509Certificate, x509Certificate2, publicKey, kVar, list, dVar))) : null;
                        if (kVar.x() != 1 && x509Certificate.getNotAfter().getTime() < x509crl.getThisUpdate().getTime()) {
                            throw new AnnotatedException("No valid CRL for current time found.");
                            break;
                        }
                        d(vVar, x509Certificate, x509crl);
                        e(vVar, x509Certificate, x509crl);
                        f(j, x509crl, kVar);
                        k(date, j, x509Certificate, aVar, kVar);
                        l(date, x509crl, x509Certificate, aVar);
                        if (aVar.a() == 8) {
                            aVar.c(11);
                        }
                        eVar2 = eVar;
                    } catch (AnnotatedException e3) {
                        e2 = e3;
                        eVar2 = eVar;
                    }
                    try {
                        eVar2.a(g2);
                        Set<String> criticalExtensionOIDs2 = x509crl.getCriticalExtensionOIDs();
                        if (criticalExtensionOIDs2 != null) {
                            HashSet hashSet = new HashSet(criticalExtensionOIDs2);
                            hashSet.remove(y.q.z());
                            hashSet.remove(y.p.z());
                            if (!hashSet.isEmpty()) {
                                throw new AnnotatedException("CRL contains unsupported critical extensions.");
                            }
                        }
                        if (j != null && (criticalExtensionOIDs = j.getCriticalExtensionOIDs()) != null) {
                            HashSet hashSet2 = new HashSet(criticalExtensionOIDs);
                            hashSet2.remove(y.q.z());
                            hashSet2.remove(y.p.z());
                            if (!hashSet2.isEmpty()) {
                                throw new AnnotatedException("Delta CRL contains unsupported critical extension.");
                            }
                        }
                        eVar3 = eVar2;
                        it2 = it;
                        e2 = annotatedException;
                        z = true;
                    } catch (AnnotatedException e4) {
                        e2 = e4;
                        eVar3 = eVar2;
                        it2 = it;
                    }
                } else {
                    continue;
                }
            } catch (AnnotatedException e5) {
                e2 = e5;
                eVar2 = eVar3;
                it = it2;
            }
        }
        AnnotatedException annotatedException2 = e2;
        if (!z) {
            throw annotatedException2;
        }
    }

    protected static Set b(Date date, k kVar, X509Certificate x509Certificate, X509CRL x509crl) throws AnnotatedException {
        HashSet hashSet = new HashSet();
        if (kVar.C()) {
            try {
                q qVar = y.z;
                org.bouncycastle.asn1.x509.k o = org.bouncycastle.asn1.x509.k.o(f.m(x509Certificate, qVar));
                if (o == null) {
                    try {
                        o = org.bouncycastle.asn1.x509.k.o(f.m(x509crl, qVar));
                    } catch (AnnotatedException e2) {
                        throw new AnnotatedException("Freshest CRL extension could not be decoded from CRL.", e2);
                    }
                }
                if (o != null) {
                    ArrayList arrayList = new ArrayList();
                    arrayList.addAll(kVar.k());
                    try {
                        arrayList.addAll(f.g(o, kVar.r()));
                        try {
                            hashSet.addAll(f.l(date, x509crl, kVar.n(), arrayList));
                        } catch (AnnotatedException e3) {
                            throw new AnnotatedException("Exception obtaining delta CRLs.", e3);
                        }
                    } catch (AnnotatedException e4) {
                        throw new AnnotatedException("No new delta CRL locations could be added from Freshest CRL extension.", e4);
                    }
                }
            } catch (AnnotatedException e5) {
                throw new AnnotatedException("Freshest CRL extension could not be decoded from certificate.", e5);
            }
        }
        return hashSet;
    }

    protected static Set[] c(Date date, k kVar, X509Certificate x509Certificate, X509CRL x509crl) throws AnnotatedException {
        HashSet hashSet = new HashSet();
        X509CRLSelector x509CRLSelector = new X509CRLSelector();
        x509CRLSelector.setCertificateChecking(x509Certificate);
        try {
            x509CRLSelector.addIssuerName(x509crl.getIssuerX500Principal().getEncoded());
            org.bouncycastle.jcajce.e<? extends CRL> g2 = new e.b(x509CRLSelector).h(true).g();
            if (kVar.p() != null) {
                date = kVar.p();
            }
            Set b2 = a.b(g2, date, kVar.n(), kVar.k());
            if (kVar.C()) {
                try {
                    hashSet.addAll(f.l(date, x509crl, kVar.n(), kVar.k()));
                } catch (AnnotatedException e2) {
                    throw new AnnotatedException("Exception obtaining delta CRLs.", e2);
                }
            }
            return new Set[]{b2, hashSet};
        } catch (IOException e3) {
            throw new AnnotatedException("Cannot extract issuer from CRL." + e3, e3);
        }
    }

    protected static void d(v vVar, Object obj, X509CRL x509crl) throws AnnotatedException {
        u m = f.m(x509crl, y.q);
        boolean z = true;
        boolean z2 = m != null && i0.p(m).s();
        byte[] encoded = x509crl.getIssuerX500Principal().getEncoded();
        if (vVar.n() != null) {
            b0[] q = vVar.n().q();
            boolean z3 = false;
            for (int i = 0; i < q.length; i++) {
                if (q[i].e() == 4) {
                    try {
                        if (org.bouncycastle.util.a.g(q[i].p().f().getEncoded(), encoded)) {
                            z3 = true;
                        }
                    } catch (IOException e2) {
                        throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", e2);
                    }
                }
            }
            if (z3 && !z2) {
                throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
            }
            if (!z3) {
                throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
            }
            z = z3;
        } else if (!x509crl.getIssuerX500Principal().equals(((X509Certificate) obj).getIssuerX500Principal())) {
            z = false;
        }
        if (!z) {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
    }

    protected static void e(v vVar, Object obj, X509CRL x509crl) throws AnnotatedException {
        b0[] b0VarArr;
        try {
            i0 p = i0.p(f.m(x509crl, y.q));
            if (p != null) {
                if (p.o() != null) {
                    w o = i0.p(p).o();
                    ArrayList arrayList = new ArrayList();
                    boolean z = false;
                    if (o.getType() == 0) {
                        for (b0 b0Var : c0.o(o.p()).q()) {
                            arrayList.add(b0Var);
                        }
                    }
                    if (o.getType() == 1) {
                        org.bouncycastle.asn1.g gVar = new org.bouncycastle.asn1.g();
                        try {
                            Enumeration y = org.bouncycastle.asn1.v.v(x509crl.getIssuerX500Principal().getEncoded()).y();
                            while (y.hasMoreElements()) {
                                gVar.a((org.bouncycastle.asn1.f) y.nextElement());
                            }
                            gVar.a(o.p());
                            arrayList.add(new b0(org.bouncycastle.asn1.x500.d.o(new m1(gVar))));
                        } catch (Exception e2) {
                            throw new AnnotatedException("Could not read CRL issuer.", e2);
                        }
                    }
                    if (vVar.o() != null) {
                        w o2 = vVar.o();
                        b0[] q = o2.getType() == 0 ? c0.o(o2.p()).q() : null;
                        if (o2.getType() == 1) {
                            if (vVar.n() != null) {
                                b0VarArr = vVar.n().q();
                            } else {
                                b0VarArr = new b0[1];
                                try {
                                    b0VarArr[0] = new b0(org.bouncycastle.asn1.x500.d.o(((X509Certificate) obj).getIssuerX500Principal().getEncoded()));
                                } catch (Exception e3) {
                                    throw new AnnotatedException("Could not read certificate issuer.", e3);
                                }
                            }
                            q = b0VarArr;
                            for (int i = 0; i < q.length; i++) {
                                Enumeration y2 = org.bouncycastle.asn1.v.v(q[i].p().f()).y();
                                org.bouncycastle.asn1.g gVar2 = new org.bouncycastle.asn1.g();
                                while (y2.hasMoreElements()) {
                                    gVar2.a((org.bouncycastle.asn1.f) y2.nextElement());
                                }
                                gVar2.a(o2.p());
                                q[i] = new b0(org.bouncycastle.asn1.x500.d.o(new m1(gVar2)));
                            }
                        }
                        if (q != null) {
                            int i2 = 0;
                            while (true) {
                                if (i2 >= q.length) {
                                    break;
                                }
                                if (arrayList.contains(q[i2])) {
                                    z = true;
                                    break;
                                }
                                i2++;
                            }
                        }
                        if (!z) {
                            throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                        }
                    } else {
                        if (vVar.n() == null) {
                            throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must be contained in DistributionPoint.");
                        }
                        b0[] q2 = vVar.n().q();
                        int i3 = 0;
                        while (true) {
                            if (i3 >= q2.length) {
                                break;
                            }
                            if (arrayList.contains(q2[i3])) {
                                z = true;
                                break;
                            }
                            i3++;
                        }
                        if (!z) {
                            throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                        }
                    }
                }
                try {
                    j n = j.n(f.m((X509Extension) obj, y.k));
                    if (obj instanceof X509Certificate) {
                        if (p.v() && n != null && n.q()) {
                            throw new AnnotatedException("CA Cert CRL only contains user certificates.");
                        }
                        if (p.u() && (n == null || !n.q())) {
                            throw new AnnotatedException("End CRL only contains CA certificates.");
                        }
                    }
                    if (p.t()) {
                        throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
                    }
                } catch (Exception e4) {
                    throw new AnnotatedException("Basic constraints extension could not be decoded.", e4);
                }
            }
        } catch (Exception e5) {
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e5);
        }
    }

    protected static void f(X509CRL x509crl, X509CRL x509crl2, k kVar) throws AnnotatedException {
        if (x509crl == null) {
            return;
        }
        try {
            q qVar = y.q;
            i0 p = i0.p(f.m(x509crl2, qVar));
            if (kVar.C()) {
                if (!x509crl.getIssuerX500Principal().equals(x509crl2.getIssuerX500Principal())) {
                    throw new AnnotatedException("complete CRL issuer does not match delta CRL issuer");
                }
                try {
                    i0 p2 = i0.p(f.m(x509crl, qVar));
                    boolean z = true;
                    if (p != null ? !p.equals(p2) : p2 != null) {
                        z = false;
                    }
                    if (!z) {
                        throw new AnnotatedException("Issuing distribution point extension from delta CRL and complete CRL does not match.");
                    }
                    try {
                        q qVar2 = y.w;
                        u m = f.m(x509crl2, qVar2);
                        try {
                            u m2 = f.m(x509crl, qVar2);
                            if (m == null) {
                                throw new AnnotatedException("CRL authority key identifier is null.");
                            }
                            if (m2 == null) {
                                throw new AnnotatedException("Delta CRL authority key identifier is null.");
                            }
                            if (!m.q(m2)) {
                                throw new AnnotatedException("Delta CRL authority key identifier does not match complete CRL authority key identifier.");
                            }
                        } catch (AnnotatedException e2) {
                            throw new AnnotatedException("Authority key identifier extension could not be extracted from delta CRL.", e2);
                        }
                    } catch (AnnotatedException e3) {
                        throw new AnnotatedException("Authority key identifier extension could not be extracted from complete CRL.", e3);
                    }
                } catch (Exception e4) {
                    throw new AnnotatedException("Issuing distribution point extension from delta CRL could not be decoded.", e4);
                }
            }
        } catch (Exception e5) {
            throw new AnnotatedException("issuing distribution point extension could not be decoded.", e5);
        }
    }

    protected static e g(X509CRL x509crl, v vVar) throws AnnotatedException {
        try {
            i0 p = i0.p(f.m(x509crl, y.q));
            if (p != null && p.r() != null && vVar.r() != null) {
                return new e(vVar.r()).d(new e(p.r()));
            }
            if ((p == null || p.r() == null) && vVar.r() == null) {
                return e.b;
            }
            return (vVar.r() == null ? e.b : new e(vVar.r())).d(p == null ? e.b : new e(p.r()));
        } catch (Exception e2) {
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e2);
        }
    }

    protected static Set h(X509CRL x509crl, Object obj, X509Certificate x509Certificate, PublicKey publicKey, k kVar, List list, org.bouncycastle.jcajce.util.d dVar) throws AnnotatedException {
        int i;
        X509CertSelector x509CertSelector = new X509CertSelector();
        try {
            x509CertSelector.setSubject(x509crl.getIssuerX500Principal().getEncoded());
            i<? extends Certificate> a2 = new i.b(x509CertSelector).a();
            try {
                Collection b2 = f.b(a2, kVar.o());
                b2.addAll(f.b(a2, kVar.n()));
                b2.add(x509Certificate);
                Iterator it = b2.iterator();
                ArrayList arrayList = new ArrayList();
                ArrayList arrayList2 = new ArrayList();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    X509Certificate x509Certificate2 = (X509Certificate) it.next();
                    if (x509Certificate2.equals(x509Certificate)) {
                        arrayList.add(x509Certificate2);
                        arrayList2.add(publicKey);
                    } else {
                        try {
                            CertPathBuilder n = dVar.n("PKIX");
                            X509CertSelector x509CertSelector2 = new X509CertSelector();
                            x509CertSelector2.setCertificate(x509Certificate2);
                            k.b r = new k.b(kVar).r(new i.b(x509CertSelector2).a());
                            if (list.contains(x509Certificate2)) {
                                r.q(false);
                            } else {
                                r.q(true);
                            }
                            List<? extends Certificate> certificates = n.build(new j.b(r.p()).e()).getCertPath().getCertificates();
                            arrayList.add(x509Certificate2);
                            arrayList2.add(f.p(certificates, 0, dVar));
                        } catch (CertPathBuilderException e2) {
                            throw new AnnotatedException("CertPath for CRL signer failed to validate.", e2);
                        } catch (CertPathValidatorException e3) {
                            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e3);
                        } catch (Exception e4) {
                            throw new AnnotatedException(e4.getMessage());
                        }
                    }
                }
                HashSet hashSet = new HashSet();
                AnnotatedException annotatedException = null;
                for (i = 0; i < arrayList.size(); i++) {
                    boolean[] keyUsage = ((X509Certificate) arrayList.get(i)).getKeyUsage();
                    if (keyUsage == null || (keyUsage.length > 6 && keyUsage[6])) {
                        hashSet.add(arrayList2.get(i));
                    } else {
                        annotatedException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
                    }
                }
                if (hashSet.isEmpty() && annotatedException == null) {
                    throw new AnnotatedException("Cannot find a valid issuer certificate.");
                }
                if (!hashSet.isEmpty() || annotatedException == null) {
                    return hashSet;
                }
                throw annotatedException;
            } catch (AnnotatedException e5) {
                throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e5);
            }
        } catch (IOException e6) {
            throw new AnnotatedException("subject criteria for certificate selector to find issuer certificate for CRL could not be set", e6);
        }
    }

    protected static PublicKey i(X509CRL x509crl, Set set) throws AnnotatedException {
        Iterator it = set.iterator();
        Exception e2 = null;
        while (it.hasNext()) {
            PublicKey publicKey = (PublicKey) it.next();
            try {
                x509crl.verify(publicKey);
                return publicKey;
            } catch (Exception e3) {
                e2 = e3;
            }
        }
        throw new AnnotatedException("Cannot verify CRL.", e2);
    }

    protected static X509CRL j(Set set, PublicKey publicKey) throws AnnotatedException {
        Iterator it = set.iterator();
        Exception e2 = null;
        while (it.hasNext()) {
            X509CRL x509crl = (X509CRL) it.next();
            try {
                x509crl.verify(publicKey);
                return x509crl;
            } catch (Exception e3) {
                e2 = e3;
            }
        }
        if (e2 == null) {
            return null;
        }
        throw new AnnotatedException("Cannot verify delta CRL.", e2);
    }

    protected static void k(Date date, X509CRL x509crl, Object obj, a aVar, k kVar) throws AnnotatedException {
        if (!kVar.C() || x509crl == null) {
            return;
        }
        f.j(date, x509crl, obj, aVar);
    }

    protected static void l(Date date, X509CRL x509crl, Object obj, a aVar) throws AnnotatedException {
        if (aVar.a() == 11) {
            f.j(date, x509crl, obj, aVar);
        }
    }
}
