package net.netca.pki.encoding.asn1.pki;

import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import net.netca.pki.PkiException;
import net.netca.pki.RevokeInfo;
import net.netca.pki.RevokeInfoSource;
import net.netca.pki.encoding.asn1.ASN1Exception;
import net.netca.pki.encoding.asn1.pki.ocsp.BasicOCSPResponse;
import net.netca.pki.encoding.asn1.pki.ocsp.CertStatus;
import net.netca.pki.encoding.asn1.pki.ocsp.HttpGetOCSP;
import net.netca.pki.encoding.asn1.pki.ocsp.OCSPResponse;
import net.netca.pki.encoding.asn1.pki.ocsp.RevokedInfo;
import net.netca.pki.encoding.asn1.pki.ocsp.SingleResponse;

/* loaded from: classes3.dex */
public class X509CertificatePathValidator {
    // Internal revocation status codes. The methods below compare revoked_status against the
    // literal values 0..3 rather than these names (decompiler output).
    private static final int NO_REVOKE_INFO = 3;
    private static final int REVOKED = 1;
    private static final int UNDETERMINED = 2;
    private static final int UNREVOKED = 0;
    // verify_level values: 0 makes verifyRevoke(X509Certificate[]) return without any revocation
    // check; 1 checks only the last certificate of the array; any other value checks every
    // certificate from index 1 on.
    public static final int VERIFY_LEVEL_NO_REVOKE = 0;
    public static final int VERIFY_LEVEL_VERIFY_CERTPATH_REVOKE = 2;
    public static final int VERIFY_LEVEL_VERIFY_EECERT_REVOKE = 1;
    // Bit flags for `option`. 128 switches off every validity-period / freshness comparison in
    // this class; 1 and 2 enable fetching CRLs / OCSP responses from locations named in the
    // certificates (see getAllRevokeInfoSource).
    public static final int VERIFY_OPTION_NOT_VERIFY_TIME = 128;
    public static final int VERIFY_OPTION_ONLINE_GETCRL = 1;
    public static final int VERIFY_OPTION_ONLINE_GETOCSP = 2;
    private ArrayList<PolicyInformation> authorities_constrained_policy_set;
    // Reference time for all validity checks; init() sets it to the current time when it is null.
    private Date checkTime;
    private int explicit_policy;
    private int inhibit_anyPolicy;
    // When non-null, overrides the hash algorithm otherwise derived from the certificate's
    // signature algorithm in getOCSPHashAlgorithm.
    private AlgorithmIdentifier ocspHashAlgorithm;
    private int policy_mapping;
    // Public key per path position: init() writes slot 0, preparationNexCert writes slot i, and
    // verifyRevokeByCRL reads slot i - 1 as the CRL signer key. Allocation is not visible in this
    // part of the file.
    private PublicKey[] public_keys;
    private SubjectPublicKeyInfo spki;
    private ArrayList<PolicyInformation> user_constrained_policy_set;
    // Set to null by the policy-processing methods when no valid policy remains.
    private PolicyTree valid_policy_tree;
    private X500Name working_issuer_name;
    private PublicKey working_public_key;
    // A negative value means "not set"; init() then derives it from its int argument.
    private int max_path_length = -1;
    private boolean initial_policy_mapping_inhibit = false;
    private boolean initial_explicit_policy = false;
    private boolean initial_any_policy_inhibit = false;
    private Verifible verifier = new JCEVerifier();
    private ArrayList<IProcessExtension> processorList = new ArrayList<>();
    private ArrayList<CRLInfo> crls = new ArrayList<>();
    private ArrayList<BasicOCSPResponse> ocsps = new ArrayList<>();
    private Hashable hasher = new JCEHasher();
    private IHttp http = new SimpleHttp();
    // Per-certificate revocation evidence selected by verifyRevoke; both arrays are re-allocated
    // on every verifyRevoke(X509Certificate[]) call. Package-private, not private.
    BasicOCSPResponse[] ocsp_items = null;
    CRLInfo[] crl_items = null;
    private int revoke_index = -1;
    private int undetermined_index = -1;
    private int norevokeinfo_index = -1;
    // Clock-skew allowance in seconds (multiplied by 1000 before being applied to millisecond
    // timestamps).
    private long timeTolerance = 600;
    private int verify_level = 0;
    private int option = 0;
    // Starts as 3 (NO_REVOKE_INFO).
    private int revoked_status = 3;
    private RevokeInfo revoke_info = null;
    private String[] user_initial_policy_set = {PolicyInformation.ANYPOLICY_OID};

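    /**
     * Runs the per-certificate checks on one certificate of the path: issuer-name chaining,
     * signature, validity period and certificate-policies processing.
     *
     * <p>Reads {@code working_issuer_name}, {@code working_public_key}, {@code checkTime},
     * {@code timeTolerance}, {@code option} and {@code explicit_policy}; may set
     * {@code valid_policy_tree} to {@code null}.
     *
     * @param x509Certificate the certificate to check against the current working state
     * @param z passed through unchanged to {@code PolicyTree.procCertificatePolicies}
     * @throws PkiException if the issuer name does not match, the signature does not verify, or
     *     the certificate is outside its validity period (including the tolerance)
     * @throws CertificatePolicyException if no valid policy remains while
     *     {@code explicit_policy <= 0}
     */
    private void basicProcessing(X509Certificate x509Certificate, boolean z) throws PkiException {
        if (!x509Certificate.getIssuer().equals(this.working_issuer_name)) {
            throw new PkiException("cert issuer name mismatch");
        }
        byte[] tbs = x509Certificate.getTbs();
        if (!this.verifier.verify(this.working_public_key, x509Certificate.getOutterSignatureAlgorithmIdentifier(), tbs, 0, tbs.length, x509Certificate.getSignature())) {
            throw new PkiException("verify signature fail");
        }
        // 128 is VERIFY_OPTION_NOT_VERIFY_TIME; when it is set the validity period is not checked.
        if ((this.option & 128) == 0) {
            long toleranceMillis = this.timeTolerance * 1000;
            Date earliest = new Date(this.checkTime.getTime() - toleranceMillis);
            Date latest = new Date(this.checkTime.getTime() + toleranceMillis);
            if (x509Certificate.getNotBefore().after(latest)) {
                throw new PkiException("cert not yet valid");
            }
            if (x509Certificate.getNotAfter().before(earliest)) {
                throw new PkiException("cert expire");
            }
        }
        if (this.valid_policy_tree == null) {
            if (this.explicit_policy <= 0) {
                throw new CertificatePolicyException("explicit policy require");
            }
            return;
        }
        // A certificate without extensions, or without certificatePolicies, empties the policy
        // tree. The original dereferenced a null Extensions object here when explicit_policy was
        // still positive, ending in a NullPointerException instead of a normal return.
        Extensions extensions = x509Certificate.getExtensions();
        Extension extension = (extensions == null) ? null : extensions.get(Extension.CERTPOLICIES_OID);
        if (extension == null) {
            this.valid_policy_tree = null;
            if (this.explicit_policy <= 0) {
                throw new CertificatePolicyException("explicit policy require");
            }
            return;
        }
        CertificatePoliciesExtension policies = (CertificatePoliciesExtension) extension.getExtensionObject();
        if (this.valid_policy_tree.procCertificatePolicies(extension.isCritical(), policies.getCertificatePolicies(), z)) {
            return;
        }
        this.valid_policy_tree = null;
        if (this.explicit_policy <= 0) {
            throw new CertificatePolicyException("explicit policy require");
        }
    }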

    /**
     * Reports whether the given certificate may act as a CRL signer according to its key usage.
     *
     * <p>A certificate with no extensions or no keyUsage extension is accepted. Otherwise bit 6
     * of the keyUsage bit string must be set (cRLSign, assuming the same bit numbering under
     * which bit 5 is keyCertSign in preparationNexCert). Any {@link PkiException} while reading
     * the extension is treated as "not allowed".
     *
     * @param x509Certificate the prospective CRL issuer certificate
     * @return {@code true} if CRL signing is not excluded by key usage
     */
    private boolean canSignCRL(X509Certificate x509Certificate) {
        try {
            Extensions certExtensions = x509Certificate.getExtensions();
            if (certExtensions == null) {
                return true;
            }
            Extension keyUsage = certExtensions.get(Extension.KEYUSAGE_OID);
            if (keyUsage == null) {
                return true;
            }
            NamedBitStringExtension usageBits = (NamedBitStringExtension) keyUsage.getExtensionObject();
            return usageBits.isSet(6);
        } catch (PkiException ignored) {
            // An unreadable keyUsage extension fails closed.
            return false;
        }
    }

    /**
     * Checks the signer certificate carried by an OCSP response against the issuer certificate.
     *
     * <p>NOTE(review): any value returned by {@code BasicOCSPResponse.checkOCSPCert} is not
     * inspected; acceptance relies on that method rejecting by throwing — confirm.
     *
     * @param basicOCSPResponse the response whose signer certificate is examined
     * @param x509Certificate the certificate passed to the check as second argument (the issuer,
     *     as called from verifyRevokeByOCSP)
     * @return {@code true} if a signer certificate is present and the check did not throw
     */
    private boolean checkOCSPCert(BasicOCSPResponse basicOCSPResponse, X509Certificate x509Certificate) {
        boolean accepted = false;
        try {
            X509Certificate responderCert = basicOCSPResponse.getSignatureCert();
            if (responderCert != null) {
                BasicOCSPResponse.checkOCSPCert(responderCert, x509Certificate, null, this.verifier);
                accepted = true;
            }
        } catch (PkiException ignored) {
            // A signer certificate that cannot be validated makes the response unusable.
            accepted = false;
        }
        return accepted;
    }

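    /**
     * Verifies the signature of a basic OCSP response and, unless time checks are disabled, the
     * validity period of its signer certificate and its {@code producedAt} time.
     *
     * @param basicOCSPResponse the response to check
     * @throws PkiException if the response is {@code null}, its signature does not verify, it
     *     carries no signer certificate while time checks are enabled, the signer certificate is
     *     outside its validity period, or {@code producedAt} is rejected
     */
    private void checkOCSPResponse(BasicOCSPResponse basicOCSPResponse) throws PkiException {
        if (basicOCSPResponse == null) {
            throw new PkiException("not BasicOCSPResponse");
        }
        if (!basicOCSPResponse.verifySignature(this.verifier, null, this.hasher)) {
            throw new PkiException("verify BasicOCSPResponse fail");
        }
        // 128 is VERIFY_OPTION_NOT_VERIFY_TIME.
        if ((this.option & 128) != 0) {
            return;
        }
        X509Certificate signatureCert = basicOCSPResponse.getSignatureCert();
        // getSignatureCert() can return null (checkOCSPCert guards against it); report that as a
        // PkiException rather than letting a NullPointerException escape.
        if (signatureCert == null) {
            throw new PkiException("no ocsp signature cert");
        }
        long toleranceMillis = this.timeTolerance * 1000;
        Date earliest = new Date(this.checkTime.getTime() - toleranceMillis);
        Date latest = new Date(this.checkTime.getTime() + toleranceMillis);
        if (signatureCert.getNotBefore().after(latest)) {
            throw new PkiException("ocsp cert not yet valid");
        }
        if (signatureCert.getNotAfter().before(earliest)) {
            throw new PkiException("ocsp cert expire");
        }
        // NOTE(review): producedAt is compared with checkTime MINUS the tolerance, so a response
        // produced less than timeTolerance seconds before checkTime is rejected. A bound of
        // checkTime plus the tolerance may have been intended — confirm before changing.
        if (earliest.before(basicOCSPResponse.getProducedAt())) {
            throw new PkiException("producedAt too late");
        }
    }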

    /**
     * Decides whether a revocation time counts as having taken effect at {@code checkTime}.
     *
     * @param date the revocation time
     * @return {@code true} when time checks are disabled (option bit 128) or {@code date} is not
     *     later than {@code checkTime} plus the tolerance
     */
    private boolean checkRevokeTime(Date date) {
        if ((this.option & 128) != 0) {
            return true;
        }
        Date latestAccepted = new Date(this.checkTime.getTime() + (this.timeTolerance * 1000));
        return !date.after(latestAccepted);
    }

    /**
     * Fetches a CRL from every CRL URL listed in the given certificate and adds it to the
     * validator.
     *
     * <p>Best effort: a {@link PkiException} while reading the URLs is dropped, so a failure here
     * leaves the CRL set unchanged. verifyRevoke raises {@code NoRevokeInfoException} when neither
     * OCSP nor CRL information is found for a certificate.
     *
     * @param x509Certificate the certificate whose CRL URLs are fetched
     */
    private void getAllCRL(X509Certificate x509Certificate) {
        try {
            for (String crlLocation : x509Certificate.getCRLUrl()) {
                getCRLByURL(crlLocation);
            }
        } catch (PkiException ignored) {
            // Deliberately ignored: online retrieval is optional input to revocation checking.
        }
    }

    /**
     * Fetches CRLs for every certificate in the array except the one at index 0.
     *
     * @param x509CertificateArr the certificate path; index 0 is skipped (presumably the trust
     *     anchor — confirm against the caller)
     */
    private void getAllCRL(X509Certificate[] x509CertificateArr) {
        int position = 1;
        while (position < x509CertificateArr.length) {
            getAllCRL(x509CertificateArr[position]);
            position++;
        }
    }

    /**
     * Requests an OCSP response for every certificate in the array except the one at index 0,
     * passing the preceding array element as its issuer.
     *
     * @param x509CertificateArr the certificate path, each element issued by the one before it
     */
    private void getAllOCSP(X509Certificate[] x509CertificateArr) {
        int position = 1;
        while (position < x509CertificateArr.length) {
            X509Certificate issuer = x509CertificateArr[position - 1];
            X509Certificate subject = x509CertificateArr[position];
            getOCSP(issuer, subject);
            position++;
        }
    }

    /**
     * Collects revocation information online according to the option flags: bit 1
     * (VERIFY_OPTION_ONLINE_GETCRL) fetches CRLs, bit 2 (VERIFY_OPTION_ONLINE_GETOCSP) queries
     * OCSP. With neither bit set nothing is fetched.
     *
     * @param x509CertificateArr the certificate path
     */
    private void getAllRevokeInfoSource(X509Certificate[] x509CertificateArr) {
        boolean fetchCrl = (this.option & 1) != 0;
        boolean fetchOcsp = (this.option & 2) != 0;
        if (fetchCrl) {
            getAllCRL(x509CertificateArr);
        }
        if (fetchOcsp) {
            getAllOCSP(x509CertificateArr);
        }
    }

    /**
     * Downloads CRL data from an HTTP or LDAP location and adds every CRL that parses.
     *
     * <p>The location comes from the certificate being validated (see getAllCRL), so with online
     * CRL retrieval enabled this method makes outbound requests to an address chosen by whoever
     * issued that certificate. Download and parse failures are ignored; locations that are
     * neither HTTP nor LDAP are skipped.
     *
     * @param str the CRL location
     */
    private void getCRLByURL(String str) {
        if (SimpleHttp.isHttp(str)) {
            try {
                addCRL(new X509CRL(this.http.getData(str)));
            } catch (Exception ignored) {
                // Best effort: an unreachable or malformed CRL simply contributes nothing.
            }
            return;
        }
        if (!X509CertificatePathBuilder.isLdap(str)) {
            return;
        }
        ArrayList<byte[]> encodedCrls = X509CertificatePathBuilder.getDataFromLDAP(str);
        if (encodedCrls == null) {
            return;
        }
        for (byte[] encodedCrl : encodedCrls) {
            try {
                addCRL(new X509CRL(encodedCrl));
            } catch (PkiException ignored) {
                // Skip entries that are not usable CRLs and keep going with the rest.
            }
        }
    }

    /**
     * Queries the OCSP responder named in a certificate and stores the basic response for later
     * evaluation by verifyRevokeByOCSP.
     *
     * <p>Best effort: any {@link PkiException} is dropped and nothing is stored. A result code of
     * 2 from {@code HttpGetOCSP.getCertStatus} is not stored either (presumably "unknown" —
     * confirm against HttpGetOCSP).
     *
     * @param x509Certificate the issuer certificate
     * @param x509Certificate2 the certificate whose status is requested
     */
    private void getOCSP(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        try {
            String responderUrl = x509Certificate2.getOcspUrl();
            HttpGetOCSP client = new HttpGetOCSP();
            client.setHashAlgorithm(getOCSPHashAlgorithm(x509Certificate2));
            client.setIssuerCert(x509Certificate);
            client.setCert(x509Certificate2);
            client.setHttpImplement(this.http);
            client.setHashImplement(this.hasher);
            client.setVerifyImplement(this.verifier);
            // 128 is VERIFY_OPTION_NOT_VERIFY_TIME.
            boolean timeChecksEnabled = (this.option & 128) == 0;
            if (timeChecksEnabled) {
                client.setTimeTolerance(this.timeTolerance);
            } else {
                client.setVerifyTime(false);
            }
            if (client.getCertStatus(responderUrl) != 2) {
                if (this.ocsps == null) {
                    this.ocsps = new ArrayList<>();
                }
                this.ocsps.add(client.getOCSPResponse().getBasicOCSPResponse());
            }
        } catch (PkiException ignored) {
            // Deliberately ignored: a failed query just means no OCSP evidence for this certificate.
        }
    }

    /**
     * Chooses the hash algorithm for an OCSP request about the given certificate.
     *
     * <p>An explicitly configured {@code ocspHashAlgorithm} wins. Otherwise the hash is derived
     * from the certificate's signature algorithm OID, falling back to SHA-1 for anything not
     * listed.
     *
     * @param x509Certificate the certificate the request is about
     * @return the algorithm identifier of the chosen hash
     * @throws PkiException if the certificate or the identifier cannot be processed
     */
    private AlgorithmIdentifier getOCSPHashAlgorithm(X509Certificate x509Certificate) throws PkiException {
        if (this.ocspHashAlgorithm != null) {
            return this.ocspHashAlgorithm;
        }
        String sigOid = x509Certificate.getSignatureAlgorithmIdentifier().getOid();
        if (sigOid.equals(AlgorithmIdentifier.SHA1WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.DSAWithSHA1_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA1_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA1_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA224WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.DSAWithSHA224_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA224_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA224_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA256WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.DSAWithSHA256_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA256_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA256_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA384WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA384_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA384_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA512WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA512_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA512_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SM3WithSM2_OID) || sigOid.equals(AlgorithmIdentifier.SM3WithRSA_OID)) {
            // The SM3 identifier is the only one built with CreateAlgorithmIdentifierNullParam.
            return AlgorithmIdentifier.CreateAlgorithmIdentifierNullParam(AlgorithmIdentifier.SM3_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA512_224WithRSA_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA512_224_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA512_256WithRSA_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA512_256_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA3_224WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA3_224_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA3_224_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA3_256WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA3_256_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA3_256_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA3_384WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA3_384_OID)) {
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA3_384_OID);
        }
        if (sigOid.equals(AlgorithmIdentifier.SHA3_512WithRSA_OID) || sigOid.equals(AlgorithmIdentifier.ECDSAWithSHA3_512_OID)) {
            // NOTE(review): SHA3-512 signature OIDs map to SHA3_384_OID here, which looks like a
            // copy-paste slip. Kept as in the original — confirm the intended constant.
            return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA3_384_OID);
        }
        // Unlisted signature algorithms fall back to SHA-1.
        return AlgorithmIdentifier.CreateAlgorithmIdentifier(AlgorithmIdentifier.SHA1_OID);
    }

    /**
     * Wraps a basic OCSP response into a DER-encoded OCSP response and returns it as a
     * {@link RevokeInfoSource} of type 2.
     *
     * @param basicOCSPResponse the response to wrap
     * @return the revocation information source built from the encoded response
     * @throws PkiException if wrapping or encoding fails
     */
    private RevokeInfoSource getRevokeInfoSourceFromOCSP(BasicOCSPResponse basicOCSPResponse) throws PkiException {
        // Source type 2 is used for OCSP evidence here; the meaning of other values is defined
        // by RevokeInfoSource and not visible in this file.
        final int sourceType = 2;
        return new RevokeInfoSource(sourceType, OCSPResponse.NewBasicOCSPResponse(basicOCSPResponse).derEncode());
    }

    /**
     * Initialises the validation state from the first certificate of the path.
     *
     * <p>Sets the working issuer name and public key from the certificate, defaults
     * {@code checkTime} to the current time, seeds the three policy counters and creates a fresh
     * policy tree. {@code public_keys} must already be allocated; this method only fills slot 0.
     *
     * @param x509Certificate the certificate the path starts from
     * @param i initial value for each policy counter whose "initial" flag is not set, and the
     *     basis ({@code i - 1}) for {@code max_path_length} when that is still negative
     *     (presumably the path length plus one — confirm against the caller)
     * @throws PkiException if no verifier is configured or the public key type is not recognised
     */
    private void init(X509Certificate x509Certificate, int i) throws PkiException {
        if (this.verifier == null) {
            throw new PkiException("no verifier");
        }
        this.working_issuer_name = x509Certificate.getSubject();
        if (this.checkTime == null) {
            this.checkTime = new Date();
        }
        this.spki = x509Certificate.getSubjectPublicKeyInfo();
        this.working_public_key = this.spki.getPublicKey();
        if (this.working_public_key instanceof UnknownPublicKey) {
            throw new PkiException("unknown root cert public key");
        }
        this.public_keys[0] = this.working_public_key;
        // A counter of 0 means the corresponding constraint applies from the first certificate.
        this.explicit_policy = this.initial_explicit_policy ? 0 : i;
        this.inhibit_anyPolicy = this.initial_any_policy_inhibit ? 0 : i;
        this.policy_mapping = this.initial_policy_mapping_inhibit ? 0 : i;
        if (this.max_path_length < 0) {
            this.max_path_length = i - 1;
        }
        this.valid_policy_tree = new PolicyTree();
    }

    /**
     * Reports whether the user's initial policy set contains the anyPolicy OID.
     *
     * @return {@code true} if any entry equals {@code PolicyInformation.ANYPOLICY_OID}
     */
    private boolean isAnyPolicy() {
        for (String policyOid : this.user_initial_policy_set) {
            if (policyOid.equals(PolicyInformation.ANYPOLICY_OID)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether a base CRL, optionally combined with a delta CRL, covers {@code checkTime}.
     *
     * <p>The effective {@code nextUpdate} is the later of the base and delta values (a missing
     * base value is replaced by the delta's). The CRL is in validity when {@code thisUpdate} is
     * not after {@code checkTime} plus the tolerance and the effective {@code nextUpdate}, if
     * any, is not before {@code checkTime} minus the tolerance.
     *
     * @param x509crl the base CRL
     * @param x509crl2 the delta CRL, or {@code null}
     * @return {@code true} if time checks are disabled (option bit 128) or the CRL is in validity
     * @throws PkiException if the CRL dates cannot be read
     */
    private boolean isCRLInValidity(X509CRL x509crl, X509CRL x509crl2) throws PkiException {
        if ((this.option & 128) != 0) {
            return true;
        }
        Date issuedAt = x509crl.getThisUpdate();
        Date expiresAt = x509crl.getNextUpdate();
        if (x509crl2 != null) {
            Date deltaExpiresAt = x509crl2.getNextUpdate();
            boolean deltaIsLater = deltaExpiresAt != null && deltaExpiresAt.after(expiresAt);
            if (expiresAt == null || deltaIsLater) {
                expiresAt = deltaExpiresAt;
            }
        }
        long toleranceMillis = this.timeTolerance * 1000;
        long reference = this.checkTime.getTime();
        if (expiresAt != null && expiresAt.before(new Date(reference - toleranceMillis))) {
            return false;
        }
        return !issuedAt.after(new Date(reference + toleranceMillis));
    }

    /**
     * Reports whether an extension OID is one this validator handles itself.
     *
     * <p>procOtherExtension rejects a critical extension that is neither in this list nor handled
     * by a registered {@code IProcessExtension}.
     *
     * @param str the extension OID
     * @return {@code true} if the OID is one of the eight listed extensions
     */
    private boolean isKnownCriticalExtension(String str) {
        String[] handledOids = {
            Extension.AUTHORITY_KEYIDENTIFIER_OID,
            Extension.SUBJECT_KEYIDENTIFIER_OID,
            Extension.BASIC_CONSTRAINTS_OID,
            Extension.KEYUSAGE_OID,
            Extension.CERTPOLICIES_OID,
            Extension.POLICY_CONSTRAINTS_OID,
            Extension.POLICYMAPPINGS_OID,
            Extension.INHIBIT_ANYPOLICY_OID
        };
        for (String handledOid : handledOids) {
            if (str.equals(handledOid)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether a single OCSP response covers {@code checkTime}.
     *
     * @param singleResponse the per-certificate response entry
     * @return {@code true} if time checks are disabled (option bit 128), or {@code thisUpdate} is
     *     not after {@code checkTime} plus the tolerance and {@code nextUpdate}, when present, is
     *     not before {@code checkTime} minus the tolerance
     * @throws PkiException if the response dates cannot be read
     */
    private boolean isOCSPInValidity(SingleResponse singleResponse) throws PkiException {
        if ((this.option & 128) != 0) {
            return true;
        }
        Date issuedAt = singleResponse.getThisUpdate();
        Date expiresAt = singleResponse.getNextUpdate();
        long toleranceMillis = this.timeTolerance * 1000;
        long reference = this.checkTime.getTime();
        if (expiresAt != null && expiresAt.before(new Date(reference - toleranceMillis))) {
            return false;
        }
        return !issuedAt.after(new Date(reference + toleranceMillis));
    }

    /**
     * Reports whether a certificate is self-issued, i.e. its issuer name equals its subject name.
     * Only the names are compared; the signature is not examined here.
     *
     * @param x509Certificate the certificate to inspect
     * @return {@code true} if issuer and subject are equal
     * @throws ASN1Exception if a name cannot be decoded
     * @throws PkiException if a name cannot be read
     */
    private boolean isSelfIssuerCert(X509Certificate x509Certificate) throws ASN1Exception, PkiException {
        boolean namesMatch = x509Certificate.getIssuer().equals(x509Certificate.getSubject());
        return namesMatch;
    }

    /**
     * Updates the validation state after an intermediate certificate has passed its basic checks,
     * so that the next certificate in the path can be processed.
     *
     * <p>Steps, in order: policy mappings; counter and path-length bookkeeping (skipped when
     * {@code z} is set); policyConstraints and inhibitAnyPolicy tightening; basicConstraints
     * (must assert CA) and pathLenConstraint; keyUsage (bit 5, keyCertSign, when the extension is
     * present); remaining extensions; finally the working issuer name and public key are replaced
     * by this certificate's subject and key.
     *
     * @param i the position of this certificate; its key is stored in {@code public_keys[i]}
     * @param x509Certificate the intermediate certificate
     * @param z when {@code true} the counters and {@code max_path_length} are not decremented
     *     (presumably "certificate is self-issued" — confirm against the caller)
     * @param x509CertificateArr the whole path, handed to the extension processors
     * @param i2 index handed to the extension processors
     * @throws PkiException if the path length is exhausted, the certificate is not a CA
     *     certificate, lacks keyCertSign, carries an unhandled critical extension, or has an
     *     unrecognised public key
     */
    private void preparationNexCert(int i, X509Certificate x509Certificate, boolean z, X509Certificate[] x509CertificateArr, int i2) throws PkiException {
        procPolicyMappings(x509Certificate);
        if (!z) {
            if (this.explicit_policy > 0) {
                this.explicit_policy -= 1;
            }
            if (this.policy_mapping > 0) {
                this.policy_mapping -= 1;
            }
            if (this.inhibit_anyPolicy > 0) {
                this.inhibit_anyPolicy -= 1;
            }
            if (this.max_path_length <= 0) {
                throw new PkiException("break path constraint");
            }
            this.max_path_length -= 1;
        }
        Extensions caExtensions = x509Certificate.getExtensions();
        if (caExtensions == null) {
            // Without extensions there can be no basicConstraints asserting CA.
            throw new PkiException("not ca cert");
        }
        Extension policyConstraints = caExtensions.get(Extension.POLICY_CONSTRAINTS_OID);
        if (policyConstraints != null) {
            PolicyConstraintsExtension constraints = (PolicyConstraintsExtension) policyConstraints.getExtensionObject();
            // -1 is treated as "field absent"; a present value may only lower the counter.
            int requireExplicit = constraints.getRequireExplicitPolicy();
            if (requireExplicit != -1 && requireExplicit < this.explicit_policy) {
                this.explicit_policy = requireExplicit;
            }
            int inhibitMapping = constraints.getInhibitPolicyMapping();
            if (inhibitMapping != -1 && inhibitMapping < this.policy_mapping) {
                this.policy_mapping = inhibitMapping;
            }
        }
        Extension inhibitAny = caExtensions.get(Extension.INHIBIT_ANYPOLICY_OID);
        if (inhibitAny != null) {
            int skipCerts = ((IntegerExtension) inhibitAny.getExtensionObject()).getIntegerValue();
            if (skipCerts < this.inhibit_anyPolicy) {
                this.inhibit_anyPolicy = skipCerts;
            }
        }
        Extension basicConstraints = caExtensions.get(Extension.BASIC_CONSTRAINTS_OID);
        if (basicConstraints == null) {
            throw new PkiException("not ca cert");
        }
        BasicConstraintsExtension caConstraints = (BasicConstraintsExtension) basicConstraints.getExtensionObject();
        if (!caConstraints.isCA()) {
            throw new PkiException("not ca cert");
        }
        int pathLen = caConstraints.getPathLenConstraint();
        if (pathLen != -1 && pathLen < this.max_path_length) {
            this.max_path_length = pathLen;
        }
        Extension keyUsage = caExtensions.get(Extension.KEYUSAGE_OID);
        if (keyUsage != null) {
            NamedBitStringExtension usageBits = (NamedBitStringExtension) keyUsage.getExtensionObject();
            if (!usageBits.isSet(5)) {
                throw new PkiException("not ca cert,no keyCertSign bits");
            }
        }
        procOtherExtension(caExtensions, x509CertificateArr, i2);
        this.working_issuer_name = x509Certificate.getSubject();
        SubjectPublicKeyInfo subjectKeyInfo = x509Certificate.getSubjectPublicKeyInfo();
        PublicKey subjectKey = subjectKeyInfo.getPublicKey();
        if (subjectKey instanceof UnknownPublicKey) {
            // An unrecognised key is only accepted when the issuer key is DSA, in which case the
            // key is rebuilt from this certificate's key info together with the issuer's key
            // (presumably DSA parameter inheritance — confirm in DSAPublicKey).
            if (!(this.working_public_key instanceof DSAPublicKey)) {
                throw new PkiException("unknown cert public key");
            }
            subjectKey = new DSAPublicKey(subjectKeyInfo, (DSAPublicKey) this.working_public_key);
        }
        this.spki = subjectKeyInfo;
        this.working_public_key = subjectKey;
        this.public_keys[i] = this.working_public_key;
    }

    /**
     * Offers every extension to the registered processors and rejects the certificate if a
     * critical extension is handled neither by a processor nor by this validator itself.
     *
     * @param extensions the certificate's extensions
     * @param x509CertificateArr the whole path, handed to the processors
     * @param i index handed to the processors
     * @throws PkiException if an unhandled critical extension is found, or a processor throws
     */
    private void procOtherExtension(Extensions extensions, X509Certificate[] x509CertificateArr, int i) throws PkiException {
        int count = extensions.size();
        for (int index = 0; index < count; index++) {
            Extension current = extensions.get(index);
            // Processors always run first, even for extensions this validator knows.
            boolean handledByProcessor = procOtherExtension(current, x509CertificateArr, i);
            if (handledByProcessor) {
                continue;
            }
            if (current.isCritical() && !isKnownCriticalExtension(current.getOid())) {
                throw new PkiException("has critical extension:" + current.getOid());
            }
        }
    }

    /**
     * Hands one extension to every registered processor that declares it can process the OID.
     *
     * @param extension the extension to process
     * @param x509CertificateArr the whole path, handed to the processors
     * @param i index handed to the processors
     * @return {@code true} if at least one processor handled the extension
     * @throws PkiException if a processor rejects the extension
     */
    private boolean procOtherExtension(Extension extension, X509Certificate[] x509CertificateArr, int i) throws PkiException {
        String extensionOid = extension.getOid();
        boolean handled = false;
        int processorCount = this.processorList.size();
        for (int index = 0; index < processorCount; index++) {
            IProcessExtension processor = this.processorList.get(index);
            if (processor == null || !processor.canProcess(extensionOid)) {
                continue;
            }
            processor.process(extension, x509CertificateArr, i);
            handled = true;
        }
        return handled;
    }

    /**
     * Applies a certificate's policyMappings extension to the policy tree.
     *
     * <p>A mapping to or from anyPolicy is rejected. While {@code policy_mapping} is positive
     * the mappings are applied to the tree; when it is exactly 0 the tree's
     * {@code procLastPolicyMappings} is used instead and the tree is dropped if that returns
     * {@code false}. A negative counter leaves the tree untouched.
     *
     * @param x509Certificate the certificate whose mappings are processed
     * @throws CertificatePolicyException if a mapping involves anyPolicy
     * @throws PkiException if the extension cannot be read
     */
    private void procPolicyMappings(X509Certificate x509Certificate) throws PkiException {
        Extensions certExtensions = x509Certificate.getExtensions();
        if (certExtensions == null) {
            return;
        }
        Extension mappingsExtension = certExtensions.get(Extension.POLICYMAPPINGS_OID);
        if (mappingsExtension == null) {
            return;
        }
        PolicyMappingsExtension mappings = (PolicyMappingsExtension) mappingsExtension.getExtensionObject();
        int mappingCount = mappings.size();
        for (int index = 0; index < mappingCount; index++) {
            PolicyMapping mapping = mappings.get(index);
            if (mapping.getIssuerDomainPolicy().equals(PolicyInformation.ANYPOLICY_OID)) {
                throw new CertificatePolicyException("issuer domain include any policy");
            }
            if (mapping.getSubjectDomainPolicy().equals(PolicyInformation.ANYPOLICY_OID)) {
                throw new CertificatePolicyException("subjcet domain include any policy");
            }
        }
        if (this.valid_policy_tree == null) {
            return;
        }
        if (this.policy_mapping > 0) {
            this.valid_policy_tree.procPolicyMappings(mappings);
        } else if (this.policy_mapping == 0 && !this.valid_policy_tree.procLastPolicyMappings(mappings)) {
            this.valid_policy_tree = null;
        }
    }

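    /**
     * Determines the revocation status of one certificate from the collected OCSP responses and
     * CRLs, and throws unless the certificate can be shown to be unrevoked.
     *
     * <p>OCSP is consulted first, then CRLs. The evidence used is left in {@code ocsp_items[i]}
     * and/or {@code crl_items[i]}; the slot of a source that did not contribute is cleared.
     *
     * @param i position of the certificate in the path
     * @param x509Certificate the certificate being checked
     * @param x509Certificate2 its issuer certificate
     * @throws CertStatusRevokedException if either source reports the certificate as revoked
     * @throws NoRevokeInfoException if neither source has information about the certificate
     * @throws CertStatusUndeterminedException if CRLs matched but the status stays unresolved and
     *     OCSP did not report the certificate as good
     * @throws PkiException declared for the exceptions above
     */
    private void verifyRevoke(int i, X509Certificate x509Certificate, X509Certificate x509Certificate2) throws PkiException {
        // Start every certificate from "no information" (3). verifyRevokeByCRL can return true
        // without writing revoked_status when the only matching CRLs are outside their validity
        // window; without this reset the status of the previously checked certificate (typically
        // 0, unrevoked) would then be read below and the certificate accepted on stale evidence.
        this.revoked_status = 3;
        int ocspStatus;
        if (!verifyRevokeByOCSP(i, x509Certificate, x509Certificate2)) {
            ocspStatus = 3;
        } else {
            if (this.revoked_status == 1) {
                this.revoke_index = i;
                throw new CertStatusRevokedException("cert " + i + " revoked");
            }
            ocspStatus = this.revoked_status;
        }
        if (!verifyRevokeByCRL(i, x509Certificate, x509Certificate2)) {
            this.crl_items[i] = null;
            if (ocspStatus != 3) {
                // OCSP alone answered the question.
                return;
            }
            this.norevokeinfo_index = i;
            throw new NoRevokeInfoException("no revoke info for cert " + i);
        }
        if (this.revoked_status == 1) {
            this.ocsp_items[i] = null;
            this.revoke_index = i;
            throw new CertStatusRevokedException("cert " + i + " revoked");
        }
        if (this.revoked_status == 0) {
            if (ocspStatus == 0) {
                return;
            }
            // Only the CRL evidence supports the result.
            this.ocsp_items[i] = null;
        } else {
            if (ocspStatus == 0) {
                // CRLs were inconclusive but OCSP reported the certificate as good.
                this.revoked_status = 0;
                return;
            }
            this.ocsp_items[i] = null;
            this.undetermined_index = i;
            throw new CertStatusUndeterminedException("the status of cert " + i + " is undetermined");
        }
    }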

    /**
     * Runs revocation checking over a certificate path according to {@code verify_level}.
     *
     * <p>Level 0 does nothing. Otherwise the failure indexes are reset, revocation information is
     * fetched online if the options allow it, and the per-certificate evidence arrays are
     * re-allocated. Level 1 checks only the last certificate of the array; any other level checks
     * every certificate from index 1 on. The certificate at index 0 is never checked.
     *
     * @param x509CertificateArr the certificate path, each element issued by the one before it
     * @throws PkiException if a checked certificate is revoked, has no revocation information,
     *     or has an undetermined status
     */
    private void verifyRevoke(X509Certificate[] x509CertificateArr) throws PkiException {
        if (this.verify_level == 0) {
            return;
        }
        this.revoke_index = -1;
        this.undetermined_index = -1;
        this.norevokeinfo_index = -1;
        getAllRevokeInfoSource(x509CertificateArr);
        int certCount = x509CertificateArr.length;
        this.ocsp_items = new BasicOCSPResponse[certCount];
        this.crl_items = new CRLInfo[certCount];
        int lastPosition = certCount - 1;
        for (int position = 1; position < certCount; position++) {
            boolean endEntityOnly = this.verify_level == 1;
            if (endEntityOnly && position != lastPosition) {
                continue;
            }
            verifyRevoke(position, x509CertificateArr[position], x509CertificateArr[position - 1]);
        }
    }

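    /**
     * Evaluates the collected CRLs for one certificate.
     *
     * <p>Only CRLs whose issuer name equals the certificate's issuer and whose signature verifies
     * under the issuer key {@code public_keys[i - 1]} are considered. A delta CRL is used only if
     * its own signature verifies under the same key; otherwise it is detached from the entry.
     *
     * <p>On a {@code true} return, {@code revoked_status} holds 1 (revoked), 0 (unrevoked) or 2
     * (undetermined) if at least one matching CRL was inside its validity window; if none was,
     * {@code revoked_status} is left unchanged.
     *
     * @param i position of the certificate in the path
     * @param x509Certificate the certificate being checked
     * @param x509Certificate2 its issuer certificate
     * @return {@code false} if the issuer may not sign CRLs or no matching CRL gave an answer
     */
    private boolean verifyRevokeByCRL(int i, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (!canSignCRL(x509Certificate2)) {
            return false;
        }
        PublicKey publicKey = this.public_keys[i - 1];
        Iterator<CRLInfo> it = this.crls.iterator();
        // z: a matching CRL produced a non-revoked answer; i2: last in-validity status seen.
        boolean z = false;
        int i2 = 2;
        while (it.hasNext()) {
            CRLInfo next = it.next();
            X509CRL baseCRL = next.getBaseCRL();
            try {
                if (baseCRL.getIssuer().equals(x509Certificate.getIssuer()) && baseCRL.verifySignature(this.verifier, publicKey)) {
                    X509CRL deltaCRL = next.getDeltaCRL();
                    if (deltaCRL != null) {
                        // The decompiled source had an empty try block here with the signature
                        // check outside it. A delta CRL whose signature check fails or throws is
                        // dropped, and evaluation continues with the base CRL alone.
                        boolean deltaTrusted;
                        try {
                            deltaTrusted = deltaCRL.verifySignature(this.verifier, publicKey);
                        } catch (PkiException e) {
                            deltaTrusted = false;
                        }
                        if (!deltaTrusted) {
                            next.setDeltaCrl(null);
                            deltaCRL = null;
                        }
                    }
                    int certStatus = baseCRL.getCertStatus(x509Certificate, deltaCRL);
                    if (certStatus == 1) {
                        // NOTE(review): revoke_info is not cleared first, so without a delta CRL a
                        // value left by an earlier OCSP evaluation is kept instead of the base
                        // CRL's entry — confirm whether that is intended.
                        if (deltaCRL != null) {
                            try {
                                this.revoke_info = deltaCRL.getRevokeInfo();
                            } catch (PkiException unused2) {
                                this.revoke_info = null;
                            }
                        }
                        if (this.revoke_info == null) {
                            this.revoke_info = baseCRL.getRevokeInfo();
                        }
                        // A revocation counts if the CRL is current, or if the revocation time is
                        // not after checkTime even though the CRL itself is out of validity.
                        if (isCRLInValidity(baseCRL, deltaCRL)) {
                            this.revoked_status = 1;
                            this.crl_items[i] = next;
                            return true;
                        }
                        if (checkRevokeTime(this.revoke_info.getTime())) {
                            this.revoked_status = 1;
                            this.crl_items[i] = next;
                            return true;
                        }
                    } else {
                        if (certStatus == 0) {
                            if (isCRLInValidity(baseCRL, deltaCRL)) {
                                this.revoked_status = 0;
                                if (!z || i2 == 2) {
                                    this.crl_items[i] = next;
                                }
                                i2 = this.revoked_status;
                            }
                        } else if (isCRLInValidity(baseCRL, deltaCRL)) {
                            this.revoked_status = 2;
                            // crl_items[i] can still be null although z is set, when the earlier
                            // matching CRLs were all outside their validity window.
                            if (z && this.crl_items[i] != null) {
                                this.crl_items[i].add(next);
                            } else {
                                this.crl_items[i] = next;
                            }
                            i2 = this.revoked_status;
                        }
                        z = true;
                    }
                }
            } catch (PkiException unused3) {
                // A CRL that cannot be evaluated is skipped; the remaining CRLs are still tried.
            }
        }
        if (!z) {
            return false;
        }
        // An undetermined result becomes "unrevoked" once the combined CRLs cover all reasons.
        if (this.revoked_status == 2 && this.crl_items[i] != null && X509CRL.isAllReasonsMask(this.crl_items[i].getReasonsMask())) {
            this.revoked_status = 0;
        }
        return true;
    }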

    /**
     * Evaluates every collected OCSP response for one certificate.
     *
     * <p>Stops at the first response that reports the certificate as revoked; otherwise all
     * responses are evaluated and the status set by the last usable one remains in
     * {@code revoked_status}.
     *
     * @param i position of the certificate in the path
     * @param x509Certificate the certificate being checked
     * @param x509Certificate2 its issuer certificate
     * @return {@code true} if at least one response yielded a status
     */
    private boolean verifyRevokeByOCSP(int i, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        boolean answered = false;
        for (BasicOCSPResponse candidate : this.ocsps) {
            if (!verifyRevokeByOCSP(i, candidate, x509Certificate, x509Certificate2)) {
                continue;
            }
            if (this.revoked_status == 1) {
                return true;
            }
            answered = true;
        }
        return answered;
    }

    /**
     * Evaluates a single OCSP response for one certificate.
     *
     * <p>The response's signer certificate is checked against the issuer, then the entry for the
     * certificate is looked up. Status type 1 (revoked) is accepted if the entry is in validity
     * or the revocation time is not after {@code checkTime}; status type 0 (good) is accepted
     * only if the entry is in validity. Any other status, and any {@link PkiException}, makes the
     * response unusable.
     *
     * <p>NOTE(review): the signature over the response itself is not verified in this method;
     * presumably that happens when the response is collected — confirm.
     *
     * @param i position of the certificate in the path
     * @param basicOCSPResponse the response to evaluate
     * @param x509Certificate the certificate being checked
     * @param x509Certificate2 its issuer certificate
     * @return {@code true} if the response set {@code revoked_status} and {@code ocsp_items[i]}
     */
    private boolean verifyRevokeByOCSP(int i, BasicOCSPResponse basicOCSPResponse, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (!checkOCSPCert(basicOCSPResponse, x509Certificate2)) {
            return false;
        }
        SingleResponse entry;
        try {
            entry = basicOCSPResponse.getSingleResponse(this.hasher, x509Certificate2, x509Certificate);
        } catch (PkiException ignored) {
            return false;
        }
        if (entry == null) {
            return false;
        }
        try {
            CertStatus status = entry.getCertStatus();
            int statusType = status.getType();
            if (statusType == 1) {
                RevokedInfo revokedInfo = status.getRevoked();
                this.revoke_info = new RevokeInfo(revokedInfo.getRevocationTime(), revokedInfo.getRevocationReason());
                if (isOCSPInValidity(entry) || checkRevokeTime(this.revoke_info.getTime())) {
                    this.revoked_status = 1;
                    this.ocsp_items[i] = basicOCSPResponse;
                    return true;
                }
                return false;
            }
            if (statusType == 0 && isOCSPInValidity(entry)) {
                this.revoked_status = 0;
                this.ocsp_items[i] = basicOCSPResponse;
                return true;
            }
            return false;
        } catch (PkiException ignored) {
            // Do not leave half-built revocation details behind from an unusable response.
            this.revoke_info = null;
            return false;
        }
    }

    /**
     * Finishes path validation on the last certificate of the path.
     *
     * <p>Decrements {@code explicit_policy}, records the certificate's subject and public key as
     * the working values, applies a policyConstraints requireExplicitPolicy of 0, runs the
     * remaining extension checks and computes the authority- and user-constrained policy sets.
     * An unrecognised public key is tolerated here, unlike for intermediate certificates.
     *
     * @param x509Certificate the last certificate of the path
     * @param x509CertificateArr the whole path, handed to the extension processors
     * @param i index handed to the extension processors
     * @throws CertificatePolicyException if no valid policy remains while
     *     {@code explicit_policy <= 0}
     * @throws PkiException if the certificate cannot be read or carries an unhandled critical
     *     extension
     */
    private void wrapUp(X509Certificate x509Certificate, X509Certificate[] x509CertificateArr, int i) throws PkiException {
        if (this.explicit_policy > 0) {
            this.explicit_policy -= 1;
        }
        this.working_issuer_name = x509Certificate.getSubject();
        SubjectPublicKeyInfo subjectKeyInfo = x509Certificate.getSubjectPublicKeyInfo();
        PublicKey subjectKey = subjectKeyInfo.getPublicKey();
        boolean rebuildFromIssuerKey = (subjectKey instanceof UnknownPublicKey) && (this.working_public_key instanceof DSAPublicKey);
        if (rebuildFromIssuerKey) {
            try {
                subjectKey = new DSAPublicKey(subjectKeyInfo, (DSAPublicKey) this.working_public_key);
            } catch (Exception ignored) {
                // Fall back to the key exactly as the certificate presents it.
                subjectKey = subjectKeyInfo.getPublicKey();
            }
        }
        this.spki = subjectKeyInfo;
        this.working_public_key = subjectKey;
        Extensions certExtensions = x509Certificate.getExtensions();
        if (certExtensions != null) {
            Extension policyConstraints = certExtensions.get(Extension.POLICY_CONSTRAINTS_OID);
            if (policyConstraints != null) {
                int requireExplicit = ((PolicyConstraintsExtension) policyConstraints.getExtensionObject()).getRequireExplicitPolicy();
                if (requireExplicit == 0) {
                    this.explicit_policy = 0;
                }
            }
            procOtherExtension(certExtensions, x509CertificateArr, i);
        }
        if (this.valid_policy_tree == null) {
            this.authorities_constrained_policy_set = null;
            this.user_constrained_policy_set = null;
        } else if (isAnyPolicy()) {
            // With anyPolicy requested, the user-constrained set is the authority-constrained set.
            this.authorities_constrained_policy_set = this.valid_policy_tree.getPolicySet();
            this.user_constrained_policy_set = this.authorities_constrained_policy_set;
        } else {
            this.authorities_constrained_policy_set = this.valid_policy_tree.getPolicySet();
            this.valid_policy_tree.intersection(this.user_initial_policy_set);
            if (this.valid_policy_tree.valid_policy_node_set.size() != 0) {
                this.user_constrained_policy_set = this.valid_policy_tree.getPolicySet();
            } else {
                this.valid_policy_tree = null;
                this.user_constrained_policy_set = null;
            }
        }
        if (this.explicit_policy <= 0 && this.valid_policy_tree == null) {
            throw new CertificatePolicyException("explicit policy require");
        }
    }

    /**
     * Registers a CRL for later revocation checking.
     *
     * <p>A CRL that is not a delta CRL is appended as a new entry with no delta attached. A delta
     * CRL is attached to the first registered entry whose base CRL it matches; an existing delta
     * is replaced only when the new one has a later {@code thisUpdate}, otherwise the new delta
     * is silently dropped.
     *
     * <p>NOTE(review): no signature or validity check on the CRL is visible in this method;
     * confirm it is verified before its contents are relied on.
     *
     * @param x509crl the CRL to register
     * @throws PkiException if a delta CRL matches no registered base CRL
     */
    public void addCRL(X509CRL x509crl) throws PkiException {
        if (!x509crl.isDeltaCRL()) {
            this.crls.add(new CRLInfo(x509crl, null));
            return;
        }
        for (Iterator<CRLInfo> entries = this.crls.iterator(); entries.hasNext(); ) {
            CRLInfo entry = entries.next();
            if (!x509crl.matchBaseCRL(entry.getBaseCRL())) {
                continue;
            }
            // Only the first matching base is considered; the search stops here either way.
            X509CRL currentDelta = entry.getDeltaCRL();
            boolean newer = currentDelta == null
                    || currentDelta.getThisUpdate().before(x509crl.getThisUpdate());
            if (newer) {
                entry.setDeltaCrl(x509crl);
            }
            return;
        }
        throw new PkiException("no match base crl");
    }

    /**
     * Appends an extension processor to {@code processorList}.
     *
     * <p>The argument is not null-checked here; when and how the processors are invoked is
     * outside this view.
     *
     * @param iProcessExtension the processor to append
     */
    public void addExtensionProcessor(IProcessExtension iProcessExtension) {
        this.processorList.add(iProcessExtension);
    }

    /**
     * Registers a basic OCSP response for later revocation checking.
     *
     * <p>The response is passed to {@code checkOCSPResponse} first and stored only if that call
     * does not throw. What {@code checkOCSPResponse} verifies is not visible here.
     *
     * @param basicOCSPResponse the response to register
     * @throws PkiException if {@code checkOCSPResponse} rejects the response
     */
    public void addOCSPResponse(BasicOCSPResponse basicOCSPResponse) throws PkiException {
        checkOCSPResponse(basicOCSPResponse);
        this.ocsps.add(basicOCSPResponse);
    }

    /**
     * Registers the basic response carried by a full OCSP response.
     *
     * <p>Only a response whose status is {@code 0} is accepted (presumably the {@code successful}
     * value of the OCSP response status; TODO confirm against {@code OCSPResponse.getStatus}).
     * The embedded basic response is then passed to {@code checkOCSPResponse} before it is stored.
     *
     * @param oCSPResponse the OCSP response to unwrap and register
     * @throws PkiException if the status is not {@code 0} or {@code checkOCSPResponse} rejects
     *     the embedded response
     */
    public void addOCSPResponse(OCSPResponse oCSPResponse) throws PkiException {
        if (oCSPResponse.getStatus() == 0) {
            BasicOCSPResponse embedded = oCSPResponse.getBasicOCSPResponse();
            checkOCSPResponse(embedded);
            this.ocsps.add(embedded);
            return;
        }
        throw new PkiException("bad ocsp status");
    }

    /**
     * Returns a copy of the authorities-constrained policy set as an array.
     *
     * @return a new array of the policies, or {@code null} (not an empty array) when no set is
     *     recorded
     */
    public PolicyInformation[] getAuthoritiesConstrainedPolicySet() {
        ArrayList<PolicyInformation> policies = this.authorities_constrained_policy_set;
        return policies == null ? null : policies.toArray(new PolicyInformation[0]);
    }

    /**
     * Returns the value of {@code norevokeinfo_index}.
     *
     * <p>Presumably the path index of a certificate for which no revocation information was
     * found; where the field is set is outside this view.
     *
     * @return the stored index
     * @throws PkiException declared by the signature; this body never throws it
     */
    public int getNoRevokeInfoCertIndex() throws PkiException {
        return this.norevokeinfo_index;
    }

    /**
     * Exposes the valid policy tree as a {@link java.security.cert.PolicyNode}.
     *
     * <p>The returned node wraps the element at {@code tree.get(0).get(0)} of the valid policy
     * tree (presumably its root).
     *
     * @return the wrapping node, or {@code null} when there is no valid policy tree
     */
    public java.security.cert.PolicyNode getPolicyTree() {
        return this.valid_policy_tree == null
                ? null
                : new PolicyNode(this.valid_policy_tree, this.valid_policy_tree.tree.get(0).get(0));
    }

    /**
     * Returns the current working public key.
     *
     * <p>After a successful {@code verify} this is the key taken from the last certificate of the
     * path. Before any validation, or after a failed one, the value reflects whatever state the
     * validator was left in.
     *
     * @return the working public key, possibly {@code null}
     */
    public PublicKey getPublicKey() {
        return this.working_public_key;
    }

    /**
     * Returns the revocation details recorded in {@code revoke_info}.
     *
     * @return the stored revocation info; may be {@code null}, since the field is cleared when
     *     evaluating a response fails
     * @throws PkiException declared by the signature; this body never throws it
     */
    public RevokeInfo getRevokeInfo() throws PkiException {
        return this.revoke_info;
    }

    /**
     * Returns the revocation evidence recorded for the certificate at a path index.
     *
     * <p>An OCSP response recorded for the index takes precedence over a CRL entry. The index is
     * not range-checked: a value outside the arrays surfaces as an
     * {@code ArrayIndexOutOfBoundsException}, not a {@code PkiException}.
     *
     * @param i index into the per-certificate evidence arrays
     * @return a one-element array for OCSP evidence, or the CRL entry's sources
     * @throws PkiException if neither an OCSP response nor a CRL entry is recorded for the index
     */
    public RevokeInfoSource[] getRevokeInfoSource(int i) throws PkiException {
        BasicOCSPResponse ocspEvidence = this.ocsp_items[i];
        if (ocspEvidence == null) {
            CRLInfo crlEvidence = this.crl_items[i];
            if (crlEvidence == null) {
                throw new PkiException("no revoke info source?");
            }
            return crlEvidence.getRevokeInfoSource();
        }
        return new RevokeInfoSource[] {getRevokeInfoSourceFromOCSP(ocspEvidence)};
    }

    /**
     * Returns the value of {@code revoke_index}.
     *
     * <p>Presumably the path index of the certificate found to be revoked; where the field is set
     * is outside this view.
     *
     * @return the stored index
     * @throws PkiException declared by the signature; this body never throws it
     */
    public int getRevokedCertIndex() throws PkiException {
        return this.revoke_index;
    }

    /**
     * Returns the value of {@code undetermined_index}.
     *
     * <p>Presumably the path index of a certificate whose revocation status could not be
     * determined; where the field is set is outside this view.
     *
     * @return the stored index
     * @throws PkiException declared by the signature; this body never throws it
     */
    public int getUndeterminerCertIndex() throws PkiException {
        return this.undetermined_index;
    }

    /**
     * Returns a copy of the user-constrained policy set as an array.
     *
     * @return a new array of the policies, or {@code null} (not an empty array) when no set is
     *     recorded
     */
    public PolicyInformation[] getUserConstrainedPolicySet() {
        ArrayList<PolicyInformation> policies = this.user_constrained_policy_set;
        return policies == null ? null : policies.toArray(new PolicyInformation[0]);
    }

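    /**
     * Sets the time against which the path is checked.
     *
     * <p>{@link Date} is mutable, so a private copy is stored. A caller that later modifies or
     * reuses its own instance therefore cannot shift the time used for validation.
     *
     * @param date the check time; {@code null} is stored as {@code null} (how a missing check
     *     time is treated is decided elsewhere in the class)
     */
    public void setCheckTime(Date date) {
        this.checkTime = date == null ? null : new Date(date.getTime());
    }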

    /**
     * Installs the hash implementation stored in {@code hasher}.
     *
     * <p>The argument is stored as given, without a null check; where it is used is outside this
     * view.
     *
     * @param hashable the hash implementation to use
     */
    public void setHashImplement(Hashable hashable) {
        this.hasher = hashable;
    }

    /**
     * Installs the HTTP implementation stored in {@code http}.
     *
     * <p>Presumably the transport used when revocation data is fetched online; the fetch code is
     * outside this view. The argument is stored as given, without a null check.
     *
     * @param iHttp the HTTP implementation to use
     */
    public void setHttpImplement(IHttp iHttp) {
        this.http = iHttp;
    }

    /**
     * Sets the {@code initial_any_policy_inhibit} input, which defaults to {@code false}.
     *
     * <p>The flag is only stored here; presumably it is read when validation is initialised.
     *
     * @param z the new flag value
     */
    public void setInitialAnyPolicyInhibit(boolean z) {
        this.initial_any_policy_inhibit = z;
    }

    /**
     * Sets the {@code initial_explicit_policy} input, which defaults to {@code false}.
     *
     * <p>The flag is only stored here; presumably it is read when validation is initialised.
     *
     * @param z the new flag value
     */
    public void setInitialExplicitPolicy(boolean z) {
        this.initial_explicit_policy = z;
    }

    /**
     * Sets the {@code initial_policy_mapping_inhibit} input, which defaults to {@code false}.
     *
     * <p>The flag is only stored here; presumably it is read when validation is initialised.
     *
     * @param z the new flag value
     */
    public void setInitialPolicyMappingInhibit(boolean z) {
        this.initial_policy_mapping_inhibit = z;
    }

    /**
     * Sets {@code max_path_length}, which defaults to {@code -1}.
     *
     * <p>The value is stored without validation. NOTE(review): {@code -1} presumably means "no
     * caller-imposed limit"; confirm where the field is read.
     *
     * @param i the maximum path length to store
     */
    public void setMaxPathLength(int i) {
        this.max_path_length = i;
    }

    /**
     * Sets the hash algorithm stored in {@code ocspHashAlgorithm}.
     *
     * <p>The identifier is stored as given; no check of the algorithm is made here. Presumably it
     * is used when OCSP requests are built; that code is outside this view.
     *
     * @param algorithmIdentifier the hash algorithm identifier to use
     * @throws PkiException declared by the signature; this body never throws it
     */
    public void setOCSPHashAlgorithm(AlgorithmIdentifier algorithmIdentifier) throws PkiException {
        this.ocspHashAlgorithm = algorithmIdentifier;
    }

    /**
     * Sets the verification options stored in {@code option}.
     *
     * <p>The value is stored without validation. The class declares
     * {@code VERIFY_OPTION_ONLINE_GETCRL} (1), {@code VERIFY_OPTION_ONLINE_GETOCSP} (2) and
     * {@code VERIFY_OPTION_NOT_VERIFY_TIME} (128), which suggests a bit mask (TODO confirm).
     * Judging by its name, {@code VERIFY_OPTION_NOT_VERIFY_TIME} turns off time checks, so it
     * deserves attention wherever this setter receives caller-influenced input.
     *
     * @param i the option value to store
     * @throws PkiException declared by the signature; this body never throws it
     */
    public void setOption(int i) throws PkiException {
        this.option = i;
    }

    /**
     * Sets the time tolerance stored in {@code timeTolerance}.
     *
     * <p>Only negative values are rejected; there is no upper bound. NOTE(review): the unit is not
     * visible here, and a large tolerance presumably widens the accepted time windows.
     *
     * @param j the tolerance, which must not be negative
     * @throws PkiException if {@code j} is negative
     */
    public void setTimeTolerance(long j) throws PkiException {
        if (j >= 0) {
            this.timeTolerance = j;
            return;
        }
        throw new PkiException("timeTolerance<0");
    }

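    /**
     * Sets the user-initial policy set that the valid policy tree is intersected with.
     *
     * <p>A copy of the array is stored, so later changes to the caller's array cannot alter the
     * policies the validator works with.
     *
     * @param strArr the policy identifiers; must be non-null and non-empty (individual elements
     *     are not checked here)
     * @throws PkiException if {@code strArr} is {@code null} or empty
     */
    public void setUserInitialPolicySet(String[] strArr) throws PkiException {
        if (strArr == null || strArr.length == 0) {
            throw new PkiException("bad user_initial_policy_set");
        }
        this.user_initial_policy_set = strArr.clone();
    }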

    /**
     * Installs the verifier stored in {@code verifier}.
     *
     * <p>Presumably the signature-verification implementation; its use is outside this view. The
     * argument is stored as given, without a null check.
     *
     * @param verifible the verifier to use
     */
    public void setVerifier(Verifible verifible) {
        this.verifier = verifible;
    }

    /**
     * Sets the revocation verification level.
     *
     * <p>Accepted values are the class constants {@code VERIFY_LEVEL_NO_REVOKE} (0),
     * {@code VERIFY_LEVEL_VERIFY_EECERT_REVOKE} (1) and
     * {@code VERIFY_LEVEL_VERIFY_CERTPATH_REVOKE} (2). Judging by the constant names, level 0
     * performs no revocation checking.
     *
     * @param i the level to store
     * @throws PkiException if {@code i} is not 0, 1 or 2
     */
    public void setVerifyLevel(int i) throws PkiException {
        switch (i) {
            case 0: // VERIFY_LEVEL_NO_REVOKE
            case 1: // VERIFY_LEVEL_VERIFY_EECERT_REVOKE
            case 2: // VERIFY_LEVEL_VERIFY_CERTPATH_REVOKE
                this.verify_level = i;
                return;
            default:
                throw new PkiException("bad level:" + i);
        }
    }

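    /**
     * Validates a certification path.
     *
     * <p>The element at index 0 is passed to {@code init} and is never run through
     * {@code basicProcessing}, so it appears to act as the trust anchor. Every later certificate
     * goes through {@code basicProcessing}: the intermediates are followed by
     * {@code preparationNexCert}, the last certificate by {@code wrapUp}. Revocation is checked
     * at the end by {@code verifyRevoke}.
     *
     * <p>A path holding a single certificate returns immediately without any check. NOTE(review):
     * callers must have established trust in that certificate themselves, because neither its
     * validity period nor its revocation status is examined here.
     *
     * @param x509CertificateArr the path, starting with the certificate handed to {@code init}
     * @throws PkiException if the path is {@code null} or empty, or if any validation step fails
     */
    public void verify(X509Certificate[] x509CertificateArr) throws PkiException {
        // Reject a missing or empty path explicitly rather than failing with a
        // NullPointerException or ArrayIndexOutOfBoundsException below.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new PkiException("empty certificate path");
        }
        int length = x509CertificateArr.length;
        if (length == 1) {
            // Nothing is validated for a one-element path; see the method documentation.
            return;
        }
        this.public_keys = new PublicKey[length];
        init(x509CertificateArr[0], length);

        int last = length - 1;
        for (int idx = 1; idx < last; idx++) {
            X509Certificate intermediate = x509CertificateArr[idx];
            boolean selfIssued = isSelfIssuerCert(intermediate);
            basicProcessing(intermediate, this.inhibit_anyPolicy <= 0 && !selfIssued);
            preparationNexCert(idx, intermediate, selfIssued, x509CertificateArr, idx);
        }

        X509Certificate target = x509CertificateArr[last];
        basicProcessing(target, this.inhibit_anyPolicy <= 0);
        // NOTE(review): wrapUp receives index 0, whereas the loop passes each certificate's own
        // index to preparationNexCert; confirm 0 is what procOtherExtension expects here.
        wrapUp(target, x509CertificateArr, 0);
        this.public_keys[last] = this.working_public_key;
        verifyRevoke(x509CertificateArr);
    }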
}
