package org.spongycastle.jce.provider;

import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x509.AlgorithmIdentifier;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.jcajce.PKIXExtendedBuilderParameters;
import org.spongycastle.jcajce.PKIXExtendedParameters;
import org.spongycastle.jcajce.util.BCJcaJceHelper;
import org.spongycastle.jcajce.util.JcaJceHelper;
import org.spongycastle.jce.exception.ExtCertPathValidatorException;
import org.spongycastle.x509.ExtendedPKIXParameters;
import u.e.h.a.c;
import u.e.h.a.g;
import u.e.h.a.h;

/* loaded from: classes8.dex */
public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi {
    public final JcaJceHelper helper = new BCJcaJceHelper();

    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        PKIXExtendedParameters pKIXExtendedParameters;
        CertPath certPath2;
        X500Name a2;
        PublicKey cAPublicKey;
        HashSet hashSet;
        PKIXCertPathValidatorSpi pKIXCertPathValidatorSpi;
        List list;
        ArrayList[] arrayListArr;
        HashSet hashSet2;
        PKIXCertPathValidatorSpi pKIXCertPathValidatorSpi2 = this;
        CertPath certPath3 = certPath;
        if (certPathParameters instanceof PKIXParameters) {
            PKIXExtendedParameters.Builder builder = new PKIXExtendedParameters.Builder((PKIXParameters) certPathParameters);
            if (certPathParameters instanceof ExtendedPKIXParameters) {
                ExtendedPKIXParameters extendedPKIXParameters = (ExtendedPKIXParameters) certPathParameters;
                builder.setUseDeltasEnabled(extendedPKIXParameters.isUseDeltasEnabled());
                builder.setValidityModel(extendedPKIXParameters.getValidityModel());
            }
            pKIXExtendedParameters = builder.build();
        } else if (certPathParameters instanceof PKIXExtendedBuilderParameters) {
            pKIXExtendedParameters = ((PKIXExtendedBuilderParameters) certPathParameters).getBaseParameters();
        } else {
            if (!(certPathParameters instanceof PKIXExtendedParameters)) {
                throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName() + " instance.");
            }
            pKIXExtendedParameters = (PKIXExtendedParameters) certPathParameters;
        }
        if (pKIXExtendedParameters.getTrustAnchors() == null) {
            throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for certification path validation.");
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        int size = certificates.size();
        Throwable th = null;
        if (certificates.isEmpty()) {
            throw new CertPathValidatorException("Certification path is empty.", null, certPath3, -1);
        }
        Set initialPolicies = pKIXExtendedParameters.getInitialPolicies();
        try {
            TrustAnchor a3 = c.a((X509Certificate) certificates.get(certificates.size() - 1), pKIXExtendedParameters.getTrustAnchors(), pKIXExtendedParameters.getSigProvider());
            if (a3 == null) {
                throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath3, -1);
            }
            PKIXExtendedParameters build = new PKIXExtendedParameters.Builder(pKIXExtendedParameters).setTrustAnchor(a3).build();
            ArrayList[] arrayListArr2 = new ArrayList[size + 1];
            for (int i2 = 0; i2 < arrayListArr2.length; i2++) {
                arrayListArr2[i2] = new ArrayList();
            }
            HashSet hashSet3 = new HashSet();
            hashSet3.add("2.5.29.32.0");
            PKIXPolicyNode pKIXPolicyNode = new PKIXPolicyNode(new ArrayList(), 0, hashSet3, null, new HashSet(), "2.5.29.32.0", false);
            arrayListArr2[0].add(pKIXPolicyNode);
            PKIXNameConstraintValidator pKIXNameConstraintValidator = new PKIXNameConstraintValidator();
            HashSet hashSet4 = new HashSet();
            int i3 = build.isExplicitPolicyRequired() ? 0 : size + 1;
            int i4 = build.isAnyPolicyInhibited() ? 0 : size + 1;
            int i5 = build.isPolicyMappingInhibited() ? 0 : size + 1;
            X509Certificate trustedCert = a3.getTrustedCert();
            if (trustedCert != null) {
                try {
                    a2 = g.b(trustedCert);
                    cAPublicKey = trustedCert.getPublicKey();
                } catch (IllegalArgumentException e2) {
                    e = e2;
                    certPath2 = certPath3;
                    throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", e, certPath2, -1);
                }
            } else {
                try {
                    a2 = g.a(a3);
                    cAPublicKey = a3.getCAPublicKey();
                } catch (IllegalArgumentException e3) {
                    e = e3;
                    certPath2 = certPath3;
                    throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", e, certPath2, -1);
                }
            }
            try {
                AlgorithmIdentifier a4 = c.a(cAPublicKey);
                a4.getAlgorithm();
                a4.getParameters();
                if (build.getTargetConstraints() != null && !build.getTargetConstraints().match((Certificate) certificates.get(0))) {
                    throw new ExtCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath3, 0);
                }
                List certPathCheckers = build.getCertPathCheckers();
                Iterator it2 = certPathCheckers.iterator();
                while (it2.hasNext()) {
                    ((PKIXCertPathChecker) it2.next()).init(false);
                }
                int i6 = i5;
                int i7 = size;
                X509Certificate x509Certificate = null;
                int i8 = i3;
                PKIXPolicyNode pKIXPolicyNode2 = pKIXPolicyNode;
                int size2 = certificates.size() - 1;
                while (size2 >= 0) {
                    HashSet hashSet5 = hashSet4;
                    int i9 = size - size2;
                    X509Certificate x509Certificate2 = (X509Certificate) certificates.get(size2);
                    PKIXNameConstraintValidator pKIXNameConstraintValidator2 = pKIXNameConstraintValidator;
                    int i10 = size2;
                    HashSet hashSet6 = hashSet3;
                    ArrayList[] arrayListArr3 = arrayListArr2;
                    TrustAnchor trustAnchor = a3;
                    List list2 = certPathCheckers;
                    h.a(certPath, build, size2, cAPublicKey, size2 == certificates.size() + (-1), a2, trustedCert, pKIXCertPathValidatorSpi2.helper);
                    h.b(certPath3, i10, pKIXNameConstraintValidator2);
                    Throwable th2 = th;
                    int i11 = size;
                    List<? extends Certificate> list3 = certificates;
                    CertPath certPath4 = certPath3;
                    hashSet4 = hashSet5;
                    PKIXPolicyNode a5 = h.a(certPath4, i10, h.a(certPath, i10, hashSet4, pKIXPolicyNode2, arrayListArr3, i4));
                    h.a(certPath4, i10, a5, i8);
                    if (i9 == i11) {
                        pKIXCertPathValidatorSpi = this;
                        list = list2;
                        arrayListArr = arrayListArr3;
                    } else {
                        if (x509Certificate2 != null && x509Certificate2.getVersion() == 1) {
                            throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", th2, certPath4, i10);
                        }
                        h.a(certPath4, i10);
                        int i12 = i6;
                        arrayListArr = arrayListArr3;
                        a5 = h.a(certPath4, i10, arrayListArr, a5, i12);
                        h.a(certPath4, i10, pKIXNameConstraintValidator2);
                        int a6 = h.a(certPath4, i10, i8);
                        int b2 = h.b(certPath4, i10, i12);
                        int c2 = h.c(certPath4, i10, i4);
                        int d2 = h.d(certPath4, i10, a6);
                        int e4 = h.e(certPath4, i10, b2);
                        i4 = h.f(certPath4, i10, c2);
                        h.b(certPath4, i10);
                        int h2 = h.h(certPath4, i10, h.g(certPath4, i10, i7));
                        h.c(certPath4, i10);
                        Set<String> criticalExtensionOIDs = x509Certificate2.getCriticalExtensionOIDs();
                        if (criticalExtensionOIDs != null) {
                            HashSet hashSet7 = new HashSet(criticalExtensionOIDs);
                            hashSet7.remove(h.f49559n);
                            hashSet7.remove(h.f49547b);
                            hashSet7.remove(h.f49548c);
                            hashSet7.remove(h.f49549d);
                            hashSet7.remove(h.f49550e);
                            hashSet7.remove(h.f49552g);
                            hashSet7.remove(h.f49553h);
                            hashSet7.remove(h.f49554i);
                            hashSet7.remove(h.f49556k);
                            hashSet7.remove(h.f49557l);
                            hashSet2 = hashSet7;
                        } else {
                            hashSet2 = new HashSet();
                        }
                        h.a(certPath4, i10, hashSet2, list2);
                        trustedCert = x509Certificate2;
                        a2 = g.b(trustedCert);
                        try {
                            list = list2;
                            pKIXCertPathValidatorSpi = this;
                            try {
                                cAPublicKey = c.a(certPath.getCertificates(), i10, pKIXCertPathValidatorSpi.helper);
                                AlgorithmIdentifier a7 = c.a(cAPublicKey);
                                a7.getAlgorithm();
                                a7.getParameters();
                                i6 = e4;
                                i7 = h2;
                                i8 = d2;
                            } catch (CertPathValidatorException e5) {
                                e = e5;
                                throw new CertPathValidatorException("Next working key could not be retrieved.", e, certPath4, i10);
                            }
                        } catch (CertPathValidatorException e6) {
                            e = e6;
                        }
                    }
                    pKIXPolicyNode2 = a5;
                    certPathCheckers = list;
                    pKIXNameConstraintValidator = pKIXNameConstraintValidator2;
                    certPath3 = certPath4;
                    size = i11;
                    pKIXCertPathValidatorSpi2 = pKIXCertPathValidatorSpi;
                    arrayListArr2 = arrayListArr;
                    x509Certificate = x509Certificate2;
                    certificates = list3;
                    hashSet3 = hashSet6;
                    a3 = trustAnchor;
                    th = null;
                    size2 = i10 - 1;
                }
                ArrayList[] arrayListArr4 = arrayListArr2;
                TrustAnchor trustAnchor2 = a3;
                CertPath certPath5 = certPath3;
                List list4 = certPathCheckers;
                int i13 = size2;
                int i14 = h.i(certPath5, i13 + 1, h.a(i8, x509Certificate));
                Set<String> criticalExtensionOIDs2 = x509Certificate.getCriticalExtensionOIDs();
                if (criticalExtensionOIDs2 != null) {
                    HashSet hashSet8 = new HashSet(criticalExtensionOIDs2);
                    hashSet8.remove(h.f49559n);
                    hashSet8.remove(h.f49547b);
                    hashSet8.remove(h.f49548c);
                    hashSet8.remove(h.f49549d);
                    hashSet8.remove(h.f49550e);
                    hashSet8.remove(h.f49552g);
                    hashSet8.remove(h.f49553h);
                    hashSet8.remove(h.f49554i);
                    hashSet8.remove(h.f49556k);
                    hashSet8.remove(h.f49557l);
                    hashSet8.remove(h.f49555j);
                    hashSet8.remove(Extension.extendedKeyUsage.getId());
                    hashSet = hashSet8;
                } else {
                    hashSet = new HashSet();
                }
                h.a(certPath5, i13 + 1, list4, hashSet);
                X509Certificate x509Certificate3 = x509Certificate;
                PKIXPolicyNode a8 = h.a(certPath, build, initialPolicies, i13 + 1, arrayListArr4, pKIXPolicyNode2, hashSet4);
                if (i14 > 0 || a8 != null) {
                    return new PKIXCertPathValidatorResult(trustAnchor2, a8, x509Certificate3.getPublicKey());
                }
                throw new CertPathValidatorException("Path processing failed on policy.", null, certPath5, i13);
            } catch (CertPathValidatorException e7) {
                throw new ExtCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", e7, certPath3, -1);
            }
        } catch (AnnotatedException e8) {
            throw new CertPathValidatorException(e8.getMessage(), e8, certPath3, certificates.size() - 1);
        }
    }
}
