package iaik.pki;

import iaik.asn1.structures.Name;
import iaik.logging.Log;
import iaik.logging.LogFactory;
import iaik.logging.TransactionId;
import iaik.pki.pathconstruction.CertPath;
import iaik.pki.pathconstruction.CertPathConstructor;
import iaik.pki.pathconstruction.ConstructionResult;
import iaik.pki.pathvalidation.ValidationFactory;
import iaik.pki.pathvalidation.ValidationProfile;
import iaik.pki.pathvalidation.ValidationResult;
import iaik.pki.pathvalidation.ValidationResultInvalid;
import iaik.pki.pathvalidation.ValidationResultValid;
import iaik.pki.revocation.RevocationSourceTypes;
import iaik.pki.store.certinfo.CertInfo;
import iaik.pki.store.certinfo.CertInfoStore;
import iaik.pki.store.certinfo.CertInfoStoreException;
import iaik.pki.store.certinfo.CertInfoStoreFactory;
import iaik.pki.store.certstore.CertStore;
import iaik.pki.store.certstore.CertStoreFactory;
import iaik.pki.store.revocation.CRLRevocationSource;
import iaik.pki.store.revocation.MemoryCRLRevocationSource;
import iaik.pki.store.revocation.OCSPRevocationSource;
import iaik.pki.store.revocation.RevocationFactory;
import iaik.pki.store.revocation.SupplementalRevocationSources;
import iaik.pki.store.truststore.TrustStore;
import iaik.pki.store.truststore.TrustStoreFactory;
import iaik.pki.store.truststore.TrustStoreProfile;
import iaik.pki.utils.ByteArrayContainer;
import iaik.pki.utils.Constants;
import iaik.pki.utils.DBTypeParser;
import iaik.pki.utils.NameUtils;
import iaik.pki.utils.UtilsException;
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.IssuingDistributionPoint;
import iaik.x509.ocsp.BasicOCSPResponse;
import iaik.x509.ocsp.CertID;
import iaik.x509.ocsp.OCSPResponse;
import iaik.x509.ocsp.ReqCert;
import iaik.x509.ocsp.SingleResponse;
import java.util.ArrayList;
import java.util.Date;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Stack;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
/**
 * Obfuscated {@link PKIModule} implementation (decompiled by JADX) that validates
 * a single certificate or a caller-supplied certificate chain.
 *
 * <p>A validation call first prepares per-call state (cycle stack, working certificate
 * store, supplemental certificates and revocation data). It then constructs candidate
 * paths, or wraps the supplied chain, and delegates to the path validator obtained
 * from the configured {@link ValidationFactory}.
 *
 * <p>The entry points are {@code synchronized} and mutate instance fields
 * ({@link #F}, {@link #D}, {@link #B}) on every call.
 *
 * <p>NOTE(review): this is decompiler output. Identifiers are obfuscated and at least
 * one loop has lost its exit statements; treat control flow as approximate and
 * confirm against the original bytecode before drawing security conclusions.
 */
public class C implements PKIModule {
    // Name given to the in-memory cert store created in A(boolean, TransactionId).
    protected static final String E = "Temporary memory store";
    // Module logger, looked up by Constants.MODULE_NAME.
    protected static Log I = LogFactory.getLog(Constants.MODULE_NAME);
    // Default CertInfoStore, injected via setDefaultCertInfoStore(); null until then.
    protected CertInfoStore A;
    // Reset to false before each validation; never read in this file.
    protected boolean B = false;
    // Validation factory, injected via setValidationFactory(); null until then.
    protected ValidationFactory C;
    // Stack of ByteArrayContainer-wrapped SHA fingerprints of certificates currently
    // being validated; used to detect cyclic validation dependencies.
    protected Stack D;
    // Working CertInfoStore for the current call; selected in A(boolean, TransactionId).
    protected CertInfoStore F;
    // Path constructor, injected via setPathConstructor(); null until then.
    protected CertPathConstructor G;
    // PKI profile supplying trust store, validation and revocation settings.
    protected PKIProfile H;

    /** No-arg constructor; leaves every collaborator, including the profile and the cycle stack, unset. */
    private C() {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a module bound to the given profile and initialises the cycle-detection stack.
     *
     * @param pKIProfile profile to use; must not be null
     * @throws NullPointerException if {@code pKIProfile} is null
     */
    public C(PKIProfile pKIProfile) {
        if (pKIProfile == null) {
            throw new NullPointerException("Profile mustn't be null");
        }
        this.H = pKIProfile;
        this.D = new Stack();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates a single certificate: checks key usage, constructs candidate paths
     * against the selected trust store and validates each path in turn.
     *
     * <p>Relies on {@link #F} having been set by the preparation step
     * {@code A(Date, X509Certificate[], X509CRL[], OCSPResponse[], boolean, boolean, TransactionId)}.
     *
     * @param date the "concernedDate" the validation refers to; must not be null
     * @param x509Certificate certificate to validate
     * @param supplementalRevocationSources caller-supplied revocation data, or null
     * @param zArr required key-usage bits (length 9), or null to skip the key-usage check
     * @param z forwarded unchanged to the path validator; meaning not visible here
     * @param z2 when true the certificate is passed to {@code createCertInfo} with a
     *           true flag; otherwise the flag is {@code autoAddCertificates() == 2}
     * @param z3 when true and an indirect-revocation trust store profile is configured,
     *           that profile is used instead of the regular trust store profile
     * @param transactionId id used for logging and passed to collaborators
     * @return a {@code B} result; its first constructor argument is false only when
     *         the key-usage check rejected the certificate
     * @throws NullPointerException if the date, trust store profile or validation profile is null
     * @throws PKIException on a cyclic validation dependency
     */
    public synchronized PKIResult A(Date date, X509Certificate x509Certificate, SupplementalRevocationSources supplementalRevocationSources, boolean[] zArr, boolean z, boolean z2, boolean z3, TransactionId transactionId) {
        TrustStoreProfile trustStoreProfile;
        B b2;
        if (date == null) {
            throw new NullPointerException("Argument \"concernedDate\" is null.");
        }
        if (A(zArr, x509Certificate, transactionId)) {
            boolean useSupplementalRevocationSourcesOnly = supplementalRevocationSources == null ? false : supplementalRevocationSources.useSupplementalRevocationSourcesOnly();
            // Store flag is effectively (z2 || autoAddCertificates() == 2).
            CertInfo createCertInfo = this.F.createCertInfo(x509Certificate, !z2 ? this.H.autoAddCertificates() == 2 : z2, transactionId);
            if (!z3 || this.H.getIndirectRevocationTrustStoreProfile() == null) {
                trustStoreProfile = this.H.getTrustStoreProfile();
            } else {
                trustStoreProfile = this.H.getIndirectRevocationTrustStoreProfile();
                I.debug(transactionId, "Using trust profile for indirect revocation sources.", null);
            }
            if (trustStoreProfile == null) {
                throw new NullPointerException("Truststore profile mustn't be null");
            }
            TrustStore trustStoreFactory = TrustStoreFactory.getInstance(trustStoreProfile, transactionId);
            ValidationProfile validationProfile = this.H.getValidationProfile();
            if (validationProfile == null) {
                throw new NullPointerException("validation profile mustn't be null");
            }
            this.B = false;
            // Path construction mode is 0 when only supplemental revocation sources may be used, else 1.
            ConstructionResult A = A(trustStoreFactory, createCertInfo, this.H.useAuthorityInfoAccess(), date, useSupplementalRevocationSourcesOnly ? 0 : 1, transactionId);
            if (A.getChainsCount() == 0) {
                I.info(transactionId, "No certification path found", null);
                b2 = new B(true, A, null);
            } else {
                ValidationResult validationResult = null;
                B b3 = null;
                int i = 0;
                I.debug(transactionId, new StringBuffer("found ").append(A.getChainsCount()).append(" chains").toString(), null);
                Iterator chainIterator = A.getChainIterator();
                // NOTE(review): decompiler artifact. As rendered this loop has no break or
                // return, so the b2 assignments below presumably exited the loop in the
                // original bytecode. The duplicated "validationResult = A2; i = i2;"
                // statements are likewise residue. Confirm the real control flow,
                // especially which result wins when several chains fail, before relying on it.
                while (true) {
                    if (chainIterator.hasNext()) {
                        int i2 = i + 1;
                        CertPath certPath = (CertPath) chainIterator.next();
                        List chain = certPath.getChain();
                        A(chain, i2, transactionId);
                        // Cycle guard: the validator receives "this" (see A(ValidationProfile, ...)),
                        // so it can presumably re-enter this module; a fingerprint already on the
                        // stack means the certificate's validation depends on itself.
                        ByteArrayContainer byteArrayContainer = new ByteArrayContainer(x509Certificate.getFingerprintSHA());
                        if (this.D.contains(byteArrayContainer)) {
                            I.error(transactionId, "Cycling chain validation dependency", null);
                            throw new PKIException("Cyclic chain validating dependency.", null, new StringBuffer().append(getClass().getName()).append(":5").toString());
                        }
                        this.D.push(byteArrayContainer);
                        // NOTE(review): no try/finally around the validator call, so an exception
                        // leaves the fingerprint on the stack until the next preparation step clears D.
                        ValidationResult A2 = A(validationProfile, chain, date, supplementalRevocationSources, z, transactionId);
                        if (A2.getValidationResult().equals(ValidationResult.VALID)) {
                            I.info(transactionId, "Found valid cert chain", null);
                            if (this.D.size() > 0) {
                                this.D.pop();
                            }
                            // Attach the path's additional info to the valid result when there is any.
                            List additionalInfoList = certPath.getAdditionalInfoList();
                            b2 = new B(true, A, (additionalInfoList == null || additionalInfoList.isEmpty()) ? A2 : new ValidationResultValidImpl((ValidationResultValid) A2, additionalInfoList));
                        } else {
                            if (A2.getValidationResult().equals(ValidationResult.INVALID)) {
                                ValidationResultInvalid validationResultInvalid = (ValidationResultInvalid) A2;
                                I.debug(transactionId, new StringBuffer("Chain validation failed: ").append(validationResultInvalid.getFailedReason()).append(" error").toString(), null);
                                if (this.D.size() > 0) {
                                    this.D.pop();
                                }
                                // A revocation failure is remembered in b3 and preferred over the
                                // last chain's result when no chain validates (see the final branch).
                                if (validationResultInvalid.getFailedReason().equals(ValidationResultInvalid.REVOCATION_FAILED)) {
                                    b3 = new B(true, A, A2);
                                    validationResult = A2;
                                    i = i2;
                                }
                            }
                            validationResult = A2;
                            i = i2;
                        }
                    } else if (validationResult.getValidationResult().equals(ValidationResult.VALID)) {
                        if (this.D.size() > 0) {
                            this.D.pop();
                        }
                        I.info(transactionId, "Found valid cert chain", null);
                        b2 = new B(true, A, validationResult);
                    } else {
                        I.info(transactionId, "Certificate validation failed", null);
                        b2 = b3 == null ? new B(true, A, validationResult) : b3;
                    }
                }
            }
        } else {
            // Key-usage check rejected the certificate: no construction or validation result.
            b2 = new B(false, null, null);
        }
        return b2;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates a caller-supplied chain without path construction. Element 0 is
     * treated as the end-entity certificate and the last element as the trust-anchor candidate.
     *
     * <p>NOTE(review): individual chain elements are not null-checked here; a null
     * element would surface as a NullPointerException from a later call.
     *
     * @param date validation date; forwarded to the trust store and the path validator
     * @param z when true, the last certificate must be trusted by the profile's trust store
     * @param x509CertificateArr chain to validate; must be non-null and non-empty
     * @param supplementalRevocationSources caller-supplied revocation data, or null
     * @param zArr required key-usage bits (length 9), or null to skip the key-usage check
     * @param z2 forwarded unchanged to the path validator; meaning not visible here
     * @param z3 when true the end-entity certificate is passed to {@code createCertInfo}
     *           with a true flag; otherwise the flag is {@code autoAddCertificates() == 2}
     * @param transactionId id used for logging and passed to collaborators
     * @return a {@code B} result; the validation result inside it is null when the
     *         key-usage check or the trust check on the last certificate failed
     * @throws NullPointerException if the chain, trust store profile or validation profile is null
     * @throws IllegalArgumentException if the chain is empty
     * @throws PKIException on a cyclic validation dependency
     */
    public synchronized PKIResult A(Date date, boolean z, X509Certificate[] x509CertificateArr, SupplementalRevocationSources supplementalRevocationSources, boolean[] zArr, boolean z2, boolean z3, TransactionId transactionId) {
        B b2;
        if (x509CertificateArr == null) {
            I.error(transactionId, "Argument \"certificateChain\" must not be null.", null);
            throw new NullPointerException("Argument \"certificateChain\" must not be null.");
        }
        int length = x509CertificateArr.length;
        if (length == 0) {
            I.error(transactionId, "Certificate chain to be validated must not be empty.", null);
            throw new IllegalArgumentException("Certificate chain to be validated must not be empty.");
        }
        TrustStoreProfile trustStoreProfile = this.H.getTrustStoreProfile();
        if (trustStoreProfile == null) {
            throw new NullPointerException("Truststore profile mustn't be null");
        }
        // NOTE(review): with z == false the trust-store lookup is skipped entirely in this
        // method. Whether the path validator independently requires a trust anchor is not
        // visible here; confirm before calling with z == false on untrusted input.
        if (!z || TrustStoreFactory.getInstance(trustStoreProfile, transactionId).isCertificateTrusted(x509CertificateArr[length - 1], date, transactionId).isCertificateTrusted()) {
            X509Certificate x509Certificate = x509CertificateArr[0];
            if (A(zArr, x509Certificate, transactionId)) {
                CertInfoStore certInfoStore = this.F;
                // Store flag is effectively (z3 || autoAddCertificates() == 2).
                CertInfo createCertInfo = certInfoStore.createCertInfo(x509Certificate, !z3 ? this.H.autoAddCertificates() == 2 : z3, transactionId);
                ArrayList arrayList = new ArrayList(length);
                arrayList.add(createCertInfo);
                boolean z4 = this.H.autoAddCertificates() > 0;
                // Remaining elements are wrapped as issuer entries, in the order supplied.
                for (int i = 1; i < length; i++) {
                    arrayList.add(certInfoStore.createCertIssuer(certInfoStore.createCertInfo(x509CertificateArr[i], z4, transactionId), 0, transactionId));
                }
                ValidationProfile validationProfile = this.H.getValidationProfile();
                if (validationProfile == null) {
                    throw new NullPointerException("validation profile mustn't be null");
                }
                this.B = false;
                A(arrayList, 1, transactionId);
                // Cycle guard keyed on the end-entity certificate's SHA fingerprint.
                ByteArrayContainer byteArrayContainer = new ByteArrayContainer(x509Certificate.getFingerprintSHA());
                if (this.D.contains(byteArrayContainer)) {
                    I.error(transactionId, "Cycling chain validation dependency", null);
                    throw new PKIException("Cyclic chain validating dependency.", null, new StringBuffer().append(getClass().getName()).append(":5").toString());
                }
                this.D.push(byteArrayContainer);
                // NOTE(review): no try/finally; an exception from the validator skips the pop below.
                ValidationResult A = A(validationProfile, arrayList, date, supplementalRevocationSources, z2, transactionId);
                if (A.getValidationResult().equals(ValidationResult.VALID)) {
                    I.info(transactionId, "Found valid cert chain", null);
                }
                if (A.getValidationResult().equals(ValidationResult.INVALID)) {
                    I.debug(transactionId, new StringBuffer("Chain validation failed: ").append(((ValidationResultInvalid) A).getFailedReason()).append(" error").toString(), null);
                }
                if (this.D.size() > 0) {
                    this.D.pop();
                }
                b2 = new B(true, null, A);
            } else {
                b2 = new B(false, null, null);
            }
        } else {
            I.info(transactionId, "Last certificate in chain is not a trusted certificate.", null);
            // NOTE(review): the untrusted-anchor case is reported with a true first flag and a
            // null validation result; confirm callers treat a null result as a failure.
            b2 = new B(true, null, null);
        }
        return b2;
    }

    /**
     * Delegates path construction to the configured {@link CertPathConstructor}.
     *
     * @param trustStore trust store to build paths against
     * @param certInfo certificate to build paths for
     * @param z value of {@code useAuthorityInfoAccess()} from the profile, as passed by the caller in this file
     * @param date validation date
     * @param i construction mode; 0 is logged as "supplemental certificates only"
     * @param transactionId id used for logging
     * @return the construction result returned by the path constructor
     */
    protected ConstructionResult A(TrustStore trustStore, CertInfo certInfo, boolean z, Date date, int i, TransactionId transactionId) {
        if (i == 0) {
            I.debug(transactionId, "Constructing path using supplemental certificates only.", null);
        }
        return this.G.constructCertPath(new ConstructionParametersImpl(trustStore, certInfo, date, true, i, z), transactionId);
    }

    /**
     * Validates one chain with the path validator for the given profile. This module
     * is passed to the validator together with the profile's revocation settings.
     *
     * @param validationProfile profile used to obtain the path validator
     * @param list chain of {@code CertInfo} entries
     * @param date validation date
     * @param supplementalRevocationSources caller-supplied revocation data, or null
     * @param z forwarded unchanged to {@code validateChain}; meaning not visible here
     * @param transactionId id used for logging
     * @return the validator's result
     */
    protected ValidationResult A(ValidationProfile validationProfile, List list, Date date, SupplementalRevocationSources supplementalRevocationSources, boolean z, TransactionId transactionId) {
        return this.C.getPathValidator(validationProfile, transactionId).validateChain(list, date, this, this.H.getRevocationProfile(), supplementalRevocationSources, z, transactionId);
    }

    /**
     * Per-call preparation: validates the date and profile, clears the cycle stack,
     * selects the working cert store, loads supplemental certificates and builds the
     * supplemental revocation sources.
     *
     * @param date validation date ("concernedDate"); must not be null
     * @param x509CertificateArr supplemental certificates, or null
     * @param x509crlArr supplemental CRLs, or null
     * @param oCSPResponseArr supplemental OCSP responses, or null
     * @param z true to use supplemental data only (per the error messages of the helpers)
     * @param z2 true to suppress the "no supplemental certificate data" error in supplemental-only mode
     * @param transactionId id used for logging
     * @return the supplemental revocation sources built from the CRLs and OCSP responses
     * @throws NullPointerException if the date or the profile is null
     */
    protected SupplementalRevocationSources A(Date date, X509Certificate[] x509CertificateArr, X509CRL[] x509crlArr, OCSPResponse[] oCSPResponseArr, boolean z, boolean z2, TransactionId transactionId) {
        if (date == null) {
            I.error(transactionId, "Parameter \"concernedDate\" must not be null.", null);
            throw new NullPointerException("Parameter \"concernedDate\" must not be null.");
        }
        if (this.H == null) {
            I.error(transactionId, "Profile must't be null", null);
            throw new NullPointerException("Profile mustn't be null");
        }
        // Reset per-call state; this also discards fingerprints left behind by an earlier failed call.
        this.D.clear();
        this.F = null;
        A(z, transactionId);
        A(x509CertificateArr, z, z2, transactionId);
        return A(x509crlArr, oCSPResponseArr, z, transactionId);
    }

    /**
     * Wraps caller-supplied CRLs and OCSP responses as supplemental revocation sources.
     * The tables are only populated when the validation profile enables revocation checking.
     *
     * <p>NOTE(review): nothing in this method verifies signatures or freshness of the
     * supplied CRLs or OCSP responses; that is presumably left to the path validator.
     * Confirm before accepting revocation data from an untrusted party.
     *
     * @param x509crlArr supplemental CRLs, or null; null entries are skipped with a warning
     * @param oCSPResponseArr supplemental OCSP responses, or null; null entries are skipped with a warning
     * @param z true to use supplemental revocation data only
     * @param transactionId id used for logging
     * @return the supplemental revocation sources object created by the revocation factory
     * @throws IllegalArgumentException in supplemental-only mode when both arrays are null,
     *         or both are non-null and empty
     * @throws PKIException on duplicate CRLs or OCSP entries, or when CRL data cannot be read
     */
    protected SupplementalRevocationSources A(X509CRL[] x509crlArr, OCSPResponse[] oCSPResponseArr, boolean z, TransactionId transactionId) {
        SupplementalRevocationSources createSupplementalRevocationSources = RevocationFactory.getInstance(transactionId).createSupplementalRevocationSources(z);
        if (this.H.getValidationProfile().getRevocationChecking()) {
            if (z) {
                if (x509crlArr == null && oCSPResponseArr == null) {
                    I.error(transactionId, "Should use supplemental revocation data only, but no supplemental revocation data available.", null);
                    throw new IllegalArgumentException("Should use supplemental revocation data only, but no supplemental revocation data available.");
                }
                // NOTE(review): this only rejects "both non-null and both empty". One null array
                // plus one empty array, or arrays holding only null entries, pass both checks, so
                // supplemental-only mode can proceed with no revocation data at all. How the
                // validator treats that case is not visible here.
                if (x509crlArr != null && x509crlArr.length == 0 && oCSPResponseArr != null && oCSPResponseArr.length == 0) {
                    I.error(transactionId, "Should use supplemental revocation data only, but no supplemental revocation data available.", null);
                    throw new IllegalArgumentException("Should use supplemental revocation data only, but no supplemental revocation data available.");
                }
            }
            if (x509crlArr != null) {
                int length = x509crlArr.length;
                // Keyed by normalized issuer name concatenated with the CRL's reason flags.
                Hashtable hashtable = new Hashtable(length);
                for (int i = 0; i < length; i++) {
                    X509CRL x509crl = x509crlArr[i];
                    if (x509crl != null) {
                        CRLRevocationSource cRLRevocationSource = (CRLRevocationSource) RevocationFactory.getInstance(transactionId).createRevocationSource(Constants.DUMMY_URI, "crl");
                        // Assumes the factory returns a MemoryCRLRevocationSource for the dummy URI.
                        ((MemoryCRLRevocationSource) cRLRevocationSource).setCRL(x509crl, transactionId);
                        cRLRevocationSource.setIsSupplemental();
                        try {
                            IssuingDistributionPoint issuingDistributionPoint = (IssuingDistributionPoint) x509crl.getExtension(IssuingDistributionPoint.oid);
                            // -1 stands for "no issuing distribution point extension present".
                            int reasonFlags = issuingDistributionPoint != null ? issuingDistributionPoint.getReasonFlags() : -1;
                            try {
                                Name name = (Name) x509crl.getIssuerDN();
                                String stringBuffer = new StringBuffer().append(NameUtils.getNormalizedName(name)).append(reasonFlags).toString();
                                // Two CRLs from the same issuer with the same reason flags are rejected, not merged.
                                if (hashtable.get(stringBuffer) != null) {
                                    throw new PKIException(new StringBuffer("Duplicate supplemental CRL (issuer: ").append(name).append(", reason code: ").append(reasonFlags).append(").").toString(), null, new StringBuffer().append(getClass().getName()).append(":6").toString());
                                }
                                hashtable.put(stringBuffer, cRLRevocationSource);
                            } catch (UtilsException e) {
                                throw new PKIException("Error on normalizing issuer name of supplemental CRL.", e, new StringBuffer().append(getClass().getName()).append(":4").toString());
                            }
                        } catch (X509ExtensionInitException e2) {
                            // NOTE(review): the cause e2 is dropped (null is passed), which loses
                            // diagnostic detail about the malformed extension.
                            throw new PKIException("Error when trying to read Issuing distribution point extension of supplemental crl.", null, new StringBuffer().append(getClass().getName()).append(":8").toString());
                        }
                    } else {
                        I.warn(transactionId, new StringBuffer("Entry number ").append(i).append(" in array \"supplementalCrls\" is null, ignoring ...").toString(), null);
                    }
                }
                createSupplementalRevocationSources.setCrlRevocationSources(hashtable);
                I.debug(transactionId, new StringBuffer("Built supplemental CRL revocation sources table. Size: ").append(hashtable.size()).toString(), null);
            }
            if (oCSPResponseArr != null) {
                int length2 = oCSPResponseArr.length;
                // Keyed by the CertID of each single response.
                Hashtable hashtable2 = new Hashtable(length2);
                for (int i2 = 0; i2 < length2; i2++) {
                    OCSPResponse oCSPResponse = oCSPResponseArr[i2];
                    if (oCSPResponse != null) {
                        // NOTE(review): getResponse() is cast and dereferenced without a null or type
                        // check, and getReqCert() is cast to CertID below. A response without a basic
                        // body, or with another request-certificate form, would presumably fail here
                        // with an unchecked exception rather than a PKIException. Verify.
                        for (SingleResponse singleResponse : ((BasicOCSPResponse) oCSPResponse.getResponse()).getSingleResponses()) {
                            ReqCert reqCert = singleResponse.getReqCert();
                            CertID certID = (CertID) reqCert.getReqCert();
                            if (hashtable2.get(certID) != null) {
                                throw new PKIException("Duplicate supplemental OCSP response for the same certificate.", null, new StringBuffer().append(getClass().getName()).append(":7").toString());
                            }
                            OCSPRevocationSource oCSPRevocationSource = (OCSPRevocationSource) RevocationFactory.getInstance(transactionId).createRevocationSource(Constants.DUMMY_URI, RevocationSourceTypes.OCSP);
                            oCSPRevocationSource.setReqCert(reqCert);
                            oCSPRevocationSource.setOCSPResponse(oCSPResponse, transactionId);
                            oCSPRevocationSource.setIsSupplemental();
                            hashtable2.put(certID, oCSPRevocationSource);
                        }
                    } else {
                        I.warn(transactionId, new StringBuffer("Entry number ").append(i2).append(" in array \"supplementalOCSPResponses\" is null, ignoring ...").toString(), null);
                    }
                }
                createSupplementalRevocationSources.setOcspRevocationSources(hashtable2);
                I.debug(transactionId, new StringBuffer("Built supplemental OCSP revocation sources table. Size: ").append(hashtable2.size()).toString(), null);
            }
        }
        return createSupplementalRevocationSources;
    }

    /**
     * Debug-logs the serial number and subject DN of every certificate in a chain.
     * Does nothing unless debug logging is enabled.
     *
     * @param list chain of {@code CertInfo} entries
     * @param i 1-based number of the chain, used in the log header
     * @param transactionId id used for logging
     */
    protected void A(List list, int i, TransactionId transactionId) {
        if (!I.isDebugEnabled()) {
            return;
        }
        StringBuffer stringBuffer = new StringBuffer(new StringBuffer("Validating chain number ").append(i).append(DBTypeParser.SEPARATOR).toString());
        int i2 = 1;
        try {
            Iterator it = list.iterator();
            while (true) {
                int i3 = i2;
                if (!it.hasNext()) {
                    I.debug(transactionId, stringBuffer.toString(), null);
                    return;
                }
                X509Certificate certificate = ((CertInfo) it.next()).getCertificate(transactionId);
                stringBuffer.append(Constants.LINE_SEPARATOR);
                stringBuffer.append("cert ");
                stringBuffer.append(i3);
                stringBuffer.append(": srlNr: ");
                stringBuffer.append(certificate.getSerialNumber());
                stringBuffer.append(", subjectDN: ");
                stringBuffer.append(certificate.getSubjectDN());
                i2 = i3 + 1;
            }
        } catch (CertInfoStoreException e) {
            // Best effort: if a certificate cannot be loaded, log only the header line.
            I.debug(transactionId, new StringBuffer("Validating chain number ").append(i).append(DBTypeParser.SEPARATOR).toString(), null);
        }
    }

    /**
     * Selects the working cert info store {@link #F} for the current call.
     *
     * <p>With auto-add enabled and not in supplemental-only mode, the default store is
     * used directly and must have a writeable cert store. Otherwise a fresh in-memory
     * store is created; outside supplemental-only mode the default store's cert stores
     * are added to it as well.
     *
     * <p>NOTE(review): {@link #A} is dereferenced without a null check, so
     * {@code setDefaultCertInfoStore} must have been called first.
     *
     * @param z true to use supplemental data only
     * @param transactionId id used for logging
     * @throws PKIException if auto-add is enabled but no writeable cert store is configured
     */
    protected void A(boolean z, TransactionId transactionId) {
        if (this.H.autoAddCertificates() != 0 && !z) {
            if (!this.A.hasWriteableCertStore(transactionId)) {
                throw new PKIException("Can not auto add certificates, no writeable certstore configured", null, new StringBuffer().append(getClass().getName()).append(":3").toString());
            }
            this.F = this.A;
            return;
        }
        if (this.H.autoAddCertificates() == 0) {
            I.info(transactionId, "Enable AutoAddCertificates to increase performance.", null);
        }
        this.F = CertInfoStoreFactory.getInstance(new CertStore[]{CertStoreFactory.getInstance(new GenericCertStoreParameters(E, false, "memory"), transactionId)});
        if (z) {
            // Supplemental-only: the working store contains nothing but the in-memory store.
            return;
        }
        Iterator it = this.A.getCertStores(transactionId).iterator();
        while (it.hasNext()) {
            this.F.addCertStore((CertStore) it.next(), transactionId);
        }
    }

    /**
     * Loads caller-supplied certificates into the working store. In supplemental-only
     * mode with auto-add enabled and a writeable default store, they are also written
     * to the default store.
     *
     * <p>NOTE(review): the certificates are stored before any validation has run.
     * Confirm that the cert store is only used for path building and never as a source of trust.
     *
     * @param x509CertificateArr supplemental certificates, or null; null entries are skipped with a warning
     * @param z true to use supplemental data only
     * @param z2 true to allow supplemental-only mode without any supplemental certificates
     * @param transactionId id used for logging
     * @throws IllegalArgumentException if {@code z && !z2} and the array is null or empty
     */
    protected void A(X509Certificate[] x509CertificateArr, boolean z, boolean z2, TransactionId transactionId) {
        if (z && !z2) {
            if (x509CertificateArr == null) {
                I.error(transactionId, "Should use supplemental certificate data only, but no supplemental certificate data available.", null);
                throw new IllegalArgumentException("Should use supplemental certificate data only, but no supplemental certificate data available.");
            }
            // The null test here is redundant after the check above (decompiler residue).
            if (x509CertificateArr != null && x509CertificateArr.length == 0) {
                I.error(transactionId, "Should use supplemental certificate data only, but no supplemental certificate data available.", null);
                throw new IllegalArgumentException("Should use supplemental certificate data only, but no supplemental certificate data available.");
            }
        }
        if (x509CertificateArr != null) {
            for (int i = 0; i < x509CertificateArr.length; i++) {
                X509Certificate x509Certificate = x509CertificateArr[i];
                if (x509Certificate != null) {
                    this.F.createCertInfo(x509Certificate, true, transactionId);
                    if (z && this.H.autoAddCertificates() > 0 && this.A != null && this.A.hasWriteableCertStore(transactionId)) {
                        this.A.createCertInfo(x509Certificate, true, transactionId);
                    }
                } else {
                    I.warn(transactionId, new StringBuffer("Entry number ").append(i).append(" in array \"supplementalCertificates\" is null, ignoring ...").toString(), null);
                }
            }
        }
    }

    /**
     * Checks that every key-usage bit requested in {@code zArr} is set in the
     * certificate's key usage.
     *
     * <p>A null {@code zArr} disables the check and the method returns true, so callers
     * that need key-usage enforcement must always pass a mask.
     *
     * @param zArr required key-usage bits (length 9), or null to skip the check
     * @param x509Certificate end-entity certificate to inspect
     * @param transactionId id used for logging
     * @return true if the check is disabled or all requested bits are present; false otherwise
     * @throws PKIException if {@code zArr} does not have length 9, or the certificate has no key usage
     */
    protected boolean A(boolean[] zArr, X509Certificate x509Certificate, TransactionId transactionId) {
        if (zArr == null) {
            I.debug(transactionId, "EE cert key usage checked disabled", null);
            return true;
        }
        if (zArr.length != 9) {
            throw new PKIException("key usage boolean[] must be of length 9", null, new StringBuffer().append(getClass().getName()).append(":1").toString());
        }
        I.debug(transactionId, "Checking EE cert key usage", null);
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            throw new PKIException("Certificate does not have any key usage extension", null, new StringBuffer().append(getClass().getName()).append(":2").toString());
        }
        // assumes getKeyUsage() returns at least 9 entries, since it is indexed up to 8 - TODO confirm
        for (int i = 0; i < zArr.length; i++) {
            // Equivalent to (zArr[i] && !keyUsage[i]): a requested bit the certificate lacks.
            if (zArr[i] != (zArr[i] && keyUsage[i])) {
                return false;
            }
        }
        return true;
    }

    /**
     * Sets the default cert info store.
     *
     * @param certInfoStore store to use; must not be null
     * @throws NullPointerException if {@code certInfoStore} is null
     */
    @Override // iaik.pki.PKIModule
    public void setDefaultCertInfoStore(CertInfoStore certInfoStore) {
        if (certInfoStore == null) {
            throw new NullPointerException("Default CertInfoStore must not be null");
        }
        this.A = certInfoStore;
    }

    /**
     * Sets the path constructor used for single-certificate validation.
     *
     * @param certPathConstructor constructor to use; must not be null
     * @throws NullPointerException if {@code certPathConstructor} is null
     */
    @Override // iaik.pki.PKIModule
    public void setPathConstructor(CertPathConstructor certPathConstructor) {
        if (certPathConstructor == null) {
            throw new NullPointerException("Path constructor must not be null");
        }
        this.G = certPathConstructor;
    }

    /**
     * Sets the factory that supplies path validators.
     *
     * @param validationFactory factory to use; must not be null
     * @throws NullPointerException if {@code validationFactory} is null
     */
    @Override // iaik.pki.PKIModule
    public void setValidationFactory(ValidationFactory validationFactory) {
        if (validationFactory == null) {
            throw new NullPointerException("Validation factory must not be null");
        }
        this.C = validationFactory;
    }

    /**
     * Validates a certificate using optional supplemental certificates, CRLs and OCSP responses.
     *
     * @param date validation date; null is rejected by the preparation step
     * @param x509Certificate end-entity certificate; must not be null
     * @param x509CertificateArr supplemental certificates, or null
     * @param x509crlArr supplemental CRLs, or null
     * @param oCSPResponseArr supplemental OCSP responses, or null
     * @param z true to use supplemental data only
     * @param zArr required key-usage bits (length 9), or null to skip the key-usage check
     * @param transactionId id used for logging
     * @return the validation result
     * @throws NullPointerException if the certificate or the date is null
     */
    @Override // iaik.pki.PKIModule
    public synchronized PKIResult validateCertificate(Date date, X509Certificate x509Certificate, X509Certificate[] x509CertificateArr, X509CRL[] x509crlArr, OCSPResponse[] oCSPResponseArr, boolean z, boolean[] zArr, TransactionId transactionId) {
        if (x509Certificate == null) {
            I.error(transactionId, "End entity certificate must not be null.", null);
            throw new NullPointerException("End entity certificate must not be null.");
        }
        // The inner call prepares per-call state and builds the supplemental revocation sources.
        return A(date, x509Certificate, A(date, x509CertificateArr, x509crlArr, oCSPResponseArr, z, false, transactionId), zArr, false, false, false, transactionId);
    }

    /**
     * Validates a certificate with supplemental certificates only: no supplemental
     * revocation data, and supplemental-only mode off.
     *
     * @param date validation date
     * @param x509Certificate end-entity certificate; must not be null
     * @param x509CertificateArr supplemental certificates, or null
     * @param zArr required key-usage bits (length 9), or null to skip the key-usage check
     * @param transactionId id used for logging
     * @return the validation result
     */
    @Override // iaik.pki.PKIModule
    public synchronized PKIResult validateCertificate(Date date, X509Certificate x509Certificate, X509Certificate[] x509CertificateArr, boolean[] zArr, TransactionId transactionId) {
        return validateCertificate(date, x509Certificate, x509CertificateArr, null, null, false, zArr, transactionId);
    }

    /**
     * Validates a caller-supplied chain using optional supplemental certificates, CRLs
     * and OCSP responses.
     *
     * @param date validation date; null is rejected by the preparation step
     * @param z true to require that the last chain certificate is trusted by the trust store
     * @param x509CertificateArr chain to validate, end entity first; must be non-null and non-empty
     * @param x509CertificateArr2 supplemental certificates, or null
     * @param x509crlArr supplemental CRLs, or null
     * @param oCSPResponseArr supplemental OCSP responses, or null
     * @param z2 true to use supplemental data only
     * @param zArr required key-usage bits (length 9), or null to skip the key-usage check
     * @param transactionId id used for logging
     * @return the validation result
     * @throws NullPointerException if the chain or the date is null
     * @throws IllegalArgumentException if the chain is empty
     */
    @Override // iaik.pki.PKIModule
    public synchronized PKIResult validateCertificateChain(Date date, boolean z, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, X509CRL[] x509crlArr, OCSPResponse[] oCSPResponseArr, boolean z2, boolean[] zArr, TransactionId transactionId) {
        if (x509CertificateArr == null) {
            I.error(transactionId, "Argument \"certificateChain\" must not be null.", null);
            throw new NullPointerException("Argument \"certificateChain\" must not be null.");
        }
        if (x509CertificateArr.length == 0) {
            I.error(transactionId, "Certificate chain to be validated must not be empty.", null);
            throw new IllegalArgumentException("Certificate chain to be validated must not be empty.");
        }
        // Preparation runs with z2 == true for the supplemental-certificate check, so
        // supplemental-only mode is accepted even without supplemental certificates.
        return A(date, z, x509CertificateArr, A(date, x509CertificateArr2, x509crlArr, oCSPResponseArr, z2, true, transactionId), zArr, false, false, transactionId);
    }

    /**
     * Validates a caller-supplied chain without any supplemental data. This overload is
     * not itself synchronized; it delegates to the synchronized nine-argument overload.
     *
     * @param date validation date
     * @param z true to require that the last chain certificate is trusted by the trust store
     * @param x509CertificateArr chain to validate, end entity first
     * @param zArr required key-usage bits (length 9), or null to skip the key-usage check
     * @param transactionId id used for logging
     * @return the validation result
     */
    @Override // iaik.pki.PKIModule
    public PKIResult validateCertificateChain(Date date, boolean z, X509Certificate[] x509CertificateArr, boolean[] zArr, TransactionId transactionId) {
        return validateCertificateChain(date, z, x509CertificateArr, null, null, null, false, zArr, transactionId);
    }
}
