package iaik.pki.pathvalidation;

import iaik.asn1.ObjectID;
import iaik.asn1.structures.GeneralName;
import iaik.asn1.structures.Name;
import iaik.logging.Log;
import iaik.logging.LogFactory;
import iaik.logging.TransactionId;
import iaik.pki.PKIModule;
import iaik.pki.RevocationTrustProfileImpl;
import iaik.pki.revocation.CertificateStatusChecker;
import iaik.pki.revocation.RevocationProfile;
import iaik.pki.revocation.RevocationStatus;
import iaik.pki.store.certinfo.CertInfo;
import iaik.pki.store.certinfo.CertInfoStoreException;
import iaik.pki.store.certinfo.CertIssuer;
import iaik.pki.store.revocation.RevocationFactory;
import iaik.pki.store.revocation.RevocationInfo;
import iaik.pki.store.revocation.SupplementalRevocationSources;
import iaik.pki.utils.CertUtil;
import iaik.pki.utils.Constants;
import iaik.pki.utils.DBTypeParser;
import iaik.pki.utils.NameUtils;
import iaik.pki.utils.UtilsException;
import iaik.utils.CryptoUtils;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.BasicConstraints;
import iaik.x509.extensions.CertificatePolicies;
import iaik.x509.extensions.InhibitAnyPolicy;
import iaik.x509.extensions.KeyUsage;
import iaik.x509.extensions.NameConstraints;
import iaik.x509.extensions.PolicyConstraints;
import iaik.x509.extensions.PolicyMappings;
import iaik.x509.extensions.SubjectAltName;
import iaik.x509.extensions.SubjectKeyIdentifier;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
public class Q implements ValidationStatus, Validator {
    // Name of the system property read by validateChain(). Only when it is set to "true"
    // (case-insensitive) is a single-certificate chain whose certificate is expired or not yet
    // valid reported as INVALID; otherwise validateChain() logs a warning and accepts it as a
    // trust anchor. Deployments that need validity-period enforcement on trust anchors must set it.
    public static final String M = "iaik.pki.pathvalidation.CheckOneCertChainValidity";
    // Logger shared by all validator instances.
    protected static Log P = LogFactory.getLog(Constants.MODULE_NAME);
    // pathLenConstraint taken from the current certificate's BasicConstraints; validateChain()
    // resets it to -1 and only overwrites it when the cA flag is set.
    protected int A;
    // requireExplicitPolicy counter (see getRequireExplicitPolicy()).
    protected int B;
    // Permitted name-constraint subtrees (see getPermittedSubtrees()).
    protected E C;
    // The chain currently being validated, as handed to B(List, TransactionId).
    protected List D;
    // cA flag of the current certificate's BasicConstraints; false when the extension is absent
    // or cannot be parsed.
    protected boolean E;
    // inhibitAnyPolicy counter (see getInhibitAnyPolicy()).
    protected int F;
    // Validation configuration; assigned once by A(ValidationConfiguration, TransactionId).
    protected ValidationConfiguration G;
    // Revocation status checker; assigned by setCertificateStatusChecker().
    protected CertificateStatusChecker H;
    // Validation profile supplied to the constructor; never null.
    protected ValidationProfile I;
    // Excluded name-constraint subtrees (see getExcludedSubtrees()).
    protected K J;
    // Root of the valid policy tree; null when policy processing is off or the tree was cleared.
    protected G K;
    // inhibitPolicyMapping counter (see getInhibitPolicyMapping()).
    protected int L;
    // Maximum path length (see getMaxPathLength()); B(List, TransactionId) initialises it to
    // chain size minus one.
    protected int N;
    // Index of the certificate being processed; reset to 0 by B(List, TransactionId) and
    // incremented by validateChain() for each certificate below the trust anchor.
    protected int O;

    /**
     * Creates a validator bound to the given validation profile.
     *
     * @param validationProfile profile steering policy, name-constraint and revocation
     *     processing; it and its initial policy set must both be non-null
     * @throws NullPointerException if the profile or its initial policy set is {@code null}
     */
    public Q(ValidationProfile validationProfile) {
        final boolean profileMissing = validationProfile == null;
        if (profileMissing) {
            throw new NullPointerException("null profile not allowed");
        }
        final Set initialPolicies = validationProfile.getInitialPolicySet();
        if (initialPolicies == null) {
            throw new NullPointerException("Initial policy set mustn't be null");
        }
        I = validationProfile;
    }

    /**
     * Decrements a path-processing counter that has not yet reached zero.
     *
     * @param i current counter value
     * @return {@code i - 1} for positive values; zero and negative values are returned unchanged
     */
    protected static int A(int i) {
        if (i <= 0) {
            // A counter at (or below) zero has already taken effect and stays where it is.
            return i;
        }
        return i - 1;
    }

    /**
     * Checks whether the certificate's validity period covers the given instant.
     *
     * @param x509Certificate certificate to check
     * @param date reference time
     * @param transactionId id used for log correlation
     * @return {@code 0} if valid at {@code date}, {@code -1} if expired, {@code 1} if not yet
     *     valid
     */
    protected int A(X509Certificate x509Certificate, Date date, TransactionId transactionId) {
        P.debug(transactionId, "Checking certificate validity at " + date, null);
        int outcome;
        try {
            x509Certificate.checkValidity(date);
            outcome = 0;
        } catch (CertificateExpiredException expired) {
            P.debug(transactionId, "Certificate expired", null);
            outcome = -1;
        } catch (CertificateNotYetValidException premature) {
            P.debug(transactionId, "Certificate not yet valid ", null);
            outcome = 1;
        }
        return outcome;
    }

    /**
     * Returns the notBefore date of the certificate.
     *
     * <p>In chain mode validateChain() uses this value, taken from the next certificate down the
     * chain, as the reference time at which the issuing certificate must be valid.
     *
     * @param x509Certificate certificate whose issuing date is wanted
     * @param transactionId id used for log correlation
     * @return the certificate's notBefore date
     */
    protected Date A(X509Certificate x509Certificate, TransactionId transactionId) {
        final String message = "Getting issuing date for cert " + x509Certificate.getSubjectDN();
        P.debug(transactionId, message, null);
        return x509Certificate.getNotBefore();
    }

    /**
     * Extracts the certificates from a list of {@code CertInfo} entries.
     *
     * <p>Entries whose certificate cannot be loaded are logged and left out, so the returned list
     * can be shorter than the input. Callers that index into the result must not assume it lines
     * up with the original chain.
     *
     * @param list {@code CertInfo} entries, or {@code null}
     * @param transactionId id used for log correlation
     * @return a new list of certificates; empty when {@code list} is {@code null}
     */
    protected List A(List list, TransactionId transactionId) {
        ArrayList certificates = new ArrayList();
        if (list == null) {
            return certificates;
        }
        for (ListIterator cursor = list.listIterator(); cursor.hasNext();) {
            CertInfo entry = (CertInfo) cursor.next();
            try {
                certificates.add(entry.getCertificate(transactionId));
            } catch (CertInfoStoreException storeFailure) {
                // Best effort: the result is only attached to a ValidationResult for reporting.
                P.error(transactionId, "Cannot get certificate out of certinfo", storeFailure);
            }
        }
        return certificates;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Installs the validation configuration. This can be done exactly once per validator, which
     * keeps the chaining-mode source from being swapped after set-up.
     *
     * @param validationConfiguration configuration to install; must not be {@code null}
     * @param transactionId id used for log correlation
     * @throws NullPointerException if {@code validationConfiguration} is {@code null}
     * @throws ValidationException if a configuration has already been installed
     */
    public synchronized void A(ValidationConfiguration validationConfiguration, TransactionId transactionId) {
        if (validationConfiguration == null) {
            throw new NullPointerException("Valdiation configuration must not be null.");
        }
        if (this.G == null) {
            P.debug(transactionId, "Validator successfully configured.", null);
            this.G = validationConfiguration;
            return;
        }
        P.error(transactionId, "Validator is already configured.", null);
        throw new ValidationException("Validator is already configured.", null, getClass().getName() + ":7");
    }

    /**
     * Runs the registered handler for one extension and marks that extension as processed.
     *
     * <p>The OID is removed from {@code set} whether or not the handler succeeded. It is not
     * removed if the handler throws.
     *
     * @param objectID OID of the extension to process
     * @param x509Certificate certificate carrying the extension
     * @param set OIDs of extensions still awaiting processing; modified in place
     * @param transactionId id used for log correlation
     * @return the result reported by {@code ExtensionHandler.handleExtension}
     */
    protected boolean A(ObjectID objectID, X509Certificate x509Certificate, Set set, TransactionId transactionId) {
        final String extensionOid = objectID.getID();
        final boolean handled = ExtensionHandler.handleExtension(extensionOid, this, x509Certificate, transactionId);
        set.remove(extensionOid);
        return handled;
    }

    /* JADX WARN: Unsupported multi-entry loop pattern (BACK_EDGE: B:71:0x01bb -> B:64:0x000b). Please report as a decompilation issue!!! */
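    /**
     * Decides whether {@code certIssuer} is an acceptable issuer of {@code certInfo}.
     *
     * <p>Checks run in this order: PKIX name chaining (only while the issuer status is 0),
     * key-identifier matching through the subject's AuthorityKeyIdentifier (skipped when the
     * status is 2), then signature verification. The outcome is cached on {@code certIssuer}:
     * -1 marks a rejected issuer, 1 a passed name check and 3 a verified signature. A cached -1
     * or 3 short-circuits every check.
     *
     * <p>NOTE(review): the cached status lives on the issuer object alone. Confirm that a
     * {@code CertIssuer} instance is never reused for a different subject certificate or working
     * key; otherwise a cached 3 would be returned without any check on that pair.
     *
     * @param certInfo entry holding the subject certificate
     * @param z whether the subject is self-issued (callers pass {@code certInfo.isSelfIssued()});
     *     a missing AuthorityKeyIdentifier is tolerated only in that case
     * @param certIssuer candidate issuer entry; its status is updated as a side effect
     * @param publicKey key to verify the signature with, or {@code null} to use the issuer
     *     certificate's own public key
     * @param transactionId id used for log correlation
     * @return {@code true} if the issuer was accepted, {@code false} otherwise
     * @throws ValidationException if the name comparison itself fails
     */
    protected boolean A(CertInfo certInfo, boolean z, CertIssuer certIssuer, PublicKey publicKey, TransactionId transactionId) {
        int status = certIssuer.getStatus();
        if (status == -1) {
            return false;
        }
        if (status == 3) {
            return true;
        }
        try {
            X509Certificate subjectCert = certInfo.getCertificate(transactionId);
            X509Certificate issuerCert = certIssuer.getCertificate(transactionId);
            if (status == 0) {
                try {
                    if (!CertUtil.checkPKIXChainNaming(issuerCert, subjectCert)) {
                        certIssuer.setStatus(-1);
                        P.debug(transactionId, "Chaining invalid, issuerDN of subject cert does not match subjectDN of issuer cert.", null);
                        return false;
                    }
                    certIssuer.setStatus(1);
                } catch (UtilsException nameError) {
                    throw new ValidationException("Error comparing certificate names.", nameError, new StringBuffer().append(getClass().getName()).append(DBTypeParser.SEPARATOR).toString());
                }
            }
            if (status != 2) {
                P.debug(transactionId, "Checking key id.", null);
                try {
                    AuthorityKeyIdentifier authorityKeyIdentifier = (AuthorityKeyIdentifier) subjectCert.getExtension(AuthorityKeyIdentifier.oid);
                    if (authorityKeyIdentifier != null) {
                        byte[] keyIdentifier = authorityKeyIdentifier.getKeyIdentifier();
                        if (keyIdentifier == null) {
                            // Without a keyIdentifier the issuer must be pinned by authorityCertIssuer plus
                            // serial number. authorityCertIssuer may be absent too (the log message below
                            // anticipates that), so guard it; an attacker-supplied certificate is then
                            // rejected cleanly rather than raising a NullPointerException.
                            GeneralName[] names = authorityKeyIdentifier.getAuthorityCertIssuer() == null
                                    ? null
                                    : authorityKeyIdentifier.getAuthorityCertIssuer().getNames(4);
                            if (names == null) {
                                P.debug(transactionId, "Neither a KeyIdentifier nor a AuthorityCertIssuer included in AuthorityKeyIdentifier extension.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                            if (names.length != 1) {
                                P.debug(transactionId, "More than one Directory Name included in AuthorityCertIssuer of AuthorityKeyIdentifier extension.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                            try {
                                // authorityCertIssuer/serial name the issuer's own certificate, so they are
                                // compared with the issuer certificate's issuer DN and serial number.
                                if (!NameUtils.getNormalizedName((Name) names[0].getName()).equals(NameUtils.getNormalizedName((Name) issuerCert.getIssuerDN()))) {
                                    P.debug(transactionId, "AuthorityCertIssuer in AuthorityKeyIdentifier of certificate does not match IssuerDN of issuer certificate.", null);
                                    certIssuer.setStatus(-1);
                                    return false;
                                }
                                BigInteger authorityCertSerialNumber = authorityKeyIdentifier.getAuthorityCertSerialNumber();
                                if (authorityCertSerialNumber == null) {
                                    P.debug(transactionId, "AuthorityCertIssuer but no AuthorityCertSerialNumber included in AuthorityKeyIdentifier extension.", null);
                                    certIssuer.setStatus(-1);
                                    return false;
                                }
                                if (!authorityCertSerialNumber.equals(issuerCert.getSerialNumber())) {
                                    P.debug(transactionId, "AuthorityCertSerialNumber in AuthorityKeyIdentifier of certificate does not match serial number of issuer certificate.", null);
                                    certIssuer.setStatus(-1);
                                    return false;
                                }
                                P.debug(transactionId, "AuthorityCertIssuer and AuthorityCertSerialNumber in AuthorityKeyIdentifier of certificate match SubjectDN and serial number of issuer certificate.", null);
                            } catch (UtilsException normalizeError) {
                                P.debug(transactionId, "Could not compare AuthorityCertIssuer in AuthorityKeyIdentifier extension of certificate with SubjectDN of issuer certificate.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            } catch (ClassCastException notDirectoryName) {
                                P.debug(transactionId, "AuthorityCertIssuer in AuthorityKeyIdentifier extension is not a Directory Name.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                        } else {
                            SubjectKeyIdentifier subjectKeyIdentifier = (SubjectKeyIdentifier) issuerCert.getExtension(SubjectKeyIdentifier.oid);
                            if (subjectKeyIdentifier == null) {
                                P.debug(transactionId, "Could not compare key identifiers. No SubjectKeyidentifier included in issuer certificate.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                            if (!Arrays.equals(keyIdentifier, subjectKeyIdentifier.get())) {
                                certIssuer.setStatus(-1);
                                P.debug(transactionId, "Cert chaining invalid, key identifiers don't match.", null);
                                return false;
                            }
                        }
                    } else if (!z) {
                        certIssuer.setStatus(-1);
                        P.debug(transactionId, "Cert chaining invalid, no AuthorityKeyidentifier included.", null);
                        return false;
                    }
                } catch (X509ExtensionInitException parseError) {
                    // An unparsable key-identifier extension skips the identifier match; the signature
                    // check below still has to pass before the issuer is accepted.
                    P.info(transactionId, "CertIssuer: exception parsing extensions", parseError);
                }
            }
            try {
                // Read the issuer key even when a working key is supplied, so a broken issuer key
                // still fails the check through the catch below.
                PublicKey issuerKey = issuerCert.getPublicKey();
                if (publicKey == null) {
                    publicKey = issuerKey;
                }
                subjectCert.verify(publicKey);
                // NOTE(review): the meaning of compareBlock's -1 result is not visible here; going by the
                // log message, this branch rejects two distinct certificates that carry the same
                // signature value. Confirm against CryptoUtils.
                if (CryptoUtils.compareBlock(subjectCert.getSignature(), issuerCert.getSignature()) != -1 || issuerCert.equals(subjectCert)) {
                    P.debug(transactionId, "Signature successfully verified.", null);
                    certIssuer.setStatus(3);
                    certInfo.addIssuer(certIssuer, transactionId);
                    return true;
                }
                P.info(transactionId, "Found two different certificates in the path with the same signature.", null);
                return false;
            } catch (Exception verifyFailure) {
                // Fail closed: any error during verification rejects the issuer.
                P.debug(transactionId, "Signature verification failed.", verifyFailure);
                certIssuer.setStatus(-1);
                return false;
            }
        } catch (CertInfoStoreException storeFailure) {
            P.error(transactionId, "Can't get certificate", storeFailure);
            return false;
        }
    }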

    /**
     * Re-runs the issuer check for every link from position {@code i} down to the start of the
     * list. validateChain() calls it after a failed revocation check to decide between
     * REVOCATION_FAILED and CHAINING_FAILED.
     *
     * <p>NOTE(review): {@code M.A(...)} is presumably a helper class named {@code M} that derives
     * the next working key, not the String constant {@code M} of this class; the name clash looks
     * like a decompilation artefact.
     *
     * @param list chain entries; the entry at {@code i} is the first issuer
     * @param i index of the entry to start from
     * @param publicKey working key for the first link
     * @param transactionId id used for log correlation
     * @return {@code true} if every link below {@code i} chains correctly
     */
    protected boolean A(List list, int i, PublicKey publicKey, TransactionId transactionId) {
        ListIterator cursor = list.listIterator(i + 1);
        CertIssuer issuer = (CertIssuer) cursor.previous();
        PublicKey workingKey = publicKey;
        while (cursor.hasPrevious()) {
            CertInfo subject = (CertInfo) cursor.previous();
            boolean chained = A(subject, subject.isSelfIssued(), issuer, workingKey, transactionId);
            if (!chained) {
                return false;
            }
            PublicKey subjectKey = subject.getCertificate(transactionId).getPublicKey();
            workingKey = M.A(subjectKey, workingKey, transactionId);
            if (cursor.hasPrevious()) {
                // The certificate just checked becomes the issuer of the next one down.
                issuer = (CertIssuer) subject;
            }
        }
        return true;
    }

    /**
     * Stores the chain and initialises the path-processing state for it.
     *
     * <p>For chains longer than one certificate the three policy counters are set to 0 when the
     * matching profile flag is set and to n + 1 otherwise, where n is the chain size minus one
     * (the same initial values as in RFC 5280, section 6.1.2). When name-constraints processing
     * is disabled the subtree fields are left untouched, and a single-certificate chain resets
     * nothing apart from the stored chain.
     *
     * @param list chain to validate; must be non-null and non-empty
     * @param transactionId id used for log correlation
     * @throws NullPointerException if {@code list} is {@code null}
     * @throws ValidationException if {@code list} is empty
     */
    protected void B(List list, TransactionId transactionId) {
        if (list == null) {
            throw new NullPointerException("Can't validate null certpath");
        }
        final int certCount = list.size();
        if (certCount == 0) {
            P.error(transactionId, "Certificate chain must at least contain one cert", null);
            throw new ValidationException("Can't validate empty chain", null, getClass().getName() + ":1");
        }
        this.D = list;
        if (certCount <= 1) {
            return;
        }
        this.O = 0;
        final int pathLength = certCount - 1;
        final int notTriggered = pathLength + 1;
        if (!this.I.getPolicyProcessing()) {
            this.K = null;
        } else {
            this.K = new G();
            this.F = this.I.getInitialAnyPolicyInhibit() ? 0 : notTriggered;
            this.L = this.I.getInitialPolicyMappingInhibit() ? 0 : notTriggered;
            this.B = this.I.getInitialExplicitPolicy() ? 0 : notTriggered;
            if (P.isDebugEnabled()) {
                String counters = "inhibitAnyPolicy = " + this.F
                        + Constants.LINE_SEPARATOR
                        + "inhibitPolicyMapping = " + this.L
                        + Constants.LINE_SEPARATOR
                        + "requireExplicitPolicy = " + this.B;
                P.debug(transactionId, counters, null);
            }
        }
        if (this.I.getNameConstraintsProcessing()) {
            this.C = new E();
            this.J = new K();
        }
        this.N = pathLength;
    }

    /** Discards the valid policy tree; {@link #getPolicyTree()} returns {@code null} afterwards. */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void clearPolicyTree() {
        this.K = null;
    }

    /**
     * Returns the index of the certificate currently being processed. B(List, TransactionId)
     * resets it to 0 and validateChain() increments it for each certificate below the trust
     * anchor.
     *
     * @return the current certificate index
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getCertificateIndex() {
        return O;
    }

    /**
     * Returns the excluded name-constraint subtrees held in the validation state.
     *
     * @return the excluded subtrees; may be {@code null} if never initialised
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public K getExcludedSubtrees() {
        return J;
    }

    /**
     * Returns the inhibitAnyPolicy counter of the validation state.
     *
     * @return the current inhibitAnyPolicy value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getInhibitAnyPolicy() {
        return F;
    }

    /**
     * Returns the inhibitPolicyMapping counter of the validation state.
     *
     * @return the current inhibitPolicyMapping value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getInhibitPolicyMapping() {
        return L;
    }

    /**
     * Returns the maximum path length of the validation state. B(List, TransactionId)
     * initialises it to the chain size minus one.
     *
     * @return the current maximum path length
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getMaxPathLength() {
        return N;
    }

    /**
     * Returns the pathLenConstraint read from the current certificate's BasicConstraints.
     * validateChain() leaves it at -1 unless the extension is present with the cA flag set.
     *
     * @return the path length constraint of the current certificate, or -1
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getPathLenConstraint() {
        return A;
    }

    /**
     * Returns the permitted name-constraint subtrees held in the validation state.
     *
     * @return the permitted subtrees; may be {@code null} if never initialised
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public E getPermittedSubtrees() {
        return C;
    }

    /**
     * Returns the root of the valid policy tree.
     *
     * @return the policy tree root, or {@code null} when policy processing is disabled or the
     *     tree has been cleared
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public PolicyNode getPolicyTree() {
        // Keep the this-qualifier: the field name K is also the name of a class in this package.
        final PolicyNode root = this.K;
        return root;
    }

    /**
     * Returns the requireExplicitPolicy counter of the validation state.
     *
     * @return the current requireExplicitPolicy value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getRequireExplicitPolicy() {
        return B;
    }

    /**
     * Reports whether the current certificate's BasicConstraints has the cA flag set.
     * validateChain() records {@code false} when the extension is missing or unparsable.
     *
     * @return {@code true} if the current certificate is marked as a CA
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public boolean isCaBooleanSet() {
        // Keep the this-qualifier: the field name E is also the name of a class in this package.
        final boolean caFlag = this.E;
        return caFlag;
    }

    /**
     * Reports whether the certificate being processed is the final one of the path, i.e. whether
     * the current certificate index equals the chain size minus one.
     *
     * @return {@code true} if the current index is the last index of the stored chain
     * @throws NullPointerException if no chain has been stored yet
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public boolean isLastCertificate() {
        final int current = O;
        final int lastIndex = D.size() - 1;
        return current == lastIndex;
    }

    /**
     * Installs the revocation status checker used by validateChain().
     *
     * @param certificateStatusChecker checker to use; must not be {@code null}, so revocation
     *     checking cannot be turned off by passing {@code null} here
     * @throws NullPointerException if {@code certificateStatusChecker} is {@code null}
     */
    @Override // iaik.pki.pathvalidation.Validator
    public void setCertificateStatusChecker(CertificateStatusChecker certificateStatusChecker) {
        if (certificateStatusChecker != null) {
            H = certificateStatusChecker;
            return;
        }
        throw new NullPointerException("Staus checker must not be set to null");
    }

    /**
     * Replaces the excluded name-constraint subtrees. The value is stored as given, without
     * validation or copying.
     *
     * @param k new excluded subtrees
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setExcludedSubtrees(K k) {
        J = k;
    }

    /**
     * Overwrites the inhibitAnyPolicy counter. No range check is applied.
     *
     * @param i new inhibitAnyPolicy value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setInhibitAnyPolicy(int i) {
        F = i;
    }

    /**
     * Overwrites the inhibitPolicyMapping counter. No range check is applied.
     *
     * @param i new inhibitPolicyMapping value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setInhibitPolicyMapping(int i) {
        L = i;
    }

    /**
     * Overwrites the maximum path length. No range check is applied.
     *
     * @param i new maximum path length
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setMaxPathLength(int i) {
        N = i;
    }

    /**
     * Replaces the permitted name-constraint subtrees. The value is stored as given, without
     * validation or copying. The misspelt method name is dictated by the ValidationStatus
     * interface.
     *
     * @param e new permitted subtrees
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setPermtittedSubtrees(E e) {
        C = e;
    }

    /**
     * Overwrites the requireExplicitPolicy counter. No range check is applied.
     *
     * @param i new requireExplicitPolicy value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setRequireExplicitPolicy(int i) {
        B = i;
    }

    @Override // iaik.pki.pathvalidation.Validator
    public ValidationResult validateChain(List list, Date date, PKIModule pKIModule, RevocationProfile revocationProfile, SupplementalRevocationSources supplementalRevocationSources, boolean z, TransactionId transactionId) {
        Date date2;
        if (this.G == null) {
            P.error(transactionId, "Validator not yet configured", null);
            throw new ValidationException("Validator not yet configured", null, new StringBuffer().append(getClass().getName()).append(":2").toString());
        }
        B(list, transactionId);
        if (date == null) {
            throw new ValidationException("Profile returned null as validation date", null, new StringBuffer().append(getClass().getName()).append(":3").toString());
        }
        P.debug(transactionId, new StringBuffer("Validation date: ").append(date).toString(), null);
        if (list.size() == 1) {
            CertInfo certInfo = (CertInfo) list.get(0);
            X509Certificate certificate = certInfo.getCertificate(transactionId);
            String chainingMode = this.G.getChainingMode(certificate);
            P.info(transactionId, new StringBuffer("Only one element (\"").append(certificate.getSubjectDN()).append("\") in the chain.").toString(), null);
            if (this.I.getRevocationChecking()) {
                P.info(transactionId, "Don't perform revocation checking for trust anchor", null);
            }
            int A = A(certificate, date, transactionId);
            String property = System.getProperty(M);
            if (property == null || !property.equalsIgnoreCase("true") || A == 0) {
                if (A != 0) {
                    if (A == -1) {
                        P.warn(transactionId, new StringBuffer("Certificate not valid (expired) at ").append(date).append(". Accepting anyway, because it is a trust anchor.").toString(), null);
                    } else {
                        P.warn(transactionId, new StringBuffer("Certificate not yet valid at ").append(date).append(". Accepting anyway, because it is a trust anchor.").toString(), null);
                    }
                }
                return new U(ValidationResult.VALID, certInfo.getCertificate(transactionId).getPublicKey(), null, chainingMode, A(list, transactionId));
            }
            P.info(transactionId, new StringBuffer("certificate not valid at ").append(date).toString(), null);
            U u = new U(ValidationResult.INVALID, certInfo.getCertificate(transactionId).getPublicKey(), null, chainingMode, A(list, transactionId));
            if (A == -1) {
                u.A(ValidationResultInvalid.CERTIFICATE_EXPIRED);
                return u;
            }
            u.A(ValidationResultInvalid.CERTIFICATE_NOT_YET_VALID);
            return u;
        }
        int size = list.size() - 1;
        P.debug(transactionId, new StringBuffer("chain.size(): ").append(list.size()).toString(), null);
        ListIterator listIterator = list.listIterator(size + 1);
        CertInfo certInfo2 = (CertInfo) listIterator.previous();
        if (P.isDebugEnabled()) {
            P.debug(transactionId, new StringBuffer("trust anchor ").append(certInfo2.getCertificate(transactionId)).toString(), null);
        }
        X509Certificate certificate2 = certInfo2.getCertificate(transactionId);
        String chainingMode2 = this.G.getChainingMode(certificate2);
        if (!ChainingModes.ALL.contains(chainingMode2)) {
            throw new ValidationException(new StringBuffer("Invalid chaining mode: ").append(chainingMode2).toString(), null, new StringBuffer().append(getClass().getName()).append(":4").toString());
        }
        P.debug(transactionId, new StringBuffer("Using chaining mode: ").append(chainingMode2).toString(), null);
        if (chainingMode2.equals(ChainingModes.CHAIN_MODE) && listIterator.hasPrevious()) {
            Date A2 = A(((CertInfo) listIterator.previous()).getCertificate(transactionId), transactionId);
            int A3 = A(certificate2, A2, transactionId);
            if (A3 != 0) {
                P.info(transactionId, new StringBuffer("TrustAnchor not valid at ").append(A2).toString(), null);
                U u2 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u2.A(size);
                if (A3 == -1) {
                    u2.A(ValidationResultInvalid.CERTIFICATE_EXPIRED);
                    return u2;
                }
                u2.A(ValidationResultInvalid.CERTIFICATE_NOT_YET_VALID);
                return u2;
            }
            listIterator.next();
        }
        PublicKey A4 = M.A(certificate2, this.G, transactionId);
        ArrayList arrayList = new ArrayList();
        if (RevocationFactory.getInstance(transactionId).createRevocationInfo(certificate2, Collections.EMPTY_LIST) != null) {
            arrayList.add(RevocationFactory.getInstance(transactionId).createRevocationInfo(certificate2, Collections.EMPTY_LIST));
        }
        int size2 = list.size();
        while (listIterator.hasPrevious()) {
            CertInfo certInfo3 = (CertInfo) listIterator.previous();
            this.O++;
            int i = size2 - 1;
            X509Certificate certificate3 = certInfo3.getCertificate(transactionId);
            if (P.isDebugEnabled()) {
                P.debug(transactionId, new StringBuffer("current certificate: ").append(certificate3).toString(), null);
            }
            boolean isSelfIssued = certInfo3.isSelfIssued();
            P.debug(transactionId, new StringBuffer("selfIssued: ").append(isSelfIssued).toString(), null);
            if (!chainingMode2.equals(ChainingModes.CHAIN_MODE)) {
                date2 = date;
            } else if (listIterator.hasPrevious()) {
                date2 = A(((CertInfo) listIterator.previous()).getCertificate(transactionId), transactionId);
                listIterator.next();
            } else {
                date2 = date;
            }
            int A5 = A(certificate3, date2, transactionId);
            if (A5 != 0) {
                U u3 = new U(ValidationResult.INVALID, certInfo3.getCertificate(transactionId).getPublicKey(), null, chainingMode2, A(list, transactionId));
                if (A5 == 1) {
                    P.warn(transactionId, "Certificate not yet valid", null);
                    u3.A(ValidationResultInvalid.CERTIFICATE_NOT_YET_VALID);
                }
                if (A5 == -1) {
                    P.warn(transactionId, "Certificate expired", null);
                    u3.A(ValidationResultInvalid.CERTIFICATE_EXPIRED);
                }
                u3.A(i);
                u3.A((Collection) arrayList);
                return u3;
            }
            if (P.isDebugEnabled()) {
                P.debug(transactionId, new StringBuffer("verifying the signature with the issuer: ").append(certInfo2.getCertificate(transactionId)).toString(), null);
            }
            if (!A(certInfo3, isSelfIssued, (CertIssuer) certInfo2, A4, transactionId)) {
                P.info(transactionId, "Signature error: chain invalid.", null);
                U u4 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u4.A(i);
                u4.A(ValidationResultInvalid.CHAINING_FAILED);
                u4.A((Collection) arrayList);
                return u4;
            }
            this.E = false;
            this.A = -1;
            try {
                BasicConstraints basicConstraints = (BasicConstraints) certificate3.getExtension(ObjectID.getObjectID(BasicConstraints.oid.getID()));
                if (basicConstraints != null) {
                    this.E = basicConstraints.ca();
                    if (this.E) {
                        this.A = basicConstraints.getPathLenConstraint();
                    }
                }
            } catch (X509ExtensionInitException e) {
                this.E = false;
                this.A = -1;
            }
            if (this.I.getRevocationChecking()) {
                if (!z || listIterator.hasPrevious()) {
                    try {
                        RevocationStatus certificateStatus = this.H.getCertificateStatus(certificate3, this.E, certInfo2.getCertificate(transactionId), A4, date2, chainingMode2, supplementalRevocationSources, new RevocationTrustProfileImpl(certInfo2, A4, pKIModule), revocationProfile, transactionId);
                        Collection<RevocationInfo> revocationInfoList = certificateStatus.getRevocationInfoList();
                        if (revocationInfoList != null) {
                            for (RevocationInfo revocationInfo : revocationInfoList) {
                                if (!arrayList.contains(revocationInfo)) {
                                    arrayList.add(revocationInfo);
                                }
                            }
                        }
                        if (P.isDebugEnabled()) {
                            P.debug(transactionId, new StringBuffer("Certificate status: ").append(certificateStatus).toString(), null);
                        }
                        if (!certificateStatus.getStatusCode().equals(RevocationStatus.VALID)) {
                            P.info(transactionId, new StringBuffer("Certificate revocation check failed ").append(certificateStatus.getStatusCode()).toString(), null);
                            U u5 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                            u5.A(i);
                            if (A(list, i, A4, transactionId)) {
                                u5.A(ValidationResultInvalid.REVOCATION_FAILED);
                                u5.A(certificateStatus);
                            } else {
                                u5.A(ValidationResultInvalid.CHAINING_FAILED);
                            }
                            u5.A((Collection) arrayList);
                            return u5;
                        }
                    } catch (Exception e2) {
                        P.info(transactionId, "Certificate status checking failed", e2);
                        throw new ValidationException("Certificate status checking failed", e2, new StringBuffer().append(getClass().getName()).append(":5").toString());
                    }
                } else if (P.isDebugEnabled()) {
                    P.debug(transactionId, "Do not check status of certificate - \"NoCheck\" extension is included.", null);
                }
            }
            PublicKey publicKey = certInfo3.getCertificate(transactionId).getPublicKey();
            if (P.isDebugEnabled()) {
                P.debug(transactionId, new StringBuffer("new working key: ").append(publicKey.toString()).toString(), null);
            }
            PublicKey A6 = M.A(publicKey, A4, transactionId);
            P.debug(transactionId, "checking extensions", null);
            HashSet<String> hashSet = new HashSet();
            Set criticalExtensionOIDs = certificate3.getCriticalExtensionOIDs();
            if (criticalExtensionOIDs != null) {
                hashSet.addAll(criticalExtensionOIDs);
                P.debug(transactionId, new StringBuffer().append(criticalExtensionOIDs.size()).append(" critical extensions found").toString(), null);
            } else {
                P.debug(transactionId, "no critical extensions found", null);
            }
            Set nonCriticalExtensionOIDs = certificate3.getNonCriticalExtensionOIDs();
            if (nonCriticalExtensionOIDs != null) {
                hashSet.addAll(nonCriticalExtensionOIDs);
                P.debug(transactionId, new StringBuffer().append(nonCriticalExtensionOIDs.size()).append(" non critical extensions found").toString(), null);
            } else {
                P.debug(transactionId, "no non critical extensions found", null);
            }
            P.debug(transactionId, "handling extensions", null);
            if (!this.I.getNameConstraintsProcessing()) {
                hashSet.remove(SubjectAltName.oid.getID());
            } else if ((!isSelfIssued || !listIterator.hasPrevious()) && !A(SubjectAltName.oid, certificate3, hashSet, transactionId)) {
                U u6 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u6.A(i);
                u6.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u6.A((Collection) arrayList);
                return u6;
            }
            if (!this.I.getPolicyProcessing()) {
                hashSet.remove(CertificatePolicies.oid.getID());
            } else if (!A(CertificatePolicies.oid, certificate3, hashSet, transactionId)) {
                U u7 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u7.A(i);
                u7.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u7.A((Collection) arrayList);
                return u7;
            }
            if (!listIterator.hasPrevious()) {
                P.debug(transactionId, " -------------------- WRAP UP --------------------", null);
                if (this.I.getPolicyProcessing()) {
                    if (!isSelfIssued) {
                        this.B = A(this.B);
                        P.debug(transactionId, new StringBuffer("requireExplicitPolicy (final value) = ").append(this.B).toString(), null);
                    }
                    if (!A(PolicyConstraints.oid, certificate3, hashSet, transactionId)) {
                        U u8 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                        u8.A(i);
                        u8.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                        u8.A((Collection) arrayList);
                        return u8;
                    }
                    Set<String> initialPolicySet = this.I.getInitialPolicySet();
                    if (this.K != null && !initialPolicySet.isEmpty()) {
                        P.debug(transactionId, "Calculating intesection of the valid policy tree and the user initial policy set", null);
                        if (P.isDebugEnabled()) {
                            P.debug(transactionId, new StringBuffer("User initial policy set(): ").append(initialPolicySet).toString(), null);
                        }
                        if (initialPolicySet.size() != 1 || !initialPolicySet.contains(PolicyNode.X509_ANY_POLICY)) {
                            List C = this.K.C();
                            HashSet hashSet2 = new HashSet();
                            Iterator it = C.iterator();
                            while (true) {
                                if (!it.hasNext()) {
                                    break;
                                }
                                G g = (G) it.next();
                                String validPolicy = g.getValidPolicy();
                                hashSet2.add(validPolicy);
                                if (!validPolicy.equals(PolicyNode.X509_ANY_POLICY) && !initialPolicySet.contains(validPolicy)) {
                                    G g2 = (G) g.getParent();
                                    if (g2 == null) {
                                        this.K = null;
                                        break;
                                    }
                                    g2.A(g);
                                }
                            }
                            Iterator it2 = this.K.B(size).iterator();
                            while (true) {
                                if (!it2.hasNext()) {
                                    break;
                                }
                                G g3 = (G) it2.next();
                                if (g3.getValidPolicy().equals(PolicyNode.X509_ANY_POLICY)) {
                                    G g4 = (G) g3.getParent();
                                    boolean isCritical = g3.isCritical();
                                    HashSet hashSet3 = new HashSet(g3.getPolicyQualifiers());
                                    for (String str : initialPolicySet) {
                                        if (!hashSet2.contains(str)) {
                                            g4.A(str, hashSet3, isCritical);
                                        }
                                    }
                                    g4.A(g3);
                                }
                            }
                        }
                        this.K = this.K.A(size - 1);
                        if (P.isDebugEnabled()) {
                            P.debug(transactionId, new StringBuffer("Policy tree intersected with initial user policy set:").append(Constants.LINE_SEPARATOR).append(this.K).toString(), null);
                        }
                    }
                    if (this.B == 0 && this.K == null) {
                        P.info(transactionId, "No explicit policy", null);
                        U u9 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                        u9.A(i);
                        u9.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                        u9.A((Collection) arrayList);
                        return u9;
                    }
                    if (this.K != null) {
                        this.K.A();
                    }
                } else {
                    hashSet.remove(PolicyConstraints.oid.getID());
                    hashSet.remove(PolicyMappings.oid.getID());
                    hashSet.remove(InhibitAnyPolicy.oid.getID());
                }
                for (String str2 : hashSet) {
                    P.debug(transactionId, new StringBuffer("Processing ").append(ObjectID.getObjectID(str2).getName()).append(" extension").toString(), null);
                    if (!ExtensionHandler.handleExtension(str2, this, certificate3, transactionId)) {
                        U u10 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                        u10.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                        u10.A(i);
                        u10.A((Collection) arrayList);
                        return u10;
                    }
                }
                U u11 = new U(ValidationResult.VALID, A6, this.K, chainingMode2, A(list, transactionId));
                u11.A((Collection) arrayList);
                return u11;
            }
            if (!this.I.getPolicyProcessing()) {
                hashSet.remove(PolicyMappings.oid.getID());
                hashSet.remove(PolicyConstraints.oid.getID());
                hashSet.remove(InhibitAnyPolicy.oid.getID());
            } else {
                if (!A(PolicyMappings.oid, certificate3, hashSet, transactionId)) {
                    U u12 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u12.A(i);
                    u12.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u12.A((Collection) arrayList);
                    return u12;
                }
                if (!isSelfIssued) {
                    this.B = A(this.B);
                    this.L = A(this.L);
                    this.F = A(this.F);
                    if (P.isDebugEnabled()) {
                        StringBuffer stringBuffer = new StringBuffer("Updating policy varaibles:");
                        stringBuffer.append(Constants.LINE_SEPARATOR);
                        stringBuffer.append("requireExplicitPolicy  = ");
                        stringBuffer.append(this.B);
                        stringBuffer.append(Constants.LINE_SEPARATOR);
                        stringBuffer.append("inhibitPolicyMapping   = ");
                        stringBuffer.append(this.L);
                        stringBuffer.append(Constants.LINE_SEPARATOR);
                        stringBuffer.append("inhibitAnyPolicy       = ");
                        stringBuffer.append(this.F);
                        P.debug(transactionId, stringBuffer.toString(), null);
                    }
                }
                if (!A(PolicyConstraints.oid, certificate3, hashSet, transactionId)) {
                    U u13 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u13.A(i);
                    u13.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u13.A((Collection) arrayList);
                    return u13;
                }
                if (!A(InhibitAnyPolicy.oid, certificate3, hashSet, transactionId)) {
                    U u14 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u14.A(i);
                    u14.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u14.A((Collection) arrayList);
                    return u14;
                }
            }
            if (!this.I.getNameConstraintsProcessing()) {
                hashSet.remove(NameConstraints.oid.getID());
            } else if (!A(NameConstraints.oid, certificate3, hashSet, transactionId)) {
                U u15 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u15.A(i);
                u15.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u15.A((Collection) arrayList);
                return u15;
            }
            P.debug(transactionId, new StringBuffer("maxPathLength = ").append(this.N).toString(), null);
            if (!isSelfIssued) {
                int i2 = this.N;
                this.N = i2 - 1;
                if (i2 <= 0) {
                    P.debug(transactionId, "Path length constraint violation: ", null);
                    U u16 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u16.A(i);
                    u16.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u16.A((Collection) arrayList);
                    return u16;
                }
                P.debug(transactionId, new StringBuffer("maxPathLength decremented (new value is ").append(this.N).append(")").toString(), null);
            }
            if (!A(BasicConstraints.oid, certificate3, hashSet, transactionId)) {
                U u17 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u17.A(i);
                u17.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u17.A((Collection) arrayList);
                return u17;
            }
            if (!A(KeyUsage.oid, certificate3, hashSet, transactionId)) {
                U u18 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u18.A(i);
                u18.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u18.A((Collection) arrayList);
                return u18;
            }
            for (String str3 : hashSet) {
                P.debug(transactionId, new StringBuffer("Processing ").append(ObjectID.getObjectID(str3).getName()).append(" extension").toString(), null);
                if (!ExtensionHandler.handleExtension(str3, this, certificate3, transactionId)) {
                    U u19 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u19.A(i);
                    u19.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u19.A((Collection) arrayList);
                    return u19;
                }
            }
            size2 = i;
            A4 = A6;
            certInfo2 = certInfo3;
        }
        throw new ValidationException("Validation error, maybe got chain with 0 elements", null, new StringBuffer().append(getClass().getName()).append(":6").toString());
    }
}
