package sun.security.provider.certpath;

import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PolicyNode;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;

/* loaded from: input_file:118666-05/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/rt.jar:sun/security/provider/certpath/PKIXCertPathValidator.class */
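/**
 * Service-provider implementation that validates an X.509 certification path
 * against a set of {@link PKIXParameters}.
 *
 * <p>Each trust anchor in the parameters is tried in turn. The first anchor for
 * which the whole checker chain succeeds is returned in the result.
 *
 * <p><b>Thread-safety:</b> per-validation state ({@code testDate},
 * {@code userCheckers}, {@code sigProvider}, {@code basicChecker}) is kept in
 * instance fields that are overwritten on every call to
 * {@link #engineValidate}. Concurrent validations on the same instance would
 * race on those fields, so an instance must not be shared between threads
 * without external synchronization.
 */
public class PKIXCertPathValidator extends CertPathValidatorSpi {
    private static final Debug debug = Debug.getInstance("certpath");

    /** OID of the special {@code anyPolicy} certificate policy (RFC 5280). */
    private static final String ANY_POLICY = "2.5.29.32.0";

    // Validation time: the date from the parameters, or "now" when none was set.
    private Date testDate;
    // Caller-supplied checkers; they run after all built-in checkers.
    private List<PKIXCertPathChecker> userCheckers;
    // Signature provider name taken from the parameters (may be null).
    private String sigProvider;
    // Checker of the most recent doValidate() run; read again to build the result.
    private BasicChecker basicChecker;

    /**
     * Validates {@code certPath} using the PKIX parameters in
     * {@code certPathParameters}.
     *
     * <p>Anchors given as a trusted certificate are skipped unless their subject
     * name equals the issuer name of the first certificate to be checked. This
     * is only a cheap pre-filter on names. Anchors given as a name/key pair are
     * always tried. For an empty path no name match is possible, so every anchor
     * is handed to the checker chain.
     *
     * @param certPath the certification path; its type must be {@code X.509}
     *        or {@code X509} and every element must be an {@link X509Certificate}
     * @param certPathParameters must be an instance of {@link PKIXParameters}
     * @return a {@link PKIXCertPathValidatorResult} holding the anchor that
     *         validated the path, the resulting policy tree and the public key
     *         reported by the basic checker
     * @throws CertPathValidatorException if no anchor validates the path; when
     *         several anchors fail, only the failure of the last anchor tried
     *         is reported and earlier failures are discarded
     * @throws InvalidAlgorithmParameterException if the parameters or the path
     *         are of an unsupported type, if the path contains an entry that is
     *         not an {@code X509Certificate}, or if a trust anchor carries name
     *         constraints (not supported by this implementation)
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        if (debug != null) {
            debug.println("PKIXCertPathValidator.engineValidate()...");
        }
        if (!(certPathParameters instanceof PKIXParameters)) {
            throw new InvalidAlgorithmParameterException("inappropriate parameters, must be an instance of PKIXParameters");
        }
        String pathType = certPath.getType();
        if (!pathType.equals("X.509") && !pathType.equals("X509")) {
            throw new InvalidAlgorithmParameterException("inappropriate certification path type specified, must be X.509 or X509");
        }
        PKIXParameters params = (PKIXParameters) certPathParameters;
        Set<TrustAnchor> anchors = params.getTrustAnchors();

        // Refuse up front instead of silently ignoring a constraint this
        // implementation cannot enforce.
        for (TrustAnchor anchor : anchors) {
            if (anchor.getNameConstraints() != null) {
                throw new InvalidAlgorithmParameterException("name constraints in trust anchor not supported");
            }
        }

        // CertPath is abstract, so a path that merely claims the X.509 type may
        // still return other objects. Check each element here so that a
        // malformed path is rejected with a declared exception rather than a
        // ClassCastException somewhere inside the checker chain.
        List<X509Certificate> certList = new ArrayList<X509Certificate>();
        for (Object entry : certPath.getCertificates()) {
            if (!(entry instanceof X509Certificate)) {
                throw new InvalidAlgorithmParameterException("certification path must contain only X509Certificate entries");
            }
            certList.add((X509Certificate) entry);
        }
        if (debug != null) {
            if (certList.isEmpty()) {
                debug.println("PKIXCertPathValidator.engineValidate() certList is empty");
            }
            debug.println("PKIXCertPathValidator.engineValidate() reversing certpath...");
        }
        // After the reversal, index 0 holds the certificate whose issuer is
        // compared with the trust anchor in isWorthTrying().
        Collections.reverse(certList);
        populateVariables(params);
        X509Certificate firstCert = certList.isEmpty() ? null : certList.get(0);

        CertPathValidatorException lastFailure = null;
        for (TrustAnchor anchor : anchors) {
            PublicKey anchorKey;
            X500Principal anchorName;
            X509Certificate trustedCert = anchor.getTrustedCert();
            if (trustedCert != null) {
                if (debug != null) {
                    debug.println("PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null");
                }
                if (!isWorthTrying(trustedCert, firstCert)) {
                    continue;
                }
                anchorKey = trustedCert.getPublicKey();
                anchorName = trustedCert.getSubjectX500Principal();
                if (debug != null) {
                    debug.println("anchor.getTrustedCert().getSubjectX500Principal() = " + anchorName);
                }
            } else {
                if (debug != null) {
                    debug.println("PKIXCertPathValidator.engineValidate(): anchor.getTrustedCert() == null");
                }
                anchorKey = anchor.getCAPublicKey();
                anchorName = CertPathHelper.getCA(anchor);
            }
            try {
                // A fresh policy-tree root (anyPolicy) is built for every attempt
                // so a failed anchor cannot leave state behind for the next one.
                PolicyNodeImpl rootNode = new PolicyNodeImpl(null, ANY_POLICY, null, false, Collections.singleton(ANY_POLICY), false);
                PolicyNode policyTree = doValidate(anchorKey, anchorName, certPath, certList, params, rootNode);
                return new PKIXCertPathValidatorResult(anchor, policyTree, this.basicChecker.getPublicKey());
            } catch (CertPathValidatorException e) {
                // Remember the failure and move on to the next anchor.
                lastFailure = e;
            }
        }
        if (lastFailure != null) {
            throw lastFailure;
        }
        throw new CertPathValidatorException("Path does not chain with any of the trust anchors");
    }

    /**
     * Cheap pre-filter: reports whether a trusted certificate could have issued
     * the first certificate of the path, judged by name only.
     *
     * @param trustedCert certificate of the trust anchor under consideration
     * @param firstCert first certificate to validate, or {@code null} for an
     *        empty path
     * @return {@code true} if {@code firstCert} is {@code null} or its issuer
     *         name equals the subject name of {@code trustedCert}
     */
    private boolean isWorthTrying(X509Certificate trustedCert, X509Certificate firstCert) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...");
        }
        if (firstCert == null) {
            return true;
        }
        boolean namesChain = trustedCert.getSubjectX500Principal().equals(firstCert.getIssuerX500Principal());
        if (debug != null) {
            debug.println(namesChain ? "YES - try this trustedCert" : "NO - don't try this trustedCert");
        }
        return namesChain;
    }

    /**
     * Copies the per-validation settings out of the parameters into the
     * instance fields used by {@link #doValidate}.
     *
     * @param params the PKIX parameters of the current validation
     */
    private void populateVariables(PKIXParameters params) throws CertPathValidatorException {
        Date requested = params.getDate();
        // No explicit date means "validate as of now".
        this.testDate = (requested != null) ? requested : new Date();
        this.userCheckers = params.getCertPathCheckers();
        this.sigProvider = params.getSigProvider();
    }

    /**
     * Runs the full checker chain for one trust anchor.
     *
     * <p>Checker order: key, constraints, policy, basic, then the revocation
     * checkers (only if revocation is enabled in the parameters), then the
     * caller-supplied checkers. With revocation disabled no revocation checker
     * is installed at all. With revocation enabled the CRL checker is always
     * installed, and the OCSP checker is added only when the security property
     * named by {@code OCSPChecker.OCSP_ENABLE_PROP} is set to {@code "true"}
     * (compared without regard to case).
     *
     * @param anchorKey public key of the trust anchor
     * @param anchorName name of the trust anchor
     * @param certPath the original certification path
     * @param certList the path's certificates in reversed order
     * @param params the PKIX parameters of the current validation
     * @param rootNode root of the policy tree for this attempt
     * @return the policy tree produced by the policy checker
     * @throws CertPathValidatorException if any checker rejects the path
     */
    private PolicyNode doValidate(PublicKey anchorKey, X500Principal anchorName, CertPath certPath, List<X509Certificate> certList, PKIXParameters params, PolicyNodeImpl rootNode) throws CertPathValidatorException {
        int pathLength = certList.size();
        List<PKIXCertPathChecker> checkers = new ArrayList<PKIXCertPathChecker>();

        this.basicChecker = new BasicChecker(anchorKey, anchorName, this.testDate, this.sigProvider, false);
        PolicyChecker policyChecker = new PolicyChecker(params.getInitialPolicies(), pathLength, params.isExplicitPolicyRequired(), params.isPolicyMappingInhibited(), params.isAnyPolicyInhibited(), params.getPolicyQualifiersRejected(), rootNode);

        checkers.add(new KeyChecker(pathLength, params.getTargetCertConstraints()));
        checkers.add(new ConstraintsChecker(pathLength));
        checkers.add(policyChecker);
        checkers.add(this.basicChecker);

        if (params.isRevocationEnabled()) {
            // Only a fixed property name is read inside the privileged block;
            // no caller-controlled value crosses the privilege boundary.
            String ocspEnabled = AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override // java.security.PrivilegedAction
                public String run() {
                    return Security.getProperty(OCSPChecker.OCSP_ENABLE_PROP);
                }
            });
            if ("true".equalsIgnoreCase(ocspEnabled)) {
                checkers.add(new OCSPChecker(certPath, params));
            }
            checkers.add(new CrlRevocationChecker(anchorKey, params, certList));
        }
        // User checkers run last, after every built-in check.
        checkers.addAll(this.userCheckers);

        new PKIXMasterCertPathValidator(checkers).validate(certPath, certList);
        return policyChecker.getPolicyTree();
    }
}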
