package sun.security.provider.certpath;

import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
import sun.security.validator.Validator;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.ReasonFlags;
import sun.security.x509.X509CRLEntryImpl;

/* loaded from: input_file:118668-05/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/rt.jar:sun/security/provider/certpath/CrlRevocationChecker.class */
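/**
 * PKIX path checker that decides revocation status from X.509 CRLs.
 * (Recovered by decompilation from the JDK 1.5.0 {@code rt.jar}.)
 *
 * <p>For each certificate handed to {@link #check(Certificate, Collection)} the
 * checker gathers candidate CRLs from the configured {@link CertStore}s and from
 * the certificate's CRL distribution points, keeps only those that name the
 * certificate's issuer, verify under the issuer's public key, are not past
 * {@code nextUpdate} and carry no critical extensions this code does not
 * understand, and then looks the certificate's serial number up in the
 * surviving CRLs.  A matching entry whose reason is not {@code certificateHold}
 * or {@code removeFromCRL} fails validation; {@code certificateHold} fails with
 * "Certificate is on hold".
 *
 * <p>When the issuer's key is not allowed to sign CRLs (no cRLSign key-usage
 * bit) or no usable CRL is found, the checker tries to build a separate path
 * from the same trust anchor to a cRLSign-capable certificate for the issuer
 * name and repeats the check with that key
 * ({@link #verifyWithSeparateSigningKey}).  Every certificate on that auxiliary
 * path is itself revocation-checked, with a stack of certificates guarding
 * against circular "cert vouches for its own CRL" dependencies.
 *
 * <p>Only reverse (anchor-to-target) checking is supported; the key and
 * cRLSign capability of the previously checked certificate are carried in
 * {@code mPrevPubKey} / {@code mCRLSignFlag}.
 *
 * <p>NOTE(review): only {@code nextUpdate} is compared against the validation
 * time; a CRL whose {@code thisUpdate} lies in the future is still accepted.
 */
class CrlRevocationChecker extends PKIXCertPathChecker {
    /** Public key the path starts from (the trust anchor's key); may be null. */
    private final PublicKey mInitPubKey;
    /** CertStores consulted for CRLs, taken from the PKIX parameters. */
    private final List<CertStore> mStores;
    /** Signature provider handed to {@code X509CRL.verify}; null means the default. */
    private final String mSigProvider;
    /** Time at which revocation status is evaluated: the parameters' date, or "now". */
    private final Date mCurrentTime;
    /** Public key of the most recently checked certificate (path walked in reverse). */
    private PublicKey mPrevPubKey;
    /** Whether the certificate holding {@link #mPrevPubKey} may sign CRLs (cRLSign). */
    private boolean mCRLSignFlag;
    /** Validation parameters this checker was created with. */
    private final PKIXParameters mParams;
    /** Extra certificates offered to the builder when a separate CRL signer is sought; may be null. */
    private final Collection<X509Certificate> mExtraCerts;
    private static final Debug debug = Debug.getInstance("certpath");
    /** KeyUsage template with only cRLSign (bit 6) set: target constraint for the CRL-signer search. */
    private static final boolean[] mCrlSignUsage = {false, false, false, false, false, false, true};

    /** CRL entry reason code "certificateHold" (RFC 3280 CRLReason). */
    private static final int REASON_CERTIFICATE_HOLD = 6;
    /** CRL entry reason code "removeFromCRL" (RFC 3280 CRLReason). */
    private static final int REASON_REMOVE_FROM_CRL = 8;

    /**
     * Target selector for the CRL-signer path build: behaves like a plain
     * {@link X509CertSelector} but additionally rejects any certificate whose
     * public key has already been tried and failed.
     */
    public static class RejectKeySelector extends X509CertSelector {
        /** Keys that must not be returned as a match. */
        private final Set<PublicKey> badKeySet;

        /**
         * @param collection keys to reject; copied, so later changes to the
         *                   caller's collection are not seen by this selector
         */
        RejectKeySelector(Collection<PublicKey> collection) {
            this.badKeySet = new HashSet<PublicKey>(collection);
        }

        /**
         * Matches when the superclass criteria hold and the certificate's key is
         * not in the reject set.
         */
        @Override
        public boolean match(Certificate certificate) {
            if (!super.match(certificate)) {
                return false;
            }
            boolean rejected = badKeySet.contains(certificate.getPublicKey());
            if (debug != null) {
                debug.println(rejected
                        ? "RejectCertSelector.match: bad key"
                        : "RejectCertSelector.match: returning true");
            }
            return !rejected;
        }

        @Override
        public String toString() {
            return "RejectCertSelector: [\n" + super.toString() + badKeySet + "]";
        }
    }

    /**
     * Creates a checker with no extra certificates for the CRL-signer search.
     *
     * @param publicKey       public key of the trust anchor the path starts from
     * @param pKIXParameters  validation parameters (cert stores, date, provider, ...)
     * @throws CertPathValidatorException never in practice; {@link #init} only
     *         rejects forward checking, and the constructor asks for reverse
     */
    public CrlRevocationChecker(PublicKey publicKey, PKIXParameters pKIXParameters) throws CertPathValidatorException {
        this(publicKey, pKIXParameters, null);
    }

    /**
     * Creates a checker.
     *
     * @param publicKey       public key of the trust anchor the path starts from
     * @param pKIXParameters  validation parameters (cert stores, date, provider, ...)
     * @param collection      extra {@link X509Certificate}s made available to the
     *                        builder when a separate CRL signing key is searched
     *                        for; may be null
     * @throws CertPathValidatorException never in practice (see {@link #init})
     */
    @SuppressWarnings("unchecked") // raw Collection kept for caller compatibility; assumed to hold X509Certificates
    public CrlRevocationChecker(PublicKey publicKey, PKIXParameters pKIXParameters, Collection collection) throws CertPathValidatorException {
        this.mInitPubKey = publicKey;
        this.mParams = pKIXParameters;
        this.mStores = pKIXParameters.getCertStores();
        this.mSigProvider = pKIXParameters.getSigProvider();
        this.mExtraCerts = collection;
        Date validationDate = pKIXParameters.getDate();
        this.mCurrentTime = validationDate == null ? new Date() : validationDate;
        init(false);
    }

    /**
     * Resets the running state to the trust anchor's key.  The initial key is
     * always treated as permitted to sign CRLs.
     *
     * @param z true requests forward checking, which this checker does not support
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        mPrevPubKey = mInitPubKey;
        mCRLSignFlag = true;
    }

    /** Always false: only reverse (anchor-to-target) checking is implemented. */
    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** This checker resolves no certificate extensions. */
    @Override
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Checks the next certificate of the path (reverse order) against the CRLs
     * of its issuer, then advances the running issuer key / cRLSign state.
     *
     * @param certificate the certificate to check; must be an {@link X509Certificate}
     * @param collection  unresolved critical extension OIDs; not consulted
     * @throws CertPathValidatorException if the certificate is revoked, on hold,
     *         or its revocation status cannot be determined
     */
    @Override
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        X509Certificate cert = (X509Certificate) certificate;
        verifyRevocationStatus(cert, mPrevPubKey, mCRLSignFlag, true);
        PublicKey key = cert.getPublicKey();
        if (key instanceof DSAPublicKey && ((DSAPublicKey) key).getParams() == null) {
            // A DSA key without parameters inherits them from the issuer's key.
            key = BasicChecker.makeInheritedParamsKey(key, mPrevPubKey);
        }
        mPrevPubKey = key;
        mCRLSignFlag = certCanSignCrl(cert);
    }

    /**
     * Stateless variant of {@link #check(Certificate, Collection)} for callers
     * that track the issuer key themselves.
     *
     * @param x509Certificate the certificate to check
     * @param publicKey       the issuer's public key
     * @param z               whether the issuer's certificate may sign CRLs
     * @return whether {@code x509Certificate} itself may sign CRLs
     * @throws CertPathValidatorException if the certificate is revoked, on hold,
     *         or its revocation status cannot be determined
     */
    public boolean check(X509Certificate x509Certificate, PublicKey publicKey, boolean z) throws CertPathValidatorException {
        verifyRevocationStatus(x509Certificate, publicKey, z, true);
        return certCanSignCrl(x509Certificate);
    }

    /**
     * Reports whether a certificate may sign CRLs: true when it has no KeyUsage
     * extension at all, otherwise the value of its cRLSign bit.  Any failure
     * while decoding the extension is treated as "may not sign".
     */
    public boolean certCanSignCrl(X509Certificate x509Certificate) {
        try {
            boolean[] keyUsage = x509Certificate.getKeyUsage();
            if (keyUsage == null) {
                return true;
            }
            Boolean crlSign = (Boolean) new KeyUsageExtension(keyUsage).get(KeyUsageExtension.CRL_SIGN);
            return crlSign.booleanValue();
        } catch (Exception e) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.certCanSignCRL() unexpected exception");
                e.printStackTrace();
            }
            return false;
        }
    }

    /** Convenience overload with an empty circular-dependency stack. */
    private void verifyRevocationStatus(X509Certificate cert, PublicKey issuerKey, boolean signFlag,
            boolean allowSeparateKey) throws CertPathValidatorException {
        verifyRevocationStatus(cert, issuerKey, signFlag, allowSeparateKey, null);
    }

    /**
     * Determines the revocation status of {@code cert} from its issuer's CRLs.
     *
     * @param cert              certificate whose status is checked
     * @param issuerKey         public key expected to have signed the CRLs
     * @param signFlag          whether the holder of {@code issuerKey} may sign CRLs
     * @param allowSeparateKey  whether, on failure, a separately built CRL-signer
     *                          path may be tried ({@link #verifyWithSeparateSigningKey})
     * @param stackedCerts      certificates currently being vouched for higher up
     *                          the recursion, or null; {@code cert} appearing here
     *                          means a circular dependency
     * @throws CertPathValidatorException if the certificate is revoked or on hold,
     *         if no CRL could be found or verified, or on a circular dependency
     */
    private void verifyRevocationStatus(X509Certificate cert, PublicKey issuerKey, boolean signFlag,
            boolean allowSeparateKey, Set<X509Certificate> stackedCerts) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...");
        }
        if (stackedCerts != null && stackedCerts.contains(cert)) {
            throw new CertPathValidatorException("circular dependency - cert can't vouch for CRL");
        }
        if (!signFlag) {
            // The issuer's key is not permitted to sign CRLs; the only way out is
            // a separately built CRL signer.
            if (allowSeparateKey && verifyWithSeparateSigningKey(cert, issuerKey, signFlag, stackedCerts)) {
                return;
            }
            throw new CertPathValidatorException("cert can't vouch for CRL");
        }

        X500Principal issuer = cert.getIssuerX500Principal();
        // Locals rather than fields: this method recurses through
        // verifyWithSeparateSigningKey, and shared fields would be clobbered.
        Set<X509CRL> possibleCRLs = new HashSet<X509CRL>();
        Set<X509CRL> approvedCRLs = new HashSet<X509CRL>();
        try {
            X509CRLSelector selector = new X509CRLSelector();
            selector.setCertificateChecking(cert);
            selector.setDateAndTime(mCurrentTime);
            CertPathHelper.addIssuer(selector, issuer);
            for (CertStore store : mStores) {
                possibleCRLs.addAll(store.getCRLs(selector));
            }
            possibleCRLs.addAll(DistributionPointFetcher.getInstance().getCRLs(selector));

            if (possibleCRLs.isEmpty()) {
                if (allowSeparateKey && verifyWithSeparateSigningKey(cert, issuerKey, signFlag, stackedCerts)) {
                    return;
                }
                throw new CertPathValidatorException("revocation status check failed: no CRL found");
            }
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() crls.size() = " + possibleCRLs.size());
            }

            // Keep only CRLs that are issued by the issuer, verify under its key,
            // are not stale and carry no unrecognized critical extensions.
            for (X509CRL crl : possibleCRLs) {
                if (verifyPossibleCRL(crl, issuer, issuerKey)) {
                    approvedCRLs.add(crl);
                }
            }
            if (approvedCRLs.isEmpty()) {
                if (allowSeparateKey && verifyWithSeparateSigningKey(cert, issuerKey, signFlag, stackedCerts)) {
                    return;
                }
                throw new CertPathValidatorException("no possible CRLs");
            }

            BigInteger serial = cert.getSerialNumber();
            if (debug != null) {
                debug.println("starting the final sweep...");
                debug.println("CrlRevocationChecker.verifyRevocationStatus cert SN: " + serial.toString());
            }
            // Set by the last approved CRL that lists the serial; a removeFromCRL
            // entry in a later CRL clears a hold recorded by an earlier one.
            boolean onHold = false;
            for (X509CRL crl : approvedCRLs) {
                X509CRLEntry entry = crl.getRevokedCertificate(serial);
                if (entry == null) {
                    continue;
                }
                if (debug != null) {
                    debug.println("CrlRevocationChecker.verifyRevocationStatus CRL entry: " + entry.toString());
                }
                Integer reason = X509CRLEntryImpl.toImpl(entry).getReasonCode();
                int reasonCode = reason == null ? 0 : reason.intValue();
                onHold = reasonCode == REASON_CERTIFICATE_HOLD;
                if (!onHold && reasonCode != REASON_REMOVE_FROM_CRL) {
                    throw new CertPathValidatorException(
                            "Certificate has been revoked, reason: " + reasonToString(reasonCode));
                }
                Set<String> critExts = entry.getCriticalExtensionOIDs();
                if (critExts != null && !critExts.isEmpty()) {
                    // Copy before removing: the returned set may be the entry's own.
                    Set<String> unresolved = new HashSet<String>(critExts);
                    unresolved.remove(PKIXExtensions.ReasonCode_Id.toString());
                    if (!unresolved.isEmpty()) {
                        throw new CertPathValidatorException(
                                "Unrecognized critical extension(s) in revoked CRL entry: " + unresolved);
                    }
                }
            }
            if (onHold) {
                throw new CertPathValidatorException("Certificate is on hold");
            }
        } catch (CertPathValidatorException cpve) {
            // Propagate our own verdicts unchanged instead of wrapping them
            // (previously they were wrapped twice, hiding the message).
            throw cpve;
        } catch (Exception e) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() unexpected exception: " + e.getMessage());
                e.printStackTrace();
            }
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Fallback used when the issuer's own key could not vouch for {@code cert}:
     * repeatedly builds a path to a cRLSign-capable certificate for the issuer
     * name ({@link #buildToNewKey}) and re-runs the CRL check with that key,
     * blacklisting each key that fails, until one succeeds or no path is left.
     *
     * @param cert          certificate whose status is checked
     * @param issuerKey     the issuer key that already failed
     * @param signFlag      whether {@code issuerKey}'s certificate may sign CRLs;
     *                      the key is blacklisted for the search only if it may
     *                      (if it merely lacked cRLSign it is not excluded here)
     * @param stackedCerts  circular-dependency stack, or null
     * @return true if some separate key produced a clean CRL check; false on any
     *         failure (including a circular dependency), which the caller turns
     *         into a {@link CertPathValidatorException}
     */
    private boolean verifyWithSeparateSigningKey(X509Certificate cert, PublicKey issuerKey, boolean signFlag,
            Set<X509Certificate> stackedCerts) {
        if (debug != null) {
            debug.println("CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...");
        }
        if (stackedCerts != null && stackedCerts.contains(cert)) {
            return false;
        }
        Set<PublicKey> badKeys = new HashSet<PublicKey>();
        if (signFlag && issuerKey != null) {
            badKeys.add(issuerKey);
        }
        try {
            while (true) {
                // Throws CertPathBuilderException once every candidate is rejected.
                PublicKey candidate = buildToNewKey(cert, badKeys, stackedCerts);
                try {
                    // allowSeparateKey=false: no further fallback from this level.
                    verifyRevocationStatus(cert, candidate, true, false);
                    return true;
                } catch (CertPathValidatorException e) {
                    badKeys.add(candidate);
                }
            }
        } catch (Exception e) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyWithSeparateSigningKey() got exception " + e);
            }
            return false;
        }
    }

    /**
     * Builds a path from the checker's trust anchor to a certificate whose
     * subject is {@code cert}'s issuer, whose KeyUsage includes cRLSign and whose
     * key is not in {@code badKeys}; every certificate on that path is itself
     * revocation-checked before the target key is returned.
     *
     * @param cert          certificate a CRL signer is sought for
     * @param badKeys       keys already tried and rejected
     * @param stackedCerts  circular-dependency stack, or null; {@code cert} is
     *                      pushed onto a copy for the nested checks
     * @return public key of the built path's target certificate
     * @throws CertPathBuilderException if no such path exists, or wrapping any
     *         I/O, algorithm, parameter or revocation failure along the way
     */
    private PublicKey buildToNewKey(X509Certificate cert, Set<PublicKey> badKeys, Set<X509Certificate> stackedCerts)
            throws CertPathBuilderException {
        if (debug != null) {
            debug.println("CrlRevocationChecker.buildToNewKey() starting work");
        }
        try {
            RejectKeySelector selector = new RejectKeySelector(badKeys);
            selector.setSubject(cert.getIssuerX500Principal().getName());
            selector.setKeyUsage(mCrlSignUsage);

            PKIXBuilderParameters builderParams;
            if (mParams instanceof PKIXBuilderParameters) {
                builderParams = (PKIXBuilderParameters) mParams.clone();
                builderParams.setTargetCertConstraints(selector);
                builderParams.setPolicyQualifiersRejected(true);
            } else {
                builderParams = new PKIXBuilderParameters(mParams.getTrustAnchors(), selector);
                builderParams.setInitialPolicies(mParams.getInitialPolicies());
                builderParams.setCertStores(mParams.getCertStores());
                builderParams.setExplicitPolicyRequired(mParams.isExplicitPolicyRequired());
                builderParams.setPolicyMappingInhibited(mParams.isPolicyMappingInhibited());
                builderParams.setAnyPolicyInhibited(mParams.isAnyPolicyInhibited());
                builderParams.setDate(mParams.getDate());
                builderParams.setCertPathCheckers(mParams.getCertPathCheckers());
                builderParams.setSigProvider(mParams.getSigProvider());
            }

            if (mInitPubKey != null) {
                // Only anchors holding the key this checker started from may root
                // the CRL-signer path.
                Set<TrustAnchor> matching = new HashSet<TrustAnchor>();
                for (TrustAnchor anchor : builderParams.getTrustAnchors()) {
                    PublicKey anchorKey = anchor.getCAPublicKey();
                    if (anchorKey == null) {
                        anchorKey = anchor.getTrustedCert().getPublicKey();
                    }
                    if (anchorKey.equals(mInitPubKey)) {
                        matching.add(anchor);
                    }
                }
                builderParams.setTrustAnchors(matching);
            }
            // Revocation of the built path is checked by hand below.
            builderParams.setRevocationEnabled(false);
            if (mExtraCerts != null) {
                builderParams.addCertStore(
                        CertStore.getInstance("Collection", new CollectionCertStoreParameters(mExtraCerts)));
            }

            CertPathBuilder builder = CertPathBuilder.getInstance(Validator.TYPE_PKIX);
            if (debug != null) {
                debug.println("CrlRevocationChecker.buildToNewKey() about to try build ...");
            }
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(builderParams);
            if (debug != null) {
                debug.println("CrlRevocationChecker.buildToNewKey() about to check revocation ...");
            }

            Set<X509Certificate> stack = stackedCerts == null
                    ? new HashSet<X509Certificate>()
                    : new HashSet<X509Certificate>(stackedCerts);
            stack.add(cert);

            TrustAnchor anchor = result.getTrustAnchor();
            PublicKey prevKey = anchor.getCAPublicKey();
            if (prevKey == null) {
                prevKey = anchor.getTrustedCert().getPublicKey();
            }
            boolean signFlag = true;
            // The built path lists the target first, so walk it from the end to
            // check anchor-side certificates before the ones they issue.
            List<? extends Certificate> path = result.getCertPath().getCertificates();
            for (int i = path.size() - 1; i >= 0; i--) {
                X509Certificate pathCert = (X509Certificate) path.get(i);
                if (debug != null) {
                    debug.println("CrlRevocationChecker.buildToNewKey() index " + i + " checking " + pathCert);
                }
                verifyRevocationStatus(pathCert, prevKey, signFlag, true, stack);
                // The flag for the next iteration describes pathCert, whose key
                // becomes prevKey.  The original evaluated cRLSign on `cert` (the
                // certificate we are finding a signer for) here, so an
                // intermediate lacking cRLSign could be treated as a CRL signer.
                signFlag = certCanSignCrl(pathCert);
                prevKey = pathCert.getPublicKey();
            }

            if (debug != null) {
                debug.println("CrlRevocationChecker.buildToNewKey() got key " + result.getPublicKey());
            }
            return result.getPublicKey();
        } catch (IOException e) {
            throw new CertPathBuilderException(e);
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertPathBuilderException(e);
        } catch (NoSuchAlgorithmException e) {
            throw new CertPathBuilderException(e);
        } catch (CertPathValidatorException e) {
            throw new CertPathBuilderException(e);
        }
    }

    /**
     * Human-readable name of a CRLReason code for error messages.  Code 7 is
     * unassigned and, like anything outside 0..8, maps to "unrecognized".
     */
    private static String reasonToString(int reasonCode) {
        switch (reasonCode) {
            case 0:
                return "unspecified";
            case 1:
                return "key compromise";
            case 2:
                return "CA compromise";
            case 3:
                return "affiliation changed";
            case 4:
                return ReasonFlags.SUPERSEDED;
            case 5:
                return "cessation of operation";
            case REASON_CERTIFICATE_HOLD:
                return "certificate hold";
            case REASON_REMOVE_FROM_CRL:
                return "remove from CRL";
            default:
                return "unrecognized reason code";
        }
    }

    /**
     * Decides whether a candidate CRL may be used to judge certificates of
     * {@code issuer}: its issuer name must match, it must verify under
     * {@code issuerKey}, its {@code nextUpdate} (if present) must not precede
     * the validation time, and it must carry no critical extensions.  A CRL with
     * unrecognized critical extensions is dropped rather than failing validation
     * outright (RFC 3280 5.2: such a CRL must not be used, but others may be).
     *
     * @return true if the CRL is acceptable; false if it should be ignored
     */
    private boolean verifyPossibleCRL(X509CRL crl, X500Principal issuer, PublicKey issuerKey) {
        if (!crl.getIssuerX500Principal().equals(issuer)) {
            if (debug != null) {
                debug.println("CRL issuer does not match cert issuer");
            }
            return false;
        }
        try {
            crl.verify(issuerKey, mSigProvider);
        } catch (Exception e) {
            // verify() can fail with several checked and unchecked types; all mean "unusable".
            if (debug != null) {
                debug.println("CRL signature failed to verify");
                e.printStackTrace();
            }
            return false;
        }
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null && nextUpdate.before(mCurrentTime)) {
            if (debug != null) {
                debug.println("discarding stale CRL (nextUpdate is before required validation time)");
            }
            return false;
        }
        Set<String> critExts = crl.getCriticalExtensionOIDs();
        if (critExts != null && !critExts.isEmpty()) {
            // Previously this threw, but the throw was caught by the method's own
            // catch block and logged as a signature failure; make the drop explicit.
            if (debug != null) {
                debug.println("discarding CRL with unrecognized critical extension(s): " + critExts);
            }
            return false;
        }
        return true;
    }
}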
