package iaik.x509;

import iaik.asn1.ObjectID;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.BasicConstraints;
import iaik.x509.extensions.CRLDistributionPoints;
import iaik.x509.extensions.CRLNumber;
import iaik.x509.extensions.ExtendedKeyUsage;
import iaik.x509.extensions.IssuerAltName;
import iaik.x509.extensions.KeyUsage;
import iaik.x509.extensions.PolicyConstraints;
import iaik.x509.extensions.PolicyMappings;
import iaik.x509.extensions.ReasonCode;
import iaik.x509.extensions.SubjectAltName;
import iaik.x509.extensions.SubjectKeyIdentifier;
import iaik.x509.extensions.netscape.NetscapeBaseUrl;
import iaik.x509.extensions.netscape.NetscapeCaPolicyUrl;
import iaik.x509.extensions.netscape.NetscapeCaRevocationUrl;
import iaik.x509.extensions.netscape.NetscapeCertRenewalUrl;
import iaik.x509.extensions.netscape.NetscapeComment;
import iaik.x509.extensions.netscape.NetscapeRevocationUrl;
import iaik.x509.extensions.netscape.NetscapeSSLServerName;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.util.Enumeration;
import java.util.Vector;

/* loaded from: input_file:119465-06/SUNWamsci/reloc/SUNWam/lib/iaik_jce_full.jar:iaik/x509/ChainVerifier.class */
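/**
 * Base class for verifying an X.509 certificate chain against a set of trusted
 * certificates supplied by a subclass through {@link #isTrustedCertificate}.
 *
 * <p>What the visible code checks for each certificate: name chaining (subject DN of the
 * issuer equals issuer DN of the issued certificate), the signature over the issued
 * certificate, a limited set of extensions (see {@link #checkExtensions}), and the
 * validity period of every certificate that is not itself trusted.
 *
 * <p>What the visible code does not do: no revocation lookup (CRL/OCSP) is performed here,
 * and the extensions listed in {@link #isRecognizedExtension} are accepted without being
 * enforced. Callers that need those guarantees must add them on top of this class.
 */
public abstract class ChainVerifier {
    // Obfuscated constants left by the decompiler; nothing in this class reads them.
    private static final boolean a = false;
    private static final boolean b = false;

    // Key usage bit required on issuer certificates. The error message raised when it is
    // missing says "certificate signing", so this is presumably keyCertSign -- confirm
    // against the KeyUsage class before replacing the literal with a named constant there.
    private static final int KEY_CERT_SIGN_BIT = 32;

    /**
     * Walks the chain from index 0 upwards until a trusted certificate is found.
     *
     * <p>Index 0 is treated as the end-entity certificate and each following index as the
     * issuer of the previous one. When {@code z} is {@code true} the array is reversed
     * first (into a copy; the caller's array is not modified).
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>The result is {@code false}, not an exception, when the chain is well formed
     *       but contains no trusted certificate (this includes an empty array). Callers
     *       must treat {@code false} as a verification failure.</li>
     *   <li>{@code checkValidity()} is only reached for certificates that are not
     *       trusted; the validity period of the trusted certificate itself is not
     *       checked here.</li>
     *   <li>Processing stops at the first trusted certificate, so certificates after it
     *       in the array are never inspected.</li>
     * </ul>
     *
     * @param x509CertificateArr the chain to verify
     * @param z {@code true} if the array is ordered root-first and must be reversed
     * @return {@code true} if a trusted certificate was reached, {@code false} otherwise
     * @throws CertificateException if name chaining, a signature, an extension check or a
     *         validity check fails; failures of the signature machinery are wrapped with
     *         the original exception attached as the cause
     */
    public boolean verifyChain(java.security.cert.X509Certificate[] x509CertificateArr, boolean z) throws CertificateException {
        int count = x509CertificateArr.length;
        java.security.cert.X509Certificate[] chain = x509CertificateArr;
        if (z) {
            chain = new java.security.cert.X509Certificate[count];
            for (int k = 0; k < count; k++) {
                chain[k] = x509CertificateArr[(count - k) - 1];
            }
        }
        for (int idx = 0; idx < count; idx++) {
            java.security.cert.X509Certificate current = chain[idx];
            try {
                if (idx > 0) {
                    java.security.cert.X509Certificate issued = chain[idx - 1];
                    if (!current.getSubjectDN().equals(issued.getIssuerDN())) {
                        throw new CertificateException("Certificate chain broken: not linked correctly");
                    }
                    issued.verify(current.getPublicKey());
                }
                // A self-issued certificate must also carry a valid signature by its own key.
                // verify() declares checked exceptions other than CertificateException, so it
                // has to sit inside the try block for this method to honour its throws clause.
                if (current.getSubjectDN().equals(current.getIssuerDN())) {
                    current.verify(current.getPublicKey());
                }
            } catch (CertificateException e) {
                throw e;
            } catch (Exception e) {
                // Keep the cause: without it a bad signature, an unsupported algorithm and a
                // null array element are indistinguishable in logs.
                throw new CertificateException("Error in certificate chain", e);
            }
            checkExtensions(chain, idx);
            if (isTrustedCertificate(current)) {
                return true;
            }
            current.checkValidity();
        }
        return false;
    }

    /**
     * Verifies a chain that is already ordered end-entity first.
     *
     * @param x509CertificateArr the chain to verify, end-entity certificate at index 0
     * @return {@code true} if a trusted certificate was reached, {@code false} otherwise
     * @throws CertificateException if any check performed by
     *         {@link #verifyChain(java.security.cert.X509Certificate[], boolean)} fails
     */
    public boolean verifyChain(java.security.cert.X509Certificate[] x509CertificateArr) throws CertificateException {
        return verifyChain(x509CertificateArr, false);
    }

    /**
     * Builds an ordered chain for {@code x509Certificate} out of an unordered pool.
     *
     * <p>Starting from the given certificate, the first pool entry whose subject DN equals
     * the current issuer DN is appended, until a certificate whose subject and issuer DN
     * are equal is reached. Each pool entry is used at most once, which also bounds the
     * loop. The pool array passed in is not modified.
     *
     * <p>Ordering is by distinguished name only; no signature is checked here. The result
     * carries no trust on its own and still has to be passed to {@code verifyChain}.
     *
     * @param x509Certificate the certificate the chain starts with
     * @param x509CertificateArr candidate issuer certificates, in any order
     * @return the ordered chain, starting with {@code x509Certificate} and ending with a
     *         certificate whose subject and issuer DN are equal
     * @throws CertificateException if no pool entry matches an issuer DN before such a
     *         certificate is reached
     */
    public static java.security.cert.X509Certificate[] orderCertificateChain(java.security.cert.X509Certificate x509Certificate, java.security.cert.X509Certificate[] x509CertificateArr) throws CertificateException {
        java.security.cert.X509Certificate[] pool = x509CertificateArr.clone();
        // The chain can never be longer than the start certificate plus every pool entry.
        java.security.cert.X509Certificate[] ordered = new java.security.cert.X509Certificate[pool.length + 1];
        int count = 0;
        ordered[count++] = x509Certificate;
        java.security.cert.X509Certificate current = x509Certificate;
        while (true) {
            Principal subjectDN = current.getSubjectDN();
            Principal issuerDN = current.getIssuerDN();
            if (subjectDN.equals(issuerDN)) {
                java.security.cert.X509Certificate[] result = new java.security.cert.X509Certificate[count];
                System.arraycopy(ordered, 0, result, 0, count);
                return result;
            }
            java.security.cert.X509Certificate issuer = null;
            for (int k = 0; k < pool.length; k++) {
                if (pool[k] != null && pool[k].getSubjectDN().equals(issuerDN)) {
                    issuer = pool[k];
                    // Consume the entry so a DN cycle in the pool cannot loop forever.
                    pool[k] = null;
                    break;
                }
            }
            if (issuer == null) {
                throw new CertificateException("Certificate chain incomplete, no certificate found for " + issuerDN);
            }
            ordered[count++] = issuer;
            current = issuer;
        }
    }

    /**
     * Decides whether a certificate is a trust anchor for this verifier.
     *
     * @param x509Certificate the certificate to look up
     * @return {@code true} if the certificate is trusted
     * @throws CertificateException if the implementation cannot make the decision
     */
    public abstract boolean isTrustedCertificate(java.security.cert.X509Certificate x509Certificate) throws CertificateException;

    /**
     * Checks the extensions of the certificate at position {@code i} of the chain.
     *
     * <p>Enforced here: BasicConstraints (CA flag and path length) and KeyUsage
     * (certificate signing for issuer positions), each only when the extension is present,
     * plus rejection of critical extensions that are not in the recognized list.
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>Only instances of this package's {@code X509Certificate} are inspected. Any
     *       other {@code java.security.cert.X509Certificate} implementation passes
     *       without a single extension check.</li>
     *   <li>A certificate at an issuer position ({@code i > 0}) that carries no
     *       BasicConstraints extension is not rejected, because the CA check only runs
     *       when the extension is found. NOTE(review): consider requiring
     *       BasicConstraints with the CA flag set for every issuer position that is not a
     *       trust anchor; that is a behavior change and belongs in a subclass override or
     *       a deliberate API revision.</li>
     *   <li>Recognized extensions other than the two above are skipped even when marked
     *       critical; see {@link #isRecognizedExtension}.</li>
     * </ul>
     *
     * @param x509CertificateArr the chain, end-entity certificate at index 0
     * @param i index of the certificate to check
     * @throws CertificateException if an enforced extension is violated or an
     *         unrecognized critical extension is present
     */
    protected void checkExtensions(java.security.cert.X509Certificate[] x509CertificateArr, int i) throws CertificateException {
        if (!(x509CertificateArr[i] instanceof X509Certificate)) {
            return;
        }
        Enumeration extensions = ((X509Certificate) x509CertificateArr[i]).listExtensions();
        if (extensions == null) {
            return;
        }
        while (extensions.hasMoreElements()) {
            V3Extension extension = (V3Extension) extensions.nextElement();
            ObjectID oid = extension.getObjectID();
            if (oid.equals(BasicConstraints.oid)) {
                checkBasicConstraints((BasicConstraints) extension, i);
            } else if (oid.equals(KeyUsage.oid)) {
                KeyUsage keyUsage = (KeyUsage) extension;
                if (i > 0 && (keyUsage.get() & KEY_CERT_SIGN_BIT) == 0) {
                    throw new CertificateException("Extension error: keyusage does not allow certificate signing");
                }
            } else if (!isRecognizedExtension(oid) && extension.isCritical()) {
                throw new CertificateException("Unhandled CRITICAL extension: " + extension.getObjectID());
            }
        }
    }

    /** Enforces the CA flag and path length constraint for the certificate at position {@code i}. */
    private static void checkBasicConstraints(BasicConstraints basicConstraints, int i) throws CertificateException {
        if (!basicConstraints.ca()) {
            if (i != 0) {
                throw new CertificateException("Extension error: certificate at index " + i + " is marked as non-CA certificate");
            }
            return;
        }
        if (i == 0) {
            throw new CertificateException("Extension error: certificate at index 0 is marked CA certificate");
        }
        // -1 is treated as "no constraint" by this code. The certificate at index i has
        // i - 1 issuer certificates between it and the end-entity certificate.
        int pathLenConstraint = basicConstraints.getPathLenConstraint();
        if (pathLenConstraint != -1 && pathLenConstraint < i - 1) {
            throw new CertificateException("Extension error: pathLenConstraint violated!");
        }
    }

    /**
     * Tells whether an extension is on the list that is let through when critical.
     *
     * <p>Being on this list means "not rejected", not "enforced": nothing in this class
     * evaluates the content of these extensions.
     */
    private static boolean isRecognizedExtension(ObjectID oid) {
        return oid.equals(AuthorityKeyIdentifier.oid)
                || oid.equals(CRLDistributionPoints.oid)
                || oid.equals(CRLNumber.oid)
                || oid.equals(ExtendedKeyUsage.oid)
                || oid.equals(IssuerAltName.oid)
                || oid.equals(PolicyMappings.oid)
                || oid.equals(ReasonCode.oid)
                || oid.equals(PolicyConstraints.oid)
                || oid.equals(SubjectAltName.oid)
                || oid.equals(SubjectKeyIdentifier.oid)
                || oid.equals(NetscapeBaseUrl.oid)
                || oid.equals(NetscapeCaPolicyUrl.oid)
                || oid.equals(NetscapeCaRevocationUrl.oid)
                || oid.equals(NetscapeCertRenewalUrl.oid)
                || oid.equals(NetscapeComment.oid)
                || oid.equals(NetscapeRevocationUrl.oid)
                || oid.equals(NetscapeSSLServerName.oid);
    }
}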
