package by.avest.crypto.certpath;

import by.avest.certstore.GeneralCertPathException;
import by.avest.certstore.Util;
import by.avest.certstore.X509CRLSelector;
import by.avest.certstore.X509CertSelector;
import by.avest.crypto.x509.X509AttributeCertificate;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertSelector;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.provider.certpath.AdjacencyList;
import sun.security.provider.certpath.BuildStep;
import sun.security.provider.certpath.SunCertPathBuilderException;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.X509CRLEntryImpl;

/* loaded from: input_file:by/avest/crypto/certpath/PKIXAttrCertPathValidator.class */
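/**
 * PKIX-style validator for X.509 attribute certificates (ACs).
 *
 * <p>The attribute certificate under test is not part of the supplied
 * {@link CertPath}; it travels inside the {@link X509CertSelector} that is set
 * as the target-certificate constraints of the {@link PKIXBuilderParameters}.
 * The {@link CertPath} itself is the certification path of the AC issuer.
 * {@link #engineValidate} performs, in this order:
 * <ol>
 *   <li>builds (and thereby validates) a path for the holder's public key
 *       certificate;</li>
 *   <li>validates the AC issuer path with the standard "PKIX" validator;</li>
 *   <li>checks the AC issuer's end certificate for the key-usage and
 *       basic-constraints requirements of an AC issuer;</li>
 *   <li>checks the AC's own validity period;</li>
 *   <li>when revocation checking is enabled, looks the AC up in the freshest
 *       issuer CRL whose signature can be verified.</li>
 * </ol>
 *
 * <p>The class holds no instance state and is therefore safe to share
 * between threads.
 */
public class PKIXAttrCertPathValidator extends CertPathValidatorSpi {
    // CRLReason values as enumerated in RFC 5280; value 7 is unused there.
    static final int UNSPECIFIED = 0;
    static final int KEY_COMPROMISE = 1;
    static final int CA_COMPROMISE = 2;
    // Spelling kept as-is: the name is package-visible and may be referenced elsewhere.
    static final int AFFLIATION_CHANGED = 3;
    static final int SUPERSEDED = 4;
    static final int CESSATION_OF_OPERATION = 5;
    static final int CERTIFICATE_HOLD = 6;
    static final int REMOVE_FROM_CRL = 8;
    static final int PRIVILEGE_WITHDRAWN = 9;
    static final int AA_COMPROMISE = 10;
    // Message prefix used to recognise "revocation status unknown" failures
    // (ours and those recorded by the builder) so they are not mistaken for
    // an ordinary path-building failure.
    private static final String DETERMINE_REVOCATION_STATUS_MSG = "Could not determine revocation status";

    /**
     * Validates an attribute certificate together with its issuer's path.
     *
     * @param certPath the certification path of the attribute certificate
     *        issuer; its first certificate is the AC issuer's own certificate
     * @param certPathParameters must be a {@link PKIXBuilderParameters} whose
     *        target constraints are an {@link X509CertSelector} carrying the
     *        attribute certificate to validate
     * @return the result of validating the issuer path with the "PKIX" validator
     * @throws InvalidAlgorithmParameterException if the parameters are not of
     *         the required shape
     * @throws CertPathValidatorException if the path is empty, the holder path
     *         cannot be built, the issuer path or issuer certificate fails
     *         validation, the AC is outside its validity period, or (with
     *         revocation enabled) the AC is revoked or its status is unknown
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        if (Util.isDebug()) {
            Util.log(Util.getClassName(this) + ".engineValidate(" + Util.getClassName(certPathParameters) + ")");
        }
        if (!(certPathParameters instanceof PKIXBuilderParameters)) {
            throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName());
        }
        PKIXBuilderParameters params = (PKIXBuilderParameters) certPathParameters;
        CertSelector targetConstraints = params.getTargetCertConstraints();
        if (!(targetConstraints instanceof X509CertSelector)) {
            throw new InvalidAlgorithmParameterException("Parameters must have targetCertConstraints field with type " + X509CertSelector.class.getName());
        }
        X509AttributeCertificate attrCert = ((X509CertSelector) targetConstraints).getAttributeCertificate();
        if (attrCert == null) {
            throw new InvalidAlgorithmParameterException("Parameters must have targetCertConstraints field attribute certificae field");
        }
        // The issuer certificate is read at index 0 below; report an empty path
        // explicitly instead of letting an IndexOutOfBoundsException escape.
        if (certPath.getCertificates().isEmpty()) {
            throw new CertPathValidatorException("Certificate path of the attribute certificate issuer is empty");
        }
        try {
            buildHolderCertPath(params, attrCert);
            CertPathValidatorResult issuerPathResult = validateIssuerCertPath(certPath, params);
            validateIssuerCertificate(certPath, (X509Certificate) certPath.getCertificates().get(0), 0);
            checkAttributeCertificateValidity(attrCert, params.getDate());
            if (params.isRevocationEnabled()) {
                checkRevocation(attrCert, params, certPath);
            }
            return issuerPathResult;
        } catch (GeneralCertPathException e) {
            throw new CertPathValidatorException(e.getMessage(), e);
        }
    }

    /**
     * Checks the attribute certificate against the CRLs of its issuer.
     *
     * <p>Candidate CRLs are selected by the AC issuer name and the validation
     * date; a candidate is kept only if its signature verifies under one of
     * the keys returned by {@link #findIssuerValidKeys}. Of the kept CRLs the
     * one with the latest {@code thisUpdate} is consulted (freshness against
     * {@code nextUpdate} is presumably enforced by the selector's date filter;
     * confirm in {@link X509CRLSelector}). An entry for the AC serial number
     * means the AC is revoked. An entry carrying a critical extension other
     * than reasonCode or certificateIssuer is reported as "status
     * undetermined" rather than being interpreted.
     *
     * @throws CertPathValidatorException if no CRL is available, none can be
     *         verified, the AC is revoked, or its status cannot be determined
     */
    private void checkRevocation(X509AttributeCertificate attrCert, PKIXBuilderParameters params, CertPath certPath) throws CertPathValidatorException {
        X509CRLSelector crlSelector = new X509CRLSelector();
        crlSelector.setDateAndTime(params.getDate());
        crlSelector.setAttributeCertificateChecking(attrCert);
        X500Principal issuerName = Util.getX500Principal(attrCert.getIssuer().getIssuerName());
        if (issuerName != null) {
            try {
                crlSelector.addIssuerName(issuerName.getEncoded());
            } catch (IOException e) {
                throw new CertPathValidatorException(e.getMessage(), e);
            }
        }
        Set<X509CRL> candidates = Util.findCRLs(params, crlSelector);
        if (candidates.isEmpty()) {
            throw new CertPathValidatorException("No CRLs found for attribute certificate issuer");
        }
        // Keep only CRLs with a verifiable signature; remember the last failure for diagnostics.
        GeneralCertPathException lastFailure = null;
        Set<X509CRL> verified = new HashSet<>();
        for (X509CRL crl : candidates) {
            try {
                verifyCRL(crl, findIssuerValidKeys(crl, certPath, params));
                verified.add(crl);
            } catch (GeneralCertPathException e) {
                lastFailure = e;
            }
        }
        if (verified.isEmpty()) {
            if (lastFailure != null) {
                throw new CertPathValidatorException(lastFailure.getMessage(), lastFailure);
            }
            throw new CertPathValidatorException("Could not find valid CRL");
        }
        X509CRL freshest = null;
        for (X509CRL crl : verified) {
            if (freshest == null || crl.getThisUpdate().after(freshest.getThisUpdate())) {
                freshest = crl;
            }
        }
        X509CRLEntry entry = freshest.getRevokedCertificate(attrCert.getSerialNumber().getNumber());
        if (entry == null) {
            return;
        }
        try {
            X509CRLEntryImpl entryImpl = X509CRLEntryImpl.toImpl(entry);
            Integer reasonCode = entryImpl.getReasonCode();
            int reason = reasonCode == null ? UNSPECIFIED : reasonCode.intValue();
            Set<String> criticalOids = entryImpl.getCriticalExtensionOIDs();
            if (criticalOids != null && !criticalOids.isEmpty()) {
                // Work on a copy so the entry's own extension view is left untouched.
                Set<String> unknownCritical = new HashSet<>(criticalOids);
                unknownCritical.remove(PKIXExtensions.ReasonCode_Id.toString());
                unknownCritical.remove(PKIXExtensions.CertificateIssuer_Id.toString());
                if (!unknownCritical.isEmpty()) {
                    throw new CertPathValidatorException(DETERMINE_REVOCATION_STATUS_MSG);
                }
            }
            throw new CertPathValidatorException("Certificate has been revoked, reason: " + reasonToString(reason));
        } catch (CertPathValidatorException e) {
            // Our own verdicts pass through unchanged; previously they were
            // re-wrapped, which buried the message one level down.
            throw e;
        } catch (Exception e) {
            // Entry decoding / extension access failures.
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Maps a CRLReason value to a human-readable label.
     *
     * <p>Covers every value the class declares a constant for, including
     * privilegeWithdrawn and aACompromise (the latter being the reason most
     * relevant to attribute certificates); anything else, including the
     * unused value 7, is reported as unrecognised.
     */
    private static String reasonToString(int reasonCode) {
        switch (reasonCode) {
            case UNSPECIFIED:
                return "unspecified";
            case KEY_COMPROMISE:
                return "key compromise";
            case CA_COMPROMISE:
                return "CA compromise";
            case AFFLIATION_CHANGED:
                return "affiliation changed";
            case SUPERSEDED:
                return "superseded";
            case CESSATION_OF_OPERATION:
                return "cessation of operation";
            case CERTIFICATE_HOLD:
                return "certificate hold";
            case REMOVE_FROM_CRL:
                return "remove from CRL";
            case PRIVILEGE_WITHDRAWN:
                return "privilege withdrawn";
            case AA_COMPROMISE:
                return "AA compromise";
            default:
                return "unrecognized reason code";
        }
    }

    /**
     * Verifies the CRL signature against each candidate key in turn.
     *
     * @return the first key under which the signature verifies
     * @throws GeneralCertPathException if no key verifies; the cause is the
     *         last verification failure, or {@code null} if {@code keys} was empty
     */
    private PublicKey verifyCRL(X509CRL crl, Set<PublicKey> keys) throws GeneralCertPathException {
        Exception lastFailure = null;
        for (PublicKey key : keys) {
            try {
                crl.verify(key);
                return key;
            } catch (Exception e) {
                lastFailure = e;
            }
        }
        throw new GeneralCertPathException("Cannot verify CRL", lastFailure);
    }

    /**
     * Collects the public keys that are allowed to have signed {@code crl}.
     *
     * <p>Every certificate in the parameters' cert stores whose subject equals
     * the CRL issuer is chained to a trust anchor with the "PKIX" builder. The
     * key of a chained certificate is accepted only if the certificate has no
     * key-usage extension or has its cRLSign bit (index 6) set. Revocation
     * checking for the candidate's own path is turned off when the candidate
     * is already part of the AC issuer path being validated, presumably
     * because that path is validated with revocation in
     * {@link #validateIssuerCertPath} anyway — confirm. Note that a build
     * failure for any single candidate aborts the whole lookup rather than
     * moving on to the next candidate.
     *
     * @throws GeneralCertPathException if a candidate cannot be chained, if no
     *         chained candidate may sign CRLs, or if no candidate exists
     */
    private Set<PublicKey> findIssuerValidKeys(X509CRL crl, CertPath certPath, PKIXBuilderParameters params) throws GeneralCertPathException {
        X509CertSelector issuerSelector = new X509CertSelector();
        try {
            issuerSelector.setSubject(crl.getIssuerX500Principal().getEncoded());
            Set<X509Certificate> candidates = Util.findCerts(issuerSelector, params);
            Set<PublicKey> keys = new HashSet<>();
            GeneralCertPathException keyUsageFailure = null;
            for (X509Certificate candidate : candidates) {
                X509CertSelector exactMatch = new X509CertSelector();
                exactMatch.setCertificate(candidate);
                PKIXBuilderParameters candidateParams = (PKIXBuilderParameters) params.clone();
                candidateParams.setTargetCertConstraints(exactMatch);
                candidateParams.setRevocationEnabled(!certPath.getCertificates().contains(candidate));
                try {
                    X509Certificate chained = (X509Certificate) CertPathBuilder.getInstance("PKIX").build(candidateParams).getCertPath().getCertificates().get(0);
                    boolean[] keyUsage = chained.getKeyUsage();
                    // cRLSign is key-usage bit 6; an absent extension imposes no restriction.
                    if (keyUsage == null || (keyUsage.length >= 7 && keyUsage[6])) {
                        keys.add(chained.getPublicKey());
                    } else {
                        keyUsageFailure = new GeneralCertPathException("Issuer certificate key usage extension does not permit CRL signing");
                    }
                } catch (Exception e) {
                    throw new GeneralCertPathException(e.getMessage(), e);
                }
            }
            if (!keys.isEmpty()) {
                return keys;
            }
            if (keyUsageFailure == null) {
                throw new GeneralCertPathException("Could not find valid issuer certificate");
            }
            throw keyUsageFailure;
        } catch (IOException e) {
            throw new GeneralCertPathException(e.getMessage(), e);
        }
    }

    /**
     * Checks that the attribute certificate is within its validity period.
     *
     * @param date the validation time, or {@code null} for "now"
     * @throws CertPathValidatorException if the AC is expired or not yet valid
     */
    private void checkAttributeCertificateValidity(X509AttributeCertificate attrCert, Date date) throws CertPathValidatorException {
        try {
            if (date == null) {
                attrCert.checkValidity();
            } else {
                attrCert.checkValidity(date);
            }
        } catch (CertificateExpiredException e) {
            throw new CertPathValidatorException("Attribute certificate is expired", e);
        } catch (CertificateNotYetValidException e) {
            throw new CertPathValidatorException("Attribute certificate is not yet valid", e);
        }
    }

    /**
     * Applies the AC-issuer requirements to the issuer's end certificate.
     *
     * <p>If a key-usage extension is present, digitalSignature (bit 0) or
     * nonRepudiation (bit 1) must be set, otherwise the key could not have
     * produced the AC signature. The certificate must also not be a CA
     * ({@code getBasicConstraints() == -1}): an AC issuer is not permitted
     * to issue public key certificates.
     *
     * @param certPath path reported in the exception
     * @param issuerCert end certificate of the AC issuer
     * @param index position of {@code issuerCert} in {@code certPath}, reported in the exception
     */
    private void validateIssuerCertificate(CertPath certPath, X509Certificate issuerCert, int index) throws CertPathValidatorException {
        boolean[] keyUsage = issuerCert.getKeyUsage();
        if (keyUsage != null && keyUsage.length >= 2 && !keyUsage[0] && !keyUsage[1]) {
            throw new CertPathValidatorException("Attribute certificate issuer public key cannot be used to validate digital signatures", null, certPath, index);
        }
        if (issuerCert.getBasicConstraints() != -1) {
            throw new CertPathValidatorException("Attribute certificate should not be able to issue public key certificates", null, certPath, index);
        }
    }

    /**
     * Validates the AC issuer's certification path with the standard "PKIX"
     * validator.
     *
     * <p>The parameters are cloned with the target constraints cleared: those
     * constraints carry the attribute certificate selector, which the stock
     * validator would otherwise apply to the issuer's end certificate.
     */
    private CertPathValidatorResult validateIssuerCertPath(CertPath certPath, PKIXBuilderParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        try {
            CertPathValidator pkixValidator = CertPathValidator.getInstance("PKIX");
            PKIXBuilderParameters issuerParams = (PKIXBuilderParameters) params.clone();
            issuerParams.setTargetCertConstraints(null);
            return pkixValidator.validate(certPath, issuerParams);
        } catch (NoSuchAlgorithmException e) {
            throw new CertPathValidatorException(e.getMessage(), e);
        }
    }

    /**
     * Builds a certification path for the holder of the attribute certificate.
     *
     * <p>Holder candidates are the certificates in the parameters' cert stores
     * matched by the attribute-certificate-aware {@link X509CertSelector}.
     * Each candidate is chained with the "PKIX" builder, which validates the
     * path as part of building it. Every candidate must chain: a build failure
     * for any of them fails the whole check, and the path of the last
     * candidate is the one returned.
     *
     * <p>When the Sun builder records an undetermined revocation status for
     * one of its build steps, that is reported as such immediately so a CRL
     * outage is not reported as "no holder path found".
     *
     * @return the built holder path (the caller currently discards it)
     * @throws CertPathValidatorException if no holder certificate is found, a
     *         build fails, or the "PKIX" builder is unavailable
     */
    private CertPath buildHolderCertPath(PKIXBuilderParameters params, X509AttributeCertificate attrCert) throws GeneralCertPathException, CertPathValidatorException, InvalidAlgorithmParameterException {
        X509CertSelector holderSelector = new X509CertSelector();
        holderSelector.setAttributeCertificate(attrCert);
        Set<X509Certificate> holderCerts = Util.findCerts(holderSelector, params);
        if (holderCerts.isEmpty()) {
            throw new CertPathValidatorException("Could not find holder public key certificate for specified attribute certificate");
        }
        CertPathBuilderException buildFailure = null;
        CertPathBuilderResult buildResult = null;
        for (X509Certificate holderCert : holderCerts) {
            X509CertSelector exactMatch = new X509CertSelector();
            exactMatch.setCertificate(holderCert);
            PKIXBuilderParameters holderParams = (PKIXBuilderParameters) params.clone();
            holderParams.setTargetCertConstraints(exactMatch);
            try {
                buildResult = CertPathBuilder.getInstance("PKIX").build(holderParams);
            } catch (SunCertPathBuilderException e) {
                // Subclass of CertPathBuilderException: must be caught first.
                AdjacencyList steps = e.getAdjacencyList();
                if (steps != null) {
                    for (BuildStep step : steps) {
                        Throwable stepFailure = step.getThrowable();
                        if (stepFailure != null && isRevocationUnavailable(stepFailure)) {
                            throw new CertPathValidatorException(stepFailure.getMessage(), e);
                        }
                    }
                }
                buildFailure = e;
            } catch (CertPathBuilderException e) {
                buildFailure = e;
            } catch (NoSuchAlgorithmException e) {
                throw new CertPathValidatorException(e.getMessage(), e);
            }
        }
        if (buildFailure != null) {
            throw new CertPathValidatorException(buildFailure.getMessage(), buildFailure);
        }
        return buildResult.getCertPath();
    }

    /**
     * Tells whether {@code th} is a validator failure that reports an unknown
     * revocation status, recognised by its message prefix.
     */
    private boolean isRevocationUnavailable(Throwable th) {
        return (th instanceof CertPathValidatorException) && th.getMessage() != null && th.getMessage().startsWith(DETERMINE_REVOCATION_STATUS_MSG);
    }
}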
