package defpackage;

import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.q;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
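/**
 * PKIX certification-path checker that applies algorithm constraints to X.509 chains.
 *
 * <p>For every certificate it is given, the checker verifies that the certificate's
 * signature algorithm (together with its parameters and the issuer's public key) is
 * permitted by the supplied constraints object and, when FIPS mode was requested, that
 * the public key passes {@code n(PublicKey)}. The static entry points {@code a(...)} and
 * {@code b(...)} additionally check the first certificate's ExtendedKeyUsage and KeyUsage.
 *
 * <p>Identifier names are obfuscated because this is decompiled output.
 * NOTE(review): the structure looks like Bouncy Castle JSSE's {@code ProvAlgorithmChecker};
 * confirm against the library version actually shipped before relying on upstream docs.
 *
 * <p>An instance remembers the previously checked certificate in a plain field, so a
 * single instance should not be shared between concurrent validations.
 */
public class zb6 extends PKIXCertPathChecker {
    /** Signature-algorithm OID to JCA name, for OIDs whose name is fixed here. */
    private static final Map<String, String> SIG_ALG_NAMES = createSigAlgNames();
    /** Signature-algorithm OIDs for which a DER NULL parameter block counts as "no parameters". */
    private static final Set<String> SIG_ALG_NO_PARAMS = createSigAlgNoParams();
    /** DER encoding of ASN.1 NULL (tag 0x05, length 0x00). */
    private static final byte[] DER_NULL_ENCODING = {5, 0};
    // Names produced by sq3.v(jcaName, keyAlgorithm); the exact format is defined by that
    // helper, which is not visible in this file.
    private static final String SIG_SHA256_MGF1_PSS_KEY = sq3.v("SHA256withRSAandMGF1", "RSASSA-PSS");
    private static final String SIG_SHA384_MGF1_PSS_KEY = sq3.v("SHA384withRSAandMGF1", "RSASSA-PSS");
    private static final String SIG_SHA512_MGF1_PSS_KEY = sq3.v("SHA512withRSAandMGF1", "RSASSA-PSS");
    private static final String SIG_SHA256_MGF1_RSA_KEY = sq3.v("SHA256withRSAandMGF1", "RSA");
    private static final String SIG_SHA384_MGF1_RSA_KEY = sq3.v("SHA384withRSAandMGF1", "RSA");
    private static final String SIG_SHA512_MGF1_RSA_KEY = sq3.v("SHA512withRSAandMGF1", "RSA");

    /** When true, {@link #check} rejects public keys that fail {@code n(PublicKey)}. */
    private final boolean fipsMode;
    /** Provider helper used to create {@link AlgorithmParameters} instances. */
    private final ol3 helper;
    /** Constraints consulted for every signature algorithm and public key. */
    private final jt algorithmConstraints;
    /** Certificate seen by the previous {@link #check} call; used as issuer of the next one. */
    private X509Certificate issuerCert;

    /**
     * Creates a checker.
     *
     * @param z       whether FIPS public-key restrictions are enforced
     * @param ol3Var  helper used to create algorithm parameters; must not be null
     * @param jtVar   algorithm constraints to enforce; must not be null
     * @throws NullPointerException if {@code ol3Var} or {@code jtVar} is null
     */
    public zb6(boolean z, ol3 ol3Var, jt jtVar) {
        if (ol3Var == null) {
            throw new NullPointerException("'helper' cannot be null");
        }
        if (jtVar == null) {
            throw new NullPointerException("'algorithmConstraints' cannot be null");
        }
        this.fipsMode = z;
        this.helper = ol3Var;
        this.algorithmConstraints = jtVar;
        this.issuerCert = null;
    }

    /**
     * Checks the parts of a chain this class covers outside the per-certificate pass:
     * the signature algorithm of the second-to-last certificate against the last
     * certificate's public key (when the chain has more than one element), then the
     * usages of the first certificate.
     *
     * @param x509CertificateArr chain with the certificate under test first
     * @param dw3Var             required ExtendedKeyUsage, or null to skip that check
     * @param i2                 required KeyUsage bit index, or negative to skip that check
     * @throws CertPathValidatorException if the chain is empty or any check fails
     */
    public static void a(ol3 ol3Var, jt jtVar, X509Certificate[] x509CertificateArr, dw3 dw3Var, int i2) throws CertPathValidatorException {
        requireNonEmptyChain(x509CertificateArr);
        int last = x509CertificateArr.length - 1;
        if (last > 0) {
            checkIssuedBy(ol3Var, jtVar, x509CertificateArr[last - 1], x509CertificateArr[last]);
        }
        checkEndEntity(ol3Var, jtVar, x509CertificateArr[0], dw3Var, i2);
    }

    /**
     * Runs the full algorithm check over a chain.
     *
     * <p>Trailing certificates contained in {@code set} are skipped (presumably these are
     * the certificates the caller already trusts; verify against the caller). The first
     * skipped certificate, if any, acts as issuer of the certificate before it; when none
     * is skipped, the last certificate is checked on its own. The remaining certificates
     * are then fed to a fresh checker from the end of the chain towards index 0, and the
     * usages of the first certificate are checked last.
     *
     * @param z                  whether FIPS public-key restrictions are enforced
     * @param set                certificates to skip at the tail of the chain
     * @param x509CertificateArr chain with the certificate under test first
     * @param dw3Var             required ExtendedKeyUsage, or null to skip that check
     * @param i2                 required KeyUsage bit index, or negative to skip that check
     * @throws CertPathValidatorException if the chain is empty or any check fails
     */
    public static void b(boolean z, ol3 ol3Var, jt jtVar, Set<X509Certificate> set, X509Certificate[] x509CertificateArr, dw3 dw3Var, int i2) throws CertPathValidatorException {
        requireNonEmptyChain(x509CertificateArr);
        int toCheck = x509CertificateArr.length;
        while (toCheck > 0 && set.contains(x509CertificateArr[toCheck - 1])) {
            toCheck--;
        }
        if (toCheck < x509CertificateArr.length) {
            X509Certificate firstSkipped = x509CertificateArr[toCheck];
            if (toCheck > 0) {
                checkIssuedBy(ol3Var, jtVar, x509CertificateArr[toCheck - 1], firstSkipped);
            }
        } else {
            checkIssued(ol3Var, jtVar, x509CertificateArr[toCheck - 1]);
        }
        zb6 checker = new zb6(z, ol3Var, jtVar);
        checker.init(false);
        for (int idx = toCheck - 1; idx >= 0; idx--) {
            checker.check(x509CertificateArr[idx], Collections.<String>emptySet());
        }
        checkEndEntity(ol3Var, jtVar, x509CertificateArr[0], dw3Var, i2);
    }

    /**
     * Rejects a null or empty chain with a validation error, so callers fail through the
     * declared exception instead of an ArrayIndexOutOfBoundsException.
     */
    private static void requireNonEmptyChain(X509Certificate[] chain) throws CertPathValidatorException {
        if (chain == null || chain.length == 0) {
            throw new CertPathValidatorException("Certificate chain must contain at least one certificate");
        }
    }

    /**
     * Checks the usages of the first certificate of a chain: ExtendedKeyUsage when
     * {@code requiredEku} is non-null, and KeyUsage plus key permission when
     * {@code keyUsageBit} is non-negative.
     */
    private static void checkEndEntity(ol3 helper, jt constraints, X509Certificate cert, dw3 requiredEku, int keyUsageBit) throws CertPathValidatorException {
        if (requiredEku != null && !p(cert, requiredEku)) {
            throw new CertPathValidatorException("Certificate doesn't support '" + h(requiredEku) + "' ExtendedKeyUsage");
        }
        if (keyUsageBit < 0) {
            return;
        }
        if (!r(cert, keyUsageBit)) {
            throw new CertPathValidatorException("Certificate doesn't support '" + i(keyUsageBit) + "' KeyUsage");
        }
        if (!constraints.permits(j(keyUsageBit), cert.getPublicKey())) {
            throw new CertPathValidatorException("Public key not permitted for '" + i(keyUsageBit) + "' KeyUsage");
        }
    }

    /**
     * Checks a certificate's signature algorithm and parameters when no issuer
     * certificate is available.
     */
    private static void checkIssued(ol3 helper, jt constraints, X509Certificate cert) throws CertPathValidatorException {
        String sigAlgName = k(cert, null);
        // sq3.Q is opaque here; presumably it rejects null/empty names (confirm).
        if (!sq3.Q(sigAlgName)) {
            throw new CertPathValidatorException("Signature algorithm could not be determined");
        }
        if (!constraints.permits(sq3.i, sigAlgName, l(helper, cert))) {
            throw new CertPathValidatorException("Signature algorithm '" + sigAlgName + "' not permitted with given parameters");
        }
    }

    /**
     * Checks a certificate's signature algorithm and parameters together with the public
     * key of the certificate that issued it.
     */
    private static void checkIssuedBy(ol3 helper, jt constraints, X509Certificate subject, X509Certificate issuer) throws CertPathValidatorException {
        String sigAlgName = k(subject, issuer);
        // sq3.Q is opaque here; presumably it rejects null/empty names (confirm).
        if (!sq3.Q(sigAlgName)) {
            throw new CertPathValidatorException("Signature algorithm could not be determined");
        }
        if (!constraints.permits(sq3.i, sigAlgName, issuer.getPublicKey(), l(helper, subject))) {
            throw new CertPathValidatorException("Signature algorithm '" + sigAlgName + "' not permitted with given parameters and issuer public key");
        }
    }

    /** Builds the fixed OID-to-name table consulted first by {@code k(...)}. */
    private static Map<String, String> createSigAlgNames() {
        Map<String, String> names = new HashMap<>(4);
        names.put(fu1.d.D(), "Ed25519");
        names.put(fu1.e.D(), "Ed448");
        names.put(zc5.j.D(), "SHA1withDSA");
        names.put(lm9.s5.D(), "SHA1withDSA");
        return Collections.unmodifiableMap(names);
    }

    /** Builds the set of OIDs for which a DER NULL parameter block is ignored by {@code l(...)}. */
    private static Set<String> createSigAlgNoParams() {
        Set<String> oids = new HashSet<>();
        oids.add(zc5.j.D());
        oids.add(lm9.s5.D());
        oids.add(am5.d1.D());
        return Collections.unmodifiableSet(oids);
    }

    /** Returns a printable name for an ExtendedKeyUsage value, used in error messages. */
    static String h(dw3 dw3Var) {
        if (dw3.e.equals(dw3Var)) {
            return "clientAuth";
        }
        if (dw3.d.equals(dw3Var)) {
            return "serverAuth";
        }
        return "(" + dw3Var + ")";
    }

    /**
     * Returns a printable name for a KeyUsage bit index (the index into the array
     * returned by {@link X509Certificate#getKeyUsage()}), used in error messages.
     */
    static String i(int i2) {
        switch (i2) {
            case 0:
                return "digitalSignature";
            case 2:
                return "keyEncipherment";
            case 4:
                return "keyAgreement";
            default:
                return "(" + i2 + ")";
        }
    }

    /**
     * Selects the set passed to the constraints object for a KeyUsage bit index:
     * {@code sq3.h} for 2, {@code sq3.g} for 4, {@code sq3.i} for anything else.
     */
    static Set<lt> j(int i2) {
        if (i2 == 2) {
            return sq3.h;
        }
        if (i2 == 4) {
            return sq3.g;
        }
        return sq3.i;
    }

    /**
     * Determines the signature algorithm name of a certificate.
     *
     * <p>OIDs in the fixed table map to their fixed name. Any OID other than
     * {@code am5.d1} yields the certificate's own {@code getSigAlgName()}. For
     * {@code am5.d1} the name is derived from the digest in the signature parameters and
     * from what the signing certificate's key supports; the constants involved suggest
     * this is the RSASSA-PSS case (confirm).
     *
     * @param x509Certificate  certificate whose signature algorithm is wanted
     * @param x509Certificate2 issuer certificate, or null to inspect the certificate's own key
     * @return the algorithm name, or null when it cannot be determined; within this class
     *         both callers reject the result unless {@code sq3.Q(...)} accepts it
     */
    static String k(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        String sigAlgOID = x509Certificate.getSigAlgOID();
        String fixedName = SIG_ALG_NAMES.get(sigAlgOID);
        if (fixedName != null) {
            return fixedName;
        }
        if (!am5.d1.D().equals(sigAlgOID)) {
            return x509Certificate.getSigAlgName();
        }
        of6 sigParams = of6.m(x509Certificate.getSigAlgParams());
        if (sigParams == null) {
            return null;
        }
        q digestOid = sigParams.l().l();
        if (digestOid == null) {
            return null;
        }
        // The key that produced the signature belongs to the issuer when one is supplied.
        X509Certificate signerCert = (x509Certificate2 != null) ? x509Certificate2 : x509Certificate;
        try {
            rl3 signer = new rl3((sl3) null, signerCert);
            // The short arguments look like TLS SignatureAlgorithm code points
            // (9..11 for the RSASSA-PSS key variants, 4..6 for the RSA key variants) - confirm.
            if (m15.c.r(digestOid)) {
                if (signer.z((short) 9)) {
                    return SIG_SHA256_MGF1_PSS_KEY;
                }
                if (signer.z((short) 4)) {
                    return SIG_SHA256_MGF1_RSA_KEY;
                }
            } else if (m15.d.r(digestOid)) {
                if (signer.z((short) 10)) {
                    return SIG_SHA384_MGF1_PSS_KEY;
                }
                if (signer.z((short) 5)) {
                    return SIG_SHA384_MGF1_RSA_KEY;
                }
            } else if (m15.e.r(digestOid)) {
                if (signer.z((short) 11)) {
                    return SIG_SHA512_MGF1_PSS_KEY;
                }
                if (signer.z((short) 6)) {
                    return SIG_SHA512_MGF1_RSA_KEY;
                }
            }
        } catch (IOException ignored) {
            // Deliberately ignored: falling through returns null, i.e. "name unknown".
        }
        return null;
    }

    /**
     * Decodes the signature-algorithm parameters of a certificate.
     *
     * <p>The provider lookup and the decoding are two separate {@code try} blocks on
     * purpose. {@link CertPathValidatorException} is a {@link GeneralSecurityException},
     * so if the decoding were nested inside the lookup's {@code try}, the lookup's
     * {@code catch} would swallow the decoding failure and return null, and undecodable
     * parameters would reach the constraints check as "no parameters".
     *
     * @param ol3Var          helper used to create the {@link AlgorithmParameters}
     * @param x509Certificate certificate whose parameters are decoded
     * @return the decoded parameters; null when the certificate carries none, when they
     *         are a DER NULL for an OID in the no-parameters set, or when the helper
     *         cannot create parameters for the OID
     * @throws CertPathValidatorException if the parameters are present but cannot be decoded
     */
    static AlgorithmParameters l(ol3 ol3Var, X509Certificate x509Certificate) throws CertPathValidatorException {
        byte[] encoded = x509Certificate.getSigAlgParams();
        if (encoded == null) {
            return null;
        }
        String sigAlgOID = x509Certificate.getSigAlgOID();
        if (SIG_ALG_NO_PARAMS.contains(sigAlgOID) && so.e(DER_NULL_ENCODING, encoded)) {
            return null;
        }
        AlgorithmParameters params;
        try {
            params = ol3Var.k(sigAlgOID);
        } catch (GeneralSecurityException ignored) {
            // No parameters implementation for this OID: treated as "no parameters".
            return null;
        }
        try {
            params.init(encoded);
        } catch (Exception e2) {
            throw new CertPathValidatorException(e2);
        }
        return params;
    }

    /**
     * Public-key test applied in FIPS mode.
     *
     * <p>Keys whose algorithm OID is not {@code lm9.H4} pass. Keys with that OID pass only
     * when their algorithm parameters are present and are an instance of the obfuscated
     * {@code org.bouncycastle.asn1.q} type (presumably an object identifier, i.e. a named
     * curve on an EC key; confirm). Any parsing failure yields false.
     */
    static boolean n(PublicKey publicKey) {
        try {
            ab algId = g48.n(publicKey.getEncoded()).l();
            if (!lm9.H4.r(algId.l())) {
                return true;
            }
            InterfaceC0593x params = algId.o();
            return params != null && params.g() instanceof q;
        } catch (Exception ignored) {
            // Fail closed: a key that cannot be parsed is not accepted.
            return false;
        }
    }

    /**
     * Returns whether a key may be used for the given KeyUsage bit: the usage array must
     * allow it and the constraints must permit the key.
     */
    public static boolean o(PublicKey publicKey, boolean[] zArr, int i2, jt jtVar) {
        if (!s(zArr, i2)) {
            return false;
        }
        return jtVar.permits(j(i2), publicKey);
    }

    /**
     * Returns whether the certificate allows the given ExtendedKeyUsage; a certificate
     * whose extension cannot be parsed is treated as not allowing it.
     */
    static boolean p(X509Certificate x509Certificate, dw3 dw3Var) {
        try {
            return q(x509Certificate.getExtendedKeyUsage(), dw3Var);
        } catch (CertificateParsingException ignored) {
            return false;
        }
    }

    /**
     * Returns whether an ExtendedKeyUsage OID list allows the given usage. A null list
     * (no extension) allows everything; otherwise the list must contain the usage itself
     * or {@code dw3.c} (presumably anyExtendedKeyUsage; confirm).
     */
    static boolean q(List<String> list, dw3 dw3Var) {
        if (list == null) {
            return true;
        }
        return list.contains(dw3Var.l()) || list.contains(dw3.c.l());
    }

    /** Returns whether the certificate's KeyUsage extension allows the given bit index. */
    static boolean r(X509Certificate x509Certificate, int i2) {
        return s(x509Certificate.getKeyUsage(), i2);
    }

    /**
     * Returns whether a KeyUsage bit array allows the given bit index. A null array (no
     * extension) allows everything; an array too short for the index does not. A negative
     * index with a non-null array throws ArrayIndexOutOfBoundsException.
     */
    public static boolean s(boolean[] zArr, int i2) {
        if (zArr == null) {
            return true;
        }
        return zArr.length > i2 && zArr[i2];
    }

    /**
     * Checks one certificate and remembers it as issuer of the next one.
     *
     * @throws CertPathValidatorException if the certificate is not X.509, its key fails
     *         the FIPS test while FIPS mode is on, or its signature algorithm is not
     *         permitted with the previously checked certificate's public key
     */
    @Override
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        if (!(certificate instanceof X509Certificate)) {
            throw new CertPathValidatorException("checker can only be used for X.509 certificates");
        }
        X509Certificate subject = (X509Certificate) certificate;
        if (this.fipsMode && !n(subject.getPublicKey())) {
            throw new CertPathValidatorException("non-FIPS public key found");
        }
        X509Certificate issuer = this.issuerCert;
        if (issuer != null) {
            checkIssuedBy(this.helper, this.algorithmConstraints, subject, issuer);
        }
        this.issuerCert = subject;
    }

    /** Returns null: this checker does not process any certificate extensions itself. */
    @Override
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Resets the checker for a new path.
     *
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.issuerCert = null;
    }

    /** Returns false: certificates must be presented in reverse order. */
    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }
}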
