package org.bouncycastle.jsse.provider;

import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: classes2.dex */
public class i0 extends PKIXCertPathChecker {
    public static final Map f = i();
    public static final Set g = j();
    public static final byte[] h = {5, 0};
    public static final String i = a0.v("SHA256withRSAandMGF1", "RSASSA-PSS");
    public static final String j = a0.v("SHA384withRSAandMGF1", "RSASSA-PSS");
    public static final String k = a0.v("SHA512withRSAandMGF1", "RSASSA-PSS");
    public static final String l = a0.v("SHA256withRSAandMGF1", "RSA");
    public static final String m = a0.v("SHA384withRSAandMGF1", "RSA");
    public static final String n = a0.v("SHA512withRSAandMGF1", "RSA");
    public final boolean b;
    public final org.bouncycastle.jcajce.util.b c;
    public final org.bouncycastle.jsse.java.security.a d;
    public X509Certificate e;

    public i0(boolean z, org.bouncycastle.jcajce.util.b bVar, org.bouncycastle.jsse.java.security.a aVar) {
        if (bVar == null) {
            throw new NullPointerException("'helper' cannot be null");
        }
        if (aVar == null) {
            throw new NullPointerException("'algorithmConstraints' cannot be null");
        }
        this.b = z;
        this.c = bVar;
        this.d = aVar;
        this.e = null;
    }

    public static void c(org.bouncycastle.jcajce.util.b bVar, org.bouncycastle.jsse.java.security.a aVar, X509Certificate[] x509CertificateArr, org.bouncycastle.asn1.x509.f fVar, int i2) {
        X509Certificate x509Certificate = x509CertificateArr[x509CertificateArr.length - 1];
        if (x509CertificateArr.length > 1) {
            h(bVar, aVar, x509CertificateArr[x509CertificateArr.length - 2], x509Certificate);
        }
        e(bVar, aVar, x509CertificateArr[0], fVar, i2);
    }

    public static void d(boolean z, org.bouncycastle.jcajce.util.b bVar, org.bouncycastle.jsse.java.security.a aVar, Set set, X509Certificate[] x509CertificateArr, org.bouncycastle.asn1.x509.f fVar, int i2) {
        int length = x509CertificateArr.length;
        while (length > 0 && set.contains(x509CertificateArr[length - 1])) {
            length--;
        }
        if (length < x509CertificateArr.length) {
            X509Certificate x509Certificate = x509CertificateArr[length];
            if (length > 0) {
                h(bVar, aVar, x509CertificateArr[length - 1], x509Certificate);
            }
        } else {
            g(bVar, aVar, x509CertificateArr[length - 1]);
        }
        i0 i0Var = new i0(z, bVar, aVar);
        i0Var.init(false);
        for (int i3 = length - 1; i3 >= 0; i3--) {
            i0Var.check(x509CertificateArr[i3], Collections.emptySet());
        }
        e(bVar, aVar, x509CertificateArr[0], fVar, i2);
    }

    public static void e(org.bouncycastle.jcajce.util.b bVar, org.bouncycastle.jsse.java.security.a aVar, X509Certificate x509Certificate, org.bouncycastle.asn1.x509.f fVar, int i2) {
        if (fVar != null && !r(x509Certificate, fVar)) {
            throw new CertPathValidatorException("Certificate doesn't support '" + k(fVar) + "' ExtendedKeyUsage");
        }
        if (i2 >= 0) {
            if (!t(x509Certificate, i2)) {
                throw new CertPathValidatorException("Certificate doesn't support '" + l(i2) + "' KeyUsage");
            }
            if (aVar.permits(m(i2), x509Certificate.getPublicKey())) {
                return;
            }
            throw new CertPathValidatorException("Public key not permitted for '" + l(i2) + "' KeyUsage");
        }
    }

    public static void g(org.bouncycastle.jcajce.util.b bVar, org.bouncycastle.jsse.java.security.a aVar, X509Certificate x509Certificate) {
        String n2 = n(x509Certificate, null);
        if (!a0.Q(n2)) {
            throw new CertPathValidatorException("Signature algorithm could not be determined");
        }
        if (aVar.permits(a0.i, n2, o(bVar, x509Certificate))) {
            return;
        }
        throw new CertPathValidatorException("Signature algorithm '" + n2 + "' not permitted with given parameters");
    }

    public static void h(org.bouncycastle.jcajce.util.b bVar, org.bouncycastle.jsse.java.security.a aVar, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        String n2 = n(x509Certificate, x509Certificate2);
        if (!a0.Q(n2)) {
            throw new CertPathValidatorException("Signature algorithm could not be determined");
        }
        if (aVar.permits(a0.i, n2, x509Certificate2.getPublicKey(), o(bVar, x509Certificate))) {
            return;
        }
        throw new CertPathValidatorException("Signature algorithm '" + n2 + "' not permitted with given parameters and issuer public key");
    }

    public static Map i() {
        HashMap hashMap = new HashMap(4);
        hashMap.put(org.bouncycastle.asn1.edec.a.d.z(), "Ed25519");
        hashMap.put(org.bouncycastle.asn1.edec.a.e.z(), "Ed448");
        hashMap.put(org.bouncycastle.asn1.oiw.a.j.z(), "SHA1withDSA");
        hashMap.put(org.bouncycastle.asn1.x9.e.X0.z(), "SHA1withDSA");
        return Collections.unmodifiableMap(hashMap);
    }

    public static Set j() {
        HashSet hashSet = new HashSet();
        hashSet.add(org.bouncycastle.asn1.oiw.a.j.z());
        hashSet.add(org.bouncycastle.asn1.x9.e.X0.z());
        hashSet.add(org.bouncycastle.asn1.pkcs.a.k.z());
        return Collections.unmodifiableSet(hashSet);
    }

    public static String k(org.bouncycastle.asn1.x509.f fVar) {
        if (org.bouncycastle.asn1.x509.f.f.equals(fVar)) {
            return "clientAuth";
        }
        if (org.bouncycastle.asn1.x509.f.e.equals(fVar)) {
            return "serverAuth";
        }
        return "(" + fVar + ")";
    }

    public static String l(int i2) {
        if (i2 == 0) {
            return "digitalSignature";
        }
        if (i2 == 2) {
            return "keyEncipherment";
        }
        if (i2 == 4) {
            return "keyAgreement";
        }
        return "(" + i2 + ")";
    }

    public static Set m(int i2) {
        return i2 != 2 ? i2 != 4 ? a0.i : a0.g : a0.h;
    }

    public static String n(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        org.bouncycastle.asn1.u i2;
        String sigAlgOID = x509Certificate.getSigAlgOID();
        String str = (String) f.get(sigAlgOID);
        if (str != null) {
            return str;
        }
        if (!org.bouncycastle.asn1.pkcs.a.k.z().equals(sigAlgOID)) {
            return x509Certificate.getSigAlgName();
        }
        org.bouncycastle.asn1.pkcs.c j2 = org.bouncycastle.asn1.pkcs.c.j(x509Certificate.getSigAlgParams());
        if (j2 != null && (i2 = j2.i().i()) != null) {
            if (x509Certificate2 != null) {
                x509Certificate = x509Certificate2;
            }
            try {
                org.bouncycastle.tls.crypto.impl.jcajce.g gVar = new org.bouncycastle.tls.crypto.impl.jcajce.g((org.bouncycastle.tls.crypto.impl.jcajce.h) null, x509Certificate);
                if (org.bouncycastle.asn1.nist.b.c.o(i2)) {
                    if (gVar.z((short) 9)) {
                        return i;
                    }
                    if (gVar.z((short) 4)) {
                        return l;
                    }
                } else if (org.bouncycastle.asn1.nist.b.d.o(i2)) {
                    if (gVar.z((short) 10)) {
                        return j;
                    }
                    if (gVar.z((short) 5)) {
                        return m;
                    }
                } else if (org.bouncycastle.asn1.nist.b.e.o(i2)) {
                    if (gVar.z((short) 11)) {
                        return k;
                    }
                    if (gVar.z((short) 6)) {
                        return n;
                    }
                }
            } catch (IOException unused) {
            }
        }
        return null;
    }

    public static AlgorithmParameters o(org.bouncycastle.jcajce.util.b bVar, X509Certificate x509Certificate) {
        byte[] sigAlgParams = x509Certificate.getSigAlgParams();
        if (sigAlgParams == null) {
            return null;
        }
        String sigAlgOID = x509Certificate.getSigAlgOID();
        if (g.contains(sigAlgOID) && org.bouncycastle.util.a.d(h, sigAlgParams)) {
            return null;
        }
        try {
            AlgorithmParameters g2 = bVar.g(sigAlgOID);
            try {
                g2.init(sigAlgParams);
                return g2;
            } catch (Exception e) {
                throw new CertPathValidatorException(e);
            }
        } catch (GeneralSecurityException unused) {
            return null;
        }
    }

    public static boolean p(PublicKey publicKey) {
        try {
            org.bouncycastle.asn1.x509.a i2 = org.bouncycastle.asn1.x509.g.j(publicKey.getEncoded()).i();
            if (!org.bouncycastle.asn1.x9.e.m0.o(i2.i())) {
                return true;
            }
            org.bouncycastle.asn1.g l2 = i2.l();
            if (l2 != null) {
                return l2.b() instanceof org.bouncycastle.asn1.u;
            }
            return false;
        } catch (Exception unused) {
            return false;
        }
    }

    public static boolean q(PublicKey publicKey, boolean[] zArr, int i2, org.bouncycastle.jsse.java.security.a aVar) {
        return u(zArr, i2) && aVar.permits(m(i2), publicKey);
    }

    public static boolean r(X509Certificate x509Certificate, org.bouncycastle.asn1.x509.f fVar) {
        try {
            return s(x509Certificate.getExtendedKeyUsage(), fVar);
        } catch (CertificateParsingException unused) {
            return false;
        }
    }

    public static boolean s(List list, org.bouncycastle.asn1.x509.f fVar) {
        return list == null || list.contains(fVar.i()) || list.contains(org.bouncycastle.asn1.x509.f.d.i());
    }

    public static boolean t(X509Certificate x509Certificate, int i2) {
        return u(x509Certificate.getKeyUsage(), i2);
    }

    public static boolean u(boolean[] zArr, int i2) {
        return zArr == null || (zArr.length > i2 && zArr[i2]);
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection collection) {
        if (!(certificate instanceof X509Certificate)) {
            throw new CertPathValidatorException("checker can only be used for X.509 certificates");
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;
        if (this.b && !p(x509Certificate.getPublicKey())) {
            throw new CertPathValidatorException("non-FIPS public key found");
        }
        X509Certificate x509Certificate2 = this.e;
        if (x509Certificate2 != null) {
            h(this.c, this.d, x509Certificate, x509Certificate2);
        }
        this.e = x509Certificate;
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public Set getSupportedExtensions() {
        return null;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.e = null;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }
}
