package com.sun.net.ssl.internal.ssl;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.NetscapeCertTypeExtension;

/* compiled from: DashoA6275 */
/* loaded from: input_file:com/sun/net/ssl/internal/ssl/X509TrustManagerImpl.class */
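/**
 * X.509 trust manager backed by the certificates of a single {@link KeyStore}.
 *
 * <p>A presented chain is accepted as soon as one of its certificates (after
 * {@link #normalizeChain normalisation}) is found in the trusted set. Before that point
 * every certificate has its critical extensions checked, must name the next certificate
 * as its issuer and must verify under the next certificate's public key.
 *
 * <p>Limits visible in this class that a deployer should know about:
 * <ul>
 *   <li>No revocation check (CRL/OCSP) is performed anywhere in this class.</li>
 *   <li>Key usage, extended key usage, path length and Netscape cert type are evaluated
 *       only when the extension is marked critical.</li>
 *   <li>An issuer certificate that carries no basic-constraints extension at all is not
 *       required to be a CA. Only an explicit {@code cA=false} is rejected, see
 *       {@link #validate}.</li>
 *   <li>The first certificate of every key entry in the key store becomes a trust anchor,
 *       see the constructor.</li>
 * </ul>
 * NOTE(review): where full RFC 5280 path validation is required, validate the chain with
 * {@code java.security.cert.CertPathValidator} ("PKIX") instead of relying on this class.
 *
 * <p>Instances are populated in the constructor and not modified afterwards.
 */
final class X509TrustManagerImpl implements X509TrustManager {
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Index of keyCertSign in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_CERT_SIGN = 5;

    private static final Debug debug = Debug.getInstance("ssl");

    /** Every trusted certificate; membership here ends chain validation successfully. */
    private final Collection<X509Certificate> trustedCerts = new HashSet<X509Certificate>();

    /** The same trusted certificates, grouped by subject name for issuer lookups. */
    private final Map<X500Principal, List<X509Certificate>> trustedBySubject =
            new HashMap<X500Principal, List<X509Certificate>>();

    /**
     * Loads the trust anchors from {@code keyStore}.
     *
     * <p>Every X.509 certificate entry is trusted. In addition, for every key entry the
     * first certificate of its chain is trusted as well, so a key store that also holds
     * the application's own identity makes that identity certificate a trust anchor for
     * peers. NOTE(review): use a dedicated trust store without key entries if that is not
     * intended.
     *
     * @param keyStore source of trusted certificates; {@code null} yields a manager that
     *                 trusts nothing
     * @throws KeyStoreException if the key store has not been initialised
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public X509TrustManagerImpl(KeyStore keyStore) throws KeyStoreException {
        if (keyStore == null) {
            return;
        }
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (keyStore.isCertificateEntry(alias)) {
                Certificate cert = keyStore.getCertificate(alias);
                if (cert instanceof X509Certificate) {
                    if (debugOn()) {
                        System.out.println("adding as trusted cert: " + cert);
                    }
                    addTrusted((X509Certificate) cert);
                }
            } else if (keyStore.isKeyEntry(alias)) {
                Certificate[] chain = keyStore.getCertificateChain(alias);
                if (chain != null && chain.length > 0 && chain[0] instanceof X509Certificate) {
                    if (debugOn()) {
                        System.out.println("adding private entry as trusted cert: " + chain[0]);
                    }
                    addTrusted((X509Certificate) chain[0]);
                }
            }
        }
    }

    /** Returns whether "trustmanager" debug output is enabled. */
    private static boolean debugOn() {
        return debug != null && Debug.isOn("trustmanager");
    }

    /** Registers {@code cert} in the trusted set and in the by-subject index. */
    private void addTrusted(X509Certificate cert) {
        this.trustedCerts.add(cert);
        X500Principal subject = cert.getSubjectX500Principal();
        List<X509Certificate> sameSubject = this.trustedBySubject.get(subject);
        if (sameSubject == null) {
            sameSubject = new ArrayList<X509Certificate>();
            this.trustedBySubject.put(subject, sameSubject);
        }
        sameSubject.add(cert);
    }

    /**
     * Validates a client chain. The authentication type is prefixed with {@code "Client."}
     * so that the leaf checks select client key usage and the clientAuth purpose.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        validate(x509CertificateArr, "Client." + str);
    }

    /** Validates a server chain for the given key-exchange authentication type. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        validate(x509CertificateArr, str);
    }

    /**
     * Walks the chain from the leaf (index 0) upwards and returns normally once a trusted
     * certificate is reached.
     *
     * <p>Each failure is reported with its own message and with the underlying exception
     * attached as the cause. Previously one catch block around the whole loop body
     * reported name-chaining and signature failures as "failed critical extension check".
     *
     * @param chain    peer-supplied chain, leaf first
     * @param authType authentication type, {@code "Client."}-prefixed for client chains
     * @throws IllegalArgumentException if either argument is null or empty
     * @throws CertificateException     if no trusted certificate is reached or a check fails
     */
    private void validate(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        if (authType == null || authType.length() == 0) {
            throw new IllegalArgumentException("null or zero-length authentication type");
        }
        // An expired certificate makes normalizeChain return an empty array, so the loop
        // is skipped and the final throw rejects the chain.
        X509Certificate[] path = normalizeChain(chain, new Date());
        for (int i = 0; i < path.length; i++) {
            X509Certificate cert = path[i];
            try {
                checkCriticalExtensions(cert, i, authType);
            } catch (Exception e) {
                if (debugOn()) {
                    System.out.println("failed critical extension check: " + cert);
                    System.out.println("ext exception was: " + e);
                }
                throw new CertificateException("failed critical extension check", e);
            }
            if (isTrusted(cert)) {
                if (debugOn()) {
                    System.out.println("stop on trusted cert: " + cert);
                }
                return;
            }
            // Only untrusted, peer-supplied certificates reach this point. One that is
            // used as an issuer (index > 0) while its own basic-constraints extension
            // says cA=false must not be allowed to vouch for the certificate below it.
            if (i > 0 && declaresNonCa(cert)) {
                throw new CertificateException("Certificate chaining error: issuer certificate is not a CA");
            }
            boolean hasNext = i + 1 < path.length;
            // The last certificate is compared with itself: it passes only if self-issued,
            // and the chain is then rejected after the loop because it was not trusted.
            X509Certificate issuer = hasNext ? path[i + 1] : cert;
            if (!cert.getIssuerDN().equals(issuer.getSubjectDN())) {
                throw new CertificateException(hasNext
                        ? "Certificate chaining error: issuer DN != subject DN"
                        : "Could not find trusted certificate");
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) {
                if (debugOn()) {
                    System.out.println("verify failed: " + cert);
                    System.out.println("verify exception was: " + e);
                }
                throw new CertificateException(e.getMessage(), e);
            }
        }
        throw new CertificateException("Couldn't find trusted certificate");
    }

    /**
     * Returns whether {@code cert} carries a basic-constraints extension (critical or not)
     * that marks its subject as not being a CA.
     */
    private static boolean declaresNonCa(X509Certificate cert) {
        return cert.getExtensionValue(OID_BASIC_CONSTRAINTS) != null && cert.getBasicConstraints() < 0;
    }

    /**
     * Prepares the presented chain for validation.
     *
     * <p>Each certificate is replaced by a currently valid trusted certificate with the
     * same subject, issuer and public key when one exists; otherwise it must itself be
     * valid at {@code date}. If the last presented certificate is not self-issued, a
     * valid trusted certificate whose subject is its issuer is appended.
     *
     * @return the input array when nothing changed, a new array when a certificate was
     *         replaced or appended, or an empty array when a certificate is out of date
     */
    private X509Certificate[] normalizeChain(X509Certificate[] chain, Date date) {
        if (chain.length == 0) {
            return chain;
        }
        List<X509Certificate> result = new ArrayList<X509Certificate>(chain.length);
        boolean changed = false;
        for (X509Certificate presented : chain) {
            X509Certificate replacement = findTrustedReplacement(presented, date);
            if (replacement == null) {
                try {
                    presented.checkValidity(date);
                } catch (Exception e) {
                    if (debugOn()) {
                        System.out.println("out of date cert: " + presented);
                    }
                    return new X509Certificate[0];
                }
                result.add(presented);
            } else {
                changed = true;
                if (debugOn()) {
                    System.out.println("updated cert with: " + replacement);
                }
                result.add(replacement);
            }
        }
        // The root lookup uses the certificate as presented, not its replacement.
        X509Certificate last = chain[chain.length - 1];
        if (!last.getIssuerDN().equals(last.getSubjectDN())) {
            X509Certificate root = findTrustedIssuer(last, date);
            if (root != null) {
                if (debugOn()) {
                    System.out.println("add missing root cert: " + root);
                }
                changed = true;
                result.add(root);
            }
        }
        return changed ? result.toArray(new X509Certificate[result.size()]) : chain;
    }

    /** Returns a new array holding every trusted certificate. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustedCerts.toArray(new X509Certificate[this.trustedCerts.size()]);
    }

    /** Returns whether {@code cert} itself is one of the trusted certificates. */
    private boolean isTrusted(X509Certificate cert) {
        return this.trustedCerts.contains(cert);
    }

    /**
     * Finds a different trusted certificate with the same subject, issuer and public key
     * as {@code cert} that is valid at {@code date}, or returns {@code null}.
     *
     * <p>The index is keyed by subject but is queried with the issuer of {@code cert},
     * and the candidate's subject must also equal the subject of {@code cert}; a match is
     * therefore only possible for self-issued certificates.
     */
    private X509Certificate findTrustedReplacement(X509Certificate cert, Date date) {
        X500Principal issuer = cert.getIssuerX500Principal();
        List<X509Certificate> candidates = this.trustedBySubject.get(issuer);
        if (candidates == null) {
            return null;
        }
        X500Principal subject = cert.getSubjectX500Principal();
        PublicKey key = cert.getPublicKey();
        for (X509Certificate candidate : candidates) {
            if (candidate.equals(cert)
                    || !candidate.getSubjectX500Principal().equals(subject)
                    || !candidate.getIssuerX500Principal().equals(issuer)
                    || !candidate.getPublicKey().equals(key)) {
                continue;
            }
            try {
                candidate.checkValidity(date);
                return candidate;
            } catch (Exception ignored) {
                // Candidate is expired or not yet valid; try the next one.
            }
        }
        return null;
    }

    /**
     * Returns the first trusted certificate whose subject is the issuer of {@code cert}
     * and that is valid at {@code date}, or {@code null}. The match is by name only; the
     * signature of {@code cert} is checked against it later in {@link #validate}.
     */
    private X509Certificate findTrustedIssuer(X509Certificate cert, Date date) {
        X500Principal issuer = cert.getIssuerX500Principal();
        List<X509Certificate> candidates = this.trustedBySubject.get(issuer);
        if (candidates == null) {
            return null;
        }
        for (X509Certificate candidate : candidates) {
            if (candidate.getSubjectX500Principal().equals(issuer)) {
                try {
                    candidate.checkValidity(date);
                    return candidate;
                } catch (Exception e) {
                    if (debugOn()) {
                        System.out.println("local root cert is invalid: " + candidate);
                    }
                }
            }
        }
        return null;
    }

    /**
     * Runs the critical-extension checks for the certificate at {@code index}. A
     * certificate without critical extensions passes without any further check.
     */
    private void checkCriticalExtensions(X509Certificate cert, int index, String authType) throws Exception {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        if (critical == null || critical.size() == 0) {
            return;
        }
        rejectUnknownCritical(critical);
        checkPathLength(cert, critical, index);
        if (index == 0) {
            checkLeafPurpose(cert, critical, authType);
        } else {
            checkCaKeyUsage(cert, critical);
        }
        // Applied at every index, the leaf included.
        checkNetscapeCertType(cert, critical);
    }

    /**
     * Rejects any critical extension other than basic constraints, key usage, extended
     * key usage and Netscape cert type.
     */
    private void rejectUnknownCritical(Set<String> critical) throws Exception {
        for (String oid : critical) {
            boolean known = oid.equals(OID_BASIC_CONSTRAINTS)
                    || oid.equals(OID_KEY_USAGE)
                    || oid.equals(OID_EXTENDED_KEY_USAGE)
                    || oid.equals(OID_NETSCAPE_CERT_TYPE);
            if (!known) {
                throw new Exception("Contains unknown critical extensions");
            }
        }
    }

    /**
     * Enforces the path-length constraint of a critical basic-constraints extension: the
     * certificate at {@code index} has {@code index - 1} intermediates below it.
     *
     * <p>NOTE(review): a non-critical path-length constraint is not enforced, and this
     * method does not check the CA flag.
     */
    private void checkPathLength(X509Certificate cert, Set<String> critical, int index) throws Exception {
        if (!critical.contains(OID_BASIC_CONSTRAINTS)) {
            return;
        }
        int pathLen = cert.getBasicConstraints();
        if (pathLen >= 0 && index > 0 && index - 1 > pathLen) {
            throw new Exception("Violated basic constraints");
        }
    }

    /**
     * Checks that the leaf's critical key usage and extended key usage match the
     * authentication type. Key usage index 0 is digitalSignature and index 2 is
     * keyEncipherment. The authentication type is matched by substring.
     */
    private void checkLeafPurpose(X509Certificate cert, Set<String> critical, String authType) throws Exception {
        if (critical.contains(OID_KEY_USAGE)) {
            boolean[] keyUsage = cert.getKeyUsage();
            if (keyUsage == null || keyUsage.length == 0) {
                throw new Exception("Invalid key usage extension.");
            }
            boolean digitalSignature = keyUsage[0];
            boolean keyEncipherment = keyUsage.length >= 3 ? keyUsage[2] : false;
            if (authType.indexOf("Client") != -1) {
                if (!digitalSignature) {
                    throw new Exception("Wrong key usage. Expect digitalSignature.");
                }
            } else if (authType.indexOf("DHE_DSS") != -1) {
                if (!digitalSignature) {
                    throw new Exception("Wrong key usage. Expect digitalSignature");
                }
            } else if (authType.indexOf("DHE_RSA") != -1) {
                if (!digitalSignature) {
                    throw new Exception("Wrong key usage. Expect digitalSignature");
                }
            } else if (authType.indexOf("RSA_EXPORT") != -1) {
                if (!digitalSignature) {
                    throw new Exception("Wrong key usage. Expect digitalSignature.");
                }
            } else if (authType.indexOf("RSA") != -1) {
                if (!keyEncipherment) {
                    throw new Exception("Wrong key usage. Expect keyEncipherment.");
                }
            } else {
                if (authType.indexOf("UNKNOWN") == -1) {
                    throw new Exception("Wrong key usage");
                }
                if (!digitalSignature) {
                    throw new Exception("Wrong key usage. Expect digitalSignature.");
                }
            }
        }
        if (critical.contains(OID_EXTENDED_KEY_USAGE)) {
            List<String> purposes = cert.getExtendedKeyUsage();
            boolean client = authType.indexOf("Client") != -1;
            String required = client ? EKU_CLIENT_AUTH : EKU_SERVER_AUTH;
            // Fail closed with the normal message if the provider returns no list.
            if (purposes == null || !purposes.contains(required)) {
                throw new Exception("Wrong extended key usage.");
            }
        }
    }

    /**
     * Requires keyCertSign on an issuer certificate whose key usage extension is
     * critical. A missing or short key usage array passes.
     */
    private void checkCaKeyUsage(X509Certificate cert, Set<String> critical) throws Exception {
        if (!critical.contains(OID_KEY_USAGE)) {
            return;
        }
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage != null && keyUsage.length > KEY_CERT_SIGN && !keyUsage[KEY_CERT_SIGN]) {
            throw new Exception("Wrong key usage");
        }
    }

    /**
     * Checks a critical Netscape cert type extension: the extension bits mapped onto
     * key-usage positions must have index 5 set when the mapped array is long enough.
     */
    private void checkNetscapeCertType(X509Certificate cert, Set<String> critical) throws Exception {
        if (!critical.contains(OID_NETSCAPE_CERT_TYPE)) {
            return;
        }
        byte[] encoded = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
        if (encoded == null) {
            throw new Exception("Empty NetscapeCertType extension");
        }
        // getExtensionValue returns the value wrapped in an OCTET STRING; unwrap it and
        // hand the inner bit string to the extension parser.
        byte[] bits = new DerValue(new DerInputStream(encoded).getOctetString()).getUnalignedBitString().toByteArray();
        boolean[] mapped = new NetscapeCertTypeExtension(bits).getKeyUsageMappedBits();
        if (mapped != null && mapped.length > KEY_CERT_SIGN && !mapped[KEY_CERT_SIGN]) {
            throw new Exception("Invalid NetscapeCertType extension");
        }
    }
}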
