package sun.security.provider.certpath;

import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.ReasonFlags;
import sun.security.x509.X509CRLEntryImpl;

/* loaded from: input_file:119165-02/patchzip-dps-5.2Patch4--WINNT.zip:nsjre.zip:bin/base/jre/lib/rt.jar:sun/security/provider/certpath/CrlRevocationChecker.class */
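/**
 * PKIX path checker that determines the revocation status of each certificate
 * from CRLs fetched out of a list of {@link CertStore}s.
 *
 * <p>Only reverse checking is supported. The checker carries the public key and
 * the CRL-signing permission of the previously checked certificate
 * ({@code mPrevPubKey}, {@code mCRLSignFlag}) forward to the next call of
 * {@link #check(Certificate, Collection)}.
 *
 * <p>The checker fails closed: when no CRL is found, when no CRL passes
 * {@code verifyPossibleCRL}, or when any lookup error occurs, a
 * {@link CertPathValidatorException} is thrown rather than treating the
 * certificate as good.
 *
 * <p>Instances hold mutable per-path state and per-call scratch sets, and nothing
 * here synchronizes access to them.
 */
class CrlRevocationChecker extends PKIXCertPathChecker {
    private static final Debug debug = Debug.getInstance("certpath");

    // CRL entry reason codes that receive special handling below
    // (names follow the strings returned by reasonToString).
    private static final int REASON_CERTIFICATE_HOLD = 6;
    private static final int REASON_REMOVE_FROM_CRL = 8;

    // Key used to verify CRLs for the first certificate checked.
    private final PublicKey mInitPubKey;
    // CertStore instances queried for CRLs; held by reference, not copied.
    private final List mStores;
    // Provider name handed to X509CRL.verify().
    private final String mSigProvider;
    // Validation time used for CRL selection and the nextUpdate staleness test.
    private final Date mCurrentTime;
    // Public key of the previously checked certificate.
    private PublicKey mPrevPubKey;
    // Whether the previously checked certificate may sign CRLs.
    private boolean mCRLSignFlag;
    // Scratch sets, rebuilt on every verifyRevocationStatus() call.
    private HashSet mPossibleCRLs;
    private HashSet mApprovedCRLs;

    /**
     * Creates a checker and initializes it for reverse checking.
     *
     * @param publicKey key that verifies CRLs covering the first certificate checked
     * @param list      {@link CertStore}s to search for CRLs
     * @param str       signature provider name passed to {@code X509CRL.verify}
     * @param date      validation time, or {@code null} to use the current time
     * @throws CertPathValidatorException declared because {@link #init(boolean)} declares it
     */
    public CrlRevocationChecker(PublicKey publicKey, List list, String str, Date date) throws CertPathValidatorException {
        this.mInitPubKey = publicKey;
        this.mStores = list;
        this.mSigProvider = str;
        // Date is mutable: copy it so the caller cannot move the validation time
        // (and with it the stale-CRL cutoff) after the checker has been built.
        this.mCurrentTime = (date != null) ? new Date(date.getTime()) : new Date();
        init(false);
    }

    /**
     * Resets the per-path state to the initial key with CRL signing allowed.
     *
     * @param z {@code true} requests forward checking, which is rejected
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.mPrevPubKey = this.mInitPubKey;
        this.mCRLSignFlag = true;
    }

    /** Always {@code false}: this checker works in the reverse direction only. */
    @Override // java.security.cert.PKIXCertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** Returns {@code null}: this checker does not process any certificate extension. */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set getSupportedExtensions() {
        return null;
    }

    /**
     * Checks the revocation status of {@code certificate} against CRLs verified
     * with the previous certificate's key, then advances the per-path state.
     *
     * <p>The state is only advanced when the revocation check succeeded; a
     * failure leaves {@code mPrevPubKey} and {@code mCRLSignFlag} untouched.
     *
     * @param certificate certificate to check; cast to {@link X509Certificate}
     *                    without a type test
     * @param collection  unresolved critical extensions; not used here
     * @throws CertPathValidatorException if the certificate is revoked or on hold,
     *                                    or its status cannot be established
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection collection) throws CertPathValidatorException {
        X509Certificate x509Certificate = (X509Certificate) certificate;
        verifyRevocationStatus(x509Certificate, this.mPrevPubKey, this.mCRLSignFlag);
        PublicKey publicKey = x509Certificate.getPublicKey();
        if ((publicKey instanceof DSAPublicKey) && ((DSAPublicKey) publicKey).getParams() == null) {
            // DSA key without its own parameters: take them from the previous key.
            // NOTE(review): relies on BasicChecker.makeInheritedParamsKey, not visible here.
            publicKey = BasicChecker.makeInheritedParamsKey(publicKey, this.mPrevPubKey);
        }
        this.mPrevPubKey = publicKey;
        this.mCRLSignFlag = certCanSignCrl(x509Certificate);
    }

    /**
     * Stateless variant: checks one certificate with an explicit key and
     * CRL-signing flag and leaves the per-path state alone.
     *
     * @param x509Certificate certificate to check
     * @param publicKey       key used to verify the CRLs
     * @param z               whether the holder of {@code publicKey} may sign CRLs
     * @return whether {@code x509Certificate} itself may sign CRLs
     * @throws CertPathValidatorException if the certificate is revoked or on hold,
     *                                    or its status cannot be established
     */
    public boolean check(X509Certificate x509Certificate, PublicKey publicKey, boolean z) throws CertPathValidatorException {
        verifyRevocationStatus(x509Certificate, publicKey, z);
        return certCanSignCrl(x509Certificate);
    }

    /**
     * Tells whether a certificate is allowed to sign CRLs.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when the certificate has no key usage information or
     *         when its cRLSign bit is set; {@code false} when the bit is clear or
     *         the key usage cannot be evaluated
     */
    public boolean certCanSignCrl(X509Certificate x509Certificate) {
        try {
            boolean[] keyUsage = x509Certificate.getKeyUsage();
            if (keyUsage == null) {
                // No key usage extension present: nothing restricts CRL signing.
                return true;
            }
            return ((Boolean) new KeyUsageExtension(keyUsage).get(KeyUsageExtension.CRL_SIGN)).booleanValue();
        } catch (Exception e) {
            // Refuse CRL signing when the key usage cannot be evaluated.
            if (debug != null) {
                debug.println("CrlRevocationChecker.certCanSignCRL() unexpected exception");
                e.printStackTrace();
            }
            return false;
        }
    }

    /**
     * Collects CRLs for the certificate's issuer from every store, keeps those
     * accepted by {@link #verifyPossibleCRL}, and looks the certificate's serial
     * number up in each accepted CRL.
     *
     * @param x509Certificate certificate whose status is checked
     * @param publicKey       key the CRL signatures must verify under
     * @param z               whether the holder of {@code publicKey} may sign CRLs
     * @throws CertPathValidatorException if {@code z} is false, no CRL is found, no
     *         CRL is accepted, the certificate is revoked or on hold, an entry
     *         carries an unrecognized critical extension, or a lookup fails
     */
    private void verifyRevocationStatus(X509Certificate x509Certificate, PublicKey publicKey, boolean z) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...");
        }
        if (!z) {
            throw new CertPathValidatorException("cert can't vouch for CRL");
        }
        X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal();
        this.mPossibleCRLs = new HashSet();
        this.mApprovedCRLs = new HashSet();
        try {
            X509CRLSelector x509CRLSelector = new X509CRLSelector();
            x509CRLSelector.setCertificateChecking(x509Certificate);
            x509CRLSelector.setDateAndTime(this.mCurrentTime);
            x509CRLSelector.addIssuerName(issuerX500Principal.getName(X500Principal.RFC2253));
            for (Iterator stores = this.mStores.iterator(); stores.hasNext();) {
                this.mPossibleCRLs.addAll(((CertStore) stores.next()).getCRLs(x509CRLSelector));
            }
            // Fail closed: without a CRL the status is unknown, not "good".
            if (this.mPossibleCRLs.isEmpty()) {
                throw new CertPathValidatorException("revocation status check failed: no CRL found");
            }
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() crls.size() = " + this.mPossibleCRLs.size());
            }
            for (Iterator candidates = this.mPossibleCRLs.iterator(); candidates.hasNext();) {
                X509CRL candidate = (X509CRL) candidates.next();
                if (verifyPossibleCRL(candidate, issuerX500Principal, publicKey)) {
                    this.mApprovedCRLs.add(candidate);
                }
            }
            if (this.mApprovedCRLs.isEmpty()) {
                throw new CertPathValidatorException("no possible CRLs");
            }
            if (debug != null) {
                debug.println("starting the final sweep...");
            }
            BigInteger serialNumber = x509Certificate.getSerialNumber();
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus cert SN: " + serialNumber.toString());
            }
            boolean onHold = false;
            for (Iterator approved = this.mApprovedCRLs.iterator(); approved.hasNext();) {
                X509CRLEntry entry = ((X509CRL) approved.next()).getRevokedCertificate(serialNumber);
                if (entry == null) {
                    continue;
                }
                if (debug != null) {
                    debug.println("CrlRevocationChecker.verifyRevocationStatus CRL entry: " + entry.toString());
                }
                Integer reasonCode = new X509CRLEntryImpl(entry.getEncoded()).getReasonCode();
                int reason = reasonCode == null ? 0 : reasonCode.intValue();
                if (reason == REASON_CERTIFICATE_HOLD) {
                    // Sticky: the approved CRLs live in a HashSet, so a later entry
                    // must not clear a hold seen earlier, or the verdict would
                    // depend on iteration order.
                    onHold = true;
                } else if (reason != REASON_REMOVE_FROM_CRL) {
                    throw new CertPathValidatorException("Certificate has been revoked, reason: " + reasonToString(reason));
                }
                Set criticalExtensionOIDs = entry.getCriticalExtensionOIDs();
                if (criticalExtensionOIDs != null && !criticalExtensionOIDs.isEmpty()) {
                    // The reason code is the only entry extension understood here.
                    criticalExtensionOIDs.remove(PKIXExtensions.ReasonCode_Id.toString());
                    if (!criticalExtensionOIDs.isEmpty()) {
                        throw new CertPathValidatorException("Unrecognized critical extension(s) in revoked CRL entry");
                    }
                }
            }
            if (onHold) {
                throw new CertPathValidatorException("Certificate is on hold");
            }
        } catch (CertPathValidatorException e) {
            // Deliberate verdicts keep their own message instead of being re-wrapped
            // and logged as "unexpected".
            throw e;
        } catch (Exception e2) {
            if (debug != null) {
                debug.println("CrlRevocationChecker.verifyRevocationStatus() unexpected exception: " + e2.getMessage());
                e2.printStackTrace();
            }
            // Any lookup or decoding error also fails the check.
            throw new CertPathValidatorException(e2);
        }
    }

    /**
     * Maps a CRL entry reason code to the text used in exception messages.
     *
     * @param i numeric reason code
     * @return description of the reason; code 7 and any unknown code map to
     *         {@code "unrecognized reason code"}
     */
    private static String reasonToString(int i) {
        switch (i) {
            case 0:
                return "unspecified";
            case 1:
                return "key compromise";
            case 2:
                return "CA compromise";
            case 3:
                return "affiliation changed";
            case 4:
                return ReasonFlags.SUPERSEDED;
            case 5:
                return "cessation of operation";
            case 6:
                return "certificate hold";
            case 8:
                return "remove from CRL";
            case 7:
            default:
                return "unrecognized reason code";
        }
    }

    /**
     * Decides whether a candidate CRL may be used for the revocation lookup.
     *
     * <p>A CRL is accepted only when its issuer equals the certificate issuer,
     * its signature verifies under {@code publicKey}, its nextUpdate (if present)
     * is not before the validation time, and it carries no critical extension.
     * Every failure discards the CRL by returning {@code false}; nothing is thrown
     * from here, so one unusable CRL does not hide a usable one.
     *
     * @param x509crl       candidate CRL
     * @param x500Principal issuer of the certificate being checked
     * @param publicKey     key the CRL signature must verify under
     * @return {@code true} if the CRL is accepted, {@code false} if it is discarded
     * @throws CertPathValidatorException never thrown by this implementation; the
     *         clause is kept so the signature stays unchanged
     */
    private boolean verifyPossibleCRL(X509CRL x509crl, X500Principal x500Principal, PublicKey publicKey) throws CertPathValidatorException {
        if (!x509crl.getIssuerX500Principal().equals(x500Principal)) {
            if (debug != null) {
                debug.println("CRL issuer does not match cert issuer");
            }
            return false;
        }
        try {
            x509crl.verify(publicKey, this.mSigProvider);
        } catch (Exception e) {
            if (debug != null) {
                debug.println("CRL signature failed to verify");
                e.printStackTrace();
            }
            return false;
        }
        try {
            Date nextUpdate = x509crl.getNextUpdate();
            if (nextUpdate != null && nextUpdate.before(this.mCurrentTime)) {
                if (debug != null) {
                    debug.println("discarding stale CRL (nextUpdate is before required validation time)");
                }
                return false;
            }
            Set criticalExtensionOIDs = x509crl.getCriticalExtensionOIDs();
            if (criticalExtensionOIDs == null || criticalExtensionOIDs.isEmpty()) {
                return true;
            }
            // No critical CRL extension is understood here, so the CRL is discarded.
            // This used to surface in the debug log as a signature failure.
            if (debug != null) {
                debug.println("Unrecognized critical extension(s) in CRL");
                for (Iterator it = criticalExtensionOIDs.iterator(); it.hasNext();) {
                    debug.println((String) it.next());
                }
            }
            return false;
        } catch (RuntimeException e) {
            // Stay fail-closed if the CRL object misbehaves while being inspected.
            if (debug != null) {
                debug.println("CRL could not be inspected");
                e.printStackTrace();
            }
            return false;
        }
    }
}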
