package com.sun.net.ssl.internal.ssl;

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.NetscapeCertTypeExtension;

/* compiled from: DashoA6275 */
/* loaded from: input_file:119165-02/patchzip-dps-5.2Patch4--WINNT.zip:nsjre.zip:bin/base/jre/lib/jsse.jar:com/sun/net/ssl/internal/ssl/X509TrustManagerImpl.class */
/**
 * X.509 trust manager backed by the certificates of a single {@link KeyStore}.
 *
 * <p>This is decompiled, obfuscated code: every private helper is an overload
 * named {@code a} or {@code b}, so the parameter list is the only way to tell
 * them apart. The comments below give each overload a descriptive role.
 *
 * <p>Validation model, as implemented here: the presented chain is walked from
 * the leaf (index 0) upwards. The walk succeeds as soon as it reaches a
 * certificate that is a member of the trust set. Every certificate below that
 * point must pass the extension checks, name the next certificate as its
 * issuer (DN comparison) and carry a signature that verifies under the next
 * certificate's public key.
 *
 * <p>NOTE(review): nothing in this class consults revocation data (CRL/OCSP),
 * checks name constraints, or matches the peer host name; only the checks
 * described above are performed here.
 */
final class X509TrustManagerImpl implements X509TrustManager {
    // OID of the basicConstraints extension.
    private static final String b = "2.5.29.19";
    // OID of the keyUsage extension.
    private static final String c = "2.5.29.15";
    // OID of the extendedKeyUsage extension.
    private static final String d = "2.5.29.37";
    // OID of the Netscape certificate-type extension.
    private static final String e = "2.16.840.1.113730.1.1";
    // Extended key purpose id-kp-serverAuth (TLS server authentication).
    private static final String f = "1.3.6.1.5.5.7.3.1";
    // Extended key purpose id-kp-clientAuth (TLS client authentication).
    private static final String g = "1.3.6.1.5.5.7.3.2";
    // Extended key purpose anyExtendedKeyUsage.
    private static final String h = "2.5.29.37.0";
    // Attribute names passed to NetscapeCertTypeExtension.get(); the decompiled
    // methods below use the inlined string literals rather than these fields.
    private static final String i = "ssl_client";
    private static final String j = "ssl_server";
    private static final String k = "ssl_ca";
    // Trust set: every certificate accepted as a trust anchor.
    private Set l = new HashSet();
    // Index of the trust set by subject DN (X500Principal -> Collection of certificates).
    private Map m = new HashMap();
    // Switch named "com.sun.net.ssl.allowV1CACerts", default false. Presumably read
    // from a system property by Debug.a - confirm against the Debug class.
    // When true, CA certificates below version 3 are accepted without basicConstraints.
    private static final boolean a = Debug.a("com.sun.net.ssl.allowV1CACerts", false);
    // Debug handle for the "ssl" category; diagnostics are printed only when it is
    // non-null and Debug.isOn("trustmanager") is true.
    private static final Debug n = Debug.getInstance("ssl");

    /**
     * Builds the trust set from a key store.
     *
     * <p>Every X.509 certificate entry is trusted. In addition, for every key
     * entry the first certificate of its chain is trusted as well.
     * NOTE(review): this means the key store's own identity certificates become
     * trust anchors; keep private-key entries out of a store that is meant to
     * hold CA certificates only.
     *
     * <p>A {@code null} key store leaves the trust set empty, in which case no
     * chain can validate.
     *
     * @param keyStore source of trusted certificates, may be {@code null}
     * @throws KeyStoreException if the key store cannot be read
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public X509TrustManagerImpl(KeyStore keyStore) throws KeyStoreException {
        Certificate[] certificateChain;
        if (keyStore == null) {
            return;
        }
        Enumeration aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String str = (String) aliases.nextElement();
            if (keyStore.isCertificateEntry(str)) {
                Certificate certificate = keyStore.getCertificate(str);
                // Non-X.509 certificate entries are skipped silently.
                if (certificate instanceof X509Certificate) {
                    if (n != null && Debug.isOn("trustmanager")) {
                        System.out.println(new StringBuffer().append("adding as trusted cert: ").append(certificate).toString());
                    }
                    a((X509Certificate) certificate);
                }
            } else if (keyStore.isKeyEntry(str) && (certificateChain = keyStore.getCertificateChain(str)) != null && certificateChain.length > 0 && (certificateChain[0] instanceof X509Certificate)) {
                // Key entry: only the first certificate of the chain is added to the trust set.
                if (n != null && Debug.isOn("trustmanager")) {
                    System.out.println(new StringBuffer().append("adding private entry as trusted cert: ").append(certificateChain[0]).toString());
                }
                a((X509Certificate) certificateChain[0]);
            }
        }
    }

    /**
     * Adds one certificate to the trust set and to the per-subject index.
     */
    private void a(X509Certificate x509Certificate) {
        this.l.add(x509Certificate);
        X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
        Collection collection = (Collection) this.m.get(subjectX500Principal);
        if (collection == null) {
            // First certificate seen for this subject DN.
            collection = new ArrayList();
            this.m.put(subjectX500Principal, collection);
        }
        collection.add(x509Certificate);
    }

    /**
     * Validates a chain presented by a TLS client.
     *
     * <p>The authentication type is prefixed with "Client." so that the usage
     * checks, which look for the substring "Client", apply the client rules.
     *
     * @throws IllegalArgumentException if the chain or the type is null or empty
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        a(x509CertificateArr, new StringBuffer().append("Client.").append(str).toString());
    }

    /**
     * Validates a chain presented by a TLS server.
     *
     * <p>The authentication type is passed through unchanged.
     * NOTE(review): the client/server role is decided downstream by a substring
     * test for "Client", so the server rules apply only as long as the
     * authentication type does not itself contain that substring.
     *
     * @throws IllegalArgumentException if the chain or the type is null or empty
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        a(x509CertificateArr, str);
    }

    /**
     * Core chain validation shared by the client and server entry points.
     *
     * <p>Returns normally only when a certificate of the normalized chain is a
     * member of the trust set; every other path ends in an exception.
     *
     * @param x509CertificateArr chain as presented by the peer, leaf first
     * @param str authentication type, carrying the "Client." prefix for client chains
     * @throws IllegalArgumentException if the chain or the type is null or empty
     * @throws CertificateException if no trusted certificate is reached or a check fails
     */
    private void a(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        if (str == null || str.length() == 0) {
            throw new IllegalArgumentException("null or zero-length authentication type");
        }
        // Normalize the chain first: validity-period checks, substitution of trusted
        // equivalents, and appending a locally known issuer for the last certificate.
        X509Certificate[] a2 = a(x509CertificateArr, new Date());
        for (int i2 = 0; i2 < a2.length; i2++) {
            X509Certificate x509Certificate = a2[i2];
            // NOTE(review): the trust test runs before the extension checks, so a
            // trusted certificate is never checked for basicConstraints, keyUsage or
            // extended key usage. Any member of the trust set, including a leaf
            // certificate imported from a key entry, is therefore accepted as the
            // issuer of the certificate below it.
            if (b(x509Certificate)) {
                if (n == null || !Debug.isOn("trustmanager")) {
                    return;
                }
                System.out.println(new StringBuffer().append("stop on trusted cert: ").append(x509Certificate).toString());
                return;
            }
            try {
                // Extension checks for this position (0 = leaf, above 0 = CA).
                a(x509Certificate, i2, str);
                X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal();
                // The issuer candidate is the next certificate; the last certificate is
                // compared with itself, which only passes for a self-issued certificate.
                X509Certificate x509Certificate2 = i2 + 1 < a2.length ? a2[i2 + 1] : x509Certificate;
                if (!issuerX500Principal.equals(x509Certificate2.getSubjectX500Principal())) {
                    throw new CertificateException(i2 + 1 < a2.length ? "Certificate chaining error: issuer DN != subject DN" : "Could not find trusted certificate");
                }
                try {
                    // The DN match above is only a pre-check; the signature is what binds
                    // this certificate to the issuer's key.
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                } catch (Exception e2) {
                    if (n != null && Debug.isOn("trustmanager")) {
                        System.out.println(new StringBuffer().append("verify failed: ").append(x509Certificate).toString());
                        System.out.println(new StringBuffer().append("verify exception was: ").append(e2).toString());
                    }
                    if (!(e2 instanceof CertificateException)) {
                        throw ((CertificateException) new CertificateException("Signature verification failed").initCause(e2));
                    }
                    throw ((CertificateException) e2);
                }
            } catch (Exception e3) {
                // This handler also receives the chaining and signature failures thrown
                // above, so the "failed extension check" debug line is printed for those
                // as well. CertificateExceptions are rethrown unchanged; anything else
                // is wrapped with its cause.
                if (n != null && Debug.isOn("trustmanager")) {
                    System.out.println(new StringBuffer().append("failed extension check: ").append(x509Certificate).toString());
                    System.out.println(new StringBuffer().append("ext exception was: ").append(e3).toString());
                }
                if (!(e3 instanceof CertificateException)) {
                    throw ((CertificateException) new CertificateException("failed extensions check").initCause(e3));
                }
                throw ((CertificateException) e3);
            }
        }
        // The whole chain verified (ending in a self-issued certificate) without
        // reaching a trusted certificate.
        throw new CertificateException("Couldn't find trusted certificate");
    }

    /**
     * Normalizes a presented chain against the trust set.
     *
     * <p>For each certificate, a trusted certificate with the same subject,
     * issuer and public key that is valid at {@code date} replaces it. When no
     * such replacement exists, the presented certificate must itself be valid at
     * {@code date}. If the last presented certificate is not self-issued, a
     * trusted certificate whose subject equals its issuer DN is appended.
     *
     * @param x509CertificateArr chain as presented, leaf first
     * @param date instant at which validity periods are evaluated
     * @return the original array when nothing changed, otherwise a new array
     * @throws CertificateException if a certificate without a replacement is
     *         outside its validity period
     */
    private X509Certificate[] a(X509Certificate[] x509CertificateArr, Date date) throws CertificateException {
        X509Certificate b2;
        ArrayList arrayList = new ArrayList(x509CertificateArr.length);
        // Set as soon as the chain differs from what was presented.
        boolean z = false;
        // The only caller in this class rejects empty chains before getting here.
        if (x509CertificateArr.length == 0) {
            return x509CertificateArr;
        }
        for (X509Certificate x509Certificate : x509CertificateArr) {
            X509Certificate a2 = a(x509Certificate, date);
            if (a2 == null) {
                // No trusted equivalent: the presented certificate must be in date.
                try {
                    x509Certificate.checkValidity(date);
                } catch (CertificateException e2) {
                    if (n != null && Debug.isOn("trustmanager")) {
                        System.out.println(new StringBuffer().append("out of date cert: ").append(x509Certificate).toString());
                    }
                    throw e2;
                }
            } else {
                // A trusted equivalent takes the place of the presented certificate;
                // the validity period of the presented one is not checked in this case.
                x509Certificate = a2;
                z = true;
                if (n != null && Debug.isOn("trustmanager")) {
                    System.out.println(new StringBuffer().append("updated cert with: ").append(x509Certificate).toString());
                }
            }
            arrayList.add(x509Certificate);
        }
        int length = x509CertificateArr.length - 1;
        // The issuer lookup is by DN only; the signature of the last presented
        // certificate is verified against the appended certificate's key later, in
        // the validation loop of the caller.
        if (!x509CertificateArr[length].getIssuerX500Principal().equals(x509CertificateArr[length].getSubjectX500Principal()) && (b2 = b(x509CertificateArr[length], date)) != null) {
            if (n != null && Debug.isOn("trustmanager")) {
                System.out.println(new StringBuffer().append("add missing root cert: ").append(b2).toString());
            }
            z = true;
            arrayList.add(b2);
        }
        return z ? (X509Certificate[]) arrayList.toArray(new X509Certificate[arrayList.size()]) : x509CertificateArr;
    }

    /**
     * Returns the trust set as a newly allocated array.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] x509CertificateArr = new X509Certificate[this.l.size()];
        this.l.toArray(x509CertificateArr);
        return x509CertificateArr;
    }

    /**
     * Tells whether the certificate is a member of the trust set. Membership is
     * decided by the set's equals/hashCode lookup on the certificate object.
     */
    private boolean b(X509Certificate x509Certificate) {
        return this.l.contains(x509Certificate);
    }

    /**
     * Looks for a trusted certificate that can stand in for the given one: a
     * different certificate with the same subject, issuer and public key that is
     * valid at {@code date}.
     *
     * @return the replacement, or {@code null} when there is none
     */
    private X509Certificate a(X509Certificate x509Certificate, Date date) {
        List<X509Certificate> list = (List) this.m.get(x509Certificate.getSubjectX500Principal());
        if (list == null) {
            return null;
        }
        X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal();
        PublicKey publicKey = x509Certificate.getPublicKey();
        for (X509Certificate x509Certificate2 : list) {
            if (!x509Certificate2.equals(x509Certificate) && x509Certificate2.getIssuerX500Principal().equals(issuerX500Principal) && x509Certificate2.getPublicKey().equals(publicKey)) {
                try {
                    x509Certificate2.checkValidity(date);
                    return x509Certificate2;
                } catch (Exception e2) {
                    // Deliberately ignored: a candidate outside its validity period is
                    // skipped and the search continues with the next one.
                }
            }
        }
        return null;
    }

    /**
     * Looks for a trusted certificate whose subject DN equals the issuer DN of
     * the given certificate and that is valid at {@code date}. The match is by
     * name only; no signature is verified here.
     *
     * @return the first valid candidate, or {@code null} when there is none
     */
    private X509Certificate b(X509Certificate x509Certificate, Date date) {
        List<X509Certificate> list = (List) this.m.get(x509Certificate.getIssuerX500Principal());
        if (list == null) {
            return null;
        }
        for (X509Certificate x509Certificate2 : list) {
            try {
                x509Certificate2.checkValidity(date);
                return x509Certificate2;
            } catch (Exception e2) {
                // A trusted candidate outside its validity period is skipped.
                if (n != null && Debug.isOn("trustmanager")) {
                    System.out.println(new StringBuffer().append("local root cert is invalid: ").append(x509Certificate2).toString());
                }
            }
        }
        return null;
    }

    /**
     * Runs all extension checks for the certificate at chain position {@code i2}
     * and rejects it when a critical extension is left that no check handled.
     *
     * @param x509Certificate certificate to check
     * @param i2 position in the chain, 0 for the leaf
     * @param str authentication type, carrying the "Client." prefix for client chains
     * @throws CertificateException if a check fails or an unknown critical extension remains
     */
    private void a(X509Certificate x509Certificate, int i2, String str) throws CertificateException, IOException {
        // Each check below removes the OIDs it understands from this set.
        // NOTE(review): assumes getCriticalExtensionOIDs() hands out a set that may
        // be modified without affecting the certificate - TODO confirm.
        Set criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs == null) {
            criticalExtensionOIDs = Collections.EMPTY_SET;
        }
        a(x509Certificate, criticalExtensionOIDs, i2);
        if (i2 == 0) {
            // Leaf certificate: end-entity usage rules.
            a(x509Certificate, criticalExtensionOIDs, str);
        } else {
            // Any certificate above the leaf: CA usage rules.
            a(x509Certificate, criticalExtensionOIDs);
        }
        // Whatever is still in the set is a critical extension this class does not
        // understand, which must cause rejection.
        if (!criticalExtensionOIDs.isEmpty()) {
            throw new CertificateException(new StringBuffer().append("Certificate contains unknown critical extensions: ").append(criticalExtensionOIDs).toString());
        }
    }

    /**
     * Checks the basicConstraints extension of the certificate at chain position
     * {@code i2}. The leaf (position 0) is not checked.
     *
     * @throws CertificateException if a certificate above the leaf is not a CA
     *         or its path length constraint is exceeded
     */
    private void a(X509Certificate x509Certificate, Set set, int i2) throws CertificateException {
        set.remove(b);
        if (i2 == 0) {
            return;
        }
        if (x509Certificate.getExtensionValue(b) == null) {
            if (!a) {
                throw new CertificateException("CA certificate does not include basic constraints extension");
            }
            // NOTE(review): with allowV1CACerts enabled, a certificate below version 3
            // is accepted as a CA although it carries no CA flag at all, so any such
            // certificate in a chain can act as an issuer. Leave the switch off
            // unless legacy V1 roots are really required.
            if (x509Certificate.getVersion() >= 3) {
                throw new CertificateException("Intermediate X.509v3 certificate without basic constraints extension");
            }
            return;
        }
        // getBasicConstraints() is negative when the CA flag is not set.
        int basicConstraints = x509Certificate.getBasicConstraints();
        if (basicConstraints < 0) {
            throw new CertificateException("End user tried to act as a CA");
        }
        // i2 - 1 is the number of certificates between this CA and the leaf.
        if (i2 - 1 > basicConstraints) {
            throw new CertificateException("Violated path length constraints");
        }
    }

    /**
     * Usage checks for the leaf certificate: keyUsage, extendedKeyUsage and the
     * Netscape certificate-type extension, each evaluated against the role and
     * key exchange named by {@code str}.
     *
     * @param str authentication type, carrying the "Client." prefix for client chains
     * @throws CertificateException if the certificate does not permit the requested use
     */
    private void a(X509Certificate x509Certificate, Set set, String str) throws CertificateException, IOException {
        set.remove(c);
        set.remove(e);
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // A certificate without a keyUsage extension is not restricted here.
        if (keyUsage != null) {
            if (keyUsage.length == 0) {
                throw new CertificateException("Invalid key usage extension.");
            }
            // Bit 0 is digitalSignature, bit 2 is keyEncipherment.
            boolean z = keyUsage[0];
            boolean z2 = keyUsage.length >= 3 ? keyUsage[2] : false;
            // The order of the substring tests matters: "DHE_RSA" and "RSA_EXPORT"
            // contain "RSA" and have to be matched before the plain "RSA" branch.
            if (str.indexOf("Client") != -1) {
                if (!z) {
                    throw new CertificateException("Wrong key usage. Expected digitalSignature.");
                }
            } else if (str.indexOf("DHE_DSS") != -1) {
                if (!z) {
                    throw new CertificateException("Wrong key usage. Expected digitalSignature.");
                }
            } else if (str.indexOf("DHE_RSA") != -1) {
                if (!z) {
                    throw new CertificateException("Wrong key usage. Expected digitalSignature.");
                }
            } else if (str.indexOf("RSA_EXPORT") != -1) {
                if (!z) {
                    throw new CertificateException("Wrong key usage. Expected digitalSignature.");
                }
            } else if (str.indexOf("RSA") != -1) {
                // Any other type containing "RSA" is treated as RSA key transport.
                if (!z2) {
                    throw new CertificateException("Wrong key usage. Expected keyEncipherment.");
                }
            } else {
                // Types matching none of the substrings are rejected, except those
                // containing "UNKNOWN", which fall back to digitalSignature.
                if (str.indexOf("UNKNOWN") == -1) {
                    throw new CertificateException(new StringBuffer().append("Unknown authType").append(str).toString());
                }
                if (!z) {
                    throw new CertificateException("Wrong key usage. Expected digitalSignature.");
                }
            }
        }
        List extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        // NOTE(review): the purposes are enforced only when the extendedKeyUsage
        // extension is marked critical. A leaf whose non-critical extension lists
        // neither the TLS purpose nor anyExtendedKeyUsage still passes this check.
        if (extendedKeyUsage != null && set.contains(d)) {
            set.remove(d);
            if (!extendedKeyUsage.contains(h)) {
                if (str.indexOf("Client") == -1) {
                    if (!extendedKeyUsage.contains(f)) {
                        throw new CertificateException(new StringBuffer().append("Extended key usage does not permit use for TLS ").append("server").toString());
                    }
                } else if (!extendedKeyUsage.contains(g)) {
                    throw new CertificateException(new StringBuffer().append("Extended key usage does not permit use for TLS ").append("client").toString());
                }
            }
        }
        // The Netscape certificate type is enforced whenever it is present,
        // whether or not it is marked critical.
        if (x509Certificate.getExtensionValue(e) != null) {
            if (str.indexOf("Client") != -1) {
                if (!a(x509Certificate, "ssl_client")) {
                    throw new CertificateException(new StringBuffer().append("Invalid Netscape CertType extension for SSL ").append("client").toString());
                }
            } else if (!a(x509Certificate, "ssl_server")) {
                throw new CertificateException(new StringBuffer().append("Invalid Netscape CertType extension for SSL ").append("server").toString());
            }
        }
    }

    /**
     * Usage checks for a certificate above the leaf (a CA certificate):
     * keyUsage, extendedKeyUsage and the Netscape certificate-type extension.
     *
     * @throws CertificateException if the certificate does not permit use as a CA
     */
    private void a(X509Certificate x509Certificate, Set set) throws CertificateException, IOException {
        set.remove(c);
        set.remove(e);
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // Bit 5 is keyCertSign; a CA without a keyUsage extension is not restricted here.
        if (keyUsage != null && (keyUsage.length < 6 || !keyUsage[5])) {
            throw new CertificateException("Wrong key usage: expect keyCertSign");
        }
        List extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        // As for the leaf, only a critical extendedKeyUsage extension is enforced.
        if (extendedKeyUsage != null && set.contains(d)) {
            set.remove(d);
            if (!extendedKeyUsage.contains(h)) {
                throw new CertificateException("Extended key usage in CA certificates must include anyExtendedKeyUsage");
            }
        }
        if (x509Certificate.getExtensionValue(e) != null && !a(x509Certificate, "ssl_ca")) {
            throw new CertificateException("Invalid Netscape CertType extension for CA certificate");
        }
    }

    /**
     * Reads one attribute of the Netscape certificate-type extension.
     *
     * @param str attribute name handed to NetscapeCertTypeExtension.get(), one of
     *        "ssl_client", "ssl_server" or "ssl_ca" in this class
     * @return the attribute value, or {@code false} when the extension is absent
     */
    private boolean a(X509Certificate x509Certificate, String str) throws CertificateException, IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(e);
        if (extensionValue == null) {
            return false;
        }
        // getExtensionValue() returns the extension wrapped in an OCTET STRING; the
        // wrapper is removed, the content is read as a bit string, and the bits are
        // interpreted by the JDK-internal NetscapeCertTypeExtension.
        return ((Boolean) new NetscapeCertTypeExtension(new DerValue(new DerInputStream(extensionValue).getOctetString()).getUnalignedBitString().toByteArray()).get(str)).booleanValue();
    }
}
