package ru.CryptoPro.reprov.certpath;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import ru.CryptoPro.JCP.tools.JCPLogger;
import ru.CryptoPro.reprov.cl_6;
import ru.CryptoPro.reprov.x509.NameConstraintsExtension;
import ru.CryptoPro.reprov.x509.PKIXExtensions;
import ru.CryptoPro.reprov.x509.X500Name;
import ru.CryptoPro.reprov.x509.X500Principal;
import ru.CryptoPro.reprov.x509.X509CertImpl;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes4.dex */
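/**
 * Certification-path builder that works in the "reverse" direction.
 *
 * <p>Each step selects certificates whose issuer is the name held in the current
 * {@link ReverseState} and verifies them with the public key held in that state, so the
 * path grows from the issuing side towards the target subject.
 *
 * <p>This is decompiler output (JADX, {@code classes4.dex}); member names are obfuscated and
 * the class was originally package-private. Raw collection types are kept where they mirror
 * the overridden {@link Builder} signatures. Inherited members used here, as far as the
 * visible calls show:
 * <ul>
 *   <li>{@code b} - target subject DN (compared with certificate subjects);</li>
 *   <li>{@code c} - value passed to {@code X509CertSelector.setCertificateValid};</li>
 *   <li>{@code d} - selector holding the target certificate constraints;</li>
 *   <li>{@code f1768a} - the PKIX builder parameters.</li>
 * </ul>
 * NOTE(review): the layout looks like a port of OpenJDK's
 * {@code sun.security.provider.certpath.ReverseBuilder} - confirm before relying on
 * upstream documentation.
 */
public class ReverseBuilder extends Builder {
    /** Initial policy OIDs handed to the policy checker; never empty after construction. */
    Set f;

    /**
     * Orders candidate CA certificates so that the most promising ones are tried first.
     *
     * <p>Certificates whose subject equals the target subject sort first; the rest are
     * ordered by ascending target distance as returned by {@code Builder.a(...)}, with a
     * distance of {@code -1} sorting last. The ordering only decides which candidate is
     * tried first; it does not replace any check in {@code verifyCert}.
     *
     * <p>Fixes relative to the decompiled original: the class now implements
     * {@code Comparator<X509Certificate>} (the raw form does not declare this
     * {@code compare} signature), and the comparison is antisymmetric - two target
     * certificates compare equal, and {@code -1} sorts last whichever side it is on.
     */
    public class PKIXCertComparator implements Comparator<X509Certificate> {
        PKIXCertComparator() {
        }

        /**
         * Compares two candidate certificates.
         *
         * @param x509Certificate first candidate
         * @param x509Certificate2 second candidate
         * @return negative, zero or positive as the first candidate should be tried before,
         *         together with, or after the second
         * @throws ClassCastException if the target subject cannot be converted to an
         *         {@code X500Name}; the {@code IOException} is attached as the cause
         */
        @Override // java.util.Comparator
        public int compare(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
            boolean firstIsTarget = x509Certificate.getSubjectX500Principal().equals(ReverseBuilder.this.b);
            boolean secondIsTarget = x509Certificate2.getSubjectX500Principal().equals(ReverseBuilder.this.b);
            if (firstIsTarget) {
                // Both certifying the target must compare equal, otherwise
                // compare(a, b) and compare(b, a) would both be negative.
                return secondIsTarget ? 0 : -1;
            }
            if (secondIsTarget) {
                return 1;
            }
            int firstDistance;
            int secondDistance;
            try {
                X500Name targetName = X500Name.asX500Name(ReverseBuilder.this.b);
                firstDistance = Builder.a((NameConstraintsExtension) null, x509Certificate, targetName);
                secondDistance = Builder.a((NameConstraintsExtension) null, x509Certificate2, targetName);
            } catch (IOException e) {
                JCPLogger.error("IOException in call to Builder.targetDistance", (Throwable) e);
                ClassCastException failure = new ClassCastException("Invalid target subject distinguished name");
                // Keep the root cause for callers that do not see the log.
                failure.initCause(e);
                throw failure;
            }
            if (firstDistance == secondDistance) {
                return 0;
            }
            // -1 sorts after every other distance, on either side of the comparison.
            if (firstDistance == -1) {
                return 1;
            }
            if (secondDistance == -1) {
                return -1;
            }
            return firstDistance < secondDistance ? -1 : 1;
        }
    }

    /**
     * Creates a reverse builder and records the initial policy set.
     *
     * @param pKIXBuilderParameters PKIX parameters supplying the initial policies
     * @param x500Principal target subject, passed through to {@link Builder}
     */
    public ReverseBuilder(PKIXBuilderParameters pKIXBuilderParameters, X500Principal x500Principal) {
        super(pKIXBuilderParameters, x500Principal);
        Set<String> policies = new HashSet<String>(pKIXBuilderParameters.getInitialPolicies());
        if (policies.isEmpty()) {
            // 2.5.29.32.0 is the anyPolicy OID: no initial policies means any policy is acceptable.
            policies.add("2.5.29.32.0");
        }
        this.f = policies;
    }

    /**
     * Collects end-entity candidates issued by the current state's name
     * ("getMatchingEECerts" in the trace output).
     *
     * @param reverseState current build state; {@code f1794a} supplies the issuer name
     * @param list stores passed through to the inherited collector {@code a(...)}
     * @return a new set holding the matching certificates
     */
    private Collection a(ReverseState reverseState, List list) throws CertStoreException, CertificateException, IOException {
        // Work on a clone so the shared target selector is never mutated.
        X509CertSelector selector = (X509CertSelector) this.d.clone();
        selector.setIssuer(reverseState.f1794a.getEncoded());
        selector.setCertificateValid(this.c);
        // NOTE(review): reverseState.e looks like the explicit-policy counter - confirm.
        if (reverseState.e == 0) {
            selector.setPolicy(a());
        }
        // -2 restricts the selector to end-entity certificates.
        selector.setBasicConstraints(-2);
        HashSet matches = new HashSet();
        a(selector, list, matches, true);
        JCPLogger.subSubTraceFormat("ReverseBuilder.getMatchingEECerts got {0} certs.", Integer.valueOf(matches.size()));
        return matches;
    }

    /**
     * Collects CA candidates issued by the current state's name and sorts them with
     * {@link PKIXCertComparator} ("getMatchingCACerts" in the trace output).
     *
     * @param reverseState current build state; {@code f1794a} supplies the issuer name
     * @param list stores passed through to the inherited collector {@code a(...)}
     * @return a new, sorted list holding the matching certificates
     */
    private Collection b(ReverseState reverseState, List list) throws CertificateException, CertStoreException, IOException {
        X509CertSelector selector = new X509CertSelector();
        selector.setIssuer(reverseState.f1794a.getEncoded());
        selector.setCertificateValid(this.c);
        // GeneralName type 4 is directoryName: the CA must be allowed to lead to the target subject.
        selector.addPathToName(4, this.d.getSubjectAsBytes());
        if (reverseState.e == 0) {
            selector.setPolicy(a());
        }
        // 0 selects CA certificates (basicConstraints present, any path length >= 0).
        selector.setBasicConstraints(0);
        ArrayList matches = new ArrayList();
        a(selector, list, matches, true);
        Collections.sort(matches, new PKIXCertComparator());
        JCPLogger.subSubTraceFormat("ReverseBuilder.getMatchingCACerts got {0} certs.", Integer.valueOf(matches.size()));
        return matches;
    }

    /**
     * Returns every candidate for the next path step: end-entity matches first, then the
     * sorted CA matches ("getMatchingCerts" in the trace output).
     *
     * @param state current build state; must be a {@link ReverseState}
     * @param list stores to search
     * @return the combined candidate collection
     */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public Collection a(State state, List list) throws CertStoreException, CertificateException, IOException {
        ReverseState reverseState = (ReverseState) state;
        JCPLogger.subSubTrace("In ReverseBuilder.getMatchingCerts.");
        Collection candidates = a(reverseState, list);
        candidates.addAll(b(reverseState, list));
        return candidates;
    }

    /**
     * Appends a certificate to the end of the path under construction.
     *
     * @param x509Certificate certificate to append
     * @param linkedList path built so far
     */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public void a(X509Certificate x509Certificate, LinkedList linkedList) {
        linkedList.addLast(x509Certificate);
    }

    /**
     * Runs the per-certificate path checks ("verifyCert" in the trace output).
     *
     * <p>Order matters. The checks run as: state checker {@code m}, loop detection, CA /
     * target-constraint checks, revocation (when enabled), name constraints, policy
     * processing, remaining checkers, unrecognised critical extensions, and finally the
     * signature. Every check before the last one therefore operates on a certificate whose
     * signature has not been verified yet; any early {@code return} added above the
     * signature step would accept an unauthenticated certificate.
     *
     * @param x509Certificate candidate certificate
     * @param state current build state; must be a {@link ReverseState}
     * @param list certificates already in the path; may be {@code null} or empty
     * @throws GeneralSecurityException if any check fails; signature failures of any kind
     *         are wrapped in a plain {@code GeneralSecurityException}
     */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public void a(X509Certificate x509Certificate, State state, List list) throws GeneralSecurityException {
        JCPLogger.subSubTraceFormat("ReverseBuilder.verifyCert(SN: {0}\n  Subject: {1})", x509Certificate.getSerialNumber(), x509Certificate.getSubjectX500Principal());
        ReverseState reverseState = (ReverseState) state;
        // NOTE(review): in the initial state NO check runs, not even the signature.
        // Presumably the certificate is then the trust anchor itself - confirm in ReverseState.
        if (reverseState.isInitial()) {
            return;
        }
        // NOTE(review): checker `m` is opaque from this file; it sees no critical extensions.
        reverseState.m.check(x509Certificate, Collections.emptySet());

        // Loop detection: walk the existing path newest-first and reject a repeated
        // certificate unless a policy mapping was seen and mapping is not inhibited.
        if (list != null && !list.isEmpty()) {
            ArrayList<X509Certificate> newestFirst = new ArrayList();
            Iterator pathIterator = list.iterator();
            while (pathIterator.hasNext()) {
                newestFirst.add(0, (X509Certificate) pathIterator.next());
            }
            boolean policyMappingFound = false;
            for (X509Certificate pathCert : newestFirst) {
                if (X509CertImpl.toImpl(pathCert).getPolicyMappingsExtension() != null) {
                    policyMappingFound = true;
                }
                JCPLogger.subSubTrace("policyMappingFound = ", Boolean.valueOf(policyMappingFound));
                if (x509Certificate.equals(pathCert) && (this.f1768a.isPolicyMappingInhibited() || !policyMappingFound)) {
                    JCPLogger.subSubTrace("loop detected!!");
                    throw new CertPathValidatorException("loop detected");
                }
            }
        }

        boolean isTarget = x509Certificate.getSubjectX500Principal().equals(this.b);
        // getBasicConstraints() returns -1 when the certificate is not a CA.
        boolean isCa = x509Certificate.getBasicConstraints() != -1;
        if (!isTarget) {
            // Intermediate certificate: must be a CA and must fit the remaining path length.
            if (!isCa) {
                throw new CertPathValidatorException("cert is NOT a CA cert");
            }
            // Self-issued certificates do not consume path length.
            if (reverseState.j <= 0 && !X509CertImpl.isSelfIssued(x509Certificate)) {
                // NOTE(review): cl_6.a() appears to gate use of the PKIXReason constructor - confirm.
                if (!cl_6.a()) {
                    throw new CertPathValidatorException("pathLenConstraint violated, path too long");
                }
                throw new CertPathValidatorException("pathLenConstraint violated, path too long", null, null, -1, PKIXReason.PATH_TOO_LONG);
            }
            // NOTE(review): KeyChecker's rule is not visible here; presumably CA key usage - confirm.
            KeyChecker.a(x509Certificate);
        } else if (!this.d.match(x509Certificate)) {
            throw new CertPathValidatorException("target certificate constraints check failed");
        }

        // Revocation is checked with the issuer key from the state, only when enabled.
        if (this.f1768a.isRevocationEnabled()) {
            reverseState.crlChecker.check(x509Certificate, reverseState.b, reverseState.crlSign);
        }

        // Name constraints apply to the target and to every certificate that is not self-issued.
        if ((isTarget || !X509CertImpl.isSelfIssued(x509Certificate)) && reverseState.d != null) {
            try {
                if (!reverseState.d.verify(x509Certificate)) {
                    if (!cl_6.a()) {
                        throw new CertPathValidatorException("name constraints check failed");
                    }
                    throw new CertPathValidatorException("name constraints check failed", null, null, -1, PKIXReason.INVALID_NAME);
                }
            } catch (IOException e) {
                throw new CertPathValidatorException(e);
            }
        }

        // Policy processing updates the state's policy tree root (reverseState.i).
        reverseState.i = PolicyChecker.a(reverseState.h, this.f, reverseState.e, reverseState.f, reverseState.g, this.f1768a.getPolicyQualifiersRejected(), reverseState.i, X509CertImpl.toImpl(x509Certificate), isTarget);

        // NOTE(review): the set is modified below and by the checkers; this assumes the
        // certificate implementation returns a mutable set private to this call - confirm.
        Set<String> unresolvedCritExts = x509Certificate.getCriticalExtensionOIDs();
        if (unresolvedCritExts == null) {
            unresolvedCritExts = Collections.emptySet();
        }
        reverseState.l.check(x509Certificate, unresolvedCritExts);
        Iterator checkerIterator = reverseState.k.iterator();
        while (checkerIterator.hasNext()) {
            ((PKIXCertPathChecker) checkerIterator.next()).check(x509Certificate, unresolvedCritExts);
        }

        // Any critical extension not handled by this builder or by a checker is fatal.
        if (!unresolvedCritExts.isEmpty()) {
            unresolvedCritExts.remove(PKIXExtensions.BasicConstraints_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.NameConstraints_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.CertificatePolicies_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.PolicyMappings_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.PolicyConstraints_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.InhibitAnyPolicy_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.SubjectAlternativeName_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.KeyUsage_Id.toString());
            unresolvedCritExts.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
            if (!unresolvedCritExts.isEmpty()) {
                String message = "Unrecognized critical extension(s): " + unresolvedCritExts;
                JCPLogger.subTrace(message);
                if (!cl_6.a()) {
                    throw new CertificateException(message);
                }
                throw new CertPathValidatorException(message, null, null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT);
            }
        }

        // Signature check with the issuer key from the state. Every failure, including
        // runtime exceptions from the provider, is reported as a validation failure.
        try {
            if (this.f1768a.getSigProvider() != null) {
                x509Certificate.verify(reverseState.b, this.f1768a.getSigProvider());
            } else {
                x509Certificate.verify(reverseState.b);
            }
        } catch (Exception e2) {
            throw new GeneralSecurityException(e2);
        }
    }

    /**
     * Removes the most recently appended certificate from the path (backtracking step).
     *
     * @param linkedList path built so far; must not be empty
     */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public void a(LinkedList linkedList) {
        linkedList.removeLast();
    }

    /**
     * Tells whether the certificate's subject equals the target subject.
     *
     * <p>This is a name comparison only; it performs no validation of the certificate.
     *
     * @param x509Certificate certificate to test
     * @return {@code true} if the subject DN equals the target subject
     */
    @Override // ru.CryptoPro.reprov.certpath.Builder
    public boolean a(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal().equals(this.b);
    }
}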
