package ru.CryptoPro.ssl.pc_4;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import ru.CryptoPro.AdES.tools.AdESUtility;
import ru.CryptoPro.JCPRequest.KeyUsage;
import ru.CryptoPro.reprov.x509.NetscapeCertTypeExtension;
import ru.CryptoPro.ssl.gost.GostConstants;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes4.dex */
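/**
 * End-entity certificate usage checker (decompiled; public names are the obfuscated originals).
 *
 * <p>Given a "variant" string ("generic", "tls server", "tls client", "code signing",
 * "jce signing", "plugin code signing", "tsa server"), verifies that a leaf certificate's
 * KeyUsage, ExtendedKeyUsage and Netscape cert type extensions permit that use, and that no
 * critical extension remains that this checker does not account for.
 *
 * <p>Policy visible in this class that a reviewer should keep in mind:
 * <ul>
 *   <li>An absent KeyUsage or ExtendedKeyUsage extension is treated as "allowed"
 *       (except for the TSA variant, which requires ExtendedKeyUsage to be present).</li>
 *   <li>anyExtendedKeyUsage (2.5.29.37.0) satisfies every ExtendedKeyUsage check.</li>
 *   <li>The "generic" variant performs no checks at all.</li>
 *   <li>For TLS client certificates, GOST auth types skip every check in this class.</li>
 * </ul>
 */
public class cl_0 {

    /** Auth types for which the server certificate must allow digitalSignature (KeyUsage bit 0). */
    private static final Collection<String> SIGNATURE_AUTH_TYPES =
            Arrays.asList("DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA", "RSA_EXPORT", "UNKNOWN");

    /** Auth types for which the server certificate must allow keyEncipherment (KeyUsage bit 2). */
    private static final Collection<String> KEY_ENCIPHERMENT_AUTH_TYPES = Arrays.asList("RSA");

    /** Auth types for which the server certificate must allow keyAgreement (KeyUsage bit 4). */
    private static final Collection<String> KEY_AGREEMENT_AUTH_TYPES =
            Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");

    /** Index of digitalSignature in {@link X509Certificate#getKeyUsage()}. */
    private static final int KU_DIGITAL_SIGNATURE = 0;
    /** Index of keyEncipherment in {@link X509Certificate#getKeyUsage()}. */
    private static final int KU_KEY_ENCIPHERMENT = 2;
    /** Index of keyAgreement in {@link X509Certificate#getKeyUsage()}. */
    private static final int KU_KEY_AGREEMENT = 4;

    private static final String OID_ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0";
    private static final String OID_EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    private static final String OID_EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8";
    /** Microsoft Server Gated Crypto; accepted as an alternative to serverAuth. */
    private static final String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
    /** Netscape Server Gated Crypto; accepted as an alternative to serverAuth. */
    private static final String OID_EKU_NS_SGC = "2.16.840.1.113730.4.1";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_SUBJECT_ALT_NAME = "2.5.29.17";

    /** Usage variant selected at construction; drives the dispatch in {@link #a(X509Certificate, Object)}. */
    private final String variant;
    /** First factory argument; stored but never read inside this class. */
    private final String e;

    private cl_0(String str, String str2) {
        this.e = str;
        this.variant = str2;
    }

    /**
     * Creates a checker.
     *
     * @param str  stored only; not consulted by any check in this class
     * @param str2 the usage variant, e.g. {@code "tls server"}; an unrecognised or {@code null}
     *             value is rejected with a {@link CertificateException} when a certificate is checked
     * @return a new checker instance
     */
    public static cl_0 a(String str, String str2) {
        return new cl_0(str, str2);
    }

    /**
     * Checks that the certificate may be used for this checker's variant.
     *
     * @param x509Certificate the end-entity certificate to check
     * @param obj             the TLS auth type (a {@code String}) for the "tls server" and
     *                        "tls client" variants; ignored by the other variants
     * @throws CertificateException if the certificate's extensions do not permit the use, an
     *                              unsupported critical extension is present, the variant is
     *                              unknown, or a TLS variant is given a non-String auth type
     */
    public void a(X509Certificate x509Certificate, Object obj) throws CertificateException {
        // Constant-first equals: a null variant falls through to "Unknown variant" (fail closed)
        // instead of surfacing as a NullPointerException.
        if ("generic".equals(this.variant)) {
            // No end-entity restrictions are applied for the generic variant.
            return;
        }
        if ("tls server".equals(this.variant)) {
            checkTlsServer(x509Certificate, requireAuthType(obj));
            return;
        }
        if ("tls client".equals(this.variant)) {
            checkTlsClient(x509Certificate, requireAuthType(obj));
            return;
        }
        if ("code signing".equals(this.variant)
                || "jce signing".equals(this.variant)
                || "plugin code signing".equals(this.variant)) {
            checkCodeSigning(x509Certificate);
            return;
        }
        if ("tsa server".equals(this.variant)) {
            checkTsaServer(x509Certificate);
            return;
        }
        throw new CertificateException("Unknown variant: " + this.variant);
    }

    /**
     * Converts the untyped check parameter into a TLS auth type, rejecting {@code null} and
     * non-String values with a {@link CertificateException} rather than a runtime exception.
     */
    private static String requireAuthType(Object parameter) throws CertificateException {
        if (!(parameter instanceof String)) {
            throw new CertificateException("Unknown authType: " + parameter);
        }
        return (String) parameter;
    }

    /** Returns true when the auth type is one of the four GOST identifiers this class recognises. */
    private static boolean isGostAuthType(String authType) {
        return authType.equalsIgnoreCase(GostConstants.GR3410)
                || authType.equalsIgnoreCase(GostConstants.GR3410_2012_256)
                || authType.equalsIgnoreCase(GostConstants.GR3410_2012_256_KUZN)
                || authType.equalsIgnoreCase(GostConstants.GR3410_2012_256_MAGMA);
    }

    /**
     * Returns a private, mutable copy of the certificate's critical extension OIDs.
     *
     * <p>The checks below remove handled OIDs from this set. Copying guarantees that never
     * mutates a set owned by the certificate implementation and never fails on an
     * unmodifiable one; insertion order of the source set is preserved for error messages.
     */
    private Set<String> criticalExtensionsOf(X509Certificate cert) {
        Set<String> oids = cert.getCriticalExtensionOIDs();
        return oids == null ? new LinkedHashSet<String>() : new LinkedHashSet<String>(oids);
    }

    /**
     * Tests one KeyUsage bit.
     *
     * @return true when the KeyUsage extension is absent, or present with the bit set
     */
    private boolean keyUsageAllows(X509Certificate cert, int bit) {
        boolean[] bits = cert.getKeyUsage();
        if (bits == null) {
            // No KeyUsage extension: the key is not restricted.
            return true;
        }
        return bit < bits.length && bits[bit];
    }

    /**
     * Tests the ExtendedKeyUsage extension for a purpose.
     *
     * @return true when the extension is absent, lists {@code purposeOid}, or lists
     *         anyExtendedKeyUsage
     */
    private boolean extendedKeyUsageAllows(X509Certificate cert, String purposeOid)
            throws CertificateException {
        List<String> purposes = cert.getExtendedKeyUsage();
        return purposes == null
                || purposes.contains(purposeOid)
                || purposes.contains(OID_ANY_EXTENDED_KEY_USAGE);
    }

    /**
     * Final step of every variant: drops basicConstraints and subjectAltName from the remaining
     * critical OIDs and rejects the certificate if anything is left.
     */
    private void rejectUnhandledCritical(Set<String> remaining) throws CertificateException {
        remaining.remove(OID_BASIC_CONSTRAINTS);
        remaining.remove(OID_SUBJECT_ALT_NAME);
        if (!remaining.isEmpty()) {
            throw new CertificateException("Certificate contains unsupported critical extensions: " + remaining);
        }
    }

    /** Checks a certificate presented for TLS client authentication. */
    private void checkTlsClient(X509Certificate cert, String authType) throws CertificateException {
        // NOTE(review): for GOST auth types this returns before the KeyUsage, ExtendedKeyUsage,
        // Netscape cert type and critical-extension checks. The server path applies all but the
        // KeyUsage check to the same auth types. Confirm the asymmetry is intentional and that
        // GOST client certificates are constrained elsewhere.
        if (isGostAuthType(authType)) {
            return;
        }
        Set<String> critical = criticalExtensionsOf(cert);
        if (!keyUsageAllows(cert, KU_DIGITAL_SIGNATURE)) {
            throw new cl_5("KeyUsage does not allow digital signatures", cl_5.b, cert);
        }
        if (!extendedKeyUsageAllows(cert, OID_EKU_CLIENT_AUTH)) {
            throw new cl_5("Extended key usage does not permit use for TLS client authentication", cl_5.b, cert);
        }
        if (!cl_3.a(cert, NetscapeCertTypeExtension.SSL_CLIENT)) {
            throw new cl_5("Netscape cert type does not permit use for SSL client", cl_5.b, cert);
        }
        critical.remove(AdESUtility.KEY_USAGE);
        critical.remove(AdESUtility.EXTENDED_KEY_USAGE);
        critical.remove(OID_NETSCAPE_CERT_TYPE);
        rejectUnhandledCritical(critical);
    }

    /**
     * Checks a certificate for code signing ("code signing", "jce signing",
     * "plugin code signing").
     */
    private void checkCodeSigning(X509Certificate cert) throws CertificateException {
        Set<String> critical = criticalExtensionsOf(cert);
        if (!keyUsageAllows(cert, KU_DIGITAL_SIGNATURE)) {
            throw new cl_5("KeyUsage does not allow digital signatures", cl_5.b, cert);
        }
        if (!extendedKeyUsageAllows(cert, KeyUsage.STR_OID_PKIX_CODE_SIGNING)) {
            throw new cl_5("Extended key usage does not permit use for code signing", cl_5.b, cert);
        }
        // "jce signing" neither consults the Netscape cert type nor marks it as handled, so a
        // critical Netscape cert type extension is rejected below as unsupported for that variant.
        if (!"jce signing".equals(this.variant)) {
            if (!cl_3.a(cert, NetscapeCertTypeExtension.OBJECT_SIGNING)) {
                throw new cl_5("Netscape cert type does not permit use for code signing", cl_5.b, cert);
            }
            critical.remove(OID_NETSCAPE_CERT_TYPE);
        }
        critical.remove(AdESUtility.KEY_USAGE);
        critical.remove(AdESUtility.EXTENDED_KEY_USAGE);
        rejectUnhandledCritical(critical);
    }

    /** Checks a certificate presented by a TLS server for the negotiated auth type. */
    private void checkTlsServer(X509Certificate cert, String authType) throws CertificateException {
        Set<String> critical = criticalExtensionsOf(cert);
        if (KEY_ENCIPHERMENT_AUTH_TYPES.contains(authType)) {
            if (!keyUsageAllows(cert, KU_KEY_ENCIPHERMENT)) {
                throw new cl_5("KeyUsage does not allow key encipherment", cl_5.b, cert);
            }
        } else if (SIGNATURE_AUTH_TYPES.contains(authType)) {
            if (!keyUsageAllows(cert, KU_DIGITAL_SIGNATURE)) {
                throw new cl_5("KeyUsage does not allow digital signatures", cl_5.b, cert);
            }
        } else if (KEY_AGREEMENT_AUTH_TYPES.contains(authType)) {
            if (!keyUsageAllows(cert, KU_KEY_AGREEMENT)) {
                throw new cl_5("KeyUsage does not allow key agreement", cl_5.b, cert);
            }
        } else if (!isGostAuthType(authType)) {
            // GOST auth types are accepted without any KeyUsage bit check; anything else is unknown.
            throw new CertificateException("Unknown authType: " + authType);
        }
        // serverAuth or either Server Gated Crypto purpose is sufficient.
        if (!extendedKeyUsageAllows(cert, KeyUsage.STR_OID_PKIX_SERVER_AUTH)
                && !extendedKeyUsageAllows(cert, OID_EKU_MS_SGC)
                && !extendedKeyUsageAllows(cert, OID_EKU_NS_SGC)) {
            throw new cl_5("Extended key usage does not permit use for TLS server authentication", cl_5.b, cert);
        }
        if (!cl_3.a(cert, NetscapeCertTypeExtension.SSL_SERVER)) {
            throw new cl_5("Netscape cert type does not permit use for SSL server", cl_5.b, cert);
        }
        critical.remove(AdESUtility.KEY_USAGE);
        critical.remove(AdESUtility.EXTENDED_KEY_USAGE);
        critical.remove(OID_NETSCAPE_CERT_TYPE);
        rejectUnhandledCritical(critical);
    }

    /** Checks a certificate used by a time-stamping authority (TSA) server. */
    private void checkTsaServer(X509Certificate cert) throws CertificateException {
        Set<String> critical = criticalExtensionsOf(cert);
        if (!keyUsageAllows(cert, KU_DIGITAL_SIGNATURE)) {
            throw new cl_5("KeyUsage does not allow digital signatures", cl_5.b, cert);
        }
        // Unlike the other variants, the ExtendedKeyUsage extension must be present here.
        if (cert.getExtendedKeyUsage() == null) {
            throw new cl_5("Certificate does not contain an extended key usage extension required for a TSA server", cl_5.b, cert);
        }
        // The shared helper also accepts anyExtendedKeyUsage in place of timeStamping.
        if (!extendedKeyUsageAllows(cert, OID_EKU_TIME_STAMPING)) {
            throw new cl_5("Extended key usage does not permit use for TSA server", cl_5.b, cert);
        }
        critical.remove(AdESUtility.KEY_USAGE);
        critical.remove(AdESUtility.EXTENDED_KEY_USAGE);
        rejectUnhandledCritical(critical);
    }
}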
