package org.bouncycastle.jsse.provider;

import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.jsse.java.security.BCCryptoPrimitive;

/* loaded from: classes2.dex */
public class i0 extends PKIXCertPathChecker {

    /* renamed from: e, reason: collision with root package name */
    public static final Map<String, String> f9261e = f();

    /* renamed from: f, reason: collision with root package name */
    public static final Set<String> f9262f = g();

    /* renamed from: g, reason: collision with root package name */
    public static final byte[] f9263g = {5, 0};

    /* renamed from: h, reason: collision with root package name */
    public static final String f9264h = z.w("SHA256withRSAandMGF1", "RSASSA-PSS");

    /* renamed from: i, reason: collision with root package name */
    public static final String f9265i = z.w("SHA384withRSAandMGF1", "RSASSA-PSS");

    /* renamed from: j, reason: collision with root package name */
    public static final String f9266j = z.w("SHA512withRSAandMGF1", "RSASSA-PSS");

    /* renamed from: k, reason: collision with root package name */
    public static final String f9267k = z.w("SHA256withRSAandMGF1", "RSA");

    /* renamed from: l, reason: collision with root package name */
    public static final String f9268l = z.w("SHA384withRSAandMGF1", "RSA");

    /* renamed from: m, reason: collision with root package name */
    public static final String f9269m = z.w("SHA512withRSAandMGF1", "RSA");

    /* renamed from: a, reason: collision with root package name */
    public final boolean f9270a;

    /* renamed from: b, reason: collision with root package name */
    public final h8.c f9271b;

    /* renamed from: c, reason: collision with root package name */
    public final m8.a f9272c;

    /* renamed from: d, reason: collision with root package name */
    public X509Certificate f9273d;

    public i0(boolean z10, h8.c cVar, m8.a aVar) {
        if (cVar == null) {
            throw new NullPointerException("'helper' cannot be null");
        }
        if (aVar == null) {
            throw new NullPointerException("'algorithmConstraints' cannot be null");
        }
        this.f9270a = z10;
        this.f9271b = cVar;
        this.f9272c = aVar;
        this.f9273d = null;
    }

    public static void a(h8.c cVar, m8.a aVar, X509Certificate[] x509CertificateArr, n7.i iVar, int i10) throws CertPathValidatorException {
        X509Certificate x509Certificate = x509CertificateArr[x509CertificateArr.length - 1];
        if (x509CertificateArr.length > 1) {
            e(cVar, aVar, x509CertificateArr[x509CertificateArr.length - 2], x509Certificate);
        }
        c(cVar, aVar, x509CertificateArr[0], iVar, i10);
    }

    public static void b(boolean z10, h8.c cVar, m8.a aVar, Set<X509Certificate> set, X509Certificate[] x509CertificateArr, n7.i iVar, int i10) throws CertPathValidatorException {
        int length = x509CertificateArr.length;
        while (length > 0 && set.contains(x509CertificateArr[length - 1])) {
            length--;
        }
        if (length < x509CertificateArr.length) {
            X509Certificate x509Certificate = x509CertificateArr[length];
            if (length > 0) {
                e(cVar, aVar, x509CertificateArr[length - 1], x509Certificate);
            }
        } else {
            d(cVar, aVar, x509CertificateArr[length - 1]);
        }
        i0 i0Var = new i0(z10, cVar, aVar);
        i0Var.init(false);
        for (int i11 = length - 1; i11 >= 0; i11--) {
            i0Var.check(x509CertificateArr[i11], Collections.emptySet());
        }
        c(cVar, aVar, x509CertificateArr[0], iVar, i10);
    }

    public static void c(h8.c cVar, m8.a aVar, X509Certificate x509Certificate, n7.i iVar, int i10) throws CertPathValidatorException {
        if (iVar != null && !o(x509Certificate, iVar)) {
            throw new CertPathValidatorException("Certificate doesn't support '" + h(iVar) + "' ExtendedKeyUsage");
        }
        if (i10 >= 0) {
            if (!q(x509Certificate, i10)) {
                throw new CertPathValidatorException("Certificate doesn't support '" + i(i10) + "' KeyUsage");
            }
            if (aVar.permits(j(i10), x509Certificate.getPublicKey())) {
                return;
            }
            throw new CertPathValidatorException("Public key not permitted for '" + i(i10) + "' KeyUsage");
        }
    }

    public static void d(h8.c cVar, m8.a aVar, X509Certificate x509Certificate) throws CertPathValidatorException {
        String k10 = k(x509Certificate, null);
        if (!z.T(k10)) {
            throw new CertPathValidatorException("Signature algorithm could not be determined");
        }
        if (aVar.permits(z.f9534j, k10, l(cVar, x509Certificate))) {
            return;
        }
        throw new CertPathValidatorException("Signature algorithm '" + k10 + "' not permitted with given parameters");
    }

    public static void e(h8.c cVar, m8.a aVar, X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertPathValidatorException {
        String k10 = k(x509Certificate, x509Certificate2);
        if (!z.T(k10)) {
            throw new CertPathValidatorException("Signature algorithm could not be determined");
        }
        if (aVar.permits(z.f9534j, k10, x509Certificate2.getPublicKey(), l(cVar, x509Certificate))) {
            return;
        }
        throw new CertPathValidatorException("Signature algorithm '" + k10 + "' not permitted with given parameters and issuer public key");
    }

    public static Map<String, String> f() {
        HashMap hashMap = new HashMap(4);
        hashMap.put(w6.a.id_Ed25519.w(), "Ed25519");
        hashMap.put(w6.a.id_Ed448.w(), "Ed448");
        hashMap.put(e7.b.dsaWithSHA1.w(), "SHA1withDSA");
        hashMap.put(o7.m.id_dsa_with_sha1.w(), "SHA1withDSA");
        return Collections.unmodifiableMap(hashMap);
    }

    public static Set<String> g() {
        HashSet hashSet = new HashSet();
        hashSet.add(e7.b.dsaWithSHA1.w());
        hashSet.add(o7.m.id_dsa_with_sha1.w());
        hashSet.add(f7.c.id_RSASSA_PSS.w());
        return Collections.unmodifiableSet(hashSet);
    }

    public static String h(n7.i iVar) {
        if (n7.i.id_kp_clientAuth.equals(iVar)) {
            return "clientAuth";
        }
        if (n7.i.id_kp_serverAuth.equals(iVar)) {
            return "serverAuth";
        }
        return "(" + iVar + ")";
    }

    public static String i(int i10) {
        if (i10 == 0) {
            return "digitalSignature";
        }
        if (i10 == 2) {
            return "keyEncipherment";
        }
        if (i10 == 4) {
            return "keyAgreement";
        }
        return "(" + i10 + ")";
    }

    public static Set<BCCryptoPrimitive> j(int i10) {
        return i10 != 2 ? i10 != 4 ? z.f9534j : z.f9532h : z.f9533i;
    }

    public static String k(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        p6.t g10;
        String sigAlgOID = x509Certificate.getSigAlgOID();
        String str = f9261e.get(sigAlgOID);
        if (str != null) {
            return str;
        }
        if (!f7.c.id_RSASSA_PSS.w().equals(sigAlgOID)) {
            return x509Certificate.getSigAlgName();
        }
        f7.g h10 = f7.g.h(x509Certificate.getSigAlgParams());
        if (h10 != null && (g10 = h10.g().g()) != null) {
            if (x509Certificate2 != null) {
                x509Certificate = x509Certificate2;
            }
            try {
                ma.i iVar = new ma.i((ma.j) null, x509Certificate);
                if (c7.b.id_sha256.n(g10)) {
                    if (iVar.y((short) 9)) {
                        return f9264h;
                    }
                    if (iVar.y((short) 4)) {
                        return f9267k;
                    }
                } else if (c7.b.id_sha384.n(g10)) {
                    if (iVar.y((short) 10)) {
                        return f9265i;
                    }
                    if (iVar.y((short) 5)) {
                        return f9268l;
                    }
                } else if (c7.b.id_sha512.n(g10)) {
                    if (iVar.y((short) 11)) {
                        return f9266j;
                    }
                    if (iVar.y((short) 6)) {
                        return f9269m;
                    }
                }
            } catch (IOException unused) {
            }
        }
        return null;
    }

    public static AlgorithmParameters l(h8.c cVar, X509Certificate x509Certificate) throws CertPathValidatorException {
        byte[] sigAlgParams = x509Certificate.getSigAlgParams();
        if (sigAlgParams == null) {
            return null;
        }
        String sigAlgOID = x509Certificate.getSigAlgOID();
        if (f9262f.contains(sigAlgOID) && org.bouncycastle.util.a.d(f9263g, sigAlgParams)) {
            return null;
        }
        try {
            AlgorithmParameters i10 = cVar.i(sigAlgOID);
            try {
                i10.init(sigAlgParams);
                return i10;
            } catch (Exception e10) {
                throw new CertPathValidatorException(e10);
            }
        } catch (GeneralSecurityException unused) {
            return null;
        }
    }

    public static boolean m(PublicKey publicKey) {
        try {
            n7.a g10 = n7.k.h(publicKey.getEncoded()).g();
            if (!o7.m.id_ecPublicKey.n(g10.g())) {
                return true;
            }
            p6.f j10 = g10.j();
            if (j10 != null) {
                return j10.d() instanceof p6.t;
            }
            return false;
        } catch (Exception unused) {
            return false;
        }
    }

    public static boolean n(PublicKey publicKey, boolean[] zArr, int i10, m8.a aVar) {
        return r(zArr, i10) && aVar.permits(j(i10), publicKey);
    }

    public static boolean o(X509Certificate x509Certificate, n7.i iVar) {
        try {
            return p(x509Certificate.getExtendedKeyUsage(), iVar);
        } catch (CertificateParsingException unused) {
            return false;
        }
    }

    public static boolean p(List<String> list, n7.i iVar) {
        return list == null || list.contains(iVar.g()) || list.contains(n7.i.anyExtendedKeyUsage.g());
    }

    public static boolean q(X509Certificate x509Certificate, int i10) {
        return r(x509Certificate.getKeyUsage(), i10);
    }

    public static boolean r(boolean[] zArr, int i10) {
        return zArr == null || (zArr.length > i10 && zArr[i10]);
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void check(Certificate certificate) throws CertPathValidatorException {
        check(certificate, Collections.emptySet());
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        if (!(certificate instanceof X509Certificate)) {
            throw new CertPathValidatorException("checker can only be used for X.509 certificates");
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;
        if (this.f9270a && !m(x509Certificate.getPublicKey())) {
            throw new CertPathValidatorException("non-FIPS public key found");
        }
        X509Certificate x509Certificate2 = this.f9273d;
        if (x509Certificate2 != null) {
            e(this.f9271b, this.f9272c, x509Certificate, x509Certificate2);
        }
        this.f9273d = x509Certificate;
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        return null;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z10) throws CertPathValidatorException {
        if (z10) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.f9273d = null;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }
}
