package sun.security.provider.certpath;

import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.provider.certpath.PKIX;
import sun.security.provider.certpath.URICertStore;
import sun.security.util.Debug;
import sun.security.x509.AuthorityKeyIdentifierExtension;
import sun.security.x509.CRLDistributionPointsExtension;
import sun.security.x509.DistributionPoint;
import sun.security.x509.DistributionPointName;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.GeneralNames;
import sun.security.x509.IssuingDistributionPointExtension;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.RDN;
import sun.security.x509.ReasonFlags;
import sun.security.x509.SerialNumber;
import sun.security.x509.URIName;
import sun.security.x509.X500Name;
import sun.security.x509.X509CRLImpl;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:Contents/Home/lib/rt.jar:sun/security/provider/certpath/DistributionPointFetcher.class */
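/**
 * Collects candidate CRLs named by the CRL Distribution Points (CRLDP)
 * extension of a certificate and keeps only those that pass
 * {@link #verifyCRL}.
 *
 * <p>Trust model visible in this class: the distribution point names, and
 * therefore the URIs that are fetched and the directory names that are looked
 * up, come from the certificate being checked. A retrieved CRL is only a
 * candidate until {@code verifyCRL} has matched its issuer, scope and reason
 * codes and verified its signature.
 *
 * <p>This listing is decompiler output, so parameter names are synthetic
 * ({@code z}, {@code str}, {@code zArr}); their roles are documented on each
 * method from the way the code uses them.
 */
public class DistributionPointFetcher {
    // May be null; every use below is null-checked.
    private static final Debug debug = Debug.getInstance("certpath");

    // Reasons mask with all nine flags set; once the caller's mask equals
    // this, no further distribution points are consulted.
    private static final boolean[] ALL_REASONS = {true, true, true, true, true, true, true, true, true};

    private DistributionPointFetcher() {
    }

    /**
     * Convenience overload: delegates to the full variant with no previous
     * certificate and no trust anchor for the algorithm check.
     *
     * @param x509CRLSelector selector carrying the certificate being checked
     * @param z      if false, only CRLs that take the indirect-issuer path in
     *               {@link #verifyCRL} are accepted
     * @param publicKey key used to verify a directly issued CRL
     * @param str    signature provider name
     * @param list   cert stores used for directory-name CRL lookups and for
     *               building a path to an indirect CRL issuer
     * @param zArr   reasons mask already covered; updated in place
     * @param set    trust anchors for building a path to an indirect issuer
     * @param date   validation date for that path build
     * @param str2   passed through to {@code AlgorithmChecker.check}
     *               (presumably the validation variant; confirm against caller)
     * @return the CRLs that passed verification, possibly empty
     * @throws CertStoreException if no CRL was retrieved and a store failed
     */
    public static Collection<X509CRL> getCRLs(X509CRLSelector x509CRLSelector, boolean z, PublicKey publicKey, String str, List<CertStore> list, boolean[] zArr, Set<TrustAnchor> set, Date date, String str2) throws CertStoreException {
        return getCRLs(x509CRLSelector, z, publicKey, null, str, list, zArr, set, date, str2, null);
    }

    /**
     * Convenience overload that fixes the algorithm-check arguments to the
     * string {@code "plugin code signing"} and the first trust anchor returned
     * by {@code set}'s iterator. For an unordered set that anchor is arbitrary.
     *
     * @throws CertStoreException if {@code set} is empty, or as for the full
     *         variant
     */
    public static Collection<X509CRL> getCRLs(X509CRLSelector x509CRLSelector, boolean z, PublicKey publicKey, String str, List<CertStore> list, boolean[] zArr, Set<TrustAnchor> set, Date date) throws CertStoreException {
        if (set.isEmpty()) {
            throw new CertStoreException("at least one TrustAnchor must be specified");
        }
        return getCRLs(x509CRLSelector, z, publicKey, null, str, list, zArr, set, date, "plugin code signing", set.iterator().next());
    }

    /**
     * Walks the CRLDP extension of the certificate held by the selector and
     * returns every CRL that could be retrieved and verified.
     *
     * <p>An empty result is returned in four distinct situations: the selector
     * holds no certificate, the certificate has no CRLDP extension, the
     * certificate or extension could not be parsed, or no retrieved CRL passed
     * verification. Callers cannot tell these apart from the return value, so
     * an empty set must not be read as "not revoked".
     *
     * @param x509Certificate certificate that holds {@code publicKey}, or null;
     *               when non-null it is used as the extra trust anchor for the
     *               indirect-issuer path build
     * @param trustAnchor anchor handed to {@code AlgorithmChecker.check}
     * @return verified CRLs, possibly empty
     * @throws CertStoreException if a distribution point yielded no CRL and a
     *         store lookup failed
     */
    public static Collection<X509CRL> getCRLs(X509CRLSelector x509CRLSelector, boolean z, PublicKey publicKey, X509Certificate x509Certificate, String str, List<CertStore> list, boolean[] zArr, Set<TrustAnchor> set, Date date, String str2, TrustAnchor trustAnchor) throws CertStoreException {
        X509Certificate certificateChecking = x509CRLSelector.getCertificateChecking();
        if (certificateChecking == null) {
            return Collections.emptySet();
        }
        try {
            X509CertImpl certImpl = X509CertImpl.toImpl(certificateChecking);
            if (debug != null) {
                debug.println("DistributionPointFetcher.getCRLs: Checking CRLDPs for " + certImpl.getSubjectX500Principal());
            }
            CRLDistributionPointsExtension crldpExt = certImpl.getCRLDistributionPointsExtension();
            if (crldpExt == null) {
                if (debug != null) {
                    debug.println("No CRLDP ext");
                }
                return Collections.emptySet();
            }
            List<DistributionPoint> points = crldpExt.get(CRLDistributionPointsExtension.POINTS);
            Set<X509CRL> results = new HashSet<>();
            Iterator<DistributionPoint> it = points.iterator();
            // Stop as soon as every reason code is covered; zArr is updated
            // by verifyCRL for each accepted CRL.
            while (it.hasNext() && !Arrays.equals(zArr, ALL_REASONS)) {
                results.addAll(getCRLs(x509CRLSelector, certImpl, it.next(), zArr, z, publicKey, x509Certificate, str, list, set, date, str2, trustAnchor));
            }
            if (debug != null) {
                debug.println("Returning " + results.size() + " CRLs");
            }
            return results;
        } catch (IOException | CertificateException e) {
            // Deliberately best-effort: a certificate whose CRLDP extension
            // cannot be read yields no CRLs. Record the cause so the failure
            // is at least visible in the certpath debug output.
            if (debug != null) {
                debug.println("DistributionPointFetcher.getCRLs: unable to read CRLDPs: " + e);
            }
            return Collections.emptySet();
        }
    }

    /**
     * Retrieves the CRLs for one distribution point and filters them through
     * the selector and {@link #verifyCRL}.
     *
     * @return the CRLs from this distribution point that passed verification
     * @throws CertStoreException if nothing was retrieved and at least one
     *         lookup failed (the last failure is rethrown)
     */
    private static Collection<X509CRL> getCRLs(X509CRLSelector x509CRLSelector, X509CertImpl x509CertImpl, DistributionPoint distributionPoint, boolean[] zArr, boolean z, PublicKey publicKey, X509Certificate x509Certificate, String str, List<CertStore> list, Set<TrustAnchor> set, Date date, String str2, TrustAnchor trustAnchor) throws CertStoreException {
        GeneralNames fullNames = distributionPoint.getFullName();
        if (fullNames == null) {
            // No full name: expand the relative name against the CRL issuer
            // named in the DP, or against the certificate issuer if absent.
            RDN relativeName = distributionPoint.getRelativeName();
            if (relativeName == null) {
                return Collections.emptySet();
            }
            try {
                GeneralNames crlIssuers = distributionPoint.getCRLIssuer();
                if (crlIssuers == null) {
                    fullNames = getFullNames((X500Name) x509CertImpl.getIssuerDN(), relativeName);
                } else {
                    // A relative name is only unambiguous with one issuer.
                    if (crlIssuers.size() != 1) {
                        return Collections.emptySet();
                    }
                    fullNames = getFullNames((X500Name) crlIssuers.get(0).getName(), relativeName);
                }
            } catch (IOException e) {
                return Collections.emptySet();
            }
        }

        List<X509CRL> candidates = new ArrayList<>();
        CertStoreException lastException = null;
        Iterator<GeneralName> names = fullNames.iterator();
        while (names.hasNext()) {
            GeneralName name = names.next();
            try {
                if (name.getType() == GeneralNameInterface.NAME_DIRECTORY) {
                    candidates.addAll(getCRLs((X500Name) name.getName(), x509CertImpl.getIssuerX500Principal(), list));
                } else if (name.getType() == GeneralNameInterface.NAME_URI) {
                    X509CRL crl = getCRL((URIName) name.getName());
                    if (crl != null) {
                        candidates.add(crl);
                    }
                }
                // Other name types are ignored.
            } catch (CertStoreException e) {
                // Keep trying the remaining names; remember the failure.
                lastException = e;
            }
        }
        if (candidates.isEmpty() && lastException != null) {
            throw lastException;
        }

        List<X509CRL> verified = new ArrayList<>(2);
        for (X509CRL candidate : candidates) {
            try {
                // Clear any issuer criterion on the selector before matching;
                // issuer matching is done inside verifyCRL instead.
                x509CRLSelector.setIssuerNames(null);
                if (x509CRLSelector.match(candidate) && verifyCRL(x509CertImpl, distributionPoint, candidate, zArr, z, publicKey, x509Certificate, str, set, list, date, str2, trustAnchor)) {
                    verified.add(candidate);
                }
            } catch (IOException | CRLException e) {
                // A CRL that cannot be verified is dropped, not fatal.
                if (debug != null) {
                    debug.println("Exception verifying CRL: " + e.getMessage());
                    e.printStackTrace();
                }
            }
        }
        return verified;
    }

    /**
     * Fetches a CRL from the URI of a distribution point name.
     *
     * <p>The URI is taken from the certificate under check, and only the first
     * CRL the store returns is used. The result is unverified; the caller
     * passes it through {@link #verifyCRL} before accepting it.
     *
     * @return the first CRL at the URI, or null if the store returned none or
     *         could not be created
     * @throws CertStoreException if retrieving from the store fails
     */
    private static X509CRL getCRL(URIName uRIName) throws CertStoreException {
        URI uri = uRIName.getURI();
        if (debug != null) {
            debug.println("Trying to fetch CRL from DP " + uri);
        }
        try {
            CertStore store = URICertStore.getInstance(new URICertStore.URICertStoreParameters(uri));
            Collection<? extends CRL> crls = store.getCRLs(null);
            if (crls.isEmpty()) {
                return null;
            }
            return (X509CRL) crls.iterator().next();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            if (debug != null) {
                debug.println("Can't create URICertStore: " + e.getMessage());
            }
            return null;
        }
    }

    /**
     * Looks up CRLs in the supplied cert stores whose issuer is either the
     * distribution point's directory name or the certificate issuer.
     *
     * @return all CRLs returned by the stores, possibly empty
     * @throws CertStoreException if no CRL was found and at least one store
     *         failed (the last failure, tagged with the store type)
     */
    private static Collection<X509CRL> getCRLs(X500Name x500Name, X500Principal x500Principal, List<CertStore> list) throws CertStoreException {
        if (debug != null) {
            debug.println("Trying to fetch CRL from DP " + x500Name);
        }
        X509CRLSelector issuerSelector = new X509CRLSelector();
        issuerSelector.addIssuer(x500Name.asX500Principal());
        issuerSelector.addIssuer(x500Principal);

        List<X509CRL> found = new ArrayList<>();
        PKIX.CertStoreTypeException lastFailure = null;
        for (CertStore store : list) {
            try {
                for (CRL crl : store.getCRLs(issuerSelector)) {
                    found.add((X509CRL) crl);
                }
            } catch (CertStoreException e) {
                if (debug != null) {
                    debug.println("Exception while retrieving CRLs: " + e);
                    e.printStackTrace();
                }
                lastFailure = new PKIX.CertStoreTypeException(store.getType(), e);
            }
        }
        // A failure only matters when it left us with nothing at all.
        if (!found.isEmpty() || lastFailure == null) {
            return found;
        }
        throw lastFailure;
    }

    /**
     * Decides whether a candidate CRL may be used to determine the revocation
     * status of a certificate via the given distribution point.
     *
     * <p>Checks, in order: (1) the CRL issuer matches the DP's cRLIssuer (and
     * the CRL is marked indirect) or the certificate issuer; (2) the name in
     * the CRL's Issuing Distribution Point (IDP) extension, if any, matches
     * the DP; (3) the IDP onlyContains* flags fit the certificate; (4) the CRL
     * covers at least one reason code not yet in {@code zArr}; (5) for an
     * indirect CRL, a PKIX path to the CRL issuer with the cRLSign key usage
     * can be built; (6) the signing key and algorithm pass
     * {@code AlgorithmChecker.check} and the CRL signature verifies; (7) the
     * CRL has no critical extension other than IDP.
     *
     * <p>On success {@code zArr} is updated in place with the reason codes
     * this CRL covers. The decompiler reports that this method was
     * package-private in the original class file.
     *
     * @param zArr reasons mask already covered by earlier CRLs
     * @param z    if false, a CRL that does not take the indirect path is
     *             rejected
     * @param publicKey key for verifying a directly issued CRL; replaced by
     *             the certificate's own key when the certificate itself issued
     *             the CRL, or by the built path's key for an indirect CRL
     * @return true if the CRL passed every check
     * @throws CRLException if the indirect-issuer path cannot be built
     * @throws IOException  if an extension or name cannot be decoded
     */
    public static boolean verifyCRL(X509CertImpl x509CertImpl, DistributionPoint distributionPoint, X509CRL x509crl, boolean[] zArr, boolean z, PublicKey publicKey, X509Certificate x509Certificate, String str, Set<TrustAnchor> set, List<CertStore> list, Date date, String str2, TrustAnchor trustAnchor) throws CRLException, IOException {
        if (debug != null) {
            debug.println("DistributionPointFetcher.verifyCRL: checking revocation status for\n  SN: " + Debug.toHexString(x509CertImpl.getSerialNumber()) + "\n  Subject: " + x509CertImpl.getSubjectX500Principal() + "\n  Issuer: " + x509CertImpl.getIssuerX500Principal());
        }
        boolean indirectCRL = false;
        X509CRLImpl crlImpl = X509CRLImpl.toImpl(x509crl);
        IssuingDistributionPointExtension idpExt = crlImpl.getIssuingDistributionPointExtension();
        X500Name certIssuer = (X500Name) x509CertImpl.getIssuerDN();
        X500Name crlIssuer = (X500Name) crlImpl.getIssuerDN();
        GeneralNames pointCrlIssuers = distributionPoint.getCRLIssuer();
        X500Name pointCrlIssuer = null;

        // --- (1) issuer matching ---
        if (pointCrlIssuers != null) {
            // The DP names a separate CRL issuer, so the CRL must declare
            // itself indirect in its IDP extension.
            if (idpExt == null || ((Boolean) idpExt.get(IssuingDistributionPointExtension.INDIRECT_CRL)).equals(Boolean.FALSE)) {
                return false;
            }
            boolean match = false;
            Iterator<GeneralName> issuers = pointCrlIssuers.iterator();
            while (!match && issuers.hasNext()) {
                GeneralNameInterface name = issuers.next().getName();
                if (crlIssuer.equals(name)) {
                    pointCrlIssuer = (X500Name) name;
                    match = true;
                }
            }
            if (!match) {
                return false;
            }
            if (issues(x509CertImpl, crlImpl, str)) {
                // The certificate being checked signed this CRL itself.
                publicKey = x509CertImpl.getPublicKey();
            } else {
                indirectCRL = true;
            }
        } else {
            if (!crlIssuer.equals(certIssuer)) {
                if (debug != null) {
                    debug.println("crl issuer does not equal cert issuer.\ncrl issuer: " + crlIssuer + "\ncert issuer: " + certIssuer);
                }
                return false;
            }
            // Same issuer name; compare authority key identifiers to tell
            // whether the same key signed both.
            KeyIdentifier certAkid = x509CertImpl.getAuthKeyId();
            KeyIdentifier crlAkid = crlImpl.getAuthKeyId();
            if (certAkid == null || crlAkid == null) {
                if (issues(x509CertImpl, crlImpl, str)) {
                    publicKey = x509CertImpl.getPublicKey();
                }
            } else if (!certAkid.equals(crlAkid)) {
                if (issues(x509CertImpl, crlImpl, str)) {
                    publicKey = x509CertImpl.getPublicKey();
                } else {
                    // Same name, different key: treat as an indirect CRL and
                    // build a path to the real signer below.
                    indirectCRL = true;
                }
            }
        }
        if (!indirectCRL && !z) {
            return false;
        }

        // --- (2) and (3) Issuing Distribution Point checks ---
        if (idpExt != null) {
            DistributionPointName idpPoint = (DistributionPointName) idpExt.get(IssuingDistributionPointExtension.POINT);
            if (idpPoint != null) {
                GeneralNames idpNames = idpPoint.getFullName();
                if (idpNames == null) {
                    RDN relativeName = idpPoint.getRelativeName();
                    if (relativeName == null) {
                        if (debug != null) {
                            debug.println("IDP must be relative or full DN");
                        }
                        return false;
                    }
                    if (debug != null) {
                        debug.println("IDP relativeName:" + relativeName);
                    }
                    idpNames = getFullNames(crlIssuer, relativeName);
                }
                if (distributionPoint.getFullName() == null && distributionPoint.getRelativeName() == null) {
                    // The DP carries no name, so compare the IDP names with
                    // the DP's cRLIssuer names. Nothing in this method
                    // guarantees cRLIssuer is present here (DistributionPoint
                    // may enforce it elsewhere), so reject instead of
                    // dereferencing null.
                    if (pointCrlIssuers == null) {
                        if (debug != null) {
                            debug.println("DP has neither a name nor a CRL issuer");
                        }
                        return false;
                    }
                    boolean match = false;
                    Iterator<GeneralName> issuers = pointCrlIssuers.iterator();
                    while (!match && issuers.hasNext()) {
                        GeneralNameInterface issuerName = issuers.next().getName();
                        Iterator<GeneralName> idpIt = idpNames.iterator();
                        while (!match && idpIt.hasNext()) {
                            match = issuerName.equals(idpIt.next().getName());
                        }
                    }
                    if (!match) {
                        return false;
                    }
                } else {
                    GeneralNames pointNames = distributionPoint.getFullName();
                    if (pointNames == null) {
                        RDN relativeName = distributionPoint.getRelativeName();
                        if (relativeName == null) {
                            if (debug != null) {
                                debug.println("DP must be relative or full DN");
                            }
                            return false;
                        }
                        if (debug != null) {
                            debug.println("DP relativeName:" + relativeName);
                        }
                        if (!indirectCRL) {
                            pointNames = getFullNames(certIssuer, relativeName);
                        } else {
                            // indirectCRL can also be set on the branch where
                            // the DP has no cRLIssuer (authority key id
                            // mismatch). There is then no issuer name to
                            // expand the relative name against, so reject
                            // rather than fail with a NullPointerException.
                            if (pointCrlIssuers == null) {
                                if (debug != null) {
                                    debug.println("no CRL issuer in DP to resolve relative name against");
                                }
                                return false;
                            }
                            if (pointCrlIssuers.size() != 1) {
                                if (debug != null) {
                                    debug.println("must only be one CRL issuer when relative name present");
                                }
                                return false;
                            }
                            pointNames = getFullNames(pointCrlIssuer, relativeName);
                        }
                    }
                    // At least one IDP name must equal one DP name.
                    boolean match = false;
                    Iterator<GeneralName> idpIt = idpNames.iterator();
                    while (!match && idpIt.hasNext()) {
                        GeneralNameInterface idpName = idpIt.next().getName();
                        if (debug != null) {
                            debug.println("idpName: " + idpName);
                        }
                        Iterator<GeneralName> pointIt = pointNames.iterator();
                        while (!match && pointIt.hasNext()) {
                            GeneralNameInterface pointName = pointIt.next().getName();
                            if (debug != null) {
                                debug.println("pointName: " + pointName);
                            }
                            match = idpName.equals(pointName);
                        }
                    }
                    if (!match) {
                        if (debug != null) {
                            debug.println("IDP name does not match DP name");
                        }
                        return false;
                    }
                }
            }
            // getBasicConstraints() == -1 means the certificate is not a CA.
            if (((Boolean) idpExt.get(IssuingDistributionPointExtension.ONLY_USER_CERTS)).equals(Boolean.TRUE) && x509CertImpl.getBasicConstraints() != -1) {
                if (debug != null) {
                    debug.println("cert must be a EE cert");
                }
                return false;
            }
            if (((Boolean) idpExt.get(IssuingDistributionPointExtension.ONLY_CA_CERTS)).equals(Boolean.TRUE) && x509CertImpl.getBasicConstraints() == -1) {
                if (debug != null) {
                    debug.println("cert must be a CA cert");
                }
                return false;
            }
            // A CRL limited to attribute certificates never applies here.
            if (((Boolean) idpExt.get(IssuingDistributionPointExtension.ONLY_ATTRIBUTE_CERTS)).equals(Boolean.TRUE)) {
                if (debug != null) {
                    debug.println("cert must not be an AA cert");
                }
                return false;
            }
        }

        // --- (4) reason codes covered by this CRL for this DP ---
        boolean[] interimReasons = new boolean[9];
        ReasonFlags idpReasons = idpExt != null ? (ReasonFlags) idpExt.get(IssuingDistributionPointExtension.REASONS) : null;
        boolean[] pointReasons = distributionPoint.getReasonFlags();
        if (idpReasons != null) {
            if (pointReasons != null) {
                // Both restrict the reasons: take the intersection.
                boolean[] idpFlags = idpReasons.getFlags();
                for (int i = 0; i < interimReasons.length; i++) {
                    interimReasons[i] = i < idpFlags.length && idpFlags[i] && i < pointReasons.length && pointReasons[i];
                }
            } else {
                interimReasons = idpReasons.getFlags().clone();
            }
        } else if (pointReasons != null) {
            interimReasons = pointReasons.clone();
        } else {
            // Neither restricts the reasons: the CRL covers all of them.
            Arrays.fill(interimReasons, true);
        }
        // Reject a CRL that adds no reason code beyond those already covered.
        boolean addsNewReason = false;
        for (int i = 0; i < interimReasons.length && !addsNewReason; i++) {
            if (interimReasons[i] && (i >= zArr.length || !zArr[i])) {
                addsNewReason = true;
            }
        }
        if (!addsNewReason) {
            return false;
        }

        // --- (5) indirect CRL: build a path to the CRL signer ---
        if (indirectCRL) {
            X509CertSelector signerSelector = new X509CertSelector();
            signerSelector.setSubject(crlIssuer.asX500Principal());
            // Index 6 of the key usage bits is cRLSign.
            signerSelector.setKeyUsage(new boolean[]{false, false, false, false, false, false, true});
            AuthorityKeyIdentifierExtension akidExt = crlImpl.getAuthKeyIdExtension();
            if (akidExt != null) {
                byte[] keyId = akidExt.getEncodedKeyIdentifier();
                if (keyId != null) {
                    signerSelector.setSubjectKeyIdentifier(keyId);
                }
                SerialNumber serial = (SerialNumber) akidExt.get(AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
                if (serial != null) {
                    signerSelector.setSerialNumber(serial.getNumber());
                }
            }
            // The caller's anchors plus, when a key is known, the issuer of
            // the certificate being checked.
            Set<TrustAnchor> anchors = new HashSet<>(set);
            if (publicKey != null) {
                anchors.add(x509Certificate != null ? new TrustAnchor(x509Certificate, null) : new TrustAnchor(x509CertImpl.getIssuerX500Principal(), publicKey, (byte[]) null));
            }
            try {
                PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, signerSelector);
                params.setCertStores(list);
                params.setSigProvider(str);
                params.setDate(date);
                PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
                publicKey = result.getPublicKey();
            } catch (GeneralSecurityException e) {
                // Covers bad parameters, a missing PKIX builder and a failed
                // build alike; the cause is preserved.
                throw new CRLException(e);
            }
        }

        // --- (6) algorithm constraints, then the signature itself ---
        try {
            AlgorithmChecker.check(publicKey, x509crl, str2, trustAnchor);
        } catch (CertPathValidatorException e) {
            if (debug != null) {
                debug.println("CRL signature algorithm check failed: " + e);
            }
            return false;
        }
        try {
            x509crl.verify(publicKey, str);
        } catch (GeneralSecurityException e) {
            if (debug != null) {
                debug.println("CRL signature failed to verify");
            }
            return false;
        }

        // --- (7) no critical extension may remain unprocessed ---
        Set<String> unresolvedCritExts = x509crl.getCriticalExtensionOIDs();
        if (unresolvedCritExts != null) {
            // IDP is the only critical CRL extension handled above.
            unresolvedCritExts.remove(PKIXExtensions.IssuingDistributionPoint_Id.toString());
            if (!unresolvedCritExts.isEmpty()) {
                if (debug != null) {
                    debug.println("Unrecognized critical extension(s) in CRL: " + unresolvedCritExts);
                    for (String oid : unresolvedCritExts) {
                        debug.println(oid);
                    }
                }
                return false;
            }
        }

        // Accepted: fold this CRL's reason codes into the caller's mask.
        for (int i = 0; i < zArr.length; i++) {
            zArr[i] = zArr[i] || (i < interimReasons.length && interimReasons[i]);
        }
        return true;
    }

    /**
     * Builds a one-element {@code GeneralNames} holding the directory name
     * formed by appending {@code rdn} to the RDNs of {@code x500Name}.
     *
     * @throws IOException if the combined name cannot be constructed
     */
    private static GeneralNames getFullNames(X500Name x500Name, RDN rdn) throws IOException {
        List<RDN> rdns = new ArrayList<>(x500Name.rdns());
        rdns.add(rdn);
        X500Name combined = new X500Name(rdns.toArray(new RDN[0]));
        GeneralNames names = new GeneralNames();
        names.add(new GeneralName(combined));
        return names;
    }

    /**
     * Tests whether the given certificate is the issuer of the given CRL.
     *
     * <p>The certificate must match the CRL's issuer name and authority key
     * identifier (subject key id and serial number). When either side lacks an
     * authority key identifier extension there is nothing to correlate the
     * keys by, so the CRL signature is verified with the certificate's key
     * instead.
     *
     * @param str signature provider name used for that verification
     * @return true if the certificate is accepted as the CRL's issuer
     * @throws IOException if an extension cannot be decoded
     */
    private static boolean issues(X509CertImpl x509CertImpl, X509CRLImpl x509CRLImpl, String str) throws IOException {
        AdaptableX509CertSelector issuerSelector = new AdaptableX509CertSelector();
        boolean[] keyUsage = x509CertImpl.getKeyUsage();
        if (keyUsage != null) {
            // Require cRLSign (index 6) on top of the certificate's own bits.
            // NOTE(review): assumes the returned array has at least seven
            // entries and is not shared with the certificate; confirm in
            // X509CertImpl.getKeyUsage().
            keyUsage[6] = true;
            issuerSelector.setKeyUsage(keyUsage);
        }
        issuerSelector.setSubject(x509CRLImpl.getIssuerX500Principal());
        AuthorityKeyIdentifierExtension crlAkidExt = x509CRLImpl.getAuthKeyIdExtension();
        issuerSelector.setSkiAndSerialNumber(crlAkidExt);

        boolean matched = issuerSelector.match(x509CertImpl);
        if (matched && (crlAkidExt == null || x509CertImpl.getAuthorityKeyIdentifierExtension() == null)) {
            try {
                x509CRLImpl.verify(x509CertImpl.getPublicKey(), str);
            } catch (GeneralSecurityException e) {
                // Signature does not verify under this key: not the issuer.
                matched = false;
            }
        }
        return matched;
    }
}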
