package sun.security.provider.certpath;

import java.io.IOException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import sun.security.util.Debug;
import sun.security.x509.NameConstraintsExtension;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:efixes/PK42528_Hpux_PaRISC/components/prereq.jdk/update.jar:/java/jre/lib/rt.jar:sun/security/provider/certpath/ConstraintsChecker.class */
/**
 * PKIX certification-path checker for the BasicConstraints and NameConstraints
 * certificate extensions.
 *
 * <p>The checker is stateful: it counts the certificates passed to
 * {@link #check}, tracks the remaining permitted path length, and carries the
 * name constraints accumulated so far. {@link #init} must be called with
 * {@code false} before the instance is reused for another path, because a
 * failed check leaves the counter and accumulated constraints as they were
 * when the exception was thrown. Nothing here synchronises access to that
 * state.
 *
 * <p>Only reverse checking is implemented; {@code init(true)} is rejected.
 */
class ConstraintsChecker extends PKIXCertPathChecker {
    /** Debug sink for the "certpath" category; every use below is null-guarded. */
    private static final Debug debug = Debug.getInstance("certpath");

    /** Path length supplied by the caller; compared against the running counter {@code i}. */
    private final int certPathLength;

    /** Number of further non-self-issued certificates still permitted after the current one. */
    private int maxPathLength;

    /** Count of certificates handed to {@link #check} since the last {@link #init}. */
    private int i;

    /** Name constraints merged from the certificates processed so far, or {@code null} if none. */
    private NameConstraintsExtension prevNC;

    /** Lazily built, unmodifiable set of the extension OIDs this checker handles. */
    private Set supportedExts;

    /**
     * Creates a checker for a path of the given length and resets its state.
     *
     * <p>Decompiler note: this constructor was package-private in the class
     * file; the {@code public} modifier comes from the decompiler.
     *
     * @param i the certification path length used to recognise the final certificate
     * @throws CertPathValidatorException declared because {@link #init} declares it
     */
    public ConstraintsChecker(int i) throws CertPathValidatorException {
        this.certPathLength = i;
        init(false);
    }

    /**
     * Resets the counter, the remaining path length and the accumulated name
     * constraints.
     *
     * @param z {@code true} requests forward checking, which is refused
     * @throws CertPathValidatorException if {@code z} is {@code true}
     */
    @Override
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.prevNC = null;
        this.maxPathLength = this.certPathLength;
        this.i = 0;
    }

    /**
     * @return always {@code false}; only reverse checking is implemented
     */
    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Returns the OIDs of the extensions this checker processes.
     *
     * @return an unmodifiable set holding the BasicConstraints and
     *         NameConstraints OID strings
     */
    @Override
    public Set getSupportedExtensions() {
        if (this.supportedExts == null) {
            // Build the set locally so the field only ever refers to the unmodifiable view.
            Set oids = new HashSet();
            oids.add(PKIXExtensions.BasicConstraints_Id.toString());
            oids.add(PKIXExtensions.NameConstraints_Id.toString());
            this.supportedExts = Collections.unmodifiableSet(oids);
        }
        return this.supportedExts;
    }

    /**
     * Applies the basic-constraints and name-constraints checks to the next
     * certificate of the path and marks both extensions as resolved.
     *
     * <p>The certificate counter is advanced before either check runs.
     *
     * @param certificate the certificate to check; the unchecked cast below
     *        throws {@code ClassCastException} for anything that is not an
     *        {@link X509Certificate}
     * @param collection OID strings of unresolved critical extensions, may be
     *        {@code null}; the two OIDs handled here are removed from it
     * @throws CertPathValidatorException if either check fails
     */
    @Override
    public void check(Certificate certificate, Collection collection) throws CertPathValidatorException {
        final X509Certificate currCert = (X509Certificate) certificate;
        this.i++;

        // Basic constraints first, then name constraints; both must pass
        // before the extensions are reported as resolved.
        checkBasicConstraints(currCert);
        verifyNameConstraints(currCert);

        if (collection != null && !collection.isEmpty()) {
            collection.remove(PKIXExtensions.BasicConstraints_Id.toString());
            collection.remove(PKIXExtensions.NameConstraints_Id.toString());
        }
    }

    /**
     * Verifies the certificate against the name constraints accumulated from
     * the earlier certificates, then merges this certificate's own constraints
     * into the accumulated set.
     *
     * <p>Verification is skipped for a self-issued certificate unless it is the
     * final one ({@code i == certPathLength}); the merge step always runs.
     *
     * @param x509Certificate the certificate currently being processed
     * @throws CertPathValidatorException if the certificate violates the
     *         accumulated constraints, or if verification or merging fails
     */
    private void verifyNameConstraints(X509Certificate x509Certificate) throws CertPathValidatorException {
        final String msg = "name constraints";
        if (debug != null) {
            debug.println("---checking " + msg + "...");
        }

        // Short-circuit order matters: isSelfIssued is consulted only when
        // constraints exist and this is not the final certificate.
        final boolean mustVerify = this.prevNC != null
                && (this.i == this.certPathLength || !X509CertImpl.isSelfIssued(x509Certificate));
        if (mustVerify) {
            if (debug != null) {
                debug.println("prevNC = " + this.prevNC);
                debug.println("currDN = " + x509Certificate.getSubjectX500Principal());
            }
            final boolean permitted;
            try {
                permitted = this.prevNC.verify(x509Certificate);
            } catch (IOException ioe) {
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(msg + " check failed");
            }
        }

        this.prevNC = mergeNameConstraints(x509Certificate, this.prevNC);
        if (debug != null) {
            debug.println(msg + " verified.");
        }
    }

    /**
     * Combines the name constraints of a certificate with previously
     * accumulated constraints.
     *
     * <p>With no previous constraints, the extension read from the certificate
     * is returned as-is (possibly {@code null}). Otherwise the certificate's
     * constraints are merged into the previous object, which is returned.
     *
     * <p>NOTE(review): in the no-previous-constraints case the returned object
     * is the one obtained from the certificate, and the next call merges into
     * that same object. If {@code getNameConstraintsExtension()} hands out the
     * certificate's own instance, the merge would alter state shared with the
     * certificate and with any other validation using it. Confirm against
     * {@code X509CertImpl}, and consider returning a copy.
     *
     * @param x509Certificate the certificate whose constraints are added
     * @param nameConstraintsExtension the constraints accumulated so far, or
     *        {@code null}; modified in place when non-null
     * @return the merged constraints, or {@code null} if there are none
     * @throws CertPathValidatorException wrapping any {@link IOException} or
     *         {@link CertificateException} raised while reading or merging
     */
    static NameConstraintsExtension mergeNameConstraints(X509Certificate x509Certificate, NameConstraintsExtension nameConstraintsExtension) throws CertPathValidatorException {
        try {
            final NameConstraintsExtension certNC =
                    X509CertImpl.toImpl(x509Certificate).getNameConstraintsExtension();
            if (debug != null) {
                debug.println("prevNC = " + nameConstraintsExtension);
                debug.println("newNC = " + String.valueOf(certNC));
            }

            final NameConstraintsExtension merged;
            if (nameConstraintsExtension != null) {
                // merge() updates the receiver, so the previous object is the result.
                nameConstraintsExtension.merge(certNC);
                merged = nameConstraintsExtension;
            } else {
                merged = certNC;
            }

            if (debug != null) {
                debug.println("mergedNC = " + String.valueOf(merged));
            }
            return merged;
        } catch (IOException ioe) {
            throw new CertPathValidatorException(ioe);
        } catch (CertificateException ce) {
            throw new CertPathValidatorException(ce);
        }
    }

    /**
     * Enforces the CA flag and path-length constraint on every certificate
     * except the final one ({@code i < certPathLength}).
     *
     * <p>{@link X509Certificate#getBasicConstraints()} returns {@code -1} when
     * the certificate is not marked as a CA, which includes certificates that
     * carry no BasicConstraints extension; such a certificate is rejected here
     * as an issuer. Self-issued certificates do not consume path length.
     *
     * @param x509Certificate the certificate currently being processed
     * @throws CertPathValidatorException if a non-final certificate is not a
     *         CA, or if the remaining path length is already exhausted
     */
    private void checkBasicConstraints(X509Certificate x509Certificate) throws CertPathValidatorException {
        final String msg = "basic constraints";
        if (debug != null) {
            debug.println("---checking " + msg + "...");
            debug.println("i = " + this.i);
            debug.println("maxPathLength = " + this.maxPathLength);
        }

        if (this.i < this.certPathLength) {
            final int pathLenConstraint = x509Certificate.getBasicConstraints();
            if (pathLenConstraint == -1) {
                throw new CertPathValidatorException(
                        msg + " check failed: " + "this is not a CA certificate");
            }
            if (!X509CertImpl.isSelfIssued(x509Certificate)) {
                if (this.maxPathLength <= 0) {
                    throw new CertPathValidatorException(
                            msg + " check failed: pathLenConstraint violated - "
                                    + "this cert must be the last cert in the "
                                    + "certification path");
                }
                this.maxPathLength--;
            }
            // A tighter pathLenConstraint in this certificate lowers the remaining budget.
            this.maxPathLength = Math.min(this.maxPathLength, pathLenConstraint);
        }

        if (debug != null) {
            debug.println("after processing, maxPathLength = " + this.maxPathLength);
            debug.println(msg + " verified.");
        }
    }

    /**
     * Computes the remaining path length after a certificate without
     * enforcing anything.
     *
     * <p>Unlike {@code checkBasicConstraints}, this helper neither rejects a
     * non-CA certificate nor an exhausted budget: a certificate whose
     * {@code getBasicConstraints()} is {@code -1} simply yields a result of
     * at most {@code -1}. Callers must apply those checks themselves.
     *
     * <p>Decompiler note: this method was package-private in the class file;
     * the {@code public} modifier comes from the decompiler.
     *
     * @param x509Certificate the certificate to account for
     * @param i the path length remaining before this certificate
     * @return {@code i}, reduced by one unless the certificate is self-issued,
     *         and capped at the certificate's own path-length constraint
     */
    public static int mergeBasicConstraints(X509Certificate x509Certificate, int i) {
        final int pathLenConstraint = x509Certificate.getBasicConstraints();
        final int remaining = X509CertImpl.isSelfIssued(x509Certificate) ? i : i - 1;
        return Math.min(remaining, pathLenConstraint);
    }
}
