package com.ibm.security.cert;

import com.ibm.security.x509.BasicConstraintsExtension;
import com.ibm.security.x509.ExtKeyUsageExtension;
import com.ibm.security.x509.KeyUsageExtension;
import com.ibm.security.x509.OIDMap;
import com.ibm.security.x509.X500Name;
import com.ibm.security.x509.X509CertImpl;
import java.io.IOException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:efixes/PQ88647_win/components/prereq.jdk/update.jar:/java/jre/lib/security.jar:com/ibm/security/cert/BasicChecker.class */
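/**
 * Reverse-direction PKIX path checker that performs the basic per-certificate checks:
 * issuer verification against the current working key/name, validity period,
 * BasicConstraints (CA flag and path length) and key usage for CA certificates.
 *
 * <p>The checker is stateful. The constructor seeds the working public key and issuer
 * name from the trust anchor found for the last certificate of the path, and each call
 * to {@link #check(Certificate, Collection)} for a CA certificate advances that state.
 * Callers are therefore expected to feed certificates from index {@code size - 1} down
 * to index {@code 0}.
 *
 * <p>NOTE(review): this listing is decompiler output and {@code checkKeyUsage} was not
 * recovered. As listed, {@code check} throws {@link UnsupportedOperationException} for
 * every certificate that is not at index 0, so this source cannot be used as a working
 * validator. Nothing in the visible code performs revocation checking; that presumably
 * lives in another checker (confirm against the caller).
 */
public class BasicChecker extends PKIXCertPathChecker {
    // Critical-extension OIDs that check() removes from the unresolved set (BasicConstraints, KeyUsage).
    static final String[] myExtensions = {OIDMap.getOID(BasicConstraintsExtension.IDENT).toString(), OIDMap.getOID(KeyUsageExtension.IDENT).toString()};
    // ExtendedKeyUsage OID; not referenced by the visible code (possibly used by the undecompiled checkKeyUsage).
    static final String[] mySometimesExtensions = {OIDMap.getOID(ExtKeyUsageExtension.IDENT).toString()};
    // Key used to verify the next certificate handed to check().
    private PublicKey workingPublicKey;
    // Name the next certificate's issuer is verified against.
    private Principal workingIssuerName;
    // Written in the constructor only; never read in the visible code.
    private String workingPubKeyAlg;
    // Written in the constructor only; never read in the visible code.
    private Set trustBaseSet;
    private Date validationDate;
    private int numberOfCertsInCertPath;
    private CertPath certPath;
    // Index of the certificate the next check() call is expected to receive.
    private int currentCertIndex;
    // Remaining number of non-self-issued CA certificates allowed below the current one.
    private int maxPathLength;
    private String sigProvider;
    private TrustAnchor anchor;

    /**
     * Locates the trust anchor for the last certificate of the path and initialises the
     * working key and issuer name from it.
     *
     * @param certPath path to validate; must contain at least one certificate
     * @param set trust anchors handed to {@code CertPathUtil.findIssuer}
     * @param date instant at which certificate validity is evaluated
     * @param str signature provider name handed to {@code CertPathUtil}
     * @throws CertPathValidatorException if the path is empty, its last entry is null, or
     *         no trust anchor can be established for the last certificate
     */
    public BasicChecker(CertPath certPath, Set set, Date date, String str) throws CertPathValidatorException {
        this.certPath = certPath;
        this.trustBaseSet = set;
        this.validationDate = date;
        this.sigProvider = str;
        List certificates = certPath.getCertificates();
        this.numberOfCertsInCertPath = certificates.size();
        this.maxPathLength = this.numberOfCertsInCertPath;
        this.currentCertIndex = this.numberOfCertsInCertPath - 1;
        if (this.numberOfCertsInCertPath < 1) {
            // Index must be -1 here: the exception constructor rejects any index >= the path
            // size with IndexOutOfBoundsException, which would mask this error for an empty path.
            throw new CertPathValidatorException("No certificates in the path.", null, certPath, -1);
        }
        X509Certificate x509Certificate = (X509Certificate) certificates.get(this.numberOfCertsInCertPath - 1);
        if (x509Certificate == null) {
            throw new CertPathValidatorException("No certificates in the path", null, certPath, this.numberOfCertsInCertPath - 1);
        }
        try {
            this.anchor = CertPathUtil.findIssuer(x509Certificate, set, str);
            if (this.anchor == null) {
                // Defensive, fail closed: findIssuer is not visible here, so a null result is
                // reported as an untrusted path (via the catch below) rather than as an NPE.
                throw new CertPathValidatorException("No trust anchor found");
            }
            X509Certificate trustedCert = this.anchor.getTrustedCert();
            // A trust anchor given as CA name + public key has no certificate. The null test
            // must come before the conversion, otherwise getEncoded() dereferences null and the
            // name/key branch below can never run.
            if (trustedCert != null && !(trustedCert instanceof X509CertImpl)) {
                try {
                    trustedCert = new X509CertImpl(trustedCert.getEncoded());
                } catch (CertificateException e) {
                    throw new CertPathValidatorException(e.getMessage(), e);
                }
            }
            if (trustedCert != null) {
                this.workingPublicKey = trustedCert.getPublicKey();
                this.workingIssuerName = trustedCert.getSubjectDN();
                this.workingPubKeyAlg = this.workingPublicKey.getAlgorithm();
            } else {
                this.workingPublicKey = this.anchor.getCAPublicKey();
                try {
                    this.workingIssuerName = new X500Name(this.anchor.getCAName());
                    this.workingPubKeyAlg = this.workingPublicKey.getAlgorithm();
                } catch (IOException e2) {
                    throw new CertPathValidatorException("I/O error while processing trust anchor's ca name", e2, certPath, this.numberOfCertsInCertPath - 1);
                }
            }
        } catch (CertPathValidatorException e3) {
            // Every failure to establish the anchor is reported as "not trusted"; the original
            // failure is kept as the cause.
            throw new CertPathValidatorException("The certificate issued by " + x509Certificate.getIssuerDN().toString() + " is not trusted", e3, certPath, this.numberOfCertsInCertPath - 1);
        }
    }

    /**
     * Accepts reverse checking only.
     *
     * @param z the {@code forward} flag of {@link PKIXCertPathChecker#init(boolean)}
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("The direction of forward is not supported");
        }
    }

    /**
     * Returns {@code null}, i.e. no extensions are advertised.
     *
     * <p>NOTE(review): check() nevertheless removes the BasicConstraints and KeyUsage OIDs
     * from the unresolved critical set, so the advertised set and the actual behaviour
     * differ. Confirm that the caller does not rely on this method.
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set getSupportedExtensions() {
        return null;
    }

    /** Forward checking is never supported; see {@link #init(boolean)}. */
    @Override // java.security.cert.PKIXCertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Checks one certificate against the current working state.
     *
     * <p>Order of checks: issuer verification through {@code CertPathUtil.verifyIssuer},
     * validity at the configured date, then, for every certificate that is not at index 0,
     * BasicConstraints presence, the CA flag, the path length budget and key usage. On
     * success for such a certificate the working key and issuer name move to that
     * certificate and the expected index is decremented. The certificate at index 0 gets
     * the issuer and validity checks only.
     *
     * @param certificate certificate to check; re-parsed if it is not an {@code X509CertImpl}
     * @param collection unresolved critical extension OIDs; the OIDs in {@code myExtensions}
     *        are removed from it on success
     * @throws CertPathValidatorException if any check fails
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection collection) throws CertPathValidatorException {
        X509CertImpl x509CertImpl;
        if (certificate instanceof X509CertImpl) {
            x509CertImpl = (X509CertImpl) certificate;
        } else {
            try {
                x509CertImpl = new X509CertImpl(certificate.getEncoded());
            } catch (CertificateException e) {
                // Keep the parsing failure as the cause so the root problem stays diagnosable.
                throw new CertPathValidatorException(e.getMessage(), e);
            }
        }
        try {
            CertPathUtil.verifyIssuer(x509CertImpl, this.workingPublicKey, this.workingIssuerName, this.sigProvider);
            try {
                x509CertImpl.checkValidity(this.validationDate);
                if (this.currentCertIndex > 0) {
                    // presumably [0] = extension object, [1] = CA flag, [2] = pathLenConstraint
                    // (negative when absent) - TODO confirm against CertPathUtil.getBasicConstraints
                    Object[] basicConstraints = CertPathUtil.getBasicConstraints(x509CertImpl);
                    if (basicConstraints[0] == null) {
                        throw new CertPathValidatorException("The CA certificate did not contain BasicConstraints", null, this.certPath, this.currentCertIndex);
                    }
                    if (!((Boolean) basicConstraints[1]).booleanValue()) {
                        throw new CertPathValidatorException("The certificate is not a CA certificate.", null, this.certPath, this.currentCertIndex);
                    }
                    // Self-issued certificates (issuer == subject) do not consume path length
                    // budget; this ordering matches RFC 5280 section 6.1.4 steps (l) and (m).
                    if (!x509CertImpl.getIssuerDN().equals(x509CertImpl.getSubjectDN())) {
                        if (this.maxPathLength <= 0) {
                            throw new CertPathValidatorException("Max path length incorrect", null, this.certPath, this.currentCertIndex);
                        }
                        this.maxPathLength--;
                    }
                    // A certificate may only tighten the remaining budget, never widen it.
                    int intValue = ((Integer) basicConstraints[2]).intValue();
                    if (intValue >= 0 && intValue < this.maxPathLength) {
                        this.maxPathLength = intValue;
                    }
                    String checkKeyUsage = checkKeyUsage(x509CertImpl, collection);
                    if (checkKeyUsage != null) {
                        throw new CertPathValidatorException(checkKeyUsage, null, this.certPath, this.currentCertIndex);
                    }
                    // Advance the working state only after every CA check has passed.
                    this.workingPublicKey = x509CertImpl.getPublicKey();
                    this.workingIssuerName = x509CertImpl.getSubjectDN();
                    this.currentCertIndex--;
                }
                CertPathUtil.removeExtensions(collection, myExtensions);
            } catch (CertificateExpiredException e2) {
                throw new CertPathValidatorException("The certificate expired at " + x509CertImpl.getNotAfter(), e2, this.certPath, this.currentCertIndex);
            } catch (CertificateNotYetValidException e3) {
                throw new CertPathValidatorException("The certificate is not valid until " + x509CertImpl.getNotBefore(), e3, this.certPath, this.currentCertIndex);
            }
        } catch (CertPathValidatorException e4) {
            // NOTE(review): this handler also catches the validity, BasicConstraints, path
            // length and key usage failures thrown above, so all of them surface as
            // "Fail to verify issuer". The specific reason is only available from getCause().
            throw new CertPathValidatorException("Fail to verify issuer", e4, this.certPath, this.currentCertIndex);
        }
    }

    /**
     * Returns {@code null} instead of a copy.
     *
     * <p>NOTE(review): {@link PKIXCertPathChecker#clone()} is specified to return a copy of
     * the checker; a caller that clones checkers will fail on this result. Left unchanged
     * because the callers are not visible here.
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public Object clone() {
        return null;
    }

    /* JADX WARN: Code restructure failed: missing block: B:33:0x00dd, code lost:
    
        r10 = true;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Key usage check for a CA certificate. The body was not recovered by the decompiler,
     * so this stub always throws; check() treats a {@code null} return as success and any
     * other string as the failure message.
     *
     * @throws UnsupportedOperationException always, in this listing
     */
    java.lang.String checkKeyUsage(java.security.cert.X509Certificate r4, java.util.Collection r5) throws java.security.cert.CertPathValidatorException {
        /*
            Method dump skipped, instructions count: 247
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.security.cert.BasicChecker.checkKeyUsage(java.security.cert.X509Certificate, java.util.Collection):java.lang.String");
    }

    /** Returns the trust anchor selected by the constructor for the last certificate of the path. */
    public TrustAnchor getTrustAnchor() {
        return this.anchor;
    }
}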
