package org.bouncycastle.jce.provider;

import androidx.appcompat.widget.z0;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.jcajce.PKIXCertStoreSelector;
import org.bouncycastle.jcajce.PKIXExtendedBuilderParameters;
import org.bouncycastle.jcajce.PKIXExtendedParameters;
import org.bouncycastle.jcajce.util.BCJcaJceHelper;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
import org.bouncycastle.util.Selector;
import org.bouncycastle.x509.ExtendedPKIXParameters;
import org.bouncycastle.x509.X509AttributeCertStoreSelector;
import org.bouncycastle.x509.X509AttributeCertificate;
import org.bouncycastle.x509.X509CertStoreSelector;

/* loaded from: classes2.dex */
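/**
 * {@link CertPathValidatorSpi} implementation that validates an X.509 attribute certificate
 * together with the certification path of its issuer.
 *
 * <p>The attribute certificate is not passed directly: it is read from the target constraints of
 * the supplied parameters, which must be an {@link X509AttributeCertStoreSelector}. The
 * {@link CertPath} argument is the issuer's public key certificate path.
 *
 * <p>NOTE(review): this listing appears to be decompiled output, so most callee names on the
 * Bouncy Castle helper types are obfuscated ({@code a()}, {@code f()}, {@code o()}, ...). Comments
 * that describe what such a call means are inferred from the adjacent error messages and are
 * marked as assumptions.
 */
public class PKIXAttrCertPathValidatorSpi extends CertPathValidatorSpi {
    private final JcaJceHelper helper = new BCJcaJceHelper();

    /**
     * Validates the attribute certificate named by the parameters' target constraints.
     *
     * <p>Steps, in order: locate the holder's public key certificate(s) and build a path for each;
     * validate {@code certPath} with the PKIX validator; check the first certificate of
     * {@code certPath} for signing key usage, absence of CA basic constraints and direct trust;
     * check the attribute certificate's validity period, prohibited and necessary attributes; and
     * finally run the two {@code RFC3281CertPathUtilities} checks.
     *
     * @param certPath certification path of the attribute certificate issuer; its first
     *     certificate is treated as the issuer certificate
     * @param certPathParameters an {@link ExtendedPKIXParameters} or {@link PKIXExtendedParameters}
     *     instance
     * @return the result of the PKIX validation of {@code certPath}
     * @throws InvalidAlgorithmParameterException if the parameters or their target constraints
     *     have the wrong type
     * @throws CertPathValidatorException if any lookup, path building or validation step fails
     */
    @Override
    public final CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        boolean isLegacyParams = certPathParameters instanceof ExtendedPKIXParameters;
        if (!isLegacyParams && !(certPathParameters instanceof PKIXExtendedParameters)) {
            throw new InvalidAlgorithmParameterException("Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
        }

        // Raw Set types are kept where the value is handed to helpers whose signatures are not
        // visible in this file.
        Set attrCertCheckers = new HashSet();
        Set<String> prohibitedAttributes = new HashSet();
        Set<String> necessaryAttributes = new HashSet();
        // NOTE(review): nothing in this method ever adds to this set, so the direct-trust check
        // further down cannot succeed and validation fails with "Attribute certificate issuer is
        // not directly trusted." whenever execution reaches it. That is fail-closed, but it means
        // no attribute certificate validates through this code as written. Confirm whether the
        // trusted attribute certificate issuers should be copied from ExtendedPKIXParameters.
        Set<TrustAnchor> trustedAcIssuers = new HashSet<TrustAnchor>();

        final PKIXExtendedParameters params;
        if (certPathParameters instanceof PKIXParameters) {
            PKIXExtendedParameters.Builder builder = new PKIXExtendedParameters.Builder((PKIXParameters) certPathParameters);
            if (isLegacyParams) {
                ExtendedPKIXParameters legacy = (ExtendedPKIXParameters) certPathParameters;
                // Obfuscated setters and getters; presumably two validation options carried over
                // from the legacy parameter object - TODO confirm.
                builder.s(legacy.h());
                builder.t(legacy.g());
                attrCertCheckers = legacy.b();
                prohibitedAttributes = legacy.d();
                necessaryAttributes = legacy.c();
            }
            params = new PKIXExtendedParameters(builder);
        } else {
            params = (PKIXExtendedParameters) certPathParameters;
        }

        final Date currentDate = new Date();
        // NOTE(review): unused local kept from the decompiled listing; the field read may exist
        // only to force class initialisation - confirm before removing.
        String str = CertPathValidatorUtilities.CERTIFICATE_POLICIES;
        Date configuredDate = params.C();
        // Date the attribute certificate is checked against: the configured one, else "now".
        final Date validityDate = configuredDate == null ? currentDate : configuredDate;

        Selector targetConstraints = params.z();
        if (!(targetConstraints instanceof X509AttributeCertStoreSelector)) {
            throw new InvalidAlgorithmParameterException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + getClass().getName() + " class.");
        }
        X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) targetConstraints).a();
        // NOTE(review): unused local kept from the decompiled listing, same caveat as above.
        int i5 = RFC3281CertPathUtilities.f8604a;

        // Candidate public key certificates of the attribute certificate holder.
        LinkedHashSet holderCerts = new LinkedHashSet();

        // Lookup by issuer and serial number (the "base certificate ID" of the error message).
        if (attrCert.f().b() != null) {
            X509CertSelector byIssuerSerial = new X509CertSelector();
            byIssuerSerial.setSerialNumber(attrCert.f().d());
            for (Principal issuer : attrCert.f().b()) {
                try {
                    if (issuer instanceof X500Principal) {
                        byIssuerSerial.setIssuer(((X500Principal) issuer).getEncoded());
                    }
                    CertPathValidatorUtilities.a(holderCerts, new PKIXCertStoreSelector.Builder(byIssuerSerial).a(), params.o());
                } catch (IOException e) {
                    throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
                } catch (AnnotatedException e) {
                    throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
                }
            }
            if (holderCerts.isEmpty()) {
                throw new CertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
            }
        }

        // Lookup by the "entity name" of the error message. The selector's issuer field is what
        // gets set here, exactly as in the original listing.
        if (attrCert.f().a() != null) {
            X509CertStoreSelector byEntityName = new X509CertStoreSelector();
            for (Principal entity : attrCert.f().a()) {
                try {
                    if (entity instanceof X500Principal) {
                        byEntityName.setIssuer(((X500Principal) entity).getEncoded());
                    }
                    CertPathValidatorUtilities.a(holderCerts, new PKIXCertStoreSelector.Builder(byEntityName).a(), params.o());
                } catch (IOException e) {
                    throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
                } catch (AnnotatedException e) {
                    throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
                }
            }
            if (holderCerts.isEmpty()) {
                throw new CertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
            }
        }

        // Build a certification path for every candidate. A build failure is remembered and never
        // cleared, so one failing candidate fails the whole validation even if another succeeds.
        PKIXExtendedParameters.Builder holderParamsBuilder = new PKIXExtendedParameters.Builder(params);
        ExtCertPathValidatorException lastBuildFailure = null;
        CertPathBuilderResult holderPathResult = null;
        for (Object candidate : holderCerts) {
            X509CertStoreSelector exactCert = new X509CertStoreSelector();
            exactCert.setCertificate((X509Certificate) candidate);
            holderParamsBuilder.q(new PKIXCertStoreSelector.Builder(exactCert).a());
            try {
                holderPathResult = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME).build(new PKIXExtendedBuilderParameters(new PKIXExtendedBuilderParameters.Builder(new PKIXExtendedParameters(holderParamsBuilder))));
            } catch (InvalidAlgorithmParameterException e) {
                // Keep the cause so the failing parameter can be diagnosed from the stack trace.
                throw new RuntimeException(e.getMessage(), e);
            } catch (CertPathBuilderException e) {
                lastBuildFailure = new ExtCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", e);
            } catch (NoSuchAlgorithmException e) {
                throw new ExtCertPathValidatorException("Support class could not be created.", e);
            } catch (NoSuchProviderException e) {
                throw new ExtCertPathValidatorException("Support class could not be created.", e);
            }
        }
        if (lastBuildFailure != null) {
            throw lastBuildFailure;
        }
        // When neither lookup above ran, no candidate exists and no path was built. Reject with
        // the declared exception type instead of failing on a null dereference, so callers that
        // handle CertPathValidatorException see this input as a validation failure.
        if (holderPathResult == null) {
            throw new CertPathValidatorException("No public key certificate could be located for the holder of the attribute certificate.");
        }
        CertPath holderCertPath = holderPathResult.getCertPath();

        // Every CertPathValidatorException raised inside this try block, including the ones
        // thrown by the explicit checks, is re-wrapped by the catch clause below with the
        // "could not be validated" message; the specific reason survives only as the cause.
        try {
            CertPathValidatorResult issuerPathResult = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME).validate(certPath, params);
            X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);

            // getKeyUsage(): index 0 is digitalSignature, index 1 is nonRepudiation. An absent
            // key usage extension (null) is accepted.
            boolean[] keyUsage = issuerCert.getKeyUsage();
            if (keyUsage != null) {
                boolean digitalSignature = keyUsage.length > 0 && keyUsage[0];
                boolean nonRepudiation = keyUsage.length > 1 && keyUsage[1];
                if (!digitalSignature && !nonRepudiation) {
                    throw new CertPathValidatorException("Attribute certificate issuer public key cannot be used to validate digital signatures.");
                }
            }
            // getBasicConstraints() returns -1 only when the certificate is not a CA.
            if (issuerCert.getBasicConstraints() != -1) {
                throw new CertPathValidatorException("Attribute certificate issuer is also a public key certificate issuer.");
            }

            boolean directlyTrusted = false;
            for (TrustAnchor anchor : trustedAcIssuers) {
                if (issuerCert.getSubjectX500Principal().getName("RFC2253").equals(anchor.getCAName()) || issuerCert.equals(anchor.getTrustedCert())) {
                    directlyTrusted = true;
                }
            }
            if (!directlyTrusted) {
                throw new CertPathValidatorException("Attribute certificate issuer is not directly trusted.");
            }

            try {
                attrCert.checkValidity(validityDate);
                // Obfuscated helper; presumably runs the attribute certificate checkers against
                // both paths - TODO confirm.
                RFC3281CertPathUtilities.c(attrCert, certPath, holderCertPath, attrCertCheckers);
                for (String prohibited : prohibitedAttributes) {
                    if (attrCert.g(prohibited) != null) {
                        throw new CertPathValidatorException(z0.j("Attribute certificate contains prohibited attribute: ", prohibited, "."));
                    }
                }
                for (String necessary : necessaryAttributes) {
                    if (attrCert.g(necessary) == null) {
                        throw new CertPathValidatorException(z0.j("Attribute certificate does not contain necessary attribute: ", necessary, "."));
                    }
                }
                // Obfuscated helper taking both dates and the issuer certificate; presumably the
                // revocation check - TODO confirm.
                RFC3281CertPathUtilities.b(attrCert, params, currentDate, validityDate, issuerCert, certPath.getCertificates(), this.helper);
                return issuerPathResult;
            } catch (CertificateExpiredException e) {
                throw new ExtCertPathValidatorException("Attribute certificate is not valid.", e);
            } catch (CertificateNotYetValidException e) {
                throw new ExtCertPathValidatorException("Attribute certificate is not valid.", e);
            }
        } catch (InvalidAlgorithmParameterException e) {
            // Keep the cause so the failing parameter can be diagnosed from the stack trace.
            throw new RuntimeException(e.getMessage(), e);
        } catch (CertPathValidatorException e) {
            throw new ExtCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        } catch (NoSuchProviderException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        }
    }
}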
