package ru.CryptoPro.reprov.certpath;

import java.io.IOException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import ru.CryptoPro.JCP.tools.JCPLogger;
import ru.CryptoPro.reprov.cl_9;
import ru.CryptoPro.reprov.x509.NameConstraintsExtension;
import ru.CryptoPro.reprov.x509.PKIXExtensions;
import ru.CryptoPro.reprov.x509.X509CertImpl;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes3.dex */
public class ConstraintsChecker extends PKIXCertPathChecker {

    /* renamed from: e, reason: collision with root package name */
    private static Set f18409e;

    /* renamed from: a, reason: collision with root package name */
    private final int f18410a;

    /* renamed from: b, reason: collision with root package name */
    private int f18411b;

    /* renamed from: c, reason: collision with root package name */
    private int f18412c;

    /* renamed from: d, reason: collision with root package name */
    private NameConstraintsExtension f18413d;

    /* JADX INFO: Access modifiers changed from: package-private */
    public static int a(X509Certificate x509Certificate, int i10) {
        int basicConstraints = x509Certificate.getBasicConstraints();
        if (!X509CertImpl.isSelfIssued(x509Certificate)) {
            i10--;
        }
        return basicConstraints < i10 ? basicConstraints : i10;
    }

    static NameConstraintsExtension a(X509Certificate x509Certificate, NameConstraintsExtension nameConstraintsExtension) {
        try {
            NameConstraintsExtension nameConstraintsExtension2 = X509CertImpl.toImpl(x509Certificate).getNameConstraintsExtension();
            JCPLogger.finer("prevNC = ", nameConstraintsExtension);
            JCPLogger.finer("newNC = ", String.valueOf(nameConstraintsExtension2));
            if (nameConstraintsExtension == null) {
                JCPLogger.finer("mergedNC = ", String.valueOf(nameConstraintsExtension2));
                return nameConstraintsExtension2 == null ? nameConstraintsExtension2 : (NameConstraintsExtension) nameConstraintsExtension2.clone();
            }
            try {
                nameConstraintsExtension.merge(nameConstraintsExtension2);
                JCPLogger.finer("mergedNC = ", nameConstraintsExtension);
                return nameConstraintsExtension;
            } catch (IOException e10) {
                throw new CertPathValidatorException(e10);
            }
        } catch (CertificateException e11) {
            throw new CertPathValidatorException(e11);
        }
    }

    private void a(X509Certificate x509Certificate) {
        JCPLogger.finerFormat("---checking {0}...", "name constraints");
        if (this.f18413d != null && (this.f18412c == this.f18410a || !X509CertImpl.isSelfIssued(x509Certificate))) {
            JCPLogger.finer("prevNC = ", this.f18413d);
            JCPLogger.finer("currDN = ", x509Certificate.getSubjectX500Principal());
            try {
                if (!this.f18413d.verify(x509Certificate)) {
                    if (cl_9.a()) {
                        throw new CertPathValidatorException("name constraints check failed", null, null, -1, PKIXReason.INVALID_NAME);
                    }
                    throw new CertPathValidatorException("name constraints check failed");
                }
            } catch (IOException e10) {
                throw new CertPathValidatorException(e10);
            }
        }
        this.f18413d = a(x509Certificate, this.f18413d);
        JCPLogger.finerFormat("{0} verified.", "name constraints");
    }

    private void b(X509Certificate x509Certificate) {
        JCPLogger.finerFormat("---checking {0}...", "basic constraints");
        JCPLogger.finer("i = ", Integer.valueOf(this.f18412c));
        JCPLogger.finer("maxPathLength = ", Integer.valueOf(this.f18411b));
        if (this.f18412c < this.f18410a) {
            int basicConstraints = x509Certificate.getVersion() < 3 ? (this.f18412c == 1 && X509CertImpl.isSelfIssued(x509Certificate)) ? Integer.MAX_VALUE : -1 : x509Certificate.getBasicConstraints();
            if (basicConstraints == -1) {
                if (cl_9.a()) {
                    throw new CertPathValidatorException("basic constraints check failed: this is not a CA certificate", null, null, -1, PKIXReason.NOT_CA_CERT);
                }
                throw new CertPathValidatorException("basic constraints check failed: this is not a CA certificate");
            }
            if (!X509CertImpl.isSelfIssued(x509Certificate)) {
                int i10 = this.f18411b;
                if (i10 <= 0) {
                    if (cl_9.a()) {
                        throw new CertPathValidatorException("basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path", null, null, -1, PKIXReason.PATH_TOO_LONG);
                    }
                    throw new CertPathValidatorException("basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path");
                }
                this.f18411b = i10 - 1;
            }
            if (basicConstraints < this.f18411b) {
                this.f18411b = basicConstraints;
            }
        }
        JCPLogger.finer("after processing, maxPathLength = ", Integer.valueOf(this.f18411b));
        JCPLogger.finerFormat("{0} verified:", "basic constraints");
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection collection) {
        X509Certificate x509Certificate = (X509Certificate) certificate;
        this.f18412c++;
        b(x509Certificate);
        a(x509Certificate);
        if (collection == null || collection.isEmpty()) {
            return;
        }
        collection.remove(PKIXExtensions.BasicConstraints_Id.toString());
        collection.remove(PKIXExtensions.NameConstraints_Id.toString());
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public Set getSupportedExtensions() {
        if (f18409e == null) {
            HashSet hashSet = new HashSet();
            f18409e = hashSet;
            hashSet.add(PKIXExtensions.BasicConstraints_Id.toString());
            f18409e.add(PKIXExtensions.NameConstraints_Id.toString());
            f18409e = Collections.unmodifiableSet(f18409e);
        }
        return f18409e;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z10) {
        if (z10) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.f18412c = 0;
        this.f18411b = this.f18410a;
        this.f18413d = null;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }
}
