package ru.CryptoPro.reprov.certpath;

import java.io.IOException;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import ru.CryptoPro.JCP.Random.BioRandomFrame;
import ru.CryptoPro.JCP.tools.JCPLogger;
import ru.CryptoPro.reprov.certpath.URICertStore;
import ru.CryptoPro.reprov.utils.GetPropertyAction;
import ru.CryptoPro.reprov.x509.CRLDistributionPointsExtension;
import ru.CryptoPro.reprov.x509.DistributionPoint;
import ru.CryptoPro.reprov.x509.DistributionPointName;
import ru.CryptoPro.reprov.x509.GeneralName;
import ru.CryptoPro.reprov.x509.GeneralNameInterface;
import ru.CryptoPro.reprov.x509.GeneralNames;
import ru.CryptoPro.reprov.x509.IssuingDistributionPointExtension;
import ru.CryptoPro.reprov.x509.PKIXExtensions;
import ru.CryptoPro.reprov.x509.RDN;
import ru.CryptoPro.reprov.x509.ReasonFlags;
import ru.CryptoPro.reprov.x509.URIName;
import ru.CryptoPro.reprov.x509.X500Name;
import ru.CryptoPro.reprov.x509.X509CRLImpl;
import ru.CryptoPro.reprov.x509.X509CertImpl;
import ru.CryptoPro.ssl.pc_10.cl_4;

/* loaded from: classes3.dex */
/**
 * Collects candidate CRLs for a certificate from its CRL Distribution Points (CRLDP)
 * extension and checks each candidate before handing it back to the caller.
 *
 * <p>This is decompiler output: most members are named {@code a} and are told apart only
 * by their parameter lists, and the control flow of the ten-argument check method did not
 * survive decompilation intact (see the notes inside it). Treat the code as a reading aid,
 * not as a faithful copy of what runs.
 *
 * <p>NOTE(review): the property names read in the static initializer and the overall flow
 * suggest this class is derived from the JDK's own distribution-point fetcher. Comparing it
 * against that source is probably the safest way to recover the lost branches; confirm
 * provenance first.
 *
 * <p>Security-relevant behaviour visible here:
 * <ul>
 *   <li>CRLDP processing is off unless one of two system properties enables it.</li>
 *   <li>Distribution-point names, including fetch URIs, are taken from the certificate
 *       being checked, so a fetched CRL is only a candidate until it passes the check
 *       method.</li>
 *   <li>Every failure path ends in an empty collection or a skipped CRL, so callers cannot
 *       tell "no CRL exists" from "fetching or verifying the CRL failed".</li>
 * </ul>
 */
public class DistributionPointFetcher {

    /* renamed from: a, reason: collision with root package name */
    // Reason mask with all nine entries set. getCRLs stops walking distribution points
    // once the caller's mask equals this array.
    private static final boolean[] f18440a = {true, true, true, true, true, true, true, true, true};

    /* renamed from: b, reason: collision with root package name */
    // True when CRLDP processing is enabled; getCRLs returns an empty set when it is false.
    private static final boolean f18441b;

    /* renamed from: c, reason: collision with root package name */
    // The single instance of this class, handed out by a().
    private static final DistributionPointFetcher f18442c;

    static {
        // CRLDP processing is opt-in: both properties default to false and either one
        // enables it. getBooleanProperty throws RuntimeException for a value that is
        // neither true nor false, so a malformed property makes class initialization fail.
        f18441b = getBooleanProperty("com.sun.security.enableCRLDP", false) || getBooleanProperty("com.ibm.security.enableCRLDP", false);
        f18442c = new DistributionPointFetcher();
    }

    /** Private so that the only instance is the one created in the static initializer. */
    private DistributionPointFetcher() {
    }

    /**
     * Retrieves a CRL through a {@link URICertStore} created for the given URI name.
     *
     * <p>Only the first CRL returned by the store is used. Any exception is logged as a
     * warning and turned into {@code null}, so the caller sees a failed retrieval and an
     * empty store as the same outcome.
     *
     * <p>The only visible caller passes a URI taken from a distribution point of the
     * certificate being checked, so the fetch target is chosen by the certificate's
     * contents. The returned CRL is added to the candidate list and is accepted only if it
     * later passes the ten-argument check.
     * NOTE(review): which URI schemes are accepted, and whether timeouts or size limits
     * apply, is decided inside URICertStore and cannot be seen from here; confirm.
     *
     * @param uRIName URI name identifying where the CRL is published
     * @return the first CRL from the store, or {@code null} if there is none or retrieval failed
     */
    private static X509CRL a(URIName uRIName) {
        try {
            // A null selector asks the store for every CRL it holds.
            Collection<? extends CRL> cRLs = URICertStore.a(new URICertStore.URICertStoreParameters(uRIName.getURI())).getCRLs(null);
            if (cRLs.isEmpty()) {
                return null;
            }
            return (X509CRL) cRLs.iterator().next();
        } catch (Exception e10) {
            // Best effort: the failure is recorded and the caller simply gets no CRL.
            JCPLogger.warning("Exception getting CRL from CertStore: ", (Throwable) e10);
            return null;
        }
    }

    /**
     * Gathers the CRLs for one distribution point and keeps those that pass verification.
     *
     * <p>If the point has no full name, one is built by appending its relative name to the
     * point's single CRL issuer name, or to the certificate's issuer when no CRL issuer is
     * listed. Candidates are then collected per name: type 4 names (cast to
     * {@link X500Name}; directoryName in RFC 5280) are looked up in the supplied cert
     * stores, and type 6 names (cast to {@link URIName}; uniformResourceIdentifier) are
     * fetched by URI. Other name types are ignored.
     *
     * <p>A candidate is kept only if it matches the selector and the ten-argument check
     * returns true. A candidate that fails, or whose check throws, is logged and dropped.
     *
     * @param x509CRLSelector selector every candidate must match; its issuer names are
     *        cleared here, which changes the caller's object
     * @param x509CertImpl certificate whose revocation status is being determined
     * @param distributionPoint the distribution point to process
     * @param zArr reasons mask handed to the check, which updates it on success
     * @param z10 handed to the check unchanged
     * @param publicKey handed to the check unchanged
     * @param str signature provider name handed to the check
     * @param list cert stores searched for directory-name points (elements are cast to CertStore)
     * @param set handed to the check, which uses it as the trust-anchor set
     * @param date handed to the check unchanged
     * @return the CRLs that passed; an empty set when no usable name can be derived
     */
    private static Collection a(X509CRLSelector x509CRLSelector, X509CertImpl x509CertImpl, DistributionPoint distributionPoint, boolean[] zArr, boolean z10, PublicKey publicKey, String str, List list, Set set, Date date) {
        X509CRL a10;
        Object name;
        GeneralNames fullName = distributionPoint.getFullName();
        if (fullName == null) {
            RDN relativeName = distributionPoint.getRelativeName();
            if (relativeName == null) {
                return Collections.EMPTY_SET;
            }
            try {
                GeneralNames cRLIssuer = distributionPoint.getCRLIssuer();
                if (cRLIssuer == null) {
                    name = x509CertImpl.getIssuerDN();
                } else {
                    // A relative name is only resolved against exactly one CRL issuer.
                    if (cRLIssuer.size() != 1) {
                        return Collections.EMPTY_SET;
                    }
                    name = cRLIssuer.get(0).getName();
                }
                // NOTE(review): the cast to X500Name is unchecked. A CRL issuer that is not
                // a directory name would raise ClassCastException, which nothing visible in
                // this class catches; confirm the extension parser guarantees the type.
                fullName = a((X500Name) name, relativeName);
            } catch (IOException unused) {
                return Collections.EMPTY_SET;
            }
        }
        // arrayList holds unverified candidates; arrayList2 holds the ones that passed.
        ArrayList<X509CRL> arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList(2);
        Iterator it = fullName.iterator();
        while (it.hasNext()) {
            GeneralName generalName = (GeneralName) it.next();
            if (generalName.getType() == 4) {
                arrayList.addAll(a((X500Name) generalName.getName(), x509CertImpl.getIssuerX500Principal(), list));
            } else if (generalName.getType() == 6 && (a10 = a((URIName) generalName.getName())) != null) {
                arrayList.add(a10);
            }
        }
        for (X509CRL x509crl : arrayList) {
            try {
                // Issuer criteria are removed from the selector before matching; the
                // issuer comparison is done inside the ten-argument check instead.
                x509CRLSelector.setIssuerNames(null);
                if (x509CRLSelector.match(x509crl) && a(x509CertImpl, distributionPoint, x509crl, zArr, z10, publicKey, str, set, list, date)) {
                    arrayList2.add(x509crl);
                } else {
                    JCPLogger.finer("CRL does not satisfy the cert selector (match) or some other options (verifyCRL)");
                }
            } catch (Exception e10) {
                // A CRL whose verification throws is logged and left out of the result.
                JCPLogger.subThrown("Exception verifying CRL:", e10);
            }
        }
        return arrayList2;
    }

    /**
     * Looks up CRLs in the supplied cert stores for a directory-name distribution point.
     *
     * <p>The selector accepts CRLs issued under either the distribution point name or the
     * given issuer principal. A store that throws {@link CertStoreException} is logged and
     * skipped, and the remaining stores are still queried.
     *
     * @param x500Name distribution point name, added to the selector as an issuer
     * @param x500Principal second issuer added to the selector; the visible caller passes
     *        the checked certificate's issuer
     * @param list cert stores to query (elements are cast to CertStore)
     * @return every CRL the stores returned for the selector; not yet verified
     */
    private static Collection a(X500Name x500Name, X500Principal x500Principal, List list) {
        JCPLogger.finer("Trying to fetch CRL from DP ", x500Name);
        X509CRLSelector x509CRLSelector = new X509CRLSelector();
        x509CRLSelector.addIssuer(new X500Principal(x500Name.asX500Principal().getEncoded()));
        x509CRLSelector.addIssuer(x500Principal);
        ArrayList arrayList = new ArrayList();
        Iterator it = list.iterator();
        while (it.hasNext()) {
            try {
                Iterator<? extends CRL> it2 = ((CertStore) it.next()).getCRLs(x509CRLSelector).iterator();
                while (it2.hasNext()) {
                    // NOTE(review): unchecked cast; presumably safe because the stores are
                    // queried with an X509CRLSelector, but confirm for custom CertStores.
                    arrayList.add((X509CRL) it2.next());
                }
            } catch (CertStoreException e10) {
                JCPLogger.fine("Non-fatal exception while retrieving CRLs: ", (Throwable) e10);
            }
        }
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the single instance of this class created in the static initializer. */
    public static DistributionPointFetcher a() {
        return f18442c;
    }

    /**
     * Builds a full name by appending a relative name to a base name.
     *
     * @param x500Name base name whose RDNs are copied
     * @param rdn relative name appended after the base name's RDNs
     * @return a {@link GeneralNames} holding the one combined name
     */
    private static GeneralNames a(X500Name x500Name, RDN rdn) {
        ArrayList arrayList = new ArrayList(x500Name.rdns());
        arrayList.add(rdn);
        X500Name x500Name2 = new X500Name((RDN[]) arrayList.toArray(new RDN[0]));
        GeneralNames generalNames = new GeneralNames();
        generalNames.add(new GeneralName(x500Name2));
        return generalNames;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Decides whether {@code x509crl} may be used to determine the revocation status of
     * {@code x509CertImpl} through {@code distributionPoint}.
     *
     * <p>Checks, in order, as far as the decompiled code shows them:
     * <ol>
     *   <li>Issuer: if the distribution point lists CRL issuers, the CRL must carry an
     *       Issuing Distribution Point (IDP) extension with the indirect-CRL flag set and
     *       its issuer must equal one of the listed names. Otherwise the CRL issuer must
     *       equal the certificate issuer.</li>
     *   <li>A CRL that is not indirect is rejected unless {@code z10} is true.</li>
     *   <li>IDP scope: the IDP name must match the distribution point name, and the
     *       only-user/only-CA/only-attribute flags must fit the certificate.</li>
     *   <li>Reasons: the CRL must cover at least one reason not already set in
     *       {@code zArr}.</li>
     *   <li>Key: for an indirect CRL a certification path is built to a certificate whose
     *       subject is the CRL issuer and whose key usage has bit 6 (cRLSign) set; otherwise
     *       {@code publicKey} is used.</li>
     *   <li>The algorithm check, the signature verification, and a rejection of any
     *       critical CRL extension other than IDP.</li>
     * </ol>
     * On success the newly covered reasons are merged into {@code zArr}.
     *
     * <p>NOTE(review): this method is not valid Java as decompiled. {@code str2} is read on
     * paths where it was never assigned, the final catch blocks fall off the end without a
     * return, and a checked {@link CRLException} is thrown without a throws clause. Two
     * blocks also end in an unconditional {@code return false} (marked below). Do not reason
     * about accept/reject behaviour from this listing alone.
     *
     * @param x509CertImpl certificate whose revocation status is being determined
     * @param distributionPoint distribution point the CRL was obtained for
     * @param x509crl candidate CRL
     * @param zArr reasons mask, read and updated in place; NOTE(review): indexed with the
     *        positions of the computed mask without a length check
     * @param z10 presumably tells whether {@code publicKey} may be used to verify CRLs;
     *        confirm against the caller
     * @param publicKey key used to verify a CRL that is not indirect
     * @param str signature provider name used for path building and CRL verification
     * @param set trust anchors for building the indirect CRL issuer's path
     * @param list cert stores for building the indirect CRL issuer's path
     * @param date validation date for building the indirect CRL issuer's path
     * @return {@code true} if the CRL passed every check shown; {@code false} otherwise
     */
    public static boolean a(X509CertImpl x509CertImpl, DistributionPoint distributionPoint, X509CRL x509crl, boolean[] zArr, boolean z10, PublicKey publicKey, String str, Set set, List list, Date date) {
        // z11: the CRL is treated as indirect. x500Name: the listed CRL issuer that matched.
        boolean z11;
        X500Name x500Name;
        String str2;
        Object clone;
        PublicKey publicKey2;
        X509CRLImpl impl = X509CRLImpl.toImpl(x509crl);
        IssuingDistributionPointExtension issuingDistributionPointExtension = impl.getIssuingDistributionPointExtension();
        // x500Name2 is the certificate's issuer, x500Name3 is the CRL's issuer.
        X500Name x500Name2 = (X500Name) x509CertImpl.getIssuerDN();
        X500Name x500Name3 = (X500Name) impl.getIssuerDN();
        GeneralNames cRLIssuer = distributionPoint.getCRLIssuer();
        if (cRLIssuer != null) {
            // The point names its CRL issuers, so the CRL has to declare itself indirect.
            if (issuingDistributionPointExtension == null || ((Boolean) issuingDistributionPointExtension.get(IssuingDistributionPointExtension.INDIRECT_CRL)).equals(Boolean.FALSE)) {
                return false;
            }
            Iterator it = cRLIssuer.iterator();
            boolean z12 = false;
            x500Name = null;
            while (!z12 && it.hasNext()) {
                GeneralNameInterface name = ((GeneralName) it.next()).getName();
                if (x500Name3.equals(name)) {
                    x500Name = (X500Name) name;
                    z12 = true;
                }
            }
            if (!z12) {
                return false;
            }
            z11 = true;
        } else {
            if (!x500Name3.equals(x500Name2)) {
                str2 = "crl issuer does not equal cert issuer";
                JCPLogger.finer(str2);
                return false;
            }
            z11 = false;
            x500Name = null;
        }
        if (!z11 && !z10) {
            return false;
        }
        if (issuingDistributionPointExtension != null) {
            DistributionPointName distributionPointName = (DistributionPointName) issuingDistributionPointExtension.get(IssuingDistributionPointExtension.POINT);
            if (distributionPointName != null) {
                // fullName: the IDP's name, built from the CRL issuer if only relative.
                GeneralNames fullName = distributionPointName.getFullName();
                if (fullName == null) {
                    RDN relativeName = distributionPointName.getRelativeName();
                    if (relativeName == null) {
                        str2 = "IDP must be relative or full DN";
                        JCPLogger.finer(str2);
                        return false;
                    }
                    JCPLogger.finer("IDP relativeName:", relativeName);
                    fullName = a(x500Name3, relativeName);
                }
                if (distributionPoint.getFullName() == null && distributionPoint.getRelativeName() == null) {
                    // The point has no name of its own, so its CRL issuers are compared
                    // with the IDP names instead.
                    // NOTE(review): cRLIssuer is dereferenced without a null check; this
                    // relies on a point without a name always listing a CRL issuer. Confirm.
                    Iterator it2 = cRLIssuer.iterator();
                    boolean z13 = false;
                    while (!z13 && it2.hasNext()) {
                        GeneralNameInterface name2 = ((GeneralName) it2.next()).getName();
                        Iterator it3 = fullName.iterator();
                        while (!z13 && it3.hasNext()) {
                            z13 = name2.equals(((GeneralName) it3.next()).getName());
                        }
                    }
                    if (!z13) {
                        return false;
                    }
                } else {
                    GeneralNames fullName2 = distributionPoint.getFullName();
                    if (fullName2 == null) {
                        RDN relativeName2 = distributionPoint.getRelativeName();
                        if (relativeName2 == null) {
                            str2 = "DP must be relative or full DN";
                        } else {
                            JCPLogger.finer("DP relativeName:", relativeName2);
                            if (!z11) {
                                fullName2 = a(x500Name2, relativeName2);
                            } else if (cRLIssuer.size() != 1) {
                                str2 = "must only be one CRL issuer when relative name present";
                            } else {
                                fullName2 = a(x500Name, relativeName2);
                            }
                        }
                        // NOTE(review): decompiler artefact. As written, every path through
                        // this block is rejected, including the two that just built
                        // fullName2, and str2 is unassigned on those two paths. Presumably
                        // only the two error branches returned in the original.
                        JCPLogger.finer(str2);
                        return false;
                    }
                    // Accept if any IDP name equals any distribution point name.
                    Iterator it4 = fullName.iterator();
                    boolean z14 = false;
                    while (!z14 && it4.hasNext()) {
                        GeneralNameInterface name3 = ((GeneralName) it4.next()).getName();
                        JCPLogger.finer("idpName: ", name3);
                        Iterator it5 = fullName2.iterator();
                        while (!z14 && it5.hasNext()) {
                            GeneralNameInterface name4 = ((GeneralName) it5.next()).getName();
                            JCPLogger.finer("pointName: ", name4);
                            z14 = name3.equals(name4);
                        }
                    }
                    if (!z14) {
                        str2 = "IDP name does not match DP name";
                        JCPLogger.finer(str2);
                        return false;
                    }
                }
            }
            // Scope flags: getBasicConstraints() is compared with -1 to tell an end-entity
            // certificate (-1) from a CA certificate.
            Boolean bool = (Boolean) issuingDistributionPointExtension.get(IssuingDistributionPointExtension.ONLY_USER_CERTS);
            Boolean bool2 = Boolean.TRUE;
            if (bool.equals(bool2) && x509CertImpl.getBasicConstraints() != -1) {
                str2 = "cert must be a EE cert";
            } else if (((Boolean) issuingDistributionPointExtension.get(IssuingDistributionPointExtension.ONLY_CA_CERTS)).equals(bool2) && x509CertImpl.getBasicConstraints() == -1) {
                str2 = "cert must be a CA cert";
            } else if (((Boolean) issuingDistributionPointExtension.get(IssuingDistributionPointExtension.ONLY_ATTRIBUTE_CERTS)).equals(bool2)) {
                str2 = "cert must not be an AA cert";
            }
            // NOTE(review): decompiler artefact. As written, every CRL that carries an IDP
            // extension is rejected here, even when none of the three scope conditions
            // matched (str2 is unassigned in that case). Presumably each condition returned
            // false on its own and the normal path continued below.
            JCPLogger.finer(str2);
            return false;
        }
        // zArr2: the reasons this CRL covers for this distribution point.
        boolean[] zArr2 = new boolean[9];
        ReasonFlags reasonFlags = issuingDistributionPointExtension != null ? (ReasonFlags) issuingDistributionPointExtension.get(IssuingDistributionPointExtension.REASONS) : null;
        boolean[] reasonFlags2 = distributionPoint.getReasonFlags();
        if (reasonFlags != null) {
            boolean[] flags = reasonFlags.getFlags();
            if (reasonFlags2 != null) {
                // Both sides restrict reasons: keep only those present in both.
                // NOTE(review): reasonFlags2 and zArr2 are indexed up to flags.length with
                // no length check, and the lengths come from the CRL and the certificate.
                // A mismatch would raise ArrayIndexOutOfBoundsException; confirm the
                // parsers normalise the length.
                for (int i10 = 0; i10 < flags.length; i10++) {
                    if (flags[i10] && reasonFlags2[i10]) {
                        zArr2[i10] = true;
                    }
                }
            } else {
                clone = flags.clone();
                zArr2 = (boolean[]) clone;
            }
        } else if (issuingDistributionPointExtension == null || reasonFlags == null) {
            // reasonFlags is always null in this branch, so the condition is always true.
            if (reasonFlags2 != null) {
                clone = reasonFlags2.clone();
                zArr2 = (boolean[]) clone;
            } else {
                // Neither side restricts reasons: the CRL covers all of them.
                zArr2 = new boolean[9];
                Arrays.fill(zArr2, true);
            }
        }
        // The CRL is only useful if it covers a reason the caller has not seen yet.
        boolean z15 = false;
        for (int i11 = 0; i11 < zArr2.length && !z15; i11++) {
            if (!zArr[i11] && zArr2[i11]) {
                z15 = true;
            }
        }
        if (!z15) {
            return false;
        }
        if (z11) {
            // Indirect CRL: find the CRL issuer's certificate by subject, require key usage
            // bit 6 (cRLSign), and build a path to it from the supplied trust anchors.
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setSubject(x500Name3.asX500Principal());
            x509CertSelector.setKeyUsage(new boolean[]{false, false, false, false, false, false, true});
            try {
                PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters((Set<TrustAnchor>) set, x509CertSelector);
                pKIXBuilderParameters.setCertStores(list);
                pKIXBuilderParameters.setSigProvider(str);
                pKIXBuilderParameters.setDate(date);
                try {
                    // NOTE(review): the builder algorithm comes from an obfuscated
                    // constant, presumably "PKIX"; confirm. Whether revocation checking is
                    // applied to this path depends on defaults not set here; confirm.
                    publicKey2 = ((PKIXCertPathBuilderResult) CertPathBuilder.getInstance(cl_4.f19520i).build(pKIXBuilderParameters)).getPublicKey();
                } catch (Exception e10) {
                    // NOTE(review): only e10.getCause() is chained, so the caught exception
                    // itself is lost, and when it has no cause the CRLException carries no
                    // diagnostic information at all.
                    CRLException cRLException = new CRLException();
                    cRLException.initCause(e10.getCause());
                    throw cRLException;
                }
            } catch (InvalidAlgorithmParameterException e11) {
                // Same cause-dropping pattern as the inner handler above.
                CRLException cRLException2 = new CRLException();
                cRLException2.initCause(e11.getCause());
                throw cRLException2;
            }
        } else {
            publicKey2 = publicKey;
        }
        try {
            // NOTE(review): presumably enforces algorithm restrictions on the key and the
            // CRL's signature algorithm; AlgorithmChecker is not visible here. Confirm.
            AlgorithmChecker.a(publicKey2, x509crl);
            try {
                x509crl.verify(publicKey2, str);
                // Any critical extension other than IDP is treated as unrecognized and
                // causes the CRL to be rejected.
                Set<String> criticalExtensionOIDs = x509crl.getCriticalExtensionOIDs();
                if (criticalExtensionOIDs != null) {
                    criticalExtensionOIDs.remove(PKIXExtensions.IssuingDistributionPoint_Id.toString());
                    if (!criticalExtensionOIDs.isEmpty()) {
                        JCPLogger.finer("Unrecognized critical extension(s) in CRL:" + criticalExtensionOIDs);
                        Iterator<String> it6 = criticalExtensionOIDs.iterator();
                        while (it6.hasNext()) {
                            JCPLogger.finer(it6.next());
                        }
                        return false;
                    }
                }
                // Success: record the newly covered reasons in the caller's mask.
                for (int i12 = 0; i12 < zArr2.length; i12++) {
                    if (!zArr[i12] && zArr2[i12]) {
                        zArr[i12] = true;
                    }
                }
                return true;
            } catch (Exception unused) {
                // The message records class names and the provider only; the exception
                // that made verification fail is discarded.
                StringBuilder sb2 = new StringBuilder();
                sb2.append("CRL signature failed to verify, cert: ");
                sb2.append(x509CertImpl.getClass().getCanonicalName());
                sb2.append(", key: ");
                sb2.append(publicKey2 != null ? publicKey2.getClass().getCanonicalName() : null);
                sb2.append(", provider: ");
                sb2.append(str);
                sb2.append(", class: ");
                sb2.append(x509crl.getClass().getCanonicalName());
                str2 = sb2.toString();
            }
        } catch (CertPathValidatorException e12) {
            str2 = "CRL signature algorithm check failed: " + e12;
        }
        // NOTE(review): decompiler artefact. Both failure handlers build str2 and then
        // reach the end of the method with no log call and no return. Presumably the
        // original logged the message and returned false; confirm.
    }

    /**
     * Reads a system property and interprets it as a boolean.
     *
     * <p>The lookup runs inside {@link AccessController#doPrivileged}, using
     * {@link GetPropertyAction}.
     * NOTE(review): the "true" comparison uses a constant from an unrelated class
     * ({@code BioRandomFrame}). The error message implies its value is "true", which looks
     * like the decompiler substituting a constant with the same value; confirm.
     *
     * @param str name of the property
     * @param z10 value returned when the property is not set
     * @return the property's boolean value, or {@code z10} if it is unset
     * @throws RuntimeException if the property is set to anything other than the two
     *         accepted values (compared ignoring case)
     */
    public static boolean getBooleanProperty(String str, boolean z10) {
        String str2 = (String) AccessController.doPrivileged(new GetPropertyAction(str));
        if (str2 == null) {
            return z10;
        }
        if (str2.equalsIgnoreCase("false")) {
            return false;
        }
        if (str2.equalsIgnoreCase(BioRandomFrame.STR_DIALOG_PROPERTY_VALUE)) {
            return true;
        }
        throw new RuntimeException("Value of " + str + " must either be 'true' or 'false'");
    }

    /**
     * Returns the verified CRLs reachable through the CRL Distribution Points extension of
     * the certificate the selector is checking.
     *
     * <p>Nothing is done, and an empty set is returned, when CRLDP processing is disabled
     * or the selector names no certificate. Distribution points are processed in order
     * until the reasons mask is fully set.
     *
     * <p>An empty result is also returned when the certificate has no CRLDP extension and
     * when converting or reading the certificate throws; the two exceptions are swallowed
     * without logging. The caller therefore cannot distinguish "no CRL available" from
     * "could not process the certificate"; whether an empty result fails validation is
     * decided by the caller.
     *
     * @param x509CRLSelector selector naming the certificate being checked and the
     *        criteria CRLs must match
     * @param z10 passed through to CRL verification
     * @param publicKey key for verifying CRLs that are not indirect
     * @param str signature provider name
     * @param list cert stores to search
     * @param zArr reasons mask, updated in place as CRLs are accepted
     * @param set trust anchors used for indirect CRL issuers
     * @param date validation date
     * @return the accepted CRLs, possibly empty; never {@code null}
     */
    public static Collection getCRLs(X509CRLSelector x509CRLSelector, boolean z10, PublicKey publicKey, String str, List list, boolean[] zArr, Set set, Date date) {
        X509Certificate certificateChecking;
        if (f18441b && (certificateChecking = x509CRLSelector.getCertificateChecking()) != null) {
            try {
                X509CertImpl impl = X509CertImpl.toImpl(certificateChecking);
                CRLDistributionPointsExtension cRLDistributionPointsExtension = impl.getCRLDistributionPointsExtension();
                if (cRLDistributionPointsExtension == null) {
                    JCPLogger.finer("No CRLDP ext");
                    return Collections.EMPTY_SET;
                }
                List list2 = (List) cRLDistributionPointsExtension.get(CRLDistributionPointsExtension.POINTS);
                HashSet hashSet = new HashSet();
                Iterator it = list2.iterator();
                // Stop early once every reason is covered; further points add nothing.
                while (it.hasNext() && !Arrays.equals(zArr, f18440a)) {
                    hashSet.addAll(a(x509CRLSelector, impl, (DistributionPoint) it.next(), zArr, z10, publicKey, str, list, set, date));
                }
                JCPLogger.finerFormat("Returning {0} CRLs", Integer.valueOf(hashSet.size()));
                return hashSet;
            } catch (IOException unused) {
                return Collections.EMPTY_SET;
            } catch (CertificateException unused2) {
                return Collections.EMPTY_SET;
            }
        }
        return Collections.EMPTY_SET;
    }
}
