package com.ibm.oti.security.provider;

import com.ibm.oti.connection.ssl.Util;
import com.ibm.oti.security.midp.KeyStore;
import java.io.IOException;
import java.util.Date;
import javax.microedition.pki.CertificateException;

/* loaded from: input_file:ive-2.2/runtimes/win32/x86/midp20/lib/jclMidp20/classes.zip:com/ibm/oti/security/provider/CertificateVerifier.class */
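/**
 * Validates an X.509 certificate chain against the device's system key store.
 *
 * <p>The chain is ordered leaf first: element {@code k} must be issued by element
 * {@code k + 1}, and the last element is either a self-signed root or a certificate
 * issued directly by a key-store entry.
 *
 * <p>Review notes on what this class does and does not check, as far as this file shows:
 * <ul>
 *   <li>No check that the non-leaf certificates are CA certificates (basicConstraints /
 *       keyUsage) and no path-length limit is visible here. NOTE(review): confirm that
 *       X509Certificate parsing or the callers enforce this, otherwise any certificate
 *       that chains to a trusted root could act as an issuer.</li>
 *   <li>No revocation check and no host-name check are performed in this class.</li>
 *   <li>The digest is selected by the certificate's own signature algorithm name; there is
 *       no allow-list here. NOTE(review): confirm which digests PKCS1 accepts and that
 *       weak ones (e.g. MD2/MD5) are not enabled.</li>
 * </ul>
 */
public class CertificateVerifier {
    /** Usage selector for MIDlet suite installation (meaning taken from the name). */
    public static final int USAGE_MIDLET_SUITE_INSTALL = 1;
    /** Usage selector for SSL server authentication (meaning taken from the name). */
    public static final int USAGE_SSL_SERVER_AUTH = 2;

    /**
     * Verifies that the chain links up to a trusted key-store entry and that every checked
     * certificate is correctly signed and valid at {@code date}.
     *
     * @param x509CertificateArr chain to verify, leaf first; must contain at least one certificate
     * @param date               instant at which validity is evaluated
     * @param i                  intended usage, one of the {@code USAGE_*} constants
     * @throws CertificateException if the chain is empty, the trust anchor is unknown, not
     *                              permitted for the usage or outside its validity window,
     *                              or a link, signature or validity check fails
     * @throws IOException          declared by the original signature; presumably raised by the
     *                              key store or certificate accessors
     */
    public static void verifyCertificateChain(X509Certificate[] x509CertificateArr, Date date, int i) throws CertificateException, IOException {
        // Fix: an absent or empty chain used to escape as NullPointerException /
        // ArrayIndexOutOfBoundsException. Reject it with the checked exception callers
        // already handle; 11 is the status this method uses when the chain cannot be linked.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("certificate chain is empty", null, (byte) 11);
        }

        final int chainLength = x509CertificateArr.length;
        final X509Certificate last = x509CertificateArr[chainLength - 1];
        final X509Principal lastSubject = getSubject(last);
        final X509Principal lastIssuer = getIssuer(last);

        // A self-signed last element is looked up by its own name and excluded from the
        // per-certificate loop; otherwise the anchor is the issuer of the last element.
        final boolean selfSignedRoot = lastSubject.equals(lastIssuer);
        final X509Principal anchorName = selfSignedRoot ? lastSubject : lastIssuer;
        final int length = selfSignedRoot ? chainLength - 1 : chainLength;

        final KeyStore.Entry entry = KeyStore.getSystemKeyStore().getEntry(anchorName);
        if (entry == null) {
            throw new CertificateException("certificate chain root is not a trusted Certificate Authority", last, (byte) 4);
        }
        final RSAPublicKey anchorKey = entry.getPublicKey();

        // A presented root is trusted only if its key bytes equal the stored key. Its own
        // signature and validity period are not examined; the key-store entry's window
        // (checked below) is used instead.
        if (selfSignedRoot && !Util.equals(entry.getPublicKeyBytes(), last.getPublicKey())) {
            throw new CertificateException("root certificate public key does not match certificate public key on device for \"" + anchorName + "\"", null, (byte) 4);
        }

        // NOTE(review): SSL usage (constant value 2) tests entry usage bit 1 and MIDlet
        // install (constant value 1) tests bit 2. The bit layout of getUsage() is not
        // visible here; confirm against KeyStore.Entry that this crossing is intentional.
        // NOTE(review): any other value of i skips the usage restriction entirely, so
        // callers must pass one of the USAGE_* constants for the anchor's usage to be enforced.
        if (i == USAGE_SSL_SERVER_AUTH) {
            if ((entry.getUsage() & 1) == 0) {
                throw new CertificateException("certificate chain root is not valid for this use", last, (byte) 4);
            }
        } else if (i == USAGE_MIDLET_SUITE_INSTALL && (entry.getUsage() & 2) == 0) {
            throw new CertificateException("certificate chain root is not valid for this use", last, (byte) 4);
        }

        // The same message and status 3 are used both before validFrom and after validTo.
        final long when = date.getTime();
        if (when < entry.getValidFrom() || when > entry.getValidTo()) {
            throw new CertificateException("root certificate has expired: " + anchorName, null, (byte) 3);
        }

        for (int idx = 0; idx < length; idx++) {
            final X509Certificate current = x509CertificateArr[idx];
            final RSAPublicKey signerKey;
            final X509Principal signerName;
            if (idx < length - 1) {
                // Signed by the next certificate in the chain.
                final X509Certificate signer = x509CertificateArr[idx + 1];
                signerKey = new RSAPublicKey(signer.getPublicKey());
                signerName = getSubject(signer);
            } else {
                // Top of the checked range: signed by the trust anchor, using the key
                // held in the key store rather than any key presented in the chain.
                signerKey = anchorKey;
                signerName = anchorName;
            }
            if (!signerName.equals(getIssuer(current))) {
                throw new CertificateException("issuer of certificate not in chain", current, (byte) 11);
            }
            verifyCertificateSignature(signerKey, current);
            current.checkValidity(date);
        }
    }

    /** Builds an {@code X509Principal} from the certificate's subject field. */
    private static X509Principal getSubject(X509Certificate x509Certificate) {
        X509Principal principal = new X509Principal();
        principal.initFrom(x509Certificate.getSubject());
        return principal;
    }

    /** Builds an {@code X509Principal} from the certificate's issuer field. */
    private static X509Principal getIssuer(X509Certificate x509Certificate) {
        X509Principal principal = new X509Principal();
        principal.initFrom(x509Certificate.getIssuer());
        return principal;
    }

    /**
     * Checks the certificate's RSA PKCS#1 v1.5 signature with the given issuer key.
     *
     * <p>Only algorithm names ending in {@code "withRSA"} are accepted; the part before
     * {@code "with"} is passed to {@code PKCS1} as the digest name.
     *
     * @throws CertificateException with status 9 for a non-RSA algorithm name, or status 14
     *                              when verification fails or an {@code IOException} occurs
     */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    private static void verifyCertificateSignature(RSAPublicKey rSAPublicKey, X509Certificate x509Certificate) throws CertificateException {
        String sigAlgName = x509Certificate.getSigAlgName();
        if (!sigAlgName.endsWith("withRSA")) {
            throw new CertificateException(x509Certificate, (byte) 9);
        }
        // endsWith("withRSA") guarantees indexOf("with") is non-negative.
        String digestName = sigAlgName.substring(0, sigAlgName.indexOf("with"));
        boolean signatureValid;
        try {
            signatureValid = new PKCS1(digestName).verifySSA_PKCS1_v15(rSAPublicKey, x509Certificate.getTBSCertificate(), x509Certificate.getSignature());
        } catch (IOException unused) {
            // Any I/O failure while verifying is reported as a failed verification
            // (fail closed); the underlying reason is not preserved.
            throw new CertificateException(x509Certificate, (byte) 14);
        }
        if (!signatureValid) {
            throw new CertificateException(x509Certificate, (byte) 14);
        }
    }
}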
