package com.rsa.ssl.external;

import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.cert.X509V3Extensions;
import com.rsa.certj.cert.extensions.BasicConstraints;
import com.rsa.certj.cert.extensions.KeyUsage;
import com.rsa.certj.cert.extensions.X509V3Extension;
import com.rsa.ssl.AlertException;
import com.rsa.ssl.CipherSuite;
import com.rsa.ssl.SSLException;
import com.rsa.ssl.SSLParams;
import java.util.Date;

/* loaded from: input_file:lib/external/sslj.jar:com/rsa/ssl/external/CertVerifier.class */
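/**
 * Default {@link Truster}: validates a peer's certificate chain against the CA
 * certificates configured in {@link SSLParams}.
 *
 * <p>The chain is processed from index 0 (the end-entity certificate, see the
 * basic-constraints failure messages) upwards. For every certificate the verifier
 * checks that it issued and signed the previous one, runs the per-certificate checks
 * in {@link #basicCertCheck()}, and then looks for a configured CA that issued it.
 * The first certificate whose issuer is a configured CA ends the walk; that CA is
 * checked as well and its index in the CA array is returned.
 *
 * <p>All failure paths go through {@code protected} hook methods that throw an
 * {@link AlertException}, so subclasses can customise the reported alert.
 *
 * <p>Not thread-safe: verification state (current certificate, chain index, date,
 * cipher suite) is kept in instance fields for the duration of one
 * {@link #verifyCertificate} call.
 */
public class CertVerifier implements Truster {
    /** Value of the X.509 {@code version} field for a v3 certificate (the field is zero-based). */
    private static final int X509_VERSION_3 = 2;

    /** Extension type ids as returned by {@code X509V3Extension.getExtensionType()}. */
    private static final int EXT_KEY_USAGE = 15;
    private static final int EXT_BASIC_CONSTRAINTS = 19;
    private static final int EXT_EXTENDED_KEY_USAGE = 37;

    /**
     * Bit masks passed to {@code KeyUsage.verifyKeyUsage(int)}. The names follow the
     * failure messages that guard them (signing / RSA key exchange / CA signing); the
     * mapping to the RFC 5280 KeyUsage bits is presumed (bit 0 = MSB) — confirm against
     * the CertJ {@link KeyUsage} constants before relying on the names.
     */
    private static final int KU_DIGITAL_SIGNATURE = Integer.MIN_VALUE; // 0x80000000
    private static final int KU_KEY_ENCIPHERMENT = 536870912;          // 0x20000000
    private static final int KU_DATA_ENCIPHERMENT = 268435456;         // 0x10000000
    private static final int KU_KEY_CERT_SIGN = 67108864;               // 0x04000000

    /** TLS alert level / description codes used by the failure hooks. */
    private static final int ALERT_LEVEL_FATAL = 2;
    private static final int ALERT_BAD_CERTIFICATE = 42;
    private static final int ALERT_UNSUPPORTED_CERTIFICATE = 43;
    private static final int ALERT_CERTIFICATE_EXPIRED = 45;

    /** Reference time for the validity-period check; captured once per verification. */
    protected Date today;
    /** Position of {@link #currentCert} in the chain; 0 is the end-entity, CA index + 1 for the trust anchor. */
    protected int currentChainIndex;
    /** Certificate currently being checked. */
    protected X509Certificate currentCert;
    /** Negotiated cipher suite; drives the end-entity key-usage rule. */
    protected CipherSuite currentCipher;
    /** True while {@link #currentCert} is a certificate taken from the configured CA list. */
    protected boolean currentCertIsRootCA;

    /**
     * Verifies {@code x509CertificateArr} (index 0 = end-entity) against the CA
     * certificates in {@code sSLParams}.
     *
     * @param sSLParams           connection parameters (CA list, crypto device, RNG)
     * @param x509CertificateArr  the peer's chain, end-entity first
     * @param cipherSuite         negotiated cipher suite
     * @return the index in {@code sSLParams.getCACertificates()} of the CA that issued
     *         the chain, or -1 when no configured CA issued any certificate of the chain
     * @throws AlertException when a certificate fails a check (bad chaining or signature,
     *                        expiry, unsupported version, basic constraints, key usage,
     *                        unknown critical extension)
     * @throws SSLException   when verification could not be carried out (any other error,
     *                        e.g. a parsing or crypto failure)
     */
    @Override // com.rsa.ssl.external.Truster
    public int verifyCertificate(SSLParams sSLParams, X509Certificate[] x509CertificateArr, CipherSuite cipherSuite) throws AlertException, SSLException {
        this.today = new Date();
        this.currentCipher = cipherSuite;
        this.currentCertIsRootCA = false;
        X509Certificate[] trustedCAs = sSLParams.getCACertificates();
        for (int i = 0; i < x509CertificateArr.length; i++) {
            try {
                this.currentChainIndex = i;
                this.currentCert = x509CertificateArr[i];
                if (i > 0) {
                    // The certificate below us must have been issued and signed by this one.
                    checkCertChaining(x509CertificateArr[i - 1], sSLParams);
                }
                basicCertCheck();
                int anchor = findTrustedIssuer(this.currentCert, trustedCAs, sSLParams);
                if (anchor > -1) {
                    // The trust anchor itself gets the same per-certificate checks, one level up.
                    this.currentChainIndex = i + 1;
                    this.currentCert = trustedCAs[anchor];
                    this.currentCertIsRootCA = true;
                    basicCertCheck();
                    return anchor;
                }
            } catch (AlertException e) {
                throw e;
            } catch (Exception e2) {
                throw new SSLException("Cannot verify certificate: " + e2.getMessage());
            }
        }
        return -1;
    }

    /**
     * Checks that {@link #currentCert} issued {@code x509Certificate}: matching
     * issuer/subject names and a valid signature.
     *
     * @throws AlertException       via {@link #certificateChainBadNames()} when the names
     *                              do not match (a bad signature is reported by
     *                              {@link #certificateChainBadSignatures()})
     * @throws CertificateException if the signature cannot be verified at all
     */
    protected void checkCertChaining(X509Certificate x509Certificate, SSLParams sSLParams) throws AlertException, CertificateException {
        X509Certificate[] onlyCandidate = {this.currentCert};
        if (findTrustedIssuer(x509Certificate, onlyCandidate, sSLParams) == -1) {
            certificateChainBadNames();
        }
    }

    /**
     * Finds the candidate that issued {@code subject}: its subject name must equal the
     * subject's issuer name and its public key must verify the subject's signature.
     *
     * <p>Several candidates may share a subject name (re-keyed or cross-signed CAs), so
     * every name match is tried before the signature is declared bad. If all name matches
     * fail signature verification, {@link #certificateChainBadSignatures()} is invoked;
     * should that hook return instead of throwing, the last name match is returned, which
     * keeps the behaviour of the single-match case.
     *
     * @return index into {@code candidates}, or -1 when no candidate's name matches
     */
    private int findTrustedIssuer(X509Certificate subject, X509Certificate[] candidates, SSLParams params) throws AlertException, CertificateException {
        int lastNameMatch = -1;
        for (int i = 0; i < candidates.length; i++) {
            if (!candidates[i].getSubjectName().equals(subject.getIssuerName())) {
                continue;
            }
            lastNameMatch = i;
            if (signatureVerifies(subject, candidates[i], params)) {
                return i;
            }
        }
        if (lastNameMatch > -1) {
            certificateChainBadSignatures();
        }
        return lastNameMatch;
    }

    /** Returns whether {@code issuer}'s public key verifies {@code subject}'s signature. */
    private boolean signatureVerifies(X509Certificate subject, X509Certificate issuer, SSLParams params) throws CertificateException {
        return subject.verifyCertificateSignature(
                params.getDevice(), issuer.getSubjectPublicKey(params.getDevice()), params.getRandom());
    }

    /**
     * Per-certificate checks on {@link #currentCert}: validity period, then — only when
     * the certificate carries extensions — version 3 is required and the basic
     * constraints, key usage and unknown-critical-extension rules are applied.
     */
    protected void basicCertCheck() throws AlertException, CertificateException {
        checkCertificateExpiration();
        X509V3Extensions extensions = this.currentCert.getExtensions();
        if (extensions == null) {
            // v1/v2 certificates (no extensions) are accepted on expiry alone.
            return;
        }
        if (this.currentCert.getVersion() != X509_VERSION_3) {
            certificateInvalidNotV3WithExt();
            return;
        }
        checkBasicConstraints(extensions);
        checkKeyUsage(extensions);
        checkUnknownCriticalExtensions(extensions);
    }

    /** Fails via {@link #certificateExpirationCheckFailed()} unless {@link #today} lies in the validity period. */
    protected void checkCertificateExpiration() throws AlertException {
        if (!this.currentCert.checkValidityDate(this.today)) {
            certificateExpirationCheckFailed();
        }
    }

    /**
     * Applies the basic-constraints rules to {@link #currentCert}.
     *
     * <ul>
     *   <li>End-entity (chain index 0): a critical extension asserting {@code cA} is rejected.</li>
     *   <li>Issuing certificates (chain index &gt; 0): the extension must assert
     *       {@code cA} and its path length, when present, must allow the number of
     *       intermediates below it ({@code currentChainIndex - 1}). Criticality is
     *       deliberately not required here — RFC 5280 6.1.4 (k) mandates the check
     *       whenever the certificate is v3 — so a non-critical {@code cA=FALSE}
     *       certificate cannot act as an issuer. An intermediate without the
     *       extension is rejected as well; a configured trust anchor without it is
     *       still accepted, as trust in it comes from configuration.</li>
     * </ul>
     */
    protected void checkBasicConstraints(X509V3Extensions x509V3Extensions) throws AlertException, CertificateException {
        BasicConstraints basicConstraints = (BasicConstraints) x509V3Extensions.getExtensionByType(EXT_BASIC_CONSTRAINTS);
        if (this.currentChainIndex <= 0) {
            if (basicConstraints != null && basicConstraints.getCriticality() && basicConstraints.getCA()) {
                basicConstraintsCheckFailedCA();
            }
            return;
        }
        if (basicConstraints == null) {
            if (!this.currentCertIsRootCA) {
                basicConstraintsCheckFailedMissing();
            }
            return;
        }
        if (!basicConstraints.getCA()) {
            basicConstraintsCheckFailedCAEndEntity();
            return;
        }
        // -1 means no pathLenConstraint was encoded.
        int pathLen = basicConstraints.getPathLen();
        int intermediatesBelow = this.currentChainIndex - 1;
        if (pathLen != -1 && pathLen < intermediatesBelow) {
            basicConstraintsCheckFailedPathLength();
        }
    }

    /**
     * Applies the key-usage rules to {@link #currentCert} when it carries a
     * <em>critical</em> KeyUsage extension: issuing certificates need the CA-signing
     * bit; the end-entity needs the signing bit, or for RSA cipher suites any of the
     * RSA key-exchange bits or the signing bit.
     *
     * <p>NOTE(review): as in the original implementation a non-critical KeyUsage is not
     * enforced at all; RFC 5280 6.1.4 (n) expects the CA-signing bit on any issuer that
     * carries the extension, critical or not.
     */
    protected void checkKeyUsage(X509V3Extensions x509V3Extensions) throws AlertException, CertificateException {
        KeyUsage keyUsage = (KeyUsage) x509V3Extensions.getExtensionByType(EXT_KEY_USAGE);
        if (keyUsage == null || !keyUsage.getCriticality()) {
            return;
        }
        if (this.currentChainIndex != 0) {
            if (!keyUsage.verifyKeyUsage(KU_KEY_CERT_SIGN)) {
                keyUsageCheckFailed("CA certificate has invalid key usage certificate extension");
            }
            return;
        }
        if (this.currentCipher.isRSA()) {
            boolean usableForRsa = keyUsage.verifyKeyUsage(KU_KEY_ENCIPHERMENT)
                    || keyUsage.verifyKeyUsage(KU_DATA_ENCIPHERMENT)
                    || keyUsage.verifyKeyUsage(KU_DIGITAL_SIGNATURE);
            if (!usableForRsa) {
                keyUsageCheckFailed("Invalid RSA cipher certificate");
            }
        } else if (!keyUsage.verifyKeyUsage(KU_DIGITAL_SIGNATURE)) {
            keyUsageCheckFailed("Not signing certificate");
        }
    }

    /**
     * Rejects the certificate if it carries a critical extension other than key usage,
     * basic constraints or extended key usage (the only ones this verifier understands).
     */
    protected void checkUnknownCriticalExtensions(X509V3Extensions x509V3Extensions) throws AlertException, CertificateException {
        int extensionCount = x509V3Extensions.getExtensionCount();
        for (int i = 0; i < extensionCount; i++) {
            X509V3Extension extension = x509V3Extensions.getExtensionByIndex(i);
            if (!extension.getCriticality()) {
                continue;
            }
            int type = extension.getExtensionType();
            boolean understood = type == EXT_KEY_USAGE || type == EXT_BASIC_CONSTRAINTS || type == EXT_EXTENDED_KEY_USAGE;
            if (!understood) {
                unknownCriticalExtensionCheckFailed();
                return;
            }
        }
    }

    /** Hook: issuer/subject names of adjacent chain certificates do not match. */
    protected void certificateChainBadNames() throws AlertException {
        throw new AlertException("Bad certificate in chain: issuer name and subject names do not match.", ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE);
    }

    /** Hook: a chain certificate's signature does not verify under its issuer's key. */
    protected void certificateChainBadSignatures() throws AlertException {
        throw new AlertException("Bad certificate in chain: invalid signature.", ALERT_LEVEL_FATAL, ALERT_BAD_CERTIFICATE);
    }

    /** Hook: the certificate is outside its validity period. */
    protected void certificateExpirationCheckFailed() throws AlertException {
        throw new AlertException("Certificate expired", ALERT_LEVEL_FATAL, ALERT_CERTIFICATE_EXPIRED);
    }

    /** Hook: the certificate carries extensions but is not version 3. */
    protected void certificateInvalidNotV3WithExt() throws AlertException {
        throw new AlertException("Not a supported Certificate type", ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_CERTIFICATE);
    }

    /** Hook: an issuing certificate's basic constraints say it is an end-entity. */
    protected void basicConstraintsCheckFailedCAEndEntity() throws AlertException {
        throw new AlertException("CA certificate basic constraints indicates end-entity certificate", ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_CERTIFICATE);
    }

    /** Hook: the end-entity certificate's critical basic constraints say it is a CA. */
    protected void basicConstraintsCheckFailedCA() throws AlertException {
        throw new AlertException("End-entity certificate basic constraints indicates CA certificate", ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_CERTIFICATE);
    }

    /** Hook: an issuing certificate's pathLenConstraint is exceeded by the chain below it. */
    protected void basicConstraintsCheckFailedPathLength() throws AlertException {
        throw new AlertException("A CA certificate's path length constraint has been breached.", ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_CERTIFICATE);
    }

    /** Hook: a v3 intermediate certificate has no basic constraints extension. */
    protected void basicConstraintsCheckFailedMissing() throws AlertException {
        throw new AlertException("CA certificate is missing the basic constraints extension", ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_CERTIFICATE);
    }

    /** Hook: key usage does not permit the certificate's role; {@code str} is the alert text. */
    protected void keyUsageCheckFailed(String str) throws AlertException {
        throw new AlertException(str, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_CERTIFICATE);
    }

    /** Hook: a critical extension this verifier does not understand is present. */
    protected void unknownCriticalExtensionCheckFailed() throws AlertException {
        throw new AlertException("Unknown critical certificate extension.", ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_CERTIFICATE);
    }
}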
