package com.ibm.security.validator;

import com.ibm.security.x509.X509CertImpl;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:efixes/PK12679_aix/components/prereq.jdk/update.jar:/java/jre/lib/ibmpkcs.jar:com/ibm/security/validator/EndEntityChecker.class */
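/**
 * Usage-specific checks on an end-entity certificate, run after chain
 * validation: key usage, extended key usage, Netscape cert-type and the
 * absence of unrecognised critical extensions.
 *
 * <p>Which checks run depends on the {@code Validator.VAR_*} variant the
 * checker was created with; the {@code Validator.TYPE_*} type only affects
 * whether a non-critical ExtendedKeyUsage extension is enforced.
 *
 * <p>Instances are immutable and may be shared between threads.
 */
public final class EndEntityChecker {
    /** OID of the ExtendedKeyUsage extension. */
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_EKU_TLS_SERVER = "1.3.6.1.5.5.7.3.1";
    private static final String OID_EKU_TLS_CLIENT = "1.3.6.1.5.5.7.3.2";
    private static final String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    /** anyExtendedKeyUsage: satisfies every EKU requirement. */
    private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
    /** OID of the Netscape cert-type extension (evaluated via SimpleValidator). */
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    private static final String NSCT_SSL_CLIENT = "ssl_client";
    private static final String NSCT_SSL_SERVER = "ssl_server";
    private static final String NSCT_CODE_SIGNING = "object_signing";
    /** KeyUsage bit index for digitalSignature. */
    private static final int KU_SIGNATURE = 0;
    /** KeyUsage bit index for keyEncipherment. */
    private static final int KU_KEY_ENCIPHERMENT = 2;
    /** TLS server authTypes whose key signs the handshake (need digitalSignature). */
    private static final Collection KU_SERVER_SIGNATURE = Arrays.asList(new String[]{"DHE_DSS", "DHE_RSA", "RSA_EXPORT", "UNKNOWN"});
    /** TLS server authTypes whose key decrypts the premaster secret (need keyEncipherment). */
    private static final Collection KU_SERVER_ENCRYPTION = Arrays.asList(new String[]{"RSA"});
    private final String variant;
    private final String type;

    private EndEntityChecker(String type, String variant) {
        this.type = type;
        this.variant = variant;
    }

    /**
     * Creates a checker for the given validator type and usage variant.
     *
     * @param type    validator type, e.g. {@code Validator.TYPE_SIMPLE}
     * @param variant usage variant, one of the {@code Validator.VAR_*} constants
     * @return a new checker
     */
    public static EndEntityChecker getInstance(String type, String variant) {
        return new EndEntityChecker(type, variant);
    }

    /**
     * Runs the checks appropriate for this checker's variant.
     *
     * @param cert      the end-entity certificate
     * @param parameter variant-specific parameter; for {@code VAR_TLS_SERVER}
     *                  this must be the TLS authType {@code String}, otherwise
     *                  it is ignored
     * @throws CertificateException if the certificate is unsuitable for the
     *                              variant (usually a {@code ValidatorException}),
     *                              or if the variant is unknown
     */
    public void check(X509Certificate cert, Object parameter) throws CertificateException {
        if (variant.equals(Validator.VAR_GENERIC)) {
            return; // generic use: no usage-specific constraints
        }
        if (variant.equals(Validator.VAR_TLS_SERVER)) {
            checkTLSServer(cert, (String) parameter);
        } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
            checkTLSClient(cert);
        } else if (variant.equals(Validator.VAR_CODE_SIGNING)
                || variant.equals(Validator.VAR_JCE_SIGNING)) {
            checkCodeSigning(cert);
        } else {
            throw new CertificateException("Unknown variant: " + variant);
        }
    }

    /**
     * Returns a private, mutable copy of the certificate's critical extension
     * OIDs (empty if it has none).
     *
     * <p>The copy matters: callers remove the OIDs they understand from this
     * set, and the certificate implementation may hand back an unmodifiable or
     * internally shared set, which would either throw or be silently corrupted.
     */
    private Set getCriticalExtensions(X509Certificate cert) {
        Set critical = cert.getCriticalExtensionOIDs();
        return critical == null ? new HashSet() : new HashSet(critical);
    }

    /**
     * Rejects the certificate if any critical extension other than
     * BasicConstraints (and those the caller already removed) is present.
     *
     * @param remaining critical OIDs not yet accounted for; modified in place
     * @throws CertificateException if an unsupported critical extension remains
     */
    private void checkRemainingExtensions(Set remaining) throws CertificateException {
        remaining.remove(X509CertImpl.BASIC_CONSTRAINT_OID);
        if (!remaining.isEmpty()) {
            throw new CertificateException("Certificate contains unsupported critical extensions: " + remaining);
        }
    }

    /**
     * Checks that the ExtendedKeyUsage extension permits {@code requiredOid}.
     *
     * <p>Passes when the extension is absent, when it lists the required OID
     * or anyExtendedKeyUsage, or, for the simple validator type only, when the
     * extension is present but not critical.
     *
     * @param cert         the certificate
     * @param criticalExts the certificate's critical extension OIDs
     * @param requiredOid  the EKU OID the intended use requires
     * @return true if the usage is permitted
     * @throws CertificateException if the extension cannot be parsed
     */
    private boolean checkEKU(X509Certificate cert, Set criticalExts, String requiredOid) throws CertificateException {
        // The simple validator only enforces a critical EKU extension.
        if (type.equals(Validator.TYPE_SIMPLE) && !criticalExts.contains(OID_EXTENDED_KEY_USAGE)) {
            return true;
        }
        List eku = cert.getExtendedKeyUsage();
        if (eku == null) {
            return true; // no EKU extension: every usage is allowed
        }
        return eku.contains(requiredOid) || eku.contains(OID_EKU_ANY_USAGE);
    }

    /**
     * Checks that KeyUsage bit {@code bit} is set.
     *
     * <p>A certificate without a KeyUsage extension passes. A KeyUsage array
     * too short to contain the bit fails.
     *
     * @param cert the certificate
     * @param bit  index into the KeyUsage bit array
     * @return true if the bit is set or the extension is absent
     */
    private boolean checkKeyUsage(X509Certificate cert, int bit) throws CertificateException {
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage == null) {
            return true;
        }
        return keyUsage.length > bit && keyUsage[bit];
    }

    /**
     * Checks a certificate for TLS client authentication: digitalSignature,
     * EKU id-kp-clientAuth and the Netscape ssl_client bit.
     */
    private void checkTLSClient(X509Certificate cert) throws CertificateException {
        Set critical = getCriticalExtensions(cert);
        if (!checkKeyUsage(cert, KU_SIGNATURE)) {
            throw new ValidatorException("KeyUsage does not allow digital signatures", ValidatorException.T_EE_EXTENSIONS, cert);
        }
        if (!checkEKU(cert, critical, OID_EKU_TLS_CLIENT)) {
            throw new ValidatorException("Extended key usage does not permit use for TLS client authentication", ValidatorException.T_EE_EXTENSIONS, cert);
        }
        if (!SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_SSL_CLIENT)) {
            throw new ValidatorException("Netscape cert type does not permit use for SSL client", ValidatorException.T_EE_EXTENSIONS, cert);
        }
        // The three extensions above have been evaluated; anything else critical is rejected.
        critical.remove(X509CertImpl.KEY_USAGE_OID);
        critical.remove(OID_EXTENDED_KEY_USAGE);
        critical.remove(OID_NETSCAPE_CERT_TYPE);
        checkRemainingExtensions(critical);
    }

    /**
     * Checks a certificate for TLS server authentication. The required
     * KeyUsage bit depends on the authType: key-exchange suites need
     * keyEncipherment, signing suites need digitalSignature.
     *
     * @param cert     the server certificate
     * @param authType the TLS authType negotiated for the connection
     * @throws CertificateException if the certificate is unsuitable or the
     *                              authType is not recognised
     */
    private void checkTLSServer(X509Certificate cert, String authType) throws CertificateException {
        Set critical = getCriticalExtensions(cert);
        if (KU_SERVER_ENCRYPTION.contains(authType)) {
            if (!checkKeyUsage(cert, KU_KEY_ENCIPHERMENT)) {
                throw new ValidatorException("KeyUsage does not allow key encipherment", ValidatorException.T_EE_EXTENSIONS, cert);
            }
        } else if (KU_SERVER_SIGNATURE.contains(authType)) {
            if (!checkKeyUsage(cert, KU_SIGNATURE)) {
                throw new ValidatorException("KeyUsage does not allow digital signatures", ValidatorException.T_EE_EXTENSIONS, cert);
            }
        } else {
            // Unknown authTypes are refused rather than waved through.
            throw new CertificateException("Unknown authType: " + authType);
        }
        if (!checkEKU(cert, critical, OID_EKU_TLS_SERVER)) {
            throw new ValidatorException("Extended key usage does not permit use for TLS server authentication", ValidatorException.T_EE_EXTENSIONS, cert);
        }
        if (!SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_SSL_SERVER)) {
            throw new ValidatorException("Netscape cert type does not permit use for SSL server", ValidatorException.T_EE_EXTENSIONS, cert);
        }
        critical.remove(X509CertImpl.KEY_USAGE_OID);
        critical.remove(OID_EXTENDED_KEY_USAGE);
        critical.remove(OID_NETSCAPE_CERT_TYPE);
        checkRemainingExtensions(critical);
    }

    /**
     * Checks a certificate for code signing: digitalSignature and EKU
     * id-kp-codeSigning. The Netscape object_signing bit is required for
     * {@code VAR_CODE_SIGNING} but not for {@code VAR_JCE_SIGNING}, so for
     * the latter a critical Netscape cert-type extension is left in the set
     * and rejected by {@link #checkRemainingExtensions(Set)}.
     */
    private void checkCodeSigning(X509Certificate cert) throws CertificateException {
        Set critical = getCriticalExtensions(cert);
        if (!checkKeyUsage(cert, KU_SIGNATURE)) {
            throw new ValidatorException("KeyUsage does not allow digital signatures", ValidatorException.T_EE_EXTENSIONS, cert);
        }
        if (!checkEKU(cert, critical, OID_EKU_CODE_SIGNING)) {
            throw new ValidatorException("Extended key usage does not permit use for code signing", ValidatorException.T_EE_EXTENSIONS, cert);
        }
        if (!variant.equals(Validator.VAR_JCE_SIGNING)) {
            if (!SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING)) {
                throw new ValidatorException("Netscape cert type does not permit use for code signing", ValidatorException.T_EE_EXTENSIONS, cert);
            }
            critical.remove(OID_NETSCAPE_CERT_TYPE);
        }
        critical.remove(X509CertImpl.KEY_USAGE_OID);
        critical.remove(OID_EXTENDED_KEY_USAGE);
        checkRemainingExtensions(critical);
    }
}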
