package sun.security.provider.certpath;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:sol142hybrid-20050921-sdk.jar:sdk/jre/lib/rt.jar:sun/security/provider/certpath/ReverseBuilder.class */
/**
 * Certification path builder that selects each next certificate by
 * {@code issuer == state.subjectDN} and appends it to the end of the path,
 * i.e. the search proceeds from already-accepted certificates towards the
 * target subject.
 *
 * <p>Candidate selection ({@link #getMatchingCerts}) is only a filter on
 * certificate fields; the acceptance decision for a candidate is made in
 * {@link #verifyCert}, which runs the CA / path-length, key-usage, revocation,
 * name-constraint, policy, critical-extension and signature checks.
 *
 * <p>NOTE(review): this listing is decompiler output (raw collection types,
 * synthetic {@code this$0}); helper semantics that are not visible here
 * (Builder, ReverseState, KeyChecker, PolicyChecker, the CRL checker) are
 * hedged in the comments below rather than stated as fact.
 */
class ReverseBuilder extends Builder {
    // Debug channel "certpath". Every use is null-guarded, so this is presumably
    // null when the debug option is off.
    private Debug debug;
    // Instant at which candidate certificates must be valid: the date from the
    // builder parameters, or the construction time when none was supplied.
    private Date date;
    // Target certificate constraints from the builder parameters, cast to
    // X509CertSelector (see constructor).
    private X509CertSelector targetCertSelector;
    // Initial policy OIDs handed to PolicyChecker.processPolicies; contains only
    // "2.5.29.32.0" (anyPolicy) when the caller supplied an empty set.
    Set initPolicies;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:sol142hybrid-20050921-sdk.jar:sdk/jre/lib/rt.jar:sun/security/provider/certpath/ReverseBuilder$PKIXCertComparator.class */
    /**
     * Orders candidate CA certificates so that the ones expected to lead to the
     * target are tried first: a certificate whose subject equals the target
     * subject sorts first, the rest are ordered by
     * {@code Builder.targetDistance} to the target name.
     *
     * <p>This is a search-order heuristic only; it is used by
     * {@code getMatchingCACerts} to sort its result and takes no part in
     * deciding whether a certificate is accepted.
     *
     * <p>NOTE(review): the ordering is not symmetric. If both subjects equal
     * the target, compare(a, b) and compare(b, a) both return -1; if the two
     * distances differ and one of them is -1, both orders return 1. Sort
     * implementations that verify the Comparator contract may reject such a
     * comparator, so treat this as a known limitation before reusing the class.
     */
    public class PKIXCertComparator implements Comparator {
        private Debug debug = Debug.getInstance("certpath");
        // Decompiled form of the implicit reference to the enclosing ReverseBuilder.
        private final ReverseBuilder this$0;

        PKIXCertComparator(ReverseBuilder reverseBuilder) {
            this.this$0 = reverseBuilder;
        }

        /**
         * Compares two certificates by closeness to the target subject.
         *
         * @param obj first certificate; must be an X509Certificate
         * @param obj2 second certificate; must be an X509Certificate
         * @return -1 if {@code obj} should be tried first, 1 if {@code obj2}
         *         should, 0 when both have the same target distance
         * @throws ClassCastException if an argument is not an X509Certificate,
         *         or if computing the target distance fails with an IOException
         */
        @Override // java.util.Comparator
        public int compare(Object obj, Object obj2) {
            X509Certificate x509Certificate = (X509Certificate) obj;
            X509Certificate x509Certificate2 = (X509Certificate) obj2;
            // A certificate issued to the target subject always wins; the first
            // argument is tested first, which is the source of the asymmetry
            // described on the class.
            if (x509Certificate.getSubjectX500Principal().equals(this.this$0.targetSubjectDN)) {
                return -1;
            }
            if (x509Certificate2.getSubjectX500Principal().equals(this.this$0.targetSubjectDN)) {
                return 1;
            }
            try {
                X500Name asX500Name = X500Name.asX500Name(this.this$0.targetSubjectDN);
                int targetDistance = Builder.targetDistance(null, x509Certificate, asX500Name);
                int targetDistance2 = Builder.targetDistance(null, x509Certificate2, asX500Name);
                if (targetDistance == targetDistance2) {
                    return 0;
                }
                // -1 is handled as a special value that never sorts first;
                // presumably it means "distance unknown" - confirm in Builder.targetDistance.
                return (targetDistance != -1 && targetDistance < targetDistance2) ? -1 : 1;
            } catch (IOException e) {
                if (this.debug != null) {
                    this.debug.println("IOException in call to Builder.targetDistance");
                    // Stack trace goes to stderr, and only when debugging is enabled.
                    e.printStackTrace();
                }
                // The IOException is not attached as the cause, so with debugging off
                // the original failure is lost to the caller.
                throw new ClassCastException("Invalid target subject distinguished name");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reports whether the given certificate ends the path, decided solely by
     * its subject name being equal to the target subject DN.
     *
     * <p>No key, constraint or signature check happens here; the target
     * constraints are matched in {@link #verifyCert}.
     *
     * @param x509Certificate certificate most recently considered for the path
     * @return true if its subject equals {@code targetSubjectDN}
     */
    @Override // sun.security.provider.certpath.Builder
    public boolean isPathCompleted(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal().equals(this.targetSubjectDN);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Removes the most recently added certificate, i.e. the last list element,
     * mirroring {@link #addCertToPath}.
     *
     * @param linkedList path under construction; must not be empty
     */
    @Override // sun.security.provider.certpath.Builder
    public void removeFinalCertFromPath(LinkedList linkedList) {
        linkedList.removeLast();
    }

    /**
     * Collects candidate CA certificates issued by the subject of the current
     * state, sorted with {@link PKIXCertComparator}.
     *
     * @param reverseState current build state; supplies the issuer name and
     *        the explicit-policy counter
     * @return sorted list of matching certificates from the configured cert stores
     * @throws CertificateException declared; raised by helpers not visible here
     * @throws CertStoreException declared; raised by helpers not visible here
     * @throws IOException if a selector criterion cannot be encoded or parsed
     */
    private Collection getMatchingCACerts(ReverseState reverseState) throws CertificateException, CertStoreException, IOException {
        X509CertSelector x509CertSelector = new X509CertSelector();
        CertPathHelper.setIssuer(x509CertSelector, reverseState.subjectDN);
        x509CertSelector.setCertificateValid(this.date);
        // Name type 4 is directoryName: only keep certificates whose name
        // constraints still permit a path to the target subject.
        x509CertSelector.addPathToName(4, this.targetCertSelector.getSubjectAsBytes());
        // The policy filter is applied only once the explicit-policy counter has
        // reached zero. getMatchingPolicies() is not defined in this class;
        // presumably inherited from Builder.
        if (reverseState.explicitPolicy == 0) {
            x509CertSelector.setPolicy(getMatchingPolicies());
        }
        // A value >= 0 restricts the match to CA certificates.
        x509CertSelector.setBasicConstraints(0);
        ArrayList arrayList = new ArrayList();
        addMatchingCerts(x509CertSelector, this.buildParams.getCertStores(), arrayList);
        Collections.sort(arrayList, new PKIXCertComparator(this));
        if (this.debug != null) {
            this.debug.println(new StringBuffer().append("ReverseBuilder.getMatchingCACerts got ").append(arrayList.size()).append(" certs.").toString());
        }
        return arrayList;
    }

    /**
     * Collects candidate end-entity certificates issued by the subject of the
     * current state that also satisfy the caller's target constraints.
     *
     * <p>NOTE(review): the issuer, validity, policy and basic-constraints
     * criteria are set directly on the selector returned by
     * {@code getTargetCertConstraints()}. This relies on that getter handing
     * out a copy rather than the caller's own selector - confirm. The cast is
     * unchecked, so constraints of another CertSelector type fail with
     * ClassCastException.
     *
     * @param reverseState current build state
     * @return set of matching end-entity certificates
     * @throws CertStoreException declared; raised by helpers not visible here
     * @throws CertificateException declared; raised by helpers not visible here
     * @throws IOException if a selector criterion cannot be encoded or parsed
     */
    private Collection getMatchingEECerts(ReverseState reverseState) throws CertStoreException, CertificateException, IOException {
        X509CertSelector x509CertSelector = (X509CertSelector) this.buildParams.getTargetCertConstraints();
        CertPathHelper.setIssuer(x509CertSelector, reverseState.subjectDN);
        x509CertSelector.setCertificateValid(this.date);
        if (reverseState.explicitPolicy == 0) {
            x509CertSelector.setPolicy(getMatchingPolicies());
        }
        // -2 restricts the match to end-entity (non-CA) certificates.
        x509CertSelector.setBasicConstraints(-2);
        HashSet hashSet = new HashSet();
        addMatchingCerts(x509CertSelector, this.buildParams.getCertStores(), hashSet);
        if (this.debug != null) {
            this.debug.println(new StringBuffer().append("ReverseBuilder.getMatchingEECerts got ").append(hashSet.size()).append(" certs.").toString());
        }
        return hashSet;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns every candidate for the next path position: end-entity matches
     * plus CA matches.
     *
     * <p>NOTE(review): the CA list is sorted by PKIXCertComparator, but it is
     * added into the HashSet returned by getMatchingEECerts, so the returned
     * collection does not preserve that order.
     *
     * @param state current build state; must be a ReverseState
     * @return collection of candidate certificates
     * @throws CertStoreException propagated from the candidate lookups
     * @throws CertificateException propagated from the candidate lookups
     * @throws IOException propagated from the candidate lookups
     */
    @Override // sun.security.provider.certpath.Builder
    public Collection getMatchingCerts(State state) throws CertStoreException, CertificateException, IOException {
        ReverseState reverseState = (ReverseState) state;
        if (this.debug != null) {
            this.debug.println("In ReverseBuilder.getMatchingCerts.");
        }
        Collection matchingEECerts = getMatchingEECerts(reverseState);
        matchingEECerts.addAll(getMatchingCACerts(reverseState));
        return matchingEECerts;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Appends a certificate to the end of the path under construction.
     *
     * @param x509Certificate certificate to add
     * @param linkedList path under construction
     */
    @Override // sun.security.provider.certpath.Builder
    public void addCertToPath(X509Certificate x509Certificate, LinkedList linkedList) {
        linkedList.addLast(x509Certificate);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Captures the validation date, target constraints and initial policy set
     * from the builder parameters.
     *
     * @param pKIXBuilderParameters builder parameters; the target constraints
     *        are cast to X509CertSelector without a type check
     * @param x500Principal target subject, passed through to Builder
     */
    public ReverseBuilder(PKIXBuilderParameters pKIXBuilderParameters, X500Principal x500Principal) {
        super(pKIXBuilderParameters, x500Principal);
        this.debug = Debug.getInstance("certpath");
        this.date = pKIXBuilderParameters.getDate();
        // No date supplied: validate against the time of construction.
        if (this.date == null) {
            this.date = new Date();
        }
        this.targetCertSelector = (X509CertSelector) pKIXBuilderParameters.getTargetCertConstraints();
        Set initialPolicies = pKIXBuilderParameters.getInitialPolicies();
        this.initPolicies = new HashSet();
        // An empty initial policy set is replaced by the anyPolicy OID.
        if (initialPolicies.isEmpty()) {
            this.initPolicies.add("2.5.29.32.0");
            return;
        }
        // Copy rather than alias the caller's set.
        Iterator it = initialPolicies.iterator();
        while (it.hasNext()) {
            this.initPolicies.add(it.next());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Decides whether a candidate certificate may be added to the path.
     *
     * <p>Checks, in the order they run: loop detection against the path so
     * far; CA status, path length and CA key usage (non-target certificates)
     * or target constraints (target certificate); revocation; name
     * constraints; policy processing; user-supplied checkers and unresolved
     * critical extensions; finally the signature against the public key held
     * in the state. The method returns normally only if every check passes.
     *
     * <p>The order is significant: the user checkers are given the critical
     * extension set before the built-in OIDs are removed from it, and the
     * signature is verified last, so all earlier checks operate on
     * certificate content that has not yet been authenticated.
     *
     * @param x509Certificate candidate certificate
     * @param state current build state; must be a ReverseState
     * @param list certificates already in the path, may be null or empty
     * @throws GeneralSecurityException if any check fails; the checks visible
     *         here throw CertPathValidatorException or CertificateException,
     *         and {@code verify} may throw further subclasses
     */
    @Override // sun.security.provider.certpath.Builder
    public void verifyCert(X509Certificate x509Certificate, State state, List list) throws GeneralSecurityException {
        if (this.debug != null) {
            this.debug.println(new StringBuffer().append("ReverseBuilder.verifyCert(SN: ").append(Debug.toHexString(x509Certificate.getSerialNumber())).append("\n  Subject: ").append(x509Certificate.getSubjectX500Principal()).append(")").toString());
        }
        ReverseState reverseState = (ReverseState) state;
        // In the initial state nothing below runs, including the signature check.
        // NOTE(review): presumably this is the trust-anchor step, where no issuer
        // key is available yet - confirm against ReverseState.isInitial().
        if (reverseState.isInitial()) {
            return;
        }
        if (list != null && !list.isEmpty()) {
            // Iterate over the existing path in reversed order.
            ArrayList<X509Certificate> arrayList = new ArrayList();
            Iterator it = list.iterator();
            while (it.hasNext()) {
                arrayList.add(0, it.next());
            }
            // z: a policy mappings extension has been seen among the path
            // certificates examined so far.
            boolean z = false;
            for (X509Certificate x509Certificate2 : arrayList) {
                if (X509CertImpl.toImpl(x509Certificate2).getPolicyMappingsExtension() != null) {
                    z = true;
                }
                if (this.debug != null) {
                    this.debug.println(new StringBuffer().append("policyMappingFound = ").append(z).toString());
                }
                // A repeated certificate is rejected as a loop unless policy mapping
                // is permitted and a mapping has been seen up to this point.
                if (x509Certificate.equals(x509Certificate2) && (this.buildParams.isPolicyMappingInhibited() || !z)) {
                    if (this.debug != null) {
                        this.debug.println("loop detected!!");
                    }
                    throw new CertPathValidatorException("loop detected");
                }
            }
        }
        // equals: the candidate is issued to the target subject.
        boolean equals = x509Certificate.getSubjectX500Principal().equals(this.targetSubjectDN);
        // z2: the candidate is a CA; getBasicConstraints() returns -1 for non-CA certificates.
        boolean z2 = x509Certificate.getBasicConstraints() != -1;
        if (!equals) {
            // Every certificate other than the target has to be a CA certificate.
            if (!z2) {
                throw new CertPathValidatorException("cert is NOT a CA cert");
            }
            // Self-issued certificates are exempt from the remaining-CA budget.
            if (reverseState.remainingCACerts <= 0 && !X509CertImpl.isSelfIssued(x509Certificate)) {
                throw new CertPathValidatorException("pathLenConstraint violated, path too long");
            }
            KeyChecker.verifyCAKeyUsage(x509Certificate);
        } else if (!this.targetCertSelector.match(x509Certificate)) {
            throw new CertPathValidatorException("target certificate constraints check failed");
        }
        // NOTE(review): a false result from crlChecker.check is treated as failure
        // only for non-target certificates. Presumably a revoked certificate is
        // signalled by an exception from check() and the boolean reports something
        // else (the message suggests CRL-signing ability) - confirm in the checker,
        // since a false result for the target is ignored here.
        if (this.buildParams.isRevocationEnabled() && !reverseState.crlChecker.check(x509Certificate, reverseState.pubKey, true) && !equals) {
            throw new CertPathValidatorException("cert can't vouch for crl");
        }
        // Name constraints accumulated in the state apply to the target certificate
        // and to every certificate that is not self-issued.
        if ((equals || !X509CertImpl.isSelfIssued(x509Certificate)) && reverseState.nc != null) {
            try {
                if (!reverseState.nc.verify(x509Certificate)) {
                    throw new CertPathValidatorException("name constraints check failed");
                }
            } catch (IOException e) {
                throw new CertPathValidatorException(e);
            }
        }
        // Policy processing updates the policy tree root kept in the state.
        reverseState.rootNode = PolicyChecker.processPolicies(reverseState.certIndex, this.initPolicies, reverseState.explicitPolicy, reverseState.policyMapping, reverseState.inhibitAnyPolicy, this.buildParams.getPolicyQualifiersRejected(), reverseState.rootNode, X509CertImpl.toImpl(x509Certificate), equals);
        Set criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs == null) {
            // Immutable shared set; safe because the remove() calls below are
            // skipped when the set is empty.
            criticalExtensionOIDs = Collections.EMPTY_SET;
        }
        // User checkers run first and are handed the same set instance, so any
        // extension they resolve and remove is not reported as unrecognized below.
        Iterator it2 = reverseState.userCheckers.iterator();
        while (it2.hasNext()) {
            ((PKIXCertPathChecker) it2.next()).check(x509Certificate, criticalExtensionOIDs);
        }
        if (!criticalExtensionOIDs.isEmpty()) {
            // These nine extension OIDs are removed as recognized; a critical
            // extension still left afterwards fails the certificate.
            criticalExtensionOIDs.remove(PKIXExtensions.BasicConstraints_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.NameConstraints_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.CertificatePolicies_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.PolicyMappings_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.PolicyConstraints_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.InhibitAnyPolicy_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.SubjectAlternativeName_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.KeyUsage_Id.toString());
            criticalExtensionOIDs.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
            if (!criticalExtensionOIDs.isEmpty()) {
                throw new CertificateException("Unrecognized critical extension(s)");
            }
        }
        // Signature check against the public key held in the state, using the
        // configured signature provider when one is set. verify() throws on
        // failure, which is what rejects a certificate with a bad signature.
        if (this.buildParams.getSigProvider() != null) {
            x509Certificate.verify(reverseState.pubKey, this.buildParams.getSigProvider());
        } else {
            x509Certificate.verify(reverseState.pubKey);
        }
    }
}
