package sun.security.provider.certpath;

import java.security.cert.CertPathValidatorException;
import java.security.cert.CertSelector;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import sun.security.util.Debug;
import sun.security.x509.PKIXExtensions;

/* loaded from: input_file:sol142hybrid-20050921-sdk.jar:sdk/jre/lib/rt.jar:sun/security/provider/certpath/KeyChecker.class */
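/**
 * PKIX certification path checker for key-related constraints.
 *
 * <p>For every certificate handed to {@link #check} except the last one of the
 * path, the keyCertSign bit of the KeyUsage extension is verified (see
 * {@link #verifyCAKeyUsage}). For the last certificate the caller-supplied
 * target constraints are applied instead. Forward checking is not supported.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>A certificate without a KeyUsage extension passes
 *       {@link #verifyCAKeyUsage}. Whether such a certificate may act as a CA
 *       at all (basic constraints) is not decided in this class and must be
 *       enforced by another checker in the chain.</li>
 *   <li>This class reports ExtendedKeyUsage and SubjectAlternativeName as
 *       supported and removes them from the unresolved critical extensions,
 *       but does not inspect them itself. They can only be evaluated through
 *       {@code targetConstraints}, and only for the last certificate.</li>
 *   <li>If {@code targetConstraints} is {@code null}, the last certificate
 *       receives no check from this class.</li>
 * </ul>
 *
 * <p>Instances keep mutable per-path state and are not synchronized.
 */
class KeyChecker extends PKIXCertPathChecker {
    private static final Debug debug = Debug.getInstance("certpath");

    /** Index of the keyCertSign bit in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int keyCertSign = 5;

    /** Number of certificates in the path being validated. */
    private final int certPathLen;

    /** Constraints applied to the last certificate of the path; may be {@code null}. */
    private CertSelector targetConstraints;

    /** Certificates still expected by {@link #check}; reset by {@link #init}. */
    private int remainingCerts;

    /** Lazily created, unmodifiable set of extension OIDs this checker handles. */
    private Set supportedExts;

    /**
     * Reports that this checker only works in the reverse direction.
     *
     * @return always {@code false}
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Resets the per-path state so that a new path of {@code certPathLen}
     * certificates can be checked.
     *
     * @param z {@code true} if forward checking is requested
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.remainingCerts = this.certPathLen;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a checker for a path of the given length.
     *
     * @param i            number of certificates in the path
     * @param certSelector constraints for the last certificate, or {@code null} for none
     * @throws CertPathValidatorException declared because {@link #init} declares it
     */
    public KeyChecker(int i, CertSelector certSelector) throws CertPathValidatorException {
        this.certPathLen = i;
        this.targetConstraints = certSelector;
        init(false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Verifies that a CA certificate is allowed to sign certificates.
     *
     * <p>If the certificate carries a KeyUsage extension, its keyCertSign bit
     * must be set. A certificate without the extension is accepted here.
     *
     * @param x509Certificate the CA certificate to examine
     * @throws CertPathValidatorException if the KeyUsage extension is present
     *         and the keyCertSign bit is not set
     */
    public static void verifyCAKeyUsage(X509Certificate x509Certificate) throws CertPathValidatorException {
        final String msg = "CA key usage";
        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() ---checking " + msg + "...");
        }
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // getKeyUsage() returns null when the extension is absent: nothing to
        // check here. CA status itself has to be established elsewhere.
        if (keyUsage == null) {
            return;
        }
        // Fail closed: an array too short to hold the keyCertSign bit (possible
        // with a non-conforming X509Certificate implementation) is treated as
        // "bit not set" instead of surfacing ArrayIndexOutOfBoundsException.
        if (keyUsage.length <= keyCertSign || !keyUsage[keyCertSign]) {
            throw new CertPathValidatorException(msg + " check failed: keyCertSign bit is not set");
        }
        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + msg + " verified.");
        }
    }

    /**
     * Returns the OIDs of the extensions this checker claims to process:
     * KeyUsage, ExtendedKeyUsage and SubjectAlternativeName.
     *
     * @return an unmodifiable set of OID strings
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set getSupportedExtensions() {
        if (this.supportedExts == null) {
            // Build locally so the field never refers to a modifiable set.
            Set exts = new HashSet();
            exts.add(PKIXExtensions.KeyUsage_Id.toString());
            exts.add(PKIXExtensions.ExtendedKeyUsage_Id.toString());
            exts.add(PKIXExtensions.SubjectAlternativeName_Id.toString());
            this.supportedExts = Collections.unmodifiableSet(exts);
        }
        return this.supportedExts;
    }

    /**
     * Checks one certificate of the path and marks the extensions handled by
     * this checker as resolved.
     *
     * @param certificate the certificate to check; cast to {@link X509Certificate}
     * @param collection  OIDs of unresolved critical extensions, or {@code null};
     *                    the three supported OIDs are removed from it
     * @throws CertPathValidatorException if the CA key usage check fails or the
     *         last certificate does not match the target constraints
     * @throws ClassCastException if {@code certificate} is not an {@link X509Certificate}
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection collection) throws CertPathValidatorException {
        X509Certificate x509Certificate = (X509Certificate) certificate;
        // NOTE(review): the position in the path is derived only from this
        // counter. If check() is called more than certPathLen times without an
        // init() in between, the counter goes negative, every further
        // certificate is treated as a CA certificate and the target constraints
        // are never applied. The caller presumably guarantees the count - confirm.
        this.remainingCerts--;
        if (this.remainingCerts != 0) {
            verifyCAKeyUsage(x509Certificate);
        } else if (this.targetConstraints != null && !this.targetConstraints.match(x509Certificate)) {
            throw new CertPathValidatorException("target certificate constraints check failed");
        }
        if (collection == null || collection.isEmpty()) {
            return;
        }
        // Keep this list identical to getSupportedExtensions().
        collection.remove(PKIXExtensions.KeyUsage_Id.toString());
        collection.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
        collection.remove(PKIXExtensions.SubjectAlternativeName_Id.toString());
    }
}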
