package org.bouncycastle.jce.provider;

import b.b.a.a.a;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.jcajce.PKIXCertStoreSelector;
import org.bouncycastle.jcajce.PKIXExtendedBuilderParameters;
import org.bouncycastle.jcajce.PKIXExtendedParameters;
import org.bouncycastle.jcajce.interfaces.BCX509Certificate;
import org.bouncycastle.jcajce.util.BCJcaJceHelper;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
import org.bouncycastle.x509.ExtendedPKIXParameters;

/* loaded from: classes3.dex */
public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi {
    public final JcaJceHelper a;

    /* renamed from: b, reason: collision with root package name */
    public final boolean f5773b;

    public PKIXCertPathValidatorSpi() {
        this.a = new BCJcaJceHelper();
        this.f5773b = false;
    }

    public PKIXCertPathValidatorSpi(boolean z2) {
        this.a = new BCJcaJceHelper();
        this.f5773b = z2;
    }

    /* JADX WARN: Multi-variable type inference failed */
    public static void a(X509Certificate x509Certificate) throws AnnotatedException {
        if (x509Certificate instanceof BCX509Certificate) {
            RuntimeException runtimeException = null;
            try {
                if (((BCX509Certificate) x509Certificate).j() != null) {
                    return;
                }
            } catch (RuntimeException e) {
                runtimeException = e;
            }
            throw new AnnotatedException("unable to process TBSCertificate", runtimeException);
        }
        try {
            TBSCertificate.l(x509Certificate.getTBSCertificate());
        } catch (IllegalArgumentException e2) {
            throw new AnnotatedException(e2.getMessage());
        } catch (CertificateEncodingException e3) {
            throw new AnnotatedException("unable to process TBSCertificate", e3);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r15v3, types: [java.security.cert.X509Certificate, org.bouncycastle.jce.provider.PKIXNameConstraintValidator] */
    /* JADX WARN: Type inference failed for: r22v4, types: [java.util.List[], boolean] */
    /* JADX WARN: Type inference failed for: r24v2, types: [int] */
    /* JADX WARN: Type inference failed for: r7v7, types: [org.bouncycastle.jce.provider.PKIXPolicyNode, int] */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        PKIXExtendedParameters pKIXExtendedParameters;
        List<? extends Certificate> list;
        X500Name e;
        PublicKey cAPublicKey;
        boolean z2;
        HashSet hashSet;
        int i;
        ArrayList[] arrayListArr;
        List<PKIXCertPathChecker> list2;
        int i2;
        int i3;
        X509Certificate x509Certificate;
        int i4;
        HashSet hashSet2;
        if (certPathParameters instanceof PKIXParameters) {
            PKIXExtendedParameters.Builder builder = new PKIXExtendedParameters.Builder((PKIXParameters) certPathParameters);
            if (certPathParameters instanceof ExtendedPKIXParameters) {
                ExtendedPKIXParameters extendedPKIXParameters = (ExtendedPKIXParameters) certPathParameters;
                builder.f5628k = extendedPKIXParameters.g3;
                builder.f5627j = extendedPKIXParameters.f3;
            }
            pKIXExtendedParameters = builder.a();
        } else if (certPathParameters instanceof PKIXExtendedBuilderParameters) {
            pKIXExtendedParameters = ((PKIXExtendedBuilderParameters) certPathParameters).a;
        } else {
            if (!(certPathParameters instanceof PKIXExtendedParameters)) {
                StringBuilder W = a.W("Parameters must be a ");
                W.append(PKIXParameters.class.getName());
                W.append(" instance.");
                throw new InvalidAlgorithmParameterException(W.toString());
            }
            pKIXExtendedParameters = (PKIXExtendedParameters) certPathParameters;
        }
        if (pKIXExtendedParameters.i3 == null) {
            throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for certification path validation.");
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        int size = certificates.size();
        if (certificates.isEmpty()) {
            throw new CertPathValidatorException("Certification path is empty.", null, certPath, -1);
        }
        Date p2 = CertPathValidatorUtilities.p(pKIXExtendedParameters, new Date());
        Set<String> initialPolicies = pKIXExtendedParameters.a.getInitialPolicies();
        try {
            TrustAnchor d = CertPathValidatorUtilities.d((X509Certificate) certificates.get(certificates.size() - 1), pKIXExtendedParameters.i3, pKIXExtendedParameters.b());
            if (d == null) {
                list = certificates;
                try {
                    throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
                } catch (AnnotatedException e2) {
                    e = e2;
                    throw new CertPathValidatorException(e.getMessage(), e.a, certPath, list.size() - 1);
                }
            }
            a(d.getTrustedCert());
            PKIXExtendedParameters.Builder builder2 = new PKIXExtendedParameters.Builder(pKIXExtendedParameters);
            builder2.f5629l = Collections.singleton(d);
            PKIXExtendedParameters a = builder2.a();
            int i5 = size + 1;
            ArrayList[] arrayListArr2 = new ArrayList[i5];
            for (int i6 = 0; i6 < i5; i6++) {
                arrayListArr2[i6] = new ArrayList();
            }
            HashSet hashSet3 = new HashSet();
            hashSet3.add("2.5.29.32.0");
            PKIXPolicyNode pKIXPolicyNode = new PKIXPolicyNode(new ArrayList(), 0, hashSet3, null, new HashSet(), "2.5.29.32.0", false);
            arrayListArr2[0].add(pKIXPolicyNode);
            PKIXNameConstraintValidator pKIXNameConstraintValidator = new PKIXNameConstraintValidator();
            HashSet hashSet4 = new HashSet();
            int i7 = a.c() ? 0 : i5;
            int i8 = a.a.isAnyPolicyInhibited() ? 0 : i5;
            if (a.a.isPolicyMappingInhibited()) {
                i5 = 0;
            }
            X509Certificate trustedCert = d.getTrustedCert();
            try {
                if (trustedCert != null) {
                    e = PrincipalUtils.d(trustedCert);
                    cAPublicKey = trustedCert.getPublicKey();
                } else {
                    e = PrincipalUtils.e(d.getCA());
                    cAPublicKey = d.getCAPublicKey();
                }
                try {
                    ASN1ObjectIdentifier aSN1ObjectIdentifier = CertPathValidatorUtilities.g(cAPublicKey).a;
                    PKIXCertStoreSelector pKIXCertStoreSelector = a.f5625b;
                    int i9 = i5;
                    if (pKIXCertStoreSelector == null) {
                        z2 = false;
                    } else {
                        if (!pKIXCertStoreSelector.L((X509Certificate) certificates.get(0))) {
                            throw new ExtCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
                        }
                        z2 = false;
                    }
                    List<PKIXCertPathChecker> certPathCheckers = a.a.getCertPathCheckers();
                    Iterator<PKIXCertPathChecker> it2 = certPathCheckers.iterator();
                    while (it2.hasNext()) {
                        it2.next().init(z2);
                        certPathCheckers = certPathCheckers;
                    }
                    List<PKIXCertPathChecker> list3 = certPathCheckers;
                    ProvCrlRevocationChecker provCrlRevocationChecker = a.f3 ? new ProvCrlRevocationChecker(this.a) : null;
                    PublicKey publicKey = cAPublicKey;
                    PKIXPolicyNode pKIXPolicyNode2 = pKIXPolicyNode;
                    int i10 = i9;
                    X500Name x500Name = e;
                    X509Certificate x509Certificate2 = trustedCert;
                    int i11 = i8;
                    int size2 = certificates.size() - 1;
                    int i12 = size;
                    int i13 = i7;
                    X509Certificate x509Certificate3 = null;
                    int i14 = i13;
                    while (size2 >= 0) {
                        int i15 = size - size2;
                        Set<String> set = initialPolicies;
                        X509Certificate x509Certificate4 = (X509Certificate) certificates.get(size2);
                        boolean z3 = size2 == certificates.size() + (-1);
                        try {
                            a(x509Certificate4);
                            List<PKIXCertPathChecker> list4 = list3;
                            List<? extends Certificate> list5 = certificates;
                            int i16 = i11;
                            PKIXExtendedParameters pKIXExtendedParameters2 = a;
                            ?? r24 = a;
                            int i17 = i14;
                            Date date = p2;
                            int i18 = size2;
                            ?? r15 = pKIXNameConstraintValidator;
                            ?? r22 = arrayListArr2;
                            TrustAnchor trustAnchor = d;
                            RFC3280CertPathUtilities.x(certPath, pKIXExtendedParameters2, p2, provCrlRevocationChecker, size2, publicKey, r22, x500Name, x509Certificate2);
                            RFC3280CertPathUtilities.y(certPath, i18, r15, this.f5773b);
                            PKIXPolicyNode pKIXPolicyNode3 = pKIXPolicyNode2;
                            PKIXPolicyNode A = RFC3280CertPathUtilities.A(certPath, i18, RFC3280CertPathUtilities.z(certPath, i18, hashSet4, pKIXPolicyNode3, r22, i16, this.f5773b));
                            if (i17 <= 0 && A == null) {
                                throw new ExtCertPathValidatorException("No valid policy tree found when one expected.", null, certPath, i18);
                            }
                            if (pKIXPolicyNode3 == size) {
                                i = i16;
                                arrayListArr = r22;
                                list2 = list4;
                                i2 = r24;
                                i3 = i18;
                                x509Certificate = r15;
                            } else {
                                if (r15 != 0 && r15.getVersion() == 1) {
                                    if (pKIXPolicyNode3 == 1) {
                                        x509Certificate = r15;
                                        if (x509Certificate.equals(trustAnchor.getTrustedCert())) {
                                            i = i16;
                                            arrayListArr = r22;
                                            list2 = list4;
                                            i2 = r24;
                                            i3 = i18;
                                        }
                                    }
                                    throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, i18);
                                }
                                x509Certificate = r15;
                                RFC3280CertPathUtilities.d(certPath, i18);
                                arrayListArr = r22;
                                PKIXPolicyNode c = RFC3280CertPathUtilities.c(certPath, i18, arrayListArr, A, i18);
                                RFC3280CertPathUtilities.e(certPath, i18, r15);
                                int f = RFC3280CertPathUtilities.f(certPath, i18, i17);
                                int g = RFC3280CertPathUtilities.g(certPath, i18, i18);
                                int h = RFC3280CertPathUtilities.h(certPath, i18, i16);
                                i17 = RFC3280CertPathUtilities.i(certPath, i18, f);
                                int j2 = RFC3280CertPathUtilities.j(certPath, i18, g);
                                RFC3280CertPathUtilities.k(certPath, i18, h);
                                RFC3280CertPathUtilities.l(certPath, i18);
                                int n2 = RFC3280CertPathUtilities.n(certPath, i18, RFC3280CertPathUtilities.m(certPath, i18, r24));
                                RFC3280CertPathUtilities.o(certPath, i18);
                                Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
                                if (criticalExtensionOIDs != null) {
                                    hashSet2 = new HashSet(criticalExtensionOIDs);
                                    hashSet2.remove(RFC3280CertPathUtilities.f5783m);
                                    hashSet2.remove(RFC3280CertPathUtilities.f5779b);
                                    hashSet2.remove(RFC3280CertPathUtilities.c);
                                    hashSet2.remove(RFC3280CertPathUtilities.d);
                                    hashSet2.remove(RFC3280CertPathUtilities.e);
                                    hashSet2.remove(RFC3280CertPathUtilities.f);
                                    hashSet2.remove(RFC3280CertPathUtilities.g);
                                    hashSet2.remove(RFC3280CertPathUtilities.h);
                                    hashSet2.remove(RFC3280CertPathUtilities.f5780j);
                                    hashSet2.remove(RFC3280CertPathUtilities.f5781k);
                                } else {
                                    hashSet2 = new HashSet();
                                }
                                list2 = list4;
                                RFC3280CertPathUtilities.p(certPath, i18, hashSet2, list2);
                                X500Name d2 = PrincipalUtils.d(x509Certificate);
                                try {
                                    PublicKey m2 = CertPathValidatorUtilities.m(certPath.getCertificates(), i18, this.a);
                                    ASN1ObjectIdentifier aSN1ObjectIdentifier2 = CertPathValidatorUtilities.g(m2).a;
                                    pKIXPolicyNode2 = c;
                                    x509Certificate2 = x509Certificate;
                                    i12 = n2;
                                    x500Name = d2;
                                    publicKey = m2;
                                    i4 = j2;
                                    i11 = i4;
                                    size2 = i18 - 1;
                                    arrayListArr2 = arrayListArr;
                                    list3 = list2;
                                    pKIXNameConstraintValidator = r15;
                                    initialPolicies = set;
                                    certificates = list5;
                                    p2 = date;
                                    d = trustAnchor;
                                    i10 = i4;
                                    x509Certificate3 = x509Certificate;
                                    i14 = i17;
                                    a = r24;
                                } catch (CertPathValidatorException e3) {
                                    throw new CertPathValidatorException("Next working key could not be retrieved.", e3, certPath, i18);
                                }
                            }
                            pKIXPolicyNode2 = A;
                            i4 = i3;
                            i11 = i;
                            i12 = i2;
                            size2 = i18 - 1;
                            arrayListArr2 = arrayListArr;
                            list3 = list2;
                            pKIXNameConstraintValidator = r15;
                            initialPolicies = set;
                            certificates = list5;
                            p2 = date;
                            d = trustAnchor;
                            i10 = i4;
                            x509Certificate3 = x509Certificate;
                            i14 = i17;
                            a = r24;
                        } catch (AnnotatedException e4) {
                            throw new CertPathValidatorException(e4.getMessage(), e4.a, certPath, size2);
                        }
                    }
                    PKIXExtendedParameters pKIXExtendedParameters3 = a;
                    int i19 = size2;
                    ArrayList[] arrayListArr3 = arrayListArr2;
                    TrustAnchor trustAnchor2 = d;
                    Set<String> set2 = initialPolicies;
                    List<PKIXCertPathChecker> list6 = list3;
                    int i20 = i19 + 1;
                    int C = RFC3280CertPathUtilities.C(certPath, i20, RFC3280CertPathUtilities.B(i14, x509Certificate3));
                    Set<String> criticalExtensionOIDs2 = x509Certificate3.getCriticalExtensionOIDs();
                    if (criticalExtensionOIDs2 != null) {
                        hashSet = new HashSet(criticalExtensionOIDs2);
                        hashSet.remove(RFC3280CertPathUtilities.f5783m);
                        hashSet.remove(RFC3280CertPathUtilities.f5779b);
                        hashSet.remove(RFC3280CertPathUtilities.c);
                        hashSet.remove(RFC3280CertPathUtilities.d);
                        hashSet.remove(RFC3280CertPathUtilities.e);
                        hashSet.remove(RFC3280CertPathUtilities.f);
                        hashSet.remove(RFC3280CertPathUtilities.g);
                        hashSet.remove(RFC3280CertPathUtilities.h);
                        hashSet.remove(RFC3280CertPathUtilities.f5780j);
                        hashSet.remove(RFC3280CertPathUtilities.f5781k);
                        hashSet.remove(RFC3280CertPathUtilities.i);
                        hashSet.remove(Extension.n3.f4651b);
                    } else {
                        hashSet = new HashSet();
                    }
                    RFC3280CertPathUtilities.D(certPath, i20, list6, hashSet);
                    X509Certificate x509Certificate5 = x509Certificate3;
                    ?? r7 = pKIXPolicyNode2;
                    PKIXPolicyNode E = RFC3280CertPathUtilities.E(certPath, pKIXExtendedParameters3, set2, r7, arrayListArr3, r7, hashSet4);
                    if (C > 0 || E != null) {
                        return new PKIXCertPathValidatorResult(trustAnchor2, E, x509Certificate5.getPublicKey());
                    }
                    throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, i19);
                } catch (CertPathValidatorException e5) {
                    throw new ExtCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", e5, certPath, -1);
                }
            } catch (RuntimeException e6) {
                throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", e6, certPath, -1);
            }
        } catch (AnnotatedException e7) {
            e = e7;
            list = certificates;
        }
    }
}
