package org.bouncycastle.jce.provider;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1OutputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.cert.CertPath;
import org.bouncycastle.jce.cert.CertPathParameters;
import org.bouncycastle.jce.cert.CertPathValidatorException;
import org.bouncycastle.jce.cert.CertPathValidatorResult;
import org.bouncycastle.jce.cert.CertPathValidatorSpi;
import org.bouncycastle.jce.cert.CertStore;
import org.bouncycastle.jce.cert.CertStoreException;
import org.bouncycastle.jce.cert.PKIXCertPathChecker;
import org.bouncycastle.jce.cert.PKIXCertPathValidatorResult;
import org.bouncycastle.jce.cert.PKIXParameters;
import org.bouncycastle.jce.cert.PolicyQualifierInfo;
import org.bouncycastle.jce.cert.TrustAnchor;
import org.bouncycastle.jce.cert.X509CRLSelector;
import org.bouncycastle.jce.cert.X509CertSelector;

/* loaded from: input_file:WEB-INF/lib/ghn-core-runtime-1.0.0.jar:org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.class */
public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi {
    // Dotted-decimal OIDs of the X.509 certificate and CRL extensions this validator looks up by id.
    private static final String CERTIFICATE_POLICIES = X509Extensions.CertificatePolicies.getId();
    private static final String POLICY_MAPPINGS = X509Extensions.PolicyMappings.getId();
    private static final String INHIBIT_ANY_POLICY = X509Extensions.InhibitAnyPolicy.getId();
    private static final String ISSUING_DISTRIBUTION_POINT = X509Extensions.IssuingDistributionPoint.getId();
    private static final String DELTA_CRL_INDICATOR = X509Extensions.DeltaCRLIndicator.getId();
    private static final String POLICY_CONSTRAINTS = X509Extensions.PolicyConstraints.getId();
    private static final String BASIC_CONSTRAINTS = X509Extensions.BasicConstraints.getId();
    private static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId();
    private static final String NAME_CONSTRAINTS = X509Extensions.NameConstraints.getId();
    private static final String KEY_USAGE = X509Extensions.KeyUsage.getId();
    private static final String CRL_NUMBER = X509Extensions.CRLNumber.getId();
    // OID of the special "anyPolicy" certificate policy; used as the valid policy of the root policy node.
    private static final String ANY_POLICY = "2.5.29.32.0";
    // Positions in the boolean[] returned by X509Certificate.getKeyUsage(): keyCertSign and cRLSign.
    // The CRL-signing check in engineValidate tests index 6 of that array.
    private static final int KEY_CERT_SIGN = 5;
    private static final int CRL_SIGN = 6;

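    /**
     * Returns the decoded body of the extension with the given OID.
     *
     * <p>{@link X509Extension#getExtensionValue(String)} hands back the extension body wrapped in a
     * DER OCTET STRING, so the value is parsed twice: once to unwrap the octet string and once to
     * decode the body it carries. The bytes come from the certificate or CRL under validation and
     * must be treated as untrusted input.
     *
     * @param x509Extension certificate or CRL to read the extension from
     * @param str dotted-decimal OID of the extension
     * @return the decoded extension body, or {@code null} if the extension is absent
     * @throws CertPathValidatorException if the bytes cannot be parsed; the underlying
     *         {@link IOException} is attached as the cause
     */
    private DERObject getExtensionValue(X509Extension x509Extension, String str) throws CertPathValidatorException {
        byte[] wrapped = x509Extension.getExtensionValue(str);
        if (wrapped == null) {
            return null;
        }
        try {
            // Outer layer: the OCTET STRING wrapper.
            // NOTE(review): a value whose outer object is not an OCTET STRING surfaces as an unchecked
            // ClassCastException here rather than a CertPathValidatorException.
            ASN1OctetString wrapper = (ASN1OctetString) new ASN1InputStream(new ByteArrayInputStream(wrapped)).readObject();
            // Inner layer: the extension body itself.
            return new ASN1InputStream(new ByteArrayInputStream(wrapper.getOctets())).readObject();
        } catch (IOException e) {
            // Keep the parser error as the cause so a rejected certificate can be diagnosed.
            throw new CertPathValidatorException("exception processing extension " + str, e);
        }
    }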

    /**
     * Tells whether a distinguished name lies inside a name-constraint subtree.
     *
     * <p>The subtree matches when it is non-empty, no longer than the name, and each of its
     * elements equals the element at the same position in the name, i.e. the subtree is a
     * leading prefix of the name.
     *
     * @param aSN1Sequence the distinguished name being tested
     * @param aSN1Sequence2 the subtree base name
     * @return {@code true} if the name falls within the subtree
     */
    private boolean withinDNSubtree(ASN1Sequence aSN1Sequence, ASN1Sequence aSN1Sequence2) {
        int subtreeLength = aSN1Sequence2.size();
        if (subtreeLength < 1 || subtreeLength > aSN1Sequence.size()) {
            return false;
        }
        // NOTE(review): elements are compared with equals() on the decoded ASN.1 objects; names that
        // differ only in case or string type presumably do not match here. Confirm whether that is
        // acceptable for excluded subtrees, where a missed match means the name is accepted.
        int position = 0;
        while (position < subtreeLength) {
            if (!aSN1Sequence2.getObjectAt(position).equals(aSN1Sequence.getObjectAt(position))) {
                return false;
            }
            position++;
        }
        return true;
    }

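    /**
     * Orders the certificates of a path by following issuer/subject links.
     *
     * <p>Starting from the issuer name of {@code x509Certificate}, each pass picks the certificates
     * whose issuer equals the name currently expected, moves them to the front of the result and
     * continues with their subject name. The result therefore ends with the certificate closest to
     * the starting issuer and begins with the one furthest from it.
     *
     * <p>Matched certificates are removed from {@code list}. Certificates that never match are
     * left in {@code list} and are absent from the result, so the result can be shorter than the
     * input.
     * NOTE(review): engineValidate sizes its policy tree from the original path length, not from
     * the sorted list; confirm that a path containing unrelated certificates is handled as intended.
     * NOTE(review): ordering relies on name equality only; signatures are not checked here.
     * NOTE(review): engineValidate passes {@code trustAnchor.getTrustedCert()}, which it later
     * treats as possibly null; confirm a null certificate is handled by PrincipalUtil.
     *
     * @param list certificates of the path, in any order; modified by this call
     * @param x509Certificate certificate whose issuer name starts the chain
     * @return the certificates that could be chained, in the order described above
     * @throws CertPathValidatorException if a certificate's name cannot be extracted; the
     *         encoding error is attached as the cause
     */
    private List sortCerts(List list, X509Certificate x509Certificate) throws CertPathValidatorException {
        ArrayList ordered = new ArrayList(list.size());
        try {
            X509Principal expectedIssuer = PrincipalUtil.getIssuerX509Principal(x509Certificate);
            // One pass per input certificate is enough to place every certificate that can chain.
            for (int pass = list.size(); pass > 0; pass--) {
                for (Iterator it = list.iterator(); it.hasNext();) {
                    X509Certificate candidate = (X509Certificate) it.next();
                    if (PrincipalUtil.getIssuerX509Principal(candidate).equals(expectedIssuer)) {
                        expectedIssuer = PrincipalUtil.getSubjectX509Principal(candidate);
                        ordered.add(0, candidate);
                        it.remove();
                    }
                }
            }
            return ordered;
        } catch (CertificateEncodingException e) {
            // Same message as before, with the original exception kept as the cause.
            throw new CertPathValidatorException(e.getMessage(), e);
        }
    }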

    /**
     * Enforces the permitted-subtree constraint for a distinguished name.
     *
     * <p>An empty set means no constraint and the name is accepted. Otherwise the name must fall
     * within at least one subtree of the set.
     *
     * @param hashSet permitted subtrees, each an {@code ASN1Sequence}
     * @param aSN1Sequence the distinguished name to check
     * @throws CertPathValidatorException if the set is non-empty and no subtree contains the name
     */
    private void checkPermittedDN(HashSet hashSet, ASN1Sequence aSN1Sequence) throws CertPathValidatorException {
        if (hashSet.isEmpty()) {
            return;
        }
        boolean permitted = false;
        for (Iterator it = hashSet.iterator(); !permitted && it.hasNext();) {
            permitted = withinDNSubtree(aSN1Sequence, (ASN1Sequence) it.next());
        }
        if (!permitted) {
            throw new CertPathValidatorException("Subject distinguished name is not from a permitted subtree");
        }
    }

    /**
     * Enforces the excluded-subtree constraint for a distinguished name.
     *
     * @param hashSet excluded subtrees, each an {@code ASN1Sequence}; an empty set excludes nothing
     * @param aSN1Sequence the distinguished name to check
     * @throws CertPathValidatorException if the name falls within any subtree of the set
     */
    private void checkExcludedDN(HashSet hashSet, ASN1Sequence aSN1Sequence) throws CertPathValidatorException {
        // An empty set simply yields no iterations, so no separate emptiness test is needed.
        for (Iterator it = hashSet.iterator(); it.hasNext();) {
            ASN1Sequence excludedSubtree = (ASN1Sequence) it.next();
            if (!withinDNSubtree(aSN1Sequence, excludedSubtree)) {
                continue;
            }
            throw new CertPathValidatorException("Subject distinguished name is from an excluded subtree");
        }
    }

    /**
     * Narrows a set of distinguished-name subtrees by one more subtree.
     *
     * <p>If the set is empty the new subtree is added to it and the same set is returned.
     * Otherwise a new set is built: for each existing subtree, whichever of the two is contained
     * in the other is kept, and unrelated pairs contribute nothing.
     *
     * <p>NOTE(review): the result can be empty when the new subtree is unrelated to every existing
     * one. checkPermittedDN treats an empty set as "no constraint", so if the caller stores this
     * result as the permitted set, disjoint constraints would presumably lift the restriction
     * instead of rejecting every name. Confirm against the caller.
     *
     * @param hashSet current subtrees; modified only when it is empty
     * @param aSN1Sequence subtree to intersect with
     * @return the narrowed set
     */
    private HashSet intersectDN(HashSet hashSet, ASN1Sequence aSN1Sequence) {
        if (hashSet.isEmpty()) {
            hashSet.add(aSN1Sequence);
            return hashSet;
        }
        HashSet narrowed = new HashSet();
        for (Iterator it = hashSet.iterator(); it.hasNext();) {
            ASN1Sequence existing = (ASN1Sequence) it.next();
            ASN1Sequence keep = null;
            if (withinDNSubtree(aSN1Sequence, existing)) {
                // New subtree is the narrower one.
                keep = aSN1Sequence;
            } else if (withinDNSubtree(existing, aSN1Sequence)) {
                // Existing subtree is the narrower one.
                keep = existing;
            }
            if (keep != null) {
                narrowed.add(keep);
            }
        }
        return narrowed;
    }

    /**
     * Widens a set of distinguished-name subtrees by one more subtree.
     *
     * <p>If the set is empty the new subtree is added to it and the same set is returned.
     * Otherwise a new set is built: for each existing subtree, the broader of the two is kept when
     * one contains the other, and both are kept when they are unrelated.
     *
     * @param hashSet current subtrees; modified only when it is empty
     * @param aSN1Sequence subtree to add
     * @return the widened set
     */
    private HashSet unionDN(HashSet hashSet, ASN1Sequence aSN1Sequence) {
        if (hashSet.isEmpty()) {
            hashSet.add(aSN1Sequence);
            return hashSet;
        }
        HashSet widened = new HashSet();
        for (Iterator it = hashSet.iterator(); it.hasNext();) {
            ASN1Sequence existing = (ASN1Sequence) it.next();
            if (withinDNSubtree(aSN1Sequence, existing)) {
                // Existing subtree already covers the new one.
                widened.add(existing);
                continue;
            }
            if (withinDNSubtree(existing, aSN1Sequence)) {
                // New subtree covers the existing one.
                widened.add(aSN1Sequence);
                continue;
            }
            widened.add(existing);
            widened.add(aSN1Sequence);
        }
        return widened;
    }

    /**
     * Narrows a set of e-mail constraints by one more constraint.
     *
     * <p>Only the part after the first {@code '@'} is used (the whole string when there is none).
     * If the set is empty that part is added to it and the same set is returned. Otherwise a new
     * set is built: for each existing entry, whichever of the two strings ends with the other is
     * kept, and unrelated pairs contribute nothing.
     *
     * <p>NOTE(review): containment is a plain case-sensitive {@code endsWith}, so
     * {@code "evilexample.com"} counts as inside {@code "example.com"}. The result can also be
     * empty, which checkPermittedEmail treats as "no constraint". Both points should be reviewed
     * together with the caller before the comparison is tightened.
     *
     * @param hashSet current constraints as strings; modified only when it is empty
     * @param str e-mail address or domain to intersect with
     * @return the narrowed set
     */
    private HashSet intersectEmail(HashSet hashSet, String str) {
        String host = str.substring(str.indexOf('@') + 1);
        if (hashSet.isEmpty()) {
            hashSet.add(host);
            return hashSet;
        }
        HashSet narrowed = new HashSet();
        for (Iterator it = hashSet.iterator(); it.hasNext();) {
            String existing = (String) it.next();
            if (host.endsWith(existing)) {
                narrowed.add(host);
                continue;
            }
            if (existing.endsWith(host)) {
                narrowed.add(existing);
            }
        }
        return narrowed;
    }

    /**
     * Widens a set of e-mail constraints by one more constraint.
     *
     * <p>Only the part after the first {@code '@'} is used (the whole string when there is none).
     * If the set is empty that part is added to it and the same set is returned. Otherwise a new
     * set is built: for each existing entry, the shorter suffix is kept when one string ends with
     * the other, and both are kept when they are unrelated.
     *
     * <p>NOTE(review): containment is a plain case-sensitive {@code endsWith} with no check for a
     * domain-label boundary, so {@code "example.com"} absorbs {@code "evilexample.com"}.
     *
     * @param hashSet current constraints as strings; modified only when it is empty
     * @param str e-mail address or domain to add
     * @return the widened set
     */
    private HashSet unionEmail(HashSet hashSet, String str) {
        String host = str.substring(str.indexOf('@') + 1);
        if (hashSet.isEmpty()) {
            hashSet.add(host);
            return hashSet;
        }
        HashSet widened = new HashSet();
        for (Iterator it = hashSet.iterator(); it.hasNext();) {
            String existing = (String) it.next();
            if (host.endsWith(existing)) {
                // Existing entry already covers the new one.
                widened.add(existing);
                continue;
            }
            if (existing.endsWith(host)) {
                // New entry covers the existing one.
                widened.add(host);
                continue;
            }
            widened.add(existing);
            widened.add(host);
        }
        return widened;
    }

    /**
     * Placeholder for intersecting IP-address constraints: returns the set unchanged and ignores
     * {@code bArr}.
     *
     * <p>NOTE(review): IP address name constraints are never recorded by this method, so an
     * iPAddress constraint passed here has no effect on validation. Callers that need such
     * constraints enforced cannot rely on this class as shown.
     */
    private HashSet intersectIP(HashSet hashSet, byte[] bArr) {
        return hashSet;
    }

    /**
     * Placeholder for widening IP-address constraints: returns the set unchanged and ignores
     * {@code bArr}.
     *
     * <p>NOTE(review): an excluded iPAddress subtree passed here is dropped, so it is never
     * enforced by the IP checks in this class.
     */
    private HashSet unionIP(HashSet hashSet, byte[] bArr) {
        return hashSet;
    }

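    /**
     * Enforces the permitted-subtree constraint for an e-mail address.
     *
     * <p>An empty set means no constraint. Otherwise the part of {@code str} after the first
     * {@code '@'} (the whole string when there is none) must match at least one entry. An entry
     * matches when it equals the host, or when the host ends with it on a domain-label boundary:
     * the entry starts with {@code '.'} or the character before the matched suffix is {@code '.'}.
     * Comparison ignores case, as domain names are case-insensitive.
     *
     * <p>A bare suffix test would accept {@code user@evilexample.com} under a constraint of
     * {@code example.com}; the boundary test closes that gap. An empty-string entry still matches
     * every host, as it did before.
     *
     * @param hashSet permitted constraints as strings
     * @param str e-mail address taken from the certificate
     * @throws CertPathValidatorException if the set is non-empty and no entry matches
     */
    private void checkPermittedEmail(HashSet hashSet, String str) throws CertPathValidatorException {
        if (hashSet.isEmpty()) {
            return;
        }
        String host = str.substring(str.indexOf('@') + 1);
        for (Iterator it = hashSet.iterator(); it.hasNext();) {
            String constraint = (String) it.next();
            int offset = host.length() - constraint.length();
            if (offset < 0 || !host.regionMatches(true, offset, constraint, 0, constraint.length())) {
                continue;
            }
            // The suffix matches; accept only an exact match or a match on a whole label.
            if (offset == 0 || constraint.length() == 0 || constraint.charAt(0) == '.' || host.charAt(offset - 1) == '.') {
                return;
            }
        }
        throw new CertPathValidatorException("Subject email address is not from a permitted subtree");
    }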

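    /**
     * Enforces the excluded-subtree constraint for an e-mail address.
     *
     * <p>The part of {@code str} after the first {@code '@'} (the whole string when there is none)
     * is compared with every entry. An entry matches when it equals the host, or when the host
     * ends with it on a domain-label boundary: the entry starts with {@code '.'} or the character
     * before the matched suffix is {@code '.'}. Comparison ignores case, so an address cannot
     * avoid an exclusion by changing the case of its domain. Unrelated domains that merely share
     * trailing characters with an entry are no longer rejected. An empty-string entry still
     * matches every host, as it did before.
     *
     * @param hashSet excluded constraints as strings; an empty set excludes nothing
     * @param str e-mail address taken from the certificate
     * @throws CertPathValidatorException if any entry matches
     */
    private void checkExcludedEmail(HashSet hashSet, String str) throws CertPathValidatorException {
        if (hashSet.isEmpty()) {
            return;
        }
        String host = str.substring(str.indexOf('@') + 1);
        for (Iterator it = hashSet.iterator(); it.hasNext();) {
            String constraint = (String) it.next();
            int offset = host.length() - constraint.length();
            if (offset < 0 || !host.regionMatches(true, offset, constraint, 0, constraint.length())) {
                continue;
            }
            // The suffix matches; reject only an exact match or a match on a whole label.
            if (offset == 0 || constraint.length() == 0 || constraint.charAt(0) == '.' || host.charAt(offset - 1) == '.') {
                throw new CertPathValidatorException("Subject email address is from an excluded subtree");
            }
        }
    }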

    /**
     * Placeholder for the permitted-subtree check on an IP address; it never rejects anything.
     *
     * <p>NOTE(review): no comparison against {@code bArr} is performed, so a certificate's
     * iPAddress subject alternative name is accepted regardless of the contents of the set.
     *
     * @param hashSet permitted IP constraints
     * @param bArr IP address octets from the certificate
     * @throws CertPathValidatorException never thrown by the current body
     */
    private void checkPermittedIP(HashSet hashSet, byte[] bArr) throws CertPathValidatorException {
        if (hashSet.isEmpty()) {
            return;
        }
        // Not implemented: a non-empty set is not compared with the address.
    }

    /**
     * Placeholder for the excluded-subtree check on an IP address; it never rejects anything.
     *
     * <p>NOTE(review): no comparison against {@code bArr} is performed, so an address inside an
     * excluded range is accepted.
     *
     * @param hashSet excluded IP constraints
     * @param bArr IP address octets from the certificate
     * @throws CertPathValidatorException never thrown by the current body
     */
    private void checkExcludedIP(HashSet hashSet, byte[] bArr) throws CertPathValidatorException {
        if (hashSet.isEmpty()) {
            return;
        }
        // Not implemented: a non-empty set is not compared with the address.
    }

    /**
     * Removes a node and its descendants from the policy tree.
     *
     * <p>When the node has a parent it is detached from that parent and taken out of the per-depth
     * lists together with its descendants, and the tree root is returned unchanged. When the node
     * has no parent, every per-depth list is replaced by an empty one and {@code null} is
     * returned, i.e. the whole tree is discarded.
     *
     * @param pKIXPolicyNode current tree root, or {@code null} if there is no tree
     * @param arrayListArr per-depth lists of tree nodes
     * @param pKIXPolicyNode2 node to remove
     * @return the tree root after removal, or {@code null} if no tree remains
     */
    private PKIXPolicyNode removePolicyNode(PKIXPolicyNode pKIXPolicyNode, ArrayList[] arrayListArr, PKIXPolicyNode pKIXPolicyNode2) {
        // The parent is looked up before the root is tested, as in the original order of calls.
        PKIXPolicyNode parent = (PKIXPolicyNode) pKIXPolicyNode2.getParent();
        if (pKIXPolicyNode == null) {
            return null;
        }
        if (parent == null) {
            // Removing a parentless node empties the tree.
            int depth = 0;
            while (depth < arrayListArr.length) {
                arrayListArr[depth] = new ArrayList();
                depth++;
            }
            return null;
        }
        parent.removeChild(pKIXPolicyNode2);
        removePolicyNodeRecurse(arrayListArr, pKIXPolicyNode2);
        return pKIXPolicyNode;
    }

    /**
     * Takes a node out of the list for its depth, then does the same for all of its descendants.
     *
     * @param arrayListArr per-depth lists of tree nodes, indexed by node depth
     * @param pKIXPolicyNode node whose subtree is removed from the lists
     */
    private void removePolicyNodeRecurse(ArrayList[] arrayListArr, PKIXPolicyNode pKIXPolicyNode) {
        arrayListArr[pKIXPolicyNode.getDepth()].remove(pKIXPolicyNode);
        if (!pKIXPolicyNode.hasChildren()) {
            return;
        }
        for (Iterator descendants = pKIXPolicyNode.getChildren(); descendants.hasNext();) {
            removePolicyNodeRecurse(arrayListArr, (PKIXPolicyNode) descendants.next());
        }
    }

    /**
     * Tells whether a certificate's subject name equals its issuer name.
     *
     * <p>Only the two names are compared; the signature is not checked here.
     * NOTE(review): equality is whatever the provider's principal type implements in
     * {@code equals}; confirm it compares names the way the rest of the validator expects.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} if subject and issuer names are equal
     */
    private boolean isSelfIssued(X509Certificate x509Certificate) {
        Object subject = x509Certificate.getSubjectDN();
        Object issuer = x509Certificate.getIssuerDN();
        return subject.equals(issuer);
    }

    /**
     * Tells whether a policy set stands for "any policy".
     *
     * @param set policy OID strings
     * @return {@code true} if the set contains the anyPolicy OID or is empty
     */
    private boolean isAnyPolicy(Set set) {
        if (set.contains(ANY_POLICY)) {
            return true;
        }
        // An empty set is treated the same as an explicit anyPolicy entry.
        return set.isEmpty();
    }

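    /**
     * Extracts the algorithm identifier from a public key's encoded form.
     *
     * <p>The key's encoding is parsed as a SubjectPublicKeyInfo structure and its algorithm
     * identifier is returned.
     *
     * @param publicKey key to inspect
     * @return the algorithm identifier carried in the key encoding
     * @throws CertPathValidatorException if the key has no encoded form or the encoding cannot be
     *         parsed; a parse failure is attached as the cause
     */
    private AlgorithmIdentifier getAlgorithmIdentifier(PublicKey publicKey) throws CertPathValidatorException {
        // Key.getEncoded() returns null for keys that do not support encoding; report that as a
        // validation failure instead of letting a NullPointerException escape.
        byte[] encoded = publicKey.getEncoded();
        if (encoded == null) {
            throw new CertPathValidatorException("exception processing public key: key has no encoded form");
        }
        try {
            ASN1InputStream keyStream = new ASN1InputStream(new ByteArrayInputStream(encoded));
            return SubjectPublicKeyInfo.getInstance(keyStream.readObject()).getAlgorithmId();
        } catch (IOException e) {
            throw new CertPathValidatorException("exception processing public key", e);
        }
    }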

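    /**
     * Converts a sequence of policy qualifiers into a set of {@code PolicyQualifierInfo} objects.
     *
     * <p>Each element of the sequence is re-encoded on its own and wrapped in a
     * {@code PolicyQualifierInfo} built from those bytes.
     *
     * @param aSN1Sequence qualifiers of one policy, or {@code null} if the policy has none
     * @return the qualifiers as a set; empty when {@code aSN1Sequence} is {@code null}
     * @throws CertPathValidatorException if an element cannot be encoded or wrapped; the
     *         underlying {@link IOException} is attached as the cause
     */
    private final Set getQualifierSet(ASN1Sequence aSN1Sequence) throws CertPathValidatorException {
        HashSet qualifiers = new HashSet();
        if (aSN1Sequence == null) {
            return qualifiers;
        }
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        ASN1OutputStream encoder = new ASN1OutputStream(buffer);
        for (Enumeration elements = aSN1Sequence.getObjects(); elements.hasMoreElements();) {
            try {
                encoder.writeObject(elements.nextElement());
                qualifiers.add(new PolicyQualifierInfo(buffer.toByteArray()));
                // Reuse the buffer so the next qualifier is encoded on its own.
                buffer.reset();
            } catch (IOException e) {
                // Message text is unchanged; the exception is now also kept as the cause.
                throw new CertPathValidatorException("exception building qualifier set: " + e, e);
            }
        }
        return qualifiers;
    }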

    /**
     * Attaches a policy to the first node of the previous depth that expects it.
     *
     * <p>The nodes at depth {@code i - 1} are scanned in order. For the first one whose expected
     * policies contain the given OID, a child node for that OID is created at depth {@code i},
     * linked to the parent and recorded in the list for depth {@code i}.
     *
     * @param i depth of the certificate being processed
     * @param arrayListArr per-depth lists of tree nodes
     * @param dERObjectIdentifier policy OID found in the certificate
     * @param set policy qualifiers to store on the new node
     * @return {@code true} if a node was added, {@code false} if no node expected the policy
     */
    private boolean processCertD1i(int i, ArrayList[] arrayListArr, DERObjectIdentifier dERObjectIdentifier, Set set) {
        ArrayList previousLevel = arrayListArr[i - 1];
        for (Iterator it = previousLevel.iterator(); it.hasNext();) {
            PKIXPolicyNode parent = (PKIXPolicyNode) it.next();
            if (!parent.getExpectedPolicies().contains(dERObjectIdentifier.getId())) {
                continue;
            }
            HashSet expected = new HashSet();
            expected.add(dERObjectIdentifier.getId());
            PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(), i, expected, parent, set, dERObjectIdentifier.getId(), false);
            parent.addChild(child);
            arrayListArr[i].add(child);
            // Only the first matching parent receives a child.
            return true;
        }
        return false;
    }

    /**
     * Attaches a policy beneath the first anyPolicy node of the previous depth.
     *
     * <p>The nodes at depth {@code i - 1} are scanned in order. For the first one whose valid
     * policy is the anyPolicy OID, a child node for the given OID is created at depth {@code i},
     * linked to the parent and recorded in the list for depth {@code i}. Nothing happens when no
     * such node exists.
     *
     * @param i depth of the certificate being processed
     * @param arrayListArr per-depth lists of tree nodes
     * @param dERObjectIdentifier policy OID found in the certificate
     * @param set policy qualifiers to store on the new node
     */
    private void processCertD1ii(int i, ArrayList[] arrayListArr, DERObjectIdentifier dERObjectIdentifier, Set set) {
        ArrayList previousLevel = arrayListArr[i - 1];
        for (Iterator it = previousLevel.iterator(); it.hasNext();) {
            PKIXPolicyNode parent = (PKIXPolicyNode) it.next();
            // Result unused; the call is kept because the original makes it.
            parent.getExpectedPolicies();
            if (!ANY_POLICY.equals(parent.getValidPolicy())) {
                continue;
            }
            HashSet expected = new HashSet();
            expected.add(dERObjectIdentifier.getId());
            PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(), i, expected, parent, set, dERObjectIdentifier.getId(), false);
            parent.addChild(child);
            arrayListArr[i].add(child);
            return;
        }
    }

    @Override // org.bouncycastle.jce.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        X509Principal x509Principal;
        PublicKey cAPublicKey;
        PKIXPolicyNode pKIXPolicyNode;
        BigInteger pathLenConstraint;
        int intValue;
        int intValue2;
        String str;
        boolean[] keyUsage;
        if (!(certPathParameters instanceof PKIXParameters)) {
            throw new InvalidAlgorithmParameterException("params must be a PKIXParameters instance");
        }
        PKIXParameters pKIXParameters = (PKIXParameters) certPathParameters;
        if (pKIXParameters.getTrustAnchors() == null) {
            throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for path validation");
        }
        List certificates = certPath.getCertificates();
        int size = certificates.size();
        if (certificates.isEmpty()) {
            throw new CertPathValidatorException("CertPath is empty", null, certPath, 0);
        }
        Date date = pKIXParameters.getDate();
        if (date == null) {
            date = new Date();
        }
        Set initialPolicies = pKIXParameters.getInitialPolicies();
        TrustAnchor trustAnchor = null;
        for (int i = 0; i < certificates.size(); i++) {
            trustAnchor = findTrustAnchor((X509Certificate) certificates.get(certificates.size() - 1), pKIXParameters.getTrustAnchors());
            if (trustAnchor != null) {
                break;
            }
        }
        if (trustAnchor == null) {
            throw new CertPathValidatorException("TrustAnchor for CertPath not found", null, certPath, 0);
        }
        List sortCerts = sortCerts(certificates, trustAnchor.getTrustedCert());
        new HashSet();
        new HashSet();
        ArrayList[] arrayListArr = new ArrayList[size + 1];
        for (int i2 = 0; i2 < arrayListArr.length; i2++) {
            arrayListArr[i2] = new ArrayList();
        }
        HashSet hashSet = new HashSet();
        hashSet.add(ANY_POLICY);
        PKIXPolicyNode pKIXPolicyNode2 = new PKIXPolicyNode(new ArrayList(), 0, hashSet, null, new HashSet(), ANY_POLICY, false);
        arrayListArr[0].add(pKIXPolicyNode2);
        HashSet hashSet2 = new HashSet();
        HashSet hashSet3 = new HashSet();
        HashSet hashSet4 = new HashSet();
        HashSet hashSet5 = new HashSet();
        HashSet hashSet6 = new HashSet();
        HashSet hashSet7 = new HashSet();
        Set set = null;
        int i3 = pKIXParameters.isExplicitPolicyRequired() ? 0 : size + 1;
        int i4 = pKIXParameters.isAnyPolicyInhibited() ? 0 : size + 1;
        int i5 = pKIXParameters.isPolicyMappingInhibited() ? 0 : size + 1;
        X509Certificate trustedCert = trustAnchor.getTrustedCert();
        try {
            if (trustedCert != null) {
                x509Principal = PrincipalUtil.getSubjectX509Principal(trustedCert);
                cAPublicKey = trustedCert.getPublicKey();
            } else {
                x509Principal = new X509Principal(trustAnchor.getCAName());
                cAPublicKey = trustAnchor.getCAPublicKey();
            }
            AlgorithmIdentifier algorithmIdentifier = getAlgorithmIdentifier(cAPublicKey);
            algorithmIdentifier.getObjectId();
            algorithmIdentifier.getParameters();
            int i6 = size;
            if (pKIXParameters.getTargetCertConstraints() != null && !pKIXParameters.getTargetCertConstraints().match((X509Certificate) sortCerts.get(0))) {
                throw new CertPathValidatorException("target certificate in certpath does not match targetcertconstraints", null, certPath, 0);
            }
            Iterator it = pKIXParameters.getCertPathCheckers().iterator();
            while (it.hasNext()) {
                ((PKIXCertPathChecker) it.next()).init(false);
            }
            X509Certificate x509Certificate = null;
            int size2 = sortCerts.size() - 1;
            while (size2 >= 0) {
                int i7 = size - size2;
                x509Certificate = (X509Certificate) sortCerts.get(size2);
                try {
                    x509Certificate.verify(cAPublicKey, "BC");
                    x509Certificate.checkValidity(date);
                    if (pKIXParameters.isRevocationEnabled()) {
                        boolean z = false;
                        X509CRLSelector x509CRLSelector = new X509CRLSelector();
                        try {
                            x509CRLSelector.addIssuerName(PrincipalUtil.getIssuerX509Principal(x509Certificate).getEncoded());
                            x509CRLSelector.setCertificateChecking(x509Certificate);
                            for (X509CRL x509crl : findCRLs(x509CRLSelector, pKIXParameters.getCertStores())) {
                                if (date.after(x509crl.getThisUpdate())) {
                                    if (x509crl.getNextUpdate() == null || date.before(x509crl.getNextUpdate())) {
                                        z = true;
                                    }
                                    if (trustedCert != null && (keyUsage = trustedCert.getKeyUsage()) != null && (keyUsage.length < 7 || !keyUsage[6])) {
                                        throw new CertPathValidatorException(new StringBuffer().append("Issuer certificate keyusage extension does not permit crl signing.\n").append(trustedCert).toString(), null, certPath, size2);
                                    }
                                    try {
                                        x509crl.verify(cAPublicKey, "BC");
                                        X509CRLEntry revokedCertificate = x509crl.getRevokedCertificate(x509Certificate.getSerialNumber());
                                        if (revokedCertificate != null && !date.before(revokedCertificate.getRevocationDate())) {
                                            throw new CertPathValidatorException(new StringBuffer().append("Certificate revocation after ").append(revokedCertificate.getRevocationDate()).toString(), null, certPath, size2);
                                        }
                                        DERObject extensionValue = getExtensionValue(x509crl, ISSUING_DISTRIBUTION_POINT);
                                        DERObject extensionValue2 = getExtensionValue(x509crl, DELTA_CRL_INDICATOR);
                                        if (extensionValue2 != null) {
                                            X509CRLSelector x509CRLSelector2 = new X509CRLSelector();
                                            try {
                                                x509CRLSelector2.addIssuerName(((X509Principal) x509crl.getIssuerDN()).getEncoded());
                                                x509CRLSelector2.setMinCRLNumber(((DERInteger) extensionValue2).getPositiveValue());
                                                x509CRLSelector2.setMaxCRLNumber(((DERInteger) getExtensionValue(x509crl, CRL_NUMBER)).getPositiveValue().subtract(BigInteger.valueOf(1L)));
                                                boolean z2 = false;
                                                Iterator it2 = findCRLs(x509CRLSelector2, pKIXParameters.getCertStores()).iterator();
                                                while (true) {
                                                    if (it2.hasNext()) {
                                                        Object extensionValue3 = getExtensionValue((X509CRL) it2.next(), ISSUING_DISTRIBUTION_POINT);
                                                        if (extensionValue == null) {
                                                            if (extensionValue3 == null) {
                                                                z2 = true;
                                                            }
                                                        } else if (extensionValue.equals(extensionValue3)) {
                                                            z2 = true;
                                                        }
                                                    }
                                                }
                                                if (!z2) {
                                                    throw new CertPathValidatorException("No base CRL for delta CRL");
                                                }
                                            } catch (IOException e) {
                                                throw new CertPathValidatorException(new StringBuffer().append("can't extract issuer from certificate: ").append(e).toString());
                                            }
                                        }
                                        if (extensionValue != null) {
                                            IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint.getInstance(extensionValue);
                                            BasicConstraints basicConstraints = BasicConstraints.getInstance(getExtensionValue(x509Certificate, BASIC_CONSTRAINTS));
                                            if (issuingDistributionPoint.onlyContainsUserCerts() && (basicConstraints == null || basicConstraints.isCA())) {
                                                throw new CertPathValidatorException("CA Cert CRL only contains user certificates");
                                            }
                                            if (issuingDistributionPoint.onlyContainsCACerts() && (basicConstraints == null || !basicConstraints.isCA())) {
                                                throw new CertPathValidatorException("End CRL only contains CA certificates");
                                            }
                                            if (issuingDistributionPoint.onlyContainsAttributeCerts()) {
                                                throw new CertPathValidatorException("onlyContainsAttributeCerts boolean is asserted");
                                            }
                                        } else {
                                            continue;
                                        }
                                    } catch (Exception e2) {
                                        throw new CertPathValidatorException(new StringBuffer().append("can't verify CRL: ").append(e2).toString());
                                    }
                                }
                            }
                            if (!z) {
                                throw new CertPathValidatorException("no valid CRL found", null, certPath, size2);
                            }
                        } catch (Exception e3) {
                            throw new CertPathValidatorException(new StringBuffer().append("can't extract issuer from certificate: ").append(e3).toString());
                        }
                    }
                    try {
                        if (!PrincipalUtil.getIssuerX509Principal(x509Certificate).equals(x509Principal)) {
                            throw new CertPathValidatorException(new StringBuffer().append("IssuerName(").append(PrincipalUtil.getIssuerX509Principal(x509Certificate)).append(") does not match SubjectName(").append(x509Principal).append(") of signing certificate").toString(), null, certPath, size2);
                        }
                        if (!isSelfIssued(x509Certificate) || i7 >= size) {
                            try {
                                ASN1Sequence aSN1Sequence = (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(PrincipalUtil.getSubjectX509Principal(x509Certificate).getEncoded())).readObject();
                                checkPermittedDN(hashSet2, aSN1Sequence);
                                checkExcludedDN(hashSet5, aSN1Sequence);
                                ASN1Sequence aSN1Sequence2 = (ASN1Sequence) getExtensionValue(x509Certificate, SUBJECT_ALTERNATIVE_NAME);
                                if (aSN1Sequence2 != null) {
                                    for (int i8 = 0; i8 < aSN1Sequence2.size(); i8++) {
                                        ASN1TaggedObject aSN1TaggedObject = (ASN1TaggedObject) aSN1Sequence2.getObjectAt(i8);
                                        switch (aSN1TaggedObject.getTagNo()) {
                                            case 1:
                                                String string = DERIA5String.getInstance(aSN1TaggedObject, true).getString();
                                                checkPermittedEmail(hashSet3, string);
                                                checkExcludedEmail(hashSet6, string);
                                                break;
                                            case 4:
                                                ASN1Sequence aSN1Sequence3 = ASN1Sequence.getInstance(aSN1TaggedObject, true);
                                                checkPermittedDN(hashSet2, aSN1Sequence3);
                                                checkExcludedDN(hashSet5, aSN1Sequence3);
                                                break;
                                            case 7:
                                                byte[] octets = ASN1OctetString.getInstance(aSN1TaggedObject, true).getOctets();
                                                checkPermittedIP(hashSet4, octets);
                                                checkExcludedIP(hashSet7, octets);
                                                break;
                                        }
                                    }
                                }
                            } catch (Exception e4) {
                                throw new CertPathValidatorException("exception extracting subject name when checking subtrees");
                            }
                        }
                        ASN1Sequence aSN1Sequence4 = (ASN1Sequence) getExtensionValue(x509Certificate, CERTIFICATE_POLICIES);
                        if (aSN1Sequence4 != null && pKIXPolicyNode2 != null) {
                            Enumeration objects = aSN1Sequence4.getObjects();
                            HashSet hashSet8 = new HashSet();
                            while (objects.hasMoreElements()) {
                                PolicyInformation policyInformation = PolicyInformation.getInstance(objects.nextElement());
                                DERObjectIdentifier policyIdentifier = policyInformation.getPolicyIdentifier();
                                hashSet8.add(policyIdentifier.getId());
                                if (!ANY_POLICY.equals(policyIdentifier.getId())) {
                                    Set qualifierSet = getQualifierSet(policyInformation.getPolicyQualifiers());
                                    if (!processCertD1i(i7, arrayListArr, policyIdentifier, qualifierSet)) {
                                        processCertD1ii(i7, arrayListArr, policyIdentifier, qualifierSet);
                                    }
                                }
                            }
                            if (set == null) {
                                set = hashSet8;
                            } else {
                                HashSet hashSet9 = new HashSet();
                                for (Object obj : set) {
                                    if (hashSet8.contains(obj)) {
                                        hashSet9.add(obj);
                                    }
                                }
                                set = hashSet9;
                            }
                            if (i4 > 0 || (i7 < size && isSelfIssued(x509Certificate))) {
                                Enumeration objects2 = aSN1Sequence4.getObjects();
                                while (true) {
                                    if (objects2.hasMoreElements()) {
                                        PolicyInformation policyInformation2 = PolicyInformation.getInstance(objects2.nextElement());
                                        if (!ANY_POLICY.equals(policyInformation2.getPolicyIdentifier().getId())) {
                                            Set qualifierSet2 = getQualifierSet(policyInformation2.getPolicyQualifiers());
                                            ArrayList arrayList = arrayListArr[i7 - 1];
                                            for (int i9 = 0; i9 < arrayList.size(); i9++) {
                                                PKIXPolicyNode pKIXPolicyNode3 = (PKIXPolicyNode) arrayList.get(i9);
                                                for (Object obj2 : pKIXPolicyNode3.getExpectedPolicies()) {
                                                    if (obj2 instanceof String) {
                                                        str = (String) obj2;
                                                    } else if (obj2 instanceof DERObjectIdentifier) {
                                                        str = ((DERObjectIdentifier) obj2).getId();
                                                    }
                                                    boolean z3 = false;
                                                    Iterator children = pKIXPolicyNode3.getChildren();
                                                    while (children.hasNext()) {
                                                        if (str.equals(((PKIXPolicyNode) children.next()).getValidPolicy())) {
                                                            z3 = true;
                                                        }
                                                    }
                                                    if (!z3) {
                                                        HashSet hashSet10 = new HashSet();
                                                        hashSet10.add(str);
                                                        PKIXPolicyNode pKIXPolicyNode4 = new PKIXPolicyNode(new ArrayList(), i7, hashSet10, pKIXPolicyNode3, qualifierSet2, str, false);
                                                        pKIXPolicyNode3.addChild(pKIXPolicyNode4);
                                                        arrayListArr[i7].add(pKIXPolicyNode4);
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                            for (int i10 = i7 - 1; i10 >= 0; i10--) {
                                ArrayList arrayList2 = arrayListArr[i10];
                                for (int i11 = 0; i11 < arrayList2.size(); i11++) {
                                    PKIXPolicyNode pKIXPolicyNode5 = (PKIXPolicyNode) arrayList2.get(i11);
                                    if (!pKIXPolicyNode5.hasChildren()) {
                                        pKIXPolicyNode2 = removePolicyNode(pKIXPolicyNode2, arrayListArr, pKIXPolicyNode5);
                                        if (pKIXPolicyNode2 == null) {
                                            break;
                                        }
                                    }
                                }
                            }
                            Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
                            if (criticalExtensionOIDs != null) {
                                boolean contains = criticalExtensionOIDs.contains(CERTIFICATE_POLICIES);
                                ArrayList arrayList3 = arrayListArr[i7];
                                for (int i12 = 0; i12 < arrayList3.size(); i12++) {
                                    ((PKIXPolicyNode) arrayList3.get(i12)).setCritical(contains);
                                }
                            }
                            for (int i13 = i7 - 1; i13 >= 0; i13--) {
                                ArrayList arrayList4 = arrayListArr[i13];
                                for (int i14 = 0; i14 < arrayList4.size(); i14++) {
                                    PKIXPolicyNode pKIXPolicyNode6 = (PKIXPolicyNode) arrayList4.get(i14);
                                    if (!pKIXPolicyNode6.hasChildren()) {
                                        pKIXPolicyNode2 = removePolicyNode(pKIXPolicyNode2, arrayListArr, pKIXPolicyNode6);
                                    }
                                }
                            }
                        }
                        if (aSN1Sequence4 == null) {
                            pKIXPolicyNode2 = null;
                        }
                        if (i3 <= 0 && pKIXPolicyNode2 == null && !isAnyPolicy(set)) {
                            throw new CertPathValidatorException("Failure in process (f)");
                        }
                        if (i7 != size) {
                            if (x509Certificate != null && x509Certificate.getVersion() == 1) {
                                throw new CertPathValidatorException("Version 1 certs can't be used as CA ones");
                            }
                            DERObject extensionValue4 = getExtensionValue(x509Certificate, POLICY_MAPPINGS);
                            if (extensionValue4 != null) {
                                ASN1Sequence aSN1Sequence5 = (ASN1Sequence) extensionValue4;
                                for (int i15 = 0; i15 < aSN1Sequence5.size(); i15++) {
                                    ASN1Sequence aSN1Sequence6 = (ASN1Sequence) aSN1Sequence5.getObjectAt(i15);
                                    DERObjectIdentifier dERObjectIdentifier = (DERObjectIdentifier) aSN1Sequence6.getObjectAt(0);
                                    DERObjectIdentifier dERObjectIdentifier2 = (DERObjectIdentifier) aSN1Sequence6.getObjectAt(1);
                                    if (ANY_POLICY.equals(dERObjectIdentifier.getId())) {
                                        throw new CertPathValidatorException("IssuerDomainPolicy is anyPolicy");
                                    }
                                    if (ANY_POLICY.equals(dERObjectIdentifier2.getId())) {
                                        throw new CertPathValidatorException("SubjectDomainPolicy is anyPolicy");
                                    }
                                }
                            }
                            ASN1Sequence aSN1Sequence7 = (ASN1Sequence) getExtensionValue(x509Certificate, NAME_CONSTRAINTS);
                            if (aSN1Sequence7 != null) {
                                NameConstraints nameConstraints = new NameConstraints(aSN1Sequence7);
                                ASN1Sequence permittedSubtrees = nameConstraints.getPermittedSubtrees();
                                if (permittedSubtrees != null) {
                                    Enumeration objects3 = permittedSubtrees.getObjects();
                                    while (objects3.hasMoreElements()) {
                                        GeneralName base = GeneralSubtree.getInstance(objects3.nextElement()).getBase();
                                        switch (base.getTagNo()) {
                                            case 1:
                                                hashSet3 = intersectEmail(hashSet3, DERIA5String.getInstance(base.getName()).getString());
                                                break;
                                            case 4:
                                                hashSet2 = intersectDN(hashSet2, (ASN1Sequence) base.getName());
                                                break;
                                            case 7:
                                                hashSet4 = intersectIP(hashSet4, ASN1OctetString.getInstance(base.getName()).getOctets());
                                                break;
                                        }
                                    }
                                }
                                ASN1Sequence excludedSubtrees = nameConstraints.getExcludedSubtrees();
                                if (excludedSubtrees != null) {
                                    Enumeration objects4 = excludedSubtrees.getObjects();
                                    while (objects4.hasMoreElements()) {
                                        GeneralName base2 = GeneralSubtree.getInstance(objects4.nextElement()).getBase();
                                        switch (base2.getTagNo()) {
                                            case 1:
                                                hashSet6 = unionEmail(hashSet6, DERIA5String.getInstance(base2.getName()).getString());
                                                break;
                                            case 4:
                                                hashSet5 = unionDN(hashSet5, (ASN1Sequence) base2.getName());
                                                break;
                                            case 7:
                                                hashSet7 = unionIP(hashSet7, ASN1OctetString.getInstance(base2.getName()).getOctets());
                                                break;
                                        }
                                    }
                                }
                            }
                            if (!isSelfIssued(x509Certificate)) {
                                if (i3 != 0) {
                                    i3--;
                                }
                                if (i5 != 0) {
                                    i5--;
                                }
                                if (i4 != 0) {
                                    i4--;
                                }
                            }
                            ASN1Sequence aSN1Sequence8 = (ASN1Sequence) getExtensionValue(x509Certificate, POLICY_CONSTRAINTS);
                            if (aSN1Sequence8 != null) {
                                Enumeration objects5 = aSN1Sequence8.getObjects();
                                while (objects5.hasMoreElements()) {
                                    ASN1TaggedObject aSN1TaggedObject2 = (ASN1TaggedObject) objects5.nextElement();
                                    switch (aSN1TaggedObject2.getTagNo()) {
                                        case 0:
                                            int intValue3 = DERInteger.getInstance(aSN1TaggedObject2).getValue().intValue();
                                            if (intValue3 < i3) {
                                                i3 = intValue3;
                                                break;
                                            } else {
                                                break;
                                            }
                                        case 1:
                                            int intValue4 = DERInteger.getInstance(aSN1TaggedObject2).getValue().intValue();
                                            if (intValue4 < i4) {
                                                i4 = intValue4;
                                                break;
                                            } else {
                                                break;
                                            }
                                    }
                                }
                            }
                            DERInteger dERInteger = (DERInteger) getExtensionValue(x509Certificate, INHIBIT_ANY_POLICY);
                            if (dERInteger != null && (intValue2 = dERInteger.getValue().intValue()) < i4) {
                                i4 = intValue2;
                            }
                            BasicConstraints basicConstraints2 = BasicConstraints.getInstance(getExtensionValue(x509Certificate, BASIC_CONSTRAINTS));
                            if (basicConstraints2 == null) {
                                throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints");
                            }
                            if (!basicConstraints2.isCA()) {
                                throw new CertPathValidatorException("Not a CA certificate");
                            }
                            if (!isSelfIssued(x509Certificate)) {
                                if (i6 <= 0) {
                                    throw new CertPathValidatorException("Max path length not greater than zero");
                                }
                                i6--;
                            }
                            if (basicConstraints2 != null && (pathLenConstraint = basicConstraints2.getPathLenConstraint()) != null && (intValue = pathLenConstraint.intValue()) < i6) {
                                i6 = intValue;
                            }
                            boolean[] keyUsage2 = x509Certificate.getKeyUsage();
                            if (keyUsage2 != null && !keyUsage2[5]) {
                                throw new CertPathValidatorException("Issuer certificate keyusage extension is critical an does not permit key signing.\n", null, certPath, size2);
                            }
                            if (x509Certificate.hasUnsupportedCriticalExtension()) {
                                HashSet hashSet11 = new HashSet(x509Certificate.getCriticalExtensionOIDs());
                                hashSet11.remove(KEY_USAGE);
                                hashSet11.remove(CERTIFICATE_POLICIES);
                                hashSet11.remove(POLICY_MAPPINGS);
                                hashSet11.remove(INHIBIT_ANY_POLICY);
                                hashSet11.remove(ISSUING_DISTRIBUTION_POINT);
                                hashSet11.remove(DELTA_CRL_INDICATOR);
                                hashSet11.remove(POLICY_CONSTRAINTS);
                                hashSet11.remove(BASIC_CONSTRAINTS);
                                hashSet11.remove(SUBJECT_ALTERNATIVE_NAME);
                                hashSet11.remove(NAME_CONSTRAINTS);
                                Iterator it3 = pKIXParameters.getCertPathCheckers().iterator();
                                while (it3.hasNext()) {
                                    ((PKIXCertPathChecker) it3.next()).check(x509Certificate, hashSet11);
                                }
                                if (!hashSet11.isEmpty()) {
                                    throw new CertPathValidatorException("Certificate has unsupported critical extension", null, certPath, size2);
                                }
                            }
                        }
                        trustedCert = x509Certificate;
                        cAPublicKey = trustedCert.getPublicKey();
                        try {
                            x509Principal = PrincipalUtil.getSubjectX509Principal(trustedCert);
                            AlgorithmIdentifier algorithmIdentifier2 = getAlgorithmIdentifier(cAPublicKey);
                            algorithmIdentifier2.getObjectId();
                            algorithmIdentifier2.getParameters();
                            size2--;
                        } catch (Exception e5) {
                            throw new CertPathValidatorException(new StringBuffer().append(trustedCert.getSubjectDN().getName()).append(" :").append(e5.toString()).toString());
                        }
                    } catch (CertificateEncodingException e6) {
                        throw new CertPathValidatorException("Encoding error on issuer.");
                    }
                } catch (GeneralSecurityException e7) {
                    throw new CertPathValidatorException(new StringBuffer().append("couldn't validate certificate: ").append(e7).toString());
                }
            }
            if (!isSelfIssued(x509Certificate) && i3 != 0) {
                i3--;
            }
            ASN1Sequence aSN1Sequence9 = (ASN1Sequence) getExtensionValue(x509Certificate, POLICY_CONSTRAINTS);
            if (aSN1Sequence9 != null) {
                Enumeration objects6 = aSN1Sequence9.getObjects();
                while (objects6.hasMoreElements()) {
                    ASN1TaggedObject aSN1TaggedObject3 = (ASN1TaggedObject) objects6.nextElement();
                    switch (aSN1TaggedObject3.getTagNo()) {
                        case 0:
                            if (DERInteger.getInstance(aSN1TaggedObject3).getValue().intValue() == 0) {
                                i3 = 0;
                                break;
                            } else {
                                break;
                            }
                    }
                }
            }
            if (x509Certificate.hasUnsupportedCriticalExtension()) {
                HashSet hashSet12 = new HashSet(x509Certificate.getCriticalExtensionOIDs());
                hashSet12.remove(KEY_USAGE);
                hashSet12.remove(CERTIFICATE_POLICIES);
                hashSet12.remove(POLICY_MAPPINGS);
                hashSet12.remove(INHIBIT_ANY_POLICY);
                hashSet12.remove(ISSUING_DISTRIBUTION_POINT);
                hashSet12.remove(DELTA_CRL_INDICATOR);
                hashSet12.remove(POLICY_CONSTRAINTS);
                hashSet12.remove(BASIC_CONSTRAINTS);
                hashSet12.remove(SUBJECT_ALTERNATIVE_NAME);
                hashSet12.remove(NAME_CONSTRAINTS);
                Iterator it4 = pKIXParameters.getCertPathCheckers().iterator();
                while (it4.hasNext()) {
                    ((PKIXCertPathChecker) it4.next()).check(x509Certificate, hashSet12);
                }
                if (!hashSet12.isEmpty()) {
                    throw new CertPathValidatorException("Certificate has unsupported critical extension", null, certPath, size2);
                }
            }
            if (pKIXPolicyNode2 == null) {
                pKIXPolicyNode = null;
            } else if (isAnyPolicy(initialPolicies)) {
                if (pKIXParameters.isExplicitPolicyRequired()) {
                    if (set.isEmpty()) {
                        throw new CertPathValidatorException("Explicit policy requested but none avaliable");
                    }
                    HashSet<PKIXPolicyNode> hashSet13 = new HashSet();
                    for (ArrayList arrayList5 : arrayListArr) {
                        for (int i16 = 0; i16 < arrayList5.size(); i16++) {
                            PKIXPolicyNode pKIXPolicyNode7 = (PKIXPolicyNode) arrayList5.get(i16);
                            if (ANY_POLICY.equals(pKIXPolicyNode7.getValidPolicy())) {
                                Iterator children2 = pKIXPolicyNode7.getChildren();
                                while (children2.hasNext()) {
                                    hashSet13.add(children2.next());
                                }
                            }
                        }
                    }
                    for (PKIXPolicyNode pKIXPolicyNode8 : hashSet13) {
                        if (!set.contains(pKIXPolicyNode8.getValidPolicy())) {
                            pKIXPolicyNode2 = removePolicyNode(pKIXPolicyNode2, arrayListArr, pKIXPolicyNode8);
                        }
                    }
                    if (pKIXPolicyNode2 != null) {
                        for (int i17 = size - 1; i17 >= 0; i17--) {
                            ArrayList arrayList6 = arrayListArr[i17];
                            for (int i18 = 0; i18 < arrayList6.size(); i18++) {
                                PKIXPolicyNode pKIXPolicyNode9 = (PKIXPolicyNode) arrayList6.get(i18);
                                if (!pKIXPolicyNode9.hasChildren()) {
                                    pKIXPolicyNode2 = removePolicyNode(pKIXPolicyNode2, arrayListArr, pKIXPolicyNode9);
                                }
                            }
                        }
                    }
                }
                pKIXPolicyNode = pKIXPolicyNode2;
            } else {
                HashSet<PKIXPolicyNode> hashSet14 = new HashSet();
                for (ArrayList arrayList7 : arrayListArr) {
                    for (int i19 = 0; i19 < arrayList7.size(); i19++) {
                        PKIXPolicyNode pKIXPolicyNode10 = (PKIXPolicyNode) arrayList7.get(i19);
                        if (ANY_POLICY.equals(pKIXPolicyNode10.getValidPolicy())) {
                            Iterator children3 = pKIXPolicyNode10.getChildren();
                            while (children3.hasNext()) {
                                hashSet14.add(children3.next());
                            }
                        }
                    }
                }
                for (PKIXPolicyNode pKIXPolicyNode11 : hashSet14) {
                    if (!initialPolicies.contains(pKIXPolicyNode11.getValidPolicy())) {
                        pKIXPolicyNode2 = removePolicyNode(pKIXPolicyNode2, arrayListArr, pKIXPolicyNode11);
                    }
                }
                for (PKIXPolicyNode pKIXPolicyNode12 : hashSet14) {
                    if (!set.contains(pKIXPolicyNode12.getValidPolicy())) {
                        pKIXPolicyNode2 = removePolicyNode(pKIXPolicyNode2, arrayListArr, pKIXPolicyNode12);
                    }
                }
                if (pKIXPolicyNode2 != null) {
                    for (int i20 = size - 1; i20 >= 0; i20--) {
                        ArrayList arrayList8 = arrayListArr[i20];
                        for (int i21 = 0; i21 < arrayList8.size(); i21++) {
                            PKIXPolicyNode pKIXPolicyNode13 = (PKIXPolicyNode) arrayList8.get(i21);
                            if (!pKIXPolicyNode13.hasChildren()) {
                                pKIXPolicyNode2 = removePolicyNode(pKIXPolicyNode2, arrayListArr, pKIXPolicyNode13);
                            }
                        }
                    }
                }
                pKIXPolicyNode = pKIXPolicyNode2;
            }
            if (i3 > 0 || pKIXPolicyNode != null || isAnyPolicy(set)) {
                return new PKIXCertPathValidatorResult(trustAnchor, pKIXPolicyNode, cAPublicKey);
            }
            throw new CertPathValidatorException("Path processing failed");
        } catch (IllegalArgumentException e8) {
            throw new CertPathValidatorException(new StringBuffer().append("TrustAnchor subjectDN: ").append(e8.toString()).toString());
        } catch (CertificateEncodingException e9) {
            throw new CertPathValidatorException(new StringBuffer().append("TrustAnchor subjectDN: ").append(e9.toString()).toString());
        }
    }

    /**
     * Gathers every CRL that the selector accepts from each store in the list.
     *
     * @param x509CRLSelector selector handed unchanged to each store's {@code getCRLs}
     * @param list the stores to query; every element is cast to {@code CertStore}
     * @return a set holding the CRLs returned by the stores that answered; empty
     *         when no store returned anything
     */
    private final Collection findCRLs(X509CRLSelector x509CRLSelector, List list) {
        Set collected = new HashSet();
        for (Object entry : list) {
            CertStore store = (CertStore) entry;
            try {
                collected.addAll(store.getCRLs(x509CRLSelector));
            } catch (CertStoreException e) {
                // NOTE(review): a store that fails is only reported on stderr and then
                // skipped, so the caller cannot tell "no CRL exists" from "the store
                // could not be read". Confirm that the revocation check using this
                // result rejects the path when no usable CRL is found.
                e.printStackTrace();
            }
        }
        return collected;
    }

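    /**
     * Searches the supplied trust anchors for one that issued the certificate.
     * <p>
     * An anchor is accepted only when it matches the certificate's issuer by name
     * (through its trusted certificate, or through its CA name when it carries no
     * certificate) and the certificate's signature verifies under the anchor's
     * public key. Anchors are tried in iteration order; the first accepted one wins.
     *
     * @param x509Certificate certificate whose issuing anchor is looked up
     * @param set candidate anchors; every element is cast to {@code TrustAnchor}
     * @return the first accepted anchor, or {@code null} when no anchor matches the
     *         issuer name or the lookup itself fails (for example when the issuer
     *         name cannot be encoded)
     * @throws CertPathValidatorException when at least one anchor matched by name,
     *         its key failed to verify the certificate, and no other anchor was
     *         accepted; the last verification failure is attached as the cause
     */
    final TrustAnchor findTrustAnchor(X509Certificate x509Certificate, Set set) throws CertPathValidatorException {
        Iterator it = set.iterator();
        TrustAnchor accepted = null;
        Exception verifyFailure = null;
        X509CertSelector issuerSelector = new X509CertSelector();
        try {
            issuerSelector.setSubject(PrincipalUtil.getIssuerX509Principal(x509Certificate).getEncoded());
            while (it.hasNext() && accepted == null) {
                TrustAnchor candidate = (TrustAnchor) it.next();
                // Scoped to one iteration so that a key taken from an earlier anchor
                // is never used to verify against an anchor that did not match.
                PublicKey candidateKey = null;
                if (candidate.getTrustedCert() != null) {
                    if (issuerSelector.match(candidate.getTrustedCert())) {
                        candidateKey = candidate.getTrustedCert().getPublicKey();
                    }
                } else if (candidate.getCAName() != null && candidate.getCAPublicKey() != null) {
                    try {
                        if (PrincipalUtil.getIssuerX509Principal(x509Certificate).equals(new X509Principal(candidate.getCAName()))) {
                            candidateKey = candidate.getCAPublicKey();
                        }
                    } catch (Exception ignored) {
                        // A CA name that cannot be parsed or compared means this
                        // anchor does not match; move on to the next one.
                    }
                }
                if (candidateKey == null) {
                    // No name match, or no key to verify with: an anchor is never
                    // accepted without a successful signature check.
                    continue;
                }
                try {
                    x509Certificate.verify(candidateKey);
                    accepted = candidate;
                } catch (Exception e) {
                    verifyFailure = e;
                }
            }
        } catch (Exception e) {
            // Any other failure while matching is treated as "no anchor found".
            return null;
        }
        // Thrown outside the try block so that the catch-all above cannot turn a
        // failed signature verification into a plain null return and lose the cause.
        if (accepted == null && verifyFailure != null) {
            throw new CertPathValidatorException("TrustAnchor found put certificate validation failed", verifyFailure);
        }
        return accepted;
    }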
}
