package com.amazon.coral.internal.org.bouncycastle.jce.provider;

import com.amazon.coral.internal.org.bouncycastle.asn1.C$ASN1InputStream;
import com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$CRLDistPoint;
import com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$DistributionPoint;
import com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$DistributionPointName;
import com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$GeneralName;
import com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$GeneralNames;
import com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$TargetInformation;
import com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$X509Extensions;
import com.amazon.coral.internal.org.bouncycastle.jcajce.C$PKIXCRLStore;
import com.amazon.coral.internal.org.bouncycastle.jcajce.C$PKIXCertStoreSelector;
import com.amazon.coral.internal.org.bouncycastle.jcajce.C$PKIXExtendedBuilderParameters;
import com.amazon.coral.internal.org.bouncycastle.jcajce.C$PKIXExtendedParameters;
import com.amazon.coral.internal.org.bouncycastle.jcajce.util.C$JcaJceHelper;
import com.amazon.coral.internal.org.bouncycastle.jce.exception.C$ExtCertPathValidatorException;
import com.amazon.coral.internal.org.bouncycastle.x509.C$PKIXAttrCertChecker;
import com.amazon.coral.internal.org.bouncycastle.x509.C$X509AttributeCertificate;
import com.amazon.coral.internal.org.bouncycastle.x509.C$X509CertStoreSelector;
import com.amazonaws.services.s3.model.InstructionFileId;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* renamed from: com.amazon.coral.internal.org.bouncycastle.jce.provider.$RFC3281CertPathUtilities, reason: invalid class name */
/* loaded from: classes2.dex */
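/**
 * Static helpers for validating X.509 attribute certificates (ACs): attribute
 * allow/deny checks, revocation checking via CRLs, holder and issuer
 * certification-path processing, validity period and critical-extension
 * handling.
 *
 * <p>This file is jadx decompiler output of a repackaged Bouncy Castle class.
 * {@link #checkCRL} could not be decompiled and always throws, so the CRL
 * path in {@link #checkCRLs} cannot succeed when built from this listing.
 */
class C$RFC3281CertPathUtilities {
    private static final String TARGET_INFORMATION = C$X509Extensions.TargetInformation.getId();
    private static final String NO_REV_AVAIL = C$X509Extensions.NoRevAvail.getId();
    private static final String CRL_DISTRIBUTION_POINTS = C$X509Extensions.CRLDistributionPoints.getId();
    private static final String AUTHORITY_INFO_ACCESS = C$X509Extensions.AuthorityInfoAccess.getId();

    // Status codes compared against C$CertStatus.getCertStatus(). The meanings
    // follow from how checkCRLs reacts to them: any value other than 11 is
    // reported as a revocation, and 12 is reported as "status could not be
    // determined". NOTE(review): presumably constants of C$CertStatus that the
    // compiler inlined - confirm and reference them directly if so.
    private static final int CERT_STATUS_UNREVOKED = 11;
    private static final int CERT_STATUS_UNDETERMINED = 12;

    C$RFC3281CertPathUtilities() {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Enforces the caller's attribute policy on an attribute certificate.
     *
     * @param c$X509AttributeCertificate the attribute certificate to inspect
     * @param set attribute identifiers (Strings) that must NOT be present
     * @param set2 attribute identifiers (Strings) that MUST be present
     * @throws CertPathValidatorException if a prohibited attribute is present
     *         or a necessary attribute is missing
     */
    public static void additionalChecks(C$X509AttributeCertificate c$X509AttributeCertificate, Set set, Set set2) throws CertPathValidatorException {
        // InstructionFileId.DOT is a decompiler artifact: jadx substituted an
        // unrelated constant for a string literal. NOTE(review): presumably "." - confirm.
        for (Object prohibited : set) {
            String oid = (String) prohibited;
            if (c$X509AttributeCertificate.getAttributes(oid) != null) {
                throw new CertPathValidatorException("Attribute certificate contains prohibited attribute: " + oid + InstructionFileId.DOT);
            }
        }
        for (Object necessary : set2) {
            String oid = (String) necessary;
            if (c$X509AttributeCertificate.getAttributes(oid) == null) {
                throw new CertPathValidatorException("Attribute certificate does not contain necessary attribute: " + oid + InstructionFileId.DOT);
            }
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:47:0x00f6, code lost:
    
        throw r11;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    // The body below is a decompiler placeholder, not the real implementation:
    // it unconditionally throws UnsupportedOperationException. Do not treat this
    // listing as a working revocation check; recover the method from the
    // original bytecode or upstream sources before relying on it.
    private static void checkCRL(com.amazon.coral.internal.org.bouncycastle.asn1.x509.C$DistributionPoint r16, com.amazon.coral.internal.org.bouncycastle.x509.C$X509AttributeCertificate r17, com.amazon.coral.internal.org.bouncycastle.jcajce.C$PKIXExtendedParameters r18, java.util.Date r19, java.security.cert.X509Certificate r20, com.amazon.coral.internal.org.bouncycastle.jce.provider.C$CertStatus r21, com.amazon.coral.internal.org.bouncycastle.jce.provider.C$ReasonsMask r22, java.util.List r23, com.amazon.coral.internal.org.bouncycastle.jcajce.util.C$JcaJceHelper r24) throws com.amazon.coral.internal.org.bouncycastle.jce.provider.C$AnnotatedException {
        /*
            Method dump skipped, instructions count: 247
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.amazon.coral.internal.org.bouncycastle.jce.provider.C$RFC3281CertPathUtilities.checkCRL(com.amazon.coral.internal.org.bouncycastle.asn1.x509.$DistributionPoint, com.amazon.coral.internal.org.bouncycastle.x509.$X509AttributeCertificate, com.amazon.coral.internal.org.bouncycastle.jcajce.$PKIXExtendedParameters, java.util.Date, java.security.cert.X509Certificate, com.amazon.coral.internal.org.bouncycastle.jce.provider.$CertStatus, com.amazon.coral.internal.org.bouncycastle.jce.provider.$ReasonsMask, java.util.List, com.amazon.coral.internal.org.bouncycastle.jcajce.util.$JcaJceHelper):void");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks the revocation status of an attribute certificate using CRLs.
     *
     * <p>Does nothing when revocation checking is disabled in the parameters.
     * When the AC carries the "no revocation available" extension the check is
     * skipped, unless the AC also carries a CRL distribution point or authority
     * info access extension, which is rejected as contradictory. Otherwise every
     * distribution point of the AC is tried and then a distribution point built
     * from the AC issuer name. The method fails closed: it throws when no CRL
     * check completed, when the certificate is revoked, or when the CRLs
     * consulted did not cover all revocation reasons.
     *
     * @param c$X509AttributeCertificate the attribute certificate being validated
     * @param c$PKIXExtendedParameters validation parameters (revocation flag, CRL stores)
     * @param x509Certificate passed through to {@code checkCRL} (issuer certificate, going by the upstream name - confirm)
     * @param date passed through to {@code checkCRL} (presumably the validation date - confirm)
     * @param list passed through to {@code checkCRL} (presumably the certificates of the path - confirm)
     * @param c$JcaJceHelper passed through to {@code checkCRL}
     * @throws CertPathValidatorException if the status is revoked or cannot be established
     */
    public static void checkCRLs(C$X509AttributeCertificate c$X509AttributeCertificate, C$PKIXExtendedParameters c$PKIXExtendedParameters, X509Certificate x509Certificate, Date date, List list, C$JcaJceHelper c$JcaJceHelper) throws CertPathValidatorException {
        if (!c$PKIXExtendedParameters.isRevocationEnabled()) {
            return;
        }
        if (c$X509AttributeCertificate.getExtensionValue(NO_REV_AVAIL) != null) {
            // "No revocation available" together with a revocation pointer is
            // self-contradictory; reject instead of silently skipping the check.
            if (c$X509AttributeCertificate.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null || c$X509AttributeCertificate.getExtensionValue(AUTHORITY_INFO_ACCESS) != null) {
                throw new CertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
            }
            return;
        }

        C$CRLDistPoint crlDistPoint;
        try {
            crlDistPoint = C$CRLDistPoint.getInstance(C$CertPathValidatorUtilities.getExtensionValue(c$X509AttributeCertificate, CRL_DISTRIBUTION_POINTS));
        } catch (C$AnnotatedException e) {
            throw new CertPathValidatorException("CRL distribution point extension could not be read.", e);
        }

        List additionalStores = new ArrayList();
        try {
            additionalStores.addAll(C$CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crlDistPoint, c$PKIXExtendedParameters.getNamedCRLStoreMap()));
        } catch (C$AnnotatedException e) {
            throw new CertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
        }

        C$PKIXExtendedParameters.Builder builder = new C$PKIXExtendedParameters.Builder(c$PKIXExtendedParameters);
        // Fix: the original loop never advanced its iterator and cast the list
        // itself to C$PKIXCRLStore, so any non-empty list ended in an unchecked
        // ClassCastException instead of registering the stores.
        for (Object store : additionalStores) {
            builder.addCRLStore((C$PKIXCRLStore) store);
        }
        C$PKIXExtendedParameters build = builder.build();

        C$CertStatus certStatus = new C$CertStatus();
        C$ReasonsMask reasonsMask = new C$ReasonsMask();
        C$AnnotatedException lastFailure = null;
        boolean validCrlFound = false;

        if (crlDistPoint != null) {
            try {
                C$DistributionPoint[] distributionPoints = crlDistPoint.getDistributionPoints();
                // Stop as soon as a revocation is recorded or all reasons are covered.
                for (int i = 0; i < distributionPoints.length && certStatus.getCertStatus() == CERT_STATUS_UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                    try {
                        // Each attempt gets its own clone of the parameters.
                        checkCRL(distributionPoints[i], c$X509AttributeCertificate, (C$PKIXExtendedParameters) build.clone(), date, x509Certificate, certStatus, reasonsMask, list, c$JcaJceHelper);
                        validCrlFound = true;
                    } catch (C$AnnotatedException e) {
                        lastFailure = new C$AnnotatedException("No valid CRL for distribution point found.", e);
                    }
                }
            } catch (Exception e) {
                // As decompiled, this handler covers the whole loop, so unchecked
                // failures inside checkCRL are also reported under this message.
                throw new C$ExtCertPathValidatorException("Distribution points could not be read.", e);
            }
        }

        if (certStatus.getCertStatus() == CERT_STATUS_UNREVOKED && !reasonsMask.isAllReasons()) {
            try {
                try {
                    // Fallback distribution point built from the first AC issuer
                    // principal: DistributionPointName choice 0 (fullName) wrapping a
                    // GeneralName with tag 4 (directoryName), numbering per RFC 5280.
                    checkCRL(new C$DistributionPoint(new C$DistributionPointName(0, new C$GeneralNames(new C$GeneralName(4, new C$ASN1InputStream(((X500Principal) c$X509AttributeCertificate.getIssuer().getPrincipals()[0]).getEncoded()).readObject()))), null, null), c$X509AttributeCertificate, (C$PKIXExtendedParameters) build.clone(), date, x509Certificate, certStatus, reasonsMask, list, c$JcaJceHelper);
                    validCrlFound = true;
                } catch (Exception e) {
                    // NOTE(review): as decompiled, failures of checkCRL itself are
                    // also wrapped under the "reencoded" message, not only encoding errors.
                    throw new C$AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
                }
            } catch (C$AnnotatedException e) {
                lastFailure = new C$AnnotatedException("No valid CRL for distribution point found.", e);
            }
        }

        if (!validCrlFound) {
            throw new C$ExtCertPathValidatorException("No valid CRL found.", lastFailure);
        }
        if (certStatus.getCertStatus() != CERT_STATUS_UNREVOKED) {
            throw new CertPathValidatorException(("Attribute certificate revocation after " + certStatus.getRevocationDate()) + ", reason: " + C$RFC3280CertPathUtilities.crlReasons[certStatus.getCertStatus()]);
        }
        // Not revoked, but the CRLs consulted did not cover every reason: the
        // status is undetermined, which is treated as a failure rather than a pass.
        if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CERT_STATUS_UNREVOKED) {
            certStatus.setCertStatus(CERT_STATUS_UNDETERMINED);
        }
        if (certStatus.getCertStatus() == CERT_STATUS_UNDETERMINED) {
            throw new CertPathValidatorException("Attribute certificate status could not be determined.");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Locates the public key certificate(s) of the AC holder in the configured
     * certificate stores and builds a certification path for them.
     *
     * <p>Candidates are collected from the holder's issuer/serial pair and from
     * the holder's entity names, whichever are present.
     *
     * @param c$X509AttributeCertificate the attribute certificate whose holder is resolved
     * @param c$PKIXExtendedParameters parameters supplying certificate stores and the base for path building
     * @return the certification path of the last candidate that was built
     * @throws CertPathValidatorException if no candidate is found, or if path
     *         building failed for any candidate
     */
    public static CertPath processAttrCert1(C$X509AttributeCertificate c$X509AttributeCertificate, C$PKIXExtendedParameters c$PKIXExtendedParameters) throws CertPathValidatorException {
        HashSet holderCerts = new HashSet();
        if (c$X509AttributeCertificate.getHolder().getIssuer() != null) {
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setSerialNumber(c$X509AttributeCertificate.getHolder().getSerialNumber());
            Principal[] issuer = c$X509AttributeCertificate.getHolder().getIssuer();
            for (int i = 0; i < issuer.length; i++) {
                try {
                    // NOTE(review): for a principal that is not an X500Principal the
                    // search still runs, with whatever issuer the selector already holds.
                    if (issuer[i] instanceof X500Principal) {
                        x509CertSelector.setIssuer(((X500Principal) issuer[i]).getEncoded());
                    }
                    holderCerts.addAll(C$CertPathValidatorUtilities.findCertificates(new C$PKIXCertStoreSelector.Builder(x509CertSelector).build(), c$PKIXExtendedParameters.getCertStores()));
                } catch (C$AnnotatedException e) {
                    throw new C$ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
                } catch (IOException e) {
                    throw new C$ExtCertPathValidatorException("Unable to encode X500 principal.", e);
                }
            }
            if (holderCerts.isEmpty()) {
                throw new CertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
            }
        }
        if (c$X509AttributeCertificate.getHolder().getEntityNames() != null) {
            C$X509CertStoreSelector entitySelector = new C$X509CertStoreSelector();
            Principal[] entityNames = c$X509AttributeCertificate.getHolder().getEntityNames();
            for (int i = 0; i < entityNames.length; i++) {
                try {
                    // NOTE(review): the entity name is matched against the certificate
                    // ISSUER field here; an entity name identifies the holder, so a
                    // subject match looks like the intent - confirm before changing.
                    if (entityNames[i] instanceof X500Principal) {
                        entitySelector.setIssuer(((X500Principal) entityNames[i]).getEncoded());
                    }
                    holderCerts.addAll(C$CertPathValidatorUtilities.findCertificates(new C$PKIXCertStoreSelector.Builder(entitySelector).build(), c$PKIXExtendedParameters.getCertStores()));
                } catch (C$AnnotatedException e) {
                    throw new C$ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
                } catch (IOException e) {
                    throw new C$ExtCertPathValidatorException("Unable to encode X500 principal.", e);
                }
            }
            // The set is shared with the issuer/serial search above, so this only
            // fires when neither search produced a certificate.
            if (holderCerts.isEmpty()) {
                throw new CertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
            }
        }

        C$PKIXExtendedParameters.Builder builder = new C$PKIXExtendedParameters.Builder(c$PKIXExtendedParameters);
        C$ExtCertPathValidatorException lastFailure = null;
        CertPathBuilderResult certPathBuilderResult = null;
        for (Object candidate : holderCerts) {
            C$X509CertStoreSelector targetSelector = new C$X509CertStoreSelector();
            targetSelector.setCertificate((X509Certificate) candidate);
            builder.setTargetConstraints(new C$PKIXCertStoreSelector.Builder(targetSelector).build());
            try {
                certPathBuilderResult = CertPathBuilder.getInstance("PKIX", C$BouncyCastleProvider.PROVIDER_NAME).build(new C$PKIXExtendedBuilderParameters.Builder(builder.build()).build());
            } catch (InvalidAlgorithmParameterException e) {
                // Keep the cause so the original stack trace is not lost.
                throw new RuntimeException(e.getMessage(), e);
            } catch (CertPathBuilderException e) {
                // Remembered and thrown after the loop: one failing candidate fails
                // the whole step even if another candidate produced a path.
                lastFailure = new C$ExtCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", e);
            } catch (NoSuchAlgorithmException e) {
                throw new C$ExtCertPathValidatorException("Support class could not be created.", e);
            } catch (NoSuchProviderException e) {
                throw new C$ExtCertPathValidatorException("Support class could not be created.", e);
            }
        }
        if (lastFailure != null) {
            throw lastFailure;
        }
        if (certPathBuilderResult == null) {
            // Reached when the holder has neither an issuer/serial pair nor entity
            // names, so no candidate was collected. The original dereferenced null
            // here; report a validation failure instead.
            throw new CertPathValidatorException("No public key certificate for the holder of the attribute certificate could be identified.");
        }
        return certPathBuilderResult.getCertPath();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates a certification path with the "PKIX" validator of the Bouncy
     * Castle provider.
     *
     * @param certPath the path to validate (the AC issuer's path, per the error message)
     * @param c$PKIXExtendedParameters validation parameters
     * @return the validator result
     * @throws CertPathValidatorException if validation fails or the validator
     *         cannot be obtained
     */
    public static CertPathValidatorResult processAttrCert2(CertPath certPath, C$PKIXExtendedParameters c$PKIXExtendedParameters) throws CertPathValidatorException {
        try {
            return CertPathValidator.getInstance("PKIX", C$BouncyCastleProvider.PROVIDER_NAME).validate(certPath, c$PKIXExtendedParameters);
        } catch (InvalidAlgorithmParameterException e) {
            // Keep the cause so the original stack trace is not lost.
            throw new RuntimeException(e.getMessage(), e);
        } catch (CertPathValidatorException e) {
            throw new C$ExtCertPathValidatorException("Certification path for issuer certificate of attribute certificate could not be validated.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new C$ExtCertPathValidatorException("Support class could not be created.", e);
        } catch (NoSuchProviderException e) {
            throw new C$ExtCertPathValidatorException("Support class could not be created.", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks that the AC issuer certificate may verify signatures and is not a
     * public key certificate issuer (CA).
     *
     * @param x509Certificate the AC issuer's certificate
     * @param c$PKIXExtendedParameters unused by this step
     * @throws CertPathValidatorException if key usage excludes signature
     *         verification or the certificate is a CA certificate
     */
    public static void processAttrCert3(X509Certificate x509Certificate, C$PKIXExtendedParameters c$PKIXExtendedParameters) throws CertPathValidatorException {
        // Key usage bit 0 is digitalSignature and bit 1 is nonRepudiation; a
        // certificate without the extension (null) is accepted.
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null && !keyUsage[0] && !keyUsage[1]) {
            throw new CertPathValidatorException("Attribute certificate issuer public key cannot be used to validate digital signatures.");
        }
        // getBasicConstraints() returns -1 only when the subject is not a CA.
        if (x509Certificate.getBasicConstraints() != -1) {
            throw new CertPathValidatorException("Attribute certificate issuer is also a public key certificate issuer.");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Requires the AC issuer certificate to match one of the trusted AC issuers.
     *
     * <p>A trust anchor matches when its CA name equals the certificate's
     * RFC 2253 subject name or when its trusted certificate equals the
     * certificate. NOTE(review): the name branch compares strings only and does
     * not look at the key; confirm that the signature check elsewhere binds the
     * issuer to the anchor.
     *
     * @param x509Certificate the AC issuer's certificate
     * @param set the trusted AC issuers, as {@link TrustAnchor} instances
     * @throws CertPathValidatorException if no trust anchor matches
     */
    public static void processAttrCert4(X509Certificate x509Certificate, Set set) throws CertPathValidatorException {
        for (Object candidate : set) {
            TrustAnchor trustAnchor = (TrustAnchor) candidate;
            if (x509Certificate.getSubjectX500Principal().getName("RFC2253").equals(trustAnchor.getCAName()) || x509Certificate.equals(trustAnchor.getTrustedCert())) {
                return;
            }
        }
        throw new CertPathValidatorException("Attribute certificate issuer is not directly trusted.");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks the AC validity period against the validation date taken from the
     * parameters.
     *
     * @param c$X509AttributeCertificate the attribute certificate
     * @param c$PKIXExtendedParameters parameters from which the validation date is derived
     * @throws CertPathValidatorException if the AC is expired or not yet valid
     */
    public static void processAttrCert5(C$X509AttributeCertificate c$X509AttributeCertificate, C$PKIXExtendedParameters c$PKIXExtendedParameters) throws CertPathValidatorException {
        try {
            c$X509AttributeCertificate.checkValidity(C$CertPathValidatorUtilities.getValidDate(c$PKIXExtendedParameters));
        } catch (CertificateExpiredException e) {
            throw new C$ExtCertPathValidatorException("Attribute certificate is not valid.", e);
        } catch (CertificateNotYetValidException e) {
            throw new C$ExtCertPathValidatorException("Attribute certificate is not valid.", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Processes the critical extensions of the AC and rejects any that remain
     * unhandled.
     *
     * <p>A critical target information extension must at least decode; it is
     * then treated as handled. Each supplied checker receives the remaining
     * critical OIDs and is handed the same set instance, so it can remove the
     * ones it handles. Anything left afterwards fails validation.
     *
     * @param c$X509AttributeCertificate the attribute certificate
     * @param certPath passed through to each checker
     * @param certPath2 passed through to each checker
     * @param c$PKIXExtendedParameters unused by this step
     * @param set the checkers to run, as {@code C$PKIXAttrCertChecker} instances
     * @throws CertPathValidatorException if target information cannot be read,
     *         a checker fails, or unsupported critical extensions remain
     */
    public static void processAttrCert7(C$X509AttributeCertificate c$X509AttributeCertificate, CertPath certPath, CertPath certPath2, C$PKIXExtendedParameters c$PKIXExtendedParameters, Set set) throws CertPathValidatorException {
        // NOTE(review): if getCriticalExtensionOIDs() can return null for an AC
        // without extensions, contains() below throws NullPointerException -
        // confirm against the C$X509AttributeCertificate implementation.
        Set<String> criticalExtensionOIDs = c$X509AttributeCertificate.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs.contains(TARGET_INFORMATION)) {
            try {
                // Decoded only to prove it is well formed; the targets themselves
                // are not evaluated here.
                C$TargetInformation.getInstance(C$CertPathValidatorUtilities.getExtensionValue(c$X509AttributeCertificate, TARGET_INFORMATION));
            } catch (C$AnnotatedException e) {
                throw new C$ExtCertPathValidatorException("Target information extension could not be read.", e);
            } catch (IllegalArgumentException e) {
                throw new C$ExtCertPathValidatorException("Target information extension could not be read.", e);
            }
        }
        criticalExtensionOIDs.remove(TARGET_INFORMATION);
        for (Object checker : set) {
            ((C$PKIXAttrCertChecker) checker).check(c$X509AttributeCertificate, certPath, certPath2, criticalExtensionOIDs);
        }
        if (!criticalExtensionOIDs.isEmpty()) {
            throw new CertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + criticalExtensionOIDs);
        }
    }
}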
