package com.rsa.cryptoj.o;

import com.rsa.jsafe.cert.CertComplianceAdjustment;
import com.rsa.jsafe.cert.CertCreationException;
import com.rsa.jsafe.cert.CertCreationParameterSpec;
import com.rsa.jsafe.cert.DistributionPoint;
import com.rsa.jsafe.cert.GeneralName;
import com.rsa.jsafe.cert.GeneralSubtree;
import com.rsa.jsafe.cert.IssuerInformation;
import com.rsa.jsafe.cert.ObjectID;
import com.rsa.jsafe.cert.Version;
import com.rsa.jsafe.cert.X509ExtensionSpec;
import java.math.BigInteger;
import java.security.cert.PolicyQualifierInfo;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: classes.dex */
public abstract class om {

    /* renamed from: a, reason: collision with root package name */
    // Public constant with value 9.
    // NOTE(review): presumably the number of CRL reason-flag bits; the reason-flag check in this
    // class compares getReasonFlags().length against a literal 9 rather than this field, so
    // confirm the two are meant to stay in sync.
    public static final int f2033a = 9;

    /* renamed from: b, reason: collision with root package name */
    // Extension types that d(List<byte[]>) refuses to accept in pre-encoded form; its error
    // message describes them as extensions "that can be created via the API". The list is
    // wrapped in Collections.unmodifiableList, so it cannot be altered through this reference.
    // NOTE(review): the ov.* constant names are obfuscated; which extension each one denotes
    // is not visible in this file.
    private static final List<ov> f2034b = Collections.unmodifiableList(Arrays.asList(ov.cJ, ov.cI, ov.cL, ov.cK, ov.cD, ov.cy, ov.cG, ov.cH, ov.cB, ov.cC, ov.cE, ov.cN, ov.cx, ov.cM, ov.cw, ov.cF, ov.dd, ov.cA));

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Rejects a request that flags an extension OID as critical without supplying the
     * extension itself.
     *
     * <p>A criticality flag with no matching value is treated as a caller error and reported
     * instead of being silently dropped. The checks run in a fixed order and the first
     * mismatch wins. Object-valued getters signal "not set" with {@code null}; the
     * integer-valued ones (basic constraints, inhibit-any-policy, policy constraints) are
     * compared against {@code -1}.
     *
     * @param certCreationParameterSpec the creation request; a request whose
     *     {@code getExtensions()} is {@code null} passes without further checks
     * @throws CertCreationException for the first critical OID whose extension is not set
     */
    public static void a(CertCreationParameterSpec certCreationParameterSpec) throws CertCreationException {
        final X509ExtensionSpec ext = certCreationParameterSpec.getExtensions();
        if (ext == null) {
            // No extension spec at all: nothing can be critical-but-missing.
            return;
        }
        final Set<ObjectID> critical = ext.getCriticalExtOIDS();

        if (critical.contains(ObjectID.AUTH_KEY_ID_EXTN)) {
            if (ext.getAuthorityKeyIdentifier() == null) {
                throw new CertCreationException("Authority key identifier extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.AUTH_INFO_ACCESS_EXTN)) {
            if (ext.getAuthorityAccessInformation() == null) {
                throw new CertCreationException("Authority information access extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.BASIC_CONSTRAINTS_EXTN)) {
            if (ext.getBasicConstraints() == -1) {
                throw new CertCreationException("Basic constraints extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.CRL_DIST_POINTS_EXTN)) {
            if (ext.getCrlDistributionPoint() == null) {
                throw new CertCreationException("CRL distribution point extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.EXTENDED_KEY_USAGE_EXTN)) {
            if (ext.getExtendedKeyUsage() == null) {
                throw new CertCreationException("Extended key usage extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.FRESHEST_CRL_EXTN)) {
            if (ext.getFreshestCRL() == null) {
                throw new CertCreationException("Freshest CRL extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.INHIBIT_ANY_POLICY_EXTN)) {
            if (ext.getInhibitAnyPolicy() == -1) {
                throw new CertCreationException("Inhibit any policy extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.ISSUER_ALT_NAME_EXTN)) {
            if (ext.getIssuerAlternativeNames() == null) {
                throw new CertCreationException("Issuer alternative names extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.SUBJECT_INFO_ACCESS_EXTN)) {
            if (ext.getSubjectAccessInformation() == null) {
                throw new CertCreationException("Subject access information extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.SUBJECT_KEY_ID_EXTN)) {
            if (ext.getSubjectKeyIdentifier() == null) {
                throw new CertCreationException("Subject key identifier extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.CERT_POLICIES_EXTN)) {
            if (ext.getCertificatePolicies() == null) {
                throw new CertCreationException("Certificate policies extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.KEY_USAGE_EXTN)) {
            if (ext.getKeyUsage() == null) {
                throw new CertCreationException("Key usage extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.NAME_CONSTRAINTS_EXTN)) {
            // Name constraints count as "set" when either subtree list is present.
            if (ext.getNameConstraintsExcluded() == null && ext.getNameConstraintsPermitted() == null) {
                throw new CertCreationException("Name constraints extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.POLICY_CONSTRAINTS_EXTN)) {
            // Policy constraints count as "set" when either counter is present.
            if (ext.getInhibitPolicyMapping() == -1 && ext.getRequireExplicitPolicy() == -1) {
                throw new CertCreationException("Policy constraints extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.POLICY_MAPPINGS_EXTN)) {
            if (ext.getPolicyMappings() == null) {
                throw new CertCreationException("Policy mappings extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.SUBJECT_ALT_NAME_EXTN)) {
            if (ext.getSubjectAlternativeNames() == null) {
                throw new CertCreationException("Subject alternative names extension OID was set as critical, but the extension was not set.");
            }
        }
        if (critical.contains(ObjectID.SUBJECT_DIR_ATTR_EXTN)) {
            if (ext.getSubjectDirectoryAttributes() == null) {
                throw new CertCreationException("Subject directory attributes extension OID was set as critical, but the extension was not set.");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Checks the fields every request must carry: a subject public key, a non-empty issuer
     * name, and (when {@code notAfter} is given) a validity window that ends after it starts.
     *
     * <p>When {@code notBefore} is not set, {@code notAfter} is compared against the current
     * time instead. A {@code notAfter} equal to the start instant is rejected too, because the
     * test is {@code !notAfter.after(start)}.
     *
     * @param certCreationParameterSpec the creation request
     * @param issuerInformation issuer data; its issuer name must be non-null and non-empty
     * @throws CertCreationException if any of the three conditions fails
     */
    public static void a(CertCreationParameterSpec certCreationParameterSpec, IssuerInformation issuerInformation) throws CertCreationException {
        if (certCreationParameterSpec.getSubjectPublicKey() == null) {
            throw new CertCreationException("Subject public key MUST be present");
        }

        final boolean issuerNameMissing = issuerInformation.getIssuerName() == null
                || issuerInformation.getIssuerName().getName().length() == 0;
        if (issuerNameMissing) {
            throw new CertCreationException("Issuer name MUST be present");
        }

        final Date notAfter = certCreationParameterSpec.getNotAfter();
        if (notAfter == null) {
            // No explicit end of validity: nothing to compare.
            return;
        }
        final Date notBefore = certCreationParameterSpec.getNotBefore();
        // An unset notBefore is replaced by "now" for the comparison.
        final Date validityStart = (notBefore != null) ? notBefore : new Date();
        if (!notAfter.after(validityStart)) {
            throw new CertCreationException("notAfter date is before notBefore date");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Enforces the mandatory ("MUST") rules on a certificate creation request and throws on
     * the first violation.
     *
     * <p>The checks run in a fixed order, so the exception message identifies the first rule
     * broken, not every rule broken. The rule wording in the messages reads like the X.509
     * PKIX profile (RFC 5280) — NOTE(review): the file itself does not name the standard.
     *
     * <p>A request is treated as self-signed when its subject equals the issuer name; no key
     * comparison is made in this method.
     *
     * @param certCreationParameterSpec the creation request (serial number, subject, version,
     *     extensions)
     * @param issuerInformation issuer name and, for non-self-signed requests that carry an
     *     authority key identifier, the issuer certificate
     * @param dVar container scanned by {@code a(d, int)} for repeated extension types; may be
     *     {@code null} (that helper returns {@code false} for {@code null})
     * @throws CertCreationException on the first rule that is violated
     */
    public static void a(CertCreationParameterSpec certCreationParameterSpec, IssuerInformation issuerInformation, d dVar) throws CertCreationException {
        // Serial number range check (non-negative, bounded bit length).
        a(certCreationParameterSpec.getSerialNum());
        // a(d, int) returns true when two entries of dVar yield the same extension type.
        if (a(dVar, 0)) {
            throw new CertCreationException("There can only be one extension of the same type");
        }
        X509ExtensionSpec extensions = certCreationParameterSpec.getExtensions();
        if (extensions == null || extensions.isEmpty()) {
            // Without extensions only a named, self-signed (subject == issuer) request is accepted.
            if (certCreationParameterSpec.getSubject() == null || certCreationParameterSpec.getSubject().getName().length() == 0) {
                throw new CertCreationException("Subject name MUST not be empty when extensions are not specified");
            }
            if (!certCreationParameterSpec.getSubject().equals(issuerInformation.getIssuerName())) {
                throw new CertCreationException("Extensions MUST be present except for self-signed certificates");
            }
            return;
        }
        if (certCreationParameterSpec.getVersion() != Version.V3) {
            throw new CertCreationException("Version number MUST be V3 if extensions are present");
        }
        // Pre-encoded extensions get their own screening in d(List<byte[]>).
        if (extensions.getOtherExtensions() != null) {
            d(extensions.getOtherExtensions());
        }
        boolean[] keyUsage = extensions.getKeyUsage();
        Set<ObjectID> criticalExtOIDS = extensions.getCriticalExtOIDS();
        if (certCreationParameterSpec.getSubject() == null || certCreationParameterSpec.getSubject().getName().length() == 0) {
            // Empty subject: not allowed for CAs or CRL issuers, and the identity must then be
            // carried by a critical subjectAltName.
            if (extensions.getBasicConstraints() > -1) {
                throw new CertCreationException("Subject name MUST be present for CA certificates");
            }
            // Index 6 is the bit the message associates with CRL issuers (cRLSign).
            if (keyUsage != null && keyUsage.length >= 7 && keyUsage[6]) {
                throw new CertCreationException("Subject name MUST be present for CRL Issuers");
            }
            if (extensions.getSubjectAlternativeNames() == null || extensions.getSubjectAlternativeNames().isEmpty()) {
                throw new CertCreationException("Subject alternate name MUST be present if subject name field is empty");
            }
            if (!criticalExtOIDS.contains(ObjectID.SUBJECT_ALT_NAME_EXTN)) {
                throw new CertCreationException("Subject alternate name MUST be marked as critical if subject name is not specified");
            }
        }
        if (extensions.getAuthorityKeyIdentifier() != null) {
            if (criticalExtOIDS.contains(ObjectID.AUTH_KEY_ID_EXTN)) {
                throw new CertCreationException("Auth key ID MUST not be set as critical");
            }
            // NOTE(review): getIssuerName() is dereferenced without a null check here; the
            // two-argument a(spec, issuerInformation) rejects a null issuer name — confirm
            // callers always run it first.
            if (!issuerInformation.getIssuerName().equals(certCreationParameterSpec.getSubject())) {
                // Not self-signed: the authority key identifier is cross-checked against the
                // issuer certificate.
                X509Certificate issuerCertificate = issuerInformation.getIssuerCertificate();
                if (issuerCertificate == null) {
                    throw new CertCreationException("Issuer certificate is required to create all certificates except for self-signed certificate");
                }
                byte[] extensionValue = issuerCertificate.getExtensionValue(ObjectID.SUBJECT_KEY_ID_EXTN.toString());
                // NOTE(review): when the issuer certificate has no subject key identifier
                // extension (extensionValue == null) the key identifier is not compared at all.
                if (extensionValue != null) {
                    // Two nested a.a(ac.f1433a, ...) decodes unwrap the value before comparing;
                    // presumably the outer and inner OCTET STRING layers — TODO confirm what
                    // ac.f1433a denotes.
                    if (!Arrays.equals(extensions.getAuthorityKeyIdentifier().getKeyIdentifier(), ((ad) a.a(ac.f1433a, ((ad) a.a(ac.f1433a, extensionValue, 0)).g(), 0)).g())) {
                        throw new CertCreationException("Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same");
                    }
                }
                // The serial number inside the authority key identifier is optional; it is only
                // compared when present.
                BigInteger issuerSerialNum = extensions.getAuthorityKeyIdentifier().getIssuerSerialNum();
                if (issuerSerialNum != null && !issuerCertificate.getSerialNumber().equals(issuerSerialNum)) {
                    throw new CertCreationException("Mismatch in issuer certificate serial number and authority key identifier serial number");
                }
            }
        } else if (certCreationParameterSpec.getSubject() != null && !certCreationParameterSpec.getSubject().equals(issuerInformation.getIssuerName())) {
            // No authority key identifier is tolerated only for self-signed requests.
            throw new CertCreationException("Authority key identifier extension MUST be present");
        }
        if (extensions.getSubjectKeyIdentifier() == null || extensions.getSubjectKeyIdentifier().length == 0) {
            // basicConstraints > -1 is what this class treats as "CA certificate".
            if (extensions.getBasicConstraints() > -1) {
                throw new CertCreationException("Subject key identifier extension MUST be present for CA certificates");
            }
        } else if (criticalExtOIDS.contains(ObjectID.SUBJECT_KEY_ID_EXTN)) {
            throw new CertCreationException("Subject key ID MUST not be set as critical");
        }
        if (keyUsage != null) {
            if (!a(keyUsage)) {
                throw new CertCreationException("At least one bit in the key usage extension MUST be set");
            }
            // Index 5 is the keyCertSign bit named in the messages below.
            if (keyUsage.length >= 6 && keyUsage[5]) {
                if (extensions.getBasicConstraints() == -1) {
                    throw new CertCreationException("Basic constraints MUST be set if keyCertSign bit is set");
                }
                if (!criticalExtOIDS.contains(ObjectID.BASIC_CONSTRAINTS_EXTN)) {
                    throw new CertCreationException("Basic constraint extension MUST be marked as critical if the keyCertSign bit is set");
                }
            }
        }
        if (extensions.getInhibitAnyPolicy() > -1 && !criticalExtOIDS.contains(ObjectID.INHIBIT_ANY_POLICY_EXTN)) {
            throw new CertCreationException("Inhibit anyPolicy extension MUST be marked as critical");
        }
        // Both distribution-point lists go through the same b(List) checks; only the freshest
        // CRL extension is additionally required to be non-critical here.
        List<DistributionPoint> crlDistributionPoint = extensions.getCrlDistributionPoint();
        if (crlDistributionPoint != null) {
            b(crlDistributionPoint);
        }
        List<DistributionPoint> freshestCRL = extensions.getFreshestCRL();
        if (freshestCRL != null) {
            if (criticalExtOIDS.contains(ObjectID.FRESHEST_CRL_EXTN)) {
                throw new CertCreationException("Freshest CRL extension MUST not be set as critical");
            }
            b(freshestCRL);
        }
        if (extensions.getSubjectAccessInformation() != null && criticalExtOIDS.contains(ObjectID.SUBJECT_INFO_ACCESS_EXTN)) {
            throw new CertCreationException("Subject access info extension MUST not be set as critical");
        }
        if (extensions.getAuthorityAccessInformation() != null && criticalExtOIDS.contains(ObjectID.AUTH_INFO_ACCESS_EXTN)) {
            throw new CertCreationException("Authority access info extension MUST not be set as critical");
        }
        // NOTE(review): both lists are handed to a(X509ExtensionSpec, List) without a null
        // check, while other code in this class compares these getters against null — confirm
        // the helper tolerates a null list.
        List<GeneralSubtree> nameConstraintsExcluded = extensions.getNameConstraintsExcluded();
        List<GeneralSubtree> nameConstraintsPermitted = extensions.getNameConstraintsPermitted();
        a(extensions, nameConstraintsExcluded);
        a(extensions, nameConstraintsPermitted);
        // Either policy-constraints counter being set makes the extension present.
        if ((extensions.getInhibitPolicyMapping() != -1 || extensions.getRequireExplicitPolicy() != -1) && !criticalExtOIDS.contains(ObjectID.POLICY_CONSTRAINTS_EXTN)) {
            throw new CertCreationException("Policy constraints extension MUST be set as critical");
        }
        if (extensions.getSubjectAlternativeNames() != null && extensions.getSubjectAlternativeNames().isEmpty()) {
            throw new CertCreationException("SubjectAltName MUST contain at least one entry");
        }
        List<List<ObjectID>> policyMappings = extensions.getPolicyMappings();
        if (policyMappings != null) {
            // anyPolicy may appear on neither side of a mapping, so every element of each
            // mapping is searched.
            for (int i = 0; i < policyMappings.size(); i++) {
                if (policyMappings.get(i).contains(ObjectID.ANY_POLICY)) {
                    throw new CertCreationException("Policies MUST NOT be mapped to or from the special value anyPolicy");
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Enforces the recommended ("SHOULD") rules on a certificate creation request, each of
     * which can be waived individually.
     *
     * <p>Every {@code ChangeItem} present in {@code set} switches off exactly one check, so
     * the set is the complete list of recommendations the caller has chosen not to follow.
     * Checks run in a fixed order and the first unwaived violation is reported.
     *
     * @param certCreationParameterSpec the creation request (version and subject are read)
     * @param x509ExtensionSpec the extensions to inspect; {@code null} or empty selects the
     *     "no extensions" rules
     * @param set the waived recommendations; must not be {@code null}
     * @throws CertCreationException on the first recommendation that is violated and not waived
     */
    public static void a(CertCreationParameterSpec certCreationParameterSpec, X509ExtensionSpec x509ExtensionSpec, Set<CertComplianceAdjustment.ChangeItem> set) throws CertCreationException {
        final boolean noExtensions = x509ExtensionSpec == null || x509ExtensionSpec.isEmpty();
        if (noExtensions) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.VERSION_NUMBER)) {
                if (certCreationParameterSpec.getVersion() != Version.V1) {
                    throw new CertCreationException("Version number should be V1 if no extensions are present");
                }
            }
            // With no extensions there is no subject key identifier either, so only the
            // waiver can satisfy this rule.
            if (!set.contains(CertComplianceAdjustment.ChangeItem.NO_SUBJECT_KEY_ID)) {
                throw new CertCreationException("The subject key identifier extension SHOULD be present for all certificates");
            }
            return;
        }

        final boolean subjectKeyIdMissing = x509ExtensionSpec.getSubjectKeyIdentifier() == null
                || x509ExtensionSpec.getSubjectKeyIdentifier().length == 0;
        if (subjectKeyIdMissing) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.NO_SUBJECT_KEY_ID)) {
                throw new CertCreationException("The subject key identifier extension SHOULD be present for all certificates");
            }
        }

        if (x509ExtensionSpec.getKeyUsage() != null
                && !x509ExtensionSpec.getCriticalExtOIDS().contains(ObjectID.KEY_USAGE_EXTN)) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.NON_CRITICAL_KEY_USAGE)) {
                throw new CertCreationException("The key usage extension SHOULD be marked as critical");
            }
        }

        if (x509ExtensionSpec.getIssuerAlternativeNames() != null
                && x509ExtensionSpec.getCriticalExtOIDS().contains(ObjectID.ISSUER_ALT_NAME_EXTN)) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.CRITICAL_ISSUER_ALT_NAME)) {
                throw new CertCreationException("The issuer alternative name extension SHOULD be marked as non-critical");
            }
        }

        if (x509ExtensionSpec.getSubjectDirectoryAttributes() != null
                && x509ExtensionSpec.getCriticalExtOIDS().contains(ObjectID.SUBJECT_DIR_ATTR_EXTN)) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.CRITICAL_SUBJECT_DIR_ATTRIBUTE)) {
                throw new CertCreationException("The subject directory attribute extension SHOULD be marked as non-critical");
            }
        }

        if (x509ExtensionSpec.getCrlDistributionPoint() != null
                && x509ExtensionSpec.getCriticalExtOIDS().contains(ObjectID.CRL_DIST_POINTS_EXTN)) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.CRITICAL_CRL_DISTRIBUTION_POINT)) {
                throw new CertCreationException("The cRLDistributionPoint extension SHOULD be marked as non-critical");
            }
        }

        final List<GeneralSubtree> excluded = x509ExtensionSpec.getNameConstraintsExcluded();
        final List<GeneralSubtree> permitted = x509ExtensionSpec.getNameConstraintsPermitted();
        // c(List) reports whether any subtree base uses one of the three discouraged name forms.
        final boolean usesDiscouragedNameForm = c(excluded) || c(permitted);
        if (usesDiscouragedNameForm && !set.contains(CertComplianceAdjustment.ChangeItem.ALL_NAME_FORM_CONSTRAINTS)) {
            throw new CertCreationException("Named constraint extension SHOULD not impose restrictions on x400Address, ediPartyName or registeredID name forms");
        }

        final boolean subjectPresent = certCreationParameterSpec.getSubject() != null
                && certCreationParameterSpec.getSubject().getName().length() > 0;
        if (subjectPresent
                && x509ExtensionSpec.getSubjectAlternativeNames() != null
                && x509ExtensionSpec.getCriticalExtOIDS().contains(ObjectID.SUBJECT_ALT_NAME_EXTN)) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.CRITICAL_SUBJECT_ALT_NAME)) {
                throw new CertCreationException("SubjectAltName extension SHOULD not be marked as critical when subject name is present");
            }
        }

        final List<List<ObjectID>> mappings = x509ExtensionSpec.getPolicyMappings();
        if (mappings == null) {
            return;
        }
        if (!x509ExtensionSpec.getCriticalExtOIDS().contains(ObjectID.POLICY_MAPPINGS_EXTN)) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.NON_CRITICAL_POLICY_MAPPING)) {
                throw new CertCreationException("Policy mapping extension SHOULD be marked as critical");
            }
        }
        // b(spec, mappings) is true only when every mapping's first OID is an asserted policy.
        if (!b(x509ExtensionSpec, mappings)) {
            if (!set.contains(CertComplianceAdjustment.ChangeItem.MISSING_CERT_POLICY_EXTN)) {
                throw new CertCreationException("Each issuerDomainPolicy named in the policy mappings extension SHOULD also be asserted in a certificate policies extension");
            }
        }
    }

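    /**
     * Validates one name-constraints subtree list (permitted or excluded).
     *
     * <p>A {@code null} list is treated like an empty one. The name-constraints getters are
     * compared against {@code null} elsewhere in this class and their results are passed
     * straight in, so dereferencing the list unguarded would turn "extension not set" into a
     * {@code NullPointerException} instead of a clean pass.
     *
     * @param x509ExtensionSpec the extension spec the list came from; supplies the critical
     *     OID set and the basic-constraints value
     * @param list the subtrees to validate; may be {@code null} or empty
     * @throws CertCreationException if subtrees are present but the extension is not critical,
     *     basic constraints are not set, or a subtree has a minimum other than 0 or a maximum
     *     other than -1
     */
    private static void a(X509ExtensionSpec x509ExtensionSpec, List<GeneralSubtree> list) throws CertCreationException {
        if (list == null || list.isEmpty()) {
            return;
        }
        if (!x509ExtensionSpec.getCriticalExtOIDS().contains(ObjectID.NAME_CONSTRAINTS_EXTN)) {
            throw new CertCreationException("Named constraint extension MUST be set as critical");
        }
        // -1 is the "basic constraints not set" sentinel, i.e. not a CA request.
        if (x509ExtensionSpec.getBasicConstraints() == -1) {
            throw new CertCreationException("Named constraints MUST only be applied to CA certificates");
        }
        for (GeneralSubtree subtree : list) {
            // -1 stands for an absent maximum, per the message below.
            if (subtree.getMaximum() != -1 || subtree.getMinimum() != 0) {
                throw new CertCreationException("Named constraints minimum field MUST be 0 and the maximum field MUST be absent");
            }
        }
    }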

    /**
     * Range-checks a certificate serial number; {@code null} is accepted without checks.
     *
     * <p>NOTE(review): {@code bitLength()} excludes the sign bit, so a positive value with
     * {@code bitLength() == 160} passes although {@code BigInteger.toByteArray()} needs 21
     * bytes for it (a leading 0x00). If the limit is meant as 20 encoded octets the bound
     * would be 159 — confirm against the encoder before tightening, since that would reject
     * serials accepted today. A zero serial ({@code signum() == 0}) is also accepted here.
     *
     * @param bigInteger the serial number, or {@code null} if none was supplied
     * @throws CertCreationException if the value is negative or longer than 160 bits
     */
    static void a(BigInteger bigInteger) throws CertCreationException {
        if (bigInteger == null) {
            return;
        }
        if (bigInteger.signum() < 0) {
            throw new CertCreationException("Serial number cannot be negative");
        }
        final int magnitudeBits = bigInteger.bitLength();
        if (magnitudeBits > 160) {
            throw new CertCreationException("Serial number cannot be have more than 20 bytes");
        }
    }

    /**
     * Reports whether two entries of {@code dVar} resolve to the same extension type.
     *
     * <p>Each entry is wrapped in an {@code oo} and keyed by {@code oo.d()}; the scan stops at
     * the first repeated key.
     *
     * @param dVar the container to scan; {@code null} yields {@code false}
     * @param i passed unchanged as the second argument of the {@code oo} constructor
     * @return {@code true} if a key occurs more than once, otherwise {@code false}
     */
    static boolean a(d dVar, int i) {
        if (dVar == null) {
            return false;
        }
        final Set<Object> seenTypes = new HashSet<Object>();
        for (int idx = 0; idx < dVar.c(); idx++) {
            // Set.add returns false when an equal key is already stored.
            if (!seenTypes.add(new oo(dVar.a(idx), i).d())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether a distribution point covers every revocation reason.
     *
     * <p>Absent reason flags ({@code null}) count as full coverage. Otherwise the array must
     * hold exactly 9 flags and all of them must be set.
     *
     * @param distributionPoint the distribution point to inspect; must not be {@code null}
     * @return {@code true} for absent flags or 9 set flags, otherwise {@code false}
     */
    static boolean a(DistributionPoint distributionPoint) {
        final boolean[] flags = distributionPoint.getReasonFlags();
        if (flags == null) {
            return true;
        }
        if (flags.length != 9) {
            return false;
        }
        // Walk forward while flags are set; reaching the end means none was cleared.
        int idx = 0;
        while (idx < flags.length && flags[idx]) {
            idx++;
        }
        return idx == flags.length;
    }

    /**
     * Reports whether at least one distribution point in the list covers all reasons.
     *
     * @param list the distribution points; {@code null} or empty yields {@code false}
     * @return {@code true} as soon as one entry passes {@code a(DistributionPoint)}
     */
    static boolean a(List<DistributionPoint> list) {
        if (list == null) {
            return false;
        }
        for (DistributionPoint point : list) {
            if (a(point)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether any flag in the array is set.
     *
     * @param zArr the flags; {@code null} or an empty array yields {@code false}
     * @return {@code true} if at least one element is {@code true}
     */
    private static boolean a(boolean[] zArr) {
        if (zArr == null) {
            return false;
        }
        for (int idx = 0; idx < zArr.length; idx++) {
            if (zArr[idx]) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates a distribution-point list (used for both CRL distribution points and the
     * freshest CRL extension).
     *
     * <p>At least one entry must cover all reasons, and any entry that names a cRLIssuer must
     * name exactly one, of type {@code DIRECTORY_NAME}.
     *
     * @param list the distribution points; an empty list fails the coverage rule
     * @throws CertCreationException if no entry covers all reasons or a cRLIssuer is malformed
     */
    private static void b(List<DistributionPoint> list) throws CertCreationException {
        if (!a(list)) {
            throw new CertCreationException("At least one Distribution Point must cover all reasons");
        }
        for (DistributionPoint point : list) {
            final List<GeneralName> issuers = point.getCrLIssuer();
            if (issuers == null) {
                // cRLIssuer is optional; nothing to check for this entry.
                continue;
            }
            final boolean singleDirectoryName = issuers.size() == 1
                    && issuers.get(0).getType() == GeneralName.Type.DIRECTORY_NAME;
            if (!singleDirectoryName) {
                throw new CertCreationException("The cRLIssuer MUST only contain the distinguished name from the issuer field of the CRL");
            }
        }
    }

    /**
     * Reports whether the first OID of every policy mapping is also a key of the
     * certificate-policies extension.
     *
     * <p>NOTE(review): element 0 of each mapping is read unconditionally; this assumes every
     * mapping is non-empty and that element 0 is the issuerDomainPolicy named in the caller's
     * error message — confirm against whatever builds the mappings.
     *
     * @param x509ExtensionSpec the spec whose certificate policies are consulted
     * @param list the policy mappings; must not be {@code null}
     * @return {@code false} if no certificate policies are set or any mapping's first OID is
     *     not among them, otherwise {@code true}
     */
    private static boolean b(X509ExtensionSpec x509ExtensionSpec, List<List<ObjectID>> list) {
        final Map<ObjectID, List<PolicyQualifierInfo>> assertedPolicies = x509ExtensionSpec.getCertificatePolicies();
        if (assertedPolicies == null || assertedPolicies.isEmpty()) {
            return false;
        }
        for (List<ObjectID> mapping : list) {
            if (!assertedPolicies.containsKey(mapping.get(0))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reports whether any subtree constrains one of the three name forms the caller's message
     * discourages: registeredID, x400Address or ediPartyName.
     *
     * @param list the subtrees to scan; {@code null} yields {@code false}
     * @return {@code true} if some subtree's base has one of those types
     */
    private static boolean c(List<GeneralSubtree> list) {
        if (list == null) {
            return false;
        }
        for (GeneralSubtree subtree : list) {
            final GeneralName.Type form = subtree.getBase().getType();
            if (form == GeneralName.Type.REGISTERED_ID
                    || form == GeneralName.Type.X400_ADDRESS
                    || form == GeneralName.Type.EDI_PARTY_NAME) {
                return true;
            }
        }
        return false;
    }

    /**
     * Screens caller-supplied, pre-encoded extensions.
     *
     * <p>Two kinds are refused. An extension whose type is in {@code f2034b} is rejected
     * because, as the message says, it can be created via the API and a raw encoding of it
     * cannot be validated. An extension for which {@code ov.a()} and {@code oo.e()} are both
     * true is rejected as an unknown extension marked critical — NOTE(review): the meaning of
     * those two obfuscated accessors is inferred from the message text.
     *
     * @param list the encoded extensions; must not be {@code null}
     * @throws CertCreationException for the first extension that falls into either category
     */
    private static void d(List<byte[]> list) throws CertCreationException {
        for (byte[] encoded : list) {
            final oo parsed = new oo(a.a("Extension", encoded, 0), 0);
            final ov extensionType = parsed.d();
            if (f2034b.contains(extensionType)) {
                throw new CertCreationException("An extension that can be created via the API has been encoded, hence validation is not possible: " + parsed);
            }
            if (extensionType.a() && parsed.e()) {
                throw new CertCreationException("Unknown extension is marked as critical: " + parsed);
            }
        }
    }

    /**
     * Returns a string supplied by the concrete subclass.
     *
     * <p>NOTE(review): the name is obfuscated and no caller is visible in this file;
     * presumably an identifier for the compliance profile the subclass implements — confirm.
     */
    public abstract String a();

    /**
     * Subclass entry point taking the issuer data, the creation request, the compliance
     * adjustment and the {@code d} container used by the static duplicate-extension check.
     *
     * <p>NOTE(review): the contract is not visible in this file; presumably each subclass
     * combines the static validators of this class according to its profile — confirm
     * against the subclasses.
     *
     * @throws CertCreationException declared by the signature; conditions depend on the subclass
     */
    public abstract void a(IssuerInformation issuerInformation, CertCreationParameterSpec certCreationParameterSpec, CertComplianceAdjustment certComplianceAdjustment, d dVar) throws CertCreationException;
}
