package sun.security.provider.certpath;

import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.CRLException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.EnumSet;
import java.util.Set;
import sun.security.util.AnchorCertificates;
import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug;
import sun.security.util.DisabledAlgorithmConstraints;
import sun.security.util.KeyUtil;
import sun.security.validator.Validator;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X509CRLImpl;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:sun/security/provider/certpath/AlgorithmChecker.class */
/**
 * PKIX certification-path checker that applies {@link AlgorithmConstraints} to the
 * signature algorithm and public key of each certificate it is handed.
 *
 * <p>The checker is stateful: {@link #prevPubKey} holds the key of the previously
 * checked certificate (or of the trust anchor) and is used as the issuer key for the
 * next certificate. Forward checking is rejected in {@link #init(boolean)}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #check(Certificate, Collection)} returns without any check for a
 *       certificate that is not an {@link X509Certificate}.</li>
 *   <li>When no issuer key is known yet ({@code prevPubKey == null}), the certificate's
 *       key is only recorded; the issuer-key-aware signature check and DSA parameter
 *       inheritance are skipped for that certificate.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the decompiler reported that
 * {@code trySetTrustAnchor} and both static {@code check} overloads were originally
 * package-private.
 */
public final class AlgorithmChecker extends PKIXCertPathChecker {
    // Constraints applied by this instance; the constructor substitutes
    // certPathDefaultConstraints when the caller passes null.
    private final AlgorithmConstraints constraints;
    // Public key taken from the trust anchor, or null when no anchor was supplied.
    private final PublicKey trustedPubKey;
    // Date handed to ConstraintsParameters; the JAR timestamp's date wins when present.
    private final Date pkixdate;
    // Issuer key for the next certificate to be checked.
    private PublicKey prevPubKey;
    private final Timestamp jarTimestamp;
    // Validator variant; Validator.VAR_GENERIC when the caller passes null.
    private final String variant;
    // True when the anchor certificate was found by AnchorCertificates.contains().
    private boolean trustedMatch;

    private static final Debug debug = Debug.getInstance("certpath");
    private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
    // Primitives assumed for a certificate that carries no KeyUsage extension.
    private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT));
    private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints(DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
    // Must be initialised after certPathDefaultConstraints. When false, checkFingerprint()
    // never consults AnchorCertificates and trustedMatch stays false.
    private static final boolean publicCALimits = certPathDefaultConstraints.checkProperty("jdkCA");

    /**
     * Creates a checker that uses the default certpath constraints, with no date and no
     * JAR timestamp.
     *
     * @param trustAnchor the trust anchor, may be null
     * @param str the validator variant, may be null
     */
    public AlgorithmChecker(TrustAnchor trustAnchor, String str) {
        this(trustAnchor, certPathDefaultConstraints, null, null, str);
    }

    /**
     * Creates a checker without a trust anchor.
     *
     * @param algorithmConstraints the constraints to apply, null selects the defaults
     * @param timestamp the JAR timestamp, may be null
     * @param str the validator variant, may be null
     */
    public AlgorithmChecker(AlgorithmConstraints algorithmConstraints, Timestamp timestamp, String str) {
        this(null, algorithmConstraints, null, timestamp, str);
    }

    /**
     * Creates a checker from every input the other constructors default.
     *
     * @param trustAnchor the trust anchor, may be null; supplies the initial issuer key
     * @param algorithmConstraints the constraints to apply, null selects the defaults
     * @param date the validation date, used only when {@code timestamp} is null
     * @param timestamp the JAR timestamp, may be null; its date overrides {@code date}
     * @param str the validator variant, null selects {@code Validator.VAR_GENERIC}
     */
    public AlgorithmChecker(TrustAnchor trustAnchor, AlgorithmConstraints algorithmConstraints, Date date, Timestamp timestamp, String str) {
        PublicKey anchorKey;
        boolean anchorMatched = false;
        if (trustAnchor == null) {
            anchorKey = null;
            if (debug != null) {
                debug.println("TrustAnchor is null, trustedMatch is false.");
            }
        } else {
            X509Certificate anchorCert = trustAnchor.getTrustedCert();
            if (anchorCert == null) {
                // Anchor given as a bare CA key: there is no certificate to look up.
                anchorKey = trustAnchor.getCAPublicKey();
            } else {
                anchorKey = anchorCert.getPublicKey();
                anchorMatched = checkFingerprint(anchorCert);
                if (anchorMatched && debug != null) {
                    debug.println("trustedMatch = true");
                }
            }
        }
        this.trustedPubKey = anchorKey;
        this.trustedMatch = anchorMatched;
        this.prevPubKey = anchorKey;
        if (algorithmConstraints == null) {
            this.constraints = certPathDefaultConstraints;
        } else {
            this.constraints = algorithmConstraints;
        }
        if (timestamp == null) {
            this.pkixdate = date;
        } else {
            this.pkixdate = timestamp.getTimestamp();
        }
        this.jarTimestamp = timestamp;
        if (str == null) {
            this.variant = Validator.VAR_GENERIC;
        } else {
            this.variant = str;
        }
    }

    /**
     * Creates a checker that uses the default certpath constraints and a validation date.
     *
     * @param trustAnchor the trust anchor, may be null
     * @param date the validation date, may be null
     * @param str the validator variant, may be null
     */
    public AlgorithmChecker(TrustAnchor trustAnchor, Date date, String str) {
        this(trustAnchor, certPathDefaultConstraints, date, null, str);
    }

    /**
     * Reports whether the anchor certificate is known to {@code AnchorCertificates}.
     * Always false when {@code publicCALimits} is false.
     */
    private static boolean checkFingerprint(X509Certificate x509Certificate) {
        if (publicCALimits) {
            if (debug != null) {
                debug.println("AlgorithmChecker.contains: " + x509Certificate.getSigAlgName());
            }
            return AnchorCertificates.contains(x509Certificate);
        }
        return false;
    }

    /**
     * Resets the issuer key to the trust anchor's key (null when there is no anchor).
     *
     * @param z true to request forward checking, which is refused
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        // trustedPubKey is either the anchor key or null, so a plain copy covers both cases.
        this.prevPubKey = this.trustedPubKey;
    }

    /** Forward checking is not supported by this checker. */
    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** Returns null: this checker handles no certificate extensions. */
    @Override
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Applies the algorithm constraints to one certificate and advances the issuer key.
     *
     * <p>Order of checks: KeyUsage array length, signature algorithm with its parameters,
     * KeyUsage-derived primitives, the constraints on the certificate and key, then (only
     * when an issuer key is known) the signature algorithm against the issuer key.
     *
     * @param certificate the certificate to check; anything other than an
     *        {@link X509Certificate} is accepted without being checked
     * @param collection unresolved critical extensions; not read by this method
     * @throws CertPathValidatorException if a constraint rejects the certificate, the
     *         KeyUsage extension is malformed, or DSA parameters cannot be inherited
     */
    @Override
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        if (this.constraints == null || !(certificate instanceof X509Certificate)) {
            return;
        }
        X509Certificate x509 = (X509Certificate) certificate;
        boolean[] keyUsage = x509.getKeyUsage();
        // Bits 0..6 are indexed below, so a short array is rejected up front.
        if (keyUsage != null && keyUsage.length < 9) {
            throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }
        try {
            X509CertImpl certImpl = X509CertImpl.toImpl(x509);
            AlgorithmId sigAlgId = (AlgorithmId) certImpl.get(X509CertImpl.SIG_ALG);
            AlgorithmParameters sigAlgParams = sigAlgId.getParameters();
            PublicKey subjectKey = certificate.getPublicKey();
            String sigAlgName = certImpl.getSigAlgName();

            // First pass: signature algorithm and parameters, without any key.
            boolean sigAlgPermitted = this.constraints.permits(SIGNATURE_PRIMITIVE_SET, sigAlgName, sigAlgParams);
            if (!sigAlgPermitted) {
                throw new CertPathValidatorException("Algorithm constraints check failed on signature algorithm: " + sigAlgName, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
            }

            Set<CryptoPrimitive> primitives = primitivesForKeyUsage(keyUsage);

            ConstraintsParameters cp = new ConstraintsParameters(x509, this.trustedMatch, this.pkixdate, this.jarTimestamp, this.variant);
            if (this.constraints instanceof DisabledAlgorithmConstraints) {
                // NOTE(review): the outcome of this call is not inspected here; presumably
                // rejection is signalled by an exception - confirm against
                // DisabledAlgorithmConstraints. The KeyUsage-derived primitives are not
                // passed on this path.
                ((DisabledAlgorithmConstraints) this.constraints).permits(sigAlgName, cp);
            } else {
                // Caller-supplied constraints: the defaults are consulted first, then the
                // caller's constraints are asked about the key.
                certPathDefaultConstraints.permits(sigAlgName, cp);
                if (!this.constraints.permits(primitives, subjectKey)) {
                    throw new CertPathValidatorException("Algorithm constraints check failed on key " + subjectKey.getAlgorithm() + " with size of " + KeyUtil.getKeySize(subjectKey) + "bits", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
                }
            }

            PublicKey issuerKey = this.prevPubKey;
            if (issuerKey == null) {
                // No issuer key yet: remember this key and skip the issuer-dependent checks.
                this.prevPubKey = subjectKey;
                return;
            }

            // Second pass: signature algorithm together with the issuer's key.
            if (!this.constraints.permits(SIGNATURE_PRIMITIVE_SET, sigAlgName, issuerKey, sigAlgParams)) {
                throw new CertPathValidatorException("Algorithm constraints check failed on signature algorithm: " + sigAlgName, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
            }

            if (PKIX.isDSAPublicKeyWithoutParams(subjectKey)) {
                subjectKey = inheritDsaParams(subjectKey, issuerKey);
            }
            this.prevPubKey = subjectKey;
        } catch (CertificateException e2) {
            throw new CertPathValidatorException(e2);
        }
    }

    /**
     * Maps a KeyUsage bit array to the crypto primitives it allows. Per
     * {@link X509Certificate#getKeyUsage()}: 0 digitalSignature, 1 nonRepudiation,
     * 2 keyEncipherment, 3 dataEncipherment, 4 keyAgreement, 5 keyCertSign, 6 cRLSign.
     *
     * @param keyUsage the KeyUsage bits, or null when the extension is absent
     * @return {@code KU_PRIMITIVE_SET} for null input, otherwise a fresh non-empty set
     * @throws CertPathValidatorException if none of bits 0..6 is set
     */
    private static Set<CryptoPrimitive> primitivesForKeyUsage(boolean[] keyUsage) throws CertPathValidatorException {
        if (keyUsage == null) {
            return KU_PRIMITIVE_SET;
        }
        Set<CryptoPrimitive> primitives = EnumSet.noneOf(CryptoPrimitive.class);
        boolean signs = keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6];
        if (signs) {
            primitives.add(CryptoPrimitive.SIGNATURE);
        }
        if (keyUsage[2]) {
            primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
        }
        if (keyUsage[3]) {
            primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
        }
        if (keyUsage[4]) {
            primitives.add(CryptoPrimitive.KEY_AGREEMENT);
        }
        if (primitives.isEmpty()) {
            throw new CertPathValidatorException("incorrect KeyUsage extension bits", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }
        return primitives;
    }

    /**
     * Rebuilds a parameterless DSA key using the issuer key's P, Q and G.
     *
     * @param subjectKey a DSA public key without parameters (the caller has verified this)
     * @param issuerKey the previously recorded key that should supply the parameters
     * @return a DSA public key carrying the subject's Y and the issuer's parameters
     * @throws CertPathValidatorException if the issuer key is not DSA, has no parameters,
     *         or the key cannot be generated
     */
    private static PublicKey inheritDsaParams(PublicKey subjectKey, PublicKey issuerKey) throws CertPathValidatorException {
        if (!(issuerKey instanceof DSAPublicKey)) {
            throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters");
        }
        DSAParams issuerParams = ((DSAPublicKey) issuerKey).getParams();
        if (issuerParams == null) {
            throw new CertPathValidatorException("Key parameters missing from public key.");
        }
        try {
            // The factory is obtained before the spec is built, keeping the original order.
            KeyFactory dsaFactory = KeyFactory.getInstance("DSA");
            DSAPublicKeySpec spec = new DSAPublicKeySpec(((DSAPublicKey) subjectKey).getY(), issuerParams.getP(), issuerParams.getQ(), issuerParams.getG());
            return dsaFactory.generatePublic(spec);
        } catch (GeneralSecurityException e) {
            throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + e.getMessage(), e);
        }
    }

    /**
     * Installs the trust anchor's key as the issuer key, but only when no issuer key has
     * been recorded yet; otherwise the call does nothing, even for a null anchor.
     *
     * <p>The decompiler reported this method as originally package-private.
     *
     * @param trustAnchor the trust anchor to take the key from
     * @throws IllegalArgumentException if no issuer key is recorded and the anchor is null
     */
    public void trySetTrustAnchor(TrustAnchor trustAnchor) {
        if (this.prevPubKey != null) {
            return;
        }
        if (trustAnchor == null) {
            throw new IllegalArgumentException("The trust anchor cannot be null");
        }
        X509Certificate anchorCert = trustAnchor.getTrustedCert();
        if (anchorCert == null) {
            // Bare-key anchor: trustedMatch is left as it was.
            this.prevPubKey = trustAnchor.getCAPublicKey();
            return;
        }
        this.prevPubKey = anchorCert.getPublicKey();
        this.trustedMatch = checkFingerprint(anchorCert);
        if (this.trustedMatch && debug != null) {
            debug.println("trustedMatch = true");
        }
    }

    /**
     * Checks a CRL's signature algorithm and the given key against the default certpath
     * constraints.
     *
     * <p>The decompiler reported this method as originally package-private.
     *
     * @param publicKey the key passed on to the constraints check
     * @param x509crl the CRL whose signature algorithm id is checked
     * @param str the validator variant
     * @throws CertPathValidatorException if the CRL cannot be converted, or as raised by
     *         the delegated check
     */
    public static void check(PublicKey publicKey, X509CRL x509crl, String str) throws CertPathValidatorException {
        try {
            AlgorithmId crlSigAlgId = X509CRLImpl.toImpl(x509crl).getSigAlgId();
            check(publicKey, crlSigAlgId, str);
        } catch (CRLException e) {
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Hands an algorithm id and key to the default certpath constraints. The custom
     * constraints of an instance are never consulted on this path.
     *
     * <p>The decompiler reported this method as originally package-private.
     *
     * @param publicKey the key to check
     * @param algorithmId the algorithm id whose name and parameters are checked
     * @param str the validator variant
     * @throws CertPathValidatorException as declared; presumably raised by the constraints
     *         on rejection - confirm against DisabledAlgorithmConstraints
     */
    public static void check(PublicKey publicKey, AlgorithmId algorithmId, String str) throws CertPathValidatorException {
        ConstraintsParameters cp = new ConstraintsParameters(algorithmId.getName(), algorithmId.getParameters(), publicKey, str);
        certPathDefaultConstraints.permits(cp);
    }
}
