package iaik.pki.pathvalidation;

import iaik.asn1.ObjectID;
import iaik.asn1.structures.GeneralName;
import iaik.asn1.structures.Name;
import iaik.logging.Log;
import iaik.logging.LogFactory;
import iaik.logging.TransactionId;
import iaik.pki.PKIException;
import iaik.pki.PKIModule;
import iaik.pki.RevocationTrustProfileImpl;
import iaik.pki.revocation.CertificateStatusChecker;
import iaik.pki.revocation.RevocationProfile;
import iaik.pki.revocation.RevocationStatus;
import iaik.pki.store.certinfo.CertInfo;
import iaik.pki.store.certinfo.CertInfoStoreException;
import iaik.pki.store.certinfo.CertIssuer;
import iaik.pki.store.revocation.RevocationFactory;
import iaik.pki.store.revocation.RevocationInfo;
import iaik.pki.store.revocation.SupplementalRevocationSources;
import iaik.pki.utils.CertUtil;
import iaik.pki.utils.Constants;
import iaik.pki.utils.DBTypeParser;
import iaik.pki.utils.NameUtils;
import iaik.pki.utils.UtilsException;
import iaik.utils.CryptoUtils;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.BasicConstraints;
import iaik.x509.extensions.CertificatePolicies;
import iaik.x509.extensions.InhibitAnyPolicy;
import iaik.x509.extensions.KeyUsage;
import iaik.x509.extensions.NameConstraints;
import iaik.x509.extensions.PolicyConstraints;
import iaik.x509.extensions.PolicyMappings;
import iaik.x509.extensions.SubjectAltName;
import iaik.x509.extensions.SubjectKeyIdentifier;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BKULocal.war:WEB-INF/lib/iaik_pki-2.00-MOA-MOCCA.jar:iaik/pki/pathvalidation/Q.class */
public class Q implements Validator, ValidationStatus {
    // Constant string; nothing in the visible part of the file reads it.
    // NOTE(review): looks like the name of a configuration property — confirm where it is consumed.
    public static final String N = "iaik.pki.pathvalidation.CheckOneCertChainValidity";
    // Controls the single-certificate branch of validateChain: when true, a lone certificate that is
    // outside its validity period is reported INVALID; when false it is accepted with a warning
    // because it is treated as a trust anchor. Where this flag is assigned is not visible here
    // (presumably from the property named by N — confirm).
    static boolean D;
    // Logger used by every method of this class. Its initialisation is not visible here.
    protected static Log Q;
    // Validation configuration; assigned once by A(ValidationConfiguration, TransactionId) and
    // queried for the chaining mode of the trust anchor. null means "not yet configured".
    protected ValidationConfiguration H;
    // Validation profile supplied to the constructor (never null after construction). Selects
    // policy processing, name-constraints processing and revocation checking.
    protected ValidationProfile J;
    // Valid policy tree; created by B(...) when policy processing is enabled, otherwise null.
    protected G L;
    // Counter reset to 0 by B(...) and incremented once per certificate processed in validateChain.
    protected int P;
    // inhibitAnyPolicy state variable (name taken from the debug output in B(...)).
    protected int G;
    // inhibitPolicyMapping state variable (name taken from the debug output in B(...)).
    protected int M;
    // requireExplicitPolicy state variable (name taken from the debug output in B(...)).
    protected int B;
    // maxPathLength state variable (name taken from the debug output in validateChain).
    protected int O;
    // pathLenConstraint read from the current certificate's BasicConstraints; -1 when the extension
    // is absent, does not assert CA, or cannot be initialised.
    protected int A;
    // Whether the current certificate's BasicConstraints asserts CA; false when the extension is
    // absent or cannot be initialised.
    protected boolean F;
    // The chain handed to B(...) for the validation in progress.
    protected List<CertInfo> E;
    // Revocation status checker set through setCertificateStatusChecker; only dereferenced when the
    // profile enables revocation checking.
    protected CertificateStatusChecker I;
    // Created by B(...) only when name-constraints processing is enabled.
    // NOTE(review): presumably holds name-constraint state (types E and K are not visible) — confirm.
    protected E C;
    protected K K;

    /**
     * Creates a validator bound to the given validation profile.
     *
     * @param validationProfile profile that drives policy, name-constraints and revocation
     *        processing; must be non-null and must expose a non-null initial policy set
     * @throws NullPointerException if the profile or its initial policy set is {@code null}
     */
    public Q(ValidationProfile validationProfile) {
        // Both checks run before the field is assigned, so a rejected profile is never stored.
        java.util.Objects.requireNonNull(validationProfile, "null profile not allowed");
        java.util.Objects.requireNonNull(validationProfile.getInitialPolicySet(), "Initial policy set mustn't be null");
        this.J = validationProfile;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Installs the validation configuration. This is a one-shot operation: once a configuration
     * has been stored, any further call is rejected so the trust settings of a live validator
     * cannot be swapped out.
     *
     * @param validationConfiguration configuration to install; must not be {@code null}
     * @param transactionId identifier passed to the logger for correlation
     * @throws NullPointerException if {@code validationConfiguration} is {@code null}
     * @throws ValidationException if a configuration has already been installed
     */
    public synchronized void A(ValidationConfiguration validationConfiguration, TransactionId transactionId) throws ValidationException {
        if (validationConfiguration == null) {
            throw new NullPointerException("Valdiation configuration must not be null.");
        }
        final boolean alreadyConfigured = this.H != null;
        if (!alreadyConfigured) {
            Q.debug(transactionId, "Validator successfully configured.", null);
            this.H = validationConfiguration;
            return;
        }
        // Reconfiguration attempt: log it and refuse.
        final String message = "Validator is already configured.";
        Q.error(transactionId, message, null);
        throw new ValidationException(message, null, getClass().getName() + ":7");
    }

    /**
     * Sets the checker used for revocation status queries during chain validation.
     *
     * <p>The checker is only dereferenced when the profile enables revocation checking. If it was
     * never set, the resulting failure inside {@code validateChain} is caught there and rethrown as
     * a {@code ValidationException}, so a missing checker does not yield a VALID result.
     *
     * @param certificateStatusChecker checker to use; must not be {@code null}
     * @throws NullPointerException if {@code certificateStatusChecker} is {@code null}
     */
    @Override // iaik.pki.pathvalidation.Validator
    public void setCertificateStatusChecker(CertificateStatusChecker certificateStatusChecker) {
        // The field is only written when the argument passes the null check.
        this.I = java.util.Objects.requireNonNull(certificateStatusChecker, "Staus checker must not be set to null");
    }

    /**
     * Stores the chain and resets the per-validation state variables.
     *
     * <p>For a chain of one certificate only the chain reference is stored. For longer chains the
     * processed-certificate counter is reset, the policy state (policy tree, inhibitAnyPolicy,
     * inhibitPolicyMapping, requireExplicitPolicy) is initialised when the profile enables policy
     * processing, the name-constraint state objects are created when the profile enables
     * name-constraints processing, and maxPathLength is set to the number of certificates below the
     * last chain element.
     *
     * @param list chain to validate; must be non-null and non-empty
     * @param transactionId identifier passed to the logger for correlation
     * @throws NullPointerException if {@code list} is {@code null}
     * @throws ValidationException if {@code list} is empty
     */
    protected void B(List<CertInfo> list, TransactionId transactionId) throws ValidationException {
        if (list == null) {
            throw new NullPointerException("Can't validate null certpath");
        }
        final int certCount = list.size();
        if (certCount == 0) {
            Q.error(transactionId, "Certificate chain must at least contain one cert", null);
            throw new ValidationException("Can't validate empty chain", null, getClass().getName() + ":1");
        }
        this.E = list;
        if (certCount <= 1) {
            // Single-certificate chains need no path state.
            return;
        }
        this.P = 0;
        // Number of certificates excluding the last chain element.
        final int pathLength = certCount - 1;
        if (!this.J.getPolicyProcessing()) {
            this.L = null;
        } else {
            this.L = new G();
            // Each variable starts at 0 when the profile sets the corresponding initial flag,
            // otherwise at pathLength + 1.
            final int unset = pathLength + 1;
            this.G = this.J.getInitialAnyPolicyInhibit() ? 0 : unset;
            this.M = this.J.getInitialPolicyMappingInhibit() ? 0 : unset;
            this.B = this.J.getInitialExplicitPolicy() ? 0 : unset;
            if (Q.isDebugEnabled()) {
                Q.debug(transactionId, "inhibitAnyPolicy = " + this.G + Constants.LINE_SEPARATOR + "inhibitPolicyMapping = " + this.M + Constants.LINE_SEPARATOR + "requireExplicitPolicy = " + this.B, null);
            }
        }
        if (this.J.getNameConstraintsProcessing()) {
            this.C = new E();
            this.K = new K();
        }
        this.O = pathLength;
    }

    /**
     * Decrements a counter without letting it pass below its current non-positive value.
     *
     * @param i counter value
     * @return {@code i - 1} when {@code i} is positive, otherwise {@code i} unchanged
     */
    protected static int A(int i) {
        if (i <= 0) {
            return i;
        }
        return i - 1;
    }

    /**
     * Re-checks the chaining of every certificate below position {@code i}, walking from the
     * element at index {@code i} (used as the first issuer) down to index 0.
     *
     * @param list certificate chain
     * @param i index of the element that acts as issuer for the first check
     * @param publicKey working key handed to the first chaining check
     * @param transactionId identifier passed to the logger and the certificate store
     * @return {@code true} if every chaining check succeeds, {@code false} at the first failure
     * @throws CertInfoStoreException if a certificate cannot be obtained from its {@code CertInfo}
     * @throws ValidationException if a chaining check raises one
     */
    protected boolean A(List<CertInfo> list, int i, PublicKey publicKey, TransactionId transactionId) throws CertInfoStoreException, ValidationException {
        ListIterator<CertInfo> cursor = list.listIterator(i + 1);
        CertIssuer issuer = (CertIssuer) cursor.previous();
        PublicKey workingKey = publicKey;
        while (cursor.hasPrevious()) {
            CertInfo subject = cursor.previous();
            boolean chained = A(subject, subject.isSelfIssued(), issuer, workingKey, transactionId);
            if (!chained) {
                return false;
            }
            // The key of the certificate just checked becomes the working key for the next one.
            workingKey = M.A(subject.getCertificate(transactionId).getPublicKey(), workingKey, transactionId);
            // Only cast to CertIssuer when another certificate follows; the element at index 0 is
            // never used as an issuer.
            if (cursor.hasPrevious()) {
                issuer = (CertIssuer) subject;
            }
        }
        return true;
    }

    /**
     * Extracts the certificates of a chain into a new list, in chain order.
     *
     * <p>This is best effort: an entry whose certificate cannot be obtained is logged and left
     * out, so the returned list can be shorter than the input and its indices need not line up
     * with the chain indices.
     *
     * @param list chain to convert; may be {@code null}
     * @param transactionId identifier passed to the logger and the certificate store
     * @return a new list of the certificates that could be obtained; empty when {@code list} is
     *         {@code null}
     */
    protected List<X509Certificate> A(List<CertInfo> list, TransactionId transactionId) {
        ArrayList<X509Certificate> certificates = new ArrayList<X509Certificate>();
        if (list == null) {
            return certificates;
        }
        for (CertInfo entry : list) {
            try {
                certificates.add(entry.getCertificate(transactionId));
            } catch (CertInfoStoreException storeFailure) {
                // Deliberately non-fatal: log and continue with the remaining entries.
                Q.error(transactionId, "Cannot get certificate out of certinfo", storeFailure);
            }
        }
        return certificates;
    }

    /**
     * Validates a certificate chain and returns a result object that says whether the chain is
     * valid and, for an invalid chain, carries a reason code and a chain position.
     *
     * <p>The last list element is treated as the trust anchor and index 0 as the final certificate.
     * A chain of exactly one certificate is handled separately: no signature, revocation or
     * extension processing takes place, only a validity-period check whose outcome is enforced
     * solely when the static flag {@code D} is set.
     *
     * <p>For longer chains the certificates below the trust anchor are processed one by one towards
     * index 0. Each goes through, in this order: validity period, chaining check against its issuer,
     * reading of BasicConstraints, revocation status (if enabled in the profile), working-key
     * update, and extension processing. The first failing step ends validation with an INVALID
     * result.
     *
     * <p>NOTE(review): the method writes instance fields (P, F, A, L, B, M, G, O) without
     * synchronisation, so one instance does not look safe for concurrent validations — confirm how
     * callers obtain validators.
     *
     * @param list chain to validate; must be non-null and non-empty
     * @param date validation date; must not be {@code null}
     * @param pKIModule passed to the {@code RevocationTrustProfileImpl} built for each status query
     * @param revocationProfile passed through to the certificate status checker
     * @param supplementalRevocationSources passed through to the certificate status checker
     * @param z when {@code true}, the revocation check of the final certificate (index 0) is
     *        skipped; the log text attributes this to a "NoCheck" extension, but this method does
     *        not inspect the certificate for it and relies entirely on the caller's value
     * @param transactionId identifier passed to the logger and the certificate store
     * @return the validation result (VALID or INVALID with details)
     * @throws PKIException as {@code ValidationException} when the validator is not configured, the
     *         date is {@code null}, the chaining mode is unknown or the status check fails; other
     *         PKI exceptions raised by helpers propagate unchanged
     */
    @Override // iaik.pki.pathvalidation.Validator
    public ValidationResult validateChain(List<CertInfo> list, Date date, PKIModule pKIModule, RevocationProfile revocationProfile, SupplementalRevocationSources supplementalRevocationSources, boolean z, TransactionId transactionId) throws PKIException {
        Date date2;
        U u;
        if (this.H == null) {
            Q.error(transactionId, "Validator not yet configured", null);
            throw new ValidationException("Validator not yet configured", null, getClass().getName() + ":2");
        }
        // Rejects null/empty chains and resets the per-validation state.
        B(list, transactionId);
        if (date == null) {
            throw new ValidationException("Profile returned null as validation date", null, getClass().getName() + ":3");
        }
        Q.debug(transactionId, "Validation date: " + date, null);
        // ---- Single-certificate chain: the certificate is treated as a trust anchor. ----
        if (list.size() == 1) {
            CertInfo certInfo = list.get(0);
            X509Certificate certificate = certInfo.getCertificate(transactionId);
            String chainingMode = this.H.getChainingMode(certificate);
            Q.info(transactionId, "Only one element (\"" + certificate.getSubjectDN() + "\") in the chain.", null);
            if (this.J.getRevocationChecking()) {
                // Revocation is never checked on this path, even when the profile enables it.
                Q.info(transactionId, "Don't perform revocation checking for trust anchor", null);
            }
            // Validity check result as interpreted below: 0 = valid at the date, -1 = expired,
            // any other value = not yet valid.
            int A = A(certificate, date, transactionId);
            // With D unset, an expired or not-yet-valid trust anchor is still reported VALID and
            // only a warning is logged. With D set, the validity failure makes the result INVALID.
            if (!D || A == 0) {
                if (A != 0) {
                    if (A == -1) {
                        Q.warn(transactionId, "Certificate not valid (expired) at " + date + ". Accepting anyway, because it is a trust anchor.", null);
                    } else {
                        Q.warn(transactionId, "Certificate not yet valid at " + date + ". Accepting anyway, because it is a trust anchor.", null);
                    }
                }
                u = new U(ValidationResult.VALID, certInfo.getCertificate(transactionId).getPublicKey(), null, chainingMode, A(list, transactionId));
            } else {
                Q.info(transactionId, "certificate not valid at " + date, null);
                u = new U(ValidationResult.INVALID, certInfo.getCertificate(transactionId).getPublicKey(), null, chainingMode, A(list, transactionId));
                if (A == -1) {
                    u.A(ValidationResultInvalid.CERTIFICATE_EXPIRED);
                } else {
                    u.A(ValidationResultInvalid.CERTIFICATE_NOT_YET_VALID);
                }
            }
            return u;
        }
        // ---- Multi-certificate chain. 'size' is the index of the last element (the trust anchor). ----
        int size = list.size() - 1;
        Q.debug(transactionId, "chain.size(): " + list.size(), null);
        // The iterator starts past the end and walks backwards; 'previous' always holds the issuer
        // of the certificate being processed.
        ListIterator<CertInfo> listIterator = list.listIterator(size + 1);
        CertInfo previous = listIterator.previous();
        if (Q.isDebugEnabled()) {
            Q.debug(transactionId, "trust anchor " + previous.getCertificate(transactionId), null);
        }
        X509Certificate certificate2 = previous.getCertificate(transactionId);
        String chainingMode2 = this.H.getChainingMode(certificate2);
        // An unknown chaining mode from the configuration aborts validation.
        if (!ChainingModes.ALL.contains(chainingMode2)) {
            throw new ValidationException("Invalid chaining mode: " + chainingMode2, null, getClass().getName() + ":4");
        }
        Q.debug(transactionId, "Using chaining mode: " + chainingMode2, null);
        // In CHAIN_MODE the trust anchor's validity is checked, at a date derived from the
        // certificate directly below it. In any other mode the trust anchor's validity period is
        // not checked in this branch at all.
        // NOTE(review): helper A(X509Certificate, TransactionId) is not visible; presumably it
        // returns a date taken from that certificate — confirm.
        if (chainingMode2.equals(ChainingModes.CHAIN_MODE) && listIterator.hasPrevious()) {
            Date A2 = A(listIterator.previous().getCertificate(transactionId), transactionId);
            int A3 = A(certificate2, A2, transactionId);
            if (A3 != 0) {
                Q.info(transactionId, "TrustAnchor not valid at " + A2, null);
                U u2 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u2.A(size);
                if (A3 == -1) {
                    u2.A(ValidationResultInvalid.CERTIFICATE_EXPIRED);
                } else {
                    u2.A(ValidationResultInvalid.CERTIFICATE_NOT_YET_VALID);
                }
                return u2;
            }
            // Undo the look-ahead so the main loop starts directly below the trust anchor.
            listIterator.next();
        }
        // Initial working key, derived from the trust anchor and the configuration.
        PublicKey A4 = M.A(certificate2, this.H, transactionId);
        // Revocation information collected during validation; attached to every result returned
        // from here on.
        ArrayList arrayList = new ArrayList();
        // The factory is invoked twice with the same arguments; the first result is only used for
        // the null test.
        if (RevocationFactory.getInstance(transactionId).createRevocationInfo(certificate2, Collections.emptyList()) != null) {
            arrayList.add(RevocationFactory.getInstance(transactionId).createRevocationInfo(certificate2, Collections.emptyList()));
        }
        // Position reported in failure results. After the decrement at the top of the loop it
        // equals the list index of the current certificate's issuer, i.e. one above the current
        // certificate.
        // NOTE(review): confirm which index consumers of the result expect.
        int size2 = list.size();
        while (listIterator.hasPrevious()) {
            CertInfo previous2 = listIterator.previous();
            this.P++;
            size2--;
            X509Certificate certificate3 = previous2.getCertificate(transactionId);
            if (Q.isDebugEnabled()) {
                Q.debug(transactionId, "current certificate: " + certificate3, null);
            }
            boolean isSelfIssued = previous2.isSelfIssued();
            Q.debug(transactionId, "selfIssued: " + isSelfIssued, null);
            // Pick the date for this certificate's checks: in CHAIN_MODE a date derived from the
            // certificate below it (look-ahead, then restore the cursor); for the final certificate
            // and in every other mode the caller's validation date.
            if (!chainingMode2.equals(ChainingModes.CHAIN_MODE)) {
                date2 = date;
            } else if (listIterator.hasPrevious()) {
                date2 = A(listIterator.previous().getCertificate(transactionId), transactionId);
                listIterator.next();
            } else {
                date2 = date;
            }
            // Step 1: validity period (0 = valid, 1 = not yet valid, -1 = expired).
            int A5 = A(certificate3, date2, transactionId);
            if (A5 != 0) {
                U u3 = new U(ValidationResult.INVALID, previous2.getCertificate(transactionId).getPublicKey(), null, chainingMode2, A(list, transactionId));
                if (A5 == 1) {
                    Q.warn(transactionId, "Certificate not yet valid", null);
                    u3.A(ValidationResultInvalid.CERTIFICATE_NOT_YET_VALID);
                }
                if (A5 == -1) {
                    Q.warn(transactionId, "Certificate expired", null);
                    u3.A(ValidationResultInvalid.CERTIFICATE_EXPIRED);
                }
                u3.A(size2);
                u3.A((Collection<RevocationInfo>) arrayList);
                return u3;
            }
            if (Q.isDebugEnabled()) {
                Q.debug(transactionId, "verifying the signature with the issuer: " + previous.getCertificate(transactionId), null);
            }
            // Step 2: chaining check of this certificate against its issuer and the working key.
            if (!A(previous2, isSelfIssued, (CertIssuer) previous, A4, transactionId)) {
                Q.info(transactionId, "Signature error: chain invalid.", null);
                U u4 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u4.A(size2);
                u4.A(ValidationResultInvalid.CHAINING_FAILED);
                u4.A((Collection<RevocationInfo>) arrayList);
                return u4;
            }
            // Step 3: read CA flag and pathLenConstraint from BasicConstraints. An extension that
            // cannot be initialised is treated like an absent one (not a CA, no constraint) rather
            // than as an error at this point.
            this.F = false;
            this.A = -1;
            try {
                BasicConstraints basicConstraints = (BasicConstraints) certificate3.getExtension(ObjectID.getObjectID(BasicConstraints.oid.getID()));
                if (basicConstraints != null) {
                    this.F = basicConstraints.ca();
                    if (this.F) {
                        this.A = basicConstraints.getPathLenConstraint();
                    }
                }
            } catch (X509ExtensionInitException e) {
                this.F = false;
                this.A = -1;
            }
            // Step 4: revocation status, only when the profile enables it.
            if (this.J.getRevocationChecking()) {
                // The check is skipped only for the final certificate and only when the caller
                // passed z == true; every other certificate is always checked.
                if (!z || listIterator.hasPrevious()) {
                    try {
                        RevocationStatus certificateStatus = this.I.getCertificateStatus(certificate3, this.F, previous.getCertificate(transactionId), A4, date2, chainingMode2, supplementalRevocationSources, new RevocationTrustProfileImpl(previous, A4, pKIModule), revocationProfile, transactionId);
                        // Merge the revocation information into the collected list, skipping entries
                        // already present.
                        Collection<RevocationInfo> revocationInfoList = certificateStatus.getRevocationInfoList();
                        if (revocationInfoList != null) {
                            for (RevocationInfo revocationInfo : revocationInfoList) {
                                if (!arrayList.contains(revocationInfo)) {
                                    arrayList.add(revocationInfo);
                                }
                            }
                        }
                        if (Q.isDebugEnabled()) {
                            Q.debug(transactionId, "Certificate status: " + certificateStatus, null);
                        }
                        // Any status code other than VALID is a failure.
                        if (!certificateStatus.getStatusCode().equals(RevocationStatus.VALID)) {
                            Q.info(transactionId, "Certificate revocation check failed " + certificateStatus.getStatusCode(), null);
                            U u5 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                            u5.A(size2);
                            // Re-check the chaining of the rest of the chain to pick the reason:
                            // REVOCATION_FAILED only if the remaining chain links up, otherwise
                            // CHAINING_FAILED.
                            if (A(list, size2, A4, transactionId)) {
                                u5.A(ValidationResultInvalid.REVOCATION_FAILED);
                                u5.A(certificateStatus);
                            } else {
                                u5.A(ValidationResultInvalid.CHAINING_FAILED);
                            }
                            u5.A((Collection<RevocationInfo>) arrayList);
                            return u5;
                        }
                    } catch (Exception e2) {
                        // Every exception raised in the block above, including runtime exceptions
                        // such as a null status checker and exceptions from the chaining re-check,
                        // is rethrown as a ValidationException, so validation fails closed here.
                        Q.info(transactionId, "Certificate status checking failed", e2);
                        throw new ValidationException("Certificate status checking failed", e2, getClass().getName() + ":5");
                    }
                } else if (Q.isDebugEnabled()) {
                    Q.debug(transactionId, "Do not check status of certificate - \"NoCheck\" extension is included.", null);
                }
            }
            // Step 5: derive the new working key from this certificate's key and the previous
            // working key, and make this certificate the issuer for the next iteration.
            PublicKey publicKey = A4;
            PublicKey publicKey2 = previous2.getCertificate(transactionId).getPublicKey();
            if (Q.isDebugEnabled()) {
                Q.debug(transactionId, "new working key: " + publicKey2.toString(), null);
            }
            A4 = M.A(publicKey2, publicKey, transactionId);
            previous = previous2;
            // Step 6: extension processing. 'hashSet' collects the OIDs of all extensions, critical
            // and non-critical, of this certificate.
            // NOTE(review): helper A(ObjectID, X509Certificate, Set, TransactionId) is not visible;
            // presumably it processes the named extension and removes its OID from the set so the
            // generic loops below see only the remaining ones — confirm.
            Q.debug(transactionId, "checking extensions", null);
            HashSet hashSet = new HashSet();
            Set criticalExtensionOIDs = certificate3.getCriticalExtensionOIDs();
            if (criticalExtensionOIDs != null) {
                hashSet.addAll(criticalExtensionOIDs);
                Q.debug(transactionId, criticalExtensionOIDs.size() + " critical extensions found", null);
            } else {
                Q.debug(transactionId, "no critical extensions found", null);
            }
            Set nonCriticalExtensionOIDs = certificate3.getNonCriticalExtensionOIDs();
            if (nonCriticalExtensionOIDs != null) {
                hashSet.addAll(nonCriticalExtensionOIDs);
                Q.debug(transactionId, nonCriticalExtensionOIDs.size() + " non critical extensions found", null);
            } else {
                Q.debug(transactionId, "no non critical extensions found", null);
            }
            Q.debug(transactionId, "handling extensions", null);
            // SubjectAltName: dropped from the set without processing when name-constraints
            // processing is disabled. Otherwise processed, except for a self-issued certificate
            // that is not the final one.
            if (!this.J.getNameConstraintsProcessing()) {
                hashSet.remove(SubjectAltName.oid.getID());
            } else if ((!isSelfIssued || !listIterator.hasPrevious()) && !A(SubjectAltName.oid, certificate3, hashSet, transactionId)) {
                U u6 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u6.A(size2);
                u6.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u6.A((Collection<RevocationInfo>) arrayList);
                return u6;
            }
            // CertificatePolicies: dropped from the set without processing when policy processing is
            // disabled.
            if (!this.J.getPolicyProcessing()) {
                hashSet.remove(CertificatePolicies.oid.getID());
            } else if (!A(CertificatePolicies.oid, certificate3, hashSet, transactionId)) {
                U u7 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u7.A(size2);
                u7.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u7.A((Collection<RevocationInfo>) arrayList);
                return u7;
            }
            // ---- Wrap-up: reached for the final certificate (index 0); always returns. ----
            if (!listIterator.hasPrevious()) {
                Q.debug(transactionId, " -------------------- WRAP UP --------------------", null);
                if (this.J.getPolicyProcessing()) {
                    if (!isSelfIssued) {
                        // Decrement requireExplicitPolicy if it is still positive.
                        this.B = A(this.B);
                        Q.debug(transactionId, "requireExplicitPolicy (final value) = " + this.B, null);
                    }
                    if (!A(PolicyConstraints.oid, certificate3, hashSet, transactionId)) {
                        U u8 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                        u8.A(size2);
                        u8.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                        u8.A((Collection<RevocationInfo>) arrayList);
                        return u8;
                    }
                    // Intersect the valid policy tree with the user-initial-policy-set. Skipped when
                    // there is no tree or the initial set is empty.
                    Set<String> initialPolicySet = this.J.getInitialPolicySet();
                    if (this.L != null && !initialPolicySet.isEmpty()) {
                        Q.debug(transactionId, "Calculating intesection of the valid policy tree and the user initial policy set", null);
                        if (Q.isDebugEnabled()) {
                            Q.debug(transactionId, "User initial policy set(): " + initialPolicySet, null);
                        }
                        // An initial set consisting only of anyPolicy leaves the tree unpruned.
                        if (initialPolicySet.size() != 1 || !initialPolicySet.contains(PolicyNode.X509_ANY_POLICY)) {
                            List<PolicyNode> C = this.L.C();
                            // Policies seen among the nodes returned by C().
                            HashSet hashSet2 = new HashSet();
                            Iterator<PolicyNode> it = C.iterator();
                            while (true) {
                                if (!it.hasNext()) {
                                    break;
                                }
                                PolicyNode next = it.next();
                                String validPolicy = next.getValidPolicy();
                                hashSet2.add(validPolicy);
                                // A node whose policy is neither anyPolicy nor in the initial set is
                                // removed from its parent; a node without parent nulls the tree.
                                if (!validPolicy.equals(PolicyNode.X509_ANY_POLICY) && !initialPolicySet.contains(validPolicy)) {
                                    G g = (G) next.getParent();
                                    if (g == null) {
                                        this.L = null;
                                        break;
                                    }
                                    g.A((G) next);
                                }
                            }
                            if (this.L != null) {
                                // For each anyPolicy node returned by B(size), add a node for every
                                // initial policy not seen above, then remove the anyPolicy node.
                                Iterator<G> it2 = this.L.B(size).iterator();
                                while (true) {
                                    if (!it2.hasNext()) {
                                        break;
                                    }
                                    G next2 = it2.next();
                                    if (next2.getValidPolicy().equals(PolicyNode.X509_ANY_POLICY)) {
                                        G g2 = (G) next2.getParent();
                                        boolean isCritical = next2.isCritical();
                                        HashSet hashSet3 = new HashSet(next2.getPolicyQualifiers());
                                        for (String str : initialPolicySet) {
                                            if (!hashSet2.contains(str)) {
                                                g2.A(str, hashSet3, isCritical);
                                            }
                                        }
                                        g2.A(next2);
                                    }
                                }
                            }
                        }
                        // NOTE(review): if the loop above set this.L to null (node without parent),
                        // this dereference throws NullPointerException instead of reaching the
                        // explicit-policy check below. The chain is not reported VALID in that case,
                        // but the caller sees an unchecked exception rather than an INVALID result.
                        this.L = this.L.A(size - 1);
                        if (Q.isDebugEnabled()) {
                            Q.debug(transactionId, "Policy tree intersected with initial user policy set:" + Constants.LINE_SEPARATOR + this.L, null);
                        }
                    }
                    // An explicit policy is required (counter at 0) but no policy tree remains.
                    if (this.B == 0 && this.L == null) {
                        Q.info(transactionId, "No explicit policy", null);
                        U u9 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                        u9.A(size2);
                        u9.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                        u9.A((Collection<RevocationInfo>) arrayList);
                        return u9;
                    }
                    if (this.L != null) {
                        this.L.A();
                    }
                } else {
                    // Policy processing disabled: policy-related extensions are dropped from the set
                    // and therefore never reach the generic handler below.
                    hashSet.remove(PolicyConstraints.oid.getID());
                    hashSet.remove(PolicyMappings.oid.getID());
                    hashSet.remove(InhibitAnyPolicy.oid.getID());
                }
                // Every extension still in the set goes through the generic handler; one rejection
                // invalidates the chain.
                for (String str2 : hashSet) {
                    Q.debug(transactionId, "Processing " + ObjectID.getObjectID(str2).getName() + " extension", null);
                    if (!ExtensionHandler.handleExtension(str2, this, certificate3, transactionId)) {
                        U u10 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                        u10.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                        u10.A(size2);
                        u10.A((Collection<RevocationInfo>) arrayList);
                        return u10;
                    }
                }
                // The only VALID exit for multi-certificate chains: carries the final working key,
                // the policy tree and the collected revocation information.
                U u11 = new U(ValidationResult.VALID, A4, this.L, chainingMode2, A(list, transactionId));
                u11.A((Collection<RevocationInfo>) arrayList);
                return u11;
            }
            // ---- Preparation for the next certificate: reached for every non-final certificate. ----
            if (!this.J.getPolicyProcessing()) {
                hashSet.remove(PolicyMappings.oid.getID());
                hashSet.remove(PolicyConstraints.oid.getID());
                hashSet.remove(InhibitAnyPolicy.oid.getID());
            } else {
                if (!A(PolicyMappings.oid, certificate3, hashSet, transactionId)) {
                    U u12 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u12.A(size2);
                    u12.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u12.A((Collection<RevocationInfo>) arrayList);
                    return u12;
                }
                // The three policy counters are decremented (if positive) only for certificates
                // that are not self-issued.
                if (!isSelfIssued) {
                    this.B = A(this.B);
                    this.M = A(this.M);
                    this.G = A(this.G);
                    if (Q.isDebugEnabled()) {
                        Q.debug(transactionId, "Updating policy varaibles:" + Constants.LINE_SEPARATOR + "requireExplicitPolicy  = " + this.B + Constants.LINE_SEPARATOR + "inhibitPolicyMapping   = " + this.M + Constants.LINE_SEPARATOR + "inhibitAnyPolicy       = " + this.G, null);
                    }
                }
                if (!A(PolicyConstraints.oid, certificate3, hashSet, transactionId)) {
                    U u13 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u13.A(size2);
                    u13.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u13.A((Collection<RevocationInfo>) arrayList);
                    return u13;
                }
                if (!A(InhibitAnyPolicy.oid, certificate3, hashSet, transactionId)) {
                    U u14 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u14.A(size2);
                    u14.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u14.A((Collection<RevocationInfo>) arrayList);
                    return u14;
                }
            }
            // NameConstraints: dropped from the set without processing when name-constraints
            // processing is disabled.
            if (!this.J.getNameConstraintsProcessing()) {
                hashSet.remove(NameConstraints.oid.getID());
            } else if (!A(NameConstraints.oid, certificate3, hashSet, transactionId)) {
                U u15 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u15.A(size2);
                u15.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u15.A((Collection<RevocationInfo>) arrayList);
                return u15;
            }
            Q.debug(transactionId, "maxPathLength = " + this.O, null);
            // Path length: the test uses the value before the decrement, so a non-self-issued
            // intermediate certificate is rejected when maxPathLength was already 0 or less.
            if (!isSelfIssued) {
                int i = this.O;
                this.O = i - 1;
                if (i <= 0) {
                    Q.debug(transactionId, "Path length constraint violation: ", null);
                    U u16 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u16.A(size2);
                    u16.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u16.A((Collection<RevocationInfo>) arrayList);
                    return u16;
                }
                Q.debug(transactionId, "maxPathLength decremented (new value is " + this.O + DefaultExpressionEngine.DEFAULT_INDEX_END, null);
            }
            // BasicConstraints and KeyUsage are processed for every non-final certificate.
            if (!A(BasicConstraints.oid, certificate3, hashSet, transactionId)) {
                U u17 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u17.A(size2);
                u17.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u17.A((Collection<RevocationInfo>) arrayList);
                return u17;
            }
            if (!A(KeyUsage.oid, certificate3, hashSet, transactionId)) {
                U u18 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                u18.A(size2);
                u18.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                u18.A((Collection<RevocationInfo>) arrayList);
                return u18;
            }
            // Every extension still in the set goes through the generic handler; one rejection
            // invalidates the chain.
            for (String str3 : hashSet) {
                Q.debug(transactionId, "Processing " + ObjectID.getObjectID(str3).getName() + " extension", null);
                if (!ExtensionHandler.handleExtension(str3, this, certificate3, transactionId)) {
                    U u19 = new U(ValidationResult.INVALID, null, null, chainingMode2, A(list, transactionId));
                    u19.A(size2);
                    u19.A(ValidationResultInvalid.EXTENSION_PROCESSING_FAILED);
                    u19.A((Collection<RevocationInfo>) arrayList);
                    return u19;
                }
            }
        }
        // Defensive: the loop returns from its last iteration, so this is only reached if the loop
        // body never ran.
        throw new ValidationException("Validation error, maybe got chain with 0 elements", null, getClass().getName() + ":6");
    }

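    /**
     * Decides whether {@code certIssuer} is accepted as the issuer of {@code certInfo}.
     *
     * <p>Three checks run in order: name chaining, AuthorityKeyIdentifier matching, and signature
     * verification. The result is cached in the issuer's status, so a later call can return early.
     *
     * <p>Status values as this method uses them:
     * <ul>
     *   <li>{@code -1}: already rejected, returns {@code false} without re-checking;</li>
     *   <li>{@code 3}: already verified, returns {@code true} without re-checking (the
     *       {@code publicKey} argument is not consulted again);</li>
     *   <li>{@code 0}: the name-chaining check runs and stores {@code 1} on success;</li>
     *   <li>{@code 2}: the key-identifier check is skipped. NOTE(review): where status {@code 2}
     *       is assigned is not visible in this method; confirm with the callers.</li>
     * </ul>
     *
     * @param certInfo      holder of the subject certificate being chained
     * @param z             when {@code true}, a subject certificate without an
     *                      AuthorityKeyIdentifier extension is tolerated; when {@code false} it is
     *                      rejected
     * @param certIssuer    candidate issuer; its status is updated by this method
     * @param publicKey     if non-null, used to verify the signature instead of the public key
     *                      taken from the issuer certificate
     * @param transactionId passed to the log calls and the certificate lookups
     * @return {@code true} only if the signature verified (now or in a cached earlier call)
     * @throws ValidationException if comparing the certificate names fails with a
     *                             {@code UtilsException}
     */
    protected boolean A(CertInfo certInfo, boolean z, CertIssuer certIssuer, PublicKey publicKey, TransactionId transactionId) throws ValidationException {
        int status = certIssuer.getStatus();
        if (status == -1) {
            return false;
        }
        if (status == 3) {
            return true;
        }
        try {
            X509Certificate certificate = certInfo.getCertificate(transactionId);
            X509Certificate certificate2 = certIssuer.getCertificate(transactionId);
            if (status == 0) {
                try {
                    if (!CertUtil.checkPKIXChainNaming(certificate2, certificate)) {
                        certIssuer.setStatus(-1);
                        Q.debug(transactionId, "Chaining invalid, issuerDN of subject cert does not match subjectDN of issuer cert.", null);
                        return false;
                    }
                    certIssuer.setStatus(1);
                } catch (UtilsException e) {
                    throw new ValidationException("Error comparing certificate names.", e, getClass().getName() + DBTypeParser.SEPARATOR);
                }
            }
            // The local 'status' is not refreshed after setStatus(1), so a status-0 issuer also runs this check.
            if (status != 2) {
                Q.debug(transactionId, "Checking key id.", null);
                try {
                    AuthorityKeyIdentifier authorityKeyIdentifier = (AuthorityKeyIdentifier) certificate.getExtension(AuthorityKeyIdentifier.oid);
                    if (authorityKeyIdentifier != null) {
                        byte[] keyIdentifier = authorityKeyIdentifier.getKeyIdentifier();
                        if (keyIdentifier == null) {
                            // The extension comes from the certificate under validation. If the accessor
                            // returns null for an absent authorityCertIssuer, reject cleanly instead of
                            // letting the dereference below escape as an unchecked NullPointerException.
                            if (authorityKeyIdentifier.getAuthorityCertIssuer() == null) {
                                Q.debug(transactionId, "Neither a KeyIdentifier nor a AuthorityCertIssuer included in AuthorityKeyIdentifier extension.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                            // Name type 4 is treated as the directory name (see the log messages below).
                            GeneralName[] names = authorityKeyIdentifier.getAuthorityCertIssuer().getNames(4);
                            if (names == null) {
                                Q.debug(transactionId, "Neither a KeyIdentifier nor a AuthorityCertIssuer included in AuthorityKeyIdentifier extension.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                            if (names.length != 1) {
                                Q.debug(transactionId, "More than one Directory Name included in AuthorityCertIssuer of AuthorityKeyIdentifier extension.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                            try {
                                // authorityCertIssuer + authorityCertSerialNumber are matched against the
                                // issuer certificate's own IssuerDN and serial number.
                                if (!NameUtils.getNormalizedName((Name) names[0].getName()).equals(NameUtils.getNormalizedName((Name) certificate2.getIssuerDN()))) {
                                    Q.debug(transactionId, "AuthorityCertIssuer in AuthorityKeyIdentifier of certificate does not match IssuerDN of issuer certificate.", null);
                                    certIssuer.setStatus(-1);
                                    return false;
                                }
                                BigInteger authorityCertSerialNumber = authorityKeyIdentifier.getAuthorityCertSerialNumber();
                                if (authorityCertSerialNumber == null) {
                                    Q.debug(transactionId, "AuthorityCertIssuer but no AuthorityCertSerialNumber included in AuthorityKeyIdentifier extension.", null);
                                    certIssuer.setStatus(-1);
                                    return false;
                                }
                                if (!authorityCertSerialNumber.equals(certificate2.getSerialNumber())) {
                                    Q.debug(transactionId, "AuthorityCertSerialNumber in AuthorityKeyIdentifier of certificate does not match serial number of issuer certificate.", null);
                                    certIssuer.setStatus(-1);
                                    return false;
                                }
                                // The log text says SubjectDN, but the comparison above used the issuer
                                // certificate's IssuerDN; the message is kept unchanged.
                                Q.debug(transactionId, "AuthorityCertIssuer and AuthorityCertSerialNumber in AuthorityKeyIdentifier of certificate match SubjectDN and serial number of issuer certificate.", null);
                            } catch (UtilsException e2) {
                                Q.debug(transactionId, "Could not compare AuthorityCertIssuer in AuthorityKeyIdentifier extension of certificate with SubjectDN of issuer certificate.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            } catch (ClassCastException e3) {
                                // Raised by the (Name) casts above when the general name is of another kind.
                                Q.debug(transactionId, "AuthorityCertIssuer in AuthorityKeyIdentifier extension is not a Directory Name.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                        } else {
                            // keyIdentifier present: it must equal the issuer's SubjectKeyIdentifier.
                            SubjectKeyIdentifier subjectKeyIdentifier = (SubjectKeyIdentifier) certificate2.getExtension(SubjectKeyIdentifier.oid);
                            if (subjectKeyIdentifier == null) {
                                Q.debug(transactionId, "Could not compare key identifiers. No SubjectKeyidentifier included in issuer certificate.", null);
                                certIssuer.setStatus(-1);
                                return false;
                            }
                            if (!Arrays.equals(keyIdentifier, subjectKeyIdentifier.get())) {
                                certIssuer.setStatus(-1);
                                Q.debug(transactionId, "Cert chaining invalid, key identifiers don't match.", null);
                                return false;
                            }
                        }
                    } else if (!z) {
                        certIssuer.setStatus(-1);
                        Q.debug(transactionId, "Cert chaining invalid, no AuthorityKeyidentifier included.", null);
                        return false;
                    }
                } catch (X509ExtensionInitException e4) {
                    // An extension that cannot be parsed only skips the key-identifier check; the
                    // signature verification below still decides the outcome.
                    // NOTE(review): confirm that skipping (rather than rejecting) is intended.
                    Q.info(transactionId, "CertIssuer: exception parsing extensions", e4);
                }
            }
            try {
                PublicKey publicKey2 = certificate2.getPublicKey();
                if (publicKey != null) {
                    publicKey2 = publicKey;
                }
                certificate.verify(publicKey2);
                // NOTE(review): the log message treats compareBlock(...) == -1 as "signatures are
                // identical"; confirm the helper's return convention. Unlike the other failure paths,
                // this one returns false without setting the issuer status to -1.
                if (CryptoUtils.compareBlock(certificate.getSignature(), certificate2.getSignature()) == -1 && !certificate2.equals(certificate)) {
                    Q.info(transactionId, "Found two different certificates in the path with the same signature.", null);
                    return false;
                }
                Q.debug(transactionId, "Signature successfully verified.", null);
                certIssuer.setStatus(3);
                certInfo.addIssuer(certIssuer, transactionId);
                return true;
            } catch (Exception e5) {
                // Fails closed on any exception in this block, including one thrown by addIssuer,
                // which is then also logged as a signature failure.
                Q.debug(transactionId, "Signature verification failed.", e5);
                certIssuer.setStatus(-1);
                return false;
            }
        } catch (CertInfoStoreException e6) {
            // Reached when one of the two certificates cannot be loaded; the issuer status is left as it was.
            Q.error(transactionId, "Can't get certificate", e6);
            return false;
        }
    }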

    /**
     * Checks the certificate's validity period against the given point in time.
     *
     * @param x509Certificate certificate whose validity period is checked
     * @param date            point in time to check against
     * @param transactionId   passed to the log calls
     * @return {@code 0} if the certificate is valid at {@code date}, {@code -1} if it has expired,
     *         {@code 1} if it is not yet valid
     * @throws ValidationException declared by the signature; this body does not throw it
     */
    protected int A(X509Certificate x509Certificate, Date date, TransactionId transactionId) throws ValidationException {
        Q.debug(transactionId, "Checking certificate validity at " + date, null);
        int outcome;
        try {
            x509Certificate.checkValidity(date);
            outcome = 0;
        } catch (CertificateExpiredException expired) {
            Q.debug(transactionId, "Certificate expired", null);
            outcome = -1;
        } catch (CertificateNotYetValidException notYetValid) {
            Q.debug(transactionId, "Certificate not yet valid ", null);
            outcome = 1;
        }
        return outcome;
    }

    /**
     * Returns the start of the certificate's validity period (its notBefore date), after logging
     * the certificate's subject DN at debug level.
     *
     * @param x509Certificate certificate to read the date from
     * @param transactionId   passed to the log call
     * @return the value of {@code getNotBefore()}
     */
    protected Date A(X509Certificate x509Certificate, TransactionId transactionId) {
        final String message = "Getting issuing date for cert " + x509Certificate.getSubjectDN();
        Q.debug(transactionId, message, null);
        return x509Certificate.getNotBefore();
    }

    /**
     * Hands one extension to {@code ExtensionHandler} and removes its OID string from {@code set}.
     *
     * <p>The OID is removed whatever {@code handleExtension} returns; it stays in the set only if
     * the handler throws. NOTE(review): the set presumably tracks extensions still to be processed;
     * confirm with the caller whether an entry should be dropped when the handler reports
     * {@code false}.
     *
     * @param objectID        OID of the extension to handle
     * @param x509Certificate certificate carrying the extension
     * @param set             OID strings; the handled OID is removed from it
     * @param transactionId   passed to the handler
     * @return the handler's result
     * @throws ValidationException declared by the signature; presumably propagated from the handler
     */
    protected boolean A(ObjectID objectID, X509Certificate x509Certificate, Set<String> set, TransactionId transactionId) throws ValidationException {
        final String oid = objectID.getID();
        final boolean handled = ExtensionHandler.handleExtension(oid, this, x509Certificate, transactionId);
        set.remove(oid);
        return handled;
    }

    /**
     * Tells whether the current certificate index ({@code P}) points at the last element of
     * {@code E}.
     *
     * @return {@code true} if {@code P} equals {@code E.size() - 1}
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public boolean isLastCertificate() {
        final int currentIndex = this.P;
        final int lastIndex = this.E.size() - 1;
        return currentIndex == lastIndex;
    }

    /**
     * Returns the maximum path length currently held in field {@code O}.
     *
     * @return the stored maximum path length
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getMaxPathLength() {
        final int maxPathLength = this.O;
        return maxPathLength;
    }

    /**
     * Stores a new maximum path length in field {@code O}; the value is not range-checked here.
     *
     * @param i the new maximum path length
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setMaxPathLength(int i) {
        final int maxPathLength = i;
        this.O = maxPathLength;
    }

    /**
     * Returns the policy tree held in field {@code L}.
     *
     * @return the stored policy tree root, or {@code null} after {@link #clearPolicyTree()}
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public PolicyNode getPolicyTree() {
        final PolicyNode policyTree = this.L;
        return policyTree;
    }

    /**
     * Discards the policy tree by setting field {@code L} to {@code null}.
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void clearPolicyTree() {
        final PolicyNode cleared = null;
        this.L = cleared;
    }

    /**
     * Returns the require-explicit-policy counter held in field {@code B}.
     *
     * @return the stored value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getRequireExplicitPolicy() {
        final int requireExplicitPolicy = this.B;
        return requireExplicitPolicy;
    }

    /**
     * Stores a new require-explicit-policy value in field {@code B}; no range check is applied.
     *
     * @param i the new value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setRequireExplicitPolicy(int i) {
        final int requireExplicitPolicy = i;
        this.B = requireExplicitPolicy;
    }

    /**
     * Returns the index of the certificate currently being processed (field {@code P}).
     *
     * @return the stored certificate index
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getCertificateIndex() {
        final int certificateIndex = this.P;
        return certificateIndex;
    }

    /**
     * Returns the inhibit-policy-mapping counter held in field {@code M}.
     *
     * @return the stored value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getInhibitPolicyMapping() {
        final int inhibitPolicyMapping = this.M;
        return inhibitPolicyMapping;
    }

    /**
     * Stores a new inhibit-policy-mapping value in field {@code M}; no range check is applied.
     *
     * @param i the new value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setInhibitPolicyMapping(int i) {
        final int inhibitPolicyMapping = i;
        this.M = inhibitPolicyMapping;
    }

    /**
     * Returns the inhibit-any-policy counter held in field {@code G}.
     *
     * @return the stored value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getInhibitAnyPolicy() {
        final int inhibitAnyPolicy = this.G;
        return inhibitAnyPolicy;
    }

    /**
     * Stores a new inhibit-any-policy value in field {@code G}; no range check is applied.
     *
     * @param i the new value
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setInhibitAnyPolicy(int i) {
        final int inhibitAnyPolicy = i;
        this.G = inhibitAnyPolicy;
    }

    /**
     * Returns the permitted-subtrees object held in field {@code C}.
     *
     * <p>The stored reference itself is returned, not a copy.
     *
     * @return the stored permitted subtrees
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public E getPermittedSubtrees() {
        final E permittedSubtrees = this.C;
        return permittedSubtrees;
    }

    /**
     * Replaces the permitted-subtrees object held in field {@code C}.
     *
     * <p>The method name carries {@code @Override}, so its spelling is fixed by the
     * {@code ValidationStatus} interface.
     *
     * @param e the new permitted subtrees; stored by reference
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setPermtittedSubtrees(E e) {
        final E permittedSubtrees = e;
        this.C = permittedSubtrees;
    }

    /**
     * Returns the excluded-subtrees object held in field {@code K}.
     *
     * <p>The stored reference itself is returned, not a copy.
     *
     * @return the stored excluded subtrees
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public K getExcludedSubtrees() {
        final K excludedSubtrees = this.K;
        return excludedSubtrees;
    }

    /**
     * Replaces the excluded-subtrees object held in field {@code K}.
     *
     * @param k the new excluded subtrees; stored by reference
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public void setExcludedSubtrees(K k) {
        final K excludedSubtrees = k;
        this.K = excludedSubtrees;
    }

    /**
     * Returns the CA flag held in field {@code F}.
     *
     * @return the stored flag
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public boolean isCaBooleanSet() {
        final boolean caBooleanSet = this.F;
        return caBooleanSet;
    }

    /**
     * Returns the path length constraint held in field {@code A}.
     *
     * @return the stored path length constraint
     */
    @Override // iaik.pki.pathvalidation.ValidationStatus
    public int getPathLenConstraint() {
        final int pathLenConstraint = this.A;
        return pathLenConstraint;
    }

    // Class initialisation: D is true only when the system property named by N is exactly the
    // string "true" (case-sensitive; an unset property counts as "false"). Q is the module logger.
    // NOTE(review): what D switches is not visible in this part of the file.
    static {
        final String configured = System.getProperty(N, "false");
        D = "true".equals(configured);
        Q = LogFactory.getLog(Constants.MODULE_NAME);
    }
}
