package iaik.pki.pathvalidation;

import iaik.logging.TransactionId;
import iaik.x509.V3Extension;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.KeyUsage;

/* loaded from: input_file:BKULocal.war:WEB-INF/lib/iaik_pki-2.00-MOA-MOCCA.jar:iaik/pki/pathvalidation/LegacyBasicConstraintsHandler.class */
/**
 * Permissive ("legacy") check of whether a non-final certificate in a chain may act as a CA.
 *
 * <p>Security note for reviewers: this handler fails open in several places. A certificate
 * that is not the last one in the chain is accepted as a CA certificate when any of the
 * following holds:
 * <ul>
 *   <li>its version is lower than 3 (no further checks are made);</li>
 *   <li>no BasicConstraints extension was supplied and it has no KeyUsage extension;</li>
 *   <li>no BasicConstraints extension was supplied and its KeyUsage extension is not critical
 *       (the key usage bits are not inspected in that case);</li>
 *   <li>no BasicConstraints extension was supplied and its KeyUsage extension cannot be
 *       parsed.</li>
 * </ul>
 * RFC 5280 path validation instead requires a version 3 issuer certificate to carry
 * BasicConstraints with the cA flag set. With this handler, a certificate that lacks
 * BasicConstraints can therefore be treated as an issuer. Restrict its use to trust
 * configurations that genuinely need legacy certificates, and monitor the log messages
 * emitted here to see which acceptance rule fired.
 */
public class LegacyBasicConstraintsHandler extends ExtensionHandler {

    /**
     * Decides whether {@code x509Certificate} is acceptable as a CA certificate.
     *
     * @param validationStatus state of the running path validation
     * @param x509Certificate the certificate being examined
     * @param v3Extension the extension to process; {@code null} is treated as "no
     *     BasicConstraints extension present" (presumably the framework passes the
     *     BasicConstraints extension here; confirm against the caller)
     * @param transactionId identifier passed through to the logger
     * @return {@code true} if the certificate is the last one in the chain or is accepted as a
     *     CA certificate, {@code false} otherwise
     * @throws ValidationException declared by the handler interface
     */
    @Override
    public boolean handleExtension(ValidationStatus validationStatus, X509Certificate x509Certificate, V3Extension v3Extension, TransactionId transactionId) throws ValidationException {
        log_.debug(transactionId, "Using LegacyBasicConstraintsHandler.", null);

        // The last certificate of the chain does not need to be a CA.
        if (validationStatus.isLastCertificate()) {
            return true;
        }

        // Pre-V3 certificates cannot carry extensions; they are accepted unconditionally here.
        final int certVersion = x509Certificate.getVersion();
        if (certVersion < 3) {
            log_.info(transactionId, "Certificate is a V" + certVersion + " certificate. Accepting as CA certificate without performing further checks.", null);
            return true;
        }

        final boolean acceptedAsCa = (v3Extension == null)
                ? isAcceptedAsCaByKeyUsage(x509Certificate, transactionId)
                : checkBasicConstraints(validationStatus, x509Certificate, v3Extension, transactionId);

        if (!acceptedAsCa) {
            log_.info(transactionId, "Not a ca certificate " + x509Certificate, null);
        }
        return acceptedAsCa;
    }

    /**
     * Fallback used when no BasicConstraints extension was supplied: decides from KeyUsage alone.
     *
     * <p>Only a critical KeyUsage extension without the tested bit leads to rejection; a
     * missing, non-critical or unparseable KeyUsage extension leads to acceptance.
     */
    private boolean isAcceptedAsCaByKeyUsage(X509Certificate x509Certificate, TransactionId transactionId) {
        log_.debug(transactionId, "No BasicConstraints extension extension included ", null);
        try {
            final KeyUsage keyUsage = (KeyUsage) x509Certificate.getExtension(KeyUsage.oid);
            if (keyUsage == null) {
                log_.debug(transactionId, "Certificate is accepted as CA certificate because no KeyUsage extension included", null);
                return true;
            }
            if (!keyUsage.isCritical()) {
                // A non-critical KeyUsage is not evaluated at all.
                log_.info(transactionId, "Certificate is accepted as CA certificate because KeyUsage extension is not critical", null);
                return true;
            }
            // 32 is the bit the log message below names KeyCertSign.
            final boolean keyCertSignSet = (keyUsage.get() & 32) != 0;
            if (keyCertSignSet) {
                log_.info(transactionId, "Certificate is accepted as CA certificate because critical KeyUsage extension present and KeyCertSign bit set ", null);
            }
            return keyCertSignSet;
        } catch (X509ExtensionInitException parseFailure) {
            // Fail-open: an unparseable KeyUsage extension does not block acceptance.
            log_.debug(transactionId, "Certificate is accepted as CA certificate because KeyUsage cannot be parsed", null);
            return true;
        }
    }

    /**
     * Evaluates the BasicConstraints data recorded in {@code validationStatus}.
     *
     * <p>The CA flag and the path length constraint are read from {@code validationStatus};
     * {@code x509Certificate} and {@code v3Extension} are not inspected by this method. When the
     * CA flag is set and the path length constraint is non-negative and smaller than the
     * current maximum path length, the maximum path length is lowered to that constraint.
     *
     * @param validationStatus state of the running path validation; may be updated
     * @param x509Certificate the certificate being examined (unused here)
     * @param v3Extension the extension being processed (unused here)
     * @param transactionId identifier passed through to the logger
     * @return {@code true} for the last certificate of the chain, otherwise the value of the CA
     *     flag reported by {@code validationStatus}
     * @throws ValidationException declared for overriding implementations
     */
    protected boolean checkBasicConstraints(ValidationStatus validationStatus, X509Certificate x509Certificate, V3Extension v3Extension, TransactionId transactionId) throws ValidationException {
        if (validationStatus.isLastCertificate()) {
            return true;
        }

        final boolean caFlag = validationStatus.isCaBooleanSet();
        log_.debug(transactionId, "Processing BasicConstraints extension ...", null);
        if (!caFlag) {
            return false;
        }

        final int pathLen = validationStatus.getPathLenConstraint();
        log_.debug(transactionId, "Ca boolean is set.", null);
        log_.debug(transactionId, "PathLengthConstraint = " + pathLen + ".", null);

        // A negative value is not applied as a limit; only ever tighten the limit, never widen it.
        if (pathLen >= 0) {
            final int currentMax = validationStatus.getMaxPathLength();
            if (pathLen < currentMax) {
                log_.debug(transactionId, "Changing maxPathLength variable from " + currentMax + " to " + pathLen + ".", null);
                validationStatus.setMaxPathLength(pathLen);
            }
        }
        return true;
    }
}
