package sun.security.provider.certpath;

import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CRLReason;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.Extension;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.provider.certpath.OCSP;
import sun.security.provider.certpath.OCSPResponse;
import sun.security.provider.certpath.PKIX;
import sun.security.util.Debug;
import sun.security.validator.Validator;
import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.CRLDistributionPointsExtension;
import sun.security.x509.DistributionPoint;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNames;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.X500Name;
import sun.security.x509.X509CRLEntryImpl;
import sun.security.x509.X509CertImpl;

/* JADX WARN: Classes with same name are omitted:
  input_file:uab-bootstrap-1.2.13/bin/java/unix/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker.class
 */
/* loaded from: input_file:uab-bootstrap-1.2.13/bin/java/win/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker.class */
class RevocationChecker extends PKIXRevocationChecker {
    // Trust anchor for the path; assigned in init(TrustAnchor, PKIX.ValidatorParams), read by init(boolean) and updateState.
    private TrustAnchor anchor;
    // Validation parameters (date, trust anchors, cert stores, cert path, ...) captured in init(TrustAnchor, PKIX.ValidatorParams).
    private PKIX.ValidatorParams params;
    // When true, check() skips any certificate whose getBasicConstraints() is not -1 (i.e. CA certificates).
    private boolean onlyEE;
    // When true, failures with reason UNDETERMINED_REVOCATION_STATUS are recorded in softFailExceptions
    // instead of failing validation (see isSoftFailException). This is a fail-open setting.
    private boolean softFail;
    // Whether checkCRLs also fetches CRLs through DistributionPointFetcher.
    private boolean crlDP;
    // Responder location override; when null, checkOCSP falls back to OCSP.getResponderURI(cert).
    private URI responderURI;
    // Explicitly configured OCSP responder certificate handed to response verification; may be null.
    private X509Certificate responderCert;
    // Copy of params.certStores() plus a "Collection" store over params.certificates() (added in init).
    private List<CertStore> certStores;
    // Pre-supplied OCSP responses keyed by certificate; when present, checkOCSP verifies these instead of calling OCSP.check.
    private Map<X509Certificate, byte[]> ocspResponses;
    // OCSP extensions; checkOCSP scans them for OID 1.3.6.1.5.5.7.48.1.2 (the OCSP nonce extension).
    private List<Extension> ocspExtensions;
    // Issuer name/key used to build the OCSP CertId; initialised from the anchor and replaced by updateState after each certificate.
    private OCSPResponse.IssuerInfo issuerInfo;
    // Public key carried over from the previously processed certificate (initially the anchor's); passed to the CRL checks.
    private PublicKey prevPubKey;
    // Result of certCanSignCrl for the previously processed certificate; starts as true in init(boolean).
    private boolean crlSignFlag;
    // Index of the current certificate within params.certPath(); -1 when no path is available.
    private int certIndex;
    // Skew passed to CertPathHelper.setDateAndTime when selecting CRLs.
    // NOTE(review): 900000 is 15 minutes if the unit is milliseconds; confirm against CertPathHelper.
    private static final long MAX_CLOCK_SKEW = 900000;
    // Characters kept by stripOutSeparators when normalising the configured responder serial number.
    private static final String HEX_DIGITS = "0123456789ABCDEFabcdef";
    // Null unless "certpath" debugging is enabled; every use is guarded by a null check.
    private static final Debug debug = Debug.getInstance("certpath");
    // Reasons mask (length 9) that the collected CRLs must equal before checkCRLs accepts them as covering every reason.
    private static final boolean[] ALL_REASONS = {true, true, true, true, true, true, true, true, true};
    // Key-usage mask with only index 6 set, the same index certCanSignCrl reads; not referenced in the visible part of the class.
    private static final boolean[] CRL_SIGN_USAGE = {false, false, false, false, false, false, true};
    // Most-recent-first list of failures tolerated under softFail; cleared by init(boolean).
    private LinkedList<CertPathValidatorException> softFailExceptions = new LinkedList<>();
    // Default mode when neither PREFER_CRLS nor NO_FALLBACK is requested.
    private Mode mode = Mode.PREFER_OCSP;
    // NOTE(review): as decompiled this is a constant false, which makes the legacy branches in
    // init(TrustAnchor, PKIX.ValidatorParams) unreachable; confirm against the original class whether a
    // constructor is meant to set it.
    private final boolean legacy = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:uab-bootstrap-1.2.13/bin/java/unix/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker$Mode.class
     */
    /* loaded from: input_file:uab-bootstrap-1.2.13/bin/java/win/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker$Mode.class */
    /**
     * Revocation mechanism selection used by check(). The PREFER_* modes fail over to the other
     * mechanism when the first one cannot give an answer; the ONLY_* modes never fail over.
     */
    public enum Mode {
        // OCSP first, CRLs on failure. This is the field default.
        PREFER_OCSP,
        // CRLs first, OCSP on failure. Selected by Option.PREFER_CRLS without NO_FALLBACK.
        PREFER_CRLS,
        // CRLs only. Selected by PREFER_CRLS together with NO_FALLBACK.
        ONLY_CRLS,
        // OCSP only. Selected by NO_FALLBACK without PREFER_CRLS.
        ONLY_OCSP
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:uab-bootstrap-1.2.13/bin/java/unix/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker$RejectKeySelector.class
     */
    /* loaded from: input_file:uab-bootstrap-1.2.13/bin/java/win/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker$RejectKeySelector.class */
    /**
     * Certificate selector that applies the normal {@link X509CertSelector} criteria and then
     * refuses any certificate whose public key is in a caller-supplied reject set.
     */
    public static class RejectKeySelector extends X509CertSelector {
        /** Keys that must never be selected; the set is held by reference, not copied. */
        private final Set<PublicKey> badKeySet;

        /**
         * @param set public keys to reject
         */
        RejectKeySelector(Set<PublicKey> set) {
            this.badKeySet = set;
        }

        /**
         * Matches when the superclass criteria match and the certificate's key is not rejected.
         *
         * @param certificate candidate certificate
         * @return {@code true} only if the certificate passes both tests
         */
        @Override // java.security.cert.X509CertSelector, java.security.cert.CertSelector
        public boolean match(Certificate certificate) {
            if (!super.match(certificate)) {
                return false;
            }
            final boolean rejected = this.badKeySet.contains(certificate.getPublicKey());
            if (RevocationChecker.debug != null) {
                // Debug output only; the decision itself does not depend on debugging being on.
                RevocationChecker.debug.println(rejected
                        ? "RejectKeySelector.match: bad key"
                        : "RejectKeySelector.match: returning true");
            }
            return !rejected;
        }

        /**
         * @return the superclass description followed by the rejected key set
         */
        @Override // java.security.cert.X509CertSelector
        public String toString() {
            StringBuilder text = new StringBuilder("RejectKeySelector: [\n");
            text.append(super.toString());
            text.append(this.badKeySet);
            text.append("]");
            return text.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:uab-bootstrap-1.2.13/bin/java/unix/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker$RevocationProperties.class
     */
    /* loaded from: input_file:uab-bootstrap-1.2.13/bin/java/win/1.8.0_265/lib/rt.jar:sun/security/provider/certpath/RevocationChecker$RevocationProperties.class */
    /**
     * Snapshot of the revocation-related configuration read by getRevocationProperties().
     * All values come from process-wide properties, so they apply to every checker in the JVM.
     */
    public static class RevocationProperties {
        // Security property "com.sun.security.onlyCheckRevocationOfEECert" equals "true" (case-insensitive).
        boolean onlyEE;
        // Security property "ocsp.enable" equals "true" (case-insensitive).
        boolean ocspEnabled;
        // System property "com.sun.security.enableCRLDP", read with Boolean.getBoolean.
        boolean crlDPEnabled;
        // Security property "ocsp.responderURL"; null when unset.
        String ocspUrl;
        // Security property "ocsp.responderCertSubjectName"; null when unset.
        String ocspSubject;
        // Security property "ocsp.responderCertIssuerName"; must be paired with ocspSerial.
        String ocspIssuer;
        // Security property "ocsp.responderCertSerialNumber"; must be paired with ocspIssuer.
        String ocspSerial;

        // Instances are created only by the enclosing class.
        private RevocationProperties() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a checker with no anchor or parameters; those fields stay null until
     * init(TrustAnchor, PKIX.ValidatorParams) is called.
     */
    public RevocationChecker() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a checker and configures it immediately from the given anchor and parameters.
     *
     * @param trustAnchor anchor the certification path chains to
     * @param validatorParams validation parameters to read stores, anchors and certificates from
     * @throws CertPathValidatorException if init rejects the configuration
     */
    public RevocationChecker(TrustAnchor trustAnchor, PKIX.ValidatorParams validatorParams) throws CertPathValidatorException {
        init(trustAnchor, validatorParams);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Failed to find 'out' block for switch in B:11:0x006d. Please report as an issue. */
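    /**
     * Configures this checker from the security properties, the options set on the
     * {@link PKIXRevocationChecker} and the supplied validation parameters.
     *
     * <p>Values set explicitly on the checker (responder URI, responder certificate) take
     * precedence over the {@code ocsp.*} security properties.
     *
     * @param trustAnchor anchor the certification path chains to
     * @param validatorParams source of trust anchors, cert stores and certificates
     * @throws CertPathValidatorException if a property cannot be parsed, the configured
     *         responder certificate cannot be found, or an option is not recognised
     */
    public void init(TrustAnchor trustAnchor, PKIX.ValidatorParams validatorParams) throws CertPathValidatorException {
        RevocationProperties revocationProperties = getRevocationProperties();
        URI ocspResponder = getOcspResponder();
        this.responderURI = ocspResponder == null ? toURI(revocationProperties.ocspUrl) : ocspResponder;
        X509Certificate ocspResponderCert = getOcspResponderCert();
        this.responderCert = ocspResponderCert == null ? getResponderCert(revocationProperties, validatorParams.trustAnchors(), validatorParams.certStores()) : ocspResponderCert;
        Set<PKIXRevocationChecker.Option> options = getOptions();
        for (PKIXRevocationChecker.Option option : options) {
            switch (option) {
                case ONLY_END_ENTITY:
                case PREFER_CRLS:
                case SOFT_FAIL:
                case NO_FALLBACK:
                    // Known options are accepted here and interpreted below. Without this break they
                    // fell through to the default branch, so every option was rejected and the
                    // option handling that follows could never run.
                    break;
                default:
                    throw new CertPathValidatorException("Unrecognized revocation parameter option: " + option);
            }
        }
        // SOFT_FAIL makes an undetermined revocation status non-fatal (fail-open); callers that
        // enable it should inspect getSoftFailExceptions() after validation.
        this.softFail = options.contains(PKIXRevocationChecker.Option.SOFT_FAIL);
        if (this.legacy) {
            this.mode = revocationProperties.ocspEnabled ? Mode.PREFER_OCSP : Mode.ONLY_CRLS;
            this.onlyEE = revocationProperties.onlyEE;
        } else {
            if (options.contains(PKIXRevocationChecker.Option.NO_FALLBACK)) {
                if (options.contains(PKIXRevocationChecker.Option.PREFER_CRLS)) {
                    this.mode = Mode.ONLY_CRLS;
                } else {
                    this.mode = Mode.ONLY_OCSP;
                }
            } else if (options.contains(PKIXRevocationChecker.Option.PREFER_CRLS)) {
                this.mode = Mode.PREFER_CRLS;
            }
            this.onlyEE = options.contains(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        if (this.legacy) {
            this.crlDP = revocationProperties.crlDPEnabled;
        } else {
            this.crlDP = true;
        }
        this.ocspResponses = getOcspResponses();
        this.ocspExtensions = getOcspExtensions();
        this.anchor = trustAnchor;
        this.params = validatorParams;
        // Work on a private copy so that adding the Collection store does not alter the caller's list.
        this.certStores = new ArrayList<>(validatorParams.certStores());
        try {
            this.certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(validatorParams.certificates())));
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            // Best effort: the checker still works with the caller-supplied stores alone.
            if (debug != null) {
                debug.println("RevocationChecker: error creating Collection CertStore: " + e);
            }
        }
    }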

    /**
     * Parses the {@code ocsp.responderURL} property value.
     *
     * @param str property value, or {@code null} when the property is unset
     * @return the parsed URI, or {@code null} when {@code str} is {@code null}
     * @throws CertPathValidatorException if the value is not a syntactically valid URI
     */
    private static URI toURI(String str) throws CertPathValidatorException {
        URI parsed = null;
        if (str != null) {
            try {
                parsed = new URI(str);
            } catch (URISyntaxException syntaxError) {
                throw new CertPathValidatorException("cannot parse ocsp.responderURL property", syntaxError);
            }
        }
        return parsed;
    }

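    /**
     * Reads the revocation-related security and system properties inside a privileged block.
     *
     * <p>The decompiled listing named the action method {@code run2}, which does not implement
     * {@link PrivilegedAction#run()}; it is restored to {@code run} here.
     *
     * @return a fresh snapshot of the configuration; string values are {@code null} when unset
     */
    private static RevocationProperties getRevocationProperties() {
        return AccessController.doPrivileged(new PrivilegedAction<RevocationProperties>() {
            @Override // java.security.PrivilegedAction
            public RevocationProperties run() {
                RevocationProperties revocationProperties = new RevocationProperties();
                String onlyEE = Security.getProperty("com.sun.security.onlyCheckRevocationOfEECert");
                revocationProperties.onlyEE = onlyEE != null && onlyEE.equalsIgnoreCase("true");
                String ocspEnabled = Security.getProperty("ocsp.enable");
                revocationProperties.ocspEnabled = ocspEnabled != null && ocspEnabled.equalsIgnoreCase("true");
                revocationProperties.ocspUrl = Security.getProperty("ocsp.responderURL");
                revocationProperties.ocspSubject = Security.getProperty("ocsp.responderCertSubjectName");
                revocationProperties.ocspIssuer = Security.getProperty("ocsp.responderCertIssuerName");
                revocationProperties.ocspSerial = Security.getProperty("ocsp.responderCertSerialNumber");
                // Unlike the values above, this one is a system property rather than a security property.
                revocationProperties.crlDPEnabled = Boolean.getBoolean("com.sun.security.enableCRLDP");
                return revocationProperties;
            }
        });
    }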

    /**
     * Locates the OCSP responder certificate named by the security properties, if any.
     * A subject name takes precedence over an issuer/serial pair.
     *
     * @param revocationProperties property snapshot
     * @param set trust anchors to search first
     * @param list cert stores to search next
     * @return the responder certificate, or {@code null} when no responder is configured
     * @throws CertPathValidatorException if only one of issuer name and serial number is set,
     *         a value cannot be parsed, or no matching certificate is found
     */
    private static X509Certificate getResponderCert(RevocationProperties revocationProperties, Set<TrustAnchor> set, List<CertStore> list) throws CertPathValidatorException {
        final String subject = revocationProperties.ocspSubject;
        if (subject != null) {
            return getResponderCert(subject, set, list);
        }
        final String issuer = revocationProperties.ocspIssuer;
        final String serial = revocationProperties.ocspSerial;
        final boolean haveIssuer = issuer != null;
        final boolean haveSerial = serial != null;
        if (haveIssuer && haveSerial) {
            return getResponderCert(issuer, serial, set, list);
        }
        if (haveIssuer || haveSerial) {
            // An issuer without a serial (or the reverse) cannot identify a certificate.
            throw new CertPathValidatorException("Must specify both ocsp.responderCertIssuerName and ocsp.responderCertSerialNumber properties");
        }
        return null;
    }

    /**
     * Locates the responder certificate by subject distinguished name.
     *
     * @param str value of {@code ocsp.responderCertSubjectName}
     * @param set trust anchors to search first
     * @param list cert stores to search next
     * @return the matching certificate
     * @throws CertPathValidatorException if the name cannot be parsed or nothing matches
     */
    private static X509Certificate getResponderCert(String str, Set<TrustAnchor> set, List<CertStore> list) throws CertPathValidatorException {
        final X509CertSelector bySubject = new X509CertSelector();
        try {
            final X500Principal subject = new X500Principal(str);
            bySubject.setSubject(subject);
            return getResponderCert(bySubject, set, list);
        } catch (IllegalArgumentException badName) {
            throw new CertPathValidatorException("cannot parse ocsp.responderCertSubjectName property", badName);
        }
    }

    /**
     * Locates the responder certificate by issuer distinguished name and hexadecimal serial number.
     * Non-hex characters in the serial (separators such as spaces or colons) are discarded first.
     *
     * @param str value of {@code ocsp.responderCertIssuerName}
     * @param str2 value of {@code ocsp.responderCertSerialNumber}
     * @param set trust anchors to search first
     * @param list cert stores to search next
     * @return the matching certificate
     * @throws CertPathValidatorException if either value cannot be parsed or nothing matches
     */
    private static X509Certificate getResponderCert(String str, String str2, Set<TrustAnchor> set, List<CertStore> list) throws CertPathValidatorException {
        final X509CertSelector byIssuerAndSerial = new X509CertSelector();
        try {
            final X500Principal issuer = new X500Principal(str);
            byIssuerAndSerial.setIssuer(issuer);
            // The serial is handled in its own try so that a bad number is reported against the
            // serial property rather than the issuer property.
            try {
                final String hexSerial = stripOutSeparators(str2);
                final BigInteger serial = new BigInteger(hexSerial, 16);
                byIssuerAndSerial.setSerialNumber(serial);
                return getResponderCert(byIssuerAndSerial, set, list);
            } catch (NumberFormatException badSerial) {
                throw new CertPathValidatorException("cannot parse ocsp.responderCertSerialNumber property", badSerial);
            }
        } catch (IllegalArgumentException badIssuer) {
            throw new CertPathValidatorException("cannot parse ocsp.responderCertIssuerName property", badIssuer);
        }
    }

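    /**
     * Finds the first certificate matching the selector, looking at trust anchors before cert stores.
     *
     * <p>The decompiled listing called a non-existent {@code iterator2()} and read the store
     * result outside the {@code try} that assigns it; both are replaced by plain for-each loops
     * with the result scoped to the {@code try}.
     *
     * @param x509CertSelector criteria identifying the responder certificate
     * @param set trust anchors to search first
     * @param list cert stores to search when no anchor matches
     * @return the first matching certificate
     * @throws CertPathValidatorException if neither the anchors nor the stores hold a match
     */
    private static X509Certificate getResponderCert(X509CertSelector x509CertSelector, Set<TrustAnchor> set, List<CertStore> list) throws CertPathValidatorException {
        for (TrustAnchor trustAnchor : set) {
            // Anchors given as name/key pairs carry no certificate and cannot match.
            X509Certificate trustedCert = trustAnchor.getTrustedCert();
            if (trustedCert != null && x509CertSelector.match(trustedCert)) {
                return trustedCert;
            }
        }
        // NOTE(review): a store hit is returned on the selector match alone (subject, or issuer plus
        // serial); no chain validation happens in this method, so the result is only as trustworthy
        // as the stores passed in.
        for (CertStore certStore : list) {
            try {
                Collection<? extends Certificate> certificates = certStore.getCertificates(x509CertSelector);
                if (!certificates.isEmpty()) {
                    return (X509Certificate) certificates.iterator().next();
                }
            } catch (CertStoreException e) {
                // A failing store must not hide a match in a later one; log and keep looking.
                if (debug != null) {
                    debug.println("CertStore exception:" + e);
                }
            }
        }
        throw new CertPathValidatorException("Cannot find the responder's certificate (set using the OCSP security properties).");
    }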

    /**
     * Resets per-path state before a validation run. Only reverse checking is supported.
     *
     * @param z {@code true} to request forward checking, which is rejected
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        if (this.anchor != null) {
            // Start from the trust anchor: it is the issuer of the first certificate checked.
            final OCSPResponse.IssuerInfo anchorInfo = new OCSPResponse.IssuerInfo(this.anchor);
            this.issuerInfo = anchorInfo;
            this.prevPubKey = anchorInfo.getPublicKey();
        }
        this.crlSignFlag = true;
        final boolean pathKnown = this.params != null && this.params.certPath() != null;
        this.certIndex = pathKnown ? this.params.certPath().getCertificates().size() - 1 : -1;
        // Soft failures from an earlier run must not leak into this one.
        this.softFailExceptions.clear();
    }

    /**
     * @return always {@code false}; init(boolean) rejects forward checking
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * @return always {@code null}; this checker does not claim to process any certificate extensions
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Returns the failures that were tolerated because soft-fail is enabled. A non-empty list
     * means at least one certificate was accepted without a definite revocation answer.
     *
     * @return an unmodifiable view of the live list (not a copy); init(boolean) clears it
     */
    @Override // java.security.cert.PKIXRevocationChecker
    public List<CertPathValidatorException> getSoftFailExceptions() {
        return Collections.unmodifiableList(this.softFailExceptions);
    }

    /**
     * Checks the revocation status of one certificate using the key and CRL-sign flag carried
     * over from the previously processed certificate.
     *
     * @param certificate certificate to check; cast to X509Certificate without a type test, so
     *        any other type fails with ClassCastException
     * @param collection unresolved critical extension OIDs, passed through unchanged
     * @throws CertPathValidatorException if the certificate is revoked or its status cannot be
     *         determined and the failure is not tolerated
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        check((X509Certificate) certificate, collection, this.prevPubKey, this.crlSignFlag);
    }

    /**
     * Runs the configured revocation mechanism for one certificate, failing over to the other
     * mechanism in the PREFER_* modes, and always advances the per-path state afterwards.
     *
     * <p>Outcome rules, as implemented below:
     * a REVOKED result is always fatal; in the ONLY_* modes a soft failure passes and any other
     * failure is fatal; in the PREFER_* modes the certificate passes if the failover succeeds, or
     * if both the first attempt and the failover were soft failures.
     *
     * @param x509Certificate certificate to check
     * @param collection unresolved critical extension OIDs, passed through to the mechanisms
     * @param publicKey key carried over from the previously processed certificate
     * @param z whether the previously processed certificate may sign CRLs
     * @throws CertPathValidatorException if the certificate is revoked or the status cannot be
     *         established and the failure is not tolerated
     */
    private void check(X509Certificate x509Certificate, Collection<String> collection, PublicKey publicKey, boolean z) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("RevocationChecker.check: checking cert\n  SN: " + Debug.toHexString(x509Certificate.getSerialNumber()) + "\n  Subject: " + ((Object) x509Certificate.getSubjectX500Principal()) + "\n  Issuer: " + ((Object) x509Certificate.getIssuerX500Principal()));
        }
        // The outer try exists so that updateState runs on every exit path, including exceptions.
        try {
            try {
                // getBasicConstraints() returns -1 for non-CA certificates, so anything else is a CA.
                if (this.onlyEE && x509Certificate.getBasicConstraints() != -1) {
                    if (debug != null) {
                        debug.println("Skipping revocation check; cert is not an end entity cert");
                    }
                    updateState(x509Certificate);
                } else {
                    // First attempt with the preferred (or only) mechanism.
                    switch (this.mode) {
                        case PREFER_OCSP:
                        case ONLY_OCSP:
                            checkOCSP(x509Certificate, collection);
                            break;
                        case PREFER_CRLS:
                        case ONLY_CRLS:
                            checkCRLs(x509Certificate, collection, null, publicKey, z);
                            break;
                    }
                    updateState(x509Certificate);
                }
            } catch (CertPathValidatorException e) {
                // A definite "revoked" answer is never softened or retried.
                if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                    throw e;
                }
                // Note: isSoftFailException also records the exception when it qualifies.
                boolean isSoftFailException = isSoftFailException(e);
                if (isSoftFailException) {
                    if (this.mode == Mode.ONLY_OCSP || this.mode == Mode.ONLY_CRLS) {
                        // Fail-open: no fallback is allowed and the failure is tolerated, so the
                        // certificate passes without a revocation answer.
                        updateState(x509Certificate);
                        return;
                    }
                } else if (this.mode == Mode.ONLY_OCSP || this.mode == Mode.ONLY_CRLS) {
                    throw e;
                }
                if (debug != null) {
                    debug.println("RevocationChecker.check() " + e.getMessage());
                    debug.println("RevocationChecker.check() preparing to failover");
                }
                // Second attempt with the other mechanism (PREFER_* modes only reach this point).
                try {
                    switch (this.mode) {
                        case PREFER_OCSP:
                            checkCRLs(x509Certificate, collection, null, publicKey, z);
                            break;
                        case PREFER_CRLS:
                            checkOCSP(x509Certificate, collection);
                            break;
                    }
                } catch (CertPathValidatorException e2) {
                    if (debug != null) {
                        debug.println("RevocationChecker.check() failover failed");
                        debug.println("RevocationChecker.check() " + e2.getMessage());
                    }
                    if (e2.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                        throw e2;
                    }
                    if (!isSoftFailException(e2)) {
                        // Report the first failure and attach the failover failure to it.
                        e.addSuppressed(e2);
                        throw e;
                    }
                    // The certificate passes only if both attempts were soft failures.
                    if (!isSoftFailException) {
                        throw e;
                    }
                }
                updateState(x509Certificate);
            }
        } catch (Throwable th) {
            // Keep the issuer/key state in step with the path even when this certificate fails.
            updateState(x509Certificate);
            throw th;
        }
    }

    /**
     * Decides whether a failure may be tolerated under soft-fail and, if so, records it.
     * Only failures with reason UNDETERMINED_REVOCATION_STATUS qualify, and only when soft-fail
     * is enabled.
     *
     * @param certPathValidatorException failure raised by a revocation mechanism
     * @return {@code true} if the failure was recorded as a soft failure
     */
    private boolean isSoftFailException(CertPathValidatorException certPathValidatorException) {
        if (this.softFail && certPathValidatorException.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
            // Re-wrap so the recorded exception carries the cert path and index of the affected certificate.
            final CertPathValidatorException recorded = new CertPathValidatorException(
                    certPathValidatorException.getMessage(),
                    certPathValidatorException.getCause(),
                    this.params.certPath(),
                    this.certIndex,
                    certPathValidatorException.getReason());
            this.softFailExceptions.addFirst(recorded);
            return true;
        }
        return false;
    }

    /**
     * Advances the per-path state after a certificate has been processed, so that the next
     * certificate is checked against this one as its issuer.
     *
     * @param x509Certificate certificate that was just processed
     * @throws CertPathValidatorException if the issuer info or inherited-parameter key cannot be built
     */
    private void updateState(X509Certificate x509Certificate) throws CertPathValidatorException {
        this.issuerInfo = new OCSPResponse.IssuerInfo(this.anchor, x509Certificate);
        final PublicKey certKey = x509Certificate.getPublicKey();
        // A DSA key without parameters takes them from the previous key in the path.
        this.prevPubKey = PKIX.isDSAPublicKeyWithoutParams(certKey)
                ? BasicChecker.makeInheritedParamsKey(certKey, this.prevPubKey)
                : certKey;
        this.crlSignFlag = certCanSignCrl(x509Certificate);
        if (this.certIndex > 0) {
            this.certIndex -= 1;
        }
    }

    /**
     * Checks revocation through CRLs with the default settings: no previous certificate, a
     * separate CRL signing key allowed, and the trust anchors taken from the validation parameters.
     *
     * @param x509Certificate certificate to check
     * @param collection unresolved critical extension OIDs; not used by this method
     * @param set certificates already being checked further up the call stack; may be null
     * @param publicKey key carried over from the previously processed certificate
     * @param z whether the previously processed certificate may sign CRLs
     * @throws CertPathValidatorException if the certificate is revoked or its status cannot be determined
     */
    private void checkCRLs(X509Certificate x509Certificate, Collection<String> collection, Set<X509Certificate> set, PublicKey publicKey, boolean z) throws CertPathValidatorException {
        checkCRLs(x509Certificate, publicKey, null, z, true, set, this.params.trustAnchors());
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:13:0x0063. Please report as an issue. */
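    /**
     * Tells whether a cert store failure looks like a network problem for the given store type.
     * Callers use the answer to report UNDETERMINED_REVOCATION_STATUS, which is the only reason
     * soft-fail will tolerate, so this classification decides what can be softened.
     *
     * <p>The decompiled listing assigned integers to a {@code boolean} and repeated a
     * {@code case true} label, which is not valid Java; the dispatch is written as a string
     * switch here with the same three store types.
     *
     * @param str cert store type ("LDAP", "SSLServer" or "URI"; anything else yields {@code false})
     * @param certStoreException failure whose cause is inspected
     * @return {@code true} for an LDAP failure caused by a JNDI ServiceUnavailableException or
     *         CommunicationException (matched by exact class name), or an SSLServer/URI failure
     *         caused by an {@link IOException}
     */
    static boolean isCausedByNetworkIssue(String str, CertStoreException certStoreException) {
        Throwable cause = certStoreException.getCause();
        switch (str) {
            case "LDAP":
                if (cause == null) {
                    return false;
                }
                // Compared by class name so that this class does not need the JNDI types on its classpath.
                String name = cause.getClass().getName();
                return name.equals("javax.naming.ServiceUnavailableException") || name.equals("javax.naming.CommunicationException");
            case "SSLServer":
            case "URI":
                // instanceof is false for null, so a missing cause is not a network issue.
                return cause instanceof IOException;
            default:
                return false;
        }
    }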

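    /**
     * Checks revocation through CRLs: first from the configured cert stores, then (when enabled)
     * from CRL distribution points, and finally by looking for a separate CRL signing key.
     *
     * <p>A set of CRLs is only trusted to answer once it is non-empty and its reasons mask
     * equals ALL_REASONS. The decompiled listing iterated with a non-existent {@code iterator2()}
     * and used raw sets; both are replaced with typed collections and for-each loops.
     *
     * @param x509Certificate certificate to check
     * @param publicKey key carried over from the previously processed certificate
     * @param x509Certificate2 previously processed certificate, or {@code null}
     * @param z whether the previously processed certificate may sign CRLs
     * @param z2 whether to try a separate CRL signing key when no usable CRL is found
     * @param set certificates already being checked further up the call stack; may be {@code null}
     * @param set2 trust anchors used when verifying CRLs
     * @throws CertPathValidatorException with reason REVOKED if the certificate is revoked, or
     *         UNDETERMINED_REVOCATION_STATUS if no adequate CRL could be obtained
     */
    private void checkCRLs(X509Certificate x509Certificate, PublicKey publicKey, X509Certificate x509Certificate2, boolean z, boolean z2, Set<X509Certificate> set, Set<TrustAnchor> set2) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("RevocationChecker.checkCRLs() ---checking revocation status ...");
        }
        // Seeing the same certificate again means its CRL issuer depends on itself; stop here
        // rather than recurse.
        if (set != null && set.contains(x509Certificate)) {
            if (debug != null) {
                debug.println("RevocationChecker.checkCRLs() circular dependency");
            }
            throw new CertPathValidatorException("Could not determine revocation status", null, null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
        }
        Set<X509CRL> possibleCrls = new HashSet<>();
        Set<X509CRL> approvedCrls = new HashSet<>();
        X509CRLSelector crlSelector = new X509CRLSelector();
        crlSelector.setCertificateChecking(x509Certificate);
        CertPathHelper.setDateAndTime(crlSelector, this.params.date(), MAX_CLOCK_SKEW);
        // Only the first network-related store failure is remembered; it is reported later if no
        // CRL source succeeds.
        CertPathValidatorException networkFailure = null;
        for (CertStore certStore : this.certStores) {
            try {
                for (CRL crl : certStore.getCRLs(crlSelector)) {
                    possibleCrls.add((X509CRL) crl);
                }
            } catch (CertStoreException e) {
                if (debug != null) {
                    debug.println("RevocationChecker.checkCRLs() CertStoreException: " + e.getMessage());
                }
                if (networkFailure == null && isCausedByNetworkIssue(certStore.getType(), e)) {
                    networkFailure = new CertPathValidatorException("Unable to determine revocation status due to network error", e, null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                }
            }
        }
        if (debug != null) {
            debug.println("RevocationChecker.checkCRLs() possible crls.size() = " + possibleCrls.size());
        }
        // Filled in by the verification steps; compared with ALL_REASONS below.
        boolean[] reasonsMask = new boolean[9];
        if (!possibleCrls.isEmpty()) {
            approvedCrls.addAll(verifyPossibleCRLs(possibleCrls, x509Certificate, publicKey, z, reasonsMask, set2));
        }
        if (debug != null) {
            debug.println("RevocationChecker.checkCRLs() approved crls.size() = " + approvedCrls.size());
        }
        if (!approvedCrls.isEmpty() && Arrays.equals(reasonsMask, ALL_REASONS)) {
            checkApprovedCRLs(x509Certificate, approvedCrls);
            return;
        }
        try {
            if (this.crlDP) {
                approvedCrls.addAll(DistributionPointFetcher.getCRLs(crlSelector, z, publicKey, x509Certificate2, this.params.sigProvider(), this.certStores, reasonsMask, set2, null, this.params.variant()));
            }
            if (!approvedCrls.isEmpty() && Arrays.equals(reasonsMask, ALL_REASONS)) {
                checkApprovedCRLs(x509Certificate, approvedCrls);
                return;
            }
            if (!z2) {
                if (networkFailure == null) {
                    throw new CertPathValidatorException("Could not determine revocation status", null, null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                }
                throw networkFailure;
            }
            try {
                verifyWithSeparateSigningKey(x509Certificate, publicKey, z, set);
            } catch (CertPathValidatorException e2) {
                // Prefer the earlier network failure as the reported cause when there was one.
                if (networkFailure == null) {
                    throw e2;
                }
                throw networkFailure;
            }
        } catch (CertStoreException e3) {
            if (!(e3 instanceof PKIX.CertStoreTypeException) || !isCausedByNetworkIssue(((PKIX.CertStoreTypeException) e3).getType(), e3)) {
                throw new CertPathValidatorException(e3);
            }
            throw new CertPathValidatorException("Unable to determine revocation status due to network error", e3, null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
        }
    }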

    /**
     * Looks the certificate up in every approved CRL and fails if it is listed as revoked
     * before the validation date.
     *
     * <p>An entry whose revocation date is not before the validation date does not fail the
     * check. An entry carrying a critical extension other than reason code or certificate issuer
     * is rejected outright.
     *
     * @param x509Certificate certificate to look up
     * @param set CRLs that have already been verified
     * @throws CertPathValidatorException with reason REVOKED if the certificate is revoked, or
     *         without a reason if an entry cannot be interpreted
     */
    private void checkApprovedCRLs(X509Certificate x509Certificate, Set<X509CRL> set) throws CertPathValidatorException {
        if (debug != null) {
            final BigInteger serial = x509Certificate.getSerialNumber();
            debug.println("RevocationChecker.checkApprovedCRLs() starting the final sweep...");
            debug.println("RevocationChecker.checkApprovedCRLs() cert SN: " + serial.toString());
        }
        for (X509CRL crl : set) {
            final X509CRLEntry entry = crl.getRevokedCertificate(x509Certificate);
            if (entry == null) {
                // Not listed in this CRL.
                continue;
            }
            try {
                final X509CRLEntryImpl entryImpl = X509CRLEntryImpl.toImpl(entry);
                if (debug != null) {
                    debug.println("RevocationChecker.checkApprovedCRLs() CRL entry: " + entryImpl.toString());
                }
                final Set<String> unresolvedCritical = entryImpl.getCriticalExtensionOIDs();
                if (unresolvedCritical != null && !unresolvedCritical.isEmpty()) {
                    // These two are understood here; anything left over is not.
                    unresolvedCritical.remove(PKIXExtensions.ReasonCode_Id.toString());
                    unresolvedCritical.remove(PKIXExtensions.CertificateIssuer_Id.toString());
                    if (!unresolvedCritical.isEmpty()) {
                        throw new CertPathValidatorException("Unrecognized critical extension(s) in revoked CRL entry");
                    }
                }
                final CRLReason statedReason = entryImpl.getRevocationReason();
                final CRLReason reason = statedReason == null ? CRLReason.UNSPECIFIED : statedReason;
                final Date revokedAt = entryImpl.getRevocationDate();
                if (!revokedAt.before(this.params.date())) {
                    continue;
                }
                final CertificateRevokedException revoked = new CertificateRevokedException(revokedAt, reason, crl.getIssuerX500Principal(), entryImpl.getExtensions());
                throw new CertPathValidatorException(revoked.getMessage(), revoked, null, -1, CertPathValidatorException.BasicReason.REVOKED);
            } catch (CRLException crlError) {
                throw new CertPathValidatorException(crlError);
            }
        }
    }

    /**
     * Checks revocation through OCSP, using a pre-supplied response for the certificate when one
     * exists and otherwise querying the responder.
     *
     * <p>A pre-supplied response is verified against the validation date and the nonce taken
     * from the configured OCSP extensions; a live query passes a {@code null} date to OCSP.check.
     * A REVOKED status only fails the check when the revocation time is before the validation date.
     *
     * @param x509Certificate certificate to check
     * @param collection unresolved critical extension OIDs; not used by this method
     * @throws CertPathValidatorException with reason REVOKED if the certificate is revoked,
     *         UNDETERMINED_REVOCATION_STATUS if the status is unknown or an I/O error occurs, or
     *         without a reason if no responder is known or the certificate cannot be converted
     */
    private void checkOCSP(X509Certificate x509Certificate, Collection<String> collection) throws CertPathValidatorException {
        try {
            final X509CertImpl certImpl = X509CertImpl.toImpl(x509Certificate);
            try {
                final CertId certId = new CertId(this.issuerInfo.getName(), this.issuerInfo.getPublicKey(), certImpl.getSerialNumberObject());
                final byte[] suppliedResponse = this.ocspResponses.get(x509Certificate);
                final List<CertId> certIds = Collections.singletonList(certId);
                final OCSPResponse response;
                if (suppliedResponse == null) {
                    // No pre-supplied response: ask the configured responder, or the one named in the certificate.
                    URI target = this.responderURI;
                    if (target == null) {
                        target = OCSP.getResponderURI(certImpl);
                    }
                    if (target == null) {
                        throw new CertPathValidatorException("Certificate does not specify OCSP responder", null, null, -1);
                    }
                    response = OCSP.check(certIds, target, this.issuerInfo, this.responderCert, (Date) null, this.ocspExtensions, this.params.variant());
                } else {
                    if (debug != null) {
                        debug.println("Found cached OCSP response");
                    }
                    response = new OCSPResponse(suppliedResponse);
                    // 1.3.6.1.5.5.7.48.1.2 is the OCSP nonce extension; the last one listed wins.
                    byte[] nonce = null;
                    for (Extension candidate : this.ocspExtensions) {
                        if (candidate.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
                            nonce = candidate.getValue();
                        }
                    }
                    response.verify(certIds, this.issuerInfo, this.responderCert, this.params.date(), nonce, this.params.variant());
                }
                final OCSPResponse.SingleResponse single = response.getSingleResponse(certId);
                final OCSP.RevocationStatus.CertStatus status = single.getCertStatus();
                if (status == OCSP.RevocationStatus.CertStatus.REVOKED) {
                    final Date revokedAt = single.getRevocationTime();
                    if (revokedAt.before(this.params.date())) {
                        final CertificateRevokedException revoked = new CertificateRevokedException(revokedAt, single.getRevocationReason(), response.getSignerCertificate().getSubjectX500Principal(), single.getSingleExtensions());
                        throw new CertPathValidatorException(revoked.getMessage(), revoked, null, -1, CertPathValidatorException.BasicReason.REVOKED);
                    }
                } else if (status == OCSP.RevocationStatus.CertStatus.UNKNOWN) {
                    throw new CertPathValidatorException("Certificate's revocation status is unknown", null, this.params.certPath(), -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                }
            } catch (IOException ioError) {
                // Reported as undetermined, which is the reason soft-fail is allowed to tolerate.
                throw new CertPathValidatorException("Unable to determine revocation status due to network error", ioError, null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
            }
        } catch (CertificateException certError) {
            throw new CertPathValidatorException(certError);
        }
    }

    /**
     * Returns the characters of {@code str} that occur in {@code HEX_DIGITS},
     * in their original order. Every other character is dropped.
     *
     * @param str text to filter
     * @return the retained characters, possibly an empty string
     */
    private static String stripOutSeparators(String str) {
        StringBuilder kept = new StringBuilder();
        for (char candidate : str.toCharArray()) {
            // indexOf reports a negative value for a character HEX_DIGITS does not contain.
            if (HEX_DIGITS.indexOf(candidate) >= 0) {
                kept.append(candidate);
            }
        }
        return kept.toString();
    }

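    /**
     * Reports whether the certificate's key usage asserts bit 6, the
     * {@code cRLSign} position of the X.509 KeyUsage bit string.
     *
     * <p>A certificate that returns no key usage array is treated as unable to
     * sign CRLs. An array too short to hold bit 6 gets the same answer, so a
     * certificate implementation that returns a truncated array produces
     * "cannot sign" instead of an unchecked
     * {@link ArrayIndexOutOfBoundsException} during path validation.
     *
     * @param x509Certificate certificate whose key usage is inspected
     * @return {@code true} only when a key usage array is present and its
     *         bit 6 is set
     */
    static boolean certCanSignCrl(X509Certificate x509Certificate) {
        final int crlSignBit = 6;
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // Fail closed: absent or short key usage means the bit is not asserted.
        return keyUsage != null && keyUsage.length > crlSignBit && keyUsage[crlSignBit];
    }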

    /**
     * Returns the subset of {@code set} that
     * {@code DistributionPointFetcher.verifyCRL} accepts for the certificate.
     *
     * <p>Each candidate CRL is checked against every distribution point of the
     * certificate. When the certificate has no CRL distribution points
     * extension, a single distribution point built from the certificate's
     * issuer name is used instead. Iteration over distribution points stops
     * once {@code zArr} equals {@code ALL_REASONS}.
     *
     * <p>An {@link IOException}, {@link CRLException} or
     * {@link CertificateException} raised during the check is not propagated.
     * It is reported on the debug channel when that is enabled, and an empty
     * set is returned, so the caller sees no accepted CRL.
     *
     * @param set candidate CRLs
     * @param x509Certificate certificate whose revocation status is being checked
     * @param publicKey passed through to {@code verifyCRL}
     * @param z passed through to {@code verifyCRL}
     * @param zArr reasons mask compared with {@code ALL_REASONS}; presumably
     *        updated by {@code verifyCRL} (confirm there)
     * @param set2 trust anchors passed through to {@code verifyCRL}
     * @return the accepted CRLs, or an empty set when verification raised one
     *         of the exceptions listed above
     * @throws CertPathValidatorException declared by the signature; no visible
     *         statement in this method throws it directly
     */
    private Collection<X509CRL> verifyPossibleCRLs(Set<X509CRL> set, X509Certificate x509Certificate, PublicKey publicKey, boolean z, boolean[] zArr, Set<TrustAnchor> set2) throws CertPathValidatorException {
        try {
            X509CertImpl certImpl = X509CertImpl.toImpl(x509Certificate);
            if (debug != null) {
                debug.println("RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for " + ((Object) certImpl.getSubjectX500Principal()));
            }
            CRLDistributionPointsExtension crldpExtension = certImpl.getCRLDistributionPointsExtension();
            List<DistributionPoint> points;
            if (crldpExtension != null) {
                points = crldpExtension.get(CRLDistributionPointsExtension.POINTS);
            } else {
                // No CRLDP extension: use one distribution point named after the issuer.
                points = Collections.singletonList(new DistributionPoint(new GeneralNames().add(new GeneralName((X500Name) certImpl.getIssuerDN())), (boolean[]) null, (GeneralNames) null));
            }
            Set<X509CRL> accepted = new HashSet<>();
            for (DistributionPoint point : points) {
                for (X509CRL candidate : set) {
                    boolean verified = DistributionPointFetcher.verifyCRL(certImpl, point, candidate, zArr, z, publicKey, null, this.params.sigProvider(), set2, this.certStores, this.params.date(), this.params.variant());
                    if (verified) {
                        accepted.add(candidate);
                    }
                }
                // Remaining distribution points are skipped once every reason is covered.
                if (Arrays.equals(zArr, ALL_REASONS)) {
                    break;
                }
            }
            return accepted;
        } catch (IOException | CRLException | CertificateException failure) {
            if (debug != null) {
                debug.println("Exception while verifying CRL: " + failure.getMessage());
                failure.printStackTrace();
            }
            // A failed verification yields no accepted CRL rather than an exception.
            return Collections.emptySet();
        }
    }

    /**
     * Checks revocation of {@code x509Certificate} by delegating to
     * {@code buildToNewKey}, after refusing a certificate that is already in
     * {@code set}.
     *
     * @param x509Certificate certificate whose revocation status is wanted
     * @param publicKey key handed to {@code buildToNewKey} when {@code z} is
     *        {@code true}; otherwise {@code null} is handed over
     * @param z selects whether {@code publicKey} is forwarded
     * @param set certificates already under examination; may be {@code null}
     * @throws CertPathValidatorException with reason
     *         {@code UNDETERMINED_REVOCATION_STATUS} when the certificate is
     *         already in {@code set}, or whatever {@code buildToNewKey} throws
     */
    private void verifyWithSeparateSigningKey(X509Certificate x509Certificate, PublicKey publicKey, boolean z, Set<X509Certificate> set) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("RevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...");
        }
        // Seeing the same certificate again means the check depends on itself; stop here.
        boolean alreadyUnderCheck = set != null && set.contains(x509Certificate);
        if (alreadyUnderCheck) {
            if (debug != null) {
                debug.println("RevocationChecker.verifyWithSeparateSigningKey() circular dependency");
            }
            throw new CertPathValidatorException("Could not determine revocation status", null, null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
        }
        PublicKey forwardedKey = z ? publicKey : null;
        buildToNewKey(x509Certificate, forwardedKey, set);
    }

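    /**
     * Builds certification paths to a CRL-signing certificate of the issuer of
     * {@code x509Certificate} and repeats the CRL check with each key found,
     * until one check succeeds, one reports revocation, or no further path
     * can be built.
     *
     * <p>Path building runs with the builder's own revocation checking
     * disabled. Each certificate of a built path is instead passed to
     * {@code checkCRLs} here, starting from the trust anchor's key. A key whose
     * path fails that check, or whose CRL check of {@code x509Certificate}
     * ends without a verdict, is added to the rejected-key set before the next
     * build attempt.
     *
     * <p>A {@code REVOKED} result from the final check is propagated to the
     * caller. The earlier nesting placed the rethrow inside the {@code try}
     * that guards the path check, so that handler caught the revocation
     * verdict and the loop went on to try another key.
     *
     * @param x509Certificate certificate whose revocation status is wanted
     * @param publicKey key to exclude from the search, or {@code null}
     * @param set certificates already under examination; {@code null} is
     *        replaced by a new set once a path has been built
     * @throws CertPathValidatorException with reason {@code REVOKED} when the
     *         final check reports revocation; with reason
     *         {@code UNDETERMINED_REVOCATION_STATUS} when the builder finds no
     *         further path; or wrapping an
     *         {@link InvalidAlgorithmParameterException} or
     *         {@link NoSuchAlgorithmException} from the builder
     * @throws RuntimeException wrapping an
     *         {@link InvalidAlgorithmParameterException} raised while the
     *         builder parameters are set up
     */
    private void buildToNewKey(X509Certificate x509Certificate, PublicKey publicKey, Set<X509Certificate> set) throws CertPathValidatorException {
        if (debug != null) {
            debug.println("RevocationChecker.buildToNewKey() starting work");
        }
        // Keys that must not be selected again. The set is handed to the selector and
        // extended in the loop below; presumably RejectKeySelector keeps a reference to it
        // so later additions take effect on the next build (confirm in RejectKeySelector).
        Set<PublicKey> rejectedKeys = new HashSet<>();
        if (publicKey != null) {
            rejectedKeys.add(publicKey);
        }
        RejectKeySelector rejectKeySelector = new RejectKeySelector(rejectedKeys);
        rejectKeySelector.setSubject(x509Certificate.getIssuerX500Principal());
        rejectKeySelector.setKeyUsage(CRL_SIGN_USAGE);
        Set<TrustAnchor> trustAnchors = this.anchor == null ? this.params.trustAnchors() : Collections.singleton(this.anchor);
        try {
            PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustAnchors, rejectKeySelector);
            builderParams.setInitialPolicies(this.params.initialPolicies());
            builderParams.setCertStores(this.certStores);
            builderParams.setExplicitPolicyRequired(this.params.explicitPolicyRequired());
            builderParams.setPolicyMappingInhibited(this.params.policyMappingInhibited());
            builderParams.setAnyPolicyInhibited(this.params.anyPolicyInhibited());
            builderParams.setDate(this.params.date());
            builderParams.setCertPathCheckers(this.params.getPKIXParameters().getCertPathCheckers());
            builderParams.setSigProvider(this.params.sigProvider());
            // The builder does no revocation checking; the loop below calls checkCRLs itself.
            builderParams.setRevocationEnabled(false);
            if (Builder.USE_AIA) {
                // The access descriptions come from the certificate being checked, so with
                // this flag on, the stores consulted are the ones that certificate names.
                X509CertImpl certImpl = null;
                try {
                    certImpl = X509CertImpl.toImpl(x509Certificate);
                } catch (CertificateException decodeFailure) {
                    // Best effort: without a decoded certificate no AIA store is added.
                    if (debug != null) {
                        debug.println("RevocationChecker.buildToNewKey: error decoding cert: " + ((Object) decodeFailure));
                    }
                }
                AuthorityInfoAccessExtension aiaExtension = certImpl != null ? certImpl.getAuthorityInfoAccessExtension() : null;
                if (aiaExtension != null) {
                    List<AccessDescription> accessDescriptions = aiaExtension.getAccessDescriptions();
                    if (accessDescriptions != null) {
                        for (AccessDescription accessDescription : accessDescriptions) {
                            CertStore uriCertStore = URICertStore.getInstance(accessDescription);
                            if (uriCertStore != null) {
                                if (debug != null) {
                                    debug.println("adding AIAext CertStore");
                                }
                                builderParams.addCertStore(uriCertStore);
                            }
                        }
                    }
                }
            }
            try {
                CertPathBuilder certPathBuilder = CertPathBuilder.getInstance(Validator.TYPE_PKIX);
                // Leaves by return (check passed), by REVOKED, or when the builder gives up.
                while (true) {
                    try {
                        if (debug != null) {
                            debug.println("RevocationChecker.buildToNewKey() about to try build ...");
                        }
                        PKIXCertPathBuilderResult buildResult = (PKIXCertPathBuilderResult) certPathBuilder.build(builderParams);
                        if (debug != null) {
                            debug.println("RevocationChecker.buildToNewKey() about to check revocation ...");
                        }
                        if (set == null) {
                            set = new HashSet<>();
                        }
                        // Recorded so verifyWithSeparateSigningKey can detect a circular dependency.
                        set.add(x509Certificate);
                        TrustAnchor trustAnchor = buildResult.getTrustAnchor();
                        PublicKey issuerKey = trustAnchor.getCAPublicKey();
                        if (issuerKey == null) {
                            issuerKey = trustAnchor.getTrustedCert().getPublicKey();
                        }
                        boolean issuerCanSignCrl = true;
                        List<? extends Certificate> certificates = buildResult.getCertPath().getCertificates();
                        try {
                            // Walk the path from its last element to its first, checking each
                            // certificate with the key of the one checked before it.
                            for (int index = certificates.size() - 1; index >= 0; index--) {
                                X509Certificate pathCert = (X509Certificate) certificates.get(index);
                                if (debug != null) {
                                    debug.println("RevocationChecker.buildToNewKey() index " + index + " checking " + ((Object) pathCert));
                                }
                                checkCRLs(pathCert, issuerKey, null, issuerCanSignCrl, true, set, trustAnchors);
                                issuerCanSignCrl = certCanSignCrl(pathCert);
                                issuerKey = pathCert.getPublicKey();
                            }
                        } catch (CertPathValidatorException pathCheckFailure) {
                            // The path to this key did not pass its own check; try another key.
                            rejectedKeys.add(buildResult.getPublicKey());
                            continue;
                        }
                        if (debug != null) {
                            debug.println("RevocationChecker.buildToNewKey() got key " + ((Object) buildResult.getPublicKey()));
                        }
                        PublicKey newKey = buildResult.getPublicKey();
                        X509Certificate newKeyCert = certificates.isEmpty() ? null : (X509Certificate) certificates.get(0);
                        try {
                            checkCRLs(x509Certificate, newKey, newKeyCert, true, false, null, this.params.trustAnchors());
                            return;
                        } catch (CertPathValidatorException finalCheckFailure) {
                            // This handler is outside the path-check try above, so a revocation
                            // verdict reaches the caller instead of being retried.
                            if (finalCheckFailure.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                                throw finalCheckFailure;
                            }
                        }
                        // No verdict with this key; exclude it and build again.
                        rejectedKeys.add(newKey);
                    } catch (InvalidAlgorithmParameterException badParams) {
                        throw new CertPathValidatorException(badParams);
                    } catch (CertPathBuilderException noMorePaths) {
                        throw new CertPathValidatorException("Could not determine revocation status", null, null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                    }
                }
            } catch (NoSuchAlgorithmException noBuilder) {
                throw new CertPathValidatorException(noBuilder);
            }
        } catch (InvalidAlgorithmParameterException badSetup) {
            throw new RuntimeException(badSetup);
        }
    }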

    /**
     * Returns a copy of this checker that holds its own list of soft-fail
     * exceptions, initialised with the entries currently in this checker's
     * list.
     *
     * @return the copy
     */
    @Override // java.security.cert.PKIXRevocationChecker, java.security.cert.PKIXCertPathChecker
    public RevocationChecker clone() {
        RevocationChecker copy = (RevocationChecker) super.clone();
        // A separate list keeps later additions on either object from showing up in the other.
        copy.softFailExceptions = new LinkedList<>(this.softFailExceptions);
        return copy;
    }
}
