package cfca.sadk.tls.sun.security.ssl.manager;

import cfca.sadk.tls.pure.impl.SM2Helper;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/manager/CertCheckType.class */
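/**
 * Kind of end-entity certificate check applied when selecting or validating a TLS certificate.
 *
 * <p>Each constant carries the set of Extended Key Usage (EKU) OIDs that are acceptable for
 * that role. {@link #NONE} performs no checks at all, including no validity-period check.
 */
enum CertCheckType {
    /** No checking: {@link #check} returns OK without looking at the certificate. */
    NONE(new String[0]),
    /** Client authentication: anyExtendedKeyUsage (2.5.29.37.0) or id-kp-clientAuth. */
    CLIENT(new String[]{"2.5.29.37.0", "1.3.6.1.5.5.7.3.2"}),
    /**
     * Server authentication: anyExtendedKeyUsage, id-kp-serverAuth, and the legacy Netscape
     * (2.16.840.1.113730.4.1) and Microsoft (1.3.6.1.4.1.311.10.3.3) server-gated-crypto OIDs.
     */
    // NOTE(review): the two SGC OIDs are legacy step-up usages; confirm they still need to be
    // accepted as equivalent to serverAuth in this deployment.
    SERVER(new String[]{"2.5.29.37.0", "1.3.6.1.5.5.7.3.1", "2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3"});

    // EKU allow-list for this role. Wrapped as unmodifiable because the field is package-visible
    // and adding an OID at runtime would silently widen which certificates are accepted.
    final Set<String> validEku;

    CertCheckType(String[] strArr) {
        this.validEku = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(strArr)));
    }

    /**
     * Checks a certificate against this role's extension rules and then its validity period.
     *
     * <p>The extension check runs first, so a certificate that is both mismatched and expired
     * is reported as {@code EXTENSION_MISMATCH}. For {@link #NONE} neither check is run.
     *
     * @param x509Certificate the certificate to check, must not be {@code null}
     * @param date the instant at which the validity period is evaluated, must not be {@code null}
     * @return {@code OK}, {@code EXTENSION_MISMATCH}, {@code EXPIRED} or {@code NOTYETVALID}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public final CertCheckResult check(X509Certificate x509Certificate, Date date) {
        if (x509Certificate == null || date == null) {
            throw new IllegalArgumentException("parameters cert and date must not null");
        }
        if (this == NONE) {
            return CertCheckResult.OK;
        }
        CertCheckResult extensionResult = checkExtensions(x509Certificate);
        if (extensionResult != CertCheckResult.OK) {
            return extensionResult;
        }
        return checkValidity(x509Certificate, date);
    }

    /**
     * Checks the EKU and KeyUsage extensions against this role.
     *
     * <p>A certificate without an EKU extension is not restricted by EKU. When EKU is present
     * it must share at least one OID with {@link #validEku}. KeyUsage is only constrained for
     * SM2 public keys: a client certificate needs digitalSignature, a server certificate needs
     * digitalSignature or keyEncipherment. An extension that cannot be parsed is a mismatch.
     */
    private CertCheckResult checkExtensions(X509Certificate x509Certificate) {
        try {
            List<String> presentedEku = x509Certificate.getExtendedKeyUsage();
            if (presentedEku != null && Collections.disjoint(this.validEku, presentedEku)) {
                return CertCheckResult.EXTENSION_MISMATCH;
            }
            CertKeyUsage keyUsage = new CertKeyUsage(x509Certificate.getKeyUsage());
            // presumably enabled() means the KeyUsage extension is present - confirm in CertKeyUsage
            if (keyUsage.enabled()) {
                String keyAlgorithm = x509Certificate.getPublicKey().getAlgorithm();
                boolean canSign = keyUsage.digitalSignature();
                // NOTE(review): for any non-SM2 key algorithm no KeyUsage constraint is applied
                // here; confirm that is intended or enforced elsewhere.
                if (SM2Helper.isSM2Type(keyAlgorithm) && !canSign
                        && (this == CLIENT || !keyUsage.keyEncipherment())) {
                    return CertCheckResult.EXTENSION_MISMATCH;
                }
            }
            return CertCheckResult.OK;
        } catch (CertificateException e) {
            // Fail closed: an EKU extension that cannot be decoded is treated as a mismatch.
            return CertCheckResult.EXTENSION_MISMATCH;
        }
    }

    /**
     * Maps the certificate's validity-period check at {@code date} to a result code.
     *
     * @return {@code EXPIRED} or {@code NOTYETVALID} when the date is outside the validity
     *     period, otherwise {@code OK}
     */
    private CertCheckResult checkValidity(X509Certificate x509Certificate, Date date) {
        try {
            x509Certificate.checkValidity(date);
            return CertCheckResult.OK;
        } catch (CertificateExpiredException e) {
            return CertCheckResult.EXPIRED;
        } catch (CertificateNotYetValidException e) {
            return CertCheckResult.NOTYETVALID;
        }
    }
}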
