package cfca.sadk.tls.sun.security.validator;

import cfca.sadk.tls.sun.security.ssl.sec.JSSEJCE;
import cfca.sadk.tls.sun.security.util.GMSSLConstants;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:cfca/sadk/tls/sun/security/validator/TLSPKIXValidator.class */
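/**
 * Certificate-chain validator that keeps a set of trusted certificates, a
 * {@link PKIXBuilderParameters} template built from them, and a
 * {@link PluginValidator} index of trusted subject names to public keys.
 *
 * <p>This listing is decompiler output. The decompiler marked both constructors and
 * {@link PluginValidator} as originally package-private; the widened modifiers are
 * kept here so the listing stays consistent with itself.
 *
 * <p>NOTE(review): no {@code CertPathValidator} or {@code CertPathBuilder} is invoked
 * anywhere in this class. The parameters object is cloned and configured (date,
 * cert-path checker, target constraints, cert store, revocation flag), but only its
 * trust-anchor set is ever passed on, to {@code TrustAnchorHelper.findTrustAnchor}.
 * Whether signatures, validity periods, revocation and the algorithm constraints are
 * enforced therefore depends entirely on {@code TrustAnchorHelper}, which is not
 * shown here. Confirm before relying on this class for chain validation.
 */
public final class TLSPKIXValidator extends TLSValidator {
    // Trusted certificates. When the constructor argument is already a Set it is
    // stored by reference (see buildTrustedCerts(Collection)), so later changes to
    // that Set by its owner are visible here but not in the trust anchors of params.
    private final Set<X509Certificate> trustedCerts;
    // Template parameters; engineValidate works on a clone, never on this instance.
    private final PKIXBuilderParameters params;
    // Subject -> public keys index of trustedCerts plus the certificate factory.
    private final PluginValidator plugin;

    /**
     * Holder for the subject/public-key index of the trusted certificates and the
     * certificate factory used to build cert paths.
     */
    public static final class PluginValidator {
        Map<X500Principal, List<PublicKey>> trustedSubjects;
        CertificateFactory factory;

        PluginValidator() {
        }

        /** Returns true when either the subject index or the factory has not been set. */
        boolean isEmpty() {
            return this.trustedSubjects == null || this.factory == null;
        }

        /**
         * Returns true when a trusted certificate with the given subject carries the
         * given public key. Callers must check {@link #isEmpty()} first; a null
         * {@code trustedSubjects} map is dereferenced here.
         */
        boolean contains(X500Principal subject, PublicKey publicKey) {
            List<PublicKey> keys = this.trustedSubjects.get(subject);
            return keys != null && keys.contains(publicKey);
        }
    }

    /**
     * Creates a validator from a collection of trusted certificates.
     *
     * @param variant validator variant, forwarded to the superclass and used to decide
     *        whether the revocation flag follows {@code GMSSLConstants.checkTLSRevocation}
     * @param trustedCertificates trusted certificates; null entries are skipped
     * @throws RuntimeException if the builder parameters cannot be created, which
     *         {@link PKIXBuilderParameters} does for an empty trust-anchor set
     */
    public TLSPKIXValidator(TLSValidatorVariant variant, Collection<X509Certificate> trustedCertificates) {
        super(variant);
        Set<X509Certificate> trusted = buildTrustedCerts(trustedCertificates);
        this.params = buildBuilderParameters(variant, trustedCertificates);
        this.plugin = buildPluginValidator(trusted);
        this.trustedCerts = trusted;
    }

    /**
     * Creates a validator from caller-supplied builder parameters. The trusted
     * certificate set is derived from the parameters' trust anchors.
     *
     * @param variant validator variant, forwarded to the superclass
     * @param builderParameters parameters to use as the template; may be null, in which
     *        case {@link #engineValidate} rejects every chain
     */
    public TLSPKIXValidator(TLSValidatorVariant variant, PKIXBuilderParameters builderParameters) {
        super(variant);
        Set<X509Certificate> trusted = buildTrustedCerts(builderParameters);
        this.params = builderParameters;
        this.plugin = buildPluginValidator(trusted);
        this.trustedCerts = trusted;
    }

    /**
     * Returns the trusted certificates.
     *
     * <p>NOTE(review): the internal set is returned without a copy or an unmodifiable
     * wrapper, so a caller can change the set that {@code checkOrder} consults.
     */
    @Override
    public final Collection<X509Certificate> getTrustedCertificates() {
        return this.trustedCerts;
    }

    /**
     * Validates a certificate chain against the trusted certificates.
     *
     * @param chain chain to validate, leaf first
     * @param otherCerts additional certificates; only added to the cert store of the
     *        working parameters
     * @param constraints algorithm constraints; when non-null a
     *        {@code GMAlgorithmChecker} is registered on the working parameters
     * @return the chain as returned by {@code checkOrder}, {@code doValidate} or the
     *         three-argument {@code buildTrustedCerts}
     * @throws CertificateException if the chain is null or empty, the validator is not
     *         fully initialised, or one of the delegates rejects the chain
     */
    @Override
    X509Certificate[] engineValidate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, GMAlgorithmConstraints constraints) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("null or zero-length certificate chain");
        }
        if (this.params == null) {
            throw new CertificateException("null builder parameters");
        }
        if (this.plugin == null || this.plugin.isEmpty()) {
            throw new CertificateException("plugin is null or the param of plugin missing");
        }
        // Work on a clone so per-call settings never leak into the shared template.
        PKIXBuilderParameters working = (PKIXBuilderParameters) this.params.clone();
        if (constraints != null) {
            // NOTE(review): the checker is registered on the parameters, but nothing in
            // this class runs the parameters' checkers; confirm it is applied elsewhere.
            working.addCertPathChecker(new GMAlgorithmChecker(constraints));
        }
        X509Certificate[] ordered = checkOrder(chain, otherCerts, working);
        if (ordered != null) {
            return ordered;
        }
        // No certificate in the chain matched a trusted one: choose the path by whether
        // the last certificate's issuer name is a known trusted subject.
        X500Principal lastIssuer = chain[chain.length - 1].getIssuerX500Principal();
        if (this.plugin.trustedSubjects.containsKey(lastIssuer)) {
            return doValidate(chain, working, this.plugin.factory);
        }
        return buildTrustedCerts(chain, otherCerts, working);
    }

    /**
     * Walks the chain from the leaf, checking issuer/subject ordering and looking for
     * the first certificate that is trusted.
     *
     * <p>The decompiler could not restructure this method and emitted only a
     * register-level dump; the body below is reconstructed from that dump and should be
     * verified against the original bytecode.
     *
     * <ul>
     *   <li>Null entries are skipped without updating the expected issuer.</li>
     *   <li>If a certificate's subject differs from the previous certificate's issuer,
     *       the whole chain is handed to the three-argument {@code buildTrustedCerts}.</li>
     *   <li>If a certificate is in {@code trustedCerts}, or its subject and public key
     *       match a trusted certificate, the certificates before it are passed to
     *       {@code doValidate}; when that certificate is the leaf itself, the leaf is
     *       returned alone with no further call.</li>
     * </ul>
     *
     * @return the resulting chain, or null when the chain is in order but contains no
     *         trusted certificate
     */
    private X509Certificate[] checkOrder(X509Certificate[] chain, Collection<X509Certificate> otherCerts, PKIXBuilderParameters working) throws CertificateException {
        X500Principal expectedSubject = null;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            if (cert == null) {
                continue;
            }
            X500Principal subject = cert.getSubjectX500Principal();
            if (i != 0 && !subject.equals(expectedSubject)) {
                // Chain is out of order (or has a gap): fall back to the builder path.
                return buildTrustedCerts(chain, otherCerts, working);
            }
            if (this.trustedCerts.contains(cert) || this.plugin.contains(subject, cert.getPublicKey())) {
                if (i == 0) {
                    // The leaf itself is trusted; it is returned without further checks.
                    return new X509Certificate[]{chain[0]};
                }
                // Drop the trusted certificate and everything after it.
                X509Certificate[] prefix = new X509Certificate[i];
                System.arraycopy(chain, 0, prefix, 0, i);
                return doValidate(prefix, working, this.plugin.factory);
            }
            expectedSubject = cert.getIssuerX500Principal();
        }
        return null;
    }

    /**
     * Converts the constructor's certificate collection to a set. A null collection
     * yields an immutable empty set; an existing {@link Set} is reused by reference
     * rather than copied.
     */
    private Set<X509Certificate> buildTrustedCerts(Collection<X509Certificate> certs) {
        if (certs == null) {
            return Collections.<X509Certificate>emptySet();
        }
        if (certs instanceof Set) {
            return (Set<X509Certificate>) certs;
        }
        return new HashSet<X509Certificate>(certs);
    }

    /**
     * Collects the certificates of all trust anchors that carry one. Anchors without a
     * certificate (and null anchors) are skipped. Null parameters yield an immutable
     * empty set.
     */
    private Set<X509Certificate> buildTrustedCerts(PKIXBuilderParameters builderParameters) {
        if (builderParameters == null) {
            return Collections.<X509Certificate>emptySet();
        }
        Set<X509Certificate> certs = new HashSet<X509Certificate>();
        for (TrustAnchor anchor : builderParameters.getTrustAnchors()) {
            if (anchor == null) {
                continue;
            }
            X509Certificate trusted = anchor.getTrustedCert();
            if (trusted != null) {
                certs.add(trusted);
            }
        }
        return certs;
    }

    /**
     * Builds the template parameters with one trust anchor per non-null certificate
     * (no name constraints) and no target selector.
     *
     * <p>Revocation checking follows {@code GMSSLConstants.checkTLSRevocation} for the
     * TLS server and client variants and is switched off for every other variant.
     *
     * @throws RuntimeException wrapping the {@link InvalidAlgorithmParameterException}
     *         raised by {@link PKIXBuilderParameters}
     */
    private PKIXBuilderParameters buildBuilderParameters(TLSValidatorVariant variant, Collection<X509Certificate> certs) {
        Set<TrustAnchor> anchors;
        if (certs == null) {
            anchors = Collections.<TrustAnchor>emptySet();
        } else {
            anchors = new HashSet<TrustAnchor>();
            for (X509Certificate cert : certs) {
                if (cert != null) {
                    anchors.add(new TrustAnchor(cert, null));
                }
            }
        }
        try {
            PKIXBuilderParameters built = new PKIXBuilderParameters(anchors, (CertSelector) null);
            if (variant == TLSValidatorVariant.TLS_SERVER || variant == TLSValidatorVariant.TLS_CLIENT) {
                built.setRevocationEnabled(GMSSLConstants.checkTLSRevocation);
            } else {
                built.setRevocationEnabled(false);
            }
            return built;
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException("Unexpected error: " + e.toString(), e);
        }
    }

    /** Creates the plugin holder from the trusted certificates and the JSSEJCE factory. */
    private PluginValidator buildPluginValidator(Set<X509Certificate> trusted) {
        PluginValidator holder = new PluginValidator();
        holder.trustedSubjects = buildTrustedSubjects(trusted);
        holder.factory = buildCertificateFactory();
        return holder;
    }

    /** Obtains the certificate factory from JSSEJCE, wrapping any failure as unchecked. */
    private CertificateFactory buildCertificateFactory() {
        try {
            return JSSEJCE.getCertificateFactory();
        } catch (CertificateException e) {
            throw new RuntimeException("Internal error", e);
        }
    }

    /**
     * Indexes the trusted certificates by subject name. Several certificates may share
     * a subject, so each subject maps to the list of their public keys. Null entries
     * are skipped; a null collection yields an immutable empty map.
     */
    private Map<X500Principal, List<PublicKey>> buildTrustedSubjects(Collection<X509Certificate> certs) {
        if (certs == null) {
            return Collections.<X500Principal, List<PublicKey>>emptyMap();
        }
        Map<X500Principal, List<PublicKey>> bySubject = new HashMap<X500Principal, List<PublicKey>>();
        for (X509Certificate cert : certs) {
            if (cert == null) {
                continue;
            }
            X500Principal subject = cert.getSubjectX500Principal();
            List<PublicKey> keys = bySubject.get(subject);
            if (keys == null) {
                keys = new ArrayList<PublicKey>();
                bySubject.put(subject, keys);
            }
            keys.add(cert.getPublicKey());
        }
        return bySubject;
    }

    /**
     * Turns the chain into a {@link CertPath} and resolves a trust anchor for its last
     * certificate.
     *
     * <p>NOTE(review): the only trust decision visible here is
     * {@code TrustAnchorHelper.findTrustAnchor}; the date set on the parameters is not
     * consumed in this class. Confirm what the helper verifies.
     *
     * @throws CertificateException (as {@code TLSValidatorException}) if the chain or
     *         factory is missing, no trust anchor is found, or any step fails
     */
    private X509Certificate[] doValidate(X509Certificate[] chain, PKIXBuilderParameters working, CertificateFactory factory) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new TLSValidatorException("PKIX path building failed: null or zero-length certificate chain");
        }
        if (factory == null) {
            throw new TLSValidatorException("PKIX path building failed: null certificate factory");
        }
        try {
            working.setDate(new Date());
            CertPath path = factory.generateCertPath(Arrays.asList(chain));
            List<? extends Certificate> pathCerts = path.getCertificates();
            X509Certificate last = (X509Certificate) pathCerts.get(pathCerts.size() - 1);
            TrustAnchor anchor = TrustAnchorHelper.findTrustAnchor(last, working.getTrustAnchors());
            if (anchor == null) {
                // Fail closed, matching the three-argument buildTrustedCerts: a chain
                // without a resolved trust anchor must never be returned as valid.
                throw new TLSValidatorException("findTrustAnchor failed: TrustAnchor is null! IssuerDN= " + last.getIssuerDN());
            }
            return TrustAnchorHelper.toArray(path, anchor);
        } catch (Exception e) {
            throw new TLSValidatorException("PKIX path validation failed: " + e.toString(), e);
        }
    }

    /**
     * Fallback used when the chain is out of order or its last issuer is not a known
     * trusted subject.
     *
     * <p>NOTE(review): despite the target selector and cert store configured on the
     * parameters, no path builder is run here. The trust anchor is looked up for the
     * leaf certificate ({@code chain[0]}) and the chain is returned as supplied.
     * Confirm that {@code TrustAnchorHelper} covers the intermediate certificates.
     *
     * @throws CertificateException (as {@code TLSValidatorException}) if the chain is
     *         missing, no trust anchor is found, or any step fails
     */
    private X509Certificate[] buildTrustedCerts(X509Certificate[] chain, Collection<X509Certificate> otherCerts, PKIXBuilderParameters working) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new TLSValidatorException("PKIX path building failed: null or zero-length certificate chain");
        }
        try {
            X509Certificate leaf = chain[0];
            working.setDate(new Date());
            working.setTargetCertConstraints(buildSelector(leaf));
            working.addCertStore(buildStore(chain, otherCerts));
            TrustAnchor anchor = TrustAnchorHelper.findTrustAnchor(leaf, working.getTrustAnchors());
            if (anchor == null) {
                throw new TLSValidatorException("findTrustAnchor failed: TrustAnchor is null! IssuerDN= " + leaf.getIssuerDN());
            }
            return TrustAnchorHelper.toArray(chain, anchor);
        } catch (Exception e) {
            // Also wraps the TLSValidatorException thrown just above.
            throw new TLSValidatorException("PKIX path building failed: " + e.toString(), e);
        }
    }

    /** Returns a selector that matches exactly the given certificate. */
    private X509CertSelector buildSelector(X509Certificate target) {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        return selector;
    }

    /**
     * Builds a "Collection" cert store holding the chain followed by the optional
     * additional certificates.
     */
    private CertStore buildStore(X509Certificate[] chain, Collection<X509Certificate> otherCerts) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        List<X509Certificate> pool = new ArrayList<X509Certificate>(Arrays.asList(chain));
        if (otherCerts != null) {
            pool.addAll(otherCerts);
        }
        return JSSEJCE.getCertStore("Collection", new CollectionCertStoreParameters(pool));
    }
}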
