package com.blackberry.security.trustmgr.x509;

import com.blackberry.security.trustmgr.CertificateUsageType;
import com.blackberry.security.trustmgr.ValidationException;
import com.blackberry.security.trustmgr.internal.f;
import com.blackberry.security.trustmgr.internal.q;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;

/* loaded from: classes.dex */
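/**
 * Checks whether an X.509 certificate's key usage and extended key usage (EKU)
 * extensions are compatible with the purpose it is being used for.
 *
 * <p>This is decompiled (JADX) output, so the collaborating types {@code f} and
 * {@code q} carry obfuscated names. Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Problems are reported as {@code WARN_INVALID_USAGE} entries in the returned list,
 *       not as exceptions. NOTE(review): whether callers treat that warning as a hard
 *       failure is not visible here; confirm before relying on this check as enforcement.</li>
 *   <li>A certificate without a key usage or EKU extension passes the corresponding check.</li>
 *   <li>{@code anyExtendedKeyUsage} is accepted for every purpose. For SSL servers, the two
 *       legacy "server gated crypto" OIDs are also accepted.</li>
 *   <li>A usage type other than SMIME_PEER, SSL_CLIENT or SSL_SERVER produces no warning
 *       from either check; both checks are skipped (fail-open).</li>
 *   <li>Only the digitalSignature key usage bit is ever required.
 *       {@code KU_NON_REPUDIATION} is declared but never read.</li>
 * </ul>
 */
public class X509CertUsageVerifier implements f {
    // Extended key usage OIDs (dotted-decimal form, as returned by getExtendedKeyUsage()).
    private static final String EKU_ANY = "2.5.29.37.0"; // anyExtendedKeyUsage
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    private static final String EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"; // id-kp-emailProtection
    private static final String EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3"; // Microsoft server gated crypto (legacy)
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    private static final String EKU_nsSGC = "2.16.840.1.113730.4.1"; // Netscape server gated crypto (legacy)

    // Indexes into the boolean[] returned by X509Certificate.getKeyUsage().
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_NON_REPUDIATION = 1; // unused in this class

    /**
     * Compiler-generated switch map, surfaced by the decompiler. It maps
     * {@code CertificateUsageType.ordinal()} to a case number:
     * 1 = SMIME_PEER, 2 = SSL_CLIENT, 3 = SSL_SERVER, 0 = any other constant.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$blackberry$security$trustmgr$CertificateUsageType;

        static {
            int[] iArr = new int[CertificateUsageType.values().length];
            $SwitchMap$com$blackberry$security$trustmgr$CertificateUsageType = iArr;
            // Each assignment is guarded separately so that an enum constant missing at
            // run time leaves its slot at 0 instead of failing class initialisation.
            try {
                iArr[CertificateUsageType.SMIME_PEER.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // constant absent in the loaded enum; slot stays 0
            }
            try {
                iArr[CertificateUsageType.SSL_CLIENT.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // constant absent in the loaded enum; slot stays 0
            }
            try {
                iArr[CertificateUsageType.SSL_SERVER.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // constant absent in the loaded enum; slot stays 0
            }
        }
    }

    /**
     * Adds {@code qVar} to {@code list}, folding it into an existing entry of the same type.
     *
     * @param list accumulated warnings; modified in place
     * @param qVar warning to add; {@code null} means "no warning" and is ignored
     */
    private void addWarning(List<q> list, q qVar) {
        if (qVar == null) {
            return;
        }
        for (q existing : list) {
            if (existing.getType() == qVar.getType()) {
                // presumably merges the new warning's details into the existing one;
                // q.a()/q.b() are obfuscated, so verify against q
                existing.b(qVar.a());
                return;
            }
        }
        list.add(qVar);
    }

    /**
     * Checks the certificate's extended key usage extension against the OIDs accepted
     * for the requested purpose.
     *
     * @return {@code null} when the extension is absent, when the usage type is not one of
     *         the three mapped types, or when at least one accepted OID is present;
     *         otherwise a {@code WARN_INVALID_USAGE} warning
     * @throws ValidationException if the extension cannot be parsed
     */
    private q verifyExtendedKeyUsage(CertificateUsageType certificateUsageType, X509Certificate x509Certificate) {
        try {
            List<String> presentUsages = x509Certificate.getExtendedKeyUsage();
            if (presentUsages == null) {
                // No EKU extension: the certificate is not restricted by purpose.
                return null;
            }
            HashSet<String> acceptedUsages = new HashSet<String>();
            // anyExtendedKeyUsage satisfies every purpose here. This is permissive;
            // a stricter policy would require the purpose-specific OID.
            acceptedUsages.add(EKU_ANY);
            int usageCase = AnonymousClass1.$SwitchMap$com$blackberry$security$trustmgr$CertificateUsageType[certificateUsageType.ordinal()];
            if (usageCase == 1) {
                acceptedUsages.add(EKU_EMAIL_PROTECTION);
            } else if (usageCase == 2) {
                acceptedUsages.add(EKU_CLIENT_AUTH);
            } else if (usageCase == 3) {
                acceptedUsages.add(EKU_SERVER_AUTH);
                // Legacy server-gated-crypto OIDs are treated as equivalent to serverAuth.
                acceptedUsages.add(EKU_MS_SGC);
                acceptedUsages.add(EKU_nsSGC);
            } else {
                // Unmapped usage type: no EKU requirement is applied (fail-open).
                return null;
            }
            for (String oid : presentUsages) {
                if (acceptedUsages.contains(oid)) {
                    return null;
                }
            }
            q warning = new q(q.a.WARN_INVALID_USAGE);
            warning.c("Expected extended key usage(s): " + acceptedUsages);
            return warning;
        } catch (CertificateParsingException e10) {
            throw new ValidationException("Failed to parse certificate", e10);
        }
    }

    /**
     * Checks the certificate's key usage extension for the bits required by the
     * requested purpose. All three mapped usage types require digitalSignature only.
     *
     * @return {@code null} when the extension is absent, when the usage type is not one of
     *         the three mapped types, or when every required bit is set; otherwise a
     *         {@code WARN_INVALID_USAGE} warning naming each missing bit index
     */
    private q verifyKeyUsage(CertificateUsageType certificateUsageType, X509Certificate x509Certificate) {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            // No key usage extension: nothing to enforce.
            return null;
        }
        int usageCase = AnonymousClass1.$SwitchMap$com$blackberry$security$trustmgr$CertificateUsageType[certificateUsageType.ordinal()];
        if (usageCase != 1 && usageCase != 2 && usageCase != 3) {
            // Unmapped usage type: no key usage requirement is applied (fail-open).
            return null;
        }
        HashSet<Integer> requiredBits = new HashSet<Integer>();
        // NOTE(review): no other bit (e.g. keyEncipherment for SSL_SERVER) is required;
        // confirm this is intended.
        requiredBits.add(KU_DIGITAL_SIGNATURE);

        q warning = null;
        for (int bit : requiredBits) {
            // A bit index beyond the end of the array is not reported as missing.
            if (bit >= 0 && keyUsage.length > bit && !keyUsage[bit]) {
                if (warning == null) {
                    warning = new q(q.a.WARN_INVALID_USAGE);
                }
                warning.c("Missing key usage: " + bit);
            }
        }
        return warning;
    }

    /**
     * Runs the key usage and extended key usage checks for {@code certificate}.
     *
     * @param certificateUsageType purpose the certificate is being used for
     * @param certificate certificate to check; must be an {@link X509Certificate}
     * @return the warnings raised (possibly empty); at most one entry per warning type
     * @throws IllegalArgumentException if {@code certificate} is {@code null} or is not an
     *         X.509 certificate
     * @throws ValidationException if the extended key usage extension cannot be parsed
     */
    @Override // com.blackberry.security.trustmgr.internal.f
    public List<q> verify(CertificateUsageType certificateUsageType, Certificate certificate) {
        if (!(certificate instanceof X509Certificate)) {
            // instanceof is false for null, so guard the getType() call: a null certificate
            // must produce the documented IllegalArgumentException, not a NullPointerException.
            String type = certificate == null ? "null" : certificate.getType();
            throw new IllegalArgumentException("Unsupported certificate type: " + type);
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;
        List<q> warnings = new ArrayList<q>();
        addWarning(warnings, verifyKeyUsage(certificateUsageType, x509Certificate));
        addWarning(warnings, verifyExtendedKeyUsage(certificateUsageType, x509Certificate));
        return warnings;
    }
}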
