package com.wolfssl.provider.jce;

import com.microsoft.identity.broker4j.workplacejoin.ProviderUtil;
import com.wolfssl.wolfcrypt.Fips;
import com.wolfssl.wolfcrypt.WolfCrypt;
import com.wolfssl.wolfcrypt.WolfCryptException;
import com.wolfssl.wolfcrypt.WolfSSLCertManager;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathChecker;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes5.dex */
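/**
 * PKIX CertPathValidator backed by the native wolfSSL CertManager.
 *
 * Validation flow (engineValidate): sanity-check the parameters and the
 * CertPath, pin the signature provider under FIPS, apply target-certificate
 * constraints and reject any use of certificate policies, then load the
 * TrustAnchors (and CRLs when revocation is enabled) into a native
 * WolfSSLCertManager and verify the chain from the certificate nearest the
 * anchor down to the target. Caller supplied PKIXCertPathCheckers are run
 * afterwards in reverse order, as the JDK contract requires, and the anchor
 * that issued the top of the chain is reported in the result.
 *
 * Not supported (rejected with CertPathValidatorException): certificate
 * policy processing, a validation date override, and
 * getRevocationChecker() (revocation is driven by CRLs found in the
 * CertStores of the PKIXParameters instead).
 */
public class WolfCryptPKIXCertPathValidator extends CertPathValidatorSpi {

    /** Provider name that PKIXParameters.getSigProvider() is pinned to under FIPS. */
    private static final String PROVIDER_NAME = "wolfJCE";

    /* Retained from the original layout; not read by this class. */
    private WolfCryptDebug debug;

    /**
     * Creates a new validator. No native state is held by the instance;
     * a WolfSSLCertManager is created per validation and freed before return.
     */
    public WolfCryptPKIXCertPathValidator() {
        if (WolfCryptDebug.DEBUG) {
            log("created new WolfCryptPKIXCertPathValidator");
        }
    }

    /** Routes a debug line through WolfCryptDebug with this class's prefix. */
    private void log(String msg) {
        WolfCryptDebug.print("[CertPathValidator] " + msg);
    }

    /**
     * Rejects a null or non-PKIX CertPathParameters.
     *
     * @param params caller supplied parameters
     * @throws InvalidAlgorithmParameterException if params is null or not a
     *         PKIXParameters
     */
    private void sanitizeCertPathParameters(CertPathParameters params)
            throws InvalidAlgorithmParameterException {
        if (WolfCryptDebug.DEBUG) {
            log("sanitizing CertPathParameters");
        }
        if (params == null) {
            throw new InvalidAlgorithmParameterException("CertPathParameters is null");
        }
        if (!(params instanceof PKIXParameters)) {
            throw new InvalidAlgorithmParameterException("params not of type PKIXParameters");
        }
    }

    /**
     * Checks that the CertPath is an X.509 path that offers the "PkiPath"
     * encoding, the only form this implementation handles.
     *
     * @param certPath path under validation
     * @throws InvalidAlgorithmParameterException if certPath is null or its
     *         type is not ProviderUtil.X509 (presumably "X.509" - confirm)
     * @throws CertPathValidatorException if "PkiPath" is not among the
     *         supported encodings
     */
    private void sanitizeCertPath(CertPath certPath)
            throws InvalidAlgorithmParameterException, CertPathValidatorException {
        if (WolfCryptDebug.DEBUG) {
            log("sanitizing CertPath");
        }
        if (certPath == null) {
            throw new InvalidAlgorithmParameterException("CertPath is null");
        }
        if (!certPath.getType().equals(ProviderUtil.X509)) {
            throw new InvalidAlgorithmParameterException("PKIX CertPathValidator only supports X.509");
        }
        boolean hasPkiPath = false;
        Iterator<String> encodings = certPath.getEncodings();
        while (encodings.hasNext()) {
            if ("PkiPath".equals(encodings.next())) {
                hasPkiPath = true;
                break;
            }
        }
        if (!hasPkiPath) {
            throw new CertPathValidatorException("PkiPath CertPath encoding not supported but required");
        }
    }

    /**
     * Under wolfCrypt FIPS the signature provider must be wolfJCE so that no
     * signature verification escapes the FIPS boundary. A null provider is
     * set to wolfJCE (this mutates the caller's PKIXParameters, as before);
     * any other value is rejected. Compared with equals(), not ==, so a
     * runtime-built "wolfJCE" string is accepted.
     *
     * @param params parameters whose signature provider is checked/pinned
     * @throws CertPathValidatorException if FIPS is enabled and a different
     *         provider was requested
     */
    private void enforceFipsSigProvider(PKIXParameters params) throws CertPathValidatorException {
        if (!Fips.enabled) {
            return;
        }
        String sigProvider = params.getSigProvider();
        if (sigProvider == null) {
            params.setSigProvider(PROVIDER_NAME);
        } else if (!PROVIDER_NAME.equals(sigProvider)) {
            throw new CertPathValidatorException(
                "CertPathParameters Signature Provider must be wolfJCE when using wolfCrypt FIPS: "
                + sigProvider);
        }
    }

    /**
     * Copies the certificates of the path into a typed list (index 0 is the
     * target / end-entity certificate, the last entry is nearest the anchor).
     *
     * @param certPath path under validation
     * @return non-empty list of X509Certificate in CertPath order
     * @throws CertPathValidatorException if the path is empty or holds a
     *         certificate that is not an X509Certificate
     */
    private List<X509Certificate> toX509Chain(CertPath certPath) throws CertPathValidatorException {
        List<? extends Certificate> certs = certPath.getCertificates();
        if (certs == null || certs.isEmpty()) {
            throw new CertPathValidatorException("No Certificate objects in CertPath");
        }
        List<X509Certificate> chain = new ArrayList<>(certs.size());
        for (int i = 0; i < certs.size(); i++) {
            Certificate cert = certs.get(i);
            if (!(cert instanceof X509Certificate)) {
                throw new CertPathValidatorException(
                    "Certificate in CertPath is not an X509Certificate", null, certPath, i);
            }
            chain.add((X509Certificate) cert);
        }
        return chain;
    }

    /**
     * Applies PKIXParameters.getTargetCertConstraints() to the target
     * certificate (index 0 only; other positions are ignored).
     *
     * @param cert     certificate at position idx
     * @param idx      position in the CertPath
     * @param certPath path under validation (unused, kept for symmetry)
     * @param params   parameters holding the constraints
     * @throws CertPathValidatorException if the selector is not an
     *         X509CertSelector or the target does not match it
     */
    private void checkTargetCertConstraints(X509Certificate cert, int idx, CertPath certPath,
            PKIXParameters params) throws CertPathValidatorException {
        if (cert == null || params == null) {
            throw new CertPathValidatorException("X509Certificate in chain or PKIXParameters is null");
        }
        if (idx != 0) {
            return;
        }
        CertSelector constraints = params.getTargetCertConstraints();
        if (constraints == null) {
            if (WolfCryptDebug.DEBUG) {
                log("no cert constraints in params, not checking CertSelector");
            }
            return;
        }
        if (WolfCryptDebug.DEBUG) {
            log("checking target cert constraints against CertSelector");
        }
        if (!(constraints instanceof X509CertSelector)) {
            throw new CertPathValidatorException("CertSelector not of type X509CertSelector");
        }
        if (!((X509CertSelector) constraints).match(cert)) {
            throw new CertPathValidatorException("Target certificate did not pass CertConstraints check");
        }
    }

    /**
     * Certificate policy processing is not implemented, so any parameter
     * that would require it is refused rather than silently ignored.
     *
     * @param params parameters to inspect
     * @throws CertPathValidatorException if initial policies are set, or
     *         any-policy inhibited / explicit policy required is true
     */
    private void disallowCertPolicyUse(PKIXParameters params) throws CertPathValidatorException {
        if (params == null) {
            throw new CertPathValidatorException("PKIXParameters is null when checking for cert policies");
        }
        if (!params.getInitialPolicies().isEmpty()) {
            throw new CertPathValidatorException(
                "Certificate policies not supported by wolfJCE CertPathValidator, "
                + "PKIXParameters.getInitialPolicies() is not empty");
        }
        if (WolfCryptDebug.DEBUG) {
            /* Only logged: neither flag can change the outcome without policy processing. */
            log("PKIXParameters.getPolicyQualifiersRejected(): " + params.getPolicyQualifiersRejected());
            log("PKIXParameters.isPolicyMappingInhibited(): " + params.isPolicyMappingInhibited());
        }
        if (params.isAnyPolicyInhibited()) {
            throw new CertPathValidatorException(
                "Certificate policies not supported by wolfJCE CertPathValidator. "
                + "PKIXParameters.setAnyPolicyInhibited() must be set to false (default)");
        }
        if (params.isExplicitPolicyRequired()) {
            throw new CertPathValidatorException(
                "Certificate policies not supported by wolfJCE CertPathValidator. "
                + "PKIXParameters.setExplicitPolicyRequired() must be set to false (default)");
        }
    }

    /**
     * Per-certificate checks that need no native state: target constraints
     * and the policy-parameter refusal.
     *
     * @param cert     certificate at position idx
     * @param idx      position in the CertPath
     * @param certPath path under validation
     * @param params   validator parameters
     * @throws CertPathValidatorException on any failed check
     */
    private void sanitizeX509Certificate(X509Certificate cert, int idx, CertPath certPath,
            PKIXParameters params) throws CertPathValidatorException {
        if (cert == null || params == null) {
            throw new CertPathValidatorException("X509Certificate in chain or PKIXParameters is null");
        }
        checkTargetCertConstraints(cert, idx, certPath, params);
        disallowCertPolicyUse(params);
    }

    /**
     * Loads every TrustAnchor that carries an X509Certificate into the native
     * CertManager as a trusted CA. Anchors given only as (name, public key)
     * cannot be represented natively and are skipped; if that leaves nothing
     * loaded the validation is failed explicitly here instead of later with
     * a less specific native verify error.
     *
     * @param params parameters holding the anchors
     * @param cm     native CertManager receiving the CAs
     * @throws CertPathValidatorException if there are no anchors, none with a
     *         certificate, or the native load fails
     */
    private void loadTrustAnchorsIntoCertManager(PKIXParameters params, WolfSSLCertManager cm)
            throws CertPathValidatorException {
        if (WolfCryptDebug.DEBUG) {
            log("loading TrustAnchors into native WolfSSLCertManager");
        }
        if (params == null || cm == null) {
            throw new CertPathValidatorException(
                "PKIXParameters or WolfSSLCertManager are null when loading TrustAnchors");
        }
        Set<TrustAnchor> anchors = params.getTrustAnchors();
        if (anchors == null || anchors.isEmpty()) {
            throw new CertPathValidatorException("No TrustAnchors in PKIXParameters");
        }
        int loaded = 0;
        for (TrustAnchor anchor : anchors) {
            X509Certificate anchorCert = anchor.getTrustedCert();
            if (anchorCert == null) {
                if (WolfCryptDebug.DEBUG) {
                    log("skipping TrustAnchor without X509Certificate (name/key anchors not supported)");
                }
                continue;
            }
            try {
                cm.CertManagerLoadCA(anchorCert);
                loaded++;
                if (WolfCryptDebug.DEBUG) {
                    log("loaded TrustAnchor: " + anchorCert.getSubjectX500Principal().getName());
                }
            } catch (WolfCryptException e) {
                throw new CertPathValidatorException(e);
            }
        }
        if (loaded == 0) {
            throw new CertPathValidatorException(
                "No TrustAnchor in PKIXParameters carries an X509Certificate");
        }
    }

    /**
     * When PKIXParameters.isRevocationEnabled() is set, turns on native CRL
     * checking and loads every X509CRL that the configured CertStores return
     * for the target certificate. Without native CRL support this is an
     * error: revocation was requested and cannot be honoured.
     *
     * Note: with no CertStores (or none returning CRLs) CRL checking is still
     * enabled natively; presumably wolfSSL then fails the verify with a
     * missing-CRL error, i.e. fails closed - confirm against the wolfSSL
     * build in use.
     *
     * @param params parameters holding the revocation flag and CertStores
     * @param cm     native CertManager to enable CRLs on
     * @param target end-entity certificate used to seed the CRL selector
     * @throws CertPathValidatorException if revocation is enabled but native
     *         CRL support is absent, or a CertStore lookup fails
     */
    private void checkRevocationEnabledAndLoadCRLs(PKIXParameters params, WolfSSLCertManager cm,
            X509Certificate target) throws CertPathValidatorException {
        if (params == null || cm == null) {
            throw new CertPathValidatorException("PKIXParameters or WolfSSLCertManager is null");
        }
        if (!params.isRevocationEnabled()) {
            if (WolfCryptDebug.DEBUG) {
                log("revocation not enabled in PKIXParameters");
            }
            return;
        }
        if (WolfCryptDebug.DEBUG) {
            log("revocation enabled in PKIXParameters, checking for CRLs to load");
        }
        if (!WolfCrypt.CrlEnabled()) {
            throw new CertPathValidatorException(
                "Revocation enabled in PKIXParameters but native wolfCrypt CRL not compiled in");
        }
        /* Each chain certificate is verified with its own CertManagerVerify()
         * call, so the leaf-only CRL mode still covers every certificate. */
        cm.CertManagerEnableCRL(WolfCrypt.WOLFSSL_CRL_CHECK);
        if (WolfCryptDebug.DEBUG) {
            log("CRL support enabled in native WolfSSLCertManager");
        }
        List<CertStore> stores = params.getCertStores();
        if (stores == null || stores.isEmpty()) {
            if (WolfCryptDebug.DEBUG) {
                log("no CertStores in PKIXParameters to load CRLs");
            }
            return;
        }
        X509CRLSelector selector = new X509CRLSelector();
        selector.setCertificateChecking(target);
        int loaded = 0;
        for (CertStore store : stores) {
            try {
                for (CRL crl : store.getCRLs(selector)) {
                    if (crl instanceof X509CRL) {
                        cm.CertManagerLoadCRL((X509CRL) crl);
                        loaded++;
                    }
                }
            } catch (CertStoreException e) {
                throw new CertPathValidatorException(e);
            }
        }
        if (WolfCryptDebug.DEBUG) {
            log("loaded " + loaded + " CRLs into WolfSSLCertManager");
        }
    }

    /**
     * Verifies the chain natively, starting with the certificate nearest the
     * trust anchor. After a CA certificate (basicConstraints present, i.e.
     * getBasicConstraints() >= 0) verifies, it is loaded into the CertManager
     * as trusted so that the next certificate down can be verified against
     * it; the target (index 0) is never loaded. A failure to load a verified
     * intermediate is only logged - the next verify then fails on its own.
     *
     * CertManagerVerify is relied on for issuer lookup, signature, validity
     * period and (when enabled) CRL checks - confirm against wolfSSL docs.
     *
     * @param certPath path under validation (for the exception's index)
     * @param params   validator parameters (unused here)
     * @param chain    typed certificates in CertPath order
     * @param cm       CertManager already holding the TrustAnchors and CRLs
     * @throws CertPathValidatorException with the failing index on the first
     *         certificate that does not verify
     */
    private void verifyCertChain(CertPath certPath, PKIXParameters params,
            List<X509Certificate> chain, WolfSSLCertManager cm) throws CertPathValidatorException {
        if (certPath == null || params == null || chain == null || cm == null) {
            throw new CertPathValidatorException("Input args to verifyCertChain are null");
        }
        if (WolfCryptDebug.DEBUG) {
            log("verifying certificate chain (chain size: " + chain.size() + ")");
        }
        for (int idx = chain.size() - 1; idx >= 0; idx--) {
            X509Certificate cert = chain.get(idx);
            try {
                cm.CertManagerVerify(cert);
            } catch (WolfCryptException e) {
                if (WolfCryptDebug.DEBUG) {
                    log("failed verification chain [" + idx + "]: "
                        + cert.getSubjectX500Principal().getName());
                }
                throw new CertPathValidatorException("Failed verification on certificate", e, certPath, idx);
            }
            if (WolfCryptDebug.DEBUG) {
                log("verified chain [" + idx + "]: " + cert.getSubjectX500Principal().getName());
            }
            if (idx == 0 || cert.getBasicConstraints() < 0) {
                continue;
            }
            try {
                cm.CertManagerLoadCA(cert);
                if (WolfCryptDebug.DEBUG) {
                    log("chain [" + idx + "] is intermediate, loading as root");
                }
            } catch (WolfCryptException ignored) {
                /* Best effort: without it the next certificate fails verify with its own index. */
                if (WolfCryptDebug.DEBUG) {
                    log("chain [" + idx + "] is CA, but failed to load as trusted root, not loading");
                }
            }
        }
    }

    /**
     * Runs the caller supplied PKIXCertPathCheckers over the whole chain.
     *
     * PKIXParameters.getCertPathCheckers() returns fresh clones on every
     * call, so the list is fetched once; fetching it per certificate would
     * reset any stateful checker between certificates. Each checker is
     * initialised with init(false) and then fed the certificates in reverse
     * order (nearest the anchor first, target last) - the order every
     * PKIXCertPathChecker must support, forward checking being optional.
     * The single-argument check() is used, so no unresolved-critical-extension
     * set is maintained here; unknown critical extensions are left to the
     * native verifier.
     *
     * @param chain  certificates in CertPath order (index 0 is the target)
     * @param params parameters holding the checkers
     * @throws CertPathValidatorException if a checker rejects a certificate
     */
    private void runCertPathCheckers(List<X509Certificate> chain, PKIXParameters params)
            throws CertPathValidatorException {
        if (chain == null || params == null) {
            throw new CertPathValidatorException("X509Certificate in chain or PKIXParameters is null");
        }
        List<PKIXCertPathChecker> checkers = params.getCertPathCheckers();
        if (checkers == null) {
            throw new CertPathValidatorException(
                "PKIXParameters.getCertPathCheckers() should not return null");
        }
        if (checkers.isEmpty()) {
            return;
        }
        for (PKIXCertPathChecker checker : checkers) {
            checker.init(false);
        }
        for (int idx = chain.size() - 1; idx >= 0; idx--) {
            X509Certificate cert = chain.get(idx);
            if (cert == null) {
                throw new CertPathValidatorException("X509Certificate in chain or PKIXParameters is null");
            }
            for (PKIXCertPathChecker checker : checkers) {
                if (WolfCryptDebug.DEBUG) {
                    log("calling CertPathChecker: " + checker);
                }
                checker.check(cert);
            }
        }
    }

    /**
     * Not supported: revocation is configured through
     * PKIXParameters.setRevocationEnabled(true) plus CRLs in the CertStores,
     * not through a PKIXRevocationChecker (no OCSP through this path).
     *
     * @throws UnsupportedOperationException always
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathChecker engineGetRevocationChecker() throws UnsupportedOperationException {
        throw new UnsupportedOperationException("getRevocationChecker() not supported by wolfJCE");
    }

    /**
     * Validates certPath against certPathParameters (must be PKIXParameters).
     *
     * The native CertManager is created only after all parameter checks pass
     * and is always freed (try/finally), whatever the outcome. Native errors
     * raised while loading CRLs or enabling CRL checking are reported as such
     * rather than as a failure to create the CertManager. User checkers run
     * after the native signature-chain verification so they only ever see
     * certificates whose chain verified, matching the JDK's ordering of
     * built-in checks before user checkers.
     *
     * @param certPath           path to validate; index 0 is the target
     * @param certPathParameters PKIXParameters describing anchors, stores,
     *                           checkers and constraints
     * @return PKIXCertPathValidatorResult with the anchor that issued the top
     *         of the chain, no policy tree, and the target's public key
     * @throws CertPathValidatorException if the path does not validate or
     *         requests an unsupported feature (date override, policies)
     * @throws InvalidAlgorithmParameterException if the parameters or the
     *         CertPath are of the wrong type
     */
    @Override // java.security.cert.CertPathValidatorSpi
    public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters certPathParameters)
            throws CertPathValidatorException, InvalidAlgorithmParameterException {
        if (WolfCryptDebug.DEBUG) {
            log("entered engineValidate(), FIPS enabled: " + Fips.enabled);
        }
        sanitizeCertPathParameters(certPathParameters);
        sanitizeCertPath(certPath);
        PKIXParameters params = (PKIXParameters) certPathParameters;
        enforceFipsSigProvider(params);
        if (params.getDate() != null) {
            throw new CertPathValidatorException(
                "Overriding date not supported with wolfJCE CertPathValidator implementation yet");
        }
        List<X509Certificate> chain = toX509Chain(certPath);
        for (int idx = 0; idx < chain.size(); idx++) {
            sanitizeX509Certificate(chain.get(idx), idx, certPath, params);
        }

        WolfSSLCertManager cm;
        try {
            cm = new WolfSSLCertManager();
        } catch (WolfCryptException e) {
            throw new CertPathValidatorException("Failed to create native WolfSSLCertManager", e);
        }
        try {
            loadTrustAnchorsIntoCertManager(params, cm);
            checkRevocationEnabledAndLoadCRLs(params, cm, chain.get(0));
            verifyCertChain(certPath, params, chain, cm);
        } catch (WolfCryptException e) {
            /* e.g. CertManagerEnableCRL/CertManagerLoadCRL rejecting input */
            throw new CertPathValidatorException("Native wolfCrypt error during path validation", e);
        } finally {
            cm.free();
        }

        runCertPathCheckers(chain, params);

        int top = chain.size() - 1;
        TrustAnchor anchor = findTrustAnchor(params, chain.get(top));
        if (anchor == null) {
            /* PKIXCertPathValidatorResult would otherwise throw NullPointerException. */
            throw new CertPathValidatorException(
                "No TrustAnchor in PKIXParameters issued the last certificate in the CertPath",
                null, certPath, top);
        }
        return new PKIXCertPathValidatorResult(anchor, null, chain.get(0).getPublicKey());
    }

    /**
     * Finds the TrustAnchor that issued cert: among anchors whose subject
     * equals cert's issuer, the first one against which cert verifies natively
     * (a fresh CertManager loaded with that single anchor) is returned.
     * This identifies the anchor for the result; the full chain, including
     * revocation, has already been verified by engineValidate. The temporary
     * CertManager is freed on every exit path.
     *
     * @param params parameters holding the anchors
     * @param cert   certificate nearest the anchor (last in the CertPath)
     * @return the matching anchor, or null if no anchor verifies cert
     * @throws CertPathValidatorException on null input, no anchors, or a
     *         native CertManager create/unload failure
     */
    public TrustAnchor findTrustAnchor(PKIXParameters params, X509Certificate cert)
            throws CertPathValidatorException {
        if (params == null || cert == null) {
            throw new CertPathValidatorException("Input parameters are null to findTrustAnchor");
        }
        X500Principal issuer = cert.getIssuerX500Principal();
        if (issuer == null) {
            throw new CertPathValidatorException("Unable to get expected issuer name");
        }
        Set<TrustAnchor> anchors = params.getTrustAnchors();
        if (anchors == null || anchors.isEmpty()) {
            throw new CertPathValidatorException("No TrustAnchors in PKIXParameters");
        }

        WolfSSLCertManager cm;
        try {
            cm = new WolfSSLCertManager();
        } catch (WolfCryptException e) {
            throw new CertPathValidatorException("Failed to create native WolfSSLCertManager", e);
        }
        try {
            for (TrustAnchor candidate : anchors) {
                X509Certificate anchorCert = candidate.getTrustedCert();
                if (anchorCert == null || !anchorCert.getSubjectX500Principal().equals(issuer)) {
                    continue;
                }
                try {
                    /* Start from an empty CA set so only this anchor can satisfy the verify. */
                    cm.CertManagerUnloadCAs();
                } catch (WolfCryptException e) {
                    throw new CertPathValidatorException(
                        "Unable to unload CAs from native WolfSSLCertManager", e);
                }
                try {
                    cm.CertManagerLoadCA(anchorCert);
                    cm.CertManagerVerify(cert);
                    return candidate;
                } catch (WolfCryptException ignored) {
                    /* Same subject name but not the signing key; try the next candidate. */
                }
            }
            return null;
        } finally {
            cm.free();
        }
    }
}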
