package com.tongweb.gmssl.a.a.a.c;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/tongweb/gmssl/a/a/a/c/a.class */
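/**
 * Checks that an end-entity X.509 certificate's extensions permit the purpose
 * ("variant") this checker was created for: TLS server, TLS client, code
 * signing, JCE signing, plugin code signing or TSA server.
 *
 * <p>This is decompiled, name-obfuscated code. The class name and the two
 * non-private {@code a(...)} entry points are kept so existing callers still
 * link; private members were renamed for readability. The decompiler output
 * named two private constants {@code d} and {@code f}, which obscured the
 * sibling classes {@code d} and {@code f} used below ({@code d.a(...)},
 * {@code f.b}); renaming the constants removes that clash.
 *
 * <p>NOTE(review): the logic appears to mirror OpenJDK's
 * {@code sun.security.validator.EndEntityChecker} - confirm against the
 * vendor's sources before relying on that correspondence.
 *
 * <p>Security-relevant behaviour a reviewer should be aware of:
 * <ul>
 *   <li>The {@code "generic"} variant performs no checks at all.</li>
 *   <li>A certificate with no KeyUsage extension passes every KeyUsage check,
 *       and a certificate with no ExtendedKeyUsage extension passes every EKU
 *       check except the TSA one, which requires the extension to exist.</li>
 *   <li>{@code anyExtendedKeyUsage} (2.5.29.37.0) satisfies every EKU check,
 *       including code signing and time stamping.</li>
 *   <li>TLS server certificates are also accepted on the strength of the two
 *       legacy "server gated crypto" EKU OIDs.</li>
 *   <li>Any critical extension that is not explicitly handled here causes
 *       rejection (fail closed).</li>
 * </ul>
 */
public final class a {
    // Extension OIDs that this checker knows how to handle.
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_SUBJECT_ALT_NAME = "2.5.29.17";
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";

    // ExtendedKeyUsage purpose OIDs.
    private static final String EKU_ANY = "2.5.29.37.0";
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    private static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    private static final String EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8";
    // Legacy server-gated-crypto purposes, accepted for TLS servers only.
    private static final String EKU_NETSCAPE_SGC = "2.16.840.1.113730.4.1";
    private static final String EKU_MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3";

    // Purpose names handed to the project helper d.a(cert, name), which is
    // not visible in this file.
    private static final String NSCT_SSL_CLIENT = "ssl_client";
    private static final String NSCT_SSL_SERVER = "ssl_server";
    private static final String NSCT_OBJECT_SIGNING = "object_signing";

    // Indices into X509Certificate.getKeyUsage().
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_KEY_ENCIPHERMENT = 2;
    private static final int KU_KEY_AGREEMENT = 4;

    // TLS authType values grouped by the KeyUsage bit the server key needs.
    private static final Collection<String> AUTH_TYPES_SIGNATURE =
            Arrays.asList("DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA", "RSA_EXPORT", "UNKNOWN");
    private static final Collection<String> AUTH_TYPES_KEY_ENCIPHERMENT = Arrays.asList("RSA");
    private static final Collection<String> AUTH_TYPES_KEY_AGREEMENT =
            Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");

    // Variant names compared against the second factory argument.
    private static final String VARIANT_GENERIC = "generic";
    private static final String VARIANT_TLS_SERVER = "tls server";
    private static final String VARIANT_TLS_CLIENT = "tls client";
    private static final String VARIANT_CODE_SIGNING = "code signing";
    private static final String VARIANT_JCE_SIGNING = "jce signing";
    private static final String VARIANT_PLUGIN_CODE_SIGNING = "plugin code signing";
    private static final String VARIANT_TSA_SERVER = "tsa server";

    private final String variant;
    // NOTE(review): presumably the validator type; it is stored but never
    // read in this class - confirm against callers.
    private final String type;

    private a(String str, String str2) {
        // The decompiled constructor left this final field unassigned, which
        // does not compile; store the first argument so the field is definite.
        this.type = str;
        this.variant = str2;
    }

    /**
     * Creates a checker for the given variant. Package-private in the original
     * bytecode according to the decompiler.
     *
     * @param str  first factory argument; stored only (see {@code type})
     * @param str2 the variant that selects which checks {@code a(cert, param)} runs
     * @return a new checker
     */
    public static a a(String str, String str2) {
        return new a(str, str2);
    }

    /**
     * Verifies that the certificate may be used for this checker's variant.
     * Package-private in the original bytecode according to the decompiler.
     *
     * <p>The body throws checked {@link CertificateException}s, so the clause
     * is declared here; the decompiled signature had lost it.
     *
     * @param x509Certificate the end-entity certificate to check
     * @param obj             for the "tls server" variant, the TLS authType as a
     *                        {@code String}; ignored by every other variant
     * @throws CertificateException if the variant or authType is unknown, if a
     *         usage extension forbids the purpose (thrown as the project type
     *         {@code f}, presumably a CertificateException subclass - confirm),
     *         or if an unhandled critical extension is present
     */
    public final void a(X509Certificate x509Certificate, Object obj) throws CertificateException {
        // Constant-first comparisons: a null variant falls through to the
        // "Unknown variant" rejection instead of a NullPointerException.
        if (VARIANT_GENERIC.equals(variant)) {
            // No end-entity checks are applied for this variant.
            return;
        }
        if (VARIANT_TLS_SERVER.equals(variant)) {
            checkTlsServer(x509Certificate, (String) obj);
        } else if (VARIANT_TLS_CLIENT.equals(variant)) {
            checkTlsClient(x509Certificate);
        } else if (VARIANT_CODE_SIGNING.equals(variant)
                || VARIANT_JCE_SIGNING.equals(variant)
                || VARIANT_PLUGIN_CODE_SIGNING.equals(variant)) {
            checkCodeSigning(x509Certificate);
        } else if (VARIANT_TSA_SERVER.equals(variant)) {
            checkTsaServer(x509Certificate);
        } else {
            throw new CertificateException("Unknown variant: " + variant);
        }
    }

    /**
     * Returns a private, mutable copy of the certificate's critical extension
     * OIDs (empty when the certificate reports none). Copying matters because
     * callers remove entries, and the set returned by the certificate is not
     * guaranteed to be modifiable or unshared.
     */
    private static Set<String> criticalExtensionOids(X509Certificate cert) {
        Set<String> reported = cert.getCriticalExtensionOIDs();
        if (reported == null) {
            return new LinkedHashSet<String>();
        }
        // LinkedHashSet keeps the source iteration order for the error message.
        return new LinkedHashSet<String>(reported);
    }

    /**
     * Rejects the certificate if any critical extension is left after the
     * caller removed the ones it evaluated. BasicConstraints and
     * SubjectAlternativeName are tolerated here without further evaluation.
     */
    private static void rejectUnhandledCritical(Set<String> remaining) throws CertificateException {
        remaining.remove(OID_BASIC_CONSTRAINTS);
        remaining.remove(OID_SUBJECT_ALT_NAME);
        if (!remaining.isEmpty()) {
            throw new CertificateException("Certificate contains unsupported critical extensions: " + remaining);
        }
    }

    /**
     * Tells whether the ExtendedKeyUsage extension permits {@code purposeOid}.
     * An absent extension and {@code anyExtendedKeyUsage} both count as permission.
     */
    private static boolean ekuPermits(X509Certificate cert, String purposeOid) throws CertificateException {
        List<String> purposes = cert.getExtendedKeyUsage();
        return purposes == null || purposes.contains(purposeOid) || purposes.contains(EKU_ANY);
    }

    /**
     * Tells whether the KeyUsage extension has the given bit set. An absent
     * extension counts as permission; a bit beyond the array's length does not.
     */
    private static boolean keyUsagePermits(X509Certificate cert, int bit) {
        boolean[] bits = cert.getKeyUsage();
        return bits == null || (bits.length > bit && bits[bit]);
    }

    /** Checks KeyUsage, EKU and Netscape cert type for TLS client authentication. */
    private void checkTlsClient(X509Certificate cert) throws CertificateException {
        Set<String> critical = criticalExtensionOids(cert);
        if (!keyUsagePermits(cert, KU_DIGITAL_SIGNATURE)) {
            throw new f("KeyUsage does not allow digital signatures", f.b, cert);
        }
        if (!ekuPermits(cert, EKU_CLIENT_AUTH)) {
            throw new f("Extended key usage does not permit use for TLS client authentication", f.b, cert);
        }
        if (!d.a(cert, NSCT_SSL_CLIENT)) {
            throw new f("Netscape cert type does not permit use for SSL client", f.b, cert);
        }
        critical.remove(OID_KEY_USAGE);
        critical.remove(OID_EXTENDED_KEY_USAGE);
        critical.remove(OID_NETSCAPE_CERT_TYPE);
        rejectUnhandledCritical(critical);
    }

    /**
     * Checks KeyUsage (the bit depends on {@code authType}), EKU and Netscape
     * cert type for TLS server authentication.
     */
    private void checkTlsServer(X509Certificate cert, String authType) throws CertificateException {
        Set<String> critical = criticalExtensionOids(cert);
        if (AUTH_TYPES_KEY_ENCIPHERMENT.contains(authType)) {
            if (!keyUsagePermits(cert, KU_KEY_ENCIPHERMENT)) {
                throw new f("KeyUsage does not allow key encipherment", f.b, cert);
            }
        } else if (AUTH_TYPES_SIGNATURE.contains(authType)) {
            if (!keyUsagePermits(cert, KU_DIGITAL_SIGNATURE)) {
                throw new f("KeyUsage does not allow digital signatures", f.b, cert);
            }
        } else if (AUTH_TYPES_KEY_AGREEMENT.contains(authType)) {
            if (!keyUsagePermits(cert, KU_KEY_AGREEMENT)) {
                throw new f("KeyUsage does not allow key agreement", f.b, cert);
            }
        } else {
            throw new CertificateException("Unknown authType: " + authType);
        }
        // serverAuth or either legacy SGC purpose is enough.
        if (!ekuPermits(cert, EKU_SERVER_AUTH)
                && !ekuPermits(cert, EKU_MICROSOFT_SGC)
                && !ekuPermits(cert, EKU_NETSCAPE_SGC)) {
            throw new f("Extended key usage does not permit use for TLS server authentication", f.b, cert);
        }
        if (!d.a(cert, NSCT_SSL_SERVER)) {
            throw new f("Netscape cert type does not permit use for SSL server", f.b, cert);
        }
        critical.remove(OID_KEY_USAGE);
        critical.remove(OID_EXTENDED_KEY_USAGE);
        critical.remove(OID_NETSCAPE_CERT_TYPE);
        rejectUnhandledCritical(critical);
    }

    /**
     * Checks KeyUsage and EKU for the three signing variants. The Netscape
     * cert type is evaluated, and tolerated as a critical extension, for every
     * signing variant except "jce signing".
     */
    private void checkCodeSigning(X509Certificate cert) throws CertificateException {
        Set<String> critical = criticalExtensionOids(cert);
        if (!keyUsagePermits(cert, KU_DIGITAL_SIGNATURE)) {
            throw new f("KeyUsage does not allow digital signatures", f.b, cert);
        }
        if (!ekuPermits(cert, EKU_CODE_SIGNING)) {
            throw new f("Extended key usage does not permit use for code signing", f.b, cert);
        }
        if (!VARIANT_JCE_SIGNING.equals(variant)) {
            if (!d.a(cert, NSCT_OBJECT_SIGNING)) {
                throw new f("Netscape cert type does not permit use for code signing", f.b, cert);
            }
            critical.remove(OID_NETSCAPE_CERT_TYPE);
        }
        critical.remove(OID_KEY_USAGE);
        critical.remove(OID_EXTENDED_KEY_USAGE);
        rejectUnhandledCritical(critical);
    }

    /**
     * Checks KeyUsage and EKU for a time-stamping authority. Unlike the other
     * variants, the ExtendedKeyUsage extension must be present.
     */
    private void checkTsaServer(X509Certificate cert) throws CertificateException {
        Set<String> critical = criticalExtensionOids(cert);
        if (!keyUsagePermits(cert, KU_DIGITAL_SIGNATURE)) {
            throw new f("KeyUsage does not allow digital signatures", f.b, cert);
        }
        if (cert.getExtendedKeyUsage() == null) {
            throw new f("Certificate does not contain an extended key usage extension required for a TSA server", f.b, cert);
        }
        if (!ekuPermits(cert, EKU_TIME_STAMPING)) {
            throw new f("Extended key usage does not permit use for TSA server", f.b, cert);
        }
        critical.remove(OID_KEY_USAGE);
        critical.remove(OID_EXTENDED_KEY_USAGE);
        rejectUnhandledCritical(critical);
    }
}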
