package org.eclipse.californium.elements.util;

import com.huawei.iotplatform.appcommon.homebase.db.store.SignatureDbManager;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.core.coap.LinkFormat;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes16.dex */
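/**
 * Helpers for building and validating X.509 certificate paths and for
 * matching a certificate against a destination name or literal IP address.
 *
 * <p>This listing is decompiler output. Local names are decompiler-chosen,
 * and two log-message arguments reference constants from unrelated classes
 * (see the notes at those call sites).
 */
public class CertPathUtil {
    /** Extended key usage OID for TLS client authentication (id-kp-clientAuth). */
    private static final String CLIENT_AUTHENTICATION = "1.3.6.1.5.5.7.3.2";
    /** Index of the keyCertSign bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_CERTIFICATE_SIGNING = 5;
    /** Index of the digitalSignature bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_SIGNATURE = 0;
    /** Extended key usage OID for TLS server authentication (id-kp-serverAuth). */
    private static final String SERVER_AUTHENTICATION = "1.3.6.1.5.5.7.3.1";
    /** Subject alternative name type for a DNS name. */
    private static final int SUBJECT_ALTERNATIVE_NAMES_DNS = 2;
    /** Subject alternative name type for an IP address. */
    private static final int SUBJECT_ALTERNATIVE_NAMES_LITERAL_IP = 7;
    private static final String TYPE_X509 = "X.509";
    private static final Logger LOGGER = LoggerFactory.getLogger(CertPathUtil.class);
    /** Runs of two or more whitespace characters, collapsed when normalizing a CN. */
    private static final Pattern WHITESPACE_PATTERN = Pattern.compile("\\s{2,}");

    /**
     * Checks whether a certificate's key usage and extended key usage permit
     * its use for authentication.
     *
     * <p>A certificate without a key usage extension, or without an extended
     * key usage extension, is accepted. A certificate whose extended key usage
     * extension cannot be decoded is rejected, because its purpose cannot be
     * confirmed.
     *
     * @param x509Certificate certificate to check
     * @param z {@code true} to require the client authentication usage,
     *        {@code false} to require the server authentication usage
     * @return {@code true} if the certificate may be used for authentication
     */
    public static boolean canBeUsedForAuthentication(X509Certificate x509Certificate, boolean z) {
        // Read the key usage once instead of calling the getter twice.
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null && !keyUsage[KEY_USAGE_SIGNATURE]) {
            LOGGER.debug("certificate: {}, not for signing!", x509Certificate.getSubjectX500Principal());
            return false;
        }
        List<String> extendedKeyUsage;
        try {
            extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        } catch (CertificateParsingException e) {
            // Fail closed: an undecodable extension must not be treated like an
            // absent one, otherwise a malformed certificate skips the purpose check.
            LOGGER.warn("x509 certificate:", e);
            return false;
        }
        if (extendedKeyUsage == null || extendedKeyUsage.isEmpty()) {
            LOGGER.debug("certificate: {}, no extkeyusage!", x509Certificate.getSubjectX500Principal());
            return true;
        }
        LOGGER.trace("certificate: {}", x509Certificate.getSubjectX500Principal());
        String requiredUsage = z ? CLIENT_AUTHENTICATION : SERVER_AUTHENTICATION;
        boolean found = false;
        // No early exit: every listed usage is traced.
        for (String usage : extendedKeyUsage) {
            LOGGER.trace("   extkeyusage {}", usage);
            if (requiredUsage.equals(usage)) {
                found = true;
            }
        }
        if (!found) {
            LOGGER.debug("certificate: {}, not for {}!", x509Certificate.getSubjectX500Principal(), z ? "client" : "server");
            return false;
        }
        return true;
    }

    /**
     * Checks whether a certificate may be used to verify signatures of other
     * certificates: it must carry CA basic constraints and, if a key usage
     * extension is present, the certificate signing bit.
     *
     * @param x509Certificate certificate to check
     * @return {@code true} if the certificate qualifies as an issuer
     */
    public static boolean canBeUsedToVerifySignature(X509Certificate x509Certificate) {
        // getBasicConstraints() is negative for a certificate that is not a CA.
        if (x509Certificate.getBasicConstraints() < 0) {
            LOGGER.debug("certificate: {}, not for CA!", x509Certificate.getSubjectX500Principal());
            return false;
        }
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null || keyUsage[KEY_USAGE_CERTIFICATE_SIGNING]) {
            return true;
        }
        LOGGER.debug("certificate: {}, not for certificate signing!", x509Certificate.getSubjectX500Principal());
        return false;
    }

    /**
     * Tests whether the array holds a certificate equal to the given one.
     *
     * @param x509Certificate certificate to look for
     * @param x509CertificateArr certificates to search
     * @return {@code true} if an equal certificate is found
     */
    private static boolean contains(X509Certificate x509Certificate, X509Certificate[] x509CertificateArr) throws CertificateEncodingException {
        for (X509Certificate candidate : x509CertificateArr) {
            if (x509Certificate.equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Creates a certificate path from the complete chain.
     *
     * @param list certificate chain, ordered from the node certificate upwards
     * @return certificate path over all certificates of the chain
     * @throws NullPointerException if the chain is {@code null}
     * @throws IllegalArgumentException if the certificates do not form a chain
     */
    public static CertPath generateCertPath(List<X509Certificate> list) {
        if (list == null) {
            throw new NullPointerException("Certificate chain must not be null!");
        }
        return generateCertPath(list, list.size());
    }

    /**
     * Creates a certificate path from the first {@code i} certificates of the
     * chain.
     *
     * <p>The whole chain is checked by distinguished names only: each
     * certificate's subject must equal the issuer of its predecessor, and a
     * self-issued certificate may appear only in the last position. No
     * signature, validity period or extension is checked here.
     *
     * @param list certificate chain, ordered from the node certificate upwards
     * @param i number of leading certificates to include in the path
     * @return certificate path over the first {@code i} certificates
     * @throws NullPointerException if the chain is {@code null}
     * @throws IllegalArgumentException if {@code i} exceeds the chain length,
     *         the certificates do not form a chain, or the path cannot be created
     */
    public static CertPath generateCertPath(List<X509Certificate> list, int i) {
        if (list == null) {
            throw new NullPointerException("Certificate chain must not be null!");
        }
        if (i > list.size()) {
            throw new IllegalArgumentException("size must not be larger then certificate chain!");
        }
        List<X509Certificate> path = list;
        if (!list.isEmpty()) {
            int last = list.size() - 1;
            X500Principal expectedSubject = null;
            for (int index = 0; index <= last; index++) {
                X509Certificate certificate = list.get(index);
                LOGGER.debug("Current Subject DN: {}", certificate.getSubjectX500Principal().getName());
                if (expectedSubject != null && !expectedSubject.equals(certificate.getSubjectX500Principal())) {
                    LOGGER.debug("Actual Issuer DN: {}", certificate.getSubjectX500Principal().getName());
                    throw new IllegalArgumentException("Given certificates do not form a chain");
                }
                expectedSubject = certificate.getIssuerX500Principal();
                LOGGER.debug("Expected Issuer DN: {}", expectedSubject.getName());
                if (expectedSubject.equals(certificate.getSubjectX500Principal()) && index != last) {
                    throw new IllegalArgumentException("Given certificates do not form a chain, root is not the last!");
                }
            }
            if (i < list.size()) {
                // Copy the leading certificates; the caller's list is left untouched.
                List<X509Certificate> truncated = new ArrayList<>(Math.max(i, 0));
                for (int index = 0; index < i; index++) {
                    truncated.add(list.get(index));
                }
                path = truncated;
            }
        }
        try {
            return CertificateFactory.getInstance(TYPE_X509).generateCertPath(path);
        } catch (CertificateException e) {
            throw new IllegalArgumentException("could not create X.509 certificate factory", e);
        }
    }

    /**
     * Creates a certificate path from the chain, truncated so that a peer
     * holding the given issuers can validate it.
     *
     * <p>If issuers are given, the path ends with the first certificate whose
     * issuer is in that list; if no certificate matches, the path is empty.
     * Without issuers the whole chain is used, except that a self-issued last
     * certificate of a chain longer than one is left out.
     *
     * <p>NOTE(review): the decompiler failed on this method. The body below is
     * rebuilt from its instruction dump; confirm it against the original
     * bytecode before relying on it.
     *
     * @param certificateChain certificate chain, ordered from the node
     *        certificate upwards
     * @param issuers issuer names to truncate at; may be {@code null} or empty
     * @return certificate path over the selected leading certificates
     * @throws NullPointerException if the chain is {@code null}
     * @throws IllegalArgumentException if the certificates do not form a chain
     */
    public static CertPath generateValidatableCertPath(List<X509Certificate> certificateChain, List<X500Principal> issuers) {
        if (certificateChain == null) {
            throw new NullPointerException("Certificate chain must not be null!");
        }
        int size = certificateChain.size();
        if (size > 0) {
            int truncate = size;
            if (issuers != null && !issuers.isEmpty()) {
                truncate = 0;
                for (int index = 0; index < size; index++) {
                    if (issuers.contains(certificateChain.get(index).getIssuerX500Principal())) {
                        truncate = index + 1;
                        break;
                    }
                }
            }
            if (size > 1 && truncate == size) {
                int last = size - 1;
                X509Certificate top = certificateChain.get(last);
                if (top.getIssuerX500Principal().equals(top.getSubjectX500Principal())) {
                    // Self-issued top certificate: leave it out of the path.
                    truncate = last;
                }
            }
            size = truncate;
        }
        return generateCertPath(certificateChain, size);
    }

    /**
     * Reads the common name from the certificate's subject.
     *
     * @param x509Certificate certificate to read
     * @return the value returned by {@code Asn1DerDecoder.readCNFromDN} for the
     *         encoded subject; callers in this class treat {@code null} as "no CN"
     */
    public static String getSubjectsCn(X509Certificate x509Certificate) {
        return Asn1DerDecoder.readCNFromDN(x509Certificate.getSubjectX500Principal().getEncoded());
    }

    /**
     * Checks whether the certificate is issued for the destination name.
     *
     * <p>The destination is compared case-insensitively with the DNS subject
     * alternative names. Only if the certificate has no DNS subject alternative
     * name at all is the subject's CN compared, after trimming and collapsing
     * whitespace runs. The comparison is an exact string match; wildcard names
     * are not expanded. Any parsing failure results in {@code false}.
     *
     * @param x509Certificate certificate to check
     * @param str destination name
     * @return {@code true} if a name of the certificate matches the destination
     * @throws NullPointerException if an argument is {@code null}
     */
    public static boolean matchDestination(X509Certificate x509Certificate, String str) {
        if (x509Certificate == null) {
            throw new NullPointerException("Certificate must not be null!");
        }
        if (str == null) {
            throw new NullPointerException("Destination must not be null!");
        }
        try {
            boolean hasDnsName = false;
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames != null) {
                for (List<?> entry : subjectAlternativeNames) {
                    // Each entry is [type, value]; only DNS names are considered here.
                    if (((Integer) entry.get(0)).intValue() == SUBJECT_ALTERNATIVE_NAMES_DNS) {
                        if (str.equalsIgnoreCase((String) entry.get(1))) {
                            return true;
                        }
                        hasDnsName = true;
                    }
                }
            }
            if (!hasDnsName) {
                // CN fallback applies only when no DNS name is present, so a CN
                // cannot widen what the subject alternative names allow.
                String subjectsCn = getSubjectsCn(x509Certificate);
                if (subjectsCn != null) {
                    String normalized = WHITESPACE_PATTERN.matcher(subjectsCn.trim()).replaceAll(" ");
                    if (str.equalsIgnoreCase(normalized)) {
                        return true;
                    }
                }
            }
        } catch (ClassCastException | IllegalArgumentException | CertificateParsingException e) {
            // NOTE(review): the log message is a constant of an unrelated database
            // class, presumably a decompiler substitution for an inlined string
            // literal with the same value. Confirm and restore the literal.
            LOGGER.debug(SignatureDbManager.COLUMN_MATCH, e);
        }
        return false;
    }

    /**
     * Compares two literal IP addresses, textually first and then by address
     * value.
     *
     * <p>{@link InetAddress#getByName(String)} performs a name service lookup
     * when its argument is a host name rather than a literal address. This
     * method does not check that its arguments are literals; callers passing
     * values taken from a certificate or from the network should do that check
     * first, as the certificate overload does.
     *
     * @param str literal IP address of the subject
     * @param str2 literal IP address of the destination
     * @return {@code true} if both denote the same address
     * @throws NullPointerException if an argument is {@code null}
     */
    public static boolean matchLiteralIP(String str, String str2) {
        if (str == null) {
            throw new NullPointerException("Subject must not be null!");
        }
        if (str2 == null) {
            throw new NullPointerException("Destination must not be null!");
        }
        if (str.equalsIgnoreCase(str2)) {
            return true;
        }
        try {
            InetAddress subject = InetAddress.getByName(str);
            InetAddress destination = InetAddress.getByName(str2);
            return subject.equals(destination);
        } catch (SecurityException | UnknownHostException ignored) {
            // An address that cannot be resolved or parsed does not match.
            return false;
        }
    }

    /**
     * Checks whether the certificate is issued for the literal IP destination,
     * using only the IP address subject alternative names.
     *
     * @param x509Certificate certificate to check
     * @param str destination as literal IP address
     * @return {@code true} if an IP address entry matches the destination
     * @throws NullPointerException if an argument is {@code null}
     * @throws IllegalArgumentException if the destination is not a literal IP
     */
    public static boolean matchLiteralIP(X509Certificate x509Certificate, String str) {
        if (x509Certificate == null) {
            throw new NullPointerException("Certificate must not be null!");
        }
        if (str == null) {
            throw new NullPointerException("Destination must not be null!");
        }
        if (!StringUtil.isLiteralIpAddress(str)) {
            throw new IllegalArgumentException("Destination " + str + " is no literal IP!");
        }
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames != null) {
                for (List<?> entry : subjectAlternativeNames) {
                    if (((Integer) entry.get(0)).intValue() == SUBJECT_ALTERNATIVE_NAMES_LITERAL_IP) {
                        String address = (String) entry.get(1);
                        // The literal check keeps certificate-supplied text away
                        // from a name service lookup in the string overload.
                        if (StringUtil.isLiteralIpAddress(address) && matchLiteralIP(address, str)) {
                            return true;
                        }
                    }
                }
            }
        } catch (ClassCastException | IllegalArgumentException | CertificateParsingException ignored) {
            // Malformed subject alternative names: treated as no match.
        }
        return false;
    }

    /**
     * Searches the trusted certificates for the issuer of a certificate.
     *
     * <p>Candidates are the non-null entries whose subject equals the
     * certificate's issuer. When a further candidate is found, the previous one
     * is returned if it verifies the certificate's signature. The last
     * candidate is returned without a signature check, so the result is a
     * candidate only; the caller's path validation decides whether it is
     * accepted.
     *
     * @param x509Certificate certificate whose issuer is searched
     * @param x509CertificateArr trusted certificates
     * @return issuer candidate, or {@code null} if no subject matches
     */
    private static X509Certificate searchIssuer(X509Certificate x509Certificate, X509Certificate[] x509CertificateArr) {
        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        X509Certificate candidate = null;
        for (X509Certificate trusted : x509CertificateArr) {
            if (trusted != null && issuer.equals(trusted.getSubjectX500Principal())) {
                if (candidate != null && verifySignature(x509Certificate, candidate)) {
                    return candidate;
                }
                candidate = trusted;
            }
        }
        return candidate;
    }

    /**
     * Collects the distinct subjects of the certificates, in order of first
     * occurrence.
     *
     * @param list certificates; may be {@code null} or empty
     * @return list of subjects; an empty list for {@code null} or empty input
     */
    public static List<X500Principal> toSubjects(List<X509Certificate> list) {
        if (list == null || list.isEmpty()) {
            return Collections.emptyList();
        }
        List<X500Principal> subjects = new ArrayList<>(list.size());
        for (X509Certificate certificate : list) {
            X500Principal subject = certificate.getSubjectX500Principal();
            if (!subjects.contains(subject)) {
                subjects.add(subject);
            }
        }
        return subjects;
    }

    /**
     * Converts a list of certificates into a new list of X.509 certificates.
     *
     * @param list certificates to convert
     * @return new mutable list with the same certificates
     * @throws NullPointerException if the list is {@code null}
     * @throws IllegalArgumentException if a certificate is not X.509
     */
    public static List<X509Certificate> toX509CertificatesList(List<? extends Certificate> list) {
        if (list == null) {
            throw new NullPointerException("Certificates list must not be null!");
        }
        List<X509Certificate> result = new ArrayList<>(list.size());
        for (Certificate certificate : list) {
            if (!(certificate instanceof X509Certificate)) {
                throw new IllegalArgumentException("Given certificate is not X.509!" + certificate.getClass());
            }
            result.add((X509Certificate) certificate);
        }
        return result;
    }

    /**
     * Validates a certificate path against the trusted certificates using the
     * default PKIX validator.
     *
     * <p>Points a caller should know:
     * <ul>
     * <li>A {@code null} array trusts nothing and always fails.</li>
     * <li>An empty array is the "trust all" mode: a single certificate that is
     * not self-issued is returned without any validation, and a longer chain is
     * validated only against its own last certificate. Pass an empty array only
     * where the peer's identity is established by other means.</li>
     * <li>Revocation checking is disabled, so a revoked certificate is not
     * detected here.</li>
     * </ul>
     *
     * <p>The code of this method is kept exactly as decompiled; only comments
     * were added.
     *
     * @param z selects the branch that searches the path itself for a trusted
     *        certificate; presumably "truncate the path at the trust anchor",
     *        to be confirmed against the original source
     * @param certPath certificate path to validate
     * @param x509CertificateArr trusted certificates; {@code null} trusts none,
     *        empty trusts all
     * @return the given path, a shortened path, or a path extended by the trust
     *         anchor, depending on the flags computed below
     * @throws GeneralSecurityException if the path cannot be validated
     */
    public static CertPath validateCertificatePathWithIssuer(boolean z, CertPath certPath, X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        String str;
        boolean z2;
        boolean z3;
        X509Certificate x509Certificate;
        if (x509CertificateArr == null) {
            throw new CertPathValidatorException("certificates are not trusted!");
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (certificates.isEmpty()) {
            return certPath;
        }
        List<X509Certificate> x509CertificatesList = toX509CertificatesList(certificates);
        int size = x509CertificatesList.size();
        // i: number of leading certificates that go into the validated path.
        int i = size - 1;
        // x509Certificate2: starts as the last certificate, ends up as the trust anchor.
        X509Certificate x509Certificate2 = (X509Certificate) certificates.get(i);
        X509Certificate x509Certificate3 = null;
        if (x509CertificateArr.length == 0) {
            // Trust all: no configured trust anchors.
            if (i == 0) {
                if (!x509Certificate2.getIssuerX500Principal().equals(x509Certificate2.getSubjectX500Principal())) {
                    // Accepted without validation: nothing to validate against.
                    LOGGER.debug("   trust all- single certificate {}", x509Certificate2.getSubjectX500Principal());
                    return certPath;
                }
                i++;
            }
            str = "last";
            z2 = false;
            z3 = false;
        } else if (z) {
            // NOTE(review): the mode label is a constant of an unrelated class,
            // presumably a decompiler substitution for an inlined string literal.
            str = LinkFormat.CONTEXT;
            int i2 = 1;
            // NOTE(review): as decompiled, this loop leaves only through the
            // "i2 >= size" exit. When contains(...) is true, i2 is not advanced
            // and there is no break, so the loop does not terminate, and the
            // flags set inside are overwritten right after it. This looks like
            // decompiler restructuring damage; verify against the original
            // bytecode before using this branch.
            while (true) {
                if (i2 >= size) {
                    x509Certificate = null;
                    break;
                }
                x509Certificate = x509CertificatesList.get(i2);
                if (!contains(x509Certificate, x509CertificateArr)) {
                    i2++;
                } else if (i > i2) {
                    z3 = true;
                    i = i2;
                    z2 = true;
                }
            }
            z2 = false;
            z3 = false;
            if (x509Certificate == null) {
                X509Certificate searchIssuer = searchIssuer(x509Certificate2, x509CertificateArr);
                if (searchIssuer != null) {
                    z2 = !x509Certificate2.equals(searchIssuer);
                }
                x509Certificate2 = searchIssuer;
                i = size;
            } else {
                x509Certificate2 = x509Certificate;
            }
            if (x509Certificate2 == null) {
                X509Certificate x509Certificate4 = x509CertificatesList.get(0);
                if (contains(x509Certificate4, x509CertificateArr)) {
                    if (size <= 1) {
                        // The node certificate itself is trusted; accepted as is.
                        LOGGER.debug("   trust node - single certificate {}", x509Certificate4.getSubjectX500Principal());
                        return certPath;
                    }
                    x509Certificate2 = x509CertificatesList.get(1);
                    str = "node's issuer";
                    i = 1;
                    z3 = true;
                }
            }
        } else {
            X509Certificate searchIssuer2 = searchIssuer(x509Certificate2, x509CertificateArr);
            if (searchIssuer2 == null && contains(x509Certificate2, x509CertificateArr)) {
                str = "last's subject";
                z2 = false;
            } else {
                str = "last's issuer";
                z2 = !x509Certificate2.equals(searchIssuer2);
                x509Certificate2 = searchIssuer2;
            }
            i = size;
            z3 = false;
        }
        CertPath generateCertPath = generateCertPath(x509CertificatesList, i);
        HashSet hashSet = new HashSet();
        if (x509Certificate2 == null) {
            // No anchor found: validate against the first trusted certificate.
            x509Certificate2 = x509CertificateArr[0];
        }
        hashSet.add(new TrustAnchor(x509Certificate2, null));
        Logger logger = LOGGER;
        if (logger.isDebugEnabled()) {
            List<X509Certificate> x509CertificatesList2 = toX509CertificatesList(generateCertPath.getCertificates());
            logger.debug("verify: certificate path {} (orig. {})", Integer.valueOf(i), Integer.valueOf(size));
            Iterator<X509Certificate> it = x509CertificatesList2.iterator();
            while (it.hasNext()) {
                x509Certificate3 = it.next();
                LOGGER.debug("   cert : {}", x509Certificate3.getSubjectX500Principal());
            }
            if (x509Certificate3 != null) {
                LOGGER.debug("   sign : {}", x509Certificate3.getIssuerX500Principal());
            }
            Iterator it2 = hashSet.iterator();
            while (it2.hasNext()) {
                LOGGER.debug("   trust: {}, {}", str, ((TrustAnchor) it2.next()).getTrustedCert().getSubjectX500Principal());
            }
        }
        CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
        PKIXParameters pKIXParameters = new PKIXParameters(hashSet);
        // Revocation (CRL/OCSP) is not consulted; revoked certificates pass this check.
        pKIXParameters.setRevocationEnabled(false);
        certPathValidator.validate(generateCertPath, pKIXParameters);
        // Extra chain check, applied only when the JCE provider is reported as
        // ECDSA-vulnerable; what it verifies is not visible in this file.
        if (JceProviderUtil.isEcdsaVulnerable()) {
            Asn1DerDecoder.checkCertificateChain(x509CertificatesList, x509Certificate2, i);
        }
        if (!z3 && !z2) {
            return certPath;
        }
        if (!z2) {
            return generateCertPath;
        }
        if (!z3) {
            x509CertificatesList.add(x509Certificate2);
        }
        return generateCertPath(x509CertificatesList, i + 1);
    }

    /**
     * Checks that the issuer certificate is within its validity period and
     * that its public key verifies the certificate's signature.
     *
     * @param x509Certificate certificate whose signature is verified
     * @param x509Certificate2 presumed issuer certificate
     * @return {@code true} if both checks pass, {@code false} on any
     *         {@link GeneralSecurityException}
     */
    private static boolean verifySignature(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        try {
            x509Certificate2.checkValidity();
            x509Certificate.verify(x509Certificate2.getPublicKey());
            return true;
        } catch (GeneralSecurityException ignored) {
            // Expired, not yet valid, or signature mismatch: not the issuer.
            return false;
        }
    }
}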
