package com.tibco.security.impl.entrust61;

import com.entrust.toolkit.exceptions.ExtensionException;
import com.entrust.toolkit.x509.CertVerifier;
import com.entrust.toolkit.x509.LdapDirectory;
import com.entrust.toolkit.x509.certstore.CertificateGraph;
import com.entrust.toolkit.x509.policies.ClientSettings;
import com.entrust.toolkit.x509.testlets.ExtensionTester;
import iaik.asn1.ObjectID;
import iaik.x509.SimpleChainVerifier;
import iaik.x509.V3Extension;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.BasicConstraints;
import iaik.x509.extensions.CRLDistributionPoints;
import iaik.x509.extensions.CRLNumber;
import iaik.x509.extensions.ExtendedKeyUsage;
import iaik.x509.extensions.IssuerAltName;
import iaik.x509.extensions.KeyUsage;
import iaik.x509.extensions.PolicyConstraints;
import iaik.x509.extensions.PolicyMappings;
import iaik.x509.extensions.ReasonCode;
import iaik.x509.extensions.SubjectAltName;
import iaik.x509.extensions.SubjectKeyIdentifier;
import iaik.x509.extensions.netscape.NetscapeBaseUrl;
import iaik.x509.extensions.netscape.NetscapeCaPolicyUrl;
import iaik.x509.extensions.netscape.NetscapeCaRevocationUrl;
import iaik.x509.extensions.netscape.NetscapeCertRenewalUrl;
import iaik.x509.extensions.netscape.NetscapeComment;
import iaik.x509.extensions.netscape.NetscapeRevocationUrl;
import iaik.x509.extensions.netscape.NetscapeSSLServerName;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/* compiled from: SimpleChainVerifierDecompiled.java */
/* loaded from: input_file:com/tibco/security/impl/entrust61/E.class */
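/**
 * Chain verifier that overrides the per-certificate extension check of
 * {@link SimpleChainVerifier}.
 *
 * <p>For the certificate at a given chain index it enforces BasicConstraints and
 * KeyUsage rules itself. A critical extension that is not on the recognised list
 * is not rejected here; instead the whole chain is handed to the Entrust
 * {@link ExtensionTester}, and its failure is reported as a
 * {@link CertificateException}.
 *
 * <p>Index 0 is treated as the end-entity certificate; every index above 0 is
 * treated as an issuing (CA) certificate.
 */
class E extends SimpleChainVerifier {
    private static final long serialVersionUID = 1;

    /** KeyUsage bit required on issuer certificates; the error message below describes it as certificate signing. */
    private static final int KEY_CERT_SIGN_BIT = 32;

    E() {
    }

    /**
     * Checks the extensions of {@code x509CertificateArr[i]}.
     *
     * @param x509CertificateArr the chain, with the end-entity certificate at index 0
     * @param i index of the certificate to check
     * @throws CertificateException if a BasicConstraints, pathLenConstraint or KeyUsage
     *         rule is violated, if a version 3 (or later) issuer certificate carries no
     *         BasicConstraints, or if the Entrust extension tester rejects the chain
     */
    protected void checkExtensions(X509Certificate[] x509CertificateArr, int i) throws CertificateException {
        // NOTE(review): a certificate that is not an iaik.x509.X509Certificate passes through
        // with no extension checks at all. Confirm that callers always supply IAIK instances;
        // otherwise this method accepts such a certificate without examining it.
        if (!(x509CertificateArr[i] instanceof iaik.x509.X509Certificate)) {
            return;
        }
        iaik.x509.X509Certificate cert = (iaik.x509.X509Certificate) x509CertificateArr[i];

        boolean hasBasicConstraints = false;
        boolean hasUnrecognisedCritical = false;

        Enumeration<?> extensions = cert.listExtensions();
        if (extensions != null) {
            // Every extension is examined. Stopping at the first unrecognised critical
            // extension would make the BasicConstraints and KeyUsage checks depend on the
            // order in which the extensions happen to be enumerated.
            while (extensions.hasMoreElements()) {
                V3Extension extension = (V3Extension) extensions.nextElement();
                ObjectID oid = extension.getObjectID();
                if (oid.equals(BasicConstraints.oid)) {
                    hasBasicConstraints = true;
                    checkBasicConstraints((BasicConstraints) extension, i);
                } else if (oid.equals(KeyUsage.oid)) {
                    // Only issuer certificates need the signing bit; an absent KeyUsage
                    // extension is not an error here.
                    if (i > 0 && (((KeyUsage) extension).get() & KEY_CERT_SIGN_BIT) == 0) {
                        throw new CertificateException("Extension error: keyusage does not allow certificate signing");
                    }
                } else if (!isRecognised(oid) && extension.isCritical()) {
                    hasUnrecognisedCritical = true;
                }
            }
        }

        if (!hasBasicConstraints && i > 0 && cert.getVersion() >= 3) {
            throw new CertificateException("Extension error: Certificate " + (i + 1) + " does not have a basic constraints extension!");
        }

        try {
            if (hasUnrecognisedCritical) {
                validateWithEntrust(x509CertificateArr);
            }
        } finally {
            // Runs whether or not the Entrust tester was invoked.
            CertificateGraph.Graph().clear();
        }
    }

    /** Enforces the CA flag and pathLenConstraint for the certificate at chain index {@code i}. */
    private static void checkBasicConstraints(BasicConstraints basicConstraints, int i) throws CertificateException {
        if (basicConstraints.ca()) {
            if (i == 0) {
                throw new CertificateException("Extension error: certificate at index 0 is marked CA certificate");
            }
            // -1 is treated as "no constraint"; i - 1 is the number of certificates
            // between this one and the end-entity certificate.
            int pathLenConstraint = basicConstraints.getPathLenConstraint();
            if (pathLenConstraint != -1 && pathLenConstraint < i - 1) {
                throw new CertificateException("Extension error: pathLenConstraint violated!");
            }
        } else if (i != 0) {
            throw new CertificateException("Extension error: certificate at index " + i + " is marked as non-CA certificate");
        }
    }

    /**
     * Returns whether {@code oid} is on the list of extensions that are accepted without
     * further inspection even when marked critical. Their contents are not evaluated here.
     */
    private static boolean isRecognised(ObjectID oid) {
        return oid.equals(AuthorityKeyIdentifier.oid)
                || oid.equals(CRLDistributionPoints.oid)
                || oid.equals(CRLNumber.oid)
                || oid.equals(ExtendedKeyUsage.oid)
                || oid.equals(IssuerAltName.oid)
                || oid.equals(PolicyMappings.oid)
                || oid.equals(ReasonCode.oid)
                || oid.equals(PolicyConstraints.oid)
                || oid.equals(SubjectAltName.oid)
                || oid.equals(SubjectKeyIdentifier.oid)
                || oid.equals(NetscapeBaseUrl.oid)
                || oid.equals(NetscapeCaPolicyUrl.oid)
                || oid.equals(NetscapeCaRevocationUrl.oid)
                || oid.equals(NetscapeCertRenewalUrl.oid)
                || oid.equals(NetscapeComment.oid)
                || oid.equals(NetscapeRevocationUrl.oid)
                || oid.equals(NetscapeSSLServerName.oid);
    }

    /**
     * Hands the whole chain to the Entrust extension tester, which decides whether the
     * unrecognised critical extension is acceptable.
     */
    private static void validateWithEntrust(X509Certificate[] chain) throws CertificateException {
        try {
            // The verifier is built from the last chain element, with no directory and no
            // client settings supplied.
            // NOTE(review): what the tester enforces with null directory/settings is not
            // visible here - confirm it rejects critical extensions it does not understand.
            ExtensionTester extensionTester = new ExtensionTester(new CertVerifier((iaik.x509.X509Certificate) chain[chain.length - 1], (LdapDirectory) null, (ClientSettings) null));
            // The copy fails with a runtime exception if any chain element is not an IAIK certificate.
            iaik.x509.X509Certificate[] iaikChain = new iaik.x509.X509Certificate[chain.length];
            System.arraycopy(chain, 0, iaikChain, 0, chain.length);
            extensionTester.validate(iaikChain);
        } catch (ExtensionException e) {
            throw new CertificateException(e);
        }
    }
}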
