package ru.CryptoPro.reprov.certpath;

import java.security.cert.CertPathValidatorException;
import java.security.cert.CertSelector;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import ru.CryptoPro.JCP.tools.JCPLogger;
import ru.CryptoPro.reprov.cl_9;
import ru.CryptoPro.reprov.x509.PKIXExtensions;

/* loaded from: classes3.dex */
class KeyChecker extends PKIXCertPathChecker {
    private static Set d;
    private final int a;
    private CertSelector b;
    private int c;

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void a(X509Certificate x509Certificate) throws CertPathValidatorException {
        JCPLogger.finerFormat("KeyChecker.verifyCAKeyUsage() ---checking {0}...", "CA key usage");
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            return;
        }
        if (keyUsage[5]) {
            JCPLogger.finerFormat("KeyChecker.verifyCAKeyUsage() {0} verified.", "CA key usage");
            return;
        }
        if (cl_9.a()) {
            throw new CertPathValidatorException("CA key usage check failed: keyCertSign bit is not set", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }
        throw new CertPathValidatorException("CA key usage check failed: keyCertSign bit is not set");
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection collection) throws CertPathValidatorException {
        X509Certificate x509Certificate = (X509Certificate) certificate;
        int i = this.c - 1;
        this.c = i;
        if (i == 0) {
            CertSelector certSelector = this.b;
            if (certSelector != null && !certSelector.match(x509Certificate)) {
                throw new CertPathValidatorException("target certificate constraints check failed");
            }
        } else {
            a(x509Certificate);
        }
        if (collection == null || collection.isEmpty()) {
            return;
        }
        collection.remove(PKIXExtensions.KeyUsage_Id.toString());
        collection.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
        collection.remove(PKIXExtensions.SubjectAlternativeName_Id.toString());
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public Set getSupportedExtensions() {
        if (d == null) {
            HashSet hashSet = new HashSet();
            d = hashSet;
            hashSet.add(PKIXExtensions.KeyUsage_Id.toString());
            d.add(PKIXExtensions.ExtendedKeyUsage_Id.toString());
            d.add(PKIXExtensions.SubjectAlternativeName_Id.toString());
            d = Collections.unmodifiableSet(d);
        }
        return d;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.c = this.a;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }
}
