package cfca.sadk.tls.sun.security.ssl.manager;

import cfca.sadk.tls.javax.net.ssl.CFCASNIHostName;
import cfca.sadk.tls.javax.net.ssl.CFCASNIServerName;
import cfca.sadk.tls.sun.security.ssl.Debugger;
import cfca.sadk.tls.sun.security.util.CFCASSLHelper;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/manager/CertCheckType.class */
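/**
 * Role a candidate certificate is being checked for (none, client side, server side)
 * together with the checks that role implies.
 *
 * <p>Each constant carries the set of extended-key-usage OIDs acceptable for that role.
 * {@link #check} runs, in order: EKU / key-usage consistency, validity period at the given
 * date, and identity against the supplied SNI host names. {@link #NONE} skips every check,
 * including the validity-period check, and always reports {@code CertCheckResult.OK}.
 *
 * <p>Thread-safety: constants are immutable after construction; the methods hold no state.
 */
enum CertCheckType {
    /** No checking at all; {@link #check} returns {@code CertCheckResult.OK} unconditionally. */
    NONE(new String[0]),
    /** Client certificate: anyExtendedKeyUsage or id-kp-clientAuth. */
    CLIENT(new String[]{"2.5.29.37.0", "1.3.6.1.5.5.7.3.2"}),
    /** Server certificate: anyExtendedKeyUsage, id-kp-serverAuth, or the Netscape / Microsoft SGC OIDs. */
    SERVER(new String[]{"2.5.29.37.0", "1.3.6.1.5.5.7.3.1", "2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3"});

    /** EKU OIDs accepted for this role; unmodifiable so package callers cannot alter the policy. */
    final Set<String> validEku;

    CertCheckType(String[] acceptedEkuOids) {
        // Raw HashSet replaced by a typed, read-only view; contents are unchanged.
        this.validEku = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(acceptedEkuOids)));
    }

    /**
     * Checks {@code x509Certificate} for this role.
     *
     * @param x509Certificate the certificate under test; must not be {@code null}
     * @param date            the instant at which the validity period is evaluated; must not be {@code null}
     * @param list            SNI server names to match against the certificate identity; {@code null}
     *                        or empty skips the identity check
     * @param str             passed unchanged as the second argument of
     *                        {@code CFCASSLHelper.checkIdentity} (presumably the endpoint
     *                        identification algorithm — confirm against that helper)
     * @return the first non-OK result in the order extensions, validity, identity; otherwise
     *         {@code CertCheckResult.OK}
     * @throws IllegalArgumentException if {@code x509Certificate} or {@code date} is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public final CertCheckResult check(X509Certificate x509Certificate, Date date, List<CFCASNIServerName> list, String str) {
        if (x509Certificate == null || date == null) {
            throw new IllegalArgumentException("parameters cert and date must not null");
        }
        if (this == NONE) {
            // NONE deliberately bypasses every check, expiry included.
            return CertCheckResult.OK;
        }
        CertCheckResult extensionResult = checkExtensions(x509Certificate);
        if (extensionResult != CertCheckResult.OK) {
            return extensionResult;
        }
        CertCheckResult validityResult = checkValidity(x509Certificate, date);
        if (validityResult != CertCheckResult.OK) {
            return validityResult;
        }
        return checkSNIServerName(x509Certificate, list, str);
    }

    /**
     * Verifies the extended-key-usage and key-usage extensions against this role.
     *
     * <p>An absent EKU extension is accepted; a present one must share at least one OID with
     * {@link #validEku}. An absent key-usage extension is accepted; a present one must permit
     * the operation the key algorithm is used for in the handshake.
     *
     * @return {@code CertCheckResult.EXTENSION_MISMATCH} when a constraint fails or the
     *         extensions cannot be parsed, otherwise {@code CertCheckResult.OK}
     */
    private CertCheckResult checkExtensions(X509Certificate cert) {
        try {
            List<String> eku = cert.getExtendedKeyUsage();
            if (eku != null && Collections.disjoint(this.validEku, eku)) {
                return CertCheckResult.EXTENSION_MISMATCH;
            }
            boolean[] keyUsage = cert.getKeyUsage();
            if (keyUsage == null) {
                return CertCheckResult.OK;
            }
            String algorithm = cert.getPublicKey().getAlgorithm();
            boolean canSign = CertKeyUsage.digitalSignature.getEnabled(keyUsage);
            if ("RSA".equals(algorithm)) {
                // RSA may sign or encipher keys; a client certificate must be able to sign,
                // a server certificate may instead offer keyEncipherment.
                if (!canSign && (this == CLIENT || !CertKeyUsage.keyEncipherment.getEnabled(keyUsage))) {
                    return CertCheckResult.EXTENSION_MISMATCH;
                }
            } else if ("DSA".equals(algorithm)) {
                if (!canSign) {
                    return CertCheckResult.EXTENSION_MISMATCH;
                }
            } else if ("DH".equals(algorithm)) {
                // The original code tests "DH" twice: the first branch requires keyAgreement,
                // the second additionally requires digitalSignature (and, for SERVER, keyAgreement
                // again, which is redundant). The net effect, kept here, is that a DH certificate
                // must carry both bits.
                // NOTE(review): a DH key cannot produce signatures, so this rejects every ordinary
                // DH certificate, while "EC" keys receive no key-usage check at all. The OpenJDK
                // analogue keys the second branch on "EC"; confirm against the vendor source
                // whether that was the intent before changing either behaviour.
                if (!CertKeyUsage.keyAgreement.getEnabled(keyUsage) || !canSign) {
                    return CertCheckResult.EXTENSION_MISMATCH;
                }
            }
            return CertCheckResult.OK;
        } catch (CertificateException e) {
            // Unparseable extensions are treated as a mismatch rather than propagated.
            return CertCheckResult.EXTENSION_MISMATCH;
        }
    }

    /**
     * Evaluates the certificate validity period at {@code date}.
     *
     * @return {@code EXPIRED}, {@code NOTYETVALID}, or {@code OK}
     */
    private CertCheckResult checkValidity(X509Certificate cert, Date date) {
        try {
            cert.checkValidity(date);
            return CertCheckResult.OK;
        } catch (CertificateExpiredException e) {
            return CertCheckResult.EXPIRED;
        } catch (CertificateNotYetValidException e) {
            return CertCheckResult.NOTYETVALID;
        }
    }

    /**
     * Matches the certificate identity against every non-null SNI name in {@code serverNames}.
     *
     * @return the first non-OK result, or {@code OK} when the list is {@code null}, empty,
     *         or every name matches
     */
    private CertCheckResult checkSNIServerName(X509Certificate cert, List<CFCASNIServerName> serverNames, String identityArg) {
        if (serverNames == null || serverNames.isEmpty()) {
            return CertCheckResult.OK;
        }
        for (CFCASNIServerName serverName : serverNames) {
            if (serverName == null) {
                continue;
            }
            CertCheckResult result = checkSNIServerName(cert, serverName, identityArg);
            if (result != CertCheckResult.OK) {
                return result;
            }
        }
        return CertCheckResult.OK;
    }

    /**
     * Matches the certificate identity against a single SNI name.
     *
     * <p>Only names of type 0 (host_name) are examined; other types yield {@code OK}. A name
     * that cannot be parsed as a host name, or a host name the certificate identity does not
     * match, yields {@code CertCheckResult.INSENSITIVE} — a mismatch lowers preference rather
     * than rejecting the certificate outright.
     */
    private CertCheckResult checkSNIServerName(X509Certificate cert, CFCASNIServerName serverName, String identityArg) {
        if (serverName.getType() != 0) {
            return CertCheckResult.OK;
        }
        CFCASNIHostName hostName;
        if (serverName instanceof CFCASNIHostName) {
            hostName = (CFCASNIHostName) serverName;
        } else {
            try {
                hostName = new CFCASNIHostName(serverName.getEncoded());
            } catch (IllegalArgumentException e) {
                if (Debugger.check.isDebugEnabled()) {
                    Debugger.check.debug("Illegal server name: {}", serverName);
                }
                return CertCheckResult.INSENSITIVE;
            }
        }
        String asciiName = hostName.getAsciiName();
        try {
            CFCASSLHelper.checkIdentity(cert, identityArg, asciiName);
            return CertCheckResult.OK;
        } catch (CertificateException e) {
            if (Debugger.check.isDebugEnabled()) {
                Debugger.check.debug("Certificate identity does not match  Server Name Inidication (SNI): {}", asciiName);
            }
            return CertCheckResult.INSENSITIVE;
        }
    }
}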
