package cfca.sadk.tls.sun.security.validator;

import cfca.org.slf4j.Logger;
import cfca.org.slf4j.LoggerFactory;
import cfca.sadk.system.SADKDebugger;
import cfca.sadk.tls.sun.security.ssl.Debugger;
import cfca.sadk.tls.sun.security.ssl.manager.CertKeyUsage;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:cfca/sadk/tls/sun/security/validator/TLSKeyUsageChecker.class */
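/**
 * End-entity checks for a TLS peer certificate: the KeyUsage bits required by the
 * negotiated authentication type, the ExtendedKeyUsage purpose required by the
 * {@link TLSValidatorVariant} (server or client), and the rule that no critical
 * extension other than the well-known tolerated ones remains.
 *
 * <p>Instances are immutable and hold only the variant; all state is per call.
 */
public final class TLSKeyUsageChecker {
    /** id-kp-serverAuth (RFC 5280). */
    private static final String OID_EKU_TLS_SERVER = "1.3.6.1.5.5.7.3.1";
    /** id-kp-clientAuth (RFC 5280). */
    private static final String OID_EKU_TLS_CLIENT = "1.3.6.1.5.5.7.3.2";
    /** anyExtendedKeyUsage: satisfies whichever EKU purpose is expected. */
    private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
    /** Netscape Server Gated Crypto, accepted as an alternative to serverAuth. */
    private static final String OID_EKU_NS_SGC = "2.16.840.1.113730.4.1";
    /** Microsoft Server Gated Crypto, accepted as an alternative to serverAuth. */
    private static final String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
    /** subjectAltName; tolerated even when marked critical. */
    private static final String OID_SUBJECT_ALT_NAME = "2.5.29.17";
    /** keyUsage; handled by {@link #checkKeyUsage}, so tolerated as a critical extension. */
    private static final String OID_KEY_USAGE = "2.5.29.15";
    /** extKeyUsage; handled by {@link #checkExtendedKeyUsage}, so tolerated as a critical extension. */
    private static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
    /** basicConstraints; tolerated even when marked critical. */
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    /** Netscape certificate type; tolerated even when marked critical. */
    private static final String OID_NS_CERT_TYPE = "2.16.840.1.113730.1.1";

    /** Bit positions in {@link X509Certificate#getKeyUsage()} (RFC 5280 KeyUsage BIT STRING). */
    private static final int KU_BIT_DIGITAL_SIGNATURE = 0;
    private static final int KU_BIT_KEY_ENCIPHERMENT = 2;
    private static final int KU_BIT_KEY_AGREEMENT = 4;

    private final TLSValidatorVariant variant;
    private static final Logger logger = LoggerFactory.getLogger(TLSKeyUsageChecker.class);
    private static final CertKeyUsage KU_SIGNATURE = CertKeyUsage.digitalSignature;
    private static final CertKeyUsage KU_KEY_ENCIPHERMENT = CertKeyUsage.keyEncipherment;
    private static final CertKeyUsage KU_KEY_AGREEMENT = CertKeyUsage.keyAgreement;
    /**
     * authType strings whose server certificate must carry digitalSignature. Note that
     * "UNKNOWN" is in this list, so an unrecognised authType reported as "UNKNOWN" is
     * checked as a signature-based key exchange rather than rejected.
     */
    private static final Collection<String> KU_SERVER_SIGNATURE = Arrays.asList("SM2PKEA_SM2DSA", "DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA", "RSA_EXPORT", "UNKNOWN");
    /** authType strings whose server certificate must carry keyEncipherment. */
    private static final Collection<String> KU_SERVER_ENCRYPTION = Arrays.asList("RSAPKEA", "RSA");
    /** authType strings whose server certificate must carry keyAgreement. */
    private static final Collection<String> KU_SERVER_KEY_AGREEMENT = Arrays.asList("ECDHE_SM2DSA", "DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");

    private TLSKeyUsageChecker(TLSValidatorVariant tLSValidatorVariant) {
        this.variant = tLSValidatorVariant;
    }

    /**
     * Creates a checker for the given validator variant.
     *
     * @param tLSValidatorVariant the TLS role the certificate is checked for; may be null,
     *        in which case {@link #check} throws for every non-null certificate
     * @return a new checker
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static TLSKeyUsageChecker getInstance(TLSValidatorVariant tLSValidatorVariant) {
        return new TLSKeyUsageChecker(tLSValidatorVariant);
    }

    /**
     * Runs the end-entity checks appropriate for this checker's variant.
     *
     * @param x509Certificate the peer certificate; a null certificate is accepted without
     *        any check (preserved legacy behaviour - callers must not rely on this method
     *        to reject a missing certificate)
     * @param obj the authType string; only consulted for the TLS_SERVER variant
     * @throws CertificateException if {@code obj} is not a String, the variant is null or
     *         unhandled, or the certificate fails one of the variant's checks
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public final void check(X509Certificate x509Certificate, Object obj) throws CertificateException {
        if (!(obj instanceof String)) {
            throw new CertificateException("parameter required String type! ");
        }
        String authType = (String) obj;
        if (logger.isInfoEnabled()) {
            logger.info("check<<<<<<Running\n cert: " + Debugger.dump(x509Certificate) + "\n parameter: " + SADKDebugger.dump(authType));
        }
        if (x509Certificate == null) {
            return;
        }
        // switch on a null enum would throw NPE; report it as a CertificateException instead.
        if (this.variant == null) {
            throw new CertificateException("Unknown variant: " + this.variant);
        }
        switch (this.variant) {
            case TLS_SERVER:
                checkTLSServer(x509Certificate, authType);
                return;
            case TLS_CLIENT:
                checkTLSClient(x509Certificate);
                return;
            default:
                throw new CertificateException("Unknown variant: " + this.variant);
        }
    }

    /**
     * Client-certificate checks: digitalSignature key usage, clientAuth EKU, and no
     * unsupported critical extensions.
     *
     * @throws CertificateException on any failed check (logged before rethrow)
     */
    private void checkTLSClient(X509Certificate x509Certificate) throws CertificateException {
        if (logger.isInfoEnabled()) {
            logger.info("checkTLSClient<<<<<<Running\n cert: " + Debugger.dump(x509Certificate));
        }
        try {
            if (!checkKeyUsage(x509Certificate, KU_SIGNATURE)) {
                throw new TLSValidatorException("KeyUsage does not allow digital signatures", TLSValidatorException.T_EE_EXTENSIONS, x509Certificate);
            }
            if (!checkExtendedKeyUsage(x509Certificate, OID_EKU_TLS_CLIENT)) {
                throw new TLSValidatorException("Extended key usage does not permit use for TLS client authentication", TLSValidatorException.T_EE_EXTENSIONS, x509Certificate);
            }
            Set<String> criticalExtensions = getCriticalExtensions(x509Certificate);
            removeHandledExtensions(criticalExtensions);
            checkRemainingExtensions(criticalExtensions);
        } catch (TLSValidatorException e) {
            logFailure("checkTLSClient", x509Certificate, e);
            throw e;
        } catch (CertificateException e2) {
            logFailure("checkTLSClient", x509Certificate, e2);
            throw e2;
        }
    }

    /**
     * Server-certificate checks: the key usage demanded by {@code str} (the authType),
     * a serverAuth (or SGC) EKU, and no unsupported critical extensions.
     *
     * @param str the negotiated authType, looked up in the KU_SERVER_* lists
     * @throws CertificateException if the authType is in none of the lists or any check fails
     */
    private void checkTLSServer(X509Certificate x509Certificate, String str) throws CertificateException {
        if (logger.isInfoEnabled()) {
            logger.info("checkTLSServer<<<<<<Running\n cert: " + Debugger.dump(x509Certificate) + "\n parameter: " + SADKDebugger.dump(str));
        }
        try {
            Set<String> criticalExtensions = getCriticalExtensions(x509Certificate);
            if (KU_SERVER_ENCRYPTION.contains(str)) {
                if (!checkKeyUsage(x509Certificate, KU_KEY_ENCIPHERMENT)) {
                    throw new TLSValidatorException("KeyUsage does not allow key encipherment", TLSValidatorException.T_EE_EXTENSIONS, x509Certificate);
                }
            } else if (KU_SERVER_SIGNATURE.contains(str)) {
                if (!checkKeyUsage(x509Certificate, KU_SIGNATURE)) {
                    throw new TLSValidatorException("KeyUsage does not allow digital signatures", TLSValidatorException.T_EE_EXTENSIONS, x509Certificate);
                }
            } else if (KU_SERVER_KEY_AGREEMENT.contains(str)) {
                if (!checkKeyUsage(x509Certificate, KU_KEY_AGREEMENT)) {
                    throw new TLSValidatorException("KeyUsage does not allow key agreement", TLSValidatorException.T_EE_EXTENSIONS, x509Certificate);
                }
            } else {
                throw new CertificateException("Unknown authType: " + str);
            }
            // serverAuth is the normal purpose; the two SGC OIDs are legacy equivalents.
            boolean ekuOk = checkExtendedKeyUsage(x509Certificate, OID_EKU_TLS_SERVER)
                    || checkExtendedKeyUsage(x509Certificate, OID_EKU_MS_SGC)
                    || checkExtendedKeyUsage(x509Certificate, OID_EKU_NS_SGC);
            if (!ekuOk) {
                throw new TLSValidatorException("Extended key usage does not permit use for TLS server authentication", TLSValidatorException.T_EE_EXTENSIONS, x509Certificate);
            }
            removeHandledExtensions(criticalExtensions);
            checkRemainingExtensions(criticalExtensions);
        } catch (TLSValidatorException e) {
            logFailure("checkTLSServer", x509Certificate, e);
            throw e;
        } catch (CertificateException e2) {
            logFailure("checkTLSServer", x509Certificate, e2);
            throw e2;
        }
    }

    /** Logs a failed check at INFO, with the certificate dump and the cause. */
    private static void logFailure(String method, X509Certificate x509Certificate, Throwable cause) {
        if (logger.isInfoEnabled()) {
            logger.info(method + "<<<<<<Failure\n cert: " + Debugger.dump(x509Certificate), cause);
        }
    }

    /**
     * Drops the critical extensions that the KU/EKU checks above already account for,
     * so that only genuinely unhandled critical extensions reach {@link #checkRemainingExtensions}.
     */
    private static void removeHandledExtensions(Set<String> criticalExtensions) {
        criticalExtensions.remove(OID_KEY_USAGE);
        criticalExtensions.remove(OID_EXTENDED_KEY_USAGE);
        criticalExtensions.remove(OID_NS_CERT_TYPE);
    }

    /**
     * Returns a mutable copy of the certificate's critical extension OIDs.
     *
     * <p>The copy matters: {@link X509Certificate#getCriticalExtensionOIDs()} does not
     * promise a modifiable set, and some providers return an unmodifiable view. The
     * callers remove entries, and an UnsupportedOperationException from that would
     * escape the CertificateException handling in the check methods.
     *
     * @return a fresh set; empty when the certificate is null or has no critical extensions
     */
    private Set<String> getCriticalExtensions(X509Certificate x509Certificate) {
        if (logger.isInfoEnabled()) {
            logger.info("getCriticalExtensions<<<<<<Running\n cert: " + Debugger.dump(x509Certificate));
        }
        Set<String> oids = null;
        if (x509Certificate != null) {
            oids = x509Certificate.getCriticalExtensionOIDs();
        }
        if (oids == null) {
            return new HashSet<String>();
        }
        return new HashSet<String>(oids);
    }

    /**
     * Checks that the KeyUsage extension, if present, permits {@code certKeyUsage}.
     *
     * <p>A certificate without a KeyUsage extension is accepted (nothing restricts the
     * key), mirroring {@link #checkExtendedKeyUsage}. When the extension is present the
     * corresponding RFC 5280 bit must be set. Only the three usages this class asks for
     * are mapped to bit positions; any other usage value is not enforced here and
     * returns true.
     *
     * @param x509Certificate the certificate; null is accepted
     * @param certKeyUsage the required usage; null is accepted
     * @return true if the usage is permitted (or not restricted), false otherwise
     */
    private boolean checkKeyUsage(X509Certificate x509Certificate, CertKeyUsage certKeyUsage) throws CertificateException {
        if (logger.isInfoEnabled()) {
            logger.info("checkKeyUsage<<<<<<Running\n cert: " + Debugger.dump(x509Certificate) + "\n expectedKU: " + certKeyUsage);
        }
        if (x509Certificate == null || certKeyUsage == null) {
            return true;
        }
        boolean[] bits = x509Certificate.getKeyUsage();
        if (bits == null) {
            // No KeyUsage extension at all: not restricted.
            return true;
        }
        int bit;
        if (certKeyUsage == KU_SIGNATURE) {
            bit = KU_BIT_DIGITAL_SIGNATURE;
        } else if (certKeyUsage == KU_KEY_ENCIPHERMENT) {
            bit = KU_BIT_KEY_ENCIPHERMENT;
        } else if (certKeyUsage == KU_KEY_AGREEMENT) {
            bit = KU_BIT_KEY_AGREEMENT;
        } else {
            // Usage not mapped by this checker; leave it to other validators.
            return true;
        }
        // A bit string shorter than the requested position cannot have that bit set.
        return bit < bits.length && bits[bit];
    }

    /**
     * Checks that the ExtendedKeyUsage extension, if present and non-empty, lists
     * {@code str} or anyExtendedKeyUsage.
     *
     * @param x509Certificate the certificate; null is accepted
     * @param str the expected EKU OID; null is accepted
     * @return true if the purpose is permitted or the extension is absent/empty
     * @throws CertificateException propagated from {@link X509Certificate#getExtendedKeyUsage()}
     */
    private boolean checkExtendedKeyUsage(X509Certificate x509Certificate, String str) throws CertificateException {
        if (logger.isInfoEnabled()) {
            logger.info("checkExtendedKeyUsage<<<<<<Running\n cert: " + Debugger.dump(x509Certificate) + "\n expectedEKU: " + SADKDebugger.dump(str));
        }
        if (x509Certificate == null || str == null) {
            return true;
        }
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        if (extendedKeyUsage == null || extendedKeyUsage.isEmpty()) {
            // Absent or empty EKU does not restrict the purpose.
            return true;
        }
        return extendedKeyUsage.contains(str) || extendedKeyUsage.contains(OID_EKU_ANY_USAGE);
    }

    /**
     * Rejects the certificate if any critical extension other than basicConstraints and
     * subjectAltName is still in {@code set}.
     *
     * @param set the remaining critical extension OIDs; mutated (tolerated OIDs removed); null is accepted
     * @throws CertificateException if an unsupported critical extension remains
     */
    private void checkRemainingExtensions(Set<String> set) throws CertificateException {
        if (set == null) {
            return;
        }
        set.remove(OID_BASIC_CONSTRAINTS);
        set.remove(OID_SUBJECT_ALT_NAME);
        if (!set.isEmpty()) {
            throw new CertificateException("Certificate contains unsupported  critical extensions: " + set);
        }
    }
}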
