package com.blackberry.security.trustmgr.pkic;

import android.util.Log;
import com.blackberry.security.sb.pkic.TpCertValidator;
import com.blackberry.security.sb.pkic.TpCertValidatorResult;
import com.blackberry.security.sb.pkic.TpStore;
import com.blackberry.security.sb.pkic.TpX509CertCollection;
import com.blackberry.security.sb.pkic.TpX509CertKeyStore;
import com.blackberry.security.trustmgr.FutureResult;
import com.blackberry.security.trustmgr.PkixProfile;
import com.blackberry.security.trustmgr.ValidationContext;
import com.blackberry.security.trustmgr.a.aa;
import com.blackberry.security.trustmgr.a.c;
import com.blackberry.security.trustmgr.a.d;
import com.blackberry.security.trustmgr.a.p;
import com.blackberry.security.trustmgr.a.q;
import com.blackberry.security.trustmgr.a.u;
import com.blackberry.security.trustmgr.a.z;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.concurrent.Executor;

/* loaded from: classes.dex */
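/**
 * Validator that hands an X.509 certificate to the PKI-C {@link TpCertValidator} and records
 * the resulting certificate path and warnings on the {@link ValidationContext}.
 *
 * <p>Security note: the only result that makes this class fail a validation is a non-zero
 * return code from the PKI-C validator. Every warning bit it reports (untrusted chain, invalid
 * signature, invalid time period, ...) is translated into a {@code q} entry and stored under
 * {@code ValidationContext.WARNINGS}. A future that completes without an exception therefore
 * means "validation ran", not "certificate is trusted"; whoever consumes the context has to
 * evaluate the recorded warnings before making a trust decision.
 *
 * <p>This source is decompiler output; the obfuscated names ({@code c}, {@code d}, {@code q},
 * {@code u}, {@code z}, {@code aa}, {@code p}) are kept as they are. {@code z} is thrown here
 * without any {@code throws} clause, so it is presumably an unchecked exception.
 */
class PkicValidator extends c {
    private static final String LOG_TAG = "certmgr:trustmgr:PkicValidator";

    /**
     * Mapping from PKI-C warning bits to trust-manager warning types, applied in this order.
     * The bare numeric masks were presumably TpCertValidator constants inlined by the compiler;
     * their names cannot be recovered from this file. Note that only three entries map to
     * something more specific than the generic WARN type.
     */
    private static final TpWarning[] TP_WARN_LIST = {
        new TpWarning(2, q.a.WARN),
        new TpWarning(4, q.a.WARN),
        new TpWarning(8, q.a.WARN),
        new TpWarning(64, q.a.WARN),
        new TpWarning(32, q.a.WARN),
        new TpWarning(128, q.a.WARN),
        new TpWarning(256, q.a.WARN),
        new TpWarning(TpCertValidator.TP_VALIDATE_WARN_INVALID_SIGNATURE, q.a.WARN_INVALID_SIGNATURE),
        new TpWarning(TpCertValidator.TP_VALIDATE_WARN_NAME_CONSTRAINTS, q.a.WARN),
        new TpWarning(TpCertValidator.TP_VALIDATE_WARN_INVALID_ISSUER, q.a.WARN),
        new TpWarning(512, q.a.WARN_UNTRUSTED),
        new TpWarning(16, q.a.WARN_INVALID_TIME_PERIOD)
    };

    /** Pairs one PKI-C warning bit mask with the trust-manager warning type it is reported as. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static class TpWarning {
        final q.a pkixType;
        final long tpType;

        TpWarning(long tpType, q.a pkixType) {
            this.tpType = tpType;
            this.pkixType = pkixType;
        }
    }

    /** Runs one validation on the executor and reports the outcome through the result holder. */
    class Worker implements Runnable {
        private final ValidationContext mContext;
        private final d<Void> mResultRef;

        Worker(ValidationContext validationContext, d<Void> dVar) {
            this.mContext = validationContext;
            this.mResultRef = dVar;
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                // Skip the work when the result was already completed before the task started.
                if (this.mResultRef.isDone()) {
                    return;
                }
                PkicValidator.this.validateByCert(this.mContext);
                this.mResultRef.set(null);
            } catch (z e) {
                // NOTE(review): only z is caught. Any other exception leaving validateByCert
                // propagates to the executor and, as far as this file shows, nothing completes
                // mResultRef in that case - confirm how callers wait on the result.
                this.mResultRef.d(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public PkicValidator() {
        addSupportedProfileType(PkixProfile.class);
    }

    /**
     * Rebuilds a {@link CertPath} from the encoded certificates returned by the PKI-C validator.
     *
     * @param tpCertValidatorResult result holding the encoded chain
     * @return the certificate path, in the order PKI-C returned the certificates
     * @throws z if the chain is missing or empty, or a certificate or the path cannot be built
     */
    private CertPath parseCertPath(TpCertValidatorResult tpCertValidatorResult) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            byte[][] encodedChain = tpCertValidatorResult.getCertChain();
            // A missing chain is reported the same way as an empty one instead of failing
            // with a NullPointerException.
            if (encodedChain == null || encodedChain.length == 0) {
                throw new z("PKIC provided an empty cert chain");
            }
            List<Certificate> certificates = new ArrayList<>(encodedChain.length);
            for (byte[] encoded : encodedChain) {
                try {
                    certificates.add(factory.generateCertificate(new ByteArrayInputStream(encoded)));
                } catch (CertificateException e) {
                    throw new z("Failed to generate certificate", e);
                }
            }
            try {
                return factory.generateCertPath(certificates);
            } catch (CertificateException e2) {
                throw new z("Failed to generate a cert path", e2);
            }
        } catch (CertificateException e3) {
            throw new z("Failed to initialize certificate factory", e3);
        }
    }

    /**
     * Reports one warning when every bit of {@code flag} is set in {@code remaining}.
     *
     * @param flag bit mask of the warning being tested
     * @param remaining warning bits not yet translated
     * @param type warning type to report for {@code flag}
     * @param out list receiving the translated warning
     * @return {@code remaining} with the bits of {@code flag} cleared when it matched,
     *     otherwise {@code remaining} unchanged
     */
    private long parseTpWarnings(long flag, long remaining, q.a type, List<q> out) {
        if ((flag & remaining) != flag) {
            return remaining;
        }
        out.add(new q(type, "PKI-C warning: 0x" + Long.toHexString(flag)));
        return remaining & (~flag);
    }

    /**
     * Translates a PKI-C warning bit field into trust-manager warnings.
     *
     * <p>Bits not covered by {@link #TP_WARN_LIST} are not dropped: they are logged and
     * reported together as a single generic warning.
     *
     * @param warnings PKI-C warning bit field
     * @return the translated warnings, in {@link #TP_WARN_LIST} order
     */
    private List<q> parseTpWarnings(long warnings) {
        List<q> translated = new ArrayList<>();
        long remaining = warnings;
        for (TpWarning known : TP_WARN_LIST) {
            remaining = parseTpWarnings(known.tpType, remaining, known.pkixType, translated);
        }
        if (remaining != 0) {
            Log.i(LOG_TAG, "Unhandled PKI-C warnings: 0x" + Long.toHexString(remaining));
            translated.add(new q(q.a.WARN, "Unhandled PKI-C warnings: 0x" + Long.toHexString(remaining)));
        }
        return translated;
    }

    /**
     * Collects the chain-wide and the per-certificate warnings of a validation result.
     *
     * @param certPath path built from the same result
     * @param tpCertValidatorResult PKI-C validation result
     * @return the warnings container
     * @throws z if the per-certificate warning array is missing or does not have one entry per
     *     certificate in {@code certPath}
     */
    private u parseWarnings(CertPath certPath, TpCertValidatorResult tpCertValidatorResult) {
        u warnings = new u();
        warnings.aj(parseTpWarnings(tpCertValidatorResult.getCollectiveWarnings()));
        List<? extends Certificate> certificates = certPath.getCertificates();
        long[] warningsPerCert = tpCertValidatorResult.getWarningsPerCert();
        // Entries are matched to certificates by index, so a missing array or a length
        // mismatch would attach warnings to the wrong certificate; reject both.
        if (warningsPerCert == null || warningsPerCert.length != certificates.size()) {
            throw new z("Invalid certificate warning array length");
        }
        for (int i = 0; i < warningsPerCert.length; i++) {
            warnings.a(certificates.get(i), parseTpWarnings(warningsPerCert[i]));
        }
        return warnings;
    }

    /**
     * Validates the certificate stored under {@code ValidationContext.CERT} with the PKI-C
     * validator and stores the resulting path and warnings on the context.
     *
     * <p>The trust anchors come from the profile's trust store, falling back to the profile's
     * default trust store; the reference date falls back to the current time. Warnings do not
     * make this method throw, see the class comment.
     *
     * @param validationContext context holding the certificate to validate
     * @throws z if the PKIX profile or the certificate is missing, a certificate is not an
     *     X.509 certificate, the default trust store cannot be initialized, or the PKI-C
     *     validator fails or returns a non-zero return code
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void validateByCert(ValidationContext validationContext) {
        boolean usingDefaultTrustStore;
        PkixProfile pkixProfile = (PkixProfile) getProfile(PkixProfile.class);
        if (pkixProfile == null) {
            throw new z("Missing PKIX profile");
        }
        Certificate certificate = (Certificate) validationContext.get(ValidationContext.CERT);
        // A null entry used to reach certificate.getType() below and fail with a
        // NullPointerException, which Worker.run() does not catch. Report it as a
        // validation failure instead.
        if (certificate == null) {
            throw new z("Missing certificate");
        }
        if (!(certificate instanceof X509Certificate)) {
            throw new z("Unsupported certificate type: " + certificate.getType());
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;
        Date referenceDate = pkixProfile.getReferenceDate();
        if (referenceDate == null) {
            referenceDate = new Date();
        }
        KeyStore trustStore = pkixProfile.getTrustStore();
        if (trustStore == null) {
            try {
                trustStore = pkixProfile.getDefaultTrustStore();
                usingDefaultTrustStore = true;
            } catch (CertificateException e) {
                throw new z("Failed to initialize default trust store", e);
            }
        } else {
            usingDefaultTrustStore = false;
        }
        // NOTE(review): what TpX509CertKeyStore does with the certificate and the
        // default-store flag is not visible in this file.
        TpStore[] trustStores = {new TpX509CertKeyStore(trustStore, x509Certificate, usingDefaultTrustStore)};
        TpStore[] intermediateStores = new TpStore[2];
        TpX509CertCollection intermediateCerts = new TpX509CertCollection();
        for (Certificate intermediate : pkixProfile.getIntermediateCertificates()) {
            // Same null handling as for the end-entity certificate above.
            if (intermediate == null) {
                throw new z("Missing intermediate certificate");
            }
            if (!(intermediate instanceof X509Certificate)) {
                throw new z("Unsupported intermediate certificate type: " + intermediate.getType());
            }
            intermediateCerts.addCert((X509Certificate) intermediate);
        }
        intermediateStores[0] = intermediateCerts;
        KeyStore intermediateStore = pkixProfile.getIntermediateStore();
        if (intermediateStore != null) {
            intermediateStores[1] = new TpX509CertKeyStore(intermediateStore);
        }
        // NOTE(review): intermediateStores[1] stays null when the profile has no intermediate
        // store; presumably TpCertValidator tolerates a null slot - confirm.
        try {
            TpCertValidatorResult result =
                    new TpCertValidator().validateByCert(x509Certificate, intermediateStores, trustStores, referenceDate);
            if (result.getRetCode() != 0) {
                throw new z("Failed to invoke PKIC validator: rc = " + result.getRetCode() + " error = " + result.getErrMsg());
            }
            CertPath certPath = parseCertPath(result);
            validationContext.add(p.cpA, certPath);
            // Warnings are only recorded here; nothing in this method rejects the certificate
            // because of them.
            ((aa) validationContext.get(ValidationContext.WARNINGS)).a(PkixProfile.class, parseWarnings(certPath, result));
        } catch (CertificateException e2) {
            throw new z("Failed to invoke PKIC validator", e2);
        }
    }

    /**
     * Schedules a validation of the context's certificate on the context's short-task executor.
     *
     * @param validationContext context holding the certificate; must not already hold a
     *     certificate path
     * @return a future that completes once validation has run; successful completion does not
     *     by itself mean the certificate is trusted, see the class comment
     * @throws z if the context already holds a certificate path or holds no certificate
     */
    @Override // com.blackberry.security.trustmgr.Validator
    public FutureResult<Void> validate(ValidationContext validationContext) {
        if (validationContext.contains(p.cpA)) {
            throw new z("Certificate path already exists");
        }
        if (!validationContext.contains(ValidationContext.CERT)) {
            throw new z("Unsupported validation mode");
        }
        d dVar = new d();
        ((Executor) validationContext.get(ValidationContext.SHORT_TASK_EXECUTOR)).execute(new Worker(validationContext, dVar));
        return dVar;
    }
}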
