package com.blackberry.security.secureemail.provider.certificate;

import android.annotation.TargetApi;
import android.content.Context;
import com.blackberry.common.utils.o;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXReason;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;

/* compiled from: CertPathCertValidator.java */
/* loaded from: classes.dex */
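/**
 * Certificate validator that builds a chain from the Android system CA store and runs PKIX path
 * validation over it (decompiled from {@code CertPathCertValidator.java}).
 *
 * <p>Identifiers such as {@code a}, {@code c}, {@code g}, {@code o}, {@code cnQ} and {@code cnR}
 * are obfuscated; their definitions live outside this file.
 */
class a extends c {
    /**
     * Creates a validator instance.
     *
     * <p>All three arguments are forwarded unchanged to the superclass constructor; their meaning
     * is defined there and is not visible in this file.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public a(Context context, byte[] bArr, String str) {
        super(context, bArr, str);
    }

    /**
     * Builds a certification path for {@code x509Certificate} using only certificates found in
     * {@code keyStore}.
     *
     * <p>Starting at the given certificate, the method repeatedly looks up key store entries whose
     * subject equals the current certificate's issuer, checks the current certificate's signature
     * against each candidate's public key, and walks upward until a self-issued certificate
     * (issuer equals subject) is appended. If a step finds no candidate whose key verifies the
     * signature, the path is emptied and returned as an empty {@link CertPath}.
     *
     * @param keyStore source of candidate issuer certificates
     * @param x509Certificate certificate the path starts from
     * @return the collected path, or an empty path when no verified issuer could be found
     * @throws KeyStoreException if the key store cannot be enumerated
     * @throws InvalidAlgorithmParameterException if the collection cert store rejects its parameters
     * @throws NoSuchAlgorithmException if the "Collection" cert store type is unavailable
     * @throws CertStoreException if the issuer lookup fails
     * @throws CertificateException if the X.509 factory is unavailable or cannot build the path
     */
    private static CertPath a(KeyStore keyStore, X509Certificate x509Certificate)
            throws KeyStoreException, InvalidAlgorithmParameterException, NoSuchAlgorithmException,
                    CertStoreException, CertificateException {
        ArrayList<X509Certificate> path = new ArrayList<>();
        ArrayList<X509Certificate> storeCerts = new ArrayList<>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            // Non-certificate entries return null and non-X.509 entries are skipped instead of
            // failing the whole build with a ClassCastException.
            Certificate entry = keyStore.getCertificate(aliases.nextElement());
            if (entry instanceof X509Certificate) {
                storeCerts.add((X509Certificate) entry);
            }
        }
        CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeCerts));
        X509CertSelector issuerSelector = new X509CertSelector();
        X509Certificate current = x509Certificate;
        boolean finished = false;
        // NOTE(review): there is no depth limit or repeat check; certificates in the store that
        // sign each other without being self-issued would keep this loop running. Confirm whether
        // a bound is needed.
        while (true) {
            path.add(current);
            o.b("SecureEmail", "Added to buildCertPath: %s", current.getSubjectX500Principal());
            issuerSelector.setSubject(current.getIssuerX500Principal());
            X509Certificate next = current;
            boolean issuerFound = false;
            for (Certificate match : certStore.getCertificates(issuerSelector)) {
                // The selector is an X509CertSelector, so every match is an X509Certificate.
                X509Certificate candidate = (X509Certificate) match;
                try {
                    next.verify(candidate.getPublicKey());
                } catch (Exception e) {
                    // A candidate whose key does not verify the signature must not be used as
                    // the issuer. The decompiled flow fell through here and accepted the
                    // candidate anyway, which made the name match alone sufficient.
                    o.d("SecureEmail", "Signature verification failed: %s", e.getMessage());
                    continue;
                }
                if (candidate.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) {
                    // Self-issued certificate: treat it as the top of the chain.
                    path.add(candidate);
                    finished = true;
                } else {
                    // Later candidates in this same pass are checked against this new
                    // certificate, as in the original flow.
                    next = candidate;
                }
                issuerFound = true;
            }
            if (!issuerFound) {
                // No verified issuer in the store: give up and hand back an empty path.
                path.clear();
                finished = true;
            }
            if (finished) {
                o.c("SecureEmail", "buildCertPath size: %d", Integer.valueOf(path.size()));
                return CertificateFactory.getInstance("X.509").generateCertPath(path);
            }
            current = next;
        }
    }

    /**
     * Validates the certificate created from {@code cnQ} against the "AndroidCAStore" trust
     * anchors and maps the outcome to a {@code g} result.
     *
     * <p>The numeric constructor arguments of {@code g} are defined outside this file and are
     * passed through here exactly as found.
     *
     * @return a {@code g} describing the outcome, or {@code null} when PKIX validation fails for
     *     a reason that is not handled explicitly below
     */
    @Override // com.blackberry.security.secureemail.provider.certificate.c
    @TargetApi(24)
    protected g RO() {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidCAStore");
            keyStore.load(null, null);
            // NOTE(review): a(...) returns an empty CertPath when no verified issuer exists in
            // the store. Confirm that the validator in use rejects an empty path rather than
            // treating it as trivially valid; otherwise such a certificate ends in the
            // CERTIFICATE_STATUS_GOOD result below.
            CertPath a2 = a(keyStore, createCertificate(this.cnQ));
            PKIXParameters pKIXParameters = new PKIXParameters(keyStore);
            CertPathValidator certPathValidator;
            if (com.blackberry.email.c.a.Gg()) {
                certPathValidator = CertPathValidator.getInstance("PKIX", "BBCertPathValidatorProvider");
            } else {
                certPathValidator = CertPathValidator.getInstance("PKIX");
                // NOTE(review): revocation checking is switched off on this branch, so a revoked
                // certificate is not detected when the default provider is used.
                pKIXParameters.setRevocationEnabled(false);
            }
            certPathValidator.validate(a2, pKIXParameters);
            o.c("SecureEmail", "Validate passed for " + this.cnR, new Object[0]);
            return new g(1, 1, com.blackberry.security.secureemail.client.b.a.CERTIFICATE_STATUS_GOOD);
        } catch (CertPathValidatorException e6) {
            CertPathValidatorException.Reason reason = e6.getReason();
            o.d("SecureEmail", "Validate failed for " + this.cnR + ", reason: " + reason.toString(), new Object[0]);
            if (reason == CertPathValidatorException.BasicReason.REVOKED) {
                return new g(2, 8, com.blackberry.security.secureemail.client.b.a.CERTIFICATE_STATUS_CRITICAL);
            }
            if (reason == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // NOTE(review): an undetermined revocation status is reported as
                // CERTIFICATE_STATUS_GOOD (soft-fail). Confirm this is the intended policy.
                return new g(4, 8, com.blackberry.security.secureemail.client.b.a.CERTIFICATE_STATUS_GOOD);
            }
            if (reason == CertPathValidatorException.BasicReason.EXPIRED || reason == CertPathValidatorException.BasicReason.NOT_YET_VALID) {
                return new g(1, 2, com.blackberry.security.secureemail.client.b.a.CERTIFICATE_STATUS_WARNING);
            }
            if (reason == PKIXReason.INVALID_POLICY) {
                return new g(1, 1, com.blackberry.security.secureemail.client.b.a.CERTIFICATE_STATUS_CRITICAL);
            }
            // NOTE(review): every other failure reason (for example a missing trust anchor or a
            // bad signature) yields null. Verify that callers treat null as a failed validation.
            return null;
        } catch (IOException
                | InvalidAlgorithmParameterException
                | KeyStoreException
                | NoSuchAlgorithmException
                | NoSuchProviderException
                | CertStoreException
                | CertificateException e) {
            // Setup or path-building failures all map to the same "unknown" result.
            o.d("SecureEmail", "Failed to validate cert: %s, %s", e.getClass().getSimpleName(), e.getMessage());
            return new g(4, 8, com.blackberry.security.secureemail.client.b.a.CERTIFICATE_STATUS_UNKNOWN);
        }
    }
}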
