package com.blackberry.security.trustmgr.x509;

import com.blackberry.security.trustmgr.CertificateUsageType;
import com.blackberry.security.trustmgr.ValidationException;
import com.blackberry.security.trustmgr.a.f;
import com.blackberry.security.trustmgr.a.r;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;

/* loaded from: classes3.dex */
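/**
 * Checks whether an X.509 certificate's {@code keyUsage} and {@code extendedKeyUsage}
 * extensions are compatible with the purpose the certificate is being used for.
 *
 * <p>Mismatches are reported as {@code WARN_INVALID_USAGE} warnings in the returned list; this
 * class never rejects a certificate by itself. Whether a warning blocks the connection or the
 * S/MIME operation is decided by the caller, which is not visible in this file.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>A certificate that omits an extension passes the corresponding check. For
 *       {@code extendedKeyUsage} this matches RFC 5280, where absence means "unrestricted".</li>
 *   <li>{@code anyExtendedKeyUsage} satisfies every usage type.</li>
 *   <li>Usage types other than {@code SMIME_PEER}, {@code SSL_CLIENT} and {@code SSL_SERVER}
 *       are not checked at all.</li>
 * </ul>
 */
public class X509CertUsageVerifier implements f {
    /** anyExtendedKeyUsage (RFC 5280): the certificate is valid for any purpose. */
    private static final String EKU_ANY = "2.5.29.37.0";
    /** id-kp-clientAuth: TLS client authentication. */
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    /** id-kp-emailProtection: S/MIME. */
    private static final String EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4";
    /** Microsoft Server Gated Crypto: legacy export-era OID, accepted here for TLS servers. */
    private static final String EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
    /** id-kp-serverAuth: TLS server authentication. */
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    /** Netscape Server Gated Crypto: legacy export-era OID, accepted here for TLS servers. */
    private static final String EKU_nsSGC = "2.16.840.1.113730.4.1";
    /** Index of the digitalSignature bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KU_DIGITAL_SIGNATURE = 0;
    /** Index of the nonRepudiation bit; declared but not required by any usage type below. */
    private static final int KU_NON_REPUDIATION = 1;

    /**
     * Adds {@code warning} to {@code warnings}, folding it into an existing entry when one with
     * the same {@code QJ()} value is already present.
     *
     * @param warnings list being built for the caller; modified in place
     * @param warning  warning to record, or {@code null} when the check raised nothing
     */
    private void addWarning(List<r> warnings, r warning) {
        if (warning == null) {
            return;
        }
        for (r existing : warnings) {
            // NOTE(review): QJ() is an obfuscated accessor, presumably the warning type, and j()
            // presumably appends debug info to the existing entry; confirm against class r.
            if (existing.QJ() == warning.QJ()) {
                existing.j(warning.getDebugInfo());
                return;
            }
        }
        warnings.add(warning);
    }

    /**
     * Checks the certificate's extendedKeyUsage extension against the requested usage.
     *
     * @param certificateUsageType purpose the certificate is being validated for
     * @param x509Certificate      certificate under validation
     * @return {@code null} when the extension is absent, the usage type is not one of the three
     *         handled here, or at least one acceptable OID is listed; otherwise a
     *         {@code WARN_INVALID_USAGE} warning naming the acceptable OIDs
     * @throws ValidationException if the extension cannot be decoded
     */
    private r verifyExtendedKeyUsage(CertificateUsageType certificateUsageType, X509Certificate x509Certificate) {
        try {
            List<String> presentUsages = x509Certificate.getExtendedKeyUsage();
            if (presentUsages == null) {
                // No EKU extension: the certificate is not restricted to specific purposes.
                return null;
            }
            HashSet<String> acceptedUsages = new HashSet<>();
            acceptedUsages.add(EKU_ANY);
            switch (certificateUsageType) {
                case SMIME_PEER:
                    acceptedUsages.add(EKU_EMAIL_PROTECTION);
                    break;
                case SSL_CLIENT:
                    acceptedUsages.add(EKU_CLIENT_AUTH);
                    break;
                case SSL_SERVER:
                    acceptedUsages.add(EKU_SERVER_AUTH);
                    // NOTE(review): the two SGC OIDs are legacy step-up identifiers; accepting
                    // them widens what counts as a server certificate. Confirm still required.
                    acceptedUsages.add(EKU_MS_SGC);
                    acceptedUsages.add(EKU_nsSGC);
                    break;
                default:
                    // Any other usage type is not subject to an EKU check.
                    return null;
            }
            // The scan must terminate on the first match or at the end of the list; the
            // decompiled while(true) form had no exit and made the code below unreachable.
            boolean matched = false;
            for (String usage : presentUsages) {
                if (acceptedUsages.contains(usage)) {
                    matched = true;
                    break;
                }
            }
            if (matched) {
                return null;
            }
            r warning = new r(r.a.WARN_INVALID_USAGE);
            warning.kW("Expected extended key usage(s): " + acceptedUsages);
            return warning;
        } catch (CertificateParsingException e) {
            throw new ValidationException("Failed to parse certificate", e);
        }
    }

    /**
     * Checks the certificate's keyUsage extension against the requested usage.
     *
     * <p>Only the digitalSignature bit is required, and the same bit is required for all three
     * handled usage types. NOTE(review): no encryption-related bit (for example keyEncipherment)
     * is checked for S/MIME peers or TLS servers; confirm that is intended.
     *
     * @param certificateUsageType purpose the certificate is being validated for
     * @param x509Certificate      certificate under validation
     * @return {@code null} when the extension is absent or every required bit is set; otherwise
     *         a single {@code WARN_INVALID_USAGE} warning listing each missing bit index
     */
    private r verifyKeyUsage(CertificateUsageType certificateUsageType, X509Certificate x509Certificate) {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            // No keyUsage extension: nothing to enforce.
            return null;
        }
        HashSet<Integer> requiredBits = new HashSet<>();
        switch (certificateUsageType) {
            case SMIME_PEER:
            case SSL_CLIENT:
            case SSL_SERVER:
                requiredBits.add(KU_DIGITAL_SIGNATURE);
                break;
            default:
                break;
        }
        r warning = null;
        for (int bit : requiredBits) {
            // A bit index beyond the decoded array is skipped rather than treated as missing.
            if (bit < 0 || bit >= keyUsage.length) {
                continue;
            }
            if (!keyUsage[bit]) {
                if (warning == null) {
                    warning = new r(r.a.WARN_INVALID_USAGE);
                }
                warning.kW("Missing key usage: " + bit);
            }
        }
        return warning;
    }

    /**
     * Runs the keyUsage and extendedKeyUsage checks for {@code certificate}.
     *
     * @param certificateUsageType purpose the certificate is being validated for
     * @param certificate          certificate under validation; must be an {@link X509Certificate}
     * @return the warnings raised, merged by {@link #addWarning}; empty when both checks pass
     * @throws IllegalArgumentException if {@code certificate} is {@code null} or not X.509
     * @throws ValidationException      if the extendedKeyUsage extension cannot be decoded
     */
    @Override // com.blackberry.security.trustmgr.a.f
    public List<r> verify(CertificateUsageType certificateUsageType, Certificate certificate) {
        if (certificate == null) {
            // instanceof is false for null, so without this guard getType() below would throw
            // a NullPointerException instead of a meaningful argument error.
            throw new IllegalArgumentException("Certificate must not be null");
        }
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException("Unsupported certificate type: " + certificate.getType());
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;
        List<r> warnings = new ArrayList<>();
        addWarning(warnings, verifyKeyUsage(certificateUsageType, x509Certificate));
        addWarning(warnings, verifyExtendedKeyUsage(certificateUsageType, x509Certificate));
        return warnings;
    }
}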
