package de.mtg.jzlint.lints.rfc;

import de.mtg.jzlint.EffectiveDate;
import de.mtg.jzlint.JavaLint;
import de.mtg.jzlint.Lint;
import de.mtg.jzlint.LintResult;
import de.mtg.jzlint.Source;
import de.mtg.jzlint.Status;
import de.mtg.jzlint.utils.Utils;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;

@Lint(name = "e_path_len_constraint_improperly_included", description = "CAs MUST NOT include the pathLenConstraint field unless the CA boolean is asserted and the keyCertSign bit is set", citation = "RFC 5280: 4.2.1.9", source = Source.RFC5280, effectiveDate = EffectiveDate.RFC5280)
/* loaded from: input_file:BOOT-INF/lib/jzlint-1.0.0.jar:de/mtg/jzlint/lints/rfc/PathLenConstraintImproperlyIncluded.class */
public class PathLenConstraintImproperlyIncluded implements JavaLint {
    @Override // de.mtg.jzlint.JavaLint
    public LintResult execute(X509Certificate x509Certificate) {
        ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(ASN1OctetString.getInstance(x509Certificate.getExtensionValue(Extension.basicConstraints.getId())).getOctets());
        if (aSN1Sequence.size() == 0) {
            return LintResult.of(Status.PASS);
        }
        if (aSN1Sequence.size() == 1) {
            return aSN1Sequence.getObjectAt(0) instanceof ASN1Boolean ? LintResult.of(Status.PASS) : LintResult.of(Status.ERROR);
        }
        if (((ASN1Boolean) aSN1Sequence.getObjectAt(0)).isTrue() && Utils.hasKeyUsageExtension(x509Certificate) && KeyUsage.getInstance(ASN1OctetString.getInstance(x509Certificate.getExtensionValue(Extension.keyUsage.getId())).getOctets()).hasUsages(4)) {
            return LintResult.of(Status.PASS);
        }
        return LintResult.of(Status.ERROR);
    }

    @Override // de.mtg.jzlint.JavaLint
    public boolean checkApplies(X509Certificate x509Certificate) {
        return Utils.hasBasicConstraintsExtension(x509Certificate);
    }
}
