package org.xipki.qa.ca.extn;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERT61String;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.smime.SMIMECapability;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.BadCertTemplateException;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.certprofile.xijson.DirectoryStringType;
import org.xipki.ca.certprofile.xijson.ExtensionSyntaxChecker;
import org.xipki.ca.certprofile.xijson.XijsonCertprofile;
import org.xipki.ca.certprofile.xijson.conf.AdditionalInformation;
import org.xipki.ca.certprofile.xijson.conf.CertificatePolicies;
import org.xipki.ca.certprofile.xijson.conf.ExtensionType;
import org.xipki.ca.certprofile.xijson.conf.ExtnSyntax;
import org.xipki.ca.certprofile.xijson.conf.InhibitAnyPolicy;
import org.xipki.ca.certprofile.xijson.conf.NameConstraints;
import org.xipki.ca.certprofile.xijson.conf.PolicyConstraints;
import org.xipki.ca.certprofile.xijson.conf.PolicyMappings;
import org.xipki.ca.certprofile.xijson.conf.QcStatements;
import org.xipki.ca.certprofile.xijson.conf.Restriction;
import org.xipki.ca.certprofile.xijson.conf.SmimeCapabilities;
import org.xipki.ca.certprofile.xijson.conf.TlsFeature;
import org.xipki.ca.certprofile.xijson.conf.X509ProfileType;
import org.xipki.qa.ValidationIssue;
import org.xipki.qa.ca.IssuerInfo;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.X509Cert;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;

/* loaded from: input_file:org/xipki/qa/ca/extn/ExtensionsChecker.class */
public class ExtensionsChecker {
    private static final Logger LOG = LoggerFactory.getLogger(ExtensionsChecker.class);
    // Expected settings read from the profile configuration. The constructor assigns each of the
    // fields below only when the certprofile has an extension control for the matching OID, so a
    // null field means "no control for this extension" (or the configuration getter returned null).
    private CertificatePolicies certificatePolicies;
    private PolicyMappings policyMappings;
    private NameConstraints nameConstraints;
    private PolicyConstraints policyConstraints;
    private InhibitAnyPolicy inhibitAnyPolicy;
    private Restriction restriction;
    private AdditionalInformation additionalInformation;
    // OID of the configured validity model, converted with toXiOid() in the constructor.
    private ASN1ObjectIdentifier validityModelId;
    private QcStatements qcStatements;
    private TlsFeature tlsFeature;
    // DER encoding of the configured SMIMECapabilities sequence plus the criticality flag taken
    // from the extension control; built once in the constructor.
    private QaExtensionValue smimeCapabilities;
    // Produced by CheckerUtil.buildConstantExtesions; getExpectedExtValue treats an entry here as
    // the expected value for that extension OID.
    private Map<ASN1ObjectIdentifier, QaExtensionValue> constantExtensions;
    // Produced by CheckerUtil.buildExtesionSyntaxes; an OID listed here is validated with
    // ExtensionSyntaxChecker in checkExtensions instead of one of the dedicated checkers.
    private Map<ASN1ObjectIdentifier, ExtnSyntax> extensionSyntaxes;
    // Assigned only in the constructor (after a null check) although not declared final.
    private XijsonCertprofile certprofile;
    // Per-extension checkers, each constructed with a reference to this instance.
    // NOTE(review): the class names look like an alphabetical split by extension name
    // (A-G, H-N, O-T, U-Z) -- confirm against those classes.
    private final A2gChecker a2gChecker;
    private final H2nChecker h2nChecker;
    private final O2tChecker o2tChecker;
    private final U2zChecker u2zChecker;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.qa.ca.extn.ExtensionsChecker$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/qa/ca/extn/ExtensionsChecker$1.class */
    /**
     * Synthetic lookup table recovered by the decompiler for a switch over
     * {@link DirectoryStringType}. It maps each enum constant's ordinal to the case label
     * (1 to 4) that {@code checkDirectoryString} switches on; an ordinal that is never assigned
     * keeps the array default of 0 and therefore reaches that switch's {@code default} branch.
     */
    public static /* synthetic */ class AnonymousClass1 {
        // Sized from the enum as it exists at run time, indexed by ordinal().
        static final /* synthetic */ int[] $SwitchMap$org$xipki$ca$certprofile$xijson$DirectoryStringType = new int[DirectoryStringType.values().length];

        static {
            // Each assignment is wrapped separately so that one constant missing from the enum at
            // run time (NoSuchFieldError) does not prevent the remaining entries from being set.
            try {
                $SwitchMap$org$xipki$ca$certprofile$xijson$DirectoryStringType[DirectoryStringType.bmpString.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // deliberately ignored: the constant is absent, its case label stays unmapped
            }
            try {
                $SwitchMap$org$xipki$ca$certprofile$xijson$DirectoryStringType[DirectoryStringType.printableString.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // deliberately ignored, see above
            }
            try {
                $SwitchMap$org$xipki$ca$certprofile$xijson$DirectoryStringType[DirectoryStringType.teletexString.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // deliberately ignored, see above
            }
            try {
                $SwitchMap$org$xipki$ca$certprofile$xijson$DirectoryStringType[DirectoryStringType.utf8String.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
                // deliberately ignored, see above
            }
        }
    }

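    /**
     * Creates a checker from the profile configuration and the loaded certprofile.
     *
     * <p>For every extension that has a control in the certprofile, the matching configuration
     * entry is read and cached in a field. Extensions without a control leave their field
     * {@code null}. A control without a matching configuration entry is not handled here and
     * fails with a {@link NullPointerException}, as in the original code.
     *
     * @param x509ProfileType the profile configuration; must not be null
     * @param xijsonCertprofile the certprofile supplying the extension controls; must not be null
     * @throws CertprofileException if the configured SMIMECapabilities cannot be DER-encoded
     *     (the original {@link IOException} is kept as the cause)
     */
    public ExtensionsChecker(X509ProfileType x509ProfileType, XijsonCertprofile xijsonCertprofile) throws CertprofileException {
        this.certprofile = (XijsonCertprofile) Args.notNull(xijsonCertprofile, "certprofile");
        Args.notNull(x509ProfileType, "conf");
        // Configuration entries are keyed by the dotted OID string, controls by the OID object.
        Map<String, ExtensionType> extnConfs = x509ProfileType.buildExtensions();
        Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> controls = xijsonCertprofile.getExtensionControls();

        ASN1ObjectIdentifier type = Extension.certificatePolicies;
        if (controls.containsKey(type)) {
            this.certificatePolicies = extnConfs.get(type.getId()).getCertificatePolicies();
        }
        type = Extension.policyMappings;
        if (controls.containsKey(type)) {
            this.policyMappings = extnConfs.get(type.getId()).getPolicyMappings();
        }
        type = Extension.nameConstraints;
        if (controls.containsKey(type)) {
            this.nameConstraints = extnConfs.get(type.getId()).getNameConstraints();
        }
        type = Extension.policyConstraints;
        if (controls.containsKey(type)) {
            this.policyConstraints = extnConfs.get(type.getId()).getPolicyConstraints();
        }
        type = Extension.inhibitAnyPolicy;
        if (controls.containsKey(type)) {
            this.inhibitAnyPolicy = extnConfs.get(type.getId()).getInhibitAnyPolicy();
        }
        type = ObjectIdentifiers.Extn.id_extension_restriction;
        if (controls.containsKey(type)) {
            this.restriction = extnConfs.get(type.getId()).getRestriction();
        }
        type = ObjectIdentifiers.Extn.id_extension_additionalInformation;
        if (controls.containsKey(type)) {
            this.additionalInformation = extnConfs.get(type.getId()).getAdditionalInformation();
        }
        type = ObjectIdentifiers.Extn.id_extension_validityModel;
        if (controls.containsKey(type)) {
            this.validityModelId = extnConfs.get(type.getId()).getValidityModel().getModelId().toXiOid();
        }
        type = Extension.qCStatements;
        if (controls.containsKey(type)) {
            this.qcStatements = extnConfs.get(type.getId()).getQcStatements();
        }
        type = ObjectIdentifiers.Extn.id_pe_tlsfeature;
        if (controls.containsKey(type)) {
            this.tlsFeature = extnConfs.get(type.getId()).getTlsFeature();
        }

        type = ObjectIdentifiers.Extn.id_smimeCapabilities;
        if (controls.containsKey(type)) {
            List<SmimeCapabilities.SmimeCapability> capabilities = extnConfs.get(type.getId()).getSmimeCapabilities().getCapabilities();
            ASN1EncodableVector encodedCapabilities = new ASN1EncodableVector();
            for (SmimeCapabilities.SmimeCapability capability : capabilities) {
                ASN1ObjectIdentifier capabilityId = capability.getCapabilityId().toXiOid();
                // The parameter is either an INTEGER or an arbitrary pre-encoded ASN.1 value, so
                // it is held as ASN1Encodable rather than ASN1Integer.
                ASN1Encodable capabilityParam = null;
                SmimeCapabilities.SmimeCapabilityParameter confParam = capability.getParameter();
                if (confParam != null) {
                    if (confParam.getInteger() != null) {
                        capabilityParam = new ASN1Integer(confParam.getInteger());
                    } else if (confParam.getBinary() != null) {
                        capabilityParam = CheckerUtil.readAsn1Encodable(confParam.getBinary().getValue());
                    }
                }
                encodedCapabilities.add(new SMIMECapability(capabilityId, capabilityParam));
            }
            try {
                this.smimeCapabilities = new QaExtensionValue(controls.get(type).isCritical(), new DERSequence(encodedCapabilities).getEncoded());
            } catch (IOException e) {
                // Keep the cause so the encoding failure can be diagnosed from the stack trace.
                throw new CertprofileException("Cannot encode SMIMECapabilities: " + e.getMessage(), e);
            }
        }

        this.constantExtensions = CheckerUtil.buildConstantExtesions(extnConfs);
        this.extensionSyntaxes = CheckerUtil.buildExtesionSyntaxes(extnConfs);
        // The sub-checkers receive this instance; all fields they may read are assigned above.
        this.a2gChecker = new A2gChecker(this);
        this.h2nChecker = new H2nChecker(this);
        this.o2tChecker = new O2tChecker(this);
        this.u2zChecker = new U2zChecker(this);
    }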

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the configured CertificatePolicies, or {@code null} when none was loaded.
     * The decompiler notes on the accessors in this group say the compiled class declared them
     * package-private; {@code public} here is an artifact of decompilation.
     */
    public CertificatePolicies getCertificatePolicies() {
        return certificatePolicies;
    }

    /** Returns the configured PolicyMappings, or {@code null} when none was loaded. */
    public PolicyMappings getPolicyMappings() {
        return policyMappings;
    }

    /** Returns the configured NameConstraints, or {@code null} when none was loaded. */
    public NameConstraints getNameConstraints() {
        return nameConstraints;
    }

    /** Returns the configured PolicyConstraints, or {@code null} when none was loaded. */
    public PolicyConstraints getPolicyConstraints() {
        return policyConstraints;
    }

    /** Returns the configured InhibitAnyPolicy, or {@code null} when none was loaded. */
    public InhibitAnyPolicy getInhibitAnyPolicy() {
        return inhibitAnyPolicy;
    }

    /** Returns the configured Restriction, or {@code null} when none was loaded. */
    public Restriction getRestriction() {
        return restriction;
    }

    /** Returns the configured AdditionalInformation, or {@code null} when none was loaded. */
    public AdditionalInformation getAdditionalInformation() {
        return additionalInformation;
    }

    /** Returns the OID of the configured validity model, or {@code null} when none was loaded. */
    public ASN1ObjectIdentifier getValidityModelId() {
        return validityModelId;
    }

    /** Returns the configured QcStatements, or {@code null} when none was loaded. */
    public QcStatements getQcStatements() {
        return qcStatements;
    }

    /** Returns the configured TlsFeature, or {@code null} when none was loaded. */
    public TlsFeature getTlsFeature() {
        return tlsFeature;
    }

    /** Returns the pre-encoded SMIMECapabilities value, or {@code null} when none was built. */
    public QaExtensionValue getSmimeCapabilities() {
        return smimeCapabilities;
    }

    /** Returns the internal map of constant extension values itself, not a copy. */
    Map<ASN1ObjectIdentifier, QaExtensionValue> getConstantExtensions() {
        return constantExtensions;
    }

    /** Returns the certprofile this checker was created with. */
    public XijsonCertprofile getCertprofile() {
        return certprofile;
    }

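    /**
     * Checks the extensions of an issued certificate against the profile and the request.
     *
     * <p>One issue is produced per extension present in the certificate, plus one per expected
     * extension that is missing. An extension that is present but not in the expected set is
     * reported as not permitted. For expected extensions the criticality flag and the value are
     * compared with what the profile and the request allow.
     *
     * <p>A certificate without any extensions yields the single general issue
     * "no extension is present" rather than a {@link NullPointerException}.
     *
     * @param certificate the issued certificate; must not be null
     * @param issuerInfo information about the issuer; must not be null
     * @param extensions the extensions contained in the request; may be null
     * @param x500Name the requested subject, passed through to the checkers that need it
     * @return the list of issues; an issue without a failure message passed its check
     */
    public List<ValidationIssue> checkExtensions(Certificate certificate, IssuerInfo issuerInfo, Extensions extensions, X500Name x500Name) {
        Args.notNull(certificate, "cert");
        Args.notNull(issuerInfo, "issuerInfo");
        X509Cert x509Cert = new X509Cert(certificate);
        List<ValidationIssue> issues = new LinkedList<>();

        // BouncyCastle returns null from getExtensions() when the certificate has no extensions
        // block, so this is tested before anything dereferences it.
        Extensions certExtensions = certificate.getTBSCertificate().getExtensions();
        ASN1ObjectIdentifier[] certExtnOids = certExtensions == null ? null : certExtensions.getExtensionOIDs();
        if (certExtnOids == null) {
            ValidationIssue generalIssue = new ValidationIssue("X509.EXT.GEN", "extension general");
            issues.add(generalIssue);
            generalIssue.setFailureMessage("no extension is present");
            return issues;
        }

        Set<ASN1ObjectIdentifier> expectedTypes = getExensionTypes(certificate, issuerInfo, extensions);
        List<ASN1ObjectIdentifier> presentTypes = Arrays.asList(certExtnOids);

        // Pass 1: expected extensions that the certificate lacks.
        for (ASN1ObjectIdentifier expected : expectedTypes) {
            if (!presentTypes.contains(expected)) {
                ValidationIssue missing = createExtensionIssue(expected);
                issues.add(missing);
                missing.setFailureMessage("extension is absent but is required");
            }
        }

        // Pass 2: every extension the certificate carries, in certificate order.
        Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> controls = this.certprofile.getExtensionControls();
        for (ASN1ObjectIdentifier oid : presentTypes) {
            ValidationIssue issue = createExtensionIssue(oid);
            issues.add(issue);
            if (!expectedTypes.contains(oid)) {
                issue.setFailureMessage("extension is present but is not permitted");
                continue;
            }

            Extension certExtn = certExtensions.getExtension(oid);
            StringBuilder failure = new StringBuilder();
            Certprofile.ExtensionControl control = controls.get(oid);
            if (control.isCritical() != certExtn.isCritical()) {
                CheckerUtil.addViolation(failure, "critical", certExtn.isCritical(), control.isCritical());
            }
            byte[] certValue = certExtn.getExtnValue().getOctets();
            try {
                boolean hasDeclaredSyntax = this.extensionSyntaxes != null && this.extensionSyntaxes.containsKey(oid);
                if (hasDeclaredSyntax) {
                    // A syntax-controlled extension must be copied verbatim from the request. A
                    // request that lacks it (or no request extensions at all) is a mismatch.
                    Extension requestedExtn = extensions == null ? null : extensions.getExtension(oid);
                    if (requestedExtn != null && Arrays.equals(requestedExtn.getExtnValue().getOctets(), certValue)) {
                        try {
                            ExtensionSyntaxChecker.checkExtension("extension " + ObjectIdentifiers.oidToDisplayName(oid), certExtn.getParsedValue(), this.extensionSyntaxes.get(oid));
                        } catch (BadCertTemplateException e) {
                            failure.append(e.getMessage());
                        }
                    } else {
                        failure.append("extension in certificate does not equal the one contained in the request");
                    }
                } else if (Extension.authorityKeyIdentifier.equals(oid)) {
                    this.a2gChecker.checkExtnAuthorityKeyId(failure, certValue, issuerInfo);
                } else if (Extension.subjectKeyIdentifier.equals(oid)) {
                    this.o2tChecker.checkExtnSubjectKeyIdentifier(failure, certValue, certificate.getSubjectPublicKeyInfo());
                } else if (Extension.keyUsage.equals(oid)) {
                    this.h2nChecker.checkExtnKeyUsage(failure, x509Cert.getKeyUsage(), extensions, control);
                } else if (Extension.certificatePolicies.equals(oid)) {
                    this.a2gChecker.checkExtnCertificatePolicies(failure, certValue, extensions, control);
                } else if (Extension.policyMappings.equals(oid)) {
                    this.o2tChecker.checkExtnPolicyMappings(failure, certValue, extensions, control);
                } else if (Extension.subjectAlternativeName.equals(oid)) {
                    this.o2tChecker.checkExtnSubjectAltNames(failure, certValue, extensions, control, x500Name);
                } else if (Extension.subjectDirectoryAttributes.equals(oid)) {
                    this.o2tChecker.checkExtnSubjectDirAttrs(failure, certValue, extensions, control);
                } else if (Extension.issuerAlternativeName.equals(oid)) {
                    this.h2nChecker.checkExtnIssuerAltNames(failure, certValue, issuerInfo);
                } else if (Extension.basicConstraints.equals(oid)) {
                    this.a2gChecker.checkExtnBasicConstraints(failure, certValue);
                } else if (Extension.nameConstraints.equals(oid)) {
                    this.h2nChecker.checkExtnNameConstraints(failure, certValue, extensions, control);
                } else if (Extension.policyConstraints.equals(oid)) {
                    this.o2tChecker.checkExtnPolicyConstraints(failure, certValue, extensions, control);
                } else if (Extension.extendedKeyUsage.equals(oid)) {
                    this.a2gChecker.checkExtnExtendedKeyUsage(failure, certValue, extensions, control);
                } else if (Extension.cRLDistributionPoints.equals(oid)) {
                    this.a2gChecker.checkExtnCrlDistributionPoints(failure, certValue, issuerInfo);
                } else if (Extension.inhibitAnyPolicy.equals(oid)) {
                    // NOTE(review): this is the only checker handed the certificate's own
                    // extensions; every sibling receives the requested ones -- confirm intent.
                    this.h2nChecker.checkExtnInhibitAnyPolicy(failure, certValue, certExtensions, control);
                } else if (Extension.freshestCRL.equals(oid)) {
                    this.a2gChecker.checkExtnDeltaCrlDistributionPoints(failure, certValue, issuerInfo);
                } else if (Extension.authorityInfoAccess.equals(oid)) {
                    this.a2gChecker.checkExtnAuthorityInfoAccess(failure, certValue, issuerInfo);
                } else if (Extension.subjectInfoAccess.equals(oid)) {
                    this.o2tChecker.checkExtnSubjectInfoAccess(failure, certValue, extensions, control);
                } else if (ObjectIdentifiers.Extn.id_extension_admission.equals(oid)) {
                    this.a2gChecker.checkExtnAdmission(failure, certValue, extensions, x500Name, control);
                } else if (ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck.equals(oid)) {
                    this.o2tChecker.checkExtnOcspNocheck(failure, certValue);
                } else if (ObjectIdentifiers.Extn.id_extension_restriction.equals(oid)) {
                    this.o2tChecker.checkExtnRestriction(failure, certValue, extensions, control);
                } else if (ObjectIdentifiers.Extn.id_extension_additionalInformation.equals(oid)) {
                    this.a2gChecker.checkExtnAdditionalInformation(failure, certValue, extensions, control);
                } else if (ObjectIdentifiers.Extn.id_extension_validityModel.equals(oid)) {
                    this.u2zChecker.checkExtnValidityModel(failure, certValue, extensions, control);
                } else if (Extension.privateKeyUsagePeriod.equals(oid)) {
                    this.o2tChecker.checkExtnPrivateKeyUsagePeriod(failure, certValue, x509Cert.getNotBefore(), x509Cert.getNotAfter());
                } else if (Extension.qCStatements.equals(oid)) {
                    this.o2tChecker.checkExtnQcStatements(failure, certValue, extensions, control);
                } else if (Extension.biometricInfo.equals(oid)) {
                    this.a2gChecker.checkExtnBiometricInfo(failure, certValue, extensions);
                } else if (ObjectIdentifiers.Extn.id_pe_tlsfeature.equals(oid)) {
                    this.o2tChecker.checkExtnTlsFeature(failure, certValue, extensions, control);
                } else if (ObjectIdentifiers.Extn.id_smimeCapabilities.equals(oid)) {
                    this.o2tChecker.checkSmimeCapabilities(failure, certValue, control);
                } else if (ObjectIdentifiers.Extn.id_SCTs.equals(oid)) {
                    this.o2tChecker.checkScts(failure, certValue, control);
                } else if (ObjectIdentifiers.Extn.id_GMT_0015_ICRegistrationNumber.equals(oid)
                        || ObjectIdentifiers.Extn.id_GMT_0015_InsuranceNumber.equals(oid)
                        || ObjectIdentifiers.Extn.id_GMT_0015_OrganizationCode.equals(oid)
                        || ObjectIdentifiers.Extn.id_GMT_0015_TaxationNumber.equals(oid)
                        || ObjectIdentifiers.Extn.id_GMT_0015_IdentityCode.equals(oid)) {
                    this.a2gChecker.checkExtnGmt0015(failure, certValue, extensions, control, oid, x500Name);
                } else {
                    // No dedicated checker: compare byte-for-byte with the constant or requested value.
                    byte[] expectedValue = getExpectedExtValue(oid, extensions, control);
                    if (!Arrays.equals(expectedValue, certValue)) {
                        CheckerUtil.addViolation(failure, "extension value", CheckerUtil.hex(certValue), expectedValue == null ? "not present" : CheckerUtil.hex(expectedValue));
                    }
                }
                if (failure.length() > 0) {
                    issue.setFailureMessage(failure.toString());
                }
            } catch (IOException | ArrayIndexOutOfBoundsException | ClassCastException | IllegalArgumentException e) {
                // Malformed extension content is a finding, not a checker crash; the parser
                // detail goes to the debug log only.
                LOG.debug("extension value does not have correct syntax", e);
                issue.setFailureMessage("extension value does not have correct syntax");
            }
        }
        return issues;
    }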

    /**
     * Determines the value an extension is expected to carry.
     *
     * <p>A constant value configured in the profile takes precedence. Otherwise the value from
     * the request is used, but only if the control permits taking it from the request.
     *
     * @return the expected extension value, or {@code null} when neither source provides one
     */
    private byte[] getExpectedExtValue(ASN1ObjectIdentifier aSN1ObjectIdentifier, Extensions extensions, Certprofile.ExtensionControl extensionControl) {
        boolean hasConstant = this.constantExtensions != null && this.constantExtensions.containsKey(aSN1ObjectIdentifier);
        if (hasConstant) {
            return this.constantExtensions.get(aSN1ObjectIdentifier).getValue();
        }
        if (extensions != null && extensionControl.isRequest()) {
            Extension requested = extensions.getExtension(aSN1ObjectIdentifier);
            if (requested != null) {
                return requested.getExtnValue().getOctets();
            }
        }
        return null;
    }

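    /**
     * Computes the set of extension OIDs the certificate is expected to contain.
     *
     * <p>Only OIDs that have a control in the certprofile are ever added. An OID is added when
     * its control is marked required, when it is requested and has a declared syntax, when the
     * per-extension condition below holds, or (final loop) when it appears in the request.
     * authorityKeyIdentifier, subjectKeyIdentifier, basicConstraints and OCSP-nocheck are
     * expected whenever a control exists, whatever that control's required flag says.
     *
     * @param certificate the issued certificate, consulted only for the issuerAltName rule
     * @param issuerInfo supplies the CRL, delta-CRL and OCSP URLs
     * @param extensions the extensions contained in the request; may be null
     * @return a new mutable set of expected extension OIDs
     */
    private Set<ASN1ObjectIdentifier> getExensionTypes(Certificate certificate, IssuerInfo issuerInfo, Extensions extensions) {
        Set<ASN1ObjectIdentifier> types = new HashSet<>();
        Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> controls = this.certprofile.getExtensionControls();

        for (Map.Entry<ASN1ObjectIdentifier, Certprofile.ExtensionControl> entry : controls.entrySet()) {
            ASN1ObjectIdentifier oid = entry.getKey();
            boolean requestedWithSyntax = extensions != null
                    && extensions.getExtension(oid) != null
                    && this.extensionSyntaxes != null
                    && this.extensionSyntaxes.containsKey(oid);
            if (entry.getValue().isRequired() || requestedWithSyntax) {
                types.add(oid);
            }
        }

        ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier;
        if (controls.containsKey(type)) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.subjectKeyIdentifier;
        if (controls.containsKey(type)) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.keyUsage;
        if (controls.containsKey(type)) {
            // Expected when requested, or when the profile has at least one required key usage.
            boolean expected = (extensions != null && extensions.getExtension(type) != null)
                    || CollectionUtil.isNotEmpty(this.h2nChecker.getKeyusage(true));
            if (expected) {
                CheckerUtil.addIfNotIn(types, type);
            }
        }

        type = Extension.certificatePolicies;
        if (controls.containsKey(type) && this.certificatePolicies != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.policyMappings;
        if (controls.containsKey(type) && this.policyMappings != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.subjectAlternativeName;
        if (controls.containsKey(type) && extensions != null && extensions.getExtension(type) != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.issuerAlternativeName;
        if (controls.containsKey(type)) {
            // getExtensions() is null for a certificate without extensions; guard before use.
            Extensions certExtensions = certificate.getTBSCertificate().getExtensions();
            // NOTE(review): the condition inspects subjectAlternativeName of the certificate
            // under test, not of the issuer certificate -- confirm this is the intended rule.
            if (certExtensions != null && certExtensions.getExtension(Extension.subjectAlternativeName) != null) {
                CheckerUtil.addIfNotIn(types, type);
            }
        }

        type = Extension.basicConstraints;
        if (controls.containsKey(type)) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.nameConstraints;
        if (controls.containsKey(type) && this.nameConstraints != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.policyConstraints;
        if (controls.containsKey(type) && this.policyConstraints != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.extendedKeyUsage;
        if (controls.containsKey(type)) {
            // Expected when requested, or when the profile has at least one required usage.
            boolean expected = (extensions != null && extensions.getExtension(type) != null)
                    || CollectionUtil.isNotEmpty(getExtKeyusage(true));
            if (expected) {
                CheckerUtil.addIfNotIn(types, type);
            }
        }

        type = Extension.cRLDistributionPoints;
        if (controls.containsKey(type) && issuerInfo.getCrlUrls() != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.inhibitAnyPolicy;
        if (controls.containsKey(type) && this.inhibitAnyPolicy != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.freshestCRL;
        if (controls.containsKey(type) && issuerInfo.getDeltaCrlUrls() != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.authorityInfoAccess;
        if (controls.containsKey(type) && issuerInfo.getOcspUrls() != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = Extension.subjectInfoAccess;
        if (controls.containsKey(type) && extensions != null && extensions.getExtension(type) != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = ObjectIdentifiers.Extn.id_extension_admission;
        if (controls.containsKey(type) && this.certprofile.extensions().getAdmission() != null) {
            CheckerUtil.addIfNotIn(types, type);
        }

        type = ObjectIdentifiers.Extn.id_extension_pkix_ocsp_nocheck;
        if (controls.containsKey(type)) {
            CheckerUtil.addIfNotIn(types, type);
        }

        // Any requested extension that the profile has a control for is also expected.
        if (extensions != null) {
            for (ASN1ObjectIdentifier requestedOid : extensions.getExtensionOIDs()) {
                if (controls.containsKey(requestedOid)) {
                    CheckerUtil.addIfNotIn(types, requestedOid);
                }
            }
        }
        return types;
    }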

    /**
     * Creates the (still unresolved) issue record for one extension.
     *
     * <p>The issue code uses the extension's known name when {@code ObjectIdentifiers.getName}
     * provides one, and otherwise the dotted OID with dots replaced by underscores.
     */
    private ValidationIssue createExtensionIssue(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        String knownName = ObjectIdentifiers.getName(aSN1ObjectIdentifier);
        String dottedOid = aSN1ObjectIdentifier.getId();
        String code;
        String description;
        if (knownName == null) {
            code = "X509.EXT." + dottedOid.replace('.', '_');
            description = "extension " + dottedOid;
        } else {
            code = "X509.EXT." + knownName;
            description = "extension " + knownName + " (" + dottedOid + ")";
        }
        return new ValidationIssue(code, description);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
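    /**
     * Checks an extension whose value is a single DirectoryString.
     *
     * <p>With no string type configured the value is compared as a constant extension value.
     * Otherwise the value must decode to the configured ASN.1 string type and its text must
     * equal {@code str}. Findings are appended to {@code sb}; nothing is thrown for malformed
     * input.
     *
     * <p>The decoded value is held as {@link ASN1Primitive} and cast to {@link ASN1String} only
     * after the type test has passed, so a value of another ASN.1 type is reported as a type
     * mismatch. The enum is switched on directly instead of through the synthetic ordinal table.
     *
     * @param aSN1ObjectIdentifier the extension OID
     * @param directoryStringType the expected string type, or null for a constant-value check
     * @param str the expected text
     * @param sb receives the failure messages
     * @param bArr the extension value from the certificate
     * @param extensions the extensions contained in the request; may be null
     * @param extensionControl the control for this extension
     * @throws IllegalStateException if {@code directoryStringType} is an unknown enum constant
     */
    public void checkDirectoryString(ASN1ObjectIdentifier aSN1ObjectIdentifier, DirectoryStringType directoryStringType, String str, StringBuilder sb, byte[] bArr, Extensions extensions, Certprofile.ExtensionControl extensionControl) {
        if (directoryStringType == null) {
            checkConstantExtnValue(aSN1ObjectIdentifier, sb, bArr, extensions, extensionControl);
            return;
        }

        ASN1Primitive decoded;
        try {
            decoded = ASN1Primitive.fromByteArray(bArr);
        } catch (IOException e) {
            sb.append("invalid syntax of extension value; ");
            return;
        }

        boolean typeMatches;
        switch (directoryStringType) {
            case bmpString:
                typeMatches = decoded instanceof DERBMPString;
                break;
            case printableString:
                typeMatches = decoded instanceof DERPrintableString;
                break;
            case teletexString:
                typeMatches = decoded instanceof DERT61String;
                break;
            case utf8String:
                typeMatches = decoded instanceof DERUTF8String;
                break;
            default:
                throw new IllegalStateException("should not reach here, unknown DirectoryStringType " + directoryStringType);
        }
        if (!typeMatches) {
            sb.append("extension value is not of type DirectoryString.").append(str).append("; ");
            return;
        }

        // Safe cast: each accepted DER string class is an ASN1String.
        String actualText = ((ASN1String) decoded).getString();
        if (!str.equals(actualText)) {
            CheckerUtil.addViolation(sb, "content", actualText, str);
        }
    }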

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Selects the extended key usages of the certprofile by their required flag.
     *
     * @param z {@code true} to select the required usages, {@code false} for the optional ones
     * @return a new set with the matching usages; empty when the profile defines none
     */
    public Set<Certprofile.ExtKeyUsageControl> getExtKeyusage(boolean z) {
        Set<Certprofile.ExtKeyUsageControl> selected = new HashSet<>();
        Set<Certprofile.ExtKeyUsageControl> configured = this.certprofile.extensions().getExtendedKeyusages();
        if (configured == null) {
            return selected;
        }
        for (Certprofile.ExtKeyUsageControl usage : configured) {
            if (usage.isRequired() != z) {
                continue;
            }
            selected.add(usage);
        }
        return selected;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
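    /**
     * Returns the constant value configured for an extension.
     *
     * <p>An OID without a constant entry yields {@code null}. Previously only the map itself
     * was null-checked, so a missing entry caused a {@link NullPointerException}.
     *
     * @param aSN1ObjectIdentifier the extension OID to look up
     * @return the configured value, or {@code null} when no constant is configured for the OID
     */
    public byte[] getConstantExtensionValue(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        if (this.constantExtensions == null) {
            return null;
        }
        QaExtensionValue constant = this.constantExtensions.get(aSN1ObjectIdentifier);
        return constant == null ? null : constant.getValue();
    }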

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Compares an extension value byte-for-byte with its expected value.
     *
     * <p>The expected value is the profile's constant value or, where the control allows it, the
     * requested value. A difference is recorded in {@code sb} with both values rendered by
     * {@code CheckerUtil.hex}.
     */
    public void checkConstantExtnValue(ASN1ObjectIdentifier aSN1ObjectIdentifier, StringBuilder sb, byte[] bArr, Extensions extensions, Certprofile.ExtensionControl extensionControl) {
        byte[] expected = getExpectedExtValue(aSN1ObjectIdentifier, extensions, extensionControl);
        if (!Arrays.equals(expected, bArr)) {
            String actualText = CheckerUtil.hex(bArr);
            String expectedText = expected == null ? "not present" : CheckerUtil.hex(expected);
            CheckerUtil.addViolation(sb, "extension values", actualText, expectedText);
        }
    }
}
