package com.prosysopc.ua.stack.cert;

import com.prosysopc.ua.stack.b.o;
import com.prosysopc.ua.stack.core.ApplicationDescription;
import com.prosysopc.ua.stack.core.K;
import com.prosysopc.ua.stack.transport.security.g;
import com.prosysopc.ua.stack.transport.security.j;
import com.prosysopc.ua.stack.utils.C0149f;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/prosysopc/ua/stack/cert/DefaultCertificateValidator.class */
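/**
 * Certificate validator that checks an application certificate against a primary
 * store ({@code cMM}) and an optional secondary store ({@code cMN}).
 *
 * <p>Checks visible in this class, in order: X.509 version, key usage, revocation
 * against the CRLs of both stores, membership in the primary store's certificate
 * set, validity period, signature (self-signed or signed by a certificate from one
 * of the stores) and the application URI. The outcome of each check is collected
 * in an {@code EnumSet<CertificateCheck>}, which is handed to the optional listener
 * ({@code cML}) or, without a listener, compared against
 * {@code CertificateCheck.COMPULSORY}.
 *
 * <p>NOTE(review): the identifiers are obfuscated (decompiled listing). The status
 * constants in {@code K} are described below only by the condition that produces
 * them; confirm their names against the vendor documentation.
 *
 * <p>NOTE(review): no path-length, basicConstraints or keyCertSign check is visible
 * for issuer certificates; {@link #e} only requires that a key usage extension is
 * present. Confirm whether the stores guarantee that only CA certificates can act
 * as issuers.
 */
public class DefaultCertificateValidator implements j {
    private static final Logger cMH = LoggerFactory.getLogger((Class<?>) DefaultCertificateValidator.class);
    // Marker looked up in the cause message of a CertificateParsingException when
    // the application URI cannot be parsed from the certificate.
    private static final String cMI = "invalid URI name:";
    // Unused in this listing; presumably the key usage bit indices (0 and 1) that
    // the compiler inlined into the key usage check - TODO confirm.
    private static final int cMJ = 0;
    private static final int cMK = 1;
    // Optional listener that takes the accept/reject decision; read once per validation.
    private volatile c cML;
    // Primary store: certificates found here count as CertificateCheck.Trusted.
    private final a cMM;
    // Secondary store (may be null): used for issuer lookup and CRLs only.
    private final a cMN;
    // Checks the caller has chosen to skip. Every entry weakens validation.
    private final Set<IgnoredChecks> cMO;

    /* loaded from: input_file:com/prosysopc/ua/stack/cert/DefaultCertificateValidator$IgnoredChecks.class */
    /** Validation steps that can be switched off through {@link #cCc()}. */
    public enum IgnoredChecks {
        // An issuer without a matching CRL is accepted instead of being reported.
        IGNORE_CA_MISSING_CRL,
        // A missing key usage extension or missing key usage bits only produce a warning.
        IGNORE_KEYUSAGE_CHECKS
    }

    /**
     * Creates a validator that uses a single store and no secondary store.
     *
     * @param aVar the primary store
     */
    public DefaultCertificateValidator(a aVar) {
        this(aVar, null);
    }

    /**
     * Creates a validator with a primary and a secondary store.
     *
     * @param aVar the primary store
     * @param aVar2 the secondary store, or {@code null} for none
     */
    public DefaultCertificateValidator(a aVar, a aVar2) {
        this.cMO = new CopyOnWriteArraySet<>();
        this.cMM = aVar;
        this.cMN = aVar2;
    }

    /** @return the primary store */
    public a cCb() {
        return this.cMM;
    }

    /**
     * Returns the live, mutable set of ignored checks; changes take effect on the
     * next validation. Adding an entry disables the corresponding check.
     *
     * @return the set of ignored checks
     */
    public Set<IgnoredChecks> cCc() {
        return this.cMO;
    }

    /** @return the secondary store, or {@code null} if none was configured */
    public a cCd() {
        return this.cMN;
    }

    /** @return the decision listener, or {@code null} if none is set */
    public c cCe() {
        return this.cML;
    }

    /**
     * @return {@code true} while {@link IgnoredChecks#IGNORE_CA_MISSING_CRL} is not set
     * @deprecated use {@link #cCc()} with {@link IgnoredChecks#IGNORE_CA_MISSING_CRL}
     */
    @Deprecated
    public boolean cCf() {
        return !a(IgnoredChecks.IGNORE_CA_MISSING_CRL);
    }

    /**
     * Switches the missing-CRL check on or off.
     *
     * @param z {@code true} removes {@link IgnoredChecks#IGNORE_CA_MISSING_CRL},
     *     {@code false} adds it
     * @deprecated use {@link #cCc()} with {@link IgnoredChecks#IGNORE_CA_MISSING_CRL}
     */
    @Deprecated
    public void S(boolean z) {
        if (z) {
            cCc().remove(IgnoredChecks.IGNORE_CA_MISSING_CRL);
        } else {
            cCc().add(IgnoredChecks.IGNORE_CA_MISSING_CRL);
        }
    }

    /**
     * Sets the listener that decides on acceptance; without one the decision is
     * taken from {@code CertificateCheck.COMPULSORY}.
     *
     * @param cVar the listener, or {@code null} to use the built-in decision
     */
    public void a(c cVar) {
        this.cML = cVar;
    }

    /**
     * Validates a certificate, optionally against the application description it
     * was presented with.
     *
     * @param applicationDescription the peer's description; when it is {@code null}
     *     or has no application URI, the URI checks are recorded as passed
     * @param gVar the certificate to validate
     * @return {@code o.cKW} when the certificate is accepted, otherwise a status built
     *     from one of the {@code K} codes; any {@link RuntimeException} raised during
     *     validation is logged and mapped to {@code K.flI}
     */
    @Override // com.prosysopc.ua.stack.transport.security.j
    public o a(ApplicationDescription applicationDescription, g gVar) {
        o P;
        try {
            cMH.debug("validateCertificate: applicationDescription={}", applicationDescription);
            cMH.debug("cert={}", gVar);
            // Only X.509 v3 certificates are accepted.
            if (gVar.gMf.getVersion() != 3) {
                cMH.error("Certificate Versions is {}, must be 3", Integer.valueOf(gVar.gMf.getVersion()));
                return o.P(K.fkC);
            }
            if (!a(IgnoredChecks.IGNORE_KEYUSAGE_CHECKS)) {
                if (gVar.gMf.getKeyUsage() == null) {
                    cMH.error("Cert has no key usage extension: {}", gVar);
                    return o.P(K.fkr);
                }
                // getKeyUsage() index 0 is digitalSignature, index 1 is nonRepudiation.
                boolean z = gVar.gMf.getKeyUsage()[0];
                boolean z2 = gVar.gMf.getKeyUsage()[1];
                if (!z || !z2) {
                    cMH.error("digitalSignature and/or nonRepudiation key usage bits are not set to true: {}", gVar);
                    return o.P(K.fkC);
                }
            } else if (gVar.gMf.getKeyUsage() == null) {
                cMH.warn("Cert has no key usage extension: {}", gVar);
            }
            // Revocation is checked before anything else can mark the certificate as passed.
            boolean d = d(gVar);
            cMH.debug("isRevoked={}", Boolean.valueOf(d));
            if (d) {
                return o.P(K.fky);
            }
            o oVar = o.cKW;
            EnumSet<CertificateCheck> noneOf = EnumSet.noneOf(CertificateCheck.class);
            Set<g> cCa = this.cMM.cCa();
            if (cCa != null && cCa.contains(gVar)) {
                cMH.debug("trusted=yes");
                noneOf.add(CertificateCheck.Trusted);
            }
            cMH.debug("trusted={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Trusted)));
            X509Certificate fvy = gVar.fvy();
            try {
                fvy.checkValidity();
                cMH.debug("valid=yes");
                noneOf.add(CertificateCheck.Validity);
            } catch (CertificateExpiredException e) {
                // Deliberately empty: Validity stays unset and the decision step rejects.
            } catch (CertificateNotYetValidException e2) {
                // Deliberately empty: Validity stays unset and the decision step rejects.
            }
            cMH.debug("valid={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Validity)));
            try {
                // A certificate that verifies with its own key is self-signed.
                fvy.verify(fvy.getPublicKey());
                cMH.debug("signature=yes");
                cMH.debug("self-signed=yes");
                noneOf.add(CertificateCheck.Signature);
                noneOf.add(CertificateCheck.SelfSigned);
            } catch (GeneralSecurityException e3) {
                // Not self-signed: look for a signer, first in the primary store.
                // Every store entry is tried; the loop does not stop at the first match.
                // NOTE(review): cCa is null-checked above but iterated unguarded here; a
                // null set ends in the RuntimeException handler below (K.flI).
                boolean z3 = false;
                for (g gVar2 : cCa) {
                    try {
                        fvy.verify(gVar2.fvy().getPublicKey());
                        z3 = true;
                        // Validate the signer itself and translate its status.
                        o e4 = e(gVar2);
                        if (e4.Q(K.fky)) {
                            oVar = o.P(K.fkt);
                        } else if (e4.Q(K.fkz)) {
                            oVar = o.P(K.fku);
                        } else if (e4.Q(K.fkp) || e4.Q(K.fkt) || e4.Q(K.fku)) {
                            oVar = e4;
                        } else if (e4.Q(K.fkx) || e4.Q(K.fks)) {
                            oVar = e4;
                        } else if (e4.cBf()) {
                            oVar = o.P(K.fkr);
                        }
                    } catch (GeneralSecurityException e5) {
                        // This store entry did not sign the certificate; try the next one.
                    }
                }
                if (this.cMN != null && !z3) {
                    // No signer in the primary store: fall back to the secondary store.
                    // A signer found here does not add CertificateCheck.Trusted.
                    for (g gVar3 : this.cMN.cCa()) {
                        try {
                            fvy.verify(gVar3.fvy().getPublicKey());
                            z3 = true;
                            o e6 = e(gVar3);
                            if (e6.Q(K.fky)) {
                                oVar = o.P(K.fkt);
                            } else if (e6.Q(K.fkz)) {
                                oVar = o.P(K.fku);
                            } else if (e6.Q(K.fkp) || e6.Q(K.fkt) || e6.Q(K.fku)) {
                                oVar = e6;
                            } else if (e6.Q(K.fkx) || e6.Q(K.fks)) {
                                // Unlike the primary-store loop, both codes collapse to K.fks here.
                                oVar = o.P(K.fks);
                            } else if (e6.cBf()) {
                                oVar = o.P(K.fkr);
                            }
                        } catch (GeneralSecurityException e7) {
                            // This store entry did not sign the certificate; try the next one.
                        }
                    }
                } else if (z3) {
                    // Signed by a certificate from the primary store: treated as trusted.
                    noneOf.add(CertificateCheck.Trusted);
                }
                if (!z3) {
                    // No signer found in either store.
                    oVar = o.P(K.fkp);
                }
                if (oVar.cBf()) {
                    // Chain validation failed: record the rejection unless the
                    // certificate itself is in the primary store's set.
                    if (cCa != null && !cCa.contains(gVar)) {
                        this.cMM.a(ValidationResult.Reject, gVar);
                    }
                    return oVar;
                }
                cMH.debug("signature=yes");
                noneOf.add(CertificateCheck.Signature);
            }
            cMH.debug("signature={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Signature)));
            cMH.debug("self-signed={}", Boolean.valueOf(noneOf.contains(CertificateCheck.SelfSigned)));
            String applicationUri = applicationDescription == null ? null : applicationDescription.getApplicationUri();
            // Without an expected URI there is nothing to compare, so the URI checks pass.
            boolean z4 = applicationUri == null;
            if (!z4) {
                try {
                    // C0149f.d presumably extracts the application URI from the
                    // certificate - TODO confirm.
                    if (C0149f.d(fvy).equals(applicationUri)) {
                        z4 = true;
                    }
                } catch (CertificateParsingException e8) {
                    // Fallback for URIs the parser rejects: the URI is recovered from the
                    // cause message. A match sets Uri but not UriValid.
                    // NOTE(review): this depends on the exact message text, and a null
                    // cause ends in the RuntimeException handler below (K.flI).
                    if (e8.getCause().getMessage().contains(cMI)) {
                        String[] split = e8.getCause().getMessage().split(cMI);
                        if (split.length == 2 && split[1].equals(applicationUri)) {
                            cMH.warn("The provided certificate contains an invalid ApplicationURI: {}", split[1]);
                            noneOf.add(CertificateCheck.Uri);
                        } else {
                            cMH.warn("The provided certificate does not define the ApplicationURI", (Throwable) e8);
                        }
                    } else {
                        cMH.warn("The provided certificate has an invalid SubjectAlternativeNames field", (Throwable) e8);
                    }
                }
            }
            if (z4) {
                noneOf.add(CertificateCheck.Uri);
                noneOf.add(CertificateCheck.UriValid);
            }
            cMH.debug("uri={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Uri)));
            cMH.debug("uriValid={}", Boolean.valueOf(noneOf.contains(CertificateCheck.UriValid)));
            // The listener, or the built-in rule, turns the passed checks into a decision.
            ValidationResult a = a(gVar, applicationDescription, noneOf);
            cMH.debug("action={}", a);
            switch (a) {
                case AcceptPermanently:
                    P = o.cKW;
                    this.cMM.a(ValidationResult.AcceptPermanently, gVar);
                    break;
                case AcceptOnce:
                    P = o.cKW;
                    this.cMM.a(ValidationResult.AcceptOnce, gVar);
                    break;
                case Reject:
                    // Report the first failed check, in the order trust, signature,
                    // validity, URI.
                    if (!noneOf.contains(CertificateCheck.Trusted)) {
                        P = o.P(K.fng);
                    } else if (!noneOf.contains(CertificateCheck.Signature)) {
                        P = o.P(K.fng);
                    } else if (!noneOf.contains(CertificateCheck.Validity)) {
                        P = o.P(K.fkz);
                    } else if (noneOf.contains(CertificateCheck.Uri)) {
                        // Trust, signature, validity and Uri all passed, yet the decision was
                        // Reject (for instance by the listener).
                        cMH.warn("Rejected a certificate which did contain passedchecks: {}", noneOf);
                        P = o.P(K.fng);
                    } else {
                        P = o.P(K.fkB);
                    }
                    if (cCa != null && !cCa.contains(gVar)) {
                        this.cMM.a(ValidationResult.Reject, gVar);
                    }
                    break;
                default:
                    throw new RuntimeException("Encountered unknown enum value for ValidatiorResult: " + a);
            }
            return P;
        } catch (RuntimeException e9) {
            // Fail closed: an unexpected error never results in acceptance.
            cMH.error("error while validating certificates", (Throwable) e9);
            return o.P(K.flI);
        }
    }

    /**
     * Validates a certificate without an application description, so the URI checks
     * are recorded as passed.
     *
     * <p>NOTE(review): a {@code null} certificate returns {@code o.cKW}, the same
     * status as an accepted certificate. Confirm that callers pass {@code null} only
     * where no certificate is expected.
     *
     * @param gVar the certificate, or {@code null}
     * @return the validation status
     */
    @Override // com.prosysopc.ua.stack.transport.security.j
    public o c(g gVar) {
        cMH.debug("validateCertificate: Cert={}", gVar);
        return gVar == null ? o.cKW : a(null, gVar);
    }

    /**
     * Decides whether the certificate is accepted. A configured listener decides
     * alone; otherwise the certificate is accepted permanently only when every check
     * in {@code CertificateCheck.COMPULSORY} passed.
     *
     * @param gVar the certificate under validation
     * @param applicationDescription the peer's description, may be {@code null}
     * @param enumSet the checks that passed
     * @return the decision
     */
    private ValidationResult a(g gVar, ApplicationDescription applicationDescription, EnumSet<CertificateCheck> enumSet) {
        // Read the volatile field once so a concurrent change cannot be seen half-way.
        c cVar = this.cML;
        if (cVar != null) {
            return cVar.onValidate(gVar, applicationDescription, enumSet);
        }
        return enumSet.containsAll(CertificateCheck.COMPULSORY) ? ValidationResult.AcceptPermanently : ValidationResult.Reject;
    }

    /** @return {@code true} if the given check has been switched off */
    private boolean a(IgnoredChecks ignoredChecks) {
        return this.cMO.contains(ignoredChecks);
    }

    /**
     * Checks the certificate against every CRL of the primary store and, if
     * configured, of the secondary store.
     *
     * <p>NOTE(review): no CRL signature or freshness check is visible here; confirm
     * that the stores verify CRLs when loading them.
     *
     * @param gVar the certificate to look up
     * @return {@code true} if any CRL lists the certificate as revoked
     */
    private boolean d(g gVar) {
        Iterator<X509CRL> it = this.cMM.cBZ().iterator();
        while (it.hasNext()) {
            if (it.next().isRevoked(gVar.fvy())) {
                return true;
            }
        }
        if (this.cMN == null) {
            return false;
        }
        Iterator<X509CRL> it2 = this.cMN.cBZ().iterator();
        while (it2.hasNext()) {
            if (it2.next().isRevoked(gVar.fvy())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates a certificate that signed another certificate, following its own
     * signer recursively through the stores.
     *
     * <p>NOTE(review): no depth limit or visited set is visible; certificates in the
     * stores that sign each other would recurse without bound, and the resulting
     * {@link StackOverflowError} is not a {@link RuntimeException}.
     *
     * @param gVar the issuer certificate
     * @return {@code o.cKW} when the issuer and its chain pass, otherwise a status
     *     built from one of the {@code K} codes; any {@link RuntimeException} is
     *     logged and mapped to {@code K.flI}
     */
    o e(g gVar) {
        // Set to true when a CRL issued under this certificate's issuer DN is found.
        // NOTE(review): in this decompiled listing z is assigned only on the
        // self-signed path but read after the catch block as well; confirm the
        // initial value against the original class before recompiling.
        boolean z;
        try {
            cMH.debug("issuerCert={}", gVar);
            if (gVar.gMf.getVersion() != 3) {
                cMH.error("Certificate Versions is {}, must be 3", Integer.valueOf(gVar.gMf.getVersion()));
                return o.P(K.fkC);
            }
            if (!a(IgnoredChecks.IGNORE_KEYUSAGE_CHECKS)) {
                if (gVar.gMf.getKeyUsage() == null) {
                    // The certificate is passed as the argument so the rejected issuer
                    // can be identified from the log.
                    cMH.error("Issuer Cert has no key usage extension: {}", gVar);
                    return o.P(K.fkr);
                }
                // Only the presence of the extension is checked; individual bits are not.
            } else if (gVar.gMf.getKeyUsage() == null) {
                cMH.warn("Issuer Cert has no key usage extension: {}", gVar);
            }
            boolean d = d(gVar);
            cMH.debug("isRevoked={}", Boolean.valueOf(d));
            if (d) {
                return o.P(K.fkt);
            }
            o oVar = o.cKW;
            // Collected for the debug output only; the result of this method is oVar.
            EnumSet<CertificateCheck> noneOf = EnumSet.noneOf(CertificateCheck.class);
            Set<g> cCa = this.cMM.cCa();
            if (cCa != null && cCa.contains(gVar)) {
                cMH.debug("trusted=yes");
                noneOf.add(CertificateCheck.Trusted);
            }
            cMH.debug("trusted={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Trusted)));
            X509Certificate fvy = gVar.fvy();
            try {
                // Unlike the leaf certificate, an issuer outside its validity period
                // fails immediately (see the catch clauses at the end).
                fvy.checkValidity();
                cMH.debug("valid=yes");
                noneOf.add(CertificateCheck.Validity);
                cMH.debug("valid={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Validity)));
                try {
                    fvy.verify(fvy.getPublicKey());
                    cMH.debug("signature=yes");
                    cMH.debug("self-signed=yes");
                    noneOf.add(CertificateCheck.Signature);
                    noneOf.add(CertificateCheck.SelfSigned);
                    z = false;
                    // Look for a CRL with the same issuer DN in the store that holds
                    // this certificate.
                    if (this.cMM.cCa().contains(gVar)) {
                        Iterator<X509CRL> it = this.cMM.cBZ().iterator();
                        while (it.hasNext()) {
                            if (it.next().getIssuerDN().equals(gVar.gMf.getIssuerDN())) {
                                z = true;
                            }
                        }
                    } else if (this.cMN != null) {
                        Iterator<X509CRL> it2 = this.cMN.cBZ().iterator();
                        while (it2.hasNext()) {
                            if (it2.next().getIssuerDN().equals(gVar.gMf.getIssuerDN())) {
                                z = true;
                            }
                        }
                    }
                } catch (GeneralSecurityException e) {
                    // Not self-signed: find this issuer's own signer, primary store first.
                    // NOTE(review): cCa is iterated without the null check used above.
                    boolean z2 = false;
                    for (g gVar2 : cCa) {
                        try {
                            fvy.verify(gVar2.fvy().getPublicKey());
                            z2 = true;
                            o e2 = e(gVar2);
                            if (e2.Q(K.fky)) {
                                oVar = o.P(K.fkt);
                            } else if (e2.Q(K.fkz)) {
                                oVar = o.P(K.fku);
                            } else if (e2.Q(K.fkp) || e2.Q(K.fkt) || e2.Q(K.fku)) {
                                oVar = e2;
                            } else if (e2.Q(K.fkx) || e2.Q(K.fks)) {
                                oVar = e2;
                            } else if (e2.cBf()) {
                                oVar = o.P(K.fkr);
                            }
                        } catch (GeneralSecurityException e3) {
                            // This store entry did not sign the certificate; try the next one.
                        }
                    }
                    if (this.cMN != null && !z2) {
                        for (g gVar3 : this.cMN.cCa()) {
                            try {
                                fvy.verify(gVar3.fvy().getPublicKey());
                                z2 = true;
                                o e4 = e(gVar3);
                                if (e4.Q(K.fky)) {
                                    oVar = o.P(K.fkt);
                                } else if (e4.Q(K.fkz)) {
                                    oVar = o.P(K.fku);
                                } else if (e4.Q(K.fkp) || e4.Q(K.fkt) || e4.Q(K.fku)) {
                                    oVar = e4;
                                } else if (e4.Q(K.fkx) || e4.Q(K.fks)) {
                                    oVar = o.P(K.fks);
                                } else if (e4.cBf()) {
                                    oVar = o.P(K.fkr);
                                }
                            } catch (GeneralSecurityException e5) {
                                // This store entry did not sign the certificate; try the next one.
                            }
                        }
                        if (!z2) {
                            // No signer in either store.
                            oVar = o.P(K.fkp);
                        }
                    } else if (this.cMN == null && !z2) {
                        // No signer in the primary store and no secondary store to search.
                        oVar = o.P(K.fkp);
                    } else if (z2) {
                        noneOf.add(CertificateCheck.Trusted);
                    }
                    if (oVar.cBf()) {
                        return oVar;
                    }
                    cMH.debug("signature=yes");
                    noneOf.add(CertificateCheck.Signature);
                    noneOf.add(CertificateCheck.Trusted);
                }
                // An issuer without a matching CRL is reported unless that check is ignored.
                if (!z && !a(IgnoredChecks.IGNORE_CA_MISSING_CRL)) {
                    oVar = o.P(K.fkx);
                    return oVar;
                }
                cMH.debug("issuer signature={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Signature)));
                cMH.debug("issuer self-signed={}", Boolean.valueOf(noneOf.contains(CertificateCheck.SelfSigned)));
                return oVar;
            } catch (CertificateExpiredException e6) {
                return o.P(K.fkz);
            } catch (CertificateNotYetValidException e7) {
                return o.P(K.fkz);
            }
        } catch (RuntimeException e8) {
            // Fail closed: an unexpected error never results in acceptance.
            cMH.error("Error while validating certificate chain", (Throwable) e8);
            return o.P(K.flI);
        }
    }
}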
