package pl.unizeto.android.cryptoapi.util.cert;

import com.lowagie.text.pdf.PdfBoolean;
import iaik.asn1.CodingException;
import iaik.asn1.ObjectID;
import iaik.asn1.structures.AVA;
import iaik.asn1.structures.GeneralName;
import iaik.asn1.structures.GeneralNames;
import iaik.asn1.structures.Name;
import iaik.smime.ess.utils.ESSUtil;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.ExtendedKeyUsage;
import iaik.x509.extensions.KeyUsage;
import iaik.x509.extensions.SubjectKeyIdentifier;
import iaik.x509.extensions.qualified.QCStatements;
import iaik.x509.extensions.qualified.structures.QCStatement;
import iaik.x509.extensions.qualified.structures.QCSyntaxV1;
import iaik.x509.extensions.qualified.structures.QCSyntaxV2;
import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
import iaik.x509.extensions.qualified.structures.etsi.QcEuLimitValue;
import iaik.x509.extensions.qualified.structures.etsi.QcEuRetentionPeriod;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Locale;
import java.util.Vector;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.spi.Configurator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.unizeto.android.cryptoapi.certificatestoremanager.CertificationPath;
import pl.unizeto.android.cryptoapi.certificatestoremanager.UniCertificateStoreManagerException;
import pl.unizeto.android.cryptoapi.certificatestoremanager.UniCertificateStoreManagerFactory;
import pl.unizeto.android.cryptoapi.exception.PKIErrorCode;
import pl.unizeto.android.cryptoapi.exception.PKIException;
import pl.unizeto.android.cryptoapi.internal.CommonProperties;
import pl.unizeto.android.cryptoapi.util.keyidentifier.KIGenerator;
import pl.unizeto.android.cryptoapi.util.principal.PrincipalUtils;
import pl.unizeto.x509.extensions.qualified.structures.SubjectSignatureTypeQCStatement;

/* loaded from: classes.dex */
public class CertificateUsage {
    /**
     * Property key; when it reads "true", {@link #isAkiMatched} additionally requires the
     * authorityCertIssuer/authorityCertSerialNumber pair to match after a successful
     * keyIdentifier match (see {@link #getCheckAkiBothKiAndIssuerSerial}).
     */
    public static final String CHECK_AKI_BOTH_KI_AND_ISSUER_SERIAL_PROPERTY_STRING = "pl.unizeto.android.cryptoapi.checkAkiBothKiAndIssuerSerial";
    // Logger is keyed by the simple class name, not the FQCN, so log configuration must address "CertificateUsage".
    protected static final Logger log = LoggerFactory.getLogger(CertificateUsage.class.getSimpleName());

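    /**
     * Tells whether {@code x509Certificate} may be used to verify (issue) other certificates.
     * <p>
     * All three conditions must hold, evaluated in this order: the cA flag in BasicConstraints
     * (a property-controlled bypass exists in {@link #isCaCert}), the keyCertSign KeyUsage bit
     * (an absent KeyUsage counts as allowed, see {@link #isForKeyCertSign}) and an
     * ExtendedKeyUsage that does not restrict the certificate
     * (see {@link #extKeyUsageAllowsCertSign}).
     *
     * @param x509Certificate the candidate issuer certificate, must not be {@code null}
     * @return {@code true} when the certificate may sign certificates
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     * @throws CertificateException when the certificate cannot be converted or its extensions read
     * @throws PKIException propagated from the ExtendedKeyUsage check
     */
    public static boolean canSignCerts(X509Certificate x509Certificate) throws CertificateException, PKIException {
        // Validate before logging: the debug line below dereferences the certificate.
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        if (log.isDebugEnabled()) {
            log.debug("Sprawdzanie czy certyfikat może służyć do walidacji certyfikatów (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        // Short-circuit order is intentional: BasicConstraints and KeyUsage are checked before
        // the extension-parsing ExtendedKeyUsage check.
        boolean canSign = isCaCert(x509Certificate) && isForKeyCertSign(x509Certificate) && extKeyUsageAllowsCertSign(x509Certificate);
        if (log.isDebugEnabled()) {
            log.debug("Certyfikat " + (canSign ? "" : "NIE ") + "może służyć do walidacji certyfikatów (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        return canSign;
    }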

    /**
     * Ensures that the certificate is qualified and that a certification path rooted in a
     * qualified distribution point can be built for it.
     * <p>
     * A failure while building the path is logged and then reported exactly like a
     * non-qualified path, so callers see a single error code for both situations.
     *
     * @param x509Certificate certificate to check
     * @throws PKIException CERTIFICATE_IS_NOT_FOR_NON_REPUDIATION when the certificate is not
     *         qualified; CERTIFICATE_IS_NOT_ISSUED_BY_QUALIFIED_DISTRIBUTION_POINT when no
     *         qualified path exists or path building failed
     */
    public static void checkIsInQualifiedPath(X509Certificate x509Certificate) throws CertificateException, UniCertificateStoreManagerException, IOException, PKIException {
        if (!isQualified(x509Certificate)) {
            throw new PKIException(PKIErrorCode.CERTIFICATE_IS_NOT_FOR_NON_REPUDIATION, CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
        }
        CertificationPath path = null;
        try {
            path = UniCertificateStoreManagerFactory.getInstance().getCertificationPath(x509Certificate);
        } catch (PKIException e) {
            // Deliberately not propagated: a missing path is reported by the check below.
            log.error("", (Throwable) e);
        }
        boolean qualifiedPath = path != null && path.isQualified();
        if (!qualifiedPath) {
            throw new PKIException(PKIErrorCode.CERTIFICATE_IS_NOT_ISSUED_BY_QUALIFIED_DISTRIBUTION_POINT, CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
        }
    }

    /**
     * Throws when some certificate in the path violates a pathLenConstraint.
     *
     * @param certificationPath path to verify
     * @throws PKIException PATH_LEN_CONSTRAINT_VIOLATION naming the offending certificate
     */
    public static void checkPathLenConstraintObedience(CertificationPath certificationPath) throws PKIException {
        X509Certificate offender = verifyPathLenConstraint(certificationPath);
        if (offender == null) {
            return;
        }
        throw new PKIException(PKIErrorCode.PATH_LEN_CONSTRAINT_VIOLATION, CertificateInfoUtil.getSubjectAndSerialNumberString(offender));
    }

    /**
     * Reports whether ExtendedKeyUsage leaves certificate signing allowed.
     * <p>
     * Implemented as "EKU imposes no constraint" ({@link #getExtendedKeyUsageConstraints}
     * returns {@code null}): a critical EKU without anyExtendedKeyUsage is treated as forbidding
     * certificate signing. That is the conservative reading, since RFC 5280 defines no key
     * purpose for issuing certificates.
     *
     * @param x509Certificate certificate to inspect, must not be {@code null}
     * @return {@code true} when EKU is absent, non-critical or contains anyExtendedKeyUsage
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     */
    private static boolean extKeyUsageAllowsCertSign(X509Certificate x509Certificate) throws CertificateException, PKIException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        ObjectID[] constraints = getExtendedKeyUsageConstraints(CertificateUtils.convert(x509Certificate));
        boolean unconstrained = constraints == null;
        if (log.isDebugEnabled()) {
            String certLabel = CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate);
            if (unconstrained) {
                log.debug("Rozszerzenie Extended Key Usage pozwala na użycie certyfikatu do podpisywania innych certyfikatów lub może być zignorowane (cert: " + certLabel + ")");
            } else {
                log.debug("Rozszerzenie Extended Key Usage NIE pozwala na użycie certyfikatu do podpisywania innych certyfikatów (cert: " + certLabel + ")");
            }
        }
        return unconstrained;
    }

    /**
     * Reports whether ExtendedKeyUsage leaves the digitalSignature usage allowed.
     * <p>
     * Note that this does not look for any particular key purpose: it only returns
     * {@code true} when {@link #getExtendedKeyUsageConstraints} finds no constraint (EKU absent,
     * non-critical, or containing anyExtendedKeyUsage). A critical EKU listing only other
     * purposes therefore fails closed.
     *
     * @param x509Certificate certificate to inspect, must not be {@code null}
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     */
    private static boolean extKeyUsageAllowsDigitalSignature(X509Certificate x509Certificate) throws CertificateException, PKIException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        ObjectID[] constraints = getExtendedKeyUsageConstraints(CertificateUtils.convert(x509Certificate));
        boolean unconstrained = constraints == null;
        if (log.isDebugEnabled()) {
            String certLabel = CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate);
            if (unconstrained) {
                log.debug("Rozszerzenie Extended Key Usage pozwala na użycie certyfikatu do podpisu cyfrowego (digitalSignature) lub może być zignorowane (cert: " + certLabel + ")");
            } else {
                log.debug("Rozszerzenie Extended Key Usage NIE pozwala na użycie certyfikatu do podpisu cyfrowego (digitalSignature) (cert: " + certLabel + ")");
            }
        }
        return unconstrained;
    }

    /**
     * Reports whether ExtendedKeyUsage leaves the keyEncipherment usage allowed.
     * <p>
     * Same rule as the sibling {@code extKeyUsageAllows*} methods: {@code true} only when
     * {@link #getExtendedKeyUsageConstraints} reports no constraint; no specific key purpose is
     * looked for, so a critical EKU with unrelated purposes fails closed.
     *
     * @param x509Certificate certificate to inspect, must not be {@code null}
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     */
    private static boolean extKeyUsageAllowsKeyEncipherment(X509Certificate x509Certificate) throws CertificateException, PKIException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        ObjectID[] constraints = getExtendedKeyUsageConstraints(CertificateUtils.convert(x509Certificate));
        boolean unconstrained = constraints == null;
        if (log.isDebugEnabled()) {
            String certLabel = CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate);
            if (unconstrained) {
                log.debug("Rozszerzenie ExtendedKeyUsage pozwala na użycie certyfikatu do szyfrowania kluczy tajnych i prywatnych (keyEncipherment) lub może być zignorowane (cert: " + certLabel + ")");
            } else {
                log.debug("Rozszerzenie ExtendedKeyUsage NIE pozwala na użycie certyfikatu do szyfrowania kluczy tajnych i prywatnych (keyEncipherment) (cert: " + certLabel + ")");
            }
        }
        return unconstrained;
    }

    /**
     * Reports whether ExtendedKeyUsage is compatible with a nonRepudiation-only certificate.
     * <p>
     * Like its siblings this only checks that {@link #getExtendedKeyUsageConstraints} finds no
     * constraint; it does not inspect individual key purposes.
     *
     * @param x509Certificate certificate to inspect, must not be {@code null}
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     */
    private static boolean extKeyUsageAllowsNonRepudationOnly(X509Certificate x509Certificate) throws CertificateException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        ObjectID[] constraints = getExtendedKeyUsageConstraints(CertificateUtils.convert(x509Certificate));
        boolean unconstrained = constraints == null;
        if (log.isDebugEnabled()) {
            String certLabel = CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate);
            if (unconstrained) {
                log.debug("Rozszerzenie Extended Key Usage pozwala na użycie certyfikatu tylko do usługi niezaprzeczalności (nonRepudiation) lub może być zignorowane (cert: " + certLabel + ")");
            } else {
                log.debug("Rozszerzenie Extended Key Usage NIE pozwala na użycie certyfikatu tylko do usługi niezaprzeczalności (nonRepudiation)(cert: " + certLabel + ")");
            }
        }
        return unconstrained;
    }

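    /**
     * Reads the AuthorityKeyIdentifier extension of a certificate.
     *
     * @param x509Certificate certificate to read, must not be {@code null}
     * @return the extension, or {@code null} when the certificate has none
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     * @throws PKIException EXTERNAL_EXCEPTION wrapping the parser failure when the extension cannot be decoded
     * @throws CertificateException when the certificate cannot be converted
     */
    public static AuthorityKeyIdentifier getAuthorityKeyIdentifier(X509Certificate x509Certificate) throws PKIException, CertificateException {
        // Validate before logging: the debug line below dereferences the certificate.
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        if (log.isDebugEnabled()) {
            log.debug("Pobieranie AuthorityKeyIdentifier (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        try {
            AuthorityKeyIdentifier aki = (AuthorityKeyIdentifier) CertificateUtils.convert(x509Certificate).getExtension(AuthorityKeyIdentifier.oid);
            if (log.isDebugEnabled()) {
                log.debug("Odczytano AKI. AKI: " + aki + "; cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
            }
            return aki;
        } catch (X509ExtensionInitException e) {
            throw new PKIException(e, PKIErrorCode.EXTERNAL_EXCEPTION, "Nie można odczytać rozszerzenia 'AuthorityKeyIdentifier' (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
    }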

    /**
     * Reads {@link #CHECK_AKI_BOTH_KI_AND_ISSUER_SERIAL_PROPERTY_STRING}; defaults to {@code false}.
     * <p>
     * {@code PdfBoolean.FALSE} is just the string "false"; the iText constant is most likely a
     * decompiler artefact of constant inlining rather than a real dependency.
     *
     * @return {@code true} when the property is set to a true-ish value
     */
    private static boolean getCheckAkiBothKiAndIssuerSerial() {
        String raw = CommonProperties.getInstance().getProperty(CHECK_AKI_BOTH_KI_AND_ISSUER_SERIAL_PROPERTY_STRING, PdfBoolean.FALSE);
        return BooleanUtils.toBoolean(raw.trim());
    }

    /**
     * Returns the key purposes that constrain the certificate, or {@code null} when nothing constrains it.
     * <p>
     * The extension is considered non-constraining when it is absent, when it is NOT marked
     * critical, or when it lists anyExtendedKeyUsage. NOTE(review): ignoring a non-critical EKU
     * is more lenient than RFC 5280 4.2.1.12, which restricts usage whenever the extension is
     * present; callers relying on this for trust decisions should be aware of that.
     *
     * @param x509Certificate IAIK certificate to inspect
     * @return the keyPurposeIDs of a critical, non-"any" EKU; otherwise {@code null}
     * @throws CertificateException wrapping the extension parser failure
     */
    private static ObjectID[] getExtendedKeyUsageConstraints(iaik.x509.X509Certificate x509Certificate) throws CertificateException {
        try {
            log.debug("Pobranie rozszerzenia ExtendedKeyUsage certyfikatu");
            ExtendedKeyUsage eku = (ExtendedKeyUsage) x509Certificate.getExtension(ExtendedKeyUsage.oid);
            if (eku == null || !eku.isCritical()) {
                log.debug("Certyfikat nie zawiera rozszerzenia ExtendedKeyUsage lub nie jest ono krytyczne");
                log.debug("Rozszerzenie ExtendedKeyUsage nie ogranicza użycia certyfikatu");
                return null;
            }
            ObjectID[] purposes = eku.getKeyPurposeIDs();
            boolean anyUsage = false;
            for (ObjectID purpose : purposes) {
                if (purpose.equals(ExtendedKeyUsage.anyExtendedKeyUsage)) {
                    log.debug("Rozszerzenie ExtendedKeyUsage zawiera identyfikator anyExtendedKeyUsage");
                    log.debug("Rozszerzenie ExtendedKeyUsage nie ogranicza użycia certyfikatu");
                    anyUsage = true;
                    break;
                }
            }
            // Logged on both outcomes (kept as in the original log sequence).
            log.debug("Rozszerzenie ExtendedKeyUsage może ograniczac użycie certyfikatu");
            return anyUsage ? null : purposes;
        } catch (X509ExtensionInitException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Convenience overload of {@link #getExtendedKeyUsageStrings(X509Certificate, Locale)}
     * using the JVM default locale.
     */
    public static String[] getExtendedKeyUsageStrings(X509Certificate x509Certificate) throws CertificateException {
        Locale defaultLocale = Locale.getDefault();
        return getExtendedKeyUsageStrings(x509Certificate, defaultLocale);
    }

    /**
     * Returns localized descriptions of every key purpose in the certificate's ExtendedKeyUsage.
     *
     * @param x509Certificate certificate to inspect
     * @param locale locale for the descriptions; {@code null} selects the JVM default
     * @return descriptions, empty when the extension is absent or unreadable
     * @throws CertificateException when the certificate cannot be converted
     */
    public static String[] getExtendedKeyUsageStrings(X509Certificate x509Certificate, Locale locale) throws CertificateException {
        Locale effective = locale != null ? locale : Locale.getDefault();
        ObjectID[] purposes = getExtendedKeyUsages(x509Certificate);
        return pl.unizeto.android.cryptoapi.ExtendedKeyUsage.getDescriptions(purposes, effective);
    }

    /**
     * Returns a copy of the key purposes listed in the certificate's ExtendedKeyUsage.
     * <p>
     * Never returns {@code null}: an absent extension yields an empty array, and a parse
     * failure is logged and also yields an empty array (best-effort, not an error to the caller).
     *
     * @param x509Certificate certificate to inspect
     * @return key purposes, possibly empty
     * @throws CertificateException when the certificate cannot be converted
     */
    public static ObjectID[] getExtendedKeyUsages(X509Certificate x509Certificate) throws CertificateException {
        iaik.x509.X509Certificate iaikCert = CertificateUtils.convert(x509Certificate);
        ObjectID[] none = new ObjectID[0];
        try {
            ExtendedKeyUsage eku = (ExtendedKeyUsage) iaikCert.getExtension(ExtendedKeyUsage.oid);
            if (eku == null) {
                log.debug("Brak ExtKeyUsage w certyfikacie: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
                return none;
            }
            // Defensive copy so callers cannot mutate the extension's own array.
            return eku.getKeyPurposeIDs().clone();
        } catch (X509ExtensionInitException e) {
            log.error("", (Throwable) e);
            return none;
        }
    }

    /**
     * Convenience overload of {@link #getKeyUsageStrings(X509Certificate, Locale)} using the
     * JVM default locale.
     */
    public static String[] getKeyUsageStrings(X509Certificate x509Certificate) throws CertificateException {
        Locale defaultLocale = Locale.getDefault();
        return getKeyUsageStrings(x509Certificate, defaultLocale);
    }

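    /**
     * Returns human-readable labels for every KeyUsage bit set in the certificate.
     * <p>
     * The labels are fixed Polish strings in RFC 5280 4.2.1.3 bit order. {@code locale} is
     * accepted for symmetry with {@link #getExtendedKeyUsageStrings(X509Certificate, Locale)}
     * but does not influence the output; the original body only evaluated
     * {@code Locale.getDefault()} and discarded the result, which is dropped here as dead code.
     *
     * @param x509Certificate certificate to inspect
     * @param locale currently unused; may be {@code null}
     * @return labels for the set bits, empty when KeyUsage is absent
     * @throws CertificateException when the certificate cannot be converted
     */
    public static String[] getKeyUsageStrings(X509Certificate x509Certificate, Locale locale) throws CertificateException {
        // Index = KeyUsage bit position: digitalSignature(0) .. decipherOnly(8).
        String[] labels = {
            "Podpis cyfrowy",
            "Realizacja usług niezaprzeczalności",
            "Wymiana kluczy",
            "Szyfrowanie danych",
            "Uzgadnianie kluczy",
            "Podpisywanie certyfikatu",
            "Podpisywanie list CRL",
            "Tylko szyfrowanie",
            "Tylko deszyfrowanie"
        };
        iaik.x509.X509Certificate iaikCert = CertificateUtils.convert(x509Certificate);
        boolean[] keyUsage = iaikCert.getKeyUsage();
        ArrayList<String> selected = new ArrayList<String>();
        if (keyUsage != null) {
            // The JDK contract returns at least 9 entries; bounding by both lengths avoids an
            // ArrayIndexOutOfBoundsException on a non-conforming implementation.
            int bits = Math.min(labels.length, keyUsage.length);
            for (int bit = 0; bit < bits; bit++) {
                if (keyUsage[bit]) {
                    selected.add(labels[bit]);
                }
            }
        }
        return selected.toArray(new String[selected.size()]);
    }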

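    /**
     * Reads the SubjectKeyIdentifier extension of a certificate.
     *
     * @param x509Certificate certificate to read, must not be {@code null}
     * @return the extension, or {@code null} when the certificate has none
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     * @throws PKIException EXTERNAL_EXCEPTION wrapping the parser failure when the extension cannot be decoded
     * @throws CertificateException when the certificate cannot be converted
     */
    public static SubjectKeyIdentifier getSubjectKeyIdentifier(X509Certificate x509Certificate) throws PKIException, CertificateException {
        // Validate before logging: the debug line below dereferences the certificate.
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        if (log.isDebugEnabled()) {
            log.debug("Pobieranie SubjectKeyIdentifier (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        try {
            SubjectKeyIdentifier ski = (SubjectKeyIdentifier) CertificateUtils.convert(x509Certificate).getExtension(SubjectKeyIdentifier.oid);
            if (log.isDebugEnabled()) {
                log.debug("Odczytano SKI. SKI: " + ski + "; cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
            }
            return ski;
        } catch (X509ExtensionInitException e) {
            throw new PKIException(e, PKIErrorCode.EXTERNAL_EXCEPTION, "Nie można odczytać rozszerzenia 'SubjectKeyIdentifier' (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
    }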

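    /**
     * Tells whether an AuthorityKeyIdentifier (taken from a subject certificate) designates
     * {@code x509Certificate} as the issuer.
     * <p>
     * Matching rules, in order:
     * <ol>
     * <li>AKI without keyIdentifier: match on authorityCertIssuer + authorityCertSerialNumber.</li>
     * <li>keyIdentifier present but not matching the candidate's SKI: still accepted when the
     *     issuer/serial pair is present and matches (a lenient fallback; RFC 5280 4.2.1.1 does not
     *     require it).</li>
     * <li>keyIdentifier matches: accepted, unless {@link #getCheckAkiBothKiAndIssuerSerial} is on
     *     and the issuer/serial pair is present, in which case that pair must match as well.</li>
     * </ol>
     * Note that this is identifier matching only; it does not verify the signature.
     *
     * @param authorityKeyIdentifier the AKI to match, must not be {@code null}
     * @param x509Certificate the candidate issuer certificate, must not be {@code null}
     * @return {@code true} when the AKI designates the candidate
     * @throws IllegalArgumentException when either argument is {@code null}
     * @throws PKIException INVALID_EXTENSION_VALUE_AKI when the AKI carries neither a keyIdentifier
     *         nor a complete issuer/serial pair, or only one half of that pair
     */
    public static boolean isAkiMatched(AuthorityKeyIdentifier authorityKeyIdentifier, X509Certificate x509Certificate) throws PKIException, CertificateException, CodingException {
        // Validate before logging: the debug line below dereferences both arguments.
        if (authorityKeyIdentifier == null) {
            throw new IllegalArgumentException("'aki' mustn't be null");
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'authorityCert mustn't be null'");
        }
        if (log.isDebugEnabled()) {
            log.debug("Sprawdzanie dopasowania AKI do certyfikatu (aki: " + authorityKeyIdentifier + "; cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        boolean hasKeyId = authorityKeyIdentifier.getKeyIdentifier() != null;
        GeneralNames certIssuer = authorityKeyIdentifier.getAuthorityCertIssuer();
        BigInteger certSerial = authorityKeyIdentifier.getAuthorityCertSerialNumber();
        boolean hasIssuerAndSerial = certIssuer != null && certSerial != null;
        // authorityCertIssuer and authorityCertSerialNumber must appear together or not at all.
        boolean halfIssuerSerial = (certIssuer == null) != (certSerial == null);
        if ((!hasKeyId && !hasIssuerAndSerial) || halfIssuerSerial) {
            log.warn("Nieprawidłowa postać rozszerzenia 'AuthorityKeyIdentifier' - brak pola 'keyIdentifier' i/lub obu pól 'authorityCertIssuer' i 'authorityCertSerialNumber' (AKI: " + authorityKeyIdentifier + ")");
            throw new PKIException(PKIErrorCode.INVALID_EXTENSION_VALUE_AKI, authorityKeyIdentifier.toString());
        }
        iaik.x509.X509Certificate candidate = CertificateUtils.convert(x509Certificate);
        if (!hasKeyId) {
            return isIssuerAndSerialMatched(certIssuer, certSerial, candidate);
        }
        if (!isKeyIdentifierMatched(authorityKeyIdentifier, candidate)) {
            // Lenient fallback on keyIdentifier mismatch.
            return hasIssuerAndSerial && isIssuerAndSerialMatched(certIssuer, certSerial, candidate);
        }
        // Optional strict mode: both identification forms must agree.
        if (getCheckAkiBothKiAndIssuerSerial() && hasIssuerAndSerial) {
            return isIssuerAndSerialMatched(certIssuer, certSerial, candidate);
        }
        return true;
    }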

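    /**
     * Checks the cA flag of BasicConstraints ({@code getBasicConstraints() >= 0}).
     * <p>
     * When the property {@code pl.unizeto.android.cryptoapi.util.cert.allowCaWithoutCaFlag} reads
     * "true" the check is skipped and every certificate is treated as a CA. This weakens path
     * validation (an end-entity certificate could then pass {@link #canSignCerts}) and should
     * stay off outside of testing.
     * <p>
     * The decompiled body used an undeclared {@code r0}; it is declared here initialised to
     * {@code true}, the only value consistent with the "check disabled" branch returning a
     * positive result. A {@code null} certificate is only dereferenced (NPE) when the check is active.
     *
     * @param x509Certificate certificate whose BasicConstraints are inspected
     * @return {@code true} when the cA flag is set, or when the check is disabled by property
     */
    public static boolean isCaCert(X509Certificate x509Certificate) {
        boolean caFlagSet = true;
        boolean checkDisabled = BooleanUtils.toBoolean(CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.util.cert.allowCaWithoutCaFlag", PdfBoolean.FALSE));
        if (checkDisabled) {
            log.debug("Sprawdzanie czy certyfikat ma ustawioną flagę cA w BasicConstraints wyłączone");
        } else {
            // getBasicConstraints() is -1 for a non-CA certificate, otherwise the path length (or Integer.MAX_VALUE).
            caFlagSet = x509Certificate.getBasicConstraints() >= 0;
            if (log.isDebugEnabled()) {
                log.debug("Sprawdzany certyfikat (" + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ") " + (caFlagSet ? "MA ustawioną flagę" : "NIE MA ustawionej flagi") + " cA w BasicConstraints na TRUE)");
            }
        }
        return caFlagSet;
    }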

    /**
     * Tells whether the certificate's <em>issuer</em> DN carries the given country (C) attribute.
     * <p>
     * Only the issuer name is inspected, not the subject. When the issuer DN contains several C
     * attributes the last one wins. Comparison is case-insensitive.
     *
     * @param x509Certificate certificate to inspect, must not be {@code null}
     * @param str ISO country code to look for; blank means "no match"
     * @return {@code true} when the issuer's C attribute equals {@code str} ignoring case
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     * @throws CertificateException when the issuer name cannot be parsed
     */
    private static boolean isCertFromCountry(X509Certificate x509Certificate, String str) throws CertificateException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert is null");
        }
        X509Certificate cert = x509Certificate;
        if (cert instanceof iaik.x509.X509Certificate) {
            cert = CertificateUtils.convert((iaik.x509.X509Certificate) cert);
        }
        if (StringUtils.isBlank(str)) {
            return false;
        }
        try {
            Name issuer = new Name(cert.getIssuerX500Principal().getEncoded());
            String issuerCountry = null;
            for (AVA ava : PrincipalUtils.getAVAs(issuer)) {
                if (ava.getType().equals(ObjectID.country)) {
                    issuerCountry = ava.getValue().toString();
                }
            }
            return str.equalsIgnoreCase(issuerCountry);
        } catch (CodingException e) {
            log.error("Błąd podczas parsowania certyfikatu", (Throwable) e);
            throw new CertificateException(e);
        }
    }

    /**
     * Tells whether KeyUsage permits CRL signing (bit 6, cRLSign).
     * <p>
     * An absent KeyUsage extension is treated as permitting the usage.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when cRLSign is set or KeyUsage is absent
     */
    public static boolean isForCRLSign(iaik.x509.X509Certificate x509Certificate) {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        boolean allowed = keyUsage == null || keyUsage[6];
        if (!allowed) {
            log.debug("Nieprawidłowy certyfikat podpisujący listy CRL (" + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        return allowed;
    }

    /**
     * Tells whether ExtendedKeyUsage lists the DVCS signing key purpose.
     * <p>
     * Best-effort: an absent extension or a parse failure (logged) both yield {@code false}.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when the dvcsSigning purpose is present
     */
    public static boolean isForDVCS(iaik.x509.X509Certificate x509Certificate) {
        ExtendedKeyUsage eku;
        try {
            eku = (ExtendedKeyUsage) x509Certificate.getExtension(ExtendedKeyUsage.oid);
        } catch (X509ExtensionInitException e) {
            log.error("", (Throwable) e);
            return false;
        }
        if (eku == null) {
            log.debug("Brak ExtKeyUsage w certyfikacie: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
            return false;
        }
        boolean found = false;
        for (ObjectID purpose : eku.getKeyPurposeIDs()) {
            if (purpose.equals(pl.unizeto.android.cryptoapi.ObjectID.dvcsSigning)) {
                found = true;
                break;
            }
        }
        return found;
    }

    /**
     * Tells whether the certificate may be used for digital signatures.
     * <p>
     * Accepted when (a) the property
     * {@code pl.unizeto.android.cryptoapi.util.cert.allowIgnoreExtendedKeyUsage} is on and the
     * digitalSignature KeyUsage bit is set (EKU is then not consulted at all — a deliberate
     * relaxation), or (b) KeyUsage is absent or has digitalSignature and EKU does not constrain
     * the certificate, or (c) the certificate is a nonRepudiation-only certificate
     * ({@link #isForNonRepudiationOnly}).
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when digital signing is permitted
     */
    public static boolean isForDigitalSignature(X509Certificate x509Certificate) throws CertificateException, PKIException {
        boolean[] keyUsage = CertificateUtils.convert(x509Certificate).getKeyUsage();
        boolean ignoreEku = BooleanUtils.toBoolean(CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.util.cert.allowIgnoreExtendedKeyUsage"));
        boolean digitalSignatureBit = keyUsage != null && keyUsage[0];
        if (ignoreEku && digitalSignatureBit) {
            return true;
        }
        boolean kuAllowsOrAbsent = keyUsage == null || keyUsage[0];
        if (kuAllowsOrAbsent && extKeyUsageAllowsDigitalSignature(x509Certificate)) {
            return true;
        }
        // Fallback: a nonRepudiation-only (qualified) certificate also counts as signing-capable.
        return isForNonRepudiationOnly(x509Certificate);
    }

    /**
     * Tells whether KeyUsage permits certificate signing (bit 5, keyCertSign).
     * <p>
     * An absent KeyUsage extension is treated as permitting the usage; the cA flag itself is
     * checked separately in {@link #isCaCert}.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when keyCertSign is set or KeyUsage is absent
     */
    public static boolean isForKeyCertSign(X509Certificate x509Certificate) {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        boolean allowed = keyUsage == null || keyUsage[5];
        if (log.isDebugEnabled()) {
            log.debug("Rozszerzenie 'keyUsage' " + (allowed ? "" : "NIE ") + "pozwala na podpisywanie certyfikatów (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        return allowed;
    }

    /**
     * Tells whether the certificate may be used for key encipherment.
     * <p>
     * KeyUsage must be absent or have bit 2 (keyEncipherment) set. Then, unless the property
     * {@code pl.unizeto.android.cryptoapi.util.cert.allowIgnoreExtendedKeyUsage} is on, EKU must
     * not constrain the certificate ({@link #extKeyUsageAllowsKeyEncipherment}).
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when key encipherment is permitted
     */
    public static boolean isForKeyEncipherment(X509Certificate x509Certificate) throws CertificateException, PKIException {
        log.debug("Sprawdzenie czy certyfikat może byc użyty do szyfrowania kluczy prywatnych i tajnych");
        iaik.x509.X509Certificate iaikCert = CertificateUtils.convert(x509Certificate);
        log.debug("Pobranie pola KeyUsage certyfikatu");
        boolean[] keyUsage = iaikCert.getKeyUsage();
        boolean kuAllows;
        if (keyUsage == null) {
            log.debug("Certyfikat nie zawiera pola KeyUsage");
            kuAllows = true;
        } else {
            kuAllows = keyUsage[2];
            if (kuAllows) {
                log.debug("Pole keyUsage certyfikatu pozwala na jego wykorzystanie do szyfrowania kluczy tajnych i prywatnych");
            } else {
                log.debug("Pole keyUsage certyfikatu nie pozwala na jego wykorzystanie do szyfrowania kluczy tajnych i prywatnych");
            }
        }
        boolean ignoreEku = BooleanUtils.toBoolean(CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.util.cert.allowIgnoreExtendedKeyUsage"));
        if (!kuAllows) {
            return false;
        }
        if (ignoreEku) {
            return true;
        }
        return extKeyUsageAllowsKeyEncipherment(x509Certificate);
    }

    /**
     * Tells whether KeyUsage is exactly {nonRepudiation} (bit 1 set, bits 0 and 2..8 clear)
     * and EKU does not constrain the certificate — the profile expected of a qualified
     * signing certificate.
     *
     * @param x509Certificate certificate to inspect, must not be {@code null}
     * @return {@code true} for a nonRepudiation-only certificate
     * @throws IllegalArgumentException when {@code x509Certificate} is {@code null}
     */
    public static boolean isForNonRepudiationOnly(X509Certificate x509Certificate) throws CertificateException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert is null");
        }
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            log.debug("Certyfikat nie jest certyfikatem kwalifikowanym, brak rozszerzenia KeyUsage (" + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
            return false;
        }
        // Same short-circuit order as a literal !ku[0] && ku[1] && !ku[2] ... && !ku[8] chain.
        boolean onlyNonRepudiation = !keyUsage[0] && keyUsage[1];
        for (int bit = 2; onlyNonRepudiation && bit <= 8; bit++) {
            onlyNonRepudiation = !keyUsage[bit];
        }
        if (onlyNonRepudiation && extKeyUsageAllowsNonRepudationOnly(x509Certificate)) {
            return true;
        }
        log.debug("Certyfikat nie jest certyfikatem kwalifikowanym, nieprawidłowa wartość KeyUsage (" + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        return false;
    }

    /**
     * Tells whether ExtendedKeyUsage lists id-kp-OCSPSigning.
     * <p>
     * Best-effort: an absent extension or a parse failure (logged) both yield {@code false}.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when the OCSP signing purpose is present
     */
    public static boolean isForOCSPSigning(iaik.x509.X509Certificate x509Certificate) {
        ExtendedKeyUsage eku;
        try {
            eku = (ExtendedKeyUsage) x509Certificate.getExtension(ExtendedKeyUsage.oid);
        } catch (X509ExtensionInitException e) {
            log.error("", (Throwable) e);
            return false;
        }
        if (eku == null) {
            log.debug("Brak rozszerzenia ExtendedKeyUsage w certyfikacie (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
            return false;
        }
        return Arrays.asList(eku.getKeyPurposeIDs()).contains(ExtendedKeyUsage.ocspSigning);
    }

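    /**
     * Decides whether {@code x509Certificate} may sign time-stamp tokens.
     * <p>
     * Three modes, selected by properties:
     * <ul>
     * <li>{@code pl.unizeto.android.cryptoapi.disableTimeStampingCertUsageCheck} = "true": the
     *     check is bypassed and every certificate is accepted. This removes the TSA key-purpose
     *     binding entirely and should stay off in production.</li>
     * <li>{@code pl.unizeto.android.cryptoapi.enableStrictRfc3161TsaCertUsageCheck} = "false"
     *     (default): id-kp-timeStamping merely has to be present in ExtendedKeyUsage.</li>
     * <li>otherwise strict RFC 3161 section 2.3: ExtendedKeyUsage must be critical and contain
     *     exactly id-kp-timeStamping.</li>
     * </ul>
     * Fix vs. the decompiled original: the first property was read without a default, so a
     * missing entry threw NullPointerException from {@code trim()}; it now defaults to "false"
     * like the second one, and the EKU list is fetched once instead of twice.
     *
     * @param x509Certificate TSA certificate to check
     * @return {@code true} when the certificate is acceptable for TSA signing; unreadable EKU yields {@code false}
     */
    public static boolean isForTimeStamping(iaik.x509.X509Certificate x509Certificate) {
        if (CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.disableTimeStampingCertUsageCheck", PdfBoolean.FALSE).trim().equals(PdfBoolean.TRUE)) {
            return true;
        }
        try {
            boolean lenient = CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.enableStrictRfc3161TsaCertUsageCheck", PdfBoolean.FALSE).trim().equals(PdfBoolean.FALSE);
            if (lenient) {
                ObjectID[] usages = getExtendedKeyUsages(x509Certificate);
                return usages != null && Arrays.asList(usages).contains(ExtendedKeyUsage.timeStamping);
            }
            // Strict mode: only a critical EKU counts (getExtendedKeyUsageConstraints returns null otherwise).
            ObjectID[] constraints = getExtendedKeyUsageConstraints(x509Certificate);
            if (constraints == null) {
                if (log.isDebugEnabled()) {
                    log.debug("'extendedKeyUsage' nie jest krytyczne lub nie jest określone - cert nie nadaje się dla TSA(cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
                }
                return false;
            }
            if (constraints.length != 1) {
                if (log.isDebugEnabled()) {
                    log.debug("'extendedKeyUsage' zawiera więcej niż jedno użycie - cert nie nadaje się dla TSA(cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
                }
                return false;
            }
            if (ExtendedKeyUsage.timeStamping.equals(constraints[0])) {
                log.info("'extendedKeyUsage' spełnia warunki dla TSA (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
                return true;
            }
            if (log.isDebugEnabled()) {
                log.debug("'extendedKeyUsage' nie zawiera użycia 'id-kp-timeStamping' - cert nie nadaje się dla TSA(cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
            }
            return false;
        } catch (CertificateException e) {
            // Unreadable EKU: fail closed.
            if (log.isDebugEnabled()) {
                log.debug("nie można odczytać 'extendedKeyUsage' - cert nie nadaje się dla TSA");
            }
            return false;
        }
    }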

    /**
     * Compares an AKI keyIdentifier with key identifiers derived from the certificate's public
     * key, for certificates that carry no SubjectKeyIdentifier extension.
     * <p>
     * Two derivations are tried in turn via {@link KIGenerator}: {@code generatePkTlvSha1} and
     * then {@code generatePkValueSha1} (presumably SHA-1 over the SPKI TLV and over the
     * subjectPublicKey value respectively — confirm against KIGenerator). SHA-1 is used here only
     * as an identifier, not as a security primitive; a match is a lookup hint, not proof of
     * issuance. Generation failures are logged at WARN and treated as "no match".
     *
     * @param x509Certificate certificate whose public key is hashed
     * @param bArr the keyIdentifier from the AKI
     * @return {@code true} when either derived identifier equals {@code bArr}
     */
    private static boolean isGeneratedSkiMatched(iaik.x509.X509Certificate x509Certificate, byte[] bArr) {
        try {
            if (Arrays.equals(bArr, KIGenerator.generatePkTlvSha1(x509Certificate))) {
                return true;
            }
        } catch (IOException e) {
            warnSkiGenerationFailed(x509Certificate, e);
        } catch (NoSuchAlgorithmException e) {
            warnSkiGenerationFailed(x509Certificate, e);
        }
        try {
            if (Arrays.equals(bArr, KIGenerator.generatePkValueSha1(x509Certificate))) {
                return true;
            }
        } catch (IOException e) {
            warnSkiGenerationFailed(x509Certificate, e);
        } catch (NoSuchAlgorithmException e) {
            warnSkiGenerationFailed(x509Certificate, e);
        }
        return false;
    }

    /** Logs a failed key-identifier derivation for {@link #isGeneratedSkiMatched}. */
    private static void warnSkiGenerationFailed(iaik.x509.X509Certificate x509Certificate, Throwable cause) {
        log.warn("Nie udało się próba wygenerowania SKI dla certyfikatu w celu sprawdzenia dopasowania AKI(cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")", cause);
    }

    /**
     * Tells whether the AKI's authorityCertIssuer/authorityCertSerialNumber pair designates
     * {@code x509Certificate}: some directoryName in {@code generalNames} must equal the
     * certificate's issuer DN (via {@link PrincipalUtils#equals}) and {@code bigInteger} must
     * equal its serial number.
     * <p>
     * Only directoryName entries (GeneralName tag 4) are considered; other name forms are ignored.
     *
     * @param generalNames authorityCertIssuer, must not be {@code null}
     * @param bigInteger authorityCertSerialNumber, must not be {@code null}
     * @param x509Certificate candidate issuer certificate
     * @return {@code true} when issuer name and serial number both match
     * @throws IllegalArgumentException when {@code generalNames} or {@code bigInteger} is {@code null}
     */
    private static boolean isIssuerAndSerialMatched(GeneralNames generalNames, BigInteger bigInteger, X509Certificate x509Certificate) throws PKIException, CodingException {
        if (generalNames == null) {
            throw new IllegalArgumentException("'authorityCertIssuer' mustn't be null");
        }
        if (bigInteger == null) {
            throw new IllegalArgumentException("'authorityCertSerial' mustn't be null");
        }
        X509Certificate cert = x509Certificate;
        if (cert instanceof iaik.x509.X509Certificate) {
            cert = CertificateUtils.convert((iaik.x509.X509Certificate) cert);
        }
        boolean matched = false;
        // 4 = directoryName in the GeneralName CHOICE (RFC 5280 4.2.1.6).
        for (GeneralName name : generalNames.getNames(4)) {
            boolean sameIssuer = PrincipalUtils.equals(name.getName().toString(), cert.getIssuerX500Principal().toString());
            if (sameIssuer && bigInteger.equals(cert.getSerialNumber())) {
                matched = true;
                break;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("authorityCertIssuer i authorityCertSerialNumber " + (matched ? "" : "NIE ") + "pasują do certyfikatu (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(cert) + "; authorityCertIssuer: " + generalNames + "; authorityCertSerialNumber: " + bigInteger + ")");
        }
        return matched;
    }

    /**
     * Tells whether the AKI's keyIdentifier equals the candidate's SubjectKeyIdentifier.
     * <p>
     * When the candidate has no SKI extension the identifier is instead compared with values
     * derived from its public key ({@link #isGeneratedSkiMatched}).
     *
     * @param authorityKeyIdentifier AKI whose keyIdentifier must be present
     * @param x509Certificate candidate issuer certificate, must not be {@code null}
     * @return {@code true} on a byte-for-byte match
     * @throws IllegalArgumentException when the AKI has no keyIdentifier or the certificate is {@code null}
     */
    private static boolean isKeyIdentifierMatched(AuthorityKeyIdentifier authorityKeyIdentifier, iaik.x509.X509Certificate x509Certificate) throws PKIException, CertificateException {
        byte[] akiKeyId = authorityKeyIdentifier.getKeyIdentifier();
        if (akiKeyId == null) {
            throw new IllegalArgumentException("'keyIdentifier' mustn't be null");
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        SubjectKeyIdentifier ski = getSubjectKeyIdentifier(x509Certificate);
        boolean matched;
        if (ski == null) {
            if (log.isDebugEnabled()) {
                log.debug("W certyfikacie wystawcy brak SKI. Próbuję dopasowac keyIdentifier z AKI do wygenerowanego SKI");
            }
            matched = isGeneratedSkiMatched(x509Certificate, akiKeyId);
        } else {
            matched = Arrays.equals(akiKeyId, ski.get());
        }
        if (log.isDebugEnabled()) {
            String skiLabel = ski != null ? ski.toString() : Configurator.NULL;
            log.debug("SKI (" + skiLabel + ") " + (matched ? "" : "nie ") + "pasuje do keyIdentifier z AKI (" + authorityKeyIdentifier.toString() + "), cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
        }
        return matched;
    }

    /**
     * Decides whether {@code x509Certificate} (the potential issuer) is the issuer of
     * {@code x509Certificate2}.
     *
     * <p>All of the following must hold, evaluated in this order (short-circuit):
     * <ol>
     *   <li>the child's issuer DN equals the candidate's subject DN — unless the property
     *       {@code pl.unizeto.android.cryptoapi.allowDifferentSubjectIssuerNames} is set, which
     *       skips name chaining entirely and relies on the remaining checks only;</li>
     *   <li>if the child carries an AKI, it matches the candidate ({@link #isAkiMatched});</li>
     *   <li>the candidate may sign certificates ({@link #canSignCerts});</li>
     *   <li>the candidate is not a self-signed sub-CA ({@link #isSelfSignedSubCa});</li>
     *   <li>the child's signature verifies under the candidate's public key
     *       ({@link #isSignedBy}).</li>
     * </ol>
     * IAIK certificate objects are converted to the JCA type first. Note that the initial debug
     * message is built before the null checks, so a {@code null} argument may surface from the
     * logging helper rather than as the {@code IllegalArgumentException} below.
     *
     * @param x509Certificate  candidate issuer, never {@code null}
     * @param x509Certificate2 certificate whose issuer is being sought, never {@code null}
     * @return {@code true} when the candidate is an acceptable issuer of the certificate
     * @throws IllegalArgumentException when either argument is {@code null}
     */
    public static boolean isLegalIssuer(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws PKIException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException, CodingException {
        if (log.isDebugEnabled()) {
            log.debug("Sprawdzanie czy certyfikat jest wystawcą drugiego certyfikatu (potentialIssuer: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + "; cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate2) + ")");
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("'potentialIssuer' mustn't be null");
        }
        if (x509Certificate2 == null) {
            throw new IllegalArgumentException("'cert' mustn't be null");
        }
        if (x509Certificate2 instanceof iaik.x509.X509Certificate) {
            x509Certificate2 = CertificateUtils.convert((iaik.x509.X509Certificate) x509Certificate2);
        }
        if (x509Certificate instanceof iaik.x509.X509Certificate) {
            x509Certificate = CertificateUtils.convert((iaik.x509.X509Certificate) x509Certificate);
        }
        log.debug("Cert Issuer:      " + x509Certificate2.getIssuerX500Principal());
        log.debug("Potential Issuer: " + x509Certificate.getSubjectX500Principal());
        // Configuration switch that disables DN chaining; off by default.
        boolean namesMayDiffer = BooleanUtils.toBoolean(CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.allowDifferentSubjectIssuerNames", PdfBoolean.FALSE));
        boolean namesChain = PrincipalUtils.equals(x509Certificate2.getIssuerX500Principal(), x509Certificate.getSubjectX500Principal());
        boolean isIssuer = false;
        if (namesChain || namesMayDiffer) {
            AuthorityKeyIdentifier aki = getAuthorityKeyIdentifier(x509Certificate2);
            boolean akiAcceptable = aki == null || isAkiMatched(aki, x509Certificate);
            isIssuer = akiAcceptable
                    && canSignCerts(x509Certificate)
                    && !isSelfSignedSubCa(x509Certificate)
                    && isSignedBy(x509Certificate2, x509Certificate);
        }
        if (log.isDebugEnabled()) {
            log.debug("'potentialIssuer' " + (isIssuer ? "" : "NIE ") + "jest wystawcą 'cert' (potentialIssuer: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + "; cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate2) + ")");
        }
        return isIssuer;
    }

    /**
     * Checks whether a certificate may be used to sign OCSP responses.
     *
     * <p>The property {@code pl.unizeto.android.cryptoapi.disableOcspSigningCertUsageCheck}, when
     * set to {@code "true"}, makes this method accept any certificate without looking at its
     * extensions. Otherwise the certificate must pass {@link #isForOCSPSigning} and, if it has a
     * readable KeyUsage extension, that extension must have bit {@code 1} or {@code 2} set
     * (bit {@code 2} is nonRepudiation per the messages elsewhere in this class; {@code 1} is
     * presumably digitalSignature — confirm against this IAIK version's {@code KeyUsage}
     * constants). An unreadable or absent KeyUsage is logged and does not block the usage.
     *
     * @param x509Certificate certificate to examine
     * @return {@code true} when OCSP-response signing is allowed
     * @throws CertificateException when the certificate cannot be converted to the IAIK type
     */
    public static boolean isOCSP(X509Certificate x509Certificate) throws CertificateException {
        iaik.x509.X509Certificate iaikCert = CertificateUtils.convert(x509Certificate);
        String disableCheck = CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.disableOcspSigningCertUsageCheck");
        boolean checkDisabled = disableCheck != null && PdfBoolean.TRUE.equals(disableCheck.trim());
        if (checkDisabled) {
            return true;
        }
        if (!isForOCSPSigning(iaikCert)) {
            return false;
        }
        KeyUsage keyUsage = null;
        try {
            keyUsage = (KeyUsage) iaikCert.getExtension(KeyUsage.oid);
        } catch (X509ExtensionInitException e) {
            // Best effort: an unparsable KeyUsage is treated like a missing one.
            log.warn("nie można odczytać 'keyUsage'", (Throwable) e);
        }
        boolean keyUsageForbids = keyUsage != null && !keyUsage.isSet(1) && !keyUsage.isSet(2);
        if (keyUsageForbids) {
            log.warn("Rozszerzenie 'keyUsage' certyfikatu nie pozwala na użycie go dla OCSP (cert:" + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
            return false;
        }
        log.debug("'keyUsage' i 'extendedKeyUsage' pozwala na użycie certyfikatu dla OCSP (cert:" + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        return true;
    }

    /**
     * Convenience wrapper around {@link #verifyPathLenConstraint}.
     *
     * @param certificationPath path to check
     * @return {@code true} when no certificate in the path violates a pathLenConstraint
     */
    public static boolean isPathLengthConstraintObeyed(CertificationPath certificationPath) {
        X509Certificate violator = verifyPathLenConstraint(certificationPath);
        return violator == null;
    }

    /**
     * Heuristic check whether a certificate is a "qualified" certificate.
     *
     * <p>The certificate must be for nonRepudiation only ({@link #isForNonRepudiationOnly}) and
     * every statement in its QCStatements extension must be one of the recognised statement IDs
     * (QCSyntax v1/v2, the ETSI QcCompliance / QcLimitValue / QcRetentionPeriod statements,
     * {@code 0.4.0.1862.1.4} — id-etsi-qcs-QcSSCD — and, for Polish certificates, the
     * {@code SubjectSignatureTypeQCStatement}). One unknown statement makes the result
     * {@code false}.
     *
     * <p>NOTE(review): a certificate with no QCStatements extension at all is accepted as
     * qualified here, as long as it is nonRepudiation-only; callers that need a positive
     * QcCompliance assertion must check for it separately.
     *
     * @param x509Certificate certificate to examine, never {@code null}
     * @return {@code true} when the certificate looks qualified
     * @throws IllegalArgumentException when the certificate is {@code null}
     * @throws CertificateException when the QCStatements extension cannot be parsed
     */
    public static boolean isQualified(X509Certificate x509Certificate) throws CertificateException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert is null");
        }
        if (!isForNonRepudiationOnly(x509Certificate)) {
            return false;
        }
        ArrayList<ObjectID> recognisedStatements = new ArrayList<ObjectID>();
        recognisedStatements.add(QCSyntaxV1.statementID);
        recognisedStatements.add(QCSyntaxV2.statementID);
        recognisedStatements.add(QcEuCompliance.statementID);
        recognisedStatements.add(QcEuLimitValue.statementID);
        recognisedStatements.add(QcEuRetentionPeriod.statementID);
        recognisedStatements.add(new ObjectID("0.4.0.1862.1.4"));
        if (isCertFromCountry(x509Certificate, "PL")) {
            recognisedStatements.add(SubjectSignatureTypeQCStatement.statementID);
        }
        try {
            QCStatements qcStatements = (QCStatements) ESSUtil.convertCertificate(x509Certificate).getExtension(QCStatements.oid);
            if (qcStatements == null) {
                return true;
            }
            for (QCStatement statement : qcStatements.getQCStatements()) {
                ObjectID statementId = statement.getStatementID();
                boolean recognised = false;
                for (ObjectID candidate : recognisedStatements) {
                    if (candidate.equals(statementId)) {
                        recognised = true;
                        break;
                    }
                }
                if (!recognised) {
                    return false;
                }
            }
            return true;
        } catch (X509ExtensionInitException e) {
            log.error("Błąd podczas parsowania certyfikatu", (Throwable) e);
            throw new CertificateException(e);
        }
    }

    /**
     * Checks whether a certificate is a root (trust-anchor shaped) certificate: it is
     * self-issued, may sign certificates, and either has no AKI or its AKI points at itself.
     *
     * <p>This is a structural check only; it does not verify the self-signature and does not
     * establish trust in the certificate.
     *
     * @param x509Certificate certificate to examine
     * @return {@code true} when the certificate has the shape of a root certificate
     */
    public static boolean isRoot(X509Certificate x509Certificate) throws CertificateException, PKIException, CodingException {
        if (log.isDebugEnabled()) {
            log.debug("Sprawdzanie czy certyfikat jest rootem (cert: " + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        boolean isRoot = false;
        if (isSelfIssued(x509Certificate) && canSignCerts(x509Certificate)) {
            AuthorityKeyIdentifier aki = getAuthorityKeyIdentifier(x509Certificate);
            isRoot = aki == null || isAkiMatched(aki, x509Certificate);
        }
        if (log.isDebugEnabled()) {
            log.debug("Certyfikat " + (isRoot ? "" : "NIE ") + "jest rootem (cert:" + CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate) + ")");
        }
        return isRoot;
    }

    /**
     * Checks whether a certificate is self-issued: issuer DN equals subject DN and that DN is
     * not empty. Name equality only — the signature is not examined.
     *
     * @param x509Certificate certificate to examine (IAIK instances are converted first)
     * @return {@code true} when issuer and subject are the same, non-empty name
     */
    private static boolean isSelfIssued(X509Certificate x509Certificate) {
        X509Certificate cert = x509Certificate;
        if (cert instanceof iaik.x509.X509Certificate) {
            cert = CertificateUtils.convert((iaik.x509.X509Certificate) cert);
        }
        boolean sameName = cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal());
        // An empty DN on both sides must not count as self-issued.
        return sameName && !cert.getIssuerX500Principal().getName().isEmpty();
    }

    /**
     * Detects a self-issued CA certificate whose AKI does not point at its own key, i.e. a
     * subordinate CA certificate that merely looks self-issued by name. Such a certificate is
     * not accepted as an issuer by {@link #isLegalIssuer}.
     *
     * @param x509Certificate certificate to examine
     * @return {@code true} when the certificate is self-issued, can sign certificates, carries an
     *         AKI, and that AKI does not match the certificate itself
     */
    private static boolean isSelfSignedSubCa(X509Certificate x509Certificate) throws CertificateException, PKIException, CodingException {
        boolean isSubCa = false;
        if (isSelfIssued(x509Certificate) && canSignCerts(x509Certificate)) {
            AuthorityKeyIdentifier aki = getAuthorityKeyIdentifier(x509Certificate);
            isSubCa = aki != null && !isAkiMatched(aki, x509Certificate);
        }
        if (log.isDebugEnabled()) {
            String certText = CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate);
            if (isSubCa) {
                log.debug("Certyfikat jest samopodpisanym certyfikatem pośredniego CA (cert:" + certText + ")");
            } else {
                log.debug("Certyfikat nie jest samopodpisanym certyfikatem pośredniego CA (cert:" + certText + ")");
            }
        }
        return isSubCa;
    }

    /**
     * Verifies the signature on {@code x509Certificate} with the public key of
     * {@code x509Certificate2}.
     *
     * <p>Only a failed signature check yields {@code false}; problems with the key or algorithm
     * (wrong key type, unsupported algorithm, missing provider) are propagated to the caller.
     * A {@code true} result proves the signature only — it says nothing about whether the
     * signing certificate is trusted or currently valid.
     *
     * @param x509Certificate  certificate whose signature is verified
     * @param x509Certificate2 certificate supplying the verification key
     * @return {@code true} when the signature verifies
     */
    public static boolean isSignedBy(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException {
        boolean verified;
        try {
            x509Certificate.verify(x509Certificate2.getPublicKey());
            verified = true;
        } catch (SignatureException e) {
            log.error("Błąd weryfikacji podpisu pod certyfikatem!", (Throwable) e);
            verified = false;
        }
        return verified;
    }

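    /**
     * Checks whether a certificate may be used by a time-stamping authority.
     *
     * <p>The property {@code pl.unizeto.android.cryptoapi.disableTimeStampingCertUsageCheck},
     * when set to {@code "true"}, makes this method accept any certificate without looking at
     * its extensions. Previously a missing property caused a {@code NullPointerException}
     * here; it is now treated as "check enabled", the same way {@link #isOCSP} handles its
     * property.
     *
     * <p>Otherwise the certificate must pass {@link #isForTimeStamping}, and if it has a readable
     * KeyUsage extension that extension must not set any of the bits 4, 8, 16, 32, 64, 128, 256
     * (everything except bits 1 and 2). For a qualified TSA ({@code z == true}) bit 2 —
     * nonRepudiation, per the warning message below — must additionally be set; bit 1 is
     * presumably digitalSignature (confirm against this IAIK version's {@code KeyUsage}
     * constants). An absent or unparsable KeyUsage is logged and blocks only the qualified case.
     *
     * @param x509Certificate certificate to examine
     * @param z               {@code true} to apply the stricter qualified-TSA rules
     * @return {@code true} when time-stamping is allowed
     * @throws CertificateException when the certificate cannot be converted to the IAIK type
     */
    public static boolean isTsa(X509Certificate x509Certificate, boolean z) throws CertificateException {
        iaik.x509.X509Certificate iaikCert = CertificateUtils.convert(x509Certificate);
        String disableCheck = CommonProperties.getInstance().getProperty("pl.unizeto.android.cryptoapi.disableTimeStampingCertUsageCheck");
        // Null-safe: an unset property means the usage check stays enabled (consistent with isOCSP).
        if (disableCheck != null && PdfBoolean.TRUE.equals(disableCheck.trim())) {
            return true;
        }
        if (!isForTimeStamping(iaikCert)) {
            return false;
        }
        KeyUsage keyUsage = null;
        try {
            keyUsage = (KeyUsage) iaikCert.getExtension(KeyUsage.oid);
        } catch (X509ExtensionInitException e) {
            // Best effort: an unparsable KeyUsage is treated like a missing one.
            log.warn("Nie można odczytać 'keyUsage'", (Throwable) e);
        }
        String certText = CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate);
        boolean hasForbiddenBit = keyUsage != null
                && (keyUsage.isSet(64) || keyUsage.isSet(8) || keyUsage.isSet(256) || keyUsage.isSet(128)
                    || keyUsage.isSet(16) || keyUsage.isSet(32) || keyUsage.isSet(4));
        if (hasForbiddenBit) {
            log.warn("Rozszerzenie 'keyUsage' certyfikatu nie pozwala na użycie go dla TSA (cert:" + certText + ")");
            return false;
        }
        boolean hasNonRepudiation = keyUsage != null && keyUsage.isSet(2);
        if (!z || hasNonRepudiation) {
            log.debug("'keyUsage' i 'extendedKeyUsage' pozwala na użycie certyfikatu dla " + (z ? "kwalifikowanego " : "niekwalifikowanego ") + "TSA (cert:" + certText + ")");
            return true;
        }
        log.warn("Rozszerzenie 'keyUsage' certyfikatu nie pozwala na użycie go dla kwalifikowanego TSA - brak flagi 'nonRepudiation' (cert:" + certText + ")");
        return false;
    }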

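    /**
     * Walks a certification path from its last element down to index 0 and reports the first
     * certificate at which a {@code pathLenConstraint} is exceeded.
     *
     * <p>A running budget starts at the path length. Every non-self-issued certificate consumes
     * one unit, and a certificate's own basicConstraints pathLen (when present and smaller)
     * lowers the budget for the certificates that follow it. The budget is allowed to reach
     * {@code -1} because the end-entity certificate is counted as well; {@code -2} or lower
     * means an intermediate CA exceeded its allowance. NOTE(review): the violation is reported on
     * the certificate at which the budget runs out, which may be one position below the CA whose
     * pathLenConstraint was actually exceeded.
     *
     * <p>Fix: the original loop neither advanced the index nor exited once a violation was found,
     * so it never terminated for a non-compliant path; the loop now stops at the first violation.
     *
     * @param certificationPath path to check; an empty path is reported as compliant
     * @return the first violating certificate, or {@code null} when the constraint is obeyed
     */
    public static X509Certificate verifyPathLenConstraint(CertificationPath certificationPath) {
        if (log.isDebugEnabled()) {
            log.debug("Sprawdzanie zachowania zgodności ścieżki z ograniczeniem pathLenConstraint");
        }
        Vector<X509Certificate> path = certificationPath.getPath();
        if (path.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("Ścieżka certyfikacji jest pusta");
            }
            return null;
        }
        X509Certificate violator = null;
        int remaining = path.size();
        for (int index = path.size() - 1; index >= 0; index--) {
            X509Certificate current = path.elementAt(index);
            if (!isSelfIssued(current)) {
                remaining--;
            }
            if (remaining < -1) {
                violator = current;
                if (log.isDebugEnabled()) {
                    log.debug("Naruszono ograniczenie na długość ścieżki 'pathLenConstraint' w certyfikacie " + CertificateInfoUtil.getSubjectAndSerialNumberString(current));
                }
                break;
            }
            // A stricter pathLenConstraint on this certificate binds the rest of the path.
            int pathLenConstraint = current.getBasicConstraints();
            if (pathLenConstraint >= 0 && pathLenConstraint < remaining) {
                remaining = pathLenConstraint;
            }
        }
        if (violator == null && log.isDebugEnabled()) {
            log.debug("'pathLenConstraint' nienaruszone w ścieżce");
        }
        return violator;
    }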
}
