package org.xipki.ca.api.profile;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.security.ObjectIdentifiers;

/* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec.class */
public abstract class ExtensionSpec {
    /**
     * Special-use and reserved names consulted by {@link #isValidPublicDomain(String)}.
     * A name that matches one of these entries is reported as not public.
     * Note that the entries are not uniform: two carry a leading dot, the rest do not.
     */
    private static final Set<String> specialUseDomains = new HashSet<>(Arrays.asList(
            ".in-addr.arpa", ".ip6.arpa", "home.arpa",
            "example", "example.com", "example.net", "example.org",
            "invalid", "local", "localhost", "onion", "test"));

    // Per-level specifications for the plain RFC 5280 domain. Filled lazily by
    // getExtensionSpec(); a plain HashMap, so it must not be mutated while readers use it.
    private static final Map<Certprofile.CertLevel, ExtensionSpec> rfc5280Instances = new HashMap<>();

    // Per-level specifications for the CA/Browser Forum domain. Filled lazily by
    // getExtensionSpec(), together with rfc5280Instances.
    private static final Map<Certprofile.CertLevel, ExtensionSpec> browserForumInstances = new HashMap<>();

    // Flipped to true once both maps above are populated; the same object is used as the
    // monitor that guards the population step.
    private static final AtomicBoolean instancesInitialized = new AtomicBoolean(false);

    /* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec$BrowserForumBREndEntity.class */
    /**
     * Extension rules for end-entity certificates in the CA/Browser Forum domain.
     * Every rule is additive: the sets declared here are combined with whatever
     * {@link Rfc5280EndEntity} (and through it {@link Rfc5280}) already enforces.
     */
    private static class BrowserForumBREndEntity extends Rfc5280EndEntity {
        // Required on top of the parent's required set.
        private static final Set<ASN1ObjectIdentifier> REQUIRED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.certificatePolicies,
                        Extension.authorityInfoAccess,
                        Extension.extendedKeyUsage,
                        Extension.subjectAlternativeName)));

        // No additional prohibitions at this level; the parent's list still applies.
        private static final Set<ASN1ObjectIdentifier> NON_PERMITTED_EXTENSIONS = Collections.emptySet();

        // No additional critical-only extensions at this level.
        private static final Set<ASN1ObjectIdentifier> CRITICAL_ONLY_EXTENSIONS = Collections.emptySet();

        // Extensions that may only appear as non-critical, in addition to the parent's.
        private static final Set<ASN1ObjectIdentifier> NON_CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.certificatePolicies,
                        Extension.cRLDistributionPoints,
                        Extension.authorityInfoAccess)));

        // Union of this level's and the parent's required extensions, computed once.
        private final Set<ASN1ObjectIdentifier> requiredExtensions;

        private BrowserForumBREndEntity() {
            Set<ASN1ObjectIdentifier> merged = new HashSet<>(REQUIRED_EXTENSIONS);
            merged.addAll(super.getRequiredExtensions());
            this.requiredExtensions = Collections.unmodifiableSet(merged);
        }

        /** Returns the unmodifiable union of this level's and the inherited required extensions. */
        @Override
        public Set<ASN1ObjectIdentifier> getRequiredExtensions() {
            return this.requiredExtensions;
        }

        /** Returns true if the OID is prohibited here or by a parent specification. */
        @Override
        public boolean isNotPermitted(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_PERMITTED_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNotPermitted(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is critical-only here or in a parent specification. */
        @Override
        public boolean isCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isCriticalOnly(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is non-critical-only here or in a parent specification. */
        @Override
        public boolean isNonCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNonCriticalOnly(aSN1ObjectIdentifier);
        }
    }

    /* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec$BrowserForumBRRootCA.class */
    /**
     * Extension rules for root CA certificates in the CA/Browser Forum domain.
     * The class declares nothing of its own, so the effective rules are exactly those of
     * {@link Rfc5280RootCA}.
     * NOTE(review): confirm that no additional Baseline Requirements constraints are
     * intended for root certificates.
     */
    private static class BrowserForumBRRootCA extends Rfc5280RootCA {
        private BrowserForumBRRootCA() {
            super();
        }
    }

    /* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec$BrowserForumBRSubCA.class */
    /**
     * Extension rules for subordinate (and cross) CA certificates in the CA/Browser Forum
     * domain. The sets declared here are combined with those of {@link Rfc5280SubCA} and
     * {@link Rfc5280}; nothing inherited is relaxed.
     */
    private static class BrowserForumBRSubCA extends Rfc5280SubCA {
        // Required on top of the parent's required set.
        private static final Set<ASN1ObjectIdentifier> REQUIRED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.certificatePolicies,
                        Extension.cRLDistributionPoints,
                        Extension.authorityInfoAccess,
                        Extension.basicConstraints,
                        Extension.keyUsage)));

        // No additional prohibitions at this level; the parent's list still applies.
        private static final Set<ASN1ObjectIdentifier> NON_PERMITTED_EXTENSIONS = Collections.emptySet();

        // Extensions that may only appear as critical.
        private static final Set<ASN1ObjectIdentifier> CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.basicConstraints,
                        Extension.keyUsage,
                        Extension.nameConstraints)));

        // Extensions that may only appear as non-critical.
        private static final Set<ASN1ObjectIdentifier> NON_CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.certificatePolicies,
                        Extension.cRLDistributionPoints,
                        Extension.authorityInfoAccess,
                        Extension.extendedKeyUsage)));

        // Union of this level's and the parent's required extensions, computed once.
        private final Set<ASN1ObjectIdentifier> requiredExtensions;

        private BrowserForumBRSubCA() {
            Set<ASN1ObjectIdentifier> merged = new HashSet<>(REQUIRED_EXTENSIONS);
            merged.addAll(super.getRequiredExtensions());
            this.requiredExtensions = Collections.unmodifiableSet(merged);
        }

        /** Returns the unmodifiable union of this level's and the inherited required extensions. */
        @Override
        public Set<ASN1ObjectIdentifier> getRequiredExtensions() {
            return this.requiredExtensions;
        }

        /** Returns true if the OID is prohibited here or by a parent specification. */
        @Override
        public boolean isNotPermitted(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_PERMITTED_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNotPermitted(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is critical-only here or in a parent specification. */
        @Override
        public boolean isCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isCriticalOnly(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is non-critical-only here or in a parent specification. */
        @Override
        public boolean isNonCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNonCriticalOnly(aSN1ObjectIdentifier);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec$Rfc5280.class */
    /**
     * Base extension rules shared by every certificate level in this file.
     * It requires nothing and prohibits nothing by itself; the level-specific subclasses
     * add their own sets and fall back to the criticality rules defined here.
     */
    public static class Rfc5280 extends ExtensionSpec {
        // The base specification does not require any extension.
        private static final Set<ASN1ObjectIdentifier> REQUIRED_EXTENSIONS = Collections.emptySet();

        // Extensions that may only appear as critical.
        // NOTE(review): id_pe_tlsfeature is listed here, while RFC 7633 advises against
        // marking the TLS Feature extension critical - confirm this entry is intended.
        private static final Set<ASN1ObjectIdentifier> CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.keyUsage,
                        Extension.policyMappings,
                        Extension.nameConstraints,
                        Extension.policyConstraints,
                        Extension.inhibitAnyPolicy,
                        ObjectIdentifiers.Extn.id_pe_tlsfeature)));

        // Extensions that may only appear as non-critical.
        private static final Set<ASN1ObjectIdentifier> NON_CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.authorityKeyIdentifier,
                        Extension.subjectKeyIdentifier,
                        Extension.issuerAlternativeName,
                        Extension.subjectDirectoryAttributes,
                        Extension.freshestCRL,
                        Extension.authorityInfoAccess,
                        Extension.subjectInfoAccess,
                        ObjectIdentifiers.Extn.id_SCTs,
                        ObjectIdentifiers.Extn.id_GMT_0015_ICRegistrationNumber,
                        ObjectIdentifiers.Extn.id_GMT_0015_IdentityCode,
                        ObjectIdentifiers.Extn.id_GMT_0015_InsuranceNumber,
                        ObjectIdentifiers.Extn.id_GMT_0015_OrganizationCode,
                        ObjectIdentifiers.Extn.id_GMT_0015_TaxationNumber)));

        // Extensions reported by isNonRequest().
        // NOTE(review): presumably these are the extensions whose value must come from the
        // CA rather than from the certificate request - confirm against the callers.
        private static final Set<ASN1ObjectIdentifier> NON_REQUEST_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.authorityKeyIdentifier,
                        Extension.issuerAlternativeName,
                        Extension.cRLDistributionPoints,
                        Extension.freshestCRL,
                        ObjectIdentifiers.Extn.id_SCTs,
                        Extension.inhibitAnyPolicy)));

        private Rfc5280() {
            super();
        }

        /** Returns the (empty) set of extensions required by the base specification. */
        @Override
        public Set<ASN1ObjectIdentifier> getRequiredExtensions() {
            return REQUIRED_EXTENSIONS;
        }

        /** Returns true if the OID is in the base critical-only set. */
        @Override
        public boolean isCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            boolean listed = CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier);
            return listed;
        }

        /** Returns true if the OID is in the base non-critical-only set. */
        @Override
        public boolean isNonCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            boolean listed = NON_CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier);
            return listed;
        }

        /** Returns true if the OID is in the non-request set. */
        @Override
        public boolean isNonRequest(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            boolean listed = NON_REQUEST_EXTENSIONS.contains(aSN1ObjectIdentifier);
            return listed;
        }

        /** The base specification prohibits no extension; subclasses add their own lists. */
        @Override
        public boolean isNotPermitted(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            return false;
        }
    }

    /* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec$Rfc5280EndEntity.class */
    /**
     * Extension rules for end-entity certificates in the plain RFC 5280 domain.
     * It prohibits the policy-mapping and constraint extensions listed below and
     * otherwise defers to {@link Rfc5280}.
     */
    private static class Rfc5280EndEntity extends Rfc5280 {
        // The only extension required at this level. Unlike the CA-level classes, the
        // parent's required set is not merged in (it is empty in Rfc5280).
        private static final Set<ASN1ObjectIdentifier> REQUIRED_EXTENSIONS =
                Set.of(Extension.subjectKeyIdentifier);

        // Extensions that must not appear in an end-entity certificate.
        private static final Set<ASN1ObjectIdentifier> NON_PERMITTED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.policyMappings,
                        Extension.nameConstraints,
                        Extension.policyConstraints,
                        Extension.inhibitAnyPolicy)));

        // No additional criticality rules at this level; the parent's rules still apply.
        private static final Set<ASN1ObjectIdentifier> CRITICAL_ONLY_EXTENSIONS = Collections.emptySet();
        private static final Set<ASN1ObjectIdentifier> NON_CRITICAL_ONLY_EXTENSIONS = Collections.emptySet();

        private Rfc5280EndEntity() {
            super();
        }

        /** Returns this level's required extensions (an immutable one-element set). */
        @Override
        public Set<ASN1ObjectIdentifier> getRequiredExtensions() {
            return REQUIRED_EXTENSIONS;
        }

        /** Returns true if the OID is prohibited here or by the parent specification. */
        @Override
        public boolean isNotPermitted(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_PERMITTED_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNotPermitted(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is critical-only here or in the parent specification. */
        @Override
        public boolean isCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isCriticalOnly(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is non-critical-only here or in the parent specification. */
        @Override
        public boolean isNonCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNonCriticalOnly(aSN1ObjectIdentifier);
        }
    }

    /* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec$Rfc5280RootCA.class */
    /**
     * Extension rules for root CA certificates in the plain RFC 5280 domain.
     * The sets declared here are combined with the base rules of {@link Rfc5280}.
     */
    private static class Rfc5280RootCA extends Rfc5280 {
        // Required on top of the parent's required set.
        private static final Set<ASN1ObjectIdentifier> REQUIRED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.basicConstraints,
                        Extension.subjectKeyIdentifier,
                        Extension.keyUsage)));

        // Extensions that must not appear in a root CA certificate.
        private static final Set<ASN1ObjectIdentifier> NON_PERMITTED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.certificatePolicies,
                        Extension.extendedKeyUsage,
                        Extension.authorityKeyIdentifier)));

        // Extensions that may only appear as critical.
        private static final Set<ASN1ObjectIdentifier> CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.basicConstraints,
                        Extension.keyUsage)));

        // No additional non-critical-only extensions at this level.
        private static final Set<ASN1ObjectIdentifier> NON_CRITICAL_ONLY_EXTENSIONS = Collections.emptySet();

        // Union of this level's and the parent's required extensions, computed once.
        private final Set<ASN1ObjectIdentifier> requiredExtensions;

        private Rfc5280RootCA() {
            Set<ASN1ObjectIdentifier> merged = new HashSet<>(REQUIRED_EXTENSIONS);
            merged.addAll(super.getRequiredExtensions());
            this.requiredExtensions = Collections.unmodifiableSet(merged);
        }

        /** Returns the unmodifiable union of this level's and the inherited required extensions. */
        @Override
        public Set<ASN1ObjectIdentifier> getRequiredExtensions() {
            return this.requiredExtensions;
        }

        /** Returns true if the OID is prohibited here or by the parent specification. */
        @Override
        public boolean isNotPermitted(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_PERMITTED_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNotPermitted(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is critical-only here or in the parent specification. */
        @Override
        public boolean isCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isCriticalOnly(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is non-critical-only here or in the parent specification. */
        @Override
        public boolean isNonCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNonCriticalOnly(aSN1ObjectIdentifier);
        }
    }

    /* loaded from: input_file:org/xipki/ca/api/profile/ExtensionSpec$Rfc5280SubCA.class */
    /**
     * Extension rules for subordinate CA certificates in the plain RFC 5280 domain.
     * The sets declared here are combined with the base rules of {@link Rfc5280}.
     */
    private static class Rfc5280SubCA extends Rfc5280 {
        // Required on top of the parent's required set.
        private static final Set<ASN1ObjectIdentifier> REQUIRED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.basicConstraints,
                        Extension.subjectKeyIdentifier,
                        Extension.keyUsage)));

        // No additional prohibitions at this level.
        private static final Set<ASN1ObjectIdentifier> NON_PERMITTED_EXTENSIONS = Collections.emptySet();

        // Extensions that may only appear as critical.
        private static final Set<ASN1ObjectIdentifier> CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.basicConstraints,
                        Extension.keyUsage,
                        Extension.nameConstraints)));

        // Extensions that may only appear as non-critical.
        private static final Set<ASN1ObjectIdentifier> NON_CRITICAL_ONLY_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                        Extension.certificatePolicies,
                        Extension.cRLDistributionPoints,
                        Extension.authorityInfoAccess,
                        Extension.extendedKeyUsage)));

        // Union of this level's and the parent's required extensions, computed once.
        private final Set<ASN1ObjectIdentifier> requiredExtensions;

        private Rfc5280SubCA() {
            Set<ASN1ObjectIdentifier> merged = new HashSet<>(REQUIRED_EXTENSIONS);
            merged.addAll(super.getRequiredExtensions());
            this.requiredExtensions = Collections.unmodifiableSet(merged);
        }

        /** Returns the unmodifiable union of this level's and the inherited required extensions. */
        @Override
        public Set<ASN1ObjectIdentifier> getRequiredExtensions() {
            return this.requiredExtensions;
        }

        /** Returns true if the OID is prohibited here or by the parent specification. */
        @Override
        public boolean isNotPermitted(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_PERMITTED_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNotPermitted(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is critical-only here or in the parent specification. */
        @Override
        public boolean isCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isCriticalOnly(aSN1ObjectIdentifier);
        }

        /** Returns true if the OID is non-critical-only here or in the parent specification. */
        @Override
        public boolean isNonCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            if (NON_CRITICAL_ONLY_EXTENSIONS.contains(aSN1ObjectIdentifier)) {
                return true;
            }
            return super.isNonCriticalOnly(aSN1ObjectIdentifier);
        }
    }

    /**
     * Returns the OIDs of the extensions this specification lists as required.
     * The implementations in this file return sets that cannot be modified.
     *
     * @return the required extension OIDs; empty when nothing is required
     */
    public abstract Set<ASN1ObjectIdentifier> getRequiredExtensions();

    /**
     * Tells whether the given extension is on this specification's prohibited list.
     *
     * @param aSN1ObjectIdentifier OID of the extension to look up
     * @return {@code true} if the extension is listed as not permitted
     */
    public abstract boolean isNotPermitted(ASN1ObjectIdentifier aSN1ObjectIdentifier);

    /**
     * Tells whether the given extension is listed as critical-only.
     * NOTE(review): presumably a caller rejects such an extension when it is encoded as
     * non-critical - the enforcement itself is not in this file.
     *
     * @param aSN1ObjectIdentifier OID of the extension to look up
     * @return {@code true} if the extension is in the critical-only list
     */
    public abstract boolean isCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier);

    /**
     * Tells whether the given extension is listed as non-critical-only.
     * NOTE(review): presumably a caller rejects such an extension when it is encoded as
     * critical - the enforcement itself is not in this file.
     *
     * @param aSN1ObjectIdentifier OID of the extension to look up
     * @return {@code true} if the extension is in the non-critical-only list
     */
    public abstract boolean isNonCriticalOnly(ASN1ObjectIdentifier aSN1ObjectIdentifier);

    /**
     * Tells whether the given extension is on this specification's non-request list.
     * NOTE(review): the name suggests extensions whose value must not be taken from the
     * certificate request - confirm against the callers.
     *
     * @param aSN1ObjectIdentifier OID of the extension to look up
     * @return {@code true} if the extension is in the non-request list
     */
    public abstract boolean isNonRequest(ASN1ObjectIdentifier aSN1ObjectIdentifier);

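    /**
     * Tells whether a host name is syntactically valid and does not fall under one of the
     * special-use names in {@code specialUseDomains}.
     *
     * <p>Matching is done on whole DNS labels: a name is rejected when it equals an entry
     * or is a subdomain of it. A plain suffix comparison would reject unrelated public
     * names that merely end with the same characters (for instance a registrable name
     * ending in "example.com") and would miss an entry written with a leading dot when
     * the name is that zone itself.
     *
     * @param str the host name to check
     * @return {@code true} if the name passes {@code DomainValidator} and matches no
     *         special-use entry
     */
    public static boolean isValidPublicDomain(String str) {
        if (!DomainValidator.getInstance().isValid(str)) {
            return false;
        }
        // Locale.ROOT keeps the folding independent of the JVM default locale; with a
        // Turkish default, "INVALID" would not lower-case to "invalid" and the check
        // below would be skipped.
        String name = str.toLowerCase(java.util.Locale.ROOT);
        // Drop one trailing root dot, in case the validator accepts the rooted form, so
        // that "localhost." is treated like "localhost".
        if (name.endsWith(".")) {
            name = name.substring(0, name.length() - 1);
        }
        for (String entry : specialUseDomains) {
            // Entries are stored with and without a leading dot; normalise to the bare name.
            String reserved = entry.startsWith(".") ? entry.substring(1) : entry;
            if (name.equals(reserved) || name.endsWith("." + reserved)) {
                return false;
            }
        }
        return true;
    }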

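    /**
     * Tells whether a 4-byte IPv4 address lies outside the special-purpose ranges listed
     * below, i.e. whether it may be treated as a publicly routable unicast address.
     *
     * <p>Besides the RFC 1918 private ranges, the check also rejects loopback, link-local,
     * "this network", shared (carrier-grade NAT), documentation, benchmarking, multicast
     * and reserved addresses; none of these identifies a host on the public Internet, so
     * they must not pass a "public address" check used for certificate contents.
     *
     * @param bArr the address in network byte order
     * @return {@code false} if {@code bArr} is {@code null}, is not 4 bytes long, or falls
     *         in a special-purpose range; {@code true} otherwise
     */
    public static boolean isValidPublicIPv4Address(byte[] bArr) {
        if (bArr == null || bArr.length != 4) {
            return false;
        }
        // Mask to read each byte as an unsigned octet.
        int first = bArr[0] & 0xFF;
        int second = bArr[1] & 0xFF;
        int third = bArr[2] & 0xFF;

        // 224.0.0.0/4 multicast and 240.0.0.0/4 reserved, including limited broadcast.
        if (first >= 224) {
            return false;
        }
        switch (first) {
            case 0:   // 0.0.0.0/8 "this network"
            case 10:  // 10.0.0.0/8 private (RFC 1918)
            case 127: // 127.0.0.0/8 loopback
                return false;
            case 100: // 100.64.0.0/10 shared address space (RFC 6598)
                return second < 64 || second > 127;
            case 169: // 169.254.0.0/16 link-local (RFC 3927)
                return second != 254;
            case 172: // 172.16.0.0/12 private (RFC 1918)
                return second < 16 || second > 31;
            case 192:
                if (second == 168) { // 192.168.0.0/16 private (RFC 1918)
                    return false;
                }
                // 192.0.2.0/24 documentation (RFC 5737)
                return !(second == 0 && third == 2);
            case 198:
                if (second == 18 || second == 19) { // 198.18.0.0/15 benchmarking (RFC 2544)
                    return false;
                }
                // 198.51.100.0/24 documentation (RFC 5737)
                return !(second == 51 && third == 100);
            case 203: // 203.0.113.0/24 documentation (RFC 5737)
                return !(second == 0 && third == 113);
            default:
                return true;
        }
    }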

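    /**
     * Returns the shared extension specification for a certificate domain and level.
     *
     * <p>The per-level instances are created on first use. SubCA and CROSS share one
     * instance per domain. Any domain other than {@code CABForumBR} is served from the
     * RFC 5280 table.
     *
     * @param certDomain the certificate domain selecting the rule family
     * @param certLevel the certificate level to look up
     * @return the matching specification, or {@code null} if no instance is registered
     *         for {@code certLevel}
     */
    public static ExtensionSpec getExtensionSpec(Certprofile.CertDomain certDomain, Certprofile.CertLevel certLevel) {
        if (!instancesInitialized.get()) {
            synchronized (instancesInitialized) {
                // Re-check under the lock: without it, a second thread that passed the
                // outer test would repopulate the plain HashMaps while other threads,
                // having already seen the flag set, read them without synchronization.
                if (!instancesInitialized.get()) {
                    rfc5280Instances.put(Certprofile.CertLevel.RootCA, new Rfc5280RootCA());
                    Rfc5280SubCA rfc5280SubCA = new Rfc5280SubCA();
                    rfc5280Instances.put(Certprofile.CertLevel.SubCA, rfc5280SubCA);
                    rfc5280Instances.put(Certprofile.CertLevel.CROSS, rfc5280SubCA);
                    rfc5280Instances.put(Certprofile.CertLevel.EndEntity, new Rfc5280EndEntity());
                    browserForumInstances.put(Certprofile.CertLevel.RootCA, new BrowserForumBRRootCA());
                    BrowserForumBRSubCA browserForumBRSubCA = new BrowserForumBRSubCA();
                    browserForumInstances.put(Certprofile.CertLevel.SubCA, browserForumBRSubCA);
                    browserForumInstances.put(Certprofile.CertLevel.CROSS, browserForumBRSubCA);
                    browserForumInstances.put(Certprofile.CertLevel.EndEntity, new BrowserForumBREndEntity());
                    // Publish only after both maps are complete.
                    instancesInitialized.set(true);
                }
            }
        }
        return certDomain == Certprofile.CertDomain.CABForumBR ? browserForumInstances.get(certLevel) : rfc5280Instances.get(certLevel);
    }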
}
