package org.xipki.ca.qa;

import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1StreamParser;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERT61String;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.isismtt.x509.AdmissionSyntax;
import org.bouncycastle.asn1.isismtt.x509.Admissions;
import org.bouncycastle.asn1.isismtt.x509.ProfessionInfo;
import org.bouncycastle.asn1.x500.DirectoryString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.Attribute;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.CertPolicyId;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.PolicyQualifierId;
import org.bouncycastle.asn1.x509.PolicyQualifierInfo;
import org.bouncycastle.asn1.x509.PrivateKeyUsagePeriod;
import org.bouncycastle.asn1.x509.SubjectDirectoryAttributes;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.UserNotice;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.asn1.x509.qualified.BiometricData;
import org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode;
import org.bouncycastle.asn1.x509.qualified.MonetaryValue;
import org.bouncycastle.asn1.x509.qualified.QCStatement;
import org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.BadCertTemplateException;
import org.xipki.ca.api.profile.CertValidity;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.DirectoryStringType;
import org.xipki.ca.api.profile.ExtensionControl;
import org.xipki.ca.api.profile.GeneralNameMode;
import org.xipki.ca.api.profile.GeneralNameTag;
import org.xipki.ca.api.profile.Range;
import org.xipki.ca.api.profile.x509.AuthorityInfoAccessControl;
import org.xipki.ca.api.profile.x509.ExtKeyUsageControl;
import org.xipki.ca.api.profile.x509.KeyUsageControl;
import org.xipki.ca.api.profile.x509.SubjectDirectoryAttributesControl;
import org.xipki.ca.api.profile.x509.SubjectDnSpec;
import org.xipki.ca.api.profile.x509.X509CertLevel;
import org.xipki.ca.certprofile.BiometricInfoOption;
import org.xipki.ca.certprofile.XmlX509Certprofile;
import org.xipki.ca.certprofile.XmlX509CertprofileUtil;
import org.xipki.ca.certprofile.commonpki.AdmissionSyntaxOption;
import org.xipki.ca.certprofile.x509.jaxb.AdditionalInformation;
import org.xipki.ca.certprofile.x509.jaxb.AuthorizationTemplate;
import org.xipki.ca.certprofile.x509.jaxb.CertificatePolicies;
import org.xipki.ca.certprofile.x509.jaxb.ConstantExtValue;
import org.xipki.ca.certprofile.x509.jaxb.ExtensionType;
import org.xipki.ca.certprofile.x509.jaxb.ExtensionsType;
import org.xipki.ca.certprofile.x509.jaxb.InhibitAnyPolicy;
import org.xipki.ca.certprofile.x509.jaxb.NameConstraints;
import org.xipki.ca.certprofile.x509.jaxb.PdsLocationType;
import org.xipki.ca.certprofile.x509.jaxb.PdsLocationsType;
import org.xipki.ca.certprofile.x509.jaxb.PolicyConstraints;
import org.xipki.ca.certprofile.x509.jaxb.PolicyMappings;
import org.xipki.ca.certprofile.x509.jaxb.QcEuLimitValueType;
import org.xipki.ca.certprofile.x509.jaxb.QcStatementType;
import org.xipki.ca.certprofile.x509.jaxb.QcStatementValueType;
import org.xipki.ca.certprofile.x509.jaxb.QcStatements;
import org.xipki.ca.certprofile.x509.jaxb.Range2Type;
import org.xipki.ca.certprofile.x509.jaxb.RangeType;
import org.xipki.ca.certprofile.x509.jaxb.RangesType;
import org.xipki.ca.certprofile.x509.jaxb.Restriction;
import org.xipki.ca.certprofile.x509.jaxb.SMIMECapabilities;
import org.xipki.ca.certprofile.x509.jaxb.SMIMECapability;
import org.xipki.ca.certprofile.x509.jaxb.TlsFeature;
import org.xipki.ca.certprofile.x509.jaxb.TripleState;
import org.xipki.ca.certprofile.x509.jaxb.ValidityModel;
import org.xipki.ca.certprofile.x509.jaxb.X509ProfileType;
import org.xipki.ca.qa.internal.QaAuthorizationTemplate;
import org.xipki.ca.qa.internal.QaCertificatePolicies;
import org.xipki.ca.qa.internal.QaDirectoryString;
import org.xipki.ca.qa.internal.QaExtensionValue;
import org.xipki.ca.qa.internal.QaGeneralSubtree;
import org.xipki.ca.qa.internal.QaInhibitAnyPolicy;
import org.xipki.ca.qa.internal.QaNameConstraints;
import org.xipki.ca.qa.internal.QaPolicyConstraints;
import org.xipki.ca.qa.internal.QaPolicyMappingsOption;
import org.xipki.ca.qa.internal.QaPolicyQualifierInfo;
import org.xipki.ca.qa.internal.QaPolicyQualifiers;
import org.xipki.ca.qa.internal.QaTlsFeature;
import org.xipki.common.qa.ValidationIssue;
import org.xipki.common.util.CollectionUtil;
import org.xipki.common.util.CompareUtil;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.security.ExtensionExistence;
import org.xipki.security.HashAlgoType;
import org.xipki.security.KeyUsage;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.util.X509Util;

/* loaded from: input_file:org/xipki/ca/qa/ExtensionsChecker.class */
public class ExtensionsChecker {
    // DER encoding of ASN.1 NULL: tag 0x05, length 0.
    private static final byte[] DER_NULL = {5, 0};
    private static final Logger LOG = LoggerFactory.getLogger(ExtensionsChecker.class);
    // Names of the nine KeyUsage values, in the order listed here.
    private static final List<String> ALL_USAGES = Arrays.asList(KeyUsage.digitalSignature.getName(), KeyUsage.contentCommitment.getName(), KeyUsage.keyEncipherment.getName(), KeyUsage.dataEncipherment.getName(), KeyUsage.keyAgreement.getName(), KeyUsage.keyCertSign.getName(), KeyUsage.cRLSign.getName(), KeyUsage.encipherOnly.getName(), KeyUsage.decipherOnly.getName());
    // The expectation fields below are assigned only in the constructor, and only when
    // the profile's extension controls contain the matching OID and a value is configured.
    // Each one stays null otherwise, so readers must null-check before use.
    private QaCertificatePolicies certificatePolicies;
    private QaPolicyMappingsOption policyMappings;
    private QaNameConstraints nameConstraints;
    private QaPolicyConstraints policyConstraints;
    private QaInhibitAnyPolicy inhibitAnyPolicy;
    private QaDirectoryString restriction;
    private QaDirectoryString additionalInformation;
    private ASN1ObjectIdentifier validityModelId;
    // Kept as the raw JAXB configuration object (not wrapped in a Qa* type).
    private QcStatements qcStatements;
    private QaAuthorizationTemplate authorizationTemplate;
    private QaTlsFeature tlsFeature;
    // Expected criticality and DER-encoded value of the SMIMECapabilities extension.
    private QaExtensionValue smimeCapabilities;
    // Result of buildConstantExtesions(...); getExpectedExtValue treats it as possibly null.
    private Map<ASN1ObjectIdentifier, QaExtensionValue> constantExtensions;
    // Profile whose extension controls decide which extensions are required or permitted.
    private XmlX509Certprofile certProfile;

    /*
     * Decompiler-recovered synthetic helper (originally ExtensionsChecker$1).
     * It holds two int tables indexed by enum ordinal, one for DirectoryStringType
     * and one for GeneralNameTag. The code that reads the tables is outside this
     * class; presumably they back switch statements over those enums.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xipki.ca.qa.ExtensionsChecker$1, reason: invalid class name */
    /* loaded from: input_file:org/xipki/ca/qa/ExtensionsChecker$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag;
        static final /* synthetic */ int[] $SwitchMap$org$xipki$ca$api$profile$DirectoryStringType = new int[DirectoryStringType.values().length];

        static {
            // Each assignment is wrapped separately: a NoSuchFieldError for one constant
            // is ignored and that constant's slot keeps the array default of 0.
            // DirectoryStringType: bmpString=1, printableString=2, teletexString=3, utf8String=4.
            try {
                $SwitchMap$org$xipki$ca$api$profile$DirectoryStringType[DirectoryStringType.bmpString.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$DirectoryStringType[DirectoryStringType.printableString.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$DirectoryStringType[DirectoryStringType.teletexString.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$DirectoryStringType[DirectoryStringType.utf8String.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            // GeneralNameTag: rfc822Name=1, dNSName=2, uniformResourceIdentifier=3,
            // iPAddress=4, directoryName=5, registeredID=6.
            $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag = new int[GeneralNameTag.values().length];
            try {
                $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag[GeneralNameTag.rfc822Name.ordinal()] = 1;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag[GeneralNameTag.dNSName.ordinal()] = 2;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag[GeneralNameTag.uniformResourceIdentifier.ordinal()] = 3;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag[GeneralNameTag.iPAddress.ordinal()] = 4;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag[GeneralNameTag.directoryName.ordinal()] = 5;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$xipki$ca$api$profile$GeneralNameTag[GeneralNameTag.registeredID.ordinal()] = 6;
            } catch (NoSuchFieldError e10) {
            }
        }
    }

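    /**
     * Builds the expected extension values for a certificate profile.
     *
     * <p>For every extension handled here, the expectation is recorded only when the
     * profile's extension controls contain the extension's OID and a configuration value
     * is present; otherwise the matching field stays {@code null}. SMIMECapabilities is
     * the exception: once its OID is controlled, a configured value is mandatory.
     *
     * @param x509ProfileType the JAXB profile configuration; must not be {@code null}
     * @param xmlX509Certprofile the profile that supplies the extension controls; must not
     *     be {@code null}
     * @throws CertprofileException if SMIMECapabilities is controlled but not configured,
     *     or its value cannot be DER-encoded (helpers called here may declare it as well)
     */
    public ExtensionsChecker(X509ProfileType x509ProfileType, XmlX509Certprofile xmlX509Certprofile) throws CertprofileException {
        this.certProfile = (XmlX509Certprofile) ParamUtil.requireNonNull("certProfile", xmlX509Certprofile);
        ParamUtil.requireNonNull("conf", x509ProfileType);
        ExtensionsType extensions = x509ProfileType.getExtensions();
        // Wildcard view: only containsKey/get are needed, values are cast where used.
        Map<?, ?> extensionControls = xmlX509Certprofile.extensionControls();

        ASN1ObjectIdentifier type = Extension.certificatePolicies;
        if (extensionControls.containsKey(type)) {
            CertificatePolicies conf = (CertificatePolicies) getExtensionValue(type, extensions, CertificatePolicies.class);
            if (conf != null) {
                this.certificatePolicies = new QaCertificatePolicies(conf);
            }
        }

        type = Extension.policyMappings;
        if (extensionControls.containsKey(type)) {
            PolicyMappings conf = (PolicyMappings) getExtensionValue(type, extensions, PolicyMappings.class);
            if (conf != null) {
                this.policyMappings = new QaPolicyMappingsOption(conf);
            }
        }

        type = Extension.nameConstraints;
        if (extensionControls.containsKey(type)) {
            NameConstraints conf = (NameConstraints) getExtensionValue(type, extensions, NameConstraints.class);
            if (conf != null) {
                this.nameConstraints = new QaNameConstraints(conf);
            }
        }

        type = Extension.policyConstraints;
        if (extensionControls.containsKey(type)) {
            PolicyConstraints conf = (PolicyConstraints) getExtensionValue(type, extensions, PolicyConstraints.class);
            if (conf != null) {
                this.policyConstraints = new QaPolicyConstraints(conf);
            }
        }

        type = Extension.inhibitAnyPolicy;
        if (extensionControls.containsKey(type)) {
            InhibitAnyPolicy conf = (InhibitAnyPolicy) getExtensionValue(type, extensions, InhibitAnyPolicy.class);
            if (conf != null) {
                this.inhibitAnyPolicy = new QaInhibitAnyPolicy(conf);
            }
        }

        type = ObjectIdentifiers.id_extension_restriction;
        if (extensionControls.containsKey(type)) {
            Restriction conf = (Restriction) getExtensionValue(type, extensions, Restriction.class);
            if (conf != null) {
                this.restriction = new QaDirectoryString(XmlX509CertprofileUtil.convertDirectoryStringType(conf.getType()), conf.getText());
            }
        }

        type = ObjectIdentifiers.id_extension_additionalInformation;
        if (extensionControls.containsKey(type)) {
            AdditionalInformation conf = (AdditionalInformation) getExtensionValue(type, extensions, AdditionalInformation.class);
            if (conf != null) {
                this.additionalInformation = new QaDirectoryString(XmlX509CertprofileUtil.convertDirectoryStringType(conf.getType()), conf.getText());
            }
        }

        type = ObjectIdentifiers.id_extension_validityModel;
        if (extensionControls.containsKey(type)) {
            ValidityModel conf = (ValidityModel) getExtensionValue(type, extensions, ValidityModel.class);
            if (conf != null) {
                this.validityModelId = new ASN1ObjectIdentifier(conf.getModelId().getValue());
            }
        }

        type = Extension.qCStatements;
        if (extensionControls.containsKey(type)) {
            QcStatements conf = (QcStatements) getExtensionValue(type, extensions, QcStatements.class);
            if (conf != null) {
                this.qcStatements = conf;
            }
        }

        type = ObjectIdentifiers.id_pe_tlsfeature;
        if (extensionControls.containsKey(type)) {
            TlsFeature conf = (TlsFeature) getExtensionValue(type, extensions, TlsFeature.class);
            if (conf != null) {
                this.tlsFeature = new QaTlsFeature(conf);
            }
        }

        type = ObjectIdentifiers.id_xipki_ext_authorizationTemplate;
        if (extensionControls.containsKey(type)) {
            AuthorizationTemplate conf = (AuthorizationTemplate) getExtensionValue(type, extensions, AuthorizationTemplate.class);
            if (conf != null) {
                this.authorizationTemplate = new QaAuthorizationTemplate(conf);
            }
        }

        type = ObjectIdentifiers.id_smimeCapabilities;
        if (extensionControls.containsKey(type)) {
            SMIMECapabilities conf = (SMIMECapabilities) getExtensionValue(type, extensions, SMIMECapabilities.class);
            if (conf == null) {
                // Fail with the declared exception instead of a NullPointerException:
                // checkExtensions reads this.smimeCapabilities unconditionally for this OID.
                throw new CertprofileException("extension SMIMECapabilities is controlled by the profile but has no configured value");
            }
            ASN1EncodableVector capabilities = new ASN1EncodableVector();
            for (SMIMECapability capability : conf.getSMIMECapability()) {
                ASN1ObjectIdentifier capabilityId = new ASN1ObjectIdentifier(capability.getCapabilityID().getValue());
                // Parameters are either an INTEGER or an arbitrary pre-encoded ASN.1 value,
                // so the holder has to be the common ASN1Encodable type.
                ASN1Encodable capabilityParams = null;
                SMIMECapability.Parameters paramsConf = capability.getParameters();
                if (paramsConf != null) {
                    if (paramsConf.getInteger() != null) {
                        capabilityParams = new ASN1Integer(paramsConf.getInteger());
                    } else if (paramsConf.getBase64Binary() != null) {
                        capabilityParams = readAsn1Encodable(paramsConf.getBase64Binary().getValue());
                    }
                }
                capabilities.add(new org.bouncycastle.asn1.smime.SMIMECapability(capabilityId, capabilityParams));
            }
            try {
                boolean critical = ((ExtensionControl) extensionControls.get(type)).isCritical();
                this.smimeCapabilities = new QaExtensionValue(critical, new DERSequence(capabilities).getEncoded());
            } catch (IOException e) {
                throw new CertprofileException("Cannot encode SMIMECapabilities: " + e.getMessage());
            }
        }

        this.constantExtensions = buildConstantExtesions(extensions);
    }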

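    /**
     * Checks the extensions of an issued certificate against the profile.
     *
     * <p>One issue is produced for each required extension that is missing and one for
     * each extension present in the certificate. A present extension fails when it is not
     * expected, when its criticality differs from the profile, when its value differs from
     * the expectation, or when its value cannot be parsed.
     *
     * @param certificate the certificate under test; must not be {@code null}
     * @param x509IssuerInfo issuer data used by the issuer-dependent checks; must not be
     *     {@code null}
     * @param extensions extensions used as the request side of the comparison (presumably
     *     those of the certificate request); may be {@code null}
     * @param x500Name passed through to the SubjectAltName check
     * @return the validation issues; a single general issue if the certificate carries no
     *     extensions at all
     * @throws IllegalArgumentException if the certificate cannot be converted to an
     *     {@link X509Certificate}
     */
    public List<ValidationIssue> checkExtensions(Certificate certificate, X509IssuerInfo x509IssuerInfo, Extensions extensions, X500Name x500Name) {
        ParamUtil.requireNonNull("cert", certificate);
        ParamUtil.requireNonNull("issuerInfo", x509IssuerInfo);
        try {
            X509Certificate x509Cert = X509Util.toX509Cert(certificate);
            List<ValidationIssue> issues = new LinkedList<>();

            // A certificate without an extensions field yields null here, so the null
            // test must come before getExtensionOIDs() is called.
            Extensions certExtensions = certificate.getTBSCertificate().getExtensions();
            ASN1ObjectIdentifier[] presentOids = (certExtensions == null) ? null : certExtensions.getExtensionOIDs();
            if (presentOids == null) {
                ValidationIssue generalIssue = new ValidationIssue("X509.EXT.GEN", "extension general");
                issues.add(generalIssue);
                generalIssue.setFailureMessage("no extension is present");
                return issues;
            }

            // Computed after the early return because it also reads the certificate's extensions.
            Set<ASN1ObjectIdentifier> expectedTypes = getExensionTypes(certificate, x509IssuerInfo, extensions);
            List<ASN1ObjectIdentifier> presentTypes = Arrays.asList(presentOids);

            for (ASN1ObjectIdentifier expectedOid : expectedTypes) {
                if (!presentTypes.contains(expectedOid)) {
                    ValidationIssue absentIssue = createExtensionIssue(expectedOid);
                    issues.add(absentIssue);
                    absentIssue.setFailureMessage("extension is absent but is required");
                }
            }

            Map<?, ?> extensionControls = this.certProfile.extensionControls();
            for (ASN1ObjectIdentifier oid : presentTypes) {
                ValidationIssue issue = createExtensionIssue(oid);
                issues.add(issue);

                // The expected set can contain OIDs taken from the request that the profile
                // has no control for; report them instead of dereferencing a null control.
                ExtensionControl extensionControl = (ExtensionControl) extensionControls.get(oid);
                if (!expectedTypes.contains(oid) || extensionControl == null) {
                    issue.setFailureMessage("extension is present but is not permitted");
                    continue;
                }

                Extension extension = certExtensions.getExtension(oid);
                StringBuilder sb = new StringBuilder();
                if (extensionControl.isCritical() != extension.isCritical()) {
                    addViolation(sb, "critical", Boolean.valueOf(extension.isCritical()), Boolean.valueOf(extensionControl.isCritical()));
                }
                byte[] octets = extension.getExtnValue().getOctets();
                try {
                    if (Extension.authorityKeyIdentifier.equals(oid)) {
                        checkExtensionIssuerKeyIdentifier(sb, octets, x509IssuerInfo);
                    } else if (Extension.subjectKeyIdentifier.equals(oid)) {
                        checkExtensionSubjectKeyIdentifier(sb, octets, certificate.getSubjectPublicKeyInfo());
                    } else if (Extension.keyUsage.equals(oid)) {
                        checkExtensionKeyUsage(sb, octets, x509Cert.getKeyUsage(), extensions, extensionControl);
                    } else if (Extension.certificatePolicies.equals(oid)) {
                        checkExtensionCertificatePolicies(sb, octets, extensions, extensionControl);
                    } else if (Extension.policyMappings.equals(oid)) {
                        checkExtensionPolicyMappings(sb, octets, extensions, extensionControl);
                    } else if (Extension.subjectAlternativeName.equals(oid)) {
                        checkExtensionSubjectAltName(sb, octets, extensions, extensionControl, x500Name);
                    } else if (Extension.subjectDirectoryAttributes.equals(oid)) {
                        checkExtensionSubjectDirAttrs(sb, octets, extensions, extensionControl);
                    } else if (Extension.issuerAlternativeName.equals(oid)) {
                        checkExtensionIssuerAltNames(sb, octets, x509IssuerInfo);
                    } else if (Extension.basicConstraints.equals(oid)) {
                        checkExtensionBasicConstraints(sb, octets);
                    } else if (Extension.nameConstraints.equals(oid)) {
                        // Receives the certificate's own extensions, not the request side.
                        checkExtensionNameConstraints(sb, octets, certExtensions, extensionControl);
                    } else if (Extension.policyConstraints.equals(oid)) {
                        checkExtensionPolicyConstraints(sb, octets, extensions, extensionControl);
                    } else if (Extension.extendedKeyUsage.equals(oid)) {
                        checkExtensionExtendedKeyUsage(sb, octets, extensions, extensionControl);
                    } else if (Extension.cRLDistributionPoints.equals(oid)) {
                        checkExtensionCrlDistributionPoints(sb, octets, x509IssuerInfo);
                    } else if (Extension.inhibitAnyPolicy.equals(oid)) {
                        // Receives the certificate's own extensions, not the request side.
                        checkExtensionInhibitAnyPolicy(sb, octets, certExtensions, extensionControl);
                    } else if (Extension.freshestCRL.equals(oid)) {
                        checkExtensionDeltaCrlDistributionPoints(sb, octets, x509IssuerInfo);
                    } else if (Extension.authorityInfoAccess.equals(oid)) {
                        checkExtensionAuthorityInfoAccess(sb, octets, x509IssuerInfo);
                    } else if (Extension.subjectInfoAccess.equals(oid)) {
                        checkExtensionSubjectInfoAccess(sb, octets, extensions, extensionControl);
                    } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) {
                        checkExtensionAdmission(sb, octets, extensions, extensionControl);
                    } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) {
                        checkExtensionOcspNocheck(sb, octets);
                    } else if (ObjectIdentifiers.id_extension_restriction.equals(oid)) {
                        checkExtensionRestriction(sb, octets, extensions, extensionControl);
                    } else if (ObjectIdentifiers.id_extension_additionalInformation.equals(oid)) {
                        checkExtensionAdditionalInformation(sb, octets, extensions, extensionControl);
                    } else if (ObjectIdentifiers.id_extension_validityModel.equals(oid)) {
                        checkExtensionValidityModel(sb, octets, extensions, extensionControl);
                    } else if (Extension.privateKeyUsagePeriod.equals(oid)) {
                        checkExtensionPrivateKeyUsagePeriod(sb, octets, x509Cert.getNotBefore(), x509Cert.getNotAfter());
                    } else if (Extension.qCStatements.equals(oid)) {
                        checkExtensionQcStatements(sb, octets, extensions, extensionControl);
                    } else if (Extension.biometricInfo.equals(oid)) {
                        checkExtensionBiometricInfo(sb, octets, extensions, extensionControl);
                    } else if (ObjectIdentifiers.id_pe_tlsfeature.equals(oid)) {
                        checkExtensionTlsFeature(sb, octets, extensions, extensionControl);
                    } else if (ObjectIdentifiers.id_xipki_ext_authorizationTemplate.equals(oid)) {
                        checkExtensionAuthorizationTemplate(sb, octets, extensions, extensionControl);
                    } else {
                        // No dedicated check: compare the raw bytes with the expected encoding.
                        byte[] expected = ObjectIdentifiers.id_smimeCapabilities.equals(oid) ? this.smimeCapabilities.value() : getExpectedExtValue(oid, extensions, extensionControl);
                        if (!Arrays.equals(expected, octets)) {
                            // Message label is kept as spelled; output may be matched elsewhere.
                            addViolation(sb, "extension valus", hex(octets), expected == null ? "not present" : hex(expected));
                        }
                    }
                    if (sb.length() > 0) {
                        issue.setFailureMessage(sb.toString());
                    }
                } catch (ArrayIndexOutOfBoundsException | ClassCastException | IllegalArgumentException e) {
                    // These are the parse failures recorded as an issue; any other
                    // runtime exception still propagates to the caller.
                    LOG.debug("extension value does not have correct syntax", e);
                    issue.setFailureMessage("extension value does not have correct syntax");
                }
            }
            return issues;
        } catch (CertificateException e2) {
            // Keep the cause so the underlying parse error is not lost.
            throw new IllegalArgumentException("invalid cert: " + e2.getMessage(), e2);
        }
    }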

    /**
     * Resolves the expected raw value of an extension that has no dedicated check.
     *
     * <p>A constant value configured for the OID wins. Otherwise the value is taken from
     * {@code extensions}, but only when the control allows the extension to come from the
     * request.
     *
     * @return the expected extension octets, or {@code null} if there is no expectation
     */
    private byte[] getExpectedExtValue(ASN1ObjectIdentifier aSN1ObjectIdentifier, Extensions extensions, ExtensionControl extensionControl) {
        Map<ASN1ObjectIdentifier, QaExtensionValue> constants = this.constantExtensions;
        if (constants != null && constants.containsKey(aSN1ObjectIdentifier)) {
            return constants.get(aSN1ObjectIdentifier).value();
        }

        boolean requestMayProvideValue = extensions != null && extensionControl.isRequest();
        if (!requestMayProvideValue) {
            return null;
        }

        Extension requested = extensions.getExtension(aSN1ObjectIdentifier);
        return requested == null ? null : requested.getExtnValue().getOctets();
    }

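    /**
     * Determines which extensions the certificate is expected to contain.
     *
     * <p>The result starts with every extension the profile marks as required, plus the
     * "need" list of the request's cmpRequestExtensions extension. The "want" list only
     * adds an extension when the profile, issuer or request can actually supply a value.
     *
     * @param certificate the certificate under test
     * @param x509IssuerInfo issuer data (CRL, delta CRL and OCSP URLs are consulted)
     * @param extensions request-side extensions; may be {@code null}
     * @return the set of expected extension OIDs
     */
    private Set<ASN1ObjectIdentifier> getExensionTypes(Certificate certificate, X509IssuerInfo x509IssuerInfo, Extensions extensions) {
        Set<ASN1ObjectIdentifier> types = new HashSet<>();
        // Wildcard view plus casts, so the loop does not depend on the declared map type.
        Map<?, ?> extensionControls = this.certProfile.extensionControls();
        for (Map.Entry<?, ?> entry : extensionControls.entrySet()) {
            if (((ExtensionControl) entry.getValue()).isRequired()) {
                types.add((ASN1ObjectIdentifier) entry.getKey());
            }
        }

        Set<ASN1ObjectIdentifier> wanted = new HashSet<>();
        if (extensions != null) {
            Extension existenceExt = extensions.getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
            if (existenceExt != null) {
                ExtensionExistence existence = ExtensionExistence.getInstance(existenceExt.getParsedValue());
                // The "need" list is taken as-is from the request; it is not filtered
                // against the profile's extension controls here.
                types.addAll(existence.needExtensions());
                wanted.addAll(existence.wantExtensions());
            }
        }
        if (CollectionUtil.isEmpty(wanted)) {
            return types;
        }

        ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier;
        if (wanted.contains(type)) {
            types.add(type);
        }

        type = Extension.subjectKeyIdentifier;
        if (wanted.contains(type)) {
            types.add(type);
        }

        type = Extension.keyUsage;
        if (wanted.contains(type)) {
            boolean inRequest = extensions != null && extensions.getExtension(type) != null;
            if (inRequest || CollectionUtil.isNonEmpty(getKeyusage(true))) {
                types.add(type);
            }
        }

        type = Extension.certificatePolicies;
        if (wanted.contains(type) && this.certificatePolicies != null) {
            types.add(type);
        }

        type = Extension.policyMappings;
        if (wanted.contains(type) && this.policyMappings != null) {
            types.add(type);
        }

        type = Extension.subjectAlternativeName;
        if (wanted.contains(type) && extensions != null && extensions.getExtension(type) != null) {
            types.add(type);
        }

        type = Extension.issuerAlternativeName;
        if (wanted.contains(type)) {
            // NOTE(review): the condition looks at the checked certificate's
            // SubjectAltName, as in the original code; confirm that this is intended.
            // A certificate without extensions yields null here, hence the guard.
            Extensions certExtensions = certificate.getTBSCertificate().getExtensions();
            if (certExtensions != null && certExtensions.getExtension(Extension.subjectAlternativeName) != null) {
                types.add(type);
            }
        }

        type = Extension.basicConstraints;
        if (wanted.contains(type)) {
            types.add(type);
        }

        type = Extension.nameConstraints;
        if (wanted.contains(type) && this.nameConstraints != null) {
            types.add(type);
        }

        type = Extension.policyConstraints;
        if (wanted.contains(type) && this.policyConstraints != null) {
            types.add(type);
        }

        type = Extension.extendedKeyUsage;
        if (wanted.contains(type)) {
            boolean inRequest = extensions != null && extensions.getExtension(type) != null;
            if (inRequest || CollectionUtil.isNonEmpty(getExtKeyusage(true))) {
                types.add(type);
            }
        }

        type = Extension.cRLDistributionPoints;
        if (wanted.contains(type) && x509IssuerInfo.crlUrls() != null) {
            types.add(type);
        }

        type = Extension.inhibitAnyPolicy;
        if (wanted.contains(type) && this.inhibitAnyPolicy != null) {
            types.add(type);
        }

        type = Extension.freshestCRL;
        if (wanted.contains(type) && x509IssuerInfo.deltaCrlUrls() != null) {
            types.add(type);
        }

        type = Extension.authorityInfoAccess;
        if (wanted.contains(type) && x509IssuerInfo.ocspUrls() != null) {
            types.add(type);
        }

        type = Extension.subjectInfoAccess;
        if (wanted.contains(type) && extensions != null && extensions.getExtension(type) != null) {
            types.add(type);
        }

        type = ObjectIdentifiers.id_extension_admission;
        if (wanted.contains(type) && this.certProfile.admission() != null) {
            types.add(type);
        }

        type = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck;
        if (wanted.contains(type)) {
            types.add(type);
        }

        // Whatever is still wanted is expected only if the request carries it and the
        // profile pins a constant value for it. constantExtensions is null-checked to
        // match getExpectedExtValue.
        wanted.removeAll(types);
        if (extensions != null && this.constantExtensions != null) {
            for (ASN1ObjectIdentifier remaining : wanted) {
                if (extensions.getExtension(remaining) != null && this.constantExtensions.containsKey(remaining)) {
                    types.add(remaining);
                }
            }
        }
        return types;
    }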

    /**
     * Builds the {@link ValidationIssue} under which the check result of one extension is reported.
     *
     * <p>The issue code is {@code X509.EXT.} followed by the name that
     * {@code ObjectIdentifiers.getName} returns for the OID. When no name is known, the dotted OID
     * is used instead, with every dot replaced by an underscore.
     *
     * @param aSN1ObjectIdentifier OID of the extension being checked
     * @return a new issue describing that extension
     */
    private ValidationIssue createExtensionIssue(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        String knownName = ObjectIdentifiers.getName(aSN1ObjectIdentifier);
        String dottedOid = aSN1ObjectIdentifier.getId();
        if (knownName != null) {
            return new ValidationIssue("X509.EXT." + knownName, "extension " + knownName + " (" + dottedOid + ")");
        }
        // No registered name: derive the issue code from the dotted OID itself.
        return new ValidationIssue("X509.EXT." + dottedOid.replace('.', '_'), "extension " + dottedOid);
    }

    /**
     * Checks the BasicConstraints extension of the certificate against the profile.
     *
     * <p>The CA flag must be set exactly when the profile's certificate level is {@code RootCA} or
     * {@code SubCA}. For certificates that carry the CA flag, pathLenConstraint must match the
     * profile's {@code pathLen()}, including the case where the profile expects it to be absent.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the BasicConstraints extension
     */
    private void checkExtensionBasicConstraints(StringBuilder sb, byte[] bArr) {
        BasicConstraints actual = BasicConstraints.getInstance(bArr);
        X509CertLevel level = this.certProfile.certLevel();
        boolean expectCa = level == X509CertLevel.RootCA || level == X509CertLevel.SubCA;
        boolean isCa = actual.isCA();
        // A CA flag that disagrees with the profile level is the central finding of this check:
        // it decides whether relying parties accept the certificate as an issuer.
        if (isCa != expectCa) {
            addViolation(sb, "ca", Boolean.valueOf(isCa), Boolean.valueOf(expectCa));
        }
        if (!isCa) {
            // pathLenConstraint is only compared when the certificate claims to be a CA.
            return;
        }
        BigInteger actualPathLen = actual.getPathLenConstraint();
        Integer expectedPathLen = this.certProfile.pathLen();
        if (expectedPathLen == null) {
            if (actualPathLen != null) {
                addViolation(sb, "pathLen", actualPathLen, "absent");
            }
            return;
        }
        if (actualPathLen == null) {
            addViolation(sb, "pathLen", "null", expectedPathLen);
            return;
        }
        // Compared as BigInteger so that an oversized encoded value cannot wrap to a match.
        if (!BigInteger.valueOf(expectedPathLen.intValue()).equals(actualPathLen)) {
            addViolation(sb, "pathLen", actualPathLen, expectedPathLen);
        }
    }

    /**
     * Checks that the SubjectKeyIdentifier equals the hash of the subject public key.
     *
     * <p>The expected value is {@code HashAlgoType.SHA1} applied to the bytes of the
     * subjectPublicKey BIT STRING. This corresponds to key-identifier method (1) of RFC 5280,
     * section 4.2.1.2, assuming {@code HashAlgoType.SHA1.hash} returns the plain SHA-1 digest.
     * A certificate whose SKI was derived any other way is reported as a violation.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the SubjectKeyIdentifier extension
     * @param subjectPublicKeyInfo public key of the certificate under test
     */
    private void checkExtensionSubjectKeyIdentifier(StringBuilder sb, byte[] bArr, SubjectPublicKeyInfo subjectPublicKeyInfo) {
        byte[] actualSki = SubjectKeyIdentifier.getInstance(bArr).getKeyIdentifier();
        // SHA-1 serves here as an identifier derivation, not as an integrity or signature hash.
        byte[] expectedSki = HashAlgoType.SHA1.hash(subjectPublicKeyInfo.getPublicKeyData().getBytes());
        if (!Arrays.equals(expectedSki, actualSki)) {
            addViolation(sb, "SKI", hex(actualSki), hex(expectedSki));
        }
    }

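    /**
     * Checks the AuthorityKeyIdentifier extension against the issuer and the profile.
     *
     * <p>The keyIdentifier must be present and equal to the issuer's subject key identifier.
     * Depending on {@code certProfile.isIncludeIssuerAndSerialInAki()}, authorityCertIssuer and
     * authorityCertSerialNumber must either both be absent, or be present and match the issuer
     * certificate's subject (as the single directoryName) and serial number.
     *
     * <p>When the profile excludes issuer and serial and the certificate carries them anyway, the
     * reported message now says the field is 'present' but expected 'absent'. The previous text
     * stated the opposite of what was found.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the AuthorityKeyIdentifier extension
     * @param x509IssuerInfo issuer data the certificate is compared with
     */
    private void checkExtensionIssuerKeyIdentifier(StringBuilder sb, byte[] bArr, X509IssuerInfo x509IssuerInfo) {
        AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(bArr);
        byte[] keyIdentifier = aki.getKeyIdentifier();
        if (keyIdentifier == null) {
            sb.append("keyIdentifier is 'absent' but expected 'present'; ");
        } else if (!Arrays.equals(x509IssuerInfo.subjectKeyIdentifier(), keyIdentifier)) {
            addViolation(sb, "keyIdentifier", hex(keyIdentifier), hex(x509IssuerInfo.subjectKeyIdentifier()));
        }

        BigInteger serialInAki = aki.getAuthorityCertSerialNumber();
        GeneralNames issuerInAki = aki.getAuthorityCertIssuer();
        if (!this.certProfile.isIncludeIssuerAndSerialInAki()) {
            // The profile forbids both fields, so finding one is the violation.
            if (serialInAki != null) {
                sb.append("authorityCertSerialNumber is 'present' but expected 'absent'; ");
            }
            if (issuerInAki != null) {
                sb.append("authorityCertIssuer is 'present' but expected 'absent'; ");
            }
            return;
        }

        if (serialInAki == null) {
            sb.append("authorityCertSerialNumber is 'absent' but expected 'present'; ");
        } else if (!x509IssuerInfo.cert().getSerialNumber().equals(serialInAki)) {
            addViolation(sb, "authorityCertSerialNumber", LogUtil.formatCsn(serialInAki), LogUtil.formatCsn(x509IssuerInfo.cert().getSerialNumber()));
        }
        if (issuerInAki == null) {
            sb.append("authorityCertIssuer is 'absent' but expected 'present'; ");
            return;
        }

        // Exactly one directoryName is expected; other GeneralName kinds are ignored.
        X500Name issuerDirName = null;
        for (GeneralName candidate : issuerInAki.getNames()) {
            if (candidate.getTagNo() != GeneralName.directoryName) {
                continue;
            }
            if (issuerDirName != null) {
                sb.append("authorityCertIssuer contains at least two ");
                sb.append("directoryName but expected one; ");
                break;
            }
            issuerDirName = X500Name.getInstance(candidate.getName());
        }
        if (issuerDirName == null) {
            sb.append("authorityCertIssuer does not contain directoryName but expected one; ");
            return;
        }
        X500Name issuerSubject = x509IssuerInfo.bcCert().getTBSCertificate().getSubject();
        if (!issuerSubject.equals(issuerDirName)) {
            addViolation(sb, "authorityCertIssuer", issuerDirName, issuerSubject);
        }
    }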

    /**
     * Checks the NameConstraints extension.
     *
     * <p>When the profile defines name constraints, permitted and excluded subtrees are compared
     * one by one. Otherwise the raw extension value must equal the value returned by
     * {@code getExpectedExtValue} for this extension.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the NameConstraints extension
     * @param extensions extensions passed on to {@code getExpectedExtValue}; may be null
     * @param extensionControl control of this extension in the profile
     */
    private void checkExtensionNameConstraints(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QaNameConstraints expected = this.nameConstraints;
        if (expected == null) {
            // No structured expectation configured: fall back to a byte-wise comparison.
            byte[] expectedValue = getExpectedExtValue(Extension.nameConstraints, extensions, extensionControl);
            if (!Arrays.equals(expectedValue, bArr)) {
                addViolation(sb, "extension values", hex(bArr), expectedValue == null ? "not present" : hex(expectedValue));
            }
            return;
        }
        org.bouncycastle.asn1.x509.NameConstraints actual = org.bouncycastle.asn1.x509.NameConstraints.getInstance(bArr);
        checkExtensionNameConstraintsSubtrees(sb, "PermittedSubtrees", actual.getPermittedSubtrees(), expected.permittedSubtrees());
        checkExtensionNameConstraintsSubtrees(sb, "ExcludedSubtrees", actual.getExcludedSubtrees(), expected.excludedSubtrees());
    }

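    /**
     * Compares the subtrees of one NameConstraints field with the configured ones, by position.
     *
     * <p>A difference in the number of subtrees is reported and ends the check. Otherwise minimum
     * (absent counts as 0), maximum and base are compared for each index.
     *
     * <p>Minimum and maximum are compared as {@link BigInteger}. Narrowing the encoded value to
     * {@code int} first would let an out-of-range value wrap around and match the expectation.
     *
     * @param sb collector for violation messages
     * @param str label of the field, used in messages
     * @param generalSubtreeArr subtrees found in the certificate; may be null
     * @param list subtrees expected by the profile; may be null
     * @throws RuntimeException if an expected subtree has none of the supported base kinds set
     */
    private void checkExtensionNameConstraintsSubtrees(StringBuilder sb, String str, GeneralSubtree[] generalSubtreeArr, List<QaGeneralSubtree> list) {
        int actualCount = generalSubtreeArr == null ? 0 : generalSubtreeArr.length;
        int expectedCount = list == null ? 0 : list.size();
        if (actualCount != expectedCount) {
            addViolation(sb, "size of " + str, Integer.valueOf(actualCount), Integer.valueOf(expectedCount));
            return;
        }
        if (generalSubtreeArr == null || list == null) {
            return;
        }
        for (int i = 0; i < actualCount; i++) {
            GeneralSubtree actual = generalSubtreeArr[i];
            QaGeneralSubtree expected = list.get(i);
            String label = str + " [" + i + "]";

            BigInteger encodedMin = actual.getMinimum();
            BigInteger actualMin = encodedMin == null ? BigInteger.ZERO : encodedMin;
            Integer configuredMin = expected.minimum();
            BigInteger expectedMin = configuredMin == null ? BigInteger.ZERO : BigInteger.valueOf(configuredMin.intValue());
            if (!actualMin.equals(expectedMin)) {
                addViolation(sb, "minimum of " + label, actualMin, expectedMin);
            }

            BigInteger actualMax = actual.getMaximum();
            Integer expectedMax = expected.maximum();
            boolean maxMatches = actualMax == null
                    ? expectedMax == null
                    : expectedMax != null && actualMax.equals(BigInteger.valueOf(expectedMax.intValue()));
            if (!maxMatches) {
                // The label spelling is runtime output and is kept as it was.
                addViolation(sb, "maxmum of " + label, actualMax, expectedMax);
            }

            GeneralName actualBase = actual.getBase();
            GeneralName expectedBase;
            if (expected.directoryName() != null) {
                expectedBase = new GeneralName(X509Util.reverse(new X500Name(expected.directoryName())));
            } else if (expected.dnsName() != null) {
                expectedBase = new GeneralName(GeneralName.dNSName, expected.dnsName());
            } else if (expected.ipAddress() != null) {
                expectedBase = new GeneralName(GeneralName.iPAddress, expected.ipAddress());
            } else if (expected.rfc822Name() != null) {
                expectedBase = new GeneralName(GeneralName.rfc822Name, expected.rfc822Name());
            } else if (expected.uri() != null) {
                expectedBase = new GeneralName(GeneralName.uniformResourceIdentifier, expected.uri());
            } else {
                throw new RuntimeException("should not reach here, unknown child of GeneralName");
            }
            if (!actualBase.equals(expectedBase)) {
                addViolation(sb, "base of " + label, actualBase, expectedBase);
            }
        }
    }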

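    /**
     * Checks the PolicyConstraints extension.
     *
     * <p>When the profile defines policy constraints, requireExplicitPolicy and
     * inhibitPolicyMapping must each be absent or present with the configured value. Otherwise
     * the raw extension value must equal the value returned by {@code getExpectedExtValue}.
     *
     * <p>Values are compared as {@link BigInteger}. Narrowing the encoded value to {@code int}
     * first would let an out-of-range value wrap around and match the expectation.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the PolicyConstraints extension
     * @param extensions extensions passed on to {@code getExpectedExtValue}; may be null
     * @param extensionControl control of this extension in the profile
     */
    private void checkExtensionPolicyConstraints(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QaPolicyConstraints expected = this.policyConstraints;
        if (expected == null) {
            // No structured expectation configured: fall back to a byte-wise comparison.
            byte[] expectedValue = getExpectedExtValue(Extension.policyConstraints, extensions, extensionControl);
            if (!Arrays.equals(expectedValue, bArr)) {
                addViolation(sb, "extension values", hex(bArr), expectedValue == null ? "not present" : hex(expectedValue));
            }
            return;
        }
        org.bouncycastle.asn1.x509.PolicyConstraints actual = org.bouncycastle.asn1.x509.PolicyConstraints.getInstance(bArr);

        Integer expectedRequire = expected.requireExplicitPolicy();
        BigInteger actualRequire = actual.getRequireExplicitPolicyMapping();
        boolean requireMatches = actualRequire == null
                ? expectedRequire == null
                : expectedRequire != null && actualRequire.equals(BigInteger.valueOf(expectedRequire.intValue()));
        if (!requireMatches) {
            addViolation(sb, "requireExplicitPolicy", actualRequire, expectedRequire);
        }

        Integer expectedInhibit = expected.inhibitPolicyMapping();
        BigInteger actualInhibit = actual.getInhibitPolicyMapping();
        boolean inhibitMatches = actualInhibit == null
                ? expectedInhibit == null
                : expectedInhibit != null && actualInhibit.equals(BigInteger.valueOf(expectedInhibit.intValue()));
        if (!inhibitMatches) {
            addViolation(sb, "inhibitPolicyMapping", actualInhibit, expectedInhibit);
        }
    }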

    /**
     * Checks the key usage bits of the certificate against the expected usages.
     *
     * <p>The expected set starts with the names from {@code getKeyusage(true)}. If extensions are
     * supplied, the control allows request values and {@code getKeyusage(false)} is non-empty,
     * each of those usages that the supplied KeyUsage extension carries is added. If the set is
     * still empty, it is taken from the constant value configured for the KeyUsage extension,
     * when there is one. Differences in either direction are reported.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the KeyUsage extension (not read by this method)
     * @param zArr key usage bits of the certificate, indexed by bit position
     * @param extensions supplied extensions; may be null
     * @param extensionControl control of this extension in the profile
     */
    private void checkExtensionKeyUsage(StringBuilder sb, byte[] bArr, boolean[] zArr, Extensions extensions, ExtensionControl extensionControl) {
        int bitCount = zArr.length;
        if (bitCount > 9) {
            sb.append("invalid syntax: size of valid bits is larger than 9: ").append(bitCount);
            sb.append("; ");
        }
        // NOTE(review): the loop still runs over all bits after the syntax violation above. If
        // ALL_USAGES holds only nine names, a set bit beyond index 8 would fail here instead of
        // being reported. Confirm the size of ALL_USAGES.
        Set<String> actualUsages = new HashSet<String>();
        for (int bit = 0; bit < bitCount; bit++) {
            if (zArr[bit]) {
                actualUsages.add(ALL_USAGES.get(bit));
            }
        }

        Set<String> expectedUsages = new HashSet<String>();
        for (KeyUsageControl required : getKeyusage(true)) {
            expectedUsages.add(required.keyUsage().getName());
        }

        Set<KeyUsageControl> optionalUsages = getKeyusage(false);
        if (extensions != null && extensionControl.isRequest() && CollectionUtil.isNonEmpty(optionalUsages)) {
            Extension requested = extensions.getExtension(Extension.keyUsage);
            if (requested != null) {
                org.bouncycastle.asn1.x509.KeyUsage requestedUsage = org.bouncycastle.asn1.x509.KeyUsage.getInstance(requested.getParsedValue());
                for (KeyUsageControl optional : optionalUsages) {
                    if (requestedUsage.hasUsages(optional.keyUsage().bcUsage())) {
                        expectedUsages.add(optional.keyUsage().getName());
                    }
                }
            }
        }

        if (CollectionUtil.isEmpty(expectedUsages)) {
            byte[] constantValue = getConstantExtensionValue(Extension.keyUsage);
            if (constantValue != null) {
                expectedUsages = getKeyUsage(constantValue);
            }
        }

        Set<String> unexpected = strInBnotInA(expectedUsages, actualUsages);
        if (CollectionUtil.isNonEmpty(unexpected)) {
            sb.append("usages ").append(unexpected.toString()).append(" are present but not expected; ");
        }
        Set<String> missing = strInBnotInA(actualUsages, expectedUsages);
        if (CollectionUtil.isNonEmpty(missing)) {
            sb.append("usages ").append(missing.toString()).append(" are absent but are required; ");
        }
    }

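    /**
     * Checks the ExtendedKeyUsage extension of the certificate against the expected purposes.
     *
     * <p>The expected set starts with the OIDs from {@code getExtKeyusage(true)}. If extensions
     * are supplied, the control allows request values and {@code getExtKeyusage(false)} is
     * non-empty, each of those purposes that the supplied ExtendedKeyUsage extension carries is
     * added. If the set is still empty, it is taken from the constant value configured for the
     * ExtendedKeyUsage extension, when there is one. Differences in either direction are reported.
     *
     * <p>The constant-value fallback now looks up {@code Extension.extendedKeyUsage}. It used to
     * look up {@code Extension.keyUsage}, which handed the KeyUsage value to
     * {@code getExtKeyUsage}, a method that by its name expects an ExtendedKeyUsage value.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the ExtendedKeyUsage extension
     * @param extensions supplied extensions; may be null
     * @param extensionControl control of this extension in the profile
     */
    private void checkExtensionExtendedKeyUsage(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        Set<String> actualUsages = new HashSet<String>();
        KeyPurposeId[] purposes = ExtendedKeyUsage.getInstance(bArr).getUsages();
        if (purposes != null) {
            for (KeyPurposeId purpose : purposes) {
                actualUsages.add(purpose.getId());
            }
        }

        Set<String> expectedUsages = new HashSet<String>();
        Set<ExtKeyUsageControl> requiredUsages = getExtKeyusage(true);
        if (requiredUsages != null) {
            for (ExtKeyUsageControl required : requiredUsages) {
                expectedUsages.add(required.extKeyUsage().getId());
            }
        }

        Set<ExtKeyUsageControl> optionalUsages = getExtKeyusage(false);
        if (extensions != null && extensionControl.isRequest() && CollectionUtil.isNonEmpty(optionalUsages)) {
            Extension requested = extensions.getExtension(Extension.extendedKeyUsage);
            if (requested != null) {
                ExtendedKeyUsage requestedUsage = ExtendedKeyUsage.getInstance(requested.getParsedValue());
                for (ExtKeyUsageControl optional : optionalUsages) {
                    if (requestedUsage.hasKeyPurposeId(KeyPurposeId.getInstance(optional.extKeyUsage()))) {
                        expectedUsages.add(optional.extKeyUsage().getId());
                    }
                }
            }
        }

        if (CollectionUtil.isEmpty(expectedUsages)) {
            // Read the constant configured for this extension, not the one for KeyUsage.
            byte[] constantValue = getConstantExtensionValue(Extension.extendedKeyUsage);
            if (constantValue != null) {
                expectedUsages = getExtKeyUsage(constantValue);
            }
        }

        Set<String> unexpected = strInBnotInA(expectedUsages, actualUsages);
        if (CollectionUtil.isNonEmpty(unexpected)) {
            sb.append("usages ").append(unexpected.toString()).append(" are present but not expected; ");
        }
        Set<String> missing = strInBnotInA(actualUsages, expectedUsages);
        if (CollectionUtil.isNonEmpty(missing)) {
            sb.append("usages ").append(missing.toString()).append(" are absent but are required; ");
        }
    }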

    /**
     * Checks the TLS feature extension.
     *
     * <p>When the profile defines TLS features, the integers in the extension's sequence are
     * compared with the configured ones as sets of decimal strings, and differences in either
     * direction are reported. Otherwise the raw extension value must equal the value returned by
     * {@code getExpectedExtValue}.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the TLS feature extension
     * @param extensions extensions passed on to {@code getExpectedExtValue}; may be null
     * @param extensionControl control of this extension in the profile
     */
    private void checkExtensionTlsFeature(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QaTlsFeature expected = this.tlsFeature;
        if (expected == null) {
            // No structured expectation configured: fall back to a byte-wise comparison.
            byte[] expectedValue = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature, extensions, extensionControl);
            if (!Arrays.equals(expectedValue, bArr)) {
                addViolation(sb, "extension values", hex(bArr), expectedValue == null ? "not present" : hex(expectedValue));
            }
            return;
        }

        Set<String> actualFeatures = new HashSet<String>();
        ASN1Sequence encoded = ASN1Sequence.getInstance(bArr);
        for (int i = 0, count = encoded.size(); i < count; i++) {
            ASN1Integer feature = ASN1Integer.getInstance(encoded.getObjectAt(i));
            actualFeatures.add(feature.getPositiveValue().toString());
        }

        Set<String> expectedFeatures = new HashSet<String>();
        for (Integer feature : expected.features()) {
            expectedFeatures.add(feature.toString());
        }

        Set<String> unexpected = strInBnotInA(expectedFeatures, actualFeatures);
        if (CollectionUtil.isNonEmpty(unexpected)) {
            sb.append("features ").append(unexpected.toString()).append(" are present but not expected; ");
        }
        Set<String> missing = strInBnotInA(actualFeatures, expectedFeatures);
        if (CollectionUtil.isNonEmpty(missing)) {
            sb.append("features ").append(missing.toString()).append(" are absent but are required; ");
        }
    }

    /**
     * Checks the CertificatePolicies extension.
     *
     * <p>When the profile defines certificate policies, every policy in the certificate must be
     * configured, every configured CPS URI and user notice text of such a policy must appear
     * among its qualifiers, and every configured policy must appear in the certificate. Otherwise
     * the raw extension value must equal the value returned by {@code getExpectedExtValue}.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the CertificatePolicies extension
     * @param extensions extensions passed on to {@code getExpectedExtValue}; may be null
     * @param extensionControl control of this extension in the profile
     * @throws RuntimeException if a configured qualifier is neither a CPS URI nor a user notice
     */
    private void checkExtensionCertificatePolicies(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QaCertificatePolicies qaCertificatePolicies = this.certificatePolicies;
        if (qaCertificatePolicies == null) {
            // No structured expectation configured: fall back to a byte-wise comparison.
            byte[] expectedExtValue = getExpectedExtValue(Extension.certificatePolicies, extensions, extensionControl);
            if (Arrays.equals(expectedExtValue, bArr)) {
                return;
            }
            addViolation(sb, "extension values", hex(bArr), expectedExtValue == null ? "not present" : hex(expectedExtValue));
            return;
        }
        PolicyInformation[] policyInformation = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(bArr).getPolicyInformation();
        // Pass 1: walk the policies found in the certificate.
        for (PolicyInformation policyInformation2 : policyInformation) {
            ASN1ObjectIdentifier policyIdentifier = policyInformation2.getPolicyIdentifier();
            QaCertificatePolicies.QaCertificatePolicyInformation policyInformation3 = qaCertificatePolicies.policyInformation(policyIdentifier.getId());
            if (policyInformation3 == null) {
                sb.append("certificate policy '").append(policyIdentifier);
                sb.append("' is not expected; ");
            } else {
                QaPolicyQualifiers policyQualifiers = policyInformation3.policyQualifiers();
                if (policyQualifiers == null) {
                    // No qualifiers configured for this policy, so the certificate's qualifiers
                    // are not inspected.
                    continue;
                } else {
                    // NOTE(review): the result of getPolicyQualifiers() is dereferenced without a
                    // null check. If it is null for a policy that carries no qualifiers, this
                    // throws instead of reporting the missing qualifiers. Confirm.
                    ASN1Sequence policyQualifiers2 = policyInformation2.getPolicyQualifiers();
                    // linkedList collects CPS URIs, linkedList2 collects user notice texts.
                    LinkedList linkedList = new LinkedList();
                    LinkedList linkedList2 = new LinkedList();
                    int size = policyQualifiers2.size();
                    for (int i = 0; i < size; i++) {
                        PolicyQualifierInfo objectAt = policyQualifiers2.getObjectAt(i);
                        ASN1ObjectIdentifier policyQualifierId = objectAt.getPolicyQualifierId();
                        DERIA5String qualifier = objectAt.getQualifier();
                        if (PolicyQualifierId.id_qt_cps.equals(policyQualifierId)) {
                            linkedList.add(qualifier.getString());
                        } else if (PolicyQualifierId.id_qt_unotice.equals(policyQualifierId)) {
                            // Only the explicitText of a user notice is collected for comparison.
                            UserNotice userNotice = UserNotice.getInstance(qualifier);
                            if (userNotice.getExplicitText() != null) {
                                linkedList2.add(userNotice.getExplicitText().getString());
                            }
                        }
                    }
                    // Each configured qualifier must be among those collected above. Qualifiers
                    // that are in the certificate but not configured are not reported.
                    for (QaPolicyQualifierInfo qaPolicyQualifierInfo : policyQualifiers.policyQualifiers()) {
                        if (qaPolicyQualifierInfo instanceof QaPolicyQualifierInfo.QaCpsUriPolicyQualifier) {
                            String cpsUri = ((QaPolicyQualifierInfo.QaCpsUriPolicyQualifier) qaPolicyQualifierInfo).cpsUri();
                            if (!linkedList.contains(cpsUri)) {
                                sb.append("CPSUri '").append(cpsUri);
                                sb.append("' is absent but is required; ");
                            }
                        } else {
                            if (!(qaPolicyQualifierInfo instanceof QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo)) {
                                throw new RuntimeException("should not reach here");
                            }
                            String userNotice2 = ((QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo) qaPolicyQualifierInfo).userNotice();
                            if (!linkedList2.contains(userNotice2)) {
                                sb.append("userNotice '").append(userNotice2);
                                sb.append("' is absent but is required; ");
                            }
                        }
                    }
                }
            }
        }
        // Pass 2: every configured policy must be present in the certificate.
        for (QaCertificatePolicies.QaCertificatePolicyInformation qaCertificatePolicyInformation : qaCertificatePolicies.policyInformations()) {
            boolean z = false;
            int length = policyInformation.length;
            int i2 = 0;
            while (true) {
                if (i2 >= length) {
                    break;
                }
                if (policyInformation[i2].getPolicyIdentifier().getId().equals(qaCertificatePolicyInformation.policyId())) {
                    z = true;
                    break;
                }
                i2++;
            }
            if (!z) {
                sb.append("certificate policy '").append(qaCertificatePolicyInformation.policyId());
                sb.append("' is absent but is required; ");
            }
        }
    }

    /**
     * Checks the PolicyMappings extension.
     *
     * <p>When the profile defines policy mappings, each configured issuerDomainPolicy must be
     * present and map to the configured subjectDomainPolicy, and no other issuerDomainPolicy may
     * appear. Otherwise the raw extension value must equal the value returned by
     * {@code getExpectedExtValue}.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the PolicyMappings extension
     * @param extensions extensions passed on to {@code getExpectedExtValue}; may be null
     * @param extensionControl control of this extension in the profile
     */
    private void checkExtensionPolicyMappings(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QaPolicyMappingsOption expected = this.policyMappings;
        if (expected == null) {
            // No structured expectation configured: fall back to a byte-wise comparison.
            byte[] expectedValue = getExpectedExtValue(Extension.policyMappings, extensions, extensionControl);
            if (!Arrays.equals(expectedValue, bArr)) {
                addViolation(sb, "extension values", hex(bArr), expectedValue == null ? "not present" : hex(expectedValue));
            }
            return;
        }

        // Collect the certificate's mappings as issuerDomainPolicy -> subjectDomainPolicy.
        ASN1Sequence encoded = DERSequence.getInstance(bArr);
        Map<String, String> actualMappings = new HashMap<String, String>();
        for (int i = 0, count = encoded.size(); i < count; i++) {
            ASN1Sequence pair = ASN1Sequence.getInstance(encoded.getObjectAt(i));
            String issuerPolicy = CertPolicyId.getInstance(pair.getObjectAt(0)).getId();
            String subjectPolicy = CertPolicyId.getInstance(pair.getObjectAt(1)).getId();
            actualMappings.put(issuerPolicy, subjectPolicy);
        }

        for (String issuerPolicy : expected.issuerDomainPolicies()) {
            String expectedSubjectPolicy = expected.subjectDomainPolicy(issuerPolicy);
            // Entries are removed as they are matched, so whatever remains is unexpected.
            String actualSubjectPolicy = actualMappings.remove(issuerPolicy);
            if (actualSubjectPolicy == null) {
                sb.append("issuerDomainPolicy '").append(issuerPolicy).append("' is absent but is required; ");
            } else if (!actualSubjectPolicy.equals(expectedSubjectPolicy)) {
                addViolation(sb, "subjectDomainPolicy for issuerDomainPolicy", actualSubjectPolicy, expectedSubjectPolicy);
            }
        }

        if (CollectionUtil.isNonEmpty(actualMappings)) {
            sb.append("issuerDomainPolicies '").append(actualMappings.keySet());
            sb.append("' are present but not expected; ");
        }
    }

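    /**
     * Checks the InhibitAnyPolicy extension.
     *
     * <p>When the profile defines the extension, the encoded skipCerts value must equal the
     * configured one. Otherwise the raw extension value must equal the value returned by
     * {@code getExpectedExtValue}.
     *
     * <p>Two defects are corrected. The fallback branch reported the raw byte array, which prints
     * as an object reference; it now reports the hex form, as the sibling checks do. skipCerts is
     * compared as {@link BigInteger}, so an out-of-range encoded value cannot wrap around to the
     * configured one.
     *
     * @param sb collector for violation messages
     * @param bArr encoded value of the InhibitAnyPolicy extension
     * @param extensions extensions passed on to {@code getExpectedExtValue}; may be null
     * @param extensionControl control of this extension in the profile
     */
    private void checkExtensionInhibitAnyPolicy(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QaInhibitAnyPolicy expected = this.inhibitAnyPolicy;
        if (expected == null) {
            // No structured expectation configured: fall back to a byte-wise comparison.
            byte[] expectedValue = getExpectedExtValue(Extension.inhibitAnyPolicy, extensions, extensionControl);
            if (!Arrays.equals(expectedValue, bArr)) {
                addViolation(sb, "extension values", hex(bArr), expectedValue == null ? "not present" : hex(expectedValue));
            }
            return;
        }
        BigInteger actualSkipCerts = ASN1Integer.getInstance(bArr).getPositiveValue();
        BigInteger expectedSkipCerts = BigInteger.valueOf(expected.skipCerts());
        if (!actualSkipCerts.equals(expectedSkipCerts)) {
            addViolation(sb, "skipCerts", actualSkipCerts, expectedSkipCerts);
        }
    }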

    private void checkExtensionSubjectDirAttrs(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        SubjectDirectoryAttributesControl subjectDirAttrsControl = this.certProfile.subjectDirAttrsControl();
        if (subjectDirAttrsControl == null) {
            sb.append("extension is present but not expected; ");
            return;
        }
        ASN1Encodable extensionParsedValue = extensions != null ? extensions.getExtensionParsedValue(Extension.subjectDirectoryAttributes) : null;
        if (extensionParsedValue == null) {
            sb.append("extension is present but not expected; ");
            return;
        }
        Vector attributes = SubjectDirectoryAttributes.getInstance(extensionParsedValue).getAttributes();
        ASN1GeneralizedTime aSN1GeneralizedTime = null;
        String str = null;
        String str2 = null;
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        HashMap hashMap = new HashMap();
        int size = attributes.size();
        for (int i = 0; i < size; i++) {
            Attribute attribute = Attribute.getInstance(attributes.get(i));
            ASN1ObjectIdentifier attrType = attribute.getAttrType();
            ASN1Encodable aSN1Encodable = attribute.getAttributeValues()[0];
            if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType)) {
                aSN1GeneralizedTime = ASN1GeneralizedTime.getInstance(aSN1Encodable);
            } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType)) {
                str = DirectoryString.getInstance(aSN1Encodable).getString();
            } else if (ObjectIdentifiers.DN_GENDER.equals(attrType)) {
                str2 = DERPrintableString.getInstance(aSN1Encodable).getString();
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType)) {
                hashSet.add(DERPrintableString.getInstance(aSN1Encodable).getString());
            } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType)) {
                hashSet2.add(DERPrintableString.getInstance(aSN1Encodable).getString());
            } else {
                Set set = (Set) hashMap.get(attrType);
                if (set == null) {
                    set = new HashSet();
                    hashMap.put(attrType, set);
                }
                set.add(aSN1Encodable);
            }
        }
        Vector attributes2 = SubjectDirectoryAttributes.getInstance(bArr).getAttributes();
        ASN1GeneralizedTime aSN1GeneralizedTime2 = null;
        String str3 = null;
        String str4 = null;
        HashSet hashSet3 = new HashSet();
        HashSet hashSet4 = new HashSet();
        HashMap hashMap2 = new HashMap();
        LinkedList linkedList = new LinkedList(subjectDirAttrsControl.types());
        int size2 = attributes2.size();
        for (int i2 = 0; i2 < size2; i2++) {
            Attribute attribute2 = Attribute.getInstance(attributes2.get(i2));
            ASN1ObjectIdentifier attrType2 = attribute2.getAttrType();
            if (linkedList.contains(attrType2)) {
                ASN1Encodable[] attributeValues = attribute2.getAttributeValues();
                if (attributeValues.length != 1) {
                    sb.append("attribute of type " + attrType2.getId() + " does not single-value value: " + attributeValues.length + "; ");
                } else {
                    ASN1Encodable aSN1Encodable2 = attributeValues[0];
                    if (ObjectIdentifiers.DN_DATE_OF_BIRTH.equals(attrType2)) {
                        aSN1GeneralizedTime2 = ASN1GeneralizedTime.getInstance(aSN1Encodable2);
                    } else if (ObjectIdentifiers.DN_PLACE_OF_BIRTH.equals(attrType2)) {
                        str3 = DirectoryString.getInstance(aSN1Encodable2).getString();
                    } else if (ObjectIdentifiers.DN_GENDER.equals(attrType2)) {
                        str4 = DERPrintableString.getInstance(aSN1Encodable2).getString();
                    } else if (ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP.equals(attrType2)) {
                        hashSet3.add(DERPrintableString.getInstance(aSN1Encodable2).getString());
                    } else if (ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE.equals(attrType2)) {
                        hashSet4.add(DERPrintableString.getInstance(aSN1Encodable2).getString());
                    } else {
                        Set set2 = (Set) hashMap2.get(attrType2);
                        if (set2 == null) {
                            set2 = new HashSet();
                            hashMap2.put(attrType2, set2);
                        }
                        set2.add(aSN1Encodable2);
                    }
                }
            } else {
                sb.append("attribute of type " + attrType2.getId() + " is present but not expected; ");
            }
        }
        if (aSN1GeneralizedTime2 != null) {
            linkedList.remove(ObjectIdentifiers.DN_DATE_OF_BIRTH);
        }
        if (str3 != null) {
            linkedList.remove(ObjectIdentifiers.DN_PLACE_OF_BIRTH);
        }
        if (str4 != null) {
            linkedList.remove(ObjectIdentifiers.DN_GENDER);
        }
        if (!hashSet3.isEmpty()) {
            linkedList.remove(ObjectIdentifiers.DN_COUNTRY_OF_CITIZENSHIP);
        }
        if (!hashSet4.isEmpty()) {
            linkedList.remove(ObjectIdentifiers.DN_COUNTRY_OF_RESIDENCE);
        }
        linkedList.removeAll(hashMap2.keySet());
        if (!linkedList.isEmpty()) {
            LinkedList linkedList2 = new LinkedList();
            Iterator it = linkedList.iterator();
            while (it.hasNext()) {
                linkedList2.add(((ASN1ObjectIdentifier) it.next()).getId());
            }
            sb.append("required attributes of types " + linkedList2 + " are not present; ");
        }
        if (aSN1GeneralizedTime2 != null) {
            String timeString = aSN1GeneralizedTime2.getTimeString();
            if (!SubjectDnSpec.PATTERN_DATE_OF_BIRTH.matcher(timeString).matches()) {
                sb.append("invalid dateOfBirth: " + timeString + "; ");
            }
            String timeString2 = aSN1GeneralizedTime == null ? null : aSN1GeneralizedTime.getTimeString();
            if (!timeString.equalsIgnoreCase(timeString2)) {
                addViolation(sb, "dateOfBirth", timeString, timeString2);
            }
        }
        if (str4 != null) {
            if (!str4.equalsIgnoreCase("F") && !str4.equalsIgnoreCase("M")) {
                sb.append("invalid gender: " + str4 + "; ");
            }
            if (!str4.equalsIgnoreCase(str2)) {
                addViolation(sb, "gender", str4, str2);
            }
        }
        if (str3 != null && !str3.equals(str)) {
            addViolation(sb, "placeOfBirth", str3, str);
        }
        if (!hashSet3.isEmpty()) {
            Set<String> strInBnotInA = strInBnotInA(hashSet, hashSet3);
            if (CollectionUtil.isNonEmpty(strInBnotInA)) {
                sb.append("countryOfCitizenship ").append(strInBnotInA.toString());
                sb.append(" are present but not expected; ");
            }
            Set<String> strInBnotInA2 = strInBnotInA(hashSet3, hashSet);
            if (CollectionUtil.isNonEmpty(strInBnotInA2)) {
                sb.append("countryOfCitizenship ").append(strInBnotInA2.toString());
                sb.append(" are absent but are required; ");
            }
        }
        if (!hashSet4.isEmpty()) {
            Set<String> strInBnotInA3 = strInBnotInA(hashSet2, hashSet4);
            if (CollectionUtil.isNonEmpty(strInBnotInA3)) {
                sb.append("countryOfResidence ").append(strInBnotInA3.toString());
                sb.append(" are present but not expected; ");
            }
            Set<String> strInBnotInA4 = strInBnotInA(hashSet4, hashSet2);
            if (CollectionUtil.isNonEmpty(strInBnotInA4)) {
                sb.append("countryOfResidence ").append(strInBnotInA4.toString());
                sb.append(" are absent but are required; ");
            }
        }
        if (hashMap2.isEmpty()) {
            return;
        }
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier : hashMap2.keySet()) {
            Set set3 = (Set) hashMap.get(aSN1ObjectIdentifier);
            if (set3 == null) {
                sb.append("attribute of type " + aSN1ObjectIdentifier.getId() + " is present but not requested; ");
            } else if (!((Set) hashMap2.get(aSN1ObjectIdentifier)).equals(set3)) {
                sb.append("attribute of type " + aSN1ObjectIdentifier.getId() + " differs from the requested one; ");
            }
        }
    }

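    /**
     * Checks the SubjectAltName extension value in {@code bArr} and appends every finding to
     * {@code sb}.
     *
     * <p>Fix: the scratch array is now sized from the names found in {@code bArr}. It used to be
     * sized from the requested names while being indexed by the names in {@code bArr}, so a value
     * carrying more names than requested ended in an ArrayIndexOutOfBoundsException instead of the
     * "size of GeneralNames" finding.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions extensions of the request, handed to getRequestedSubjectAltNames
     * @param extensionControl not read by this method
     * @param x500Name requested subject, handed to getRequestedSubjectAltNames
     */
    private void checkExtensionSubjectAltName(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl, X500Name x500Name) {
        Set subjectAltNameModes = this.certProfile.subjectAltNameModes();
        try {
            GeneralName[] requestedSubjectAltNames = getRequestedSubjectAltNames(x500Name, extensions);
            if (requestedSubjectAltNames == null) {
                sb.append("extension is present but not expected; ");
                return;
            }
            GeneralName[] names = GeneralNames.getInstance(bArr).getNames();
            // One slot per name actually present, so the loop below can never index past the end.
            GeneralName[] generalNameArr = new GeneralName[names.length];
            for (int i = 0; i < names.length; i++) {
                try {
                    generalNameArr[i] = createGeneralName(names[i], subjectAltNameModes);
                } catch (BadCertTemplateException e) {
                    sb.append("could not process ").append(i + 1).append("-th name: ").append(e.getMessage()).append("; ");
                    return;
                }
            }
            // The count is compared against the request, with the same two numbers reported as before.
            if (names.length != requestedSubjectAltNames.length) {
                addViolation(sb, "size of GeneralNames", Integer.valueOf(names.length), Integer.valueOf(requestedSubjectAltNames.length));
                return;
            }
            // NOTE(review): generalNameArr is built from the names in bArr itself, so this loop
            // compares each name with its own createGeneralName() result; requestedSubjectAltNames
            // contributes only its length. Confirm whether the requested names were meant to be the
            // reference here, since the message speaks of "the requested one".
            for (int i2 = 0; i2 < names.length; i2++) {
                if (!names[i2].equals(generalNameArr[i2])) {
                    sb.append(i2 + 1).append("-th name does not match the requested one; ");
                }
            }
        } catch (CertprofileException | BadCertTemplateException e2) {
            LogUtil.warn(LOG, e2, "error while derive grantedSubject from requestedSubject");
            sb.append("error while derive grantedSubject from requestedSubject");
        }
    }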

    /* JADX WARN: Removed duplicated region for block: B:50:0x00f2  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    // Decompiler stub: the real body was not recovered (see the dump note inside), so every call
    // throws UnsupportedOperationException. checkExtensionSubjectAltName calls this method first
    // and catches only CertprofileException and BadCertTemplateException, so in this listing the
    // SubjectAltName check cannot run to completion. Recover the method from the original source
    // or bytecode before relying on that check.
    private org.bouncycastle.asn1.x509.GeneralName[] getRequestedSubjectAltNames(org.bouncycastle.asn1.x500.X500Name r7, org.bouncycastle.asn1.x509.Extensions r8) throws org.xipki.ca.api.profile.CertprofileException, org.xipki.ca.api.BadCertTemplateException {
        /*
            Method dump skipped, instructions count: 442
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.xipki.ca.qa.ExtensionsChecker.getRequestedSubjectAltNames(org.bouncycastle.asn1.x500.X500Name, org.bouncycastle.asn1.x509.Extensions):org.bouncycastle.asn1.x509.GeneralName[]");
    }

    /**
     * Compares the SubjectInfoAccess value in {@code bArr} with the one carried in the request,
     * entry by entry, and appends each finding to {@code sb}.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions extensions of the request; may be null
     * @param extensionControl not read by this method
     */
    private void checkExtensionSubjectInfoAccess(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        Map allowedModes = this.certProfile.subjectInfoAccessModes();
        if (allowedModes == null) {
            sb.append("extension is present but not expected; ");
            return;
        }

        ASN1Encodable requestedValue = null;
        if (extensions != null) {
            requestedValue = extensions.getExtensionParsedValue(Extension.subjectInfoAccess);
        }
        if (requestedValue == null) {
            sb.append("extension is present but not expected; ");
            return;
        }

        ASN1Sequence requestedSeq = ASN1Sequence.getInstance(requestedValue);
        ASN1Sequence actualSeq = ASN1Sequence.getInstance(bArr);
        int expectedCount = requestedSeq.size();
        if (actualSeq.size() != expectedCount) {
            addViolation(sb, "size of GeneralNames", Integer.valueOf(actualSeq.size()), Integer.valueOf(expectedCount));
            return;
        }

        for (int idx = 0; idx < expectedCount; idx++) {
            AccessDescription requestedDesc = AccessDescription.getInstance(requestedSeq.getObjectAt(idx));
            ASN1ObjectIdentifier requestedMethod = requestedDesc.getAccessMethod();
            Set modes = (Set) allowedModes.get(requestedMethod);
            if (modes == null) {
                // The profile has no entry for this access method.
                sb.append("accessMethod in requestedExtension ");
                sb.append(requestedMethod.getId()).append(" is not allowed; ");
                continue;
            }

            AccessDescription actualDesc = AccessDescription.getInstance(actualSeq.getObjectAt(idx));
            ASN1ObjectIdentifier actualMethod = actualDesc.getAccessMethod();
            boolean sameMethod;
            if (requestedMethod == null) {
                sameMethod = actualMethod == null;
            } else {
                sameMethod = requestedMethod.equals(actualMethod);
            }
            if (!sameMethod) {
                addViolation(sb, "accessMethod", actualMethod == null ? "null" : actualMethod.getId(), requestedMethod == null ? "null" : requestedMethod.getId());
                continue;
            }

            try {
                // The requested location is passed through createGeneralName before the comparison.
                GeneralName actualLocation = actualDesc.getAccessLocation();
                GeneralName expectedLocation = createGeneralName(requestedDesc.getAccessLocation(), modes);
                if (!actualLocation.equals(expectedLocation)) {
                    sb.append("accessLocation does not match the requested one; ");
                }
            } catch (BadCertTemplateException e) {
                sb.append("invalid requestedExtension: ").append(e.getMessage());
                sb.append("; ");
            }
        }
    }

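    /**
     * Checks that the IssuerAltName value in {@code bArr} is byte-identical to the
     * subjectAlternativeName extension of the issuer certificate.
     *
     * <p>Fix: an issuer certificate without any extensions no longer causes a
     * NullPointerException; it is reported like an issuer without subjectAlternativeName.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param x509IssuerInfo supplies the issuer certificate
     */
    private void checkExtensionIssuerAltNames(StringBuilder sb, byte[] bArr, X509IssuerInfo x509IssuerInfo) {
        // getExtensions() yields null when the issuer certificate carries no extensions block.
        Extensions issuerExtensions = x509IssuerInfo.bcCert().getTBSCertificate().getExtensions();
        Extension extension = issuerExtensions == null ? null : issuerExtensions.getExtension(Extension.subjectAlternativeName);
        if (extension == null) {
            sb.append("issuerAlternativeName is present but expected 'none'; ");
            return;
        }
        byte[] octets = extension.getExtnValue().getOctets();
        if (!Arrays.equals(octets, bArr)) {
            addViolation(sb, "issuerAltNames", hex(bArr), hex(octets));
        }
    }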

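    /**
     * Checks the CRLDistributionPoints value in {@code bArr}: exactly one distribution point,
     * named by tag 0, whose names all carry tag 6 and whose strings equal the issuer's CRL URLs.
     *
     * <p>Fixes: a distribution point without a DistributionPointName is reported instead of
     * raising a NullPointerException, and the name is cast to ASN1String before getString() is
     * called (the cast was missing from the decompiled listing).
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param x509IssuerInfo supplies the expected CRL URLs
     */
    private void checkExtensionCrlDistributionPoints(StringBuilder sb, byte[] bArr, X509IssuerInfo x509IssuerInfo) {
        DistributionPoint[] distributionPoints = CRLDistPoint.getInstance(bArr).getDistributionPoints();
        if (distributionPoints == null) {
            addViolation(sb, "size of CRLDistributionPoints", 0, 1);
            return;
        }
        int length = distributionPoints.length;
        if (length != 1) {
            addViolation(sb, "size of CRLDistributionPoints", Integer.valueOf(length), 1);
            return;
        }
        Set<String> actualUrls = new HashSet<>();
        for (DistributionPoint distributionPoint : distributionPoints) {
            // The name is optional in the encoding; report its absence rather than dereference null.
            if (distributionPoint.getDistributionPoint() == null) {
                addViolation(sb, "DistributionPointName of CRLDistibutionPoints", "absent", "present");
                continue;
            }
            int type = distributionPoint.getDistributionPoint().getType();
            if (type != 0) {
                addViolation(sb, "tag of DistributionPointName of CRLDistibutionPoints", Integer.valueOf(type), 0);
            } else {
                for (GeneralName generalName : GeneralNames.getInstance(distributionPoint.getDistributionPoint().getName()).getNames()) {
                    if (generalName.getTagNo() != 6) {
                        addViolation(sb, "tag of CRL URL", Integer.valueOf(generalName.getTagNo()), 6);
                    } else {
                        actualUrls.add(((ASN1String) generalName.getName()).getString());
                    }
                }
                // Report the difference in both directions: unexpected URLs, then missing ones.
                Set<String> crlUrls = x509IssuerInfo.crlUrls();
                Set<String> strInBnotInA = strInBnotInA(crlUrls, actualUrls);
                if (CollectionUtil.isNonEmpty(strInBnotInA)) {
                    sb.append("CRL URLs ").append(strInBnotInA.toString()).append(" are present but not expected; ");
                }
                Set<String> strInBnotInA2 = strInBnotInA(actualUrls, crlUrls);
                if (CollectionUtil.isNonEmpty(strInBnotInA2)) {
                    sb.append("CRL URLs ").append(strInBnotInA2.toString()).append(" are absent but are required; ");
                }
            }
        }
    }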

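    /**
     * Checks the delta-CRL distribution points value in {@code bArr}: exactly one distribution
     * point, named by tag 0, whose names all carry tag 6 and whose strings equal the expected URLs.
     *
     * <p>Fixes: a distribution point without a DistributionPointName is reported instead of
     * raising a NullPointerException, and the name is cast to ASN1String before getString() is
     * called (the cast was missing from the decompiled listing).
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param x509IssuerInfo supplies the expected URLs
     */
    private void checkExtensionDeltaCrlDistributionPoints(StringBuilder sb, byte[] bArr, X509IssuerInfo x509IssuerInfo) {
        DistributionPoint[] distributionPoints = CRLDistPoint.getInstance(bArr).getDistributionPoints();
        if (distributionPoints == null) {
            addViolation(sb, "size of CRLDistributionPoints (deltaCRL)", 0, 1);
            return;
        }
        int length = distributionPoints.length;
        if (length != 1) {
            addViolation(sb, "size of CRLDistributionPoints (deltaCRL)", Integer.valueOf(length), 1);
            return;
        }
        Set<String> actualUrls = new HashSet<>();
        for (DistributionPoint distributionPoint : distributionPoints) {
            // The name is optional in the encoding; report its absence rather than dereference null.
            if (distributionPoint.getDistributionPoint() == null) {
                addViolation(sb, "DistributionPointName of CRLDistibutionPoints (deltaCRL)", "absent", "present");
                continue;
            }
            int type = distributionPoint.getDistributionPoint().getType();
            if (type != 0) {
                addViolation(sb, "tag of DistributionPointName of CRLDistibutionPoints (deltaCRL)", Integer.valueOf(type), 0);
            } else {
                for (GeneralName generalName : GeneralNames.getInstance(distributionPoint.getDistributionPoint().getName()).getNames()) {
                    if (generalName.getTagNo() != 6) {
                        addViolation(sb, "tag of deltaCRL URL", Integer.valueOf(generalName.getTagNo()), 6);
                    } else {
                        actualUrls.add(((ASN1String) generalName.getName()).getString());
                    }
                }
                // NOTE(review): the reference set is crlUrls(), the same one the full-CRL check
                // reads. Confirm whether the issuer info holds a separate delta-CRL URL set that
                // should be used here; otherwise this check only passes when both lists coincide.
                Set<String> crlUrls = x509IssuerInfo.crlUrls();
                Set<String> strInBnotInA = strInBnotInA(crlUrls, actualUrls);
                if (CollectionUtil.isNonEmpty(strInBnotInA)) {
                    sb.append("deltaCRL URLs ").append(strInBnotInA.toString()).append(" are present but not expected; ");
                }
                Set<String> strInBnotInA2 = strInBnotInA(actualUrls, crlUrls);
                if (CollectionUtil.isNonEmpty(strInBnotInA2)) {
                    sb.append("deltaCRL URLs ").append(strInBnotInA2.toString()).append(" are absent but are required; ");
                }
            }
        }
    }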

    /**
     * Checks the Admission extension value in {@code bArr}. Without an admission option in the
     * profile the value is compared with getExpectedExtValue(); otherwise the expected value is
     * computed from the option, using the registration numbers of the request when the option
     * asks for them.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions extensions of the request; may be null
     * @param extensionControl handed to getExpectedExtValue
     */
    private void checkExtensionAdmission(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        AdmissionSyntaxOption option = this.certProfile.admission();
        ASN1ObjectIdentifier extnType = ObjectIdentifiers.id_extension_admission;

        if (option == null) {
            byte[] expected = getExpectedExtValue(extnType, extensions, extensionControl);
            if (!Arrays.equals(expected, bArr)) {
                addViolation(sb, "extension value", hex(bArr), expected == null ? "not present" : hex(expected));
            }
            return;
        }

        // One inner list of registration numbers per Admissions entry of the request.
        List<List<String>> registrationNumbers = null;
        if (extensions != null && option.isInputFromRequestRequired()) {
            Extension requested = extensions.getExtension(extnType);
            if (requested == null) {
                sb.append("no Admission extension is contained in the request;");
                return;
            }
            Admissions[] allAdmissions = AdmissionSyntax.getInstance(requested.getParsedValue()).getContentsOfAdmissions();
            registrationNumbers = new ArrayList<>(allAdmissions.length);
            for (Admissions entry : allAdmissions) {
                ProfessionInfo[] infos = entry.getProfessionInfos();
                List<String> numbers = new ArrayList<>(infos.length);
                registrationNumbers.add(numbers);
                for (ProfessionInfo info : infos) {
                    numbers.add(info.getRegistrationNumber());
                }
            }
        }

        try {
            byte[] expected = option.extensionValue(registrationNumbers).value().toASN1Primitive().getEncoded();
            if (!Arrays.equals(expected, bArr)) {
                addViolation(sb, "extension valus", hex(bArr), hex(expected));
            }
        } catch (IOException e) {
            LogUtil.error(LOG, e);
            sb.append("IOException while computing the expected extension value;");
        } catch (BadCertTemplateException e2) {
            LogUtil.error(LOG, e2);
            sb.append("BadCertTemplateException while computing the expected extension value;");
        }
    }

    /**
     * Checks the AuthorityInfoAccess value in {@code bArr} against the issuer's caIssuers and OCSP
     * URLs. A missing AIA control in the profile means both URL sets are expected.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param x509IssuerInfo supplies the expected URLs
     */
    private void checkExtensionAuthorityInfoAccess(StringBuilder sb, byte[] bArr, X509IssuerInfo x509IssuerInfo) {
        AuthorityInfoAccessControl control = this.certProfile.aiaControl();

        Set<String> expectedCaIssuerUrls;
        if (control == null || control.includesCaIssuers()) {
            expectedCaIssuerUrls = x509IssuerInfo.caIssuerUrls();
        } else {
            expectedCaIssuerUrls = Collections.emptySet();
        }

        Set<String> expectedOcspUrls;
        if (control == null || control.includesOcsp()) {
            expectedOcspUrls = x509IssuerInfo.ocspUrls();
        } else {
            expectedOcspUrls = Collections.emptySet();
        }

        // With nothing expected, the mere presence of the extension is the finding.
        if (CollectionUtil.isEmpty(expectedCaIssuerUrls) && CollectionUtil.isEmpty(expectedOcspUrls)) {
            sb.append("AIA is present but expected is 'none'; ");
            return;
        }

        AuthorityInformationAccess actual = AuthorityInformationAccess.getInstance(bArr);
        checkAia(sb, actual, X509ObjectIdentifiers.id_ad_caIssuers, expectedCaIssuerUrls);
        checkAia(sb, actual, X509ObjectIdentifiers.id_ad_ocsp, expectedOcspUrls);
    }

    /**
     * Checks that the OCSP-nocheck extension value equals {@code DER_NULL}.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     */
    private void checkExtensionOcspNocheck(StringBuilder sb, byte[] bArr) {
        boolean isDerNull = Arrays.equals(DER_NULL, bArr);
        if (!isDerNull) {
            sb.append("value is not DER NULL; ");
        }
    }

    /**
     * Checks the Restriction extension by delegating to checkDirectoryString with the configured
     * {@code restriction} value.
     */
    private void checkExtensionRestriction(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        ASN1ObjectIdentifier extnType = ObjectIdentifiers.id_extension_restriction;
        QaDirectoryString expected = this.restriction;
        checkDirectoryString(extnType, expected, sb, bArr, extensions, extensionControl);
    }

    /**
     * Checks the AdditionalInformation extension by delegating to checkDirectoryString with the
     * configured {@code additionalInformation} value.
     */
    private void checkExtensionAdditionalInformation(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        ASN1ObjectIdentifier extnType = ObjectIdentifiers.id_extension_additionalInformation;
        QaDirectoryString expected = this.additionalInformation;
        checkDirectoryString(extnType, expected, sb, bArr, extensions, extensionControl);
    }

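    /**
     * Checks an extension whose value is a single DirectoryString. Without a configured
     * expectation the value is compared with getExpectedExtValue(); otherwise both the ASN.1
     * string type and the text must match the configuration.
     *
     * <p>Fix: the parsed value is held as ASN1Primitive and cast to ASN1String only after the type
     * check passed. The decompiled listing assigned it straight to an ASN1String variable, which
     * does not compile and, with a cast added at that point, would turn a non-string value into a
     * ClassCastException instead of the "not of type DirectoryString" finding.
     *
     * @param aSN1ObjectIdentifier type of the extension, handed to getExpectedExtValue
     * @param qaDirectoryString configured expectation; may be null
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions extensions of the request, handed to getExpectedExtValue
     * @param extensionControl handed to getExpectedExtValue
     */
    private void checkDirectoryString(ASN1ObjectIdentifier aSN1ObjectIdentifier, QaDirectoryString qaDirectoryString, StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        if (qaDirectoryString == null) {
            byte[] expectedExtValue = getExpectedExtValue(aSN1ObjectIdentifier, extensions, extensionControl);
            if (Arrays.equals(expectedExtValue, bArr)) {
                return;
            }
            addViolation(sb, "extension values", hex(bArr), expectedExtValue == null ? "not present" : hex(expectedExtValue));
            return;
        }
        try {
            ASN1Primitive parsed = ASN1Primitive.fromByteArray(bArr);
            boolean typeMatches;
            // Compiler-generated switch map over DirectoryStringType; which constant sits behind
            // each case number is not visible here, only the string class it is paired with.
            switch (AnonymousClass1.$SwitchMap$org$xipki$ca$api$profile$DirectoryStringType[qaDirectoryString.type().ordinal()]) {
                case 1:
                    typeMatches = parsed instanceof DERBMPString;
                    break;
                case 2:
                    typeMatches = parsed instanceof DERPrintableString;
                    break;
                case 3:
                    typeMatches = parsed instanceof DERT61String;
                    break;
                case 4:
                    typeMatches = parsed instanceof DERUTF8String;
                    break;
                default:
                    throw new RuntimeException("should not reach here, unknown DirectoryStringType " + qaDirectoryString.type());
            }
            if (!typeMatches) {
                // NOTE(review): the message appends text(), not type(); confirm which was intended.
                sb.append("extension value is not of type DirectoryString.").append(qaDirectoryString.text()).append("; ");
                return;
            }
            // Safe after the instanceof check: each of the four classes above is an ASN1String.
            String string = ((ASN1String) parsed).getString();
            if (qaDirectoryString.text().equals(string)) {
                return;
            }
            addViolation(sb, "content", string, qaDirectoryString.text());
        } catch (IOException e) {
            // The bytes could not be parsed as ASN.1 at all.
            sb.append("invalid syntax of extension value; ");
        }
    }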

    /**
     * Checks the ValidityModel extension value in {@code bArr}. With a configured model OID the
     * value must decode to that OID; otherwise it is compared with getExpectedExtValue().
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions extensions of the request, handed to getExpectedExtValue
     * @param extensionControl handed to getExpectedExtValue
     */
    private void checkExtensionValidityModel(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        ASN1ObjectIdentifier expectedModel = this.validityModelId;

        if (expectedModel != null) {
            ASN1ObjectIdentifier actualModel = ASN1ObjectIdentifier.getInstance(bArr);
            if (!expectedModel.equals(actualModel)) {
                addViolation(sb, "content", actualModel, expectedModel);
            }
            return;
        }

        // No model configured: fall back to the byte-wise comparison.
        byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_extension_validityModel, extensions, extensionControl);
        if (!Arrays.equals(expected, bArr)) {
            addViolation(sb, "extension values", hex(bArr), expected == null ? "not present" : hex(expected));
        }
    }

    /**
     * Checks the PrivateKeyUsagePeriod value in {@code bArr}. The expected notBefore is
     * {@code date}; the expected notAfter is {@code date} plus the profile's usage period, capped
     * at {@code date2}, or {@code date2} itself when the profile defines no period.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param date expected start of the period
     * @param date2 latest allowed end of the period
     */
    private void checkExtensionPrivateKeyUsagePeriod(StringBuilder sb, byte[] bArr, Date date, Date date2) {
        ASN1GeneralizedTime expectedNotBefore = new ASN1GeneralizedTime(date);

        CertValidity usagePeriod = this.certProfile.privateKeyUsagePeriod();
        Date expectedEnd = date2;
        if (usagePeriod != null) {
            Date candidate = usagePeriod.add(date);
            if (!candidate.after(date2)) {
                expectedEnd = candidate;
            }
        }
        ASN1GeneralizedTime expectedNotAfter = new ASN1GeneralizedTime(expectedEnd);

        PrivateKeyUsagePeriod actual = PrivateKeyUsagePeriod.getInstance(bArr);

        ASN1GeneralizedTime actualNotBefore = actual.getNotBefore();
        if (actualNotBefore == null) {
            sb.append("notBefore is absent but expected present; ");
        } else if (!actualNotBefore.equals(expectedNotBefore)) {
            addViolation(sb, "notBefore", actualNotBefore.getTimeString(), expectedNotBefore.getTimeString());
        }

        ASN1GeneralizedTime actualNotAfter = actual.getNotAfter();
        if (actualNotAfter == null) {
            sb.append("notAfter is absent but expected present; ");
        } else if (!actualNotAfter.equals(expectedNotAfter)) {
            addViolation(sb, "notAfter", actualNotAfter.getTimeString(), expectedNotAfter.getTimeString());
        }
    }

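    /**
     * Checks the QCStatements value in {@code bArr} against the configured statements, position
     * by position. Without a configuration the value is compared with getExpectedExtValue().
     *
     * <p>Fix: the "extension values" finding now reports {@code hex(bArr)}, like the sibling
     * checks, instead of handing the raw byte array to addViolation.
     *
     * <p>An IllegalArgumentException is thrown when a PDS location entry does not have exactly
     * two elements, and a RuntimeException when a configured statement value has none of the
     * four known kinds; neither is caught here.
     *
     * @param sb collects the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions extensions of the request; may be null
     * @param extensionControl handed to getExpectedExtValue
     */
    private void checkExtensionQcStatements(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QcStatements qcStatements = this.qcStatements;
        if (qcStatements == null) {
            byte[] expectedExtValue = getExpectedExtValue(Extension.qCStatements, extensions, extensionControl);
            if (Arrays.equals(expectedExtValue, bArr)) {
                return;
            }
            addViolation(sb, "extension values", hex(bArr), expectedExtValue == null ? "not present" : hex(expectedExtValue));
            return;
        }
        int size = qcStatements.getQcStatement().size();
        ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(bArr);
        int size2 = aSN1Sequence.size();
        if (size2 != size) {
            addViolation(sb, "number of statements", Integer.valueOf(size2), Integer.valueOf(size));
            return;
        }

        // QcLimitValue statements of the request: currency -> {amount, exponent}.
        Map<String, int[]> requestedLimits = new HashMap<>();
        Extension extension = extensions == null ? null : extensions.getExtension(Extension.qCStatements);
        if (extension != null) {
            ASN1Sequence aSN1Sequence2 = ASN1Sequence.getInstance(extension.getParsedValue());
            int size3 = aSN1Sequence2.size();
            for (int i3 = 0; i3 < size3; i3++) {
                QCStatement qCStatement = QCStatement.getInstance(aSN1Sequence2.getObjectAt(i3));
                if (ObjectIdentifiers.id_etsi_qcs_QcLimitValue.equals(qCStatement.getStatementId())) {
                    MonetaryValue monetaryValue = MonetaryValue.getInstance(qCStatement.getStatementInfo());
                    // NOTE(review): intValue() narrows, so a requested amount or exponent outside
                    // the int range is compared after truncation; confirm that is acceptable.
                    int intValue = monetaryValue.getAmount().intValue();
                    int intValue2 = monetaryValue.getExponent().intValue();
                    Iso4217CurrencyCode currency = monetaryValue.getCurrency();
                    requestedLimits.put(currency.isAlphabetic() ? currency.getAlphabetic().toUpperCase() : Integer.toString(currency.getNumeric()), new int[]{intValue, intValue2});
                }
            }
        }

        for (int i4 = 0; i4 < size; i4++) {
            QCStatement qCStatement2 = QCStatement.getInstance(aSN1Sequence.getObjectAt(i4));
            QcStatementType qcStatementType = (QcStatementType) qcStatements.getQcStatement().get(i4);
            if (!qCStatement2.getStatementId().getId().equals(qcStatementType.getStatementId().getValue())) {
                addViolation(sb, "statmentId[" + i4 + "]", qCStatement2.getStatementId().getId(), qcStatementType.getStatementId().getValue());
            } else if (qcStatementType.getStatementValue() == null) {
                if (qCStatement2.getStatementInfo() != null) {
                    addViolation(sb, "statmentInfo[" + i4 + "]", "present", "absent");
                }
            } else if (qCStatement2.getStatementInfo() == null) {
                addViolation(sb, "statmentInfo[" + i4 + "]", "absent", "present");
            } else {
                QcStatementValueType statementValue = qcStatementType.getStatementValue();
                try {
                    if (statementValue.getConstant() != null) {
                        // Constant: the encoded statementInfo must equal the configured bytes.
                        byte[] value = statementValue.getConstant().getValue();
                        byte[] encoded = qCStatement2.getStatementInfo().toASN1Primitive().getEncoded();
                        if (!Arrays.equals(encoded, value)) {
                            addViolation(sb, "statementInfo[" + i4 + "]", hex(encoded), hex(value));
                        }
                    } else if (statementValue.getQcRetentionPeriod() != null) {
                        // Retention period: compared through the string forms of both integers.
                        String aSN1Integer = ASN1Integer.getInstance(qCStatement2.getStatementInfo()).toString();
                        String num = statementValue.getQcRetentionPeriod().toString();
                        if (!aSN1Integer.equals(num)) {
                            addViolation(sb, "statementInfo[" + i4 + "]", aSN1Integer, num);
                        }
                    } else if (statementValue.getPdsLocations() != null) {
                        // PDS locations: compared as sets of "url=...,lang=..." strings.
                        Set<String> actualLocations = new HashSet<>();
                        ASN1Sequence aSN1Sequence3 = ASN1Sequence.getInstance(qCStatement2.getStatementInfo());
                        int size4 = aSN1Sequence3.size();
                        for (int i5 = 0; i5 < size4; i5++) {
                            ASN1Sequence aSN1Sequence4 = ASN1Sequence.getInstance(aSN1Sequence3.getObjectAt(i5));
                            int size5 = aSN1Sequence4.size();
                            if (size5 != 2) {
                                throw new IllegalArgumentException("sequence size is " + size5 + " but expected 2");
                            }
                            actualLocations.add("url=" + DERIA5String.getInstance(aSN1Sequence4.getObjectAt(0)).getString() + ",lang=" + DERPrintableString.getInstance(aSN1Sequence4.getObjectAt(1)).getString());
                        }
                        PdsLocationsType pdsLocations = statementValue.getPdsLocations();
                        Set<String> expectedLocations = new HashSet<>();
                        for (PdsLocationType pdsLocationType : pdsLocations.getPdsLocation()) {
                            expectedLocations.add("url=" + pdsLocationType.getUrl() + ",lang=" + pdsLocationType.getLanguage());
                        }
                        Set<String> strInBnotInA = strInBnotInA(expectedLocations, actualLocations);
                        if (CollectionUtil.isNonEmpty(strInBnotInA)) {
                            sb.append("statementInfo[" + i4 + "]: ").append(strInBnotInA.toString());
                            sb.append(" are present but not expected; ");
                        }
                        Set<String> strInBnotInA2 = strInBnotInA(actualLocations, expectedLocations);
                        if (CollectionUtil.isNonEmpty(strInBnotInA2)) {
                            sb.append("statementInfo[" + i4 + "]: ").append(strInBnotInA2.toString());
                            sb.append(" are absent but are required; ");
                        }
                    } else {
                        if (statementValue.getQcEuLimitValue() == null) {
                            throw new RuntimeException("statementInfo[" + i4 + "]should not reach here");
                        }
                        QcEuLimitValueType qcEuLimitValue = statementValue.getQcEuLimitValue();
                        String upperCase = qcEuLimitValue.getCurrency().toUpperCase();
                        int[] requestedLimit = requestedLimits.get(upperCase);

                        // A range with min == max fixes the value; otherwise the request decides.
                        int expectedAmount;
                        Range2Type amount = qcEuLimitValue.getAmount();
                        if (amount.getMin() == amount.getMax()) {
                            expectedAmount = amount.getMin();
                        } else {
                            if (requestedLimit == null) {
                                sb.append("found no QcEuLimit for currency '").append(upperCase).append("'; ");
                                return;
                            }
                            expectedAmount = requestedLimit[0];
                        }
                        String num2 = Integer.toString(expectedAmount);

                        int expectedExponent;
                        Range2Type exponent = qcEuLimitValue.getExponent();
                        if (exponent.getMin() == exponent.getMax()) {
                            expectedExponent = exponent.getMin();
                        } else {
                            if (requestedLimit == null) {
                                sb.append("found no QcEuLimit for currency '").append(upperCase).append("'; ");
                                return;
                            }
                            expectedExponent = requestedLimit[1];
                        }
                        String num3 = Integer.toString(expectedExponent);

                        MonetaryValue monetaryValue2 = MonetaryValue.getInstance(qCStatement2.getStatementInfo());
                        Iso4217CurrencyCode currency2 = monetaryValue2.getCurrency();
                        String alphabetic = currency2.isAlphabetic() ? currency2.getAlphabetic() : Integer.toString(currency2.getNumeric());
                        String bigInteger = monetaryValue2.getAmount().toString();
                        String bigInteger2 = monetaryValue2.getExponent().toString();
                        if (!alphabetic.equals(upperCase)) {
                            addViolation(sb, "statementInfo[" + i4 + "].qcEuLimit.currency", alphabetic, upperCase);
                        }
                        if (!bigInteger.equals(num2)) {
                            addViolation(sb, "statementInfo[" + i4 + "].qcEuLimit.amount", bigInteger, num2);
                        }
                        if (!bigInteger2.equals(num3)) {
                            addViolation(sb, "statementInfo[" + i4 + "].qcEuLimit.exponent", bigInteger2, num3);
                        }
                    }
                } catch (IOException e) {
                    sb.append("statementInfo[").append(i4).append("] has incorrect syntax; ");
                }
            }
        }
    }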

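    /**
     * Compares the biometricInfo extension being checked with the expected one and appends one
     * message to {@code sb} per difference.
     *
     * <p>The expected value is read from {@code extensions}. The check stops early when the profile
     * has no biometricInfo option, when {@code extensions} carries no biometricInfo value, or when
     * the two sequences differ in length. Otherwise each biometricData entry is compared field by
     * field: type, hash algorithm OID, hash algorithm parameters (which must be present and equal
     * to the class constant {@code DER_NULL}), the hash octets and the sourceDataUri.
     *
     * @param sb buffer collecting the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions source of the expected extension value (presumably the extensions of the
     *     request; confirm against the caller); may be {@code null}
     * @param extensionControl not read by this check
     */
    private void checkExtensionBiometricInfo(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        BiometricInfoOption option = this.certProfile.biometricInfo();
        if (option == null) {
            sb.append("extension is present but not expected; ");
            return;
        }
        ASN1Encodable expectedValue = extensions == null ? null : extensions.getExtensionParsedValue(Extension.biometricInfo);
        if (expectedValue == null) {
            sb.append("extension is present but not expected; ");
            return;
        }
        ASN1Sequence expectedSeq = ASN1Sequence.getInstance(expectedValue);
        int expectedSize = expectedSeq.size();
        ASN1Sequence actualSeq = ASN1Sequence.getInstance(bArr);
        int actualSize = actualSeq.size();
        if (actualSize != expectedSize) {
            addViolation(sb, "number of biometricData", Integer.valueOf(actualSize), Integer.valueOf(expectedSize));
            return;
        }
        for (int i = 0; i < expectedSize; i++) {
            String field = "biometricData[" + i + "]";
            BiometricData actual = BiometricData.getInstance(actualSeq.getObjectAt(i));
            BiometricData expected = BiometricData.getInstance(expectedSeq.getObjectAt(i));

            TypeOfBiometricData actualType = actual.getTypeOfBiometricData();
            TypeOfBiometricData expectedType = expected.getTypeOfBiometricData();
            if (!actualType.equals(expectedType)) {
                // A type is either one of the predefined numbers or an OID; print whichever applies.
                String actualText = actualType.isPredefined()
                        ? Integer.toString(actualType.getPredefinedBiometricType())
                        : actualType.getBiometricDataOid().getId();
                String expectedText = expectedType.isPredefined()
                        ? Integer.toString(expectedType.getPredefinedBiometricType())
                        : expectedType.getBiometricDataOid().getId();
                addViolation(sb, field + ".typeOfBiometricData", actualText, expectedText);
            }

            ASN1ObjectIdentifier actualHashAlg = actual.getHashAlgorithm().getAlgorithm();
            ASN1ObjectIdentifier expectedHashAlg = expected.getHashAlgorithm().getAlgorithm();
            if (!actualHashAlg.equals(expectedHashAlg)) {
                addViolation(sb, field + ".hashAlgorithm", actualHashAlg.getId(), expectedHashAlg.getId());
            }

            // The parameters must be present and encode to DER_NULL. A missing field is therefore
            // reported as 'absent' where 'present' was expected, and all three messages name the
            // field the value was read from (hashAlgorithm.parameters).
            ASN1Encodable actualParams = actual.getHashAlgorithm().getParameters();
            if (actualParams == null) {
                sb.append(field).append(".hashAlgorithm.parameters is 'absent'");
                sb.append(" but expected 'present'; ");
            } else {
                try {
                    byte[] encodedParams = actualParams.toASN1Primitive().getEncoded();
                    if (!Arrays.equals(encodedParams, DER_NULL)) {
                        addViolation(sb, field + ".hashAlgorithm.parameters", hex(encodedParams), hex(DER_NULL));
                    }
                } catch (IOException e) {
                    sb.append(field).append(".hashAlgorithm.parameters has incorrect syntax; ");
                }
            }

            byte[] actualHash = actual.getBiometricDataHash().getOctets();
            byte[] expectedHash = expected.getBiometricDataHash().getOctets();
            if (!Arrays.equals(actualHash, expectedHash)) {
                addViolation(sb, field + ".biometricDataHash", hex(actualHash), hex(expectedHash));
            }

            DERIA5String actualUriValue = actual.getSourceDataUri();
            String actualUri = actualUriValue == null ? null : actualUriValue.getString();
            // When the profile forbids sourceDataUri the expected side is treated as absent,
            // whatever the expected extension carries.
            String expectedUri = null;
            if (option.sourceDataUriOccurrence() != TripleState.FORBIDDEN) {
                DERIA5String expectedUriValue = expected.getSourceDataUri();
                expectedUri = expectedUriValue == null ? null : expectedUriValue.getString();
            }
            if (expectedUri == null) {
                if (actualUri != null) {
                    addViolation(sb, field + ".sourceDataUri", "present", "absent");
                }
            } else if (actualUri == null) {
                sb.append(field).append(".sourceDataUri is 'absent'");
                sb.append(" but expected 'present'; ");
            } else if (!actualUri.equals(expectedUri)) {
                addViolation(sb, field + ".sourceDataUri", actualUri, expectedUri);
            }
        }
    }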

    /**
     * Checks the authorizationTemplate extension value and appends a message to {@code sb} for
     * each mismatch.
     *
     * <p>With a configured {@code authorizationTemplate} the value is decoded as a sequence whose
     * first element is the type OID and whose second element is the access-rights octet string;
     * both are compared with the configuration. Without one, the raw bytes are compared with the
     * value returned by {@code getExpectedExtValue}.
     *
     * @param sb buffer collecting the failure messages
     * @param bArr encoded value of the extension being checked
     * @param extensions passed through to {@code getExpectedExtValue}
     * @param extensionControl passed through to {@code getExpectedExtValue}
     */
    private void checkExtensionAuthorizationTemplate(StringBuilder sb, byte[] bArr, Extensions extensions, ExtensionControl extensionControl) {
        QaAuthorizationTemplate template = this.authorizationTemplate;
        if (template != null) {
            // NOTE(review): the element count is not checked before getObjectAt(0)/(1); a shorter
            // sequence surfaces as a runtime exception rather than as a reported violation.
            ASN1Sequence decoded = ASN1Sequence.getInstance(bArr);
            ASN1ObjectIdentifier actualType = ASN1ObjectIdentifier.getInstance(decoded.getObjectAt(0));
            ASN1OctetString rightsField = DEROctetString.getInstance(decoded.getObjectAt(1));
            if (!template.type().equals(actualType.getId())) {
                addViolation(sb, "type", actualType.getId(), template.type());
            }
            byte[] actualRights = rightsField.getOctets();
            if (!Arrays.equals(template.accessRights(), actualRights)) {
                addViolation(sb, "accessRights", hex(actualRights), hex(template.accessRights()));
            }
            return;
        }

        // No template configured: fall back to a byte-for-byte comparison.
        byte[] expectedBytes = getExpectedExtValue(ObjectIdentifiers.id_xipki_ext_authorizationTemplate, extensions, extensionControl);
        if (!Arrays.equals(expectedBytes, bArr)) {
            String expectedText = expectedBytes == null ? "not present" : hex(expectedBytes);
            addViolation(sb, "extension values", hex(bArr), expectedText);
        }
    }

    /**
     * Selects the profile's key usage controls whose required flag equals {@code z}.
     *
     * @param z {@code true} to select the required usages, {@code false} for the others
     * @return a new set, empty when the profile defines no key usages
     */
    private Set<KeyUsageControl> getKeyusage(boolean z) {
        Set<KeyUsageControl> selected = new HashSet<>();
        Set<KeyUsageControl> configured = this.certProfile.keyusages();
        if (configured == null) {
            return selected;
        }
        for (KeyUsageControl control : configured) {
            if (control.isRequired() != z) {
                continue;
            }
            selected.add(control);
        }
        return selected;
    }

    /**
     * Selects the profile's extended key usage controls whose required flag equals {@code z}.
     *
     * @param z {@code true} to select the required usages, {@code false} for the others
     * @return a new set, empty when the profile defines no extended key usages
     */
    private Set<ExtKeyUsageControl> getExtKeyusage(boolean z) {
        Set<ExtKeyUsageControl> matching = new HashSet<>();
        Set<ExtKeyUsageControl> all = this.certProfile.extendedKeyusages();
        if (all != null) {
            Iterator<ExtKeyUsageControl> it = all.iterator();
            while (it.hasNext()) {
                ExtKeyUsageControl usage = it.next();
                if (usage.isRequired() == z) {
                    matching.add(usage);
                }
            }
        }
        return matching;
    }

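    /**
     * Returns the constant value configured for the given extension type.
     *
     * @param aSN1ObjectIdentifier extension type to look up
     * @return the configured value, or {@code null} when no constant extensions are configured
     *     or none is registered for this type
     */
    private byte[] getConstantExtensionValue(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        // A type without an entry yields null, the same answer as "nothing configured",
        // rather than a NullPointerException on the missing map value.
        if (this.constantExtensions == null || this.constantExtensions.get(aSN1ObjectIdentifier) == null) {
            return null;
        }
        return this.constantExtensions.get(aSN1ObjectIdentifier).value();
    }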

    /**
     * Finds the configuration object of one extension type inside {@code extensionsType}.
     *
     * @param aSN1ObjectIdentifier extension type to look for
     * @param extensionsType configured extensions to search
     * @param cls class the configuration object is expected to be an instance of
     * @return the configuration object, or {@code null} when the extension has no value or its
     *     value is a {@code ConstantExtValue} that is not an instance of {@code cls}
     * @throws CertprofileException if the value is neither an instance of {@code cls} nor a
     *     {@code ConstantExtValue}
     * @throws RuntimeException if no entry for the extension type exists
     */
    private Object getExtensionValue(ASN1ObjectIdentifier aSN1ObjectIdentifier, ExtensionsType extensionsType, Class<?> cls) throws CertprofileException {
        for (ExtensionType candidate : extensionsType.getExtension()) {
            if (!candidate.getType().getValue().equals(aSN1ObjectIdentifier.getId())) {
                continue;
            }
            // Only the first entry with a matching type is looked at.
            if (candidate.getValue() == null || candidate.getValue().getAny() == null) {
                return null;
            }
            Object configured = candidate.getValue().getAny();
            if (cls.isInstance(configured)) {
                return configured;
            }
            if (configured instanceof ConstantExtValue) {
                return null;
            }
            throw new CertprofileException("the extension configuration for " + ObjectIdentifiers.oidToDisplayName(aSN1ObjectIdentifier) + " is not of the expected type " + cls.getName());
        }
        throw new RuntimeException("should not reach here: undefined extension " + ObjectIdentifiers.oidToDisplayName(aSN1ObjectIdentifier));
    }

    /**
     * Collects the extensions that are configured with a constant value.
     *
     * <p>Entries for subjectAlternativeName, subjectInfoAccess and biometricInfo are left out.
     * Every other constant value has to be readable as an ASN.1 object before it is accepted.
     *
     * @param extensionsType configured extensions; may be {@code null}
     * @return an unmodifiable map from extension type to value, or {@code null} when
     *     {@code extensionsType} is {@code null} or no constant extension was collected
     * @throws CertprofileException if a constant value cannot be parsed
     */
    public static Map<ASN1ObjectIdentifier, QaExtensionValue> buildConstantExtesions(ExtensionsType extensionsType) throws CertprofileException {
        if (extensionsType == null) {
            return null;
        }
        Map<ASN1ObjectIdentifier, QaExtensionValue> constants = new HashMap<>();
        for (ExtensionType entry : extensionsType.getExtension()) {
            if (entry.getValue() == null || !(entry.getValue().getAny() instanceof ConstantExtValue)) {
                continue;
            }
            ASN1ObjectIdentifier type = new ASN1ObjectIdentifier(entry.getType().getValue());
            boolean excluded = Extension.subjectAlternativeName.equals(type)
                    || Extension.subjectInfoAccess.equals(type)
                    || Extension.biometricInfo.equals(type);
            if (excluded) {
                continue;
            }
            byte[] encoded = ((ConstantExtValue) entry.getValue().getAny()).getValue();
            try {
                // The parsed object is discarded; reading it only proves the bytes are decodable.
                new ASN1StreamParser(encoded).readObject();
                constants.put(type, new QaExtensionValue(entry.isCritical(), encoded));
            } catch (IOException e) {
                throw new CertprofileException("could not parse the constant extension value", e);
            }
        }
        return CollectionUtil.isEmpty(constants) ? null : Collections.unmodifiableMap(constants);
    }

    /**
     * Reads the first ASN.1 object from an encoded byte array.
     *
     * @param bArr encoded bytes
     * @return the object read by the stream parser
     * @throws CertprofileException if reading fails with an {@link IOException}
     */
    private static ASN1Encodable readAsn1Encodable(byte[] bArr) throws CertprofileException {
        ASN1Encodable parsed;
        try {
            parsed = new ASN1StreamParser(bArr).readObject();
        } catch (IOException e) {
            throw new CertprofileException("could not parse the constant extension value", e);
        }
        return parsed;
    }

    /**
     * Renders bytes as a hexadecimal string for use in failure messages.
     *
     * @param bArr bytes to render
     * @return the result of {@code Hex.toHexString}
     */
    private static String hex(byte[] bArr) {
        final String rendered = Hex.toHexString(bArr);
        return rendered;
    }

    /**
     * Returns the strings that occur in the second collection but not in the first.
     *
     * @param collection collection A; {@code null} is treated as empty
     * @param collection2 collection B; {@code null} yields an empty result
     * @return the shared empty set when B is {@code null}, otherwise a new set holding the
     *     elements of B that A does not contain
     */
    private static Set<String> strInBnotInA(Collection<String> collection, Collection<String> collection2) {
        if (collection2 == null) {
            return Collections.emptySet();
        }
        Set<String> onlyInB = new HashSet<>();
        for (String candidate : collection2) {
            boolean knownToA = collection != null && collection.contains(candidate);
            if (knownToA) {
                continue;
            }
            onlyInB.add(candidate);
        }
        return onlyInB;
    }

    /**
     * Converts the configured ranges into {@code Range} objects.
     *
     * <p>An entry with neither a minimum nor a maximum is skipped.
     *
     * @param rangesType configured ranges; may be {@code null}
     * @return a new set of ranges, or {@code null} when {@code rangesType} is {@code null}
     */
    static Set<Range> buildParametersMap(RangesType rangesType) {
        if (rangesType == null) {
            return null;
        }
        Set<Range> ranges = new HashSet<>();
        for (RangeType bounds : rangesType.getRange()) {
            boolean unbounded = bounds.getMin() == null && bounds.getMax() == null;
            if (unbounded) {
                continue;
            }
            ranges.add(new Range(bounds.getMin(), bounds.getMax()));
        }
        return ranges;
    }

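    /**
     * Builds the GeneralName expected for a given input name, after checking it against the
     * allowed modes.
     *
     * <p>When {@code set} is not {@code null}, the tag of {@code generalName} must match one of its
     * modes, and for otherName the type OID must be among that mode's allowed types. otherName and
     * ediPartyName are rebuilt from their decoded parts (the otherName value is always re-encoded
     * as a UTF8String under an explicit [0] tag); the remaining supported tags are copied with
     * their original name object.
     *
     * @param generalName name to convert
     * @param set allowed modes; {@code null} disables the mode checks
     * @return the rebuilt or copied name
     * @throws BadCertTemplateException if the tag or the otherName type is not allowed, or the
     *     otherName value is not a string type
     * @throws RuntimeException for x400Address and for any tag outside the known range
     */
    private static GeneralName createGeneralName(GeneralName generalName, Set<GeneralNameMode> set) throws BadCertTemplateException {
        int tagNo = generalName.getTagNo();
        GeneralNameMode mode = null;
        if (set != null) {
            for (GeneralNameMode candidate : set) {
                if (candidate.tag().tag() == tagNo) {
                    mode = candidate;
                    break;
                }
            }
            if (mode == null) {
                throw new BadCertTemplateException("generalName tag " + tagNo + " is not allowed");
            }
        }
        switch (tagNo) {
            case GeneralName.otherName: {
                ASN1Sequence otherNameSeq = ASN1Sequence.getInstance(generalName.getName());
                ASN1ObjectIdentifier typeId = ASN1ObjectIdentifier.getInstance(otherNameSeq.getObjectAt(0));
                if (mode != null && !mode.allowedTypes().contains(typeId)) {
                    throw new BadCertTemplateException("otherName.type " + typeId.getId() + " is not allowed");
                }
                // Held as ASN1Encodable so that the instanceof test is a real runtime check: a
                // non-string value is rejected with BadCertTemplateException instead of failing
                // on the assignment.
                ASN1Encodable taggedValue = ASN1TaggedObject.getInstance(otherNameSeq.getObjectAt(1)).getObject();
                if (!(taggedValue instanceof ASN1String)) {
                    throw new BadCertTemplateException("otherName.value is not a String");
                }
                String text = ((ASN1String) taggedValue).getString();
                ASN1EncodableVector rebuilt = new ASN1EncodableVector();
                rebuilt.add(typeId);
                rebuilt.add(new DERTaggedObject(true, 0, new DERUTF8String(text)));
                return new GeneralName(GeneralName.otherName, new DERSequence(rebuilt));
            }
            case GeneralName.rfc822Name:
            case GeneralName.dNSName:
            case GeneralName.directoryName:
            case GeneralName.uniformResourceIdentifier:
            case GeneralName.iPAddress:
            case GeneralName.registeredID:
                return new GeneralName(tagNo, generalName.getName());
            case GeneralName.ediPartyName: {
                ASN1Sequence ediSeq = ASN1Sequence.getInstance(generalName.getName());
                int idx = 0;
                // With more than one element, the first is read as the optional leading string
                // and the next one as the mandatory string.
                String nameAssigner = null;
                if (ediSeq.size() > 1) {
                    nameAssigner = DirectoryString.getInstance(ASN1TaggedObject.getInstance(ediSeq.getObjectAt(idx++)).getObject()).getString();
                }
                String partyName = DirectoryString.getInstance(ASN1TaggedObject.getInstance(ediSeq.getObjectAt(idx)).getObject()).getString();
                ASN1EncodableVector rebuilt = new ASN1EncodableVector();
                if (nameAssigner != null) {
                    rebuilt.add(new DERTaggedObject(false, 0, new DirectoryString(nameAssigner)));
                }
                rebuilt.add(new DERTaggedObject(false, 1, new DirectoryString(partyName)));
                return new GeneralName(GeneralName.ediPartyName, new DERSequence(rebuilt));
            }
            default:
                // x400Address (tag 3) has no branch of its own and ends up here as well.
                throw new RuntimeException("should not reach here, unknown GeneralName tag " + tagNo);
        }
    }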

    /**
     * Decodes a keyUsage extension value and lists the usages it asserts.
     *
     * @param bArr encoded keyUsage extension value
     * @return a new set with the name of every {@code KeyUsage} constant whose bit is set
     */
    private static Set<String> getKeyUsage(byte[] bArr) {
        Set<String> names = new HashSet<>();
        org.bouncycastle.asn1.x509.KeyUsage decoded = org.bouncycastle.asn1.x509.KeyUsage.getInstance(bArr);
        for (KeyUsage candidate : KeyUsage.values()) {
            if (!decoded.hasUsages(candidate.bcUsage())) {
                continue;
            }
            names.add(candidate.getName());
        }
        return names;
    }

    /**
     * Decodes an extendedKeyUsage extension value and lists the purpose OIDs it contains.
     *
     * @param bArr encoded extendedKeyUsage extension value
     * @return a new set with the identifier string of every key purpose
     */
    private static Set<String> getExtKeyUsage(byte[] bArr) {
        KeyPurposeId[] purposes = ExtendedKeyUsage.getInstance(bArr).getUsages();
        Set<String> purposeIds = new HashSet<>();
        for (int idx = 0; idx < purposes.length; idx++) {
            purposeIds.add(purposes[idx].getId());
        }
        return purposeIds;
    }

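    /**
     * Checks the access locations of one access method in an authorityInfoAccess extension
     * against the expected URIs and appends a message to {@code sb} for each mismatch.
     *
     * <p>The number of access descriptions for the method must equal the number of expected URIs;
     * otherwise only that mismatch is reported. Every location must be a
     * uniformResourceIdentifier, and the resulting URI strings are compared with the expected
     * ones by exact string equality in both directions.
     *
     * @param sb buffer collecting the failure messages
     * @param authorityInformationAccess decoded extension value
     * @param aSN1ObjectIdentifier access method to check
     * @param set expected URIs for that access method; must not be {@code null}
     */
    private static void checkAia(StringBuilder sb, AuthorityInformationAccess authorityInformationAccess, ASN1ObjectIdentifier aSN1ObjectIdentifier, Set<String> set) {
        String methodLabel;
        if (X509ObjectIdentifiers.id_ad_ocsp.equals(aSN1ObjectIdentifier)) {
            methodLabel = "OCSP";
        } else if (X509ObjectIdentifiers.id_ad_caIssuers.equals(aSN1ObjectIdentifier)) {
            methodLabel = "caIssuer";
        } else {
            methodLabel = aSN1ObjectIdentifier.getId();
        }

        List<AccessDescription> matching = new ArrayList<>();
        for (AccessDescription description : authorityInformationAccess.getAccessDescriptions()) {
            if (aSN1ObjectIdentifier.equals(description.getAccessMethod())) {
                matching.add(description);
            }
        }
        int actualCount = matching.size();
        if (actualCount != set.size()) {
            addViolation(sb, "number of AIA " + methodLabel + " URIs", Integer.valueOf(actualCount), Integer.valueOf(set.size()));
            return;
        }

        Set<String> actualUris = new HashSet<>();
        for (AccessDescription description : matching) {
            GeneralName location = description.getAccessLocation();
            if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
                addViolation(sb, "tag of accessLocation of AIA ", Integer.valueOf(location.getTagNo()), GeneralName.uniformResourceIdentifier);
            } else {
                // getName() is declared as ASN1Encodable; the string is read through ASN1String.
                actualUris.add(((ASN1String) location.getName()).getString());
            }
        }

        Set<String> unexpected = strInBnotInA(set, actualUris);
        if (CollectionUtil.isNonEmpty(unexpected)) {
            sb.append(methodLabel).append(" URIs ").append(unexpected.toString());
            sb.append(" are present but not expected; ");
        }
        Set<String> missing = strInBnotInA(actualUris, set);
        if (CollectionUtil.isNonEmpty(missing)) {
            sb.append(methodLabel).append(" URIs ").append(missing.toString());
            sb.append(" are absent but are required; ");
        }
    }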

    /**
     * Appends a message of the form {@code <field> is '<actual>' but expected '<expected>';}.
     *
     * @param sb buffer the message is appended to
     * @param str name of the field that differs
     * @param obj value that was found
     * @param obj2 value that was expected
     */
    private static void addViolation(StringBuilder sb, String str, Object obj, Object obj2) {
        sb.append(str)
                .append(" is '")
                .append(obj)
                .append("' but expected '")
                .append(obj2)
                .append("';");
    }
}
