package com.sun.deploy.security;

import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.util.Trace;
import java.io.IOException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import sun.security.validator.PKIXValidator;

/* loaded from: input_file:lib/deploy.jar:com/sun/deploy/security/DeployCertPathChecker.class */
final class DeployCertPathChecker extends PKIXCertPathChecker {
    private int remainingCerts;
    private PKIXValidator pv;
    private static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
    private static final Set extSet = Collections.singleton(OID_NETSCAPE_CERT_TYPE);
    private static final String NSCT_OBJECT_SIGNING_CA = "object_signing_ca";
    private static final String NSCT_SSL_CA = "ssl_ca";
    private static final String NSCT_S_MIME_CA = "s_mime_ca";

    /* JADX INFO: Access modifiers changed from: package-private */
    public DeployCertPathChecker(PKIXValidator pKIXValidator) {
        this.pv = pKIXValidator;
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection collection) throws CertPathValidatorException {
        X509Certificate x509Certificate = (X509Certificate) certificate;
        if (collection != null && !collection.isEmpty()) {
            collection.remove(OID_NETSCAPE_CERT_TYPE);
        }
        this.remainingCerts--;
        if (this.remainingCerts == 0) {
            return;
        }
        try {
            if (x509Certificate.getExtensionValue(OID_BASIC_CONSTRAINTS) == null) {
                if (x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE) == null) {
                    Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.extensionvalue");
                    throw new CertPathValidatorException(ResourceManager.getMessage("trustdecider.check.basicconstraints.extensionvalue"));
                }
                if (!CertUtils.getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING_CA)) {
                    Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.certtypebit");
                    throw new CertPathValidatorException(ResourceManager.getMessage("trustdecider.check.basicconstraints.certtypebit"));
                }
            } else if (x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE) != null && ((CertUtils.getNetscapeCertTypeBit(x509Certificate, NSCT_SSL_CA) || CertUtils.getNetscapeCertTypeBit(x509Certificate, NSCT_S_MIME_CA)) && !CertUtils.getNetscapeCertTypeBit(x509Certificate, NSCT_OBJECT_SIGNING_CA))) {
                Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.bitvalue");
                throw new CertPathValidatorException(ResourceManager.getMessage("trustdecider.check.basicconstraints.bitvalue"));
            }
        } catch (IOException e) {
            throw new CertPathValidatorException();
        } catch (CertificateException e2) {
            throw new CertPathValidatorException();
        }
    }

    @Override // java.security.cert.PKIXCertPathChecker
    public Set getSupportedExtensions() {
        return extSet;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return true;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        this.remainingCerts = this.pv.getCertPathLength();
    }
}
