package org.bouncycastle.jsse.provider;

import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jsse.BCX509ExtendedTrustManager;
import org.bouncycastle.jsse.java.security.BCAlgorithmConstraints;
import org.bouncycastle.tls.TlsUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
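/**
 * Adapts a plain {@link X509TrustManager} to {@link BCX509ExtendedTrustManager}.
 *
 * <p>Every {@code check*Trusted} call is a two-stage decision, and both stages must pass:
 * <ol>
 *   <li>the wrapped trust manager validates a defensive copy of the chain;</li>
 *   <li>{@link #checkAdditionalTrust} then runs {@code ProvAlgorithmChecker.checkChain} and
 *       {@code ProvX509TrustManager.checkExtendedTrust} on the chain the caller supplied.</li>
 * </ol>
 * Either stage rejects the peer by throwing {@link CertificateException}; nothing here turns a
 * failure into success.
 *
 * <p>This listing is decompiler output: the fields and {@link #checkAdditionalTrust} are public
 * here, which may not match the visibility in the original library.
 */
public class ImportX509TrustManager_5 extends BCX509ExtendedTrustManager implements ImportX509TrustManager {
    // Passed through to ProvAlgorithmChecker.checkChain.
    public final JcaJceHelper helper;
    // Passed through to ProvAlgorithmChecker.checkChain as its first argument.
    public final boolean isInFipsMode;
    // The wrapped trust manager; it decides first, the additional checks run only if it accepts.
    public final X509TrustManager x509TrustManager;

    /**
     * @param z                FIPS-mode flag stored in {@link #isInFipsMode}
     * @param jcaJceHelper     helper stored in {@link #helper}
     * @param x509TrustManager delegate that performs the first trust decision
     */
    public ImportX509TrustManager_5(boolean z, JcaJceHelper jcaJceHelper, X509TrustManager x509TrustManager) {
        this.isInFipsMode = z;
        this.helper = jcaJceHelper;
        this.x509TrustManager = x509TrustManager;
    }

    /**
     * Returns a shallow copy of the chain for handing to the delegate.
     *
     * <p>The delegate only ever sees this copy, so whatever it does to its array cannot change
     * the array that the additional checks examine afterwards.
     *
     * @param x509CertificateArr the peer's certificate chain
     * @return a new array holding the same certificate objects
     * @throws IllegalArgumentException if the chain is null or empty
     */
    public static X509Certificate[] copyChain(X509Certificate[] x509CertificateArr) {
        if (TlsUtils.isNullOrEmpty(x509CertificateArr)) {
            throw new IllegalArgumentException("'chain' must be a chain of at least one certificate");
        }
        return x509CertificateArr.clone();
    }

    /** Collects the delegate's accepted issuers into an unmodifiable set, skipping null entries. */
    private Set<X509Certificate> getTrustedCerts() {
        X509Certificate[] acceptedIssuers = getAcceptedIssuers();
        if (TlsUtils.isNullOrEmpty(acceptedIssuers)) {
            return Collections.emptySet();
        }
        Set<X509Certificate> trusted = new HashSet<X509Certificate>();
        for (X509Certificate issuer : acceptedIssuers) {
            if (issuer != null) {
                trusted.add(issuer);
            }
        }
        return Collections.unmodifiableSet(trusted);
    }

    /**
     * Chooses the extended-key-usage OID required of the peer certificate.
     *
     * <p>When {@code ProvX509TrustManager.provTrustManagerCheckEKU} is false, null is passed on
     * instead of an OID (presumably this disables the EKU check in checkChain; confirm there).
     */
    private static KeyPurposeId getRequiredExtendedKeyUsage(boolean checkServerTrusted) {
        if (!ProvX509TrustManager.provTrustManagerCheckEKU) {
            return null;
        }
        return checkServerTrusted ? KeyPurposeId.id_kp_serverAuth : KeyPurposeId.id_kp_clientAuth;
    }

    /**
     * Runs the checks that follow the delegate's decision: the algorithm-constraint / key-usage
     * check over the chain, then {@code ProvX509TrustManager.checkExtendedTrust}.
     *
     * @param x509CertificateArr the peer's certificate chain
     * @param str                the authType string, forwarded to getRequiredKeyUsage
     * @param transportData      socket/engine context, or null when the caller has none
     * @param z                  true when validating a server chain, false for a client chain
     * @throws CertificateException if either check rejects the chain
     */
    public final void checkAdditionalTrust(X509Certificate[] x509CertificateArr, String str, TransportData transportData, boolean z) throws CertificateException {
        BCAlgorithmConstraints algorithmConstraints = TransportData.getAlgorithmConstraints(transportData, false);
        Set<X509Certificate> trustedCerts = getTrustedCerts();
        try {
            ProvAlgorithmChecker.checkChain(this.isInFipsMode, this.helper, algorithmConstraints, trustedCerts, x509CertificateArr, getRequiredExtendedKeyUsage(z), ProvX509TrustManager.getRequiredKeyUsage(str, z));
        } catch (GeneralSecurityException e) {
            throw new CertificateException("Certificates do not conform to algorithm constraints", e);
        }
        // Deliberately outside the try: CertificateException is itself a GeneralSecurityException,
        // so inside it a failure raised by checkExtendedTrust would be re-wrapped and reported as
        // an algorithm-constraint problem, hiding the real reason for the rejection.
        ProvX509TrustManager.checkExtendedTrust(x509CertificateArr, transportData, z);
    }

    /**
     * Validates a client chain without transport context: null TransportData is handed to the
     * additional checks (what checkExtendedTrust skips in that case is not visible here).
     */
    @Override // javax.net.ssl.X509TrustManager
    public final void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.x509TrustManager.checkClientTrusted(copyChain(x509CertificateArr), str);
        checkAdditionalTrust(x509CertificateArr, str, null, false);
    }

    // NOTE(review): no authType parameter here and "TLS-client-auth" is hard-coded, although the
    // marker below names BCX509ExtendedTrustManager; this looks like the optimised/decompiled
    // form of a (chain, authType, Socket) overload. Confirm against the original library.
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void checkClientTrusted(X509Certificate[] x509CertificateArr, Socket socket) throws CertificateException {
        this.x509TrustManager.checkClientTrusted(copyChain(x509CertificateArr), "TLS-client-auth");
        checkAdditionalTrust(x509CertificateArr, "TLS-client-auth", TransportData.from(socket), false);
    }

    // NOTE(review): same hard-coded "TLS-client-auth" as the Socket variant above; confirm.
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void checkClientTrusted(X509Certificate[] x509CertificateArr, SSLEngine sSLEngine) throws CertificateException {
        this.x509TrustManager.checkClientTrusted(copyChain(x509CertificateArr), "TLS-client-auth");
        checkAdditionalTrust(x509CertificateArr, "TLS-client-auth", TransportData.from(sSLEngine), false);
    }

    /**
     * Validates a server chain without transport context: null TransportData is handed to the
     * additional checks (what checkExtendedTrust skips in that case is not visible here).
     */
    @Override // javax.net.ssl.X509TrustManager
    public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.x509TrustManager.checkServerTrusted(copyChain(x509CertificateArr), str);
        checkAdditionalTrust(x509CertificateArr, str, null, true);
    }

    /** Validates a server chain; the socket supplies the context for the additional checks. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.x509TrustManager.checkServerTrusted(copyChain(x509CertificateArr), str);
        checkAdditionalTrust(x509CertificateArr, str, TransportData.from(socket), true);
    }

    /** Validates a server chain; the engine supplies the context for the additional checks. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        this.x509TrustManager.checkServerTrusted(copyChain(x509CertificateArr), str);
        checkAdditionalTrust(x509CertificateArr, str, TransportData.from(sSLEngine), true);
    }

    /** Returns the delegate's accepted issuers unchanged (may be null or contain nulls). */
    @Override // javax.net.ssl.X509TrustManager
    public final X509Certificate[] getAcceptedIssuers() {
        return this.x509TrustManager.getAcceptedIssuers();
    }

    /**
     * Returns the wrapped trust manager. Calling it directly bypasses the additional checks
     * performed by this adapter.
     */
    @Override // org.bouncycastle.jsse.provider.ImportX509TrustManager
    public final X509TrustManager unwrap() {
        return this.x509TrustManager;
    }
}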
