package org.jsslutils.extra.gsi;

import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.Set;
import java.util.Vector;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.X509Principal;
import org.jsslutils.sslcontext.X509TrustManagerWrapper;

/* loaded from: input_file:org/jsslutils/extra/gsi/GsiWrappingTrustManager.class */
public class GsiWrappingTrustManager implements X509TrustManager {
    public static final String PRERFC_EXTENSION_OID_STRING = "1.3.6.1.4.1.3536.1.222";
    public static final String RFC3820_EXTENSION_OID_STRING = "1.3.6.1.5.5.7.1.14";
    public static final String KEY_USAGE_EXTENSION_OID_STRING = "2.5.29.15";
    private final X509TrustManager trustManager;
    private final boolean allowLegacy;
    private final boolean allowPreRfc;
    private final boolean allowRfc3820;

    /* loaded from: input_file:org/jsslutils/extra/gsi/GsiWrappingTrustManager$CertificateCriticalExtensionsNotSupported.class */
    public static class CertificateCriticalExtensionsNotSupported extends CertificateException {
        private static final long serialVersionUID = 1;
        private final Set<String> unsupportedCriticalExtensionOIDs;

        public CertificateCriticalExtensionsNotSupported() {
            this.unsupportedCriticalExtensionOIDs = null;
        }

        public CertificateCriticalExtensionsNotSupported(Set<String> set) {
            this.unsupportedCriticalExtensionOIDs = Collections.unmodifiableSet(set);
        }

        public CertificateCriticalExtensionsNotSupported(String str, Set<String> set) {
            super(str);
            this.unsupportedCriticalExtensionOIDs = Collections.unmodifiableSet(set);
        }

        public CertificateCriticalExtensionsNotSupported(Throwable th, Set<String> set) {
            super(th);
            this.unsupportedCriticalExtensionOIDs = Collections.unmodifiableSet(set);
        }

        public CertificateCriticalExtensionsNotSupported(String str, Throwable th, Set<String> set) {
            super(str, th);
            this.unsupportedCriticalExtensionOIDs = Collections.unmodifiableSet(set);
        }

        public Set<String> getUnsupportedCriticalExtensionOIDs() {
            return this.unsupportedCriticalExtensionOIDs;
        }

        @Override // java.lang.Throwable
        public String toString() {
            return super.toString() + " Unknown extensions: " + getUnsupportedCriticalExtensionOIDs();
        }
    }

    /* loaded from: input_file:org/jsslutils/extra/gsi/GsiWrappingTrustManager$Wrapper.class */
    public static class Wrapper implements X509TrustManagerWrapper {
        private final boolean allowLegacy;
        private final boolean allowPreRfc;
        private final boolean allowRfc3820;

        public Wrapper() {
            this(true, true, true);
        }

        public Wrapper(boolean z, boolean z2, boolean z3) {
            this.allowPreRfc = z2;
            this.allowLegacy = z;
            this.allowRfc3820 = z3;
        }

        public X509TrustManager wrapTrustManager(X509TrustManager x509TrustManager) {
            return new GsiWrappingTrustManager(x509TrustManager, this.allowLegacy, this.allowPreRfc, this.allowRfc3820);
        }
    }

    public GsiWrappingTrustManager(X509TrustManager x509TrustManager, boolean z, boolean z2, boolean z3) {
        this.trustManager = x509TrustManager;
        this.allowPreRfc = z2;
        this.allowLegacy = z;
        this.allowRfc3820 = z3;
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        int length = x509CertificateArr.length - 1;
        while (length >= 0 && x509CertificateArr[length].getBasicConstraints() != -1) {
            length--;
        }
        X509Certificate[] x509CertificateArr2 = new X509Certificate[x509CertificateArr.length - length];
        for (int i = length; i < x509CertificateArr.length; i++) {
            x509CertificateArr2[i - length] = x509CertificateArr[i];
        }
        this.trustManager.checkClientTrusted(x509CertificateArr2, str);
        CertificateException verifyProxyCertificate = verifyProxyCertificate(x509CertificateArr, length, this.allowLegacy, this.allowPreRfc, this.allowRfc3820, null);
        if (verifyProxyCertificate != null) {
            throw verifyProxyCertificate;
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.trustManager.checkServerTrusted(x509CertificateArr, str);
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustManager.getAcceptedIssuers();
    }

    public static CertificateException verifyProxyCertificate(X509Certificate[] x509CertificateArr, int i, Date date) {
        return verifyProxyCertificate(x509CertificateArr, i, true, true, true, date);
    }

    public static CertificateException verifyProxyCertificate(X509Certificate[] x509CertificateArr, int i, boolean z, boolean z2, boolean z3, Date date) {
        if (i <= 0) {
            return null;
        }
        try {
            X509Certificate x509Certificate = x509CertificateArr[0];
            X509Principal x509Principal = new X509Principal(x509Certificate.getSubjectX500Principal().getEncoded());
            Vector oIDs = x509Principal.getOIDs();
            Vector values = x509Principal.getValues();
            int size = oIDs.size();
            if (!((DERObjectIdentifier) oIDs.get(size - 1)).equals(X509Name.CN)) {
                return new CertificateException("Proxy must start with 'CN=', got '" + X509Name.DefaultSymbols.get(oIDs.get(size - 1)) + "=" + ((String) values.get(size - 1)) + "'!");
            }
            String str = (String) values.get(size - 1);
            if ("limited proxy".equals(str) || "proxy".equals(str)) {
                return !z ? new CertificateException("Found what could be at best a legacy proxy certificate, not accepted in this configuration: " + x509Principal) : verifyLegacyProxyCertificate(x509CertificateArr, i, date);
            }
            BigInteger bigInteger = null;
            try {
                bigInteger = new BigInteger(str);
            } catch (NumberFormatException e) {
            }
            if (bigInteger == null) {
                return new CertificateException("Not a Pre-RFC or RFC3820 proxy certificate." + x509Principal);
            }
            Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
            return criticalExtensionOIDs.contains(RFC3820_EXTENSION_OID_STRING) ? !z3 ? new CertificateException("Found what could be at best an RFC3820 certificate, not accepted in this configuration: " + x509Principal) : verifyRfc3820ProxyCertificate(x509CertificateArr, i, date) : criticalExtensionOIDs.contains(PRERFC_EXTENSION_OID_STRING) ? !z2 ? new CertificateException("Found what could be at best a Pre-RFC proxy certificate, not accepted in this configuration: " + x509Principal) : verifyPreRfcProxyCertificate(x509CertificateArr, i, date) : new CertificateException("Couldn't find extension OID is what could be a Pre-RFC or RFC3820 proxy certificate: " + criticalExtensionOIDs);
        } catch (IOException e2) {
            return new CertificateParsingException(e2);
        } catch (ClassCastException e3) {
            return new CertificateParsingException(e3);
        }
    }

    public static CertificateException verifyLegacyProxyCertificate(X509Certificate[] x509CertificateArr, int i, Date date) {
        int i2;
        if (i <= 0) {
            return null;
        }
        try {
            boolean z = false;
            X509Certificate x509Certificate = x509CertificateArr[i];
            X509Principal x509Principal = new X509Principal(x509Certificate.getSubjectX500Principal().getEncoded());
            Vector oIDs = x509Principal.getOIDs();
            Vector values = x509Principal.getValues();
            for (int i3 = i - 1; i3 >= 0; i3--) {
                if (z) {
                    return new CertificateException("Previous proxy is limited!");
                }
                X509Certificate x509Certificate2 = x509Certificate;
                X509Principal x509Principal2 = x509Principal;
                x509Certificate = x509CertificateArr[i3];
                x509Principal = new X509Principal(x509Certificate.getSubjectX500Principal().getEncoded());
                X509Principal x509Principal3 = new X509Principal(x509Certificate.getIssuerX500Principal().getEncoded());
                if (!x509Principal3.equals(x509Principal2)) {
                    return new CertificateException("Issuer's Subject DN doesn't match Issuer DN.");
                }
                Vector vector = oIDs;
                Vector vector2 = values;
                oIDs = x509Principal.getOIDs();
                values = x509Principal.getValues();
                int size = oIDs.size();
                if (!((DERObjectIdentifier) oIDs.get(size - 1)).equals(X509Name.CN)) {
                    return new CertificateException("Proxy must start with 'CN=', got '" + X509Name.DefaultSymbols.get(oIDs.get(size - 1)) + "=" + ((String) values.get(size - 1)) + "'!");
                }
                String str = (String) values.get(size - 1);
                if ("limited proxy".equals(str)) {
                    z = true;
                } else if (!"proxy".equals(str)) {
                    return new CertificateException("Legacy proxy certificate Subject DN must start with 'CN=proxy' or 'CN=limited proxy', got 'CN=" + str + "'!");
                }
                if (vector.size() != oIDs.size() - 1) {
                    return new CertificateException("Subject DN must extend the Issuer DN by one field.");
                }
                for (0; i2 < vector.size(); i2 + 1) {
                    i2 = (((DERObjectIdentifier) vector.get(i2)).equals(oIDs.get(i2)) && ((String) vector2.get(i2)).equals(values.get(i2))) ? i2 + 1 : 0;
                    return new CertificateException("Mismatch in Subject DN extension of Issuer DN.");
                }
                if (date != null) {
                    x509Certificate.checkValidity(date);
                } else {
                    x509Certificate.checkValidity();
                }
                try {
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                } catch (InvalidKeyException e) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e);
                } catch (NoSuchAlgorithmException e2) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e2);
                } catch (NoSuchProviderException e3) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e3);
                } catch (SignatureException e4) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e4);
                }
            }
            return null;
        } catch (IOException e5) {
            return new CertificateParsingException(e5);
        } catch (CertificateException e6) {
            return e6;
        }
    }

    public static CertificateException verifyPreRfcProxyCertificate(X509Certificate[] x509CertificateArr, int i, Date date) {
        int i2;
        if (i <= 0) {
            return null;
        }
        try {
            X509Certificate x509Certificate = x509CertificateArr[i];
            X509Principal x509Principal = new X509Principal(x509Certificate.getSubjectX500Principal().getEncoded());
            Vector oIDs = x509Principal.getOIDs();
            Vector values = x509Principal.getValues();
            for (int i3 = i - 1; i3 >= 0; i3--) {
                X509Certificate x509Certificate2 = x509Certificate;
                X509Principal x509Principal2 = x509Principal;
                x509Certificate = x509CertificateArr[i3];
                x509Principal = new X509Principal(x509Certificate.getSubjectX500Principal().getEncoded());
                X509Principal x509Principal3 = new X509Principal(x509Certificate.getIssuerX500Principal().getEncoded());
                if (date != null) {
                    x509Certificate.checkValidity(date);
                } else {
                    x509Certificate.checkValidity();
                }
                try {
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                    if (!x509Principal3.equals(x509Principal2)) {
                        return new CertificateException("Issuer's Subject DN doesn't match Issuer DN.");
                    }
                    boolean[] keyUsage = x509Certificate2.getKeyUsage();
                    if (keyUsage != null && !keyUsage[0]) {
                        return new CertificateException("Proxy issuer has KeyUsage extension but Digital Signature not set!");
                    }
                    Vector vector = oIDs;
                    Vector vector2 = values;
                    oIDs = x509Principal.getOIDs();
                    values = x509Principal.getValues();
                    int size = oIDs.size();
                    if (!((DERObjectIdentifier) oIDs.get(size - 1)).equals(X509Name.CN)) {
                        return new CertificateException("Proxy must start with 'CN=', got '" + X509Name.DefaultSymbols.get(oIDs.get(size - 1)) + "=" + ((String) values.get(size - 1)) + "'!");
                    }
                    String str = (String) values.get(size - 1);
                    BigInteger bigInteger = null;
                    try {
                        bigInteger = new BigInteger(str);
                    } catch (NumberFormatException e) {
                    }
                    if (bigInteger == null) {
                        return new CertificateException("Pre-RFC proxy certificate must start with 'CN=<some number>', got 'CN=" + str + "'!");
                    }
                    if (vector.size() != oIDs.size() - 1) {
                        return new CertificateException("Subject DN must extend the Issuer DN by one field.");
                    }
                    for (0; i2 < vector.size(); i2 + 1) {
                        i2 = (((DERObjectIdentifier) vector.get(i2)).equals(oIDs.get(i2)) && ((String) vector2.get(i2)).equals(values.get(i2))) ? i2 + 1 : 0;
                        return new CertificateException("Mismatch in Subject DN extension of Issuer DN.");
                    }
                    Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
                    if (criticalExtensionOIDs.contains(KEY_USAGE_EXTENSION_OID_STRING)) {
                        criticalExtensionOIDs.remove(KEY_USAGE_EXTENSION_OID_STRING);
                    }
                    if (!criticalExtensionOIDs.contains(PRERFC_EXTENSION_OID_STRING)) {
                        return new CertificateException("No Pre-RFC ProxyCertInfo extension found in this certificate (must be critical).");
                    }
                    criticalExtensionOIDs.remove(PRERFC_EXTENSION_OID_STRING);
                    ASN1InputStream aSN1InputStream = new ASN1InputStream(x509Certificate.getExtensionValue(PRERFC_EXTENSION_OID_STRING));
                    try {
                        ASN1OctetString readObject = aSN1InputStream.readObject();
                        aSN1InputStream.close();
                        if (!(readObject instanceof ASN1OctetString)) {
                            return new CertificateException("Invalid Pre-RFC ProxyCertInfo extension in this certificate.");
                        }
                        ASN1InputStream aSN1InputStream2 = new ASN1InputStream(readObject.getOctetStream());
                        try {
                            ASN1Sequence readObject2 = aSN1InputStream2.readObject();
                            aSN1InputStream2.close();
                            if (!(readObject2 instanceof ASN1Sequence)) {
                                return new CertificateException("Invalid Pre-RFC ProxyCertInfo extension in this certificate.");
                            }
                            Enumeration objects = readObject2.getObjects();
                            if (!objects.hasMoreElements()) {
                                return new CertificateException("Invalid Pre-RFC ProxyCertInfo extension in this certificate.");
                            }
                            ASN1Object aSN1Object = (ASN1Object) objects.nextElement();
                            if (aSN1Object instanceof ASN1Sequence) {
                                Enumeration objects2 = ((ASN1Sequence) aSN1Object).getObjects();
                                if (objects2.hasMoreElements() && (((ASN1Object) objects2.nextElement()) instanceof DERObjectIdentifier)) {
                                    if ((!objects2.hasMoreElements() || (((ASN1Object) objects2.nextElement()) instanceof DEROctetString)) && !objects2.hasMoreElements()) {
                                        if (objects.hasMoreElements()) {
                                            aSN1Object = (ASN1Object) objects.nextElement();
                                        }
                                    }
                                    return new CertificateException("Invalid Pre-RFC ProxyCertInfo extension in this certificate.");
                                }
                                return new CertificateException("Invalid Pre-RFC ProxyCertInfo extension in this certificate.");
                            }
                            if ((aSN1Object instanceof DERInteger) && ((DERInteger) aSN1Object).getValue().compareTo(BigInteger.valueOf(i3)) < 0) {
                                return new CertificateException("Invalid path length delegation.");
                            }
                            if (objects.hasMoreElements()) {
                                return new CertificateException("Invalid Pre-RFC ProxyCertInfo extension in this certificate.");
                            }
                            if (!criticalExtensionOIDs.isEmpty()) {
                                return new CertificateCriticalExtensionsNotSupported("Unknown critical extensions.", criticalExtensionOIDs);
                            }
                        } catch (Throwable th) {
                            aSN1InputStream2.close();
                            throw th;
                        }
                    } catch (Throwable th2) {
                        aSN1InputStream.close();
                        throw th2;
                    }
                } catch (InvalidKeyException e2) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e2);
                } catch (NoSuchAlgorithmException e3) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e3);
                } catch (NoSuchProviderException e4) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e4);
                } catch (SignatureException e5) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e5);
                }
            }
            return null;
        } catch (IOException e6) {
            return new CertificateParsingException(e6);
        } catch (CertificateException e7) {
            return e7;
        }
    }

    public static CertificateException verifyRfc3820ProxyCertificate(X509Certificate[] x509CertificateArr, int i, Date date) {
        int i2;
        if (i <= 0) {
            return null;
        }
        try {
            X509Certificate x509Certificate = x509CertificateArr[i];
            X509Principal x509Principal = new X509Principal(x509Certificate.getSubjectX500Principal().getEncoded());
            Vector oIDs = x509Principal.getOIDs();
            Vector values = x509Principal.getValues();
            for (int i3 = i - 1; i3 >= 0; i3--) {
                X509Certificate x509Certificate2 = x509Certificate;
                X509Principal x509Principal2 = x509Principal;
                x509Certificate = x509CertificateArr[i3];
                x509Principal = new X509Principal(x509Certificate.getSubjectX500Principal().getEncoded());
                X509Principal x509Principal3 = new X509Principal(x509Certificate.getIssuerX500Principal().getEncoded());
                if (date != null) {
                    x509Certificate.checkValidity(date);
                } else {
                    x509Certificate.checkValidity();
                }
                try {
                    x509Certificate.verify(x509Certificate2.getPublicKey());
                    Vector vector = oIDs;
                    Vector vector2 = values;
                    oIDs = x509Principal.getOIDs();
                    values = x509Principal.getValues();
                    if (vector.size() <= 0) {
                        return new CertificateException("Proxy must not not have empty DN!");
                    }
                    if (!x509Principal3.equals(x509Principal2)) {
                        return new CertificateException("Issuer's Subject DN doesn't match Issuer DN.");
                    }
                    boolean[] keyUsage = x509Certificate2.getKeyUsage();
                    if (keyUsage != null && !keyUsage[0]) {
                        return new CertificateException("Proxy issuer has KeyUsage extension but Digital Signature not set!");
                    }
                    if (x509Certificate.getIssuerAlternativeNames() != null) {
                        return new CertificateException("Proxy cert must not have an issuer alternative name <http://www.apps.ietf.org/rfc/rfc3820.html#sec-3.2>");
                    }
                    int size = oIDs.size();
                    if (!((DERObjectIdentifier) oIDs.get(size - 1)).equals(X509Name.CN)) {
                        return new CertificateException("Proxy must start with 'CN=', got '" + X509Name.DefaultSymbols.get(oIDs.get(size - 1)) + "=" + ((String) values.get(size - 1)) + "'!");
                    }
                    String str = (String) values.get(size - 1);
                    BigInteger bigInteger = null;
                    try {
                        bigInteger = new BigInteger(str);
                    } catch (NumberFormatException e) {
                    }
                    if (bigInteger == null) {
                        return new CertificateException("RFC3820 proxy certificate must start with 'CN=<some number>', got 'CN=" + str + "'!");
                    }
                    if (vector.size() != oIDs.size() - 1) {
                        return new CertificateException("Subject DN must extend the Issuer DN by one field.");
                    }
                    for (0; i2 < vector.size(); i2 + 1) {
                        i2 = (((DERObjectIdentifier) vector.get(i2)).equals(oIDs.get(i2)) && ((String) vector2.get(i2)).equals(values.get(i2))) ? i2 + 1 : 0;
                        return new CertificateException("Mismatch in Subject DN extension of Issuer DN.");
                    }
                    if (x509Certificate.getSubjectAlternativeNames() != null) {
                        return new CertificateException("Proxy cert must not have a subject alternative name <http://www.apps.ietf.org/rfc/rfc3820.html#sec-3.5>");
                    }
                    if (x509Certificate.getBasicConstraints() != -1) {
                        return new CertificateException("Proxy cert must not CA field in basic constraints extension set to true <http://www.apps.ietf.org/rfc/rfc3820.html#sec-3.7>");
                    }
                    Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
                    if (criticalExtensionOIDs.contains(KEY_USAGE_EXTENSION_OID_STRING)) {
                        criticalExtensionOIDs.remove(KEY_USAGE_EXTENSION_OID_STRING);
                    }
                    if (!criticalExtensionOIDs.contains(RFC3820_EXTENSION_OID_STRING)) {
                        return new CertificateException("No RFC3820 ProxyCertInfo extension found in this certificate (must be critical).");
                    }
                    criticalExtensionOIDs.remove(RFC3820_EXTENSION_OID_STRING);
                    ASN1InputStream aSN1InputStream = new ASN1InputStream(x509Certificate.getExtensionValue(RFC3820_EXTENSION_OID_STRING));
                    try {
                        ASN1OctetString readObject = aSN1InputStream.readObject();
                        aSN1InputStream.close();
                        if (!(readObject instanceof ASN1OctetString)) {
                            return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                        }
                        ASN1InputStream aSN1InputStream2 = new ASN1InputStream(readObject.getOctetStream());
                        try {
                            ASN1Sequence readObject2 = aSN1InputStream2.readObject();
                            aSN1InputStream2.close();
                            if (!(readObject2 instanceof ASN1Sequence)) {
                                return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                            }
                            Enumeration objects = readObject2.getObjects();
                            if (!objects.hasMoreElements()) {
                                return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                            }
                            ASN1Object aSN1Object = (ASN1Object) objects.nextElement();
                            if (aSN1Object instanceof DERInteger) {
                                if (((DERInteger) aSN1Object).getValue().compareTo(BigInteger.valueOf(i3)) < 0) {
                                    return new CertificateException("Invalid path length delegation.");
                                }
                                if (!objects.hasMoreElements()) {
                                    return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                                }
                                aSN1Object = (ASN1Object) objects.nextElement();
                            }
                            if (aSN1Object instanceof ASN1Sequence) {
                                Enumeration objects2 = ((ASN1Sequence) aSN1Object).getObjects();
                                if (objects2.hasMoreElements() && (((ASN1Object) objects2.nextElement()) instanceof DERObjectIdentifier)) {
                                    if (objects2.hasMoreElements()) {
                                        if (!(((ASN1Object) objects2.nextElement()) instanceof DEROctetString)) {
                                            return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                                        }
                                    }
                                    if (objects2.hasMoreElements()) {
                                        return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                                    }
                                }
                                return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                            }
                            if (objects.hasMoreElements()) {
                                return new CertificateException("Invalid RFC3820 ProxyCertInfo extension in this certificate.");
                            }
                            if (!criticalExtensionOIDs.isEmpty()) {
                                return new CertificateCriticalExtensionsNotSupported("Unknown critical extensions.", criticalExtensionOIDs);
                            }
                        } catch (Throwable th) {
                            aSN1InputStream2.close();
                            throw th;
                        }
                    } catch (Throwable th2) {
                        aSN1InputStream.close();
                        throw th2;
                    }
                } catch (InvalidKeyException e2) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e2);
                } catch (NoSuchAlgorithmException e3) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e3);
                } catch (NoSuchProviderException e4) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e4);
                } catch (SignatureException e5) {
                    return new CertificateException("Failed to verify certificate '" + x509Principal + "' issued by '" + x509Principal3 + "'.", e5);
                }
            }
            return null;
        } catch (IOException e6) {
            return new CertificateParsingException(e6);
        } catch (CertificateException e7) {
            return e7;
        }
    }
}
