using System;
using System.Collections;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security.Certificates;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

namespace Org.BouncyCastle.Pkix;

public class PkixCertPathValidator
{
	public virtual PkixCertPathValidatorResult Validate(PkixCertPath certPath, PkixParameters paramsPkix)
	{
		if (paramsPkix.GetTrustAnchors() == null)
		{
			throw new ArgumentException("trustAnchors is null, this is not allowed for certification path validation.", "parameters");
		}
		IList certificates = certPath.Certificates;
		int count = certificates.Count;
		if (certificates.Count == 0)
		{
			throw new PkixCertPathValidatorException("Certification path is empty.", null, certPath, 0);
		}
		ISet initialPolicies = paramsPkix.GetInitialPolicies();
		TrustAnchor trustAnchor;
		try
		{
			trustAnchor = PkixCertPathValidatorUtilities.FindTrustAnchor((X509Certificate)certificates[certificates.Count - 1], paramsPkix.GetTrustAnchors());
			if (trustAnchor == null)
			{
				throw new PkixCertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
			}
			CheckCertificate(trustAnchor.TrustedCert);
		}
		catch (Exception ex)
		{
			throw new PkixCertPathValidatorException(ex.Message, ex.InnerException, certPath, certificates.Count - 1);
		}
		int num = 0;
		IList[] array = new IList[count + 1];
		for (int i = 0; i < array.Length; i++)
		{
			array[i] = Platform.CreateArrayList();
		}
		ISet set = new HashSet();
		set.Add(Rfc3280CertPathUtilities.ANY_POLICY);
		PkixPolicyNode pkixPolicyNode = new PkixPolicyNode(Platform.CreateArrayList(), 0, set, null, new HashSet(), Rfc3280CertPathUtilities.ANY_POLICY, critical: false);
		array[0].Add(pkixPolicyNode);
		PkixNameConstraintValidator nameConstraintValidator = new PkixNameConstraintValidator();
		ISet acceptablePolicies = new HashSet();
		int explicitPolicy = ((!paramsPkix.IsExplicitPolicyRequired) ? (count + 1) : 0);
		int inhibitAnyPolicy = ((!paramsPkix.IsAnyPolicyInhibited) ? (count + 1) : 0);
		int policyMapping = ((!paramsPkix.IsPolicyMappingInhibited) ? (count + 1) : 0);
		X509Certificate x509Certificate = trustAnchor.TrustedCert;
		X509Name workingIssuerName;
		AsymmetricKeyParameter asymmetricKeyParameter;
		try
		{
			if (x509Certificate != null)
			{
				workingIssuerName = x509Certificate.SubjectDN;
				asymmetricKeyParameter = x509Certificate.GetPublicKey();
			}
			else
			{
				workingIssuerName = new X509Name(trustAnchor.CAName);
				asymmetricKeyParameter = trustAnchor.CAPublicKey;
			}
		}
		catch (ArgumentException cause)
		{
			throw new PkixCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", cause, certPath, -1);
		}
		try
		{
			PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
		}
		catch (PkixCertPathValidatorException cause2)
		{
			throw new PkixCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", cause2, certPath, -1);
		}
		int maxPathLength = count;
		X509CertStoreSelector targetCertConstraints = paramsPkix.GetTargetCertConstraints();
		if (targetCertConstraints != null && !targetCertConstraints.Match((X509Certificate)certificates[0]))
		{
			throw new PkixCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
		}
		IList certPathCheckers = paramsPkix.GetCertPathCheckers();
		IEnumerator enumerator = certPathCheckers.GetEnumerator();
		while (enumerator.MoveNext())
		{
			((PkixCertPathChecker)enumerator.Current).Init(forward: false);
		}
		X509Certificate x509Certificate2 = null;
		for (num = certificates.Count - 1; num >= 0; num--)
		{
			int num2 = count - num;
			x509Certificate2 = (X509Certificate)certificates[num];
			try
			{
				CheckCertificate(x509Certificate2);
			}
			catch (Exception ex2)
			{
				throw new PkixCertPathValidatorException(ex2.Message, ex2.InnerException, certPath, num);
			}
			Rfc3280CertPathUtilities.ProcessCertA(certPath, paramsPkix, num, asymmetricKeyParameter, workingIssuerName, x509Certificate);
			Rfc3280CertPathUtilities.ProcessCertBC(certPath, num, nameConstraintValidator);
			pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertD(certPath, num, acceptablePolicies, pkixPolicyNode, array, inhibitAnyPolicy);
			pkixPolicyNode = Rfc3280CertPathUtilities.ProcessCertE(certPath, num, pkixPolicyNode);
			Rfc3280CertPathUtilities.ProcessCertF(certPath, num, pkixPolicyNode, explicitPolicy);
			if (num2 != count)
			{
				if (x509Certificate2 != null && x509Certificate2.Version == 1)
				{
					if (num2 != 1 || !x509Certificate2.Equals(trustAnchor.TrustedCert))
					{
						throw new PkixCertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, num);
					}
				}
				else
				{
					Rfc3280CertPathUtilities.PrepareNextCertA(certPath, num);
					pkixPolicyNode = Rfc3280CertPathUtilities.PrepareCertB(certPath, num, array, pkixPolicyNode, policyMapping);
					Rfc3280CertPathUtilities.PrepareNextCertG(certPath, num, nameConstraintValidator);
					explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertH1(certPath, num, explicitPolicy);
					policyMapping = Rfc3280CertPathUtilities.PrepareNextCertH2(certPath, num, policyMapping);
					inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertH3(certPath, num, inhibitAnyPolicy);
					explicitPolicy = Rfc3280CertPathUtilities.PrepareNextCertI1(certPath, num, explicitPolicy);
					policyMapping = Rfc3280CertPathUtilities.PrepareNextCertI2(certPath, num, policyMapping);
					inhibitAnyPolicy = Rfc3280CertPathUtilities.PrepareNextCertJ(certPath, num, inhibitAnyPolicy);
					Rfc3280CertPathUtilities.PrepareNextCertK(certPath, num);
					maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertL(certPath, num, maxPathLength);
					maxPathLength = Rfc3280CertPathUtilities.PrepareNextCertM(certPath, num, maxPathLength);
					Rfc3280CertPathUtilities.PrepareNextCertN(certPath, num);
					ISet criticalExtensionOids = x509Certificate2.GetCriticalExtensionOids();
					if (criticalExtensionOids != null)
					{
						criticalExtensionOids = new HashSet(criticalExtensionOids);
						criticalExtensionOids.Remove(X509Extensions.KeyUsage.Id);
						criticalExtensionOids.Remove(X509Extensions.CertificatePolicies.Id);
						criticalExtensionOids.Remove(X509Extensions.PolicyMappings.Id);
						criticalExtensionOids.Remove(X509Extensions.InhibitAnyPolicy.Id);
						criticalExtensionOids.Remove(X509Extensions.IssuingDistributionPoint.Id);
						criticalExtensionOids.Remove(X509Extensions.DeltaCrlIndicator.Id);
						criticalExtensionOids.Remove(X509Extensions.PolicyConstraints.Id);
						criticalExtensionOids.Remove(X509Extensions.BasicConstraints.Id);
						criticalExtensionOids.Remove(X509Extensions.SubjectAlternativeName.Id);
						criticalExtensionOids.Remove(X509Extensions.NameConstraints.Id);
					}
					else
					{
						criticalExtensionOids = new HashSet();
					}
					Rfc3280CertPathUtilities.PrepareNextCertO(certPath, num, criticalExtensionOids, certPathCheckers);
					x509Certificate = x509Certificate2;
					workingIssuerName = x509Certificate.SubjectDN;
					try
					{
						asymmetricKeyParameter = PkixCertPathValidatorUtilities.GetNextWorkingKey(certPath.Certificates, num);
					}
					catch (PkixCertPathValidatorException cause3)
					{
						throw new PkixCertPathValidatorException("Next working key could not be retrieved.", cause3, certPath, num);
					}
					PkixCertPathValidatorUtilities.GetAlgorithmIdentifier(asymmetricKeyParameter);
				}
			}
		}
		explicitPolicy = Rfc3280CertPathUtilities.WrapupCertA(explicitPolicy, x509Certificate2);
		explicitPolicy = Rfc3280CertPathUtilities.WrapupCertB(certPath, num + 1, explicitPolicy);
		ISet criticalExtensionOids2 = x509Certificate2.GetCriticalExtensionOids();
		if (criticalExtensionOids2 != null)
		{
			criticalExtensionOids2 = new HashSet(criticalExtensionOids2);
			criticalExtensionOids2.Remove(X509Extensions.KeyUsage.Id);
			criticalExtensionOids2.Remove(X509Extensions.CertificatePolicies.Id);
			criticalExtensionOids2.Remove(X509Extensions.PolicyMappings.Id);
			criticalExtensionOids2.Remove(X509Extensions.InhibitAnyPolicy.Id);
			criticalExtensionOids2.Remove(X509Extensions.IssuingDistributionPoint.Id);
			criticalExtensionOids2.Remove(X509Extensions.DeltaCrlIndicator.Id);
			criticalExtensionOids2.Remove(X509Extensions.PolicyConstraints.Id);
			criticalExtensionOids2.Remove(X509Extensions.BasicConstraints.Id);
			criticalExtensionOids2.Remove(X509Extensions.SubjectAlternativeName.Id);
			criticalExtensionOids2.Remove(X509Extensions.NameConstraints.Id);
			criticalExtensionOids2.Remove(X509Extensions.CrlDistributionPoints.Id);
		}
		else
		{
			criticalExtensionOids2 = new HashSet();
		}
		Rfc3280CertPathUtilities.WrapupCertF(certPath, num + 1, certPathCheckers, criticalExtensionOids2);
		PkixPolicyNode pkixPolicyNode2 = Rfc3280CertPathUtilities.WrapupCertG(certPath, paramsPkix, initialPolicies, num + 1, array, pkixPolicyNode, acceptablePolicies);
		if (explicitPolicy > 0 || pkixPolicyNode2 != null)
		{
			return new PkixCertPathValidatorResult(trustAnchor, pkixPolicyNode2, x509Certificate2.GetPublicKey());
		}
		throw new PkixCertPathValidatorException("Path processing failed on policy.", null, certPath, num);
	}

	internal static void CheckCertificate(X509Certificate cert)
	{
		try
		{
			TbsCertificateStructure.GetInstance(cert.CertificateStructure.TbsCertificate);
		}
		catch (CertificateEncodingException innerException)
		{
			throw new Exception("unable to process TBSCertificate", innerException);
		}
	}
}