package tt;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.bouncycastle.cert.X509CertificateHolder;

/* loaded from: classes4.dex */
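/**
 * Key-usage gate for X.509 certificates that are about to be accepted as TLS server
 * certificates.
 *
 * <p>The identifiers {@code yn4}, {@code m05}, {@code xz2} and {@code zz4} are obfuscated
 * decompiler output. Judging by the error messages and bit values used below, {@code m05} and
 * {@code xz2} presumably wrap the KeyUsage and ExtendedKeyUsage extensions and {@code zz4}
 * holds key-purpose identifiers; confirm against the un-obfuscated library before relying on
 * this.
 */
public class yn4 {
    // Key-usage bit masks passed to m05.l(int). The names follow the error messages thrown
    // below; the numeric values match BouncyCastle's KeyUsage constants (assumed, since m05 is
    // an obfuscated type).
    private static final int KEY_CERT_SIGN = 4;
    private static final int DIGITAL_SIGNATURE = 128;
    private static final int KEY_ENCIPHERMENT = 32;

    /**
     * Rejects a certificate whose key-usage extensions do not fit a server certificate.
     *
     * <p>Checks performed, in order:
     * <ol>
     *   <li>If a key-usage value is present, it must not assert keyCertSign (a CA signing key
     *       must not double as a server key) and must assert digitalSignature or
     *       keyEncipherment.</li>
     *   <li>If an extended-key-usage value is present, it must list at least one of the three
     *       purposes {@code zz4.d}, {@code zz4.B}, {@code zz4.C} (serverAuth, msSGC, nsSGC
     *       according to the error message).</li>
     * </ol>
     * A certificate carrying neither extension passes unchanged.
     *
     * <p>This is a usage check only. Nothing here builds or verifies a chain to a trust
     * anchor, checks the validity period, matches a host name, or consults revocation data,
     * so it must run in addition to path validation, never in place of it.
     *
     * @param x509Certificate the certificate to inspect; a {@code null} argument surfaces as
     *     a {@link CertificateException} wrapping the {@link NullPointerException}
     * @throws CertificateException if a usage rule is violated, or if the certificate cannot
     *     be encoded or parsed (the underlying failure is kept as the cause)
     */
    // The checked exception is declared explicitly: the body throws CertificateException, and
    // without the clause (apparently lost in decompilation) the method does not compile.
    public static void a(X509Certificate x509Certificate) throws CertificateException {
        try {
            X509CertificateHolder holder = new X509CertificateHolder(x509Certificate.getEncoded());

            m05 keyUsage = m05.h(holder.getExtensions());
            if (keyUsage != null) {
                if (keyUsage.l(KEY_CERT_SIGN)) {
                    throw new CertificateException("Key usage must not contain keyCertSign");
                }
                if (!keyUsage.l(DIGITAL_SIGNATURE) && !keyUsage.l(KEY_ENCIPHERMENT)) {
                    throw new CertificateException("Key usage must be none, digitalSignature or keyEncipherment");
                }
            }

            xz2 extendedKeyUsage = xz2.h(holder.getExtensions());
            if (extendedKeyUsage != null
                    && !extendedKeyUsage.l(zz4.d)
                    && !extendedKeyUsage.l(zz4.B)
                    && !extendedKeyUsage.l(zz4.C)) {
                throw new CertificateException("Certificate extended key usage must include serverAuth, msSGC or nsSGC");
            }
        } catch (CertificateException e) {
            // Pass policy and encoding failures through untouched so they are not wrapped a
            // second time by the generic handler below.
            throw e;
        } catch (Exception e) {
            // Anything else (parse errors, NullPointerException, ...) is reported as a
            // certificate failure so callers fail closed on a single exception type.
            throw new CertificateException(e.getMessage(), e);
        }
    }
}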
