package org.bouncycastle.jce.provider;

import defpackage.a2;
import defpackage.ae1;
import defpackage.cc0;
import defpackage.ci9;
import defpackage.cj4;
import defpackage.dgf;
import defpackage.e4c;
import defpackage.ebd;
import defpackage.ewa;
import defpackage.fb0;
import defpackage.g1;
import defpackage.h8c;
import defpackage.hy;
import defpackage.i1;
import defpackage.iwa;
import defpackage.j4c;
import defpackage.jwa;
import defpackage.k1;
import defpackage.k4c;
import defpackage.kp7;
import defpackage.m08;
import defpackage.m1;
import defpackage.m36;
import defpackage.m7;
import defpackage.nlb;
import defpackage.nn0;
import defpackage.o1;
import defpackage.o6;
import defpackage.oz2;
import defpackage.p1;
import defpackage.pqb;
import defpackage.pu7;
import defpackage.pw2;
import defpackage.pzc;
import defpackage.q1;
import defpackage.q7a;
import defpackage.qm;
import defpackage.qs2;
import defpackage.qz2;
import defpackage.r5c;
import defpackage.tc0;
import defpackage.tga;
import defpackage.tx3;
import defpackage.u1;
import defpackage.vga;
import defpackage.y60;
import defpackage.yd1;
import defpackage.yef;
import defpackage.yga;
import defpackage.zd1;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.Extension;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
/**
 * OCSP-based revocation checker. This source is JADX decompiler output with obfuscated
 * identifiers ({@code defpackage.*}); two expressions below are decompiler artefacts that are
 * not valid Java as written, so the code is documented here rather than restructured.
 *
 * <p>{@link #check(Certificate)} resolves a responder URI, takes an OCSP response either from
 * the parent's response map or from {@code OcspCache}, and inspects the single response whose
 * serial number and CertID match the certificate. It returns when that entry carries status
 * tag 0 and throws for any other tag. See the review note at the end of {@code check} for the
 * paths that return without any status having been established.
 */
public class ProvOcspRevocationChecker implements iwa {
    // Neither constant is referenced inside this class as decompiled.
    // Presumably bytes and milliseconds respectively; TODO confirm at the point of use.
    private static final int DEFAULT_OCSP_MAX_RESPONSE_SIZE = 32768;
    private static final int DEFAULT_OCSP_TIMEOUT = 15000;
    // Signature-algorithm identifier -> signature name; raw types come from the decompiler.
    private static final Map oids;
    // Source of MessageDigest, Signature and certificate-factory instances (see the calls on it below).
    private final pu7 helper;
    // Value of the "ocsp.enable" property as read by nlb.b in init/initialize.
    private boolean isEnabledOCSP;
    // Value of the "ocsp.responderURL" property as read by nlb.a in init/initialize; may be null.
    private String ocspURL;
    // Validation parameters; reset to null by init(boolean) and set by initialize(jwa).
    private jwa parameters;
    // Supplies pre-loaded responses, the configured responder URI/certificate and request extensions.
    private final ProvRevocationChecker parent;

    // Populates the identifier -> signature-name table consulted by getSignatureName.
    // The table contains MD2-, MD5- and SHA-1-based names. It only translates identifiers, and
    // validatedOcspResponse passes the resulting name straight to the helper, so rejecting weak
    // response signatures has to happen elsewhere (not visible in this file).
    static {
        HashMap hashMap = new HashMap();
        oids = hashMap;
        hashMap.put(new p1("1.2.840.113549.1.1.5"), "SHA1WITHRSA");
        hashMap.put(ewa.G0, "SHA224WITHRSA");
        hashMap.put(ewa.D0, "SHA256WITHRSA");
        hashMap.put(ewa.E0, "SHA384WITHRSA");
        hashMap.put(ewa.F0, "SHA512WITHRSA");
        hashMap.put(pw2.m, "GOST3411WITHGOST3410");
        hashMap.put(pw2.n, "GOST3411WITHECGOST3410");
        hashMap.put(h8c.g, "GOST3411-2012-256WITHECGOST3410-2012-256");
        hashMap.put(h8c.h, "GOST3411-2012-512WITHECGOST3410-2012-512");
        hashMap.put(cc0.f3021a, "SHA1WITHPLAIN-ECDSA");
        hashMap.put(cc0.b, "SHA224WITHPLAIN-ECDSA");
        hashMap.put(cc0.c, "SHA256WITHPLAIN-ECDSA");
        hashMap.put(cc0.f3022d, "SHA384WITHPLAIN-ECDSA");
        hashMap.put(cc0.e, "SHA512WITHPLAIN-ECDSA");
        hashMap.put(cc0.f, "RIPEMD160WITHPLAIN-ECDSA");
        hashMap.put(tx3.f20878a, "SHA1WITHCVC-ECDSA");
        hashMap.put(tx3.b, "SHA224WITHCVC-ECDSA");
        hashMap.put(tx3.c, "SHA256WITHCVC-ECDSA");
        hashMap.put(tx3.f20879d, "SHA384WITHCVC-ECDSA");
        hashMap.put(tx3.e, "SHA512WITHCVC-ECDSA");
        hashMap.put(kp7.f16036a, "XMSS");
        hashMap.put(kp7.b, "XMSSMT");
        hashMap.put(new p1("1.2.840.113549.1.1.4"), "MD5WITHRSA");
        hashMap.put(new p1("1.2.840.113549.1.1.2"), "MD2WITHRSA");
        hashMap.put(new p1("1.2.840.10040.4.3"), "SHA1WITHDSA");
        hashMap.put(dgf.P1, "SHA1WITHECDSA");
        hashMap.put(dgf.S1, "SHA224WITHECDSA");
        hashMap.put(dgf.T1, "SHA256WITHECDSA");
        hashMap.put(dgf.U1, "SHA384WITHECDSA");
        hashMap.put(dgf.V1, "SHA512WITHECDSA");
        hashMap.put(yga.h, "SHA1WITHRSA");
        hashMap.put(yga.g, "SHA1WITHDSA");
        hashMap.put(q7a.P, "SHA224WITHDSA");
        hashMap.put(q7a.Q, "SHA256WITHDSA");
    }

    /**
     * Creates a checker bound to its owning revocation checker and a provider helper.
     *
     * @param provRevocationChecker parent queried in {@code check} for responses, responder
     *                              URI/certificate and OCSP extensions
     * @param pu7Var                helper used to obtain digests, signatures and certificate factories
     */
    public ProvOcspRevocationChecker(ProvRevocationChecker provRevocationChecker, pu7 pu7Var) {
        this.parent = provRevocationChecker;
        this.helper = pu7Var;
    }

    /**
     * Digests key material taken from the encoded public key.
     *
     * @param messageDigest digest to apply
     * @param publicKey     key whose encoding is parsed with {@code ebd.h}
     * @return the digest of {@code f12851d.r()} of the parsed key; presumably the raw key bits of
     *         the SubjectPublicKeyInfo, TODO confirm against {@code ebd}
     */
    private static byte[] calcKeyHash(MessageDigest messageDigest, PublicKey publicKey) {
        return messageDigest.digest(ebd.h(publicKey.getEncoded()).f12851d.r());
    }

    /**
     * Builds a CertID for a serial number using the digest named by the given algorithm identifier.
     *
     * @param qmVar  algorithm identifier; its {@code c} field selects the digest through {@code ci9.a}
     * @param ae1Var certificate structure supplying the two hashed values (in {@code check} this is
     *               the result of {@code extractCert()})
     * @param m1Var  serial number placed in the CertID
     * @return the new CertID
     * @throws CertPathValidatorException wrapping any exception raised while hashing or encoding
     */
    private yd1 createCertID(qm qmVar, ae1 ae1Var, m1 m1Var) throws CertPathValidatorException {
        try {
            MessageDigest a2 = this.helper.a(ci9.a(qmVar.c));
            // Two hashes from the same digest instance: the DER encoding of field j and the bytes of
            // field k. Presumably the issuer name hash and issuer key hash; TODO confirm field mapping.
            return new yd1(qmVar, new qz2(a2.digest(ae1Var.f1376d.j.c("DER"))), new qz2(a2.digest(ae1Var.f1376d.k.f12851d.r())), m1Var);
        } catch (Exception e) {
            throw new CertPathValidatorException("problem creating ID: " + e, e);
        }
    }

    /**
     * Builds a CertID with the same algorithm identifier as an existing one.
     *
     * @param yd1Var CertID whose algorithm identifier ({@code c}) is reused
     * @param ae1Var certificate structure supplying the hashed values
     * @param m1Var  serial number placed in the CertID
     * @return the new CertID
     * @throws CertPathValidatorException if the three-argument overload fails
     */
    private yd1 createCertID(yd1 yd1Var, ae1 ae1Var, m1 m1Var) throws CertPathValidatorException {
        return createCertID(yd1Var.c, ae1Var, m1Var);
    }

    /**
     * Parses the certificate held in {@code parameters.e} into its ASN.1 structure.
     *
     * @return the parsed certificate structure
     * @throws CertPathValidatorException if encoding or parsing fails; carries the path and index
     *                                    taken from {@code parameters.c} / {@code parameters.f15621d}
     */
    private ae1 extractCert() throws CertPathValidatorException {
        try {
            return ae1.h(this.parameters.e.getEncoded());
        } catch (Exception e) {
            // m7.c / qs2.e are obfuscated helpers; presumably they append the exception text to the prefix.
            String c = m7.c(e, qs2.e("cannot process signing cert: "));
            jwa jwaVar = this.parameters;
            throw new CertPathValidatorException(c, e, jwaVar.c, jwaVar.f15621d);
        }
    }

    /**
     * Returns the digest name for an identifier with its first hyphen removed, except for names
     * starting with "SHA3", which are returned unchanged.
     *
     * @param p1Var digest algorithm identifier
     * @return the name from {@code ci9.a}, possibly with one hyphen removed
     */
    private static String getDigestName(p1 p1Var) {
        String a2 = ci9.a(p1Var);
        // 45 is '-'; a hyphen at index 0 is left alone.
        int indexOf = a2.indexOf(45);
        if (indexOf > 0 && !a2.startsWith("SHA3")) {
            a2 = a2.substring(0, indexOf) + a2.substring(indexOf + 1);
        }
        return a2;
    }

    /**
     * Extracts an OCSP responder URI from a certificate extension.
     *
     * <p>The URI is read from the certificate being checked and is not filtered by scheme or host
     * in this method; any restriction on where a request may be sent has to be applied where the
     * request is made (not visible in this file).
     *
     * @param x509Certificate certificate to inspect
     * @return the first entry that parses as a URI, or {@code null} if the extension is absent or
     *         holds no usable entry
     */
    /* JADX WARN: Multi-variable type inference failed */
    public static URI getOcspResponderURI(X509Certificate x509Certificate) {
        // cj4.x.c is the extension identifier string; presumably Authority Information Access, TODO confirm.
        byte[] extensionValue = x509Certificate.getExtensionValue(cj4.x.c);
        if (extensionValue == null) {
            return null;
        }
        byte[] bArr = q1.s(extensionValue).c;
        // Decompiler artefact: a byte[] is tested with instanceof and compared with 0, which is not
        // valid Java. The visible intent is to parse bArr into a y60 and read its entry array.
        o6[] o6VarArr = (bArr instanceof y60 ? (y60) bArr : bArr != 0 ? new y60(u1.s(bArr)) : null).c;
        int length = o6VarArr.length;
        o6[] o6VarArr2 = new o6[length];
        // Iterate over a copy of the entry array.
        System.arraycopy(o6VarArr, 0, o6VarArr2, 0, o6VarArr.length);
        for (int i = 0; i != length; i++) {
            o6 o6Var = o6VarArr2[i];
            // Only entries whose identifier matches o6.e are considered (presumably the OCSP access method).
            if (o6.e.l(o6Var.c)) {
                m36 m36Var = o6Var.f17832d;
                // Tag 6 is presumably the URI choice of GeneralName; TODO confirm against m36.
                if (m36Var.f16773d == 6) {
                    try {
                        return new URI(((a2) m36Var.c).g());
                    } catch (URISyntaxException unused) {
                        // A malformed entry is skipped; later entries are still tried.
                        continue;
                    }
                } else {
                    continue;
                }
            }
        }
        return null;
    }

    /**
     * Maps a signature algorithm identifier to the name passed to {@code createSignature}.
     *
     * @param qmVar signature algorithm identifier taken from the response
     * @return a digest-derived "...WITHRSAANDMGF1" name for the {@code ewa.C0} case with parameters
     *         present, otherwise the {@code oids} table entry, otherwise the identifier's own string
     */
    private static String getSignatureName(qm qmVar) {
        g1 g1Var = qmVar.f19173d;
        // Parameters present, not equal to oz2.c (presumably ASN.1 NULL), and algorithm ewa.C0
        // (presumably RSASSA-PSS): derive the name from the digest carried in the parameters.
        if (g1Var != null && !oz2.c.k(g1Var) && qmVar.c.l(ewa.C0)) {
            return tc0.b(new StringBuilder(), getDigestName(pqb.h(g1Var).c.c), "WITHRSAANDMGF1");
        }
        Map map = oids;
        // Unknown identifiers fall back to their string form in field c.
        return map.containsKey(qmVar.c) ? (String) map.get(qmVar.c) : qmVar.c.c;
    }

    /**
     * Chooses which of two locally held certificates the response's responder ID refers to.
     *
     * @param nn0Var           parsed basic OCSP response
     * @param x509Certificate  fallback candidate ({@code parameters.e} at the only call site)
     * @param x509Certificate2 preferred candidate (the configured responder certificate at the only
     *                         call site); tried first
     * @param pu7Var           helper used to obtain the "SHA1" digest
     * @return the matching certificate, or {@code null} when neither candidate matches
     * @throws NoSuchProviderException  declared for the helper's digest lookup
     * @throws NoSuchAlgorithmException declared for the helper's digest lookup
     */
    private static X509Certificate getSignerCert(nn0 nn0Var, X509Certificate x509Certificate, X509Certificate x509Certificate2, pu7 pu7Var) throws NoSuchProviderException, NoSuchAlgorithmException {
        o1 o1Var = nn0Var.c.e.c;
        // A q1 value (presumably an OCTET STRING) is treated as a key hash; anything else as a name.
        byte[] bArr = o1Var instanceof q1 ? ((q1) o1Var).c : null;
        if (bArr != null) {
            // The key-hash form of the responder ID is compared using a SHA-1 digest of each candidate key.
            MessageDigest a2 = pu7Var.a("SHA1");
            if (x509Certificate2 != null && Arrays.equals(bArr, calcKeyHash(a2, x509Certificate2.getPublicKey()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && Arrays.equals(bArr, calcKeyHash(a2, x509Certificate.getPublicKey()))) {
                return x509Certificate;
            }
        } else {
            // Name form: both sides are rebuilt through yef.h with the fb0.h style before equals().
            fb0 fb0Var = fb0.h;
            yef h = yef.h(fb0Var, o1Var instanceof q1 ? null : yef.i(o1Var));
            if (x509Certificate2 != null && h.equals(yef.h(fb0Var, x509Certificate2.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && h.equals(yef.h(fb0Var, x509Certificate.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate;
            }
        }
        return null;
    }

    /**
     * Tests whether a certificate corresponds to the response's responder ID.
     *
     * @param e4cVar          responder ID from the response
     * @param x509Certificate certificate to compare
     * @param pu7Var          helper used to obtain the "SHA1" digest
     * @return {@code true} if the key hash (q1 form) or the subject name (other form) matches
     * @throws NoSuchProviderException  declared for the helper's digest lookup
     * @throws NoSuchAlgorithmException declared for the helper's digest lookup
     */
    private static boolean responderMatches(e4c e4cVar, X509Certificate x509Certificate, pu7 pu7Var) throws NoSuchProviderException, NoSuchAlgorithmException {
        o1 o1Var = e4cVar.c;
        yef yefVar = null;
        byte[] bArr = o1Var instanceof q1 ? ((q1) o1Var).c : null;
        if (bArr != null) {
            return Arrays.equals(bArr, calcKeyHash(pu7Var.a("SHA1"), x509Certificate.getPublicKey()));
        }
        fb0 fb0Var = fb0.h;
        if (!(o1Var instanceof q1)) {
            yefVar = yef.i(o1Var);
        }
        return yef.h(fb0Var, yefVar).equals(yef.h(fb0Var, x509Certificate.getSubjectX500Principal().getEncoded()));
    }

    /**
     * Verifies the signature on a basic OCSP response and, when a nonce was sent, that the
     * response echoes it.
     *
     * <p>The verification key comes from a locally held certificate when the responder ID matches
     * one (see {@code getSignerCert}); otherwise from the first certificate embedded in the
     * response, after the checks annotated below.
     *
     * @param nn0Var          parsed basic OCSP response
     * @param jwaVar          validation parameters (certificate in {@code e}, date in {@code b},
     *                        path and index in {@code c} / {@code f15621d})
     * @param bArr            expected nonce, or {@code null} to skip the nonce comparison
     * @param x509Certificate configured responder certificate, may be {@code null}
     * @param pu7Var          helper used to obtain signature, digest and certificate factory
     * @return {@code true} if the signature verifies (and the nonce, when given, matches);
     *         {@code false} if the signature does not verify
     * @throws CertPathValidatorException if no signer can be determined, an embedded responder
     *                                    certificate fails a check, the nonce differs, or an
     *                                    I/O or security exception occurs
     */
    public static boolean validatedOcspResponse(nn0 nn0Var, jwa jwaVar, byte[] bArr, X509Certificate x509Certificate, pu7 pu7Var) throws CertPathValidatorException {
        try {
            // Certificates embedded in the response; null when none were sent.
            u1 u1Var = nn0Var.f;
            Signature createSignature = pu7Var.createSignature(getSignatureName(nn0Var.f17563d));
            X509Certificate signerCert = getSignerCert(nn0Var, jwaVar.e, x509Certificate, pu7Var);
            if (signerCert == null && u1Var == null) {
                throw new CertPathValidatorException("OCSP responder certificate not found");
            }
            if (signerCert != null) {
                // Locally held certificate: its key is used directly; no validity or key-usage
                // check is applied on this path.
                createSignature.initVerify(signerCert.getPublicKey());
            } else {
                // Only the first embedded certificate is considered as the delegated responder.
                X509Certificate x509Certificate2 = (X509Certificate) pu7Var.d("X.509").generateCertificate(new ByteArrayInputStream(u1Var.t(0).f().getEncoded()));
                // It must be signed by the key of jwaVar.e and be valid at the validation date.
                x509Certificate2.verify(jwaVar.e.getPublicKey());
                x509Certificate2.checkValidity(new Date(jwaVar.b.getTime()));
                if (!responderMatches(nn0Var.c.e, x509Certificate2, pu7Var)) {
                    throw new CertPathValidatorException("responder certificate does not match responderID", null, jwaVar.c, jwaVar.f15621d);
                }
                // The extended key usage list must contain m08.f16722d (presumably OCSP signing).
                List<String> extendedKeyUsage = x509Certificate2.getExtendedKeyUsage();
                if (extendedKeyUsage == null || !extendedKeyUsage.contains(m08.f16722d.c.c)) {
                    throw new CertPathValidatorException("responder certificate not valid for signing OCSP responses", null, jwaVar.c, jwaVar.f15621d);
                }
                // NOTE(review): no revocation check of the delegated responder certificate is
                // visible in this method; confirm whether that is handled elsewhere.
                createSignature.initVerify(x509Certificate2);
            }
            // The signature is checked over the DER encoding of the response's field c.
            createSignature.update(nn0Var.c.c("DER"));
            if (!createSignature.verify(nn0Var.e.r())) {
                return false;
            }
            // NOTE(review): the extension lookup chain is dereferenced without null checks. If a
            // response carries no extensions or no tga.b entry, this presumably raises a
            // NullPointerException, which none of the catch clauses below handle. In check() it is
            // caught by the generic handler, but other callers of this public method would see the
            // raw exception.
            if (bArr != null && !Arrays.equals(bArr, nn0Var.c.h.h(tga.b).e.c)) {
                throw new CertPathValidatorException("nonce mismatch in OCSP response", null, jwaVar.c, jwaVar.f15621d);
            }
            return true;
        } catch (IOException e) {
            throw new CertPathValidatorException(hy.c(e, qs2.e("OCSP response failure: ")), e, jwaVar.c, jwaVar.f15621d);
        } catch (CertPathValidatorException e2) {
            // Re-thrown unchanged so the GeneralSecurityException handler below does not re-wrap it.
            throw e2;
        } catch (GeneralSecurityException e3) {
            StringBuilder e4 = qs2.e("OCSP response failure: ");
            e4.append(e3.getMessage());
            throw new CertPathValidatorException(e4.toString(), e3, jwaVar.c, jwaVar.f15621d);
        }
    }

    /**
     * Checks the revocation status of one certificate through OCSP.
     *
     * <p>Responder URI precedence: the parent's configured responder, then the
     * "ocsp.responderURL" property, then the URI read from the certificate itself.
     *
     * @param certificate certificate to check; cast to {@link X509Certificate} without a type test
     * @throws CertPathValidatorException if the response reports a non-successful status, the
     *                                    matching entry is not status tag 0, the entry is past its
     *                                    next-update time, or processing fails; the
     *                                    {@code RecoverableCertPathValidatorException} form is used
     *                                    when OCSP is disabled or no response is available
     */
    /* JADX WARN: Multi-variable type inference failed */
    @Override // defpackage.iwa
    public void check(Certificate certificate) throws CertPathValidatorException {
        // bArr: nonce expected in the response (null when none); z: response was just obtained
        // from OcspCache, which makes the validatedOcspResponse call below be skipped.
        byte[] bArr;
        boolean z;
        X509Certificate x509Certificate = (X509Certificate) certificate;
        Map<X509Certificate, byte[]> ocspResponses = this.parent.getOcspResponses();
        URI ocspResponder = this.parent.getOcspResponder();
        if (ocspResponder == null) {
            if (this.ocspURL != null) {
                try {
                    ocspResponder = new URI(this.ocspURL);
                } catch (URISyntaxException e) {
                    StringBuilder e2 = qs2.e("configuration error: ");
                    e2.append(e.getMessage());
                    String sb = e2.toString();
                    jwa jwaVar = this.parameters;
                    throw new CertPathValidatorException(sb, e, jwaVar.c, jwaVar.f15621d);
                }
            } else {
                // Last resort: a URI supplied by the certificate under check (see getOcspResponderURI).
                ocspResponder = getOcspResponderURI(x509Certificate);
            }
        }
        URI uri = ocspResponder;
        if (ocspResponses.get(x509Certificate) != null || uri == null) {
            // A response was supplied up front, or there is nowhere to fetch one from: pick the
            // value of the tga.b extension (the nonce) out of the parent's OCSP extensions, if present.
            List<Extension> ocspExtensions = this.parent.getOcspExtensions();
            bArr = null;
            for (int i = 0; i != ocspExtensions.size(); i++) {
                Extension extension = ocspExtensions.get(i);
                byte[] value = extension.getValue();
                if (tga.b.c.equals(extension.getId())) {
                    bArr = value;
                }
            }
            z = false;
        } else {
            // Fetching is refused only when no responder was configured by either route and the
            // "ocsp.enable" property is off.
            if (this.ocspURL == null && this.parent.getOcspResponder() == null && !this.isEnabledOCSP) {
                jwa jwaVar2 = this.parameters;
                throw new RecoverableCertPathValidatorException("OCSP disabled by \"ocsp.enable\" setting", null, jwaVar2.c, jwaVar2.f15621d);
            }
            try {
                // The request CertID uses algorithm yga.f (presumably SHA-1; TODO confirm). The
                // encoded response is stored into the map returned by the parent.
                ocspResponses.put(x509Certificate, OcspCache.getOcspResponse(createCertID(new qm(yga.f), extractCert(), new m1(x509Certificate.getSerialNumber())), this.parameters, uri, this.parent.getOcspResponderCert(), this.parent.getOcspExtensions(), this.helper).getEncoded());
                // NOTE(review): z = true skips signature and nonce validation below, presumably on
                // the assumption that OcspCache.getOcspResponse validated the response. That code is
                // not visible here; confirm.
                z = true;
                bArr = null;
            } catch (IOException e3) {
                jwa jwaVar3 = this.parameters;
                throw new CertPathValidatorException("unable to encode OCSP response", e3, jwaVar3.c, jwaVar3.f15621d);
            }
        }
        if (ocspResponses.isEmpty()) {
            jwa jwaVar4 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for any certificate", null, jwaVar4.c, jwaVar4.f15621d);
        }
        byte[] bArr2 = ocspResponses.get(x509Certificate);
        // Decompiler artefact (instanceof / != 0 on a byte[]); the visible intent is to parse the
        // stored bytes into a vga, yielding null when no bytes are present.
        vga vgaVar = bArr2 instanceof vga ? (vga) bArr2 : bArr2 != 0 ? new vga(u1.s(bArr2)) : null;
        m1 m1Var = new m1(x509Certificate.getSerialNumber());
        if (vgaVar == null) {
            jwa jwaVar5 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for certificate", null, jwaVar5.c, jwaVar5.f15621d);
        }
        // Any response status other than 0 is rejected, with the numeric status in the message.
        if (vgaVar.c.c.s() != 0) {
            StringBuilder e4 = qs2.e("OCSP response failed: ");
            i1 i1Var = vgaVar.c.c;
            // Likely the decompiler's rendering of an implicit null check.
            i1Var.getClass();
            e4.append(new BigInteger(i1Var.c));
            String sb2 = e4.toString();
            jwa jwaVar6 = this.parameters;
            throw new CertPathValidatorException(sb2, null, jwaVar6.c, jwaVar6.f15621d);
        }
        j4c h = j4c.h(vgaVar.f21717d);
        // Only the response type tga.f20670a (presumably the basic OCSP response type) is processed.
        if (h.c.l(tga.f20670a)) {
            try {
                nn0 h2 = nn0.h(h.f15232d.c);
                if (z || validatedOcspResponse(h2, this.parameters, bArr, this.parent.getOcspResponderCert(), this.helper)) {
                    u1 u1Var = k4c.h(h2.c).g;
                    // CertID recomputed with the entry's own algorithm; reused across entries while
                    // the algorithm identifier stays the same.
                    yd1 yd1Var = null;
                    for (int i2 = 0; i2 != u1Var.size(); i2++) {
                        g1 t = u1Var.t(i2);
                        pzc pzcVar = t instanceof pzc ? (pzc) t : t != null ? new pzc(u1.s(t)) : null;
                        // First filter: serial number in the entry's CertID.
                        if (m1Var.l(pzcVar.c.f)) {
                            // Field f, when present, is an upper time bound (presumably nextUpdate):
                            // an entry older than the validation date is rejected. No lower-bound
                            // (thisUpdate-style) check is visible in this loop.
                            k1 k1Var = pzcVar.f;
                            if (k1Var != null) {
                                jwa jwaVar7 = this.parameters;
                                jwaVar7.getClass();
                                if (new Date(jwaVar7.b.getTime()).after(k1Var.t())) {
                                    // Thrown without a message in this decompiled form.
                                    throw new ExtCertPathValidatorException();
                                }
                            }
                            if (yd1Var == null || !yd1Var.c.equals(pzcVar.c.c)) {
                                yd1Var = createCertID(pzcVar.c, extractCert(), m1Var);
                            }
                            // Second filter: the full CertID, computed from the certificate returned
                            // by extractCert(), must equal the entry's CertID.
                            if (yd1Var.equals(pzcVar.c)) {
                                zd1 zd1Var = pzcVar.f18851d;
                                int i3 = zd1Var.c;
                                // Status tag 0: the check passes.
                                if (i3 == 0) {
                                    return;
                                }
                                // Any tag other than 0 or 1 is reported with this generic message.
                                if (i3 != 1) {
                                    jwa jwaVar8 = this.parameters;
                                    throw new CertPathValidatorException("certificate revoked, details unknown", null, jwaVar8.c, jwaVar8.f15621d);
                                }
                                // Tag 1: include the reason and date from the revocation info. A null
                                // r5cVar would raise here and end up in the generic handler below.
                                o1 o1Var = zd1Var.f23754d;
                                r5c r5cVar = !(o1Var instanceof r5c) ? o1Var != null ? new r5c(u1.s(o1Var)) : null : (r5c) o1Var;
                                String str = "certificate revoked, reason=(" + r5cVar.f19456d + "), date=" + r5cVar.c.t();
                                jwa jwaVar9 = this.parameters;
                                throw new CertPathValidatorException(str, null, jwaVar9.c, jwaVar9.f15621d);
                            }
                        }
                    }
                }
            } catch (CertPathValidatorException e5) {
                throw e5;
            } catch (Exception e6) {
                jwa jwaVar10 = this.parameters;
                throw new CertPathValidatorException("unable to process OCSP response", e6, jwaVar10.c, jwaVar10.f15621d);
            }
        }
        // NOTE(review): three paths reach this point and return normally, so the caller sees the
        // check as passed although no status was established for the certificate:
        //   1. the response type is not tga.f20670a;
        //   2. validatedOcspResponse returned false, i.e. the response signature did not verify;
        //   3. no entry matched both the serial number and the recomputed CertID.
        // Confirm whether the caller compensates; if not, these paths should raise instead of
        // returning.
    }

    /**
     * @return always {@code null} in this implementation; callers must not assume a list
     */
    public List<CertPathValidatorException> getSoftFailExceptions() {
        return null;
    }

    /**
     * @return always {@code null} in this implementation
     */
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Resets the checker and re-reads the "ocsp.enable" and "ocsp.responderURL" properties.
     * {@code parameters} is cleared, so {@link #initialize(jwa)} has to run again before
     * {@link #check(Certificate)} dereferences it.
     *
     * @param z {@code true} requests forward checking, which is rejected
     * @throws CertPathValidatorException if {@code z} is {@code true}
     */
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.parameters = null;
        this.isEnabledOCSP = nlb.b("ocsp.enable");
        this.ocspURL = nlb.a("ocsp.responderURL");
    }

    /**
     * Stores the validation parameters and re-reads the "ocsp.enable" and "ocsp.responderURL"
     * properties.
     *
     * @param jwaVar parameters used by subsequent {@code check} calls
     */
    @Override // defpackage.iwa
    public void initialize(jwa jwaVar) {
        this.parameters = jwaVar;
        this.isEnabledOCSP = nlb.b("ocsp.enable");
        this.ocspURL = nlb.a("ocsp.responderURL");
    }

    /**
     * @return always {@code false}; consistent with {@link #init(boolean)} rejecting forward checking
     */
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Intentionally empty: both arguments are ignored.
     *
     * @param str parameter name (unused)
     * @param obj parameter value (unused)
     */
    public void setParameter(String str, Object obj) {
    }
}
