package com.appmattus.certificatetransparency.internal.verifier;

import ch.qos.logback.core.CoreConstants;
import com.appmattus.certificatetransparency.SctVerificationResult;
import com.appmattus.certificatetransparency.internal.serialization.OutputStreamExtKt;
import com.appmattus.certificatetransparency.internal.utils.Base64;
import com.appmattus.certificatetransparency.internal.utils.CertificateExtKt;
import com.appmattus.certificatetransparency.internal.utils.asn1.ASN1Sequence;
import com.appmattus.certificatetransparency.internal.utils.asn1.x509.Certificate;
import com.appmattus.certificatetransparency.internal.utils.asn1.x509.Extension;
import com.appmattus.certificatetransparency.internal.utils.asn1.x509.Extensions;
import com.appmattus.certificatetransparency.internal.utils.asn1.x509.TbsCertificate;
import com.appmattus.certificatetransparency.internal.verifier.model.IssuerInformation;
import com.appmattus.certificatetransparency.internal.verifier.model.SignedCertificateTimestamp;
import com.appmattus.certificatetransparency.internal.verifier.model.Version;
import com.appmattus.certificatetransparency.loglist.LogServer;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import kotlin.collections.CollectionsKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: LogSignatureVerifier.kt */
/* loaded from: classes4.dex */
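/**
 * Verifies the signature on a Signed Certificate Timestamp (SCT) against the public key of one
 * Certificate Transparency log server.
 *
 * <p>This listing is decompiler output from a Kotlin class, so it contains Kotlin runtime helpers
 * ({@code Intrinsics}, {@code $default} bridge calls) and inlined anonymous classes. Every failure
 * is reported as a returned {@link SctVerificationResult}; callers must treat anything other than
 * {@code SctVerificationResult.Valid} as "not verified".
 */
public final class LogSignatureVerifier {
    public static final Companion Companion = new Companion(null);
    // The single log whose id, key and validity window every SCT is checked against.
    private final LogServer logServer;

    /* compiled from: LogSignatureVerifier.kt */
    /* loaded from: classes4.dex */
    /** Kotlin companion object holder; it carries no state or behaviour in this listing. */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Creates a verifier bound to one log server.
     *
     * @param logServer the log whose key, id and validity end are used; must not be null
     */
    public LogSignatureVerifier(LogServer logServer) {
        Intrinsics.checkNotNullParameter(logServer, "logServer");
        this.logServer = logServer;
    }

    /**
     * Rebuilds the TBSCertificate that the log signed for a precertificate entry.
     *
     * <p>The certificate is re-parsed from its encoded form, the extensions selected by
     * {@code getExtensionsWithoutPoisonAndSct} are dropped or replaced, and the issuer name is
     * replaced when {@code issuerInformation} supplies one.
     *
     * @param x509Certificate the leaf (pre)certificate; must be X.509 version 3 or later
     * @param issuerInformation issuer name, key hash and optional replacement authority key
     *     identifier
     * @return a copy of the parsed TBSCertificate with the adjusted issuer and extensions
     * @throws IllegalArgumentException if the version is below 3, or if the certificate carries an
     *     authority key identifier, was issued by a precertificate signing certificate, and no
     *     replacement authority key identifier is available
     */
    private final TbsCertificate createTbsForVerification(X509Certificate x509Certificate, IssuerInformation issuerInformation) {
        // Extensions only exist from X.509 v3 on, and the rest of this method depends on them.
        if (x509Certificate.getVersion() < 3) {
            throw new IllegalArgumentException("Failed requirement.");
        }
        Certificate.Companion companion = Certificate.Companion;
        byte[] encoded = x509Certificate.getEncoded();
        Intrinsics.checkNotNullExpressionValue(encoded, "getEncoded(...)");
        // NOTE(review): create$default/copy$default are Kotlin default-argument bridges; the
        // trailing int is presumably the mask of defaulted parameters - confirm against the
        // Kotlin source before changing any argument.
        Certificate create$default = Certificate.Companion.create$default(companion, encoded, null, 2, null);
        // Fail closed: without the replacement identifier the signed bytes cannot be rebuilt.
        if (hasX509AuthorityKeyIdentifier(create$default) && issuerInformation.getIssuedByPreCertificateSigningCert() && issuerInformation.getX509authorityKeyIdentifier() == null) {
            throw new IllegalArgumentException("Failed requirement.");
        }
        Extensions extensions = create$default.getTbsCertificate().getExtensions();
        // Throws when the certificate has no extensions block at all.
        Intrinsics.checkNotNull(extensions);
        List extensionsWithoutPoisonAndSct = getExtensionsWithoutPoisonAndSct(extensions, issuerInformation.getX509authorityKeyIdentifier());
        TbsCertificate tbsCertificate = create$default.getTbsCertificate();
        ASN1Sequence name = issuerInformation.getName();
        if (name == null) {
            // No replacement issuer supplied, so keep the issuer already in the certificate.
            name = tbsCertificate.getIssuer();
        }
        return TbsCertificate.copy$default(tbsCertificate, null, name, Extensions.Companion.create$default(Extensions.Companion, extensionsWithoutPoisonAndSct, null, 2, null), 1, null);
    }

    /**
     * Filters the certificate extensions down to the set covered by the precertificate signature.
     *
     * <p>JADX could not restructure this method and emitted only a register-level instruction dump
     * plus a stub that threw {@code UnsupportedOperationException}, which made the whole
     * precertificate path unusable in this listing. The body below is reconstructed from that
     * dump: extensions with OID {@code 1.3.6.1.4.1.11129.2.4.3} (CT precertificate poison) and
     * {@code 1.3.6.1.4.1.11129.2.4.2} (embedded SCT list) are dropped, the extension with OID
     * {@code 2.5.29.35} (authority key identifier) is swapped for {@code r6} when {@code r6} is
     * non-null, and everything else is kept in its original order.
     *
     * @param r5 the extensions of the certificate being verified
     * @param r6 replacement authority key identifier extension, or null to keep the original
     * @return a new list holding the retained extensions
     */
    private final java.util.List getExtensionsWithoutPoisonAndSct(com.appmattus.certificatetransparency.internal.utils.asn1.x509.Extensions r5, com.appmattus.certificatetransparency.internal.utils.asn1.x509.Extension r6) {
        java.util.ArrayList kept = new java.util.ArrayList();
        Iterator it = r5.getValues().iterator();
        while (it.hasNext()) {
            Extension extension = (Extension) it.next();
            // A string switch compiles to the same hashCode()/equals() dispatch as in the dump.
            switch (extension.getObjectIdentifier()) {
                case "1.3.6.1.4.1.11129.2.4.3":
                case "1.3.6.1.4.1.11129.2.4.2":
                    // Not part of the bytes the log signed, so it must not be re-serialized.
                    extension = null;
                    break;
                case "2.5.29.35":
                    if (r6 != null) {
                        extension = r6;
                    }
                    break;
                default:
                    break;
            }
            if (extension != null) {
                kept.add(extension);
            }
        }
        return kept;
    }

    /**
     * Reports whether the certificate carries an authority key identifier extension.
     *
     * @param certificate the parsed certificate to inspect
     * @return true if any extension has OID {@code 2.5.29.35}; false when there are no extensions
     */
    private final boolean hasX509AuthorityKeyIdentifier(Certificate certificate) {
        List values;
        Extensions extensions = certificate.getTbsCertificate().getExtensions();
        if (extensions == null || (values = extensions.getValues()) == null || values.isEmpty()) {
            return false;
        }
        Iterator it = values.iterator();
        while (it.hasNext()) {
            if (Intrinsics.areEqual(((Extension) it.next()).getObjectIdentifier(), "2.5.29.35")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Writes the fields shared by both signed-entry layouts: a 1-byte version, a 1-byte zero and
     * the 8-byte timestamp in milliseconds since the epoch.
     *
     * <p>The layout corresponds to the start of the digitally-signed structure in RFC 6962, where
     * the zero byte is the {@code certificate_timestamp} signature type.
     *
     * @param outputStream destination for the serialized fields
     * @param signedCertificateTimestamp the SCT supplying version and timestamp
     * @throws IllegalArgumentException if the SCT version is not {@code Version.V1}
     */
    private final void serializeCommonSctFields(OutputStream outputStream, SignedCertificateTimestamp signedCertificateTimestamp) {
        if (signedCertificateTimestamp.getSctVersion() != Version.V1) {
            throw new IllegalArgumentException("Can only serialize SCT v1 for now.");
        }
        OutputStreamExtKt.writeUint(outputStream, signedCertificateTimestamp.getSctVersion().getNumber(), 1);
        OutputStreamExtKt.writeUint(outputStream, 0L, 1);
        OutputStreamExtKt.writeUint(outputStream, signedCertificateTimestamp.getTimestamp().toEpochMilli(), 8);
    }

    /**
     * Serializes the bytes a log signs for an ordinary X.509 entry.
     *
     * <p>After the common fields come a 2-byte entry type of 0, the encoded certificate behind a
     * length prefix bounded by 16777215 (24 bits), and the SCT extensions behind a length prefix
     * bounded by 65535 (16 bits).
     *
     * @param x509Certificate the leaf certificate the SCT was issued for
     * @param signedCertificateTimestamp the SCT being verified
     * @return the signed-data bytes to feed into signature verification
     */
    private final byte[] serializeSignedSctData(X509Certificate x509Certificate, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            OutputStreamExtKt.writeUint(byteArrayOutputStream, 0L, 2);
            byte[] encoded = x509Certificate.getEncoded();
            Intrinsics.checkNotNullExpressionValue(encoded, "getEncoded(...)");
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, encoded, 16777215);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            CloseableKt.closeFinally(byteArrayOutputStream, null);
            Intrinsics.checkNotNullExpressionValue(byteArray, "use(...)");
            return byteArray;
        } finally {
            // Apparently the residue of a Kotlin use {} block; the decompiler did not recover
            // the close-on-exception path, so only the success path closes the stream here.
        }
    }

    /**
     * Serializes the bytes a log signs for a precertificate entry.
     *
     * <p>After the common fields come a 2-byte entry type of 1, the raw issuer key hash, the
     * rebuilt TBSCertificate behind a length prefix bounded by 16777215, and the SCT extensions
     * behind a length prefix bounded by 65535.
     *
     * @param bArr the re-encoded TBSCertificate bytes
     * @param bArr2 the issuer key hash, written without a length prefix
     * @param signedCertificateTimestamp the SCT being verified
     * @return the signed-data bytes to feed into signature verification
     */
    private final byte[] serializeSignedSctDataForPreCertificate(byte[] bArr, byte[] bArr2, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            OutputStreamExtKt.writeUint(byteArrayOutputStream, 1L, 2);
            // NOTE(review): the hash length is not checked here; presumably the caller always
            // supplies a SHA-256 digest - confirm in CertificateExtKt.
            byteArrayOutputStream.write(bArr2);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, bArr, 16777215);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            CloseableKt.closeFinally(byteArrayOutputStream, null);
            Intrinsics.checkNotNullExpressionValue(byteArray, "use(...)");
            return byteArray;
        } finally {
            // Same decompiler residue as in serializeSignedSctData.
        }
    }

    /**
     * Checks the SCT signature over already-serialized signed data using the log's public key.
     *
     * <p>The JCA algorithm is chosen from the key type alone: {@code SHA256withECDSA} for "EC"
     * keys and {@code SHA256withRSA} for "RSA" keys. Any other key type, and every JCA exception,
     * is turned into a failure result instead of being thrown.
     *
     * @param signedCertificateTimestamp the SCT whose signature bytes are verified
     * @param bArr the signed-data bytes the signature must cover
     * @return {@code SctVerificationResult.Valid} when the signature verifies, otherwise a result
     *     describing why verification failed
     */
    private final SctVerificationResult verifySctSignatureOverBytes(SignedCertificateTimestamp signedCertificateTimestamp, byte[] bArr) {
        String str;
        String algorithm = this.logServer.getKey().getAlgorithm();
        if (Intrinsics.areEqual(algorithm, "EC")) {
            str = "SHA256withECDSA";
        } else {
            if (!Intrinsics.areEqual(algorithm, "RSA")) {
                String algorithm2 = this.logServer.getKey().getAlgorithm();
                Intrinsics.checkNotNullExpressionValue(algorithm2, "getAlgorithm(...)");
                return new UnsupportedSignatureAlgorithm(algorithm2, null, 2, null);
            }
            str = "SHA256withRSA";
        }
        try {
            Signature signature = Signature.getInstance(str);
            signature.initVerify(this.logServer.getKey());
            signature.update(bArr);
            // The anonymous class below is the decompiler inlining the class named in the
            // trailing "from class" comment; it is the result for a signature that did not verify.
            return signature.verify(signedCertificateTimestamp.getSignature().getSignature()) ? new SctVerificationResult.Valid(signedCertificateTimestamp, this.logServer.operatorAt(signedCertificateTimestamp.getTimestamp())) : new SctVerificationResult() { // from class: com.appmattus.certificatetransparency.SctVerificationResult$Invalid$FailedVerification
                public String toString() {
                    return "SCT signature failed verification";
                }
            };
        } catch (InvalidKeyException e) {
            return new LogPublicKeyNotValid(e);
        } catch (NoSuchAlgorithmException e2) {
            return new UnsupportedSignatureAlgorithm(str, e2);
        } catch (SignatureException e3) {
            // A malformed signature encoding is reported as a failure, never as success.
            return new SignatureNotValid(e3);
        }
    }

    /**
     * Verifies an SCT that was issued over a precertificate.
     *
     * <p>The TBSCertificate is rebuilt without the poison and SCT-list extensions, serialized as a
     * precertificate entry together with the issuer key hash, and the signature is checked over
     * those bytes.
     *
     * @param sct the SCT to verify; must not be null
     * @param certificate the leaf certificate or precertificate; must not be null
     * @param issuerInfo issuer data used to rebuild the signed bytes; must not be null
     * @return the verification result; encoding and certificate errors are returned as
     *     {@code CertificateEncodingFailed}
     */
    public final SctVerificationResult verifySCTOverPreCertificate$certificatetransparency(SignedCertificateTimestamp sct, X509Certificate certificate, IssuerInformation issuerInfo) {
        CertificateEncodingFailed certificateEncodingFailed;
        Intrinsics.checkNotNullParameter(sct, "sct");
        Intrinsics.checkNotNullParameter(certificate, "certificate");
        Intrinsics.checkNotNullParameter(issuerInfo, "issuerInfo");
        try {
            return verifySctSignatureOverBytes(sct, serializeSignedSctDataForPreCertificate(CollectionsKt.toByteArray(CollectionsKt.toList(createTbsForVerification(certificate, issuerInfo).getBytes())), issuerInfo.getKeyHash(), sct));
        } catch (IOException e) {
            certificateEncodingFailed = new CertificateEncodingFailed(e);
            return certificateEncodingFailed;
        } catch (CertificateException e2) {
            certificateEncodingFailed = new CertificateEncodingFailed(e2);
            return certificateEncodingFailed;
        }
        // NOTE(review): the IllegalArgumentException thrown by createTbsForVerification is not
        // caught here, so it propagates to the caller instead of becoming a result object.
    }

    /**
     * Verifies an SCT against a certificate chain, leaf first.
     *
     * <p>Three checks run before any cryptography: the SCT timestamp must not be later than the
     * current device time, must not be later than the log's validity end when one is set, and the
     * SCT's log id must equal this log's id. The leaf is then verified either as an ordinary
     * X.509 entry, or, when it is a precertificate or carries embedded SCTs, as a precertificate
     * entry using issuer information taken from the next one or two certificates in the chain.
     *
     * @param sct the SCT to verify; must not be null
     * @param chain the certificate chain with the leaf at index 0; must not be null
     * @return the verification result; only {@code SctVerificationResult.Valid} means the SCT was
     *     accepted
     */
    public SctVerificationResult verifySignature(SignedCertificateTimestamp sct, List chain) {
        IssuerInformation issuerInformation;
        CertificateEncodingFailed certificateEncodingFailed;
        Intrinsics.checkNotNullParameter(sct, "sct");
        Intrinsics.checkNotNullParameter(chain, "chain");
        // The comparison uses the local clock, so a device clock set in the past rejects
        // otherwise valid SCTs with the FutureTimestamp result.
        final Instant now = Instant.now();
        if (sct.getTimestamp().compareTo(now) > 0) {
            final Instant timestamp = sct.getTimestamp();
            Intrinsics.checkNotNull(now);
            // Decompiler inlining of the result class named in the trailing comment.
            return new SctVerificationResult(timestamp, now) { // from class: com.appmattus.certificatetransparency.SctVerificationResult$Invalid$FutureTimestamp
                private final Instant now;
                private final Instant timestamp;

                {
                    Intrinsics.checkNotNullParameter(timestamp, "timestamp");
                    Intrinsics.checkNotNullParameter(now, "now");
                    this.timestamp = timestamp;
                    this.now = now;
                }

                public boolean equals(Object obj) {
                    if (this == obj) {
                        return true;
                    }
                    if (!(obj instanceof SctVerificationResult$Invalid$FutureTimestamp)) {
                        return false;
                    }
                    SctVerificationResult$Invalid$FutureTimestamp sctVerificationResult$Invalid$FutureTimestamp = (SctVerificationResult$Invalid$FutureTimestamp) obj;
                    return Intrinsics.areEqual(this.timestamp, sctVerificationResult$Invalid$FutureTimestamp.timestamp) && Intrinsics.areEqual(this.now, sctVerificationResult$Invalid$FutureTimestamp.now);
                }

                public int hashCode() {
                    return (this.timestamp.hashCode() * 31) + this.now.hashCode();
                }

                public String toString() {
                    return "SCT timestamp, " + this.timestamp + ", is in the future, current timestamp is " + this.now + CoreConstants.DOT;
                }
            };
        }
        // An SCT stamped after the log's validity end is rejected before its signature is looked at.
        if (this.logServer.getValidUntil() != null && sct.getTimestamp().compareTo(this.logServer.getValidUntil()) > 0) {
            final Instant timestamp2 = sct.getTimestamp();
            final Instant validUntil = this.logServer.getValidUntil();
            // Decompiler inlining of the result class named in the trailing comment.
            return new SctVerificationResult(timestamp2, validUntil) { // from class: com.appmattus.certificatetransparency.SctVerificationResult$Invalid$LogServerUntrusted
                private final Instant logServerValidUntil;
                private final Instant timestamp;

                {
                    Intrinsics.checkNotNullParameter(timestamp2, "timestamp");
                    Intrinsics.checkNotNullParameter(validUntil, "logServerValidUntil");
                    this.timestamp = timestamp2;
                    this.logServerValidUntil = validUntil;
                }

                public boolean equals(Object obj) {
                    if (this == obj) {
                        return true;
                    }
                    if (!(obj instanceof SctVerificationResult$Invalid$LogServerUntrusted)) {
                        return false;
                    }
                    SctVerificationResult$Invalid$LogServerUntrusted sctVerificationResult$Invalid$LogServerUntrusted = (SctVerificationResult$Invalid$LogServerUntrusted) obj;
                    return Intrinsics.areEqual(this.timestamp, sctVerificationResult$Invalid$LogServerUntrusted.timestamp) && Intrinsics.areEqual(this.logServerValidUntil, sctVerificationResult$Invalid$LogServerUntrusted.logServerValidUntil);
                }

                public int hashCode() {
                    return (this.timestamp.hashCode() * 31) + this.logServerValidUntil.hashCode();
                }

                public String toString() {
                    return "SCT timestamp, " + this.timestamp + ", is greater than the log server validity, " + this.logServerValidUntil + CoreConstants.DOT;
                }
            };
        }
        // Binds the SCT to this log before the key is used; both ids end up in the result text.
        if (!Arrays.equals(this.logServer.getId(), sct.getId().getKeyId())) {
            Base64 base64 = Base64.INSTANCE;
            return new LogIdMismatch(base64.toBase64String(sct.getId().getKeyId()), base64.toBase64String(this.logServer.getId()));
        }
        // NOTE(review): an empty chain is not handled and throws IndexOutOfBoundsException here;
        // callers must pass at least the leaf certificate.
        X509Certificate x509Certificate = (X509Certificate) chain.get(0);
        if (!CertificateExtKt.isPreCertificate(x509Certificate) && !CertificateExtKt.hasEmbeddedSct(x509Certificate)) {
            // Ordinary certificate: the log signed the encoded certificate itself.
            try {
                return verifySctSignatureOverBytes(sct, serializeSignedSctData(x509Certificate, sct));
            } catch (IOException e) {
                certificateEncodingFailed = new CertificateEncodingFailed(e);
                return certificateEncodingFailed;
            } catch (CertificateEncodingException e2) {
                certificateEncodingFailed = new CertificateEncodingFailed(e2);
                return certificateEncodingFailed;
            }
        }
        // Precertificate path: the issuer is needed to rebuild the signed bytes.
        if (chain.size() < 2) {
            return NoIssuer.INSTANCE;
        }
        X509Certificate x509Certificate2 = (X509Certificate) chain.get(1);
        try {
            if (!CertificateExtKt.isPreCertificateSigningCert(x509Certificate2)) {
                try {
                    issuerInformation = CertificateExtKt.issuerInformation(x509Certificate2);
                } catch (NoSuchAlgorithmException e3) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e3);
                }
            } else {
                // Issued through a precertificate signing certificate, so the certificate at
                // index 2 is also required to derive the issuer information.
                if (chain.size() < 3) {
                    return NoIssuerWithPreCert.INSTANCE;
                }
                try {
                    issuerInformation = CertificateExtKt.issuerInformationFromPreCertificate(x509Certificate2, (java.security.cert.Certificate) chain.get(2));
                } catch (IOException e4) {
                    return new ASN1ParsingFailed(e4);
                } catch (NoSuchAlgorithmException e5) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e5);
                } catch (CertificateEncodingException e6) {
                    return new CertificateEncodingFailed(e6);
                }
            }
            return verifySCTOverPreCertificate$certificatetransparency(sct, x509Certificate, issuerInformation);
        } catch (CertificateParsingException e7) {
            return new CertificateParsingFailed(e7);
        }
    }
}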
