package com.itextpdf.signatures;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ICertificateStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IRevokedStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ISingleResp;
import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes8.dex */
public class OCSPVerifier extends RootStoreVerifier {
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();
    protected static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OCSPVerifier.class);
    protected static final String id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9";
    private ICrlClient crlClient;
    private IOcspClient ocspClient;
    protected List<IBasicOCSPResp> ocsps;

    public OCSPVerifier(CertificateVerifier certificateVerifier, List<IBasicOCSPResp> list) {
        super(certificateVerifier);
        this.ocsps = list;
    }

    private boolean checkCrlResponses(ICrlClient iCrlClient, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        Iterator<byte[]> it = iCrlClient.getEncoded(x509Certificate, null).iterator();
        while (it.hasNext()) {
            if (verifyCrl(SignUtils.parseCrlFromStream(new ByteArrayInputStream(it.next())), x509Certificate, x509Certificate2, date)) {
                return true;
            }
        }
        return false;
    }

    private boolean verifyCrl(CRL crl, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        if (!(crl instanceof X509CRL)) {
            return false;
        }
        CRLVerifier cRLVerifier = new CRLVerifier(null, null);
        cRLVerifier.setRootStore(this.rootStore);
        cRLVerifier.setOnlineCheckingAllowed(this.onlineCheckingAllowed);
        return cRLVerifier.verify((X509CRL) crl, x509Certificate, x509Certificate2, date);
    }

    private boolean verifyOcsp(IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        if (iBasicOCSPResp == null) {
            return false;
        }
        return verify(iBasicOCSPResp, x509Certificate, x509Certificate2, date);
    }

    public IBasicOCSPResp getOcspResponse(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (x509Certificate == null && x509Certificate2 == null) {
            return null;
        }
        return new OcspClientBouncyCastle(null).getBasicOCSPResp(x509Certificate, x509Certificate2, null);
    }

    public boolean isSignatureValid(IBasicOCSPResp iBasicOCSPResp, Certificate certificate) {
        try {
            return SignUtils.isSignatureValid(iBasicOCSPResp, certificate, BOUNCY_CASTLE_FACTORY.getProviderName());
        } catch (Exception unused) {
            return false;
        }
    }

    /* JADX WARN: Removed duplicated region for block: B:36:0x0083 A[RETURN] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public void isValidResponse(com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp r6, java.security.cert.X509Certificate r7, java.util.Date r8) throws java.security.GeneralSecurityException {
        /*
            r5 = this;
            boolean r8 = r5.isSignatureValid(r6, r7)
            r0 = 0
            if (r8 == 0) goto L9
            r8 = r7
            goto La
        L9:
            r8 = r0
        La:
            if (r8 != 0) goto Lf3
            com.itextpdf.commons.bouncycastle.cert.IX509CertificateHolder[] r1 = r6.getCerts()
            int r1 = r1.length
            if (r1 <= 0) goto Lc7
            java.lang.Iterable r1 = com.itextpdf.signatures.SignUtils.getCertsFromOcspResponse(r6)
            java.util.Iterator r1 = r1.iterator()
        L1b:
            boolean r2 = r1.hasNext()
            if (r2 == 0) goto L3c
            java.lang.Object r2 = r1.next()
            java.security.cert.X509Certificate r2 = (java.security.cert.X509Certificate) r2
            java.util.List r3 = r2.getExtendedKeyUsage()     // Catch: java.security.cert.CertificateParsingException -> L1b
            if (r3 == 0) goto L1b
            java.lang.String r4 = "1.3.6.1.5.5.7.3.9"
            boolean r3 = r3.contains(r4)     // Catch: java.security.cert.CertificateParsingException -> L1b
            if (r3 == 0) goto L1b
            boolean r3 = r5.isSignatureValid(r6, r2)     // Catch: java.security.cert.CertificateParsingException -> L1b
            if (r3 == 0) goto L1b
            r8 = r2
        L3c:
            if (r8 == 0) goto Lbf
            java.security.PublicKey r1 = r7.getPublicKey()
            r8.verify(r1)
            java.util.Date r1 = r6.getProducedAt()
            r8.checkValidity(r1)
            com.itextpdf.commons.bouncycastle.IBouncyCastleFactory r1 = com.itextpdf.signatures.OCSPVerifier.BOUNCY_CASTLE_FACTORY
            com.itextpdf.commons.bouncycastle.asn1.ocsp.IOCSPObjectIdentifiers r2 = r1.createOCSPObjectIdentifiers()
            com.itextpdf.commons.bouncycastle.asn1.IASN1ObjectIdentifier r2 = r2.getIdPkixOcspNoCheck()
            java.lang.String r2 = r2.getId()
            byte[] r2 = com.itextpdf.signatures.SignUtils.getExtensionValueByOid(r8, r2)
            if (r2 == 0) goto L61
            return
        L61:
            com.itextpdf.signatures.IOcspClient r2 = r5.ocspClient
            if (r2 == 0) goto L84
            byte[] r2 = r2.getEncoded(r8, r7, r0)
            if (r2 == 0) goto L78
            com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive r2 = r1.createASN1Primitive(r2)     // Catch: java.io.IOException -> L78
            com.itextpdf.commons.bouncycastle.asn1.ocsp.IBasicOCSPResponse r2 = r1.createBasicOCSPResponse(r2)     // Catch: java.io.IOException -> L78
            com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp r1 = r1.createBasicOCSPResp(r2)     // Catch: java.io.IOException -> L78
            goto L79
        L78:
            r1 = r0
        L79:
            java.util.Date r2 = r6.getProducedAt()
            boolean r1 = r5.verifyOcsp(r1, r8, r7, r2)
            if (r1 == 0) goto L84
            return
        L84:
            com.itextpdf.signatures.ICrlClient r1 = r5.crlClient
            if (r1 == 0) goto L93
            java.util.Date r2 = r6.getProducedAt()
            boolean r1 = r5.checkCrlResponses(r1, r8, r7, r2)
            if (r1 == 0) goto L93
            return
        L93:
            com.itextpdf.signatures.OcspClientBouncyCastle r1 = new com.itextpdf.signatures.OcspClientBouncyCastle
            r1.<init>(r0)
            com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp r0 = r1.getBasicOCSPResp(r8, r7, r0)
            java.util.Date r1 = r6.getProducedAt()
            boolean r0 = r5.verifyOcsp(r0, r8, r7, r1)
            if (r0 == 0) goto La7
            return
        La7:
            com.itextpdf.signatures.CrlClientOnline r0 = new com.itextpdf.signatures.CrlClientOnline
            r0.<init>()
            java.util.Date r6 = r6.getProducedAt()
            boolean r5 = r5.checkCrlResponses(r0, r8, r7, r6)
            if (r5 == 0) goto Lb7
            return
        Lb7:
            com.itextpdf.signatures.VerificationException r5 = new com.itextpdf.signatures.VerificationException
            java.lang.String r6 = "Authorized OCSP responder certificate revocation status cannot be checked"
            r5.<init>(r8, r6)
            throw r5
        Lbf:
            com.itextpdf.signatures.VerificationException r5 = new com.itextpdf.signatures.VerificationException
            java.lang.String r6 = "OCSP response could not be verified"
            r5.<init>(r7, r6)
            throw r5
        Lc7:
            java.security.KeyStore r0 = r5.rootStore
            if (r0 == 0) goto Le8
            java.security.KeyStore r0 = r5.rootStore     // Catch: java.lang.Exception -> Le8
            java.lang.Iterable r0 = com.itextpdf.signatures.SignUtils.getCertificates(r0)     // Catch: java.lang.Exception -> Le8
            java.util.Iterator r0 = r0.iterator()     // Catch: java.lang.Exception -> Le8
        Ld5:
            boolean r1 = r0.hasNext()     // Catch: java.lang.Exception -> Le8
            if (r1 == 0) goto Le8
            java.lang.Object r1 = r0.next()     // Catch: java.lang.Exception -> Le8
            java.security.cert.X509Certificate r1 = (java.security.cert.X509Certificate) r1     // Catch: java.lang.Exception -> Le8
            boolean r2 = r5.isSignatureValid(r6, r1)     // Catch: java.lang.Exception -> Le8
            if (r2 == 0) goto Ld5
            r8 = r1
        Le8:
            if (r8 == 0) goto Leb
            goto Lf3
        Leb:
            com.itextpdf.signatures.VerificationException r5 = new com.itextpdf.signatures.VerificationException
            java.lang.String r6 = "OCSP response could not be verified: it does not contain certificate chain and response is not signed by issuer certificate or any from the root store."
            r5.<init>(r7, r6)
            throw r5
        Lf3:
            java.util.Date r5 = r6.getProducedAt()
            r8.checkValidity(r5)
            return
        */
        throw new UnsupportedOperationException("Method not decompiled: com.itextpdf.signatures.OCSPVerifier.isValidResponse(com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp, java.security.cert.X509Certificate, java.util.Date):void");
    }

    public void setCrlClient(ICrlClient iCrlClient) {
        this.crlClient = iCrlClient;
    }

    public void setOcspClient(IOcspClient iOcspClient) {
        this.ocspClient = iOcspClient;
    }

    @Override // com.itextpdf.signatures.RootStoreVerifier, com.itextpdf.signatures.CertificateVerifier
    public List<VerificationOK> verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        int i;
        ArrayList arrayList = new ArrayList();
        List<IBasicOCSPResp> list = this.ocsps;
        int i2 = 0;
        if (list != null) {
            Iterator<IBasicOCSPResp> it = list.iterator();
            i = 0;
            while (it.hasNext()) {
                if (verify(it.next(), x509Certificate, x509Certificate2, date)) {
                    i++;
                }
            }
        } else {
            i = 0;
        }
        if (this.onlineCheckingAllowed && verify(getOcspResponse(x509Certificate, x509Certificate2), x509Certificate, x509Certificate2, date)) {
            i++;
            i2 = 1;
        }
        int i3 = i2;
        LOGGER.info("Valid OCSPs found: " + i);
        if (i > 0) {
            arrayList.add(new VerificationOK(x509Certificate, getClass(), "Valid OCSPs Found: " + i + (i2 != 0 ? " (" + i3 + " online)" : "")));
        }
        if (this.verifier != null) {
            arrayList.addAll(this.verifier.verify(x509Certificate, x509Certificate2, date));
        }
        return arrayList;
    }

    public boolean verify(IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        if (iBasicOCSPResp == null) {
            return false;
        }
        for (ISingleResp iSingleResp : iBasicOCSPResp.getResponses()) {
            if (x509Certificate.getSerialNumber().equals(iSingleResp.getCertID().getSerialNumber())) {
                if (x509Certificate2 == null) {
                    x509Certificate2 = x509Certificate;
                }
                try {
                    if (!SignUtils.checkIfIssuersMatch(iSingleResp.getCertID(), x509Certificate2)) {
                        LOGGER.info("OCSP: Issuers doesn't match.");
                    } else if (iSingleResp.getNextUpdate() == null || !date.after(iSingleResp.getNextUpdate())) {
                        ICertificateStatus certStatus = iSingleResp.getCertStatus();
                        IBouncyCastleFactory iBouncyCastleFactory = BOUNCY_CASTLE_FACTORY;
                        IRevokedStatus createRevokedStatus = iBouncyCastleFactory.createRevokedStatus(certStatus);
                        boolean equals = iBouncyCastleFactory.createCertificateStatus().getGood().equals(certStatus);
                        if (equals || (createRevokedStatus != null && date.before(createRevokedStatus.getRevocationTime()))) {
                            isValidResponse(iBasicOCSPResp, x509Certificate2, date);
                            if (equals) {
                                return true;
                            }
                            LOGGER.warn(MessageFormatUtil.format(SignLogMessageConstant.VALID_CERTIFICATE_IS_REVOKED, createRevokedStatus.getRevocationTime()));
                            return true;
                        }
                    } else {
                        LOGGER.info(MessageFormatUtil.format("OCSP is no longer valid: {0} after {1}", date, iSingleResp.getNextUpdate()));
                    }
                } catch (AbstractOCSPException | AbstractOperatorCreationException unused) {
                    continue;
                } catch (IOException e) {
                    throw new GeneralSecurityException(e.getMessage());
                }
            }
        }
        return false;
    }
}
