package org.bouncycastle.jce.provider;

import defpackage.caf;
import defpackage.cda;
import defpackage.dm7;
import defpackage.dn0;
import defpackage.dnb;
import defpackage.e1;
import defpackage.eda;
import defpackage.fa2;
import defpackage.fc0;
import defpackage.fy2;
import defpackage.g1;
import defpackage.gr7;
import defpackage.gv2;
import defpackage.hbf;
import defpackage.hda;
import defpackage.hy2;
import defpackage.i1;
import defpackage.ib0;
import defpackage.ie9;
import defpackage.k1;
import defpackage.k7d;
import defpackage.l0c;
import defpackage.m1;
import defpackage.m3a;
import defpackage.m8;
import defpackage.n1;
import defpackage.nsa;
import defpackage.o1;
import defpackage.of;
import defpackage.pg4;
import defpackage.q0c;
import defpackage.q4c;
import defpackage.qc1;
import defpackage.qv3;
import defpackage.r0c;
import defpackage.rc1;
import defpackage.rsa;
import defpackage.s1;
import defpackage.sc1;
import defpackage.ssa;
import defpackage.t6;
import defpackage.tm;
import defpackage.u06;
import defpackage.x1c;
import defpackage.xhb;
import defpackage.y1;
import defpackage.z60;
import defpackage.zvc;
import defpackage.zw7;
import defpackage.zz0;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.Extension;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
/**
 * OCSP-based revocation checker used during certification path validation.
 *
 * <p>This listing is decompiler output (JADX) with obfuscated type and field names, and a few
 * statements carry "type inference failed" artefacts that would not compile as written. Comments
 * below that name an ASN.1 structure or OID are therefore marked as presumptions unless the
 * visible code (string literals, JDK calls) establishes them.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #check(Certificate)} signals "revoked" or "cannot decide" only by throwing; every
 *       path that returns normally is a pass as far as this method is concerned.</li>
 *   <li>The responder URL may be taken from the certificate being checked
 *       ({@link #getOcspResponderURI(X509Certificate)}), i.e. from data supplied by the peer.</li>
 *   <li>Responses obtained through {@code OcspCache} are not re-validated in this class.</li>
 * </ul>
 */
public class ProvOcspRevocationChecker implements rsa {
    // Neither DEFAULT_OCSP_* constant is referenced anywhere else in this class.
    private static final int DEFAULT_OCSP_MAX_RESPONSE_SIZE = 32768;
    private static final int DEFAULT_OCSP_TIMEOUT = 15000;
    // Signature algorithm identifier -> JCA signature name; filled in the static initializer.
    private static final Map oids;
    // Factory for MessageDigest / Signature / CertificateFactory instances (see d(), createSignature(), r()).
    private final gr7 helper;
    // Value of the "ocsp.enable" property, read in init()/initialize().
    private boolean isEnabledOCSP;
    // Value of the "ocsp.responderURL" property, read in init()/initialize(); may be null.
    private String ocspURL;
    // Validation parameters for the current check; .e is used as the signing (issuer) certificate,
    // .b as the validation date, .c/.f20360d as the certPath/index arguments of thrown exceptions.
    private ssa parameters;
    // Owning checker; supplies configured responder URI/cert, extensions and pre-supplied responses.
    private final ProvRevocationChecker parent;

    // Populates the OID -> signature-name table used by getSignatureName().
    // NOTE(review): the table still names MD2/MD5/SHA-1 based signatures. The table only produces a
    // name; whether a response signed with one of them is accepted depends on what
    // helper.createSignature() resolves. Confirm the provider/algorithm-constraint policy.
    static {
        HashMap hashMap = new HashMap();
        oids = hashMap;
        hashMap.put(new n1("1.2.840.113549.1.1.5"), "SHA1WITHRSA");
        hashMap.put(nsa.H0, "SHA224WITHRSA");
        hashMap.put(nsa.E0, "SHA256WITHRSA");
        hashMap.put(nsa.F0, "SHA384WITHRSA");
        hashMap.put(nsa.G0, "SHA512WITHRSA");
        hashMap.put(gv2.m, "GOST3411WITHGOST3410");
        hashMap.put(gv2.n, "GOST3411WITHECGOST3410");
        hashMap.put(q4c.g, "GOST3411-2012-256WITHECGOST3410-2012-256");
        hashMap.put(q4c.h, "GOST3411-2012-512WITHECGOST3410-2012-512");
        hashMap.put(fc0.f13222a, "SHA1WITHPLAIN-ECDSA");
        hashMap.put(fc0.b, "SHA224WITHPLAIN-ECDSA");
        hashMap.put(fc0.c, "SHA256WITHPLAIN-ECDSA");
        hashMap.put(fc0.f13223d, "SHA384WITHPLAIN-ECDSA");
        hashMap.put(fc0.e, "SHA512WITHPLAIN-ECDSA");
        hashMap.put(fc0.f, "RIPEMD160WITHPLAIN-ECDSA");
        hashMap.put(qv3.f19352a, "SHA1WITHCVC-ECDSA");
        hashMap.put(qv3.b, "SHA224WITHCVC-ECDSA");
        hashMap.put(qv3.c, "SHA256WITHCVC-ECDSA");
        hashMap.put(qv3.f19353d, "SHA384WITHCVC-ECDSA");
        hashMap.put(qv3.e, "SHA512WITHCVC-ECDSA");
        hashMap.put(dm7.f12371a, "XMSS");
        hashMap.put(dm7.b, "XMSSMT");
        hashMap.put(new n1("1.2.840.113549.1.1.4"), "MD5WITHRSA");
        hashMap.put(new n1("1.2.840.113549.1.1.2"), "MD2WITHRSA");
        hashMap.put(new n1("1.2.840.10040.4.3"), "SHA1WITHDSA");
        hashMap.put(hbf.Q1, "SHA1WITHECDSA");
        hashMap.put(hbf.T1, "SHA224WITHECDSA");
        hashMap.put(hbf.U1, "SHA256WITHECDSA");
        hashMap.put(hbf.V1, "SHA384WITHECDSA");
        hashMap.put(hbf.W1, "SHA512WITHECDSA");
        hashMap.put(hda.h, "SHA1WITHRSA");
        hashMap.put(hda.g, "SHA1WITHDSA");
        hashMap.put(m3a.P, "SHA224WITHDSA");
        hashMap.put(m3a.Q, "SHA256WITHDSA");
    }

    /**
     * Creates a checker bound to its parent revocation checker and a JCA helper.
     *
     * @param provRevocationChecker owning checker that holds the OCSP configuration
     * @param gr7Var helper used to obtain digests, signatures and certificate factories
     */
    public ProvOcspRevocationChecker(ProvRevocationChecker provRevocationChecker, gr7 gr7Var) {
        this.parent = provRevocationChecker;
        this.helper = gr7Var;
    }

    /**
     * Hashes the key material of {@code publicKey} with the supplied digest.
     *
     * @return the digest of the bytes extracted from the key's encoded form; presumably the
     *     subjectPublicKey BIT STRING contents of the SubjectPublicKeyInfo (confirm against k7d)
     */
    private static byte[] calcKeyHash(MessageDigest messageDigest, PublicKey publicKey) {
        return messageDigest.digest(k7d.h(publicKey.getEncoded()).f15876d.r());
    }

    /**
     * Builds a CertID for {@code k1Var} using the hash algorithm carried in field {@code c} of an
     * existing CertID (presumably its hashAlgorithm), so the result can be compared with it.
     */
    private qc1 createCertID(qc1 qc1Var, sc1 sc1Var, k1 k1Var) throws CertPathValidatorException {
        return createCertID(qc1Var.c, sc1Var, k1Var);
    }

    /**
     * Builds a CertID from a hash algorithm, an issuer certificate and a serial number.
     *
     * <p>Two values taken from {@code sc1Var} are digested with the algorithm named by
     * {@code tmVar}: a DER encoding and a byte string, presumably the issuer's subject name and
     * public key bits (confirm against sc1).
     *
     * @throws CertPathValidatorException wrapping any failure, with message "problem creating ID: "
     */
    private qc1 createCertID(tm tmVar, sc1 sc1Var, k1 k1Var) throws CertPathValidatorException {
        try {
            MessageDigest d2 = this.helper.d(ie9.a(tmVar.c));
            return new qc1(tmVar, new hy2(d2.digest(sc1Var.f20109d.j.c("DER"))), new hy2(d2.digest(sc1Var.f20109d.k.f15876d.r())), k1Var);
        } catch (Exception e) {
            throw new CertPathValidatorException("problem creating ID: " + e, e);
        }
    }

    /**
     * Re-parses the signing certificate held in {@code parameters.e} into the internal
     * certificate structure.
     *
     * @throws CertPathValidatorException if the certificate cannot be encoded or parsed
     */
    private sc1 extractCert() throws CertPathValidatorException {
        try {
            return sc1.h(this.parameters.e.getEncoded());
        } catch (Exception e) {
            String d2 = of.d(e, m8.m("cannot process signing cert: "));
            ssa ssaVar = this.parameters;
            throw new CertPathValidatorException(d2, e, ssaVar.c, ssaVar.f20360d);
        }
    }

    /**
     * Returns the digest name for an OID with its first '-' removed, except for names starting
     * with "SHA3", which are returned unchanged.
     */
    private static String getDigestName(n1 n1Var) {
        String a2 = ie9.a(n1Var);
        // 45 is the character code of '-'.
        int indexOf = a2.indexOf(45);
        if (indexOf > 0 && !a2.startsWith("SHA3")) {
            a2 = a2.substring(0, indexOf) + a2.substring(indexOf + 1);
        }
        return a2;
    }

    /**
     * Extracts an OCSP responder URI from a certificate extension, presumably Authority
     * Information Access (confirm pg4.x).
     *
     * <p>The returned URI comes from the certificate under validation, so it is chosen by whoever
     * issued or presented that certificate. No scheme or host restriction is applied here; only
     * syntactically invalid URIs are skipped.
     * NOTE(review): confirm the component that performs the request restricts where it connects.
     *
     * @return the first matching, syntactically valid URI, or {@code null} if the extension is
     *     absent or holds no usable entry
     */
    /* JADX WARN: Multi-variable type inference failed */
    public static URI getOcspResponderURI(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(pg4.x.c);
        if (extensionValue == null) {
            return null;
        }
        // Decompiler artefact: bArr is typed byte[] but is then tested with instanceof and
        // compared with 0. Read it as "parse the extension's octets into the access-description
        // sequence".
        byte[] bArr = o1.s(extensionValue).c;
        t6[] t6VarArr = (bArr instanceof z60 ? (z60) bArr : bArr != 0 ? new z60(s1.s(bArr)) : null).c;
        int length = t6VarArr.length;
        t6[] t6VarArr2 = new t6[length];
        // Iterate over a copy of the entries array.
        System.arraycopy(t6VarArr, 0, t6VarArr2, 0, t6VarArr.length);
        for (int i = 0; i != length; i++) {
            t6 t6Var = t6VarArr2[i];
            // presumably: access method is id-ad-ocsp (confirm t6.e)
            if (t6.e.m(t6Var.c)) {
                u06 u06Var = t6Var.f20521d;
                // presumably GeneralName tag 6 = uniformResourceIdentifier (confirm u06)
                if (u06Var.f20916d == 6) {
                    try {
                        return new URI(((y1) u06Var.c).g());
                    } catch (URISyntaxException unused) {
                        // Malformed URI: ignore this entry and try the next one.
                        continue;
                    }
                } else {
                    continue;
                }
            }
        }
        return null;
    }

    /**
     * Maps a signature algorithm identifier to a JCA signature name.
     *
     * <p>When parameters are present and the first branch matches (presumably RSASSA-PSS with
     * non-NULL parameters; confirm nsa.D0 and fy2.c), the name is built from the digest found in
     * those parameters plus "WITHRSAANDMGF1". Otherwise the {@code oids} table is consulted, and
     * field {@code c} of the OID (presumably its dotted string) is the fallback.
     */
    private static String getSignatureName(tm tmVar) {
        e1 e1Var = tmVar.f20730d;
        if (e1Var != null && !fy2.c.l(e1Var) && tmVar.c.m(nsa.D0)) {
            return fa2.h(new StringBuilder(), getDigestName(dnb.h(e1Var).c.c), "WITHRSAANDMGF1");
        }
        Map map = oids;
        return map.containsKey(tmVar.c) ? (String) map.get(tmVar.c) : tmVar.c.c;
    }

    /**
     * Picks, from two locally trusted candidates, the certificate that matches the response's
     * responder ID.
     *
     * <p>If the ID is an octet string it is compared with the SHA-1 hash of each candidate's key
     * (see {@link #calcKeyHash}); otherwise it is compared with each candidate's subject name.
     * {@code x509Certificate2} is tried before {@code x509Certificate}.
     *
     * @param x509Certificate first candidate; the caller in this class passes the signing
     *     certificate from the validation parameters
     * @param x509Certificate2 second candidate; the caller in this class passes the configured
     *     responder certificate; may be null
     * @return the matching candidate, or {@code null} if neither matches
     */
    private static X509Certificate getSignerCert(dn0 dn0Var, X509Certificate x509Certificate, X509Certificate x509Certificate2, gr7 gr7Var) throws NoSuchProviderException, NoSuchAlgorithmException {
        m1 m1Var = dn0Var.c.e.c;
        byte[] bArr = m1Var instanceof o1 ? ((o1) m1Var).c : null;
        if (bArr != null) {
            // Responder identified by key hash.
            MessageDigest d2 = gr7Var.d("SHA1");
            if (x509Certificate2 != null && Arrays.equals(bArr, calcKeyHash(d2, x509Certificate2.getPublicKey()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && Arrays.equals(bArr, calcKeyHash(d2, x509Certificate.getPublicKey()))) {
                return x509Certificate;
            }
        } else {
            // Responder identified by name.
            ib0 ib0Var = ib0.h;
            caf h = caf.h(ib0Var, m1Var instanceof o1 ? null : caf.i(m1Var));
            if (x509Certificate2 != null && h.equals(caf.h(ib0Var, x509Certificate2.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && h.equals(caf.h(ib0Var, x509Certificate.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate;
            }
        }
        return null;
    }

    /**
     * Tells whether {@code x509Certificate} is the certificate named by a responder ID, using the
     * same key-hash or subject-name comparison as {@link #getSignerCert}.
     */
    private static boolean responderMatches(l0c l0cVar, X509Certificate x509Certificate, gr7 gr7Var) throws NoSuchProviderException, NoSuchAlgorithmException {
        m1 m1Var = l0cVar.c;
        caf cafVar = null;
        byte[] bArr = m1Var instanceof o1 ? ((o1) m1Var).c : null;
        if (bArr != null) {
            return Arrays.equals(bArr, calcKeyHash(gr7Var.d("SHA1"), x509Certificate.getPublicKey()));
        }
        ib0 ib0Var = ib0.h;
        if (!(m1Var instanceof o1)) {
            cafVar = caf.i(m1Var);
        }
        return caf.h(ib0Var, cafVar).equals(caf.h(ib0Var, x509Certificate.getSubjectX500Principal().getEncoded()));
    }

    /**
     * Verifies the signature on a basic OCSP response and, when a nonce was sent, that the
     * response echoes it.
     *
     * <p>The verification key comes from one of two places. If the responder ID matches the
     * signing certificate in {@code ssaVar} or the supplied responder certificate, that
     * certificate's key is used. Otherwise the first certificate embedded in the response is used,
     * after it has been verified against the signing certificate's key, found valid at the
     * validation date, matched to the responder ID, and found to carry the required extended key
     * usage (presumably id-kp-OCSPSigning; confirm zw7.f23934d).
     *
     * NOTE(review): only the first embedded certificate is considered, and no revocation check of
     * that delegated responder certificate is visible in this method.
     *
     * @param bArr expected nonce value, or {@code null} to skip the nonce comparison
     * @param x509Certificate explicitly configured responder certificate; may be null
     * @return {@code true} if the signature (and nonce, when given) checks out; {@code false} if
     *     the signature does not verify
     * @throws CertPathValidatorException if no responder certificate can be determined, the
     *     delegated certificate is unacceptable, the nonce differs, or a crypto/IO error occurs
     */
    public static boolean validatedOcspResponse(dn0 dn0Var, ssa ssaVar, byte[] bArr, X509Certificate x509Certificate, gr7 gr7Var) throws CertPathValidatorException {
        try {
            // Certificates embedded in the response; may be absent.
            s1 s1Var = dn0Var.f;
            Signature createSignature = gr7Var.createSignature(getSignatureName(dn0Var.f12389d));
            X509Certificate signerCert = getSignerCert(dn0Var, ssaVar.e, x509Certificate, gr7Var);
            if (signerCert == null && s1Var == null) {
                throw new CertPathValidatorException("OCSP responder certificate not found");
            }
            if (signerCert != null) {
                createSignature.initVerify(signerCert.getPublicKey());
            } else {
                // Delegated responder: take the first embedded certificate and require that the
                // signing certificate's key issued it.
                X509Certificate x509Certificate2 = (X509Certificate) gr7Var.r("X.509").generateCertificate(new ByteArrayInputStream(s1Var.t(0).f().getEncoded()));
                x509Certificate2.verify(ssaVar.e.getPublicKey());
                x509Certificate2.checkValidity(new Date(ssaVar.b.getTime()));
                if (!responderMatches(dn0Var.c.e, x509Certificate2, gr7Var)) {
                    throw new CertPathValidatorException("responder certificate does not match responderID", null, ssaVar.c, ssaVar.f20360d);
                }
                List<String> extendedKeyUsage = x509Certificate2.getExtendedKeyUsage();
                if (extendedKeyUsage == null || !extendedKeyUsage.contains(zw7.f23934d.c.c)) {
                    throw new CertPathValidatorException("responder certificate not valid for signing OCSP responses", null, ssaVar.c, ssaVar.f20360d);
                }
                createSignature.initVerify(x509Certificate2);
            }
            // The signature is computed over the DER encoding of the response data.
            createSignature.update(dn0Var.c.c("DER"));
            if (!createSignature.verify(dn0Var.e.r())) {
                return false;
            }
            // NOTE(review): if a nonce is expected but the response carries no such extension, the
            // chained dereference below would throw a NullPointerException, which is not caught
            // here; check() wraps it as "unable to process OCSP response". Confirm that is the
            // intended outcome for responders that omit the nonce.
            if (bArr != null && !Arrays.equals(bArr, dn0Var.c.h.h(cda.b).e.c)) {
                throw new CertPathValidatorException("nonce mismatch in OCSP response", null, ssaVar.c, ssaVar.f20360d);
            }
            return true;
        } catch (IOException e) {
            throw new CertPathValidatorException(zz0.d(e, m8.m("OCSP response failure: ")), e, ssaVar.c, ssaVar.f20360d);
        } catch (CertPathValidatorException e2) {
            throw e2;
        } catch (GeneralSecurityException e3) {
            StringBuilder m = m8.m("OCSP response failure: ");
            m.append(e3.getMessage());
            throw new CertPathValidatorException(m.toString(), e3, ssaVar.c, ssaVar.f20360d);
        }
    }

    /**
     * Checks the revocation status of {@code certificate} via OCSP.
     *
     * <p>Flow: determine the responder URI (parent setting, then "ocsp.responderURL", then the
     * certificate's own extension); use a pre-supplied response if one exists for this
     * certificate, otherwise fetch one through {@code OcspCache}; require a zero response status;
     * validate the basic response; then look for a single response whose serial number and CertID
     * match this certificate and act on its status.
     *
     * <p>Returns normally when a matching single response has status tag 0. It also returns
     * normally, without any status having been evaluated, when the response type is not the
     * expected one, when {@link #validatedOcspResponse} returns {@code false}, or when no single
     * response matches.
     * NOTE(review): confirm that the caller does not interpret those fall-through returns as
     * "certificate is good"; as written they are indistinguishable from a good status.
     *
     * @throws CertPathValidatorException if the certificate is reported revoked, the response is
     *     unsuccessful or cannot be processed, or (recoverable variant) no response is available
     *     or OCSP is disabled
     */
    /* JADX WARN: Multi-variable type inference failed */
    @Override // defpackage.rsa
    public void check(Certificate certificate) throws CertPathValidatorException {
        byte[] bArr;
        boolean z;
        X509Certificate x509Certificate = (X509Certificate) certificate;
        Map<X509Certificate, byte[]> ocspResponses = this.parent.getOcspResponses();
        URI ocspResponder = this.parent.getOcspResponder();
        if (ocspResponder == null) {
            if (this.ocspURL != null) {
                try {
                    ocspResponder = new URI(this.ocspURL);
                } catch (URISyntaxException e) {
                    StringBuilder m = m8.m("configuration error: ");
                    m.append(e.getMessage());
                    String sb = m.toString();
                    ssa ssaVar = this.parameters;
                    throw new CertPathValidatorException(sb, e, ssaVar.c, ssaVar.f20360d);
                }
            } else {
                // Last resort: responder location taken from the certificate being checked.
                ocspResponder = getOcspResponderURI(x509Certificate);
            }
        }
        URI uri = ocspResponder;
        if (ocspResponses.get(x509Certificate) != null || uri == null) {
            // A response was supplied up front (or there is nowhere to fetch one from): pick the
            // expected nonce, if any, out of the configured request extensions.
            List<Extension> ocspExtensions = this.parent.getOcspExtensions();
            bArr = null;
            for (int i = 0; i != ocspExtensions.size(); i++) {
                Extension extension = ocspExtensions.get(i);
                byte[] value = extension.getValue();
                // presumably the OCSP nonce extension OID (confirm cda.b)
                if (cda.b.c.equals(extension.getId())) {
                    bArr = value;
                }
            }
            // z == false: the response still has to be validated below.
            z = false;
        } else {
            // Fetching is only allowed if a responder was configured or "ocsp.enable" is set.
            if (this.ocspURL == null && this.parent.getOcspResponder() == null && !this.isEnabledOCSP) {
                ssa ssaVar2 = this.parameters;
                throw new RecoverableCertPathValidatorException("OCSP disabled by \"ocsp.enable\" setting", null, ssaVar2.c, ssaVar2.f20360d);
            }
            try {
                // The request CertID is built with the algorithm in hda.f (presumably SHA-1).
                ocspResponses.put(x509Certificate, OcspCache.getOcspResponse(createCertID(new tm(hda.f), extractCert(), new k1(x509Certificate.getSerialNumber())), this.parameters, uri, this.parent.getOcspResponderCert(), this.parent.getOcspExtensions(), this.helper).getEncoded());
                // z == true: validatedOcspResponse() is skipped below for this response.
                // NOTE(review): this relies on OcspCache.getOcspResponse() having verified the
                // signature and nonce itself; that code is not part of this file. Confirm.
                z = true;
                bArr = null;
            } catch (IOException e2) {
                ssa ssaVar3 = this.parameters;
                throw new CertPathValidatorException("unable to encode OCSP response", e2, ssaVar3.c, ssaVar3.f20360d);
            }
        }
        if (ocspResponses.isEmpty()) {
            ssa ssaVar4 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for any certificate", null, ssaVar4.c, ssaVar4.f20360d);
        }
        // Decompiler artefact: bArr2 is typed byte[] but tested with instanceof and compared with
        // 0. Read it as "parse the stored bytes into an OCSP response object".
        byte[] bArr2 = ocspResponses.get(x509Certificate);
        eda edaVar = bArr2 instanceof eda ? (eda) bArr2 : bArr2 != 0 ? new eda(s1.s(bArr2)) : null;
        k1 k1Var = new k1(x509Certificate.getSerialNumber());
        if (edaVar == null) {
            ssa ssaVar5 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for certificate", null, ssaVar5.c, ssaVar5.f20360d);
        }
        // Any non-zero response status is a hard failure.
        if (edaVar.c.c.s() != 0) {
            StringBuilder m2 = m8.m("OCSP response failed: ");
            g1 g1Var = edaVar.c.c;
            g1Var.getClass();
            m2.append(new BigInteger(g1Var.c));
            String sb2 = m2.toString();
            ssa ssaVar6 = this.parameters;
            throw new CertPathValidatorException(sb2, null, ssaVar6.c, ssaVar6.f20360d);
        }
        q0c h = q0c.h(edaVar.f12768d);
        // presumably: response type is id-pkix-ocsp-basic (confirm cda.f2995a). Any other type
        // skips the whole block and the method returns normally.
        if (h.c.m(cda.f2995a)) {
            try {
                dn0 h2 = dn0.h(h.f18946d.c);
                if (z || validatedOcspResponse(h2, this.parameters, bArr, this.parent.getOcspResponderCert(), this.helper)) {
                    s1 s1Var = r0c.h(h2.c).g;
                    qc1 qc1Var = null;
                    for (int i2 = 0; i2 != s1Var.size(); i2++) {
                        e1 t = s1Var.t(i2);
                        zvc zvcVar = t instanceof zvc ? (zvc) t : t != null ? new zvc(s1.s(t)) : null;
                        // Only single responses for this certificate's serial number are considered.
                        if (k1Var.m(zvcVar.c.f)) {
                            i1 i1Var = zvcVar.f;
                            if (i1Var != null) {
                                ssa ssaVar7 = this.parameters;
                                ssaVar7.getClass();
                                // Reject when the validation date is after this time (presumably
                                // nextUpdate; confirm zvc.f).
                                // NOTE(review): no lower-bound (thisUpdate) check is visible here.
                                if (new Date(ssaVar7.b.getTime()).after(i1Var.t())) {
                                    throw new ExtCertPathValidatorException();
                                }
                            }
                            // Rebuild the expected CertID only when the previously built one is
                            // missing or differs in field c (presumably the hash algorithm).
                            if (qc1Var == null || !qc1Var.c.equals(zvcVar.c.c)) {
                                qc1Var = createCertID(zvcVar.c, extractCert(), k1Var);
                            }
                            // A serial match alone is not enough; the full CertID must match.
                            if (qc1Var.equals(zvcVar.c)) {
                                rc1 rc1Var = zvcVar.f23926d;
                                int i3 = rc1Var.c;
                                // Status tag 0: accept.
                                if (i3 == 0) {
                                    return;
                                }
                                // Any tag other than 0 or 1 is reported as revoked without details.
                                if (i3 != 1) {
                                    ssa ssaVar8 = this.parameters;
                                    throw new CertPathValidatorException("certificate revoked, details unknown", null, ssaVar8.c, ssaVar8.f20360d);
                                }
                                // Status tag 1: report reason and date from the revocation info.
                                m1 m1Var = rc1Var.f19607d;
                                x1c x1cVar = !(m1Var instanceof x1c) ? m1Var != null ? new x1c(s1.s(m1Var)) : null : (x1c) m1Var;
                                String str = "certificate revoked, reason=(" + x1cVar.f22515d + "), date=" + x1cVar.c.t();
                                ssa ssaVar9 = this.parameters;
                                throw new CertPathValidatorException(str, null, ssaVar9.c, ssaVar9.f20360d);
                            }
                        }
                    }
                }
            } catch (CertPathValidatorException e3) {
                throw e3;
            } catch (Exception e4) {
                // Any other failure while parsing or validating is a hard failure.
                ssa ssaVar10 = this.parameters;
                throw new CertPathValidatorException("unable to process OCSP response", e4, ssaVar10.c, ssaVar10.f20360d);
            }
        }
    }

    /** Always returns {@code null}; this class records no soft-fail exceptions. */
    public List<CertPathValidatorException> getSoftFailExceptions() {
        return null;
    }

    /** Always returns {@code null}. */
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Resets the checker: clears the validation parameters and re-reads the "ocsp.enable" and
     * "ocsp.responderURL" settings.
     *
     * @param z {@code true} requests forward checking, which is rejected
     * @throws CertPathValidatorException if forward checking is requested
     */
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.parameters = null;
        this.isEnabledOCSP = xhb.b("ocsp.enable");
        this.ocspURL = xhb.a("ocsp.responderURL");
    }

    /**
     * Stores the validation parameters for subsequent checks and re-reads the "ocsp.enable" and
     * "ocsp.responderURL" settings.
     */
    @Override // defpackage.rsa
    public void initialize(ssa ssaVar) {
        this.parameters = ssaVar;
        this.isEnabledOCSP = xhb.b("ocsp.enable");
        this.ocspURL = xhb.a("ocsp.responderURL");
    }

    /** Always returns {@code false}; see {@link #init(boolean)}. */
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** No-op: the arguments are ignored. */
    public void setParameter(String str, Object obj) {
    }
}
