package org.conscrypt.ct;

import com.miui.miapm.block.core.MethodRecorder;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.conscrypt.NativeCrypto;
import org.conscrypt.OpenSSLX509Certificate;
import org.conscrypt.ct.SignedCertificateTimestamp;
import org.conscrypt.ct.VerifiedSCT;

/* loaded from: classes8.dex */
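/**
 * Gathers the Signed Certificate Timestamps (SCTs) presented for a certificate chain and
 * records a {@link VerifiedSCT.Status} for each one in a {@link CTVerificationResult}.
 *
 * <p>SCTs are read from three places: the TLS extension data, a stapled OCSP response and the
 * extension embedded in the first certificate of the chain.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Every parsing failure is swallowed and turned into an empty list, so malformed SCT
 *       data cannot be told apart from absent SCT data in the result. A caller that enforces
 *       Certificate Transparency has to treat "no valid SCT" as a failure on its own.</li>
 *   <li>As written in this file, {@link #verifySingleSCT} never reports a valid SCT; see the
 *       note on that method.</li>
 * </ul>
 *
 * <p>The {@code MethodRecorder.i(..)} / {@code MethodRecorder.o(..)} pairs are kept exactly as
 * found; they look like injected enter/exit tracing and take no part in the verification.
 */
public class CTVerifier {
    /** OID of the X.509v3 certificate extension that carries an embedded SCT list (RFC 6962). */
    private static final String EMBEDDED_SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2";

    /** OID of the OCSP single-response extension that carries an SCT list (RFC 6962). */
    private static final String OCSP_SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.5";

    /** Source of the CT logs that SCT log ids are looked up in. */
    private final CTLogStore store;

    /**
     * Creates a verifier backed by the given log store.
     *
     * @param cTLogStore store queried by log id for every SCT; not checked for {@code null} here
     */
    public CTVerifier(CTLogStore cTLogStore) {
        this.store = cTLogStore;
    }

    /**
     * Extracts the SCT list from a stapled OCSP response.
     *
     * @param ocspResponse raw OCSP response, or {@code null} when none was stapled
     * @param chain certificate chain; the first two entries are handed to the native lookup
     * @return the decoded SCTs tagged {@code OCSP_RESPONSE}; empty when there is no response,
     *     the chain has fewer than two certificates, the extension is missing or it cannot
     *     be parsed
     */
    private List<SignedCertificateTimestamp> getSCTsFromOCSPResponse(byte[] ocspResponse, OpenSSLX509Certificate[] chain) {
        MethodRecorder.i(60575);
        if (ocspResponse == null || chain.length < 2) {
            MethodRecorder.o(60575);
            return Collections.emptyList();
        }
        // chain[1] is presumably the issuer of chain[0]; confirm against the native signature.
        OpenSSLX509Certificate leaf = chain[0];
        OpenSSLX509Certificate issuer = chain[1];
        byte[] extension = NativeCrypto.get_ocsp_single_extension(
                ocspResponse, OCSP_SCT_LIST_OID, leaf.getContext(), leaf, issuer.getContext(), issuer);
        if (extension == null) {
            MethodRecorder.o(60575);
            return Collections.emptyList();
        }
        List<SignedCertificateTimestamp> scts;
        try {
            // Two OCTET STRING layers are unwrapped before the SCT list itself is reached.
            byte[] sctList = Serialization.readDEROctetString(Serialization.readDEROctetString(extension));
            scts = getSCTsFromSCTList(sctList, SignedCertificateTimestamp.Origin.OCSP_RESPONSE);
        } catch (SerializationException ignored) {
            // Deliberate best effort: an unparsable extension is reported as "no SCTs".
            scts = Collections.emptyList();
        }
        MethodRecorder.o(60575);
        return scts;
    }

    /**
     * Decodes a serialized SCT list.
     *
     * @param sctList serialized list, or {@code null}
     * @param origin channel the list came from, stored on every decoded SCT
     * @return the SCTs that decoded successfully; empty when {@code sctList} is {@code null}
     *     or the list framing cannot be read
     */
    private static List<SignedCertificateTimestamp> getSCTsFromSCTList(byte[] sctList, SignedCertificateTimestamp.Origin origin) {
        MethodRecorder.i(60569);
        if (sctList == null) {
            MethodRecorder.o(60569);
            return Collections.emptyList();
        }
        byte[][] encodedScts;
        try {
            // NOTE(review): the two 2s are presumably the length-prefix widths of the list and
            // of each element; confirm against Serialization.readList.
            encodedScts = Serialization.readList(sctList, 2, 2);
        } catch (SerializationException ignored) {
            // Deliberate best effort: broken list framing is reported as "no SCTs".
            MethodRecorder.o(60569);
            return Collections.emptyList();
        }
        // Typed list instead of the raw ArrayList the decompiler emitted.
        List<SignedCertificateTimestamp> decoded = new ArrayList<>();
        for (byte[] encodedSct : encodedScts) {
            try {
                decoded.add(SignedCertificateTimestamp.decode(encodedSct, origin));
            } catch (SerializationException ignored) {
                // A single undecodable entry is dropped without a trace in the result; the
                // remaining entries are still returned.
            }
        }
        MethodRecorder.o(60569);
        return decoded;
    }

    /**
     * Decodes the SCT list delivered in the TLS extension.
     *
     * @param tlsData extension payload, or {@code null} when the peer sent none
     * @return the decoded SCTs tagged {@code TLS_EXTENSION}; possibly empty
     */
    private List<SignedCertificateTimestamp> getSCTsFromTLSExtension(byte[] tlsData) {
        MethodRecorder.i(60571);
        List<SignedCertificateTimestamp> scts = getSCTsFromSCTList(tlsData, SignedCertificateTimestamp.Origin.TLS_EXTENSION);
        MethodRecorder.o(60571);
        return scts;
    }

    /**
     * Decodes the SCT list embedded in a certificate.
     *
     * @param leaf certificate whose embedded SCT extension is read
     * @return the decoded SCTs tagged {@code EMBEDDED}; empty when the extension is absent or
     *     cannot be parsed
     */
    private List<SignedCertificateTimestamp> getSCTsFromX509Extension(OpenSSLX509Certificate leaf) {
        MethodRecorder.i(60578);
        byte[] extensionValue = leaf.getExtensionValue(EMBEDDED_SCT_LIST_OID);
        if (extensionValue == null) {
            MethodRecorder.o(60578);
            return Collections.emptyList();
        }
        List<SignedCertificateTimestamp> scts;
        try {
            // Two OCTET STRING layers are unwrapped before the SCT list itself is reached.
            byte[] sctList = Serialization.readDEROctetString(Serialization.readDEROctetString(extensionValue));
            scts = getSCTsFromSCTList(sctList, SignedCertificateTimestamp.Origin.EMBEDDED);
        } catch (SerializationException ignored) {
            // Deliberate best effort: an unparsable extension is reported as "no SCTs".
            scts = Collections.emptyList();
        }
        MethodRecorder.o(60578);
        return scts;
    }

    /**
     * Records every SCT in {@code scts} with status {@code INVALID_SCT}.
     *
     * @param scts SCTs that could not be checked
     * @param result collector the entries are added to
     */
    private void markSCTsAsInvalid(List<SignedCertificateTimestamp> scts, CTVerificationResult result) {
        MethodRecorder.i(60567);
        for (SignedCertificateTimestamp sct : scts) {
            result.add(new VerifiedSCT(sct, VerifiedSCT.Status.INVALID_SCT));
        }
        MethodRecorder.o(60567);
    }

    /**
     * Checks SCTs that were embedded in the certificate, using a precertificate entry built
     * from the first two certificates of the chain.
     *
     * @param scts embedded SCTs; nothing is recorded when the list is empty
     * @param chain certificate chain; with fewer than two entries every SCT is marked invalid
     * @param result collector the outcome of each SCT is added to
     */
    private void verifyEmbeddedSCTs(List<SignedCertificateTimestamp> scts, OpenSSLX509Certificate[] chain, CTVerificationResult result) {
        MethodRecorder.i(60562);
        if (scts.isEmpty()) {
            MethodRecorder.o(60562);
            return;
        }
        CertificateEntry precertEntry = null;
        if (chain.length >= 2) {
            try {
                precertEntry = CertificateEntry.createForPrecertificate(chain[0], chain[1]);
            } catch (CertificateException ignored) {
                // Falls through with a null entry, which marks every SCT invalid below.
            }
        }
        if (precertEntry == null) {
            markSCTsAsInvalid(scts, result);
        } else {
            for (SignedCertificateTimestamp sct : scts) {
                result.add(new VerifiedSCT(sct, verifySingleSCT(sct, precertEntry)));
            }
        }
        MethodRecorder.o(60562);
    }

    /**
     * Checks SCTs that arrived outside the certificate (TLS extension or OCSP response),
     * using an entry built from the certificate itself.
     *
     * @param scts external SCTs; nothing is recorded when the list is empty
     * @param leaf certificate the SCTs are supposed to cover
     * @param result collector the outcome of each SCT is added to
     */
    private void verifyExternalSCTs(List<SignedCertificateTimestamp> scts, OpenSSLX509Certificate leaf, CTVerificationResult result) {
        MethodRecorder.i(60565);
        if (scts.isEmpty()) {
            MethodRecorder.o(60565);
            return;
        }
        // The try deliberately spans the loop as in the original, so a CertificateException
        // raised anywhere inside it marks the whole list invalid.
        try {
            CertificateEntry x509Entry = CertificateEntry.createForX509Certificate(leaf);
            for (SignedCertificateTimestamp sct : scts) {
                result.add(new VerifiedSCT(sct, verifySingleSCT(sct, x509Entry)));
            }
        } catch (CertificateException ignored) {
            markSCTsAsInvalid(scts, result);
        }
        MethodRecorder.o(60565);
    }

    /**
     * Determines the status of one SCT.
     *
     * <p>NOTE(review): the log returned by {@code store.getKnownLog(..)} is discarded and the
     * method returns {@code UNKNOWN_LOG} unconditionally. In this form no SCT signature is
     * ever checked and no SCT can be reported as valid, whatever the log store contains.
     * This is presumably an artifact of code shrinking or decompilation; confirm against the
     * library's original source before relying on this class for a CT decision.
     *
     * @param signedCertificateTimestamp SCT whose log id is looked up
     * @param certificateEntry entry the SCT should cover; not used by the code as written
     * @return always {@code VerifiedSCT.Status.UNKNOWN_LOG}
     */
    private VerifiedSCT.Status verifySingleSCT(SignedCertificateTimestamp signedCertificateTimestamp, CertificateEntry certificateEntry) {
        MethodRecorder.i(60566);
        // Kept for behavioural parity: the call is made, its result is unused.
        this.store.getKnownLog(signedCertificateTimestamp.getLogID());
        MethodRecorder.o(60566);
        return VerifiedSCT.Status.UNKNOWN_LOG;
    }

    /**
     * Converts the chain to {@link OpenSSLX509Certificate}s and delegates to the array overload.
     *
     * @param list certificate chain, first certificate first; must not be empty
     * @param bArr SCT list from the TLS extension, or {@code null}
     * @param bArr2 stapled OCSP response, or {@code null}
     * @return the status recorded for every SCT that could be decoded
     * @throws CertificateEncodingException declared by the original signature; presumably
     *     raised when a certificate cannot be converted
     * @throws IllegalArgumentException if the chain is empty
     */
    public CTVerificationResult verifySignedCertificateTimestamps(List<X509Certificate> list, byte[] bArr, byte[] bArr2) throws CertificateEncodingException {
        MethodRecorder.i(60556);
        OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[list.size()];
        int index = 0;
        for (X509Certificate certificate : list) {
            chain[index++] = OpenSSLX509Certificate.fromCertificate(certificate);
        }
        CTVerificationResult result = verifySignedCertificateTimestamps(chain, bArr, bArr2);
        MethodRecorder.o(60556);
        return result;
    }

    /**
     * Collects the SCTs from the TLS extension, the OCSP response and the first certificate,
     * and records a status for each of them.
     *
     * @param openSSLX509CertificateArr certificate chain, first certificate first
     * @param bArr SCT list from the TLS extension, or {@code null}
     * @param bArr2 stapled OCSP response, or {@code null}
     * @return the status recorded for every SCT that could be decoded; empty when none was
     *     presented or none could be parsed
     * @throws CertificateEncodingException declared by the original signature
     * @throws IllegalArgumentException if the chain is empty
     */
    public CTVerificationResult verifySignedCertificateTimestamps(OpenSSLX509Certificate[] openSSLX509CertificateArr, byte[] bArr, byte[] bArr2) throws CertificateEncodingException {
        MethodRecorder.i(60560);
        if (openSSLX509CertificateArr.length == 0) {
            IllegalArgumentException emptyChain = new IllegalArgumentException("Chain of certificates mustn't be empty.");
            MethodRecorder.o(60560);
            throw emptyChain;
        }
        OpenSSLX509Certificate leaf = openSSLX509CertificateArr[0];
        CTVerificationResult result = new CTVerificationResult();
        // Order matters for the order of entries in the result: TLS, then OCSP, then embedded.
        verifyExternalSCTs(getSCTsFromTLSExtension(bArr), leaf, result);
        verifyExternalSCTs(getSCTsFromOCSPResponse(bArr2, openSSLX509CertificateArr), leaf, result);
        verifyEmbeddedSCTs(getSCTsFromX509Extension(openSSLX509CertificateArr[0]), openSSLX509CertificateArr, result);
        MethodRecorder.o(60560);
        return result;
    }
}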
