package org.bouncycastle.jce.provider;

import defpackage.a0c;
import defpackage.asa;
import defpackage.bw3;
import defpackage.de;
import defpackage.dn0;
import defpackage.e1;
import defpackage.esa;
import defpackage.f70;
import defpackage.fsa;
import defpackage.fv2;
import defpackage.fv3;
import defpackage.fy2;
import defpackage.g1;
import defpackage.g1c;
import defpackage.hh4;
import defpackage.hy2;
import defpackage.i1;
import defpackage.i3a;
import defpackage.ihb;
import defpackage.jc0;
import defpackage.k1;
import defpackage.k9f;
import defpackage.ke0;
import defpackage.lmb;
import defpackage.m1;
import defpackage.mb0;
import defpackage.n;
import defpackage.n1;
import defpackage.o1;
import defpackage.o6d;
import defpackage.paf;
import defpackage.pca;
import defpackage.qc1;
import defpackage.rc1;
import defpackage.rca;
import defpackage.s1;
import defpackage.sc1;
import defpackage.t6;
import defpackage.uca;
import defpackage.uzb;
import defpackage.v3c;
import defpackage.vm;
import defpackage.vw7;
import defpackage.wl7;
import defpackage.xd9;
import defpackage.xuc;
import defpackage.y06;
import defpackage.y1;
import defpackage.zq7;
import defpackage.zzb;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.Extension;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
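/**
 * OCSP-based revocation checker that works on behalf of a {@link ProvRevocationChecker}.
 *
 * <p>This listing is JADX decompiler output. Types imported from {@code defpackage} carry
 * obfuscated names, so comments that say what such a type or field "presumably" is are
 * reviewer inferences, not facts established by this file. Two methods
 * ({@link #getOcspResponderURI} and {@link #check}) contain expressions JADX could not type
 * (for example {@code bArr != 0} on a {@code byte[]}); they are kept exactly as decompiled.
 *
 * <p>Fail-closed behaviour of {@link #check}: the method returns normally only when a
 * matching single response reports status {@code 0}. A response whose signature does not
 * verify, or that carries no status for the certificate, raises an exception instead of
 * being treated as "not revoked".
 */
public class ProvOcspRevocationChecker implements esa {
    // Neither default is referenced anywhere else in this class.
    private static final int DEFAULT_OCSP_MAX_RESPONSE_SIZE = 32768;
    private static final int DEFAULT_OCSP_TIMEOUT = 15000;
    // Signature algorithm OID -> JCA signature name, consulted by getSignatureName().
    private static final Map oids;
    private final zq7 helper;
    private boolean isEnabledOCSP;
    private String ocspURL;
    private fsa parameters;
    private final ProvRevocationChecker parent;

    static {
        // NOTE(review): the table names MD2-, MD5- and SHA-1-based signatures. Whether a
        // response signed with one of them is accepted depends on what the provider behind
        // helper.createSignature() still supports - consider rejecting them explicitly.
        HashMap hashMap = new HashMap();
        oids = hashMap;
        hashMap.put(new n1("1.2.840.113549.1.1.5"), "SHA1WITHRSA");
        hashMap.put(asa.G0, "SHA224WITHRSA");
        hashMap.put(asa.D0, "SHA256WITHRSA");
        hashMap.put(asa.E0, "SHA384WITHRSA");
        hashMap.put(asa.F0, "SHA512WITHRSA");
        hashMap.put(fv2.m, "GOST3411WITHGOST3410");
        hashMap.put(fv2.n, "GOST3411WITHECGOST3410");
        hashMap.put(v3c.g, "GOST3411-2012-256WITHECGOST3410-2012-256");
        hashMap.put(v3c.h, "GOST3411-2012-512WITHECGOST3410-2012-512");
        hashMap.put(jc0.f15266a, "SHA1WITHPLAIN-ECDSA");
        hashMap.put(jc0.b, "SHA224WITHPLAIN-ECDSA");
        hashMap.put(jc0.c, "SHA256WITHPLAIN-ECDSA");
        hashMap.put(jc0.f15267d, "SHA384WITHPLAIN-ECDSA");
        hashMap.put(jc0.e, "SHA512WITHPLAIN-ECDSA");
        hashMap.put(jc0.f, "RIPEMD160WITHPLAIN-ECDSA");
        hashMap.put(bw3.f2724a, "SHA1WITHCVC-ECDSA");
        hashMap.put(bw3.b, "SHA224WITHCVC-ECDSA");
        hashMap.put(bw3.c, "SHA256WITHCVC-ECDSA");
        hashMap.put(bw3.f2725d, "SHA384WITHCVC-ECDSA");
        hashMap.put(bw3.e, "SHA512WITHCVC-ECDSA");
        hashMap.put(wl7.f22312a, "XMSS");
        hashMap.put(wl7.b, "XMSSMT");
        hashMap.put(new n1("1.2.840.113549.1.1.4"), "MD5WITHRSA");
        hashMap.put(new n1("1.2.840.113549.1.1.2"), "MD2WITHRSA");
        hashMap.put(new n1("1.2.840.10040.4.3"), "SHA1WITHDSA");
        hashMap.put(paf.P1, "SHA1WITHECDSA");
        hashMap.put(paf.S1, "SHA224WITHECDSA");
        hashMap.put(paf.T1, "SHA256WITHECDSA");
        hashMap.put(paf.U1, "SHA384WITHECDSA");
        hashMap.put(paf.V1, "SHA512WITHECDSA");
        hashMap.put(uca.h, "SHA1WITHRSA");
        hashMap.put(uca.g, "SHA1WITHDSA");
        hashMap.put(i3a.P, "SHA224WITHDSA");
        hashMap.put(i3a.Q, "SHA256WITHDSA");
    }

    /**
     * Creates a checker bound to its owning revocation checker.
     *
     * @param provRevocationChecker parent that supplies responder settings and cached responses
     * @param zq7Var helper used to obtain digests, signatures and certificate factories
     */
    public ProvOcspRevocationChecker(ProvRevocationChecker provRevocationChecker, zq7 zq7Var) {
        this.parent = provRevocationChecker;
        this.helper = zq7Var;
    }

    /**
     * Digests the key material of a public key.
     *
     * @param messageDigest digest to use; it is consumed by the call
     * @param publicKey key whose encoding is parsed with {@code o6d.h}
     *     (presumably SubjectPublicKeyInfo; the digested bytes are presumably its key bits)
     * @return the digest value
     */
    private static byte[] calcKeyHash(MessageDigest messageDigest, PublicKey publicKey) {
        return messageDigest.digest(o6d.h(publicKey.getEncoded()).f17922d.r());
    }

    /**
     * Builds a certificate ID that reuses the hash algorithm of an existing one.
     *
     * @param qc1Var existing ID whose algorithm field {@code c} is reused
     * @param sc1Var parsed certificate supplying the hashed name and key
     * @param k1Var serial number placed in the new ID
     * @return the new ID
     * @throws CertPathValidatorException if the ID cannot be built
     */
    private qc1 createCertID(qc1 qc1Var, sc1 sc1Var, k1 k1Var) throws CertPathValidatorException {
        return createCertID(qc1Var.c, sc1Var, k1Var);
    }

    /**
     * Builds a certificate ID from two digests over fields of {@code sc1Var} plus a serial number.
     *
     * @param vmVar algorithm identifier naming the digest to use
     * @param sc1Var parsed certificate (presumably the issuer) supplying name and key
     * @param k1Var serial number of the certificate being checked
     * @return the new ID
     * @throws CertPathValidatorException wrapping any failure while digesting or encoding
     */
    private qc1 createCertID(vm vmVar, sc1 sc1Var, k1 k1Var) throws CertPathValidatorException {
        try {
            MessageDigest d2 = this.helper.d(xd9.a(vmVar.c));
            // digest() resets the MessageDigest, so one instance serves both hashes
            hy2 nameHash = new hy2(d2.digest(sc1Var.f20067d.j.c("DER")));
            hy2 keyHash = new hy2(d2.digest(sc1Var.f20067d.k.f17922d.r()));
            return new qc1(vmVar, nameHash, keyHash, k1Var);
        } catch (Exception e) {
            throw new CertPathValidatorException("problem creating ID: " + e, e);
        }
    }

    /**
     * Re-parses the certificate held in {@code parameters.e} (the "signing cert" of the error
     * message below) into the ASN.1 structure used by {@link #createCertID}.
     *
     * @return the parsed certificate
     * @throws CertPathValidatorException if the certificate cannot be encoded or parsed
     */
    private sc1 extractCert() throws CertPathValidatorException {
        try {
            return sc1.h(this.parameters.e.getEncoded());
        } catch (Exception e) {
            String a2 = de.a(e, fv3.c("cannot process signing cert: "));
            fsa fsaVar = this.parameters;
            throw new CertPathValidatorException(a2, e, fsaVar.c, fsaVar.f13444d);
        }
    }

    /**
     * Returns the digest name for an OID with its first hyphen removed, unless the name starts
     * with {@code "SHA3"}. Given a name such as {@code "SHA-256"} the result is
     * {@code "SHA256"}.
     *
     * @param n1Var digest algorithm OID
     * @return the normalised digest name
     */
    private static String getDigestName(n1 n1Var) {
        String a2 = xd9.a(n1Var);
        int indexOf = a2.indexOf('-');
        if (indexOf > 0 && !a2.startsWith("SHA3")) {
            a2 = a2.substring(0, indexOf) + a2.substring(indexOf + 1);
        }
        return a2;
    }

    /**
     * Extracts a responder URI from the certificate extension identified by {@code hh4.x}
     * (presumably Authority Information Access).
     *
     * <p>The returned URI is read from the certificate under validation, i.e. it is chosen by
     * whoever issued or presented that certificate. Code that connects to it should apply its
     * own scheme and destination restrictions.
     *
     * @param x509Certificate certificate to inspect
     * @return the first entry whose access method matches {@code t6.e} and whose location has
     *     tag 6 and parses as a URI, or {@code null} if the extension is absent or no entry
     *     qualifies
     */
    /* JADX WARN: Multi-variable type inference failed */
    public static URI getOcspResponderURI(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(hh4.x.c);
        if (extensionValue == null) {
            return null;
        }
        byte[] bArr = o1.s(extensionValue).c;
        // Decompiler artifact (inlined factory with failed type inference); kept as decompiled.
        t6[] t6VarArr = (bArr instanceof f70 ? (f70) bArr : bArr != 0 ? new f70(s1.s(bArr)) : null).c;
        int length = t6VarArr.length;
        t6[] t6VarArr2 = new t6[length];
        System.arraycopy(t6VarArr, 0, t6VarArr2, 0, t6VarArr.length);
        for (int i = 0; i != length; i++) {
            t6 t6Var = t6VarArr2[i];
            if (t6.e.m(t6Var.c)) {
                y06 y06Var = t6Var.f20496d;
                if (y06Var.f22990d == 6) {
                    try {
                        return new URI(((y1) y06Var.c).g());
                    } catch (URISyntaxException unused) {
                        // Malformed entry: skip it and try the next access description.
                        continue;
                    }
                } else {
                    continue;
                }
            }
        }
        return null;
    }

    /**
     * Maps a signature algorithm identifier to the name passed to
     * {@code helper.createSignature}.
     *
     * @param vmVar signature algorithm identifier from the response
     * @return for algorithm {@code asa.C0} with real parameters, the digest name followed by
     *     {@code "WITHRSAANDMGF1"}; otherwise the {@link #oids} entry, or the OID string
     *     itself when the table has no entry
     */
    private static String getSignatureName(vm vmVar) {
        e1 e1Var = vmVar.f21782d;
        // fy2.c is presumably the ASN.1 NULL singleton and asa.C0 presumably RSASSA-PSS.
        if (e1Var != null && !fy2.c.l(e1Var) && vmVar.c.m(asa.C0)) {
            return n.e(new StringBuilder(), getDigestName(lmb.h(e1Var).c.c), "WITHRSAANDMGF1");
        }
        Map map = oids;
        return map.containsKey(vmVar.c) ? (String) map.get(vmVar.c) : vmVar.c.c;
    }

    /**
     * Picks, from two locally known certificates, the one identified by the response's
     * responder ID.
     *
     * <p>When the ID carries octets it is compared with a SHA1 digest of each candidate's key
     * (the algorithm name is fixed by the ID format, it is not a signature check); otherwise
     * it is compared with each candidate's subject name.
     *
     * @param dn0Var parsed basic response
     * @param x509Certificate second candidate (callers in this class pass {@code parameters.e})
     * @param x509Certificate2 first candidate (callers pass the configured responder cert)
     * @param zq7Var helper supplying the digest
     * @return the matching candidate, or {@code null} when neither matches
     */
    private static X509Certificate getSignerCert(dn0 dn0Var, X509Certificate x509Certificate, X509Certificate x509Certificate2, zq7 zq7Var) throws NoSuchProviderException, NoSuchAlgorithmException {
        m1 m1Var = dn0Var.c.e.c;
        byte[] bArr = m1Var instanceof o1 ? ((o1) m1Var).c : null;
        if (bArr != null) {
            MessageDigest d2 = zq7Var.d("SHA1");
            if (x509Certificate2 != null && Arrays.equals(bArr, calcKeyHash(d2, x509Certificate2.getPublicKey()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && Arrays.equals(bArr, calcKeyHash(d2, x509Certificate.getPublicKey()))) {
                return x509Certificate;
            }
        } else {
            mb0 mb0Var = mb0.h;
            k9f h = k9f.h(mb0Var, m1Var instanceof o1 ? null : k9f.i(m1Var));
            if (x509Certificate2 != null && h.equals(k9f.h(mb0Var, x509Certificate2.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && h.equals(k9f.h(mb0Var, x509Certificate.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate;
            }
        }
        return null;
    }

    /**
     * Tests whether a certificate is the one named by a responder ID, using the same
     * key-digest or subject-name comparison as {@link #getSignerCert}.
     *
     * @param uzbVar responder ID from the response
     * @param x509Certificate certificate shipped inside the response
     * @param zq7Var helper supplying the digest
     * @return {@code true} when the certificate matches the ID
     */
    private static boolean responderMatches(uzb uzbVar, X509Certificate x509Certificate, zq7 zq7Var) throws NoSuchProviderException, NoSuchAlgorithmException {
        m1 m1Var = uzbVar.c;
        k9f k9fVar = null;
        byte[] bArr = m1Var instanceof o1 ? ((o1) m1Var).c : null;
        if (bArr != null) {
            return Arrays.equals(bArr, calcKeyHash(zq7Var.d("SHA1"), x509Certificate.getPublicKey()));
        }
        mb0 mb0Var = mb0.h;
        if (!(m1Var instanceof o1)) {
            k9fVar = k9f.i(m1Var);
        }
        return k9f.h(mb0Var, k9fVar).equals(k9f.h(mb0Var, x509Certificate.getSubjectX500Principal().getEncoded()));
    }

    /**
     * Verifies the signature on a basic OCSP response and, when a nonce was sent, that the
     * response echoes it.
     *
     * <p>The verification key comes from a locally known certificate if the responder ID
     * matches one ({@link #getSignerCert}). Otherwise the first certificate embedded in the
     * response is used, but only after it is verified against the key of {@code fsaVar.e},
     * is valid at the date in {@code fsaVar.b}, matches the responder ID, and lists the
     * extended key usage {@code vw7.f21943d} (presumably OCSP signing).
     *
     * <p>NOTE(review): no revocation check of that embedded responder certificate is visible
     * here - confirm whether it is handled elsewhere.
     *
     * @param dn0Var parsed basic response
     * @param fsaVar validation parameters; also supplies context for exceptions
     * @param bArr nonce value expected in the response, or {@code null} to skip the nonce check
     * @param x509Certificate explicitly configured responder certificate, may be {@code null}
     * @param zq7Var helper supplying signature, digest and certificate factory instances
     * @return {@code true} when the signature verifies (and the nonce, if any, matches);
     *     {@code false} when the signature does not verify - callers must treat that as a
     *     failure, as {@link #check} does
     * @throws CertPathValidatorException if no responder certificate can be found, the embedded
     *     certificate is unsuitable, the nonce is absent or different, or processing fails
     */
    public static boolean validatedOcspResponse(dn0 dn0Var, fsa fsaVar, byte[] bArr, X509Certificate x509Certificate, zq7 zq7Var) throws CertPathValidatorException {
        try {
            s1 s1Var = dn0Var.f;
            Signature createSignature = zq7Var.createSignature(getSignatureName(dn0Var.f12343d));
            X509Certificate signerCert = getSignerCert(dn0Var, fsaVar.e, x509Certificate, zq7Var);
            if (signerCert == null && s1Var == null) {
                throw new CertPathValidatorException("OCSP responder certificate not found");
            }
            if (signerCert != null) {
                createSignature.initVerify(signerCert.getPublicKey());
            } else {
                X509Certificate x509Certificate2 = (X509Certificate) zq7Var.j("X.509").generateCertificate(new ByteArrayInputStream(s1Var.t(0).f().getEncoded()));
                x509Certificate2.verify(fsaVar.e.getPublicKey());
                x509Certificate2.checkValidity(new Date(fsaVar.b.getTime()));
                if (!responderMatches(dn0Var.c.e, x509Certificate2, zq7Var)) {
                    throw new CertPathValidatorException("responder certificate does not match responderID", null, fsaVar.c, fsaVar.f13444d);
                }
                List<String> extendedKeyUsage = x509Certificate2.getExtendedKeyUsage();
                if (extendedKeyUsage == null || !extendedKeyUsage.contains(vw7.f21943d.c.c)) {
                    throw new CertPathValidatorException("responder certificate not valid for signing OCSP responses", null, fsaVar.c, fsaVar.f13444d);
                }
                createSignature.initVerify(x509Certificate2);
            }
            createSignature.update(dn0Var.c.c("DER"));
            if (!createSignature.verify(dn0Var.e.r())) {
                return false;
            }
            if (bArr != null) {
                // A response without extensions, or without the nonce extension, used to end in
                // a NullPointerException here; it is now reported as the mismatch it is.
                if (dn0Var.c.h == null || dn0Var.c.h.h(pca.b) == null
                        || !Arrays.equals(bArr, dn0Var.c.h.h(pca.b).e.c)) {
                    throw new CertPathValidatorException("nonce mismatch in OCSP response", null, fsaVar.c, fsaVar.f13444d);
                }
            }
            return true;
        } catch (IOException e) {
            throw new CertPathValidatorException(ke0.f(e, fv3.c("OCSP response failure: ")), e, fsaVar.c, fsaVar.f13444d);
        } catch (CertPathValidatorException e2) {
            throw e2;
        } catch (GeneralSecurityException e3) {
            StringBuilder c = fv3.c("OCSP response failure: ");
            c.append(e3.getMessage());
            throw new CertPathValidatorException(c.toString(), e3, fsaVar.c, fsaVar.f13444d);
        }
    }

    /**
     * Checks the revocation status of one certificate through OCSP.
     *
     * <p>Flow: resolve the responder URI (parent setting, then {@code ocsp.responderURL},
     * then the certificate's own extension); use a response already supplied for this
     * certificate, or fetch one through {@code OcspCache}; require a successful response
     * status; validate the basic response; then look for the single response whose ID
     * matches this certificate.
     *
     * <p>The method returns normally only for a matching single response with status
     * {@code 0}. Every other outcome throws, including a response whose signature does not
     * verify and a response that carries no status for this certificate.
     *
     * <p>NOTE(review): a freshly fetched response is not validated here; this relies on
     * {@code OcspCache.getOcspResponse} having validated it - confirm in that class.
     *
     * @param certificate certificate to check; must be an {@link X509Certificate}
     * @throws CertPathValidatorException if the certificate is revoked or its status cannot
     *     be established
     */
    /* JADX WARN: Multi-variable type inference failed */
    @Override // defpackage.esa
    public void check(Certificate certificate) throws CertPathValidatorException {
        byte[] bArr;
        boolean z;
        X509Certificate x509Certificate = (X509Certificate) certificate;
        Map<X509Certificate, byte[]> ocspResponses = this.parent.getOcspResponses();
        URI ocspResponder = this.parent.getOcspResponder();
        if (ocspResponder == null) {
            if (this.ocspURL != null) {
                try {
                    ocspResponder = new URI(this.ocspURL);
                } catch (URISyntaxException e) {
                    StringBuilder c = fv3.c("configuration error: ");
                    c.append(e.getMessage());
                    String sb = c.toString();
                    fsa fsaVar = this.parameters;
                    throw new CertPathValidatorException(sb, e, fsaVar.c, fsaVar.f13444d);
                }
            } else {
                ocspResponder = getOcspResponderURI(x509Certificate);
            }
        }
        URI uri = ocspResponder;
        if (ocspResponses.get(x509Certificate) != null || uri == null) {
            // Supplied response (or nowhere to fetch from): pick up the configured nonce, if
            // any, so that validatedOcspResponse() can compare it.
            List<Extension> ocspExtensions = this.parent.getOcspExtensions();
            bArr = null;
            for (int i = 0; i != ocspExtensions.size(); i++) {
                Extension extension = ocspExtensions.get(i);
                byte[] value = extension.getValue();
                if (pca.b.c.equals(extension.getId())) {
                    bArr = value;
                }
            }
            z = false;
        } else {
            if (this.ocspURL == null && this.parent.getOcspResponder() == null && !this.isEnabledOCSP) {
                fsa fsaVar2 = this.parameters;
                throw new RecoverableCertPathValidatorException("OCSP disabled by \"ocsp.enable\" setting", null, fsaVar2.c, fsaVar2.f13444d);
            }
            try {
                ocspResponses.put(x509Certificate, OcspCache.getOcspResponse(createCertID(new vm(uca.f), extractCert(), new k1(x509Certificate.getSerialNumber())), this.parameters, uri, this.parent.getOcspResponderCert(), this.parent.getOcspExtensions(), this.helper).getEncoded());
                // z marks the response as fetched through OcspCache; validation is skipped below.
                z = true;
                bArr = null;
            } catch (IOException e2) {
                fsa fsaVar3 = this.parameters;
                throw new CertPathValidatorException("unable to encode OCSP response", e2, fsaVar3.c, fsaVar3.f13444d);
            }
        }
        if (ocspResponses.isEmpty()) {
            fsa fsaVar4 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for any certificate", null, fsaVar4.c, fsaVar4.f13444d);
        }
        byte[] bArr2 = ocspResponses.get(x509Certificate);
        // Decompiler artifact (inlined factory with failed type inference); kept as decompiled.
        rca rcaVar = bArr2 instanceof rca ? (rca) bArr2 : bArr2 != 0 ? new rca(s1.s(bArr2)) : null;
        k1 k1Var = new k1(x509Certificate.getSerialNumber());
        if (rcaVar == null) {
            fsa fsaVar5 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for certificate", null, fsaVar5.c, fsaVar5.f13444d);
        }
        if (rcaVar.c.c.s() != 0) {
            // Non-zero response status: the responder did not produce a usable answer.
            StringBuilder c2 = fv3.c("OCSP response failed: ");
            g1 g1Var = rcaVar.c.c;
            g1Var.getClass();
            c2.append(new BigInteger(g1Var.c));
            String sb2 = c2.toString();
            fsa fsaVar6 = this.parameters;
            throw new CertPathValidatorException(sb2, null, fsaVar6.c, fsaVar6.f13444d);
        }
        zzb h = zzb.h(rcaVar.f19578d);
        if (h.c.m(pca.f18600a)) {
            try {
                dn0 h2 = dn0.h(h.f23979d.c);
                if (!z && !validatedOcspResponse(h2, this.parameters, bArr, this.parent.getOcspResponderCert(), this.helper)) {
                    // Fail closed: an unverifiable response used to be skipped silently, which
                    // let this method return as if the certificate were good.
                    fsa fsaVarSig = this.parameters;
                    throw new CertPathValidatorException("OCSP response signature could not be verified", null, fsaVarSig.c, fsaVarSig.f13444d);
                }
                s1 s1Var = a0c.h(h2.c).g;
                qc1 qc1Var = null;
                for (int i2 = 0; i2 != s1Var.size(); i2++) {
                    e1 t = s1Var.t(i2);
                    xuc xucVar = t instanceof xuc ? (xuc) t : t != null ? new xuc(s1.s(t)) : null;
                    if (k1Var.m(xucVar.c.f)) {
                        // xucVar.f is presumably nextUpdate; when it is absent no freshness
                        // check is applied to this single response.
                        i1 i1Var = xucVar.f;
                        if (i1Var != null) {
                            fsa fsaVar7 = this.parameters;
                            fsaVar7.getClass();
                            if (new Date(fsaVar7.b.getTime()).after(i1Var.t())) {
                                throw new ExtCertPathValidatorException();
                            }
                        }
                        // Rebuild our ID only when the response switches hash algorithm.
                        if (qc1Var == null || !qc1Var.c.equals(xucVar.c.c)) {
                            qc1Var = createCertID(xucVar.c, extractCert(), k1Var);
                        }
                        if (qc1Var.equals(xucVar.c)) {
                            rc1 rc1Var = xucVar.f22914d;
                            int i3 = rc1Var.c;
                            if (i3 == 0) {
                                return;
                            }
                            if (i3 != 1) {
                                fsa fsaVar8 = this.parameters;
                                throw new CertPathValidatorException("certificate revoked, details unknown", null, fsaVar8.c, fsaVar8.f13444d);
                            }
                            m1 m1Var = rc1Var.f19572d;
                            g1c g1cVar = !(m1Var instanceof g1c) ? m1Var != null ? new g1c(s1.s(m1Var)) : null : (g1c) m1Var;
                            String str = "certificate revoked, reason=(" + g1cVar.f13574d + "), date=" + g1cVar.c.t();
                            fsa fsaVar9 = this.parameters;
                            throw new CertPathValidatorException(str, null, fsaVar9.c, fsaVar9.f13444d);
                        }
                    }
                }
            } catch (CertPathValidatorException e3) {
                throw e3;
            } catch (Exception e4) {
                fsa fsaVar10 = this.parameters;
                throw new CertPathValidatorException("unable to process OCSP response", e4, fsaVar10.c, fsaVar10.f13444d);
            }
        }
        // Fail closed: reaching this point means the response type was not the expected one or
        // no single response matched this certificate. The recoverable exception type mirrors
        // the "no OCSP response found for certificate" case above.
        fsa fsaVar11 = this.parameters;
        throw new RecoverableCertPathValidatorException("no OCSP status found for certificate in response", null, fsaVar11.c, fsaVar11.f13444d);
    }

    /**
     * @return always {@code null}; this checker keeps no soft-fail list
     */
    public List<CertPathValidatorException> getSoftFailExceptions() {
        return null;
    }

    /**
     * @return always {@code null}
     */
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Resets the checker: clears the parameters and re-reads the {@code ocsp.enable} and
     * {@code ocsp.responderURL} settings through {@code ihb}.
     *
     * @param z {@code true} to request forward checking, which is rejected
     * @throws CertPathValidatorException if forward checking is requested
     */
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.parameters = null;
        this.isEnabledOCSP = ihb.b("ocsp.enable");
        this.ocspURL = ihb.a("ocsp.responderURL");
    }

    /**
     * Stores the validation parameters for subsequent {@link #check} calls and re-reads the
     * {@code ocsp.enable} and {@code ocsp.responderURL} settings.
     *
     * @param fsaVar parameters for the certificate about to be checked
     */
    @Override // defpackage.esa
    public void initialize(fsa fsaVar) {
        this.parameters = fsaVar;
        this.isEnabledOCSP = ihb.b("ocsp.enable");
        this.ocspURL = ihb.a("ocsp.responderURL");
    }

    /**
     * @return always {@code false}; see {@link #init(boolean)}
     */
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Accepts and ignores a parameter; this checker has no settable parameters.
     *
     * @param str parameter name (ignored)
     * @param obj parameter value (ignored)
     */
    public void setParameter(String str, Object obj) {
    }
}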
