package com.itextpdf.signatures.validation.v1;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ICertificateStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IRevokedStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ISingleResp;
import com.itextpdf.commons.utils.DateTimeUtil;
import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.signatures.CertificateUtil;
import com.itextpdf.signatures.IssuingCertificateRetriever;
import com.itextpdf.signatures.TimestampConstants;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import com.itextpdf.signatures.validation.v1.context.CertificateSource;
import com.itextpdf.signatures.validation.v1.context.ValidationContext;
import com.itextpdf.signatures.validation.v1.context.ValidatorContext;
import com.itextpdf.signatures.validation.v1.report.CertificateReportItem;
import com.itextpdf.signatures.validation.v1.report.ReportItem;
import com.itextpdf.signatures.validation.v1.report.ValidationReport;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Date;

/* loaded from: classes2.dex */
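/**
 * Checks one OCSP single response against the certificate it is supposed to describe and records
 * every finding in a {@link ValidationReport}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Serial-number or issuer mismatches, stale or expired responses, an unknown status and
 *       unexpected errors are all reported as {@code INDETERMINATE}.</li>
 *   <li>The responder's signature and certificate chain are examined only when the response would
 *       otherwise be accepted (status "good", or revoked after the validation date). A "revoked"
 *       or "unknown" status is reported without authenticating the response first, so that
 *       outcome fails closed.</li>
 *   <li>{@code INVALID} items from the responder's chain validation are downgraded to
 *       {@code INDETERMINATE} before they reach the caller's report.</li>
 * </ul>
 */
public class OCSPValidator {
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();

    // Check name and messages written into report items; package-private so that code in this
    // package can reference them.
    static final String CERT_IS_REVOKED = "Certificate status is revoked.";
    static final String CERT_STATUS_IS_UNKNOWN = "Certificate status is unknown.";
    static final String FRESHNESS_CHECK = "OCSP response is not fresh enough: this update: {0}, validation date: {1}, freshness: {2}.";
    static final String INVALID_OCSP = "OCSP response is invalid.";
    static final String ISSUERS_DO_NOT_MATCH = "OCSP: Issuers don't match.";
    static final String OCSP_CHECK = "OCSP response check.";
    static final String OCSP_COULD_NOT_BE_VERIFIED = "OCSP response could not be verified: it does not contain responder in the certificate chain and response is not signed by issuer certificate or any from the trusted store.";
    static final String OCSP_IS_NO_LONGER_VALID = "OCSP is no longer valid: {0} after {1}";
    static final String SERIAL_NUMBERS_DO_NOT_MATCH = "OCSP: Serial numbers don't match.";
    static final String UNABLE_TO_CHECK_IF_ISSUERS_MATCH = "OCSP response could not be verified: unable to check if issuers match.";

    private final ValidatorChainBuilder builder;
    private final IssuingCertificateRetriever certificateRetriever;
    private final SignatureValidationProperties properties;

    /**
     * Creates a validator that takes its certificate retriever and validation properties from the
     * given builder, and later asks the same builder for the certificate chain validator.
     *
     * @param validatorChainBuilder source of the retriever, the properties and the chain validator
     */
    public OCSPValidator(ValidatorChainBuilder validatorChainBuilder) {
        this.certificateRetriever = validatorChainBuilder.getCertificateRetriever();
        this.properties = validatorChainBuilder.getProperties();
        this.builder = validatorChainBuilder;
    }

    /**
     * Copies the items of the responder's validation report into the caller's report.
     *
     * <p>Items with status {@code INVALID} are re-labelled {@code INDETERMINATE} first. The status
     * is set on the item obtained from {@code responderReport} and the value returned by
     * {@code setStatus} is what gets forwarded.
     *
     * @param target report that receives the items
     * @param responderReport report produced while validating the OCSP responder certificate
     */
    private void addResponderValidationReport(ValidationReport target, ValidationReport responderReport) {
        for (ReportItem item : responderReport.getLogs()) {
            ReportItem forwarded = item;
            if (ReportItem.ReportItemStatus.INVALID == item.getStatus()) {
                forwarded = item.setStatus(ReportItem.ReportItemStatus.INDETERMINATE);
            }
            target.addReportItem(forwarded);
        }
    }

    /**
     * Establishes which certificate signed the OCSP response and validates that certificate's chain
     * at the time the response was produced.
     *
     * <p>Three cases are handled: the response is signed by the issuer itself; it is signed by a
     * responder certificate the retriever already trusts; or it is signed by an untrusted responder
     * certificate, which must then verify under the issuer's public key.
     *
     * @param report report that receives the findings
     * @param context validation context of the calling check
     * @param ocspResp the basic OCSP response whose signer is being verified
     * @param issuerCert issuer certificate of the certificate under validation
     */
    private void verifyOcspResponder(ValidationReport report, ValidationContext context,
            IBasicOCSPResp ocspResp, X509Certificate issuerCert) {
        ValidationContext responderContext = context.setCertificateSource(CertificateSource.OCSP_ISSUER);
        ValidationReport responderReport = new ValidationReport();

        X509Certificate responderCert;
        if (CertificateUtil.isSignatureValid(ocspResp, issuerCert)) {
            // The issuer signed the response directly.
            responderCert = issuerCert;
        } else {
            // NOTE(review): this method does not re-check the response signature against the
            // retrieved certificate; presumably retrieveOCSPResponderCertificate only returns a
            // certificate that verifies it. Confirm against the retriever.
            X509Certificate candidate =
                    (X509Certificate) this.certificateRetriever.retrieveOCSPResponderCertificate(ocspResp);
            if (candidate == null) {
                report.addReportItem(new CertificateReportItem(issuerCert, OCSP_CHECK, OCSP_COULD_NOT_BE_VERIFIED,
                        ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }
            if (!this.certificateRetriever.isCertificateTrusted(candidate)) {
                try {
                    // A delegated responder must have been issued by the same CA as the
                    // certificate under validation.
                    candidate.verify(issuerCert.getPublicKey());
                    this.builder.getCertificateChainValidator()
                            .validate(responderReport, responderContext, candidate, ocspResp.getProducedAt());
                    addResponderValidationReport(report, responderReport);
                } catch (Exception e) {
                    // Unlike chain-validation findings, this item is added as INVALID without
                    // being downgraded.
                    report.addReportItem(new CertificateReportItem(candidate, OCSP_CHECK, INVALID_OCSP, e,
                            ReportItem.ReportItemStatus.INVALID));
                }
                return;
            }
            responderCert = candidate;
        }

        this.builder.getCertificateChainValidator().validate(responderReport,
                responderContext.setCertificateSource(CertificateSource.TRUSTED), responderCert,
                ocspResp.getProducedAt());
        addResponderValidationReport(report, responderReport);
    }

    /**
     * Validates a certificate against a single OCSP response and writes the outcome to the report.
     *
     * <p>The checks run in this order: self-signed shortcut, serial-number match, issuer match,
     * freshness of {@code thisUpdate}, expiry via {@code nextUpdate}, then the certificate status.
     * The responder is verified only for a "good" status or a revocation dated after
     * {@code date}.
     *
     * @param validationReport report that receives the findings
     * @param validationContext context of the calling validation step
     * @param x509Certificate certificate whose revocation status is being checked
     * @param iSingleResp the single response that is expected to describe the certificate
     * @param iBasicOCSPResp the basic OCSP response containing {@code iSingleResp}
     * @param date the validation date against which freshness, expiry and revocation time are compared
     */
    public void validate(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, ISingleResp iSingleResp, IBasicOCSPResp iBasicOCSPResp, Date date) {
        ValidationContext ocspContext = validationContext.setValidatorContext(ValidatorContext.OCSP_VALIDATOR);

        if (CertificateUtil.isSelfSigned(x509Certificate)) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                    "Certificate is self-signed: it cannot be revoked.", ReportItem.ReportItemStatus.INFO));
            return;
        }

        // The response must be about this certificate: compare serial numbers first.
        if (!x509Certificate.getSerialNumber().equals(iSingleResp.getCertID().getSerialNumber())) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                    SERIAL_NUMBERS_DO_NOT_MATCH, ReportItem.ReportItemStatus.INDETERMINATE));
            return;
        }

        Certificate issuerCert = this.certificateRetriever.retrieveIssuerCertificate(x509Certificate);
        try {
            if (!CertificateUtil.checkIfIssuersMatch(iSingleResp.getCertID(), (X509Certificate) issuerCert)) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                        ISSUERS_DO_NOT_MATCH, ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }

            // Reject responses older than (validation date - freshness). A thisUpdate later than
            // the validation date passes this check.
            Duration freshness = this.properties.getFreshness(ocspContext);
            Date thisUpdate = iSingleResp.getThisUpdate();
            Date oldestAcceptable = DateTimeUtil.addMillisToDate(date, -freshness.toMillis());
            if (thisUpdate.before(oldestAcceptable)) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                        MessageFormatUtil.format(FRESHNESS_CHECK, iSingleResp.getThisUpdate(), date, freshness),
                        ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }

            // Identity comparison against the "no nextUpdate" sentinel.
            // NOTE(review): relies on getNextUpdate() returning that exact sentinel when the field
            // is absent; confirm against TimestampConstants.
            if (iSingleResp.getNextUpdate() != TimestampConstants.UNDEFINED_TIMESTAMP_DATE
                    && date.after(iSingleResp.getNextUpdate())) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                        MessageFormatUtil.format(OCSP_IS_NO_LONGER_VALID, date, iSingleResp.getNextUpdate()),
                        ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }

            ICertificateStatus certStatus = iSingleResp.getCertStatus();
            IRevokedStatus revokedStatus = BOUNCY_CASTLE_FACTORY.createRevokedStatus(certStatus);
            boolean isGood = BOUNCY_CASTLE_FACTORY.createCertificateStatus().getGood().equals(certStatus);

            // The response is usable when the certificate is good, or was revoked only after the
            // validation date. Only then is the responder's signature and chain verified.
            if (isGood || (revokedStatus != null && date.before(revokedStatus.getRevocationTime()))) {
                verifyOcspResponder(validationReport, ocspContext, iBasicOCSPResp, (X509Certificate) issuerCert);
                if (!isGood) {
                    validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                            MessageFormatUtil.format(SignLogMessageConstant.VALID_CERTIFICATE_IS_REVOKED,
                                    revokedStatus.getRevocationTime()),
                            ReportItem.ReportItemStatus.INFO));
                }
                return;
            }

            // Revoked at or before the validation date, or status unknown. These verdicts are
            // recorded without verifying the responder, so an unauthenticated response can only
            // make validation fail, never succeed.
            if (revokedStatus != null) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                        CERT_IS_REVOKED, ReportItem.ReportItemStatus.INVALID));
            } else {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                        CERT_STATUS_IS_UNKNOWN, ReportItem.ReportItemStatus.INDETERMINATE));
            }
        } catch (Exception e) {
            // This catch covers every step in the try block, not just the issuer comparison, so
            // the cause is attached to the report item to keep the actual failure diagnosable.
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK,
                    UNABLE_TO_CHECK_IF_ISSUERS_MATCH, e, ReportItem.ReportItemStatus.INDETERMINATE));
        }
    }
}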
