package org.bouncycastle.jce.provider;

import a.d;
import g1.n;
import g1.o;
import h.a1;
import h.b0;
import h.f;
import h.k;
import h.r;
import h.s;
import h.y;
import h.y0;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.Extension;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import k1.b;
import k1.c;
import n.g;
import n.i;
import n.j;
import n.l;
import o.u;
import u.d0;
import u.h;
import u.o0;
import u.v;
import u.x;
import v.m;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
/**
 * OCSP-based revocation checker used by {@link ProvRevocationChecker}.
 *
 * <p>This listing is JADX decompiler output: the ASN.1/X.509 helper types
 * ({@code n.*}, {@code u.*}, {@code h.*}, ...) and their fields carry obfuscated
 * names, checked-exception {@code throws} clauses have been dropped, and at
 * least one expression (in {@link #getOcspResponderURI}) is not valid Java.
 * Comments below describe only what the visible statements do; anything
 * inferred from an obfuscated name is marked as an assumption.
 *
 * <p>Overall flow of {@link #check}: pick a responder URI, take a response that
 * was supplied for the certificate or fetch one through {@code OcspCache},
 * verify the response signature (for supplied responses), then look for a
 * single-response entry matching the certificate and act on its status.
 */
public class ProvOcspRevocationChecker implements n {
    // Neither default below is referenced anywhere else in this class.
    // NOTE(review): presumably the size/timeout bounds are applied by the code
    // that performs the network fetch (OcspCache, not shown) - confirm.
    private static final int DEFAULT_OCSP_MAX_RESPONSE_SIZE = 32768;
    private static final int DEFAULT_OCSP_TIMEOUT = 15000;
    // Signature-algorithm OID -> JCA signature name; read by getSignatureName().
    private static final Map oids;
    // Factory for MessageDigest / Signature / certificate-factory instances.
    private final b helper;
    // Value of the "ocsp.enable" setting, read in init()/initialize().
    private boolean isEnabledOCSP;
    // Value of the "ocsp.responderURL" setting, read in init()/initialize().
    private String ocspURL;
    // Validation parameters for the current path; its fields are used below as:
    // f1022b validation date, f1023c cert path, f1024d index, f1025e a certificate
    // whose key verifies responder certs (see validatedOcspResponse).
    private o parameters;
    // Source of configured responder URI/cert, extensions and supplied responses.
    private final ProvRevocationChecker parent;

    static {
        // NOTE(review): this table still maps MD2/MD5/SHA-1 based signature
        // algorithms ("MD2WITHRSA", "MD5WITHRSA", "SHA1WITH..."). Nothing in this
        // class rejects a response signed with one of them; whether the provider
        // behind helper.createSignature() refuses them cannot be seen from here.
        HashMap hashMap = new HashMap();
        oids = hashMap;
        // 1.2.840.113549.1.1.5 = sha1WithRSAEncryption
        hashMap.put(new r("1.2.840.113549.1.1.5"), "SHA1WITHRSA");
        hashMap.put(o.n.f2131m, "SHA224WITHRSA");
        hashMap.put(o.n.f2128j, "SHA256WITHRSA");
        hashMap.put(o.n.f2129k, "SHA384WITHRSA");
        hashMap.put(o.n.f2130l, "SHA512WITHRSA");
        hashMap.put(k.a.f1702m, "GOST3411WITHGOST3410");
        hashMap.put(k.a.f1703n, "GOST3411WITHECGOST3410");
        hashMap.put(f1.a.f785g, "GOST3411-2012-256WITHECGOST3410-2012-256");
        hashMap.put(f1.a.f786h, "GOST3411-2012-512WITHECGOST3410-2012-512");
        hashMap.put(q0.a.f2501a, "SHA1WITHPLAIN-ECDSA");
        hashMap.put(q0.a.f2502b, "SHA224WITHPLAIN-ECDSA");
        hashMap.put(q0.a.f2503c, "SHA256WITHPLAIN-ECDSA");
        hashMap.put(q0.a.f2504d, "SHA384WITHPLAIN-ECDSA");
        hashMap.put(q0.a.f2505e, "SHA512WITHPLAIN-ECDSA");
        hashMap.put(q0.a.f2506f, "RIPEMD160WITHPLAIN-ECDSA");
        hashMap.put(t0.a.f2915a, "SHA1WITHCVC-ECDSA");
        hashMap.put(t0.a.f2916b, "SHA224WITHCVC-ECDSA");
        hashMap.put(t0.a.f2917c, "SHA256WITHCVC-ECDSA");
        hashMap.put(t0.a.f2918d, "SHA384WITHCVC-ECDSA");
        hashMap.put(t0.a.f2919e, "SHA512WITHCVC-ECDSA");
        hashMap.put(x0.a.f3648a, "XMSS");
        hashMap.put(x0.a.f3649b, "XMSSMT");
        // 1.2.840.113549.1.1.4 = md5WithRSAEncryption, ...1.1.2 = md2WithRSAEncryption
        hashMap.put(new r("1.2.840.113549.1.1.4"), "MD5WITHRSA");
        hashMap.put(new r("1.2.840.113549.1.1.2"), "MD2WITHRSA");
        // 1.2.840.10040.4.3 = dsa-with-sha1
        hashMap.put(new r("1.2.840.10040.4.3"), "SHA1WITHDSA");
        hashMap.put(m.f3411q0, "SHA1WITHECDSA");
        hashMap.put(m.f3414t0, "SHA224WITHECDSA");
        hashMap.put(m.f3415u0, "SHA256WITHECDSA");
        hashMap.put(m.f3416v0, "SHA384WITHECDSA");
        hashMap.put(m.f3417w0, "SHA512WITHECDSA");
        hashMap.put(e1.b.f635h, "SHA1WITHRSA");
        hashMap.put(e1.b.f634g, "SHA1WITHDSA");
        hashMap.put(m.b.Q, "SHA224WITHDSA");
        hashMap.put(m.b.R, "SHA256WITHDSA");
    }

    /**
     * Creates a checker bound to its owning revocation checker.
     *
     * @param provRevocationChecker owner that supplies responder settings and responses
     * @param bVar helper used to obtain digest, signature and certificate-factory instances
     */
    public ProvOcspRevocationChecker(ProvRevocationChecker provRevocationChecker, b bVar) {
        this.parent = provRevocationChecker;
        this.helper = bVar;
    }

    /**
     * Hashes part of the encoded public key with the given digest.
     *
     * @param messageDigest digest instance to use (callers in this class pass SHA1)
     * @param publicKey key whose encoding is parsed and hashed
     * @return the digest value
     */
    private static byte[] calcKeyHash(MessageDigest messageDigest, PublicKey publicKey) {
        // Presumably parses the SubjectPublicKeyInfo and hashes only the key bit
        // string (f3183b1), not the whole structure - obfuscated, confirm.
        return messageDigest.digest(o0.h(publicKey.getEncoded()).f3183b1.s());
    }

    /**
     * Builds a cert ID using the algorithm identifier carried by an existing one.
     *
     * @param bVar existing cert ID whose {@code f2004a1} algorithm identifier is reused
     * @param nVar parsed certificate whose name and key are hashed
     * @param mVar serial number to place in the ID
     * @return the new cert ID
     */
    private n.b createCertID(n.b bVar, u.n nVar, h.m mVar) {
        return createCertID(bVar.f2004a1, nVar, mVar);
    }

    /**
     * Builds a cert ID by hashing two fields of {@code nVar} with the digest
     * named by {@code bVar}.
     *
     * @param bVar algorithm identifier selecting the digest
     * @param nVar parsed certificate supplying the hashed fields
     * @param mVar serial number to place in the ID
     * @return the new cert ID
     * @throws CertPathValidatorException wrapping any failure while hashing or encoding
     */
    private n.b createCertID(u.b bVar, u.n nVar, h.m mVar) {
        try {
            MessageDigest h4 = this.helper.h(c.a(bVar.f3099a1));
            // Presumably f3213h1 is the subject name and f3214i1 the subject public
            // key info, giving the name hash and key hash of the ID - confirm.
            return new n.b(bVar, new a1(h4.digest(nVar.f3173b1.f3213h1.g())), new a1(h4.digest(nVar.f3173b1.f3214i1.f3183b1.s())), mVar);
        } catch (Exception e4) {
            throw new CertPathValidatorException("problem creating ID: " + e4, e4);
        }
    }

    /**
     * Re-parses the certificate held in {@code parameters.f1025e} into the
     * internal ASN.1 certificate type.
     *
     * @return the parsed certificate
     * @throws CertPathValidatorException if the certificate cannot be encoded or parsed
     */
    private u.n extractCert() {
        try {
            return u.n.h(this.parameters.f1025e.getEncoded());
        } catch (Exception e4) {
            String h4 = org.bouncycastle.jcajce.provider.symmetric.a.h(e4, new StringBuilder("cannot process signing cert: "));
            o oVar = this.parameters;
            throw new CertPathValidatorException(h4, e4, oVar.f1023c, oVar.f1024d);
        }
    }

    /**
     * Returns the digest name for an OID with its first hyphen removed, so that
     * a name of the form "SHA-256" becomes "SHA256". Names starting with "SHA3"
     * and names without a hyphen after position 0 are returned unchanged.
     *
     * @param rVar digest algorithm OID
     * @return the digest name in the form used to build a signature name
     */
    private static String getDigestName(r rVar) {
        String a4 = c.a(rVar);
        // 45 is '-'
        int indexOf = a4.indexOf(45);
        if (indexOf <= 0 || a4.startsWith("SHA3")) {
            return a4;
        }
        return a4.substring(0, indexOf) + a4.substring(indexOf + 1);
    }

    /**
     * Extracts a responder URI from a certificate extension.
     *
     * <p>NOTE(review): the URI comes from the certificate being validated, so it
     * is input controlled by whoever issued or presented that certificate. This
     * method applies no scheme or host restriction; check() passes the result to
     * OcspCache.getOcspResponse(). Confirm that the fetch code limits scheme,
     * response size and timeouts.
     *
     * @param x509Certificate certificate to inspect
     * @return the first well-formed URI found, or {@code null} if the extension
     *         is absent or holds no usable entry
     */
    /* JADX WARN: Multi-variable type inference failed */
    public static URI getOcspResponderURI(X509Certificate x509Certificate) {
        // Presumably v.v1 is the Authority Information Access extension OID - confirm.
        byte[] extensionValue = x509Certificate.getExtensionValue(v.v1.u());
        if (extensionValue == null) {
            return null;
        }
        byte[] bArr = s.r(extensionValue).f1170a1;
        // Decompiler artifact: "bArr instanceof h" and "bArr != 0" on a byte[] are
        // not valid Java (see the JADX warning above). The visible intent is to
        // wrap the decoded extension bytes in an h and read its entry array.
        u.a[] aVarArr = (bArr instanceof h ? (h) bArr : bArr != 0 ? new h(y.u(bArr)) : null).f3139a1;
        int length = aVarArr.length;
        u.a[] aVarArr2 = new u.a[length];
        System.arraycopy(aVarArr, 0, aVarArr2, 0, aVarArr.length);
        for (int i4 = 0; i4 != length; i4++) {
            u.a aVar = aVarArr2[i4];
            // Only entries whose method OID equals u.a.f3083c1 are considered
            // (presumably id-ad-ocsp - confirm).
            if (u.a.f3083c1.n(aVar.f3084a1)) {
                x xVar = aVar.f3085b1;
                // Tag 6 presumably selects the uniformResourceIdentifier form of
                // the location - confirm against the obfuscated x type.
                if (xVar.f3250b1 == 6) {
                    try {
                        return new URI(((b0) xVar.f3249a1).d());
                    } catch (URISyntaxException unused) {
                        // A malformed URI is skipped; later entries are still tried.
                        continue;
                    }
                } else {
                    continue;
                }
            }
        }
        return null;
    }

    /**
     * Maps a signature algorithm identifier to the name handed to
     * {@code helper.createSignature}.
     *
     * @param bVar algorithm identifier taken from the OCSP response
     * @return a name from {@link #oids}, a "...WITHRSAANDMGF1" name built from the
     *         parameters' digest, or the dotted OID string when the OID is unknown
     */
    private static String getSignatureName(u.b bVar) {
        f fVar = bVar.f3100b1;
        r rVar = bVar.f3099a1;
        // Parameters present, not equal to y0.f1199b1 (presumably ASN.1 NULL) and
        // OID equal to o.n.f2127i (presumably RSASSA-PSS): derive the name from
        // the digest inside the parameters - assumptions, confirm.
        if (fVar != null && !y0.f1199b1.m(fVar) && rVar.n(o.n.f2127i)) {
            return d.j(new StringBuilder(), getDigestName(u.h(fVar).f2176a1.f3099a1), "WITHRSAANDMGF1");
        }
        Map map = oids;
        return map.containsKey(rVar) ? (String) map.get(rVar) : rVar.u();
    }

    /**
     * Selects which of two candidate certificates the response's responder ID
     * refers to.
     *
     * <p>The responder ID is either a byte string, compared with a SHA1 hash of
     * each candidate's public key, or a name, compared with each candidate's
     * subject. SHA-1 here only identifies the key (RFC 6960 defines the byKey
     * responder ID as a SHA-1 hash); trust comes from the signature check that
     * the caller performs with the selected certificate's key.
     *
     * @param aVar parsed basic OCSP response
     * @param x509Certificate second candidate (validatedOcspResponse passes parameters.f1025e)
     * @param x509Certificate2 first candidate (validatedOcspResponse passes the configured responder cert)
     * @param bVar helper used to obtain the SHA1 digest
     * @return the matching candidate, or {@code null} if neither matches
     */
    private static X509Certificate getSignerCert(n.a aVar, X509Certificate x509Certificate, X509Certificate x509Certificate2, b bVar) {
        h.o oVar = aVar.f2000a1.f2024c1.f2018a1;
        byte[] bArr = oVar instanceof s ? ((s) oVar).f1170a1 : null;
        if (bArr != null) {
            MessageDigest h4 = bVar.h("SHA1");
            if (x509Certificate2 != null && Arrays.equals(bArr, calcKeyHash(h4, x509Certificate2.getPublicKey()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && Arrays.equals(bArr, calcKeyHash(h4, x509Certificate.getPublicKey()))) {
                return x509Certificate;
            }
        } else {
            t.a aVar2 = t.a.S1;
            s.c i4 = s.c.i(aVar2, oVar instanceof s ? null : s.c.h(oVar));
            if (x509Certificate2 != null && i4.equals(s.c.i(aVar2, x509Certificate2.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate2;
            }
            if (x509Certificate != null && i4.equals(s.c.i(aVar2, x509Certificate.getSubjectX500Principal().getEncoded()))) {
                return x509Certificate;
            }
        }
        return null;
    }

    /**
     * Tests whether a responder ID identifies the given certificate, using the
     * same key-hash or subject-name comparison as {@link #getSignerCert}.
     *
     * @param hVar responder ID from the response
     * @param x509Certificate certificate to compare against
     * @param bVar helper used to obtain the SHA1 digest
     * @return {@code true} if the ID matches the certificate
     */
    private static boolean responderMatches(n.h hVar, X509Certificate x509Certificate, b bVar) {
        h.o oVar = hVar.f2018a1;
        byte[] bArr = oVar instanceof s ? ((s) oVar).f1170a1 : null;
        if (bArr != null) {
            return Arrays.equals(bArr, calcKeyHash(bVar.h("SHA1"), x509Certificate.getPublicKey()));
        }
        t.a aVar = t.a.S1;
        return s.c.i(aVar, oVar instanceof s ? null : s.c.h(oVar)).equals(s.c.i(aVar, x509Certificate.getSubjectX500Principal().getEncoded()));
    }

    /**
     * Verifies the signature on a basic OCSP response and, when a nonce is
     * expected, that the response carries the same nonce.
     *
     * <p>Signer selection: a candidate matched by {@link #getSignerCert} is used
     * directly. Otherwise the first certificate embedded in the response is
     * used, after it has been verified with the key of {@code oVar.f1025e},
     * checked for validity at the validation date, matched against the responder
     * ID, and found to carry the required extended key usage.
     *
     * <p>NOTE(review): a signature that does not verify is reported by returning
     * {@code false}, not by an exception, so every caller must act on the
     * return value. No revocation check of the embedded responder certificate
     * is visible in this method.
     *
     * @param aVar parsed basic OCSP response
     * @param oVar validation parameters (date, cert path, index, verifying certificate)
     * @param bArr expected nonce value, or {@code null} to skip the nonce comparison
     * @param x509Certificate explicitly configured responder certificate, may be {@code null}
     * @param bVar helper for signature, digest and certificate-factory instances
     * @return {@code true} if the signature verifies and the nonce (if expected) matches;
     *         {@code false} if the signature does not verify
     * @throws CertPathValidatorException if no signer can be found, the embedded
     *         responder certificate is rejected, the nonce differs, or a lower-level
     *         failure occurs
     */
    public static boolean validatedOcspResponse(n.a aVar, o oVar, byte[] bArr, X509Certificate x509Certificate, b bVar) {
        try {
            // Certificates embedded in the response, if any.
            y yVar = aVar.f2003d1;
            Signature createSignature = bVar.createSignature(getSignatureName(aVar.f2001b1));
            X509Certificate signerCert = getSignerCert(aVar, oVar.f1025e, x509Certificate, bVar);
            if (signerCert == null && yVar == null) {
                throw new CertPathValidatorException("OCSP responder certificate not found");
            }
            j jVar = aVar.f2000a1;
            int i4 = oVar.f1024d;
            CertPath certPath = oVar.f1023c;
            if (signerCert != null) {
                // Known candidate: its key is used as-is; the validity and key-usage
                // checks of the else branch are not applied on this path.
                createSignature.initVerify(signerCert.getPublicKey());
            } else {
                // Only the first embedded certificate, v(0), is considered.
                X509Certificate x509Certificate2 = (X509Certificate) bVar.c("X.509").generateCertificate(new ByteArrayInputStream(yVar.v(0).c().getEncoded()));
                x509Certificate2.verify(oVar.f1025e.getPublicKey());
                x509Certificate2.checkValidity(new Date(oVar.f1022b.getTime()));
                if (!responderMatches(jVar.f2024c1, x509Certificate2, bVar)) {
                    throw new CertPathValidatorException("responder certificate does not match responderID", null, certPath, i4);
                }
                // Presumably d0.f3120c1 is the OCSP-signing key purpose - confirm.
                List<String> extendedKeyUsage = x509Certificate2.getExtendedKeyUsage();
                if (extendedKeyUsage == null || !extendedKeyUsage.contains(d0.f3120c1.f3121a1.u())) {
                    throw new CertPathValidatorException("responder certificate not valid for signing OCSP responses", null, certPath, i4);
                }
                // Certificate overload: Signature.initVerify(Certificate) also rejects
                // a certificate whose critical KeyUsage lacks digitalSignature.
                createSignature.initVerify(x509Certificate2);
            }
            // The signature covers the encoded response data (jVar).
            createSignature.update(jVar.g());
            if (!createSignature.verify(aVar.f2002c1.u())) {
                return false;
            }
            // Nonce is compared only when the caller supplied one; a response
            // without the extension would fail inside this expression.
            if (bArr != null && !Arrays.equals(bArr, jVar.f2027f1.h(n.d.f2011b).f3245c1.f1170a1)) {
                throw new CertPathValidatorException("nonce mismatch in OCSP response", null, certPath, i4);
            }
            return true;
        } catch (IOException e4) {
            throw new CertPathValidatorException(d.d(e4, new StringBuilder("OCSP response failure: ")), e4, oVar.f1023c, oVar.f1024d);
        } catch (CertPathValidatorException e5) {
            throw e5;
        } catch (GeneralSecurityException e6) {
            throw new CertPathValidatorException("OCSP response failure: " + e6.getMessage(), e6, oVar.f1023c, oVar.f1024d);
        }
    }

    /**
     * Checks the revocation status of one certificate via OCSP.
     *
     * <p>Returns normally when a matching single response has status 0. Throws
     * {@code CertPathValidatorException} for a revoked certificate, any status
     * other than 0 or 1, an unsuccessful response status or a processing
     * failure, and {@code RecoverableCertPathValidatorException} when OCSP is
     * disabled or no response is available.
     *
     * <p>NOTE(review): three paths also end in a normal return without any
     * status having been established: (1) validatedOcspResponse() returns
     * {@code false}, i.e. the signature did not verify; (2) the response type
     * is not {@code n.d.f2010a}; (3) no single response matches the serial
     * number and cert ID. Confirm how the caller (ProvRevocationChecker, not
     * shown) interprets a normal return; if it means "not revoked", these paths
     * fail open and should raise an exception instead.
     *
     * @param certificate certificate to check; cast to {@code X509Certificate}
     */
    @Override // g1.n
    public void check(Certificate certificate) {
        Map ocspResponses;
        URI ocspResponder;
        List ocspExtensions;
        byte[] bArr;
        boolean z3;
        byte[] value;
        String id;
        X509Certificate ocspResponderCert;
        X509Certificate ocspResponderCert2;
        List ocspExtensions2;
        URI ocspResponder2;
        X509Certificate x509Certificate = (X509Certificate) certificate;
        ocspResponses = this.parent.getOcspResponses();
        // Responder URI precedence: parent setting, then the "ocsp.responderURL"
        // value, then the URI found in the certificate itself.
        ocspResponder = this.parent.getOcspResponder();
        if (ocspResponder == null) {
            if (this.ocspURL != null) {
                try {
                    ocspResponder = new URI(this.ocspURL);
                } catch (URISyntaxException e4) {
                    String str = "configuration error: " + e4.getMessage();
                    o oVar = this.parameters;
                    throw new CertPathValidatorException(str, e4, oVar.f1023c, oVar.f1024d);
                }
            } else {
                ocspResponder = getOcspResponderURI(x509Certificate);
            }
        }
        URI uri = ocspResponder;
        if (ocspResponses.get(x509Certificate) != null || uri == null) {
            // A response was supplied (or nothing can be fetched): pick up the
            // expected nonce from the configured extensions. n.d.f2011b is the same
            // OID validatedOcspResponse() reads the response nonce from.
            ocspExtensions = this.parent.getOcspExtensions();
            bArr = null;
            for (int i4 = 0; i4 != ocspExtensions.size(); i4++) {
                Extension c4 = a.c(ocspExtensions.get(i4));
                value = c4.getValue();
                String u4 = n.d.f2011b.u();
                id = c4.getId();
                if (u4.equals(id)) {
                    bArr = value;
                }
            }
            // z3 == false: the response still has to be validated below.
            z3 = false;
        } else {
            // No explicit responder configured anywhere: honour "ocsp.enable".
            if (this.ocspURL == null) {
                ocspResponder2 = this.parent.getOcspResponder();
                if (ocspResponder2 == null && !this.isEnabledOCSP) {
                    o oVar2 = this.parameters;
                    throw new RecoverableCertPathValidatorException("OCSP disabled by \"ocsp.enable\" setting", null, oVar2.f1023c, oVar2.f1024d);
                }
            }
            // Presumably e1.b.f633f is the SHA-1 OID used for the request cert ID - confirm.
            n.b createCertID = createCertID(new u.b(e1.b.f633f), extractCert(), new h.m(x509Certificate.getSerialNumber()));
            o oVar3 = this.parameters;
            ocspResponderCert2 = this.parent.getOcspResponderCert();
            ocspExtensions2 = this.parent.getOcspExtensions();
            try {
                // The fetched response is stored, encoded, in the parent's map.
                ocspResponses.put(x509Certificate, OcspCache.getOcspResponse(createCertID, oVar3, uri, ocspResponderCert2, ocspExtensions2, this.helper).getEncoded());
                bArr = null;
                // z3 == true skips validatedOcspResponse() below.
                // NOTE(review): this relies on OcspCache.getOcspResponse() having
                // verified the signature already - not visible here, confirm.
                z3 = true;
            } catch (IOException e5) {
                o oVar4 = this.parameters;
                throw new CertPathValidatorException("unable to encode OCSP response", e5, oVar4.f1023c, oVar4.f1024d);
            }
        }
        if (ocspResponses.isEmpty()) {
            o oVar5 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for any certificate", null, oVar5.f1023c, oVar5.f1024d);
        }
        Object obj = ocspResponses.get(x509Certificate);
        n.f fVar = obj instanceof n.f ? (n.f) obj : obj != null ? new n.f(y.u(obj)) : null;
        h.m mVar = new h.m(x509Certificate.getSerialNumber());
        if (fVar == null) {
            o oVar6 = this.parameters;
            throw new RecoverableCertPathValidatorException("no OCSP response found for certificate", null, oVar6.f1023c, oVar6.f1024d);
        }
        g gVar = fVar.f2015a1;
        // Any non-zero response status is reported as a failure with its numeric value.
        if (gVar.f2017a1.t() != 0) {
            StringBuilder sb = new StringBuilder("OCSP response failed: ");
            h.h hVar = gVar.f2017a1;
            hVar.getClass();
            sb.append(new BigInteger(hVar.f1106a1));
            String sb2 = sb.toString();
            o oVar7 = this.parameters;
            throw new CertPathValidatorException(sb2, null, oVar7.f1023c, oVar7.f1024d);
        }
        i h4 = i.h(fVar.f2016b1);
        // Only response type n.d.f2010a is processed (presumably the basic OCSP
        // response type - confirm); any other type falls through to a normal return.
        if (h4.f2019a1.n(n.d.f2010a)) {
            try {
                n.a h5 = n.a.h(h4.f2020b1.f1170a1);
                if (!z3) {
                    o oVar8 = this.parameters;
                    ocspResponderCert = this.parent.getOcspResponderCert();
                    // NOTE(review): a failed signature check returns silently here.
                    if (!validatedOcspResponse(h5, oVar8, bArr, ocspResponderCert, this.helper)) {
                        return;
                    }
                }
                y yVar = j.h(h5.f2000a1).f2026e1;
                n.b bVar = null;
                for (int i5 = 0; i5 != yVar.x(); i5++) {
                    f v4 = yVar.v(i5);
                    l lVar = v4 instanceof l ? (l) v4 : v4 != null ? new l(y.u(v4)) : null;
                    // First filter: serial number of the entry equals the certificate's.
                    if (mVar.n(lVar.f2030a1.f2007d1)) {
                        // Presumably f2033d1 is the entry's nextUpdate time: a response
                        // that expired before the validation date is rejected. No check
                        // of a thisUpdate-like field is visible in this method.
                        k kVar = lVar.f2033d1;
                        if (kVar != null) {
                            o oVar9 = this.parameters;
                            oVar9.getClass();
                            if (new Date(oVar9.f1022b.getTime()).after(kVar.t())) {
                                // m1.b is not shown; the catch blocks below rethrow it or
                                // wrap it in a CertPathValidatorException.
                                throw new m1.b();
                            }
                        }
                        n.b bVar2 = lVar.f2030a1;
                        // Rebuild the local cert ID only when the entry uses a different
                        // algorithm identifier than the previous one.
                        if (bVar == null || !bVar.f2004a1.equals(bVar2.f2004a1)) {
                            bVar = createCertID(bVar2, extractCert(), mVar);
                        }
                        // Second filter: full cert ID (hashes and serial) must match.
                        if (bVar.equals(bVar2)) {
                            n.c cVar = lVar.f2031b1;
                            int i6 = cVar.f2008a1;
                            // Status 0: accepted, stop checking.
                            if (i6 == 0) {
                                return;
                            }
                            // Any status other than 0 or 1 (presumably "unknown") is
                            // rejected with the generic message below.
                            if (i6 != 1) {
                                o oVar10 = this.parameters;
                                throw new CertPathValidatorException("certificate revoked, details unknown", null, oVar10.f1023c, oVar10.f1024d);
                            }
                            // Status 1: revoked, report reason and date from the entry.
                            h.o oVar11 = cVar.f2009b1;
                            n.k kVar2 = !(oVar11 instanceof n.k) ? oVar11 != null ? new n.k(y.u(oVar11)) : null : (n.k) oVar11;
                            String str2 = "certificate revoked, reason=(" + kVar2.f2029b1 + "), date=" + kVar2.f2028a1.t();
                            o oVar12 = this.parameters;
                            throw new CertPathValidatorException(str2, null, oVar12.f1023c, oVar12.f1024d);
                        }
                    }
                }
            } catch (CertPathValidatorException e6) {
                throw e6;
            } catch (Exception e7) {
                // Includes runtime failures such as a null entry or missing field.
                o oVar13 = this.parameters;
                throw new CertPathValidatorException("unable to process OCSP response", e7, oVar13.f1023c, oVar13.f1024d);
            }
        }
    }

    /**
     * Soft-fail exceptions are not tracked by this checker.
     *
     * @return always {@code null}
     */
    public List<CertPathValidatorException> getSoftFailExceptions() {
        return null;
    }

    /**
     * This checker declares no supported extensions.
     *
     * @return always {@code null}
     */
    public Set<String> getSupportedExtensions() {
        return null;
    }

    /**
     * Resets the checker for a new validation and re-reads the OCSP settings.
     *
     * @param z3 {@code true} to request forward checking, which is rejected
     * @throws CertPathValidatorException if forward checking is requested
     */
    public void init(boolean z3) {
        if (z3) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        // parameters stays null until initialize() is called; check() and
        // extractCert() dereference it.
        this.parameters = null;
        this.isEnabledOCSP = k3.g.c("ocsp.enable");
        this.ocspURL = k3.g.b("ocsp.responderURL");
    }

    /**
     * Stores the validation parameters and re-reads the OCSP settings.
     *
     * @param oVar parameters for the certificate about to be checked
     */
    @Override // g1.n
    public void initialize(o oVar) {
        this.parameters = oVar;
        this.isEnabledOCSP = k3.g.c("ocsp.enable");
        this.ocspURL = k3.g.b("ocsp.responderURL");
    }

    /**
     * Reports that only reverse checking is supported.
     *
     * @return always {@code false}
     */
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Accepts and ignores a parameter; the body is empty.
     *
     * @param str parameter name (ignored)
     * @param obj parameter value (ignored)
     */
    public void setParameter(String str, Object obj) {
    }
}
