package com.itextpdf.signatures;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ISingleResp;
import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
import com.itextpdf.commons.utils.MessageFormatUtil;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;

/* loaded from: classes4.dex */
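/**
 * Certificate verifier that accepts a certificate when an OCSP response reports it as "good".
 *
 * <p>Responses supplied to the constructor are checked first. If none of them validates and
 * {@code onlineCheckingAllowed} is set, one more response is requested through
 * {@link #getOcspResponse(X509Certificate, X509Certificate)}.
 *
 * <p>Security-relevant behaviour to be aware of when relying on this class:
 * <ul>
 *   <li>A response only counts when its validity window covers the verification date, its status
 *       is "good", and its signer is accepted by
 *       {@link #isValidResponse(IBasicOCSPResp, X509Certificate, Date)}.</li>
 *   <li>A response whose status is not "good" is simply not counted; this class does not raise an
 *       error for it.</li>
 *   <li>The revocation check of a delegated OCSP responder certificate is best-effort (see
 *       {@code isValidResponse}).</li>
 * </ul>
 */
public class OCSPVerifier extends RootStoreVerifier {
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();
    protected static final a70.b LOGGER = a70.c.i(OCSPVerifier.class);
    /** Extended-key-usage OID a delegated responder certificate must carry (id-kp-OCSPSigning). */
    protected static final String id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9";
    /** OCSP responses handed in by the caller; may be {@code null}. */
    protected List<IBasicOCSPResp> ocsps;

    /**
     * Creates the verifier.
     *
     * @param certificateVerifier next verifier in the chain, passed to the superclass
     * @param list                OCSP responses to check; stored by reference, may be {@code null}
     */
    public OCSPVerifier(CertificateVerifier certificateVerifier, List<IBasicOCSPResp> list) {
        super(certificateVerifier);
        this.ocsps = list;
    }

    /**
     * Requests an OCSP response from an {@code OcspClientBouncyCastle} and returns it when at least
     * one of its single responses has status "good".
     *
     * <p>NOTE(review): presumably this performs a network request; within this class it is only
     * reached when {@code onlineCheckingAllowed} is set. The returned response is not yet
     * authenticated or matched against the certificate; callers must still pass it through
     * {@link #verify(IBasicOCSPResp, X509Certificate, X509Certificate, Date)}.
     *
     * @param x509Certificate  certificate whose status is requested
     * @param x509Certificate2 issuer of that certificate
     * @return the response, or {@code null} when both arguments are {@code null}, no response was
     *         obtained, or no single response is "good"
     */
    public IBasicOCSPResp getOcspResponse(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (x509Certificate == null && x509Certificate2 == null) {
            return null;
        }
        IBasicOCSPResp basicOCSPResp = new OcspClientBouncyCastle(null).getBasicOCSPResp(x509Certificate, x509Certificate2, null);
        if (basicOCSPResp == null) {
            return null;
        }
        for (ISingleResp iSingleResp : basicOCSPResp.getResponses()) {
            if (Objects.equals(iSingleResp.getCertStatus(), BOUNCY_CASTLE_FACTORY.createCertificateStatus().getGood())) {
                return basicOCSPResp;
            }
        }
        return null;
    }

    /**
     * Checks whether the OCSP response signature verifies under the given certificate.
     *
     * @param iBasicOCSPResp response whose signature is checked
     * @param certificate    candidate signer certificate
     * @return {@code true} when the signature verifies; {@code false} when it does not or when the
     *         check itself fails for any reason
     */
    public boolean isSignatureValid(IBasicOCSPResp iBasicOCSPResp, Certificate certificate) {
        try {
            return SignUtils.isSignatureValid(iBasicOCSPResp, certificate, BOUNCY_CASTLE_FACTORY.getProviderName());
        } catch (Exception ignored) {
            // Deliberately fail closed: any error while checking means "not a valid signer".
            return false;
        }
    }

    /**
     * Verifies that the OCSP response was signed by an acceptable responder.
     *
     * <p>Accepted signers, tried in this order:
     * <ol>
     *   <li>the issuer certificate itself;</li>
     *   <li>if the response embeds certificates: one of them that carries the
     *       {@link #id_kp_OCSPSigning} extended key usage, signs the response, is itself signed by
     *       the issuer's key and is valid at {@code date};</li>
     *   <li>if the response embeds no certificates: any certificate from the root store.</li>
     * </ol>
     *
     * @param iBasicOCSPResp  response to authenticate
     * @param x509Certificate issuer certificate ({@code verify} passes the issuer here)
     * @param date            date at which the responder certificate must be valid
     * @throws GeneralSecurityException when no acceptable signer is found, the delegated responder
     *                                  certificate fails verification or validity checks, or it is
     *                                  reported revoked
     */
    public void isValidResponse(IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, Date date) throws GeneralSecurityException {
        // Most common case: the issuer signed the response directly.
        if (isSignatureValid(iBasicOCSPResp, x509Certificate)) {
            return;
        }

        if (iBasicOCSPResp.getCerts() == null) {
            // No embedded chain: fall back to the locally trusted root store.
            X509Certificate trustedResponder = null;
            KeyStore keyStore = this.rootStore;
            if (keyStore != null) {
                try {
                    for (X509Certificate candidate : SignUtils.getCertificates(keyStore)) {
                        if (isSignatureValid(iBasicOCSPResp, candidate)) {
                            trustedResponder = candidate;
                            break;
                        }
                    }
                } catch (Exception ignored) {
                    // Root store could not be enumerated: treat as "no trusted responder found".
                    trustedResponder = null;
                }
            }
            // Fix: the match found in the root store used to be overwritten with null right
            // after the loop, so this branch always threw even for a trusted responder.
            if (trustedResponder == null) {
                throw new VerificationException(x509Certificate, "OCSP response could not be verified: it does not contain certificate chain and response is not signed by issuer certificate or any from the root store.");
            }
            return;
        }

        // Look for a delegated (authorized) responder among the certificates in the response.
        X509Certificate responderCert = null;
        Iterator<X509Certificate> it = SignUtils.getCertsFromOcspResponse(iBasicOCSPResp).iterator();
        while (it.hasNext()) {
            X509Certificate candidate = it.next();
            try {
                List<String> extendedKeyUsage = candidate.getExtendedKeyUsage();
                if (extendedKeyUsage != null && extendedKeyUsage.contains(id_kp_OCSPSigning) && isSignatureValid(iBasicOCSPResp, candidate)) {
                    responderCert = candidate;
                    break;
                }
            } catch (CertificateParsingException ignored) {
                // Unparseable extension: this candidate cannot be an authorized responder.
            }
        }
        if (responderCert == null) {
            throw new VerificationException(x509Certificate, "OCSP response could not be verified");
        }

        // The delegation certificate must be issued directly by the issuer (cf. RFC 6960, 4.2.2.2)
        // and must be within its validity period at the verification date.
        responderCert.verify(x509Certificate.getPublicKey());
        responderCert.checkValidity(date);

        // With id-pkix-ocsp-nocheck present, the responder certificate is not checked for revocation.
        if (SignUtils.getExtensionValueByOid(responderCert, BOUNCY_CASTLE_FACTORY.createOCSPObjectIdentifiers().getIdPkixOcspNoCheck().getId()) != null) {
            return;
        }

        CRL crl;
        try {
            crl = CertificateUtil.getCRL(responderCert);
        } catch (Exception ignored) {
            crl = null;
        }
        if (!(crl instanceof X509CRL)) {
            // NOTE(review): fail-open. When no X.509 CRL can be obtained for the responder
            // certificate, its revocation status stays unknown and the response is still accepted;
            // only an error is logged. Deployments that need a hard failure must enforce it
            // outside this method. Behaviour kept as-is for existing callers.
            LOGGER.error("Authorized OCSP responder certificate revocation status cannot be checked");
            return;
        }
        CRLVerifier cRLVerifier = new CRLVerifier(null, null);
        cRLVerifier.setRootStore(this.rootStore);
        cRLVerifier.setOnlineCheckingAllowed(this.onlineCheckingAllowed);
        if (!cRLVerifier.verify((X509CRL) crl, responderCert, x509Certificate, date)) {
            throw new VerificationException(x509Certificate, "Authorized OCSP responder certificate was revoked.");
        }
    }

    /**
     * Verifies a certificate against the stored OCSP responses and, if allowed and necessary, one
     * freshly requested response, then delegates to the next verifier in the chain.
     *
     * @param x509Certificate  certificate to check
     * @param x509Certificate2 its issuer certificate
     * @param date             date for which the OCSP responses must be valid
     * @return the verification results: one entry from this class when at least one response
     *         validated, followed by whatever the chained verifier returns
     * @throws GeneralSecurityException when validating a response or the chained verifier fails
     */
    @Override // com.itextpdf.signatures.RootStoreVerifier, com.itextpdf.signatures.CertificateVerifier
    public List<VerificationOK> verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        List<VerificationOK> results = new ArrayList<>();
        int validCount = 0;
        boolean online = false;

        if (this.ocsps != null) {
            for (IBasicOCSPResp response : this.ocsps) {
                if (verify(response, x509Certificate, x509Certificate2, date)) {
                    validCount++;
                }
            }
        }
        // Go online only when allowed and nothing supplied by the caller validated.
        if (this.onlineCheckingAllowed && validCount == 0 && verify(getOcspResponse(x509Certificate, x509Certificate2), x509Certificate, x509Certificate2, date)) {
            validCount++;
            online = true;
        }
        LOGGER.info("Valid OCSPs found: " + validCount);
        if (validCount > 0) {
            results.add(new VerificationOK(x509Certificate, getClass(), "Valid OCSPs Found: " + validCount + (online ? " (online)" : "")));
        }
        CertificateVerifier certificateVerifier = this.verifier;
        if (certificateVerifier != null) {
            results.addAll(certificateVerifier.verify(x509Certificate, x509Certificate2, date));
        }
        return results;
    }

    /**
     * Checks whether one OCSP response vouches for the given certificate.
     *
     * <p>A single response is accepted only when its serial number and issuer match the
     * certificate, {@code date} is not after its {@code nextUpdate} (or, when that is absent, not
     * after the value {@code SignUtils.add180Sec} derives from {@code thisUpdate}), its status is
     * "good", and the response signer passes
     * {@link #isValidResponse(IBasicOCSPResp, X509Certificate, Date)}.
     *
     * <p>NOTE(review): {@code thisUpdate} is not compared with {@code date}, so a response produced
     * after {@code date} is not rejected here.
     *
     * @param iBasicOCSPResp   response to check; {@code null} yields {@code false}
     * @param x509Certificate  certificate to check
     * @param x509Certificate2 issuer certificate; when {@code null} the certificate itself is used
     * @param date             date for which the response must be valid
     * @return {@code true} when a matching, current, "good" and authenticated single response exists
     * @throws GeneralSecurityException when the response signer cannot be validated or an I/O
     *                                  error occurs while matching the issuer
     */
    public boolean verify(IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        if (iBasicOCSPResp == null) {
            return false;
        }
        for (ISingleResp iSingleResp : iBasicOCSPResp.getResponses()) {
            if (!x509Certificate.getSerialNumber().equals(iSingleResp.getCertID().getSerialNumber())) {
                continue;
            }
            if (x509Certificate2 == null) {
                x509Certificate2 = x509Certificate;
            }
            try {
                if (!SignUtils.checkIfIssuersMatch(iSingleResp.getCertID(), x509Certificate2)) {
                    LOGGER.info("OCSP: Issuers doesn't match.");
                    continue;
                }
                Date nextUpdate = iSingleResp.getNextUpdate();
                if (nextUpdate == null) {
                    nextUpdate = SignUtils.add180Sec(iSingleResp.getThisUpdate());
                    LOGGER.info(MessageFormatUtil.format("No 'next update' for OCSP Response; assuming {0}", nextUpdate));
                }
                if (date.after(nextUpdate)) {
                    // Fix: a stale response used to be logged and then accepted anyway.
                    // It must not count as proof that the certificate is good.
                    LOGGER.info(MessageFormatUtil.format("OCSP no longer valid: {0} after {1}", date, nextUpdate));
                    continue;
                }
                if (Objects.equals(iSingleResp.getCertStatus(), BOUNCY_CASTLE_FACTORY.createCertificateStatus().getGood())) {
                    // Status alone proves nothing until the response signer is authenticated.
                    isValidResponse(iBasicOCSPResp, x509Certificate2, date);
                    return true;
                }
            } catch (AbstractOCSPException | AbstractOperatorCreationException ignored) {
                // This single response cannot be evaluated; try the next one.
                continue;
            } catch (IOException e11) {
                // Keep the cause so the original I/O failure stays visible in logs and stack traces.
                throw new GeneralSecurityException(e11.getMessage(), e11);
            }
        }
        return false;
    }
}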
