package com.itextpdf.signatures;

import Ac.a;
import Ac.b;
import Oa.g;
import androidx.datastore.preferences.protobuf.H;
import com.itextpdf.commons.utils.MessageFormatUtil;
import fa.C0800j;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.OCSPException;
import p5.C1635d;
import za.C2213b;
import za.C2223l;
import za.InterfaceC2215d;

/* loaded from: classes3.dex */
/**
 * Certificate verifier that decides revocation status from OCSP responses.
 *
 * <p>Responses come from two places: the list handed to the constructor and, when
 * {@code onlineCheckingAllowed} is set and none of the supplied responses verified, a
 * response fetched through {@link OcspClientBouncyCastle}.
 *
 * <p>This listing is decompiler output with obfuscated third-party names. {@code Oa.a} is
 * the type returned by {@code OcspClientBouncyCastle.getBasicOCSPResp} (presumably
 * BouncyCastle's basic OCSP response) and {@code C1635d} is one entry of that response
 * (presumably a single-certificate response). Several methods call JDK APIs that throw
 * checked exceptions without declaring them, so {@code throws} clauses appear to have been
 * lost in decompilation.
 *
 * <p>NOTE(review): as listed, three paths accept a response without a hard failure: an
 * out-of-date response is only logged in {@code verify}, an unobtainable responder CRL is
 * only logged in {@code isValidResponse}, and signature-check errors are collapsed to
 * {@code false} in {@code isSignatureValid}. Confirm each against the original source before
 * relying on this class for a trust decision.
 */
public class OCSPVerifier extends RootStoreVerifier {
    /** Logger for this class, obtained from the obfuscated factory {@code b.d}. */
    protected static final a LOGGER = b.d(OCSPVerifier.class);
    /** Object identifier of the id-kp-OCSPSigning extended key usage. */
    protected static final String id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9";
    /** Caller-supplied OCSP responses; {@code verify} treats {@code null} as "none supplied". */
    protected List<Oa.a> ocsps;

    /**
     * Creates a verifier chained in front of {@code certificateVerifier}.
     *
     * @param certificateVerifier next verifier in the chain, passed to the superclass
     * @param list OCSP responses to check before going online; stored as-is, not copied
     */
    public OCSPVerifier(CertificateVerifier certificateVerifier, List<Oa.a> list) {
        super(certificateVerifier);
        this.ocsps = list;
    }

    /**
     * Fetches an OCSP response for a certificate through a fresh {@link OcspClientBouncyCastle}.
     *
     * @param x509Certificate certificate whose status is requested
     * @param x509Certificate2 certificate passed as the second argument of
     *     {@code getBasicOCSPResp} (presumably the issuer)
     * @return the response if at least one of its entries has a {@code null} status, otherwise
     *     {@code null}; also {@code null} when both arguments are {@code null} or the client
     *     returns nothing
     */
    public Oa.a getOcspResponse(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        Oa.a basicOCSPResp;
        // Only the "both null" case short-circuits; a single null argument is still passed to the client.
        if ((x509Certificate == null && x509Certificate2 == null) || (basicOCSPResp = new OcspClientBouncyCastle(null).getBasicOCSPResp(x509Certificate, x509Certificate2, null)) == null) {
            return null;
        }
        for (C1635d c1635d : basicOCSPResp.b()) {
            // n() == null presumably means certificate status "good" — TODO confirm against the
            // de-obfuscated library. The entry is not matched to x509Certificate here; that
            // matching happens later in verify(Oa.a, ...).
            if (c1635d.n() == null) {
                return basicOCSPResp;
            }
        }
        return null;
    }

    /**
     * Checks whether the response signature verifies under the given certificate.
     *
     * @param aVar OCSP response to check
     * @param certificate candidate signer certificate
     * @return result of {@code SignUtils.isSignatureValid} with provider name {@code "BC"};
     *     {@code false} if that call throws anything
     */
    public boolean isSignatureValid(Oa.a aVar, Certificate certificate) {
        try {
            return SignUtils.isSignatureValid(aVar, certificate, "BC");
        } catch (Exception unused) {
            // Every failure (bad signature, missing provider, malformed key, ...) becomes a plain
            // "false"; the cause is not logged, so callers cannot tell an invalid signature from
            // an environment problem.
            return false;
        }
    }

    /**
     * Checks that the response was signed either by the issuer itself or by a responder
     * certificate the issuer has authorized.
     *
     * <p>Returns normally when the response is accepted.
     *
     * @param aVar OCSP response to validate
     * @param x509Certificate issuer certificate used to verify the response or the responder
     * @param date point in time at which the responder certificate must be valid
     * @throws VerificationException if no certificate verifies the response signature, or the
     *     responder certificate is reported revoked by its CRL
     */
    public void isValidResponse(Oa.a aVar, X509Certificate x509Certificate, Date date) {
        CRL crl;
        // First try the issuer certificate as signer. If it verifies, the whole block below is
        // skipped and the method returns without any further check.
        X509Certificate x509Certificate2 = isSignatureValid(aVar, x509Certificate) ? x509Certificate : null;
        if (x509Certificate2 == null) {
            // Return value discarded in this listing — presumably a decompiler leftover.
            aVar.a();
            // Look for a delegated responder among the certificates embedded in the response:
            // the first one that carries the OCSPSigning EKU and verifies the signature wins.
            Iterator<X509Certificate> it = SignUtils.getCertsFromOcspResponse(aVar).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                X509Certificate next = it.next();
                try {
                    List<String> extendedKeyUsage = next.getExtendedKeyUsage();
                    if (extendedKeyUsage != null && extendedKeyUsage.contains(id_kp_OCSPSigning) && isSignatureValid(aVar, next)) {
                        x509Certificate2 = next;
                        break;
                    }
                } catch (CertificateParsingException unused) {
                    // A certificate whose EKU extension cannot be parsed is skipped silently.
                }
            }
            if (x509Certificate2 == null) {
                throw new VerificationException(x509Certificate, "OCSP response could not be verified");
            }
            // The responder certificate must be signed by the issuer's key and be valid at 'date'.
            // Both calls throw on failure (checked JDK exceptions not declared in this listing).
            x509Certificate2.verify(x509Certificate.getPublicKey());
            x509Certificate2.checkValidity(date);
            // The extension looked up here is identified only by an obfuscated constant —
            // presumably id-pkix-ocsp-nocheck; TODO confirm. When it is absent, the responder
            // certificate's own revocation status is checked through its CRL.
            if (x509Certificate2.getExtensionValue(InterfaceC2215d.f28780c.f18128a) == null) {
                try {
                    crl = CertificateUtil.getCRL(x509Certificate2);
                } catch (Exception unused2) {
                    crl = null;
                }
                if (crl == null || !(crl instanceof X509CRL)) {
                    // NOTE(review): fails open. If the CRL cannot be obtained or is not an
                    // X509CRL, the responder is accepted with only an error log line, so its
                    // revocation status was never established.
                    LOGGER.error("Authorized OCSP responder certificate revocation status cannot be checked");
                    return;
                }
                CRLVerifier cRLVerifier = new CRLVerifier(null, null);
                cRLVerifier.setRootStore(this.rootStore);
                cRLVerifier.setOnlineCheckingAllowed(this.onlineCheckingAllowed);
                if (!cRLVerifier.verify((X509CRL) crl, x509Certificate2, x509Certificate, date)) {
                    throw new VerificationException(x509Certificate, "Authorized OCSP responder certificate was revoked.");
                }
            }
        }
    }

    /**
     * Verifies a certificate against the supplied OCSP responses and, if allowed and none of
     * them verified, against one fetched online; then delegates to the chained verifier.
     *
     * @param x509Certificate certificate to verify
     * @param x509Certificate2 its issuer certificate
     * @param date point in time for which the status is evaluated
     * @return a list holding one {@link VerificationOK} when at least one response verified,
     *     followed by whatever the chained verifier returns; no entry is added and no exception
     *     is raised by this method itself when no response verified
     */
    @Override // com.itextpdf.signatures.RootStoreVerifier, com.itextpdf.signatures.CertificateVerifier
    public List<VerificationOK> verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) {
        int i3;
        ArrayList arrayList = new ArrayList();
        List<Oa.a> list = this.ocsps;
        boolean z10 = false;
        // Count the caller-supplied responses that verify for this certificate.
        if (list != null) {
            Iterator<Oa.a> it = list.iterator();
            i3 = 0;
            while (it.hasNext()) {
                if (verify(it.next(), x509Certificate, x509Certificate2, date)) {
                    i3++;
                }
            }
        } else {
            i3 = 0;
        }
        // Go online only as a fallback: online checking enabled and nothing supplied verified.
        if (this.onlineCheckingAllowed && i3 == 0 && verify(getOcspResponse(x509Certificate, x509Certificate2), x509Certificate, x509Certificate2, date)) {
            i3++;
            z10 = true;
        }
        LOGGER.j("Valid OCSPs found: " + i3);
        if (i3 > 0) {
            Class<?> cls = getClass();
            StringBuilder sb2 = new StringBuilder("Valid OCSPs Found: ");
            sb2.append(i3);
            sb2.append(z10 ? " (online)" : "");
            arrayList.add(new VerificationOK(x509Certificate, cls, sb2.toString()));
        }
        // Append the results of the next verifier in the chain, if one was configured.
        CertificateVerifier certificateVerifier = this.verifier;
        if (certificateVerifier != null) {
            arrayList.addAll(certificateVerifier.verify(x509Certificate, x509Certificate2, date));
        }
        return arrayList;
    }

    /**
     * Verifies a certificate against a single OCSP response.
     *
     * <p>For each entry whose serial number equals the certificate's, the issuer is matched,
     * the entry's update time is compared with {@code date}, and, if the entry's status is
     * {@code null}, the response signer is validated through {@link #isValidResponse}.
     *
     * @param aVar OCSP response; {@code null} yields {@code false}
     * @param x509Certificate certificate to verify
     * @param x509Certificate2 issuer certificate; when {@code null} the certificate itself is
     *     used as issuer
     * @param date point in time for which the status is evaluated
     * @return {@code true} if a matching entry with {@code null} status was found and the
     *     response passed {@code isValidResponse}; {@code false} otherwise
     * @throws IllegalStateException if an update time cannot be converted to a date
     */
    public boolean verify(Oa.a aVar, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) {
        Date B9;
        Date B10;
        if (aVar == null) {
            return false;
        }
        C1635d[] b6 = aVar.b();
        for (int i3 = 0; i3 < b6.length; i3++) {
            BigInteger serialNumber = x509Certificate.getSerialNumber();
            C1635d c1635d = b6[i3];
            // getClass() with a discarded result is a decompiler-emitted null check.
            c1635d.getClass();
            C2213b c2213b = ((C2223l) c1635d.f26189a).f28798a;
            // Object constructed and discarded in this listing — presumably an inlined accessor.
            new Oa.b(c2213b);
            // Only entries issued for this certificate's serial number are considered.
            if (serialNumber.equals(c2213b.f28775i.B())) {
                // No issuer given: treat the certificate as its own issuer. The reassigned
                // parameter stays in effect for the remaining loop iterations.
                if (x509Certificate2 == null) {
                    x509Certificate2 = x509Certificate;
                }
                try {
                    C1635d c1635d2 = b6[i3];
                    c1635d2.getClass();
                    if (SignUtils.checkIfIssuersMatch(new Oa.b(((C2223l) c1635d2.f26189a).f28798a), x509Certificate2)) {
                        // f28801i is the 'next update' time according to the log messages below;
                        // it may be absent.
                        C0800j c0800j = ((C2223l) b6[i3].f26189a).f28801i;
                        Date date2 = null;
                        if (c0800j == null) {
                            B9 = null;
                        } else {
                            X509CertificateHolder[] x509CertificateHolderArr = g.f4022a;
                            try {
                                B9 = c0800j.B();
                            } catch (Exception e7) {
                                throw new IllegalStateException(H.k(e7, new StringBuilder("exception processing GeneralizedTime: ")));
                            }
                        }
                        if (B9 == null) {
                            // No 'next update': derive a cut-off by adding 180 seconds to the
                            // other timestamp (f28800c, presumably 'this update' — TODO confirm).
                            C0800j c0800j2 = ((C2223l) b6[i3].f26189a).f28800c;
                            X509CertificateHolder[] x509CertificateHolderArr2 = g.f4022a;
                            try {
                                Date add180Sec = SignUtils.add180Sec(c0800j2.B());
                                a aVar2 = LOGGER;
                                aVar2.j(MessageFormatUtil.format("No 'next update' for OCSP Response; assuming {0}", add180Sec));
                                if (date.after(add180Sec)) {
                                    // NOTE(review): in this listing an out-of-date response is
                                    // only logged; execution falls through to the status check
                                    // below and can still return true. Decompilation may have
                                    // dropped a control-flow statement here — confirm against
                                    // the original source.
                                    aVar2.j(MessageFormatUtil.format("OCSP no longer valid: {0} after {1}", date, add180Sec));
                                }
                            } catch (Exception e10) {
                                throw new IllegalStateException(H.k(e10, new StringBuilder("exception processing GeneralizedTime: ")));
                            }
                        } else {
                            C0800j c0800j3 = ((C2223l) b6[i3].f26189a).f28801i;
                            if (c0800j3 == null) {
                                B10 = null;
                            } else {
                                X509CertificateHolder[] x509CertificateHolderArr3 = g.f4022a;
                                try {
                                    B10 = c0800j3.B();
                                } catch (Exception e11) {
                                    throw new IllegalStateException(H.k(e11, new StringBuilder("exception processing GeneralizedTime: ")));
                                }
                            }
                            if (date.after(B10)) {
                                // NOTE(review): same as above — the expiry is logged, but nothing
                                // in this listing stops the response from being accepted.
                                a aVar3 = LOGGER;
                                C0800j c0800j4 = ((C2223l) b6[i3].f26189a).f28801i;
                                if (c0800j4 != null) {
                                    X509CertificateHolder[] x509CertificateHolderArr4 = g.f4022a;
                                    try {
                                        date2 = c0800j4.B();
                                    } catch (Exception e12) {
                                        throw new IllegalStateException(H.k(e12, new StringBuilder("exception processing GeneralizedTime: ")));
                                    }
                                }
                                aVar3.j(MessageFormatUtil.format("OCSP no longer valid: {0} after {1}", date, date2));
                            }
                        }
                        // n() == null presumably means status "good" — TODO confirm. Only then is
                        // the response signer validated; isValidResponse throws if it rejects it.
                        if (b6[i3].n() == null) {
                            isValidResponse(aVar, x509Certificate2, date);
                            return true;
                        }
                    } else {
                        LOGGER.j("OCSP: Issuers doesn't match.");
                    }
                } catch (IOException e13) {
                    // Only the message is carried over; the original exception is not chained.
                    throw new GeneralSecurityException(e13.getMessage());
                } catch (OCSPException unused) {
                    // An entry that raises OCSPException is skipped without logging.
                    continue;
                }
            }
        }
        return false;
    }
}
