package com.itextpdf.signatures.validation.v1;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive;
import com.itextpdf.commons.bouncycastle.asn1.x509.IDistributionPoint;
import com.itextpdf.commons.bouncycastle.asn1.x509.IIssuingDistributionPoint;
import com.itextpdf.commons.bouncycastle.asn1.x509.IReasonFlags;
import com.itextpdf.commons.utils.DateTimeUtil;
import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.commons.utils.ThrowingAction;
import com.itextpdf.signatures.CertificateUtil;
import com.itextpdf.signatures.IssuingCertificateRetriever;
import com.itextpdf.signatures.TimestampConstants;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import com.itextpdf.signatures.validation.v1.context.CertificateSource;
import com.itextpdf.signatures.validation.v1.context.ValidationContext;
import com.itextpdf.signatures.validation.v1.report.CertificateReportItem;
import com.itextpdf.signatures.validation.v1.report.ReportItem;
import com.itextpdf.signatures.validation.v1.report.ValidationReport;
import java.io.IOException;
import java.security.cert.CRLReason;
import java.security.cert.Certificate;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/* loaded from: classes5.dex */
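/**
 * Checks a certificate against a CRL and records the outcome in a {@link ValidationReport}.
 *
 * <p>This listing is decompiler output, and the main six-argument {@code validate} overload was
 * not recovered. The helpers below can be reviewed on their own, but the order in which they are
 * applied (freshness, scope, reason-mask and expiry checks) cannot be established from this file.
 *
 * <p>The compiler-generated lambda bodies and anonymous adapter classes that the decompiler
 * emitted for {@code verifyCrlIntegrity} are folded back into lambdas. They were synthetic
 * members, not callable API.
 */
public class CRLValidator {
    /** Initial reasons mask (32895 == 0x807F), narrowed in {@link #computeInterimReasonsMask}. */
    static final int ALL_REASONS = 32895;
    static final String ATTRIBUTE_CERTS_ASSERTED = "The onlyContainsAttributeCerts is asserted. Conforming CRLs issuers MUST set the onlyContainsAttributeCerts boolean to FALSE.";
    static final String CERTIFICATE_IS_EXPIRED = "Certificate is expired on {0} and could have been removed from the CRL.";
    static final String CERTIFICATE_IS_NOT_IN_THE_CRL_SCOPE = "Certificate isn't in the current CRL scope.";
    static final String CERTIFICATE_IS_UNREVOKED = "The certificate was unrevoked.";
    static final String CERTIFICATE_REVOKED = "Certificate was revoked by {0} on {1}.";
    static final String CRL_CHECK = "CRL response check.";
    static final String CRL_INVALID = "CRL response is invalid.";
    static final String CRL_ISSUER_CHAIN_FAILED = "Unable to validate CRL response: Unexpected exception occurred validating issuer certificate.";
    static final String CRL_ISSUER_NOT_FOUND = "Unable to validate CRL response: no issuer certificate found.";
    static final String CRL_ISSUER_NO_COMMON_ROOT = "The CRL issuer does not share the root of the inspected certificate.";
    static final String CRL_ISSUER_REQUEST_FAILED = "Unable to validate CRL response: Unexpected exception occurred retrieving issuer certificate.";
    private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
    static final String FRESHNESS_CHECK = "CRL response is not fresh enough: this update: {0}, validation date: {1}, freshness: {2}.";
    static final String ONLY_SOME_REASONS_CHECKED = "Revocation status cannot be determined since not all reason codes are covered by the current CRL.";
    static final String SAME_REASONS_CHECK = "CRLs that cover the same reason codes were already verified.";
    static final String UPDATE_DATE_BEFORE_CHECK_DATE = "nextUpdate: {0} of CRLResponse is before validation date {1}.";
    private final ValidatorChainBuilder builder;
    private final IssuingCertificateRetriever certificateRetriever;
    // Per-certificate reasons mask; not read by any method recovered in this listing (presumably
    // used by the undecompiled validate overload). Plain HashMap: no synchronization is visible here.
    private final Map<Certificate, Integer> checkedReasonsMask = new HashMap<>();
    private final SignatureValidationProperties properties;

    /**
     * Creates a validator that takes its certificate retriever and properties from the builder.
     *
     * <p>The decompiler notes that this constructor was {@code protected} in the compiled class;
     * it is left {@code public} here so existing callers in the decompiled tree keep compiling.
     *
     * @param validatorChainBuilder source of the retriever, the properties and the chain validator
     */
    public CRLValidator(ValidatorChainBuilder validatorChainBuilder) {
        this.certificateRetriever = validatorChainBuilder.getCertificateRetriever();
        this.properties = validatorChainBuilder.getProperties();
        this.builder = validatorChainBuilder;
    }

    /**
     * Copies every log entry of {@code issuerReport} into {@code target}, downgrading
     * {@code INVALID} entries to {@code INDETERMINATE}.
     *
     * <p>Security note: a failed CRL-issuer chain therefore never marks the inspected certificate
     * INVALID. Consumers of the report must not treat INDETERMINATE as a successful revocation check.
     */
    private static void addResponderValidationReport(ValidationReport target, ValidationReport issuerReport) {
        for (ReportItem item : issuerReport.getLogs()) {
            ReportItem toAdd = item;
            if (ReportItem.ReportItemStatus.INVALID == item.getStatus()) {
                toAdd = item.setStatus(ReportItem.ReportItemStatus.INDETERMINATE);
            }
            target.addReportItem(toAdd);
        }
    }

    /**
     * Intersects {@link #ALL_REASONS} with the reason flags of the CRL's issuing distribution
     * point and of the certificate's distribution point, skipping whichever is absent.
     *
     * @param issuingDistributionPoint wrapper for the CRL extension; may wrap a null value
     * @param distributionPoint distribution point of the certificate, or {@code null}
     * @return the resulting bit mask
     */
    private static int computeInterimReasonsMask(IIssuingDistributionPoint issuingDistributionPoint, IDistributionPoint distributionPoint) {
        int mask = ALL_REASONS;
        if (!issuingDistributionPoint.isNull()) {
            IReasonFlags onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons();
            if (!onlySomeReasons.isNull()) {
                mask &= onlySomeReasons.intValue();
            }
        }
        if (distributionPoint != null) {
            IReasonFlags reasons = distributionPoint.getReasons();
            if (!reasons.isNull()) {
                mask &= reasons.intValue();
            }
        }
        return mask;
    }

    /**
     * Reads the ExpiredCertsOnCRL extension of the CRL as a date.
     *
     * @return the extension date, or {@link TimestampConstants#UNDEFINED_TIMESTAMP_DATE} when the
     *     extension is absent or cannot be read or parsed
     */
    private static Date getExpiredCertsOnCRLExtensionDate(X509CRL x509crl) {
        IASN1Primitive extensionValue;
        try {
            extensionValue = CertificateUtil.getExtensionValue(x509crl, FACTORY.createExtension().getExpiredCertsOnCRL().getId());
        } catch (IOException | RuntimeException ignored) {
            // Best effort: an unreadable extension is handled exactly like a missing one.
            extensionValue = null;
        }
        if (extensionValue != null) {
            try {
                return FACTORY.createASN1GeneralizedTime(extensionValue).getDate();
            } catch (Exception ignored) {
                // A malformed time value falls through to the "undefined" date below.
            }
        }
        return (Date) TimestampConstants.UNDEFINED_TIMESTAMP_DATE;
    }

    /**
     * Reads the IssuingDistributionPoint extension of the CRL.
     *
     * @return the factory wrapper for the extension; it is created from {@code null} when the
     *     extension is absent or unreadable, so callers test it with {@code isNull()}
     */
    private static IIssuingDistributionPoint getIssuingDistributionPointExtension(X509CRL x509crl) {
        IASN1Primitive extensionValue;
        try {
            extensionValue = CertificateUtil.getExtensionValue(x509crl, FACTORY.createExtension().getIssuingDistributionPoint().getId());
        } catch (IOException | RuntimeException ignored) {
            // Best effort: a parse failure is indistinguishable from "no extension" to callers.
            extensionValue = null;
        }
        return FACTORY.createIssuingDistributionPoint(extensionValue);
    }

    /**
     * Returns the last certificate of the chain the retriever builds for {@code certificate}.
     *
     * <p>An empty chain raises {@link ArrayIndexOutOfBoundsException}; the only visible caller
     * catches {@link RuntimeException} and reports it as INDETERMINATE.
     */
    private Certificate getRoot(Certificate certificate) {
        Certificate[] chain = this.certificateRetriever.retrieveMissingCertificates(new Certificate[]{certificate});
        return chain[chain.length - 1];
    }

    /**
     * Checks that the CRL comes from an issuer sharing the inspected certificate's root, verifies
     * the CRL signature and validates the issuer's own chain.
     *
     * <p>Every failure in this method is logged as INDETERMINATE. Only the first certificate
     * returned by the retriever is used as the CRL issuer. A failed signature check is logged
     * and the issuer chain is still validated afterwards.
     *
     * @param validationReport report that receives the findings
     * @param validationContext context, switched to {@code CRL_ISSUER} for the issuer chain
     * @param x509Certificate certificate whose revocation status is being checked
     * @param x509crl CRL under verification
     * @param date date passed to the certificate chain validator for the issuer
     */
    private void verifyCrlIntegrity(ValidationReport validationReport, final ValidationContext validationContext, final X509Certificate x509Certificate, final X509CRL x509crl, final Date date) {
        try {
            Certificate[] issuerCandidates = this.certificateRetriever.getCrlIssuerCertificates(x509crl);
            if (issuerCandidates == null || issuerCandidates.length == 0) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, CRL_CHECK, CRL_ISSUER_NOT_FOUND, ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }
            final Certificate crlIssuer = issuerCandidates[0];
            // A CRL signed under a different root cannot speak for this certificate.
            if (!getRoot(crlIssuer).equals(getRoot(x509Certificate))) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, CRL_CHECK, CRL_ISSUER_NO_COMMON_ROOT, ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }
            // Signature check of the CRL against the issuer's public key.
            SafeCalling.onExceptionLog(
                    () -> x509crl.verify(crlIssuer.getPublicKey()),
                    validationReport,
                    (Exception cause) -> new CertificateReportItem(x509Certificate, CRL_CHECK, CRL_INVALID, cause, ReportItem.ReportItemStatus.INDETERMINATE));
            // The issuer chain is validated into a scratch report so that its INVALID entries
            // can be downgraded before they are merged into the caller's report.
            final ValidationReport issuerChainReport = new ValidationReport();
            SafeCalling.onExceptionLog(
                    () -> this.builder.getCertificateChainValidator().validate(issuerChainReport, validationContext.setCertificateSource(CertificateSource.CRL_ISSUER), (X509Certificate) crlIssuer, date),
                    validationReport,
                    (Exception cause) -> new CertificateReportItem(x509Certificate, CRL_CHECK, CRL_ISSUER_CHAIN_FAILED, cause, ReportItem.ReportItemStatus.INDETERMINATE));
            addResponderValidationReport(validationReport, issuerChainReport);
        } catch (RuntimeException e) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CRL_CHECK, CRL_ISSUER_REQUEST_FAILED, e, ReportItem.ReportItemStatus.INDETERMINATE));
        }
    }

    /**
     * Looks the certificate's serial number up in the CRL and reports the result.
     *
     * <p>Nothing is logged when the CRL has no entry. An entry dated after {@code date} and an
     * entry with reason {@code REMOVE_FROM_CRL} are logged as INFO; any other entry is INVALID.
     *
     * @param validationReport report that receives the finding
     * @param x509Certificate certificate being checked
     * @param date validation date compared with the revocation date
     * @param x509crl CRL to search
     */
    private static void verifyRevocation(ValidationReport validationReport, X509Certificate x509Certificate, Date date, X509CRL x509crl) {
        X509CRLEntry entry = x509crl.getRevokedCertificate(x509Certificate.getSerialNumber());
        if (entry == null) {
            return;
        }
        Date revocationDate = entry.getRevocationDate();
        if (date.before(revocationDate)) {
            // Revoked only after the validation date.
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CRL_CHECK, MessageFormatUtil.format(SignLogMessageConstant.VALID_CERTIFICATE_IS_REVOKED, revocationDate), ReportItem.ReportItemStatus.INFO));
        } else if (CRLReason.REMOVE_FROM_CRL == entry.getRevocationReason()) {
            // CERTIFICATE_IS_UNREVOKED has no placeholder; the date argument is passed as in the original.
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CRL_CHECK, MessageFormatUtil.format(CERTIFICATE_IS_UNREVOKED, revocationDate), ReportItem.ReportItemStatus.INFO));
        } else {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CRL_CHECK, MessageFormatUtil.format(CERTIFICATE_REVOKED, x509crl.getIssuerX500Principal(), revocationDate), ReportItem.ReportItemStatus.INVALID));
        }
    }

    /**
     * Validates the certificate against the CRL, passing the current time as the sixth argument
     * of the full overload.
     *
     * @deprecated delegates to the six-argument overload; call that overload directly
     */
    @Deprecated
    public void validate(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, X509CRL x509crl, Date date) {
        validate(validationReport, validationContext, x509Certificate, x509crl, date, DateTimeUtil.getCurrentTimeDate());
    }

    /**
     * Main validation entry point. The decompiler could not recover its body (333 bytecode
     * instructions were skipped), so this stub always throws.
     *
     * <p>NOTE(review): the freshness, nextUpdate, scope and reason-mask checks named by the
     * message constants above are presumably implemented here. Audit them against the bytecode
     * or the upstream source, not against this listing.
     *
     * @param r8 validation report
     * @param r9 validation context
     * @param r10 certificate being checked
     * @param r11 CRL to check against
     * @param r12 validation date (same position as {@code date} in the deprecated overload)
     * @param r13 second date; the deprecated overload passes the current time. Its exact meaning
     *     is not visible here
     * @throws UnsupportedOperationException always, in this decompiled listing
     */
    public void validate(ValidationReport r8, ValidationContext r9, X509Certificate r10, X509CRL r11, Date r12, Date r13) {
        throw new UnsupportedOperationException("Method not decompiled: com.itextpdf.signatures.validation.v1.CRLValidator.validate(com.itextpdf.signatures.validation.v1.report.ValidationReport, com.itextpdf.signatures.validation.v1.context.ValidationContext, java.security.cert.X509Certificate, java.security.cert.X509CRL, java.util.Date, java.util.Date):void");
    }
}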
