package com.itextpdf.signatures.validation;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.asn1.IASN1Encodable;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ICertificateStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IRevokedStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ISingleResp;
import com.itextpdf.commons.utils.DateTimeUtil;
import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.signatures.CertificateUtil;
import com.itextpdf.signatures.IssuingCertificateRetriever;
import com.itextpdf.signatures.TimestampConstants;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import com.itextpdf.signatures.validation.context.CertificateSource;
import com.itextpdf.signatures.validation.context.ValidationContext;
import com.itextpdf.signatures.validation.context.ValidatorContext;
import com.itextpdf.signatures.validation.report.CertificateReportItem;
import com.itextpdf.signatures.validation.report.ReportItem;
import com.itextpdf.signatures.validation.report.ValidationReport;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;

/* loaded from: classes2.dex */
public class OCSPValidator {
    // Decompiled output (see the "loaded from: classes2.dex" header): control flow below contains
    // decompiler artifacts (duplicated catch blocks, empty try bodies, an obfuscated helper class
    // `a`). Behaviour is documented as written; where the original intent is only inferred it is
    // marked as such.
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();
    static final String CERT_IS_EXPIRED = "Certificate is expired on {0}. Its revocation status could have been removed from the database, so the OCSP response status could be falsely valid.";
    static final String CERT_IS_REVOKED = "Certificate status is revoked.";
    static final String CERT_STATUS_IS_UNKNOWN = "Certificate status is unknown.";
    static final String FRESHNESS_CHECK = "OCSP response is not fresh enough: this update: {0}, validation date: {1}, freshness: {2}.";
    static final String INVALID_OCSP = "OCSP response is invalid.";
    static final String ISSUERS_DO_NOT_MATCH = "OCSP: Issuers don't match.";
    static final String ISSUER_MISSING = "Issuer certificate wasn't found.";
    static final String OCSP_CHECK = "OCSP response check.";
    static final String OCSP_COULD_NOT_BE_VERIFIED = "OCSP response could not be verified: it does not contain responder in the certificate chain and response is not signed by issuer certificate or any from the trusted store.";
    static final String OCSP_IS_NO_LONGER_VALID = "OCSP is no longer valid: {0} after {1}";
    static final String OCSP_RESPONDER_DID_NOT_SIGN = "OCSP response could not be verified against this responder.";
    static final String OCSP_RESPONDER_IS_CA = "Responder certificate is the CA certificate.";
    // NOTE(review): the three literals below embed a stray `" +\n "` sequence; this looks like a
    // string concatenation flattened by the decompiler. Left byte-identical here because the text is
    // emitted at runtime in report items.
    static final String OCSP_RESPONDER_NOT_RETRIEVED = "OCSP response could not be verified: \" +\n            \"Unexpected exception occurred retrieving responder.";
    static final String OCSP_RESPONDER_NOT_VERIFIED = "OCSP response could not be verified: \" +\n            \" Unexpected exception occurred while validating responder certificate.";
    static final String OCSP_RESPONDER_TRUSTED = "Responder certificate is a trusted certificate.";
    static final String OCSP_RESPONDER_TRUST_NOT_RETRIEVED = "OCSP response could not be verified: \" +\n            \"responder trust state could not be retrieved.";
    static final String SERIAL_NUMBERS_DO_NOT_MATCH = "OCSP: Serial numbers don't match.";
    static final String UNABLE_TO_CHECK_IF_ISSUERS_MATCH = "OCSP response could not be verified: Unexpected exception occurred checking if issuers match.";
    static final String UNABLE_TO_RETRIEVE_ISSUER = "OCSP response could not be verified: Unexpected exception occurred while retrieving issuer";
    // Chain builder; used to obtain the CertificateChainValidator for responder certificates.
    private final ValidatorChainBuilder builder;
    // Source of issuer certificates, responder candidates and the trusted certificate store.
    private final IssuingCertificateRetriever certificateRetriever;
    // Supplies the freshness window applied to the response's thisUpdate.
    private final SignatureValidationProperties properties;

    /**
     * Creates a validator wired to the retriever, properties and chain validator of the given builder.
     *
     * @param validatorChainBuilder builder the certificate retriever and validation properties are read from
     */
    public OCSPValidator(ValidatorChainBuilder validatorChainBuilder) {
        this.certificateRetriever = validatorChainBuilder.getCertificateRetriever();
        this.properties = validatorChainBuilder.getProperties();
        this.builder = validatorChainBuilder;
    }

    /**
     * Copies every log item of {@code validationReport2} into {@code validationReport}, downgrading
     * INVALID items to INDETERMINATE on the way.
     *
     * <p>Why: a failure in the responder's own certificate chain should not by itself declare the
     * signing certificate invalid; it only makes this OCSP source inconclusive so that other
     * revocation sources can still be consulted.
     *
     * @param validationReport  destination report
     * @param validationReport2 report produced while validating the responder certificate
     */
    private static void addResponderValidationReport(ValidationReport validationReport, ValidationReport validationReport2) {
        for (ReportItem reportItem : validationReport2.getLogs()) {
            if (ReportItem.ReportItemStatus.INVALID == reportItem.getStatus()) {
                reportItem = reportItem.setStatus(ReportItem.ReportItemStatus.INDETERMINATE);
            }
            validationReport.addReportItem(reportItem);
        }
    }

    /**
     * Reads the id-pkix-ocsp-archive-cutoff extension of the response as a date.
     *
     * @param iBasicOCSPResp the basic OCSP response to inspect
     * @return the archive cutoff date, or {@link TimestampConstants#UNDEFINED_TIMESTAMP_DATE} when the
     *         extension is absent or cannot be parsed as a GeneralizedTime
     */
    private Date getArchiveCutoffExtension(IBasicOCSPResp iBasicOCSPResp) {
        IBouncyCastleFactory iBouncyCastleFactory = BOUNCY_CASTLE_FACTORY;
        IASN1Encodable extensionParsedValue = iBasicOCSPResp.getExtensionParsedValue(iBouncyCastleFactory.createOCSPObjectIdentifiers().getIdPkixOcspArchiveCutoff());
        if (!extensionParsedValue.isNull()) {
            try {
                return iBouncyCastleFactory.createASN1GeneralizedTime(extensionParsedValue).getDate();
            } catch (Exception unused) {
                // Deliberate best-effort: a malformed extension is treated the same as a missing one.
            }
        }
        return (Date) TimestampConstants.UNDEFINED_TIMESTAMP_DATE;
    }

    /**
     * Lambda body: looks up responder certificate candidates by the responder name in the response.
     *
     * @param iBasicOCSPResp the basic OCSP response whose responder is being resolved
     * @return the candidate responder certificates (raw {@code Set}, as emitted by the decompiler)
     */
    public /* synthetic */ Set lambda$verifyOcspResponder$0(IBasicOCSPResp iBasicOCSPResp) {
        return this.certificateRetriever.retrieveOCSPResponderByNameCertificate(iBasicOCSPResp);
    }

    /**
     * Lambda body: builds the INDETERMINATE report item recorded when responder retrieval throws.
     *
     * @param x509Certificate the issuer certificate the item is attributed to
     * @param exc             the exception raised during retrieval
     * @return report item with status INDETERMINATE
     */
    public static /* synthetic */ ReportItem lambda$verifyOcspResponder$1(X509Certificate x509Certificate, Exception exc) {
        return new CertificateReportItem(x509Certificate, OCSP_CHECK, OCSP_RESPONDER_NOT_RETRIEVED, exc, ReportItem.ReportItemStatus.INDETERMINATE);
    }

    /**
     * Verifies that the OCSP response was signed by a party authorised to speak for the issuer.
     *
     * <p>Accepted in this order: (1) the response is signed directly with the issuer key
     * (consistent with the issuer-signed responder case of RFC 6960); (2) a responder candidate that
     * signed the response is trusted for OCSP or generally trusted in the trusted store; (3) a
     * responder candidate that signed the response verifies against the issuer key and its chain
     * validates through the chain validator under {@code CertificateSource.OCSP_ISSUER}. In case (3)
     * chain failures are recorded as INDETERMINATE, not INVALID (see
     * {@link #addResponderValidationReport}). Anything else leaves this response INDETERMINATE.
     *
     * <p>NOTE(review): any EKU (id-kp-OCSPSigning) or ocsp-nocheck handling is not visible here;
     * presumably it is delegated to the chain validator via the OCSP_ISSUER source — confirm upstream.
     *
     * @param validationReport  report the outcome is written to
     * @param validationContext current validation context
     * @param iBasicOCSPResp    the basic OCSP response being verified
     * @param x509Certificate   the issuer certificate of the certificate under validation
     * @param date              date passed to the chain validator for responder certificates
     */
    private void verifyOcspResponder(ValidationReport validationReport, ValidationContext validationContext, final IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, Date date) {
        ValidationReport validationReport2;
        ValidationContext certificateSource = validationContext.setCertificateSource(CertificateSource.OCSP_ISSUER);
        // Case (1): response signed by the issuer itself; no separate responder certificate needed.
        if (CertificateUtil.isSignatureValid(iBasicOCSPResp, x509Certificate)) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, OCSP_RESPONDER_IS_CA, ReportItem.ReportItemStatus.INFO));
            return;
        }
        // Responder lookup is guarded: a runtime exception is logged via the `a` helper (obfuscated
        // name; presumably wraps lambda$verifyOcspResponder$1) and an empty set is used instead.
        Set set = (Set) SafeCalling.onRuntimeExceptionLog(new Supplier() { // from class: com.itextpdf.signatures.validation.j
            @Override // java.util.function.Supplier
            public final Object get() {
                Set lambda$verifyOcspResponder$0;
                lambda$verifyOcspResponder$0 = OCSPValidator.this.lambda$verifyOcspResponder$0(iBasicOCSPResp);
                return lambda$verifyOcspResponder$0;
            }
        }, Collections.emptySet(), validationReport, new a(x509Certificate, 4));
        if (set.isEmpty()) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, OCSP_COULD_NOT_BE_VERIFIED, ReportItem.ReportItemStatus.INDETERMINATE));
            return;
        }
        // One sub-report per candidate; they are only merged into the main report if no candidate
        // succeeds outright (success returns early).
        int size = set.size();
        ValidationReport[] validationReportArr = new ValidationReport[size];
        Iterator it = set.iterator();
        int i2 = 0;
        while (it.hasNext()) {
            X509Certificate x509Certificate2 = (X509Certificate) ((Certificate) it.next());
            ValidationReport validationReport3 = new ValidationReport();
            int i3 = i2 + 1;
            validationReportArr[i2] = validationReport3;
            if (CertificateUtil.isSignatureValid(iBasicOCSPResp, x509Certificate2)) {
                try {
                    // Case (2): explicitly trusted responder; no chain validation performed.
                    if (this.certificateRetriever.getTrustedCertificatesStore().isCertificateTrustedForOcsp(x509Certificate2) || this.certificateRetriever.getTrustedCertificatesStore().isCertificateGenerallyTrusted(x509Certificate2)) {
                        validationReport3.addReportItem(new CertificateReportItem(x509Certificate2, OCSP_CHECK, OCSP_RESPONDER_TRUSTED, ReportItem.ReportItemStatus.INFO));
                        validationReport.merge(validationReport3);
                        return;
                    }
                    // Case (3): responder must be signed by the issuer key.
                    try {
                        x509Certificate2.verify(x509Certificate.getPublicKey());
                        validationReport2 = new ValidationReport();
                        // Decompiler artifact: empty try with a self-assigning catch.
                        try {
                        } catch (RuntimeException e) {
                            e = e;
                        }
                    } catch (Exception e2) {
                        // Signature of the responder certificate did not verify against the issuer key.
                        validationReport3.addReportItem(new CertificateReportItem(x509Certificate2, OCSP_CHECK, INVALID_OCSP, e2, ReportItem.ReportItemStatus.INVALID));
                    }
                    // NOTE(review): as decompiled, validationReport2 is unassigned on the catch path
                    // above; in the original source the chain validation presumably runs only after a
                    // successful verify() — confirm against upstream.
                    try {
                        this.builder.getCertificateChainValidator().validate(validationReport2, certificateSource, x509Certificate2, date);
                        addResponderValidationReport(validationReport3, validationReport2);
                        if (validationReport3.getValidationResult() == ValidationReport.ValidationResult.VALID) {
                            addResponderValidationReport(validationReport, validationReport3);
                            return;
                        }
                    } catch (RuntimeException e3) {
                        e = e3;
                        validationReport3.addReportItem(new CertificateReportItem(x509Certificate2, OCSP_CHECK, OCSP_RESPONDER_NOT_VERIFIED, e, ReportItem.ReportItemStatus.INDETERMINATE));
                        i2 = i3;
                    }
                } catch (RuntimeException e4) {
                    // Trust-store lookup failed; recorded directly on the main report.
                    validationReport.addReportItem(new CertificateReportItem(x509Certificate2, OCSP_CHECK, OCSP_RESPONDER_TRUST_NOT_RETRIEVED, e4, ReportItem.ReportItemStatus.INDETERMINATE));
                }
            } else {
                validationReport3.addReportItem(new CertificateReportItem(x509Certificate2, OCSP_CHECK, OCSP_RESPONDER_DID_NOT_SIGN, ReportItem.ReportItemStatus.INDETERMINATE));
            }
            i2 = i3;
        }
        // No candidate produced a VALID result: surface every candidate's findings.
        for (int i4 = 0; i4 < size; i4++) {
            validationReport.merge(validationReportArr[i4]);
        }
    }

    /**
     * Validates one single response of an OCSP response against the given certificate.
     *
     * <p>Checks performed, in order: self-signed certificates are skipped; the CertID serial number
     * must equal the certificate's; an issuer must be retrievable; for each issuer candidate whose
     * name/key hashes match the CertID: the response must be fresh ({@code thisUpdate + freshness}
     * not before the validation date), not past {@code nextUpdate} when one is present, and the
     * certificate status must be good — or revoked with a revocation time after the validation date,
     * which is accepted as valid at that date and logged as INFO. Only then is the responder
     * verified through {@link #verifyOcspResponder}. The first issuer candidate yielding a VALID
     * sub-report is merged and the method returns; otherwise all sub-reports are merged.
     *
     * <p>Because a revoked certificate is accepted for validation dates before its revocation time,
     * callers are responsible for supplying a validation date that is itself trustworthy (NOTE(review):
     * where that date comes from is not visible in this class).
     *
     * <p>A good status for a certificate that had already expired when the response was produced is
     * additionally marked INDETERMINATE unless the response's archive cutoff shows the responder still
     * retained status for it (the revocation record may have been purged).
     *
     * @param validationReport  report the outcome is written to
     * @param validationContext current validation context
     * @param x509Certificate   certificate whose revocation status is checked
     * @param iSingleResp       the single response matching the certificate
     * @param iBasicOCSPResp    the enclosing basic OCSP response
     * @param date              validation date used for freshness, nextUpdate and revocation-time checks
     * @param date2             date used when validating the responder's certificate chain
     */
    public void validate(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, ISingleResp iSingleResp, IBasicOCSPResp iBasicOCSPResp, Date date, Date date2) {
        int i2;
        Exception exc;
        OCSPValidator oCSPValidator = this;
        ValidationContext validatorContext = validationContext.setValidatorContext(ValidatorContext.OCSP_VALIDATOR);
        if (CertificateUtil.isSelfSigned(x509Certificate)) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, "Certificate is self-signed. Revocation data check will be skipped.", ReportItem.ReportItemStatus.INFO));
            return;
        }
        // The single response must be about this certificate.
        if (!x509Certificate.getSerialNumber().equals(iSingleResp.getCertID().getSerialNumber())) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, SERIAL_NUMBERS_DO_NOT_MATCH, ReportItem.ReportItemStatus.INDETERMINATE));
            return;
        }
        try {
            List<X509Certificate> retrieveIssuerCertificate = oCSPValidator.certificateRetriever.retrieveIssuerCertificate(x509Certificate);
            if (retrieveIssuerCertificate.isEmpty()) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, MessageFormatUtil.format(ISSUER_MISSING, x509Certificate.getSubjectX500Principal()), ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }
            // One sub-report per issuer candidate.
            int size = retrieveIssuerCertificate.size();
            ValidationReport[] validationReportArr = new ValidationReport[size];
            int i3 = 0;
            while (i3 < retrieveIssuerCertificate.size()) {
                validationReportArr[i3] = new ValidationReport();
                // Decompiler artifact: empty try; the matching catch body is duplicated further below.
                try {
                } catch (Exception e) {
                    i2 = i3;
                    exc = e;
                }
                // The CertID's issuer hashes must match this candidate issuer.
                if (CertificateUtil.checkIfIssuersMatch(iSingleResp.getCertID(), retrieveIssuerCertificate.get(i3))) {
                    Duration freshness = oCSPValidator.properties.getFreshness(validatorContext);
                    // Freshness: thisUpdate plus the configured window must reach the validation date.
                    if (DateTimeUtil.addMillisToDate(iSingleResp.getThisUpdate(), freshness.toMillis()).before(date)) {
                        validationReportArr[i3].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, MessageFormatUtil.format(FRESHNESS_CHECK, iSingleResp.getThisUpdate(), date, freshness), ReportItem.ReportItemStatus.INDETERMINATE));
                    } else {
                        Date nextUpdate = iSingleResp.getNextUpdate();
                        Object obj = TimestampConstants.UNDEFINED_TIMESTAMP_DATE;
                        // nextUpdate is optional; when present the validation date must not be past it.
                        if (nextUpdate == obj || !date.after(iSingleResp.getNextUpdate())) {
                            ICertificateStatus certStatus = iSingleResp.getCertStatus();
                            IBouncyCastleFactory iBouncyCastleFactory = BOUNCY_CASTLE_FACTORY;
                            IRevokedStatus createRevokedStatus = iBouncyCastleFactory.createRevokedStatus(certStatus);
                            boolean equals = iBouncyCastleFactory.createCertificateStatus().getGood().equals(certStatus);
                            // "Good" for an already-expired certificate is only trustworthy if the responder
                            // still kept its record: require an archive cutoff that precedes notAfter.
                            if (equals && x509Certificate.getNotAfter().before(iBasicOCSPResp.getProducedAt())) {
                                Date archiveCutoffExtension = oCSPValidator.getArchiveCutoffExtension(iBasicOCSPResp);
                                if (obj == archiveCutoffExtension || x509Certificate.getNotAfter().before(archiveCutoffExtension)) {
                                    validationReportArr[i3].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, MessageFormatUtil.format(CERT_IS_EXPIRED, x509Certificate.getNotAfter()), ReportItem.ReportItemStatus.INDETERMINATE));
                                }
                            }
                            // Good, or revoked only after the validation date: go on to verify the responder.
                            if (equals || (createRevokedStatus != null && date.before(createRevokedStatus.getRevocationTime()))) {
                                i2 = i3;
                                verifyOcspResponder(validationReportArr[i3], validatorContext, iBasicOCSPResp, retrieveIssuerCertificate.get(i3), date2);
                                if (!equals) {
                                    validationReportArr[i2].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, MessageFormatUtil.format(SignLogMessageConstant.VALID_CERTIFICATE_IS_REVOKED, createRevokedStatus.getRevocationTime()), ReportItem.ReportItemStatus.INFO));
                                }
                            } else {
                                // Revoked at or before the validation date is INVALID; any other status is unknown.
                                if (createRevokedStatus != null) {
                                    validationReportArr[i3].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, CERT_IS_REVOKED, ReportItem.ReportItemStatus.INVALID));
                                } else {
                                    validationReportArr[i3].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, CERT_STATUS_IS_UNKNOWN, ReportItem.ReportItemStatus.INDETERMINATE));
                                }
                                i2 = i3;
                            }
                            // First VALID candidate wins.
                            if (validationReportArr[i2].getValidationResult() == ValidationReport.ValidationResult.VALID) {
                                validationReport.merge(validationReportArr[i2]);
                                return;
                            } else {
                                i3 = i2 + 1;
                                oCSPValidator = this;
                            }
                        } else {
                            validationReportArr[i3].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, MessageFormatUtil.format(OCSP_IS_NO_LONGER_VALID, date, iSingleResp.getNextUpdate()), ReportItem.ReportItemStatus.INDETERMINATE));
                        }
                    }
                } else {
                    try {
                        validationReportArr[i3].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, ISSUERS_DO_NOT_MATCH, ReportItem.ReportItemStatus.INDETERMINATE));
                    } catch (Exception e2) {
                        // NOTE(review): as decompiled this handler is attached to a plain addReportItem
                        // call; in the original source it presumably guarded checkIfIssuersMatch — confirm.
                        exc = e2;
                        i2 = i3;
                        validationReportArr[i2].addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, UNABLE_TO_CHECK_IF_ISSUERS_MATCH, exc, ReportItem.ReportItemStatus.INDETERMINATE));
                        i3 = i2 + 1;
                        oCSPValidator = this;
                    }
                }
                i2 = i3;
                i3 = i2 + 1;
                oCSPValidator = this;
            }
            // No candidate produced a VALID result: surface every candidate's findings.
            for (int i4 = 0; i4 < size; i4++) {
                validationReport.merge(validationReportArr[i4]);
            }
        } catch (RuntimeException e3) {
            // Issuer retrieval (or anything inside the loop not handled above) failed: inconclusive.
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, OCSP_CHECK, UNABLE_TO_RETRIEVE_ISSUER, e3, ReportItem.ReportItemStatus.INDETERMINATE));
        }
    }
}
