package org.apache.poi.poifs.crypt.dsig.services;

import N6.t;
import S6.AbstractC0511n;
import S6.AbstractC0514q;
import S6.AbstractC0517u;
import S6.C0500c;
import S6.C0510m;
import S6.InterfaceC0502e;
import S6.N;
import S6.r;
import c8.C0824a;
import c8.u;
import c8.v;
import com.google.android.material.color.utilities.h;
import com.google.android.material.color.utilities.o;
import d7.C1914a;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import k7.InterfaceC2060a;
import o3.C2188c;
import org.apache.poi.hemf.record.emfplus.S;
import org.apache.poi.poifs.crypt.CryptoFunctions;
import org.apache.poi.poifs.crypt.HashAlgorithm;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
import org.apache.poi.poifs.crypt.dsig.services.TimeStampHttpClient;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.D;
import org.bouncycastle.cms.F;
import org.bouncycastle.cms.g;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.tsp.TSPException;
import org.bouncycastle.tsp.TSPValidationException;
import org.bouncycastle.tsp.d;
import org.spongycastle.asn1.ASN1Encoding;
import u7.C3353c;
import w7.C3440c;
import w7.InterfaceC3437A;
import w7.i;
import w7.k;
import w7.m;
import w7.n;

/* loaded from: classes4.dex */
public class TSPTimeStampService implements TimeStampService {
    private static final J6.c LOG = J6.b.a(TSPTimeStampService.class);

    /* renamed from: org.apache.poi.poifs.crypt.dsig.services.TSPTimeStampService$1 */
    /* loaded from: classes4.dex */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm;

        static {
            int[] iArr = new int[HashAlgorithm.values().length];
            $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm = iArr;
            try {
                iArr[HashAlgorithm.sha1.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[HashAlgorithm.sha256.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[HashAlgorithm.sha384.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
            try {
                $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[HashAlgorithm.sha512.ordinal()] = 4;
            } catch (NoSuchFieldError unused4) {
            }
        }
    }

    public static boolean lambda$retrieveCRL$3(i iVar) {
        return iVar.f33643d == 0;
    }

    public static Stream lambda$retrieveCRL$4(i iVar) {
        ASN1Object aSN1Object = iVar.f33642c;
        m[] mVarArr = (aSN1Object instanceof n ? (n) aSN1Object : aSN1Object != null ? new n(r.r(aSN1Object)) : null).f33670c;
        m[] mVarArr2 = new m[mVarArr.length];
        System.arraycopy(mVarArr, 0, mVarArr2, 0, mVarArr.length);
        return Stream.of((Object[]) mVarArr2);
    }

    public static boolean lambda$retrieveCRL$5(m mVar) {
        return mVar.f33669d == 6;
    }

    public static /* synthetic */ String lambda$retrieveCRL$6(m mVar) {
        return ASN1IA5String.getInstance(mVar.g()).getString();
    }

    public /* synthetic */ Stream lambda$retrieveCRL$9(List list, final X509Certificate x509Certificate, SignatureConfig signatureConfig, final String str) {
        SignatureConfig.CRLEntry downloadCRL;
        List list2 = (List) list.stream().filter(new Predicate() { // from class: org.apache.poi.poifs.crypt.dsig.services.a
            @Override // java.util.function.Predicate
            public final boolean test(Object obj) {
                boolean lambda$null$7;
                lambda$null$7 = TSPTimeStampService.this.lambda$null$7(x509Certificate, str, (SignatureConfig.CRLEntry) obj);
                return lambda$null$7;
            }
        }).collect(Collectors.toList());
        Stream filter = list.stream().filter(new b(this, x509Certificate, str));
        if (list2.isEmpty() && (downloadCRL = downloadCRL(signatureConfig, str)) != null) {
            list2.add(downloadCRL);
        }
        return Stream.concat(list2.stream(), filter).map(new org.apache.poi.hwpf.model.b(2));
    }

    public static String lambda$timeStamp$0(X509CertificateHolder x509CertificateHolder) {
        C3353c f = C3353c.f(x509CertificateHolder.f27977c.f33632d.f33686j);
        return f.f32998e.d(f);
    }

    public static boolean lambda$timeStamp$1(C3353c c3353c, BigInteger bigInteger, X509CertificateHolder x509CertificateHolder) {
        return c3353c.equals(C3353c.f(x509CertificateHolder.f27977c.f33632d.f33683g)) && bigInteger.equals(x509CertificateHolder.f27977c.f33632d.f33682e.t());
    }

    public static /* synthetic */ IllegalStateException lambda$timeStamp$2() {
        return new IllegalStateException("TSP response token has no signer certificate");
    }

    public SignatureConfig.CRLEntry downloadCRL(SignatureConfig signatureConfig, String str) {
        if (!signatureConfig.isAllowCRLDownload()) {
            return null;
        }
        TimeStampHttpClient tspHttpClient = signatureConfig.getTspHttpClient();
        tspHttpClient.init(signatureConfig);
        tspHttpClient.setBasicAuthentication(null, null);
        try {
            TimeStampHttpClient.TimeStampHttpClientResponse timeStampHttpClientResponse = tspHttpClient.get(str);
            if (!timeStampHttpClientResponse.isOK()) {
                return null;
            }
            try {
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                byte[] responseBytes = timeStampHttpClientResponse.getResponseBytes();
                return signatureConfig.addCRL(str, ((X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(responseBytes))).getIssuerX500Principal().getName(), responseBytes);
            } catch (GeneralSecurityException e9) {
                LOG.v().b(e9).f(str, "CRL download failed from {}");
                return null;
            }
        } catch (IOException unused) {
        }
    }

    public C0510m mapDigestAlgoToOID(HashAlgorithm hashAlgorithm) {
        int i9 = AnonymousClass1.$SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[hashAlgorithm.ordinal()];
        if (i9 == 1) {
            return InterfaceC3437A.f33621r1;
        }
        if (i9 == 2) {
            return InterfaceC2060a.f24720a;
        }
        if (i9 == 3) {
            return InterfaceC2060a.f24721b;
        }
        if (i9 == 4) {
            return InterfaceC2060a.f24722c;
        }
        throw new IllegalArgumentException("unsupported digest algo: " + hashAlgorithm);
    }

    /* renamed from: matchCRLbyCN */
    public boolean lambda$null$8(SignatureConfig.CRLEntry cRLEntry, X509Certificate x509Certificate, String str) {
        return x509Certificate.getSubjectX500Principal().getName().equals(cRLEntry.getCertCN());
    }

    /* renamed from: matchCRLbyUrl */
    public boolean lambda$null$7(SignatureConfig.CRLEntry cRLEntry, X509Certificate x509Certificate, String str) {
        return str.equals(cRLEntry.getCrlURL());
    }

    /* JADX WARN: Type inference failed for: r2v1, types: [w7.c, org.bouncycastle.asn1.ASN1Object] */
    public List<byte[]> retrieveCRL(final SignatureConfig signatureConfig, final X509Certificate x509Certificate) throws IOException {
        C3440c c3440c;
        final List<SignatureConfig.CRLEntry> crlEntries = signatureConfig.getCrlEntries();
        byte[] extensionValue = x509Certificate.getExtensionValue(k.f33654o.f2825c);
        if (extensionValue == null) {
            return Collections.emptyList();
        }
        Object k9 = AbstractC0514q.k(AbstractC0511n.r(extensionValue).f2831c);
        if (k9 instanceof C3440c) {
            c3440c = (C3440c) k9;
        } else if (k9 != null) {
            r r9 = r.r(k9);
            ?? aSN1Object = new ASN1Object();
            aSN1Object.f33627c = r9;
            c3440c = aSN1Object;
        } else {
            c3440c = null;
        }
        return (List) Stream.of((Object[]) c3440c.f()).map(new d(0)).filter(new org.apache.poi.extractor.ole2.b(1)).filter(new org.apache.poi.hslf.record.n(3)).flatMap(new o(27)).filter(new y6.i(3)).map(new h(27)).flatMap(new Function() { // from class: org.apache.poi.poifs.crypt.dsig.services.e
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                Stream lambda$retrieveCRL$9;
                lambda$retrieveCRL$9 = TSPTimeStampService.this.lambda$retrieveCRL$9(crlEntries, x509Certificate, signatureConfig, (String) obj);
                return lambda$retrieveCRL$9;
            }
        }).filter(new N6.h(2)).collect(Collectors.toList());
    }

    /* JADX WARN: Type inference failed for: r4v11, types: [b8.l, java.lang.Object] */
    /* JADX WARN: Type inference failed for: r5v14, types: [b8.f, java.lang.Object] */
    /* JADX WARN: Type inference failed for: r7v0, types: [c8.x, c8.b, java.lang.Object] */
    @Override // org.apache.poi.poifs.crypt.dsig.services.TimeStampService
    public byte[] timeStamp(SignatureInfo signatureInfo, byte[] bArr, RevocationData revocationData) throws Exception {
        org.bouncycastle.util.c cVar;
        SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
        byte[] digest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo()).digest(bArr);
        BigInteger bigInteger = new BigInteger(128, new SecureRandom());
        i3.i iVar = new i3.i(2);
        iVar.f23857b = C0500c.f2798e;
        String tspRequestPolicy = signatureConfig.getTspRequestPolicy();
        if (tspRequestPolicy != null) {
            iVar.f23856a = new C0510m(tspRequestPolicy);
        }
        org.bouncycastle.tsp.b a9 = iVar.a(mapDigestAlgoToOID(signatureConfig.getTspDigestAlgo()), digest, bigInteger);
        TimeStampHttpClient tspHttpClient = signatureConfig.getTspHttpClient();
        tspHttpClient.init(signatureConfig);
        tspHttpClient.setContentTypeIn(signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : "application/timestamp-query");
        TimeStampHttpClient.TimeStampHttpClientResponse post = tspHttpClient.post(signatureConfig.getTspUrl(), a9.f28141a.getEncoded());
        if (!post.isOK()) {
            throw new IOException("Requesting timestamp data failed");
        }
        byte[] responseBytes = post.getResponseBytes();
        if (responseBytes.length == 0) {
            throw new IllegalStateException("Content-Length is zero");
        }
        org.bouncycastle.tsp.c cVar2 = new org.bouncycastle.tsp.c(responseBytes);
        cVar2.c(a9);
        if (cVar2.a() != 0) {
            J6.c cVar3 = LOG;
            cVar3.h().f(t.a(cVar2.a()), "status: {}");
            cVar3.h().f(cVar2.b(), "status string: {}");
            N n9 = cVar2.f28142a.f32722c.f3334e;
            W6.a aVar = n9 != null ? new W6.a(n9, 0) : null;
            if (aVar != null) {
                cVar3.h().f(t.a(aVar.s()), "fail info int value: {}");
                if (256 == aVar.s()) {
                    cVar3.h().i("unaccepted policy");
                }
            }
            throw new IllegalStateException("timestamp response status != 0: " + cVar2.a());
        }
        org.bouncycastle.tsp.d dVar = cVar2.f28143b;
        D d9 = dVar.f28145b;
        org.bouncycastle.tsp.e eVar = dVar.f28146c;
        A7.c cVar4 = d9.f27991a.f27987c;
        final BigInteger bigInteger2 = cVar4.f87e;
        final C3353c c3353c = cVar4.f86d;
        J6.c cVar5 = LOG;
        cVar5.h().f(bigInteger2, "signer cert serial number: {}");
        cVar5.h().f(c3353c, "signer cert issuer: {}");
        AbstractC0517u abstractC0517u = dVar.f28144a.f28028c.f;
        g.f28027g.getClass();
        if (abstractC0517u != null) {
            InterfaceC0502e[] interfaceC0502eArr = abstractC0517u.f2843c;
            ArrayList arrayList = new ArrayList(interfaceC0502eArr.length);
            int i9 = 0;
            while (i9 < interfaceC0502eArr.length) {
                if (i9 >= interfaceC0502eArr.length) {
                    throw new NoSuchElementException();
                }
                int i10 = i9 + 1;
                AbstractC0514q aSN1Primitive = interfaceC0502eArr[i9].toASN1Primitive();
                if (aSN1Primitive instanceof r) {
                    arrayList.add(new X509CertificateHolder(w7.e.f(aSN1Primitive)));
                }
                i9 = i10;
            }
            cVar = new org.bouncycastle.util.c(arrayList);
        } else {
            cVar = new org.bouncycastle.util.c(new ArrayList());
        }
        Map map = (Map) cVar.d().stream().collect(Collectors.toMap(new o(26), Function.identity()));
        X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) map.values().stream().filter(new Predicate() { // from class: org.apache.poi.poifs.crypt.dsig.services.c
            @Override // java.util.function.Predicate
            public final boolean test(Object obj) {
                boolean lambda$timeStamp$1;
                lambda$timeStamp$1 = TSPTimeStampService.lambda$timeStamp$1(C3353c.this, bigInteger2, (X509CertificateHolder) obj);
                return lambda$timeStamp$1;
            }
        }).findFirst().orElseThrow(new S(28));
        JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter();
        jcaX509CertificateConverter.f27979a = new org.bouncycastle.cert.jcajce.c();
        X509Certificate a10 = jcaX509CertificateConverter.a(x509CertificateHolder);
        do {
            revocationData.addCertificate(a10);
            X500Principal issuerX500Principal = a10.getIssuerX500Principal();
            if (a10.getSubjectX500Principal().equals(issuerX500Principal)) {
                break;
            }
            X509CertificateHolder x509CertificateHolder2 = (X509CertificateHolder) map.get(issuerX500Principal.getName());
            a10 = x509CertificateHolder2 != null ? jcaX509CertificateConverter.a(x509CertificateHolder2) : signatureConfig.getCachedCertificateByPrinicipal(issuerX500Principal.getName());
            if (a10 != null) {
                retrieveCRL(signatureConfig, a10).forEach(new C2188c(revocationData, 6));
            }
        } while (a10 != null);
        D4.a aVar2 = new D4.a();
        ?? obj = new Object();
        ?? obj2 = new Object();
        v vVar = new v();
        ?? obj3 = new Object();
        obj3.f9149a = u.f9152b;
        obj3.f9157b = obj2;
        F f = new F(aVar2, obj, new C0824a(obj3, x509CertificateHolder), vVar);
        d.a aVar3 = dVar.f28147d;
        try {
            b8.g a11 = vVar.a(aVar3.b());
            v.b bVar = ((v.a) a11).f9155b;
            bVar.write(x509CertificateHolder.f27977c.getEncoded());
            bVar.close();
            if (!org.bouncycastle.util.a.d(aVar3.a(), ((v.a) a11).getDigest())) {
                throw new TSPValidationException("certificate hash does not match certID hash.");
            }
            C1914a c1914a = aVar3.f28148a;
            if ((c1914a != null ? c1914a.f23085d : aVar3.f28149b.f23088e) != null) {
                X6.h hVar = new X6.h(x509CertificateHolder.f27977c);
                C1914a c1914a2 = aVar3.f28148a;
                if (!(c1914a2 != null ? c1914a2.f23085d : aVar3.f28149b.f23088e).f33672d.j(hVar.f3424d)) {
                    throw new TSPValidationException("certificate serial number does not match certID for signature.");
                }
                C1914a c1914a3 = aVar3.f28148a;
                m[] mVarArr = (c1914a3 != null ? c1914a3.f23085d : aVar3.f28149b.f23088e).f33671c.f33670c;
                int length = mVarArr.length;
                m[] mVarArr2 = new m[length];
                System.arraycopy(mVarArr, 0, mVarArr2, 0, mVarArr.length);
                for (int i11 = 0; i11 != length; i11++) {
                    m mVar = mVarArr2[i11];
                    if (mVar.f33669d != 4 || !C3353c.f(mVar.f33668c).equals(C3353c.f(hVar.f3423c))) {
                    }
                }
                throw new TSPValidationException("certificate name does not match certID for signature. ");
            }
            org.bouncycastle.tsp.a.a(x509CertificateHolder);
            if (!x509CertificateHolder.a(eVar.f28151b)) {
                throw new TSPValidationException("certificate not valid when time stamp created.");
            }
            if (!dVar.f28145b.d(f)) {
                throw new TSPValidationException("signature not created by certificate.");
            }
            if (signatureConfig.getTspValidator() != null) {
                signatureConfig.getTspValidator().validate(revocationData.getX509chain(), revocationData);
            }
            LOG.h().f(eVar.f28151b, "time-stamp token time: {}");
            return dVar.f28144a.f28029d.e(ASN1Encoding.DL);
        } catch (IOException e9) {
            throw new TSPException(E8.a.q("problem processing certificate: ", e9), e9);
        } catch (CMSException e10) {
            if (e10.a() != null) {
                throw new TSPException(e10.getMessage(), e10.a());
            }
            throw new TSPException("CMS exception: " + e10, e10);
        } catch (OperatorCreationException e11) {
            throw new TSPException("unable to create digest: " + e11.getMessage(), e11);
        }
    }
}
