package com.itextpdf.signatures;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.io.font.PdfEncodings;
import com.itextpdf.io.source.ByteBuffer;
import com.itextpdf.kernel.exceptions.PdfException;
import com.itextpdf.kernel.pdf.PdfArray;
import com.itextpdf.kernel.pdf.PdfCatalog;
import com.itextpdf.kernel.pdf.PdfDeveloperExtension;
import com.itextpdf.kernel.pdf.PdfDictionary;
import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfIndirectReference;
import com.itextpdf.kernel.pdf.PdfName;
import com.itextpdf.kernel.pdf.PdfObject;
import com.itextpdf.kernel.pdf.PdfStream;
import com.itextpdf.kernel.pdf.PdfVersion;
import com.itextpdf.signatures.OID;
import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import com.itextpdf.text.pdf.security.SecurityConstants;
import fd.b;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/* loaded from: classes3.dex */
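/**
 * Collects long-term-validation material (OCSP responses, CRLs and certificates) for the
 * signatures of a PDF document and writes it into the document's {@code /DSS} dictionary,
 * with one {@code /VRI} entry per signature.
 *
 * <p>Typical use: call one of the {@code addVerification} overloads per signature, then call
 * {@link #merge()} once. After {@code merge()} has written the DSS, further
 * {@code addVerification} calls throw {@link IllegalStateException}.
 *
 * <p>This listing is decompiler output: parameter names such as {@code x509Certificate2} are
 * generated, so each method's Javadoc states the role of every parameter.
 *
 * <p>NOTE(review): nothing in this class decides whether a signature is trusted. It gathers
 * and embeds revocation data; how far that data can be relied on depends on the
 * {@code IOcspClient}, {@code ICrlClient} and {@code IIssuingCertificateRetriever}
 * implementations that are plugged in.
 */
public class LtvVerification {
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();
    private static final fd.a LOGGER = b.d(LtvVerification.class);
    // Document whose catalog receives the /DSS entry.
    private final PdfDocument document;
    // Supplies missing chain certificates and CRL issuer certificates (ALL_CERTIFICATES only).
    private IIssuingCertificateRetriever issuingCertificateRetriever;
    // Whether missing revocation data for the signing certificate is an error.
    private RevocationDataNecessity revocationDataNecessity;
    // Provider name handed to SignatureUtil.readSignatureData; null unless set by constructor.
    private String securityProviderCode;
    private final SignatureUtil sgnUtil;
    // Set by merge(); once true, addVerification refuses further input.
    private boolean used;
    // VRI key (see getSignatureHashKey) -> validation data collected for that signature.
    private final Map<PdfName, ValidationData> validated;

    /** Whether the encoded certificates that were visited are stored alongside the revocation data. */
    public enum CertificateInclusion {
        // Every certificate visited during collection is added to ValidationData.certs.
        YES,
        // No certificates are stored.
        NO
    }

    /** Which certificates revocation data is collected for. */
    public enum CertificateOption {
        // Only the signing certificate itself.
        SIGNING_CERTIFICATE,
        // Every certificate in the array read from the signature.
        WHOLE_CHAIN,
        // As WHOLE_CHAIN, plus certificates fetched by the issuing-certificate retriever,
        // timestamp certificates, certificates embedded in OCSP responses and CRL issuers.
        ALL_CERTIFICATES
    }

    /** Which revocation sources are queried for each certificate. */
    public enum Level {
        // OCSP only; the CRL client is never queried.
        OCSP,
        // CRL only; the OCSP client is never queried.
        CRL,
        // Both OCSP and CRL.
        OCSP_CRL,
        // OCSP first; CRL only when no "good" OCSP response was stored.
        OCSP_OPTIONAL_CRL
    }

    /** Whether the signing certificate must end up with revocation data. */
    public enum RevocationDataNecessity {
        // Collection throws PdfException when nothing was added for the signing certificate.
        REQUIRED_FOR_SIGNING_CERTIFICATE,
        // Missing revocation data is tolerated.
        OPTIONAL
    }

    /** Encoded revocation material collected for one signature; all lists start empty. */
    public static class ValidationData {
        // Encoded certificates (filled only for CertificateInclusion.YES or by the raw overload).
        public List<byte[]> certs;
        // Encoded CRLs.
        public List<byte[]> crls;
        // Encoded OCSP responses, already wrapped by buildOCSPResponse.
        public List<byte[]> ocsps;

        private ValidationData() {
            this.crls = new ArrayList<>();
            this.ocsps = new ArrayList<>();
            this.certs = new ArrayList<>();
        }
    }

    /**
     * Creates a collector for the given document with no security provider, optional
     * revocation data and a {@code DefaultIssuingCertificateRetriever}.
     *
     * @param pdfDocument document that will receive the DSS
     */
    public LtvVerification(PdfDocument pdfDocument) {
        this.validated = new HashMap<>();
        this.used = false;
        this.securityProviderCode = null;
        this.revocationDataNecessity = RevocationDataNecessity.OPTIONAL;
        this.issuingCertificateRetriever = new DefaultIssuingCertificateRetriever();
        this.document = pdfDocument;
        this.sgnUtil = new SignatureUtil(pdfDocument);
    }

    /**
     * Creates a collector as {@link #LtvVerification(PdfDocument)} does and records a security
     * provider name that is later passed to {@code SignatureUtil.readSignatureData}.
     *
     * @param pdfDocument document that will receive the DSS
     * @param str security provider name
     */
    public LtvVerification(PdfDocument pdfDocument, String str) {
        this(pdfDocument);
        this.securityProviderCode = str;
    }

    /**
     * Collects OCSP and/or CRL data for one certificate and, for
     * {@link CertificateOption#ALL_CERTIFICATES}, recurses into the certificates that issued
     * that revocation data.
     *
     * @param x509Certificate the signing certificate of the signature being processed
     * @param certificateArr chain used to find the issuer of {@code x509Certificate2}
     * @param x509Certificate2 the certificate revocation data is collected for
     * @param iOcspClient OCSP source, may be {@code null}
     * @param iCrlClient CRL source, may be {@code null}
     * @param level which sources to query
     * @param certificateInclusion passed through unchanged; not read in this method
     * @param certificateOption scope of collection
     * @param validationData accumulator for the collected bytes
     * @param set certificates already visited; {@code x509Certificate2} is added to it
     * @throws PdfException if revocation data is required for the signing certificate and none
     *         was added for it
     */
    private void addRevocationDataForCertificate(X509Certificate x509Certificate, Certificate[] certificateArr, X509Certificate x509Certificate2, IOcspClient iOcspClient, ICrlClient iCrlClient, Level level, CertificateInclusion certificateInclusion, CertificateOption certificateOption, ValidationData validationData, Set<X509Certificate> set) {
        // Mark as visited first so recursive calls cannot loop back to this certificate.
        set.add(x509Certificate2);
        // Certificates carrying the validity-assured short-term extension get no revocation data.
        if (SignUtils.getExtensionValueByOid(x509Certificate2, OID.X509Extensions.VALIDITY_ASSURED_SHORT_TERM) != null) {
            LOGGER.info(MessageFormatUtil.format(SignLogMessageConstant.REVOCATION_DATA_NOT_ADDED_VALIDITY_ASSURED, x509Certificate2.getSubjectX500Principal()));
            return;
        }
        boolean revocationDataAdded = false;
        byte[] goodOcspResponse = null;
        if (iOcspClient != null && level != Level.CRL) {
            byte[] ocspEncoded = iOcspClient.getEncoded(x509Certificate2, getParent(x509Certificate2, certificateArr), null);
            // Only a response whose certificate status is "good" is stored.
            // NOTE(review): this method checks the status only. Whether the response is signed
            // by an authorised responder, is fresh and refers to x509Certificate2 is left to the
            // IOcspClient implementation, which is not visible here; confirm before relying on it.
            if (ocspEncoded != null && BOUNCY_CASTLE_FACTORY.createCertificateStatus().getGood().equals(OcspClientBouncyCastle.getCertificateStatus(ocspEncoded))) {
                validationData.ocsps.add(buildOCSPResponse(ocspEncoded));
                LOGGER.info("OCSP added");
                if (certificateOption == CertificateOption.ALL_CERTIFICATES) {
                    addRevocationDataForOcspCert(ocspEncoded, x509Certificate, iOcspClient, iCrlClient, level, certificateInclusion, certificateOption, validationData, set);
                }
                revocationDataAdded = true;
                goodOcspResponse = ocspEncoded;
            }
        }
        // Always null in this method; presumably the optional CRL URL of ICrlClient.getEncoded.
        String crlUrl = null;
        Collection<byte[]> encodedCrls;
        if (iCrlClient != null && ((level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && goodOcspResponse == null)) && (encodedCrls = iCrlClient.getEncoded(x509Certificate2, crlUrl)) != null)) {
            for (byte[] crl : encodedCrls) {
                // Skip byte-identical CRLs. The listing as decompiled kept iterating
                // validationData.crls after appending to it, which ends in a
                // ConcurrentModificationException on the first new CRL; the duplicate check is
                // therefore completed before the list is modified.
                if (containsEncoded(validationData.crls, crl)) {
                    continue;
                }
                validationData.crls.add(crl);
                LOGGER.info("CRL added");
                if (certificateOption == CertificateOption.ALL_CERTIFICATES) {
                    addRevocationDataForChain(x509Certificate, this.issuingCertificateRetriever.getCrlIssuerCertificates(SignUtils.parseCrlFromStream(new ByteArrayInputStream(crl))), iOcspClient, iCrlClient, level, certificateInclusion, certificateOption, validationData, set);
                }
                revocationDataAdded = true;
            }
        }
        if (this.revocationDataNecessity == RevocationDataNecessity.REQUIRED_FOR_SIGNING_CERTIFICATE && x509Certificate.equals(x509Certificate2) && !revocationDataAdded) {
            throw new PdfException(SignExceptionMessageConstant.NO_REVOCATION_DATA_FOR_SIGNING_CERTIFICATE);
        }
    }

    /** Returns whether {@code stored} already holds an array with the same bytes as {@code candidate}. */
    private static boolean containsEncoded(List<byte[]> stored, byte[] candidate) {
        for (byte[] existing : stored) {
            if (Arrays.equals(existing, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collects revocation data for every not-yet-visited certificate of a chain that is in
     * scope for {@code certificateOption}.
     *
     * @param x509Certificate the signing certificate of the signature being processed
     * @param certificateArr certificates to walk; every element is cast to X509Certificate
     * @param iOcspClient OCSP source, may be {@code null}
     * @param iCrlClient CRL source, may be {@code null}
     * @param level which sources to query
     * @param certificateInclusion passed through unchanged
     * @param certificateOption scope of collection
     * @param validationData accumulator for the collected bytes
     * @param set certificates already visited
     */
    private void addRevocationDataForChain(X509Certificate x509Certificate, Certificate[] certificateArr, IOcspClient iOcspClient, ICrlClient iCrlClient, Level level, CertificateInclusion certificateInclusion, CertificateOption certificateOption, ValidationData validationData, Set<X509Certificate> set) {
        // ALL_CERTIFICATES lets the retriever complete the chain before it is walked.
        Certificate[] chain = certificateOption == CertificateOption.ALL_CERTIFICATES ? retrieveMissingCertificates(certificateArr) : certificateArr;
        for (Certificate certificate : chain) {
            X509Certificate current = (X509Certificate) certificate;
            LOGGER.info(MessageFormatUtil.format("Certificate: {0}", BOUNCY_CASTLE_FACTORY.createX500Name(current)));
            // SIGNING_CERTIFICATE restricts processing to the signing certificate itself.
            boolean inScope = certificateOption != CertificateOption.SIGNING_CERTIFICATE || current.equals(x509Certificate);
            if (inScope && !set.contains(current)) {
                addRevocationDataForCertificate(x509Certificate, chain, current, iOcspClient, iCrlClient, level, certificateInclusion, certificateOption, validationData, set);
            }
        }
    }

    /**
     * Collects revocation data for the certificates embedded in an OCSP response.
     *
     * <p>The first embedded certificate whose key verifies the response signature is treated
     * as the responder. If it carries the {@code id-pkix-ocsp-nocheck} extension it is marked
     * as visited and left out, so no revocation data is fetched for it. When no embedded
     * certificate verifies the signature, all embedded certificates are still processed.
     *
     * @param bArr encoded basic OCSP response
     * @param x509Certificate the signing certificate of the signature being processed
     * @param iOcspClient OCSP source, may be {@code null}
     * @param iCrlClient CRL source, may be {@code null}
     * @param level which sources to query
     * @param certificateInclusion passed through unchanged
     * @param certificateOption scope of collection
     * @param validationData accumulator for the collected bytes
     * @param set certificates already visited
     */
    private void addRevocationDataForOcspCert(byte[] bArr, X509Certificate x509Certificate, IOcspClient iOcspClient, ICrlClient iCrlClient, Level level, CertificateInclusion certificateInclusion, CertificateOption certificateOption, ValidationData validationData, Set<X509Certificate> set) {
        IBouncyCastleFactory factory = BOUNCY_CASTLE_FACTORY;
        IBasicOCSPResp basicResponse = factory.createBasicOCSPResp(factory.createBasicOCSPResponse(bArr));
        List<X509Certificate> embeddedCerts = iterableToList(SignUtils.getCertsFromOcspResponse(basicResponse));
        X509Certificate responder = null;
        for (X509Certificate candidate : embeddedCerts) {
            if (SignUtils.isSignatureValid(basicResponse, candidate, BOUNCY_CASTLE_FACTORY.getProviderName())) {
                responder = candidate;
                break;
            }
        }
        if (responder != null && SignUtils.getExtensionValueByOid(responder, OID.X509Extensions.ID_PKIX_OCSP_NOCHECK) != null) {
            embeddedCerts.remove(responder);
            set.add(responder);
        }
        addRevocationDataForChain(x509Certificate, (Certificate[]) embeddedCerts.toArray(new X509Certificate[0]), iOcspClient, iCrlClient, level, certificateInclusion, certificateOption, validationData, set);
    }

    /**
     * Wraps an encoded basic OCSP response in an OCSP response with status "successful" and
     * response type {@code id-pkix-ocsp-basic}.
     *
     * @param bArr encoded basic OCSP response
     * @return the encoded wrapping OCSP response
     */
    private static byte[] buildOCSPResponse(byte[] bArr) {
        IBouncyCastleFactory iBouncyCastleFactory = BOUNCY_CASTLE_FACTORY;
        return iBouncyCastleFactory.createOCSPResp(iBouncyCastleFactory.createOCSPResponse(iBouncyCastleFactory.createOCSPResponseStatus(iBouncyCastleFactory.createOCSPRespBuilderInstance().getSuccessful()), iBouncyCastleFactory.createResponseBytes(iBouncyCastleFactory.createOCSPObjectIdentifiers().getIdPkixOcspBasic(), iBouncyCastleFactory.createDEROctetString(bArr)))).getEncoded();
    }

    /**
     * Converts bytes to an upper-case hexadecimal string.
     *
     * @param bArr bytes to convert
     * @return upper-case hex representation
     */
    public static String convertToHex(byte[] bArr) {
        ByteBuffer byteBuffer = new ByteBuffer();
        for (byte b10 : bArr) {
            byteBuffer.appendHex(b10);
        }
        return PdfEncodings.convertToString(byteBuffer.toByteArray(), null).toUpperCase();
    }

    /** Writes a fresh DSS (new dictionaries and arrays) into the catalog. */
    private void createDss() {
        outputDss(new PdfDictionary(), new PdfDictionary(), new PdfArray(), new PdfArray(), new PdfArray());
    }

    /**
     * Removes from {@code pdfArray} every element whose indirect reference equals that of an
     * element of {@code pdfArray2}. Does nothing when either array is {@code null}.
     *
     * <p>NOTE(review): references are compared with {@code Objects.equals}, so if
     * {@code getIndirectReference()} returns {@code null} for direct objects, a direct element
     * in {@code pdfArray2} would match every direct element of {@code pdfArray}; confirm.
     *
     * @param pdfArray document-wide array to prune
     * @param pdfArray2 entries of the VRI dictionary that is about to be replaced
     */
    private static void deleteOldReferences(PdfArray pdfArray, PdfArray pdfArray2) {
        if (pdfArray == null || pdfArray2 == null) {
            return;
        }
        for (PdfObject stale : pdfArray2) {
            PdfIndirectReference staleRef = stale.getIndirectReference();
            int i = 0;
            while (i < pdfArray.size()) {
                if (Objects.equals(staleRef, pdfArray.get(i).getIndirectReference())) {
                    pdfArray.remove(i);
                    // Stay on the same index: the next element has shifted into it.
                    i--;
                }
                i++;
            }
        }
    }

    /**
     * Builds the VRI key of a signature: the upper-case hex digest of its {@code /Contents}.
     *
     * <p>The digest is used as a lookup key only, and SHA-1 is what the DSS/VRI format
     * prescribes for it, so the algorithm must not be swapped for a stronger one.
     *
     * @param str signature field name
     * @return the VRI dictionary key for that signature
     */
    private PdfName getSignatureHashKey(String str) {
        return new PdfName(convertToHex(hashBytesSha1(PdfEncodings.convertToBytes(this.sgnUtil.getSignature(str).getContents().getValue(), (String) null))));
    }

    /**
     * Digests the bytes with the algorithm named by {@code SecurityConstants.SHA1}.
     *
     * <p>NOTE(review): {@code MessageDigest.getInstance} declares
     * {@code NoSuchAlgorithmException}; the {@code throws} clause appears to have been dropped
     * by the decompiler here and in the callers.
     */
    private static byte[] hashBytesSha1(byte[] bArr) {
        return MessageDigest.getInstance(SecurityConstants.SHA1).digest(bArr);
    }

    /** Copies the elements of {@code iterable} into a new mutable list, in iteration order. */
    private static List<X509Certificate> iterableToList(Iterable<X509Certificate> iterable) {
        List<X509Certificate> list = new ArrayList<>();
        for (X509Certificate certificate : iterable) {
            list.add(certificate);
        }
        return list;
    }

    /**
     * Writes all collected validation data into the given DSS structures and installs the DSS
     * in the document catalog.
     *
     * @param pdfDictionary the DSS dictionary
     * @param pdfDictionary2 the VRI dictionary
     * @param pdfArray document-wide {@code /OCSPs} array
     * @param pdfArray2 document-wide {@code /CRLs} array
     * @param pdfArray3 document-wide {@code /Certs} array
     */
    private void outputDss(PdfDictionary pdfDictionary, PdfDictionary pdfDictionary2, PdfArray pdfArray, PdfArray pdfArray2, PdfArray pdfArray3) {
        PdfCatalog catalog = this.document.getCatalog();
        // Documents older than PDF 2.0 get the ESIC developer extension declared.
        if (this.document.getPdfVersion().compareTo(PdfVersion.PDF_2_0) < 0) {
            catalog.addDeveloperExtension(PdfDeveloperExtension.ESIC_1_7_EXTENSIONLEVEL5);
        }
        for (Map.Entry<PdfName, ValidationData> entry : this.validated.entrySet()) {
            ValidationData data = entry.getValue();
            PdfArray vriOcsps = new PdfArray();
            PdfArray vriCrls = new PdfArray();
            PdfArray vriCerts = new PdfArray();
            PdfDictionary vriEntry = new PdfDictionary();
            // Each stream is referenced both from the per-signature VRI entry and from the
            // document-wide array.
            for (byte[] crl : data.crls) {
                PdfStream crlStream = new PdfStream(crl);
                crlStream.setCompressionLevel(-1);
                crlStream.makeIndirect(this.document);
                vriCrls.add(crlStream);
                pdfArray2.add(crlStream);
                pdfArray2.setModified();
            }
            // Unlike CRL and certificate streams, OCSP streams are not made indirect here.
            for (byte[] ocsp : data.ocsps) {
                PdfStream ocspStream = new PdfStream(ocsp);
                ocspStream.setCompressionLevel(-1);
                vriOcsps.add(ocspStream);
                pdfArray.add(ocspStream);
                pdfArray.setModified();
            }
            for (byte[] cert : data.certs) {
                PdfStream certStream = new PdfStream(cert);
                certStream.setCompressionLevel(-1);
                certStream.makeIndirect(this.document);
                vriCerts.add(certStream);
                pdfArray3.add(certStream);
                pdfArray3.setModified();
            }
            // Empty arrays are left out of the VRI entry.
            if (vriOcsps.size() > 0) {
                vriOcsps.makeIndirect(this.document);
                vriEntry.put(PdfName.OCSP, vriOcsps);
            }
            if (vriCrls.size() > 0) {
                vriCrls.makeIndirect(this.document);
                vriEntry.put(PdfName.CRL, vriCrls);
            }
            if (vriCerts.size() > 0) {
                vriCerts.makeIndirect(this.document);
                vriEntry.put(PdfName.Cert, vriCerts);
            }
            vriEntry.makeIndirect(this.document);
            pdfDictionary2.put(entry.getKey(), vriEntry);
        }
        pdfDictionary2.makeIndirect(this.document);
        pdfDictionary2.setModified();
        pdfDictionary.put(PdfName.VRI, pdfDictionary2);
        if (pdfArray.size() > 0) {
            pdfArray.makeIndirect(this.document);
            pdfDictionary.put(PdfName.OCSPs, pdfArray);
        }
        if (pdfArray2.size() > 0) {
            pdfArray2.makeIndirect(this.document);
            pdfDictionary.put(PdfName.CRLs, pdfArray2);
        }
        if (pdfArray3.size() > 0) {
            pdfArray3.makeIndirect(this.document);
            pdfDictionary.put(PdfName.Certs, pdfArray3);
        }
        pdfDictionary.makeIndirect(this.document);
        pdfDictionary.setModified();
        catalog.put(PdfName.DSS, pdfDictionary);
    }

    /**
     * Asks the issuing-certificate retriever to complete the chain of each given certificate
     * and returns the union, in first-seen order.
     *
     * <p>Results are keyed by subject distinguished name, so two different certificates that
     * share a subject name collapse into one entry and the last one seen is kept.
     *
     * @param certificateArr certificates to complete
     * @return the completed set of certificates
     */
    private Certificate[] retrieveMissingCertificates(Certificate[] certificateArr) {
        Map<String, Certificate> bySubject = new LinkedHashMap<>();
        for (Certificate certificate : certificateArr) {
            for (Certificate retrieved : this.issuingCertificateRetriever.retrieveMissingCertificates(new Certificate[]{certificate})) {
                bySubject.put(((X509Certificate) retrieved).getSubjectX500Principal().getName(), retrieved);
            }
        }
        return (Certificate[]) bySubject.values().toArray(new Certificate[0]);
    }

    /**
     * Merges the collected validation data into the DSS that already exists in the catalog.
     * Entries referenced by VRI dictionaries that are about to be replaced are first removed
     * from the document-wide arrays.
     *
     * <p>NOTE(review): {@code getAsDictionary(PdfName.DSS)} is dereferenced without a null
     * check. {@link #merge()} only tests that a {@code /DSS} entry exists, so a document whose
     * {@code /DSS} is not a dictionary presumably fails here with a NullPointerException;
     * confirm and consider rejecting such input explicitly.
     */
    private void updateDss() {
        PdfDictionary catalogDict = this.document.getCatalog().getPdfObject();
        catalogDict.setModified();
        PdfDictionary dss = catalogDict.getAsDictionary(PdfName.DSS);
        PdfName ocspsName = PdfName.OCSPs;
        PdfArray ocsps = dss.getAsArray(ocspsName);
        PdfName crlsName = PdfName.CRLs;
        PdfArray crls = dss.getAsArray(crlsName);
        PdfName certsName = PdfName.Certs;
        PdfArray certs = dss.getAsArray(certsName);
        // outputDss puts the arrays back only when they are non-empty.
        dss.remove(ocspsName);
        dss.remove(crlsName);
        dss.remove(certsName);
        PdfDictionary vri = dss.getAsDictionary(PdfName.VRI);
        if (vri != null) {
            for (PdfName vriKey : vri.keySet()) {
                PdfDictionary oldEntry;
                if (this.validated.containsKey(vriKey) && (oldEntry = vri.getAsDictionary(vriKey)) != null) {
                    deleteOldReferences(ocsps, oldEntry.getAsArray(PdfName.OCSP));
                    deleteOldReferences(crls, oldEntry.getAsArray(PdfName.CRL));
                    deleteOldReferences(certs, oldEntry.getAsArray(PdfName.Cert));
                }
            }
        }
        if (ocsps == null) {
            ocsps = new PdfArray();
        }
        PdfArray crlsOut = crls == null ? new PdfArray() : crls;
        PdfArray certsOut = certs == null ? new PdfArray() : certs;
        if (vri == null) {
            vri = new PdfDictionary();
        }
        outputDss(dss, vri, ocsps, crlsOut, certsOut);
    }

    /**
     * Collects revocation data for a signature by querying the given clients.
     *
     * <p>A second call for the same signature replaces the data stored by the first.
     *
     * @param str signature field name
     * @param iOcspClient OCSP source, may be {@code null}
     * @param iCrlClient CRL source, may be {@code null}
     * @param certificateOption which certificates to cover
     * @param level which sources to query
     * @param certificateInclusion whether the visited certificates are stored as well
     * @return {@code true} if at least one CRL or OCSP response was collected and registered;
     *         {@code false} if none was, in which case nothing is stored for the signature
     * @throws IllegalStateException if {@link #merge()} has already written the DSS
     * @throws PdfException if revocation data is required for the signing certificate and
     *         none was obtained
     */
    public boolean addVerification(String str, IOcspClient iOcspClient, ICrlClient iCrlClient, CertificateOption certificateOption, Level level, CertificateInclusion certificateInclusion) {
        if (this.used) {
            throw new IllegalStateException(SignExceptionMessageConstant.VERIFICATION_ALREADY_OUTPUT);
        }
        PdfPKCS7 signatureData = this.sgnUtil.readSignatureData(str, this.securityProviderCode);
        LOGGER.info("Adding verification for " + str);
        Certificate[] certificates = signatureData.getCertificates();
        X509Certificate signingCertificate = signatureData.getSigningCertificate();
        ValidationData validationData = new ValidationData();
        Set<X509Certificate> visited = new HashSet<>();
        addRevocationDataForChain(signingCertificate, certificates, iOcspClient, iCrlClient, level, certificateInclusion, certificateOption, validationData, visited);
        if (certificateOption == CertificateOption.ALL_CERTIFICATES) {
            addRevocationDataForChain(signingCertificate, signatureData.getTimestampCertificates(), iOcspClient, iCrlClient, level, certificateInclusion, certificateOption, validationData, visited);
        }
        if (certificateInclusion == CertificateInclusion.YES) {
            for (X509Certificate certificate : visited) {
                validationData.certs.add(certificate.getEncoded());
            }
        }
        if (validationData.crls.isEmpty() && validationData.ocsps.isEmpty()) {
            return false;
        }
        this.validated.put(getSignatureHashKey(str), validationData);
        return true;
    }

    /**
     * Registers caller-supplied validation data for a signature.
     *
     * <p>The bytes are stored as given: CRLs and certificates are not parsed or checked, and
     * each OCSP entry is only wrapped by {@code buildOCSPResponse}. Callers are responsible
     * for the integrity and relevance of what they pass in.
     *
     * @param str signature field name
     * @param collection encoded basic OCSP responses, may be {@code null}
     * @param collection2 encoded CRLs, may be {@code null}
     * @param collection3 encoded certificates, may be {@code null}
     * @return always {@code true}
     * @throws IllegalStateException if {@link #merge()} has already written the DSS
     */
    public boolean addVerification(String str, Collection<byte[]> collection, Collection<byte[]> collection2, Collection<byte[]> collection3) {
        if (this.used) {
            throw new IllegalStateException(SignExceptionMessageConstant.VERIFICATION_ALREADY_OUTPUT);
        }
        ValidationData validationData = new ValidationData();
        if (collection != null) {
            for (byte[] ocsp : collection) {
                validationData.ocsps.add(buildOCSPResponse(ocsp));
            }
        }
        if (collection2 != null) {
            validationData.crls.addAll(collection2);
        }
        if (collection3 != null) {
            validationData.certs.addAll(collection3);
        }
        this.validated.put(getSignatureHashKey(str), validationData);
        return true;
    }

    /**
     * Finds the issuer of a certificate among the given candidates: the first one whose
     * subject equals the certificate's issuer and whose public key verifies its signature.
     *
     * <p>This links a chain; it is not path validation. Validity periods, CA constraints and
     * key usage of the candidate are not examined.
     *
     * @param x509Certificate certificate whose issuer is wanted
     * @param certificateArr candidate issuers; every element is cast to X509Certificate
     * @return the issuing certificate, or {@code null} if no candidate qualifies
     */
    public X509Certificate getParent(X509Certificate x509Certificate, Certificate[] certificateArr) {
        for (Certificate certificate : certificateArr) {
            X509Certificate candidate = (X509Certificate) certificate;
            if (x509Certificate.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) {
                try {
                    x509Certificate.verify(candidate.getPublicKey());
                    return candidate;
                } catch (Exception ignored) {
                    // Deliberately ignored: a failed verification only means this candidate
                    // is not the issuer, so the search moves on to the next one.
                }
            }
        }
        return null;
    }

    /**
     * Writes the collected validation data into the document's DSS, creating the DSS when the
     * catalog has none and updating it otherwise. Does nothing if already called or if no
     * validation data has been registered.
     */
    public void merge() {
        if (this.used || this.validated.isEmpty()) {
            return;
        }
        this.used = true;
        if (this.document.getCatalog().getPdfObject().get(PdfName.DSS) == null) {
            createDss();
        } else {
            updateDss();
        }
    }

    /**
     * Replaces the retriever used to complete chains and to find CRL issuer certificates.
     *
     * @param iIssuingCertificateRetriever retriever to use from now on
     * @return this instance
     */
    public LtvVerification setIssuingCertificateRetriever(IIssuingCertificateRetriever iIssuingCertificateRetriever) {
        this.issuingCertificateRetriever = iIssuingCertificateRetriever;
        return this;
    }

    /**
     * Sets whether missing revocation data for the signing certificate is an error.
     *
     * @param revocationDataNecessity the requirement to apply from now on
     * @return this instance
     */
    public LtvVerification setRevocationDataNecessity(RevocationDataNecessity revocationDataNecessity) {
        this.revocationDataNecessity = revocationDataNecessity;
        return this;
    }
}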
