package com.appmattus.certificatetransparency.internal.verifier;

import am.b;
import am.d;
import am.e;
import am.h;
import am.j;
import com.appmattus.certificatetransparency.SctVerificationResult;
import com.appmattus.certificatetransparency.internal.serialization.CTConstants;
import com.appmattus.certificatetransparency.internal.serialization.OutputStreamExtKt;
import com.appmattus.certificatetransparency.internal.utils.CertificateExtKt;
import com.appmattus.certificatetransparency.internal.verifier.model.IssuerInformation;
import com.appmattus.certificatetransparency.internal.verifier.model.SignedCertificateTimestamp;
import com.appmattus.certificatetransparency.internal.verifier.model.Version;
import com.appmattus.certificatetransparency.loglist.LogServer;
import d3.i4;
import gl.v;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
import kotlin.jvm.internal.i;
import kotlin.jvm.internal.p;
import tj.n;
import xn.a;
import yl.c;

/* loaded from: classes.dex */
/**
 * Verifies the signature on a Signed Certificate Timestamp (SCT) against the single
 * Certificate Transparency log described by the {@link LogServer} given at construction.
 *
 * <p>This listing is decompiler output. Types and members from the {@code am}, {@code gl},
 * {@code yl}, {@code tj}, {@code xn}, {@code d3} and {@code kotlin.jvm.internal} imports carry
 * obfuscated names, so every comment about what they do is an inference and is marked as such.
 *
 * <p>Scope, as far as this class shows: it checks the SCT timestamp, the log identity and the
 * log's signature over the reconstructed signed data. No certificate-chain or trust validation
 * is visible here, so callers must establish chain trust separately.
 */
public final class LogSignatureVerifier implements SignatureVerifier {
    // Presumably the Kotlin companion-object holder; it carries no state or methods in this listing.
    public static final Companion Companion = new Companion(null);
    // Entry-type value written (2 bytes) into the signed data for pre-certificate entries.
    private static final long PRECERT_ENTRY = 1;
    // OID of the X.509 Authority Key Identifier extension.
    private static final String X509_AUTHORITY_KEY_IDENTIFIER = "2.5.29.35";
    // Declared but not referenced in this listing; serializeSignedSctData writes a literal 0L instead.
    private static final long X509_ENTRY = 0;
    // The log whose key, id and validUntil value every check in this class is made against.
    private final LogServer logServer;

    /* loaded from: classes.dex */
    /** Empty companion type; only its constructors are present in this listing. */
    public static final class Companion {
        private Companion() {
        }

        // Synthetic constructor; the argument is ignored.
        public /* synthetic */ Companion(i iVar) {
            this();
        }
    }

    /**
     * Creates a verifier bound to one log.
     *
     * @param logServer the log whose public key, id and validity limit are used for verification
     */
    public LogSignatureVerifier(LogServer logServer) {
        // presumably Kotlin's generated non-null parameter check (obfuscated) — confirm
        p.e(logServer, "logServer");
        this.logServer = logServer;
    }

    /**
     * Rebuilds the to-be-signed (TBS) certificate structure that a pre-certificate SCT is
     * verified over.
     *
     * <p>The certificate is re-parsed from its encoding, the extensions matching
     * {@code CTConstants.POISON_EXTENSION_OID} and {@code CTConstants.SCT_CERTIFICATE_OID} are
     * dropped, and the remaining fields are copied into a new structure. The issuer name and the
     * Authority Key Identifier extension are replaced by the values in {@code issuerInformation}
     * when it supplies them.
     *
     * @param x509Certificate certificate to rebuild from; must report X.509 version 3 or higher
     * @param issuerInformation issuer details used for the name and AKI substitution
     * @return the rebuilt structure (obfuscated type; the string constant below refers to it as
     *         tbsCertificate)
     * @throws IllegalArgumentException if the version is below 3, or if the certificate carries
     *         an AKI extension and the issuer information reports a pre-certificate signing
     *         certificate but supplies no replacement AKI
     */
    private final h createTbsForVerification(X509Certificate x509Certificate, IssuerInformation issuerInformation) {
        // Extensions exist only from X.509 v3 on; anything older is rejected with an unchecked exception.
        if (!(x509Certificate.getVersion() >= 3)) {
            throw new IllegalArgumentException("Failed requirement.".toString());
        }
        // presumably an ASN.1 input stream over the DER encoding (obfuscated gl.p) — confirm
        gl.p pVar = new gl.p(x509Certificate.getEncoded());
        try {
            b parsedPreCertificate = b.s(pVar.e());
            p.d(parsedPreCertificate, "parsedPreCertificate");
            h hVar = parsedPreCertificate.f292o;
            // When the AKI has to be rewritten (certificate has one and the issuer was a
            // pre-certificate signing cert), a replacement AKI must be available; without it the
            // rebuilt TBS would keep the signing cert's AKI.
            if (hasX509AuthorityKeyIdentifier(parsedPreCertificate) && issuerInformation.getIssuedByPreCertificateSigningCert()) {
                if (!(issuerInformation.getX509authorityKeyIdentifier() != null)) {
                    throw new IllegalArgumentException("Failed requirement.".toString());
                }
            }
            e eVar = hVar.f319y;
            p.d(eVar, "parsedPreCertificate.tbsCertificate.extensions");
            List<d> extensionsWithoutPoisonAndSct = getExtensionsWithoutPoisonAndSct(eVar, issuerInformation.getX509authorityKeyIdentifier());
            // jVar is a builder: fields are copied one by one from the parsed structure and
            // jVar.a() below produces the result. Field meanings are obfuscated — confirm the
            // mapping against the unobfuscated library before relying on it.
            j jVar = new j();
            jVar.f322b = hVar.f310p;
            jVar.f323c = hVar.f311q;
            // Issuer name: the one from issuerInformation wins; the parsed value is the fallback.
            c name = issuerInformation.getName();
            if (name == null) {
                name = hVar.f312r;
            }
            jVar.f324d = name;
            jVar.f325e = hVar.f313s;
            jVar.f326f = hVar.f314t;
            jVar.f327g = hVar.f315u;
            jVar.f328h = hVar.f316v;
            jVar.f331k = hVar.f317w;
            jVar.f332l = hVar.f318x;
            Object[] array = extensionsWithoutPoisonAndSct.toArray(new d[0]);
            if (array == null) {
                throw new NullPointerException("null cannot be cast to non-null type kotlin.Array<T of kotlin.collections.ArraysKt__ArraysJVMKt.toTypedArray>");
            }
            e eVar2 = new e((d[]) array);
            jVar.f329i = eVar2;
            // NOTE(review): d.f295q and f298o are obfuscated; this sets a builder flag when one
            // particular extension is present with f298o true — confirm which extension and flag.
            d dVar = (d) eVar2.f300n.get(d.f295q);
            if (dVar != null && dVar.f298o) {
                jVar.f330j = true;
            }
            h a10 = jVar.a();
            // presumably closes pVar (Kotlin use-block helper, obfuscated) — confirm
            i4.a(pVar, null);
            return a10;
        } finally {
            // Empty as decompiled: the i4.a call above is reached only on the success path.
        }
    }

    /**
     * Returns the certificate's extensions with the poison and embedded-SCT extensions removed
     * and the Authority Key Identifier optionally replaced.
     *
     * @param eVar the extensions of the parsed certificate
     * @param dVar replacement for the Authority Key Identifier extension, or {@code null} to
     *        keep the certificate's own
     * @return the remaining extensions, in the order of {@code eVar.f301o}
     */
    private final List<d> getExtensionsWithoutPoisonAndSct(e eVar, d dVar) {
        // Snapshot the identifiers held in eVar.f301o into an array.
        Vector vector = eVar.f301o;
        int size = vector.size();
        v[] vVarArr = new v[size];
        for (int i10 = 0; i10 != size; i10++) {
            vVarArr[i10] = (v) vector.elementAt(i10);
        }
        // Pass 1: drop the identifier equal to CTConstants.POISON_EXTENSION_OID.
        ArrayList arrayList = new ArrayList();
        for (int i11 = 0; i11 < size; i11++) {
            v vVar = vVarArr[i11];
            if (!p.a(vVar.f8993n, CTConstants.POISON_EXTENSION_OID)) {
                arrayList.add(vVar);
            }
        }
        // Pass 2: drop the identifier equal to CTConstants.SCT_CERTIFICATE_OID.
        ArrayList arrayList2 = new ArrayList();
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            Object next = it.next();
            if (!p.a(((v) next).f8993n, CTConstants.SCT_CERTIFICATE_OID)) {
                arrayList2.add(next);
            }
        }
        // Pass 3: map each remaining identifier to its extension, substituting dVar for the
        // Authority Key Identifier when dVar is non-null.
        ArrayList arrayList3 = new ArrayList(n.h(arrayList2, 10));
        Iterator it2 = arrayList2.iterator();
        while (it2.hasNext()) {
            v vVar2 = (v) it2.next();
            arrayList3.add((!p.a(vVar2.f8993n, X509_AUTHORITY_KEY_IDENTIFIER) || dVar == null) ? (d) eVar.f300n.get(vVar2) : dVar);
        }
        return arrayList3;
    }

    /**
     * Reports whether the parsed certificate has an Authority Key Identifier extension, i.e.
     * whether the extension lookup for OID 2.5.29.35 returns a non-null entry.
     */
    private final boolean hasX509AuthorityKeyIdentifier(b bVar) {
        return ((d) bVar.f292o.f319y.f300n.get(new v(X509_AUTHORITY_KEY_IDENTIFIER))) != null;
    }

    /**
     * Writes the fields shared by both entry types at the start of the signed data: the SCT
     * version number, a zero value, and the SCT timestamp.
     *
     * @throws IllegalArgumentException if the SCT version is not {@code Version.V1}
     */
    private final void serializeCommonSctFields(OutputStream outputStream, SignedCertificateTimestamp signedCertificateTimestamp) {
        if (!(signedCertificateTimestamp.getSctVersion() == Version.V1)) {
            throw new IllegalArgumentException("Can only serialize SCT v1 for now.".toString());
        }
        // The third writeUint argument is presumably the field width in bytes — confirm in OutputStreamExtKt.
        OutputStreamExtKt.writeUint(outputStream, signedCertificateTimestamp.getSctVersion().getNumber(), 1);
        // presumably the RFC 6962 signature_type field (certificate_timestamp = 0) — confirm
        OutputStreamExtKt.writeUint(outputStream, 0L, 1);
        OutputStreamExtKt.writeUint(outputStream, signedCertificateTimestamp.getTimestamp(), 8);
    }

    /**
     * Builds the byte string the log signature is checked over for an ordinary certificate
     * entry: common fields, a 2-byte zero entry type, the encoded certificate, then the SCT
     * extensions. The field order is part of what the log signed and must not change.
     */
    private final byte[] serializeSignedSctData(Certificate certificate, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            // Entry type 0; same value as the unused X509_ENTRY constant.
            OutputStreamExtKt.writeUint(byteArrayOutputStream, 0L, 2);
            byte[] encoded = certificate.getEncoded();
            p.d(encoded, "certificate.encoded");
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, encoded, CTConstants.MAX_CERTIFICATE_LENGTH);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            // presumably closes the stream (Kotlin use-block helper, obfuscated) — confirm
            i4.a(byteArrayOutputStream, null);
            p.d(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
            // Empty as decompiled.
        }
    }

    /**
     * Builds the byte string the log signature is checked over for a pre-certificate entry:
     * common fields, the 2-byte {@code PRECERT_ENTRY} type, {@code bArr2} written raw, {@code bArr}
     * length-prefixed, then the SCT extensions.
     *
     * @param bArr the encoded rebuilt TBS certificate (see the caller in this class)
     * @param bArr2 the issuer key hash (the caller passes {@code issuerInfo.getKeyHash()});
     *        written without a length prefix
     */
    private final byte[] serializeSignedSctDataForPreCertificate(byte[] bArr, byte[] bArr2, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            OutputStreamExtKt.writeUint(byteArrayOutputStream, PRECERT_ENTRY, 2);
            // NOTE(review): no length check on bArr2 is visible here; the format presumably
            // expects a fixed-size hash — confirm the producer guarantees it.
            byteArrayOutputStream.write(bArr2);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, bArr, CTConstants.MAX_CERTIFICATE_LENGTH);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            // presumably closes the stream (Kotlin use-block helper, obfuscated) — confirm
            i4.a(byteArrayOutputStream, null);
            p.d(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
            // Empty as decompiled.
        }
    }

    /**
     * Verifies the SCT's signature bytes over {@code bArr} with the log's public key.
     *
     * <p>The JCA algorithm is selected from the log key's algorithm only ("EC" gives
     * SHA256withECDSA, "RSA" gives SHA256withRSA); any algorithm fields carried by the SCT
     * itself are not consulted in this method.
     *
     * @return {@code Valid} when the signature verifies, {@code FailedVerification} when it does
     *         not, or a result describing an unsupported algorithm, an unusable log key or a
     *         malformed signature
     */
    private final SctVerificationResult verifySctSignatureOverBytes(SignedCertificateTimestamp signedCertificateTimestamp, byte[] bArr) {
        String str;
        SctVerificationResult signatureNotValid;
        if (p.a(this.logServer.getKey().getAlgorithm(), "EC")) {
            str = "SHA256withECDSA";
        } else {
            if (!p.a(this.logServer.getKey().getAlgorithm(), "RSA")) {
                // Any other key type is reported rather than attempted.
                String algorithm = this.logServer.getKey().getAlgorithm();
                p.d(algorithm, "logServer.key.algorithm");
                // presumably the synthetic default-arguments constructor — confirm
                return new UnsupportedSignatureAlgorithm(algorithm, null, 2, null);
            }
            str = "SHA256withRSA";
        }
        try {
            // No provider is named, so the platform's default provider order decides the implementation.
            Signature signature = Signature.getInstance(str);
            signature.initVerify(this.logServer.getKey());
            signature.update(bArr);
            return signature.verify(signedCertificateTimestamp.getSignature().getSignature()) ? SctVerificationResult.Valid.INSTANCE : SctVerificationResult.Invalid.FailedVerification.INSTANCE;
        } catch (InvalidKeyException e10) {
            signatureNotValid = new LogPublicKeyNotValid(e10);
            return signatureNotValid;
        } catch (NoSuchAlgorithmException e11) {
            signatureNotValid = new UnsupportedSignatureAlgorithm(str, e11);
            return signatureNotValid;
        } catch (SignatureException e12) {
            // Malformed signature bytes surface here as a distinct result from a failed verification.
            signatureNotValid = new SignatureNotValid(e12);
            return signatureNotValid;
        }
    }

    /**
     * Verifies an SCT over a pre-certificate: rebuilds the TBS certificate, serializes the
     * pre-certificate signed data with the issuer key hash, and checks the log signature.
     *
     * <p>Only {@link IOException} and {@link CertificateException} are turned into a result.
     * The {@link IllegalArgumentException} that createTbsForVerification throws on a failed
     * requirement is not caught here and propagates to the caller.
     *
     * @param sct the SCT to verify
     * @param certificate the certificate the SCT was issued for
     * @param issuerInfo issuer name, key hash and optional AKI used for the reconstruction
     * @return the verification result, or {@code CertificateEncodingFailed} on an encoding error
     */
    public final SctVerificationResult verifySCTOverPreCertificate$certificatetransparency(SignedCertificateTimestamp sct, X509Certificate certificate, IssuerInformation issuerInfo) {
        CertificateEncodingFailed certificateEncodingFailed;
        p.e(sct, "sct");
        p.e(certificate, "certificate");
        p.e(issuerInfo, "issuerInfo");
        try {
            byte[] encoded = createTbsForVerification(certificate, issuerInfo).getEncoded();
            p.d(encoded, "preCertificateTBS.encoded");
            return verifySctSignatureOverBytes(sct, serializeSignedSctDataForPreCertificate(encoded, issuerInfo.getKeyHash(), sct));
        } catch (IOException e10) {
            certificateEncodingFailed = new CertificateEncodingFailed(e10);
            return certificateEncodingFailed;
        } catch (CertificateException e11) {
            certificateEncodingFailed = new CertificateEncodingFailed(e11);
            return certificateEncodingFailed;
        }
    }

    /**
     * Verifies {@code sct} for the leaf certificate of {@code chain} against this verifier's log.
     *
     * <p>Checks run in this order, each returning an invalid result on failure: the SCT
     * timestamp is not later than the local clock; it is not later than the log's validUntil
     * value when one is set; the SCT's log id equals this log's id; and finally the log
     * signature over the reconstructed signed data.
     *
     * <p>A leaf that is neither a pre-certificate nor carries an embedded SCT is verified over
     * its full encoding. Otherwise the issuer is taken from {@code chain.get(1)}, or from
     * {@code chain.get(1)} and {@code chain.get(2)} when the former is a pre-certificate signing
     * certificate, and the signature is checked over the rebuilt TBS certificate.
     *
     * @param sct the SCT to verify
     * @param chain certificate chain, leaf first
     * @return the verification result
     */
    @Override // com.appmattus.certificatetransparency.internal.verifier.SignatureVerifier
    public SctVerificationResult verifySignature(SignedCertificateTimestamp sct, List<? extends Certificate> chain) {
        IssuerInformation issuerInformation;
        CertificateEncodingFailed certificateEncodingFailed;
        p.e(sct, "sct");
        p.e(chain, "chain");
        // The comparison uses the device clock with no skew allowance, so the outcome of the
        // future-timestamp check depends on local time being correct.
        long currentTimeMillis = System.currentTimeMillis();
        if (sct.getTimestamp() > currentTimeMillis) {
            return new SctVerificationResult.Invalid.FutureTimestamp(sct.getTimestamp(), currentTimeMillis);
        }
        // An SCT timestamped after the log's validUntil value is rejected.
        if (this.logServer.getValidUntil() != null && sct.getTimestamp() > this.logServer.getValidUntil().longValue()) {
            return new SctVerificationResult.Invalid.LogServerUntrusted(sct.getTimestamp(), this.logServer.getValidUntil().longValue());
        }
        // Binds the SCT to this log before any signature work; a.b is obfuscated and presumably
        // renders the ids as text for the result — confirm.
        if (!Arrays.equals(this.logServer.getId(), sct.getId().getKeyId())) {
            return new LogIdMismatch(a.b(sct.getId().getKeyId()), a.b(this.logServer.getId()));
        }
        // NOTE(review): no emptiness check is visible; an empty chain makes get(0) throw
        // instead of yielding a result — confirm callers never pass one.
        Certificate certificate = chain.get(0);
        if (!CertificateExtKt.isPreCertificate(certificate) && !CertificateExtKt.hasEmbeddedSct(certificate)) {
            // Ordinary certificate entry: the signature covers the whole encoded leaf.
            try {
                return verifySctSignatureOverBytes(sct, serializeSignedSctData(certificate, sct));
            } catch (IOException e10) {
                certificateEncodingFailed = new CertificateEncodingFailed(e10);
                return certificateEncodingFailed;
            } catch (CertificateEncodingException e11) {
                certificateEncodingFailed = new CertificateEncodingFailed(e11);
                return certificateEncodingFailed;
            }
        }
        // Pre-certificate or embedded-SCT leaf: the issuer is needed for the key hash.
        if (chain.size() < 2) {
            return NoIssuer.INSTANCE;
        }
        Certificate certificate2 = chain.get(1);
        try {
            if (!CertificateExtKt.isPreCertificateSigningCert(certificate2)) {
                try {
                    issuerInformation = CertificateExtKt.issuerInformation(certificate2);
                } catch (NoSuchAlgorithmException e12) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e12);
                }
            } else {
                // Issued through a pre-certificate signing cert: the real issuer is one step further up.
                if (chain.size() < 3) {
                    return NoIssuerWithPreCert.INSTANCE;
                }
                try {
                    issuerInformation = CertificateExtKt.issuerInformationFromPreCertificate(certificate2, chain.get(2));
                } catch (IOException e13) {
                    return new ASN1ParsingFailed(e13);
                } catch (NoSuchAlgorithmException e14) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e14);
                } catch (CertificateEncodingException e15) {
                    return new CertificateEncodingFailed(e15);
                }
            }
            // NOTE(review): unchecked cast; presumably the two CertificateExtKt checks above
            // only pass for X509Certificate instances — confirm.
            return verifySCTOverPreCertificate$certificatetransparency(sct, (X509Certificate) certificate, issuerInformation);
        } catch (CertificateParsingException e16) {
            return new CertificateParsingFailed(e16);
        }
    }
}
