package iaik.pki;

import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
import iaik.asn1.structures.GeneralName;
import iaik.asn1.structures.GeneralNames;
import iaik.asn1.structures.Name;
import iaik.logging.Log;
import iaik.logging.LogFactory;
import iaik.logging.TransactionId;
import iaik.pki.certretriever.CrlIssuerFinder;
import iaik.pki.pathvalidation.TrustResultImpl;
import iaik.pki.pathvalidation.ValidationResult;
import iaik.pki.pathvalidation.ValidationResultValid;
import iaik.pki.revocation.RevocationTrustProfile;
import iaik.pki.revocation.TrustResult;
import iaik.pki.store.certinfo.CertInfo;
import iaik.pki.store.certinfo.CertInfoStoreException;
import iaik.pki.store.revocation.SupplementalRevocationSources;
import iaik.pki.utils.CertUtil;
import iaik.pki.utils.Constants;
import iaik.pki.utils.NameUtils;
import iaik.pki.utils.UtilsException;
import iaik.utils.CryptoUtils;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.ExtendedKeyUsage;
import iaik.x509.extensions.SubjectKeyIdentifier;
import iaik.x509.ocsp.CertID;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

/* loaded from: classes.dex */
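/**
 * {@link RevocationTrustProfile} that decides whether a given certificate may sign CRLs
 * or OCSP responses for certificates issued by one particular issuer ({@code issuer_}).
 *
 * <p>A signer candidate is accepted either because it is the issuer certificate itself
 * (compared with {@link X509Certificate#equals}) or because the {@link PKIModule} validates
 * a certification path for it at the requested time; the exact policy differs per method,
 * see {@link #isIssuerTrustedToIssueCRL} and {@link #isIssuerTrustedOCSPResponder}.
 *
 * <p>This class was recovered from a decompiler: the body of the
 * {@code getIssuerCertificate(RevocationSource, Date, TransactionId)} overload could not be
 * recovered and is left as a throwing stub, and the path-validation calls go through the
 * obfuscated names {@code C.A(...)}, which are kept verbatim.
 */
public class RevocationTrustProfileImpl implements RevocationTrustProfile {
    /** Issuer whose CRL signers and OCSP responders this profile evaluates. */
    protected CertInfo issuer_;
    /** PKI module used for path validation of signer candidates (invoked through {@code C.A}). */
    protected PKIModule pki_;
    /**
     * Key reported in the trust result when a signer is accepted without path validation;
     * presumably the issuer's public key (not verifiable from this file).
     */
    protected PublicKey publicKey_;
    protected static Log log_ = LogFactory.getLog(Constants.MODULE_NAME);
    /** Not referenced by the recovered code; presumably used by the undecompiled overload. */
    protected static CrlIssuerFinder crlIssuerFinder_ = CrlIssuerFinder.getInstance();
    /** Not referenced by the recovered code; presumably used by the undecompiled overload. */
    protected static final X509Certificate[] EMPTY_SUPPLEMENT = new X509Certificate[0];
    /** KeyUsage bit mask with only cRLSign (index 6) set; same index as tested in {@link #checkCRLCertificate}. */
    protected static final boolean[] CRL_KEY_USAGE = {false, false, false, false, false, false, true, false, false};

    /**
     * Creates a profile for the given issuer.
     *
     * @param certInfo issuer whose revocation signers are evaluated
     * @param publicKey key reported for directly accepted signers
     * @param pKIModule module used for path validation
     * @throws NullPointerException if any argument is {@code null}
     */
    public RevocationTrustProfileImpl(CertInfo certInfo, PublicKey publicKey, PKIModule pKIModule) {
        if (certInfo == null) {
            throw new NullPointerException("issuer mustn't be null");
        }
        if (publicKey == null) {
            throw new NullPointerException("public key mustn't be null");
        }
        if (pKIModule == null) {
            throw new NullPointerException("pki module mustn't be null");
        }
        this.pki_ = pKIModule;
        this.issuer_ = certInfo;
        this.publicKey_ = publicKey;
    }

    /**
     * Checks whether a CRL issuer candidate matches the AuthorityKeyIdentifier (AKID) of a CRL.
     *
     * <p>If the AKID carries a keyIdentifier it is compared with the candidate's
     * SubjectKeyIdentifier and nothing else is consulted. Otherwise the AKID's
     * authorityCertIssuer (exactly one directoryName) and authorityCertSerialNumber are
     * compared with the candidate's subject DN and serial number.
     *
     * @param authorityKeyIdentifier AKID extension of the CRL, may be {@code null}
     * @param x509Certificate CRL issuer candidate
     * @param transactionId transaction used for logging
     * @return {@code true} only when the AKID is present and matches the candidate;
     *         {@code false} for a missing AKID, a mismatch, or any extension or name error
     */
    protected boolean checkAuthorityKeyIdentifier(AuthorityKeyIdentifier authorityKeyIdentifier, X509Certificate x509Certificate, TransactionId transactionId) {
        if (authorityKeyIdentifier == null) {
            log_.debug(transactionId, "No AuthorityKeyIdentifier included in crl.", null);
            return false;
        }
        log_.debug(transactionId, "Checking AuthorityKeyIdentifier of crl.", null);
        byte[] keyIdentifier = authorityKeyIdentifier.getKeyIdentifier();
        if (keyIdentifier != null) {
            // A keyIdentifier, when present, is authoritative; issuer/serial are not consulted.
            return matchesSubjectKeyIdentifier(keyIdentifier, x509Certificate, transactionId);
        }
        return matchesIssuerAndSerial(authorityKeyIdentifier, x509Certificate, transactionId);
    }

    /**
     * Compares the CRL's AKID keyIdentifier with the candidate's SubjectKeyIdentifier.
     *
     * @return {@code true} only when the candidate has a SubjectKeyIdentifier equal to {@code keyIdentifier}
     */
    private boolean matchesSubjectKeyIdentifier(byte[] keyIdentifier, X509Certificate candidate, TransactionId transactionId) {
        SubjectKeyIdentifier subjectKeyIdentifier;
        try {
            subjectKeyIdentifier = (SubjectKeyIdentifier) candidate.getExtension(SubjectKeyIdentifier.oid);
        } catch (X509ExtensionInitException e) {
            log_.debug(transactionId, "Cannot get SubjectKeyIdentifier of crl issuer candidate.", e);
            return false;
        }
        if (subjectKeyIdentifier == null) {
            log_.debug(transactionId, "No SubjectKeyIdentifier included in crl issuer candidate.", null);
            return false;
        }
        if (Arrays.equals(keyIdentifier, subjectKeyIdentifier.get())) {
            log_.debug(transactionId, "SubjectKeyIdentifier of crl issuer candidate matches AuthorityKeyIdentifier of crl. ", null);
            return true;
        }
        log_.debug(transactionId, "SubjectKeyIdentifier of crl issuer candidate does not match AuthorityKeyIdentifier of crl.", null);
        return false;
    }

    /**
     * Compares the CRL's AKID authorityCertIssuer/authorityCertSerialNumber with the
     * candidate's subject DN and serial number.
     *
     * @return {@code true} only when exactly one directoryName is present, it equals the
     *         candidate's normalized subject DN, and the serial numbers are equal
     */
    private boolean matchesIssuerAndSerial(AuthorityKeyIdentifier authorityKeyIdentifier, X509Certificate candidate, TransactionId transactionId) {
        GeneralNames authorityCertIssuer = authorityKeyIdentifier.getAuthorityCertIssuer();
        if (authorityCertIssuer == null) {
            log_.debug(transactionId, "Neither KeyIdentifier nor AuthorityCertIssuer included in crl AuthorityKeyIdentifier extension.", null);
            return false;
        }
        // 4 is the GeneralName CHOICE tag for directoryName.
        GeneralName[] directoryNames = authorityCertIssuer.getNames(4);
        if (directoryNames.length != 1) {
            // Also reached when no directoryName is present at all, despite the message wording.
            log_.debug(transactionId, "More than one Directory Name included in AuthorityCertIssuer of crl AuthorityKeyIdentifier extension.", null);
            return false;
        }
        try {
            if (!NameUtils.getNormalizedName((Name) directoryNames[0].getName()).equals(NameUtils.getNormalizedName((Name) candidate.getSubjectDN()))) {
                log_.debug(transactionId, "AuthorityCertIssuer in CRL's AuthorityKeyIdentifier does not match SubjectDN of crl issuer candidate.", null);
                return false;
            }
            BigInteger authorityCertSerialNumber = authorityKeyIdentifier.getAuthorityCertSerialNumber();
            if (authorityCertSerialNumber == null) {
                log_.debug(transactionId, "AuthorityCertIssuer but no AuthorityCertSerialNumber included AuthorityKeyIdentifier of crl.", null);
                return false;
            }
            if (authorityCertSerialNumber.equals(candidate.getSerialNumber())) {
                log_.debug(transactionId, "AuthorityCertIssuer and AuthorityCertSerialNumber in AuthorityKeyIdentifier of crl match SubjectDN and serial number of crl issuer candidate", null);
                return true;
            }
            log_.debug(transactionId, "AuthorityCertSerialNumber in AuthorityKeyIdentifier of crl does not match serial number of crl issuer candidate", null);
            return false;
        } catch (UtilsException e) {
            log_.debug(transactionId, "Could not compare AuthorityCertIssuer in AuthorityKeyIdentifier extension of crl with SubjectDN of CRL issuer candidate", e);
            return false;
        } catch (ClassCastException e) {
            // Either the directoryName or the subject DN was not a Name instance.
            log_.debug(transactionId, "AuthorityCertIssuer in AuthorityKeyIdentifier of crl extension is not a Directory Name.", null);
            return false;
        }
    }

    /**
     * Checks the cRLSign key usage bit (index 6) of a CRL signer candidate.
     *
     * <p>Without a KeyUsage extension the result is {@code getVersion() == 0}.
     * NOTE(review): {@link #isIssuerTrustedToIssueCRL} treats {@code getVersion() < 2} as a
     * V1 certificate, so the two version tests look inconsistent; left unchanged because the
     * intended value cannot be confirmed from this file.
     *
     * @param x509Certificate CRL signer candidate
     * @param transactionId transaction (unused here)
     * @return {@code true} if cRLSign is set, or the no-KeyUsage fallback described above
     */
    protected boolean checkCRLCertificate(X509Certificate x509Certificate, TransactionId transactionId) {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        return keyUsage == null ? x509Certificate.getVersion() == 0 : keyUsage[6];
    }

    /**
     * Accepts a CRL issuer candidate if it matches the CRL's AKID (when one is given) and
     * is within its validity period at {@code date}.
     *
     * @param x509Certificate CRL issuer candidate
     * @param authorityKeyIdentifier AKID of the CRL, or {@code null} to skip the AKID check
     * @param date validation time
     * @param transactionId transaction used for logging
     * @return {@code true} if both checks pass
     */
    protected boolean checkIssuerCandidate(X509Certificate x509Certificate, AuthorityKeyIdentifier authorityKeyIdentifier, Date date, TransactionId transactionId) {
        if (authorityKeyIdentifier != null && !checkAuthorityKeyIdentifier(authorityKeyIdentifier, x509Certificate, transactionId)) {
            return false;
        }
        return isCertificateValid(x509Certificate, date, transactionId);
    }

    /**
     * Inspects the ExtendedKeyUsage of an OCSP signer certificate and logs whether
     * id-kp-OCSPSigning is present.
     *
     * <p>Advisory only: this method always returns {@code true}, and its caller discards the
     * result, so a responder without the OCSP-signing key purpose is logged but not rejected.
     *
     * @param x509Certificate OCSP signer certificate
     * @param transactionId transaction used for logging
     * @return always {@code true}
     */
    protected boolean checkOCSPCertificate(X509Certificate x509Certificate, TransactionId transactionId) {
        try {
            ExtendedKeyUsage extendedKeyUsage = (ExtendedKeyUsage) x509Certificate.getExtension(ExtendedKeyUsage.oid);
            if (extendedKeyUsage == null) {
                log_.warn(transactionId, "Extended key usage extension not included in OCSP signer certificate.", null);
            } else {
                ObjectID[] keyPurposeIDs = extendedKeyUsage.getKeyPurposeIDs();
                if (keyPurposeIDs != null && hasOcspSigningKeyPurpose(keyPurposeIDs)) {
                    log_.debug(transactionId, "OCSP signing extended key usage included in OCSP signer certificate.", null);
                } else {
                    log_.warn(transactionId, "OCSP signer certificate does not have the ocsp signing extended key usage set.", null);
                }
            }
        } catch (X509ExtensionInitException e) {
            log_.warn(transactionId, "Cannot get the extended key usage extension from ocsp signer certificate.", e);
        }
        return true;
    }

    /** Returns {@code true} if any entry equals {@link ExtendedKeyUsage#ocspSigning}. */
    private static boolean hasOcspSigningKeyPurpose(ObjectID[] keyPurposeIDs) {
        for (ObjectID keyPurposeID : keyPurposeIDs) {
            if (keyPurposeID.equals(ExtendedKeyUsage.ocspSigning)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Body not recovered by the decompiler (JADX: "Method dump skipped, instructions count: 392").
     * Kept as a throwing stub; the original implementation presumably used
     * {@link #crlIssuerFinder_} and {@link #checkIssuerCandidate}.
     */
    @Override
    public iaik.x509.X509Certificate[] getIssuerCertificate(iaik.pki.store.revocation.RevocationSource r10, java.util.Date r11, iaik.logging.TransactionId r12) {
        throw new UnsupportedOperationException("Method not decompiled: iaik.pki.RevocationTrustProfileImpl.getIssuerCertificate(iaik.pki.store.revocation.RevocationSource, java.util.Date, iaik.logging.TransactionId):iaik.x509.X509Certificate[]");
    }

    /**
     * Returns the issuer certificate as the OCSP issuer if its SHA-1 issuerKeyHash equals
     * {@code bArr} (the hash is an identifier here, not an authentication step) and it
     * passes {@link #checkIssuerCandidate}.
     *
     * @param bArr issuerKeyHash from the OCSP CertID, may be {@code null}
     * @param authorityKeyIdentifier AKID to match, or {@code null} to skip that check
     * @param date validation time
     * @param transactionId transaction used for logging
     * @return a one-element array with the issuer certificate, otherwise an empty array
     */
    @Override
    public X509Certificate[] getIssuerCertificate(byte[] bArr, AuthorityKeyIdentifier authorityKeyIdentifier, Date date, TransactionId transactionId) {
        if (bArr == null) {
            log_.debug(transactionId, "Could not find an ocsp issuer. No key hash available.", null);
            return new X509Certificate[0];
        }
        X509Certificate candidate;
        try {
            candidate = this.issuer_.getCertificate(transactionId);
        } catch (CertInfoStoreException e) {
            log_.debug(transactionId, "Could not find an OCSP issuer certificate", null);
            return new X509Certificate[0];
        }
        if (candidate == null) {
            return new X509Certificate[0];
        }
        try {
            // presumably -1 means "blocks are equal" — confirm against CryptoUtils.compareBlock.
            if (CryptoUtils.compareBlock(bArr, CertID.calculateIssuerKeyHash(candidate.getPublicKey(), AlgorithmID.sha1)) == -1
                    && checkIssuerCandidate(candidate, authorityKeyIdentifier, date, transactionId)) {
                return new X509Certificate[]{candidate};
            }
        } catch (Exception e2) {
            log_.error(transactionId, "Error comparing key hashes of OCSP responder and issuer candidate.", e2);
        }
        return new X509Certificate[0];
    }

    /**
     * Checks that {@code x509Certificate} is within its validity period at {@code date}.
     * The log messages mention CRL signing, but the method is also used for OCSP issuers.
     *
     * @return {@code false} if the certificate is expired or not yet valid at {@code date}
     */
    protected boolean isCertificateValid(X509Certificate x509Certificate, Date date, TransactionId transactionId) {
        try {
            x509Certificate.checkValidity(date);
            return true;
        } catch (CertificateExpiredException e) {
            log_.debug(transactionId, "Certificate issuer cert expired for CRL signing.", null);
            return false;
        } catch (CertificateNotYetValidException e2) {
            log_.debug(transactionId, "Certificate issuer cert not yet valid for CRL signing.", null);
            return false;
        }
    }

    /**
     * Decides whether {@code x509Certificate} is trusted to sign OCSP responses for
     * certificates of {@code issuer_}.
     *
     * <p>The issuer certificate itself is accepted directly. Any other responder is path
     * validated; when it appears to be issued by the issuer (subject/issuer DN match and
     * {@link CertUtil#checkIssuer}) the path is seeded with both certificates. A responder
     * whose validated chain is not directly issued by the issuer is still accepted (see the
     * warning below), which is more permissive than the authorized-responder rule of
     * RFC 6960 section 4.2.2.2. The OCSP-signing key purpose is logged but not enforced.
     *
     * @param x509Certificate OCSP responder certificate
     * @param date validation time
     * @param supplementalRevocationSources extra revocation sources forwarded to path validation
     * @param z forwarded unchanged to the path validation call; its meaning is not recoverable here
     * @param transactionId transaction used for logging
     * @return the trust decision, carrying the validated key and revocation info where available
     * @throws NullPointerException if {@code x509Certificate} is {@code null}
     */
    @Override
    public TrustResult isIssuerTrustedOCSPResponder(X509Certificate x509Certificate, Date date, SupplementalRevocationSources supplementalRevocationSources, boolean z, TransactionId transactionId) {
        if (x509Certificate == null) {
            throw new NullPointerException("OCSP responder must not be null");
        }
        try {
            X509Certificate issuerCertificate = this.issuer_.getCertificate(transactionId);
            if (x509Certificate.equals(issuerCertificate)) {
                log_.debug(transactionId, "Directly signed OCSP response.", null);
                return new TrustResultImpl(true, this.publicKey_);
            }
            boolean delegated;
            try {
                delegated = NameUtils.getNormalizedName((Name) x509Certificate.getIssuerDN()).equals(NameUtils.getNormalizedName((Name) issuerCertificate.getSubjectDN()))
                        && CertUtil.checkIssuer(issuerCertificate, x509Certificate, false, date, transactionId);
                if (delegated) {
                    log_.debug(transactionId, "Delegated OCSP responder.", null);
                }
            } catch (UtilsException e) {
                // DN normalization failed: fall back to the key-identifier based issuer check alone.
                delegated = CertUtil.checkIssuer(issuerCertificate, x509Certificate, false, date, transactionId);
                if (delegated) {
                    log_.warn(transactionId, "Could not check issuerDN-subjectDN match. Only checked key identifiers.", null);
                    log_.debug(transactionId, "Delegated OCSP responder.", null);
                }
            }
            try {
                // Advisory only: always returns true, result intentionally not used.
                checkOCSPCertificate(x509Certificate, transactionId);
                // Obfuscated path-validation entry point, kept verbatim from the decompiled source.
                PKIResult result = delegated
                        ? ((C) this.pki_).A(date, false, new X509Certificate[]{x509Certificate, issuerCertificate}, supplementalRevocationSources, (boolean[]) null, z, true, transactionId)
                        : ((C) this.pki_).A(date, x509Certificate, supplementalRevocationSources, (boolean[]) null, z, true, true, transactionId);
                ValidationResult validationResult = result.getValidationResult();
                List revocationInfoList = validationResult == null ? null : validationResult.getRevocationInfoList();
                if (!result.isCertificateValid()) {
                    return trustResultWithRevocationInfo(false, null, revocationInfoList);
                }
                ValidationResultValid validationResultValid = (ValidationResultValid) validationResult;
                List certificateChain = validationResultValid.getCertificateChain();
                if (certificateChain.size() <= 1) {
                    log_.info(transactionId, "OCSP issuer directly trusted", null);
                    return new TrustResultImpl(true, validationResultValid.getPublicKey());
                }
                if (((X509Certificate) certificateChain.get(1)).equals(issuerCertificate)) {
                    return trustResultWithRevocationInfo(true, validationResultValid.getPublicKey(), revocationInfoList);
                }
                // Policy relaxation: a chain-valid responder not issued by issuer_ is accepted.
                log_.warn(transactionId, "ocsp signer not directly signed by the cert issuer, accepting anyway", null);
                return trustResultWithRevocationInfo(true, validationResultValid.getPublicKey(), revocationInfoList);
            } catch (PKIException e2) {
                log_.info(transactionId, "Cannot validate ocsp responder", e2);
                return new TrustResultImpl(false, null);
            }
        } catch (CertInfoStoreException e3) {
            log_.warn(transactionId, "Can't get issuer cert", e3);
            return new TrustResultImpl(false, null);
        }
    }

    /**
     * Decides whether {@code x509Certificate} is trusted to sign CRLs for certificates of
     * {@code issuer_}.
     *
     * <p>The issuer certificate itself is accepted without path validation when it has
     * cRLSign set (or is a V1 certificate, for which the key usage check is skipped).
     * Otherwise the candidate is path validated; a valid candidate without cRLSign is
     * accepted only when its chain has length 1 (which appears to mean it is a trust anchor).
     *
     * @param x509Certificate CRL signer candidate
     * @param date validation time
     * @param supplementalRevocationSources extra revocation sources forwarded to path validation
     * @param transactionId transaction used for logging
     * @return the trust decision, carrying the validated key and revocation info where available
     * @throws NullPointerException if {@code x509Certificate} is {@code null}
     */
    @Override
    public TrustResult isIssuerTrustedToIssueCRL(X509Certificate x509Certificate, Date date, SupplementalRevocationSources supplementalRevocationSources, TransactionId transactionId) {
        if (x509Certificate == null) {
            throw new NullPointerException("issuer certificate must not be null");
        }
        boolean isIssuerItself = false;
        try {
            isIssuerItself = x509Certificate.equals(this.issuer_.getCertificate(transactionId));
        } catch (CertInfoStoreException e) {
            log_.warn(transactionId, "Can't get issuer cert", e);
        }
        boolean crlSignAllowed;
        if (x509Certificate.getVersion() < 2) {
            log_.warn(transactionId, "V1 CRL issuer certificate, don't perform key usage check", null);
            crlSignAllowed = true;
        } else {
            crlSignAllowed = checkCRLCertificate(x509Certificate, transactionId);
        }
        if (isIssuerItself && crlSignAllowed) {
            return new TrustResultImpl(true, this.publicKey_);
        }
        try {
            // Obfuscated path-validation entry point, kept verbatim from the decompiled source.
            PKIResult result = ((C) this.pki_).A(date, x509Certificate, supplementalRevocationSources, (boolean[]) null, false, true, true, transactionId);
            ValidationResult validationResult = result.getValidationResult();
            List revocationInfoList = validationResult == null ? null : validationResult.getRevocationInfoList();
            if (!result.isCertificateValid()) {
                return trustResultWithRevocationInfo(false, null, revocationInfoList);
            }
            ValidationResultValid validationResultValid = (ValidationResultValid) validationResult;
            if (crlSignAllowed) {
                return trustResultWithRevocationInfo(true, validationResultValid.getPublicKey(), revocationInfoList);
            }
            if (validationResultValid.getCertificateChain().size() == 1) {
                // Policy relaxation: a trust anchor is accepted as CRL signer even without cRLSign.
                log_.debug(transactionId, "crlSign bit not set - accepting anyway, because crl signer certificate is a trust anchor", null);
                return new TrustResultImpl(true, validationResultValid.getPublicKey());
            }
            log_.info(transactionId, "CRL signer not trusted to sign crls (crlSign bit not set)", null);
            return trustResultWithRevocationInfo(false, null, revocationInfoList);
        } catch (PKIException e2) {
            log_.info(transactionId, "Cannot validate crl signer", e2);
            return new TrustResultImpl(false, null);
        }
    }

    /**
     * Not implemented: always returns {@code null}, i.e. no delta CRL issuer is ever trusted
     * by this profile. Callers must expect a {@code null} result.
     */
    @Override
    public TrustResult isIssuerTrustedToIssueDeltaCRL(X509Certificate x509Certificate, Date date, SupplementalRevocationSources supplementalRevocationSources, TransactionId transactionId) {
        return null;
    }

    /**
     * Builds a {@link TrustResultImpl} and attaches the revocation info list gathered
     * during path validation (may be {@code null}).
     */
    private static TrustResultImpl trustResultWithRevocationInfo(boolean trusted, PublicKey publicKey, List revocationInfoList) {
        TrustResultImpl trustResult = new TrustResultImpl(trusted, publicKey);
        trustResult.setRevocationInfoList(revocationInfoList);
        return trustResult;
    }
}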
