package iaik.pki.revocation;

import iaik.asn1.structures.AlgorithmID;
import iaik.asn1.structures.Name;
import iaik.logging.TransactionId;
import iaik.pki.pathvalidation.ChainingModes;
import iaik.pki.pathvalidation.TrustResultImpl;
import iaik.pki.store.revocation.OCSPRevocationSource;
import iaik.pki.store.revocation.RevocationStoreException;
import iaik.pki.store.revocation.SupplementalRevocationSources;
import iaik.pki.utils.DBTypeParser;
import iaik.utils.CryptoUtils;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.ReasonCode;
import iaik.x509.extensions.ocsp.NoCheck;
import iaik.x509.ocsp.BasicOCSPResponse;
import iaik.x509.ocsp.CertID;
import iaik.x509.ocsp.CertStatus;
import iaik.x509.ocsp.OCSPException;
import iaik.x509.ocsp.ReqCert;
import iaik.x509.ocsp.ResponderID;
import iaik.x509.ocsp.RevokedInfo;
import iaik.x509.ocsp.SingleResponse;
import iaik.x509.ocsp.extensions.commonpki.CertHash;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/* loaded from: classes.dex */
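/**
 * OCSP-based {@link CertificateStatusChecker}; its own log output identifies it as
 * "OCSPCertificateStatusChecker".
 *
 * <p>This is decompiler output of an obfuscated class: all helpers are overloads named
 * {@code A}, and two of them could not be decompiled (they are kept as stubs that throw
 * {@link UnsupportedOperationException}, one with its instruction dump). The logger
 * {@code B.A} and the configuration field {@code C} are not declared in this file and are
 * presumably inherited from {@code B}.
 *
 * <p>Security-relevant behaviour visible here:
 * <ul>
 *   <li>responses carrying unsupported critical extensions are mapped to an "unknown"
 *       status instead of being evaluated;</li>
 *   <li>a nonce mismatch is logged but does not reject the response;</li>
 *   <li>responders configured as "positive" responders must supply a matching CertHash
 *       extension.</li>
 * </ul>
 */
class I extends B implements CertificateStatusChecker {
    /**
     * Picks the reference date used to validate the OCSP issuer in chain mode.
     *
     * <p>Uses the response's {@code producedAt}; if that is absent, falls back to the
     * {@code thisUpdate} of the single response for {@code reqCert}.
     *
     * @param reqCert           identifies the single response to fall back to
     * @param basicOCSPResponse the response to read the dates from
     * @param str               chaining mode text, used only in the debug message
     * @param transactionId     logging correlation id
     * @return the chosen date, or {@code null} if neither date could be obtained
     */
    private Date A(ReqCert reqCert, BasicOCSPResponse basicOCSPResponse, String str, TransactionId transactionId) {
        Date producedAt = basicOCSPResponse.getProducedAt();
        String dateSource = "producedAt";
        if (producedAt == null) {
            try {
                producedAt = basicOCSPResponse.getSingleResponse(reqCert).getThisUpdate();
                dateSource = "thisUpdate";
            } catch (OCSPException e) {
                // Best effort: the caller substitutes its own date when null is returned.
                // Log instead of swallowing silently so the fallback can be diagnosed.
                B.A.debug(transactionId, "Cannot read thisUpdate from OCSP single response.", e);
            }
        }
        B.A.debug(transactionId, "Chaining mode is " + str + ", using OCSP " + dateSource + " (" + producedAt + ") for checking OCSP issuer trust.", null);
        return producedAt;
    }

    /**
     * Enforces the CertHash requirement for responders configured as "positive" responders.
     *
     * <p>If no positive responders are configured, or the set contains neither
     * {@code RevocationConfiguration.POSITIVE_OCSP_ALL} nor {@code str}, the check is skipped
     * and {@code true} is returned. Otherwise the single response must contain a CertHash
     * extension that identifies {@code x509Certificate}.
     *
     * @param x509Certificate the certificate whose status was requested
     * @param singleResponse  the single response to inspect
     * @param str             responder URI (looked up in the positive-responder set)
     * @param transactionId   logging correlation id
     * @return {@code true} if the check is not required or the CertHash matches;
     *         {@code false} if the CertHash is missing or does not match
     * @throws StatusCheckingException if reading or evaluating the extension fails
     */
    private boolean A(X509Certificate x509Certificate, SingleResponse singleResponse, String str, TransactionId transactionId) {
        Set positiveOCSPResponders = this.C.getPositiveOCSPResponders();
        if (positiveOCSPResponders == null) {
            return true;
        }
        if (!positiveOCSPResponders.contains(RevocationConfiguration.POSITIVE_OCSP_ALL) && !positiveOCSPResponders.contains(str)) {
            return true;
        }
        try {
            CertHash certHash = (CertHash) singleResponse.getExtension(CertHash.oid);
            if (certHash == null) {
                // Fail closed: a positive responder that omits CertHash is not accepted.
                B.A.debug(transactionId, "Responder at uri \"" + str + "\" is configured as positive responder, but no CertHash included in response.", null);
                return false;
            }
            B.A.debug(transactionId, "CertHash included in OCSP response.", null);
            if (certHash.identifiesCert(x509Certificate)) {
                B.A.debug(transactionId, "CertHash matches target certificate.", null);
                return true;
            }
            B.A.debug(transactionId, "CertHash does not match target certificate.", null);
            return false;
        } catch (Exception e) {
            B.A.error(transactionId, "Error checking CertHash extension of OCSP response.", e);
            throw new StatusCheckingException("Error checking CertHash extension of OCSP response.", e, getClass().getName() + DBTypeParser.SEPARATOR);
        }
    }

    /**
     * Maps the single response for {@code reqCert} to a revocation status at {@code date}.
     *
     * <p>Fixes over the decompiled original:
     * <ul>
     *   <li>The "unsupported critical extension" status objects were constructed and then
     *       discarded, so such responses were evaluated anyway. They are now returned, so a
     *       response with an unsupported critical extension yields an unknown status.</li>
     *   <li>The reason-code bounds check used {@code >} instead of {@code >=}, so a code
     *       equal to the array length raised {@link ArrayIndexOutOfBoundsException} while
     *       building a log message.</li>
     * </ul>
     *
     * @param reqCert           identifies the single response to evaluate
     * @param basicOCSPResponse the response to evaluate
     * @param date              the date the status is requested for
     * @param transactionId     logging correlation id
     * @return the status object; an unknown status if the single response cannot be
     *         extracted, carries an invalid status code, or uses unsupported critical
     *         extensions
     */
    protected E A(ReqCert reqCert, BasicOCSPResponse basicOCSPResponse, Date date, TransactionId transactionId) {
        if (basicOCSPResponse.hasUnsupportedCriticalExtension()) {
            B.A.info(transactionId, "BasicOCSPResponse contains unsupported critical extensions.", null);
            // Fail closed: do not interpret a response whose critical extensions are not understood.
            return new H(date, RevocationStatusUnknown.UNKNOWN_REASON_UNSUPPORTED_CRITICAL_EXTENSION);
        }
        try {
            SingleResponse singleResponse = basicOCSPResponse.getSingleResponse(reqCert);
            if (singleResponse.hasUnsupportedCriticalExtension()) {
                B.A.info(transactionId, "SingleResponse contains unsupported critical extensions.", null);
                return new H(date, RevocationStatusUnknown.UNKNOWN_REASON_UNSUPPORTED_CRITICAL_EXTENSION);
            }
            CertStatus certStatus = singleResponse.getCertStatus();
            switch (certStatus.getCertStatus()) {
                case 0:
                    // Presumably the "good" status (this branch reads no further info) -- TODO confirm.
                    return new L(date);
                case 1: {
                    // Revoked: revocation details are available.
                    RevokedInfo revokedInfo = certStatus.getRevokedInfo();
                    Date revocationTime = revokedInfo.getRevocationTime();
                    ReasonCode revocationReason = revokedInfo.getRevocationReason();
                    if (!revocationTime.after(date)) {
                        // Revoked at or before the requested date.
                        if (revocationReason != null) {
                            return new K(date, revocationReason.getReasonCode(), revocationTime);
                        }
                        // No reason code: report revoked with code 0 and log the anomaly.
                        K revokedWithoutReason = new K(date, 0, revocationTime);
                        B.A.error(transactionId, "Got invalid revocation information for " + reqCert + "!", null);
                        return revokedWithoutReason;
                    }
                    // Revoked only after the requested date: treated as valid at that date.
                    String reasonText = "no reason code included";
                    if (revocationReason != null) {
                        int reasonCode = revocationReason.getReasonCode();
                        reasonText = (reasonCode < 0 || reasonCode >= RevocationStatusRevoked.ALL_ARRAY.length)
                                ? "unexpected reason code " + reasonCode
                                : RevocationStatusRevoked.ALL_ARRAY[reasonCode];
                    }
                    B.A.info(transactionId, "Certificate revoked at " + revocationTime + " (reason: " + reasonText + "), but valid at " + date, null);
                    return new L(date);
                }
                case 2: {
                    // Unknown: keep the responder's reason only if it is one of the known values.
                    String unknownInfo = certStatus.getUnknownInfo().toString();
                    return new H(date, !RevocationStatusUnknown.ALL.contains(unknownInfo) ? RevocationStatusUnknown.UNKNOWN_REASON_UNSPECIFIED : unknownInfo);
                }
                default:
                    B.A.error(transactionId, "Got invalid ocsp satus code : " + certStatus.getCertStatus() + " for:" + reqCert, null);
                    return new H(date, RevocationStatus.UNKNOWN);
            }
        } catch (OCSPException e) {
            B.A.error(transactionId, "Cannot extract single response from ocsp response", e);
            return new H(date, RevocationStatus.UNKNOWN);
        }
    }

    /* JADX WARN: Removed duplicated region for block: B:111:0x014f  */
    /* JADX WARN: Removed duplicated region for block: B:113:? A[RETURN, SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:114:0x03a8  */
    /* JADX WARN: Removed duplicated region for block: B:127:0x03bc  */
    /* JADX WARN: Removed duplicated region for block: B:13:0x0077  */
    /* JADX WARN: Removed duplicated region for block: B:16:0x0089  */
    /* JADX WARN: Removed duplicated region for block: B:46:0x00ce  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Status lookup invoked by {@code getCertificateStatus}.
     *
     * <p>NOT DECOMPILED: the decompiler skipped this method (967 instructions), so this
     * listing cannot run as-is and says nothing about how the response is fetched, whether
     * its signature is verified, or how freshness is checked. Review the bytecode before
     * drawing conclusions about those steps.
     *
     * @throws UnsupportedOperationException always, in this decompiled listing
     */
    protected iaik.pki.revocation.E A(java.util.Date r30, java.lang.String r31, iaik.x509.X509Certificate r32, iaik.x509.X509Certificate r33, iaik.pki.store.revocation.SupplementalRevocationSources r34, iaik.pki.revocation.RevocationTrustProfile r35, iaik.pki.revocation.RevocationProfile r36, iaik.logging.TransactionId r37) {
        /*
            Method dump skipped, instructions count: 967
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: iaik.pki.revocation.I.A(java.util.Date, java.lang.String, iaik.x509.X509Certificate, iaik.x509.X509Certificate, iaik.pki.store.revocation.SupplementalRevocationSources, iaik.pki.revocation.RevocationTrustProfile, iaik.pki.revocation.RevocationProfile, iaik.logging.TransactionId):iaik.pki.revocation.E");
    }

    /**
     * Decides whether the issuer of an OCSP response is a trusted responder.
     *
     * <p>Steps: compare nonces (non-supplemental sources only), choose the reference date
     * according to the chaining mode, then test the responder certificate. The candidates
     * are, in order: the issuer already recorded on the source, the certificates embedded
     * in the response that match the responder id, and finally the certificates the trust
     * profile returns for the responder id.
     *
     * @param reqCert                       identifies the single response (chain mode date fallback)
     * @param oCSPRevocationSource          source holding the response; must not be {@code null}
     * @param revocationTrustProfile        profile that performs the actual trust decision
     * @param date                          fallback reference date
     * @param str                           chaining mode, compared with {@code ChainingModes}
     * @param bArr                          nonce value that was sent, compared with the response nonce
     * @param z                             when {@code true}, a missing response nonce is logged as a
     *                                      warning (presumably "nonce was requested" -- TODO confirm)
     * @param supplementalRevocationSources passed through to the trust profile
     * @param transactionId                 logging correlation id
     * @return the trust result of the first trusted candidate, or the last untrusted result
     * @throws NullPointerException    if the source or its basic response is {@code null}
     * @throws StatusCheckingException if the chaining mode is not supported
     */
    protected TrustResult A(ReqCert reqCert, OCSPRevocationSource oCSPRevocationSource, RevocationTrustProfile revocationTrustProfile, Date date, String str, byte[] bArr, boolean z, SupplementalRevocationSources supplementalRevocationSources, TransactionId transactionId) {
        if (oCSPRevocationSource == null) {
            throw new NullPointerException("OCSP Source must not be null");
        }
        // Result is unused; kept because the call may have side effects on the source -- TODO confirm.
        oCSPRevocationSource.getOCSPResponse();
        BasicOCSPResponse basicResponse = oCSPRevocationSource.getBasicResponse();
        if (basicResponse == null) {
            throw new NullPointerException("OCSP basic response must not be null");
        }
        B.A.debug(transactionId, "Checking if OCSP responder is trusted", null);
        if (oCSPRevocationSource.isSupplemental()) {
            oCSPRevocationSource.setDownloadTime(null);
        } else {
            // NOTE(review): a mismatching or missing nonce is only logged; the response is
            // still evaluated. The nonce therefore gives no replay protection here. Confirm
            // that freshness is enforced elsewhere (the lookup method is not decompiled).
            try {
                byte[] nonce = basicResponse.getNonce();
                if (nonce != null) {
                    if (CryptoUtils.equalsBlock(bArr, nonce)) {
                        B.A.debug(transactionId, "Nonce check OK", null);
                    } else {
                        B.A.warn(transactionId, "Nonce value received from responder does not match sent nonce value", null);
                    }
                } else if (z) {
                    B.A.warn(transactionId, "Nonce not returned in server response", null);
                }
            } catch (X509ExtensionInitException e) {
                B.A.warn(transactionId, "Could not check nonce values", e);
            }
        }
        X509Certificate issuer = oCSPRevocationSource.getIssuer();

        // Reference date for validating the responder certificate.
        Date trustCheckDate;
        if (ChainingModes.PKIX_MODE.equalsIgnoreCase(str)) {
            trustCheckDate = oCSPRevocationSource.getDownloadTime();
            if (B.A.isDebugEnabled()) {
                if (trustCheckDate == null) {
                    B.A.debug(transactionId, "Chaining mode is \"" + str + "\", but no OCSP download time available. Using original date (" + date + ") for checking OCSP issuer trust.", null);
                } else {
                    B.A.debug(transactionId, "Chaining mode is \"" + str + "\", using OCSP download time (" + trustCheckDate + ") for checking OCSP issuer trust.", null);
                }
            }
            if (trustCheckDate == null) {
                trustCheckDate = date;
            }
        } else {
            if (!ChainingModes.CHAIN_MODE.equalsIgnoreCase(str)) {
                // Fixed message: the original concatenated the mode without separating spaces.
                String message = "Chaining mode " + str + " not supported.";
                B.A.error(transactionId, message, null);
                throw new StatusCheckingException(message, null, getClass().getName() + ":13");
            }
            trustCheckDate = A(reqCert, basicResponse, "\"" + str + "\"", transactionId);
        }
        if (trustCheckDate == null) {
            if (B.A.isDebugEnabled()) {
                B.A.debug(transactionId, "No date information available from OCSP source, using original date (" + date + ") for checking OCSP issuer trust.", null);
            }
            trustCheckDate = date;
        }

        // 1. Issuer already known for this source.
        if (issuer != null) {
            return revocationTrustProfile.isIssuerTrustedOCSPResponder(issuer, trustCheckDate, supplementalRevocationSources, A(issuer, transactionId), transactionId);
        }

        // 2. Certificates embedded in the response. They are attacker-supplied until the
        //    trust profile has accepted one of them.
        ResponderID responderID = basicResponse.getResponderID();
        if (basicResponse.containsCertificates()) {
            X509Certificate[] certificates = basicResponse.getCertificates();
            B.A.debug(transactionId, certificates.length + " ocsp issuer candidate(s) included in response", null);
            List embeddedCandidates = A(certificates, responderID, !supplementalRevocationSources.useSupplementalRevocationSourcesOnly(), transactionId);
            if (embeddedCandidates.size() > 0) {
                return A(embeddedCandidates, oCSPRevocationSource, revocationTrustProfile, trustCheckDate, supplementalRevocationSources, transactionId);
            }
        }

        // 3. Certificates known to the trust profile.
        B.A.debug(transactionId, "Trying to get ocsp issuer certificate from store", null);
        AuthorityKeyIdentifier authorityKeyIdentifier;
        try {
            authorityKeyIdentifier = (AuthorityKeyIdentifier) basicResponse.getExtension(AuthorityKeyIdentifier.oid);
        } catch (X509ExtensionInitException ignored) {
            // An unreadable extension is treated like an absent one; it is passed on as null.
            authorityKeyIdentifier = null;
        }
        X509Certificate[] storeCandidates = responderID.byName()
                ? revocationTrustProfile.getIssuerCertificate(oCSPRevocationSource, trustCheckDate, transactionId)
                : revocationTrustProfile.getIssuerCertificate(responderID.getKeyHash(), authorityKeyIdentifier, trustCheckDate, transactionId);
        B.A.debug(transactionId, "Found " + storeCandidates.length + " ocsp issuer candidate(s)", null);
        return A(Arrays.asList(storeCandidates), oCSPRevocationSource, revocationTrustProfile, trustCheckDate, supplementalRevocationSources, transactionId);
    }

    /**
     * Tests responder certificate candidates in order and stops at the first trusted one.
     *
     * <p>The trusted candidate is recorded as the issuer of {@code oCSPRevocationSource}.
     *
     * @param list                          candidates; elements are cast to {@code X509Certificate}
     * @param oCSPRevocationSource          source that receives the trusted issuer
     * @param revocationTrustProfile        profile that performs the trust decision
     * @param date                          reference date for the trust decision
     * @param supplementalRevocationSources passed through to the trust profile
     * @param transactionId                 logging correlation id
     * @return the result for the first trusted candidate; otherwise the result of the last
     *         candidate tested, or an untrusted result if {@code list} is empty
     */
    protected TrustResult A(List list, OCSPRevocationSource oCSPRevocationSource, RevocationTrustProfile revocationTrustProfile, Date date, SupplementalRevocationSources supplementalRevocationSources, TransactionId transactionId) {
        // Default when there is no candidate at all: not trusted.
        TrustResult result = new TrustResultImpl(false, null);
        Iterator candidates = list.iterator();
        while (candidates.hasNext()) {
            X509Certificate candidate = (X509Certificate) candidates.next();
            result = revocationTrustProfile.isIssuerTrustedOCSPResponder(candidate, date, supplementalRevocationSources, A(candidate, transactionId), transactionId);
            if (result.isCertificateTrusted()) {
                oCSPRevocationSource.setIssuer(candidate);
                return result;
            }
        }
        return result;
    }

    /**
     * Builds the {@code ReqCert} (wrapping a {@code CertID}) for an OCSP request.
     *
     * @param x509Certificate  certificate to query; supplies issuer DN and serial number
     * @param x509Certificate2 certificate whose public key goes into the CertID
     *                         (presumably the issuer certificate -- TODO confirm)
     * @param str              name of the hash algorithm for the CertID
     * @return the request entry
     * @throws NullPointerException    if {@code str} is {@code null}
     * @throws StatusCheckingException if the algorithm is unknown or the CertID cannot be built
     */
    protected ReqCert A(X509Certificate x509Certificate, X509Certificate x509Certificate2, String str) {
        if (str == null) {
            throw new NullPointerException("OCSP hash algorithm must not be null");
        }
        AlgorithmID hashAlgorithm = AlgorithmID.getAlgorithmID(str);
        if (hashAlgorithm == null) {
            throw new StatusCheckingException("Cannot get an algorithm id for hash algorithm: " + str, null, getClass().getName() + ":0");
        }
        try {
            CertID certId = new CertID(hashAlgorithm, (Name) x509Certificate.getIssuerDN(), x509Certificate2.getPublicKey(), x509Certificate.getSerialNumber());
            return new ReqCert(0, certId);
        } catch (Exception e) {
            throw new StatusCheckingException("Error creating ocsp request", e, getClass().getName() + ":1");
        }
    }

    /* JADX WARN: Removed duplicated region for block: B:6:0x001b  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Selects, from the certificates embedded in a response, those matching the responder id.
     *
     * <p>NOT DECOMPILED: only the instruction dump below is available, and this listing
     * always throws. According to the dump the method:
     * <ol>
     *   <li>when {@code r11} is set, obtains the {@code CertInfoStore} from
     *       {@code PKIFactory} and checks {@code hasWriteableCertStore}; a
     *       {@code PKIException} disables the store step;</li>
     *   <li>adds every certificate for which {@code r10.isResponderIdFor(cert)} is true to a
     *       {@code Vector}, and, if the store is writeable, calls
     *       {@code createCertInfo(cert, true, r12)} for each certificate that was tested
     *       without error (failures of either call are ignored);</li>
     *   <li>if nothing matched, compares {@code r10.getName().getName()} with each subject
     *       DN string, and if still nothing matched, compares normalized names
     *       ({@code NameUtils.getNormalizedName}); a {@code UtilsException} ends the search.</li>
     * </ol>
     *
     * <p>NOTE(review): step 2 hands certificates taken from the response to the store before
     * any trust decision is visible in this method; confirm what {@code createCertInfo}
     * persists. The name fallback calls {@code getName()} on the responder id without a
     * visible by-name check -- TODO confirm it cannot be null for key-hash responder ids.
     *
     * @throws UnsupportedOperationException always, in this decompiled listing
     */
    protected java.util.List A(iaik.x509.X509Certificate[] r9, iaik.x509.ocsp.ResponderID r10, boolean r11, iaik.logging.TransactionId r12) {
        /*
            r8 = this;
            r3 = 0
            r0 = 1
            r1 = 0
            if (r11 == 0) goto L99
            iaik.pki.PKIFactory r2 = iaik.pki.PKIFactory.getInstance()     // Catch: iaik.pki.PKIException -> L3f
            iaik.pki.store.certinfo.CertInfoStore r2 = r2.getCertInfoStore()     // Catch: iaik.pki.PKIException -> L3f
            boolean r4 = r2.hasWriteableCertStore(r12)     // Catch: iaik.pki.PKIException -> L93
            if (r4 == 0) goto L96
        L13:
            java.util.Vector r5 = new java.util.Vector
            r5.<init>()
            int r4 = r9.length
            if (r4 == 0) goto L3e
            r4 = r1
        L1c:
            int r6 = r9.length
            if (r4 < r6) goto L44
            boolean r0 = r5.isEmpty()
            if (r0 == 0) goto L31
            iaik.asn1.structures.Name r3 = r10.getName()
            java.lang.String r4 = r3.getName()
            r2 = r1
        L2e:
            int r0 = r9.length
            if (r2 < r0) goto L58
        L31:
            boolean r0 = r5.isEmpty()
            if (r0 == 0) goto L3e
            java.lang.String r2 = iaik.pki.utils.NameUtils.getNormalizedName(r3)     // Catch: iaik.pki.utils.UtilsException -> L8f
        L3b:
            int r0 = r9.length     // Catch: iaik.pki.utils.UtilsException -> L8f
            if (r1 < r0) goto L73
        L3e:
            return r5
        L3f:
            r0 = move-exception
            r0 = r3
        L41:
            r2 = r0
            r0 = r1
            goto L13
        L44:
            r6 = r9[r4]
            boolean r7 = r10.isResponderIdFor(r6)     // Catch: java.security.NoSuchAlgorithmException -> L91
            if (r7 == 0) goto L4f
            r5.add(r6)     // Catch: java.security.NoSuchAlgorithmException -> L91
        L4f:
            if (r0 == 0) goto L55
            r7 = 1
            r2.createCertInfo(r6, r7, r12)     // Catch: iaik.pki.store.certinfo.CertInfoStoreException -> L8d java.security.NoSuchAlgorithmException -> L91
        L55:
            int r4 = r4 + 1
            goto L1c
        L58:
            r0 = r9[r2]
            java.security.Principal r0 = r0.getSubjectDN()
            iaik.asn1.structures.Name r0 = (iaik.asn1.structures.Name) r0
            java.lang.String r0 = r0.getName()
            boolean r0 = r4.equals(r0)
            if (r0 == 0) goto L6f
            r0 = r9[r2]
            r5.add(r0)
        L6f:
            int r0 = r2 + 1
            r2 = r0
            goto L2e
        L73:
            r0 = r9[r1]     // Catch: iaik.pki.utils.UtilsException -> L8f
            java.security.Principal r0 = r0.getSubjectDN()     // Catch: iaik.pki.utils.UtilsException -> L8f
            iaik.asn1.structures.Name r0 = (iaik.asn1.structures.Name) r0     // Catch: iaik.pki.utils.UtilsException -> L8f
            java.lang.String r0 = iaik.pki.utils.NameUtils.getNormalizedName(r0)     // Catch: iaik.pki.utils.UtilsException -> L8f
            boolean r0 = r2.equals(r0)     // Catch: iaik.pki.utils.UtilsException -> L8f
            if (r0 == 0) goto L8a
            r0 = r9[r1]     // Catch: iaik.pki.utils.UtilsException -> L8f
            r5.add(r0)     // Catch: iaik.pki.utils.UtilsException -> L8f
        L8a:
            int r1 = r1 + 1
            goto L3b
        L8d:
            r6 = move-exception
            goto L55
        L8f:
            r0 = move-exception
            goto L3e
        L91:
            r6 = move-exception
            goto L55
        L93:
            r0 = move-exception
            r0 = r2
            goto L41
        L96:
            r0 = r1
            goto L13
        L99:
            r0 = r1
            r2 = r3
            goto L13
        */
        throw new UnsupportedOperationException("Method not decompiled: iaik.pki.revocation.I.A(iaik.x509.X509Certificate[], iaik.x509.ocsp.ResponderID, boolean, iaik.logging.TransactionId):java.util.List");
    }

    /**
     * Reports whether a responder certificate carries the OCSP "NoCheck" extension.
     *
     * <p>The result is passed to the trust profile together with the certificate. An
     * extension that cannot be initialised counts as absent.
     *
     * @param x509Certificate responder certificate candidate; may be {@code null}
     * @param transactionId   logging correlation id
     * @return {@code true} only if the extension is present and readable
     */
    protected boolean A(X509Certificate x509Certificate, TransactionId transactionId) {
        if (x509Certificate == null) {
            return false;
        }
        try {
            boolean hasNoCheck = x509Certificate.getExtension(NoCheck.oid) != null;
            if (hasNoCheck) {
                B.A.info(transactionId, "\"NoCheck\" extension included in OCSP reponder certificate.", null);
            }
            return hasNoCheck;
        } catch (X509ExtensionInitException e) {
            B.A.debug(transactionId, "Unable to check if \"NoCheck\" extension is included in OCSP responder certificate", null);
            return false;
        }
    }

    /**
     * Determines the revocation status of a certificate via OCSP.
     *
     * <p>The certificate must be within its validity period at {@code date}; only then is
     * the status lookup performed. A {@code RevocationStoreException} from the lookup is
     * reported as an unknown status with reason "service unavailable".
     *
     * <p>NOTE(review): the outer {@code catch (Exception)} also encloses the lookup, so any
     * other exception raised there is logged and rethrown as "Certificate must be valid".
     * Treat that message as unreliable when diagnosing failures.
     *
     * @param x509Certificate               certificate to check; must not be {@code null}
     * @param z                             not used in this method
     * @param x509Certificate2              forwarded to the lookup (presumably the issuer -- TODO confirm)
     * @param publicKey                     not used in this method
     * @param date                          date the status is requested for; must not be {@code null}
     * @param str                           forwarded to the lookup; meaning not visible here
     * @param supplementalRevocationSources forwarded to the lookup
     * @param revocationTrustProfile        must not be {@code null}
     * @param revocationProfile             must not be {@code null}
     * @param transactionId                 logging correlation id
     * @return the revocation status
     * @throws NullPointerException    if a required argument is {@code null}
     * @throws StatusCheckingException if the checker is not configured, the certificate is
     *                                 not valid at {@code date}, or the lookup fails with
     *                                 anything other than {@code RevocationStoreException}
     */
    @Override // iaik.pki.revocation.CertificateStatusChecker
    public RevocationStatus getCertificateStatus(X509Certificate x509Certificate, boolean z, X509Certificate x509Certificate2, PublicKey publicKey, Date date, String str, SupplementalRevocationSources supplementalRevocationSources, RevocationTrustProfile revocationTrustProfile, RevocationProfile revocationProfile, TransactionId transactionId) {
        B.A.debug(transactionId, "Entering OCSPCertificateStatusChecker.", null);
        if (this.C == null) {
            throw new StatusCheckingException("Status checking not yet configured", null, getClass().getName() + ":10");
        }
        if (revocationTrustProfile == null) {
            throw new NullPointerException("Trust profile mustn't be null");
        }
        if (x509Certificate == null) {
            throw new NullPointerException("Argument \"certificate\" must not be null.");
        }
        if (date == null) {
            throw new NullPointerException("Argument \"concernedDate\" must not be null.");
        }
        if (revocationProfile == null) {
            throw new NullPointerException("Profile mustn't be null");
        }
        try {
            x509Certificate.checkValidity(date);
            try {
                return A(date, str, x509Certificate, x509Certificate2, supplementalRevocationSources, revocationTrustProfile, revocationProfile, transactionId);
            } catch (RevocationStoreException e) {
                // Revocation data unavailable: report "unknown", never "good".
                B.A.info(transactionId, "Can't get OCSP revocation info ", e);
                return new H(date, RevocationStatusUnknown.UNKNOWN_REASON_SERVICE_UNAVAILABLE);
            }
        } catch (Exception e2) {
            B.A.error(transactionId, "provided certificate not valid at " + date, e2);
            throw new StatusCheckingException("Certificate must be valid", e2, getClass().getName() + ":11");
        }
    }
}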
