package com.appmattus.certificatetransparency.internal.verifier;

import androidx.core.view.ViewCompat;
import com.appmattus.certificatetransparency.SctVerificationResult;
import com.appmattus.certificatetransparency.internal.serialization.OutputStreamExtKt;
import com.appmattus.certificatetransparency.internal.utils.Base64;
import com.appmattus.certificatetransparency.internal.utils.CertificateExtKt;
import com.appmattus.certificatetransparency.internal.verifier.model.IssuerInformation;
import com.appmattus.certificatetransparency.internal.verifier.model.SignedCertificateTimestamp;
import com.appmattus.certificatetransparency.internal.verifier.model.Version;
import com.appmattus.certificatetransparency.loglist.LogServer;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt__IterablesKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.internal.Intrinsics;
import ru.domesticroots.bouncycastle.asn1.ASN1InputStream;
import ru.domesticroots.bouncycastle.asn1.ASN1ObjectIdentifier;
import ru.domesticroots.bouncycastle.asn1.DERBitString;
import ru.domesticroots.bouncycastle.asn1.x500.X500Name;
import ru.domesticroots.bouncycastle.asn1.x509.Certificate;
import ru.domesticroots.bouncycastle.asn1.x509.Extension;
import ru.domesticroots.bouncycastle.asn1.x509.Extensions;
import ru.domesticroots.bouncycastle.asn1.x509.TBSCertificate;
import ru.domesticroots.bouncycastle.asn1.x509.V3TBSCertificateGenerator;

@Metadata(d1 = {"\u0000h\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0012\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0007\n\u0002\u0010\u000b\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\b\u0000\u0018\u0000 (2\u00020\u0001:\u0001(B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0018\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\b2\u0006\u0010\t\u001a\u00020\nH\u0002J \u0010\u000b\u001a\b\u0012\u0004\u0012\u00020\r0\f2\u0006\u0010\u000e\u001a\u00020\u000f2\b\u0010\u0010\u001a\u0004\u0018\u00010\rH\u0002J\u0018\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u00142\u0006\u0010\u0015\u001a\u00020\u0016H\u0002J \u0010\u0017\u001a\u00020\u00122\u0006\u0010\u0018\u001a\u00020\u00122\u0006\u0010\u0019\u001a\u00020\u00122\u0006\u0010\u0015\u001a\u00020\u0016H\u0002J%\u0010\u001a\u001a\u00020\u001b2\u0006\u0010\u0015\u001a\u00020\u00162\u0006\u0010\u0013\u001a\u00020\b2\u0006\u0010\u001c\u001a\u00020\nH\u0000¢\u0006\u0002\b\u001dJ\u0018\u0010\u001e\u001a\u00020\u001b2\u0006\u0010\u0015\u001a\u00020\u00162\u0006\u0010\u001f\u001a\u00020\u0012H\u0002J\u001e\u0010 \u001a\u00020\u001b2\u0006\u0010\u0015\u001a\u00020\u00162\f\u0010!\u001a\b\u0012\u0004\u0012\u00020\u00140\fH\u0016J\f\u0010\"\u001a\u00020#*\u00020$H\u0002J\u0014\u0010%\u001a\u00020&*\u00020'2\u0006\u0010\u0015\u001a\u00020\u0016H\u0002R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006)"}, d2 = {"Lcom/appmattus/certificatetransparency/internal/verifier/LogSignatureVerifier;", "Lcom/appmattus/certificatetransparency/internal/verifier/SignatureVerifier;", "logServer", 
"Lcom/appmattus/certificatetransparency/loglist/LogServer;", "(Lcom/appmattus/certificatetransparency/loglist/LogServer;)V", "createTbsForVerification", "Lru/domesticroots/bouncycastle/asn1/x509/TBSCertificate;", "preCertificate", "Ljava/security/cert/X509Certificate;", "issuerInformation", "Lcom/appmattus/certificatetransparency/internal/verifier/model/IssuerInformation;", "getExtensionsWithoutPoisonAndSct", "", "Lru/domesticroots/bouncycastle/asn1/x509/Extension;", "extensions", "Lru/domesticroots/bouncycastle/asn1/x509/Extensions;", "replacementX509authorityKeyIdentifier", "serializeSignedSctData", "", "certificate", "Ljava/security/cert/Certificate;", "sct", "Lcom/appmattus/certificatetransparency/internal/verifier/model/SignedCertificateTimestamp;", "serializeSignedSctDataForPreCertificate", "preCertBytes", "issuerKeyHash", "verifySCTOverPreCertificate", "Lcom/appmattus/certificatetransparency/SctVerificationResult;", "issuerInfo", "verifySCTOverPreCertificate$domesticroots_certificatetransparency_release", "verifySctSignatureOverBytes", "toVerify", "verifySignature", "chain", "hasX509AuthorityKeyIdentifier", "", "Lru/domesticroots/bouncycastle/asn1/x509/Certificate;", "serializeCommonSctFields", "", "Ljava/io/OutputStream;", "Companion", "domesticroots-certificatetransparency_release"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes.dex */
/**
 * Verifies the signature of a Signed Certificate Timestamp (SCT) against the public key of
 * one Certificate Transparency log server.
 *
 * <p>This is decompiler output of a Kotlin class, so member names are obfuscated. The Kotlin
 * {@code @Metadata} on this class lists the original names; matched by signature they appear
 * to be:
 * <ul>
 *   <li>{@code a(X509Certificate, IssuerInformation)} - createTbsForVerification</li>
 *   <li>{@code b(Extensions, Extension)} - getExtensionsWithoutPoisonAndSct</li>
 *   <li>{@code c(Certificate)} - hasX509AuthorityKeyIdentifier</li>
 *   <li>{@code d(OutputStream, SignedCertificateTimestamp)} - serializeCommonSctFields</li>
 *   <li>{@code e(Certificate, SignedCertificateTimestamp)} - serializeSignedSctData</li>
 *   <li>{@code f(byte[], byte[], SignedCertificateTimestamp)} - serializeSignedSctDataForPreCertificate</li>
 *   <li>{@code g(...)} - verifySCTOverPreCertificate</li>
 *   <li>{@code h(...)} - verifySctSignatureOverBytes</li>
 *   <li>{@code i(...)} - verifySignature</li>
 * </ul>
 * The metadata also names {@code SignatureVerifier} as a supertype, although the decompiled
 * declaration below shows no {@code implements} clause.
 *
 * <p>NOTE(review): {@code Intrinsics.g}/{@code Intrinsics.f} look like Kotlin's
 * compiler-inserted null checks and {@code Intrinsics.c} like a null-safe equality test;
 * the names are obfuscated, so confirm against the bundled Kotlin runtime.
 *
 * <p>NOTE(review): the empty {@code finally} blocks are how the decompiler rendered the
 * stream handling; as written here each stream is closed only on the success path.
 */
public final class LogSignatureVerifier {
    // The log server whose key, log id and validity window every check below is made against.
    private final LogServer a;

    /**
     * Creates a verifier bound to one log server.
     *
     * @param logServer the log whose public key is used for signature verification
     */
    public LogSignatureVerifier(LogServer logServer) {
        Intrinsics.g(logServer, "logServer");
        this.a = logServer;
    }

    /**
     * Rebuilds the TBSCertificate that is signed over for a pre-certificate entry: the parsed
     * certificate's fields are copied into a new V3 TBS structure, with the extension list
     * filtered by {@link #b} and the issuer name taken from {@code issuerInformation} when it
     * supplies one.
     *
     * @param x509Certificate the certificate to rebuild; must report X.509 version 3 or higher
     * @param issuerInformation issuer data used to replace the issuer name and, via {@link #b},
     *     the authority key identifier extension
     * @return the reconstructed TBSCertificate
     * @throws IllegalArgumentException if the version is below 3, or if the certificate has an
     *     authority key identifier, the issuer information says it was issued by a
     *     pre-certificate signing certificate, and no replacement identifier is supplied
     */
    private final TBSCertificate a(X509Certificate x509Certificate, IssuerInformation issuerInformation) {
        boolean z = true;
        if (!(x509Certificate.getVersion() >= 3)) {
            throw new IllegalArgumentException("Failed requirement.".toString());
        }
        ASN1InputStream aSN1InputStream = new ASN1InputStream(x509Certificate.getEncoded());
        try {
            Certificate parsedPreCertificate = Certificate.C(aSN1InputStream.l());
            Intrinsics.f(parsedPreCertificate, "parsedPreCertificate");
            // When the AKI will have to be swapped (see b), a replacement must actually exist;
            // otherwise the rebuilt TBS could not match what the log signed.
            if (c(parsedPreCertificate) && issuerInformation.getIssuedByPreCertificateSigningCert()) {
                if (issuerInformation.getX509authorityKeyIdentifier() == null) {
                    z = false;
                }
                if (!z) {
                    throw new IllegalArgumentException("Failed requirement.".toString());
                }
            }
            Extensions D = parsedPreCertificate.H().D();
            Intrinsics.f(D, "parsedPreCertificate.tbsCertificate.extensions");
            List<Extension> b = b(D, issuerInformation.getX509authorityKeyIdentifier());
            V3TBSCertificateGenerator v3TBSCertificateGenerator = new V3TBSCertificateGenerator();
            TBSCertificate H = parsedPreCertificate.H();
            // Field-by-field copy from the parsed TBS. The accessor and setter names are
            // obfuscated, so which TBS field each line carries cannot be read off here.
            v3TBSCertificateGenerator.f(H.L());
            v3TBSCertificateGenerator.g(H.M());
            // Issuer name: the supplied issuer information wins; fall back to the value
            // already present in the parsed certificate.
            X500Name name = issuerInformation.getName();
            if (name == null) {
                name = H.I();
            }
            v3TBSCertificateGenerator.d(name);
            v3TBSCertificateGenerator.h(H.N());
            v3TBSCertificateGenerator.b(H.C());
            v3TBSCertificateGenerator.i(H.O());
            v3TBSCertificateGenerator.j(H.Q());
            v3TBSCertificateGenerator.e((DERBitString) H.K());
            v3TBSCertificateGenerator.k((DERBitString) H.R());
            Object[] array = b.toArray(new Extension[0]);
            // Kotlin toTypedArray() cast check emitted by the compiler.
            if (array == null) {
                throw new NullPointerException("null cannot be cast to non-null type kotlin.Array<T of kotlin.collections.ArraysKt__ArraysJVMKt.toTypedArray>");
            }
            v3TBSCertificateGenerator.c(new Extensions((Extension[]) array));
            TBSCertificate a = v3TBSCertificateGenerator.a();
            CloseableKt.a(aSN1InputStream, null);
            Intrinsics.f(a, "ASN1InputStream(preCerti…BSCertificate()\n        }");
            return a;
        } finally {
        }
    }

    /**
     * Returns the certificate's extensions with the two CT-specific ones removed and the
     * authority key identifier optionally replaced.
     *
     * <p>OIDs handled: {@code 1.3.6.1.4.1.11129.2.4.3} (pre-certificate poison) and
     * {@code 1.3.6.1.4.1.11129.2.4.2} (embedded SCT list) are dropped; {@code 2.5.29.35}
     * (authorityKeyIdentifier) is replaced by {@code extension} when that is non-null.
     *
     * @param extensions the extensions of the parsed certificate
     * @param extension replacement authority key identifier extension, or {@code null} to keep
     *     the original
     * @return the remaining extensions, in the order of {@code extensions.D()}
     */
    private final List<Extension> b(Extensions extensions, Extension extension) {
        int u;
        ASN1ObjectIdentifier[] D = extensions.D();
        Intrinsics.f(D, "extensions.extensionOIDs");
        // Pass 1: drop the poison extension.
        ArrayList arrayList = new ArrayList();
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier : D) {
            if (!Intrinsics.c(aSN1ObjectIdentifier.W(), "1.3.6.1.4.1.11129.2.4.3")) {
                arrayList.add(aSN1ObjectIdentifier);
            }
        }
        // Pass 2: drop the embedded SCT list extension.
        ArrayList<ASN1ObjectIdentifier> arrayList2 = new ArrayList();
        for (Object obj : arrayList) {
            if (!Intrinsics.c(((ASN1ObjectIdentifier) obj).W(), "1.3.6.1.4.1.11129.2.4.2")) {
                arrayList2.add(obj);
            }
        }
        // presumably a capacity hint for the result list (obfuscated Kotlin helper) - confirm
        u = CollectionsKt__IterablesKt.u(arrayList2, 10);
        ArrayList arrayList3 = new ArrayList(u);
        // Pass 3: map each remaining OID to its extension, substituting the AKI if requested.
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier2 : arrayList2) {
            arrayList3.add((!Intrinsics.c(aSN1ObjectIdentifier2.W(), "2.5.29.35") || extension == null) ? extensions.C(aSN1ObjectIdentifier2) : extension);
        }
        return arrayList3;
    }

    /**
     * Reports whether the certificate carries an extension with OID {@code 2.5.29.35}
     * (authorityKeyIdentifier).
     *
     * @param certificate the parsed certificate
     * @return {@code true} if the lookup returns a non-null extension
     */
    private final boolean c(Certificate certificate) {
        return certificate.H().D().C(new ASN1ObjectIdentifier("2.5.29.35")) != null;
    }

    /**
     * Writes the fields shared by both signed-data layouts: the SCT version number (1 byte),
     * a constant 0 (1 byte) and the SCT timestamp (8 bytes). This matches the head of the
     * RFC 6962 digitally-signed structure, where the constant byte is the signature type.
     *
     * <p>NOTE(review): {@code OutputStreamExtKt.a(stream, value, n)} is assumed to write
     * {@code value} as a fixed-width {@code n}-byte number - confirm against that helper.
     *
     * @param outputStream destination for the serialized bytes
     * @param signedCertificateTimestamp the SCT being verified
     * @throws IllegalArgumentException if the SCT version is not {@code Version.V1}
     */
    private final void d(OutputStream outputStream, SignedCertificateTimestamp signedCertificateTimestamp) {
        if (!(signedCertificateTimestamp.getSctVersion() == Version.V1)) {
            throw new IllegalArgumentException("Can only serialize SCT v1 for now.".toString());
        }
        OutputStreamExtKt.a(outputStream, signedCertificateTimestamp.getSctVersion().getNumber(), 1);
        OutputStreamExtKt.a(outputStream, 0L, 1);
        OutputStreamExtKt.a(outputStream, signedCertificateTimestamp.getTimestamp(), 8);
    }

    /**
     * Serializes the data signed over for an ordinary X.509 entry: common fields, entry type 0
     * (2 bytes), the encoded certificate, then the SCT extensions.
     *
     * @param certificate the leaf certificate
     * @param signedCertificateTimestamp the SCT being verified
     * @return the bytes the log signature is checked against
     */
    private final byte[] e(java.security.cert.Certificate certificate, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            d(byteArrayOutputStream, signedCertificateTimestamp);
            OutputStreamExtKt.a(byteArrayOutputStream, 0L, 2);
            byte[] encoded = certificate.getEncoded();
            Intrinsics.f(encoded, "certificate.encoded");
            // ViewCompat.MEASURED_SIZE_MASK is the decompiler's spelling of the literal
            // 0x00FFFFFF (16777215); it has nothing to do with Android views here.
            // presumably the maximum length accepted by the length-prefixed writer - confirm.
            OutputStreamExtKt.b(byteArrayOutputStream, encoded, ViewCompat.MEASURED_SIZE_MASK);
            OutputStreamExtKt.b(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            CloseableKt.a(byteArrayOutputStream, null);
            Intrinsics.f(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
        }
    }

    /**
     * Serializes the data signed over for a pre-certificate entry: common fields, entry type 1
     * (2 bytes), the issuer key hash, the TBSCertificate bytes, then the SCT extensions.
     *
     * @param bArr encoded TBSCertificate (metadata name: preCertBytes)
     * @param bArr2 issuer key hash (metadata name: issuerKeyHash)
     * @param signedCertificateTimestamp the SCT being verified
     * @return the bytes the log signature is checked against
     */
    private final byte[] f(byte[] bArr, byte[] bArr2, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            d(byteArrayOutputStream, signedCertificateTimestamp);
            OutputStreamExtKt.a(byteArrayOutputStream, 1L, 2);
            // Written raw, with no length prefix and no length check in this method.
            // NOTE(review): RFC 6962 fixes issuer_key_hash at 32 bytes; confirm that whatever
            // builds IssuerInformation guarantees that length.
            byteArrayOutputStream.write(bArr2);
            // 0x00FFFFFF literal, shown by the decompiler as an unrelated Android constant.
            OutputStreamExtKt.b(byteArrayOutputStream, bArr, ViewCompat.MEASURED_SIZE_MASK);
            OutputStreamExtKt.b(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            CloseableKt.a(byteArrayOutputStream, null);
            Intrinsics.f(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
        }
    }

    /**
     * Checks the SCT's signature bytes over {@code bArr} with the log server's public key.
     *
     * <p>The JCA algorithm is chosen from the log key's algorithm only ("EC" gives
     * SHA256withECDSA, "RSA" gives SHA256withRSA); no algorithm identifier carried by the SCT
     * is read in this method. Every failure is returned as a result object, so the only path
     * to {@code Valid} is {@code Signature.verify} returning {@code true}.
     *
     * @param signedCertificateTimestamp the SCT whose signature is checked
     * @param bArr the serialized signed data (metadata name: toVerify)
     * @return {@code Valid}, {@code FailedVerification}, or a result describing the error
     */
    private final SctVerificationResult h(SignedCertificateTimestamp signedCertificateTimestamp, byte[] bArr) {
        String str;
        SctVerificationResult signatureNotValid;
        if (Intrinsics.c(this.a.getKey().getAlgorithm(), "EC")) {
            str = "SHA256withECDSA";
        } else {
            if (!Intrinsics.c(this.a.getKey().getAlgorithm(), "RSA")) {
                String algorithm = this.a.getKey().getAlgorithm();
                Intrinsics.f(algorithm, "logServer.key.algorithm");
                // presumably the Kotlin synthetic constructor for a defaulted second argument
                return new UnsupportedSignatureAlgorithm(algorithm, null, 2, null);
            }
            str = "SHA256withRSA";
        }
        try {
            Signature signature = Signature.getInstance(str);
            signature.initVerify(this.a.getKey());
            signature.update(bArr);
            return signature.verify(signedCertificateTimestamp.getSignature().getSignature()) ? SctVerificationResult.Valid.a : SctVerificationResult.Invalid.FailedVerification.a;
        } catch (InvalidKeyException e) {
            signatureNotValid = new LogPublicKeyNotValid(e);
            return signatureNotValid;
        } catch (NoSuchAlgorithmException e2) {
            signatureNotValid = new UnsupportedSignatureAlgorithm(str, e2);
            return signatureNotValid;
        } catch (SignatureException e3) {
            // A malformed signature encoding is reported as a failure result.
            signatureNotValid = new SignatureNotValid(e3);
            return signatureNotValid;
        }
    }

    /**
     * Verifies an SCT over a pre-certificate: rebuilds the TBSCertificate, serializes it with
     * the issuer key hash, and checks the signature.
     *
     * <p>NOTE(review): only {@code IOException} and {@code CertificateException} are mapped to
     * a result. The {@code IllegalArgumentException}s raised while rebuilding the TBS and while
     * serializing a non-V1 SCT are not caught here, so callers have to treat a thrown exception
     * as a failed verification.
     *
     * @param sct the SCT to verify
     * @param certificate the certificate the SCT was issued for
     * @param issuerInfo issuer name, key hash and optional authority key identifier
     * @return the verification result
     */
    public final SctVerificationResult g(SignedCertificateTimestamp sct, X509Certificate certificate, IssuerInformation issuerInfo) {
        CertificateEncodingFailed certificateEncodingFailed;
        Intrinsics.g(sct, "sct");
        Intrinsics.g(certificate, "certificate");
        Intrinsics.g(issuerInfo, "issuerInfo");
        try {
            byte[] z = a(certificate, issuerInfo).z();
            Intrinsics.f(z, "preCertificateTBS.encoded");
            return h(sct, f(z, issuerInfo.getKeyHash(), sct));
        } catch (IOException e) {
            certificateEncodingFailed = new CertificateEncodingFailed(e);
            return certificateEncodingFailed;
        } catch (CertificateException e2) {
            certificateEncodingFailed = new CertificateEncodingFailed(e2);
            return certificateEncodingFailed;
        }
    }

    /**
     * Entry point: verifies {@code sct} for the leaf certificate at {@code chain.get(0)}.
     *
     * <p>Checks run in this order, each returning an invalid result on failure: SCT timestamp
     * not later than {@code System.currentTimeMillis()}; SCT timestamp not later than the
     * log's {@code validUntil} when one is set; SCT log id equal to the log server's id. The
     * signature is then verified either directly over the leaf or over a rebuilt
     * pre-certificate TBS, which needs issuer certificates from the chain.
     *
     * <p>NOTE(review): {@code chain.get(0)} is not guarded, so an empty chain throws
     * {@code IndexOutOfBoundsException}. The future-timestamp check relies on the device clock.
     *
     * @param sct the SCT to verify
     * @param chain certificate chain, leaf first
     * @return the verification result
     */
    public SctVerificationResult i(SignedCertificateTimestamp sct, List<? extends java.security.cert.Certificate> chain) {
        IssuerInformation d;
        CertificateEncodingFailed certificateEncodingFailed;
        Intrinsics.g(sct, "sct");
        Intrinsics.g(chain, "chain");
        long currentTimeMillis = System.currentTimeMillis();
        if (sct.getTimestamp() > currentTimeMillis) {
            return new SctVerificationResult.Invalid.FutureTimestamp(sct.getTimestamp(), currentTimeMillis);
        }
        // An SCT stamped after the log's validity cut-off is rejected as untrusted.
        if (this.a.getValidUntil() != null && sct.getTimestamp() > this.a.getValidUntil().longValue()) {
            return new SctVerificationResult.Invalid.LogServerUntrusted(sct.getTimestamp(), this.a.getValidUntil().longValue());
        }
        // The SCT must name this log; otherwise the key used below would be the wrong one.
        if (!Arrays.equals(this.a.getC(), sct.getId().getKeyId())) {
            return new LogIdMismatch(Base64.a.b(sct.getId().getKeyId()), Base64.a.b(this.a.getC()));
        }
        java.security.cert.Certificate certificate = chain.get(0);
        // presumably "is pre-certificate" / "has embedded SCT" tests (obfuscated) - confirm.
        // When neither holds, the SCT is verified over the leaf certificate as it is.
        if (!CertificateExtKt.b(certificate) && !CertificateExtKt.a(certificate)) {
            try {
                return h(sct, e(certificate, sct));
            } catch (IOException e) {
                certificateEncodingFailed = new CertificateEncodingFailed(e);
                return certificateEncodingFailed;
            } catch (CertificateEncodingException e2) {
                certificateEncodingFailed = new CertificateEncodingFailed(e2);
                return certificateEncodingFailed;
            }
        }
        // The pre-certificate path needs the issuer to compute the issuer key hash.
        if (chain.size() < 2) {
            return NoIssuer.a;
        }
        java.security.cert.Certificate certificate2 = chain.get(1);
        try {
            // presumably c(...) tests for a pre-certificate signing certificate - confirm.
            if (!CertificateExtKt.c(certificate2)) {
                try {
                    d = CertificateExtKt.d(certificate2);
                } catch (NoSuchAlgorithmException e3) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e3);
                }
            } else {
                // In this branch the certificate after chain[1] is also required.
                if (chain.size() < 3) {
                    return NoIssuerWithPreCert.a;
                }
                try {
                    d = CertificateExtKt.e(certificate2, chain.get(2));
                } catch (IOException e4) {
                    return new ASN1ParsingFailed(e4);
                } catch (NoSuchAlgorithmException e5) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e5);
                } catch (CertificateEncodingException e6) {
                    return new CertificateEncodingFailed(e6);
                }
            }
            // Unchecked cast: a non-X.509 leaf reaching this line throws ClassCastException.
            return g(sct, (X509Certificate) certificate, d);
        } catch (CertificateParsingException e7) {
            return new CertificateParsingFailed(e7);
        }
    }
}
