package sun.security.provider.certpath;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sun.security.provider.certpath.OCSP;
import sun.security.util.ObjectIdentifier;
import sun.security.util.i;
import sun.security.util.k;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X509CertImpl;
import sun.security.x509.ah;
import sun.security.x509.bo;

/* loaded from: classes2.dex */
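/**
 * Decoded OCSP response: parses the DER bytes, rejects unsupported or stale content, and
 * verifies the responder's signature before the object becomes usable.
 *
 * <p>This is decompiled, name-obfuscated code. The DER helper types {@code k} and {@code i}
 * (from {@code sun.security.util}) have obfuscated method names; the readings given in the
 * comments below ("next value", "bytes left", "SEQUENCE") are inferred from how the results are
 * used and from the adjacent error messages. Confirm them against those classes.
 *
 * <p>Review notes for anyone relying on this class for revocation decisions:
 * <ul>
 *   <li>The {@code Date} constructor argument is never read in the visible code; freshness is
 *       judged against {@code System.currentTimeMillis()} with a 15-minute tolerance.</li>
 *   <li>The extension with OID 1.3.6.1.5.5.7.48.1.2 (OCSP nonce) is tolerated when critical, but
 *       its value is not compared with anything here, so replay protection in this class rests
 *       on the thisUpdate/nextUpdate window only.</li>
 *   <li>The responderID field is tag-checked (and logged) but not matched against the
 *       certificate that ends up verifying the signature.</li>
 *   <li>For a delegated responder certificate, no validity-period or revocation check is visible
 *       here; the opaque call {@code sun.security.provider.certpath.a.a(cert)} may cover part of
 *       that. TODO confirm.</li>
 * </ul>
 */
public final class OCSPResponse {
    // Not referenced anywhere in the visible code.
    private static final boolean c = false;
    // 0 / 1 / 2 equal the CertStatus tag numbers tested in the SingleResponse constructor
    // (good / revoked / unknown). The constants themselves are not referenced (values inlined).
    private static final int f = 0;
    private static final int g = 1;
    private static final int h = 2;
    // 1 / 2 equal the responderID tag numbers accepted by the constructor; not referenced directly.
    private static final int i = 1;
    private static final int j = 2;
    // Extended-key-usage OID (id-kp-OCSPSigning) that a delegated responder certificate must carry.
    private static final String k = "1.3.6.1.5.5.7.3.9";
    // Clock tolerance in milliseconds (900000 ms = 15 minutes) applied to both ends of the
    // thisUpdate/nextUpdate interval.
    private static final long n = 900000;
    // Status decoded from the outer OCSPResponse structure.
    private final ResponseStatus l;
    // SingleResponse entries keyed by their certificate identifier; empty for non-successful status.
    private final Map<c, a> m;
    // Cached enum values, indexed by the enumerated status number read from the response.
    private static ResponseStatus[] a = ResponseStatus.values();
    // Debug logger for the "certpath" category; every use below is guarded against null.
    private static final sun.security.util.e b = sun.security.util.e.a("certpath");
    // OID 1.3.6.1.5.5.7.48.1.1: the only response type accepted (logged as "basic").
    private static final ObjectIdentifier d = ObjectIdentifier.a(new int[]{1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
    // OID 1.3.6.1.5.5.7.48.1.2 (nonce): the one response extension allowed to be marked critical.
    private static final ObjectIdentifier e = ObjectIdentifier.a(new int[]{1, 3, 6, 1, 5, 5, 7, 48, 1, 2});

    /* loaded from: classes2.dex */
    /** Response status values, in the order used to index them by the decoded status number. */
    public enum ResponseStatus {
        SUCCESSFUL,
        MALFORMED_REQUEST,
        INTERNAL_ERROR,
        TRY_LATER,
        UNUSED,
        SIG_REQUIRED,
        UNAUTHORIZED
    }

    /* loaded from: classes2.dex */
    /**
     * One SingleResponse entry: certificate identifier, status, optional revocation details and
     * the thisUpdate/nextUpdate interval. Construction fails if the entry is stale or carries a
     * critical extension.
     */
    static final class a implements OCSP.RevocationStatus {
        // Cached enum values, indexed by the decoded revocation reason code.
        private static OCSP.RevocationStatus.Reason[] f = OCSP.RevocationStatus.Reason.values();
        // Certificate identifier this entry refers to.
        private final c a;
        // GOOD, REVOKED or UNKNOWN.
        private final OCSP.RevocationStatus.CertStatus b;
        // thisUpdate.
        private final Date c;
        // nextUpdate, or null when the entry does not carry one.
        private final Date d;
        // Revocation time; null unless the status is REVOKED.
        private final Date e;
        // Revocation reason; UNSPECIFIED when absent, out of range, or not revoked.
        private final OCSP.RevocationStatus.Reason g;

        /**
         * Decodes one SingleResponse value.
         *
         * @param kVar DER value expected to be a SEQUENCE (tag 48)
         * @throws IOException on a bad tag, an invalid certificate status, any critical
         *     single-response extension, or a validity interval outside the tolerated clock window
         */
        private a(k kVar) throws IOException {
            if (kVar.e != 48) {
                throw new IOException("Bad ASN.1 encoding in SingleResponse");
            }
            i iVar = kVar.g;
            this.a = new c(iVar.k().g);
            k k = iVar.k();
            // Low five bits of the tag select the certStatus alternative.
            short s = (byte) (k.e & 31);
            if (s == 1) {
                this.b = OCSP.RevocationStatus.CertStatus.REVOKED;
                this.e = k.g.s();
                if (k.g.x() != 0) {
                    k k2 = k.g.k();
                    if (((byte) (k2.e & 31)) == 0) {
                        int e = k2.g.e();
                        // The reason code comes from the responder; anything outside the known
                        // enum range is mapped to UNSPECIFIED instead of indexing out of bounds.
                        if (e < 0 || e >= f.length) {
                            this.g = OCSP.RevocationStatus.Reason.UNSPECIFIED;
                        } else {
                            this.g = f[e];
                        }
                    } else {
                        this.g = OCSP.RevocationStatus.Reason.UNSPECIFIED;
                    }
                } else {
                    this.g = OCSP.RevocationStatus.Reason.UNSPECIFIED;
                }
                if (OCSPResponse.b != null) {
                    OCSPResponse.b.c("Revocation time: " + this.e);
                    OCSPResponse.b.c("Revocation reason: " + this.g);
                }
            } else {
                this.e = null;
                this.g = OCSP.RevocationStatus.Reason.UNSPECIFIED;
                if (s == 0) {
                    this.b = OCSP.RevocationStatus.CertStatus.GOOD;
                } else {
                    if (s != 2) {
                        throw new IOException("Invalid certificate status");
                    }
                    this.b = OCSP.RevocationStatus.CertStatus.UNKNOWN;
                }
            }
            this.c = iVar.s();
            if (iVar.x() == 0) {
                this.d = null;
            } else {
                k k3 = iVar.k();
                if (((byte) (k3.e & 31)) == 0) {
                    this.d = k3.g.s();
                } else {
                    this.d = null;
                }
            }
            if (iVar.x() > 0) {
                k k4 = iVar.k();
                if (k4.a((byte) 1)) {
                    k[] a = k4.g.a(3);
                    for (k kVar2 : a) {
                        ah ahVar = new ah(kVar2);
                        if (OCSPResponse.b != null) {
                            OCSPResponse.b.c("OCSP single extension: " + ahVar);
                        }
                        // Fail closed: no critical single-response extension is understood here.
                        if (ahVar.d()) {
                            throw new IOException("Unsupported OCSP critical extension: " + ahVar.e());
                        }
                    }
                }
            }
            // Freshness is measured against the local clock, widened by the tolerance on each side.
            long currentTimeMillis = System.currentTimeMillis();
            Date date = new Date(currentTimeMillis + OCSPResponse.n);
            Date date2 = new Date(currentTimeMillis - OCSPResponse.n);
            if (OCSPResponse.b != null) {
                OCSPResponse.b.c("Response's validity interval is from " + this.c + (this.d != null ? " until " + this.d : ""));
            }
            // Accept only if thisUpdate is not later than now + tolerance and, when nextUpdate is
            // present, it is not earlier than now - tolerance. A missing nextUpdate puts no upper
            // bound on the age of the entry.
            if ((this.c == null || !date.before(this.c)) && (this.d == null || !date2.after(this.d))) {
                return;
            }
            if (OCSPResponse.b != null) {
                OCSPResponse.b.c("Response is unreliable: its validity interval is out-of-date");
            }
            throw new IOException("Response is unreliable: its validity interval is out-of-date");
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Returns the certificate identifier of this entry (used as the map key by the outer class). */
        public c d() {
            return this.a;
        }

        /** Returns the certificate status decoded from this entry. */
        @Override // sun.security.provider.certpath.OCSP.RevocationStatus
        public OCSP.RevocationStatus.CertStatus a() {
            return this.b;
        }

        /**
         * Returns a defensive copy of the revocation time, or {@code null} when the status is
         * not REVOKED (the field is only set in the REVOKED branch, so cloning it
         * unconditionally would throw a NullPointerException for GOOD and UNKNOWN entries).
         */
        @Override // sun.security.provider.certpath.OCSP.RevocationStatus
        public Date b() {
            return this.e == null ? null : (Date) this.e.clone();
        }

        /** Returns the revocation reason; UNSPECIFIED when none was decoded. */
        @Override // sun.security.provider.certpath.OCSP.RevocationStatus
        public OCSP.RevocationStatus.Reason c() {
            return this.g;
        }

        /** Renders the entry for debug output; revocation details appear only for REVOKED. */
        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("SingleResponse:  \n");
            sb.append(this.a);
            sb.append("\nCertStatus: " + this.b + "\n");
            if (this.b == OCSP.RevocationStatus.CertStatus.REVOKED) {
                sb.append("revocationTime is " + this.e + "\n");
                sb.append("revocationReason is " + this.g + "\n");
            }
            sb.append("thisUpdate is " + this.c + "\n");
            if (this.d != null) {
                sb.append("nextUpdate is " + this.d + "\n");
            }
            return sb.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Parses and verifies an encoded OCSP response.
     *
     * <p>For a non-successful status the object is created with an empty entry map and no
     * signature is checked. For a successful status the response must be of the basic type,
     * every SingleResponse must pass its own checks, and the signature over the tbsResponseData
     * bytes must verify under either the supplied certificate or a delegated responder
     * certificate embedded in the response.
     *
     * @param bArr encoded response bytes (untrusted input)
     * @param date not read anywhere in the visible code. NOTE(review): freshness uses the system
     *     clock instead; confirm whether callers expect this date to be honoured
     * @param x509Certificate certificate used to verify the signature, and expected to be the
     *     issuer of any delegated responder certificate found in the response
     * @throws IOException on malformed or unsupported encoding, an unknown status number, a
     *     critical extension other than the nonce, or a stale SingleResponse
     * @throws CertPathValidatorException when the delegated responder certificate lacks the
     *     OCSPSigning key usage, no verification certificate is available, or the signature
     *     does not verify
     */
    public OCSPResponse(byte[] bArr, Date date, X509Certificate x509Certificate) throws IOException, CertPathValidatorException {
        k kVar = new k(bArr);
        if (kVar.e != 48) {
            throw new IOException("Bad encoding in OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        i f2 = kVar.f();
        int e2 = f2.e();
        // The status number is attacker-influenced; bound it before using it as an array index.
        if (e2 < 0 || e2 >= a.length) {
            throw new IOException("Unknown OCSPResponse status: " + e2);
        }
        this.l = a[e2];
        if (b != null) {
            b.c("OCSP response status: " + this.l);
        }
        if (this.l != ResponseStatus.SUCCESSFUL) {
            // Error responses carry no entries and are returned unverified; callers must treat
            // them as "no revocation information", never as GOOD.
            this.m = Collections.emptyMap();
            return;
        }
        k k2 = f2.k();
        if (!k2.a((byte) 0)) {
            throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 context specific tag 0.");
        }
        k k3 = k2.g.k();
        if (k3.e != 48) {
            throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        i iVar = k3.g;
        ObjectIdentifier j2 = iVar.j();
        if (!j2.b(d)) {
            if (b != null) {
                b.c("OCSP response type: " + j2);
            }
            throw new IOException("Unsupported OCSP response type: " + j2);
        }
        if (b != null) {
            b.c("OCSP response type: basic");
        }
        // a2[0] = tbsResponseData, a2[1] = signature algorithm, a2[2] = signature,
        // a2[3] = optional certs (as used further down).
        k[] a2 = new i(iVar.h()).a(2);
        if (a2.length < 3) {
            throw new IOException("Unexpected BasicOCSPResponse value");
        }
        k kVar2 = a2[0];
        // Bytes of the first element are kept as the exact input to signature verification.
        byte[] A = a2[0].A();
        if (kVar2.e != 48) {
            throw new IOException("Bad encoding in tbsResponseData element of OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        i iVar2 = kVar2.g;
        k k4 = iVar2.k();
        // Optional version element (tag 0): consumed and format-checked, then skipped.
        if (k4.a((byte) 0) && k4.e() && k4.c()) {
            k k5 = k4.g.k();
            k5.k();
            if (k5.g.x() != 0) {
                throw new IOException("Bad encoding in version  element of OCSP response: bad format");
            }
            k4 = iVar2.k();
        }
        // responderID: tag 1 is logged as a responder name, tag 2 is accepted silently. The
        // error text below says "0 or 1" although the tags accepted are 1 and 2.
        // NOTE(review): the responderID value is not compared with the signing certificate.
        short s = (byte) (k4.e & 31);
        if (s == 1) {
            if (b != null) {
                b.c("OCSP Responder name: " + new bo(k4.f()));
            }
        } else if (s != 2) {
            throw new IOException("Bad encoding in responderID element of OCSP response: expected ASN.1 context specific tag 0 or 1");
        }
        k k6 = iVar2.k();
        if (b != null) {
            b.c("OCSP response produced at: " + k6.z());
        }
        k[] a3 = iVar2.a(1);
        this.m = new HashMap(a3.length);
        if (b != null) {
            b.c("OCSP number of SingleResponses: " + a3.length);
        }
        // Each entry validates itself (status, critical extensions, freshness) while it is built.
        for (k kVar3 : a3) {
            a aVar = new a(kVar3);
            this.m.put(aVar.d(), aVar);
        }
        if (iVar2.x() > 0) {
            k k7 = iVar2.k();
            if (k7.a((byte) 1)) {
                k[] a4 = k7.g.a(3);
                for (k kVar4 : a4) {
                    ah ahVar = new ah(kVar4);
                    if (b != null) {
                        b.c("OCSP extension: " + ahVar);
                    }
                    // Only the nonce extension may be critical; its value is not checked here.
                    if (!ahVar.e().b(e) && ahVar.d()) {
                        throw new IOException("Unsupported OCSP critical extension: " + ahVar.e());
                    }
                }
            }
        }
        AlgorithmId a5 = AlgorithmId.a(a2[1]);
        // Opaque helper applied to the signature algorithm; presumably an algorithm-constraints
        // check. TODO confirm against sun.security.provider.certpath.a.
        sun.security.provider.certpath.a.a(a5);
        byte[] o = a2[2].o();
        X509CertImpl[] x509CertImplArr = null;
        if (a2.length > 3) {
            k kVar5 = a2[3];
            if (!kVar5.a((byte) 0)) {
                throw new IOException("Bad encoding in certs element of OCSP response: expected ASN.1 context specific tag 0.");
            }
            k[] a6 = kVar5.f().a(3);
            x509CertImplArr = new X509CertImpl[a6.length];
            for (int i2 = 0; i2 < a6.length; i2++) {
                try {
                    x509CertImplArr[i2] = new X509CertImpl(a6[i2].A());
                } catch (CertificateException e3) {
                    throw new IOException("Bad encoding in X509 Certificate", e3);
                }
            }
        }
        // The certs element is responder-controlled and may decode to an empty list; check the
        // length before touching index 0 so a malformed response cannot raise an unchecked
        // ArrayIndexOutOfBoundsException out of the validator.
        if (x509CertImplArr != null && x509CertImplArr.length > 0 && x509CertImplArr[0] != null) {
            X509CertImpl x509CertImpl = x509CertImplArr[0];
            // Delegated responder: the first embedded certificate is used only if it differs from
            // the supplied certificate and names the supplied certificate's subject as its issuer.
            // The null guard keeps a missing supplied certificate on the declared
            // CertPathValidatorException path below instead of a NullPointerException here.
            if (x509Certificate != null && !x509CertImpl.equals(x509Certificate) && x509CertImpl.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal())) {
                // Opaque helper applied to the embedded certificate. TODO confirm what it enforces.
                sun.security.provider.certpath.a.a(x509CertImpl);
                try {
                    List<String> extendedKeyUsage = x509CertImpl.getExtendedKeyUsage();
                    if (extendedKeyUsage == null || !extendedKeyUsage.contains(k)) {
                        throw new CertPathValidatorException("Responder's certificate not valid for signing OCSP responses");
                    }
                    try {
                        // The delegated certificate must be signed by the supplied certificate's
                        // key; a matching issuer name alone is not trusted.
                        x509CertImpl.verify(x509Certificate.getPublicKey());
                        x509Certificate = x509CertImpl;
                    } catch (GeneralSecurityException e4) {
                        // Fail closed: leaves no verification certificate, rejected just below.
                        x509Certificate = null;
                    }
                } catch (CertificateParsingException e5) {
                    throw new CertPathValidatorException("Responder's certificate not valid for signing OCSP responses", e5);
                }
            }
        }
        if (x509Certificate == null) {
            throw new CertPathValidatorException("Unable to verify OCSP Responder's signature");
        }
        if (!a(A, x509Certificate, a5, o)) {
            throw new CertPathValidatorException("Error verifying OCSP Responder's signature");
        }
    }

    /**
     * Verifies the response signature.
     *
     * @param bArr signed bytes (the tbsResponseData element as passed by the constructor)
     * @param x509Certificate certificate whose key verifies the signature
     * @param algorithmId signature algorithm taken from the response
     * @param bArr2 signature bytes taken from the response
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws CertPathValidatorException wrapping an invalid key, an unavailable algorithm, or a
     *     signature-processing error
     */
    private boolean a(byte[] bArr, X509Certificate x509Certificate, AlgorithmId algorithmId, byte[] bArr2) throws CertPathValidatorException {
        try {
            Signature signature = Signature.getInstance(algorithmId.a());
            signature.initVerify(x509Certificate);
            signature.update(bArr);
            if (signature.verify(bArr2)) {
                if (b != null) {
                    b.c("Verified signature of OCSP Responder");
                }
                return true;
            }
            if (b != null) {
                b.c("Error verifying signature of OCSP Responder");
            }
            return false;
        } catch (InvalidKeyException e2) {
            throw new CertPathValidatorException(e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new CertPathValidatorException(e3);
        } catch (SignatureException e4) {
            throw new CertPathValidatorException(e4);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the status decoded from the response. */
    public ResponseStatus a() {
        return this.l;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the entry for the given certificate identifier, or {@code null} when the response
     * holds none. Callers must handle the null case rather than treat it as GOOD.
     */
    public a a(c cVar) {
        return this.m.get(cVar);
    }
}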
