package com.babylon.certificatetransparency.internal.verifier;

import ac.c0;
import ac.h;
import ac.m;
import ac.n;
import ac.z;
import androidx.activity.q;
import be.a;
import be.b;
import cb.e1;
import cb.u;
import com.babylon.certificatetransparency.SctVerificationResult;
import com.babylon.certificatetransparency.internal.logclient.model.SignedCertificateTimestamp;
import com.babylon.certificatetransparency.internal.logclient.model.Version;
import com.babylon.certificatetransparency.internal.serialization.CTConstants;
import com.babylon.certificatetransparency.internal.serialization.OutputStreamExtKt;
import com.babylon.certificatetransparency.internal.utils.CertificateInfo;
import com.babylon.certificatetransparency.internal.verifier.model.IssuerInformation;
import com.babylon.certificatetransparency.loglist.LogServer;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
import kotlin.collections.x;
import kotlin.jvm.internal.l;
import kotlin.jvm.internal.o;
import org.bouncycastle.util.Strings;
import org.conscrypt.EvpMdRef;
import yb.c;

/* loaded from: classes.dex */
/**
 * Verifies a Signed Certificate Timestamp (SCT) against the single Certificate Transparency log
 * this instance was constructed for.
 *
 * <p>{@link #verifySignature} first rejects SCTs on timestamp and log-id grounds, then rebuilds the
 * byte structure the log signed and checks the signature over it with the log's public key. The
 * field widths written by the serializers follow the layout of RFC 6962 section 3.2.
 *
 * <p>This listing is decompiler output with obfuscated library names ({@code c0}, {@code z},
 * {@code n}, {@code m}, {@code u}, {@code cb.o}, {@code q.o0} ...). Where a comment names the
 * type or helper behind one of them, that is inferred from how it is used here and is marked as
 * such; confirm against the obfuscation mapping before relying on it.
 */
public final class LogSignatureVerifier implements SignatureVerifier {
    public static final Companion Companion = new Companion(null);
    private static final long PRECERT_ENTRY = 1;
    private static final String X509_AUTHORITY_KEY_IDENTIFIER = "2.5.29.35";
    private static final long X509_ENTRY = 0;
    private final LogServer logServer;

    /** Empty holder type; appears to be the Kotlin companion object of the original class. */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(l marker) {
            this();
        }
    }

    /**
     * Creates a verifier bound to one log.
     *
     * @param logServer the log whose id, key and optional validity limit are used by every check
     */
    public LogSignatureVerifier(LogServer logServer) {
        o.f(logServer, "logServer");
        this.logServer = logServer;
    }

    /**
     * Rebuilds the to-be-signed certificate body that the log signed for a pre-certificate: the
     * parsed body is copied field by field, the issuer name is replaced when {@code issuerInfo}
     * supplies one, and the extension list is replaced by the filtered list from
     * {@link #getExtensionsWithoutPoisonAndSct}.
     *
     * @param preCertificate certificate to rebuild; must report X.509 version 3 or later
     * @param issuerInfo issuer details (name, authority key identifier, pre-cert-signing flag)
     * @return the rebuilt body
     * @throws IllegalArgumentException if the version is below 3, or if the certificate carries
     *     an authority key identifier, was issued by a pre-certificate signing certificate, and
     *     {@code issuerInfo} has no replacement authority key identifier
     */
    private z createTbsForVerification(X509Certificate preCertificate, IssuerInformation issuerInfo) {
        if (preCertificate.getVersion() < 3) {
            throw new IllegalArgumentException("Failed requirement.");
        }
        // cb.o looks like an ASN.1 input stream over the DER encoding -- TODO confirm.
        cb.o derInput = new cb.o(preCertificate.getEncoded());
        h parsedPreCertificate = h.o(derInput.h());
        o.e(parsedPreCertificate, "parsedPreCertificate");
        if (hasX509AuthorityKeyIdentifier(parsedPreCertificate)
                && issuerInfo.getIssuedByPreCertificateSigningCert()
                && issuerInfo.getX509authorityKeyIdentifier() == null) {
            throw new IllegalArgumentException("Failed requirement.");
        }
        n originalExtensions = parsedPreCertificate.f225b.f310l;
        o.e(originalExtensions, "parsedPreCertificate.tbsCertificate.extensions");
        List<m> keptExtensions =
                getExtensionsWithoutPoisonAndSct(originalExtensions, issuerInfo.getX509authorityKeyIdentifier());

        // Copy the parsed body into a fresh builder; only issuer and extensions can differ.
        c0 tbsBuilder = new c0();
        z sourceTbs = parsedPreCertificate.f225b;
        tbsBuilder.f181b = sourceTbs.f301c;
        tbsBuilder.f182c = sourceTbs.f302d;
        c issuerName = issuerInfo.getName();
        tbsBuilder.f183d = (issuerName != null) ? issuerName : sourceTbs.f303e;
        tbsBuilder.f184e = sourceTbs.f304f;
        tbsBuilder.f185f = sourceTbs.f305g;
        tbsBuilder.f186g = sourceTbs.f306h;
        tbsBuilder.f187h = sourceTbs.f307i;
        tbsBuilder.f190k = sourceTbs.f308j;
        tbsBuilder.f191l = sourceTbs.f309k;

        m[] keptArray = keptExtensions.toArray(new m[0]);
        o.d(keptArray, "null cannot be cast to non-null type kotlin.Array<T of kotlin.collections.ArraysKt__ArraysJVMKt.toTypedArray>");
        n rebuiltExtensions = new n(keptArray);
        tbsBuilder.f188i = rebuiltExtensions;
        // NOTE(review): presumably the builder's "critical subjectAlternativeName present" flag,
        // inlined from the library -- confirm what m.f241e and f257b map to.
        m flaggedExtension = rebuiltExtensions.o(m.f241e);
        if (flaggedExtension != null && flaggedExtension.f257b) {
            tbsBuilder.f189j = true;
        }
        z rebuiltTbs = tbsBuilder.a();
        // Reached on the normal path only; q.o0 is presumably the obfuscated stream-close helper.
        q.o0(derInput, null);
        return rebuiltTbs;
    }

    /**
     * Returns the extensions of {@code extensions} in their stored order, leaving out the CT poison
     * extension and the extension with OID 1.3.6.1.4.1.11129.2.4.2 (the embedded SCT list), and
     * substituting {@code replacementAuthorityKeyIdentifier} for the authority key identifier
     * extension when a replacement is given.
     *
     * @param extensions extension set of the parsed certificate
     * @param replacementAuthorityKeyIdentifier extension to use in place of the certificate's own
     *     authority key identifier, or {@code null} to keep the original
     * @return the filtered extension list
     */
    private List<m> getExtensionsWithoutPoisonAndSct(n extensions, m replacementAuthorityKeyIdentifier) {
        Vector storedOids = extensions.f260b;
        int count = storedOids.size();
        // Snapshot (and type-check) every identifier before any filtering happens.
        List<u> allOids = new ArrayList<>(count);
        for (int i = 0; i < count; i++) {
            allOids.add((u) storedOids.elementAt(i));
        }

        List<u> keptOids = new ArrayList<>();
        for (u oid : allOids) {
            if (o.a(oid.f8046a, CTConstants.POISON_EXTENSION_OID)
                    || o.a(oid.f8046a, "1.3.6.1.4.1.11129.2.4.2")) {
                continue;
            }
            keptOids.add(oid);
        }

        List<m> result = new ArrayList<>(x.H1(keptOids, 10));
        for (u oid : keptOids) {
            if (o.a(oid.f8046a, X509_AUTHORITY_KEY_IDENTIFIER) && replacementAuthorityKeyIdentifier != null) {
                result.add(replacementAuthorityKeyIdentifier);
            } else {
                result.add(extensions.o(oid));
            }
        }
        return result;
    }

    /**
     * Tells whether the parsed certificate carries an authority key identifier extension
     * (OID {@value #X509_AUTHORITY_KEY_IDENTIFIER}).
     */
    private boolean hasX509AuthorityKeyIdentifier(h parsedCertificate) {
        n extensions = parsedCertificate.f225b.f310l;
        u authorityKeyIdentifierOid = new u(X509_AUTHORITY_KEY_IDENTIFIER);
        return extensions.o(authorityKeyIdentifierOid) != null;
    }

    /**
     * Writes the fields shared by both entry types: one byte of SCT version, one zero byte
     * (the signature type in RFC 6962 terms) and the eight-byte timestamp.
     *
     * @throws IllegalArgumentException if the SCT is not version 1
     */
    private void serializeCommonSctFields(OutputStream sink, SignedCertificateTimestamp sct) {
        if (sct.getSctVersion() != Version.V1) {
            throw new IllegalArgumentException("Can only serialize SCT v1 for now.");
        }
        OutputStreamExtKt.writeUint(sink, sct.getSctVersion().getNumber(), 1);
        OutputStreamExtKt.writeUint(sink, 0L, 1);
        OutputStreamExtKt.writeUint(sink, sct.getTimestamp(), 8);
    }

    /**
     * Builds the signed structure for an ordinary certificate entry: common fields, the two-byte
     * entry type {@code X509_ENTRY}, the length-prefixed encoded certificate and the
     * length-prefixed SCT extensions (at most 65535 bytes).
     */
    private byte[] serializeSignedSctData(Certificate certificate, SignedCertificateTimestamp sct) {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        serializeCommonSctFields(buffer, sct);
        OutputStreamExtKt.writeUint(buffer, X509_ENTRY, 2);
        byte[] encodedCertificate = certificate.getEncoded();
        o.e(encodedCertificate, "certificate.encoded");
        OutputStreamExtKt.writeVariableLength(buffer, encodedCertificate, CTConstants.MAX_CERTIFICATE_LENGTH);
        OutputStreamExtKt.writeVariableLength(buffer, sct.getExtensions(), 65535);
        byte[] signedData = buffer.toByteArray();
        q.o0(buffer, null);
        o.e(signedData, "ByteArrayOutputStream().…t.toByteArray()\n        }");
        return signedData;
    }

    /**
     * Builds the signed structure for a pre-certificate entry: common fields, the two-byte entry
     * type {@code PRECERT_ENTRY}, the issuer key hash, the length-prefixed rebuilt certificate
     * body and the length-prefixed SCT extensions (at most 65535 bytes).
     *
     * @param preCertificateTbs encoded certificate body produced by
     *     {@link #createTbsForVerification}
     * @param issuerKeyHash hash of the issuer key, written as-is with no length prefix
     */
    private byte[] serializeSignedSctDataForPreCertificate(
            byte[] preCertificateTbs, byte[] issuerKeyHash, SignedCertificateTimestamp sct) {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        serializeCommonSctFields(buffer, sct);
        OutputStreamExtKt.writeUint(buffer, PRECERT_ENTRY, 2);
        // NOTE(review): the hash length is not checked here; RFC 6962 expects a 32-byte SHA-256
        // value -- confirm IssuerInformation guarantees that.
        buffer.write(issuerKeyHash);
        OutputStreamExtKt.writeVariableLength(buffer, preCertificateTbs, CTConstants.MAX_CERTIFICATE_LENGTH);
        OutputStreamExtKt.writeVariableLength(buffer, sct.getExtensions(), 65535);
        byte[] signedData = buffer.toByteArray();
        q.o0(buffer, null);
        o.e(signedData, "ByteArrayOutputStream().…t.toByteArray()\n        }");
        return signedData;
    }

    /**
     * Checks the SCT's signature over {@code signedData} with the log's public key.
     *
     * <p>The JCA algorithm is chosen from the log key's type alone ({@code EC} or {@code RSA}) and
     * always uses SHA-256; nothing carried in the SCT influences the choice.
     * NOTE(review): key strength (curve, RSA modulus size) is not examined here -- confirm it is
     * enforced where the log list is loaded.
     *
     * @return {@code Valid} when the signature verifies, {@code FailedVerification} when it does
     *     not, or a result describing an unsupported algorithm, an invalid log key or a
     *     malformed signature
     */
    private SctVerificationResult verifySctSignatureOverBytes(SignedCertificateTimestamp sct, byte[] signedData) {
        String jcaAlgorithm;
        if (o.a(this.logServer.getKey().getAlgorithm(), "EC")) {
            jcaAlgorithm = "SHA256withECDSA";
        } else if (o.a(this.logServer.getKey().getAlgorithm(), "RSA")) {
            jcaAlgorithm = "SHA256withRSA";
        } else {
            String unsupportedAlgorithm = this.logServer.getKey().getAlgorithm();
            o.e(unsupportedAlgorithm, "logServer.key.algorithm");
            return new UnsupportedSignatureAlgorithm(unsupportedAlgorithm, null, 2, null);
        }
        try {
            Signature verifier = Signature.getInstance(jcaAlgorithm);
            verifier.initVerify(this.logServer.getKey());
            verifier.update(signedData);
            if (verifier.verify(sct.getSignature().getSignature())) {
                return SctVerificationResult.Valid.INSTANCE;
            }
            return SctVerificationResult.Invalid.FailedVerification.INSTANCE;
        } catch (InvalidKeyException e) {
            return new LogPublicKeyNotValid(e);
        } catch (NoSuchAlgorithmException e) {
            return new UnsupportedSignatureAlgorithm(jcaAlgorithm, e);
        } catch (SignatureException e) {
            return new SignatureNotValid(e);
        }
    }

    /**
     * Verifies an SCT that was issued for a pre-certificate: rebuilds the signed certificate body,
     * serializes the pre-certificate entry and checks the signature over it.
     *
     * @param sct the timestamp to verify
     * @param certificate the certificate the SCT is checked against
     * @param issuerInfo issuer details used while rebuilding the body and for the key hash
     * @return the verification result; encoding problems are reported as
     *     {@code CertificateEncodingFailed} rather than thrown
     */
    public final SctVerificationResult verifySCTOverPreCertificate$jgosdk_release(SignedCertificateTimestamp sct, X509Certificate certificate, IssuerInformation issuerInfo) {
        o.f(sct, "sct");
        o.f(certificate, "certificate");
        o.f(issuerInfo, "issuerInfo");
        try {
            z preCertificateTbs = createTbsForVerification(certificate, issuerInfo);
            byte[] encodedTbs = preCertificateTbs.getEncoded();
            o.e(encodedTbs, "preCertificateTBS.encoded");
            byte[] signedData = serializeSignedSctDataForPreCertificate(encodedTbs, issuerInfo.getKeyHash(), sct);
            return verifySctSignatureOverBytes(sct, signedData);
        } catch (IOException e) {
            return new CertificateEncodingFailed(e);
        } catch (CertificateException e) {
            return new CertificateEncodingFailed(e);
        }
    }

    /**
     * Verifies {@code sct} for the leaf certificate at {@code chain.get(0)}.
     *
     * <p>Checks run in this order: the SCT timestamp must not lie after the current system time;
     * it must not lie after the log's {@code validUntil} limit when one is set; the SCT's log id
     * must equal this log's id. A leaf that is neither a pre-certificate nor carries embedded SCTs
     * is verified as an ordinary certificate entry. Otherwise issuer information is taken from
     * {@code chain.get(1)} (and {@code chain.get(2)} when the issuer is a pre-certificate signing
     * certificate) and the SCT is verified as a pre-certificate entry.
     *
     * <p>NOTE(review): the timestamp is compared with the local clock without any skew allowance.
     * NOTE(review): {@code chain.get(0)} and the {@code X509Certificate} cast assume a non-empty
     * X.509 chain; a violation surfaces as an unchecked exception, not as a result value --
     * confirm callers treat that as a failed check.
     *
     * @param sct the timestamp to verify
     * @param chain certificate chain, leaf first
     * @return the verification result
     */
    @Override // com.babylon.certificatetransparency.internal.verifier.SignatureVerifier
    public SctVerificationResult verifySignature(SignedCertificateTimestamp sct, List<? extends Certificate> chain) {
        o.f(sct, "sct");
        o.f(chain, "chain");
        long now = System.currentTimeMillis();
        if (sct.getTimestamp() > now) {
            return new SctVerificationResult.Invalid.FutureTimestamp(sct.getTimestamp(), now);
        }
        if (this.logServer.getValidUntil() != null && sct.getTimestamp() > this.logServer.getValidUntil().longValue()) {
            return new SctVerificationResult.Invalid.LogServerUntrusted(sct.getTimestamp(), this.logServer.getValidUntil().longValue());
        }
        if (!Arrays.equals(this.logServer.getId(), sct.getId().getKeyId())) {
            // Both ids are rendered as text for the mismatch report (looks like hex -- confirm).
            byte[] sctLogId = sct.getId().getKeyId();
            String sctLogIdText = Strings.a(a.b(sctLogId.length, sctLogId));
            byte[] expectedLogId = this.logServer.getId();
            return new LogIdMismatch(sctLogIdText, Strings.a(a.b(expectedLogId.length, expectedLogId)));
        }

        Certificate leaf = chain.get(0);
        boolean ordinaryCertificateEntry = !CertificateInfo.isPreCertificate(leaf) && !CertificateInfo.hasEmbeddedSct(leaf);
        if (ordinaryCertificateEntry) {
            try {
                return verifySctSignatureOverBytes(sct, serializeSignedSctData(leaf, sct));
            } catch (IOException e) {
                return new CertificateEncodingFailed(e);
            } catch (CertificateEncodingException e) {
                return new CertificateEncodingFailed(e);
            }
        }

        // Pre-certificate entries need the issuer to compute the key hash.
        if (chain.size() < 2) {
            return NoIssuer.INSTANCE;
        }
        Certificate issuer = chain.get(1);
        try {
            IssuerInformation issuerInformation;
            if (CertificateInfo.isPreCertificateSigningCert(issuer)) {
                // The real issuer sits one level above the pre-certificate signing certificate.
                if (chain.size() < 3) {
                    return NoIssuerWithPreCert.INSTANCE;
                }
                try {
                    issuerInformation = CertificateInfo.issuerInformationFromPreCertificate(issuer, chain.get(2));
                } catch (IOException e) {
                    return new ASN1ParsingFailed(e);
                } catch (NoSuchAlgorithmException e) {
                    return new UnsupportedSignatureAlgorithm(EvpMdRef.SHA256.JCA_NAME, e);
                } catch (CertificateEncodingException e) {
                    return new CertificateEncodingFailed(e);
                }
            } else {
                try {
                    issuerInformation = CertificateInfo.issuerInformation(issuer);
                } catch (NoSuchAlgorithmException e) {
                    return new UnsupportedSignatureAlgorithm(EvpMdRef.SHA256.JCA_NAME, e);
                }
            }
            return verifySCTOverPreCertificate$jgosdk_release(sct, (X509Certificate) leaf, issuerInformation);
        } catch (CertificateParsingException e) {
            return new CertificateParsingFailed(e);
        }
    }
}
