package com.itextpdf.text.pdf.security;

import com.itextpdf.text.log.Logger;
import com.itextpdf.text.log.LoggerFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

/* loaded from: classes53.dex */
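/**
 * Certificate verifier that accepts a certificate when an OCSP response reports it as
 * {@code GOOD}. Responses come from the list handed to the constructor and, if none of
 * those verifies and {@code onlineCheckingAllowed} is set, from an online lookup.
 *
 * <p>OCSP responses are untrusted input: they are either embedded in the document being
 * checked or fetched over the network. Everything this class accepts therefore rests on
 * the checks in {@link #isValidResponse} and {@link #verifyResponse}; read the review
 * notes on those methods before relying on the result.
 */
public class OCSPVerifier extends RootStoreVerifier {
    protected static final Logger LOGGER = LoggerFactory.getLogger(OCSPVerifier.class);

    /** Lifetime assumed for a response that carries no nextUpdate: 180000 ms (3 minutes). */
    private static final long ASSUMED_VALIDITY_MILLIS = 180000L;

    /** OCSP responses supplied by the caller; may be {@code null}. Stored by reference. */
    protected List<BasicOCSPResp> ocsps;

    /**
     * @param certificateVerifier next verifier in the chain, handed to the superclass
     * @param list                OCSP responses to evaluate before any online lookup
     */
    public OCSPVerifier(CertificateVerifier certificateVerifier, List<BasicOCSPResp> list) {
        super(certificateVerifier);
        this.ocsps = list;
    }

    /**
     * Fetches an OCSP response through {@link OcspClientBouncyCastle}.
     *
     * <p>The response is returned as soon as <em>any</em> of its single responses has status
     * {@code GOOD}; this method does not check that the GOOD entry belongs to the requested
     * certificate, nor that the response is authentic. Both checks happen later in
     * {@link #verify(BasicOCSPResp, X509Certificate, X509Certificate, Date)}, so the return
     * value must not be treated as a verification result on its own.
     *
     * @param x509Certificate  first argument passed to the OCSP client (presumably the
     *                         certificate to check; confirm against OcspClientBouncyCastle)
     * @param x509Certificate2 second argument passed to the OCSP client (presumably the issuer)
     * @return the fetched response, or {@code null} if both certificates are {@code null},
     *         nothing was fetched, or no single response is GOOD
     */
    public BasicOCSPResp getOcspResponse(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (x509Certificate == null && x509Certificate2 == null) {
            return null;
        }
        // The third argument is passed as null; what the client does in that case is defined
        // in OcspClientBouncyCastle, which is not part of this file.
        BasicOCSPResp response = new OcspClientBouncyCastle().getBasicOCSPResp(x509Certificate, x509Certificate2, null);
        if (response == null) {
            return null;
        }
        for (SingleResp single : response.getResponses()) {
            // Identity comparison is intentional: BouncyCastle models GOOD as a constant
            // (null in the BC versions I know), so equals() must not be used here.
            if (single.getCertStatus() == CertificateStatus.GOOD) {
                return response;
            }
        }
        return null;
    }

    /**
     * Checks whether the signature on an OCSP response verifies under a certificate's public key.
     *
     * @param basicOCSPResp the response whose signature is checked; must not be {@code null}
     * @param certificate   the candidate signer certificate; must not be {@code null}
     * @return {@code true} if the signature verifies; {@code false} if it does not or if the
     *         verifier could not be built or run (those errors are treated as "not valid")
     */
    public boolean isSignatureValid(BasicOCSPResp basicOCSPResp, Certificate certificate) {
        try {
            return basicOCSPResp.isSignatureValid(
                    new JcaContentVerifierProviderBuilder()
                            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                            .build(certificate.getPublicKey()));
        } catch (OCSPException ignored) {
            // Fail closed. Not logged: verifyResponse() probes every root-store entry with
            // this method, so a failure against a non-matching key is expected.
            return false;
        } catch (OperatorCreationException ignored) {
            // Fail closed: no verifier could be built for this key.
            return false;
        }
    }

    /**
     * Verifies that an OCSP response is signed by an acceptable responder.
     *
     * <p>If the response embeds certificates, the first one is taken as the responder
     * certificate. It must either verify under the public key of {@code x509Certificate} or
     * be accepted by the superclass verifier. Without embedded certificates,
     * {@code x509Certificate} itself is the expected signer. The response signature is then
     * checked via {@link #verifyResponse}.
     *
     * <p>NOTE(review): the following checks are not performed here and should be confirmed as
     * covered elsewhere, or added, before this is used as the sole revocation check:
     * <ul>
     *   <li>{@code certs[0]} is assumed to be the signer; it is not matched against the
     *       responder identifier carried in the response.</li>
     *   <li>A delegated responder certificate is not required to carry the OCSP-signing
     *       extended key usage (RFC 6960, section 4.2.2.2), so any end-entity certificate
     *       issued by the same CA key passes the first check.</li>
     *   <li>The responder certificate's validity period is not checked.</li>
     *   <li>The fallback accepts whatever {@code RootStoreVerifier.verify} accepts; that
     *       method is not shown here, so its scope needs to be confirmed.</li>
     * </ul>
     *
     * @param basicOCSPResp   the response to validate
     * @param x509Certificate the certificate expected to have issued (or to be) the responder
     * @throws VerificationException    if the responder certificate or the response signature
     *                                  cannot be verified
     * @throws GeneralSecurityException on certificate conversion or verification errors
     * @throws IOException              propagated from the superclass verifier
     */
    public void isValidResponse(BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate) throws GeneralSecurityException, IOException {
        X509Certificate responderCert = x509Certificate;
        X509CertificateHolder[] certs = basicOCSPResp.getCerts();
        if (certs.length > 0) {
            responderCert = new JcaX509CertificateConverter()
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .getCertificate(certs[0]);
            try {
                responderCert.verify(x509Certificate.getPublicKey());
            } catch (GeneralSecurityException e) {
                // Not signed by the expected issuer: fall back to the root-store check.
                if (super.verify(responderCert, x509Certificate, null).isEmpty()) {
                    throw new VerificationException(responderCert, "Responder certificate couldn't be verified");
                }
            }
        }
        if (!verifyResponse(basicOCSPResp, responderCert)) {
            throw new VerificationException(responderCert, "OCSP response could not be verified");
        }
    }

    /**
     * Verifies a certificate against the stored OCSP responses and, if none of them is
     * valid and online checking is allowed, against a freshly fetched response.
     *
     * <p>A revoked or unknown status does not raise an exception here: it only means that
     * no {@link VerificationOK} is added for this verifier. Results of the chained verifier
     * are appended regardless, so a non-empty list does not by itself mean that OCSP
     * succeeded; callers have to look at which verifier produced each entry.
     *
     * @param x509Certificate  the certificate whose revocation status is checked
     * @param x509Certificate2 the issuer of that certificate
     * @param date             the point in time at which a response must still be current
     * @return the verification results of this verifier followed by those of the chained one
     * @throws GeneralSecurityException if a matching GOOD response fails responder validation
     * @throws IOException              on encoding errors while matching the issuer
     */
    @Override
    public List<VerificationOK> verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException, IOException {
        List<VerificationOK> results = new ArrayList<VerificationOK>();
        int validCount = 0;
        if (this.ocsps != null) {
            for (BasicOCSPResp ocsp : this.ocsps) {
                if (verify(ocsp, x509Certificate, x509Certificate2, date)) {
                    validCount++;
                }
            }
        }
        // Go online only when no supplied response verified.
        boolean foundOnline = false;
        if (this.onlineCheckingAllowed && validCount == 0
                && verify(getOcspResponse(x509Certificate, x509Certificate2), x509Certificate, x509Certificate2, date)) {
            validCount++;
            foundOnline = true;
        }
        LOGGER.info("Valid OCSPs found: " + validCount);
        if (validCount > 0) {
            results.add(new VerificationOK(x509Certificate, getClass(), "Valid OCSPs Found: " + validCount + (foundOnline ? " (online)" : "")));
        }
        if (this.verifier != null) {
            results.addAll(this.verifier.verify(x509Certificate, x509Certificate2, date));
        }
        return results;
    }

    /**
     * Checks whether one OCSP response vouches for a certificate at a given time.
     *
     * <p>A single response counts when its serial number and issuer match, {@code date} is
     * not after its nextUpdate (or thisUpdate plus three minutes when nextUpdate is absent),
     * its status is {@code GOOD}, and {@link #isValidResponse} accepts the response.
     *
     * <p>NOTE(review): only the upper bound (nextUpdate) is compared with {@code date};
     * thisUpdate and producedAt are not. Confirm that accepting a response issued after
     * {@code date} is intended by the callers.
     *
     * @param basicOCSPResp    the response to evaluate; {@code null} yields {@code false}
     * @param x509Certificate  the certificate whose status is checked; must not be {@code null}
     * @param x509Certificate2 its issuer; if {@code null}, {@code x509Certificate} is used
     * @param date             the time the response must cover; must not be {@code null}
     * @return {@code true} if a matching, current, GOOD and authentic single response exists
     * @throws GeneralSecurityException if a matching GOOD response fails responder validation
     * @throws IOException              if the issuer certificate cannot be re-encoded
     */
    public boolean verify(BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException, IOException {
        if (basicOCSPResp == null) {
            return false;
        }
        X509Certificate issuer = x509Certificate2;
        for (SingleResp single : basicOCSPResp.getResponses()) {
            if (!x509Certificate.getSerialNumber().equals(single.getCertID().getSerialNumber())) {
                continue;
            }
            if (issuer == null) {
                issuer = x509Certificate;
            }
            boolean issuerMatches;
            try {
                issuerMatches = single.getCertID().matchesIssuer(
                        new X509CertificateHolder(issuer.getEncoded()), new BcDigestCalculatorProvider());
            } catch (OCSPException e) {
                // Previously swallowed silently; the entry is still skipped (fail closed),
                // but the reason is now visible in the log.
                LOGGER.info("OCSP: issuer match could not be evaluated: " + e.getMessage());
                continue;
            }
            if (!issuerMatches) {
                LOGGER.info("OCSP: Issuers doesn't match.");
                continue;
            }
            Date nextUpdate = single.getNextUpdate();
            if (nextUpdate == null) {
                nextUpdate = new Date(single.getThisUpdate().getTime() + ASSUMED_VALIDITY_MILLIS);
                LOGGER.info(String.format("No 'next update' for OCSP Response; assuming %s", nextUpdate));
            }
            if (date.after(nextUpdate)) {
                LOGGER.info(String.format("OCSP no longer valid: %s after %s", date, nextUpdate));
                continue;
            }
            if (single.getCertStatus() == CertificateStatus.GOOD) {
                // Status alone proves nothing until the response itself is authenticated.
                isValidResponse(basicOCSPResp, issuer);
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the response signature against the given certificate and, failing that,
     * against every certificate entry of the root store.
     *
     * <p>NOTE(review): a signature that verifies under <em>any</em> certificate entry in the
     * root store is accepted, whatever that entry's relation to the certificate being
     * checked. The root store should therefore hold only certificates that are trusted to
     * sign OCSP responses for every issuer this verifier is used with.
     *
     * @param basicOCSPResp   the response whose signature is checked
     * @param x509Certificate the expected responder certificate
     * @return {@code true} if the signature verifies under one of the candidate certificates
     */
    public boolean verifyResponse(BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate) {
        if (isSignatureValid(basicOCSPResp, x509Certificate)) {
            return true;
        }
        if (this.rootStore == null) {
            return false;
        }
        try {
            Enumeration<String> aliases = this.rootStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                try {
                    if (!this.rootStore.isCertificateEntry(alias)) {
                        continue;
                    }
                    // No cast to X509Certificate: isSignatureValid() only needs the public
                    // key, and a non-X.509 entry would otherwise abort the whole check with
                    // a ClassCastException.
                    Certificate anchor = this.rootStore.getCertificate(alias);
                    if (isSignatureValid(basicOCSPResp, anchor)) {
                        return true;
                    }
                } catch (GeneralSecurityException ignored) {
                    // An unreadable entry is skipped; the remaining entries are still tried.
                }
            }
            return false;
        } catch (GeneralSecurityException e) {
            LOGGER.info("OCSP: root store could not be enumerated: " + e.getMessage());
            return false;
        }
    }
}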
