package com.babylon.certificatetransparency.internal.verifier;

import com.babylon.certificatetransparency.SctVerificationResult;
import com.babylon.certificatetransparency.internal.logclient.model.SignedCertificateTimestamp;
import com.babylon.certificatetransparency.internal.logclient.model.Version;
import com.babylon.certificatetransparency.internal.serialization.CTConstants;
import com.babylon.certificatetransparency.internal.serialization.OutputStreamExtKt;
import com.babylon.certificatetransparency.internal.utils.CertificateExtKt;
import com.babylon.certificatetransparency.internal.verifier.model.IssuerInformation;
import com.babylon.certificatetransparency.loglist.LogServer;
import g.b0.u;
import g.f0.b;
import g.g0.d.p;
import g.g0.d.v;
import i.b.a.a3.c;
import i.b.a.b3.b0;
import i.b.a.b3.f0;
import i.b.a.b3.g;
import i.b.a.b3.l;
import i.b.a.b3.m;
import i.b.a.k;
import i.b.a.o;
import i.b.n.r.a;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/* compiled from: LogSignatureVerifier.kt */
/* loaded from: classes.dex */
/**
 * Verifies the signature of a Signed Certificate Timestamp (SCT) against the public key of one
 * Certificate Transparency log, held in {@code logServer}.
 *
 * <p>This is decompiled, name-obfuscated output. The short type names used below come from the
 * obfuscated imports; the string literals passed to {@code v.o(...)} suggest the following
 * mapping, which should be confirmed against the original Kotlin source or the mapping file:
 * {@code k} ~ ASN1InputStream, {@code g} ~ parsed X.509 certificate, {@code b0} ~ TBSCertificate,
 * {@code m} ~ Extensions, {@code l} ~ Extension, {@code o} ~ object identifier,
 * {@code a.i} ~ Base64.toBase64String. {@code v.p}/{@code v.o} look like Kotlin null-check
 * intrinsics, {@code v.g} like an equality helper and {@code b.a} like a close helper.
 *
 * <p>Every failure that this class maps to a result is a non-{@code Valid}
 * {@link SctVerificationResult}; a few conditions instead escape as unchecked exceptions, and
 * these are noted on the methods where they originate.
 */
public final class LogSignatureVerifier implements SignatureVerifier {
    public static final Companion Companion = new Companion(null);
    // Entry-type values. Not referenced by name in this listing: the serializers below write the
    // literals 1L and 0L directly, presumably because the compiler inlined these constants.
    private static final long PRECERT_ENTRY = 1;
    // OID of the X.509 Authority Key Identifier extension.
    private static final String X509_AUTHORITY_KEY_IDENTIFIER = "2.5.29.35";
    private static final long X509_ENTRY = 0;
    // The log whose key, id and validity bound every check in this class is made against.
    private final LogServer logServer;

    /* compiled from: LogSignatureVerifier.kt */
    /* loaded from: classes.dex */
    /** Empty holder; presumably the Kotlin companion object that owned the constants above. */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(p pVar) {
            this();
        }
    }

    /**
     * Creates a verifier bound to one log.
     *
     * @param logServer the log whose public key, id and optional {@code validUntil} are used for
     *     verification; passed through the {@code v.p} parameter check (presumably non-null)
     */
    public LogSignatureVerifier(LogServer logServer) {
        v.p(logServer, "logServer");
        this.logServer = logServer;
    }

    /**
     * Rebuilds the TBS (to-be-signed) structure that the log is expected to have signed for a
     * pre-certificate entry.
     *
     * <p>The certificate is re-parsed from its encoding, the extensions are filtered by
     * {@link #getExtensionsWithoutPoisonAndSct}, and a new TBS is assembled from the parsed
     * fields with the issuer name taken from {@code issuerInformation} when it supplies one.
     *
     * <p>NOTE(review): both requirement failures below throw {@link IllegalArgumentException}.
     * The only caller in this class catches {@code IOException} and {@code CertificateException},
     * so these propagate out of {@code verifySignature} as unchecked exceptions rather than as an
     * {@link SctVerificationResult}; callers need to treat that as a verification failure.
     *
     * @param x509Certificate the leaf certificate (pre-certificate or certificate with embedded SCT)
     * @param issuerInformation issuer data used to substitute the issuer name and, when present,
     *     the Authority Key Identifier extension
     * @return the reconstructed TBS structure
     * @throws IllegalArgumentException if the certificate version is below 3, or if the
     *     certificate carries an Authority Key Identifier, was issued by a pre-certificate
     *     signing certificate, and {@code issuerInformation} has no replacement identifier
     */
    private final b0 createTbsForVerification(X509Certificate x509Certificate, IssuerInformation issuerInformation) {
        boolean z = true;
        // Only version 3 or later is accepted (extensions are required for the steps below).
        if (!(x509Certificate.getVersion() >= 3)) {
            throw new IllegalArgumentException("Failed requirement.".toString());
        }
        k kVar = new k(x509Certificate.getEncoded());
        try {
            g O = g.O(kVar.h());
            v.o(O, "parsedPreCertificate");
            // When the leaf has an AKI and was issued by a pre-certificate signing certificate,
            // the AKI must be swapped for the real issuer's, so a replacement has to exist.
            if (hasX509AuthorityKeyIdentifier(O) && issuerInformation.getIssuedByPreCertificateSigningCert()) {
                if (issuerInformation.getX509authorityKeyIdentifier() == null) {
                    z = false;
                }
                if (!z) {
                    throw new IllegalArgumentException("Failed requirement.".toString());
                }
            }
            b0 i0 = O.i0();
            v.o(i0, "parsedPreCertificate.tbsCertificate");
            m O2 = i0.O();
            v.o(O2, "parsedPreCertificate.tbsCertificate.extensions");
            List<l> extensionsWithoutPoisonAndSct = getExtensionsWithoutPoisonAndSct(O2, issuerInformation.getX509authorityKeyIdentifier());
            // f0 is used as a builder: each call below copies one field of the parsed TBS into it.
            // The setter names are obfuscated, so the field-by-field mapping is not visible here.
            f0 f0Var = new f0();
            b0 i02 = O.i0();
            v.o(i02, "tbsPart");
            f0Var.i(i02.e0());
            f0Var.j(i02.f0());
            // Prefer the name supplied by issuerInformation; fall back to the value already in
            // the parsed TBS (presumably the issuer name - confirm against the mapping).
            c name = issuerInformation.getName();
            if (name == null) {
                name = i02.c0();
            }
            f0Var.f(name);
            f0Var.l(i02.g0());
            f0Var.c(i02.F());
            f0Var.m(i02.h0());
            f0Var.o(i02.i0());
            f0Var.h(i02.d0());
            f0Var.p(i02.j0());
            Object[] array = extensionsWithoutPoisonAndSct.toArray(new l[0]);
            if (array == null) {
                throw new NullPointerException("null cannot be cast to non-null type kotlin.Array<T>");
            }
            // Install the filtered extension list in place of the original one.
            f0Var.d(new m((l[]) array));
            b0 a2 = f0Var.a();
            // Success-path cleanup of the input stream (b.a presumably closes its first argument).
            b.a(kVar, null);
            v.o(a2, "ASN1InputStream(preCerti…BSCertificate()\n        }");
            return a2;
        } finally {
            // Empty in the decompiled output: as listed, kVar is not handed to b.a when an
            // exception is thrown above. Likely a decompiler artifact of a Kotlin use {} block.
        }
    }

    /**
     * Returns the certificate's extensions with the CT poison and embedded-SCT extensions
     * removed, preserving the order of {@code mVar.c0()}.
     *
     * <p>If {@code lVar} is non-null, the extension whose OID is
     * {@link #X509_AUTHORITY_KEY_IDENTIFIER} is replaced by {@code lVar}; every other remaining
     * OID is looked up in {@code mVar}.
     *
     * @param mVar the extensions of the parsed certificate
     * @param lVar replacement Authority Key Identifier extension, or {@code null} to keep the
     *     certificate's own
     * @return the filtered (and possibly substituted) extension list
     */
    private final List<l> getExtensionsWithoutPoisonAndSct(m mVar, l lVar) {
        o[] c0 = mVar.c0();
        v.o(c0, "extensions.extensionOIDs");
        // Pass 1: drop the poison extension OID.
        ArrayList arrayList = new ArrayList();
        for (o oVar : c0) {
            v.o(oVar, "it");
            if (!v.g(oVar.l0(), CTConstants.POISON_EXTENSION_OID)) {
                arrayList.add(oVar);
            }
        }
        // Pass 2: drop the embedded SCT list OID.
        ArrayList<o> arrayList2 = new ArrayList();
        for (Object obj : arrayList) {
            o oVar2 = (o) obj;
            v.o(oVar2, "it");
            if (!v.g(oVar2.l0(), CTConstants.SCT_CERTIFICATE_OID)) {
                arrayList2.add(obj);
            }
        }
        // Pass 3: resolve each OID to its extension, substituting lVar for the AKI when given.
        // u.Z(...) supplies the initial capacity (presumably the collection size, default 10).
        ArrayList arrayList3 = new ArrayList(u.Z(arrayList2, 10));
        for (o oVar3 : arrayList2) {
            v.o(oVar3, "it");
            arrayList3.add((!v.g(oVar3.l0(), X509_AUTHORITY_KEY_IDENTIFIER) || lVar == null) ? mVar.V(oVar3) : lVar);
        }
        return arrayList3;
    }

    /**
     * Reports whether the parsed certificate carries an Authority Key Identifier extension.
     *
     * @param gVar the parsed certificate
     * @return {@code true} when the lookup for OID {@code 2.5.29.35} returns a non-null extension
     */
    private final boolean hasX509AuthorityKeyIdentifier(g gVar) {
        b0 i0 = gVar.i0();
        v.o(i0, "tbsCertificate");
        return i0.O().V(new o(X509_AUTHORITY_KEY_IDENTIFIER)) != null;
    }

    /**
     * Writes the fields shared by both entry types to {@code outputStream}: the SCT version
     * number, a zero value, and the SCT timestamp.
     *
     * <p>The last argument of {@code writeUint} looks like the field width in bytes (1, 1 and 8
     * here) - confirm against {@code OutputStreamExtKt}. The constant zero is presumably the
     * signature type for a certificate timestamp.
     *
     * @param outputStream destination of the serialized fields
     * @param signedCertificateTimestamp the SCT being verified
     * @throws IllegalArgumentException if the SCT version is not {@code Version.V1}; this is an
     *     unchecked exception that the callers in this class do not catch
     */
    private final void serializeCommonSctFields(OutputStream outputStream, SignedCertificateTimestamp signedCertificateTimestamp) {
        if (!(signedCertificateTimestamp.getSctVersion() == Version.V1)) {
            throw new IllegalArgumentException("Can only serialize SCT v1 for now.".toString());
        }
        OutputStreamExtKt.writeUint(outputStream, signedCertificateTimestamp.getSctVersion().getNumber(), 1);
        OutputStreamExtKt.writeUint(outputStream, 0L, 1);
        OutputStreamExtKt.writeUint(outputStream, signedCertificateTimestamp.getTimestamp(), 8);
    }

    /**
     * Builds the byte string that the log signature must cover for an ordinary X.509 entry:
     * common fields, the entry type, the encoded certificate, then the SCT extensions.
     *
     * @param certificate the leaf certificate; its full encoding is included
     * @param signedCertificateTimestamp the SCT being verified
     * @return the serialized data to feed to the signature check
     */
    private final byte[] serializeSignedSctData(Certificate certificate, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            // Entry type, two bytes; the literal equals X509_ENTRY.
            OutputStreamExtKt.writeUint(byteArrayOutputStream, 0L, 2);
            byte[] encoded = certificate.getEncoded();
            v.o(encoded, "certificate.encoded");
            // 16777215 = 2^24 - 1 and 65535 = 2^16 - 1: presumably the maximum lengths, which
            // fix the width of the length prefix - confirm against writeVariableLength.
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, encoded, 16777215);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            b.a(byteArrayOutputStream, null);
            v.o(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
            // Empty in the decompiled output; the stream is an in-memory buffer.
        }
    }

    /**
     * Builds the byte string that the log signature must cover for a pre-certificate entry:
     * common fields, the entry type, the issuer key hash, the reconstructed TBS, then the SCT
     * extensions.
     *
     * <p>NOTE(review): {@code bArr2} is written verbatim, without a length prefix and without a
     * length check in this class. The only caller passes {@code issuerInformation.getKeyHash()};
     * confirm that {@code IssuerInformation} guarantees the fixed hash length the signed
     * structure expects.
     *
     * @param bArr encoded TBS structure produced by {@link #createTbsForVerification}
     * @param bArr2 issuer key hash
     * @param signedCertificateTimestamp the SCT being verified
     * @return the serialized data to feed to the signature check
     */
    private final byte[] serializeSignedSctDataForPreCertificate(byte[] bArr, byte[] bArr2, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            // Entry type, two bytes; the literal equals PRECERT_ENTRY.
            OutputStreamExtKt.writeUint(byteArrayOutputStream, 1L, 2);
            byteArrayOutputStream.write(bArr2);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, bArr, 16777215);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, signedCertificateTimestamp.getExtensions(), 65535);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            b.a(byteArrayOutputStream, null);
            v.o(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
            // Empty in the decompiled output; the stream is an in-memory buffer.
        }
    }

    /**
     * Checks the SCT's signature over {@code bArr} with the log's public key.
     *
     * <p>The JCA algorithm is chosen from the algorithm of the configured log key ("EC" or
     * "RSA"), always with SHA-256; no algorithm field from the SCT is read in this method, so the
     * presented SCT does not influence which algorithm is used.
     *
     * @param signedCertificateTimestamp the SCT whose signature bytes are verified
     * @param bArr the serialized data the signature is expected to cover
     * @return {@code Valid} when the signature verifies, {@code FailedVerification} when it does
     *     not, {@code UnsupportedSignatureAlgorithm} for any other key algorithm or when the JCA
     *     provider lacks the algorithm, {@code LogPublicKeyNotValid} when the key is rejected,
     *     and {@code SignatureNotValid} when the signature bytes cannot be processed
     */
    private final SctVerificationResult verifySctSignatureOverBytes(SignedCertificateTimestamp signedCertificateTimestamp, byte[] bArr) {
        String str;
        SctVerificationResult signatureNotValid;
        if (v.g(this.logServer.getKey().getAlgorithm(), "EC")) {
            str = "SHA256withECDSA";
        } else {
            if (!v.g(this.logServer.getKey().getAlgorithm(), "RSA")) {
                String algorithm = this.logServer.getKey().getAlgorithm();
                v.o(algorithm, "logServer.key.algorithm");
                // Four-argument form looks like a Kotlin synthetic default-arguments constructor.
                return new UnsupportedSignatureAlgorithm(algorithm, null, 2, null);
            }
            str = "SHA256withRSA";
        }
        try {
            Signature signature = Signature.getInstance(str);
            signature.initVerify(this.logServer.getKey());
            signature.update(bArr);
            return signature.verify(signedCertificateTimestamp.getSignature().getSignature()) ? SctVerificationResult.Valid.INSTANCE : SctVerificationResult.Invalid.FailedVerification.INSTANCE;
        } catch (InvalidKeyException e2) {
            signatureNotValid = new LogPublicKeyNotValid(e2);
            return signatureNotValid;
        } catch (NoSuchAlgorithmException e3) {
            signatureNotValid = new UnsupportedSignatureAlgorithm(str, e3);
            return signatureNotValid;
        } catch (SignatureException e4) {
            signatureNotValid = new SignatureNotValid(e4);
            return signatureNotValid;
        }
    }

    /**
     * Verifies an SCT that was issued for a pre-certificate: reconstructs the signed TBS,
     * serializes the pre-certificate entry and checks the signature.
     *
     * <p>The {@code $certificatetransparency} suffix looks like Kotlin's name mangling for an
     * {@code internal} function.
     *
     * @param signedCertificateTimestamp the SCT being verified
     * @param x509Certificate the leaf certificate
     * @param issuerInformation issuer data (name, key hash, optional AKI replacement)
     * @return the signature check result, or {@code CertificateEncodingFailed} when an
     *     {@code IOException} or {@code CertificateException} is raised while building the input
     * @throws IllegalArgumentException propagated from {@link #createTbsForVerification} or
     *     {@link #serializeCommonSctFields}; not mapped to a result here
     */
    public final SctVerificationResult verifySCTOverPreCertificate$certificatetransparency(SignedCertificateTimestamp signedCertificateTimestamp, X509Certificate x509Certificate, IssuerInformation issuerInformation) {
        CertificateEncodingFailed certificateEncodingFailed;
        v.p(signedCertificateTimestamp, "sct");
        v.p(x509Certificate, "certificate");
        v.p(issuerInformation, "issuerInfo");
        try {
            byte[] encoded = createTbsForVerification(x509Certificate, issuerInformation).getEncoded();
            v.o(encoded, "preCertificateTBS.encoded");
            return verifySctSignatureOverBytes(signedCertificateTimestamp, serializeSignedSctDataForPreCertificate(encoded, issuerInformation.getKeyHash(), signedCertificateTimestamp));
        } catch (IOException e2) {
            certificateEncodingFailed = new CertificateEncodingFailed(e2);
            return certificateEncodingFailed;
        } catch (CertificateException e3) {
            certificateEncodingFailed = new CertificateEncodingFailed(e3);
            return certificateEncodingFailed;
        }
    }

    /**
     * Verifies one SCT against a certificate chain for the configured log.
     *
     * <p>Checks run in this order, and the first failure is returned: the SCT timestamp must not
     * be later than the local clock; it must not be later than the log's {@code validUntil} when
     * one is set; the SCT's log id must equal the configured log's id. The signature is then
     * verified over either the full leaf certificate (ordinary X.509 entry) or the reconstructed
     * pre-certificate TBS, which requires issuer information from the rest of the chain.
     *
     * <p>NOTE(review): {@code list.get(0)} is called without a size check, so an empty chain
     * raises an unchecked exception instead of returning a result. The leaf is also cast to
     * {@link X509Certificate} on the pre-certificate path; whether the {@code CertificateExtKt}
     * predicates rule out other certificate types beforehand is not visible here.
     *
     * @param signedCertificateTimestamp the SCT to verify
     * @param list the certificate chain, leaf first; index 1 is the issuer and index 2 is used
     *     when index 1 is a pre-certificate signing certificate
     * @return {@code Valid} on success, otherwise the result describing the first failed check
     */
    @Override // com.babylon.certificatetransparency.internal.verifier.SignatureVerifier
    public SctVerificationResult verifySignature(SignedCertificateTimestamp signedCertificateTimestamp, List<? extends Certificate> list) {
        IssuerInformation issuerInformation;
        CertificateEncodingFailed certificateEncodingFailed;
        v.p(signedCertificateTimestamp, "sct");
        v.p(list, "chain");
        // Reject SCTs dated in the future relative to the device clock (no tolerance is applied).
        long currentTimeMillis = System.currentTimeMillis();
        if (signedCertificateTimestamp.getTimestamp() > currentTimeMillis) {
            return new SctVerificationResult.Invalid.FutureTimestamp(signedCertificateTimestamp.getTimestamp(), currentTimeMillis);
        }
        // Reject SCTs issued after the point up to which the log is trusted.
        if (this.logServer.getValidUntil() != null && signedCertificateTimestamp.getTimestamp() > this.logServer.getValidUntil().longValue()) {
            return new SctVerificationResult.Invalid.LogServerUntrusted(signedCertificateTimestamp.getTimestamp(), this.logServer.getValidUntil().longValue());
        }
        // The SCT must name this log; both ids are Base64-encoded for the mismatch report.
        if (!Arrays.equals(this.logServer.getId(), signedCertificateTimestamp.getId().getKeyId())) {
            String i2 = a.i(signedCertificateTimestamp.getId().getKeyId());
            v.o(i2, "Base64.toBase64String(sct.id.keyId)");
            String i3 = a.i(this.logServer.getId());
            v.o(i3, "Base64.toBase64String(logServer.id)");
            return new LogIdMismatch(i2, i3);
        }
        Certificate certificate = list.get(0);
        // Ordinary certificate with no embedded SCT: the signature covers the whole certificate.
        if (!CertificateExtKt.isPreCertificate(certificate) && !CertificateExtKt.hasEmbeddedSct(certificate)) {
            try {
                return verifySctSignatureOverBytes(signedCertificateTimestamp, serializeSignedSctData(certificate, signedCertificateTimestamp));
            } catch (IOException e2) {
                certificateEncodingFailed = new CertificateEncodingFailed(e2);
                return certificateEncodingFailed;
            } catch (CertificateEncodingException e3) {
                certificateEncodingFailed = new CertificateEncodingFailed(e3);
                return certificateEncodingFailed;
            }
        }
        // Pre-certificate or embedded-SCT path: the issuer certificate is required.
        if (list.size() < 2) {
            return NoIssuer.INSTANCE;
        }
        Certificate certificate2 = list.get(1);
        try {
            if (!CertificateExtKt.isPreCertificateSigningCert(certificate2)) {
                // Issued directly by the CA: issuer information comes from certificate2 alone.
                try {
                    issuerInformation = CertificateExtKt.issuerInformation(certificate2);
                } catch (NoSuchAlgorithmException e4) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e4);
                }
            } else {
                // Issued by a pre-certificate signing certificate: the real issuer is one level
                // further up, so a third chain element is required.
                if (list.size() < 3) {
                    return NoIssuerWithPreCert.INSTANCE;
                }
                try {
                    issuerInformation = CertificateExtKt.issuerInformationFromPreCertificate(certificate2, list.get(2));
                } catch (IOException e5) {
                    return new ASN1ParsingFailed(e5);
                } catch (NoSuchAlgorithmException e6) {
                    return new UnsupportedSignatureAlgorithm("SHA-256", e6);
                } catch (CertificateEncodingException e7) {
                    return new CertificateEncodingFailed(e7);
                }
            }
            return verifySCTOverPreCertificate$certificatetransparency(signedCertificateTimestamp, (X509Certificate) certificate, issuerInformation);
        } catch (CertificateParsingException e8) {
            return new CertificateParsingFailed(e8);
        }
    }
}
