package org.bouncycastle.jce.provider;

import O.O;
import com.bytedance.bdp.appbase.service.protocol.file.FileService;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers;
import org.bouncycastle.asn1.eac.EACObjectIdentifiers;
import org.bouncycastle.asn1.isara.IsaraObjectIdentifiers;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.BasicOCSPResponse;
import org.bouncycastle.asn1.ocsp.CertID;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.asn1.ocsp.ResponseBytes;
import org.bouncycastle.asn1.ocsp.ResponseData;
import org.bouncycastle.asn1.ocsp.RevokedInfo;
import org.bouncycastle.asn1.ocsp.SingleResponse;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
import org.bouncycastle.asn1.rosstandart.RosstandartObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStrictStyle;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.jcajce.PKIXCertRevocationChecker;
import org.bouncycastle.jcajce.PKIXCertRevocationCheckerParameters;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jcajce.util.MessageDigestUtils;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.Properties;

/* loaded from: classes5.dex */
/**
 * OCSP-based certificate revocation checker (decompiled; member names are obfuscated and
 * several overloads share the name {@code a}).
 *
 * <p>{@link #check} locates an OCSP response for a certificate (one supplied by the parent
 * {@code ProvRevocationChecker}, or one obtained through {@code OcspCache}), optionally
 * verifies the responder's signature and nonce, and then inspects the matching
 * {@code SingleResponse} to decide whether the certificate is good or revoked.
 *
 * <p>NOTE(review): a normal return from {@link #check} is the only "not revoked" signal.
 * Several paths in that method return normally without having matched a response; see the
 * comments at the end of {@link #check}.
 */
public class ProvOcspRevocationChecker implements PKIXCertRevocationChecker {
    // Signature-algorithm OID -> JCA signature algorithm name; filled by the static initializer.
    // Declared as a raw Map, so lookups need a cast (see a(AlgorithmIdentifier)).
    public static final Map a;
    // Parent checker; supplies the OCSP response map, responder URI, responder certificate
    // and request extensions read in check().
    public final ProvRevocationChecker b;
    // Provider helper used here to obtain MessageDigest, Signature and certificate-factory objects.
    public final JcaJceHelper c;
    // Parameters for the current validation; set by a(PKIXCertRevocationCheckerParameters),
    // reset to null by a(boolean).
    public PKIXCertRevocationCheckerParameters d;
    // Value read from the "ocsp.enable" property.
    public boolean e;
    // Value read from the "ocsp.responderURL" property; may be null.
    public String f;

    // Populates the OID -> signature-name table.
    // NOTE(review): the table includes MD2-, MD5- and SHA-1-based signature names. This class
    // only translates the OID to a name; whether a response signed with such an algorithm is
    // accepted depends on what the provider behind JcaJceHelper is willing to instantiate.
    // Nothing visible here rejects weak response signature algorithms.
    static {
        HashMap hashMap = new HashMap();
        a = hashMap;
        hashMap.put(new ASN1ObjectIdentifier("1.2.840.113549.1.1.5"), "SHA1WITHRSA");
        hashMap.put(PKCSObjectIdentifiers.u_, "SHA224WITHRSA");
        hashMap.put(PKCSObjectIdentifiers.r_, "SHA256WITHRSA");
        hashMap.put(PKCSObjectIdentifiers.s_, "SHA384WITHRSA");
        hashMap.put(PKCSObjectIdentifiers.t_, "SHA512WITHRSA");
        hashMap.put(CryptoProObjectIdentifiers.n, "GOST3411WITHGOST3410");
        hashMap.put(CryptoProObjectIdentifiers.o, "GOST3411WITHECGOST3410");
        hashMap.put(RosstandartObjectIdentifiers.i, "GOST3411-2012-256WITHECGOST3410-2012-256");
        hashMap.put(RosstandartObjectIdentifiers.j, "GOST3411-2012-512WITHECGOST3410-2012-512");
        hashMap.put(BSIObjectIdentifiers.d, "SHA1WITHPLAIN-ECDSA");
        hashMap.put(BSIObjectIdentifiers.e, "SHA224WITHPLAIN-ECDSA");
        hashMap.put(BSIObjectIdentifiers.f, "SHA256WITHPLAIN-ECDSA");
        hashMap.put(BSIObjectIdentifiers.g, "SHA384WITHPLAIN-ECDSA");
        hashMap.put(BSIObjectIdentifiers.h, "SHA512WITHPLAIN-ECDSA");
        hashMap.put(BSIObjectIdentifiers.i, "RIPEMD160WITHPLAIN-ECDSA");
        hashMap.put(EACObjectIdentifiers.s, "SHA1WITHCVC-ECDSA");
        hashMap.put(EACObjectIdentifiers.t, "SHA224WITHCVC-ECDSA");
        hashMap.put(EACObjectIdentifiers.u, "SHA256WITHCVC-ECDSA");
        hashMap.put(EACObjectIdentifiers.v, "SHA384WITHCVC-ECDSA");
        hashMap.put(EACObjectIdentifiers.w, "SHA512WITHCVC-ECDSA");
        hashMap.put(IsaraObjectIdentifiers.a, "XMSS");
        hashMap.put(IsaraObjectIdentifiers.b, "XMSSMT");
        hashMap.put(new ASN1ObjectIdentifier("1.2.840.113549.1.1.4"), "MD5WITHRSA");
        hashMap.put(new ASN1ObjectIdentifier("1.2.840.113549.1.1.2"), "MD2WITHRSA");
        hashMap.put(new ASN1ObjectIdentifier("1.2.840.10040.4.3"), "SHA1WITHDSA");
        hashMap.put(X9ObjectIdentifiers.i, "SHA1WITHECDSA");
        hashMap.put(X9ObjectIdentifiers.m, "SHA224WITHECDSA");
        hashMap.put(X9ObjectIdentifiers.n, "SHA256WITHECDSA");
        hashMap.put(X9ObjectIdentifiers.o, "SHA384WITHECDSA");
        hashMap.put(X9ObjectIdentifiers.p, "SHA512WITHECDSA");
        hashMap.put(OIWObjectIdentifiers.k, "SHA1WITHRSA");
        hashMap.put(OIWObjectIdentifiers.j, "SHA1WITHDSA");
        hashMap.put(NISTObjectIdentifiers.X, "SHA224WITHDSA");
        hashMap.put(NISTObjectIdentifiers.Y, "SHA256WITHDSA");
    }

    /**
     * Creates a checker bound to its parent revocation checker and a provider helper.
     *
     * @param provRevocationChecker parent checker queried for OCSP configuration in {@link #check}
     * @param jcaJceHelper helper used to create digests, signatures and certificate factories
     */
    public ProvOcspRevocationChecker(ProvRevocationChecker provRevocationChecker, JcaJceHelper jcaJceHelper) {
        this.b = provRevocationChecker;
        this.c = jcaJceHelper;
    }

    /**
     * Returns the digest name for an OID in the form used inside signature algorithm names.
     *
     * <p>The name comes from {@code MessageDigestUtils.a}. If it contains a '-' after the first
     * character and does not start with "SHA3", the first '-' is dropped by joining the text
     * before and after it; otherwise the name is returned unchanged.
     *
     * @param aSN1ObjectIdentifier digest algorithm OID
     * @return the digest name, possibly with its first '-' removed
     */
    public static String a(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        String a2 = MessageDigestUtils.a(aSN1ObjectIdentifier);
        // 45 is the character code of '-'.
        int indexOf = a2.indexOf(45);
        if (indexOf <= 0 || a2.startsWith("SHA3")) {
            return a2;
        }
        // The StringBuilder is never used; likely a decompiler artifact.
        new StringBuilder();
        // O.C is presumably plain string concatenation -- TODO confirm against class O.
        return O.C(a2.substring(0, indexOf), a2.substring(indexOf + 1));
    }

    /**
     * Maps a signature {@code AlgorithmIdentifier} to a JCA signature algorithm name.
     *
     * <p>When parameters are present, are not DER NULL, and the OID equals
     * {@code PKCSObjectIdentifiers.q_} (presumably id-RSASSA-PSS -- confirm), the name is built
     * as the PSS digest name followed by "WITHRSAANDMGF1". Otherwise the static table is
     * consulted, and an OID missing from the table is returned via {@code a3.b()} (presumably
     * its dotted-string form -- confirm).
     *
     * @param algorithmIdentifier signature algorithm taken from the OCSP response
     * @return algorithm name to request from the provider
     */
    public static String a(AlgorithmIdentifier algorithmIdentifier) {
        ASN1Encodable b = algorithmIdentifier.b();
        if (b != null && !DERNull.a.a(b) && algorithmIdentifier.a().b(PKCSObjectIdentifiers.q_)) {
            RSASSAPSSparams a2 = RSASSAPSSparams.a(b);
            // Unused allocation; likely a decompiler artifact.
            new StringBuilder();
            return O.C(a(a2.a().a()), "WITHRSAANDMGF1");
        }
        Map map = a;
        boolean containsKey = map.containsKey(algorithmIdentifier.a());
        ASN1ObjectIdentifier a3 = algorithmIdentifier.a();
        return containsKey ? (String) map.get(a3) : a3.b();
    }

    /**
     * Extracts an OCSP responder URI from a certificate extension.
     *
     * <p>Reads the extension identified by {@code Extension.x} (parsed as
     * AuthorityInformationAccess), then returns the first access description whose method equals
     * {@code AccessDescription.b} (presumably id-ad-ocsp -- confirm) and whose location has
     * GeneralName tag 6 and parses as a {@link URI}. Entries with a malformed URI are skipped.
     *
     * <p>NOTE(review): the URI is taken from the contents of the certificate being checked and
     * is returned without any scheme or host restriction; any such policy has to be enforced by
     * the code that performs the request.
     *
     * @param x509Certificate certificate to inspect
     * @return the responder URI, or {@code null} if the extension is absent or has no usable entry
     */
    public static URI a(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.x.b());
        if (extensionValue == null) {
            return null;
        }
        AccessDescription[] a2 = AuthorityInformationAccess.a(ASN1OctetString.a(extensionValue).c()).a();
        for (int i = 0; i != a2.length; i++) {
            AccessDescription accessDescription = a2[i];
            if (AccessDescription.b.b(accessDescription.a())) {
                GeneralName b = accessDescription.b();
                if (b.a() == 6) {
                    try {
                        return new URI(((ASN1String) b.b()).b());
                    } catch (URISyntaxException unused) {
                        // Malformed URI: try the next access description.
                        continue;
                    }
                } else {
                    continue;
                }
            }
        }
        return null;
    }

    /**
     * Selects which of two candidate certificates matches the response's ResponderID.
     *
     * <p>If the ResponderID carries a key hash ({@code a2.a()} non-null), it is compared with
     * the digest of each candidate's public key; otherwise the ResponderID name is compared
     * with each candidate's subject name. {@code x509Certificate2} is tried first. The digest
     * name comes from {@code FileService.Algorithm.SHA1PARAM}, a constant borrowed from an
     * unrelated class by the decompiler (presumably "SHA1" -- confirm).
     *
     * @param basicOCSPResponse response whose ResponderID is matched
     * @param x509Certificate second-choice candidate; may be null
     * @param x509Certificate2 first-choice candidate; may be null
     * @param jcaJceHelper helper used to create the digest
     * @return the matching candidate, or {@code null} if neither matches
     */
    public static X509Certificate a(BasicOCSPResponse basicOCSPResponse, X509Certificate x509Certificate, X509Certificate x509Certificate2, JcaJceHelper jcaJceHelper) throws NoSuchProviderException, NoSuchAlgorithmException {
        ResponderID a2 = basicOCSPResponse.a().a();
        byte[] a3 = a2.a();
        if (a3 != null) {
            // ResponderID by key hash.
            MessageDigest f = jcaJceHelper.f(FileService.Algorithm.SHA1PARAM);
            if (x509Certificate2 != null && Arrays.a(a3, a(f, x509Certificate2.getPublicKey()))) {
                return x509Certificate2;
            }
            if (x509Certificate == null || !Arrays.a(a3, a(f, x509Certificate.getPublicKey()))) {
                return null;
            }
            return x509Certificate;
        }
        // ResponderID by name.
        X500Name a4 = X500Name.a(BCStrictStyle.a, a2.b());
        if (x509Certificate2 != null && a4.equals(X500Name.a(BCStrictStyle.a, x509Certificate2.getSubjectX500Principal().getEncoded()))) {
            return x509Certificate2;
        }
        if (x509Certificate == null || !a4.equals(X500Name.a(BCStrictStyle.a, x509Certificate.getSubjectX500Principal().getEncoded()))) {
            return null;
        }
        return x509Certificate;
    }

    /**
     * Rebuilds a CertID using the hash algorithm carried by an existing CertID.
     *
     * @param certID CertID whose algorithm identifier is reused
     * @param certificate certificate whose fields are hashed
     * @param aSN1Integer serial number placed in the new CertID
     * @return the newly computed CertID
     * @throws CertPathValidatorException if the CertID cannot be built
     */
    private CertID a(CertID certID, Certificate certificate, ASN1Integer aSN1Integer) throws CertPathValidatorException {
        return a(certID.a(), certificate, aSN1Integer);
    }

    /**
     * Builds a CertID from two digests over fields of {@code certificate} plus a serial number.
     *
     * <p>The digest algorithm is resolved from the identifier's OID. The two hashed inputs are
     * {@code certificate.g()} in DER and {@code certificate.h().d().f()} (presumably the subject
     * name and the public-key bytes -- confirm against the obfuscation mapping).
     *
     * @param algorithmIdentifier hash algorithm for the CertID
     * @param certificate certificate whose fields are hashed
     * @param aSN1Integer serial number placed in the CertID
     * @return the CertID
     * @throws CertPathValidatorException wrapping any exception raised while hashing or encoding
     */
    private CertID a(AlgorithmIdentifier algorithmIdentifier, Certificate certificate, ASN1Integer aSN1Integer) throws CertPathValidatorException {
        try {
            MessageDigest f = this.c.f(MessageDigestUtils.a(algorithmIdentifier.a()));
            return new CertID(algorithmIdentifier, new DEROctetString(f.digest(certificate.g().a("DER"))), new DEROctetString(f.digest(certificate.h().d().f())), aSN1Integer);
        } catch (Exception e) {
            throw new CertPathValidatorException("problem creating ID: " + e, e);
        }
    }

    /**
     * Verifies the signature, and optionally the nonce, of a basic OCSP response.
     *
     * <p>The verification key is chosen as follows. If the ResponderID matches either
     * {@code pKIXCertRevocationCheckerParameters.e()} or the supplied {@code x509Certificate},
     * that certificate's public key is used directly. Otherwise the first certificate embedded
     * in the response is used, after it has been verified under the public key of
     * {@code parameters.e()}, checked for validity at {@code parameters.b()}, matched against
     * the ResponderID, and checked for the {@code KeyPurposeId.j} extended key usage (per the
     * error message, the OCSP-signing purpose).
     *
     * <p>NOTE(review): points worth confirming against the deployment's policy:
     * <ul>
     *   <li>only the first embedded certificate ({@code d.a(0)}) is considered;</li>
     *   <li>no validity-period or key-usage check is applied on the direct-match branch;</li>
     *   <li>no revocation check of the embedded responder certificate is visible here;</li>
     *   <li>if a nonce is expected but the response has no nonce extension, the dereference
     *       chain in the nonce comparison presumably throws NullPointerException, which this
     *       method does not catch (the caller in {@link #check} wraps it).</li>
     * </ul>
     *
     * @param basicOCSPResponse response to verify
     * @param pKIXCertRevocationCheckerParameters current validation parameters
     * @param bArr expected nonce value, or {@code null} to skip the nonce comparison
     * @param x509Certificate explicitly configured responder certificate; may be null
     * @param jcaJceHelper helper used to create Signature, digest and certificate factory
     * @return {@code true} if the signature verifies (and the nonce matches when one is expected);
     *         {@code false} if the signature does not verify
     * @throws CertPathValidatorException if no responder certificate can be determined, the
     *         embedded certificate fails a check, the nonce differs, or an I/O or security
     *         error occurs
     */
    public static boolean a(BasicOCSPResponse basicOCSPResponse, PKIXCertRevocationCheckerParameters pKIXCertRevocationCheckerParameters, byte[] bArr, X509Certificate x509Certificate, JcaJceHelper jcaJceHelper) throws CertPathValidatorException {
        try {
            // Certificates embedded in the response; may be null.
            ASN1Sequence d = basicOCSPResponse.d();
            Signature g = jcaJceHelper.g(a(basicOCSPResponse.b()));
            X509Certificate a2 = a(basicOCSPResponse, pKIXCertRevocationCheckerParameters.e(), x509Certificate, jcaJceHelper);
            if (a2 == null && d == null) {
                throw new CertPathValidatorException("OCSP responder certificate not found");
            }
            if (a2 != null) {
                // ResponderID matched a certificate we already hold; use its key directly.
                g.initVerify(a2.getPublicKey());
            } else {
                // Delegated responder: take the first embedded certificate and vet it.
                X509Certificate x509Certificate2 = (X509Certificate) jcaJceHelper.h("X.509").generateCertificate(new ByteArrayInputStream(d.a(0).j().getEncoded()));
                x509Certificate2.verify(pKIXCertRevocationCheckerParameters.e().getPublicKey());
                x509Certificate2.checkValidity(pKIXCertRevocationCheckerParameters.b());
                if (!a(basicOCSPResponse.a().a(), x509Certificate2, jcaJceHelper)) {
                    throw new CertPathValidatorException("responder certificate does not match responderID", null, pKIXCertRevocationCheckerParameters.c(), pKIXCertRevocationCheckerParameters.d());
                }
                List<String> extendedKeyUsage = x509Certificate2.getExtendedKeyUsage();
                if (extendedKeyUsage == null || !extendedKeyUsage.contains(KeyPurposeId.j.a())) {
                    throw new CertPathValidatorException("responder certificate not valid for signing OCSP responses", null, pKIXCertRevocationCheckerParameters.c(), pKIXCertRevocationCheckerParameters.d());
                }
                g.initVerify(x509Certificate2);
            }
            // The signature covers the DER encoding of the response data.
            g.update(basicOCSPResponse.a().a("DER"));
            if (!g.verify(basicOCSPResponse.c().f())) {
                return false;
            }
            // A null expected nonce disables the comparison entirely.
            if (bArr == null || Arrays.a(bArr, basicOCSPResponse.a().c().a(OCSPObjectIdentifiers.c).c().c())) {
                return true;
            }
            throw new CertPathValidatorException("nonce mismatch in OCSP response", null, pKIXCertRevocationCheckerParameters.c(), pKIXCertRevocationCheckerParameters.d());
        } catch (IOException e) {
            // Unused allocation; likely a decompiler artifact.
            new StringBuilder();
            throw new CertPathValidatorException(O.C("OCSP response failure: ", e.getMessage()), e, pKIXCertRevocationCheckerParameters.c(), pKIXCertRevocationCheckerParameters.d());
        } catch (CertPathValidatorException e2) {
            // Rethrown unchanged so the GeneralSecurityException handler below does not rewrap it.
            throw e2;
        } catch (GeneralSecurityException e3) {
            // Unused allocation; likely a decompiler artifact.
            new StringBuilder();
            throw new CertPathValidatorException(O.C("OCSP response failure: ", e3.getMessage()), e3, pKIXCertRevocationCheckerParameters.c(), pKIXCertRevocationCheckerParameters.d());
        }
    }

    /**
     * Tests whether a certificate matches a ResponderID, by key hash when the ResponderID
     * carries one and by subject name otherwise.
     *
     * @param responderID ResponderID from the OCSP response
     * @param x509Certificate candidate responder certificate
     * @param jcaJceHelper helper used to create the digest
     * @return {@code true} if the certificate matches
     */
    public static boolean a(ResponderID responderID, X509Certificate x509Certificate, JcaJceHelper jcaJceHelper) throws NoSuchProviderException, NoSuchAlgorithmException {
        byte[] a2 = responderID.a();
        return a2 != null ? Arrays.a(a2, a(jcaJceHelper.f(FileService.Algorithm.SHA1PARAM), x509Certificate.getPublicKey())) : X500Name.a(BCStrictStyle.a, responderID.b()).equals(X500Name.a(BCStrictStyle.a, x509Certificate.getSubjectX500Principal().getEncoded()));
    }

    /**
     * Digests bytes extracted from a public key's SubjectPublicKeyInfo
     * ({@code d().f()}, presumably the key bit-string contents -- confirm).
     *
     * @param messageDigest digest to use; its state is consumed by the call
     * @param publicKey key to hash
     * @return the digest value
     */
    public static byte[] a(MessageDigest messageDigest, PublicKey publicKey) {
        return messageDigest.digest(SubjectPublicKeyInfo.a(publicKey.getEncoded()).d().f());
    }

    /**
     * Re-parses the certificate returned by {@code this.d.e()} (called the "signing cert" in
     * the error message) into the ASN.1 {@code Certificate} type.
     *
     * @return the parsed certificate
     * @throws CertPathValidatorException wrapping any failure to encode or parse it
     */
    private Certificate b() throws CertPathValidatorException {
        try {
            return Certificate.a(this.d.e().getEncoded());
        } catch (Exception e) {
            // Unused allocation; likely a decompiler artifact.
            new StringBuilder();
            throw new CertPathValidatorException(O.C("cannot process signing cert: ", e.getMessage()), e, this.d.c(), this.d.d());
        }
    }

    /**
     * Always returns {@code null}; callers must null-check rather than expect an empty list.
     */
    public List<CertPathValidatorException> a() {
        return null;
    }

    /**
     * Stores the parameters for the coming validation and reads the "ocsp.enable" and
     * "ocsp.responderURL" properties.
     */
    @Override // org.bouncycastle.jcajce.PKIXCertRevocationChecker
    public void a(PKIXCertRevocationCheckerParameters pKIXCertRevocationCheckerParameters) {
        this.d = pKIXCertRevocationCheckerParameters;
        this.e = Properties.a("ocsp.enable");
        this.f = Properties.c("ocsp.responderURL");
    }

    /**
     * Resets the checker: clears the stored parameters and re-reads both properties.
     *
     * @param z {@code true} requests forward checking, which is rejected
     * @throws CertPathValidatorException if {@code z} is {@code true}
     */
    public void a(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("forward checking not supported");
        }
        this.d = null;
        this.e = Properties.a("ocsp.enable");
        this.f = Properties.c("ocsp.responderURL");
    }

    /**
     * Checks the revocation status of a certificate via OCSP.
     *
     * <p>Returns normally when a matching SingleResponse reports status tag 0 (good). Throws
     * when the certificate is reported revoked, the response is expired, the response status
     * is non-zero, or no response is available.
     *
     * <p>NOTE(review): the method also returns normally, without having confirmed a good
     * status, in three cases visible below: the response type is not
     * {@code OCSPObjectIdentifiers.b}; signature verification returns {@code false}; or no
     * SingleResponse matches the certificate's serial number and CertID. Callers that treat a
     * normal return as "not revoked" should confirm this fall-through is intended.
     *
     * @param certificate certificate to check; cast to {@code X509Certificate} without a type test
     * @throws CertPathValidatorException on revocation, expiry, or processing failure
     */
    @Override // org.bouncycastle.jcajce.PKIXCertRevocationChecker
    public void check(java.security.cert.Certificate certificate) throws CertPathValidatorException {
        // Expected nonce, when one was configured in the request extensions.
        byte[] bArr;
        // True when the response was just obtained through OcspCache; it then bypasses the
        // signature check further down.
        boolean z;
        X509Certificate x509Certificate = (X509Certificate) certificate;
        Map<X509Certificate, byte[]> ocspResponses = this.b.getOcspResponses();
        // Responder URI precedence: parent checker, then the "ocsp.responderURL" property,
        // then the URI embedded in the certificate itself.
        URI ocspResponder = this.b.getOcspResponder();
        if (ocspResponder == null) {
            if (this.f != null) {
                try {
                    ocspResponder = new URI(this.f);
                } catch (URISyntaxException e) {
                    throw new CertPathValidatorException("configuration error: " + e.getMessage(), e, this.d.c(), this.d.d());
                }
            } else {
                ocspResponder = a(x509Certificate);
            }
        }
        if (ocspResponses.get(x509Certificate) != null || ocspResponder == null) {
            // A response was supplied up front (or there is nowhere to fetch one from): pick
            // the nonce out of the configured extensions so the response can be verified here.
            List<java.security.cert.Extension> ocspExtensions = this.b.getOcspExtensions();
            bArr = null;
            for (int i = 0; i != ocspExtensions.size(); i++) {
                java.security.cert.Extension extension = ocspExtensions.get(i);
                byte[] value = extension.getValue();
                if (OCSPObjectIdentifiers.c.b().equals(extension.getId())) {
                    bArr = value;
                }
            }
            z = false;
        } else {
            // No explicit responder configured anywhere and "ocsp.enable" is false: refuse to
            // query the URI taken from the certificate.
            if (this.f == null && this.b.getOcspResponder() == null && !this.e) {
                throw new RecoverableCertPathValidatorException("OCSP disabled by \"ocsp.enable\" setting", null, this.d.c(), this.d.d());
            }
            try {
                // The request CertID uses OIWObjectIdentifiers.i as hash algorithm (presumably
                // SHA-1 -- confirm). The encoded response is stored in the shared map.
                // NOTE(review): z = true skips the signature/nonce verification below, so
                // OcspCache.a must validate the response before returning it -- confirm.
                ocspResponses.put(x509Certificate, OcspCache.a(a(new AlgorithmIdentifier(OIWObjectIdentifiers.i), b(), new ASN1Integer(x509Certificate.getSerialNumber())), this.d, ocspResponder, this.b.getOcspResponderCert(), this.b.getOcspExtensions(), this.c).getEncoded());
                bArr = null;
                z = true;
            } catch (IOException e2) {
                throw new CertPathValidatorException("unable to encode OCSP response", e2, this.d.c(), this.d.d());
            }
        }
        if (ocspResponses.isEmpty()) {
            throw new RecoverableCertPathValidatorException("no OCSP response found for any certificate", null, this.d.c(), this.d.d());
        }
        OCSPResponse a2 = OCSPResponse.a(ocspResponses.get(x509Certificate));
        ASN1Integer aSN1Integer = new ASN1Integer(x509Certificate.getSerialNumber());
        if (a2 == null) {
            throw new RecoverableCertPathValidatorException("no OCSP response found for certificate", null, this.d.c(), this.d.d());
        }
        // Any non-zero response status is treated as failure.
        if (a2.a().a() != 0) {
            throw new CertPathValidatorException("OCSP response failed: " + a2.a().b(), null, this.d.c(), this.d.d());
        }
        ResponseBytes a3 = ResponseBytes.a(a2.b());
        // Only one response type is processed (presumably id-pkix-ocsp-basic -- confirm);
        // any other type falls through to a normal return.
        if (a3.a().b(OCSPObjectIdentifiers.b)) {
            try {
                BasicOCSPResponse a4 = BasicOCSPResponse.a(a3.b().c());
                // A false verification result skips the loop and falls through to a normal return.
                if (z || a(a4, this.d, bArr, this.b.getOcspResponderCert(), this.c)) {
                    ASN1Sequence b = ResponseData.a(a4.a()).b();
                    // Cached CertID, recomputed only when a SingleResponse uses a different
                    // hash algorithm than the previous one.
                    CertID certID = null;
                    for (int i2 = 0; i2 != b.e(); i2++) {
                        SingleResponse a5 = SingleResponse.a(b.a(i2));
                        // Cheap pre-filter on serial number before hashing.
                        if (aSN1Integer.b(a5.a().b())) {
                            // Expiry check against the validation date; a5.c() is presumably
                            // nextUpdate. An absent value is accepted, and no other freshness
                            // bound is checked here.
                            ASN1GeneralizedTime c = a5.c();
                            if (c != null && this.d.b().after(c.c())) {
                                throw new ExtCertPathValidatorException("OCSP response expired");
                            }
                            if (certID == null || !certID.a().equals(a5.a().a())) {
                                certID = a(a5.a(), b(), aSN1Integer);
                            }
                            if (certID.equals(a5.a())) {
                                // Status tag 0: good.
                                if (a5.b().a() == 0) {
                                    return;
                                }
                                // Any tag other than 0 or 1 is reported as revoked without details.
                                if (a5.b().a() != 1) {
                                    throw new CertPathValidatorException("certificate revoked, details unknown", null, this.d.c(), this.d.d());
                                }
                                // Status tag 1: revoked, with reason and date.
                                RevokedInfo a6 = RevokedInfo.a(a5.b().b());
                                throw new CertPathValidatorException("certificate revoked, reason=(" + a6.b() + "), date=" + a6.a().c(), null, this.d.c(), this.d.d());
                            }
                        }
                    }
                }
            } catch (CertPathValidatorException e3) {
                // Rethrown unchanged so the generic handler below does not rewrap it.
                throw e3;
            } catch (Exception e4) {
                // Includes runtime exceptions raised while parsing or verifying the response.
                throw new CertPathValidatorException("unable to process OCSP response", e4, this.d.c(), this.d.d());
            }
        }
        // Reaching this point means no good/revoked decision was made; see the method comment.
    }
}
