package com.appmattus.certificatetransparency.internal.verifier;

import com.appmattus.certificatetransparency.SctVerificationResult;
import com.appmattus.certificatetransparency.internal.serialization.OutputStreamExtKt;
import com.appmattus.certificatetransparency.internal.utils.Base64;
import com.appmattus.certificatetransparency.internal.utils.CertificateExtKt;
import com.appmattus.certificatetransparency.internal.utils.asn1.bytes.ByteBuffer;
import com.appmattus.certificatetransparency.internal.verifier.model.IssuerInformation;
import com.appmattus.certificatetransparency.internal.verifier.model.LogId;
import com.appmattus.certificatetransparency.internal.verifier.model.SignedCertificateTimestamp;
import com.appmattus.certificatetransparency.internal.verifier.model.Version;
import com.appmattus.certificatetransparency.loglist.LogServer;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;

/**
 * Verifies the signature of a Signed Certificate Timestamp (SCT) against the public key of a
 * single Certificate Transparency log, held in {@link #logServer}.
 *
 * <p>This listing is JADX decompiler output for the Kotlin file LogSignatureVerifier.kt (named in
 * the SourceDebugExtension annotation below), not the original source. Three parts of it are
 * decompiler artifacts and do not describe what the shipped bytecode does:
 * <ul>
 *   <li>the body of {@code createTbsForVerification} was not recovered (it is a throwing stub);</li>
 *   <li>{@code serializeCommonSctFields} refers to an undeclared register name {@code r0};</li>
 *   <li>the tail of {@code verifySignature} was restructured incorrectly (unreachable statements,
 *       a local read before any visible assignment).</li>
 * </ul>
 * Audit the verification logic against the upstream Kotlin source or the bytecode before drawing
 * conclusions from those parts.
 *
 * <p>In the code that is visible, every caught exception is converted into a non-valid result
 * object; {@code SctVerificationResult.Valid} is constructed only when
 * {@code Signature.verify} returns true.
 */
@Metadata(d1 = {"\u0000\f\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\b\u0000\u0018\u00002\u00020\u0001:\u0001\u0002¨\u0006\u0003"}, d2 = {"Lcom/appmattus/certificatetransparency/internal/verifier/LogSignatureVerifier;", "Lcom/appmattus/certificatetransparency/internal/verifier/SignatureVerifier;", "Companion", "certificatetransparency"}, k = 1, mv = {1, 8, 0})
@SourceDebugExtension({"SMAP\nLogSignatureVerifier.kt\nKotlin\n*S Kotlin\n*F\n+ 1 LogSignatureVerifier.kt\ncom/appmattus/certificatetransparency/internal/verifier/LogSignatureVerifier\n+ 2 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n+ 3 fake.kt\nkotlin/jvm/internal/FakeKt\n*L\n1#1,296:1\n1603#2,9:297\n1855#2:306\n1856#2:308\n1612#2:309\n1747#2,3:310\n1#3:307\n1#3:313\n*S KotlinDebug\n*F\n+ 1 LogSignatureVerifier.kt\ncom/appmattus/certificatetransparency/internal/verifier/LogSignatureVerifier\n*L\n207#1:297,9\n207#1:306\n207#1:308\n207#1:309\n244#1:310,3\n207#1:307\n*E\n"})
/* loaded from: classes.dex */
public final class LogSignatureVerifier implements SignatureVerifier {
    /** The CT log whose key, id and validity window every SCT is checked against. */
    public final LogServer logServer;

    /**
     * Kotlin companion object. Its {@code @Metadata} names three members (PRECERT_ENTRY,
     * X509_ENTRY, X509_AUTHORITY_KEY_IDENTIFIER) but none appear as fields here; presumably they
     * were compile-time constants inlined at their use sites (the literals 1L and 0L written as
     * the 2-byte entry type below) - confirm against the upstream source.
     */
    @Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\u0010\t\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0004\b\u0086\u0003\u0018\u00002\u00020\u0001R\u0014\u0010\u0003\u001a\u00020\u00028\u0002X\u0082T¢\u0006\u0006\n\u0004\b\u0003\u0010\u0004R\u0014\u0010\u0006\u001a\u00020\u00058\u0002X\u0082T¢\u0006\u0006\n\u0004\b\u0006\u0010\u0007R\u0014\u0010\b\u001a\u00020\u00028\u0002X\u0082T¢\u0006\u0006\n\u0004\b\b\u0010\u0004¨\u0006\t"}, d2 = {"Lcom/appmattus/certificatetransparency/internal/verifier/LogSignatureVerifier$Companion;", "", "", "PRECERT_ENTRY", "J", "", "X509_AUTHORITY_KEY_IDENTIFIER", "Ljava/lang/String;", "X509_ENTRY", "certificatetransparency"}, k = 1, mv = {1, 8, 0})
    /* loaded from: classes.dex */
    public static final class Companion {
    }

    /**
     * Creates a verifier bound to one log.
     *
     * @param logServer the log to verify against; a null value is rejected by the Kotlin
     *     parameter check
     */
    public LogSignatureVerifier(LogServer logServer) {
        Intrinsics.checkNotNullParameter(logServer, "logServer");
        this.logServer = logServer;
    }

    /* JADX WARN: Code restructure failed: missing block: B:31:0x00b7, code lost:
    
        if (r7.equals("1.3.6.1.4.1.11129.2.4.3") == false) goto L40;
     */
    /* JADX WARN: Code restructure failed: missing block: B:39:0x00c0, code lost:
    
        if (r7.equals("1.3.6.1.4.1.11129.2.4.2") == false) goto L40;
     */
    /* JADX WARN: Multi-variable type inference failed */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler stub: the real body (624 instructions) was not recovered, so as listed this
     * method always throws {@link UnsupportedOperationException}.
     *
     * <p>The JADX warnings above show that the lost code compares a string against the OIDs
     * 1.3.6.1.4.1.11129.2.4.3 (CT precertificate poison extension) and 1.3.6.1.4.1.11129.2.4.2
     * (embedded SCT list extension). NOTE(review): presumably it rebuilds the TBSCertificate with
     * those extensions handled as RFC 6962 requires for precertificate entries - this is the most
     * security-relevant step of embedded-SCT verification and cannot be assessed from this
     * listing; read the bytecode or upstream source.
     */
    public static com.appmattus.certificatetransparency.internal.utils.asn1.x509.TbsCertificate createTbsForVerification(java.security.cert.X509Certificate r12, com.appmattus.certificatetransparency.internal.verifier.model.IssuerInformation r13) {
        /*
            Method dump skipped, instructions count: 624
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.appmattus.certificatetransparency.internal.verifier.LogSignatureVerifier.createTbsForVerification(java.security.cert.X509Certificate, com.appmattus.certificatetransparency.internal.verifier.model.IssuerInformation):com.appmattus.certificatetransparency.internal.utils.asn1.x509.TbsCertificate");
    }

    /**
     * Writes the leading fields shared by both signed-data layouts: a 1-byte version, a 1-byte
     * zero, and the SCT timestamp as an 8-byte epoch-millisecond value.
     *
     * @param byteArrayOutputStream stream the fields are appended to
     * @param signedCertificateTimestamp SCT supplying the version and timestamp
     * @throws IllegalArgumentException if the SCT version is not {@code Version.V1}
     */
    public static void serializeCommonSctFields(ByteArrayOutputStream byteArrayOutputStream, SignedCertificateTimestamp signedCertificateTimestamp) {
        // Refuse anything but v1 before any bytes are written.
        if (signedCertificateTimestamp.sctVersion != Version.V1) {
            throw new IllegalArgumentException("Can only serialize SCT v1 for now.".toString());
        }
        // `r0` is an undeclared decompiler register name; presumably it is
        // signedCertificateTimestamp.sctVersion - confirm against the bytecode.
        OutputStreamExtKt.writeUint(byteArrayOutputStream, r0.getNumber(), 1);
        // Presumably the RFC 6962 SignatureType certificate_timestamp (0) - confirm.
        OutputStreamExtKt.writeUint(byteArrayOutputStream, 0L, 1);
        OutputStreamExtKt.writeUint(byteArrayOutputStream, signedCertificateTimestamp.timestamp.toEpochMilli(), 8);
    }

    /**
     * Builds the byte string an SCT signature is checked against for a plain X.509 entry:
     * common fields, a 2-byte entry type of 0, the certificate's encoded form, then the SCT
     * extensions.
     *
     * @param x509Certificate certificate whose {@code getEncoded()} bytes are included
     * @param signedCertificateTimestamp SCT supplying version, timestamp and extensions
     * @return the serialized bytes
     */
    public static byte[] serializeSignedSctData(X509Certificate x509Certificate, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        // The try / empty finally with closeFinally is how JADX renders a Kotlin `use { }` block;
        // closing a ByteArrayOutputStream has no effect, so nothing leaks on the exception path.
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            // Entry type 0; presumably the inlined X509_ENTRY constant - confirm.
            OutputStreamExtKt.writeUint(byteArrayOutputStream, 0L, 2);
            byte[] encoded = x509Certificate.getEncoded();
            Intrinsics.checkNotNullExpressionValue(encoded, "certificate.encoded");
            // 16777215 = 2^24 - 1 and 65535 = 2^16 - 1; presumably the maximum lengths that fix
            // the size of the length prefix - confirm against OutputStreamExtKt.writeVariableLength.
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, 16777215, encoded);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, 65535, signedCertificateTimestamp.extensions);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            CloseableKt.closeFinally(byteArrayOutputStream, null);
            Intrinsics.checkNotNullExpressionValue(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
        }
    }

    /**
     * Builds the byte string an SCT signature is checked against for a precertificate entry:
     * common fields, a 2-byte entry type of 1, the raw bytes of {@code bArr2}, the
     * length-prefixed {@code bArr}, then the SCT extensions.
     *
     * @param bArr length-prefixed payload; the caller in this class passes the bytes of the
     *     TbsCertificate returned by {@code createTbsForVerification}
     * @param bArr2 written without a length prefix; the caller in this class passes
     *     {@code issuerInfo.keyHash}
     * @param signedCertificateTimestamp SCT supplying version, timestamp and extensions
     * @return the serialized bytes
     */
    public static byte[] serializeSignedSctDataForPreCertificate(byte[] bArr, byte[] bArr2, SignedCertificateTimestamp signedCertificateTimestamp) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        // Same decompiled Kotlin `use { }` shape as serializeSignedSctData.
        try {
            serializeCommonSctFields(byteArrayOutputStream, signedCertificateTimestamp);
            // Entry type 1; presumably the inlined PRECERT_ENTRY constant - confirm.
            OutputStreamExtKt.writeUint(byteArrayOutputStream, 1L, 2);
            // No length prefix here: the layout relies on bArr2 having a fixed size
            // (a SHA-256 digest where this class computes it). NOTE(review): this method does not
            // check the length itself - confirm callers always pass a 32-byte hash.
            byteArrayOutputStream.write(bArr2);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, 16777215, bArr);
            OutputStreamExtKt.writeVariableLength(byteArrayOutputStream, 65535, signedCertificateTimestamp.extensions);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            CloseableKt.closeFinally(byteArrayOutputStream, null);
            Intrinsics.checkNotNullExpressionValue(byteArray, "ByteArrayOutputStream().…t.toByteArray()\n        }");
            return byteArray;
        } finally {
        }
    }

    /**
     * Checks the SCT's signature over {@code bArr} with the log's public key.
     *
     * <p>The JCA algorithm is chosen from the key type only: "EC" uses SHA256withECDSA and "RSA"
     * uses SHA256withRSA; any other key algorithm is reported as unsupported without attempting
     * verification. The hash/signature algorithm identifiers carried inside the SCT are not
     * consulted in this method.
     *
     * @param signedCertificateTimestamp SCT whose {@code signature.signature} bytes are verified
     * @param bArr the serialized data the log is expected to have signed
     * @return {@code SctVerificationResult.Valid} when the signature verifies,
     *     {@code FailedVerification} when it does not, or a result object wrapping the
     *     JCA exception (invalid key, missing algorithm, malformed signature)
     */
    public final SctVerificationResult verifySctSignatureOverBytes(SignedCertificateTimestamp signedCertificateTimestamp, byte[] bArr) {
        String str;
        LogServer logServer = this.logServer;
        String algorithm = logServer.key.getAlgorithm();
        if (Intrinsics.areEqual(algorithm, "EC")) {
            str = "SHA256withECDSA";
        } else {
            if (!Intrinsics.areEqual(algorithm, "RSA")) {
                String algorithm2 = logServer.key.getAlgorithm();
                Intrinsics.checkNotNullExpressionValue(algorithm2, "logServer.key.algorithm");
                return new UnsupportedSignatureAlgorithm(algorithm2, null);
            }
            str = "SHA256withRSA";
        }
        try {
            Signature signature = Signature.getInstance(str);
            signature.initVerify(logServer.key);
            signature.update(bArr);
            // Valid is the only success outcome and is reached solely through verify() == true;
            // the operator is looked up for the SCT's own timestamp.
            return signature.verify(signedCertificateTimestamp.signature.signature) ? new SctVerificationResult.Valid(signedCertificateTimestamp, logServer.operatorAt(signedCertificateTimestamp.timestamp)) : SctVerificationResult.Invalid.FailedVerification.INSTANCE;
        } catch (InvalidKeyException e) {
            return new LogPublicKeyNotValid(e);
        } catch (NoSuchAlgorithmException e2) {
            return new UnsupportedSignatureAlgorithm(str, e2);
        } catch (SignatureException e3) {
            // A malformed signature encoding surfaces here rather than as verify() == false.
            return new SignatureNotValid(e3);
        }
    }

    /**
     * Verifies an SCT for the leaf certificate of {@code chain} against this verifier's log.
     *
     * <p>Checks run in this order and the first failure is returned: SCT timestamp in the
     * future, SCT timestamp after the log's {@code validUntil}, SCT log id different from the
     * log's id. The leaf ({@code chain.get(0)}) is then verified either as a plain X.509 entry
     * or, when it carries the precertificate poison extension or an embedded SCT, as a
     * precertificate entry that needs issuer information from {@code chain.get(1)} (and
     * {@code chain.get(2)} when the issuer is a precertificate signing certificate).
     *
     * <p>NOTE(review): the precertificate half of this method is decompiled incorrectly. As
     * written, the statements after the inner try/catch are unreachable and {@code issuerInfo}
     * is read in the fall-through call without a visible assignment; in the bytecode the
     * SHA-256 issuer-key-hash computation presumably runs before that call. Do not reason about
     * the precertificate path from this listing alone.
     *
     * @param sct the SCT to verify
     * @param chain certificate chain, leaf first; elements are cast to X509Certificate
     * @return the verification outcome
     */
    public final SctVerificationResult verifySignature(SignedCertificateTimestamp sct, List chain) {
        CertificateEncodingFailed certificateEncodingFailed;
        IssuerInformation issuerInfo;
        CertificateEncodingFailed certificateEncodingFailed2;
        List<String> extendedKeyUsage;
        Set<String> criticalExtensionOIDs;
        Intrinsics.checkNotNullParameter(sct, "sct");
        Intrinsics.checkNotNullParameter(chain, "chain");
        // "Now" comes from the system clock, so the future-timestamp decision depends on the
        // local clock being correct.
        Instant now = Instant.now();
        int compareTo = sct.timestamp.compareTo(now);
        Instant instant = sct.timestamp;
        if (compareTo > 0) {
            Intrinsics.checkNotNullExpressionValue(now, "now");
            return new SctVerificationResult.Invalid.FutureTimestamp(instant, now);
        }
        LogServer logServer = this.logServer;
        Instant instant2 = logServer.validUntil;
        // An SCT issued after the log's validUntil is rejected; a null validUntil skips the check.
        if (instant2 != null && instant.compareTo(instant2) > 0) {
            return new SctVerificationResult.Invalid.LogServerUntrusted(instant, logServer.validUntil);
        }
        LogId logId = sct.id;
        byte[] bArr = logId.keyId;
        byte[] bArr2 = logServer.id;
        // The SCT must name this log; both ids are reported base64-encoded on mismatch.
        if (!Arrays.equals(bArr2, bArr)) {
            return new LogIdMismatch(Base64.toBase64String(logId.keyId), Base64.toBase64String(bArr2));
        }
        // NOTE(review): no emptiness or type check is visible before this access, so an empty
        // chain throws IndexOutOfBoundsException and a non-X.509 leaf throws ClassCastException
        // instead of producing a result object - confirm callers guarantee a non-empty X.509 chain.
        X509Certificate certificate = (X509Certificate) chain.get(0);
        Intrinsics.checkNotNullParameter(certificate, "<this>");
        // Plain X.509 path: taken only when the leaf has neither the critical CT poison
        // extension (1.3.6.1.4.1.11129.2.4.3) nor an embedded SCT. The instanceof test is an
        // inlined Kotlin extension check and is always true after the cast above.
        if ((!(certificate instanceof X509Certificate) || (criticalExtensionOIDs = certificate.getCriticalExtensionOIDs()) == null || !criticalExtensionOIDs.contains("1.3.6.1.4.1.11129.2.4.3")) && !CertificateExtKt.hasEmbeddedSct(certificate)) {
            try {
                return verifySctSignatureOverBytes(sct, serializeSignedSctData(certificate, sct));
            } catch (IOException e) {
                certificateEncodingFailed = new CertificateEncodingFailed(e);
                return certificateEncodingFailed;
            } catch (CertificateEncodingException e2) {
                certificateEncodingFailed = new CertificateEncodingFailed(e2);
                return certificateEncodingFailed;
            }
        }
        // Precertificate / embedded-SCT path: the issuer certificate is required.
        if (chain.size() < 2) {
            return NoIssuer.INSTANCE;
        }
        X509Certificate x509Certificate = (X509Certificate) chain.get(1);
        try {
            Intrinsics.checkNotNullParameter(x509Certificate, "<this>");
            try {
                try {
                    // 1.3.6.1.4.1.11129.2.4.4 is the CT "precertificate signing certificate"
                    // extended key usage: the real issuer is then the next certificate up.
                    if ((x509Certificate instanceof X509Certificate) && (extendedKeyUsage = x509Certificate.getExtendedKeyUsage()) != null) {
                        if (extendedKeyUsage.contains("1.3.6.1.4.1.11129.2.4.4")) {
                            if (chain.size() < 3) {
                                return NoIssuerWithPreCert.INSTANCE;
                            }
                            try {
                                issuerInfo = CertificateExtKt.issuerInformationFromPreCertificate(x509Certificate, (Certificate) chain.get(2));
                                Intrinsics.checkNotNullParameter(sct, "sct");
                                Intrinsics.checkNotNullParameter(certificate, "certificate");
                                Intrinsics.checkNotNullParameter(issuerInfo, "issuerInfo");
                                return verifySctSignatureOverBytes(sct, serializeSignedSctDataForPreCertificate(CollectionsKt.toByteArray(CollectionsKt.toList((ByteBuffer) createTbsForVerification(certificate, issuerInfo).bytes$delegate.getValue())), issuerInfo.keyHash, sct));
                            } catch (IOException e3) {
                                return new ASN1ParsingFailed(e3);
                            } catch (NoSuchAlgorithmException e4) {
                                return new UnsupportedSignatureAlgorithm("SHA-256", e4);
                            } catch (CertificateEncodingException e5) {
                                return new CertificateEncodingFailed(e5);
                            }
                        }
                    }
                    // Decompiler artifact: issuerInfo has no visible assignment on this path; the
                    // assignment appears below, after this return, where it is unreachable.
                    return verifySctSignatureOverBytes(sct, serializeSignedSctDataForPreCertificate(CollectionsKt.toByteArray(CollectionsKt.toList((ByteBuffer) createTbsForVerification(certificate, issuerInfo).bytes$delegate.getValue())), issuerInfo.keyHash, sct));
                } catch (IOException e6) {
                    certificateEncodingFailed2 = new CertificateEncodingFailed(e6);
                    return certificateEncodingFailed2;
                } catch (CertificateException e7) {
                    certificateEncodingFailed2 = new CertificateEncodingFailed(e7);
                    return certificateEncodingFailed2;
                }
                // Unreachable as decompiled. These statements build IssuerInformation from the
                // SHA-256 digest of the issuer certificate's encoded public key; presumably they
                // belong before the fall-through return above - confirm against the bytecode.
                Intrinsics.checkNotNullParameter(x509Certificate, "<this>");
                PublicKey publicKey = x509Certificate.getPublicKey();
                Intrinsics.checkNotNullExpressionValue(publicKey, "publicKey");
                Intrinsics.checkNotNullParameter(publicKey, "<this>");
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(publicKey.getEncoded());
                Intrinsics.checkNotNullExpressionValue(digest, "getInstance(\"SHA-256\").digest(encoded)");
                issuerInfo = new IssuerInformation(null, digest, null, false);
                Intrinsics.checkNotNullParameter(sct, "sct");
                Intrinsics.checkNotNullParameter(certificate, "certificate");
                Intrinsics.checkNotNullParameter(issuerInfo, "issuerInfo");
            } catch (NoSuchAlgorithmException e8) {
                return new UnsupportedSignatureAlgorithm("SHA-256", e8);
            }
        } catch (CertificateParsingException e9) {
            // Raised by getExtendedKeyUsage() when the issuer's EKU extension cannot be decoded.
            return new CertificateParsingFailed(e9);
        }
    }
}
