package by.avest.crypto.conscrypt.cert.verify;

import by.avest.crypto.conscrypt.AvProvider;
import by.avest.crypto.conscrypt.NativeCrypto;
import by.avest.crypto.conscrypt.OpenSSLCRLHolder;
import by.avest.crypto.conscrypt.OpenSSLCertStack;
import by.avest.crypto.conscrypt.OpenSSLCertStore;
import by.avest.crypto.conscrypt.OpenSSLCertStoreContext;
import by.avest.crypto.conscrypt.OpenSSLX509CRL;
import by.avest.crypto.conscrypt.OpenSSLX509Certificate;
import by.avest.crypto.conscrypt.OpenSSLX509CertificateHolder;
import by.avest.crypto.conscrypt.pkcs7.PKCS7;
import by.avest.crypto.conscrypt.x509.x509at.X509AttributeCertificate;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchProviderException;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;

/* loaded from: classes.dex */
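/**
 * Verifies X.509 certificates and X.509 attribute certificates against a native
 * certificate store reached through {@link NativeCrypto}.
 *
 * <p>Three native objects back every instance: {@code certStore} (trusted
 * certificates, CRLs and verification parameters), {@code certStack}
 * (additional, non-trusted certificates offered for chain building) and
 * {@code storeCtx} (the per-verification context).
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>No synchronization is visible in this class and the single
 *       {@code storeCtx} is initialised and cleaned up on every
 *       {@link #verify(X509Certificate, PKCS7)} call, so one instance must not be
 *       used for concurrent verifications.</li>
 *   <li>{@link #setRevocationEnabled(boolean)} only changes the Java-side flag
 *       that the attribute-certificate path consults. Revocation checking of
 *       ordinary certificate chains is driven by the flags inside the
 *       {@link VerifyParams} pushed to the native store at construction time.</li>
 *   <li>Result code {@code 0} is what the success paths report. Failure branches
 *       are routed through {@link #failureCode(int)} so that they can never
 *       produce that code by accident.</li>
 *   <li>The many {@code dummyTouch()} calls appear to keep Java wrappers
 *       reachable while their native pointers are in use - TODO confirm against
 *       the wrapper classes.</li>
 * </ul>
 */
public class CertVerify {
    // Verification flag bits. The numeric values equal OpenSSL's X509_V_FLAG_*
    // constants in x509_vfy.h; how VerifyParams.setFlags forwards them is not
    // visible in this file - NOTE(review): confirm against VerifyParams.
    private static final long FLAG_CRL_CHECK = 0x4L;
    private static final long FLAG_CRL_CHECK_ALL = 0x8L;
    private static final long FLAG_EXPLICIT_POLICY = 0x100L;
    private static final long FLAG_INHIBIT_ANY = 0x200L;
    private static final long FLAG_INHIBIT_MAP = 0x400L;
    private static final long FLAG_EXTENDED_CRL_SUPPORT = 0x1000L;
    /** Flags applied when revocation checking is requested (decimal 4108). */
    private static final long REVOCATION_FLAGS = FLAG_CRL_CHECK | FLAG_CRL_CHECK_ALL | FLAG_EXTENDED_CRL_SUPPORT;

    // Result codes. 2, 9 and 10 equal OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
    // X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.
    private static final int CODE_OK = 0;
    // 1 is X509_V_ERR_UNSPECIFIED in OpenSSL 1.1.0 and later.
    // NOTE(review): confirm how CertVerifyResult and the bundled native library treat it.
    private static final int CODE_UNSPECIFIED = 1;
    private static final int CODE_UNABLE_TO_GET_ISSUER_CERT = 2;
    private static final int CODE_CERT_NOT_YET_VALID = 9;
    private static final int CODE_CERT_HAS_EXPIRED = 10;
    // Sentinel compared with OpenSSLX509CertificateHolder.getVersion(); its meaning
    // is not visible in this file.
    private static final int CODE_HOLDER_VERSION_SENTINEL = 999;

    private PKIXBuilderParameters certPathBuildParams;
    private Set<OpenSSLX509CertificateHolder> certificates;
    private Set<OpenSSLCRLHolder> crls;
    private DirectoryCertPathParameters dirParameters;
    private List<OpenSSLX509CRL> opensslCrls;
    private boolean revocationEnabled;
    private Set<OpenSSLX509CertificateHolder> trustedCertificates;
    private VerifyParams verifyParams;
    private OpenSSLCertStore certStore = new OpenSSLCertStore();
    private OpenSSLCertStoreContext storeCtx = new OpenSSLCertStoreContext();
    private OpenSSLCertStack certStack = new OpenSSLCertStack();

    /**
     * Creates a verifier whose native store is populated from directories.
     *
     * <p>{@code revocationEnabled} stays {@code false} on this path, so the
     * attribute-certificate revocation step is skipped unless
     * {@link #setRevocationEnabled(boolean)} is called afterwards.
     *
     * @param directoryCertPathParameters directories to load into the store; must not be null
     * @param verifyParams verification parameters; must not be null
     * @throws IllegalArgumentException if either argument is null
     */
    public CertVerify(DirectoryCertPathParameters directoryCertPathParameters, VerifyParams verifyParams) {
        if (directoryCertPathParameters == null) {
            throw new IllegalArgumentException("DirectoryCertPathParameters cannot be null");
        }
        debug("CertVerify(): setDirectoryCertPathParameters");
        setDirectoryCertPathParameters(directoryCertPathParameters);
        debug("CertVerify(): setVerifyParams");
        setVerifyParams(verifyParams);
    }

    /**
     * Creates a verifier from PKIX builder parameters, using caller-supplied
     * verification parameters.
     *
     * <p>Only the cert stores and trust anchors of {@code pKIXBuilderParameters}
     * are consumed here; its revocation, policy, depth and date settings are not
     * translated (that is what the {@code boolean} overload does).
     *
     * @param pKIXBuilderParameters source of certificates, CRLs and trust anchors; must not be null
     * @param verifyParams verification parameters; must not be null
     * @throws CertStoreException if a cert store cannot be read
     * @throws IllegalArgumentException if either argument is null
     */
    public CertVerify(PKIXBuilderParameters pKIXBuilderParameters, VerifyParams verifyParams) throws CertStoreException {
        if (pKIXBuilderParameters == null) {
            throw new IllegalArgumentException("PKIXBuilderParameters certificate path build parameters cannot be null.");
        }
        initWithPKIXParams(pKIXBuilderParameters);
        debug("CertVerify(): setVerifyParams");
        setVerifyParams(verifyParams);
    }

    /**
     * Creates a verifier from PKIX builder parameters and derives the native
     * verification parameters (flags, depth, policies, date) from them.
     *
     * <p>Revocation checking is switched on when {@code z} is true or when the
     * PKIX parameters themselves request it.
     *
     * @param pKIXBuilderParameters source of certificates, CRLs, trust anchors and settings; must not be null
     * @param z forces revocation checking on when true
     * @throws CertStoreException if a cert store cannot be read
     * @throws NullPointerException if {@code pKIXBuilderParameters} is null
     */
    public CertVerify(PKIXBuilderParameters pKIXBuilderParameters, boolean z) throws CertStoreException {
        if (pKIXBuilderParameters == null) {
            throw new NullPointerException("PKIXBuilderParameters certificate path build parameters cannot be null.");
        }
        initWithPKIXParams(pKIXBuilderParameters);
        VerifyParams params = new VerifyParams();
        long flags = 0;
        if (z || this.certPathBuildParams.isRevocationEnabled()) {
            this.revocationEnabled = true;
            flags = REVOCATION_FLAGS;
        }
        int maxPathLength = this.certPathBuildParams.getMaxPathLength();
        if (maxPathLength >= 0) {
            // A negative value leaves the depth at whatever VerifyParams defaults to.
            params.setDepth(maxPathLength);
        }
        if (this.certPathBuildParams.isAnyPolicyInhibited()) {
            flags |= FLAG_INHIBIT_ANY;
        }
        if (this.certPathBuildParams.isExplicitPolicyRequired()) {
            flags |= FLAG_EXPLICIT_POLICY;
        }
        if (this.certPathBuildParams.isPolicyMappingInhibited()) {
            flags |= FLAG_INHIBIT_MAP;
        }
        for (String policy : this.certPathBuildParams.getInitialPolicies()) {
            params.addPolicy(policy);
        }
        Date date = this.certPathBuildParams.getDate();
        params.setDate(date == null ? new Date() : date);
        params.setFlags(flags);
        debug("CertVerify(): setVerifyParams");
        setVerifyParams(params);
    }

    /**
     * Creates a verifier holding a single certificate.
     *
     * <p>NOTE(review): despite the "authority certificate" wording of the error
     * message, the certificate is added through {@code setCertificates}, i.e. to
     * the non-trusted stack, not to the trusted store. This constructor also never
     * calls {@code setVerifyParams}, so {@code verifyParams} stays null and the
     * success branches of the verify methods would fail on
     * {@code this.verifyParams.dummyTouch()}. Confirm the intended use with callers.
     *
     * @param x509Certificate certificate to register; must not be null
     * @throws IllegalArgumentException if {@code x509Certificate} is null
     */
    public CertVerify(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("X509Certificate authority certificate cannot be null.");
        }
        setCertificates(Collections.singletonList(x509Certificate));
    }

    /**
     * Creates a verifier from collections of non-trusted certificates and CRLs.
     *
     * <p>No trusted certificate is registered on this path.
     *
     * @param collection non-trusted certificates, or null for none
     * @param collection2 CRLs, or null for none
     * @param verifyParams verification parameters; must not be null
     * @throws IllegalArgumentException if {@code verifyParams} is null
     */
    public CertVerify(Collection<? extends X509Certificate> collection, Collection<? extends X509CRL> collection2, VerifyParams verifyParams) {
        if (collection != null) {
            debug("CertVerify(): setCertificates, len=" + collection.size());
            setCertificates(collection);
        }
        if (collection2 != null) {
            debug("CertVerify(): setCRLs, len=" + collection2.size());
            setCRLs(collection2);
        }
        debug("CertVerify(): setVerifyParams");
        setVerifyParams(verifyParams);
    }

    /**
     * Creates a verifier from arrays of non-trusted certificates and CRLs.
     *
     * <p>No trusted certificate is registered on this path.
     *
     * @param x509CertificateArr non-trusted certificates, or null for none
     * @param x509crlArr CRLs, or null for none
     * @param verifyParams verification parameters; must not be null
     * @throws IllegalArgumentException if {@code verifyParams} is null
     */
    public CertVerify(X509Certificate[] x509CertificateArr, X509CRL[] x509crlArr, VerifyParams verifyParams) {
        initObjects(x509CertificateArr, x509crlArr, (X509Certificate[]) null);
        debug("CertVerify(): setVerifyParams");
        setVerifyParams(verifyParams);
    }

    /**
     * Creates a verifier from arrays of non-trusted certificates, CRLs and
     * trusted certificates.
     *
     * @param x509CertificateArr non-trusted certificates, or null for none
     * @param x509crlArr CRLs, or null for none
     * @param x509CertificateArr2 trusted certificates, or null for none
     * @param verifyParams verification parameters; must not be null
     * @throws IllegalArgumentException if {@code verifyParams} is null
     */
    public CertVerify(X509Certificate[] x509CertificateArr, X509CRL[] x509crlArr, X509Certificate[] x509CertificateArr2, VerifyParams verifyParams) {
        initObjects(x509CertificateArr, x509crlArr, x509CertificateArr2);
        debug("CertVerify(): setVerifyParams");
        setVerifyParams(verifyParams);
    }

    /**
     * Maps a native status to a result code that can never equal the success code.
     *
     * <p>Failure branches build their result from a native return value; when that
     * value happens to be 0 the result would carry the same code the success paths
     * use, so it is replaced with {@link #CODE_UNSPECIFIED}.
     */
    private static int failureCode(int nativeCode) {
        return nativeCode == CODE_OK ? CODE_UNSPECIFIED : nativeCode;
    }

    /**
     * Registers one CRL with the native store and remembers the Java wrapper.
     * Native {@link OpenSSLX509CRL} instances go to {@code opensslCrls}; anything
     * else is cast to {@link X509CRL} and wrapped in a holder kept in {@code crls}.
     */
    private void addCRL(CRL crl) {
        if (crl instanceof OpenSSLX509CRL) {
            OpenSSLX509CRL nativeCrl = (OpenSSLX509CRL) crl;
            this.opensslCrls.add(nativeCrl);
            NativeCrypto.X509_STORE_add_crl(this.certStore.getNativeRef(), nativeCrl.getContext());
        } else {
            OpenSSLCRLHolder holder = OpenSSLCRLHolder.getCRLHolder((X509CRL) crl);
            this.crls.add(holder);
            NativeCrypto.X509_STORE_add_crl(this.certStore.getNativeRef(), holder.getContext());
        }
    }

    /**
     * Pushes a certificate onto the non-trusted stack and remembers its holder.
     *
     * @throws IllegalArgumentException if the certificate cannot be encoded
     */
    private OpenSSLX509CertificateHolder addCertificate(Certificate certificate) {
        try {
            OpenSSLX509CertificateHolder holder = OpenSSLX509CertificateHolder.getCertificateHolder((X509Certificate) certificate);
            NativeCrypto.sk_X509_push(this.certStack.getNativeRef(), holder.getContext());
            this.certificates.add(holder);
            holder.dummyTouch();
            return holder;
        } catch (CertificateEncodingException e) {
            throw new IllegalArgumentException("Can not parse certificate", e);
        }
    }

    /**
     * Adds a certificate to the native store as trusted and remembers its holder.
     *
     * @throws IllegalArgumentException if the certificate cannot be encoded
     */
    private OpenSSLX509CertificateHolder addTrustedCert(Certificate certificate) {
        try {
            OpenSSLX509CertificateHolder holder = OpenSSLX509CertificateHolder.getCertificateHolder((X509Certificate) certificate);
            this.trustedCertificates.add(holder);
            NativeCrypto.X509_STORE_add_cert(this.certStore.getNativeRef(), holder.getContext());
            holder.dummyTouch();
            return holder;
        } catch (CertificateEncodingException e) {
            throw new IllegalArgumentException("Can not parse certificate", e);
        }
    }

    /** Forwards a message to the provider's debug channel with a class prefix. */
    private static void debug(String str) {
        AvProvider.debug("CertVerify: " + str);
    }

    /** Forwards a message and a throwable to the provider's debug channel. */
    private static void debug(String str, Throwable th) {
        AvProvider.debug("CertVerify: " + str, th);
    }

    /**
     * Calls {@code dummyTouch()} on every wrapper this instance holds.
     * Presumably a keep-alive so the wrappers are not collected while native code
     * still uses their pointers - TODO confirm.
     */
    private void dummyTouch() {
        if (this.opensslCrls != null) {
            for (OpenSSLX509CRL crl : this.opensslCrls) {
                crl.dummyTouch();
            }
        }
        if (this.certificates != null) {
            for (OpenSSLX509CertificateHolder holder : this.certificates) {
                holder.dummyTouch();
            }
        }
        if (this.trustedCertificates != null) {
            for (OpenSSLX509CertificateHolder holder : this.trustedCertificates) {
                holder.dummyTouch();
            }
        }
        this.certStack.dummyTouch();
        this.certStore.dummyTouch();
        this.storeCtx.dummyTouch();
    }

    /**
     * Copies the chain held by the store context into {@code certVerifyResult}.
     *
     * <p>Every chain element except the last becomes part of the cert path; the
     * last element is wrapped in a {@link TrustAnchor}. This method is also called
     * on the failure branch of {@code verify}, where the chain may be incomplete,
     * so the "trust anchor" of a failed result is only the last certificate the
     * native code reached - callers must not treat it as trusted.
     *
     * @return the same {@code certVerifyResult} instance
     */
    private CertVerifyResult fillResult(CertVerifyResult certVerifyResult) throws CertificateException, NoSuchProviderException {
        List<Certificate> path = new ArrayList<>();
        TrustAnchor trustAnchor = null;
        long chain = NativeCrypto.X509_STORE_CTX_get_chain(this.storeCtx.getNativeRef());
        if (chain != 0) {
            int chainLength = NativeCrypto.sk_X509_num(chain);
            if (chainLength > 0) {
                int last = chainLength - 1;
                for (int i = 0; i < last; i++) {
                    // X509_dup: the wrapper gets its own copy, independent of the context's chain.
                    OpenSSLX509Certificate element = new OpenSSLX509Certificate(NativeCrypto.X509_dup(NativeCrypto.sk_X509_value(chain, i)));
                    element.dummyTouch();
                    path.add(element);
                }
                OpenSSLX509Certificate tail = new OpenSSLX509Certificate(NativeCrypto.X509_dup(NativeCrypto.sk_X509_value(chain, last)));
                tail.dummyTouch();
                trustAnchor = new TrustAnchor(tail, null);
            }
        }
        certVerifyResult.setCertPath(CertificateFactory.getInstance("X.509", AvProvider.PROVIDER_NAME).generateCertPath(path));
        certVerifyResult.setTrustAnchor(trustAnchor);
        return certVerifyResult;
    }

    /**
     * Registers non-trusted certificates, trusted certificates and CRLs, in that
     * order; a null collection is skipped.
     */
    private void initObjects(Collection<? extends Certificate> collection, Collection<? extends CRL> collection2, Collection<? extends Certificate> collection3) {
        if (collection != null) {
            debug("CertVerify(): setCertificates, size=" + collection.size());
            setCertificates(collection);
        }
        if (collection3 != null) {
            debug("CertVerify(): setTrustedCertificates, size=" + collection3.size());
            setTrustedCertificates(collection3);
        }
        if (collection2 != null) {
            debug("CertVerify(): setCRLs, size=" + collection2.size());
            setCRLs(collection2);
        }
    }

    /**
     * Array form of {@link #initObjects(Collection, Collection, Collection)}; a
     * null array is skipped.
     */
    private void initObjects(X509Certificate[] x509CertificateArr, X509CRL[] x509crlArr, X509Certificate[] x509CertificateArr2) {
        if (x509CertificateArr != null) {
            debug("CertVerify(): setCertificates, len=" + x509CertificateArr.length);
            setCertificates(x509CertificateArr);
        }
        if (x509CertificateArr2 != null) {
            debug("CertVerify(): setTrustedCertificates, len=" + x509CertificateArr2.length);
            setTrustedCertificates(x509CertificateArr2);
        }
        if (x509crlArr != null) {
            debug("CertVerify(): setCRLs, len=" + x509crlArr.length);
            setCRLs(x509crlArr);
        }
    }

    /**
     * Clones the PKIX parameters and loads every certificate and CRL from their
     * cert stores, plus the certificates of their trust anchors.
     *
     * <p>A {@link TrustAnchor} defined by name and public key has no certificate
     * ({@code getTrustedCert()} returns null). Such anchors cannot be placed in the
     * native store and are skipped, which can only make verification stricter.
     *
     * @throws CertStoreException if a cert store cannot be read
     */
    private void initWithPKIXParams(PKIXBuilderParameters pKIXBuilderParameters) throws CertStoreException {
        this.certPathBuildParams = (PKIXBuilderParameters) pKIXBuilderParameters.clone();
        Set<Certificate> storeCerts = new HashSet<>();
        Set<Certificate> anchorCerts = new HashSet<>();
        Set<CRL> storeCrls = new HashSet<>();
        debug("CertVerify(): certPathBuildParams.getCertStores() start");
        for (CertStore store : this.certPathBuildParams.getCertStores()) {
            // A null selector asks the store for everything it holds.
            debug("CertVerify(): certs.addAll");
            storeCerts.addAll(store.getCertificates(null));
            debug("CertVerify(): crls.addAll");
            storeCrls.addAll(store.getCRLs(null));
        }
        debug("CertVerify(): certPathBuildParams.getCertStores() finish");
        debug("CertVerify(): certPathBuildParams.getTrustAnchors() start");
        for (TrustAnchor anchor : pKIXBuilderParameters.getTrustAnchors()) {
            X509Certificate trustedCert = anchor.getTrustedCert();
            if (trustedCert == null) {
                debug("CertVerify(): trust anchor without certificate skipped");
                continue;
            }
            anchorCerts.add(trustedCert);
        }
        debug("CertVerify(): certPathBuildParams.getTrustAnchors() finish");
        initObjects(storeCerts, storeCrls, anchorCerts);
    }

    /** Replaces the tracked CRL wrappers and registers each CRL; null is ignored. */
    private void setCRLs(Collection<? extends CRL> collection) {
        if (collection == null) {
            return;
        }
        this.crls = new HashSet<>(collection.size());
        this.opensslCrls = new LinkedList<>();
        for (CRL crl : collection) {
            addCRL(crl);
        }
    }

    /** Array form of {@link #setCRLs(Collection)}; null is ignored. */
    private void setCRLs(CRL[] crlArr) {
        if (crlArr == null) {
            return;
        }
        this.crls = new HashSet<>(crlArr.length);
        this.opensslCrls = new LinkedList<>();
        for (CRL crl : crlArr) {
            addCRL(crl);
        }
    }

    /** Replaces the tracked non-trusted holders and pushes each certificate; null is ignored. */
    private void setCertificates(Collection<? extends Certificate> collection) {
        if (collection == null) {
            return;
        }
        this.certificates = new HashSet<>(collection.size());
        for (Certificate certificate : collection) {
            addCertificate(certificate);
        }
    }

    /** Array form of {@link #setCertificates(Collection)}; null is ignored. */
    private void setCertificates(Certificate[] certificateArr) {
        if (certificateArr == null) {
            return;
        }
        this.certificates = new HashSet<>(certificateArr.length);
        for (Certificate certificate : certificateArr) {
            addCertificate(certificate);
        }
    }

    /**
     * Stores a clone of the directory parameters and asks the native store to load
     * each listed directory.
     *
     * <p>Whatever the native call reports is not checked here, so a directory that
     * fails to load goes unnoticed at this level. The directories feed the store
     * used for trust decisions and therefore must not be writable by untrusted
     * parties.
     */
    private void setDirectoryCertPathParameters(DirectoryCertPathParameters directoryCertPathParameters) {
        DirectoryCertPathParameters copy = directoryCertPathParameters.clone();
        this.dirParameters = copy;
        if (copy == null || copy.getDirectories() == null) {
            return;
        }
        for (String directory : this.dirParameters.getDirectories()) {
            NativeCrypto.X509_STORE_load_locations(this.certStore.getNativeRef(), null, directory);
        }
    }

    /** Replaces the tracked trusted holders and adds each certificate to the store; null is ignored. */
    private void setTrustedCertificates(Collection<? extends Certificate> collection) {
        if (collection == null) {
            return;
        }
        this.trustedCertificates = new HashSet<>(collection.size());
        for (Certificate certificate : collection) {
            addTrustedCert(certificate);
        }
    }

    /** Array form of {@link #setTrustedCertificates(Collection)}; null is ignored. */
    private void setTrustedCertificates(Certificate[] certificateArr) {
        if (certificateArr == null) {
            return;
        }
        this.trustedCertificates = new HashSet<>(certificateArr.length);
        for (Certificate certificate : certificateArr) {
            addTrustedCert(certificate);
        }
    }

    /**
     * Remembers the parameters and applies them to the native store.
     *
     * @throws IllegalArgumentException if {@code verifyParams} is null
     */
    private void setVerifyParams(VerifyParams verifyParams) {
        if (verifyParams == null) {
            throw new IllegalArgumentException("VerifyParams == null");
        }
        this.verifyParams = verifyParams;
        NativeCrypto.X509_STORE_set1_param(this.certStore.getNativeRef(), verifyParams.ctx);
    }

    /**
     * Verifies an attribute certificate: validity period, holder and issuer chain,
     * optional revocation status, then the issuer's signature.
     *
     * <p>{@code date} is used for the attribute certificate's validity check and
     * as the timestamp of failure results. The holder and issuer chains are
     * verified through {@link #verify(X509Certificate)}, which relies on the time
     * configured in the store's verify parameters, not on {@code date}.
     *
     * <p>Every failure branch reports a non-zero code. In particular a failing
     * signature check reports {@link #CODE_UNSPECIFIED} together with the caught
     * exception instead of the success code.
     * NOTE(review): confirm that callers do not depend on code 0 in that case.
     *
     * @param x509AttributeCertificate attribute certificate to check
     * @param date point in time for the validity check
     * @return the verification result; never built with code 0 on a failure branch
     */
    private CertVerifyResult verifyAttrCertPath(X509AttributeCertificate x509AttributeCertificate, Date date) throws InvalidAlgorithmParameterException {
        try {
            x509AttributeCertificate.checkValidity(date);
            int stackSize = NativeCrypto.sk_X509_num(this.certStack.getNativeRef());
            X509CertSelector selector = new X509CertSelector();
            selector.setAttributeCertificate(x509AttributeCertificate);
            X509Certificate holderCert = null;
            OpenSSLX509Certificate issuerCert = null;
            // Holder and issuer are looked up only among the non-trusted stack entries.
            for (int i = 0; i < stackSize; i++) {
                OpenSSLX509Certificate candidate = new OpenSSLX509Certificate(NativeCrypto.X509_dup(NativeCrypto.sk_X509_value(this.certStack.getNativeRef(), i)));
                if (holderCert == null && selector.matchAttributeCertificate(candidate)) {
                    holderCert = candidate;
                }
                if (issuerCert == null && selector.matchAttributeCertificateIssuer(candidate)) {
                    issuerCert = candidate;
                }
                if (holderCert != null && issuerCert != null) {
                    // Both found: no need to duplicate the remaining native certificates.
                    break;
                }
            }
            if (holderCert == null || issuerCert == null) {
                return new CertVerifyResult(CODE_UNABLE_TO_GET_ISSUER_CERT, date);
            }
            CertVerifyResult holderResult = verify(holderCert);
            if (!holderResult.isCertValid()) {
                return holderResult;
            }
            CertVerifyResult issuerResult = verify(issuerCert);
            if (!issuerResult.isCertValid()) {
                return issuerResult;
            }
            if (isRevocationEnabled()) {
                int notRevoked = NativeCrypto.X509AT_isNotRevoked(this.certStore.getNativeRef(), issuerCert.getContext(), x509AttributeCertificate.getContext());
                if (notRevoked <= 0) {
                    // The native call reports failure as 0 or a negated code; never let 0 through.
                    int code = failureCode(-notRevoked);
                    // Return value discarded, as in the original decompiled code.
                    NativeCrypto.X509_verify_cert_error_string(code);
                    return new CertVerifyResult(code, date);
                }
            }
            try {
                x509AttributeCertificate.verify(issuerCert.getPublicKey());
                issuerCert.dummyTouch();
                dummyTouch();
                this.verifyParams.dummyTouch();
                return new CertVerifyResult(CODE_OK, new Date());
            } catch (Exception e) {
                // Fail closed: a signature check that threw must not look like success.
                return new CertVerifyResult(CODE_UNSPECIFIED, date, e);
            }
        } catch (CertificateExpiredException e2) {
            return new CertVerifyResult(CODE_CERT_HAS_EXPIRED, date, e2);
        } catch (CertificateNotYetValidException e3) {
            return new CertVerifyResult(CODE_CERT_NOT_YET_VALID, date, e3);
        }
    }

    /**
     * Returns a read-only view of the CRL holders, or null when no CRLs were set.
     *
     * <p>CRLs that were supplied as {@link OpenSSLX509CRL} are tracked in a
     * separate list and are not part of this view.
     */
    public Collection<? extends X509CRL> getCRLs() {
        Set<OpenSSLCRLHolder> holders = this.crls;
        return holders == null ? null : Collections.unmodifiableCollection(holders);
    }

    /** Returns a clone of the PKIX parameters, or null when none were supplied. */
    public PKIXBuilderParameters getCertPathBuildParams() {
        PKIXBuilderParameters params = this.certPathBuildParams;
        return params == null ? null : (PKIXBuilderParameters) params.clone();
    }

    /** Returns a clone of the directory parameters, or null when none were supplied. */
    public DirectoryCertPathParameters getDirectoryCertPathParameters() {
        DirectoryCertPathParameters params = this.dirParameters;
        return params == null ? null : params.clone();
    }

    /** Returns a read-only view of the trusted holders, or null when none were set. */
    public Collection<? extends X509Certificate> getTrustedCertificates() {
        Set<OpenSSLX509CertificateHolder> holders = this.trustedCertificates;
        return holders == null ? null : Collections.unmodifiableCollection(holders);
    }

    /**
     * Returns the live {@link VerifyParams} instance, not a copy.
     * NOTE(review): whether later changes to it reach the native store is not
     * visible here; the store received the parameters once, at construction.
     */
    public VerifyParams getVerifyParams() {
        return this.verifyParams;
    }

    /** Tells whether the attribute-certificate revocation step is enabled. */
    public boolean isRevocationEnabled() {
        return this.revocationEnabled;
    }

    /**
     * Enables or disables the attribute-certificate revocation step.
     *
     * <p>This does not touch the native store's flags, so it does not switch CRL
     * checking of ordinary certificate chains on or off.
     */
    public void setRevocationEnabled(boolean z) {
        this.revocationEnabled = z;
    }

    /**
     * Verifies an attribute certificate against the current time.
     *
     * @throws NullPointerException if {@code x509AttributeCertificate} is null
     */
    public CertVerifyResult verify(X509AttributeCertificate x509AttributeCertificate) throws InvalidAlgorithmParameterException {
        if (x509AttributeCertificate == null) {
            throw new NullPointerException("X509AttributeCertificate cannot be null.");
        }
        return verifyAttrCertPath(x509AttributeCertificate, new Date());
    }

    /**
     * Verifies an attribute certificate against the given point in time.
     *
     * @throws NullPointerException if {@code x509AttributeCertificate} is null
     */
    public CertVerifyResult verify(X509AttributeCertificate x509AttributeCertificate, Date date) throws InvalidAlgorithmParameterException {
        if (x509AttributeCertificate == null) {
            throw new NullPointerException("X509AttributeCertificate cannot be null.");
        }
        return verifyAttrCertPath(x509AttributeCertificate, date);
    }

    /** Verifies a certificate using only the certificates this instance already holds. */
    public CertVerifyResult verify(X509Certificate x509Certificate) throws InvalidAlgorithmParameterException {
        return verify(x509Certificate, (PKCS7) null);
    }

    /**
     * Builds and verifies a chain for {@code x509Certificate}.
     *
     * <p>The certificates on {@code certStack} and, when given, those carried in
     * {@code pkcs7} are handed to the store context as additional chain-building
     * material. They come from the message being checked and are therefore
     * untrusted input; trust is expected to come only from the store
     * (NOTE(review): relies on the native X509_STORE_CTX_init treating its fourth
     * argument as untrusted, as OpenSSL documents).
     *
     * <p>A failing context initialisation is reported with a non-zero code even
     * when the native call returns 0, so it cannot be mistaken for success.
     *
     * @param x509Certificate certificate to verify; must not be null
     * @param pkcs7 optional container whose certificates may help build the chain
     * @return the verification result; code 0 only after a successful native verification
     * @throws IllegalArgumentException if {@code x509Certificate} is null, cannot be
     *         encoded, or the result's cert path cannot be prepared
     */
    public CertVerifyResult verify(X509Certificate x509Certificate, PKCS7 pkcs7) throws InvalidAlgorithmParameterException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("X509Certificate certificate cannot be null.");
        }
        // Temporary stack of borrowed pointers; released with sk_X509_free in finally.
        long untrusted = NativeCrypto.sk_X509_new();
        try {
            OpenSSLX509CertificateHolder target = OpenSSLX509CertificateHolder.getCertificateHolder(x509Certificate);
            int stackSize = NativeCrypto.sk_X509_num(this.certStack.getNativeRef());
            for (int i = 0; i < stackSize; i++) {
                NativeCrypto.sk_X509_push(untrusted, NativeCrypto.sk_X509_value(this.certStack.getNativeRef(), i));
            }
            if (pkcs7 != null) {
                long embedded = NativeCrypto.PKCS7_get_certificates(pkcs7.getPKCS7Context());
                int embeddedCount = NativeCrypto.sk_X509_num(embedded);
                for (int i = 0; i < embeddedCount; i++) {
                    NativeCrypto.sk_X509_push(untrusted, NativeCrypto.sk_X509_value(embedded, i));
                }
            }
            int initStatus = NativeCrypto.X509_STORE_CTX_init(this.storeCtx.getNativeRef(), this.certStore.getNativeRef(), target.getContext(), untrusted);
            if (initStatus <= 0) {
                // Fail closed: a status of 0 must not become the success code.
                return new CertVerifyResult(failureCode(initStatus), new Date());
            }
            if (NativeCrypto.X509_verify_cert(this.storeCtx.getNativeRef()) <= 0) {
                int error = NativeCrypto.X509_STORE_CTX_get_error(this.storeCtx.getNativeRef());
                // Return value discarded, as in the original decompiled code.
                NativeCrypto.X509_verify_cert_error_string(error);
                return fillResult(new CertVerifyResult(failureCode(error), new Date()));
            }
            if (pkcs7 != null) {
                pkcs7.getPKCS7Context().dummyTouch();
            }
            target.dummyTouch();
            if (target.getVersion() == CODE_HOLDER_VERSION_SENTINEL) {
                return new CertVerifyResult(CODE_HOLDER_VERSION_SENTINEL, new Date());
            }
            CertVerifyResult result = new CertVerifyResult(CODE_OK, new Date());
            fillResult(result);
            this.verifyParams.dummyTouch();
            return result;
        } catch (NoSuchProviderException e) {
            throw new IllegalArgumentException("Can not find registered AvProvider", e);
        } catch (CertificateEncodingException e2) {
            throw new IllegalArgumentException("Can not parse certificate", e2);
        } catch (CertificateException e3) {
            throw new IllegalArgumentException("Can not prepare certification path", e3);
        } finally {
            // The context is reused by the next call, so it is always reset here.
            NativeCrypto.X509_STORE_CTX_cleanup(this.storeCtx.getNativeRef());
            dummyTouch();
            NativeCrypto.sk_X509_free(untrusted);
        }
    }
}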
