package com.itextpdf.signatures;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ICertificateStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IRevokedStatus;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ISingleResp;
import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException;
import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

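/**
 * Certificate verifier that accepts a certificate when at least one OCSP response vouches for it.
 *
 * <p>Responses come from the list handed to the constructor and, when {@code onlineCheckingAllowed}
 * is set, from a freshly requested response. After its own check the class delegates to
 * {@code this.verifier} when one is set and appends those results.
 *
 * <p>The class is marked {@code @Deprecated}; its replacement is not visible in this file.
 * {@code verifier}, {@code onlineCheckingAllowed} and {@code rootStore} are inherited members
 * (presumably from {@code RootStoreVerifier} / {@code CertificateVerifier}; confirm).
 */
@Deprecated
/* loaded from: input_file:com/itextpdf/signatures/OCSPVerifier.class */
public class OCSPVerifier extends RootStoreVerifier {
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();
    protected static final Logger LOGGER = LoggerFactory.getLogger(OCSPVerifier.class);
    /** OID of the id-kp-OCSPSigning extended key usage, required on a delegated responder certificate. */
    protected static final String id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9";
    /** Pre-supplied OCSP responses to try; may be {@code null}. */
    protected List<IBasicOCSPResp> ocsps;
    /** Optional client used to check the revocation status of a delegated responder certificate. */
    private IOcspClient ocspClient;
    /** Optional client used to fetch CRLs for a delegated responder certificate. */
    private ICrlClient crlClient;

    /**
     * Creates the verifier.
     *
     * @param certificateVerifier passed to the superclass constructor
     * @param list OCSP responses to check certificates against; may be {@code null}
     */
    public OCSPVerifier(CertificateVerifier certificateVerifier, List<IBasicOCSPResp> list) {
        super(certificateVerifier);
        this.ocsps = list;
    }

    /**
     * Sets the OCSP client consulted first when a delegated responder certificate must be checked.
     *
     * @param iOcspClient the client, or {@code null} to skip this step
     */
    public void setOcspClient(IOcspClient iOcspClient) {
        this.ocspClient = iOcspClient;
    }

    /**
     * Sets the CRL client consulted when a delegated responder certificate must be checked.
     *
     * @param iCrlClient the client, or {@code null} to skip this step
     */
    public void setCrlClient(ICrlClient iCrlClient) {
        this.crlClient = iCrlClient;
    }

    /**
     * Counts the OCSP responses that validate the certificate and reports the outcome.
     *
     * @param x509Certificate the certificate being checked
     * @param x509Certificate2 its issuer certificate
     * @param date the moment for which the certificate must be valid
     * @return one {@code VerificationOK} when at least one response was valid, followed by the
     *     results of {@code this.verifier} when it is set; an empty list is not by itself a failure
     * @throws GeneralSecurityException if checking a response fails
     */
    @Override // com.itextpdf.signatures.RootStoreVerifier, com.itextpdf.signatures.CertificateVerifier
    public List<VerificationOK> verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        List<VerificationOK> results = new ArrayList<>();
        int validOcspCount = 0;
        if (this.ocsps != null) {
            for (IBasicOCSPResp storedResponse : this.ocsps) {
                if (verify(storedResponse, x509Certificate, x509Certificate2, date)) {
                    validOcspCount++;
                }
            }
        }
        // An online response is requested only when the caller allowed online checking.
        int onlineCount = 0;
        if (this.onlineCheckingAllowed && verify(getOcspResponse(x509Certificate, x509Certificate2), x509Certificate, x509Certificate2, date)) {
            validOcspCount++;
            onlineCount++;
        }
        LOGGER.info("Valid OCSPs found: " + validOcspCount);
        if (validOcspCount > 0) {
            // SignerProperties.IGNORED_ID stands in for the "no suffix" case (presumably an empty
            // string that the decompiler mapped to this constant; confirm).
            results.add(new VerificationOK(x509Certificate, getClass(), "Valid OCSPs Found: " + validOcspCount + (onlineCount > 0 ? " (" + onlineCount + " online)" : SignerProperties.IGNORED_ID)));
        }
        if (this.verifier != null) {
            results.addAll(this.verifier.verify(x509Certificate, x509Certificate2, date));
        }
        return results;
    }

    /**
     * Checks whether one OCSP response vouches for the certificate at the given date.
     *
     * <p>A single response is accepted when its serial number and issuer match, {@code date} is not
     * after its nextUpdate, its status is good or the revocation time lies after {@code date}, and
     * {@link #isValidResponse} accepts the signature of the whole response.
     *
     * <p>NOTE(review): thisUpdate is never compared with {@code date}, and a response without
     * nextUpdate passes the freshness test unconditionally, so nothing here bounds the age of a
     * response. A certificate revoked after {@code date} is also accepted, which makes the result
     * only as trustworthy as {@code date}; callers presumably need a time backed by a trusted
     * timestamp (confirm against callers).
     *
     * @param iBasicOCSPResp the response to inspect; {@code null} yields {@code false}
     * @param x509Certificate the certificate being checked
     * @param x509Certificate2 its issuer; when {@code null} the certificate itself is used
     * @param date the moment for which the certificate must be valid
     * @return {@code true} if a single response validates the certificate
     * @throws GeneralSecurityException if the response cannot be verified or an I/O error occurs
     */
    public boolean verify(IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        if (iBasicOCSPResp == null) {
            return false;
        }
        for (ISingleResp iSingleResp : iBasicOCSPResp.getResponses()) {
            if (!x509Certificate.getSerialNumber().equals(iSingleResp.getCertID().getSerialNumber())) {
                continue;
            }
            if (x509Certificate2 == null) {
                x509Certificate2 = x509Certificate;
            }
            try {
                if (!SignUtils.checkIfIssuersMatch(iSingleResp.getCertID(), x509Certificate2)) {
                    LOGGER.info("OCSP: Issuers doesn't match.");
                    continue;
                }
                if (iSingleResp.getNextUpdate() != null && date.after(iSingleResp.getNextUpdate())) {
                    LOGGER.info(MessageFormatUtil.format("OCSP is no longer valid: {0} after {1}", new Object[]{date, iSingleResp.getNextUpdate()}));
                    continue;
                }
                ICertificateStatus certStatus = iSingleResp.getCertStatus();
                IRevokedStatus revokedStatus = BOUNCY_CASTLE_FACTORY.createRevokedStatus(certStatus);
                boolean good = BOUNCY_CASTLE_FACTORY.createCertificateStatus().getGood().equals(certStatus);
                if (good || (revokedStatus != null && date.before(revokedStatus.getRevocationTime()))) {
                    // Throws when the response signature or its signer cannot be trusted.
                    isValidResponse(iBasicOCSPResp, x509Certificate2, date);
                    if (!good) {
                        LOGGER.warn(MessageFormatUtil.format(SignLogMessageConstant.VALID_CERTIFICATE_IS_REVOKED, new Object[]{revokedStatus.getRevocationTime()}));
                    }
                    return true;
                }
            } catch (AbstractOCSPException | AbstractOperatorCreationException e) {
                // Fail closed: a single response that cannot be evaluated never counts as valid.
                LOGGER.debug("OCSP single response could not be evaluated; treating it as not valid", e);
            } catch (IOException e2) {
                // Same message as before, with the cause kept for diagnosis.
                throw new GeneralSecurityException(e2.getMessage(), e2);
            }
        }
        return false;
    }

    /**
     * Verifies that an OCSP response is signed by an acceptable responder.
     *
     * <p>Accepted signers, in order: the issuer itself; a certificate embedded in the response that
     * carries the OCSPSigning extended key usage, is signed by the issuer, is valid at producedAt
     * and is either exempt from revocation checking (id-pkix-ocsp-nocheck) or passes one; and, only
     * when the response embeds no certificates, any certificate from the root store. The
     * {@code date} parameter is not used; validity is checked at the response's producedAt time.
     *
     * <p>NOTE(review): the last two revocation fallbacks build {@code OcspClientBouncyCastle} and
     * {@code CrlClientOnline} without consulting {@code onlineCheckingAllowed}. If those clients
     * perform network fetches, as the names suggest, a caller that disabled online checking can
     * still trigger outbound requests here; confirm and gate if that is unintended.
     *
     * @param iBasicOCSPResp the response whose signature is checked
     * @param x509Certificate the issuer of the certificate the response is about
     * @param date unused
     * @throws GeneralSecurityException if no acceptable signer is found, the signer is not valid at
     *     producedAt, or the responder's revocation status cannot be established
     */
    public void isValidResponse(IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, Date date) throws GeneralSecurityException {
        // Case 1: the issuer signed the response itself.
        if (isSignatureValid(iBasicOCSPResp, x509Certificate)) {
            x509Certificate.checkValidity(iBasicOCSPResp.getProducedAt());
            return;
        }
        // Case 2: a delegated responder certificate is embedded in the response.
        if (iBasicOCSPResp.getCerts().length > 0) {
            X509Certificate responderCert = null;
            for (X509Certificate candidate : SignUtils.getCertsFromOcspResponse(iBasicOCSPResp)) {
                try {
                    List<String> extendedKeyUsage = candidate.getExtendedKeyUsage();
                    if (extendedKeyUsage != null && extendedKeyUsage.contains(id_kp_OCSPSigning) && isSignatureValid(iBasicOCSPResp, candidate)) {
                        responderCert = candidate;
                        break;
                    }
                } catch (CertificateParsingException e) {
                    // A candidate whose key usage cannot be parsed is never accepted as responder.
                    LOGGER.debug("Skipping OCSP responder candidate with unparsable extended key usage", e);
                }
            }
            if (responderCert == null) {
                throw new VerificationException(x509Certificate, "OCSP response could not be verified");
            }
            // The delegation itself must be signed by the issuer and valid when the response was produced.
            responderCert.verify(x509Certificate.getPublicKey());
            responderCert.checkValidity(iBasicOCSPResp.getProducedAt());
            if (SignUtils.getExtensionValueByOid(responderCert, BOUNCY_CASTLE_FACTORY.createOCSPObjectIdentifiers().getIdPkixOcspNoCheck().getId()) != null) {
                // id-pkix-ocsp-nocheck present: the responder is not checked for revocation.
                return;
            }
            if (this.ocspClient != null) {
                IBasicOCSPResp responderOcsp = null;
                byte[] encoded = this.ocspClient.getEncoded(responderCert, x509Certificate, null);
                if (encoded != null) {
                    try {
                        responderOcsp = BOUNCY_CASTLE_FACTORY.createBasicOCSPResp(BOUNCY_CASTLE_FACTORY.createBasicOCSPResponse(BOUNCY_CASTLE_FACTORY.createASN1Primitive(encoded)));
                    } catch (IOException e2) {
                        // An undecodable response is treated as absent; the next mechanism is tried.
                        LOGGER.debug("OCSP response for the responder certificate could not be decoded", e2);
                    }
                }
                if (verifyOcsp(responderOcsp, responderCert, x509Certificate, iBasicOCSPResp.getProducedAt())) {
                    return;
                }
            }
            if (this.crlClient != null && checkCrlResponses(this.crlClient, responderCert, x509Certificate, iBasicOCSPResp.getProducedAt())) {
                return;
            }
            // Fallbacks with default clients; see the NOTE(review) in the method comment.
            if (verifyOcsp(new OcspClientBouncyCastle().getBasicOCSPResp(responderCert, x509Certificate, null), responderCert, x509Certificate, iBasicOCSPResp.getProducedAt())) {
                return;
            }
            if (checkCrlResponses(new CrlClientOnline(), responderCert, x509Certificate, iBasicOCSPResp.getProducedAt())) {
                return;
            }
            throw new VerificationException(responderCert, "Authorized OCSP responder certificate revocation status cannot be checked");
        }
        // Case 3: no embedded certificates, so look for a signer in the root store.
        X509Certificate trustedSigner = null;
        if (this.rootStore != null) {
            try {
                for (X509Certificate rootCert : SignUtils.getCertificates(this.rootStore)) {
                    if (isSignatureValid(iBasicOCSPResp, rootCert)) {
                        trustedSigner = rootCert;
                        break;
                    }
                }
            } catch (Exception e3) {
                // Fail closed: an unreadable root store leaves trustedSigner null, rejected below.
                LOGGER.debug("Root store could not be searched for the OCSP response signer", e3);
            }
        }
        if (trustedSigner == null) {
            throw new VerificationException(x509Certificate, "OCSP response could not be verified: it does not contain certificate chain and response is not signed by issuer certificate or any from the root store.");
        }
        trustedSigner.checkValidity(iBasicOCSPResp.getProducedAt());
    }

    /**
     * Tells whether the response signature verifies under the given certificate.
     *
     * @param iBasicOCSPResp the signed response
     * @param certificate the candidate signer
     * @return {@code true} if the signature verifies; {@code false} if it does not or if
     *     verification throws, so errors are never mistaken for success
     */
    public boolean isSignatureValid(IBasicOCSPResp iBasicOCSPResp, Certificate certificate) {
        try {
            return SignUtils.isSignatureValid(iBasicOCSPResp, certificate, BOUNCY_CASTLE_FACTORY.getProviderName());
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Requests an OCSP response for the certificate through a default {@code OcspClientBouncyCastle}.
     *
     * @param x509Certificate the certificate to ask about
     * @param x509Certificate2 its issuer
     * @return the response, or {@code null} when both arguments are {@code null}; whether the client
     *     itself can return {@code null} is not visible here
     */
    public IBasicOCSPResp getOcspResponse(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (x509Certificate == null && x509Certificate2 == null) {
            return null;
        }
        return new OcspClientBouncyCastle().getBasicOCSPResp(x509Certificate, x509Certificate2, null);
    }

    /** Null-safe wrapper around {@link #verify(IBasicOCSPResp, X509Certificate, X509Certificate, Date)}. */
    private boolean verifyOcsp(IBasicOCSPResp iBasicOCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        return iBasicOCSPResp != null && verify(iBasicOCSPResp, x509Certificate, x509Certificate2, date);
    }

    /**
     * Fetches CRLs for the certificate and reports whether any of them verifies it.
     *
     * @return {@code true} on the first CRL accepted by {@link #verifyCrl}; {@code false} when the
     *     client supplies no CRLs or none is accepted
     */
    private boolean checkCrlResponses(ICrlClient iCrlClient, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        java.util.Collection<byte[]> encodedCrls = iCrlClient.getEncoded(x509Certificate, null);
        if (encodedCrls == null) {
            // No CRL data is "not confirmed", never "confirmed".
            return false;
        }
        for (byte[] encodedCrl : encodedCrls) {
            if (verifyCrl(SignUtils.parseCrlFromStream(new ByteArrayInputStream(encodedCrl)), x509Certificate, x509Certificate2, date)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies one CRL with a fresh {@code CRLVerifier} that shares this verifier's root store and
     * online-checking setting.
     *
     * @return {@code false} for anything that is not an {@code X509CRL}, otherwise the
     *     {@code CRLVerifier} result
     */
    private boolean verifyCrl(CRL crl, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException {
        if (!(crl instanceof X509CRL)) {
            return false;
        }
        CRLVerifier crlVerifier = new CRLVerifier(null, null);
        crlVerifier.setRootStore(this.rootStore);
        crlVerifier.setOnlineCheckingAllowed(this.onlineCheckingAllowed);
        return crlVerifier.verify((X509CRL) crl, x509Certificate, x509Certificate2, date);
    }
}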
