package sun.security.d.a;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sun.security.d.a.d;
import sun.security.e.am;
import sun.security.e.bt;
import sun.security.e.bz;
import sun.security.util.o;

/* loaded from: classes.dex */
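/**
 * Parser and verifier for a DER-encoded OCSP response (decompiled, obfuscated names).
 *
 * <p>The constructor decodes the outer response, requires the "basic" response type, parses every
 * SingleResponse, rejects unsupported critical extensions and finally verifies the responder's
 * signature over the tbsResponseData bytes.
 *
 * <p>NOTE(review): identifiers were renamed by an obfuscator and the listing was produced by a
 * decompiler. Several simple names collide (for example the enum {@code a}, the static array
 * {@code a} and the methods {@code a(...)}); inside the nested class {@code b} the static array
 * {@code f} coexists with references such as {@code f.b} and {@code f.n} that are meant to reach
 * the outer class. Treat the listing as a reading aid, not as compilable source.
 */
public final class f {
    // The next six constants are not referenced anywhere in this class as shown.
    private static final boolean c = false;
    private static final int f = 0;
    private static final int g = 1;
    private static final int h = 2;
    private static final int i = 1;
    private static final int j = 2;
    // Extended-key-usage OID id-kp-OCSPSigning; a delegated responder certificate must carry it.
    private static final String k = "1.3.6.1.5.5.7.3.9";
    // Clock-skew tolerance in milliseconds (15 minutes) applied to thisUpdate / nextUpdate.
    private static final long n = 900000;
    // Status decoded from the outer OCSPResponse.
    private final a l;
    // SingleResponses keyed by the value returned from b.d() (presumably the CertID).
    private final Map<c, b> m;
    // Lookup table used to map the wire status integer to an enum constant by index.
    private static a[] a = a.values();
    // Debug logger for the "certpath" category; every use below is null-guarded.
    private static final sun.security.util.e b = sun.security.util.e.a("certpath");
    // OID id-pkix-ocsp-basic: the only response type this parser accepts.
    private static final o d = o.a(new int[]{1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
    // OID id-pkix-ocsp-nonce: exempt from the critical-extension rejection below.
    private static final o e = o.a(new int[]{1, 3, 6, 1, 5, 5, 7, 48, 1, 2});

    /**
     * OCSP response status. Constants are looked up by ordinal from the integer on the wire, so
     * their order must not change; {@code UNUSED} occupies index 4.
     */
    /* loaded from: classes.dex */
    public enum a {
        SUCCESSFUL,
        MALFORMED_REQUEST,
        INTERNAL_ERROR,
        TRY_LATER,
        UNUSED,
        SIG_REQUIRED,
        UNAUTHORIZED
    }

    /**
     * One SingleResponse: certificate identifier, status, optional revocation time and reason,
     * and the thisUpdate / nextUpdate validity interval.
     */
    /* loaded from: classes.dex */
    static final class b implements d.a {
        // Revocation-reason lookup table, indexed by the enumerated value read from the response.
        private static d.a.b[] f = d.a.b.values();
        // Certificate identifier this entry applies to.
        private final c a;
        // Certificate status: GOOD, REVOKED or UNKNOWN.
        private final d.a.EnumC0252a b;
        // thisUpdate.
        private final Date c;
        // nextUpdate, or null when the responder did not send one.
        private final Date d;
        // Revocation time; null unless the status is REVOKED.
        private final Date e;
        // Revocation reason; UNSPECIFIED when absent, out of range, or the status is not REVOKED.
        private final d.a.b g;

        /**
         * Decodes one SingleResponse and checks that its validity interval covers the current
         * system time, allowing the clock-skew tolerance on both sides.
         *
         * @param kVar DER value holding the SingleResponse; its tag must be 48 (SEQUENCE)
         * @throws IOException if the encoding is malformed, the status choice is unknown, a
         *     critical single extension is present, or the validity interval is out of date
         */
        private b(sun.security.util.k kVar) throws IOException {
            if (kVar.e != 48) {
                throw new IOException("Bad ASN.1 encoding in SingleResponse");
            }
            sun.security.util.i iVar = kVar.g;
            this.a = new c(iVar.k().g);
            sun.security.util.k k = iVar.k();
            // The low five bits of the tag select the certStatus choice: 0 good, 1 revoked, 2 unknown.
            short s = (byte) (k.e & 31);
            if (s == 1) {
                this.b = d.a.EnumC0252a.REVOKED;
                this.e = k.g.s();
                if (k.g.x() != 0) {
                    sun.security.util.k k2 = k.g.k();
                    if (((byte) (k2.e & 31)) == 0) {
                        int e = k2.g.e();
                        // The reason code comes from the responder; bounds-check it before indexing.
                        if (e < 0 || e >= f.length) {
                            this.g = d.a.b.UNSPECIFIED;
                        } else {
                            this.g = f[e];
                        }
                    } else {
                        this.g = d.a.b.UNSPECIFIED;
                    }
                } else {
                    this.g = d.a.b.UNSPECIFIED;
                }
                if (f.b != null) {
                    f.b.c("Revocation time: " + this.e);
                    f.b.c("Revocation reason: " + this.g);
                }
            } else {
                this.e = null;
                this.g = d.a.b.UNSPECIFIED;
                if (s == 0) {
                    this.b = d.a.EnumC0252a.GOOD;
                } else {
                    if (s != 2) {
                        throw new IOException("Invalid certificate status");
                    }
                    this.b = d.a.EnumC0252a.UNKNOWN;
                }
            }
            this.c = iVar.s();
            // Candidate element for singleExtensions (context-specific tag 1).
            sun.security.util.k extensions = null;
            if (iVar.x() == 0) {
                this.d = null;
            } else {
                sun.security.util.k k3 = iVar.k();
                if (((byte) (k3.e & 31)) == 0) {
                    this.d = k3.g.s();
                } else {
                    this.d = null;
                    // Fix: nextUpdate is optional, so the element just read may already be the
                    // singleExtensions element. It used to be discarded, which let a critical
                    // extension pass unchecked whenever nextUpdate was absent.
                    if (k3.a((byte) 1)) {
                        extensions = k3;
                    }
                }
            }
            if (extensions == null && iVar.x() > 0) {
                extensions = iVar.k();
            }
            if (extensions != null && extensions.a((byte) 1)) {
                sun.security.util.k[] a = extensions.g.a(3);
                for (sun.security.util.k kVar2 : a) {
                    am amVar = new am(kVar2);
                    if (f.b != null) {
                        f.b.c("OCSP single extension: " + amVar);
                    }
                    // Fail closed: no single extension is understood here, so any critical one is fatal.
                    if (amVar.d()) {
                        throw new IOException("Unsupported OCSP critical extension: " + amVar.e());
                    }
                }
            }
            // Freshness is judged against the local system clock widened by the skew tolerance.
            long currentTimeMillis = System.currentTimeMillis();
            Date date = new Date(currentTimeMillis + f.n);
            Date date2 = new Date(currentTimeMillis - f.n);
            if (f.b != null) {
                f.b.c("Response's validity interval is from " + this.c + (this.d != null ? " until " + this.d : ""));
            }
            // Accept when thisUpdate is not in the future and nextUpdate (if any) is not in the past.
            if ((this.c == null || !date.before(this.c)) && (this.d == null || !date2.after(this.d))) {
                return;
            }
            if (f.b != null) {
                f.b.c("Response is unreliable: its validity interval is out-of-date");
            }
            throw new IOException("Response is unreliable: its validity interval is out-of-date");
        }

        /** Returns the certificate identifier this entry applies to. */
        /* JADX INFO: Access modifiers changed from: private */
        public c d() {
            return this.a;
        }

        /** Returns the certificate status carried by this entry. */
        @Override // sun.security.d.a.d.a
        public d.a.EnumC0252a a() {
            return this.b;
        }

        /**
         * Returns a defensive copy of the revocation time.
         *
         * @return the revocation time, or {@code null} when the status is not REVOKED
         */
        @Override // sun.security.d.a.d.a
        public Date b() {
            // Fix: the field is null for GOOD and UNKNOWN entries; cloning it unconditionally threw
            // a NullPointerException.
            return this.e == null ? null : (Date) this.e.clone();
        }

        /** Returns the revocation reason ({@code UNSPECIFIED} when none was decoded). */
        @Override // sun.security.d.a.d.a
        public d.a.b c() {
            return this.g;
        }

        /** Returns a multi-line, human-readable dump of this entry. */
        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("SingleResponse:  \n");
            sb.append(this.a);
            sb.append("\nCertStatus: " + this.b + "\n");
            if (this.b == d.a.EnumC0252a.REVOKED) {
                sb.append("revocationTime is " + this.e + "\n");
                sb.append("revocationReason is " + this.g + "\n");
            }
            sb.append("thisUpdate is " + this.c + "\n");
            if (this.d != null) {
                sb.append("nextUpdate is " + this.d + "\n");
            }
            return sb.toString();
        }
    }

    /**
     * Parses an encoded OCSP response and verifies the responder's signature.
     *
     * <p>When the status is not SUCCESSFUL, parsing stops after the status and no signature is
     * checked; the response map is empty.
     *
     * <p>Review notes, all limited to what this class shows:
     * <ul>
     *   <li>{@code date} is never read. Freshness of each SingleResponse is evaluated against
     *       {@code System.currentTimeMillis()} - confirm that callers do not expect validation at
     *       the supplied date.</li>
     *   <li>The nonce extension is tolerated when critical, but its value is not compared with a
     *       request nonce here; replay protection, if any, must live in the caller.</li>
     *   <li>A responder certificate embedded in the response is accepted when its issuer name
     *       equals the supplied certificate's subject, it carries the OCSPSigning key usage, and
     *       its signature verifies under the supplied certificate's key. Its validity period and
     *       revocation status are not checked in this class, and the responderID field is only
     *       logged, never matched against the signing certificate.</li>
     *   <li>SingleResponses are decoded (and logged) before the signature is verified, so debug
     *       output can contain unauthenticated data.</li>
     * </ul>
     *
     * @param bArr DER-encoded OCSP response
     * @param date not used by this constructor
     * @param x509Certificate certificate trusted to sign the response directly or to have issued
     *     the responder certificate embedded in it
     * @throws IOException if the encoding is malformed, the response type is unsupported, an
     *     unsupported critical extension is present, or a SingleResponse is out of date
     * @throws CertPathValidatorException if the responder certificate is unsuitable or the
     *     signature cannot be verified
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public f(byte[] bArr, Date date, X509Certificate x509Certificate) throws IOException, CertPathValidatorException {
        sun.security.util.k kVar = new sun.security.util.k(bArr);
        if (kVar.e != 48) {
            throw new IOException("Bad encoding in OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        sun.security.util.i f2 = kVar.f();
        int e2 = f2.e();
        // The status integer comes from the peer; bounds-check it before indexing the enum table.
        if (e2 < 0 || e2 >= a.length) {
            throw new IOException("Unknown OCSPResponse status: " + e2);
        }
        this.l = a[e2];
        if (b != null) {
            b.c("OCSP response status: " + this.l);
        }
        if (this.l != a.SUCCESSFUL) {
            // Error responses carry no responseBytes: nothing to parse and nothing to verify.
            this.m = Collections.emptyMap();
            return;
        }
        sun.security.util.k k2 = f2.k();
        if (!k2.a((byte) 0)) {
            throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 context specific tag 0.");
        }
        sun.security.util.k k3 = k2.g.k();
        if (k3.e != 48) {
            throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        sun.security.util.i iVar = k3.g;
        o j2 = iVar.j();
        if (!j2.b(d)) {
            if (b != null) {
                b.c("OCSP response type: " + j2);
            }
            throw new IOException("Unsupported OCSP response type: " + j2);
        }
        if (b != null) {
            b.c("OCSP response type: basic");
        }
        // BasicOCSPResponse: [0] tbsResponseData, [1] signatureAlgorithm, [2] signature, [3] certs (optional).
        sun.security.util.k[] a2 = new sun.security.util.i(iVar.h()).a(2);
        if (a2.length < 3) {
            throw new IOException("Unexpected BasicOCSPResponse value");
        }
        sun.security.util.k kVar2 = a2[0];
        // Encoded bytes of tbsResponseData, kept as the input to signature verification below.
        byte[] A = a2[0].A();
        if (kVar2.e != 48) {
            throw new IOException("Bad encoding in tbsResponseData element of OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        sun.security.util.i iVar2 = kVar2.g;
        sun.security.util.k k4 = iVar2.k();
        // Optional explicit version field: check its shape, then move on to the responderID.
        if (k4.a((byte) 0) && k4.e() && k4.c()) {
            sun.security.util.k k5 = k4.g.k();
            k5.k();
            if (k5.g.x() != 0) {
                throw new IOException("Bad encoding in version  element of OCSP response: bad format");
            }
            k4 = iVar2.k();
        }
        // responderID choice: 1 = by name, 2 = by key hash. The value is logged but not otherwise used.
        short s = (byte) (k4.e & 31);
        if (s == 1) {
            if (b != null) {
                b.c("OCSP Responder name: " + new bt(k4.f()));
            }
        } else if (s != 2) {
            throw new IOException("Bad encoding in responderID element of OCSP response: expected ASN.1 context specific tag 0 or 1");
        }
        // producedAt: read to advance the stream; only logged.
        sun.security.util.k k6 = iVar2.k();
        if (b != null) {
            b.c("OCSP response produced at: " + k6.z());
        }
        sun.security.util.k[] a3 = iVar2.a(1);
        this.m = new HashMap<c, b>(a3.length);
        if (b != null) {
            b.c("OCSP number of SingleResponses: " + a3.length);
        }
        for (sun.security.util.k kVar3 : a3) {
            b bVar = new b(kVar3);
            this.m.put(bVar.d(), bVar);
        }
        if (iVar2.x() > 0) {
            sun.security.util.k k7 = iVar2.k();
            if (k7.a((byte) 1)) {
                sun.security.util.k[] a4 = k7.g.a(3);
                for (sun.security.util.k kVar4 : a4) {
                    am amVar = new am(kVar4);
                    if (b != null) {
                        b.c("OCSP extension: " + amVar);
                    }
                    // Fail closed on critical extensions, with the nonce extension as the only exception.
                    if (!amVar.e().b(e) && amVar.d()) {
                        throw new IOException("Unsupported OCSP critical extension: " + amVar.e());
                    }
                }
            }
        }
        sun.security.e.f a5 = sun.security.e.f.a(a2[1]);
        // Presumably an algorithm-constraints check on the signature algorithm - TODO confirm.
        sun.security.d.a.a.a(a5);
        byte[] o = a2[2].o();
        bz[] bzVarArr = null;
        if (a2.length > 3) {
            sun.security.util.k kVar5 = a2[3];
            if (!kVar5.a((byte) 0)) {
                throw new IOException("Bad encoding in certs element of OCSP response: expected ASN.1 context specific tag 0.");
            }
            sun.security.util.k[] a6 = kVar5.f().a(3);
            bzVarArr = new bz[a6.length];
            for (int i2 = 0; i2 < a6.length; i2++) {
                try {
                    bzVarArr[i2] = new bz(a6[i2].A());
                } catch (CertificateException e3) {
                    throw new IOException("Bad encoding in X509 Certificate", e3);
                }
            }
        }
        // Fix: an empty certs array made bzVarArr[0] throw ArrayIndexOutOfBoundsException on
        // peer-supplied input; an empty list is now handled like an absent one.
        if (bzVarArr != null && bzVarArr.length > 0 && bzVarArr[0] != null) {
            bz bzVar = bzVarArr[0];
            // Fix: without a supplied certificate the issuer comparison dereferenced null; that
            // case now reaches the "Unable to verify" rejection below instead.
            if (x509Certificate != null && !bzVar.equals(x509Certificate) && bzVar.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal())) {
                sun.security.d.a.a.a(bzVar);
                try {
                    List<String> extendedKeyUsage = bzVar.getExtendedKeyUsage();
                    // A delegated responder must be explicitly authorised for OCSP signing.
                    if (extendedKeyUsage == null || !extendedKeyUsage.contains(k)) {
                        throw new CertPathValidatorException("Responder's certificate not valid for signing OCSP responses");
                    }
                    try {
                        bzVar.verify(x509Certificate.getPublicKey());
                        // From here on the delegated certificate is the signature-verification key.
                        x509Certificate = bzVar;
                    } catch (GeneralSecurityException e4) {
                        // The delegated certificate was not signed by the supplied one; clearing
                        // the reference makes the null check below reject the response. The cause
                        // is dropped here.
                        x509Certificate = null;
                    }
                } catch (CertificateParsingException e5) {
                    throw new CertPathValidatorException("Responder's certificate not valid for signing OCSP responses", e5);
                }
            }
        }
        if (x509Certificate == null) {
            throw new CertPathValidatorException("Unable to verify OCSP Responder's signature");
        }
        if (!a(A, x509Certificate, a5, o)) {
            throw new CertPathValidatorException("Error verifying OCSP Responder's signature");
        }
    }

    /**
     * Verifies the responder's signature over the encoded tbsResponseData.
     *
     * @param bArr bytes that were signed
     * @param x509Certificate certificate whose public key verifies the signature
     * @param fVar signature algorithm identifier taken from the response
     * @param bArr2 signature bytes
     * @return {@code true} if the signature verifies, {@code false} if it does not
     * @throws CertPathValidatorException if the key is unusable, the algorithm is unavailable, or
     *     the signature bytes cannot be processed
     */
    private boolean a(byte[] bArr, X509Certificate x509Certificate, sun.security.e.f fVar, byte[] bArr2) throws CertPathValidatorException {
        try {
            Signature signature = Signature.getInstance(fVar.a());
            signature.initVerify(x509Certificate);
            signature.update(bArr);
            if (signature.verify(bArr2)) {
                if (b != null) {
                    b.c("Verified signature of OCSP Responder");
                }
                return true;
            }
            if (b != null) {
                b.c("Error verifying signature of OCSP Responder");
            }
            return false;
        } catch (InvalidKeyException e2) {
            throw new CertPathValidatorException(e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new CertPathValidatorException(e3);
        } catch (SignatureException e4) {
            throw new CertPathValidatorException(e4);
        }
    }

    /** Returns the status decoded from the outer OCSPResponse. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public a a() {
        return this.l;
    }

    /**
     * Returns the SingleResponse recorded for the given certificate identifier.
     *
     * @param cVar certificate identifier to look up
     * @return the matching entry, or {@code null} if the response holds none for it
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public b a(c cVar) {
        return this.m.get(cVar);
    }
}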
