package net.netca.pki.encoding.asn1.pki.ocsp;

import java.util.Arrays;
import java.util.Date;
import net.netca.pki.UnsupportedException;
import net.netca.pki.encoding.asn1.ASN1Data;
import net.netca.pki.encoding.asn1.ASN1Object;
import net.netca.pki.encoding.asn1.ASN1TypeManager;
import net.netca.pki.encoding.asn1.BitString;
import net.netca.pki.encoding.asn1.GeneralizedTime;
import net.netca.pki.encoding.asn1.Integer;
import net.netca.pki.encoding.asn1.Sequence;
import net.netca.pki.encoding.asn1.SequenceOf;
import net.netca.pki.encoding.asn1.SequenceType;
import net.netca.pki.encoding.asn1.TaggedValue;
import net.netca.pki.encoding.asn1.pki.AlgorithmIdentifier;
import net.netca.pki.encoding.asn1.pki.BasicConstraintsExtension;
import net.netca.pki.encoding.asn1.pki.ExtKeyUsageExtension;
import net.netca.pki.encoding.asn1.pki.Extension;
import net.netca.pki.encoding.asn1.pki.Extensions;
import net.netca.pki.encoding.asn1.pki.Hashable;
import net.netca.pki.encoding.asn1.pki.NamedBitStringExtension;
import net.netca.pki.encoding.asn1.pki.Verifible;
import net.netca.pki.encoding.asn1.pki.X509Certificate;
import net.netca.pki.u;

/* loaded from: classes.dex */
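/**
 * Wrapper around a decoded ASN.1 {@code BasicOCSPResponse} value.
 *
 * <p>The field paths read by the accessors ({@code tbsResponseData}, {@code signatureAlgorithm},
 * {@code signature}, {@code certs}) match the BasicOCSPResponse structure of RFC 6960. Failures are
 * reported with the library exception {@code u} (the name appears to be obfuscated in this build).
 *
 * <p><b>Security notes for callers.</b>
 * <ul>
 *   <li>{@link #verifySignature} only proves that the response was signed by the key of a
 *       certificate matching the responderID. When that certificate is taken from the response's
 *       own {@code certs} field it is supplied by whoever produced the response, so it must still
 *       be authorised, for example with {@link #checkOCSPCert}, before the response is trusted.</li>
 *   <li>Nothing in this class checks {@code producedAt}, the freshness of a single response, or a
 *       nonce extension; those checks are left to the caller.</li>
 *   <li>{@link #verifySignature} stores the signer certificate in a plain field, so an instance
 *       shared between threads needs external synchronisation.</li>
 * </ul>
 */
public final class BasicOCSPResponse {
    /** Version constant; presumably the value {@link #getVersion()} yields for a v1 response. */
    public static final int V1 = 0;

    /** ASN.1 type definition registered under the name {@code "BasicOCSPResponse"}. */
    private static final SequenceType type = (SequenceType) ASN1TypeManager.getInstance().get("BasicOCSPResponse");

    /** Certificate whose key verified the signature; {@code null} until verifySignature succeeds. */
    private X509Certificate cert;

    /** The decoded response; every accessor reads from it by field path. */
    private final ASN1Data resp;

    /**
     * Wraps an already decoded sequence.
     *
     * @param sequence the decoded value; must match the BasicOCSPResponse type
     * @throws u if {@code sequence} does not match the BasicOCSPResponse type
     */
    public BasicOCSPResponse(Sequence sequence) {
        if (!type.match(sequence)) {
            throw new u("not BasicOCSPResponse");
        }
        this.resp = new ASN1Data("BasicOCSPResponse", sequence);
    }

    /**
     * Decodes a response from a whole byte array.
     *
     * @param bArr the encoded response
     * @throws u if the bytes do not decode as a BasicOCSPResponse
     */
    public BasicOCSPResponse(byte[] bArr) {
        this(bArr, 0, bArr.length);
    }

    /**
     * Decodes a response from a region of a byte array.
     *
     * @param bArr buffer holding the encoded response
     * @param i    second argument handed to {@code ASN1Object.decode}; presumably the start offset
     * @param i2   third argument handed to {@code ASN1Object.decode}; presumably the length
     * @throws u if the decoder returns {@code null}
     */
    public BasicOCSPResponse(byte[] bArr, int i, int i2) {
        ASN1Object decoded = ASN1Object.decode(bArr, i, i2, type);
        if (decoded == null) {
            throw new u("not BasicOCSPResponse");
        }
        this.resp = new ASN1Data("BasicOCSPResponse", decoded);
    }

    /**
     * Checks the extensions of a CA certificate that signed the OCSP response directly.
     *
     * <p>When KeyUsage is present, bit 0 or bit 1 (digitalSignature / nonRepudiation) and bit 5
     * (keyCertSign) must be set. BasicConstraints must be present and mark the certificate as a CA.
     *
     * <p>NOTE(review): a certificate with no extensions at all passes unchecked, and a missing
     * KeyUsage extension is tolerated. Confirm that accepting extension-less CA certificates is
     * intended and that the caller has already validated this certificate as a trusted issuer.
     *
     * @param x509Certificate the CA certificate to inspect
     * @throws u if one of the checks above fails
     */
    private static void checkCACert(X509Certificate x509Certificate) {
        Extensions extensions = x509Certificate.getExtensions();
        if (extensions == null) {
            // Original behaviour: no extensions means nothing is checked.
            return;
        }
        Extension keyUsage = extensions.get(Extension.KEYUSAGE_OID);
        if (keyUsage != null) {
            NamedBitStringExtension bits = (NamedBitStringExtension) keyUsage.getExtensionObject();
            if (!bits.isSet(0) && !bits.isSet(1)) {
                throw new u("ca cert digitalSignature or nonRepudiation not set");
            }
            if (!bits.isSet(5)) {
                throw new u("ca cert keyCertSign not set");
            }
        }
        Extension basicConstraints = extensions.get(Extension.BASIC_CONSTRAINTS_OID);
        if (basicConstraints == null) {
            throw new u("ca cert no basic constraint");
        }
        if (!((BasicConstraintsExtension) basicConstraints.getExtensionObject()).isCA()) {
            throw new u("not ca cert");
        }
    }

    /** Returns whether the extended key usage list contains the OCSP signing OID. */
    private static boolean hasOcspSigning(ExtKeyUsageExtension extKeyUsage) {
        int size = extKeyUsage.size();
        for (int i = 0; i < size; i++) {
            if (extKeyUsage.get(i).equals(ExtKeyUsageExtension.OCSPSIGNING_OID)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks a delegated OCSP responder certificate against the CA that should have issued it.
     *
     * <p>The certificate's signature must verify under the CA's public key, its extended key usage
     * must list OCSP signing, it must carry the ocsp-nocheck extension, and, when KeyUsage is
     * present, bit 0 or bit 1 (digitalSignature / nonRepudiation) must be set.
     *
     * <p>This method does not look at the certificate's validity period or revocation status. The
     * ocsp-nocheck requirement suggests revocation checking of responder certificates is simply
     * not supported here. NOTE(review): confirm the validity period is checked by the caller.
     *
     * @param x509Certificate  the delegated responder certificate
     * @param x509Certificate2 the CA certificate whose public key must verify it
     * @param verifible        signature verifier handed to {@code verifySignature}
     * @throws u                    if a signature or extension check fails
     * @throws UnsupportedException if the ocsp-nocheck extension is absent
     */
    private static void checkDelegationOCSPCert(X509Certificate x509Certificate, X509Certificate x509Certificate2, Verifible verifible) {
        if (!x509Certificate.verifySignature(verifible, x509Certificate2.getSubjectPublicKeyInfo().getPublicKey())) {
            throw new u("not delegation cert,verify signature fail");
        }
        Extensions extensions = x509Certificate.getExtensions();
        if (extensions == null) {
            throw new u("delegation cert no extension");
        }
        Extension extKeyUsage = extensions.get(Extension.EXTKEYUSAGE_OID);
        if (extKeyUsage == null) {
            throw new u("delegation cert no extkeyusage extension");
        }
        if (!hasOcspSigning((ExtKeyUsageExtension) extKeyUsage.getExtensionObject())) {
            throw new u("delegation cert no ocspsigning in extkeyusage extension");
        }
        Extension noCheck = extensions.get(Extension.OCSP_NOCHECK_OID);
        if (noCheck == null) {
            throw new UnsupportedException("delegation cert no ocsp nocheck extension");
        }
        // Result is discarded; presumably the call exists so a malformed extension value fails here.
        noCheck.getExtensionObject();
        Extension keyUsage = extensions.get(Extension.KEYUSAGE_OID);
        if (keyUsage != null) {
            NamedBitStringExtension bits = (NamedBitStringExtension) keyUsage.getExtensionObject();
            if (!bits.isSet(0) && !bits.isSet(1)) {
                throw new u("ocsp cert digitalSignature or nonRepudiation not set");
            }
        }
    }

    /**
     * Decides whether a certificate is authorised to sign OCSP responses for a given CA.
     *
     * <p>Three cases, tried in order:
     * <ol>
     *   <li>The signer is byte-for-byte identical to {@code x509Certificate3}: accepted with no
     *       further check. Pass only a certificate that is already trusted as a responder.</li>
     *   <li>The signer is byte-for-byte identical to the CA certificate: the CA checks apply.</li>
     *   <li>Otherwise the signer's encoded issuer name must equal the CA's encoded subject name,
     *       and the delegated-responder checks apply.</li>
     * </ol>
     *
     * @param x509Certificate  the certificate that signed the response (see
     *                         {@link #getSignatureCert()})
     * @param x509Certificate2 the CA certificate; must not be {@code null}
     * @param x509Certificate3 an explicitly accepted responder certificate, or {@code null}
     * @param verifible        signature verifier used for the delegated-responder check
     * @throws u                    if the signer is not acceptable
     * @throws UnsupportedException if a delegated responder lacks the ocsp-nocheck extension
     */
    public static void checkOCSPCert(X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Certificate x509Certificate3, Verifible verifible) {
        byte[] signerDer = x509Certificate.derEncode();
        if (x509Certificate3 != null && Arrays.equals(signerDer, x509Certificate3.derEncode())) {
            return;
        }
        if (Arrays.equals(signerDer, x509Certificate2.derEncode())) {
            checkCACert(x509Certificate);
            return;
        }
        byte[] signerIssuer = x509Certificate.getIssuer().getASN1Object().encode();
        byte[] caSubject = x509Certificate2.getSubject().getASN1Object().encode();
        if (!Arrays.equals(signerIssuer, caSubject)) {
            throw new u("bad ocsp cert");
        }
        checkDelegationOCSPCert(x509Certificate, x509Certificate2, verifible);
    }

    /**
     * Decodes a response from a whole byte array.
     *
     * <p>A {@code null} result from the decoder is rejected here with the same exception the
     * byte-array constructor uses, instead of being handed on to the type matcher.
     *
     * @param bArr the encoded response
     * @return the decoded response
     * @throws u if the bytes do not decode as a BasicOCSPResponse
     */
    public static BasicOCSPResponse decode(byte[] bArr) {
        ASN1Object decoded = ASN1Object.decode(bArr, type);
        if (decoded == null) {
            throw new u("not BasicOCSPResponse");
        }
        return new BasicOCSPResponse((Sequence) decoded);
    }

    /** Returns the ASN.1 type definition used to decode and match responses. */
    public static SequenceType getASN1Type() {
        return type;
    }

    /** Returns the underlying decoded ASN.1 value. */
    public ASN1Object getASN1Object() {
        return this.resp.getValue();
    }

    /**
     * Returns the response extensions.
     *
     * @return the extensions, or {@code null} when the field cannot be read
     */
    public Extensions getExtensions() {
        ASN1Object value = this.resp.getValue("tbsResponseData.responseExtensions.value");
        return value == null ? null : new Extensions((SequenceOf) value);
    }

    /**
     * Returns one of the certificates carried in the response's {@code certs} field.
     *
     * <p>These certificates come from the response itself and are untrusted until checked.
     *
     * @param i index into the {@code certs} list; not range-checked here
     * @throws u if the {@code certs} field cannot be read
     */
    public X509Certificate getOptionalSignCert(int i) {
        ASN1Object value = this.resp.getValue("certs.value");
        if (value == null) {
            throw new u("get Optional Sign Cert fail");
        }
        return new X509Certificate((Sequence) ((SequenceOf) value).get(i));
    }

    /**
     * Returns the number of certificates in the response's {@code certs} field.
     *
     * @throws u if the {@code certs} field cannot be read
     */
    public int getOptionalSignCertCount() {
        ASN1Object value = this.resp.getValue("certs.value");
        if (value == null) {
            throw new u("get Optional Sign Cert Count fail");
        }
        return ((SequenceOf) value).size();
    }

    /**
     * Returns the {@code producedAt} time of the response.
     *
     * @throws u if the field cannot be read
     */
    public Date getProducedAt() {
        ASN1Object value = this.resp.getValue("tbsResponseData.producedAt");
        if (value == null) {
            throw new u("get producedAt fail");
        }
        return ((GeneralizedTime) value).getTime();
    }

    /**
     * Returns the responder identifier.
     *
     * @throws u if the field cannot be read
     */
    public ResponderID getResponderID() {
        ASN1Object value = this.resp.getValue("tbsResponseData.responderID");
        if (value == null) {
            throw new u("get responderID fail");
        }
        return new ResponderID((TaggedValue) value);
    }

    /**
     * Returns the list of single responses.
     *
     * @throws u if the field cannot be read
     */
    public Responses getResponses() {
        ASN1Object value = this.resp.getValue("tbsResponseData.responses");
        if (value == null) {
            throw new u("get responses fail");
        }
        return new Responses((SequenceOf) value);
    }

    /**
     * Returns the signature bytes.
     *
     * @throws u if the field cannot be read or the bit string has unused bits
     */
    public byte[] getSignature() {
        ASN1Object value = this.resp.getValue("signature");
        if (value == null) {
            throw new u("get signature fail");
        }
        BitString bitString = (BitString) value;
        if (bitString.getUnusedBits() != 0) {
            throw new u("signature's unusedBits is not zeor " + bitString.getUnusedBits());
        }
        return bitString.getValue();
    }

    /**
     * Returns the signature algorithm declared by the response.
     *
     * @throws u if the field cannot be read
     */
    public AlgorithmIdentifier getSignatureAlgorithmIdentifier() {
        ASN1Object value = this.resp.getValue("signatureAlgorithm");
        if (value == null) {
            throw new u("get signature algorithm fail");
        }
        return new AlgorithmIdentifier((Sequence) value);
    }

    /**
     * Returns the certificate recorded by the last successful {@link #verifySignature} call.
     *
     * @return the signer certificate, or {@code null} if no verification has succeeded yet
     */
    public X509Certificate getSignatureCert() {
        return this.cert;
    }

    /**
     * Finds the single response for a certificate.
     *
     * <p>For each entry a CertID is rebuilt with the hash algorithm that the entry itself declares,
     * so the algorithm used for matching is chosen by the response, not by the caller.
     *
     * @param hashable         hash provider handed to {@code CertID.CreateCertID}
     * @param x509Certificate  third argument to {@code CertID.CreateCertID}; presumably the
     *                         certificate whose status is wanted
     * @param x509Certificate2 fourth argument to {@code CertID.CreateCertID}; presumably its issuer
     * @return the first matching entry, or {@code null} if none matches
     */
    public SingleResponse getSingleResponse(Hashable hashable, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        Responses responses = getResponses();
        int size = responses.size();
        for (int i = 0; i < size; i++) {
            SingleResponse candidate = responses.get(i);
            CertID candidateId = candidate.getCertID();
            CertID expected = CertID.CreateCertID(hashable, candidateId.getHashAlgorithm(), x509Certificate, x509Certificate2);
            if (candidateId.match(expected)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Finds the single response whose CertID matches the given one.
     *
     * @param certID the identifier to look for
     * @return the first matching entry, or {@code null} if none matches
     */
    public SingleResponse getSingleResponse(CertID certID) {
        Responses responses = getResponses();
        int size = responses.size();
        for (int i = 0; i < size; i++) {
            SingleResponse candidate = responses.get(i);
            if (candidate.getCertID().match(certID)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Returns the encoding of {@code tbsResponseData}, the bytes covered by the signature check in
     * {@link #verifySignature}.
     *
     * @throws u if the field cannot be read
     */
    public byte[] getTbs() {
        ASN1Object value = this.resp.getValue("tbsResponseData");
        if (value == null) {
            throw new u("get tbsResponseData fail");
        }
        return value.encode();
    }

    /**
     * Returns the version number of the response.
     *
     * @throws u if the field cannot be read
     */
    public int getVersion() {
        ASN1Object value = this.resp.getValue("tbsResponseData.version.value");
        if (value == null) {
            throw new u("get version fail");
        }
        return ((Integer) value).getIntegerValue();
    }

    /**
     * Verifies the response signature and records which certificate verified it.
     *
     * <p>The supplied certificate is used when it is non-null and matches the responderID.
     * Otherwise the certificates embedded in the response are searched and the first one matching
     * the responderID is used; later matches are not tried if that one fails.
     *
     * <p>A {@code true} result does not establish trust on its own: an embedded certificate is
     * chosen by whoever produced the response. Pass {@link #getSignatureCert()} to
     * {@link #checkOCSPCert} before relying on the response.
     *
     * @param verifible       signature verifier
     * @param x509Certificate candidate signer certificate, or {@code null} to use only the
     *                        certificates embedded in the response
     * @param hashable        hash provider handed to {@code ResponderID.match}
     * @return {@code true} if a matching certificate's key verifies the signature; {@code false}
     *         if the selected certificate fails or no embedded certificate matches
     * @throws u if a required field cannot be read; this includes the {@code certs} field when the
     *           embedded certificates have to be searched
     */
    public boolean verifySignature(Verifible verifible, X509Certificate x509Certificate, Hashable hashable) {
        AlgorithmIdentifier algorithm = getSignatureAlgorithmIdentifier();
        byte[] tbs = getTbs();
        byte[] signature = getSignature();
        ResponderID responderID = getResponderID();
        if (x509Certificate != null && responderID.match(x509Certificate, hashable)) {
            return verifyAndRecord(verifible, x509Certificate, algorithm, tbs, signature);
        }
        int embeddedCount = getOptionalSignCertCount();
        for (int i = 0; i < embeddedCount; i++) {
            X509Certificate embedded = getOptionalSignCert(i);
            if (responderID.match(embedded, hashable)) {
                return verifyAndRecord(verifible, embedded, algorithm, tbs, signature);
            }
        }
        return false;
    }

    /** Verifies the signature with the signer's public key and, on success, records the signer. */
    private boolean verifyAndRecord(Verifible verifible, X509Certificate signer, AlgorithmIdentifier algorithm, byte[] tbs, byte[] signature) {
        if (!verifible.verify(signer.getSubjectPublicKeyInfo().getPublicKey(), algorithm, tbs, 0, tbs.length, signature)) {
            return false;
        }
        this.cert = signer;
        return true;
    }
}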
