package com.itextpdf.signatures;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import com.itextpdf.signatures.validation.TrustedCertificatesStore;
import com.itextpdf.styledxmlparser.resolver.resource.DefaultResourceRetriever;
import com.itextpdf.styledxmlparser.resolver.resource.IResourceRetriever;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/itextpdf/signatures/IssuingCertificateRetriever.class */
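/**
 * Locates issuer certificates for certificates, CRLs and OCSP responses.
 *
 * <p>Candidates come from three places visible in this class: the certificates supplied by the caller,
 * the {@link TrustedCertificatesStore}, and certificates downloaded from the URL returned by
 * {@code CertificateUtil.getIssuerCertURL} (the AIA location). Downloaded certificates are stored in
 * {@code knownCertificates}, which is kept separate from the trusted store: being "known" is not the
 * same as being trusted, and nothing in this class validates a downloaded certificate beyond the
 * signature checks noted on individual methods.
 *
 * <p>The known-certificate cache is a plain {@link HashMap} and no synchronization is visible in this
 * class.
 */
public class IssuingCertificateRetriever implements IIssuingCertificateRetriever {
    private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
    private static final Logger LOGGER = LoggerFactory.getLogger(IssuingCertificateRetriever.class);

    private final TrustedCertificatesStore trustedCertificatesStore;
    /** Certificates seen so far (for example fetched via AIA), keyed by subject name. Not trusted. */
    private final Map<String, List<Certificate>> knownCertificates;
    private final IResourceRetriever resourceRetriever;

    /**
     * Creates a retriever that downloads AIA resources with a {@link DefaultResourceRetriever}.
     */
    public IssuingCertificateRetriever() {
        this(new DefaultResourceRetriever());
    }

    /**
     * Creates a retriever that downloads AIA resources through the supplied retriever.
     *
     * @param iResourceRetriever retriever used for every AIA download; it is the only place where
     *                           outbound requests made by this class can be restricted
     */
    public IssuingCertificateRetriever(IResourceRetriever iResourceRetriever) {
        this.trustedCertificatesStore = new TrustedCertificatesStore();
        this.knownCertificates = new HashMap<>();
        this.resourceRetriever = iResourceRetriever;
    }

    /**
     * Completes a certificate chain, starting at {@code certificateArr[0]}.
     *
     * <p>While the last certificate of the chain is not self-signed, the next input certificate is used
     * if it is the issuer; otherwise an issuer is looked up in the trusted store and then in the known
     * certificates (after an AIA download attempt). If no issuer is found, the remaining input
     * certificates are appended unchanged and the chain is returned as is.
     *
     * @param certificateArr certificates to start from; must contain at least one {@link X509Certificate}
     * @return the chain that could be built, first input certificate first
     */
    @Override
    public Certificate[] retrieveMissingCertificates(Certificate[] certificateArr) {
        List<Certificate> chain = new ArrayList<>();
        X509Certificate last = (X509Certificate) certificateArr[0];
        chain.add(last);
        int next = 1;
        while (!CertificateUtil.isSelfSigned(last)) {
            if (next < certificateArr.length
                    && CertificateUtil.isIssuerCertificate(last, (X509Certificate) certificateArr[next])) {
                chain.add(certificateArr[next]);
                next++;
            } else {
                Collection<Certificate> fromAia =
                        processCertificatesFromAIA(CertificateUtil.getIssuerCertURL(last));
                if (fromAia != null) {
                    addKnownCertificates(fromAia);
                }
                String issuerName = last.getIssuerX500Principal().getName();
                // getIssuerFromCertificateSet only returns a candidate whose key verifies the signature,
                // so a non-null result needs no second verification. Trusted certificates win.
                Certificate issuer = getIssuerFromCertificateSet(
                        last, this.trustedCertificatesStore.getKnownCertificates(issuerName));
                if (issuer == null) {
                    issuer = getIssuerFromCertificateSet(last, this.knownCertificates.get(issuerName));
                }
                // Known certificates are unvalidated input. If the issuer found is already part of the
                // chain, the certificates sign each other in a loop and the chain would otherwise grow
                // without bound; treat that like "issuer not found".
                if (issuer == null || chain.contains(issuer)) {
                    while (next < certificateArr.length) {
                        chain.add(certificateArr[next]);
                        next++;
                    }
                    break;
                }
                chain.add(issuer);
            }
            last = (X509Certificate) chain.get(chain.size() - 1);
        }
        return chain.toArray(new Certificate[0]);
    }

    /**
     * Builds every candidate chain for a single certificate.
     *
     * @param x509Certificate certificate to build chains for
     * @return candidate chains, each starting with {@code x509Certificate}
     */
    public List<X509Certificate[]> buildCertificateChains(X509Certificate x509Certificate) {
        return buildCertificateChains(new X509Certificate[]{x509Certificate});
    }

    /**
     * Builds every candidate chain that continues the given partial chain.
     *
     * <p>Issuers are selected by subject name only (see the private helpers); signatures are not
     * verified here, so the returned chains are candidates that still have to be validated.
     *
     * @param x509CertificateArr partial chain; chains are extended from its last element
     * @return candidate chains, each starting with {@code x509CertificateArr[0]}
     */
    public List<X509Certificate[]> buildCertificateChains(X509Certificate[] x509CertificateArr) {
        List<List<X509Certificate>> chains = buildCertificateChainsList(x509CertificateArr);
        List<X509Certificate[]> result = new ArrayList<>(chains.size());
        for (List<X509Certificate> chain : chains) {
            // The helper builds each list from the far end back to the input; flip it for callers.
            Collections.reverse(chain);
            result.add(chain.toArray(new X509Certificate[0]));
        }
        return result;
    }

    /**
     * Builds the chains for the last element of the array and appends the preceding elements,
     * from the second-to-last down to the first, to every chain.
     */
    private List<List<X509Certificate>> buildCertificateChainsList(X509Certificate[] x509CertificateArr) {
        List<List<X509Certificate>> chains =
                new ArrayList<>(buildCertificateChainsList(x509CertificateArr[x509CertificateArr.length - 1]));
        for (List<X509Certificate> chain : chains) {
            for (int idx = x509CertificateArr.length - 2; idx >= 0; idx--) {
                chain.add(x509CertificateArr[idx]);
            }
        }
        return chains;
    }

    /** Builds the chains for one certificate, starting with an empty recursion path. */
    private List<List<X509Certificate>> buildCertificateChainsList(X509Certificate certificate) {
        return buildCertificateChainsList(certificate, new HashSet<>());
    }

    /**
     * Recursively builds chains for {@code certificate}; each chain ends with {@code certificate}.
     *
     * @param certificate certificate whose issuers are searched
     * @param path        certificates currently being expanded further up the recursion; a candidate
     *                    issuer that is already on the path is skipped so that certificates naming
     *                    each other as issuer cannot cause unbounded recursion
     */
    private List<List<X509Certificate>> buildCertificateChainsList(X509Certificate certificate,
            Set<X509Certificate> path) {
        if (CertificateUtil.isSelfSigned(certificate)) {
            return singleChain(certificate);
        }
        Collection<Certificate> fromAia =
                processCertificatesFromAIA(CertificateUtil.getIssuerCertURL(certificate));
        if (fromAia != null) {
            addKnownCertificates(fromAia);
        }
        String issuerName = certificate.getIssuerX500Principal().getName();
        // Candidates are matched by name only; no signature check happens in this method.
        Set<Certificate> candidates = this.trustedCertificatesStore.getKnownCertificates(issuerName);
        if (candidates == null) {
            // Same null handling as the CRL lookup in this class.
            candidates = new HashSet<>();
        }
        List<Certificate> known = this.knownCertificates.get(issuerName);
        if (known != null) {
            // NOTE(review): this adds untrusted certificates to the set returned by the trusted store.
            // Confirm that getKnownCertificates returns a fresh set rather than internal state.
            candidates.addAll(known);
        }
        if (candidates.isEmpty()) {
            return singleChain(certificate);
        }
        List<List<X509Certificate>> chains = new ArrayList<>();
        path.add(certificate);
        for (Certificate candidate : candidates) {
            X509Certificate issuer = (X509Certificate) candidate;
            if (path.contains(issuer)) {
                continue;
            }
            for (List<X509Certificate> chain : buildCertificateChainsList(issuer, path)) {
                chain.add(certificate);
                chains.add(chain);
            }
        }
        path.remove(certificate);
        // Every candidate was skipped as a loop: fall back to the certificate on its own.
        return chains.isEmpty() ? singleChain(certificate) : chains;
    }

    /** Returns a mutable list holding one mutable chain that contains only {@code certificate}. */
    private static List<List<X509Certificate>> singleChain(X509Certificate certificate) {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(certificate);
        List<List<X509Certificate>> chains = new ArrayList<>();
        chains.add(chain);
        return chains;
    }

    /**
     * Returns the candidate issuers of a certificate: the second element of every chain built for it.
     *
     * @param certificate certificate to look up; must be an {@link X509Certificate}
     * @return candidate issuers, empty when no chain is longer than one certificate
     */
    public List<X509Certificate> retrieveIssuerCertificate(Certificate certificate) {
        List<X509Certificate> issuers = new ArrayList<>();
        for (X509Certificate[] chain : buildCertificateChains((X509Certificate) certificate)) {
            if (chain.length > 1) {
                issuers.add(chain[1]);
            }
        }
        return issuers;
    }

    /**
     * Finds the certificate of an OCSP responder that is identified by name.
     *
     * <p>A certificate embedded in the response whose subject equals the responder name is returned
     * first; otherwise the trusted store is queried by that name.
     * NOTE(review): the embedded certificate is matched by name only and is not verified here; the
     * caller presumably validates it before relying on the response.
     *
     * @param iBasicOCSPResp OCSP response to inspect
     * @return the matching embedded certificate, or the trusted store's certificates for that name
     */
    public Set<Certificate> retrieveOCSPResponderByNameCertificate(IBasicOCSPResp iBasicOCSPResp) {
        String name = FACTORY.createX500Name(FACTORY.createASN1Sequence(iBasicOCSPResp.getResponderId().toASN1Primitive().getName().toASN1Primitive())).getName();
        for (X509Certificate embedded : SignUtils.getCertsFromOcspResponse(iBasicOCSPResp)) {
            if (name.equals(embedded.getSubjectX500Principal().getName())) {
                return Collections.<Certificate>singleton(embedded);
            }
        }
        return this.trustedCertificatesStore.getKnownCertificates(name);
    }

    /**
     * Returns the first chain of an issuer whose public key verifies the CRL signature.
     *
     * @param crl CRL to find the issuer for; must be an {@link X509CRL}
     * @return the first matching chain, or an empty array when there is none
     */
    @Override
    public Certificate[] getCrlIssuerCertificates(CRL crl) {
        Certificate[][] chains = getCrlIssuerCertificatesGeneric(crl, true);
        return chains.length == 0 ? new Certificate[0] : chains[0];
    }

    /**
     * Returns the chains of every certificate whose subject matches the CRL issuer name, without
     * checking the CRL signature.
     *
     * @param crl CRL to find issuers for; must be an {@link X509CRL}
     * @return candidate issuer chains, possibly empty
     */
    @Override
    public Certificate[][] getCrlIssuerCertificatesByName(CRL crl) {
        return getCrlIssuerCertificatesGeneric(crl, false);
    }

    /**
     * Shared CRL issuer lookup.
     *
     * @param crl                CRL to find issuers for
     * @param verifyCrlSignature when {@code true}, only issuers whose key verifies the CRL are kept
     * @return one chain array per candidate chain; an empty two-dimensional array when none is found
     */
    private Certificate[][] getCrlIssuerCertificatesGeneric(CRL crl, boolean verifyCrlSignature) {
        Collection<Certificate> fromAia = processCertificatesFromAIA(CertificateUtil.getIssuerCertURL(crl));
        if (fromAia != null) {
            addKnownCertificates(fromAia);
        }
        X509CRL x509Crl = (X509CRL) crl;
        Set<Certificate> candidates =
                this.trustedCertificatesStore.getKnownCertificates(x509Crl.getIssuerX500Principal().getName());
        if (candidates == null) {
            candidates = new HashSet<>();
        }
        List<Certificate> known = getCrlIssuersFromKnownCertificates(x509Crl);
        if (known != null) {
            candidates.addAll(known);
        }
        if (candidates.isEmpty()) {
            return new Certificate[0][];
        }
        List<Certificate[]> result = new ArrayList<>();
        for (Certificate issuer : candidates) {
            if (!verifyCrlSignature || isSignedBy(x509Crl, issuer)) {
                result.addAll(buildCertificateChains((X509Certificate) issuer));
            }
        }
        // The array type must be two-dimensional: each element is itself a certificate chain.
        return result.toArray(new Certificate[0][]);
    }

    /**
     * Adds certificates to the trusted store. Despite the name, existing entries are kept:
     * this delegates to {@link #addTrustedCertificates(Collection)}.
     *
     * @param collection certificates to trust
     */
    @Override
    public void setTrustedCertificates(Collection<Certificate> collection) {
        addTrustedCertificates(collection);
    }

    /**
     * Adds certificates to the trusted store as generally trusted.
     *
     * @param collection certificates to trust
     */
    public void addTrustedCertificates(Collection<Certificate> collection) {
        this.trustedCertificatesStore.addGenerallyTrustedCertificates(collection);
    }

    /**
     * Records certificates as known (not trusted), indexed by subject name.
     *
     * @param collection certificates to record; each must be an {@link X509Certificate}
     */
    public void addKnownCertificates(Collection<Certificate> collection) {
        for (Certificate certificate : collection) {
            String subject = ((X509Certificate) certificate).getSubjectX500Principal().getName();
            this.knownCertificates.computeIfAbsent(subject, key -> new ArrayList<>()).add(certificate);
        }
    }

    /**
     * @return the trusted store used by this retriever (the live instance, not a copy)
     */
    public TrustedCertificatesStore getTrustedCertificatesStore() {
        return this.trustedCertificatesStore;
    }

    /**
     * @param certificate certificate to check
     * @return whether the trusted store reports the certificate as generally trusted
     */
    public boolean isCertificateTrusted(Certificate certificate) {
        return this.trustedCertificatesStore.isCertificateGenerallyTrusted(certificate);
    }

    /**
     * Opens the resource behind an AIA URI.
     *
     * <p>NOTE(review): the URI is read from the certificate or CRL being processed, so it is
     * untrusted input. This method applies no scheme, host or size restriction of its own; any
     * such limit has to come from the configured {@link IResourceRetriever} or from an override.
     *
     * @param str URI of the issuer certificate
     * @return stream with the downloaded content
     * @throws IOException if the URI is malformed or the resource cannot be retrieved
     */
    protected InputStream getIssuerCertByURI(String str) throws IOException {
        return this.resourceRetriever.getInputStreamByUrl(new URL(str));
    }

    /**
     * Parses all certificates from a stream.
     *
     * @param inputStream stream with certificate data
     * @return the parsed certificates
     * @throws CertificateException if the data cannot be parsed
     */
    protected Collection<Certificate> parseCertificates(InputStream inputStream) throws CertificateException {
        return SignUtils.readAllCerts(inputStream, null);
    }

    /**
     * Downloads and parses the certificates at an AIA URI.
     *
     * @param uri AIA URI, may be {@code null}
     * @return the parsed certificates, or {@code null} when there is no URI or anything fails
     */
    private Collection<Certificate> processCertificatesFromAIA(String uri) {
        if (uri == null) {
            return null;
        }
        // try-with-resources closes the stream on the failure path as well as on success.
        try (InputStream stream = getIssuerCertByURI(uri)) {
            return parseCertificates(stream);
        } catch (Exception ignored) {
            // Best effort: a failed download or parse only means no extra candidates are learned.
            LOGGER.warn(SignLogMessageConstant.UNABLE_TO_PARSE_AIA_CERT);
            return null;
        }
    }

    /**
     * @return {@code true} if the candidate's public key verifies the certificate's signature;
     *         any failure, including a malformed key, counts as "not signed by"
     */
    private static boolean isSignedBy(X509Certificate certificate, Certificate candidateIssuer) {
        try {
            certificate.verify(candidateIssuer.getPublicKey());
            return true;
        } catch (Exception ignored) {
            return false;
        }
    }

    /**
     * @return {@code true} if the candidate's public key verifies the CRL's signature;
     *         any failure counts as "not signed by"
     */
    private static boolean isSignedBy(X509CRL crl, Certificate candidateIssuer) {
        try {
            crl.verify(candidateIssuer.getPublicKey());
            return true;
        } catch (Exception ignored) {
            return false;
        }
    }

    /**
     * Returns the first candidate whose public key verifies the certificate's signature.
     *
     * @param certificate certificate whose issuer is wanted
     * @param candidates  possible issuers, may be {@code null}
     * @return the first verifying candidate, or {@code null} if there is none
     */
    private static Certificate getIssuerFromCertificateSet(X509Certificate certificate,
            Collection<Certificate> candidates) {
        if (candidates == null) {
            return null;
        }
        for (Certificate candidate : candidates) {
            if (isSignedBy(certificate, candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * @return the known (untrusted) certificates whose subject equals the CRL issuer name,
     *         or {@code null} when none are recorded
     */
    private List<Certificate> getCrlIssuersFromKnownCertificates(X509CRL crl) {
        return this.knownCertificates.get(crl.getIssuerX500Principal().getName());
    }
}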
