package etri.fido.auth.crypto;

import etri.fido.auth.common.AuthException;
import etri.fido.utility.Base64Helper;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import org.spongycastle.a.az;
import org.spongycastle.a.bc;
import org.spongycastle.a.k;
import org.spongycastle.a.t;
import org.spongycastle.a.u.i;
import org.spongycastle.a.u.q;
import org.spongycastle.a.u.r;
import org.spongycastle.a.u.u;
import org.spongycastle.a.u.v;

/* loaded from: classes3.dex */
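/**
 * Certificate-path validator that builds a PKIX path from a leaf certificate to one of a set of
 * caller-supplied root certificates, plus static helpers for CRL-based revocation lookups.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #validate(String[], byte[][])} builds the path with revocation checking disabled
 *       and nothing in this class calls {@link #checkCRL(X509Certificate)}; a caller that needs
 *       revocation status has to invoke it separately.</li>
 *   <li>{@link #checkCRL(X509Certificate)} trusts whatever CRL it downloads: the CRL signature,
 *       issuer and validity window are not verified here.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the {@code org.spongycastle.a.*} names are obfuscated, so
 * comments about them are hedged.
 */
public class ETRICertPathValidator implements CertPathValidator {
    // Reviewer-chosen bounds so that a slow or unresponsive CRL host cannot block the caller
    // indefinitely; tune to the deployment.
    private static final int CRL_CONNECT_TIMEOUT_MS = 10000;
    private static final int CRL_READ_TIMEOUT_MS = 10000;

    /**
     * Checks the certificate against every CRL named in its CRL Distribution Points extension.
     *
     * <p>A certificate that carries no distribution points is reported as not revoked, because
     * there is nothing to consult.
     *
     * @param x509Certificate certificate to look up
     * @return {@code false} if any downloaded CRL lists the certificate as revoked, {@code true}
     *     otherwise
     * @throws AuthException if a distribution point cannot be parsed, uses an unsupported scheme,
     *     or cannot be downloaded (the check fails closed)
     */
    public static boolean checkCRL(X509Certificate x509Certificate) throws AuthException {
        try {
            for (String distributionPoint : getCrlDPs(x509Certificate)) {
                X509CRL crl = downloadCRL(distributionPoint);
                if (crl == null) {
                    // downloadCRL returns null for schemes it does not fetch. Fail closed
                    // explicitly instead of relying on a NullPointerException; the catch below
                    // reports it with the same message as any other lookup failure.
                    throw new AuthException("unsupported CRL distribution point: " + distributionPoint);
                }
                // NOTE(review): the CRL is used as downloaded. Its signature is not verified
                // against the issuer and thisUpdate/nextUpdate are not checked, so over http:// or
                // ftp:// its content is only as trustworthy as the network path. Verify the CRL
                // (X509CRL.verify with the issuer key) before relying on this result.
                if (crl.isRevoked(x509Certificate)) {
                    return false;
                }
            }
            return true;
        } catch (Exception e2) {
            throw new AuthException("can not check CRL for certificate: " + x509Certificate.getSubjectX500Principal());
        }
    }

    /**
     * Downloads and parses one CRL.
     *
     * @param str distribution point URL taken from the certificate
     * @return the parsed CRL, or {@code null} when the URL does not start with {@code http://},
     *     {@code https://} or {@code ftp://}
     * @throws AuthException if the download or the parsing fails, including on timeout
     */
    private static X509CRL downloadCRL(String str) throws AuthException {
        if (!str.startsWith("http://") && !str.startsWith("https://") && !str.startsWith("ftp://")) {
            return null;
        }
        // NOTE(review): the URL originates from the certificate under examination, so the peer
        // that supplied the certificate chooses which host this process contacts. Consider an
        // allow-list of CRL hosts and a cap on the response size.
        try {
            java.net.URLConnection connection = new URL(str).openConnection();
            connection.setConnectTimeout(CRL_CONNECT_TIMEOUT_MS);
            connection.setReadTimeout(CRL_READ_TIMEOUT_MS);
            InputStream crlStream = connection.getInputStream();
            try {
                return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(crlStream);
            } finally {
                crlStream.close();
            }
        } catch (Exception e2) {
            throw new AuthException(e2.getMessage());
        }
    }

    /**
     * Extracts the URLs listed in the certificate's CRL Distribution Points extension
     * (OID 2.5.29.31).
     *
     * @param x509Certificate certificate to inspect
     * @return the collected URL strings; empty when the extension is absent
     * @throws AuthException if the extension value cannot be decoded
     */
    public static List<String> getCrlDPs(X509Certificate x509Certificate) throws AuthException {
        List<String> urls = new ArrayList<String>();
        byte[] extensionValue = x509Certificate.getExtensionValue("2.5.29.31");
        if (extensionValue == null) {
            return urls;
        }
        k kVar = new k(new ByteArrayInputStream(extensionValue));
        try {
            // The extension value is read as an outer object whose content is decoded a second
            // time. A decoding failure now reaches the catch below and becomes an AuthException;
            // the decompiled original logged it and carried on with a null object.
            t tVar = new k(new ByteArrayInputStream(((bc) kVar.a()).c())).a();
            for (q qVar : i.a(tVar).a()) {
                r rVar = qVar.f41105a;
                // presumably tag 0 selects the "fullName" form of the distribution point name;
                // obfuscated field, confirm against the Spongy Castle source
                if (rVar != null && rVar.f41109b == 0) {
                    u[] names = v.a(rVar.f41108a).a();
                    for (int index = 0; index < names.length; index++) {
                        // presumably tag 6 is the URI form of a general name; confirm
                        if (names[index].f41124b == 6) {
                            urls.add(az.a(names[index].f41123a).b());
                        }
                    }
                }
            }
            return urls;
        } catch (IOException e3) {
            // presumably a stack-trace/logging helper left by the build tooling; confirm
            com.google.b.a.a.a.a.a.a(e3);
            throw new AuthException(e3.getMessage());
        } finally {
            try {
                kVar.close();
            } catch (IOException ignored) {
                // Closing an in-memory stream; nothing useful can be done on failure.
            }
        }
    }

    /**
     * Reports whether the certificate's signature verifies under its own public key.
     *
     * <p>Only the signature is checked; subject and issuer names are not compared.
     *
     * @param x509Certificate certificate to test
     * @return {@code true} if the signature verifies, {@code false} on a key or signature mismatch
     * @throws AuthException if the algorithm or provider is unavailable or the certificate cannot
     *     be encoded
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) throws AuthException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException e2) {
            return false;
        } catch (NoSuchAlgorithmException e3) {
            throw new AuthException(e3.getMessage());
        } catch (NoSuchProviderException e4) {
            throw new AuthException(e4.getMessage());
        } catch (SignatureException e5) {
            return false;
        } catch (CertificateException e6) {
            throw new AuthException(e6.getMessage());
        }
    }

    /**
     * Builds a PKIX certification path from the first certificate in {@code bArr} to one of the
     * given root certificates, using the remaining certificates as intermediates.
     *
     * @param strArr Base64-encoded root certificates used as trust anchors
     * @param bArr encoded certificates; element 0 is the certificate being validated
     * @return {@code true} if a path to a trust anchor was built, {@code false} if none exists
     * @throws AuthException if an argument is null or {@code bArr} is empty, or if the "SC"
     *     provider, its algorithms or the builder parameters are rejected
     */
    @Override // etri.fido.auth.crypto.CertPathValidator
    public boolean validate(String[] strArr, byte[][] bArr) throws AuthException {
        if (strArr == null) {
            throw new AuthException("strRootCerts is null");
        }
        if (bArr == null) {
            throw new AuthException("certs is null");
        }
        if (bArr.length == 0) {
            // Without this guard bArr[0] below fails with an unchecked
            // ArrayIndexOutOfBoundsException instead of the declared AuthException.
            throw new AuthException("certs is empty");
        }
        HashSet<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (String encodedRoot : strArr) {
            trustAnchors.add(new TrustAnchor(CryptoHelper.getX509Certificate(Base64Helper.decode(encodedRoot)), null));
        }
        X509Certificate targetCertificate = CryptoHelper.getX509Certificate(bArr[0]);
        HashSet<X509Certificate> candidates = new HashSet<X509Certificate>();
        for (byte[] encodedCertificate : bArr) {
            candidates.add(CryptoHelper.getX509Certificate(encodedCertificate));
        }
        // Pin path building to the first supplied certificate.
        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(targetCertificate);
        try {
            PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(trustAnchors, targetSelector);
            // NOTE(review): revocation checking is switched off, so a revoked certificate still
            // yields a valid path. Callers that need revocation status must check it themselves.
            builderParameters.setRevocationEnabled(false);
            builderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates), "SC"));
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", "SC").build(builderParameters);
            return result != null && result.getTrustAnchor() != null;
        } catch (CertPathBuilderException e5) {
            // No path to any trust anchor: a validation failure, not an error.
            return false;
        } catch (InvalidAlgorithmParameterException e2) {
            com.google.b.a.a.a.a.a.a(e2);
            throw new AuthException(e2.getMessage());
        } catch (NoSuchAlgorithmException e3) {
            com.google.b.a.a.a.a.a.a(e3);
            throw new AuthException(e3.getMessage());
        } catch (NoSuchProviderException e4) {
            com.google.b.a.a.a.a.a.a(e4);
            throw new AuthException(e4.getMessage());
        }
    }
}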
