package org.conscrypt.ct;

import com.qtt.perfmonitor.trace.core.MethodBeat;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.conscrypt.NativeCrypto;
import org.conscrypt.OpenSSLX509Certificate;
import org.conscrypt.ct.SignedCertificateTimestamp;
import org.conscrypt.ct.VerifiedSCT;

/* loaded from: classes3.dex */
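/**
 * Collects Signed Certificate Timestamps (SCTs) for a certificate chain and checks each one
 * against the logs known to a {@link CTLogStore}.
 *
 * <p>SCTs are read from three places: the TLS extension data, a stapled OCSP response, and the
 * SCT-list extension embedded in the leaf certificate. Every SCT that decodes is recorded in a
 * {@link CTVerificationResult} together with its {@link VerifiedSCT.Status}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>This class only records per-SCT outcomes. Nothing here rejects a chain; whatever policy
 *       decides whether enough valid SCTs are present has to inspect the returned result.</li>
 *   <li>SCT list entries that fail to decode are dropped, so they do not appear in the result
 *       at all (not even as {@code INVALID_SCT}).</li>
 *   <li>An SCT whose log ID is not in the store is reported as {@code UNKNOWN_LOG}.</li>
 * </ul>
 *
 * <p>The {@code MethodBeat.i}/{@code MethodBeat.o} calls are method entry/exit trace hooks and
 * are not part of the CT logic. NOTE(review): they look like build-time instrumentation; they
 * are kept so the traced behaviour of the class does not change.
 */
public class CTVerifier {
    private final CTLogStore store;

    /**
     * Creates a verifier backed by the given log store.
     *
     * @param cTLogStore store used to look up a log by the log ID carried in each SCT
     */
    public CTVerifier(CTLogStore cTLogStore) {
        this.store = cTLogStore;
    }

    /**
     * Extracts the SCTs carried in a stapled OCSP response.
     *
     * @param ocspResponse raw OCSP response, or {@code null} when none was supplied
     * @param chain certificate chain; elements 0 and 1 are both passed to the native lookup
     * @return the decoded SCTs, or an empty list when the response is absent, the chain has
     *     fewer than two certificates, the extension is missing, or the extension is malformed
     */
    private List<SignedCertificateTimestamp> getSCTsFromOCSPResponse(byte[] ocspResponse, OpenSSLX509Certificate[] chain) {
        MethodBeat.i(80600);
        // The native lookup needs chain[0] and chain[1], so a single-certificate chain cannot
        // be processed.
        if (ocspResponse == null || chain.length < 2) {
            MethodBeat.o(80600);
            return Collections.emptyList();
        }
        byte[] extensionBytes = NativeCrypto.get_ocsp_single_extension(ocspResponse, CTConstants.OCSP_SCT_LIST_OID, chain[0].getContext(), chain[0], chain[1].getContext(), chain[1]);
        if (extensionBytes == null) {
            MethodBeat.o(80600);
            return Collections.emptyList();
        }
        try {
            // The SCT list is wrapped in two nested DER OCTET STRINGs.
            List<SignedCertificateTimestamp> scts = getSCTsFromSCTList(Serialization.readDEROctetString(Serialization.readDEROctetString(extensionBytes)), SignedCertificateTimestamp.Origin.OCSP_RESPONSE);
            MethodBeat.o(80600);
            return scts;
        } catch (SerializationException ignored) {
            // A malformed wrapper yields no SCTs rather than an error.
            MethodBeat.o(80600);
            return Collections.emptyList();
        }
    }

    /**
     * Decodes a serialized SCT list.
     *
     * @param sctListBytes serialized list, or {@code null}
     * @param origin where the list came from; stored on every decoded SCT
     * @return the SCTs that decoded successfully; empty when the input is {@code null} or the
     *     outer list cannot be read
     */
    private List<SignedCertificateTimestamp> getSCTsFromSCTList(byte[] sctListBytes, SignedCertificateTimestamp.Origin origin) {
        MethodBeat.i(80598);
        if (sctListBytes == null) {
            MethodBeat.o(80598);
            return Collections.emptyList();
        }
        try {
            byte[][] encodedScts = Serialization.readList(sctListBytes, 2, 2);
            List<SignedCertificateTimestamp> decoded = new ArrayList<SignedCertificateTimestamp>();
            for (byte[] encodedSct : encodedScts) {
                try {
                    decoded.add(SignedCertificateTimestamp.decode(encodedSct, origin));
                } catch (SerializationException ignored) {
                    // Deliberate best effort: one undecodable entry is skipped so the
                    // remaining entries are still returned. Skipped entries never reach the
                    // verification result.
                }
            }
            MethodBeat.o(80598);
            return decoded;
        } catch (SerializationException ignored) {
            MethodBeat.o(80598);
            return Collections.emptyList();
        }
    }

    /**
     * Decodes the SCT list delivered in the TLS extension.
     *
     * @param tlsData serialized SCT list, or {@code null}
     * @return the decoded SCTs, tagged with origin {@code TLS_EXTENSION}
     */
    private List<SignedCertificateTimestamp> getSCTsFromTLSExtension(byte[] tlsData) {
        MethodBeat.i(80599);
        List<SignedCertificateTimestamp> scts = getSCTsFromSCTList(tlsData, SignedCertificateTimestamp.Origin.TLS_EXTENSION);
        MethodBeat.o(80599);
        return scts;
    }

    /**
     * Extracts the SCTs embedded in a certificate's SCT-list extension.
     *
     * @param leaf certificate to read the extension from
     * @return the decoded SCTs, or an empty list when the extension is absent or malformed
     */
    private List<SignedCertificateTimestamp> getSCTsFromX509Extension(OpenSSLX509Certificate leaf) {
        MethodBeat.i(80601);
        byte[] extensionValue = leaf.getExtensionValue(CTConstants.X509_SCT_LIST_OID);
        if (extensionValue == null) {
            MethodBeat.o(80601);
            return Collections.emptyList();
        }
        try {
            // The SCT list is wrapped in two nested DER OCTET STRINGs.
            List<SignedCertificateTimestamp> scts = getSCTsFromSCTList(Serialization.readDEROctetString(Serialization.readDEROctetString(extensionValue)), SignedCertificateTimestamp.Origin.EMBEDDED);
            MethodBeat.o(80601);
            return scts;
        } catch (SerializationException ignored) {
            MethodBeat.o(80601);
            return Collections.emptyList();
        }
    }

    /**
     * Records every SCT in {@code scts} as {@code INVALID_SCT}.
     *
     * @param scts SCTs that could not be checked
     * @param result result object to append to
     */
    private void markSCTsAsInvalid(List<SignedCertificateTimestamp> scts, CTVerificationResult result) {
        MethodBeat.i(80597);
        for (SignedCertificateTimestamp sct : scts) {
            result.add(new VerifiedSCT(sct, VerifiedSCT.Status.INVALID_SCT));
        }
        MethodBeat.o(80597);
    }

    /**
     * Verifies SCTs that were embedded in the leaf certificate.
     *
     * <p>Reconstructed from the decompiler's instruction dump; the previous body only threw
     * {@link UnsupportedOperationException}, which made every call to
     * {@code verifySignedCertificateTimestamps} fail.
     *
     * <p>The precertificate entry is built from {@code chain[0]} and {@code chain[1]}. If the
     * chain is shorter than two certificates, or building the entry fails, all embedded SCTs
     * are recorded as {@code INVALID_SCT} instead of being skipped.
     *
     * @param scts SCTs read from the leaf certificate's extension
     * @param chain certificate chain, leaf first
     * @param result result object to append to
     */
    private void verifyEmbeddedSCTs(List<SignedCertificateTimestamp> scts, OpenSSLX509Certificate[] chain, CTVerificationResult result) {
        MethodBeat.i(80594);
        if (scts.isEmpty()) {
            MethodBeat.o(80594);
            return;
        }
        CertificateEntry precertEntry = null;
        if (chain.length >= 2) {
            try {
                precertEntry = CertificateEntry.createForPrecertificate(chain[0], chain[1]);
            } catch (CertificateException ignored) {
                // Handled below: without an entry the SCTs cannot be checked.
                precertEntry = null;
            }
        }
        if (precertEntry == null) {
            markSCTsAsInvalid(scts, result);
            MethodBeat.o(80594);
            return;
        }
        for (SignedCertificateTimestamp sct : scts) {
            result.add(new VerifiedSCT(sct, verifySingleSCT(sct, precertEntry)));
        }
        MethodBeat.o(80594);
    }

    /**
     * Verifies SCTs delivered outside the certificate (TLS extension or OCSP response).
     *
     * <p>If the certificate entry cannot be built, all SCTs in the list are recorded as
     * {@code INVALID_SCT}.
     *
     * @param scts SCTs to verify
     * @param leaf certificate the SCTs are expected to cover
     * @param result result object to append to
     */
    private void verifyExternalSCTs(List<SignedCertificateTimestamp> scts, OpenSSLX509Certificate leaf, CTVerificationResult result) {
        MethodBeat.i(80595);
        if (scts.isEmpty()) {
            MethodBeat.o(80595);
            return;
        }
        try {
            CertificateEntry x509Entry = CertificateEntry.createForX509Certificate(leaf);
            for (SignedCertificateTimestamp sct : scts) {
                result.add(new VerifiedSCT(sct, verifySingleSCT(sct, x509Entry)));
            }
            MethodBeat.o(80595);
        } catch (CertificateException ignored) {
            markSCTsAsInvalid(scts, result);
            MethodBeat.o(80595);
        }
    }

    /**
     * Checks one SCT against the log identified by its log ID.
     *
     * @param sct SCT to check
     * @param certEntry certificate entry the SCT is checked against
     * @return {@code UNKNOWN_LOG} when the store has no log for the SCT's log ID, otherwise the
     *     status returned by that log's own check
     */
    private VerifiedSCT.Status verifySingleSCT(SignedCertificateTimestamp sct, CertificateEntry certEntry) {
        MethodBeat.i(80596);
        CTLogInfo knownLog = this.store.getKnownLog(sct.getLogID());
        if (knownLog == null) {
            MethodBeat.o(80596);
            return VerifiedSCT.Status.UNKNOWN_LOG;
        }
        VerifiedSCT.Status status = knownLog.verifySingleSCT(sct, certEntry);
        MethodBeat.o(80596);
        return status;
    }

    /**
     * Converts the chain to {@link OpenSSLX509Certificate}s and verifies its SCTs.
     *
     * @param list certificate chain, leaf first
     * @param bArr SCT list from the TLS extension, or {@code null}
     * @param bArr2 stapled OCSP response, or {@code null}
     * @return the per-SCT verification outcomes
     * @throws CertificateEncodingException declared by the certificate conversion
     * @throws IllegalArgumentException if the chain is empty
     */
    public CTVerificationResult verifySignedCertificateTimestamps(List<X509Certificate> list, byte[] bArr, byte[] bArr2) throws CertificateEncodingException {
        MethodBeat.i(80592);
        OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[list.size()];
        int index = 0;
        for (X509Certificate certificate : list) {
            chain[index] = OpenSSLX509Certificate.fromCertificate(certificate);
            index++;
        }
        CTVerificationResult result = verifySignedCertificateTimestamps(chain, bArr, bArr2);
        MethodBeat.o(80592);
        return result;
    }

    /**
     * Verifies the SCTs from the TLS extension, the OCSP response and the leaf certificate.
     *
     * <p>The returned object only lists each SCT with its status; deciding whether the chain
     * is acceptable is left to the caller.
     *
     * @param openSSLX509CertificateArr certificate chain, leaf first; must not be empty
     * @param bArr SCT list from the TLS extension, or {@code null}
     * @param bArr2 stapled OCSP response, or {@code null}
     * @return the per-SCT verification outcomes
     * @throws CertificateEncodingException declared for callers; see the private helpers
     * @throws IllegalArgumentException if the chain is empty
     */
    public CTVerificationResult verifySignedCertificateTimestamps(OpenSSLX509Certificate[] openSSLX509CertificateArr, byte[] bArr, byte[] bArr2) throws CertificateEncodingException {
        MethodBeat.i(80593);
        if (openSSLX509CertificateArr.length == 0) {
            MethodBeat.o(80593);
            throw new IllegalArgumentException("Chain of certificates mustn't be empty.");
        }
        OpenSSLX509Certificate leaf = openSSLX509CertificateArr[0];
        CTVerificationResult result = new CTVerificationResult();
        verifyExternalSCTs(getSCTsFromTLSExtension(bArr), leaf, result);
        verifyExternalSCTs(getSCTsFromOCSPResponse(bArr2, openSSLX509CertificateArr), leaf, result);
        verifyEmbeddedSCTs(getSCTsFromX509Extension(leaf), openSSLX509CertificateArr, result);
        MethodBeat.o(80593);
        return result;
    }
}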
