package com.google.android.gms.org.conscrypt.ct;

import com.google.android.gms.org.conscrypt.NativeCrypto;
import com.google.android.gms.org.conscrypt.OpenSSLX509Certificate;
import com.google.android.gms.org.conscrypt.ct.SignedCertificateTimestamp;
import com.google.android.gms.org.conscrypt.ct.VerifiedSCT;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

/* loaded from: classes.dex */
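/**
 * Extracts Signed Certificate Timestamps (SCTs) from the three places this class reads them
 * from (a TLS extension payload, a stapled OCSP response, and an X.509 extension of the leaf
 * certificate) and checks each one against the logs held in a {@link CTLogStore}.
 *
 * <p>This class only records a per-SCT {@link VerifiedSCT.Status} in a
 * {@link CTVerificationResult}; no accept/reject decision is visible here.
 *
 * <p>Security-relevant behaviour to keep in mind when consuming the result:
 * <ul>
 *   <li>Missing or unparseable SCT data produces an empty list, not an error. An empty result
 *       therefore means "no usable SCTs were found", never "verification succeeded".</li>
 *   <li>An individual SCT that fails to decode is dropped and does not appear in the result at
 *       all (not even as {@code INVALID_SCT}).</li>
 *   <li>An SCT whose log ID is not in the store is reported as {@code UNKNOWN_LOG}.</li>
 * </ul>
 * NOTE(review): whatever enforces CT policy on top of this should count valid SCTs rather than
 * check for the absence of invalid ones. Confirm against the caller.
 */
public class CTVerifier {
    private final CTLogStore store;

    /**
     * @param cTLogStore source of known CT logs, looked up by the log ID carried in each SCT
     */
    public CTVerifier(CTLogStore cTLogStore) {
        this.store = cTLogStore;
    }

    /**
     * Reads the SCT list carried in the single-response extension of a stapled OCSP response.
     *
     * @param ocspData raw OCSP response, or {@code null} if none was stapled
     * @param chain certificate chain; the leaf and its issuer (indexes 0 and 1) are both needed
     *     to locate the extension
     * @return decoded SCTs tagged {@code OCSP_RESPONSE}; empty if data is missing, the chain has
     *     fewer than two certificates, or parsing fails
     */
    private List<SignedCertificateTimestamp> getSCTsFromOCSPResponse(
            byte[] ocspData, OpenSSLX509Certificate[] chain) {
        if (ocspData == null || chain.length < 2) {
            return Collections.emptyList();
        }
        byte[] extensionData = NativeCrypto.get_ocsp_single_extension(
                ocspData,
                CTConstants.OCSP_SCT_LIST_OID,
                chain[0].getContext(),
                chain[1].getContext());
        if (extensionData == null) {
            return Collections.emptyList();
        }
        try {
            // The extension value is an OCTET STRING wrapping a second OCTET STRING that holds
            // the serialized list, hence the two nested reads.
            byte[] sctList =
                    Serialization.readDEROctetString(Serialization.readDEROctetString(extensionData));
            return getSCTsFromSCTList(sctList, SignedCertificateTimestamp.Origin.OCSP_RESPONSE);
        } catch (SerializationException ignored) {
            // Best effort: a malformed extension is treated the same as an absent one.
            return Collections.emptyList();
        }
    }

    /**
     * Decodes a serialized SCT list.
     *
     * @param sctListData serialized list, or {@code null}
     * @param origin channel the list arrived on; recorded on every decoded SCT
     * @return the SCTs that decoded successfully; empty if {@code sctListData} is {@code null}
     *     or the list framing itself cannot be parsed
     */
    private List<SignedCertificateTimestamp> getSCTsFromSCTList(
            byte[] sctListData, SignedCertificateTimestamp.Origin origin) {
        if (sctListData == null) {
            return Collections.emptyList();
        }
        byte[][] encodedScts;
        try {
            // Both length arguments are the literal 2 in the decompiled code; presumably the
            // byte widths of the list-length and per-element length prefixes. Confirm against
            // Serialization.readList.
            encodedScts = Serialization.readList(sctListData, 2, 2);
        } catch (SerializationException ignored) {
            return Collections.emptyList();
        }
        List<SignedCertificateTimestamp> scts = new ArrayList<>();
        for (byte[] encodedSct : encodedScts) {
            try {
                scts.add(SignedCertificateTimestamp.decode(encodedSct, origin));
            } catch (SerializationException ignored) {
                // Deliberately skipped: one undecodable SCT must not discard the rest of the
                // list. The skipped entry is not reported in the verification result.
            }
        }
        return scts;
    }

    /**
     * Decodes the SCT list delivered in the TLS extension.
     *
     * @param tlsData raw extension payload, or {@code null}
     * @return decoded SCTs tagged {@code TLS_EXTENSION}; possibly empty
     */
    private List<SignedCertificateTimestamp> getSCTsFromTLSExtension(byte[] tlsData) {
        return getSCTsFromSCTList(tlsData, SignedCertificateTimestamp.Origin.TLS_EXTENSION);
    }

    /**
     * Reads the SCT list embedded in a certificate's X.509 extension.
     *
     * @param leaf certificate to inspect
     * @return decoded SCTs tagged {@code EMBEDDED}; empty if the extension is absent or malformed
     */
    private List<SignedCertificateTimestamp> getSCTsFromX509Extension(OpenSSLX509Certificate leaf) {
        byte[] extensionValue = leaf.getExtensionValue(CTConstants.X509_SCT_LIST_OID);
        if (extensionValue == null) {
            return Collections.emptyList();
        }
        try {
            // Same double OCTET STRING wrapping as in the OCSP case.
            byte[] sctList =
                    Serialization.readDEROctetString(Serialization.readDEROctetString(extensionValue));
            return getSCTsFromSCTList(sctList, SignedCertificateTimestamp.Origin.EMBEDDED);
        } catch (SerializationException ignored) {
            // Best effort: a malformed extension is treated the same as an absent one.
            return Collections.emptyList();
        }
    }

    /**
     * Records every SCT in {@code scts} as {@code INVALID_SCT}.
     *
     * @param scts SCTs that could not be checked
     * @param result collector the entries are added to
     */
    private void markSCTsAsInvalid(
            List<SignedCertificateTimestamp> scts, CTVerificationResult result) {
        for (SignedCertificateTimestamp sct : scts) {
            result.add(new VerifiedSCT(sct, VerifiedSCT.Status.INVALID_SCT));
        }
    }

    /**
     * Verifies SCTs that were embedded in the leaf certificate.
     *
     * <p>The decompiler could not emit this method and left a stub that always threw
     * {@link UnsupportedOperationException}, which made
     * {@link #verifySignedCertificateTimestamps} fail on every call. The body below is
     * reconstructed from the instruction dump the decompiler printed in its place.
     *
     * <p>The entry the SCTs are checked against is built with
     * {@code CertificateEntry.createForPrecertificate} from the leaf and its issuer, so a chain
     * with fewer than two certificates, or a failure to build the entry, causes every embedded
     * SCT to be recorded as {@code INVALID_SCT}.
     *
     * @param scts embedded SCTs; nothing happens if empty
     * @param chain certificate chain, leaf first
     * @param result collector the outcomes are added to
     */
    private void verifyEmbeddedSCTs(
            List<SignedCertificateTimestamp> scts,
            OpenSSLX509Certificate[] chain,
            CTVerificationResult result) {
        if (scts.isEmpty()) {
            return;
        }
        CertificateEntry precertEntry = null;
        if (chain.length >= 2) {
            try {
                precertEntry = CertificateEntry.createForPrecertificate(chain[0], chain[1]);
            } catch (CertificateException ignored) {
                // Leave the entry null; handled below together with the short-chain case.
            }
        }
        if (precertEntry == null) {
            markSCTsAsInvalid(scts, result);
            return;
        }
        for (SignedCertificateTimestamp sct : scts) {
            result.add(new VerifiedSCT(sct, verifySingleSCT(sct, precertEntry)));
        }
    }

    /**
     * Verifies SCTs that arrived outside the certificate (TLS extension or OCSP response).
     *
     * <p>If the certificate entry cannot be built, every SCT is recorded as {@code INVALID_SCT}.
     *
     * @param scts SCTs to check; nothing happens if empty
     * @param leaf certificate the entry is built from
     * @param result collector the outcomes are added to
     */
    private void verifyExternalSCTs(
            List<SignedCertificateTimestamp> scts,
            OpenSSLX509Certificate leaf,
            CTVerificationResult result) {
        if (scts.isEmpty()) {
            return;
        }
        CertificateEntry x509Entry;
        try {
            x509Entry = CertificateEntry.createForX509Certificate(leaf);
        } catch (CertificateException ignored) {
            markSCTsAsInvalid(scts, result);
            return;
        }
        for (SignedCertificateTimestamp sct : scts) {
            result.add(new VerifiedSCT(sct, verifySingleSCT(sct, x509Entry)));
        }
    }

    /**
     * Checks one SCT against the log identified by its log ID.
     *
     * @param sct SCT to check
     * @param certEntry entry the check is delegated with
     * @return {@code UNKNOWN_LOG} if the store has no log for the SCT's log ID, otherwise
     *     whatever the log's own {@code verifySingleSCT} returns
     */
    private VerifiedSCT.Status verifySingleSCT(
            SignedCertificateTimestamp sct, CertificateEntry certEntry) {
        CTLogInfo log = this.store.getKnownLog(sct.getLogID());
        if (log == null) {
            return VerifiedSCT.Status.UNKNOWN_LOG;
        }
        return log.verifySingleSCT(sct, certEntry);
    }

    /**
     * Verifies every SCT presented for a certificate chain, from all three channels.
     *
     * <p>The returned result may contain no entries at all if no SCT could be extracted; see
     * the class comment for how that should be interpreted.
     *
     * @param chain certificate chain, leaf first; must not be empty
     * @param tlsData SCT list from the TLS extension, or {@code null}
     * @param ocspData stapled OCSP response, or {@code null}
     * @return per-SCT verification outcomes
     * @throws IllegalArgumentException if {@code chain} is empty
     */
    public CTVerificationResult verifySignedCertificateTimestamps(
            OpenSSLX509Certificate[] chain, byte[] tlsData, byte[] ocspData) {
        if (chain.length == 0) {
            throw new IllegalArgumentException("Chain of certificates mustn't be empty.");
        }
        OpenSSLX509Certificate leaf = chain[0];
        CTVerificationResult result = new CTVerificationResult();
        verifyExternalSCTs(getSCTsFromTLSExtension(tlsData), leaf, result);
        verifyExternalSCTs(getSCTsFromOCSPResponse(ocspData, chain), leaf, result);
        verifyEmbeddedSCTs(getSCTsFromX509Extension(leaf), chain, result);
        return result;
    }
}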
