package com.digitalpower.app.base.util.integritycheck;

import android.annotation.TargetApi;
import androidx.media.session.a;
import com.digitalpower.app.platform.energyaccount.bean.ModifyUserInfoParam;
import d30.b;
import g40.u;
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CRLReason;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import k50.g0;
import k50.h0;
import k50.l2;
import k50.o0;
import k50.o2;
import k50.q2;
import k50.w0;
import kb0.c;
import kb0.m;
import org.bouncycastle.jce.provider.AnnotatedException;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import rj.e;
import u40.k;
import x20.i;
import x20.k0;
import z80.d0;
import z80.p;

/* loaded from: classes.dex */
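/**
 * Verifies a CMS signature file against a source file, using caller-supplied certificate and
 * CRL files as the only source of trust anchors.
 *
 * <p>This is decompiled, obfuscated code: the {@code k50.*}, {@code kb0.*}, {@code nb0.*},
 * {@code z80.*} and {@code u40.*} types are presumably repackaged BouncyCastle CMS/TSP/operator
 * classes, and {@code rj.e} is presumably the application logger. Confirm against the mapping
 * before relying on any description of those helpers below.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every self-issued certificate loaded through {@link #addCert} from {@code crtFiles}
 *       (or from certificates bundled in the CRL files) becomes a {@link TrustAnchor}. The
 *       integrity of those files is therefore the root of the whole check.</li>
 *   <li>Certificates embedded in the signature itself are only admitted as intermediates;
 *       self-issued ones are skipped in {@link #checkCertPath}.</li>
 *   <li>A signature without a time-stamp token is rejected; the time-stamp's time is used as
 *       the validation date for the signer's certificate path.</li>
 *   <li>Only the first signer entry of the CMS structure is verified.</li>
 *   <li>{@link #setCheckCRL(boolean) setCheckCRL(false)} turns off all revocation checking.</li>
 * </ul>
 *
 * <p>Instances hold mutable state and are not synchronized.
 */
public class CMSVerify {
    private static final String TAG = "CMSVerify";
    private String sigFile;
    private String srcFile;
    private final List<String> crtFiles = new ArrayList<>();
    // crtDatas / crlDatas are never populated anywhere in this class; the loops over them are
    // no-ops unless another (not visible) code path fills them.
    private final List<byte[]> crtDatas = new ArrayList<>();
    private final List<String> crlFiles = new ArrayList<>();
    private final List<byte[]> crlDatas = new ArrayList<>();
    private boolean checkCRL = true;
    // NOTE(review): keyed by serial number only. Serial numbers are unique per issuer, not
    // globally, so two unrelated certificates sharing a serial are reported as a conflict.
    private final Map<BigInteger, X509Certificate> certMap = new HashMap<>();
    // Newest CRL seen per issuer (see addCRL).
    private final Map<X500Principal, X509CRL> crlMap = new HashMap<>();
    // Trust anchors: self-issued certificates accepted by addCert.
    private final Set<TrustAnchor> crts = new HashSet<>();

    static {
        // NOTE(review): Security.addProvider does not install a provider whose name is already
        // registered. On Android a platform provider named "BC" normally exists, so the
        // getInstance(..., "BC") calls below may resolve to the platform's reduced provider
        // rather than this bundled one - confirm which implementation is actually used.
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * @param str path of the CMS signature file
     * @param str2 path of the signed source file
     * @param strArr certificate file paths, may be {@code null}
     * @param strArr2 CRL file paths, may be {@code null}
     */
    public CMSVerify(String str, String str2, String[] strArr, String[] strArr2) {
        this.sigFile = str;
        this.srcFile = str2;
        if (strArr != null) {
            this.crtFiles.addAll(Arrays.asList(strArr));
        }
        if (strArr2 != null) {
            this.crlFiles.addAll(Arrays.asList(strArr2));
        }
    }

    /** Records {@code x509crl}, keeping only the CRL with the latest thisUpdate per issuer. */
    private void addCRL(X509CRL x509crl) {
        e.h(TAG, "addCRL");
        X500Principal issuer = x509crl.getIssuerX500Principal();
        X509CRL known = this.crlMap.get(issuer);
        // An older or equally dated CRL never replaces the stored one.
        if (known == null || x509crl.getThisUpdate().after(known.getThisUpdate())) {
            this.crlMap.put(issuer, x509crl);
        }
    }

    /**
     * Validates and registers a certificate; self-issued certificates that pass the CA checks
     * are additionally promoted to trust anchors.
     *
     * @throws AnnotatedException if a helper check fails or a different certificate with the
     *     same serial number is already registered
     */
    private void addCert(X509Certificate x509Certificate) throws AnnotatedException {
        CMSVerifyUtil.getInstance().checkAlgAlgorithm(x509Certificate.getSigAlgOID());
        CMSVerifyUtil.getInstance().checkCertHaveKeyUsage(x509Certificate);
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        X509Certificate known = this.certMap.get(serialNumber);
        if (known != null) {
            if (known.equals(x509Certificate)) {
                return;
            }
            e.m(TAG, "Certificates has conflict");
            throw new AnnotatedException("Certificates has conflict.");
        }
        this.certMap.put(serialNumber, x509Certificate);
        if (CMSVerifyUtil.getInstance().isSelfIssued(x509Certificate)) {
            // Presumably index 5 of X509Certificate.getKeyUsage(), i.e. keyCertSign - confirm
            // in CMSVerifyUtil.checkKeyUsage.
            CMSVerifyUtil.getInstance().checkKeyUsage(x509Certificate, 5);
            CMSVerifyUtil.getInstance().checkBasicConstraints(x509Certificate);
            this.crts.add(new TrustAnchor(x509Certificate, null));
        }
    }

    /**
     * Builds a PKIX certification path from {@code x509Certificate} to one of the trust anchors.
     *
     * @param eVar certificates carried inside the CMS or time-stamp structure; only the ones
     *     that are not self-issued are added as candidate intermediates, so a signature cannot
     *     supply its own trust anchor
     * @param x509Certificate end-entity certificate to validate
     * @param date validation time, or {@code null} to leave the builder's default
     * @param str extended-key-usage OID passed to {@link ExtendedKeyUsagePropertyChecker}
     */
    private PKIXCertPathBuilderResult checkCertPath(nb0.e eVar, X509Certificate x509Certificate, Date date, String str) throws AnnotatedException, GeneralSecurityException {
        e.h(TAG, "checkCertPath");
        CMSVerifyUtil.getInstance().checkCertHaveKeyUsage(x509Certificate);
        // Presumably index 0 of getKeyUsage(), i.e. digitalSignature - confirm in CMSVerifyUtil.
        CMSVerifyUtil.getInstance().checkKeyUsage(x509Certificate, 0);
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setCertificate(x509Certificate);
        Iterator it = eVar.iterator();
        while (it.hasNext()) {
            X509Certificate coverte = CMSVerifyUtil.getInstance().coverte((k) it.next());
            if (!CMSVerifyUtil.getInstance().isSelfIssued(coverte)) {
                addCert(coverte);
            }
        }
        e.h(TAG, "checkCertPath builder");
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "BC");
        PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(this.crts, x509CertSelector);
        List<Object> certAndCRLs = getCertAndCRLs();
        pKIXBuilderParameters.setMaxPathLength(certAndCRLs.size());
        pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certAndCRLs), "BC"));
        pKIXBuilderParameters.addCertPathChecker(new ExtendedKeyUsagePropertyChecker(str));
        pKIXBuilderParameters.setRevocationEnabled(this.checkCRL);
        if (date != null) {
            pKIXBuilderParameters.setDate(date);
        }
        return (PKIXCertPathBuilderResult) certPathBuilder.build(pKIXBuilderParameters);
    }

    /**
     * Rejects a built path if any of its certificates is listed in a loaded CRL, regardless of
     * the revocation date, unless the reason is one of the three tolerated below.
     *
     * <p>An entry without a reason code ({@code getRevocationReason()} returns {@code null}) is
     * treated as revoked. {@code @TargetApi(24)} only silences lint; it does not guard the call
     * at runtime.
     *
     * @throws AnnotatedException if a certificate of the path is revoked for any other reason
     */
    @TargetApi(24)
    private void checkCertPathResult(PKIXCertPathBuilderResult pKIXCertPathBuilderResult) throws AnnotatedException {
        for (Certificate certificate : pKIXCertPathBuilderResult.getCertPath().getCertificates()) {
            X509Certificate x509Certificate = (X509Certificate) certificate;
            X509CRL cRLofcert = getCRLofcert(x509Certificate);
            if (cRLofcert == null) {
                continue;
            }
            X509CRLEntry revokedCertificate = cRLofcert.getRevokedCertificate(x509Certificate);
            e.h(TAG, "checkCertPathResult");
            if (revokedCertificate == null) {
                continue;
            }
            CRLReason revocationReason = revokedCertificate.getRevocationReason();
            // Policy: these reasons do not imply key compromise, so the entry is tolerated.
            boolean tolerated = revocationReason == CRLReason.AFFILIATION_CHANGED
                    || revocationReason == CRLReason.SUPERSEDED
                    || revocationReason == CRLReason.CESSATION_OF_OPERATION;
            if (!tolerated) {
                throw new AnnotatedException("Certificate has revoked。");
            }
        }
    }

    /**
     * Validates the time-stamp token attached to the signature and returns its time.
     *
     * <p>Checks the token's digest algorithm, builds the TSA certificate path at the token's
     * own time with the time-stamping EKU, applies {@link #checkCertPathResult} when CRL
     * checking is on, validates the token with the TSA certificate, and finally checks that the
     * token's message imprint matches {@code w0Var}.
     *
     * @param w0Var content the token must cover (the caller passes the signer's signature bytes
     *     wrapped in {@code g0} - presumably a byte-array CMSProcessable)
     * @param kVar the time-stamp token
     * @return the time carried by the token
     */
    private Date checkTimeStamp(w0 w0Var, kb0.k kVar) throws AnnotatedException, IOException, d0, c, k50.d0, GeneralSecurityException {
        String str = TAG;
        e.h(str, "checkTimeStamp");
        nb0.e eVar = (nb0.e) kVar.c();
        m i11 = kVar.i();
        CMSVerifyUtil.getInstance().checkAlgAlgorithm(i11.f().W().R0());
        k signCert = getSignCert(eVar, kVar.f());
        Date d11 = i11.d();
        PKIXCertPathBuilderResult checkCertPath = checkCertPath(eVar, CMSVerifyUtil.getInstance().coverte(signCert), d11, ExtendedKeyUsagePropertyChecker.TIMESTAMPING_OID);
        e.h(str, "checkTimeStamp:" + d11.toString());
        if (this.checkCRL) {
            checkCertPathResult(checkCertPath);
        }
        q2 genVerifier = CMSVerifyUtil.getInstance().genVerifier(signCert);
        kVar.m(genVerifier);
        verifyTSPMatchCMS(genVerifier, w0Var, kVar);
        return d11;
    }

    /**
     * Returns the first loaded CRL that lists {@code x509Certificate} as revoked, or
     * {@code null} if none does (or the argument is {@code null}).
     */
    private X509CRL getCRLofcert(X509Certificate x509Certificate) {
        e.h(TAG, "getCRLofcert");
        if (x509Certificate == null) {
            return null;
        }
        // NOTE(review): CRLs are not selected by issuer here; this relies on
        // X509CRL.getRevokedCertificate(X509Certificate) itself comparing issuers - confirm for
        // the provider's CRL implementation.
        for (X509CRL value : this.crlMap.values()) {
            if (value.getRevokedCertificate(x509Certificate) != null) {
                return value;
            }
        }
        return null;
    }

    /** Returns every registered certificate followed by every registered CRL, for the CertStore. */
    private ArrayList<Object> getCertAndCRLs() {
        e.h(TAG, "getCertAndCRLs");
        ArrayList<Object> arrayList = new ArrayList<>(this.certMap.size() + this.crlMap.size());
        arrayList.addAll(this.certMap.values());
        arrayList.addAll(this.crlMap.values());
        return arrayList;
    }

    /**
     * Finds the certificate identified by {@code l2Var}: first among the certificates carried in
     * the structure, then among the registered certificates by serial number.
     *
     * @throws GeneralSecurityException if no certificate matches (previously this surfaced as a
     *     {@code NullPointerException})
     */
    private k getSignCert(nb0.e eVar, l2 l2Var) throws GeneralSecurityException, IOException {
        e.h(TAG, "getSignCert");
        Iterator it = eVar.getMatches(l2Var).iterator();
        if (it.hasNext()) {
            return (k) it.next();
        }
        X509Certificate known = this.certMap.get(l2Var.b());
        if (known == null) {
            e.m(TAG, "getSignCert signer certificate not found");
            throw new GeneralSecurityException("Signer certificate not found.");
        }
        return new k(known.getEncoded());
    }

    /**
     * Builds the verifier for one signer after validating its time-stamp and certificate path.
     *
     * <p>The signature must carry a time-stamp token in its unsigned attributes
     * ({@code u.J3} is presumably the signature-time-stamp-token attribute OID); its time is
     * the validation date for the signer's path, checked with the code-signing EKU.
     *
     * <p>NOTE(review): unlike the TSA path, the signer's path result is not passed to
     * {@link #checkCertPathResult}, so a signer certificate revoked after the time-stamp's time
     * appears to be accepted whatever the reason - confirm this is the intended policy.
     *
     * @throws AnnotatedException if the signature has no time-stamp or a check fails
     */
    private q2 getVerifier(o2 o2Var, o0 o0Var) throws GeneralSecurityException, AnnotatedException, k50.d0, d0, c, IOException {
        Date date;
        k0 Y;
        i O0;
        String str = TAG;
        e.h(str, "getVerifier");
        CMSVerifyUtil.getInstance().checkAlgAlgorithm(o2Var.g());
        b r11 = o2Var.r();
        // NOTE(review): if r11.d(u.J3) can return null (attribute table present but without the
        // time-stamp attribute) the chained .Y() throws NullPointerException instead of the
        // "does not have time stamp" error below - confirm against the helper's contract.
        if (r11 == null || (Y = r11.d(u.J3).Y()) == null || (O0 = Y.O0(0)) == null) {
            date = null;
        } else {
            e.h(str, "getVerifier AttributeTable");
            date = checkTimeStamp(new g0(o2Var.n()), new kb0.k(new o0(O0.r().getEncoded())));
        }
        if (date == null) {
            e.m(str, "CMS signature does not have time stamp");
            throw new AnnotatedException("CMS signature does not have time stamp.");
        }
        nb0.e eVar = (nb0.e) o0Var.d();
        k signCert = getSignCert(eVar, o2Var.m());
        checkCertPath(eVar, CMSVerifyUtil.getInstance().coverte(signCert), date, ExtendedKeyUsagePropertyChecker.CODESIGNING_OID);
        return CMSVerifyUtil.getInstance().genVerifier(signCert);
    }

    /**
     * Reads every configured CRL source and registers the CRLs and any certificates the helper
     * returns alongside them. Those certificates go through {@link #addCert} and can therefore
     * become trust anchors as well.
     */
    private void loadCRL() throws GeneralSecurityException, IOException, AnnotatedException {
        // Left as raw lists: the parameter types of CMSVerifyUtil.readCRLs/readCRLBuf are not
        // visible here.
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        e.u(TAG, a.a(this.crlFiles, new StringBuilder("loadCRL size:")));
        for (String crlFile : this.crlFiles) {
            CMSVerifyUtil.getInstance().readCRLs(crlFile, arrayList, arrayList2);
        }
        for (byte[] crlData : this.crlDatas) {
            CMSVerifyUtil.getInstance().readCRLBuf(crlData, arrayList, arrayList2);
        }
        for (Object crl : arrayList) {
            addCRL((X509CRL) crl);
        }
        for (Object cert : arrayList2) {
            addCert((X509Certificate) cert);
        }
        e.h(TAG, "loadCRL end");
    }

    /** Reads every configured certificate source and registers it through {@link #addCert}. */
    private void loadCert() throws GeneralSecurityException, IOException, AnnotatedException {
        // Fixed: this used to log the size of crlFiles. a.a(...) is a compiler-generated helper
        // that presumably appends the list size to the builder.
        e.u(TAG, a.a(this.crtFiles, new StringBuilder("loadCert size:")));
        for (String crtFile : this.crtFiles) {
            addCert(CMSVerifyUtil.getInstance().readCert(crtFile));
        }
        for (byte[] crtData : this.crtDatas) {
            addCert(CMSVerifyUtil.getInstance().readCertBuf(crtData));
        }
    }

    /**
     * Checks that the time-stamp token's message imprint equals the digest of {@code w0Var}
     * computed with the imprint's own algorithm.
     *
     * <p>Fixed: the decompiled condition accepted only a {@code null} digest, which rejected
     * every real time-stamp and could accept one when both values were absent. The digest must
     * now be present and equal to the imprint. {@code nb0.a.I} is presumably a byte-array
     * equality helper - confirm that it is the constant-time variant.
     *
     * @throws AnnotatedException if no digest could be computed or it differs from the imprint
     */
    private void verifyTSPMatchCMS(q2 q2Var, w0 w0Var, kb0.k kVar) throws AnnotatedException, d0, k50.d0, IOException {
        byte[] digest = null;
        if (w0Var != null) {
            p calculator = q2Var.c(kVar.i().f());
            OutputStream out = calculator.b();
            e.m(TAG, "verifyTSPMatchCMS");
            if (out != null) {
                try {
                    w0Var.i(out);
                    digest = calculator.getDigest();
                } finally {
                    try {
                        out.close();
                    } catch (IOException unused) {
                        // Best effort: a failed close must not mask the verification outcome.
                        e.m(TAG, "Close output stream failed");
                    }
                }
            }
        }
        // Fail closed: a missing digest is a mismatch.
        if (digest != null && nb0.a.I(digest, kVar.i().h())) {
            return;
        }
        e.m(TAG, "MessageImprint digest value does not match calculated value");
        throw new AnnotatedException("MessageImprint digest value does not match calculated value.");
    }

    public String getSigFile() {
        return this.sigFile;
    }

    /**
     * Clears all configured inputs and cached state and re-enables CRL checking. The signature
     * and source paths are {@code null} afterwards and must be set again before {@link #verify}.
     */
    public void reSet() {
        this.crtFiles.clear();
        this.crtDatas.clear();
        this.crlFiles.clear();
        this.crlDatas.clear();
        this.certMap.clear();
        this.crlMap.clear();
        this.crts.clear();
        this.checkCRL = true;
        this.sigFile = null;
        this.srcFile = null;
    }

    /**
     * Enables or disables revocation checking. With {@code false}, no CRL is loaded, the PKIX
     * builder runs with revocation disabled and {@link #checkCertPathResult} is skipped, so a
     * revoked signer or TSA certificate is accepted.
     */
    public void setCheckCRL(boolean z11) {
        this.checkCRL = z11;
    }

    public void setSigFile(String str) {
        this.sigFile = str;
    }

    public void setSrcFile(String str) {
        this.srcFile = str;
    }

    /**
     * Runs the full verification of {@code srcFile} against {@code sigFile}.
     *
     * <p>Cached certificates, CRLs and trust anchors are rebuilt on every call. Only the first
     * signer entry is examined; further signers are ignored.
     *
     * @return the result of the signer's signature verification
     * @throws AnnotatedException if an input cannot be read, the signature has no signer or no
     *     time-stamp, or a policy check fails; I/O failures are wrapped with their cause
     */
    public boolean verify() throws GeneralSecurityException, AnnotatedException, k50.d0, d0, c, IOException {
        String str = TAG;
        // The decompiler substituted an unrelated constant here; its value is presumably the
        // original log literal.
        e.u(str, ModifyUserInfoParam.RESET_TYPE_VERIFY_CODE);
        this.certMap.clear();
        this.crlMap.clear();
        this.crts.clear();
        byte[] readPEM;
        try {
            // Try PEM first, then fall back to the raw file content.
            readPEM = CMSVerifyUtil.getInstance().readPEM(this.sigFile);
            if (readPEM == null) {
                readPEM = CMSVerifyUtil.getInstance().readbuf(this.sigFile);
            }
        } catch (IOException e13) {
            e.m(TAG, "verify IOException:" + e13.toString());
            throw new AnnotatedException("Read signature file fail.", e13);
        }
        try {
            loadCert();
            if (this.checkCRL) {
                try {
                    loadCRL();
                } catch (IOException e11) {
                    e.h(TAG, "ex.getMessage = " + e11.getMessage() + " ex = " + e11);
                    throw new AnnotatedException("Read CRL files fail.", e11);
                }
            }
            e.u(str, ModifyUserInfoParam.RESET_TYPE_VERIFY_CODE + this.checkCRL);
            o0 o0Var = new o0(new h0(new File(this.srcFile)), readPEM);
            Iterator<o2> it = o0Var.k().iterator();
            if (it.hasNext()) {
                o2 next = it.next();
                return next.w(getVerifier(next, o0Var));
            }
            e.u(str, "verifyCMS signature does not have signer information");
            throw new AnnotatedException("CMS signature does not have signer information.");
        } catch (IOException e12) {
            // Also reached for I/O failures while parsing the signature or reading the source
            // file, although the message only mentions certificate files.
            e.h(TAG, "ex.getMessage = " + e12.getMessage() + " ex = " + e12);
            throw new AnnotatedException("Read certificate files fail.", e12);
        }
    }
}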
