package com.rsa.cryptoj.o;

import com.rsa.crypto.ParamNames;
import com.rsa.jsafe.cert.Attribute;
import com.rsa.jsafe.cms.CMSException;
import com.rsa.jsafe.cms.SignedDataDecoder;
import com.rsa.jsafe.cms.SignerInfo;
import com.rsa.jsafe.provider.JsafeJCE;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertStoreParameters;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/rsa/cryptoj/o/ct.class */
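/**
 * Decoder for a CMS {@code SignedData} structure that also verifies signer infos.
 *
 * <p>This is decompiled, name-obfuscated code: most collaborators ({@code ir}, {@code nj},
 * {@code my}, {@code jg}, {@code ng}, {@code ih}, ...) and the inherited fields
 * ({@code this.a} .. {@code this.j}) are declared elsewhere, so their exact semantics are
 * inferred from how they are used here and are hedged in the comments below.
 *
 * <p>Parsing happens in two phases: the constructor reads the header up to the encapsulated
 * content, and {@link #e()} reads the trailer (certificates, CRLs, signer infos) once the
 * content wrapper invokes the {@link Closeable} created by {@link #d()}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Certificates and CRLs embedded in the message are untrusted input; they are added to
 *       the candidate pool used to locate the signer certificate.</li>
 *   <li>{@link #verify(SignerInfo, CertStore)} performs no certification-path validation at
 *       all. Use the four-argument overload with a trust store to establish trust.</li>
 *   <li>{@code verify} returns {@code true} for a message without encapsulated content; that
 *       result does not mean any content was signed.</li>
 *   <li>The failure reason is per-instance state that every {@code verify} call resets, so
 *       concurrent {@code verify} calls on one decoder would overwrite each other's reason.</li>
 * </ul>
 */
public final class ct extends SignedDataDecoder {
    private static final String k = "RSAPSS";
    private static final String l = "RSA";
    // Reason recorded by the most recent verify call; returned by getReason().
    private String m;

    /**
     * Creates the decoder and immediately parses the SignedData header.
     *
     * @param inputStream  forwarded to the superclass (presumably the encoded CMS message)
     * @param inputStream2 forwarded to the superclass (presumably detached content, may be null)
     * @param gcVar        forwarded to the superclass (project type, meaning not visible here)
     * @throws IOException if the header is malformed or uses an unsupported version
     */
    public ct(InputStream inputStream, InputStream inputStream2, gc gcVar) throws IOException {
        super(inputStream, inputStream2, gcVar);
        b();
    }

    /**
     * Parses the SignedData header: outer sequence, version, digest algorithm identifiers and
     * the EncapsulatedContentInfo content type, then sets up the content stream.
     *
     * @throws IOException if a tag is unexpected, the version exceeds 5, or the encoding is invalid
     */
    private void b() throws IOException {
        try {
            if (!h()) {
                throw new CMSException("Unable to decode: Expected next sequence tag SignedData");
            }
            a("CMSVersion", true);
            mx mxVar = (mx) ir.a((pp) ek.a, this.d);
            if (mxVar.e() > 5) {
                throw new CMSException("Unable to decode: Unsupported SignedData version " + mxVar.e());
            }
            List<String> c = c();
            b("EncapsulatedContentInfo");
            a("EncapsulatedContent", true);
            // Content type of the encapsulated content; compared with br.b when signer infos are read.
            this.g = (pt) ir.a((pp) fb.a, this.d);
            a(c);
        } catch (ey e) {
            throw new CMSException("Could not decode data, invalid encoding encountered." + e.getMessage());
        }
    }

    /**
     * Reads the DigestAlgorithmIdentifiers set.
     *
     * @return one entry per identifier, as produced by {@code ai.c()} (presumably algorithm names)
     * @throws IOException if the set tag is missing or decoding fails
     */
    private List<String> c() throws IOException {
        c("DigestAlgorithmIdentifiers");
        ArrayList arrayList = new ArrayList();
        nj a = ir.a("DigestAlgorithmIdentifiers", this.d);
        int a2 = a.a();
        for (int i = 0; i < a2; i++) {
            arrayList.add(new ai(a.a(i)).c());
        }
        return arrayList;
    }

    /**
     * Chooses the content wrapper stored in {@code this.h}.
     *
     * <p>Three cases: a separate stream in {@code this.f} (presumably detached content), no
     * eContent element at all ({@code ih} placeholder), or eContent carried inside the message
     * under explicit tag 0.
     *
     * @param list digest algorithm entries handed to the content wrapper
     * @throws IOException if eContent is present but not tagged with explicit 0
     */
    private void a(List<String> list) throws IOException {
        if (this.f != null) {
            this.h = new ng(this.f, list, d(), this.e);
            return;
        }
        if (!this.d.a()) {
            this.h = new ih(d());
        } else {
            if (!a(0)) {
                throw new IOException("Unable to decode: Expected explicit tag value 0 for tag eContent.");
            }
            a("eContent", true);
            this.h = new ng(new gi(this.d, d()), list, (Closeable) null, this.e);
        }
    }

    /**
     * Builds the callback that parses the trailer.
     *
     * @return a {@link Closeable} whose {@code close()} runs {@link #e()}; it is handed to the
     *     content wrapper, which presumably calls it when the content stream is closed
     */
    private Closeable d() {
        return new Closeable() { // from class: com.rsa.cryptoj.o.ct.1
            @Override // java.io.Closeable, java.lang.AutoCloseable
            public void close() throws IOException {
                ct.this.e();
            }
        };
    }

    /**
     * Parses everything after the content: end markers, the optional certificate set, the
     * optional revocation info, the signer infos, and the end of SignedData. Rejects any byte
     * that follows the structure and then closes the underlying stream.
     *
     * @throws IOException if the trailer is malformed or trailing data is present
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void e() throws IOException {
        try {
            if (this.f == null && !(this.h instanceof ih)) {
                a("End eContent explicit 0", false);
            }
            if (!(this.h instanceof ih)) {
                a("End EncapsulatedContentInfo", false);
            }
            a("CertificateSet", true);
            if (f()) {
                a("RevocationInfoChoices", true);
            }
            a(g());
            a("End SignedData", false);
            // Anything after the SignedData structure is treated as a decoding error.
            if (this.c.read() != -1) {
                throw new CMSException("Unexpected value.");
            }
            this.c.close();
        } catch (ey e) {
            throw new CMSException("Could not decode data, invalid encoding encountered." + e.getMessage());
        }
    }

    /**
     * Reads the optional certificate set (context tag 0) into {@code this.b}.
     *
     * <p>Only elements whose tag value is 16 are decoded as certificates; other choices are
     * skipped without error. These certificates come from the message and are untrusted.
     *
     * @return {@code true} if a certificate set was present
     * @throws IOException if a certificate cannot be decoded
     */
    private boolean f() throws IOException {
        if (!a(0)) {
            return false;
        }
        nj a = ir.a(bn.a.b("CertificateSet").f(ir.c(0)), this.d);
        int a2 = a.a();
        for (int i = 0; i < a2; i++) {
            nj a3 = a.a(i);
            if (a3.g().d() == 16) {
                try {
                    this.b.add(cd.a(this.e, ak.a, ByteBuffer.wrap(((oo) a3).e())));
                } catch (CertificateException e) {
                    throw new CMSException(e);
                }
            }
        }
        return true;
    }

    /**
     * Reads the optional revocation info (context tag 1) into {@code this.j}.
     *
     * <p>Elements tagged with {@code ir.c(1)} are skipped; every other element is decoded as a
     * CRL. These CRLs come from the message and are untrusted.
     *
     * @return {@code true} if revocation info was present
     * @throws IOException if a CRL cannot be decoded
     */
    private boolean g() throws IOException {
        if (!a(1)) {
            return false;
        }
        nj a = ir.a(bn.a.b("RevocationInfoChoices").f(ir.c(1)), this.d);
        int a2 = a.a();
        for (int i = 0; i < a2; i++) {
            nj a3 = a.a(i);
            if (a3.g().d() != ir.c(1)) {
                try {
                    this.j.add(ef.a(this.e, ak.a, ByteBuffer.wrap(((oo) a3).e())));
                } catch (CRLException e) {
                    throw new CMSException(e);
                }
            }
        }
        return true;
    }

    /**
     * Reads the SignerInfos set and appends one {@code my} entry per signer to {@code this.a}.
     *
     * @param z whether the decoder is expected to report a pending element before the set
     *     (the caller passes the result of the revocation-info read)
     * @throws IOException if signer infos accompany an empty eContent, a version is illegal, or
     *     signed attributes are missing for a content type other than {@code br.b}
     */
    private void a(boolean z) throws IOException {
        mx mxVar;
        if (z) {
            a("SignerInfos", true);
        }
        nj a = ir.a(bn.a.b("SignerInfos"), this.d);
        int a2 = a.a();
        if ((this.h instanceof ih) && a2 > 0) {
            throw new IOException("Unable to decode: SignerInfo found with empty eContent.");
        }
        for (int i = 0; i < a2; i++) {
            nj a3 = a.a(i);
            int e = ((mx) a3.a(ParamNames.VERSION)).e();
            jg b = b(a3);
            a(e, b);
            ai aiVar = new ai(a3.a("digestAlgorithm"));
            Attribute[] a4 = a(a3, "signedAttrs");
            byte[] bArr = null;
            byte[] bArr2 = null;
            if (a4.length > 0) {
                nj a5 = a3.a("signedAttrs");
                // Encoding of the signed attributes under tag 17 (the value i() treats as the
                // set tag); presumably the bytes the signature is computed over. TODO confirm.
                bArr = ir.c(a5.e(17));
                // Value of the attribute matching br.i, later compared with the computed digest.
                bArr2 = a(a5);
            } else if (!this.g.equals(br.b)) {
                throw new CMSException("Signed attributes expected for contentTypes other than DATA. No signed attributes were present");
            }
            ai aiVar2 = new ai(a3.a("signatureAlgorithm"));
            byte[] b2 = aiVar2.b();
            PSSParameterSpec pSSParameterSpec = null;
            // NOTE(review): only saltLength is read from RSASSA-PSS-params. The one-argument
            // PSSParameterSpec constructor fills the hash and mask-generation fields with its
            // defaults, so confirm that the verifier takes the digest from the algorithm name
            // rather than from this spec.
            if (b2 != null && jn.a(aiVar2.d(), b2).endsWith("RSAPSS") && (mxVar = (mx) ir.a("RSASSA-PSS-params", b2, 0).a("saltLength")) != null) {
                pSSParameterSpec = new PSSParameterSpec(mxVar.e());
            }
            this.a.add(new my(e, b, aiVar, a4, bArr, ((mw) a3.a("signature")).d(), aiVar2, pSSParameterSpec, a(a3, "unsignedAttrs"), bArr2));
        }
    }

    /**
     * Finds the attribute whose type equals {@code br.i} and returns its decoded value.
     *
     * @param njVar the signed attributes
     * @return the attribute value bytes (presumably the message digest), or {@code null} if the
     *     attribute is absent
     * @throws CMSException declared by the signature; decoding errors from helpers may surface
     */
    private byte[] a(nj njVar) throws CMSException {
        for (int i = 0; i < njVar.a(); i++) {
            nj a = njVar.a(i);
            if (a.a(0).toString().equals(br.i)) {
                return ((mw) ir.a((pp) fp.a, ((oo) a.a(1).a(0)).e())).b();
            }
        }
        return null;
    }

    /**
     * Decodes the signer identifier ({@code sid}) of a SignerInfo.
     *
     * @param njVar the SignerInfo
     * @return an identifier built either from raw bytes (presumably a subject key identifier)
     *     or from issuer name plus serial number
     */
    private jg b(nj njVar) {
        jg jgVar;
        nj a = njVar.a("sid");
        if (ir.f(a.g().g()) == 0) {
            jgVar = new jg(((mw) a).b());
        } else {
            jgVar = new jg(new X500Principal(ir.a(a.a("issuer"))), ((mx) a.a("serialNumber")).b());
        }
        return jgVar;
    }

    /**
     * Checks that the SignerInfo version matches the identifier form: 3 when {@code jg.a()} is
     * true, 1 otherwise.
     *
     * @param i     the SignerInfo version
     * @param jgVar the decoded signer identifier
     * @throws CMSException if the combination is not allowed
     */
    private void a(int i, jg jgVar) throws CMSException {
        if ((jgVar.a() && i != 3) || (!jgVar.a() && i != 1)) {
            throw new CMSException("Unable to decode: Illegal SignerInfo version " + i);
        }
    }

    /**
     * Returns the attributes stored under the given field of a SignerInfo.
     *
     * @param njVar the SignerInfo
     * @param str   field name, {@code "signedAttrs"} or {@code "unsignedAttrs"}
     * @return the decoded attributes, or an empty array when the field is absent
     * @throws CMSException if the attributes cannot be converted
     */
    private Attribute[] a(nj njVar, String str) throws CMSException {
        nj a = njVar.a(str);
        return a == null ? new Attribute[0] : km.a(a);
    }

    /**
     * Verifies the signature of one signer WITHOUT validating the signer certificate.
     *
     * <p>No trust store is passed on, so no certification path is built. The signer certificate
     * is taken from {@code certStore} and from the certificates embedded in the message, which
     * means a {@code true} result only shows that the signature matches some available
     * certificate, not that the signer is trusted.
     *
     * @param signerInfo the signer to check; must be an entry produced by this decoder
     * @param certStore  additional certificates and CRLs, may be {@code null}
     * @return {@code true} if the signature verifies
     * @throws CMSException if verification cannot be carried out
     */
    @Override // com.rsa.jsafe.cms.SignedDataDecoder
    public boolean verify(SignerInfo signerInfo, CertStore certStore) throws CMSException {
        this.m = null;
        return a((my) signerInfo, (CertStore) null, certStore, false);
    }

    /**
     * Verifies the signature of one signer and builds a certification path from the signer
     * certificate to the supplied trust store.
     *
     * @param signerInfo the signer to check; must be an entry produced by this decoder
     * @param certStore  trust store whose certificates become trust anchors; must not be null
     * @param certStore2 additional certificates and CRLs, may be {@code null}
     * @param z          whether revocation checking is enabled for path building
     * @return {@code true} if the signature verifies and a path can be built
     * @throws CMSException             if verification cannot be carried out
     * @throws IllegalArgumentException if {@code certStore} is null
     */
    @Override // com.rsa.jsafe.cms.SignedDataDecoder
    public boolean verify(SignerInfo signerInfo, CertStore certStore, CertStore certStore2, boolean z) throws CMSException {
        this.m = null;
        if (certStore != null) {
            return a((my) signerInfo, certStore, certStore2, z);
        }
        this.m = "Trust store cannot be null.";
        throw new IllegalArgumentException("Trust store cannot be null.");
    }

    /**
     * Shared implementation of both {@code verify} overloads.
     *
     * <p>Steps: require that the content stream has been closed, collect candidate certificates
     * and CRLs (caller-supplied plus message-embedded), obtain the computed content digest,
     * compare it with the signed message-digest attribute when signed attributes exist, verify
     * the signature with the matching certificate's public key, and finally validate that
     * certificate against the trust store when one was given.
     *
     * <p>A message without encapsulated content returns {@code true} before the signer info is
     * examined; the parser rejects signer infos in that case, so there is nothing to check.
     *
     * @param myVar      the signer info to verify
     * @param certStore  trust store, or {@code null} to skip path validation
     * @param certStore2 additional certificates and CRLs, may be {@code null}
     * @param z          whether revocation checking is enabled for path building
     * @return {@code true} if the signature (and, with a trust store, the path) checks out
     * @throws CMSException if the content is still open, the digest is unavailable or does not
     *     match, or any step of the verification fails with an exception
     */
    private boolean a(my myVar, CertStore certStore, CertStore certStore2, boolean z) throws CMSException {
        List<X509Certificate> arrayList;
        List<X509CRL> arrayList2;
        String str;
        String str2;
        if (this.h.a()) {
            this.m = "The content stream has not been closed.";
            throw new CMSException(this.m);
        }
        if (this.h instanceof ih) {
            return true;
        }
        if (myVar == null) {
            this.m = "Signer info cannot be null.";
            throw new IllegalArgumentException(this.m);
        }
        if (certStore2 != null) {
            try {
                Collection<? extends Certificate> certificates = certStore2.getCertificates(new X509CertSelector());
                Collection<? extends CRL> cRLs = certStore2.getCRLs(new X509CRLSelector());
                // Caller-supplied entries first, then the untrusted ones embedded in the message.
                arrayList = new ArrayList((Collection<? extends X509Certificate>) certificates);
                arrayList.addAll(this.b);
                arrayList2 = new ArrayList((Collection<? extends X509CRL>) cRLs);
                arrayList2.addAll(this.j);
            } catch (CertStoreException e) {
                this.m = e.getMessage();
                throw new CMSException(this.m);
            }
        } else {
            arrayList = this.b;
            arrayList2 = this.j;
        }
        byte[] i = myVar.i();
        CertStore a = a(arrayList, arrayList2);
        String e2 = myVar.e();
        byte[] a2 = ((ng) this.h).a(myVar.e());
        if (a2 == null) {
            this.m = "Could not verify signer, digest algorithm " + e2 + " is not supported";
            throw new CMSException(this.m);
        }
        String str3 = "";
        boolean endsWith = myVar.g().endsWith("RSAPSS");
        if (endsWith) {
            str = "RSAPSS";
            str3 = "with" + e2;
        } else {
            str = myVar.f();
        }
        if (myVar.getSignedAttributes().length <= 0) {
            // No signed attributes: the signature covers the content digest directly.
            if (myVar.f().equals("RSA") && !endsWith) {
                try {
                    // Re-encodes the digest through the helper for this digest algorithm
                    // (presumably the DigestInfo wrapping used by plain RSA signatures).
                    bs b = da.b(e2, this.e, ak.a);
                    byte[] bArr = new byte[b.a()];
                    b.a(a2, 0, bArr, 0);
                    a2 = bArr;
                } catch (NoSuchAlgorithmException ignored) {
                    // Best effort: keep the unwrapped digest and let the signature check below
                    // decide. NOTE(review): this hides an unsupported-algorithm condition behind
                    // a generic verification failure.
                }
            }
            str2 = "NONEwith" + str + str3;
        } else {
            if (!Arrays.equals(a2, myVar.j())) {
                // Record the reason so getReason() is populated on this failure path as well.
                this.m = "Signer verification failed: signed message digest attribute did not match computed message digest.";
                throw new CMSException(this.m);
            }
            // With signed attributes the signature is checked over myVar.h() instead of the
            // content digest (presumably the encoded signed attributes).
            a2 = myVar.h();
            str2 = e2 + "with" + str;
        }
        k verifier = null;
        try {
            verifier = da.c(str2, this.e, ak.a);
            X509Certificate a3 = a(myVar, arrayList);
            verifier.engineInitVerify(a3.getPublicKey());
            if (endsWith) {
                AlgorithmParameterSpec k2 = myVar.k();
                if (k2 != null) {
                    verifier.setParameter(k2);
                }
            }
            verifier.engineUpdate(a2, 0, a2.length);
            if (!verifier.engineVerify(i)) {
                this.m = "Signature on CMS Message did not verify.";
                return false;
            }
            return a(a3, certStore, a, z);
        } catch (Exception e4) {
            this.m = "Signer verification failed: " + e4;
            throw new CMSException(this.m);
        } finally {
            // Released in finally so the engine is also cleaned up when verification throws.
            if (verifier != null) {
                verifier.c();
            }
        }
    }

    /**
     * Picks the first certificate that the signer identifier matches.
     *
     * @param myVar the signer info
     * @param list  candidate certificates, including untrusted ones from the message
     * @return the matching certificate
     * @throws CMSException if no candidate matches
     */
    private X509Certificate a(my myVar, List<X509Certificate> list) throws CMSException {
        jg b = myVar.b();
        for (X509Certificate x509Certificate : list) {
            if (b.a(x509Certificate)) {
                return x509Certificate;
            }
        }
        throw new CMSException("Unable to find certificate to verify signature.");
    }

    /**
     * Wraps the candidate certificates and CRLs in a {@code Collection} cert store.
     *
     * @param list  candidate certificates
     * @param list2 candidate CRLs
     * @return a cert store backed by a new {@link JsafeJCE} provider instance
     * @throws CMSException if the store cannot be created
     */
    private CertStore a(List<X509Certificate> list, List<X509CRL> list2) throws CMSException {
        ArrayList<Object> arrayList = new ArrayList<Object>();
        arrayList.addAll(list);
        arrayList.addAll(list2);
        try {
            return CertStore.getInstance("Collection", (CertStoreParameters) new CollectionCertStoreParameters(arrayList), (Provider) new JsafeJCE());
        } catch (InvalidAlgorithmParameterException e) {
            throw new CMSException(e.getMessage());
        } catch (NoSuchAlgorithmException e2) {
            throw new CMSException(e2.getMessage());
        }
    }

    /**
     * Builds a certification path from the signer certificate to one of the trust anchors.
     *
     * @param x509Certificate the certificate whose public key verified the signature
     * @param certStore       trust store; every certificate in it becomes a trust anchor.
     *                        {@code null} skips validation and yields {@code true}
     * @param certStore2      intermediate certificates and CRLs available to the builder
     * @param z               whether revocation checking is enabled
     * @return {@code true} if a path was built; {@code false} (with the reason recorded) if the
     *     builder failed
     * @throws CMSException if the builder parameters cannot be prepared
     */
    private boolean a(X509Certificate x509Certificate, CertStore certStore, CertStore certStore2, boolean z) throws CMSException {
        if (certStore == null) {
            return true;
        }
        HashSet<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
        try {
            for (Certificate anchor : certStore.getCertificates(new X509CertSelector())) {
                hashSet.add(new TrustAnchor((X509Certificate) anchor, null));
            }
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setSubject(x509Certificate.getSubjectX500Principal().getEncoded());
            // Pin the path target to the exact certificate whose key verified the signature.
            // A subject name alone does not identify it, and certStore2 also holds the
            // certificates embedded in the message.
            x509CertSelector.setCertificate(x509Certificate);
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(hashSet, x509CertSelector);
            pKIXBuilderParameters.addCertStore(certStore2);
            pKIXBuilderParameters.setRevocationEnabled(z);
            try {
                new ew(this.e, ak.a).engineBuild(pKIXBuilderParameters);
                return true;
            } catch (Exception e) {
                // A failed build is reported as "not verified" rather than as an exception.
                this.m = e.getMessage();
                return false;
            }
        } catch (Exception e2) {
            this.m = e2.getMessage();
            throw new CMSException(this.m);
        }
    }

    /**
     * Requires a pending element that carries the sequence tag.
     *
     * @param str element name used in the error message
     * @throws IOException if the expectation is not met
     */
    private void b(String str) throws IOException {
        a(str, true);
        if (!h()) {
            throw new CMSException("Unable to decode: Expected sequence tag " + str);
        }
    }

    /**
     * Requires a pending element that carries the set tag.
     *
     * @param str element name used in the error message
     * @throws IOException if the expectation is not met
     */
    private void c(String str) throws IOException {
        a(str, true);
        if (!i()) {
            throw new CMSException("Unable to decode: Expected set tag " + str);
        }
    }

    /**
     * Checks the decoder state reported by {@code this.d.a()} against the expected value
     * (presumably "another element is available" versus "end of the enclosing element").
     *
     * @param str element name used in the error message
     * @param z   expected state
     * @throws IOException if the state differs from {@code z}
     */
    private void a(String str, boolean z) throws IOException {
        if (this.d.a() != z) {
            throw new CMSException("Unable to decode: Expected tag " + str);
        }
    }

    /** Returns whether the current tag value is 16, which callers treat as the sequence tag. */
    private boolean h() {
        return this.d.e() == 16;
    }

    /** Returns whether the current tag value is 17, which callers treat as the set tag. */
    private boolean i() {
        return this.d.e() == 17;
    }

    /**
     * Returns whether the current tag equals {@code ir.c(i)} (presumably context tag {@code i}).
     *
     * @param i the tag number to test for
     */
    private boolean a(int i) {
        return this.d.e() == ir.c(i);
    }

    /**
     * Returns the reason recorded by the most recent {@code verify} call.
     *
     * @return the failure reason, or {@code null} if none was recorded
     */
    @Override // com.rsa.jsafe.cms.SignedDataDecoder
    public String getReason() {
        return this.m;
    }
}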
