package com.itextpdf.signatures;

import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import com.itextpdf.signatures.validation.v1.TrustedCertificatesStore;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes2.dex */
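/**
 * Assembles candidate certificate chains by looking up missing issuer certificates.
 *
 * <p>Issuers are looked up, in order, in the chain supplied by the caller, at the URL returned by
 * {@code CertificateUtil.getIssuerCertURL} (the AIA extension, judging by the helper names), in the
 * trusted certificate store, and finally in the "known certificates" map.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The AIA URL is read from the certificate or CRL being processed, so it is attacker-influenced
 *       input that is dereferenced before any trust decision has been made. Deployments that process
 *       untrusted documents can override {@link #getIssuerCertByURI(String)} to restrict schemes,
 *       hosts, response size and timeouts, or to disable the fetch.</li>
 *   <li>Certificates taken from the AIA response or from the known/trusted maps are appended without
 *       a signature check in this class; the maps are keyed by subject name only. The arrays returned
 *       here are candidate chains and still have to be validated by the caller.</li>
 * </ul>
 *
 * <p>The two backing collections are a plain {@link HashMap} and a store object; no synchronization
 * is performed in this class.
 */
public class IssuingCertificateRetriever implements IIssuingCertificateRetriever {
    private static final Logger LOGGER = LoggerFactory.getLogger(IssuingCertificateRetriever.class);

    // Store consulted first when an issuer has to be found by subject name.
    private final TrustedCertificatesStore trustedCertificatesStore = new TrustedCertificatesStore();
    // Untrusted helper certificates, keyed by subject X.500 name (last writer wins on a name clash).
    private final Map<String, Certificate> knownCertificates = new HashMap<>();

    /**
     * Downloads and parses the certificates published at the given AIA URL.
     *
     * @param str URL to fetch, or {@code null} when the certificate carries none
     * @return the parsed certificates, or {@code null} when there is no URL or the fetch/parse failed
     */
    private Collection<Certificate> processCertificatesFromAIA(String str) {
        if (str == null) {
            return null;
        }
        // try-with-resources closes the stream on the failure path as well; a null stream is allowed.
        try (InputStream issuerCertStream = getIssuerCertByURI(str)) {
            return parseCertificates(issuerCertStream);
        } catch (Exception ignored) {
            // Best effort: any failure (malformed URL, I/O, parsing) means "no AIA certificates".
            LOGGER.warn(SignLogMessageConstant.UNABLE_TO_PARSE_AIA_CERT);
            return null;
        }
    }

    /**
     * Looks an issuer up by subject name, first in the trusted store and then in the known map.
     *
     * @param name X.500 principal name to look for
     * @return the matching certificate, or {@code null} when neither source has one
     */
    private Certificate findKnownCertificate(String name) {
        Certificate fromTrustedStore = this.trustedCertificatesStore.getKnownCertificate(name);
        if (fromTrustedStore != null) {
            return fromTrustedStore;
        }
        return this.knownCertificates.get(name);
    }

    /**
     * Copies the not yet consumed caller-supplied certificates to the chain and returns it as an array.
     *
     * @param chain chain built so far
     * @param supplied certificates passed in by the caller
     * @param from index of the first caller-supplied certificate that was not consumed
     * @return the chain followed by {@code supplied[from..]}
     */
    private static Certificate[] withRemaining(List<Certificate> chain, Certificate[] supplied, int from) {
        for (int k = from; k < supplied.length; k++) {
            chain.add(supplied[k]);
        }
        return chain.toArray(new Certificate[0]);
    }

    /**
     * Registers additional certificates that may be used to complete a chain.
     *
     * <p>Every element is cast to {@link X509Certificate}; a different certificate type fails with
     * {@link ClassCastException}.
     *
     * @param collection certificates to index by subject name
     */
    public void addKnownCertificates(Collection<Certificate> collection) {
        for (Certificate certificate : collection) {
            String subjectName = ((X509Certificate) certificate).getSubjectX500Principal().getName();
            this.knownCertificates.put(subjectName, certificate);
        }
    }

    /**
     * Adds certificates to the trusted store as generally trusted.
     *
     * @param collection certificates to trust
     */
    public void addTrustedCertificates(Collection<Certificate> collection) {
        this.trustedCertificatesStore.addGenerallyTrustedCertificates(collection);
    }

    /**
     * Finds the certificate chain of the issuer of a CRL.
     *
     * @param crl CRL whose issuer is wanted; cast to {@link X509CRL} when the AIA lookup yields nothing
     * @return the candidate chain, or an empty array when no issuer certificate could be found
     */
    @Override
    public Certificate[] getCrlIssuerCertificates(CRL crl) {
        Collection<Certificate> fromAia = processCertificatesFromAIA(CertificateUtil.getIssuerCertURL(crl));
        // An empty AIA response is treated like a missing one, as retrieveMissingCertificates does;
        // the result is read through the Collection interface rather than cast to List.
        if (fromAia != null && !fromAia.isEmpty()) {
            return retrieveMissingCertificates(fromAia.toArray(new Certificate[0]));
        }
        String issuerName = ((X509CRL) crl).getIssuerX500Principal().getName();
        Certificate issuer = findKnownCertificate(issuerName);
        if (issuer == null) {
            return new Certificate[0];
        }
        return retrieveMissingCertificates(new Certificate[]{issuer});
    }

    /**
     * Opens the resource behind an AIA URL.
     *
     * <p>NOTE(review): the URL string originates from the certificate or CRL under inspection and is
     * passed to {@link URL} unfiltered. Override this method to enforce an allow-list or to turn
     * network retrieval off when inputs are untrusted.
     *
     * @param str URL taken from the certificate or CRL
     * @return stream with the response body
     * @throws IOException when the URL is malformed or the request fails
     */
    protected InputStream getIssuerCertByURI(String str) throws IOException {
        return SignUtils.getHttpResponse(new URL(str));
    }

    /**
     * Returns the store holding the trusted certificates.
     *
     * @return the internal, mutable store instance
     */
    public TrustedCertificatesStore getTrustedCertificatesStore() {
        return this.trustedCertificatesStore;
    }

    /**
     * Tells whether the certificate is registered as generally trusted.
     *
     * @param certificate certificate to check
     * @return {@code true} when the trusted store reports it as generally trusted
     */
    public boolean isCertificateTrusted(Certificate certificate) {
        return this.trustedCertificatesStore.isCertificateGenerallyTrusted(certificate);
    }

    /**
     * Parses every certificate found in the stream.
     *
     * @param inputStream stream with the certificate data
     * @return the parsed certificates
     * @throws CertificateException when the data cannot be parsed
     */
    protected Collection<Certificate> parseCertificates(InputStream inputStream) throws CertificateException {
        return SignUtils.readAllCerts(inputStream, null);
    }

    /**
     * Finds the issuer of a single certificate.
     *
     * @param certificate certificate whose issuer is wanted
     * @return the second element of the completed chain, or {@code null} when the chain has only one
     */
    public Certificate retrieveIssuerCertificate(Certificate certificate) {
        Certificate[] chain = retrieveMissingCertificates(new Certificate[]{certificate});
        return chain.length > 1 ? chain[1] : null;
    }

    /**
     * Completes a certificate chain up to a self-signed certificate where possible.
     *
     * <p>The returned array is a candidate chain: certificates obtained from AIA or from the known
     * and trusted maps are appended without verifying that they signed their predecessor.
     *
     * @param certificateArr chain starting with the end certificate; elements are cast to
     *     {@link X509Certificate}
     * @return the extended chain; an empty array for a {@code null} or empty input
     */
    @Override
    public Certificate[] retrieveMissingCertificates(Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length == 0) {
            return new Certificate[0];
        }
        List<Certificate> fullChain = new ArrayList<>();
        // Certificates whose issuer has already been looked up, used to detect issuer loops.
        List<Certificate> expanded = new ArrayList<>();
        X509Certificate last = (X509Certificate) certificateArr[0];
        fullChain.add(last);
        int next = 1;
        while (!CertificateUtil.isSelfSigned(last)) {
            if (expanded.contains(last)) {
                // The same certificate became the chain tail twice (cross-signed certificates, or an
                // AIA response pointing back into the chain). Continuing would repeat the same
                // lookups without end, so stop and hand back what was collected.
                return withRemaining(fullChain, certificateArr, next);
            }
            expanded.add(last);

            boolean suppliedIssuer = next < certificateArr.length
                    && CertificateUtil.isIssuerCertificate(last, (X509Certificate) certificateArr[next]);
            if (suppliedIssuer) {
                fullChain.add(certificateArr[next]);
                next++;
            } else {
                Collection<Certificate> fromAia =
                        processCertificatesFromAIA(CertificateUtil.getIssuerCertURL(last));
                if (fromAia != null && !fromAia.isEmpty()) {
                    fullChain.addAll(fromAia);
                } else {
                    Certificate issuer = findKnownCertificate(last.getIssuerX500Principal().getName());
                    if (issuer == null) {
                        // No way to continue: keep whatever the caller supplied after this point.
                        return withRemaining(fullChain, certificateArr, next);
                    }
                    fullChain.add(issuer);
                }
            }
            last = (X509Certificate) fullChain.get(fullChain.size() - 1);
        }
        return fullChain.toArray(new Certificate[0]);
    }

    /**
     * Finds the certificate whose key verifies the signature of an OCSP response.
     *
     * <p>Certificates embedded in the response are tried first, then every trusted certificate.
     * NOTE(review): a match among the embedded certificates only shows that the response is
     * internally consistent; nothing in this method checks that the returned certificate is trusted
     * or authorized to sign OCSP responses, so the caller is presumably expected to validate it.
     *
     * @param iBasicOCSPResp OCSP response to match
     * @return the verifying certificate, or {@code null} when none matches or the trusted-store
     *     lookup throws
     */
    public Certificate retrieveOCSPResponderCertificate(IBasicOCSPResp iBasicOCSPResp) {
        for (X509Certificate embedded : SignUtils.getCertsFromOcspResponse(iBasicOCSPResp)) {
            if (CertificateUtil.isSignatureValid(iBasicOCSPResp, embedded)) {
                return embedded;
            }
        }
        try {
            for (Certificate trusted : this.trustedCertificatesStore.getAllTrustedCertificates()) {
                if (CertificateUtil.isSignatureValid(iBasicOCSPResp, trusted)) {
                    return trusted;
                }
            }
        } catch (Exception ignored) {
            // Deliberate best effort: a failure while scanning the trusted store means "not found".
            return null;
        }
        return null;
    }

    /**
     * Adds the given certificates to the trusted store; existing entries are kept.
     *
     * @param collection certificates to trust
     */
    @Override
    public void setTrustedCertificates(Collection<Certificate> collection) {
        addTrustedCertificates(collection);
    }
}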
