package com.itextpdf.text.pdf.security;

import com.itextpdf.text.log.Logger;
import com.itextpdf.text.log.LoggerFactory;
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PRStream;
import com.itextpdf.text.pdf.PdfArray;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.security.LtvVerification;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import org.spongycastle.cert.ocsp.BasicOCSPResp;
import org.spongycastle.cert.ocsp.OCSPException;
import org.spongycastle.cert.ocsp.OCSPResp;

/* loaded from: classes3.dex */
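/**
 * Verifies the signatures of a PDF revision by revision, starting with the last signature
 * in the document and walking back through earlier revisions.
 *
 * <p>For each signature the certificate chain is checked against the OCSP responses and CRLs
 * stored in the document's DSS dictionary (and, where allowed, online sources), falling back to
 * the root store configured on this verifier.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Online revocation checking is always enabled while the latest revision is examined
 *       ({@link #f13898l}); for earlier revisions it depends on the inherited {@code f13887b}
 *       flag only.</li>
 *   <li>A self-signed certificate that produced no verification result is still recorded as OK
 *       in the latest revision when the chain has more than one certificate, and self-signed
 *       certificates pass unchecked when {@link #setVerifyRootCertificate(boolean)} is
 *       {@code false}. See {@link #verifySignature()}.</li>
 *   <li>Earlier revisions are validated at the time taken from the later signature
 *       (timestamp date, else the signing date). See {@link #switchToPreviousRevision()}.</li>
 * </ul>
 *
 * <p>This is decompiled code: the {@code f138xx} field names and the method name {@code a()}
 * are decompiler/obfuscator artifacts and are kept because other classes may reference them.
 * The inherited fields {@code f13886a}, {@code f13887b} and {@code f13903c} are declared
 * outside this file.
 */
public class LtvVerifier extends RootStoreVerifier {

    /** Class logger (decompiler: renamed from {@code n}). */
    public static final Logger f13890n = LoggerFactory.getLogger((Class<?>) LtvVerifier.class);

    /**
     * Which certificates of the signing chain get a revocation check: only the first one, or
     * every certificate when set to {@code WHOLE_CHAIN} (decompiler: renamed from {@code e}).
     */
    public LtvVerification.CertificateOption f13891e;

    /**
     * When {@code true}, a self-signed certificate without any verification result makes
     * {@link #verifySignature()} fail (decompiler: renamed from {@code f}).
     */
    public boolean f13892f;

    /** Reader for the revision currently being examined (decompiler: renamed from {@code g}). */
    public PdfReader f13893g;

    /** Form fields of {@link #f13893g} (decompiler: renamed from {@code h}). */
    public AcroFields f13894h;

    /**
     * Date at which certificates are validated: "now" for the latest revision, afterwards the
     * time taken from the signature that was just verified (decompiler: renamed from {@code i}).
     */
    public Date f13895i;

    /** Name of the signature field under check (decompiler: renamed from {@code j}). */
    public String f13896j;

    /**
     * The signature under check, or {@code null} once no earlier signature is left
     * (decompiler: renamed from {@code k}).
     */
    public PdfPKCS7 f13897k;

    /**
     * {@code true} only while the latest revision is examined
     * (decompiler: renamed from {@code l}).
     */
    public boolean f13898l;

    /**
     * DSS dictionary taken from the catalog of the revision that was verified last; stays
     * {@code null} while the latest revision is examined (decompiler: renamed from {@code m}).
     */
    public PdfDictionary f13899m;

    /**
     * Creates a verifier positioned on the last signature of the document and immediately
     * checks that signature's integrity and coverage.
     *
     * @param pdfReader reader for the document to verify
     * @throws GeneralSecurityException if the document has no signature, the signature does
     *         not cover the whole document, or the document was altered after signing
     */
    public LtvVerifier(PdfReader pdfReader) throws GeneralSecurityException {
        super(null);
        this.f13891e = LtvVerification.CertificateOption.SIGNING_CERTIFICATE;
        this.f13892f = true;
        this.f13898l = true;
        this.f13893g = pdfReader;
        this.f13894h = pdfReader.getAcroFields();
        // Fail closed on an unsigned document instead of indexing at -1.
        this.f13896j = lastSignatureName(this.f13894h);
        this.f13895i = new Date();
        this.f13897k = a();
        logSignatureUnderCheck();
    }

    /** Returns the last signature name of {@code fields}, rejecting documents without any. */
    private static String lastSignatureName(AcroFields fields) throws GeneralSecurityException {
        List<String> names = fields.getSignatureNames();
        if (names == null || names.isEmpty()) {
            throw new VerificationException(null, "No signature found in document.");
        }
        return names.get(names.size() - 1);
    }

    /** Logs which signature is being checked; the name is read from the PDF itself. */
    private void logSignatureUnderCheck() {
        String kind = this.f13897k.isTsp() ? "document-level timestamp " : "";
        f13890n.info(String.format("Checking %ssignature %s", kind, this.f13896j));
    }

    /**
     * Checks the signature named by {@link #f13896j}: it must cover the whole document of the
     * current revision and its integrity check must succeed.
     *
     * @return the verified signature container
     * @throws GeneralSecurityException if the signature does not cover the whole document or
     *         the integrity check fails
     */
    public PdfPKCS7 a() throws GeneralSecurityException {
        PdfPKCS7 pkcs7 = this.f13894h.verifySignature(this.f13896j);
        if (!this.f13894h.signatureCoversWholeDocument(this.f13896j)) {
            throw new VerificationException(null, "Signature doesn't cover whole document.");
        }
        // NOTE(review): this message says "timestamp" even when the signature is not a
        // document-level timestamp; the text is left unchanged.
        f13890n.info("The timestamp covers whole document.");
        if (!pkcs7.verify()) {
            throw new VerificationException(null, "The document was altered after the final signature was applied.");
        }
        f13890n.info("The signed document has not been modified.");
        return pkcs7;
    }

    /**
     * Parses the CRLs stored under {@code CRLs} in the DSS dictionary.
     *
     * <p>The CRLs are only parsed here; nothing in this method checks who issued them or
     * whether they are current.
     *
     * @return the parsed CRLs; empty when there is no DSS dictionary or no CRL array
     * @throws GeneralSecurityException if a stream cannot be parsed as an X.509 CRL
     * @throws IOException if a stream cannot be read
     */
    public List<X509CRL> getCRLsFromDSS() throws GeneralSecurityException, IOException {
        List<X509CRL> crls = new ArrayList<>();
        PdfDictionary dss = this.f13899m;
        if (dss == null) {
            return crls;
        }
        PdfArray crlArray = dss.getAsArray(PdfName.CRLS);
        if (crlArray == null) {
            return crls;
        }
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        for (int i = 0; i < crlArray.size(); i++) {
            byte[] encoded = PdfReader.getStreamBytes((PRStream) crlArray.getAsStream(i));
            crls.add((X509CRL) factory.generateCRL(new ByteArrayInputStream(encoded)));
        }
        return crls;
    }

    /**
     * Parses the OCSP responses stored under {@code OCSPs} in the DSS dictionary.
     *
     * <p>Responses whose status is not 0 (the "successful" response status in RFC 6960) are
     * skipped silently, so a document that carries only error responses yields an empty list.
     *
     * @return the basic OCSP responses; empty when there is no DSS dictionary or no OCSP array
     * @throws IOException if a stream cannot be read or decoded
     * @throws GeneralSecurityException if the response object cannot be extracted
     */
    public List<BasicOCSPResp> getOCSPResponsesFromDSS() throws IOException, GeneralSecurityException {
        List<BasicOCSPResp> responses = new ArrayList<>();
        PdfDictionary dss = this.f13899m;
        if (dss == null) {
            return responses;
        }
        PdfArray ocspArray = dss.getAsArray(PdfName.OCSPS);
        if (ocspArray == null) {
            return responses;
        }
        for (int i = 0; i < ocspArray.size(); i++) {
            OCSPResp response = new OCSPResp(PdfReader.getStreamBytes((PRStream) ocspArray.getAsStream(i)));
            if (response.getStatus() != 0) {
                continue;
            }
            try {
                responses.add((BasicOCSPResp) response.getResponseObject());
            } catch (OCSPException e) {
                throw new GeneralSecurityException(e);
            }
        }
        return responses;
    }

    /**
     * Chooses whether only the signing certificate or the whole chain is checked.
     *
     * @param certificateOption the option to use from now on
     */
    public void setCertificateOption(LtvVerification.CertificateOption certificateOption) {
        this.f13891e = certificateOption;
    }

    /**
     * Sets the verifier that is consulted after the OCSP, CRL and root store checks.
     *
     * @param certificateVerifier the next verifier; stored in the inherited {@code f13886a}
     */
    public void setVerifier(CertificateVerifier certificateVerifier) {
        this.f13886a = certificateVerifier;
    }

    /**
     * Controls whether a self-signed certificate without any verification result is rejected.
     *
     * <p>With {@code false}, such a certificate passes {@link #verifySignature()} without a
     * revocation or trust anchor check.
     *
     * @param z {@code true} to reject, {@code false} to let it pass
     */
    public void setVerifyRootCertificate(boolean z) {
        this.f13892f = z;
    }

    /**
     * Moves this verifier to the revision that ends with the signature before the current one.
     *
     * <p>The DSS dictionary is read from the catalog of the current revision before the reader
     * is replaced, and the validation date becomes the timestamp date of the current signature
     * or, if there is none, its signing date. When at most one signature is left,
     * {@link #f13897k} is set to {@code null} and the method returns.
     *
     * @throws IOException if the earlier revision cannot be read
     * @throws GeneralSecurityException if the current signature carries no usable time, or the
     *         earlier revision's signature fails the checks in {@link #a()}
     */
    public void switchToPreviousRevision() throws IOException, GeneralSecurityException {
        f13890n.info("Switching to previous revision.");
        this.f13898l = false;
        this.f13899m = this.f13893g.getCatalog().getAsDict(PdfName.DSS);
        Calendar validationTime = this.f13897k.getTimeStampDate();
        if (validationTime == null) {
            // NOTE(review): presumably the signing date is the value claimed by the signer
            // rather than a timestamp authority - confirm against PdfPKCS7.
            validationTime = this.f13897k.getSignDate();
        }
        if (validationTime == null) {
            // Fail closed instead of dereferencing null when neither time is available.
            throw new VerificationException(null, "Signature has neither a timestamp nor a signing date.");
        }
        this.f13895i = validationTime.getTime();
        List<String> names = this.f13894h.getSignatureNames();
        if (names.size() <= 1) {
            f13890n.info("No signatures in revision");
            this.f13897k = null;
            return;
        }
        this.f13896j = names.get(names.size() - 2);
        this.f13893g = new PdfReader(this.f13894h.extractRevision(this.f13896j));
        this.f13894h = this.f13893g.getAcroFields();
        this.f13896j = lastSignatureName(this.f13894h);
        this.f13897k = a();
        logSignatureUnderCheck();
    }

    /**
     * Verifies one certificate through a chain of verifiers: OCSP responses from the DSS first,
     * then CRLs from the DSS, then the root store, then the verifier set on this object.
     *
     * <p>Online checking is enabled on the OCSP and CRL verifiers while the latest revision is
     * examined, or when the inherited {@code f13887b} flag is set.
     *
     * @param x509Certificate the certificate to verify
     * @param x509Certificate2 its issuer, or {@code null} if unknown
     * @param date the date at which the certificate must be valid
     * @return the successful verifications; the list returned by the OCSP verifier
     * @throws GeneralSecurityException if verification fails or DSS material cannot be parsed
     * @throws IOException if DSS material cannot be read
     */
    @Override // com.itextpdf.text.pdf.security.RootStoreVerifier, com.itextpdf.text.pdf.security.CertificateVerifier
    public List<VerificationOK> verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) throws GeneralSecurityException, IOException {
        boolean onlineAllowed = this.f13898l || this.f13887b;

        RootStoreVerifier rootStoreVerifier = new RootStoreVerifier(this.f13886a);
        rootStoreVerifier.setRootStore(this.f13903c);

        CRLVerifier crlVerifier = new CRLVerifier(rootStoreVerifier, getCRLsFromDSS());
        crlVerifier.setRootStore(this.f13903c);
        crlVerifier.setOnlineCheckingAllowed(onlineAllowed);

        OCSPVerifier ocspVerifier = new OCSPVerifier(crlVerifier, getOCSPResponsesFromDSS());
        ocspVerifier.setRootStore(this.f13903c);
        ocspVerifier.setOnlineCheckingAllowed(onlineAllowed);

        return ocspVerifier.verify(x509Certificate, x509Certificate2, date);
    }

    /**
     * Verifies every signature from the current one back to the first.
     *
     * <p>Each call to {@link #verifySignature()} ends by switching to the previous revision,
     * so the loop stops once no earlier signature is left.
     *
     * @param list list to append results to, or {@code null} to start a new one
     * @return {@code list}, or the new list, with all results appended
     * @throws IOException if a revision cannot be read
     * @throws GeneralSecurityException if any signature or certificate fails verification
     */
    public List<VerificationOK> verify(List<VerificationOK> list) throws IOException, GeneralSecurityException {
        List<VerificationOK> results = list != null ? list : new ArrayList<>();
        while (this.f13897k != null) {
            results.addAll(verifySignature());
        }
        return results;
    }

    /**
     * Checks that every certificate is within its validity period on {@link #f13895i} and that
     * each certificate is signed by the key of the next one in the array.
     *
     * <p>Only the validity period and the signature are checked here; this method does not
     * look at extensions such as basic constraints or key usage, nor at any trust anchor.
     *
     * @param certificateArr the chain, signing certificate first; every element must be an
     *        {@link X509Certificate}
     * @throws GeneralSecurityException if a certificate is not valid on the date or a
     *         signature in the chain does not verify
     */
    public void verifyChain(Certificate[] certificateArr) throws GeneralSecurityException {
        for (int i = 0; i < certificateArr.length; i++) {
            X509Certificate current = (X509Certificate) certificateArr[i];
            current.checkValidity(this.f13895i);
            if (i > 0) {
                certificateArr[i - 1].verify(certificateArr[i].getPublicKey());
            }
        }
        f13890n.info("All certificates are valid on " + this.f13895i.toString());
    }

    /**
     * Verifies the certificates of the current signature, then switches to the previous
     * revision.
     *
     * <p>Depending on {@link #f13891e}, either the first certificate of the chain or every
     * certificate is passed to {@link #verify(X509Certificate, X509Certificate, Date)}. A
     * certificate that comes back without any result is handled as follows:
     * <ul>
     *   <li>if it is not self-signed, verification fails;</li>
     *   <li>if it is self-signed, the latest revision is being examined and the chain has more
     *       than one certificate, it is recorded as OK although no revocation source or trust
     *       anchor confirmed it;</li>
     *   <li>if it is self-signed and {@link #f13892f} is {@code false}, it passes; with a
     *       single-certificate chain nothing is recorded for it at all, so callers cannot tell
     *       from the result that it was not checked.</li>
     * </ul>
     *
     * @return the successful verifications for this signature
     * @throws GeneralSecurityException if the chain or a certificate fails verification
     * @throws IOException if DSS material or the earlier revision cannot be read
     */
    public List<VerificationOK> verifySignature() throws GeneralSecurityException, IOException {
        f13890n.info("Verifying signature.");
        List<VerificationOK> results = new ArrayList<>();
        Certificate[] chain = this.f13897k.getSignCertificateChain();
        verifyChain(chain);
        boolean wholeChain = LtvVerification.CertificateOption.WHOLE_CHAIN.equals(this.f13891e);
        int total = wholeChain ? chain.length : 1;
        for (int i = 0; i < total; i++) {
            X509Certificate signCert = (X509Certificate) chain[i];
            X509Certificate issuerCert = i + 1 < chain.length ? (X509Certificate) chain[i + 1] : null;
            // The subject name comes from the certificate embedded in the PDF.
            f13890n.info(signCert.getSubjectDN().getName());
            List<VerificationOK> verified = verify(signCert, issuerCert, this.f13895i);
            if (verified.isEmpty()) {
                try {
                    // Throws unless the certificate is signed with its own key.
                    signCert.verify(signCert.getPublicKey());
                    if (this.f13898l && chain.length > 1) {
                        verified.add(new VerificationOK(signCert, getClass(), "Root certificate in final revision"));
                    }
                    if (verified.isEmpty() && this.f13892f) {
                        throw new GeneralSecurityException();
                    }
                    if (chain.length > 1) {
                        verified.add(new VerificationOK(signCert, getClass(), "Root certificate passed without checking"));
                    }
                } catch (GeneralSecurityException e) {
                    // NOTE(review): the cause is discarded here, so the reason for the failure
                    // is not visible to the caller.
                    throw new VerificationException(signCert, "Couldn't verify with CRL or OCSP or trusted anchor");
                }
            }
            results.addAll(verified);
        }
        switchToPreviousRevision();
        return results;
    }
}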
