package com.itextpdf.text.pdf.security;

import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PRStream;
import com.itextpdf.text.pdf.PdfArray;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfObject;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.security.LtvVerification;
import f2.e;
import f2.f;
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import org.spongycastle.cert.ocsp.BasicOCSPResp;
import org.spongycastle.cert.ocsp.OCSPException;
import org.spongycastle.cert.ocsp.OCSPResp;

/* loaded from: classes2.dex */
/**
 * Walks a signed PDF backwards, revision by revision, and checks each signature's
 * certificates using the CRLs and OCSP responses stored in the document's DSS dictionary.
 *
 * <p>Verification starts at the last signature listed by the reader's {@link AcroFields}.
 * Each call to {@link #verifySignature()} checks the current signature's certificate chain and
 * then moves to the previous revision; {@link #pkcs7} becomes {@code null} once no earlier
 * signature is left.
 *
 * <p>NOTE(review): this listing is decompiler output. Several methods call APIs that declare
 * checked exceptions (for example {@code CertificateFactory.getInstance}) yet carry no
 * {@code throws} clause here; confirm the declared exceptions against the original source.
 */
public class LtvVerifier extends RootStoreVerifier {
    // Logger from the (obfuscated) factory f.a(...); every message in this class goes through
    // LOGGER.c(...). The log level behind c(...) cannot be determined from this file.
    protected static final e LOGGER = f.a(LtvVerifier.class);

    // DSS dictionary of the revision being validated; stays null until the first call to
    // switchToPreviousRevision(), so the latest revision is checked without embedded DSS data.
    protected PdfDictionary dss;
    // Form fields of the revision currently under examination.
    protected AcroFields fields;
    // True while the most recent revision is being checked; cleared by switchToPreviousRevision().
    protected boolean latestRevision = true;
    // Selects whether only the first certificate or the whole chain is checked.
    protected LtvVerification.CertificateOption option = LtvVerification.CertificateOption.SIGNING_CERTIFICATE;
    // Signature container of the revision under examination; null once all revisions are done.
    protected PdfPKCS7 pkcs7;
    // Reader for the revision currently under examination.
    protected PdfReader reader;
    // Date against which certificates are validated.
    protected Date signDate;
    // Name of the signature field currently under examination.
    protected String signatureName;
    // When true, a self-signed certificate that nothing vouched for is rejected.
    protected boolean verifyRootCertificate = true;

    /**
     * Starts verification at the last signature of the document held by {@code pdfReader}.
     *
     * <p>The validation date is initialised to the current time. The constructor already
     * checks that the last signature covers the whole document and verifies its integrity
     * (see {@link #coversWholeDocument()}), so it fails for a document altered after signing.
     *
     * <p>NOTE(review): a document without any signature makes the
     * {@code get(size() - 1)} lookup fail with an index error rather than a
     * verification-specific exception.
     *
     * @param pdfReader reader of the signed document
     */
    public LtvVerifier(PdfReader pdfReader) {
        super(null);
        this.reader = pdfReader;
        this.fields = pdfReader.getAcroFields();
        ArrayList<String> names = this.fields.getSignatureNames();
        this.signatureName = names.get(names.size() - 1);
        this.signDate = new Date();
        this.pkcs7 = coversWholeDocument();
        logSignatureUnderCheck(this.pkcs7);
    }

    /** Logs which signature (or document-level timestamp) is about to be checked. */
    private void logSignatureUnderCheck(PdfPKCS7 signature) {
        String kind = signature.isTsp() ? "document-level timestamp " : PdfObject.NOTHING;
        LOGGER.c(String.format("Checking %ssignature %s", kind, this.signatureName));
    }

    /**
     * Checks that the current signature covers the whole revision and that the signed
     * bytes are intact.
     *
     * @return the signature container of the current signature
     * @throws VerificationException if the signature does not cover the whole document or
     *         its integrity check fails
     */
    public PdfPKCS7 coversWholeDocument() {
        // The container is obtained first, exactly as before, so any failure while
        // reading it surfaces ahead of the coverage check.
        PdfPKCS7 signature = this.fields.verifySignature(this.signatureName);
        boolean coversAll = this.fields.signatureCoversWholeDocument(this.signatureName);
        if (!coversAll) {
            throw new VerificationException(null, "Signature doesn't cover whole document.");
        }
        // This message says "timestamp" for ordinary signatures as well.
        LOGGER.c("The timestamp covers whole document.");
        boolean intact = signature.verify();
        if (!intact) {
            throw new VerificationException(null, "The document was altered after the final signature was applied.");
        }
        LOGGER.c("The signed document has not been modified.");
        return signature;
    }

    /**
     * Parses the CRLs stored under the CRLs key of the current DSS dictionary.
     *
     * <p>The streams come from the document itself and are parsed as-is; this method
     * establishes no trust in them.
     *
     * @return the parsed CRLs; empty when there is no DSS dictionary or no CRLs entry
     */
    public List<X509CRL> getCRLsFromDSS() {
        List<X509CRL> crls = new ArrayList<>();
        PdfDictionary dssDictionary = this.dss;
        if (dssDictionary == null) {
            return crls;
        }
        PdfArray crlStreams = dssDictionary.getAsArray(PdfName.CRLS);
        if (crlStreams == null) {
            return crls;
        }
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
        for (int index = 0; index < crlStreams.size(); index++) {
            byte[] encoded = PdfReader.getStreamBytes((PRStream) crlStreams.getAsStream(index));
            crls.add((X509CRL) x509Factory.generateCRL(new ByteArrayInputStream(encoded)));
        }
        return crls;
    }

    /**
     * Parses the OCSP responses stored under the OCSPs key of the current DSS dictionary.
     *
     * <p>Responses whose status is not 0 are skipped silently. The streams come from the
     * document itself; this method establishes no trust in them.
     *
     * @return the basic OCSP responses; empty when there is no DSS dictionary or no OCSPs entry
     */
    public List<BasicOCSPResp> getOCSPResponsesFromDSS() {
        List<BasicOCSPResp> responses = new ArrayList<>();
        PdfDictionary dssDictionary = this.dss;
        if (dssDictionary == null) {
            return responses;
        }
        PdfArray ocspStreams = dssDictionary.getAsArray(PdfName.OCSPS);
        if (ocspStreams == null) {
            return responses;
        }
        for (int index = 0; index < ocspStreams.size(); index++) {
            byte[] encoded = PdfReader.getStreamBytes((PRStream) ocspStreams.getAsStream(index));
            OCSPResp response = new OCSPResp(encoded);
            // 0 is the "successful" OCSP response status (RFC 6960).
            if (response.getStatus() != 0) {
                continue;
            }
            try {
                responses.add((BasicOCSPResp) response.getResponseObject());
            } catch (OCSPException ocspFailure) {
                throw new GeneralSecurityException(ocspFailure);
            }
        }
        return responses;
    }

    /**
     * Chooses whether only the first certificate or the whole chain is checked.
     *
     * @param certificateOption the option to apply in {@link #verifySignature()}
     */
    public void setCertificateOption(LtvVerification.CertificateOption certificateOption) {
        this.option = certificateOption;
    }

    /**
     * Sets the verifier that the root-store verifier built in
     * {@link #verify(X509Certificate, X509Certificate, Date)} is constructed with.
     *
     * @param certificateVerifier the verifier to use
     */
    public void setVerifier(CertificateVerifier certificateVerifier) {
        this.verifier = certificateVerifier;
    }

    /**
     * Controls whether a self-signed certificate that no verifier vouched for is rejected.
     *
     * <p>Passing {@code false} relaxes the check in {@link #verifySignature()}: such a
     * certificate then raises no exception.
     *
     * @param z3 {@code true} to reject such certificates
     */
    public void setVerifyRootCertificate(boolean z3) {
        this.verifyRootCertificate = z3;
    }

    /**
     * Moves verification to the revision preceding the current signature.
     *
     * <p>The DSS dictionary is taken from the current reader's catalog, and the validation
     * date becomes the current signature's timestamp date or, when it has none, its
     * signing date. If at most one signature is left, {@link #pkcs7} is set to
     * {@code null} and the walk ends. Otherwise the revision of the second-to-last
     * signature is extracted, re-read, and checked with {@link #coversWholeDocument()}.
     *
     * <p>NOTE(review): the signing date comes from the signature container; whether it is
     * an authenticated value depends on PdfPKCS7 and is not visible here.
     */
    public void switchToPreviousRevision() {
        LOGGER.c("Switching to previous revision.");
        this.latestRevision = false;
        this.dss = this.reader.getCatalog().getAsDict(PdfName.DSS);

        Calendar referenceTime = this.pkcs7.getTimeStampDate();
        if (referenceTime == null) {
            referenceTime = this.pkcs7.getSignDate();
        }
        this.signDate = referenceTime.getTime();

        ArrayList<String> currentNames = this.fields.getSignatureNames();
        if (currentNames.size() <= 1) {
            LOGGER.c("No signatures in revision");
            this.pkcs7 = null;
            return;
        }

        this.signatureName = currentNames.get(currentNames.size() - 2);
        this.reader = new PdfReader(this.fields.extractRevision(this.signatureName));
        this.fields = this.reader.getAcroFields();
        ArrayList<String> previousNames = this.fields.getSignatureNames();
        this.signatureName = previousNames.get(previousNames.size() - 1);
        this.pkcs7 = coversWholeDocument();
        logSignatureUnderCheck(this.pkcs7);
    }

    /**
     * Checks one certificate through an OCSP verifier that delegates to a CRL verifier,
     * which in turn delegates to a root-store verifier.
     *
     * <p>The CRL and OCSP verifiers are fed from the current DSS dictionary. Online
     * checking is switched on for both whenever the latest revision is being checked,
     * even if {@code onlineCheckingAllowed} is {@code false}; for earlier revisions it
     * follows {@code onlineCheckingAllowed}.
     *
     * @param x509Certificate the certificate to check
     * @param x509Certificate2 the next certificate in the chain, or {@code null} when there is none
     * @param date the date to validate against
     * @return whatever the OCSP verifier returns for this certificate
     */
    @Override
    public List<VerificationOK> verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) {
        boolean allowOnline = this.latestRevision || this.onlineCheckingAllowed;

        RootStoreVerifier anchorVerifier = new RootStoreVerifier(this.verifier);
        anchorVerifier.setRootStore(this.rootStore);

        CRLVerifier crlVerifier = new CRLVerifier(anchorVerifier, getCRLsFromDSS());
        crlVerifier.setRootStore(this.rootStore);
        crlVerifier.setOnlineCheckingAllowed(allowOnline);

        OCSPVerifier ocspVerifier = new OCSPVerifier(crlVerifier, getOCSPResponsesFromDSS());
        ocspVerifier.setRootStore(this.rootStore);
        ocspVerifier.setOnlineCheckingAllowed(allowOnline);

        return ocspVerifier.verify(x509Certificate, x509Certificate2, date);
    }

    /**
     * Verifies every signature, from the current revision back to the first one.
     *
     * <p>The loop ends only because {@link #verifySignature()} moves to the previous
     * revision and eventually sets {@link #pkcs7} to {@code null}.
     *
     * @param list list to append results to; a new list is created when {@code null}
     * @return the list holding all collected results
     */
    public List<VerificationOK> verify(List<VerificationOK> list) {
        List<VerificationOK> collected = list;
        if (collected == null) {
            collected = new ArrayList<VerificationOK>();
        }
        while (this.pkcs7 != null) {
            collected.addAll(verifySignature());
        }
        return collected;
    }

    /**
     * Checks that every certificate is within its validity period on the current
     * validation date and that each certificate is signed by the key of the one after it.
     *
     * <p>Only these two checks are made. The last certificate is not matched against a
     * trust anchor here, and no revocation lookup happens in this method.
     *
     * @param certificateArr the chain, ordered from the signing certificate upwards
     */
    public void verifyChain(Certificate[] certificateArr) {
        for (int position = 0; position < certificateArr.length; position++) {
            X509Certificate current = (X509Certificate) certificateArr[position];
            current.checkValidity(this.signDate);
            if (position > 0) {
                // The previous (lower) certificate must verify under this one's public key.
                certificateArr[position - 1].verify(certificateArr[position].getPublicKey());
            }
        }
        LOGGER.c("All certificates are valid on " + this.signDate.toString());
    }

    /**
     * Verifies the certificates of the current signature, then moves to the previous revision.
     *
     * <p>After {@link #verifyChain(Certificate[])} passes, either the first certificate or
     * the whole chain (depending on {@link #option}) is sent through
     * {@link #verify(X509Certificate, X509Certificate, Date)}. When that yields no result,
     * the certificate must verify under its own public key, and then:
     * <ul>
     *   <li>in the latest revision, with a chain longer than one, it is accepted as
     *       "Root certificate in final revision";</li>
     *   <li>if still nothing vouched for it and {@link #verifyRootCertificate} is set,
     *       verification fails;</li>
     *   <li>with a chain longer than one it is recorded as
     *       "Root certificate passed without checking".</li>
     * </ul>
     *
     * <p>Security caveat: these fallback acceptances happen without any CRL, OCSP or
     * root-store result. They differ from other entries only by their message text, so a
     * caller that requires an anchored chain should inspect the returned entries. With
     * {@link #verifyRootCertificate} disabled and a chain of length one, a self-signed
     * certificate produces neither an entry nor an exception.
     *
     * @return the verification results collected for this signature
     * @throws VerificationException if a certificate could not be verified
     */
    public List<VerificationOK> verifySignature() {
        LOGGER.c("Verifying signature.");
        List<VerificationOK> collected = new ArrayList<>();
        Certificate[] chain = this.pkcs7.getSignCertificateChain();
        verifyChain(chain);

        boolean wholeChain = LtvVerification.CertificateOption.WHOLE_CHAIN.equals(this.option);
        int certificatesToCheck = wholeChain ? chain.length : 1;

        for (int position = 0; position < certificatesToCheck; position++) {
            X509Certificate current = (X509Certificate) chain[position];
            X509Certificate issuer = null;
            if (position + 1 < chain.length) {
                issuer = (X509Certificate) chain[position + 1];
            }
            LOGGER.c(current.getSubjectDN().getName());

            List<VerificationOK> results = verify(current, issuer, this.signDate);
            if (results.isEmpty()) {
                try {
                    // Succeeds only for a certificate signed with its own key.
                    current.verify(current.getPublicKey());
                    boolean hasIssuers = chain.length > 1;
                    if (this.latestRevision && hasIssuers) {
                        results.add(new VerificationOK(current, getClass(), "Root certificate in final revision"));
                    }
                    if (results.isEmpty() && this.verifyRootCertificate) {
                        throw new GeneralSecurityException();
                    }
                    if (hasIssuers) {
                        results.add(new VerificationOK(current, getClass(), "Root certificate passed without checking"));
                    }
                } catch (GeneralSecurityException ignored) {
                    // NOTE(review): the underlying failure is dropped here, so the reported
                    // error does not say whether the self-signature check or the
                    // root-certificate policy rejected the certificate.
                    throw new VerificationException(current, "Couldn't verify with CRL or OCSP or trusted anchor");
                }
            }
            collected.addAll(results);
        }

        switchToPreviousRevision();
        return collected;
    }
}
