package com.rsa.cryptoj.c;

import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import com.rsa.jsafe.cert.Attribute;
import com.rsa.jsafe.cms.CMSException;
import com.rsa.jsafe.cms.SignedDataDecoder;
import com.rsa.jsafe.cms.SignerInfo;
import com.rsa.jsafe.provider.JsafeJCE;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes3.dex */
public final class jq extends SignedDataDecoder {

    /* renamed from: k, reason: collision with root package name */
    private static final String f10279k = "RSAPSS";
    private static final String l = "RSA";
    private String m;

    public jq(InputStream inputStream, InputStream inputStream2, cf cfVar) throws IOException {
        super(inputStream, inputStream2, cfVar);
        b();
    }

    private CertStore a(List<X509Certificate> list, List<X509CRL> list2) throws CMSException {
        ArrayList arrayList = new ArrayList();
        arrayList.addAll(list);
        arrayList.addAll(list2);
        try {
            return CertStore.getInstance(JsafeJCE.COLLECTION, new CollectionCertStoreParameters(arrayList), new JsafeJCE());
        } catch (InvalidAlgorithmParameterException e2) {
            throw new CMSException(e2.getMessage());
        } catch (NoSuchAlgorithmException e3) {
            throw new CMSException(e3.getMessage());
        }
    }

    private X509Certificate a(jt jtVar, List<X509Certificate> list) throws CMSException {
        ij b2 = jtVar.b();
        for (X509Certificate x509Certificate : list) {
            if (b2.a(x509Certificate)) {
                return x509Certificate;
            }
        }
        throw new CMSException("Unable to find certificate to verify signature.");
    }

    private void a(int i2, ij ijVar) throws CMSException {
        if ((!ijVar.a() || i2 == 3) && (ijVar.a() || i2 == 1)) {
            return;
        }
        throw new CMSException("Unable to decode: Illegal SignerInfo version " + i2);
    }

    private void a(String str, boolean z) throws IOException {
        if (this.f12045d.a() == z) {
            return;
        }
        throw new CMSException("Unable to decode: Expected tag " + str);
    }

    private void a(List<String> list) throws IOException {
        iq iqVar;
        InputStream inputStream = this.f12047f;
        if (inputStream != null) {
            iqVar = new iq(inputStream, list, d(), this.f12046e);
        } else if (!this.f12045d.a()) {
            this.f12049h = new ji(d());
            return;
        } else {
            if (!a(0)) {
                throw new IOException("Unable to decode: Expected explicit tag value 0 for tag eContent.");
            }
            a("eContent", true);
            iqVar = new iq(new jl(this.f12045d, d()), list, (Closeable) null, this.f12046e);
        }
        this.f12049h = iqVar;
    }

    private void a(boolean z) throws IOException {
        byte[] bArr;
        byte[] bArr2;
        w wVar;
        if (z) {
            a("SignerInfos", true);
        }
        d a = a.a(au.a.b("SignerInfos"), this.f12045d);
        int c2 = a.c();
        if ((this.f12049h instanceof ji) && c2 > 0) {
            throw new IOException("Unable to decode: SignerInfo found with empty eContent.");
        }
        for (int i2 = 0; i2 < c2; i2++) {
            d a2 = a.a(i2);
            int i3 = ((w) a2.a("version")).i();
            ij b2 = b(a2);
            a(i3, b2);
            oc ocVar = new oc(a2.a("digestAlgorithm"));
            Attribute[] a3 = a(a2, "signedAttrs");
            PSSParameterSpec pSSParameterSpec = null;
            if (a3.length > 0) {
                d a4 = a2.a("signedAttrs");
                byte[] c3 = a.c(a4.d(17));
                bArr2 = a(a4);
                bArr = c3;
            } else {
                if (!this.f12048g.equals(ii.f10144b)) {
                    throw new CMSException("Signed attributes expected for contentTypes other than DATA. No signed attributes were present");
                }
                bArr = null;
                bArr2 = null;
            }
            oc ocVar2 = new oc(a2.a("signatureAlgorithm"));
            byte[] b3 = ocVar2.b();
            if (b3 != null && oo.a(ocVar2.d(), b3).endsWith("RSAPSS") && (wVar = (w) a.a("RSASSA-PSS-params", b3, 0).a("saltLength")) != null) {
                pSSParameterSpec = new PSSParameterSpec(wVar.i());
            }
            this.a.add(new jt(i3, b2, ocVar, a3, bArr, ((ae) a2.a("signature")).h(), ocVar2, pSSParameterSpec, a(a2, "unsignedAttrs"), bArr2));
        }
    }

    private boolean a(int i2) {
        return this.f12045d.e() == a.c(i2);
    }

    private boolean a(jt jtVar, CertStore certStore, CertStore certStore2, boolean z) throws CMSException {
        List<X509Certificate> arrayList;
        List<X509CRL> arrayList2;
        String str;
        String str2;
        AlgorithmParameterSpec k2;
        if (this.f12049h.a()) {
            this.m = "The content stream has not been closed.";
            throw new CMSException(this.m);
        }
        if (this.f12049h instanceof ji) {
            return true;
        }
        if (jtVar == null) {
            this.m = "Signer info cannot be null.";
            throw new IllegalArgumentException(this.m);
        }
        if (certStore2 != null) {
            try {
                Collection<? extends Certificate> certificates = certStore2.getCertificates(new X509CertSelector());
                Collection<? extends CRL> cRLs = certStore2.getCRLs(new X509CRLSelector());
                arrayList = new ArrayList<>((Collection<? extends X509Certificate>) certificates);
                arrayList.addAll(this.f12062b);
                arrayList2 = new ArrayList<>((Collection<? extends X509CRL>) cRLs);
                arrayList2.addAll(this.f12063j);
            } catch (CertStoreException e2) {
                this.m = e2.getMessage();
                throw new CMSException(this.m);
            }
        } else {
            arrayList = this.f12062b;
            arrayList2 = this.f12063j;
        }
        byte[] i2 = jtVar.i();
        CertStore a = a(arrayList, arrayList2);
        String e3 = jtVar.e();
        byte[] a2 = ((iq) this.f12049h).a(jtVar.e());
        if (a2 == null) {
            this.m = "Could not verify signer, digest algorithm " + e3 + " is not supported";
            throw new CMSException(this.m);
        }
        String str3 = "RSAPSS";
        boolean endsWith = jtVar.g().endsWith("RSAPSS");
        if (endsWith) {
            str = JsonPOJOBuilder.DEFAULT_WITH_PREFIX + e3;
        } else {
            str3 = jtVar.f();
            str = "";
        }
        if (jtVar.getSignedAttributes().length <= 0) {
            if (jtVar.f().equals("RSA") && !endsWith) {
                try {
                    ly b2 = kf.b(e3, this.f12046e, kb.a);
                    byte[] bArr = new byte[b2.a()];
                    b2.a(a2, 0, bArr, 0);
                    a2 = bArr;
                } catch (NoSuchAlgorithmException unused) {
                }
            }
            str2 = "NONEwith" + str3 + str;
        } else {
            if (!Arrays.equals(a2, jtVar.j())) {
                throw new CMSException("Signer verification failed: signed message digest attribute did not match computed message digest.");
            }
            a2 = jtVar.h();
            str2 = e3 + JsonPOJOBuilder.DEFAULT_WITH_PREFIX + str3;
        }
        ny nyVar = null;
        try {
            try {
                ny c2 = kf.c(str2, this.f12046e, kb.a);
                X509Certificate a3 = a(jtVar, arrayList);
                c2.engineInitVerify(a3.getPublicKey());
                if (endsWith && (k2 = jtVar.k()) != null) {
                    c2.setParameter(k2);
                }
                c2.engineUpdate(a2, 0, a2.length);
                if (c2.engineVerify(i2)) {
                    boolean a4 = a(a3, certStore, a, z);
                    if (c2 != null) {
                        c2.c();
                    }
                    return a4;
                }
                this.m = "Signature on CMS Message did not verify.";
                if (c2 != null) {
                    c2.c();
                }
                return false;
            } catch (Exception e4) {
                this.m = "Signer verification failed: " + e4;
                throw new CMSException(this.m);
            }
        } catch (Throwable th) {
            if (0 != 0) {
                nyVar.c();
            }
            throw th;
        }
    }

    private boolean a(X509Certificate x509Certificate, CertStore certStore, CertStore certStore2, boolean z) throws CMSException {
        if (certStore == null) {
            return true;
        }
        HashSet hashSet = new HashSet();
        try {
            Iterator<? extends Certificate> it = certStore.getCertificates(new X509CertSelector()).iterator();
            while (it.hasNext()) {
                hashSet.add(new TrustAnchor((X509Certificate) it.next(), null));
            }
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setSubject(x509Certificate.getSubjectX500Principal().getEncoded());
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(hashSet, x509CertSelector);
            pKIXBuilderParameters.addCertStore(certStore2);
            pKIXBuilderParameters.setRevocationEnabled(z);
            try {
                new pv(this.f12046e, kb.a).engineBuild(pKIXBuilderParameters);
                return true;
            } catch (Exception e2) {
                this.m = e2.getMessage();
                return false;
            }
        } catch (Exception e3) {
            this.m = e3.getMessage();
            throw new CMSException(this.m);
        }
    }

    private byte[] a(d dVar) throws CMSException {
        for (int i2 = 0; i2 < dVar.c(); i2++) {
            d a = dVar.a(i2);
            if (a.a(0).toString().equals(ii.f10151i)) {
                return ((ae) a.a((c) ad.a, ((f) a.a(1).a(0)).i())).g();
            }
        }
        return null;
    }

    private Attribute[] a(d dVar, String str) throws CMSException {
        d a = dVar.a(str);
        return a == null ? new Attribute[0] : im.b(a);
    }

    private ij b(d dVar) {
        d a = dVar.a("sid");
        if (a.f(a.b().e()) == 0) {
            return new ij(((ae) a).g());
        }
        return new ij(new X500Principal(a.a(a.a("issuer"))), ((w) a.a("serialNumber")).g());
    }

    private void b() throws IOException {
        try {
            if (!h()) {
                throw new CMSException("Unable to decode: Expected next sequence tag SignedData");
            }
            a("CMSVersion", true);
            w wVar = (w) a.a((c) v.a, this.f12045d);
            if (wVar.i() > 5) {
                throw new CMSException("Unable to decode: Unsupported SignedData version " + wVar.i());
            }
            List<String> c2 = c();
            b("EncapsulatedContentInfo");
            a("EncapsulatedContent", true);
            this.f12048g = (ab) a.a((c) aa.a, this.f12045d);
            a(c2);
        } catch (b e2) {
            throw new CMSException("Could not decode data, invalid encoding encountered." + e2.getMessage());
        }
    }

    private void b(String str) throws IOException {
        a(str, true);
        if (h()) {
            return;
        }
        throw new CMSException("Unable to decode: Expected sequence tag " + str);
    }

    private List<String> c() throws IOException {
        c("DigestAlgorithmIdentifiers");
        ArrayList arrayList = new ArrayList();
        d a = a.a("DigestAlgorithmIdentifiers", this.f12045d);
        int c2 = a.c();
        for (int i2 = 0; i2 < c2; i2++) {
            arrayList.add(new oc(a.a(i2)).c());
        }
        return arrayList;
    }

    private void c(String str) throws IOException {
        a(str, true);
        if (i()) {
            return;
        }
        throw new CMSException("Unable to decode: Expected set tag " + str);
    }

    private Closeable d() {
        return new Closeable() { // from class: com.rsa.cryptoj.c.jq.1
            @Override // java.io.Closeable, java.lang.AutoCloseable
            public void close() throws IOException {
                jq.this.e();
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void e() throws IOException {
        try {
            if (this.f12047f == null && !(this.f12049h instanceof ji)) {
                a("End eContent explicit 0", false);
            }
            if (!(this.f12049h instanceof ji)) {
                a("End EncapsulatedContentInfo", false);
            }
            a("CertificateSet", true);
            if (f()) {
                a("RevocationInfoChoices", true);
            }
            a(g());
            a("End SignedData", false);
            if (this.f12044c.read() != -1) {
                throw new CMSException("Unexpected value.");
            }
            this.f12044c.close();
        } catch (b e2) {
            throw new CMSException("Could not decode data, invalid encoding encountered." + e2.getMessage());
        }
    }

    private boolean f() throws IOException {
        if (!a(0)) {
            return false;
        }
        d a = a.a(au.a.b("CertificateSet").c(a.c(0)), this.f12045d);
        int c2 = a.c();
        for (int i2 = 0; i2 < c2; i2++) {
            d a2 = a.a(i2);
            if (a2.b().a() == 16) {
                try {
                    this.f12062b.add(pg.a(this.f12046e, kb.a, ByteBuffer.wrap(((f) a2).i())));
                } catch (CertificateException e2) {
                    throw new CMSException(e2);
                }
            }
        }
        return true;
    }

    private boolean g() throws IOException {
        if (!a(1)) {
            return false;
        }
        d a = a.a(au.a.b("RevocationInfoChoices").c(a.c(1)), this.f12045d);
        int c2 = a.c();
        for (int i2 = 0; i2 < c2; i2++) {
            d a2 = a.a(i2);
            if (a2.b().a() != a.c(1)) {
                try {
                    this.f12063j.add(qs.a(this.f12046e, kb.a, ByteBuffer.wrap(((f) a2).i())));
                } catch (CRLException e2) {
                    throw new CMSException(e2);
                }
            }
        }
        return true;
    }

    private boolean h() {
        return this.f12045d.e() == 16;
    }

    private boolean i() {
        return this.f12045d.e() == 17;
    }

    @Override // com.rsa.jsafe.cms.SignedDataDecoder
    public String getReason() {
        return this.m;
    }

    @Override // com.rsa.jsafe.cms.SignedDataDecoder
    public boolean verify(SignerInfo signerInfo, CertStore certStore) throws CMSException {
        this.m = null;
        return a((jt) signerInfo, (CertStore) null, certStore, false);
    }

    @Override // com.rsa.jsafe.cms.SignedDataDecoder
    public boolean verify(SignerInfo signerInfo, CertStore certStore, CertStore certStore2, boolean z) throws CMSException {
        this.m = null;
        if (certStore != null) {
            return a((jt) signerInfo, certStore, certStore2, z);
        }
        this.m = "Trust store cannot be null.";
        throw new IllegalArgumentException("Trust store cannot be null.");
    }
}
