package com.itextpdf.signatures.validation.v1;

import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.signatures.ICrlClient;
import com.itextpdf.signatures.IOcspClient;
import com.itextpdf.signatures.IssuingCertificateRetriever;
import com.itextpdf.signatures.validation.v1.context.CertificateSource;
import com.itextpdf.signatures.validation.v1.context.ValidationContext;
import com.itextpdf.signatures.validation.v1.context.ValidatorContext;
import com.itextpdf.signatures.validation.v1.extensions.CertificateExtension;
import com.itextpdf.signatures.validation.v1.report.CertificateReportItem;
import com.itextpdf.signatures.validation.v1.report.ReportItem;
import com.itextpdf.signatures.validation.v1.report.ValidationReport;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

/* loaded from: classes3.dex */
/**
 * Validates an X.509 certificate and then, recursively, the issuer certificates above it.
 *
 * <p>For each certificate, {@link #validate} runs these steps in order: validity period check,
 * required extensions check, trust lookup through the {@link IssuingCertificateRetriever},
 * revocation data validation, and finally signature verification against the issuer's public key.
 * Findings are appended to the supplied {@link ValidationReport}; none of the methods in this
 * class throws on a failed check.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A certificate that the retriever reports as trusted ends the walk: revocation data and
 *       issuer checks are not run for it.</li>
 *   <li>The same validation date is used for every certificate in the chain.</li>
 *   <li>Unless "continue after failure" is enabled for the context, any report result other than
 *       {@code VALID} stops further checks.</li>
 * </ul>
 */
public class CertificateChainValidator {
    static final String CERTIFICATE_CHECK = "Certificate check.";
    static final String CERTIFICATE_TRUSTED = "Certificate {0} is trusted, revocation data checks are not required.";
    static final String EXPIRED_CERTIFICATE = "Certificate {0} is expired.";
    static final String EXTENSIONS_CHECK = "Required certificate extensions check.";
    static final String EXTENSION_MISSING = "Required extension {0} is missing or incorrect.";
    static final String ISSUER_CANNOT_BE_VERIFIED = "Issuer certificate {0} for subject certificate {1} cannot be mathematically verified.";
    static final String ISSUER_MISSING = "Certificate {0} isn't trusted and issuer certificate isn't provided.";
    static final String NOT_YET_VALID_CERTIFICATE = "Certificate {0} is not yet valid.";
    static final String VALIDITY_CHECK = "Certificate validity period check.";
    private final IssuingCertificateRetriever certificateRetriever;
    private final SignatureValidationProperties properties;
    private final RevocationDataValidator revocationDataValidator;

    /**
     * Creates a validator that takes its collaborators from the given builder.
     *
     * <p>Decompiler note: this constructor was package-private in the compiled class and was
     * widened to {@code public} by the decompiler.
     *
     * @param validatorChainBuilder source of the certificate retriever, the validation properties
     *                              and the revocation data validator
     */
    public CertificateChainValidator(ValidatorChainBuilder validatorChainBuilder) {
        this.certificateRetriever = validatorChainBuilder.getCertificateRetriever();
        this.properties = validatorChainBuilder.getProperties();
        this.revocationDataValidator = validatorChainBuilder.getRevocationDataValidator();
    }

    /**
     * Decides whether the remaining checks should be skipped.
     *
     * @param validationReport  report whose current result is inspected
     * @param validationContext context used to look up the "continue after failure" setting
     * @return {@code true} when continue-after-failure is off for the context and the report result
     *         is anything other than {@code VALID}
     */
    private boolean stopValidation(ValidationReport validationReport, ValidationContext validationContext) {
        if (this.properties.getContinueAfterFailure(validationContext)) {
            return false;
        }
        return validationReport.getValidationResult() != ValidationReport.ValidationResult.VALID;
    }

    /**
     * Looks up the issuer of the certificate, verifies the certificate's signature with the
     * issuer's public key and then validates the issuer itself.
     *
     * <p>A missing issuer is reported as {@code INDETERMINATE}; a signature that cannot be verified
     * is reported as {@code INVALID}.
     *
     * @param validationReport  report that receives the findings
     * @param validationContext context; the issuer is validated with its certificate source set to
     *                          {@code CERT_ISSUER}
     * @param x509Certificate   certificate whose issuer is checked
     * @param date              validation date passed on unchanged to the issuer validation
     */
    private void validateChain(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        X509Certificate issuer = (X509Certificate) this.certificateRetriever.retrieveIssuerCertificate(x509Certificate);
        if (issuer != null) {
            try {
                // verify() only establishes that the issuer's key produced the signature.
                // NOTE(review): no CA / basic-constraints check is visible in this method; presumably
                // that is covered by the required extensions configured per context. Confirm.
                x509Certificate.verify(issuer.getPublicKey());
                ValidationContext issuerContext = validationContext.setCertificateSource(CertificateSource.CERT_ISSUER);
                // NOTE(review): the recursion has no depth bound or cycle check in this class; it ends
                // when the retriever returns null or a trusted certificate, or when a failure stops
                // validation. Confirm the retriever cannot hand back a loop.
                validate(validationReport, issuerContext, issuer, date);
            } catch (GeneralSecurityException verifyFailure) {
                String message = MessageFormatUtil.format(ISSUER_CANNOT_BE_VERIFIED, issuer.getSubjectX500Principal(), x509Certificate.getSubjectX500Principal());
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, message, verifyFailure, ReportItem.ReportItemStatus.INVALID));
            }
            return;
        }
        // No issuer available for an untrusted certificate: the chain cannot be completed.
        String message = MessageFormatUtil.format(ISSUER_MISSING, x509Certificate.getSubjectX500Principal());
        validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, message, ReportItem.ReportItemStatus.INDETERMINATE));
    }

    /**
     * Reports every required extension that the certificate does not satisfy as {@code INVALID}.
     *
     * @param validationReport  report that receives the findings
     * @param validationContext context used to look up the list of required extensions
     * @param x509Certificate   certificate to inspect
     */
    private void validateRequiredExtensions(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate) {
        List<CertificateExtension> required = this.properties.getRequiredExtensions(validationContext);
        if (required == null) {
            // Nothing configured for this context, so nothing is enforced here.
            return;
        }
        for (CertificateExtension extension : required) {
            if (extension.existsInCertificate(x509Certificate)) {
                continue;
            }
            String message = MessageFormatUtil.format(EXTENSION_MISSING, extension.getExtensionOid());
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, EXTENSIONS_CHECK, message, ReportItem.ReportItemStatus.INVALID));
        }
    }

    /**
     * Hands the certificate to the revocation data validator.
     *
     * @param validationReport  report that receives the findings
     * @param validationContext context passed through to the revocation data validator
     * @param x509Certificate   certificate whose revocation status is checked
     * @param date              validation date passed through unchanged
     */
    private void validateRevocationData(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        this.revocationDataValidator.validate(validationReport, validationContext, x509Certificate, date);
    }

    /**
     * Checks that the given date lies inside the certificate's validity period and reports an
     * expired or not-yet-valid certificate as {@code INVALID}.
     *
     * @param validationReport report that receives the findings
     * @param x509Certificate  certificate to check
     * @param date             date at which the certificate must be valid
     */
    private void validateValidityPeriod(ValidationReport validationReport, X509Certificate x509Certificate, Date date) {
        try {
            x509Certificate.checkValidity(date);
        } catch (CertificateExpiredException expired) {
            String message = MessageFormatUtil.format(EXPIRED_CERTIFICATE, x509Certificate.getSubjectX500Principal());
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, VALIDITY_CHECK, message, expired, ReportItem.ReportItemStatus.INVALID));
        } catch (CertificateNotYetValidException notYetValid) {
            String message = MessageFormatUtil.format(NOT_YET_VALID_CERTIFICATE, x509Certificate.getSubjectX500Principal());
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, VALIDITY_CHECK, message, notYetValid, ReportItem.ReportItemStatus.INVALID));
        }
    }

    /**
     * Registers a CRL client with the underlying revocation data validator.
     *
     * @param iCrlClient CRL client to add
     * @return this validator, for call chaining
     */
    public CertificateChainValidator addCrlClient(ICrlClient iCrlClient) {
        this.revocationDataValidator.addCrlClient(iCrlClient);
        return this;
    }

    /**
     * Registers an OCSP client with the underlying revocation data validator.
     *
     * @param iOcspClient OCSP client to add
     * @return this validator, for call chaining
     */
    public CertificateChainValidator addOcspClient(IOcspClient iOcspClient) {
        this.revocationDataValidator.addOcspClient(iOcspClient);
        return this;
    }

    /**
     * Validates one certificate and, if it is not trusted, continues with its issuer.
     *
     * <p>Order of checks: validity period, required extensions, trust lookup, revocation data,
     * issuer signature. Between the stages {@link #stopValidation} may end the run early.
     *
     * @param validationReport  report to append findings to; the same instance is returned
     * @param validationContext context of the caller
     * @param x509Certificate   certificate to validate
     * @param date              date at which the certificate is validated
     * @return the report passed in, with the findings of this run added
     */
    public ValidationReport validate(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        ValidationContext localContext = validationContext.setValidatorContext(ValidatorContext.CERTIFICATE_CHAIN_VALIDATOR);
        validateValidityPeriod(validationReport, x509Certificate, date);
        // NOTE(review): the extension lookup and the first stop decision use the caller's context,
        // while the revocation stage below uses the validator-scoped one. If properties are keyed by
        // validator context, these can resolve to different settings. Confirm this is intended.
        validateRequiredExtensions(validationReport, validationContext, x509Certificate);
        if (stopValidation(validationReport, validationContext)) {
            return validationReport;
        }
        if (this.certificateRetriever.isCertificateTrusted(x509Certificate)) {
            // A trusted certificate ends the walk here: no revocation or issuer checks are run for it.
            String message = MessageFormatUtil.format(CERTIFICATE_TRUSTED, x509Certificate.getSubjectX500Principal());
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, message, ReportItem.ReportItemStatus.INFO));
            return validationReport;
        }
        validateRevocationData(validationReport, localContext, x509Certificate, date);
        if (stopValidation(validationReport, localContext)) {
            return validationReport;
        }
        // The issuer walk receives the caller's context again; validate() re-applies the validator
        // context on the next level.
        validateChain(validationReport, validationContext, x509Certificate, date);
        return validationReport;
    }

    /**
     * Validates a certificate into a freshly created report.
     *
     * @param validationContext context of the caller
     * @param x509Certificate   certificate to validate
     * @param date              date at which the certificate is validated
     * @return a new report holding the findings
     */
    public ValidationReport validateCertificate(ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        ValidationReport freshReport = new ValidationReport();
        return validate(freshReport, validationContext, x509Certificate, date);
    }
}
