package net.netca.pki.impl.jce;

import java.util.ArrayList;
import java.util.Date;
import net.netca.pki.PkiException;
import net.netca.pki.encoding.asn1.SetOf;
import net.netca.pki.encoding.asn1.pki.Attribute;
import net.netca.pki.encoding.asn1.pki.Attributes;
import net.netca.pki.encoding.asn1.pki.JCEHasher;
import net.netca.pki.encoding.asn1.pki.X509Certificate;
import net.netca.pki.encoding.asn1.pki.cms.CertificateSet;
import net.netca.pki.encoding.asn1.pki.cms.SignedData;
import net.netca.pki.encoding.asn1.pki.cms.SignerInfo;
import net.netca.pki.global.ISignedDataDetachedVerify;

/* loaded from: classes3.dex */
public class JCESignedDataDetachedVerify implements ISignedDataDetachedVerify {
    private boolean first;
    private SignedDataVerifyInfo info;
    private JCEPki pki;
    private SignedData signedData;
    private JCEX509Certificate[] signerCerts;
    private ArrayList<SignerInfo> signerInfos;
    private VerifyHandle[] verifyHandles;
    private ArrayList<X509Certificate> certs = new ArrayList<>();
    private Date tsaTime = null;

    public JCESignedDataDetachedVerify(JCEPki jCEPki, SignedDataVerifyInfo signedDataVerifyInfo) {
        this.info = signedDataVerifyInfo;
        this.pki = jCEPki;
    }

    private void checkValidity(Date date, JCEX509Certificate[] jCEX509CertificateArr) throws PkiException {
        Date date2 = new Date();
        if (date == null) {
            date = date2;
        }
        if (!jCEX509CertificateArr[0].isInValidity(date)) {
            throw new PkiException("sign cert not in validity");
        }
        for (int i2 = 1; i2 < jCEX509CertificateArr.length; i2++) {
            if (!jCEX509CertificateArr[0].isInValidity(date2)) {
                throw new PkiException("sign cert not in validity");
            }
        }
    }

    private JCEX509Certificate[] getSignCerts() throws PkiException {
        int size = this.signerInfos.size();
        JCEX509Certificate[] jCEX509CertificateArr = new JCEX509Certificate[size];
        JCEHasher jCEHasher = new JCEHasher();
        CertificateSet certificates = this.signedData.getCertificates();
        for (int i2 = 0; i2 < size; i2++) {
            X509Certificate signCert = this.signerInfos.get(i2).getSignCert(jCEHasher, certificates, this.certs.iterator());
            if (signCert == null) {
                throw new PkiException("sign cert #" + i2 + " not found");
            }
            jCEX509CertificateArr[i2] = new JCEX509Certificate(this.pki, signCert.derEncode());
        }
        return jCEX509CertificateArr;
    }

    private VerifyHandle[] getVerifyHandles() throws PkiException {
        int size = this.signerInfos.size();
        VerifyHandle[] verifyHandleArr = new VerifyHandle[size];
        for (int i2 = 0; i2 < size; i2++) {
            verifyHandleArr[i2] = new VerifyHandle(this.pki, this.signerInfos.get(i2), this.signerCerts[i2]);
        }
        return verifyHandleArr;
    }

    public static Date verifySignatureTimeStamp(JCEPki jCEPki, SignerInfo signerInfo) throws PkiException {
        Attribute attribute;
        Attributes unsignedAttrs = signerInfo.getUnsignedAttrs();
        if (unsignedAttrs == null || (attribute = unsignedAttrs.get(Attribute.SIGNATURE_TIMESTAMP)) == null) {
            return null;
        }
        SetOf value = attribute.getValue();
        if (value.size() != 1) {
            return null;
        }
        return jCEPki.verifyTimeStamp(signerInfo.getSignature(), value.get(0).encode());
    }

    @Override // net.netca.pki.global.ISignedDataDetachedVerify
    public void addCert(net.netca.pki.global.X509Certificate x509Certificate) throws PkiException {
        this.certs.add(new X509Certificate(x509Certificate.derEncode()));
    }

    @Override // net.netca.pki.global.ISignedDataDetachedVerify
    public byte[] attachSignatureTimeStamp() throws PkiException {
        SignedData signedData = this.signedData;
        if (signedData == null) {
            throw new PkiException("must verify first");
        }
        this.tsaTime = JCESignedDataDetachedSign.attachSignatureTimeStamp(this.pki, signedData);
        SignedData signedData2 = this.signedData;
        return signedData2.encode(signedData2.isContentInfo());
    }

    @Override // net.netca.pki.global.ISignedDataDetachedVerify
    public void detachedVerifyFinal() throws PkiException {
        SignedData signedData = this.signedData;
        if (signedData == null) {
            throw new PkiException("not call detachedVerifyInit first");
        }
        if (this.verifyHandles == null) {
            throw new PkiException("not call detachedVerifyUpdate first");
        }
        String contentType = signedData.getEncapContentInfo().getContentType();
        int i2 = 0;
        while (true) {
            VerifyHandle[] verifyHandleArr = this.verifyHandles;
            if (i2 >= verifyHandleArr.length) {
                break;
            }
            verifyHandleArr[i2].verify(this.signerInfos.get(i2), this.signerCerts[i2], contentType);
            i2++;
        }
        for (int i3 = 0; i3 < this.signerInfos.size(); i3++) {
            JCESignedDataVerify.matchSignerInfo(this.signerInfos.get(i3), this.info);
        }
        Date verifySignatureTimeStamp = verifySignatureTimeStamp(this.pki, this.signedData.getSignerInfos().get(0));
        this.tsaTime = verifySignatureTimeStamp;
        checkValidity(verifySignatureTimeStamp, this.signerCerts);
    }

    @Override // net.netca.pki.global.ISignedDataDetachedVerify
    public void detachedVerifyInit(byte[] bArr, int i2, int i3) throws PkiException {
        this.first = true;
        SignedData signedData = new SignedData(bArr, i2, i3);
        this.signedData = signedData;
        if (!signedData.isDetached()) {
            throw new PkiException("signeddata is not detached");
        }
        if (this.signedData.getSignerInfoCount() == 0) {
            throw new PkiException("no signerinfo");
        }
        if (this.info.isContentInfo != null) {
            if (this.signedData.isContentInfo()) {
                if (!this.info.isContentInfo.booleanValue()) {
                    throw new PkiException("signeddata break contentinfo constraint");
                }
            } else if (this.info.isContentInfo.booleanValue()) {
                throw new PkiException("signeddata break contentinfo constraint");
            }
        }
        this.signerInfos = this.signedData.getSignerInfos();
    }

    @Override // net.netca.pki.global.ISignedDataDetachedVerify
    public void detachedVerifyUpdate(byte[] bArr, int i2, int i3) throws PkiException {
        if (this.signedData == null) {
            throw new PkiException("not call detachedVerifyInit first");
        }
        int i4 = 0;
        if (this.first) {
            this.signerCerts = getSignCerts();
            this.verifyHandles = getVerifyHandles();
            this.first = false;
        }
        while (true) {
            VerifyHandle[] verifyHandleArr = this.verifyHandles;
            if (i4 >= verifyHandleArr.length) {
                return;
            }
            verifyHandleArr[i4].update(bArr, i2, i3);
            i4++;
        }
    }

    @Override // net.netca.pki.global.ISignedDataDetachedVerify
    public net.netca.pki.global.X509Certificate getSignCert() throws PkiException {
        JCEX509Certificate[] jCEX509CertificateArr = this.signerCerts;
        if (jCEX509CertificateArr != null && jCEX509CertificateArr.length >= 1) {
            return jCEX509CertificateArr[0];
        }
        return null;
    }

    @Override // net.netca.pki.global.ISignedDataDetachedVerify
    public Date getSignatureTimeStampTime() throws PkiException {
        return this.tsaTime;
    }
}
