package dev.sigstore.encryption.certificates.transparency;

import dev.sigstore.encryption.certificates.transparency.SignedCertificateTimestamp;
import dev.sigstore.encryption.certificates.transparency.VerifiedSCT;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

/* loaded from: input_file:dev/sigstore/encryption/certificates/transparency/CTVerifier.class */
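/**
 * Verifies the Signed Certificate Timestamps (SCTs) embedded in an X.509 certificate against a
 * store of known Certificate Transparency logs.
 *
 * <p>Security notes for callers:
 *
 * <ul>
 *   <li>The result only records a per-SCT status. An empty result means that no SCT could be
 *       extracted from the leaf certificate, not that the certificate passed. Callers must
 *       enforce their own policy (for example, requiring at least one valid SCT).
 *   <li>Malformed SCT lists and individual SCTs that fail to decode are dropped silently, so
 *       they never appear in the result.
 *   <li>Only SCTs carried in the certificate extension are examined; the two byte-array
 *       arguments of {@link #verifySignedCertificateTimestamps} are not read.
 * </ul>
 */
public class CTVerifier {
    /** Source of the CT logs whose SCTs this verifier accepts. */
    private final CTLogStore store;

    /**
     * Creates a verifier backed by the given log store.
     *
     * @param cTLogStore store used to look up a log by the log ID found in each SCT
     */
    public CTVerifier(CTLogStore cTLogStore) {
        this.store = cTLogStore;
    }

    /**
     * Verifies the SCTs embedded in the first certificate of the chain.
     *
     * @param list certificate chain; element 0 is treated as the leaf and element 1, when
     *     present, is passed along with it to build the precertificate entry
     * @param bArr not read by this implementation (presumably SCT data from another delivery
     *     channel; confirm against callers)
     * @param bArr2 not read by this implementation (presumably SCT data from another delivery
     *     channel; confirm against callers)
     * @return a result holding one {@link VerifiedSCT} per decodable embedded SCT; empty when the
     *     leaf carries no decodable SCT list
     * @throws IllegalArgumentException if the chain is empty
     * @throws CertificateEncodingException declared by the signature; no call visible in this
     *     class throws it
     */
    public CTVerificationResult verifySignedCertificateTimestamps(List<X509Certificate> list, byte[] bArr, byte[] bArr2) throws CertificateEncodingException {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("Chain of certificates mustn't be empty.");
        }
        X509Certificate leaf = list.get(0);
        CTVerificationResult result = new CTVerificationResult();
        verifyEmbeddedSCTs(getSCTsFromX509Extension(leaf), list, result);
        return result;
    }

    /**
     * Verifies each embedded SCT against the precertificate entry built from the leaf and its
     * issuer, and records the outcome in {@code cTVerificationResult}.
     *
     * <p>If the chain has fewer than two certificates, or the entry cannot be built, every SCT is
     * recorded as {@link VerifiedSCT.Status#INVALID_SCT}.
     */
    private void verifyEmbeddedSCTs(List<SignedCertificateTimestamp> list, List<X509Certificate> list2, CTVerificationResult cTVerificationResult) {
        if (list.isEmpty()) {
            return;
        }
        CertificateEntry entry = null;
        if (list2.size() >= 2) {
            try {
                entry = CertificateEntry.createForPrecertificate(list2.get(0), list2.get(1));
            } catch (CertificateException ignored) {
                // Deliberately not rethrown: entry stays null and the SCTs are marked invalid
                // below, so the failure is reported through the result instead.
            }
        }
        if (entry == null) {
            markSCTsAsInvalid(list, cTVerificationResult);
            return;
        }
        for (SignedCertificateTimestamp sct : list) {
            cTVerificationResult.add(new VerifiedSCT(sct, verifySingleSCT(sct, entry)));
        }
    }

    /**
     * Verifies one SCT against the log identified by its log ID.
     *
     * @param signedCertificateTimestamp SCT to check
     * @param certificateEntry entry the SCT is expected to cover
     * @return {@link VerifiedSCT.Status#UNKNOWN_LOG} when the store has no log for the SCT's log
     *     ID; otherwise the status returned by that log's own verification
     */
    public VerifiedSCT.Status verifySingleSCT(SignedCertificateTimestamp signedCertificateTimestamp, CertificateEntry certificateEntry) {
        CTLogInfo knownLog = this.store.getKnownLog(signedCertificateTimestamp.getLogID());
        if (knownLog == null) {
            // An SCT from a log that is not in the store is reported, never treated as valid.
            return VerifiedSCT.Status.UNKNOWN_LOG;
        }
        return knownLog.verifySingleSCT(signedCertificateTimestamp, certificateEntry);
    }

    /** Records every SCT in {@code list} as {@link VerifiedSCT.Status#INVALID_SCT}. */
    private void markSCTsAsInvalid(List<SignedCertificateTimestamp> list, CTVerificationResult cTVerificationResult) {
        for (SignedCertificateTimestamp sct : list) {
            cTVerificationResult.add(new VerifiedSCT(sct, VerifiedSCT.Status.INVALID_SCT));
        }
    }

    /**
     * Decodes a serialized SCT list.
     *
     * @param bArr serialized list, or {@code null}
     * @param origin origin recorded on each decoded SCT
     * @return the SCTs that decoded successfully; empty when {@code bArr} is {@code null} or the
     *     list itself cannot be parsed
     */
    private static List<SignedCertificateTimestamp> getSCTsFromSCTList(byte[] bArr, SignedCertificateTimestamp.Origin origin) {
        if (bArr == null) {
            return Collections.emptyList();
        }
        try {
            // NOTE(review): the two 2s look like length-prefix widths for the list and for each
            // element; confirm against Serialization.readList.
            byte[][] encodedScts = Serialization.readList(bArr, 2, 2);
            List<SignedCertificateTimestamp> decoded = new ArrayList<>();
            for (byte[] encodedSct : encodedScts) {
                try {
                    decoded.add(SignedCertificateTimestamp.decode(encodedSct, origin));
                } catch (SerializationException ignored) {
                    // Best effort: one undecodable SCT is skipped so the remaining entries are
                    // still verified. The skipped entry does not appear in the result.
                }
            }
            return decoded;
        } catch (SerializationException malformedList) {
            // The list framing itself is malformed; treated the same as having no SCTs.
            return Collections.emptyList();
        }
    }

    /**
     * Extracts the embedded SCTs from the certificate's SCT list extension.
     *
     * @param x509Certificate certificate to read the extension from
     * @return the decoded SCTs with origin {@code EMBEDDED}; empty when the extension is absent
     *     or cannot be parsed
     */
    private List<SignedCertificateTimestamp> getSCTsFromX509Extension(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(CTConstants.X509_SCT_LIST_OID);
        if (extensionValue == null) {
            return Collections.emptyList();
        }
        try {
            // The extension value is unwrapped twice: the outer OCTET STRING returned by
            // getExtensionValue, then the OCTET STRING it contains.
            byte[] sctList = Serialization.readDEROctetString(Serialization.readDEROctetString(extensionValue));
            return getSCTsFromSCTList(sctList, SignedCertificateTimestamp.Origin.EMBEDDED);
        } catch (SerializationException ignored) {
            // An unparsable extension is treated the same as a missing one.
            return Collections.emptyList();
        }
    }
}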
