package com.airwatch.revocationcheck;

import android.text.TextUtils;
import com.airwatch.agent.condition.ui.ConditionFeedbackActivity;
import com.airwatch.app.OpenForTesting;
import com.airwatch.crypto.openssl.OpenSSLCryptUtil;
import com.airwatch.revocationcheck.CertificateUsagePolicy;
import com.airwatch.revocationcheck.RevocationCheckResponse;
import com.airwatch.util.CertificateUtils;
import com.airwatch.util.Logger;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import kotlin.Metadata;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Lambda;
import org.apache.tika.parser.external.ExternalParsersConfigReaderMetKeys;

@OpenForTesting
@Metadata(d1 = {"\u0000j\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\b\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0004\n\u0002\u0010\u0011\n\u0002\b\b\n\u0002\u0010\u000b\n\u0002\b\b\b\u0017\u0018\u0000 22\u00020\u0001:\u00012B1\b\u0000\u0012\u0018\u0010\u0002\u001a\u0014\u0012\u0004\u0012\u00020\u0004\u0012\n\u0012\b\u0012\u0004\u0012\u00020\u00060\u00050\u0003\u0012\u0006\u0010\u0007\u001a\u00020\b\u0012\u0006\u0010\t\u001a\u00020\n¢\u0006\u0002\u0010\u000bJ\u0018\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u00142\u0006\u0010\u0015\u001a\u00020\u0016H\u0002J\u0010\u0010\u0017\u001a\u00020\u00182\u0006\u0010\u0019\u001a\u00020\u0016H\u0017J,\u0010\u001a\u001a\u00020\u001b2\u0006\u0010\u001c\u001a\u00020\u001d2\b\b\u0002\u0010\u001e\u001a\u00020\u000e2\b\b\u0002\u0010\u0013\u001a\u00020\u00142\u0006\u0010\u001f\u001a\u00020\u0016H\u0002J%\u0010 
\u001a\u00020\u001b2\f\u0010!\u001a\b\u0012\u0004\u0012\u00020\u00060\"2\b\u0010#\u001a\u0004\u0018\u00010\u001bH\u0016¢\u0006\u0002\u0010$J4\u0010%\u001a\u00020\u00142\u0006\u0010\u001c\u001a\u00020\u001d2\f\u0010&\u001a\b\u0012\u0004\u0012\u00020\u00060\u00052\f\u0010\u0002\u001a\b\u0012\u0004\u0012\u00020\u00060\u00052\u0006\u0010\u001f\u001a\u00020\u0016H\u0002J1\u0010'\u001a\n\u0012\u0004\u0012\u00020\u0006\u0018\u00010\u00052\f\u0010!\u001a\b\u0012\u0004\u0012\u00020\u00060\"2\f\u0010\u0002\u001a\b\u0012\u0004\u0012\u00020\u00060\u0005H\u0002¢\u0006\u0002\u0010(J\u0010\u0010)\u001a\u00020\u00122\u0006\u0010\f\u001a\u00020\u0004H\u0016J\b\u0010*\u001a\u00020+H\u0002J1\u0010,\u001a\u00020+2\f\u0010!\u001a\b\u0012\u0004\u0012\u00020\u00060\"2\f\u0010\u0002\u001a\b\u0012\u0004\u0012\u00020\u00060\u00052\u0006\u0010\u001f\u001a\u00020\u0016H\u0002¢\u0006\u0002\u0010-J\u0010\u0010.\u001a\u00020+2\u0006\u0010\u001f\u001a\u00020\u0016H\u0002J#\u0010/\u001a\u00020+2\f\u0010!\u001a\b\u0012\u0004\u0012\u00020\u00060\"2\u0006\u00100\u001a\u00020\u001bH\u0002¢\u0006\u0002\u00101R\u000e\u0010\t\u001a\u00020\nX\u0082\u0004¢\u0006\u0002\n\u0000R\u0010\u0010\f\u001a\u0004\u0018\u00010\u0004X\u0082\u000e¢\u0006\u0002\n\u0000R\u000e\u0010\u0007\u001a\u00020\bX\u0082\u0004¢\u0006\u0002\n\u0000R\u0014\u0010\r\u001a\u00020\u000e8RX\u0082\u0004¢\u0006\u0006\u001a\u0004\b\u000f\u0010\u0010R \u0010\u0002\u001a\u0014\u0012\u0004\u0012\u00020\u0004\u0012\n\u0012\b\u0012\u0004\u0012\u00020\u00060\u00050\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u00063"}, d2 = {"Lcom/airwatch/revocationcheck/OCSPChecker;", "Lcom/airwatch/revocationcheck/RevocationChecker;", "trustedCerts", "Lkotlin/Function1;", "Lcom/airwatch/revocationcheck/RevocationCheckConfig;", "", "Ljava/security/cert/X509Certificate;", "openSSLUtil", "Lcom/airwatch/crypto/openssl/OpenSSLCryptUtil;", "certUtils", "Lcom/airwatch/util/CertificateUtils;", 
"(Lkotlin/jvm/functions/Function1;Lcom/airwatch/crypto/openssl/OpenSSLCryptUtil;Lcom/airwatch/util/CertificateUtils;)V", "config", "optionsFlag", "", "getOptionsFlag", "()I", "appendEnvelopeErrors", "", "envelope", "Lcom/airwatch/revocationcheck/RevocationCheckResponse$Envelope;", "policyBuilder", "Lcom/airwatch/revocationcheck/CertificateUsagePolicy$Builder;", "buildPolicy", "Lcom/airwatch/revocationcheck/CertificateUsagePolicy;", ConditionFeedbackActivity.BUILDER, "buildResponse", "Lcom/airwatch/revocationcheck/RevocationCheckResponse;", "certSubject", "", "ttl", "usagePolicyBuilder", ExternalParsersConfigReaderMetKeys.CHECK_TAG, "chain", "", "previousResponse", "([Ljava/security/cert/X509Certificate;Lcom/airwatch/revocationcheck/RevocationCheckResponse;)Lcom/airwatch/revocationcheck/RevocationCheckResponse;", "executeRevocationCheck", "certChain", "getCertificateChainForRevocationCheck", "([Ljava/security/cert/X509Certificate;Ljava/util/List;)Ljava/util/List;", "init", "shouldDoRevocationCheck", "", "validateCertificateChain", "([Ljava/security/cert/X509Certificate;Ljava/util/List;Lcom/airwatch/revocationcheck/CertificateUsagePolicy$Builder;)Z", "validateConfig", "validateResponse", "response", "([Ljava/security/cert/X509Certificate;Lcom/airwatch/revocationcheck/RevocationCheckResponse;)Z", "Companion", "AWFramework_release"}, k = 1, mv = {1, 5, 1}, xi = 48)
/* loaded from: classes4.dex */
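/*
 * OCSP implementation of RevocationChecker, as recovered by JADX from a compiled Kotlin class.
 *
 * check() validates the configuration, selects the certificates to query, records a trust
 * failure for the presented chain, and then either reuses a still-valid previous response or
 * calls OpenSSLCryptUtil.doRevocationCheck(). Failures are recorded as error values on a
 * CertificateUsagePolicy.Builder (the values 1, 2, 4 ... 256 look like bit flags -- confirm in
 * CertificateUsagePolicy). Whether the certificate may still be used is decided by the
 * predicate handed to Builder.build(), see the nested classes a and b.
 *
 * Review notes:
 *  - When getRevocationStrictness() == 0, predicate a answers true for every error value, so
 *    none of the failures recorded here (untrusted chain, unverified response, non-zero
 *    envelope status, unreachable responder) blocks usage by itself. Deployments that need
 *    hard-fail behaviour depend on a non-zero strictness setting.
 *  - Two decompiler artefacts are repaired so the class is valid Java: predicate a is an inner
 *    (non-static) class because it reads OCSPChecker.this.config, and executeRevocationCheck()
 *    no longer reads an unassigned local. Both repairs are reconstructions; confirm them
 *    against the bytecode before relying on them.
 */
public class OCSPChecker implements RevocationChecker {
    // Integer codes declared by this class. Only RET_OK, OCSP_RESPONDER_URL_INVALID and
    // OCSP_RESPONDER_NOT_REACHABLE are compared against the result of
    // OpenSSLCryptUtil.doRevocationCheck() here; the others are not referenced in this class.
    public static final int CERT_OR_ISSUER_NULL = -1;
    public static final int CERT_REVOCATION_SET_METHOD_NFOUND = -5;
    // Option bits combined by getOptionsFlag() and passed to doRevocationCheck().
    private static final int ENABLE_NONCE = 1;
    private static final int ENABLE_VERIFICATION_OCSP_TRUST_OTHERS_FLAG = 8;
    public static final int GET_CERTIFICATE_METHOD_NFOUND = -10;
    public static final int GET_SIZE_METHOD_NFOUND = -9;
    public static final int INVALID_STATUS_TIME = -2;
    public static final int ISSUER_CERT_NOT_PRESENT = -3;
    public static final int MEM_ALLOC_FAIL = -7;
    // Leaf plus issuer: the number of certificates used for a leaf-only check.
    public static final int MIN_CHAIN_LEN_FOR_OCSP_CHECK = 2;
    public static final int NONCE_STATUS_SET_METHOD_NFOUND = -12;
    public static final int NXT_UPDATE_SET_METHOD_NFOUND = -6;
    public static final int OCSP_REQUEST_PREPARE_FAILED = -4;
    public static final int OCSP_RESPONDER_NOT_REACHABLE = -16;
    public static final int OCSP_RESPONDER_RETURNED_FAILURE = -14;
    public static final int OCSP_RESPONDER_URL_INVALID = -15;
    public static final int RES_STATUS_SET_METHOD_NFOUND = -8;
    public static final int RET_OK = 0;
    public static final int REVOC_TIME_SET_METHOD_NFOUND = -11;
    private static final String TAG = "OCSPChecker";
    public static final int THIS_UPDATE_SET_METHOD_NFOUND = -13;
    private static final int USE_AIA_OCSP_URL = 2;
    private static final int VERIFY_ONLY_USER_CERT = 4;
    private final CertificateUtils certUtils;
    // Set by init(); null until then, which validateConfig() reports as CheckerInitializationException.
    private RevocationCheckConfig config;
    private final OpenSSLCryptUtil openSSLUtil;
    // Supplies the trust anchors for a given configuration.
    private final Function1<RevocationCheckConfig, List<X509Certificate>> trustedCerts;

    /**
     * Usage predicate that buildPolicy() hands to CertificateUsagePolicy.Builder.build().
     *
     * Answers true when the argument is 0, or when the configured revocation strictness is 0
     * regardless of the argument. The argument is presumably the accumulated error value
     * (the Kotlin metadata names it "e") -- confirm in CertificateUsagePolicy.Builder.build().
     *
     * Declared as an inner class: the decompiler printed it as static, but the body reads
     * OCSPChecker.this.config, which a static nested class cannot do.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Metadata(d1 = {"\u0000\f\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0010\b\u0010\u0000\u001a\u00020\u00012\u0006\u0010\u0002\u001a\u00020\u0003H\n"}, d2 = {"<anonymous>", "", "e", ""}, k = 3, mv = {1, 5, 1}, xi = 48)
    /* loaded from: classes4.dex */
    public final class a extends Lambda implements Function1<Integer, Boolean> {
        a() {
            super(1);
        }

        public final Boolean a(int i) {
            if (i == 0) {
                return Boolean.valueOf(true);
            }
            RevocationCheckConfig revocationCheckConfig = OCSPChecker.this.config;
            Intrinsics.checkNotNull(revocationCheckConfig);
            // Strictness 0 allows usage whatever was recorded; any other strictness denies it.
            return Boolean.valueOf(revocationCheckConfig.getRevocationStrictness() == 0);
        }

        @Override // kotlin.jvm.functions.Function1
        public /* synthetic */ Boolean invoke(Integer num) {
            return a(num.intValue());
        }
    }

    /**
     * Usage predicate for the fallback path in check(): it ignores its argument and repeats
     * the allow/deny decision stored in the captured previous response.
     */
    @Metadata(d1 = {"\u0000\f\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0010\b\u0010\u0000\u001a\u00020\u00012\u0006\u0010\u0002\u001a\u00020\u0003H\n"}, d2 = {"<anonymous>", "", "it", ""}, k = 3, mv = {1, 5, 1}, xi = 48)
    /* loaded from: classes4.dex */
    static final class b extends Lambda implements Function1<Integer, Boolean> {
        final /* synthetic */ RevocationCheckResponse a;

        /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
        b(RevocationCheckResponse revocationCheckResponse) {
            super(1);
            this.a = revocationCheckResponse;
        }

        public final Boolean a(int i) {
            return Boolean.valueOf(this.a.getUsagePolicy().getAllowUsage());
        }

        @Override // kotlin.jvm.functions.Function1
        public /* synthetic */ Boolean invoke(Integer num) {
            return a(num.intValue());
        }
    }

    /**
     * Creates a checker. All three collaborators must be non-null; init() must be called
     * before check().
     *
     * @param trustedCerts supplies the trusted certificates for a configuration
     * @param openSSLUtil performs the revocation check itself
     * @param certUtils chain building and trust evaluation helpers
     */
    /* JADX WARN: Multi-variable type inference failed */
    public OCSPChecker(Function1<? super RevocationCheckConfig, ? extends List<? extends X509Certificate>> trustedCerts, OpenSSLCryptUtil openSSLUtil, CertificateUtils certUtils) {
        Intrinsics.checkNotNullParameter(trustedCerts, "trustedCerts");
        Intrinsics.checkNotNullParameter(openSSLUtil, "openSSLUtil");
        Intrinsics.checkNotNullParameter(certUtils, "certUtils");
        this.trustedCerts = trustedCerts;
        this.openSSLUtil = openSSLUtil;
        this.certUtils = certUtils;
    }

    /**
     * Translates the envelope's status and verification flags into policy errors.
     *
     * Status 1 records error 32 and status 2 records error 16. Status 0 records error 8 when
     * the nonce is enforced but not verified, and error 4 when the response is not verified.
     * The status values presumably mirror the OCSP certificate status (0 good, 1 revoked,
     * 2 unknown) -- confirm in RevocationCheckResponse.Envelope.
     *
     * NOTE(review): any other status value records no error at all, and for status 1 and 2 the
     * verified/nonce flags are not consulted.
     */
    private final void appendEnvelopeErrors(RevocationCheckResponse.Envelope envelope, CertificateUsagePolicy.Builder policyBuilder) {
        Logger.d$default(TAG, Intrinsics.stringPlus("Revocation Status from Envelope: ", Integer.valueOf(envelope.getStatus())), null, 4, null);
        int status = envelope.getStatus();
        if (status == 1) {
            policyBuilder.appendError(32);
            return;
        }
        if (status == 2) {
            policyBuilder.appendError(16);
            return;
        }
        if (status != 0) {
            return;
        }
        RevocationCheckConfig revocationCheckConfig = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig);
        if (revocationCheckConfig.getRevocationCheckNonceEnforced() == 1 && !envelope.getNonceVerified()) {
            Logger.d$default(TAG, "Nonce verification failed", null, 4, null);
            policyBuilder.appendError(8);
        }
        if (!envelope.getVerified()) {
            Logger.d$default(TAG, "Response verification failed", null, 4, null);
            policyBuilder.appendError(4);
        }
    }

    /**
     * Adds the envelope-derived errors to the builder and wraps envelope, built policy and ttl
     * in a response. certSubject is not used here; it only feeds the default envelope created
     * by buildResponse$default.
     */
    private final RevocationCheckResponse buildResponse(String certSubject, int ttl, RevocationCheckResponse.Envelope envelope, CertificateUsagePolicy.Builder usagePolicyBuilder) {
        appendEnvelopeErrors(envelope, usagePolicyBuilder);
        return new RevocationCheckResponse(envelope, buildPolicy(usagePolicyBuilder), ttl);
    }

    /**
     * Kotlin default-argument bridge for buildResponse. Mask bit 2 replaces the ttl argument
     * with 7 and mask bit 4 replaces the envelope with a fresh Envelope for the subject.
     * check() calls it with mask 6, so the ttl and envelope it passes there are placeholders.
     */
    static /* synthetic */ RevocationCheckResponse buildResponse$default(OCSPChecker oCSPChecker, String str, int i, RevocationCheckResponse.Envelope envelope, CertificateUsagePolicy.Builder builder, int i2, Object obj) {
        if (obj != null) {
            throw new UnsupportedOperationException("Super calls with default arguments not supported in this target, function: buildResponse");
        }
        if ((i2 & 2) != 0) {
            i = 7;
        }
        if ((i2 & 4) != 0) {
            envelope = new RevocationCheckResponse.Envelope(str);
        }
        return oCSPChecker.buildResponse(str, i, envelope, builder);
    }

    /**
     * Runs the revocation check through OpenSSLCryptUtil and records failures on the builder.
     *
     * A configured responder URL is passed only when getRevocationCheckUseAia() is not 2 and
     * the URL is non-empty; otherwise null is passed (presumably leaving the responder to be
     * taken from the certificate's AIA extension -- confirm in the native implementation).
     *
     * Any non-zero result records error 2. In addition OCSP_RESPONDER_NOT_REACHABLE records
     * error 128 and OCSP_RESPONDER_URL_INVALID records error 256.
     *
     * NOTE(review): the decompiled text returned before appending the specific error and read
     * a local that was never assigned on the remaining path, which is not valid Java. The
     * mapping above is reconstructed from two visible uses: check() tests for error 128 to
     * fall back to a previous response, and validateConfig() records 256 for a missing URL.
     * Confirm against the bytecode.
     *
     * @return the envelope populated by the native call; the same instance on every path
     */
    private final RevocationCheckResponse.Envelope executeRevocationCheck(String certSubject, List<? extends X509Certificate> certChain, List<? extends X509Certificate> trustedCerts, CertificateUsagePolicy.Builder usagePolicyBuilder) {
        Logger.d$default(TAG, Intrinsics.stringPlus("executeRevocationCheck() ", certSubject), null, 4, null);
        CertificateChainAsList trustedCertsAsList = new CertificateChainAsList(trustedCerts);
        RevocationCheckResponse.Envelope envelope = new RevocationCheckResponse.Envelope(certSubject);
        CertificateChainAsList certChainAsList = new CertificateChainAsList(certChain);
        RevocationCheckConfig revocationCheckConfig = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig);
        String responderUrl = null;
        if (revocationCheckConfig.getRevocationCheckUseAia() != 2 && !TextUtils.isEmpty(revocationCheckConfig.getRevocationCheckUrl())) {
            responderUrl = revocationCheckConfig.getRevocationCheckUrl();
        }
        Logger.i$default(TAG, Intrinsics.stringPlus("executing ocsp check over: ", certSubject), null, 4, null);
        int doRevocationCheck = this.openSSLUtil.doRevocationCheck(certChainAsList, getOptionsFlag(), responderUrl, envelope, trustedCertsAsList);
        if (doRevocationCheck == RET_OK) {
            Logger.d$default(TAG, "Revocation check result for " + envelope.getCertSubject() + ": " + doRevocationCheck, null, 4, null);
            return envelope;
        }
        Logger.w$default(TAG, "Revocation check failed for " + envelope.getCertSubject() + " with reason code: " + doRevocationCheck, null, 4, null);
        usagePolicyBuilder.appendError(2);
        if (doRevocationCheck == OCSP_RESPONDER_NOT_REACHABLE) {
            usagePolicyBuilder.appendError(128);
        } else if (doRevocationCheck == OCSP_RESPONDER_URL_INVALID) {
            usagePolicyBuilder.appendError(256);
        }
        return envelope;
    }

    /**
     * Selects the certificates submitted for the revocation check.
     *
     * Check type 0 uses the chain up to the root as built by CertificateUtils. Any other check
     * type uses leaf plus issuer: the first two entries of the presented chain, or, when the
     * chain holds a single certificate, the leaf with an issuer looked up by CertificateUtils.
     * The caller treats a null or empty result as a failure.
     */
    private final List<X509Certificate> getCertificateChainForRevocationCheck(X509Certificate[] chain, List<? extends X509Certificate> trustedCerts) {
        RevocationCheckConfig revocationCheckConfig = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig);
        if (revocationCheckConfig.getRevocationCheckType() == 0) {
            Logger.d$default(TAG, "Check type : entire chain", null, 4, null);
            return this.certUtils.getCertificateChainUptoRoot(chain, trustedCerts);
        }
        Logger.d$default(TAG, "Check type : leaf cert", null, 4, null);
        if (chain.length < MIN_CHAIN_LEN_FOR_OCSP_CHECK) {
            return this.certUtils.getChainWithIssuerCert(chain[0], trustedCerts);
        }
        return Arrays.asList(Arrays.copyOf(chain, chain.length)).subList(0, MIN_CHAIN_LEN_FOR_OCSP_CHECK);
    }

    /**
     * Builds the option bits passed to doRevocationCheck() from the configuration: nonce
     * enforced == 1 sets ENABLE_NONCE, use-AIA != 0 sets USE_AIA_OCSP_URL, check type == 1
     * sets VERIFY_ONLY_USER_CERT, and response verification setting == 1 sets
     * ENABLE_VERIFICATION_OCSP_TRUST_OTHERS_FLAG. How the native side interprets each bit is
     * not visible in this class.
     */
    private int getOptionsFlag() {
        RevocationCheckConfig revocationCheckConfig = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig);
        int flags = revocationCheckConfig.getRevocationCheckNonceEnforced() == 1 ? ENABLE_NONCE : 0;
        if (revocationCheckConfig.getRevocationCheckUseAia() != 0) {
            flags |= USE_AIA_OCSP_URL;
        }
        if (revocationCheckConfig.getRevocationCheckType() == 1) {
            flags |= VERIFY_ONLY_USER_CERT;
        }
        if (revocationCheckConfig.getRevocationCheckResponseVerificationSetting() == 1) {
            flags |= ENABLE_VERIFICATION_OCSP_TRUST_OTHERS_FLAG;
        }
        return flags;
    }

    /** True only when the configuration has OCSP revocation checking set to 1. */
    private final boolean shouldDoRevocationCheck() {
        RevocationCheckConfig revocationCheckConfig = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig);
        return revocationCheckConfig.getRevocationCheckUsingOCSPEnabled() == 1;
    }

    /**
     * Records error 64 when CertificateUtils does not consider the presented chain trusted.
     *
     * @return true when the chain is trusted, false after recording the error
     */
    private final boolean validateCertificateChain(X509Certificate[] chain, List<? extends X509Certificate> trustedCerts, CertificateUsagePolicy.Builder usagePolicyBuilder) {
        if (this.certUtils.isTrusted(chain, trustedCerts)) {
            return true;
        }
        usagePolicyBuilder.appendError(64);
        return false;
    }

    /**
     * Decides whether a revocation check can run with the current configuration.
     *
     * Returns false without recording an error when OCSP checking is not enabled, and false
     * with error 256 when AIA is not used (value 0) and no responder URL is configured.
     *
     * @throws CheckerInitializationException when init() has not been called
     */
    private final boolean validateConfig(CertificateUsagePolicy.Builder usagePolicyBuilder) {
        if (this.config == null) {
            throw new CheckerInitializationException();
        }
        if (!shouldDoRevocationCheck()) {
            Logger.d$default(TAG, "Revocation check not setup/enabled, returning", null, 4, null);
            return false;
        }
        RevocationCheckConfig revocationCheckConfig = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig);
        if (revocationCheckConfig.getRevocationCheckUseAia() != 0) {
            return true;
        }
        if (!TextUtils.isEmpty(revocationCheckConfig.getRevocationCheckUrl())) {
            return true;
        }
        Logger.d$default(TAG, "Revocation check URL not available", null, 4, null);
        usagePolicyBuilder.appendError(256);
        return false;
    }

    /**
     * A previous response is reusable when its subject equals the leaf's subject DN and its
     * ttl lies after the current wall-clock time.
     *
     * NOTE(review): getTtl() is compared with System.currentTimeMillis(), so it is presumably
     * an absolute expiry in epoch milliseconds -- confirm in RevocationCheckResponse. The
     * comparison uses the device wall clock, so a clock set back keeps a cached response valid
     * for longer.
     */
    private final boolean validateResponse(X509Certificate[] chain, RevocationCheckResponse response) {
        return Intrinsics.areEqual(response.getCertSubject(), chain[0].getSubjectDN().getName()) && response.getTtl() > System.currentTimeMillis();
    }

    /**
     * Builds the usage policy from the accumulated errors, using predicate a to decide whether
     * usage is allowed.
     */
    public CertificateUsagePolicy buildPolicy(CertificateUsagePolicy.Builder builder) {
        Intrinsics.checkNotNullParameter(builder, "builder");
        return builder.build(new a());
    }

    /**
     * Checks the revocation state of the leaf certificate chain[0].
     *
     * Order of evaluation: configuration check, selection of the certificates to query (error
     * 64 and 1 when none can be built), trust check of the presented chain, reuse of a valid
     * previous response, native OCSP check, and finally the unreachable-responder fallback.
     *
     * NOTE(review): the result of validateCertificateChain() is not used to stop the flow; an
     * untrusted chain only adds error 64 and the OCSP check still runs.
     * NOTE(review): the fallback requires only a non-null previousResponse, error 128 and
     * strictness 1. It does not re-check that previousResponse belongs to this subject or is
     * still within its ttl, and it builds its policy from the previous error plus 128, not
     * from the errors collected in this call. Confirm that callers only pass a response cached
     * for the same certificate.
     *
     * @param chain presented chain, leaf first; must not be empty
     * @param previousResponse cached response for this certificate, or null
     * @throws CheckerInitializationException when init() has not been called
     * @throws EmptyCertificateChainException when chain has no entries
     */
    @Override // com.airwatch.revocationcheck.RevocationChecker
    public RevocationCheckResponse check(X509Certificate[] chain, RevocationCheckResponse previousResponse) throws CheckerInitializationException, EmptyCertificateChainException {
        Intrinsics.checkNotNullParameter(chain, "chain");
        Logger.d$default(TAG, "check() called", null, 4, null);
        if (chain.length == 0) {
            throw new EmptyCertificateChainException();
        }
        String certSubject = chain[0].getSubjectDN().getName();
        CertificateUsagePolicy.Builder builder = new CertificateUsagePolicy.Builder();
        if (!validateConfig(builder)) {
            Intrinsics.checkNotNullExpressionValue(certSubject, "certSubject");
            // Mask 6: ttl and envelope are replaced by the defaults (7 and a fresh envelope).
            return buildResponse$default(this, certSubject, 0, null, builder, 6, null);
        }
        Function1<RevocationCheckConfig, List<X509Certificate>> function1 = this.trustedCerts;
        RevocationCheckConfig revocationCheckConfig = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig);
        List<X509Certificate> invoke = function1.invoke(revocationCheckConfig);
        List<X509Certificate> certificateChainForRevocationCheck = getCertificateChainForRevocationCheck(chain, invoke);
        if (certificateChainForRevocationCheck == null || certificateChainForRevocationCheck.isEmpty()) {
            builder.appendError(64);
            builder.appendError(1);
            Intrinsics.checkNotNullExpressionValue(certSubject, "certSubject");
            return buildResponse$default(this, certSubject, 0, null, builder, 6, null);
        }
        // Return value deliberately unused in the decompiled code: only error 64 is recorded.
        validateCertificateChain(chain, invoke, builder);
        if (previousResponse != null && validateResponse(chain, previousResponse)) {
            Logger.d$default(TAG, Intrinsics.stringPlus("Using cache response for ", previousResponse.getCertSubject()), null, 4, null);
            Intrinsics.checkNotNullExpressionValue(certSubject, "certSubject");
            return buildResponse(certSubject, 0, previousResponse.getEnvelope$AWFramework_release(), builder);
        }
        Intrinsics.checkNotNullExpressionValue(certSubject, "certSubject");
        RevocationCheckResponse.Envelope executeRevocationCheck = executeRevocationCheck(certSubject, certificateChainForRevocationCheck, invoke, builder);
        if (previousResponse != null && builder.containsError(128)) {
            RevocationCheckConfig revocationCheckConfig2 = this.config;
            Intrinsics.checkNotNull(revocationCheckConfig2);
            if (revocationCheckConfig2.getRevocationStrictness() == 1) {
                // Responder unreachable: repeat the previous response and its allow/deny decision.
                CertificateUsagePolicy fallbackPolicy = new CertificateUsagePolicy.Builder()
                        .appendError(previousResponse.getUsagePolicy().getError())
                        .appendError(128)
                        .build(new b(previousResponse));
                return new RevocationCheckResponse(previousResponse.getCertSubject(), previousResponse.getTtl(), previousResponse.getRevokedAt(), previousResponse.getStatus(), previousResponse.getVerified(), previousResponse.getNonceVerified(), fallbackPolicy);
            }
        }
        RevocationCheckConfig revocationCheckConfig3 = this.config;
        Intrinsics.checkNotNull(revocationCheckConfig3);
        return buildResponse(certSubject, revocationCheckConfig3.getRevocationStatusTtl(), executeRevocationCheck, builder);
    }

    /** Stores the configuration used by every later check(); must be called before check(). */
    @Override // com.airwatch.revocationcheck.RevocationChecker
    public void init(RevocationCheckConfig config) {
        Intrinsics.checkNotNullParameter(config, "config");
        this.config = config;
    }
}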
