package defpackage;

import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;

/* compiled from: :com.google.android.gms */
/* loaded from: classes2.dex */
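/**
 * Verifier for device certificate chains and signed CRL bundles (decompiled, obfuscated names).
 *
 * <p>Two entry points are visible here: {@link #a(byte[], long)} authenticates a serialized CRL
 * bundle and {@link #a(List, long)} validates a device certificate path. Both fail closed:
 * every handled error is reported through the {@code gtr} sink and turned into {@code null} /
 * {@code false}; nothing in this class treats a failed check as success.
 *
 * <p>All state is assigned once in the constructor and is therefore declared {@code final}.
 */
public final class gto {
    public static final gzz a = new gzz("DeviceCertVerifier", (byte) 0);

    // Sink that receives every failure message (optionally with the causing exception).
    private final gtr b;
    // Passed as the trust-anchor argument when the device certificate path is validated.
    // Raw type kept: the element type is not visible in this listing.
    private final Set c;
    // Passed as the trust-anchor argument when the CRL signer certificate is validated.
    private final Set d;
    // True when a revocation check is mandatory for device certificates.
    private final boolean e;
    // Helper that supplies certificate parsing, path building/validation, and the signature and
    // digest objects used below.
    // NOTE(review): unlike b, c and d this is not null-checked in the constructor, so a null
    // helper only surfaces as an uncaught NullPointerException at verification time.
    private final gtv f;

    /* JADX INFO: Access modifiers changed from: package-private */
    public gto(gtr gtrVar, Set set, Set set2, boolean z, gtv gtvVar) {
        this.b = (gtr) a(gtrVar);
        this.c = (Set) a(set);
        this.d = (Set) a(set2);
        this.e = z;
        this.f = gtvVar;
    }

    /** Returns a fresh {@code gtq}; presumably the builder for this class — TODO confirm. */
    public static gtq a() {
        return new gtq();
    }

    /**
     * Returns {@code obj} unchanged, rejecting {@code null}.
     *
     * @throws NullPointerException if {@code obj} is {@code null}
     */
    public static Object a(Object obj) {
        if (obj == null) {
            throw new NullPointerException();
        }
        return obj;
    }

    /**
     * Precondition helper for untrusted input: throws {@code gtp} carrying {@code str} when
     * {@code z} is false.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void a(boolean z, String str) {
        if (!z) {
            throw new gtp(str);
        }
    }

    /**
     * Parses and authenticates a serialized CRL bundle.
     *
     * <p>Entries are examined in order and entries whose version field is not 0 are skipped. The
     * first version-0 entry decides the outcome; later entries are never tried, even if that
     * entry is rejected. For that entry the method checks, in this order: the validity window
     * against {@code j}, the signer certificate's path against the CRL trust anchors, and the
     * signature over the raw CRL bytes.
     *
     * @param bArr serialized CRL bundle (untrusted input)
     * @param j current time in seconds (it is converted with {@code TimeUnit.SECONDS} for path
     *     validation and compared directly with the CRL issuance/expiration fields)
     * @return the verified CRL wrapper, or {@code null} when any check fails; the reason is
     *     reported through the {@code gtr} sink
     * @throws AssertionError if path validation succeeds but the trust anchor has no certificate
     */
    public final gts a(byte[] bArr, long j) {
        try {
            ameo bundle = (ameo) asac.mergeFrom(new ameo(), bArr);
            a(bundle.a.length > 0, "Empty CRL bundle");
            for (amen entry : bundle.a) {
                a(entry.a != null && entry.b != null && entry.c != null, "CRL is missing a required field.");
                ameq body = (ameq) asac.mergeFrom(new ameq(), entry.a);
                if (body.a != 0) {
                    this.b.a("Skipping unsupported CRL version: " + body.a);
                    continue;
                }

                // The validity window is read from the not-yet-authenticated body. That is safe
                // here because every outcome of these checks is a rejection, never an acceptance.
                a(body.b > 0, "Invalid CRL issuance time: " + body.b);
                if (body.b > j) {
                    this.b.a("CRL is not yet valid: issuanceTime=" + body.b + ", currentTime=" + j);
                    return null;
                }
                a(body.c > body.b, "Invalid CRL validity period: " + body.b + ", " + body.c);
                if (j > body.c) {
                    this.b.a("CRL has expired: expirationTime=" + body.c + ", currentTime=" + j);
                    return null;
                }

                // Already implied by the required-field check above; kept as in the listing.
                a(entry.b != null, "CRL is missing a signer certificate.");
                X509Certificate signerCert = this.f.a(entry.b);
                try {
                    // The signer certificate must chain to one of the CRL trust anchors before
                    // its public key is trusted for signature verification.
                    X509Certificate trustedCert = this.f
                            .a(this.f.a.generateCertPath(Arrays.asList(signerCert)), TimeUnit.SECONDS.toMillis(j), this.d)
                            .getTrustAnchor()
                            .getTrustedCert();
                    if (trustedCert == null) {
                        throw new AssertionError("Trust anchor missing a certificate. Unexpected failure because all CRL trust anchors are specified as certificates.");
                    }

                    // The signature covers the raw serialized CRL body (entry.a), i.e. the same
                    // bytes that were parsed into `body` above.
                    Signature verifier = this.f.c();
                    verifier.initVerify(signerCert.getPublicKey());
                    verifier.update(entry.a);
                    if (!verifier.verify(entry.c)) {
                        this.b.a("CRL signature is invalid.");
                        return null;
                    }

                    // NOTE(review): the digest of the whole bundle is computed and discarded in
                    // this decompiled listing; presumably the original used the value — TODO
                    // confirm. The call is kept so that behaviour stays as listed.
                    this.f.b().digest(bArr);
                    return new gts(this.b, this.f, body, new gtu(body.b, body.c, signerCert, trustedCert));
                } catch (InvalidAlgorithmParameterException | CertPathValidatorException e) {
                    this.b.a("CRL signer certificate path validation failed with exception.", e);
                    return null;
                }
            }
            this.b.a("No supported CRL version found in a CRL bundle. CRL verification failed.");
        } catch (asab | gtp | InvalidKeyException | SignatureException | CertificateException e2) {
            this.b.a("CRL verification failed due to an exception.", e2);
        }
        return null;
    }

    /**
     * Validates a device certificate path without a CRL.
     *
     * <p>When revocation checking is required ({@code e} is true) this overload always fails,
     * because it has no CRL to consult. Otherwise only path validation against the device trust
     * anchors is performed; no revocation information is checked.
     *
     * <p>The decompiled listing contained a second {@code if (this.e)} branch after path
     * validation that dereferenced a {@code gts} local initialised to {@code null}. That branch
     * was unreachable (the method has already returned when {@code e} is true) and could only
     * have thrown an uncaught {@code NullPointerException}, so it is removed.
     *
     * @param list certificate path input handed to the {@code gtv} helper; must be non-empty
     * @param j current time in seconds
     * @return {@code true} only if path validation completes without an exception
     * @throws IllegalArgumentException if {@code list} is empty (not caught here)
     */
    public final boolean a(List list, long j) {
        try {
            if (this.e) {
                this.b.a("Device certificate revocation check is required, but no CRL has been provided.");
                return false;
            }
            if (list.isEmpty()) {
                throw new IllegalArgumentException("Empty certificate path.");
            }
            CertPath path = this.f.a(list);
            // The validation result is not inspected; an invalid path presumably surfaces as
            // CertPathValidatorException, which is handled below — TODO confirm in gtv.
            this.f.a(path, TimeUnit.SECONDS.toMillis(j), this.c);
            return true;
        } catch (InvalidAlgorithmParameterException | CertPathValidatorException | CertificateException e) {
            this.b.a("Device certificate verification failed due to exception.", e);
            return false;
        }
    }
}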
