package zr;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.HashSet;
import org.conscrypt.NativeCrypto;
import org.conscrypt.OpenSSLX509Certificate;

/* compiled from: CertificateEntry.java */
/* loaded from: classes2.dex */
public final class d {
    public d(int i10, byte[] bArr) {
        if (i10 == 2 && bArr == null) {
            throw new IllegalArgumentException("issuerKeyHash missing for precert entry.");
        }
        if (i10 == 1 && bArr != null) {
            throw new IllegalArgumentException("unexpected issuerKeyHash for X509 entry.");
        }
        if (bArr != null && bArr.length != 32) {
            throw new IllegalArgumentException("issuerKeyHash must be 32 bytes long");
        }
    }

    public static d a(OpenSSLX509Certificate openSSLX509Certificate, OpenSSLX509Certificate openSSLX509Certificate2) throws CertificateException {
        try {
            if (!((HashSet) openSSLX509Certificate.getNonCriticalExtensionOIDs()).contains("1.3.6.1.4.1.11129.2.4.2")) {
                throw new CertificateException("Certificate does not contain embedded signed timestamps");
            }
            OpenSSLX509Certificate openSSLX509Certificate3 = new OpenSSLX509Certificate(NativeCrypto.X509_dup(openSSLX509Certificate.f61380c, openSSLX509Certificate), openSSLX509Certificate.f61382e, openSSLX509Certificate.f61383f);
            NativeCrypto.X509_delete_ext(openSSLX509Certificate3.f61380c, openSSLX509Certificate3, "1.3.6.1.4.1.11129.2.4.2");
            openSSLX509Certificate3.getTBSCertificate();
            byte[] encoded = openSSLX509Certificate2.getPublicKey().getEncoded();
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(encoded);
            return new d(2, messageDigest.digest());
        } catch (NoSuchAlgorithmException e10) {
            throw new RuntimeException(e10);
        }
    }
}
