package eu.emi.security.authn.x509.helpers.ocsp;

import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.OCSPResponder;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationErrorCode;
import eu.emi.security.authn.x509.helpers.ObserversHandler;
import eu.emi.security.authn.x509.helpers.ocsp.OCSPResult;
import eu.emi.security.authn.x509.helpers.pkipath.SimpleValidationErrorException;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cert.ocsp.OCSPException;

/* loaded from: input_file:eu/emi/security/authn/x509/helpers/ocsp/OCSPVerifier.class */
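/**
 * Checks the revocation status of a certificate by querying OCSP responders.
 *
 * <p>Responders come from two sources: the Authority Information Access (AIA)
 * extension of the certificate being checked, and the locally configured
 * responders from {@link OCSPParametes}. They are tried in order until one
 * returns a status other than {@code unknown}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>A result with status {@code unknown} is not a "good" answer. The caller
 *       decides whether its revocation policy accepts or rejects it.</li>
 *   <li>Failures of every responder except the last are only reported to the
 *       observers as warnings. Only a failure of the last responder becomes a
 *       {@link SimpleValidationErrorException}.</li>
 *   <li>AIA responder addresses are taken from the certificate under
 *       validation, so they are attacker-influenced input.</li>
 * </ul>
 */
public class OCSPVerifier {
    private final OCSPParametes params;
    private final ObserversHandler observers;

    // Prefix handed to OCSPCachingClient together with the disk cache path.
    // NOTE(review): public, static and non-final, so any code can reassign it
    // process-wide; left unchanged to keep the class's external interface.
    public static String OCSP_CACHE_PFX = "ocspresp_";

    /**
     * @param oCSPParametes    OCSP settings (local responders, ordering preference,
     *                         cache TTL and path, nonce use, connect timeout)
     * @param observersHandler receives warnings and errors raised while
     *                         contacting responders or parsing responder addresses
     */
    public OCSPVerifier(OCSPParametes oCSPParametes, ObserversHandler observersHandler) {
        this.params = oCSPParametes;
        this.observers = observersHandler;
    }

    /**
     * Queries the available OCSP responders for the status of a certificate.
     *
     * @param x509Certificate  certificate whose revocation status is requested
     * @param x509Certificate2 certificate attached to every responder derived from
     *                         the AIA extension (presumably the issuer certificate;
     *                         confirm against callers)
     * @return the first result whose status is not {@code unknown}, or a result
     *         with status {@code unknown} if every responder answered that way
     * @throws SimpleValidationErrorException if no responder is available, or if
     *         the last responder in the list could not be queried successfully
     */
    public OCSPResult verify(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws SimpleValidationErrorException {
        List<OCSPResponder> certificateResponders = getOCSPUrls(x509Certificate, x509Certificate2);
        OCSPResponder[] localResponders = this.params.getLocalResponders();
        List<OCSPResponder> responders = new ArrayList<OCSPResponder>();
        if (this.params.isPreferLocalResponders()) {
            Collections.addAll(responders, localResponders);
            responders.addAll(certificateResponders);
        } else {
            responders.addAll(certificateResponders);
            Collections.addAll(responders, localResponders);
        }
        if (responders.isEmpty()) {
            throw new SimpleValidationErrorException(ValidationErrorCode.ocspNoResponder, new Object[0]);
        }

        String diskCachePath = this.params.getDiskCachePath();
        File diskCache = diskCachePath == null ? null : new File(diskCachePath);
        OCSPCachingClient client = new OCSPCachingClient(this.params.getCacheTtl(), diskCache, OCSP_CACHE_PFX);

        int last = responders.size() - 1;
        for (int i = 0; i <= last; i++) {
            OCSPResponder responder = responders.get(i);
            OCSPResult result;
            try {
                result = client.queryForCertificate(responder.getAddress(), x509Certificate, responder.getCertificate(), null, this.params.isUseNonce(), this.params.getConntectTimeout());
            } catch (Exception e) {
                this.observers.notifyObservers(responder.getAddress().toExternalForm(), StoreUpdateListener.OCSP, StoreUpdateListener.Severity.WARNING, e);
                if (i < last) {
                    // Another responder is still available. Without this jump the
                    // status check below would read a result that was never assigned.
                    continue;
                }
                throw toValidationError(responder, e);
            }
            if (result.getStatus() != OCSPResult.Status.unknown) {
                return result;
            }
        }
        return new OCSPResult(OCSPResult.Status.unknown);
    }

    /**
     * Maps a failure of the last responder to the matching validation error.
     * The specific exception types are tested before the generic fallback, so
     * the {@code ocspResponseInvalid} mapping stays reachable.
     */
    private SimpleValidationErrorException toValidationError(OCSPResponder responder, Exception failure) {
        if (failure instanceof IOException) {
            return new SimpleValidationErrorException(ValidationErrorCode.ocspResponderQueryError, responder.getAddress(), failure.getMessage());
        }
        if (failure instanceof OCSPException) {
            return new SimpleValidationErrorException(ValidationErrorCode.ocspResponseInvalid, responder.getAddress(), failure.getMessage());
        }
        return new SimpleValidationErrorException(ValidationErrorCode.ocspOtherError, responder.getAddress(), failure.toString());
    }

    /**
     * Extracts the OCSP responder addresses from the Authority Information Access
     * extension of the certificate being checked.
     *
     * @param x509Certificate  certificate whose AIA extension is read
     * @param x509Certificate2 certificate stored in every returned responder
     * @return responders for all AIA entries with the OCSP access method and a URI
     *         location that parses as a URL; empty if the extension is absent
     * @throws SimpleValidationErrorException if the extension cannot be decoded
     */
    protected List<OCSPResponder> getOCSPUrls(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws SimpleValidationErrorException {
        byte[] extensionValue = x509Certificate.getExtensionValue(X509Extension.authorityInfoAccess.getId());
        if (extensionValue == null) {
            return new ArrayList<OCSPResponder>();
        }

        AccessDescription[] accessDescriptions;
        try {
            accessDescriptions = readAccessDescriptions(extensionValue);
        } catch (IOException e) {
            throw new SimpleValidationErrorException(ValidationErrorCode.ocspOtherError, "unknown", "Can't extract Authority Info Access extension: " + e.toString());
        } catch (RuntimeException e) {
            // The extension content is supplied by the certificate under
            // validation. A structurally wrong value surfaces as an unchecked
            // exception (failed cast, rejected type, missing object); report it
            // as a validation error instead of letting it escape the validator.
            throw new SimpleValidationErrorException(ValidationErrorCode.ocspOtherError, "unknown", "Can't extract Authority Info Access extension: " + e.toString());
        }

        List<OCSPResponder> responders = new ArrayList<OCSPResponder>();
        for (AccessDescription description : accessDescriptions) {
            if (!description.getAccessMethod().equals(AccessDescription.id_ad_ocsp)) {
                continue;
            }
            GeneralName accessLocation = description.getAccessLocation();
            if (accessLocation.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            // NOTE(review): this listing is decompiler output and getName() does
            // not return a string type directly; the original source presumably
            // cast to the IA5String type of the BouncyCastle version in use.
            String address = accessLocation.getName().getString();
            try {
                // NOTE(review): the address is chosen by whoever issued the
                // certificate being checked, and every scheme java.net.URL accepts
                // passes here. Confirm that the OCSP client only speaks HTTP(S) and
                // that requests to certificate-chosen hosts are acceptable.
                responders.add(new OCSPResponder(new URL(address), x509Certificate2));
            } catch (MalformedURLException e) {
                this.observers.notifyObservers(address, StoreUpdateListener.OCSP, StoreUpdateListener.Severity.ERROR, new Exception("OCSP responder address in certificate being checked is not a valid URL: " + e.getMessage(), e));
            }
        }
        return responders;
    }

    /**
     * Decodes the raw extension value (an OCTET STRING wrapping the AIA sequence)
     * into its access descriptions. Both streams are closed on every path.
     */
    private static AccessDescription[] readAccessDescriptions(byte[] extensionValue) throws IOException {
        ASN1OctetString wrapped;
        ASN1InputStream outer = new ASN1InputStream(extensionValue);
        try {
            wrapped = (ASN1OctetString) outer.readObject();
        } finally {
            outer.close();
        }

        ASN1Sequence sequence;
        ASN1InputStream inner = new ASN1InputStream(wrapped.getOctets());
        try {
            sequence = ASN1Sequence.getInstance(inner.readObject());
        } finally {
            inner.close();
        }
        return AuthorityInformationAccess.getInstance(sequence).getAccessDescriptions();
    }
}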
