package eu.emi.security.authn.x509.helpers.ocsp;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.BinaryCertChainValidator;
import eu.emi.security.authn.x509.helpers.proxy.ProxyTracingExtension;
import eu.emi.security.authn.x509.helpers.ssl.DisabledNameMismatchCallback;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.FormatMode;
import eu.emi.security.authn.x509.impl.SocketFactoryCreator2;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Random;
import javax.net.ssl.HttpsURLConnection;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: input_file:eu/emi/security/authn/x509/helpers/ocsp/OCSPClientImpl.class */
public class OCSPClientImpl {
    private static final Charset ASCII = Charset.forName("US-ASCII");
    private static final int MAX_RESPONSE_SIZE = 20480;

    public OCSPResult queryForCertificate(URL url, X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Credential x509Credential, boolean z, int i) throws IOException, OCSPException {
        OCSPReq createRequest = createRequest(x509Certificate, x509Certificate2, x509Credential, z);
        OCSPResp response = send(url, createRequest, i).getResponse();
        byte[] bArr = null;
        if (z) {
            bArr = extractNonce(createRequest);
        }
        return new OCSPResult(verifyResponse(response, x509Certificate, x509Certificate2, bArr));
    }

    public OCSPReq createRequest(X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Credential x509Credential, boolean z) throws OCSPException {
        OCSPReqBuilder oCSPReqBuilder = new OCSPReqBuilder();
        try {
            oCSPReqBuilder.addRequest(new CertificateID(new BcDigestCalculatorProvider().get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(x509Certificate2), x509Certificate.getSerialNumber()));
            if (z) {
                byte[] bArr = new byte[16];
                new Random().nextBytes(bArr);
                oCSPReqBuilder.setRequestExtensions(new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(bArr))));
            }
            if (x509Credential == null) {
                return oCSPReqBuilder.build();
            }
            oCSPReqBuilder.setRequestorName(new X500Name(x509Credential.getCertificate().getSubjectX500Principal().getName()));
            try {
                return oCSPReqBuilder.build(new JcaContentSignerBuilder(x509Credential.getCertificate().getSigAlgOID()).build(x509Credential.getKey()), (X509CertificateHolder[]) null);
            } catch (OperatorCreationException e) {
                throw new OCSPException("Unsupported signing algorithm when creating a OCSP request?", e);
            }
        } catch (CertificateEncodingException e2) {
            throw new OCSPException("Issuer certificate is unsupported ", e2);
        } catch (OperatorCreationException e3) {
            throw new OCSPException("Problem creating digester", e3);
        }
    }

    public OCSPResponseStructure send(URL url, OCSPReq oCSPReq, int i) throws IOException {
        HttpURLConnection httpURLConnection;
        InputStream inputStream = null;
        byte[] encoded = oCSPReq.getEncoded();
        try {
            String httpGetUrl = getHttpGetUrl(url, encoded);
            if (httpGetUrl == null) {
                httpURLConnection = doPost(url, encoded, i);
            } else {
                httpURLConnection = (HttpURLConnection) new URL(httpGetUrl).openConnection();
                configureHttpConnection(httpURLConnection, i);
            }
            InputStream inputStream2 = httpURLConnection.getInputStream();
            int contentLength = httpURLConnection.getContentLength();
            if (contentLength == -1 || contentLength > MAX_RESPONSE_SIZE) {
                contentLength = MAX_RESPONSE_SIZE;
            }
            Date nextUpdateFromCacheHeader = getNextUpdateFromCacheHeader(httpURLConnection.getHeaderField("cache-control"));
            byte[] bArr = new byte[contentLength];
            int i2 = 0;
            int i3 = 0;
            while (i2 < contentLength) {
                i3 = inputStream2.read(bArr, i2, bArr.length - i2);
                if (i3 < 0) {
                    break;
                }
                i2 += i3;
            }
            if (i3 >= 0 && inputStream2.read() >= 0) {
                throw new IOException("OCSP response size exceeded the upper limit of 20480");
            }
            if (i2 != contentLength) {
                bArr = Arrays.copyOf(bArr, i2);
            }
            if (inputStream2 != null) {
                try {
                    inputStream2.close();
                } catch (IOException e) {
                    throw e;
                }
            }
            return new OCSPResponseStructure(new OCSPResp(bArr), nextUpdateFromCacheHeader);
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    inputStream.close();
                } catch (IOException e2) {
                    throw e2;
                }
            }
            throw th;
        }
    }

    private void configureHttpConnection(HttpURLConnection httpURLConnection, int i) {
        if (httpURLConnection instanceof HttpsURLConnection) {
            ((HttpsURLConnection) httpURLConnection).setSSLSocketFactory(new SocketFactoryCreator2(new BinaryCertChainValidator(true), new DisabledNameMismatchCallback()).getSocketFactory());
        }
        httpURLConnection.setConnectTimeout(i);
        httpURLConnection.setReadTimeout(i);
    }

    private String getHttpGetUrl(URL url, byte[] bArr) {
        if (url.toExternalForm().length() + bArr.length > 255) {
            return null;
        }
        try {
            String encode = URLEncoder.encode(new String(Base64.encode(bArr), ASCII), ASCII.name());
            String externalForm = url.toExternalForm();
            String str = externalForm.endsWith("/") ? externalForm + encode : externalForm + "/" + encode;
            if (str.length() > 255) {
                return null;
            }
            return str;
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("US-ASCII encoding is not known?", e);
        }
    }

    private HttpURLConnection doPost(URL url, byte[] bArr, int i) throws IOException {
        HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
        configureHttpConnection(httpURLConnection, i);
        OutputStream outputStream = null;
        try {
            httpURLConnection.setDoOutput(true);
            httpURLConnection.setRequestMethod("POST");
            httpURLConnection.setRequestProperty("Content-type", "application/ocsp-request");
            httpURLConnection.setRequestProperty("Content-length", String.valueOf(bArr.length));
            outputStream = httpURLConnection.getOutputStream();
            outputStream.write(bArr);
            outputStream.flush();
            if (outputStream != null) {
                try {
                    outputStream.close();
                } catch (IOException e) {
                    throw e;
                }
            }
            return httpURLConnection;
        } catch (Throwable th) {
            if (outputStream != null) {
                try {
                    outputStream.close();
                } catch (IOException e2) {
                    throw e2;
                }
            }
            throw th;
        }
    }

    public static Date getNextUpdateFromCacheHeader(String str) {
        if (str == null) {
            return null;
        }
        int indexOf = str.indexOf("max-age=");
        if (indexOf == -1) {
            return null;
        }
        int indexOf2 = str.indexOf(",", indexOf + 8);
        if (indexOf2 == -1) {
            indexOf2 = str.length();
        }
        try {
            return new Date(System.currentTimeMillis() + (Integer.parseInt(str.substring(r10, indexOf2).trim()) * 1000));
        } catch (NumberFormatException e) {
            return null;
        }
    }

    private static String getResponderErrorDesc(int i) {
        switch (i) {
            case ProxyTracingExtension.ISSUER_EXTENSION /* 1 */:
                return "malformed request";
            case ProxyTracingExtension.SUBJECT_EXTENSION /* 2 */:
                return "internal server error";
            case 3:
                return "try again later";
            case 4:
            default:
                return "unknown error";
            case 5:
                return "request is required to be signed";
            case 6:
                return "request was not authorized";
        }
    }

    public SingleResp verifyResponse(OCSPResp oCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, byte[] bArr) throws OCSPException {
        if (oCSPResp.getStatus() != 0) {
            throw new OCSPException("Responder returned an error: " + getResponderErrorDesc(oCSPResp.getStatus()));
        }
        Object responseObject = oCSPResp.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new OCSPException("Only Basic OCSP response type is supported");
        }
        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;
        if (bArr != null) {
            try {
                byte[] encoded = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getExtnValue().getEncoded();
                if (encoded == null) {
                    throw new OCSPException("Nonce was sent and is required but did not get it in reply");
                }
                try {
                    byte[] octets = ASN1Primitive.fromByteArray(encoded).getOctets();
                    if (!Arrays.equals(octets, bArr)) {
                        throw new OCSPException("Received nonce doesn't match the one sent to the server. Sent: " + Arrays.toString(bArr) + " received: " + Arrays.toString(octets));
                    }
                } catch (Exception e) {
                    throw new OCSPException("Nonce received with the reply is invalid, unable to parse it", e);
                }
            } catch (IOException e2) {
                throw new OCSPException("Can't parse OCSP nonce extension", e2);
            }
        }
        try {
            if (!basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().build(establishResponsePubKey(basicOCSPResp, x509Certificate2)))) {
                throw new OCSPException("Failed to verify the OCSP response signature. It is corrupted or faked");
            }
            if (basicOCSPResp.getCriticalExtensionOIDs().size() > 0) {
                throw new OCSPException("OCSP contains unsupported critical extensions: " + basicOCSPResp.getCriticalExtensionOIDs());
            }
            for (SingleResp singleResp : basicOCSPResp.getResponses()) {
                if (singleResp.getCriticalExtensionOIDs().size() > 0) {
                    throw new OCSPException("OCSP SingleResponse contains unsupported critical extensions: " + singleResp.getCriticalExtensionOIDs());
                }
                if (checkCertIDMatching(x509Certificate, x509Certificate2, singleResp.getCertID())) {
                    verifyTimeRange(singleResp.getThisUpdate(), singleResp.getNextUpdate());
                    return singleResp;
                }
            }
            throw new OCSPException("Received a correct answer from OCSP responder, but it didn't contain any information on the certificate being checked");
        } catch (OperatorCreationException e3) {
            throw new OCSPException("The OCSP is signed with unsupported key: can not verify its signature", e3);
        }
    }

    private void verifyTimeRange(Date date, Date date2) throws OCSPException {
        Date date3 = new Date();
        if (date == null) {
            throw new OCSPException("Malformed OCSP response, no thisUpdate time");
        }
        if (date2 == null) {
            throw new OCSPException("Unsupported OCSP response, no nextUpdate time (required by RFC 5019)");
        }
        Date date4 = new Date(date3.getTime() + 120000);
        Date date5 = new Date(date3.getTime() - 120000);
        if (date4.before(date)) {
            throw new OCSPException("Response is not yet valid, will be from: " + date);
        }
        if (date5.after(date2)) {
            throw new OCSPException("Response has expired on: " + date2);
        }
    }

    private boolean checkCertIDMatching(X509Certificate x509Certificate, X509Certificate x509Certificate2, CertificateID certificateID) throws OCSPException {
        try {
            CertificateID certificateID2 = new CertificateID(new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(certificateID.getHashAlgOID())), new JcaX509CertificateHolder(x509Certificate2), x509Certificate.getSerialNumber());
            if (certificateID2.getHashAlgOID().equals(certificateID.getHashAlgOID()) && Arrays.equals(certificateID2.getIssuerKeyHash(), certificateID.getIssuerKeyHash())) {
                if (Arrays.equals(certificateID2.getIssuerNameHash(), certificateID.getIssuerNameHash())) {
                    return true;
                }
            }
            return false;
        } catch (OperatorCreationException e) {
            throw new OCSPException("Cant get digester for the checked certificate, the algorithm is: " + certificateID.getHashAlgOID(), e);
        } catch (CertificateEncodingException e2) {
            throw new OCSPException("Issuer certificate is unsupported", e2);
        }
    }

    private PublicKey establishResponsePubKey(BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate) throws OCSPException {
        X509CertificateHolder[] certs = basicOCSPResp.getCerts();
        if (certs == null || certs.length == 0) {
            return x509Certificate.getPublicKey();
        }
        try {
            X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certs[0]);
            if (certificate.equals(x509Certificate)) {
                return x509Certificate.getPublicKey();
            }
            if (!x509Certificate.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())) {
                throw new OCSPException("Response is signed by an untrusted/invalid entity: " + CertificateUtils.format(certificate, FormatMode.COMPACT_ONE_LINE));
            }
            try {
                List<String> extendedKeyUsage = certificate.getExtendedKeyUsage();
                if (extendedKeyUsage == null || !extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
                    throw new OCSPException("Response is signed by an entity which does not have the OCSP delegation from the CA (no flag in ExtendedKeyUsage)");
                }
                try {
                    certificate.verify(x509Certificate.getPublicKey(), "BC");
                    return certificate.getPublicKey();
                } catch (Exception e) {
                    throw new OCSPException("Response contains a certificate which is improperly signed, it is faked or corrupted: " + e.getMessage(), e);
                }
            } catch (CertificateParsingException e2) {
                throw new OCSPException("Response contains an unparsable certificate (ExtendedKeyUsage)", e2);
            }
        } catch (CertificateException e3) {
            throw new OCSPException("Can't unwrap signer's certificate from the BasicOCSPResp", e3);
        }
    }

    public static byte[] extractNonce(OCSPReq oCSPReq) throws IOException {
        byte[] encoded;
        Extension extension = oCSPReq.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (extension == null || (encoded = extension.getExtnValue().getEncoded()) == null) {
            return null;
        }
        try {
            return ASN1Primitive.fromByteArray(encoded).getOctets();
        } catch (Exception e) {
            throw new IllegalStateException("Can't decode nonce encoded in request", e);
        }
    }
}
