package ink.rayin.htmladapter.openhtmltopdf.signature.cert;

import ink.rayin.htmladapter.openhtmltopdf.signature.SigUtils;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.Random;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

/* loaded from: input_file:ink/rayin/htmladapter/openhtmltopdf/signature/cert/OcspHelper.class */
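public class OcspHelper {
    private static final Log LOG = LogFactory.getLog(OcspHelper.class);
    /** Nonce source; a CSPRNG so the request nonce cannot be predicted by a replaying party. */
    private static final SecureRandom RANDOM = new SecureRandom();
    /** Size of the request nonce in bytes. */
    private static final int NONCE_LENGTH = 16;

    private final X509Certificate issuerCertificate;
    private final Date signDate;
    private final X509Certificate certificateToCheck;
    private final Set<X509Certificate> additionalCerts;
    private final String ocspUrl;
    private final JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
    /** Nonce sent in the last request, as the extension value the responder has to echo back. */
    private DEROctetString encodedNonce;
    /** Certificate that signed the last verified response; set as a side effect of verification. */
    private X509Certificate ocspResponderCertificate;

    /**
     * SHA-1 digest calculator used to build the OCSP CertID (issuer name / key hashes).
     * SHA-1 is the CertID hash algorithm responders are expected to support (RFC 5019); it
     * is not used here as a signature algorithm.
     */
    public static class SHA1DigestCalculator implements DigestCalculator {
        private final ByteArrayOutputStream bOut;

        private SHA1DigestCalculator() {
            this.bOut = new ByteArrayOutputStream();
        }

        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier() {
            return new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
        }

        @Override
        public OutputStream getOutputStream() {
            return this.bOut;
        }

        /**
         * Digests everything written to the stream so far and resets the buffer.
         *
         * @return the SHA-1 digest, or an empty array if SHA-1 is unavailable in the JVM
         */
        @Override
        public byte[] getDigest() {
            byte[] data = this.bOut.toByteArray();
            this.bOut.reset();
            try {
                return MessageDigest.getInstance("SHA-1").digest(data);
            } catch (NoSuchAlgorithmException e) {
                // Every conforming JVM ships SHA-1; logged rather than thrown to keep the DigestCalculator contract.
                OcspHelper.LOG.error("SHA-1 Algorithm not found", e);
                return new byte[0];
            }
        }
    }

    /**
     * Creates a helper that checks one certificate against one OCSP responder.
     *
     * @param certificateToCheck the certificate whose revocation status is queried
     * @param signDate the signing time; a revocation after this date is logged, not rejected
     * @param issuerCertificate the issuer of {@code certificateToCheck}, needed for the CertID
     * @param additionalCerts extra certificates (e.g. from the signature) that may contain the responder certificate
     * @param ocspUrl the responder URL the request is POSTed to
     */
    public OcspHelper(X509Certificate certificateToCheck, Date signDate, X509Certificate issuerCertificate,
            Set<X509Certificate> additionalCerts, String ocspUrl) {
        this.certificateToCheck = certificateToCheck;
        this.signDate = signDate;
        this.issuerCertificate = issuerCertificate;
        this.additionalCerts = additionalCerts;
        this.ocspUrl = ocspUrl;
    }

    /** @return the certificate whose revocation status this helper checks */
    public X509Certificate getCertificateToCheck() {
        return this.certificateToCheck;
    }

    /**
     * Sends the OCSP request and verifies the response (status, responder certificate,
     * signature, nonce or freshness, single-response count, certificate status).
     *
     * @return the verified response
     * @throws IOException on transport or encoding problems
     * @throws OCSPException if the response is unsuccessful, malformed, unsigned by a known responder, or not GOOD
     * @throws RevokedCertificateException if the certificate was revoked at or before {@code signDate}
     */
    public OCSPResp getResponseOcsp() throws IOException, OCSPException, RevokedCertificateException {
        OCSPResp response = performRequest();
        verifyOcspResponse(response);
        return response;
    }

    /**
     * @return the certificate that signed the last verified response, or {@code null} before
     *         {@link #getResponseOcsp()} succeeded. Chain validation of this certificate is not
     *         done here; it is left to the caller.
     */
    public X509Certificate getOcspResponderCertificate() {
        return this.ocspResponderCertificate;
    }

    /**
     * Verifies a received response end to end; every failed check throws.
     *
     * @throws OCSPException for any verification failure other than revocation
     * @throws RevokedCertificateException if revoked at or before the signing date
     * @throws IOException if certificate material in the response cannot be parsed
     */
    private void verifyOcspResponse(OCSPResp ocspResponse)
            throws OCSPException, RevokedCertificateException, IOException {
        verifyRespStatus(ocspResponse);
        Object responseObject = ocspResponse.getResponseObject();
        // Fail closed: a "successful" status without a basic response carries no signed statement
        // about the certificate, so it must not be treated as a passed check.
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new OCSPException("OCSP: response does not contain a basic OCSP response");
        }
        BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;
        findResponderCertificate(basicResponse);
        try {
            SigUtils.checkResponderCertificateUsage(this.ocspResponderCertificate);
        } catch (CertificateParsingException e) {
            // Usage problems are only logged here; the signature check below is still mandatory.
            LOG.error(e, e);
        }
        checkOcspSignature(this.ocspResponderCertificate, basicResponse);
        boolean nonceMatched = checkNonce(basicResponse);
        SingleResp[] responses = basicResponse.getResponses();
        if (responses.length != 1) {
            throw new OCSPException("OCSP: Received " + responses.length + " responses instead of 1!");
        }
        SingleResp singleResponse = responses[0];
        // A matching nonce already proves the response was produced for this request;
        // without one, the thisUpdate/nextUpdate window is the only replay protection.
        if (!nonceMatched) {
            checkOcspResponseFresh(singleResponse);
        }
        checkCertificateStatus(singleResponse.getCertStatus());
    }

    /**
     * Locates the responder certificate by the ResponderID (name or key hash) and stores it in
     * {@link #ocspResponderCertificate}.
     *
     * @throws OCSPException if the response names no responder or no matching certificate is found
     * @throws IOException if an additional certificate cannot be re-parsed
     */
    private void findResponderCertificate(BasicOCSPResp basicResponse) throws OCSPException, IOException {
        ResponderID responderId = basicResponse.getResponderId().toASN1Primitive();
        X500Name name = responderId.getName();
        if (name != null) {
            findResponderCertificateByName(basicResponse, name);
        } else {
            byte[] keyHash = responderId.getKeyHash();
            if (keyHash == null) {
                throw new OCSPException("OCSP: basic response must provide name or key hash");
            }
            findResponderCertificateByKeyHash(basicResponse, keyHash);
        }
        if (this.ocspResponderCertificate == null) {
            String responder = name != null ? name.toString() : "(identified by key hash)";
            throw new OCSPException("OCSP: certificate for responder " + responder + " not found");
        }
    }

    /**
     * Applies the revocation decision. Revocation at or before the signing date is fatal;
     * a later revocation is logged only, since the signature predates it.
     */
    private void checkCertificateStatus(CertificateStatus status)
            throws OCSPException, RevokedCertificateException {
        if (status instanceof RevokedStatus) {
            Date revocationTime = ((RevokedStatus) status).getRevocationTime();
            if (revocationTime.compareTo(this.signDate) <= 0) {
                throw new RevokedCertificateException(
                        "OCSP: Certificate is revoked since " + revocationTime, revocationTime);
            }
            LOG.info("The certificate was revoked after signing by OCSP " + this.ocspUrl + " on " + revocationTime);
        } else if (status != CertificateStatus.GOOD) {
            // Anything that is neither GOOD nor revoked (e.g. unknown) is rejected.
            throw new OCSPException("OCSP: Status of Cert is unknown");
        }
    }

    /**
     * SHA-1 over the subject public key bits, the form used by a key-hash ResponderID.
     *
     * @return the hash, or an empty array if SHA-1 is unavailable (then nothing will match)
     */
    private byte[] getKeyHashFromCertHolder(X509CertificateHolder certHolder) {
        try {
            return MessageDigest.getInstance("SHA-1")
                    .digest(certHolder.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
        } catch (NoSuchAlgorithmException e) {
            LOG.error("SHA-1 Algorithm not found", e);
            return new byte[0];
        }
    }

    /**
     * Looks for the responder certificate by key hash among the certificates embedded in the
     * response. The additional certificates are consulted only if an embedded match cannot be
     * converted.
     * NOTE(review): that fallback order is what the decompiled control flow shows; confirm
     * against the original source whether the additional certificates should also be searched
     * when no embedded certificate matches.
     *
     * @throws IOException if an additional certificate cannot be re-parsed
     */
    private void findResponderCertificateByKeyHash(BasicOCSPResp basicResponse, byte[] keyHash) throws IOException {
        for (X509CertificateHolder certHolder : basicResponse.getCerts()) {
            if (!Arrays.equals(keyHash, getKeyHashFromCertHolder(certHolder))) {
                continue;
            }
            try {
                this.ocspResponderCertificate = this.certificateConverter.getCertificate(certHolder);
            } catch (CertificateException e) {
                LOG.error(e, e);
                findResponderCertificateByKeyHashInAdditionalCerts(keyHash);
            }
            return;
        }
    }

    /** Searches {@link #additionalCerts} for a certificate whose public key hashes to {@code keyHash}. */
    private void findResponderCertificateByKeyHashInAdditionalCerts(byte[] keyHash) throws IOException {
        for (X509Certificate cert : this.additionalCerts) {
            try {
                byte[] digest = getKeyHashFromCertHolder(new X509CertificateHolder(cert.getEncoded()));
                if (Arrays.equals(keyHash, digest)) {
                    this.ocspResponderCertificate = cert;
                    return;
                }
            } catch (CertificateEncodingException e) {
                // A certificate that cannot be re-encoded is skipped; the others are still checked.
                LOG.error(e, e);
            }
        }
    }

    /**
     * Looks for the responder certificate by subject name, first among the certificates embedded
     * in the response, then among the additional certificates.
     */
    private void findResponderCertificateByName(BasicOCSPResp basicResponse, X500Name responderName) {
        for (X509CertificateHolder certHolder : basicResponse.getCerts()) {
            if (responderName.equals(certHolder.getSubject())) {
                try {
                    this.ocspResponderCertificate = this.certificateConverter.getCertificate(certHolder);
                    return;
                } catch (CertificateException e) {
                    LOG.error(e, e);
                }
            }
        }
        for (X509Certificate cert : this.additionalCerts) {
            if (new X500Name(cert.getSubjectX500Principal().getName()).equals(responderName)) {
                this.ocspResponderCertificate = cert;
                return;
            }
        }
    }

    /**
     * Checks that the current time lies within [thisUpdate, nextUpdate] (RFC 5019 2.2.4).
     * Used only when the response carries no nonce.
     *
     * @throws OCSPException if either field is missing or the response is outside its validity window
     */
    private void checkOcspResponseFresh(SingleResp singleResponse) throws OCSPException {
        Date now = new Date();
        Date thisUpdate = singleResponse.getThisUpdate();
        if (thisUpdate == null) {
            throw new OCSPException("OCSP: thisUpdate field is missing in response (RFC 5019 2.2.4.)");
        }
        Date nextUpdate = singleResponse.getNextUpdate();
        if (nextUpdate == null) {
            throw new OCSPException("OCSP: nextUpdate field is missing in response (RFC 5019 2.2.4.)");
        }
        if (now.compareTo(thisUpdate) < 0) {
            LOG.error(now + " < " + thisUpdate);
            throw new OCSPException("OCSP: current date < thisUpdate field (RFC 5019 2.2.4.)");
        }
        if (now.compareTo(nextUpdate) > 0) {
            LOG.error(now + " > " + nextUpdate);
            throw new OCSPException("OCSP: current date > nextUpdate field (RFC 5019 2.2.4.)");
        }
        LOG.info("OCSP response is fresh");
    }

    /**
     * Verifies the response signature with the public key of the given responder certificate.
     *
     * @throws OCSPException if the signature does not verify or no verifier can be built
     */
    private void checkOcspSignature(X509Certificate responderCert, BasicOCSPResp basicResponse)
            throws OCSPException, IOException {
        try {
            boolean valid = basicResponse.isSignatureValid(new JcaContentVerifierProviderBuilder()
                    .setProvider(SecurityProvider.getProvider())
                    .build(responderCert));
            if (!valid) {
                throw new OCSPException("OCSP-Signature is not valid!");
            }
        } catch (OperatorCreationException e) {
            throw new OCSPException("Error checking Ocsp-Signature", e);
        }
    }

    /**
     * Compares the nonce echoed by the responder with the one sent in the request.
     *
     * @return {@code true} if the response carried a matching nonce, {@code false} if it carried none
     * @throws OCSPException if the response carries a different nonce
     */
    private boolean checkNonce(BasicOCSPResp basicResponse) throws OCSPException {
        Extension nonceExtension = basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonceExtension == null) {
            return false;
        }
        if (!nonceExtension.getExtnValue().equals(this.encodedNonce)) {
            throw new OCSPException("Different nonce found in response!");
        }
        LOG.info("Nonce is good");
        return true;
    }

    /**
     * POSTs the DER-encoded request to {@link #ocspUrl} and parses the response.
     * The transport is not authenticated (OCSP URLs are commonly plain HTTP); the response
     * is trusted only after {@link #verifyOcspResponse(OCSPResp)} checks its signature.
     * NOTE(review): no connect/read timeout is configured, so a stalled responder blocks the caller.
     *
     * @throws IOException if the responder is unreachable or answers with a non-200 status
     */
    private OCSPResp performRequest() throws IOException, OCSPException {
        OCSPReq request = generateOCSPRequest();
        HttpURLConnection connection = (HttpURLConnection) new URL(this.ocspUrl).openConnection();
        try {
            connection.setRequestProperty("Content-Type", "application/ocsp-request");
            connection.setRequestProperty("Accept", "application/ocsp-response");
            connection.setDoOutput(true);
            try (OutputStream out = connection.getOutputStream()) {
                out.write(request.getEncoded());
            }
            int responseCode = connection.getResponseCode();
            if (responseCode != HttpURLConnection.HTTP_OK) {
                throw new IOException("OCSP: Could not access url, ResponseCode: " + responseCode);
            }
            // Read the raw body instead of getContent(): that would pick a content handler based on
            // the server-supplied Content-Type and needed an unchecked cast.
            try (InputStream in = connection.getInputStream()) {
                return new OCSPResp(in);
            }
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Checks the OCSPResponseStatus of the response and logs the reason for a failure.
     *
     * @throws OCSPException if the response is {@code null} or its status is not SUCCESSFUL
     */
    public void verifyRespStatus(OCSPResp ocspResponse) throws OCSPException {
        if (ocspResponse == null) {
            throw new OCSPException("OCSP response unsuccessful, status: (no response)");
        }
        int status = ocspResponse.getStatus();
        if (status == OCSPResp.SUCCESSFUL) {
            return;
        }
        String statusName;
        switch (status) {
            case OCSPResp.MALFORMED_REQUEST:
                statusName = "MALFORMED_REQUEST";
                LOG.error("Your request did not fit the RFC 2560 syntax!");
                break;
            case OCSPResp.INTERNAL_ERROR:
                statusName = "INTERNAL_ERROR";
                LOG.error("An internal error occurred in the OCSP Server!");
                break;
            case OCSPResp.TRY_LATER:
                statusName = "TRY_LATER";
                LOG.error("The server was too busy to answer you!");
                break;
            case OCSPResp.SIG_REQUIRED:
                statusName = "SIG_REQUIRED";
                LOG.error("Your request was not signed!");
                break;
            case OCSPResp.UNAUTHORIZED:
                statusName = "UNAUTHORIZED";
                LOG.error("The server could not authenticate you!");
                break;
            default:
                // Includes value 4, which the RFC leaves unassigned.
                statusName = "UNKNOWN";
                LOG.error("Unknown OCSPResponse status code! " + status);
                break;
        }
        throw new OCSPException("OCSP response unsuccessful, status: " + statusName);
    }

    /**
     * Builds the request for {@link #certificateToCheck}: a SHA-1 CertID plus the
     * acceptable-response-type and nonce extensions. The fresh nonce is remembered in
     * {@link #encodedNonce} for {@link #checkNonce(BasicOCSPResp)}.
     *
     * @throws IOException if the issuer certificate cannot be encoded
     */
    private OCSPReq generateOCSPRequest() throws OCSPException, IOException {
        Security.addProvider(SecurityProvider.getProvider());
        try {
            CertificateID certificateId = new CertificateID(new SHA1DigestCalculator(),
                    new JcaX509CertificateHolder(this.issuerCertificate),
                    this.certificateToCheck.getSerialNumber());
            Extension responseTypeExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_response, false,
                    new DLSequence(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getEncoded());
            // The extension value is an OCTET STRING wrapping the nonce OCTET STRING; keep the
            // outer form so it compares directly with the responder's extnValue.
            this.encodedNonce = new DEROctetString(new DEROctetString(createNonce()));
            Extension nonceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, this.encodedNonce);
            OCSPReqBuilder builder = new OCSPReqBuilder();
            builder.setRequestExtensions(new Extensions(new Extension[] {responseTypeExtension, nonceExtension}));
            builder.addRequest(certificateId);
            return builder.build();
        } catch (CertificateEncodingException e) {
            throw new IOException("Error creating CertificateID with the Certificate encoding", e);
        }
    }

    /** @return {@value #NONCE_LENGTH} fresh random bytes from the CSPRNG */
    private byte[] createNonce() {
        byte[] nonce = new byte[NONCE_LENGTH];
        RANDOM.nextBytes(nonce);
        return nonce;
    }
}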
