package org.keycloak.common.util;

import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.http.client.methods.HttpPost;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

/* loaded from: input_file:WEB-INF/lib/keycloak-common.jar:org/keycloak/common/util/OCSPUtils.class */
public final class OCSPUtils {
    private static final Logger logger;
    private static int OCSP_CONNECT_TIMEOUT;
    private static final int TIME_SKEW = 900000;

    /* loaded from: input_file:WEB-INF/lib/keycloak-common.jar:org/keycloak/common/util/OCSPUtils$OCSPRevocationStatus.class */
    public interface OCSPRevocationStatus {
        RevocationStatus getRevocationStatus();

        Date getRevocationTime();

        CRLReason getRevocationReason();
    }

    /* loaded from: input_file:WEB-INF/lib/keycloak-common.jar:org/keycloak/common/util/OCSPUtils$RevocationStatus.class */
    public enum RevocationStatus {
        GOOD,
        REVOKED,
        UNKNOWN
    }

    public static OCSPRevocationStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2, URI uri, X509Certificate x509Certificate3, Date date) throws CertPathValidatorException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert cannot be null");
        }
        if (x509Certificate2 == null) {
            throw new IllegalArgumentException("issuerCertificate cannot be null");
        }
        if (uri == null) {
            throw new IllegalArgumentException("responderURI cannot be null");
        }
        return check(x509Certificate, x509Certificate2, (List<URI>) Collections.singletonList(uri), x509Certificate3, date);
    }

    public static OCSPRevocationStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date, X509Certificate x509Certificate3) throws CertPathValidatorException {
        try {
            List<String> responderURIs = getResponderURIs(x509Certificate);
            if (responderURIs.size() == 0) {
                logger.log(Level.INFO, "No OCSP responders in the specified certificate");
                throw new CertPathValidatorException("No OCSP Responder URI in certificate");
            }
            LinkedList linkedList = new LinkedList();
            for (String str : responderURIs) {
                try {
                    linkedList.add(URI.create(str));
                } catch (IllegalArgumentException e) {
                    logger.log(Level.FINE, "Malformed responder URI {0}", str);
                }
            }
            return check(x509Certificate, x509Certificate2, (List<URI>) Collections.unmodifiableList(linkedList), x509Certificate3, date);
        } catch (CertificateEncodingException e2) {
            logger.log(Level.FINE, "CertificateEncodingException: {0}", e2.getMessage());
            throw new CertPathValidatorException(e2.getMessage(), e2);
        }
    }

    public static OCSPRevocationStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertPathValidatorException {
        return check(x509Certificate, x509Certificate2, null, null);
    }

    private static OCSPResp getResponse(OCSPReq oCSPReq, URI uri) throws IOException {
        DataOutputStream dataOutputStream = null;
        InputStream inputStream = null;
        try {
            byte[] encoded = oCSPReq.getEncoded();
            HttpURLConnection httpURLConnection = (HttpURLConnection) uri.toURL().openConnection();
            httpURLConnection.setRequestMethod(HttpPost.METHOD_NAME);
            httpURLConnection.setConnectTimeout(OCSP_CONNECT_TIMEOUT);
            httpURLConnection.setReadTimeout(OCSP_CONNECT_TIMEOUT);
            httpURLConnection.setRequestProperty("Content-type", "application/ocsp-request");
            httpURLConnection.setRequestProperty("Content-length", String.valueOf(encoded.length));
            httpURLConnection.setDoOutput(true);
            httpURLConnection.setDoInput(true);
            DataOutputStream dataOutputStream2 = new DataOutputStream(new BufferedOutputStream(httpURLConnection.getOutputStream()));
            dataOutputStream2.write(encoded);
            dataOutputStream2.flush();
            if (httpURLConnection.getResponseCode() / 100 != 2) {
                throw new IOException(String.format("Connection error, unable to obtain certificate revocation status using OCSP responder \"%s\", code \"%d\"", uri.toString(), Integer.valueOf(httpURLConnection.getResponseCode())));
            }
            InputStream inputStream2 = httpURLConnection.getInputStream();
            if (httpURLConnection.getContentLength() == -1) {
            }
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byte[] bArr = new byte[2048];
            while (true) {
                int read = inputStream2.read(bArr, 0, bArr.length);
                if (read < 0) {
                    break;
                }
                byteArrayOutputStream.write(bArr, 0, read);
            }
            byteArrayOutputStream.flush();
            OCSPResp oCSPResp = new OCSPResp(byteArrayOutputStream.toByteArray());
            if (dataOutputStream2 != null) {
                dataOutputStream2.close();
            }
            if (inputStream2 != null) {
                inputStream2.close();
            }
            return oCSPResp;
        } catch (Throwable th) {
            if (0 != 0) {
                dataOutputStream.close();
            }
            if (0 != 0) {
                inputStream.close();
            }
            throw th;
        }
    }

    private static OCSPRevocationStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2, List<URI> list, X509Certificate x509Certificate3, Date date) throws CertPathValidatorException {
        if (list == null || list.size() == 0) {
            throw new IllegalArgumentException("Need at least one responder");
        }
        try {
            JcaCertificateID jcaCertificateID = new JcaCertificateID(new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)), x509Certificate2, x509Certificate.getSerialNumber());
            BigInteger valueOf = BigInteger.valueOf(Math.abs(SecureRandom.getInstance("SHA1PRNG").nextInt()));
            OCSPReq build = new OCSPReqBuilder().addRequest(jcaCertificateID, new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, (ASN1OctetString) new DEROctetString(valueOf.toByteArray())))).build();
            URI uri = list.get(0);
            logger.log(Level.INFO, "OCSP Responder {0}", uri);
            try {
                OCSPResp response = getResponse(build, uri);
                logger.log(Level.FINE, "Received a response from OCSP responder {0}, the response status is {1}", new Object[]{uri, Integer.valueOf(response.getStatus())});
                switch (response.getStatus()) {
                    case 0:
                        if (response.getResponseObject() instanceof BasicOCSPResp) {
                            return processBasicOCSPResponse(x509Certificate2, x509Certificate3, date, jcaCertificateID, valueOf, (BasicOCSPResp) response.getResponseObject());
                        }
                        throw new CertPathValidatorException("OCSP responder returned an invalid or unknown OCSP response.");
                    case 1:
                    case 4:
                    default:
                        throw new CertPathValidatorException("OCSP request is malformed. OCSP response error: " + response.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
                    case 2:
                    case 3:
                        throw new CertPathValidatorException("Internal error/try later. OCSP response error: " + response.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                    case 5:
                        throw new CertPathValidatorException("Invalid or missing signature. OCSP response error: " + response.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.INVALID_SIGNATURE);
                    case 6:
                        throw new CertPathValidatorException("Unauthorized request. OCSP response error: " + response.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
                }
            } catch (IOException e) {
                logger.log(Level.FINE, "OCSP Responder \"{0}\" failed to return a valid OCSP response\n{1}", new Object[]{uri, e.getMessage()});
                throw new CertPathValidatorException("OCSP check failed", e);
            }
        } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateEncodingException | CertificateExpiredException | CertificateNotYetValidException | OCSPException | OperatorCreationException e2) {
            logger.log(Level.FINE, e2.getMessage());
            throw new CertPathValidatorException(e2.getMessage(), e2);
        }
    }

    private static OCSPRevocationStatus processBasicOCSPResponse(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date, JcaCertificateID jcaCertificateID, BigInteger bigInteger, BasicOCSPResp basicOCSPResp) throws OCSPException, NoSuchProviderException, NoSuchAlgorithmException, CertificateNotYetValidException, CertificateExpiredException, CertPathValidatorException {
        SingleResp singleResp = null;
        SingleResp[] responses = basicOCSPResp.getResponses();
        int length = responses.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            SingleResp singleResp2 = responses[i];
            if (compareCertIDs(jcaCertificateID, singleResp2.getCertID())) {
                singleResp = singleResp2;
                break;
            }
            i++;
        }
        if (singleResp == null) {
            throw new CertPathValidatorException("OCSP response does not include a response for a certificate supplied in the OCSP request");
        }
        verifyResponse(basicOCSPResp, x509Certificate, x509Certificate2, bigInteger.toByteArray(), date);
        return singleResponseToRevocationStatus(singleResp);
    }

    private static boolean compareCertIDs(JcaCertificateID jcaCertificateID, CertificateID certificateID) {
        if (jcaCertificateID == certificateID) {
            return true;
        }
        return jcaCertificateID != null && certificateID != null && Arrays.equals(jcaCertificateID.getIssuerKeyHash(), certificateID.getIssuerKeyHash()) && Arrays.equals(jcaCertificateID.getIssuerNameHash(), certificateID.getIssuerNameHash()) && jcaCertificateID.getSerialNumber().equals(certificateID.getSerialNumber());
    }

    private static void verifyResponse(BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, byte[] bArr, Date date) throws NoSuchProviderException, NoSuchAlgorithmException, CertificateNotYetValidException, CertificateExpiredException, CertPathValidatorException {
        List<String> extendedKeyUsage;
        X509Certificate certificate;
        SubjectKeyIdentifier fromExtensions;
        X509Certificate certificate2;
        ArrayList arrayList = new ArrayList(Arrays.asList(basicOCSPResp.getCerts()));
        X509Certificate x509Certificate3 = null;
        try {
            arrayList.add(new JcaX509CertificateHolder(x509Certificate));
            if (x509Certificate2 != null) {
                arrayList.add(new JcaX509CertificateHolder(x509Certificate2));
            }
        } catch (CertificateEncodingException e) {
            e.printStackTrace();
        }
        if (arrayList.size() > 0) {
            X500Name name = basicOCSPResp.getResponderId().toASN1Primitive().getName();
            byte[] keyHash = basicOCSPResp.getResponderId().toASN1Primitive().getKeyHash();
            if (name != null) {
                logger.log(Level.INFO, "Responder Name: {0}", name.toString());
                Iterator it2 = arrayList.iterator();
                while (it2.hasNext()) {
                    try {
                        certificate2 = new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate((X509CertificateHolder) it2.next());
                    } catch (CertificateException e2) {
                        logger.log(Level.FINE, e2.getMessage());
                    }
                    if (name.equals(new X500Name(certificate2.getSubjectX500Principal().getName()))) {
                        x509Certificate3 = certificate2;
                        logger.log(Level.INFO, "Found a certificate whose principal \"{0}\" matches the responder name \"{1}\"", new Object[]{certificate2.getSubjectDN().getName(), name.toString()});
                        break;
                    }
                    continue;
                }
            } else if (keyHash != null) {
                SubjectKeyIdentifier subjectKeyIdentifier = new SubjectKeyIdentifier(keyHash);
                logger.log(Level.INFO, "Responder Key: {0}", Arrays.toString(keyHash));
                Iterator it3 = arrayList.iterator();
                while (true) {
                    if (!it3.hasNext()) {
                        break;
                    }
                    X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) it3.next();
                    try {
                        certificate = new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(x509CertificateHolder);
                        fromExtensions = x509CertificateHolder.getExtensions() != null ? SubjectKeyIdentifier.fromExtensions(x509CertificateHolder.getExtensions()) : null;
                        if (fromExtensions != null) {
                            logger.log(Level.INFO, "Certificate: {0}\nSubject Key Id: {1}", new Object[]{certificate.getSubjectDN().getName(), Arrays.toString(fromExtensions.getKeyIdentifier())});
                        }
                    } catch (CertificateException e3) {
                        logger.log(Level.FINE, e3.getMessage());
                    }
                    if (fromExtensions == null || !subjectKeyIdentifier.equals(fromExtensions)) {
                        if (subjectKeyIdentifier.equals(new JcaX509ExtensionUtils().createSubjectKeyIdentifier(certificate.getPublicKey()))) {
                            x509Certificate3 = certificate;
                            logger.log(Level.INFO, "Found a certificate \"{0}\" with the subject key matching the OCSP responder key", x509Certificate3.getSubjectDN().getName());
                            break;
                        }
                    } else {
                        x509Certificate3 = certificate;
                        logger.log(Level.INFO, "Found a signer certificate \"{0}\" with the subject key extension value matching the responder key", x509Certificate3.getSubjectDN().getName());
                        break;
                    }
                }
            }
        }
        if (x509Certificate3 != null) {
            if (x509Certificate3.equals(x509Certificate)) {
                logger.log(Level.INFO, "OCSP response is signed by the target's Issuing CA");
            } else if (x509Certificate2 != null && x509Certificate3.equals(x509Certificate2)) {
                logger.log(Level.INFO, "OCSP response is signed by an authorized responder certificate");
            } else {
                if (!x509Certificate3.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal())) {
                    logger.log(Level.INFO, "Signer certificate's Issuer: {0}\nIssuer certificate's Subject: {1}", new Object[]{x509Certificate3.getIssuerX500Principal().getName(), x509Certificate.getSubjectX500Principal().getName()});
                    throw new CertPathValidatorException("Responder's certificate is not authorized to sign OCSP responses");
                }
                try {
                    extendedKeyUsage = x509Certificate3.getExtendedKeyUsage();
                } catch (CertificateParsingException e4) {
                    logger.log(Level.FINE, "Failed to get certificate's extended key usage extension\n{0}", e4.getMessage());
                }
                if (extendedKeyUsage != null && !extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
                    logger.log(Level.INFO, "OCSPSigning extended usage is not set");
                    throw new CertPathValidatorException("Responder's certificate not valid for signing OCSP responses");
                }
                if (date == null) {
                    x509Certificate3.checkValidity();
                } else {
                    x509Certificate3.checkValidity(date);
                }
                try {
                    logger.log(Level.INFO, "OCSP no-check extension is {0} present", new JcaX509CertificateHolder(x509Certificate3).getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck) == null ? "not" : "");
                } catch (CertificateEncodingException e5) {
                    logger.log(Level.FINE, "Certificate encoding exception: {0}", e5.getMessage());
                }
                try {
                    x509Certificate3.verify(x509Certificate.getPublicKey());
                    logger.log(Level.INFO, "OCSP response is signed by an Authorized Responder");
                } catch (GeneralSecurityException e6) {
                    x509Certificate3 = null;
                }
            }
        }
        if (x509Certificate3 == null) {
            throw new CertPathValidatorException("Unable to verify OCSP Response's signature");
        }
        if (!verifySignature(basicOCSPResp, x509Certificate3)) {
            throw new CertPathValidatorException("Error verifying OCSP Response's signature");
        }
        Extension extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (extension != null && bArr != null && !Arrays.equals(bArr, extension.getExtnValue().getOctets())) {
            throw new CertPathValidatorException("Nonces do not match.");
        }
        long currentTimeMillis = date == null ? System.currentTimeMillis() : date.getTime();
        Date date2 = new Date(currentTimeMillis + 900000);
        Date date3 = new Date(currentTimeMillis - 900000);
        for (SingleResp singleResp : Arrays.asList(basicOCSPResp.getResponses())) {
            if (!date2.before(singleResp.getThisUpdate())) {
                if (date3.after(singleResp.getNextUpdate() != null ? singleResp.getNextUpdate() : singleResp.getThisUpdate())) {
                }
            }
            throw new CertPathValidatorException("Response is unreliable: its validity interval is out-of-date");
        }
    }

    private static boolean verifySignature(BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate) {
        try {
            return basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build(x509Certificate.getPublicKey()));
        } catch (OCSPException e) {
            logger.log(Level.FINE, "Unable to validate OCSP response signature\n{0}", e.getMessage());
            return false;
        } catch (OperatorCreationException e2) {
            logger.log(Level.FINE, "Unable to construct OCSP content signature verifier\n{0}", e2.getMessage());
            return false;
        }
    }

    private static OCSPRevocationStatus unknownStatus() {
        return new OCSPRevocationStatus() { // from class: org.keycloak.common.util.OCSPUtils.1
            @Override // org.keycloak.common.util.OCSPUtils.OCSPRevocationStatus
            public RevocationStatus getRevocationStatus() {
                return RevocationStatus.UNKNOWN;
            }

            @Override // org.keycloak.common.util.OCSPUtils.OCSPRevocationStatus
            public Date getRevocationTime() {
                return new Date(System.currentTimeMillis());
            }

            @Override // org.keycloak.common.util.OCSPUtils.OCSPRevocationStatus
            public CRLReason getRevocationReason() {
                return CRLReason.lookup(0);
            }
        };
    }

    private static OCSPRevocationStatus singleResponseToRevocationStatus(SingleResp singleResp) throws CertPathValidatorException {
        RevocationStatus revocationStatus;
        CertificateStatus certStatus = singleResp.getCertStatus();
        int i = 0;
        Date date = null;
        RevocationStatus revocationStatus2 = RevocationStatus.UNKNOWN;
        if (certStatus == CertificateStatus.GOOD) {
            revocationStatus = RevocationStatus.GOOD;
        } else if (certStatus instanceof RevokedStatus) {
            RevokedStatus revokedStatus = (RevokedStatus) certStatus;
            date = revokedStatus.getRevocationTime();
            revocationStatus = RevocationStatus.REVOKED;
            if (revokedStatus.hasRevocationReason()) {
                i = revokedStatus.getRevocationReason();
            }
        } else {
            if (!(certStatus instanceof UnknownStatus)) {
                throw new CertPathValidatorException("Unrecognized revocation status received from OCSP.");
            }
            revocationStatus = RevocationStatus.UNKNOWN;
        }
        final RevocationStatus revocationStatus3 = revocationStatus;
        final Date date2 = date;
        final int i2 = i;
        return new OCSPRevocationStatus() { // from class: org.keycloak.common.util.OCSPUtils.2
            @Override // org.keycloak.common.util.OCSPUtils.OCSPRevocationStatus
            public RevocationStatus getRevocationStatus() {
                return RevocationStatus.this;
            }

            @Override // org.keycloak.common.util.OCSPUtils.OCSPRevocationStatus
            public Date getRevocationTime() {
                return date2;
            }

            @Override // org.keycloak.common.util.OCSPUtils.OCSPRevocationStatus
            public CRLReason getRevocationReason() {
                return CRLReason.lookup(i2);
            }
        };
    }

    private static List<String> getResponderURIs(X509Certificate x509Certificate) throws CertificateEncodingException {
        LinkedList linkedList = new LinkedList();
        Extension extension = new JcaX509CertificateHolder(x509Certificate).getExtension(Extension.authorityInfoAccess);
        if (extension != null) {
            try {
                for (AccessDescription accessDescription : AuthorityInformationAccess.getInstance((ASN1Sequence) new ASN1InputStream(extension.getExtnValue().getOctetStream()).readObject()).getAccessDescriptions()) {
                    if (accessDescription.getAccessMethod().equals(AccessDescription.id_ad_ocsp) && accessDescription.getAccessLocation().getTagNo() == 6) {
                        linkedList.add(DERIA5String.getInstance(accessDescription.getAccessLocation().getName()).getString());
                    }
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        return linkedList;
    }

    static {
        BouncyIntegration.init();
        logger = Logger.getLogger("" + OCSPUtils.class);
        OCSP_CONNECT_TIMEOUT = 10000;
    }
}
