package com.oracle.jipher.pki.ocsp;

import com.oracle.jipher.pki.internal.AlgIdException;
import com.oracle.jipher.pki.internal.AlgorithmId;
import com.oracle.jipher.pki.internal.Debug;
import com.oracle.jipher.pki.internal.Oids;
import com.oracle.jipher.pki.internal.RandBytes;
import com.oracle.jipher.pki.x509.AuthInfoAccess;
import com.oracle.jipher.pki.x509.GeneralName;
import com.oracle.jipher.tools.asn1.Asn1;
import com.oracle.jipher.tools.asn1.Asn1BerValue;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/* loaded from: input_file:com/oracle/jipher/pki/ocsp/OcspRequest.class */
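/**
 * A DER-encoded OCSP request for the revocation status of one certificate.
 *
 * <p>Instances are created only through {@link Builder}. The object keeps the
 * encoded request, the target and issuer certificates it was built for, and
 * the nonce that was placed in the request (if any). Byte arrays are copied
 * on the way out, so callers cannot alter the stored encoding or nonce.
 */
public class OcspRequest {
    /** OID of the OCSP nonce request extension (id-pkix-ocsp-nonce). */
    static final String NONCE_OID = "1.3.6.1.5.5.7.48.1.2";
    /** OID of the OCSP service locator single-request extension. */
    private static final String SERVICE_LOCATOR_OID = "1.3.6.1.5.5.7.48.1.7";
    private byte[] der;
    private byte[] nonce;
    private X509Certificate targetCert;
    private X509Certificate issuer;
    private Debug debug;

    /**
     * Fluent builder that assembles, optionally signs, and encodes an
     * {@link OcspRequest}.
     *
     * <p>Security-relevant defaults visible in this class: the nonce is
     * disabled unless {@link #nonceEnabled(boolean)} is called with
     * {@code true}, the request is unsigned unless {@link #signInfo} is
     * called, and the CertID hash algorithm is {@code "SHA-1"} unless
     * {@link #hashAlg(String)} overrides it.
     */
    public static class Builder {
        /** Number of nonce bytes requested from {@code RandBytes.generate}. */
        private static final int DEFAULT_NONCE_LEN = 16;
        // The hash is handed to CertId.create to build the certificate
        // identifier; it is not the digest used for the request signature.
        private static final String DEFAULT_HASH_ALG = "SHA-1";
        private X509Certificate targetCert;
        private X509Certificate issuerCert;
        private boolean nonceEnabled;
        private boolean serviceLocatorEnabled;
        private String signAlg;
        private PrivateKey signKey;
        private List<X509Certificate> signCerts;
        private GeneralName requestor;
        private String hashAlg = DEFAULT_HASH_ALG;
        private Debug debug = Debug.getInstance("OCSP");

        /**
         * Starts a request for one certificate.
         *
         * <p>Neither argument is validated here; a {@code null} only surfaces
         * when {@link #build()} runs.
         *
         * @param x509Certificate the certificate whose status is requested
         * @param x509Certificate2 the certificate of the issuer of {@code x509Certificate}
         */
        public Builder(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
            this.targetCert = x509Certificate;
            this.issuerCert = x509Certificate2;
        }

        /**
         * Sets the hash algorithm name used for the CertID.
         *
         * @param str algorithm name passed to {@code AlgorithmId.newInstance} at build time
         * @return this builder
         */
        public Builder hashAlg(String str) {
            this.hashAlg = str;
            return this;
        }

        /**
         * Enables or disables the nonce extension.
         *
         * @param z {@code true} to include a freshly generated nonce in the request
         * @return this builder
         */
        public Builder nonceEnabled(boolean z) {
            this.nonceEnabled = z;
            return this;
        }

        /**
         * Configures signing of the request.
         *
         * <p>A caller-supplied algorithm name is used as given: nothing in
         * this class checks it against the key type or rejects algorithms
         * built on weak digests, so that policy belongs to the caller.
         *
         * @param str signature algorithm name, or {@code null} to derive a
         *     SHA-256 based default from the key algorithm (EC, RSA or DSA)
         * @param privateKey key used to sign; must not be {@code null}
         * @param x509CertificateArr certificates to embed next to the signature; may be
         *     {@code null} or empty
         * @return this builder
         * @throws IllegalArgumentException if {@code privateKey} is {@code null}, or if
         *     {@code str} is {@code null} and the key algorithm has no default
         */
        public Builder signInfo(String str, PrivateKey privateKey, X509Certificate... x509CertificateArr) {
            if (privateKey == null) {
                throw new IllegalArgumentException("Signing PrivateKey must be specified.");
            }
            this.signAlg = str == null ? defaultSignAlg(privateKey.getAlgorithm()) : str;
            this.signKey = privateKey;
            if (x509CertificateArr == null) {
                this.signCerts = null;
            } else {
                // Snapshot the array: Arrays.asList alone is a view, so a caller
                // that later rewrites its array would silently change which
                // certificates end up in the signed request.
                this.signCerts = new ArrayList<>(Arrays.asList(x509CertificateArr));
            }
            return this;
        }

        /**
         * Enables or disables the service locator extension.
         *
         * @param z {@code true} to add the extension when the target certificate carries AIA
         * @return this builder
         */
        public Builder serviceLocatorEnabled(boolean z) {
            this.serviceLocatorEnabled = z;
            return this;
        }

        /**
         * Sets the requestor name placed in the request.
         *
         * @param generalName the requestor name, or {@code null} for none
         * @return this builder
         */
        public Builder requestor(GeneralName generalName) {
            this.requestor = generalName;
            return this;
        }

        /**
         * Encodes the request, generating a nonce and a signature when configured.
         *
         * <p>Each call draws a new nonce, so two requests from the same builder
         * differ when the nonce is enabled.
         *
         * @return the encoded request together with the nonce that was used
         * @throws NoSuchAlgorithmException if the hash or signature algorithm is not
         *     available, including an {@code AlgIdException} from algorithm-id lookup
         * @throws SignatureException if signing fails
         * @throws CertificateEncodingException if a signing certificate cannot be encoded
         * @throws InvalidKeyException if the signing key is rejected by the algorithm
         */
        public OcspRequest build() throws NoSuchAlgorithmException, SignatureException, CertificateEncodingException, InvalidKeyException {
            try {
                // NOTE(review): RandBytes is presumably backed by a CSPRNG; confirm,
                // since the nonce is what ties a response to this request.
                byte[] freshNonce = this.nonceEnabled ? RandBytes.generate(DEFAULT_NONCE_LEN) : null;
                Asn1BerValue request = buildAsn1BerValue(freshNonce);
                OcspRequest result = new OcspRequest();
                result.der = request.encodeDerOctets();
                result.targetCert = this.targetCert;
                result.issuer = this.issuerCert;
                result.nonce = freshNonce;
                return result;
            } catch (AlgIdException e) {
                // Keep the cause so the failing algorithm id stays diagnosable.
                throw new NoSuchAlgorithmException(e);
            }
        }

        /**
         * Picks the default signature algorithm for a key algorithm name.
         *
         * @param keyAlg value of {@code PrivateKey.getAlgorithm()}
         * @return the SHA-256 based signature algorithm name
         * @throws IllegalArgumentException for any key algorithm other than EC, RSA or DSA
         */
        private String defaultSignAlg(String keyAlg) {
            if ("EC".equalsIgnoreCase(keyAlg)) {
                return "SHA256withECDSA";
            }
            if ("RSA".equalsIgnoreCase(keyAlg)) {
                return "SHA256withRSA";
            }
            if ("DSA".equalsIgnoreCase(keyAlg)) {
                // NOTE(review): capital "With" differs from the two names above;
                // left as is because AlgorithmId.newInstance may key on this spelling.
                return "SHA256WithDSA";
            }
            throw new IllegalArgumentException("Unsupported PrivateKey for signing.");
        }

        /**
         * Builds the outer request: the to-be-signed part, followed by the
         * signature under explicit tag 0 when a signing key is configured.
         */
        private Asn1BerValue buildAsn1BerValue(byte[] nonceBytes) throws AlgIdException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, InvalidKeyException {
            // Optional parts are passed as null; presumably Asn1.newSequence skips them.
            Asn1BerValue tbsRequest = Asn1.newSequence(getRequestor(), getRequestList(), getRequestExtensions(nonceBytes));
            Asn1BerValue signature = getSignature(tbsRequest);
            if (signature == null) {
                return Asn1.newSequence(tbsRequest);
            }
            return Asn1.newSequence(tbsRequest, Asn1.newExplicitTag(0, signature));
        }

        /** Returns the request list, which holds exactly one single request. */
        private Asn1BerValue getRequestList() throws AlgIdException, NoSuchAlgorithmException {
            return Asn1.newSequence(getRequest(this.targetCert, this.issuerCert));
        }

        /** Returns the requestor name under explicit tag 1, or {@code null} when unset. */
        private Asn1BerValue getRequestor() {
            if (this.requestor == null) {
                return null;
            }
            return Asn1.newExplicitTag(1, Asn1.decodeOne(this.requestor.getEncoded()));
        }

        /**
         * Returns the request extensions under explicit tag 2, or {@code null}
         * when no nonce is supplied. The nonce is the only request extension.
         */
        private Asn1BerValue getRequestExtensions(byte[] nonceBytes) {
            if (nonceBytes == null) {
                return null;
            }
            // The extension value is an OCTET STRING wrapping the DER of an
            // OCTET STRING that holds the raw nonce bytes.
            byte[] innerNonce = Asn1.newOctetString(nonceBytes).encodeDerOctets();
            return Asn1.explicit(2).newSequence(Asn1.newSequence(Asn1.newOid(OcspRequest.NONCE_OID), Asn1.newOctetString(innerNonce)));
        }

        /** Builds the single request: the CertID plus optional per-request extensions. */
        private Asn1BerValue getRequest(X509Certificate target, X509Certificate issuerOfTarget) throws AlgIdException, NoSuchAlgorithmException {
            CertId certId = CertId.create(AlgorithmId.newInstance(this.hashAlg), target, issuerOfTarget);
            this.debug.println(() -> "Request for cert [" + target.getSubjectX500Principal() + "] (id=" + certId + ")");
            return Asn1.newSequence(certId.toAsn1BerValue(), getSingleRequestExtensions(target));
        }

        /**
         * Returns the service locator extension under explicit tag 0, or
         * {@code null} when the option is off or the certificate has no AIA
         * extension.
         */
        private Asn1BerValue getSingleRequestExtensions(X509Certificate target) {
            if (!this.serviceLocatorEnabled) {
                return null;
            }
            byte[] aiaExtension = target.getExtensionValue(Oids.EXTN_AIA);
            if (aiaExtension == null) {
                this.debug.println("No ServiceLocator extension added to request (AIA not present in cert)");
                return null;
            }
            // Service locator = issuer name followed by the AIA content, which is
            // unwrapped from the OCTET STRING returned by getExtensionValue.
            Asn1BerValue locator = Asn1.newSequence(Asn1.decodeOne(target.getIssuerX500Principal().getEncoded()), Asn1.decodeOne(Asn1.decodeOne(aiaExtension).getOctetString()));
            this.debug.println(() -> "Adding ServiceLocator extension: " + AuthInfoAccess.decode(target));
            return Asn1.explicit(0).newSequence(Asn1.newSequence(Asn1.newOid(OcspRequest.SERVICE_LOCATOR_OID), Asn1.newOctetString(locator.encodeDerOctets())));
        }

        /**
         * Signs the DER encoding of the to-be-signed request and returns the
         * signature structure: algorithm id, signature bits, and the signing
         * certificates under explicit tag 0 when any were supplied.
         *
         * @return the signature structure, or {@code null} when no signing key is set
         */
        // Raw lists are kept on purpose: the element types accepted by
        // Asn1.newSequence(List) are declared outside this file.
        @SuppressWarnings({"rawtypes", "unchecked"})
        private Asn1BerValue getSignature(Asn1BerValue tbsRequest) throws AlgIdException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, CertificateEncodingException {
            if (this.signKey == null) {
                this.debug.println("Sign request = false.");
                return null;
            }
            // NOTE(review): RFC 6960 expects a signed request to carry a requestor
            // name; this builder signs even when requestor(...) was never called.
            byte[] signatureBytes = sign(tbsRequest.encodeDerOctets());
            AlgorithmId signAlgId = AlgorithmId.newInstance(this.signAlg);
            this.debug.println(() -> "Sign request = true (alg=" + this.signAlg + ")");
            ArrayList parts = new ArrayList();
            parts.add(signAlgId.toAsn1Value());
            parts.add(Asn1.newBitString(signatureBytes));
            if (this.signCerts != null && !this.signCerts.isEmpty()) {
                ArrayList encodedCerts = new ArrayList();
                for (X509Certificate cert : this.signCerts) {
                    encodedCerts.add(Asn1.decodeOne(cert.getEncoded()));
                    this.debug.println(() -> "Including sign cert [" + cert.getSubjectX500Principal() + "]");
                }
                parts.add(Asn1.explicit(0).newSequence(encodedCerts));
            }
            return Asn1.newSequence(parts);
        }

        /** Signs {@code data} with the configured key and signature algorithm. */
        private byte[] sign(byte[] data) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
            Signature signer = Signature.getInstance(this.signAlg);
            signer.initSign(this.signKey);
            signer.update(data);
            return signer.sign();
        }
    }

    /** Instances are created by {@link Builder#build()} only. */
    private OcspRequest() {
        this.debug = Debug.getInstance("ocsp");
    }

    /** Returns the certificate whose status this request asks for. */
    public X509Certificate getTarget() {
        return this.targetCert;
    }

    /** Returns the issuer certificate the request was built with. */
    public X509Certificate getIssuer() {
        return this.issuer;
    }

    /** Returns a copy of the DER encoding of the request. */
    public byte[] getEncoded() {
        return Arrays.copyOf(this.der, this.der.length);
    }

    /**
     * Returns a copy of the nonce placed in the request.
     *
     * <p>This class does not compare the nonce with any response; code that
     * validates the response has to do that to detect a replayed answer.
     *
     * @return the nonce bytes, or {@code null} when the request carries no nonce
     */
    public byte[] getNonce() {
        return this.nonce == null ? null : this.nonce.clone();
    }
}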
