package com.oracle.jipher.pki.ocsp;

import com.oracle.jipher.pki.internal.AlgIdException;
import com.oracle.jipher.pki.internal.AlgorithmId;
import com.oracle.jipher.pki.internal.Debug;
import com.oracle.jipher.pki.internal.ExtensionHelper;
import com.oracle.jipher.pki.internal.Util;
import com.oracle.jipher.tools.asn1.Asn1;
import com.oracle.jipher.tools.asn1.Asn1BerValue;
import com.oracle.jipher.tools.asn1.Asn1Exception;
import com.oracle.jipher.tools.asn1.UniversalTag;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/oracle/jipher/pki/ocsp/OcspClient.class */
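/**
 * Sends OCSP requests over HTTP and parses/verifies the returned OCSP response.
 *
 * <p>Only the {@code id-pkix-ocsp-basic} response type is accepted. The signature over
 * {@code tbsResponseData} is verified against the configured responder certificate, or,
 * when none was configured, against the first certificate carried in the response itself.
 * That embedded certificate is not validated by this class (no chain building, no
 * id-kp-OCSPSigning check), so a caller relying on the no-responder-cert mode must
 * establish its trustworthiness separately.
 *
 * <p>Instances are not thread-safe in any documented sense; the flags are read-only after
 * construction but {@link Debug} behaviour is outside this class.
 */
public class OcspClient {
    /** OID of id-pkix-ocsp-basic, the only responseType this client decodes. */
    private static final String OID_BASIC_RESPONSE = "1.3.6.1.5.5.7.48.1.1";
    /** OID of the id-pkix-ocsp-nonce response extension. */
    private static final String OID_NONCE = "1.3.6.1.5.5.7.48.1.2";
    /** The only HTTP status accepted from the responder. */
    private static final int HTTP_OK = 200;

    /** Certificate used to verify response signatures; may be null (see {@link #checkSignature}). */
    private X509Certificate responderCert;
    /** When true, a nonce mismatch or missing nonce is logged instead of rejected. */
    private boolean allowNonceIgnore;
    /** When true, unsupported critical response extensions are logged instead of rejected. */
    private boolean allowUnsupportedCritical;
    private Debug debug;

    /* loaded from: input_file:com/oracle/jipher/pki/ocsp/OcspClient$Flag.class */
    /** Behavioural relaxations that can be enabled at construction time. */
    public enum Flag {
        /** Do not fail when the response nonce is absent or differs from the request nonce. */
        IGNORE_NONCE,
        /** Do not fail when the response carries critical extensions this client does not understand. */
        IGNORE_UNSUPPORTED_CRITICAL_EXT
    }

    /** Creates a client with strict checking and no configured responder certificate. */
    public OcspClient() {
        this(new Flag[0]);
    }

    /**
     * Creates a client with no configured responder certificate.
     *
     * @param flagArr relaxations to enable; null or empty means strict checking
     */
    public OcspClient(Flag... flagArr) {
        this.debug = Debug.getInstance("ocsp");
        if (flagArr == null) {
            return;
        }
        for (Flag flag : flagArr) {
            if (flag == Flag.IGNORE_NONCE) {
                this.allowNonceIgnore = true;
            } else if (flag == Flag.IGNORE_UNSUPPORTED_CRITICAL_EXT) {
                this.allowUnsupportedCritical = true;
            }
        }
    }

    /**
     * Creates a client that verifies every response against {@code x509Certificate}.
     *
     * @param x509Certificate responder certificate used for signature verification
     * @param flagArr relaxations to enable; null or empty means strict checking
     */
    public OcspClient(X509Certificate x509Certificate, Flag... flagArr) {
        this(flagArr);
        this.responderCert = x509Certificate;
    }

    /**
     * POSTs {@code ocspRequest} to the responder behind {@code httpURLConnection} and processes the reply.
     *
     * @param httpURLConnection connection to the responder; this method sets method, content type and doOutput
     * @param ocspRequest request to send; its nonce (if any) is checked against the response
     * @return the parsed and signature-verified response
     * @throws IOException on transport failure
     * @throws OcspException if the HTTP status is not 200 or the response fails any check
     */
    public OcspResponse queryResponse(HttpURLConnection httpURLConnection, OcspRequest ocspRequest) throws IOException, OcspException {
        httpURLConnection.setRequestMethod("POST");
        httpURLConnection.setRequestProperty("Content-Type", "application/ocsp-request");
        httpURLConnection.setDoOutput(true);
        // try-with-resources closes both streams on every exit path, including the
        // non-200 and read-failure paths where nothing was closed before.
        try (OutputStream out = httpURLConnection.getOutputStream()) {
            out.write(ocspRequest.getEncoded());
            this.debug.println(() -> "Sent request bytes to  " + httpURLConnection);
            int responseCode = httpURLConnection.getResponseCode();
            if (responseCode != HTTP_OK) {
                throw new OcspException("HTTP response was " + responseCode);
            }
            byte[] responseBytes;
            try (InputStream in = httpURLConnection.getInputStream()) {
                responseBytes = readFromStream(in);
            }
            this.debug.println(() -> "Received response from " + httpURLConnection);
            return processResponse(responseBytes, ocspRequest.getNonce());
        }
    }

    /**
     * Decodes, signature-checks and parses a DER-encoded OCSPResponse.
     *
     * @param bArr the raw OCSPResponse bytes
     * @param bArr2 the nonce sent in the request, or null if the request carried none
     * @return the parsed response; {@code certs} is the certificate list from the response or null
     * @throws OcspException on responder error status, unsupported type, bad signature,
     *     nonce mismatch, unsupported critical extension, or malformed ASN.1
     */
    public OcspResponse processResponse(byte[] bArr, byte[] bArr2) throws OcspException {
        try {
            byte[] basicResponseOctets = decodeBasicResponse(Asn1.decodeOne(bArr));
            // BasicOCSPResponse ::= SEQUENCE { tbsResponseData, signatureAlgorithm, signature, certs [0] OPTIONAL }
            List<Asn1BerValue> basic = Asn1.decodeOne(ByteBuffer.wrap(basicResponseOctets), true)
                    .tag(UniversalTag.SEQUENCE).count(3, 4).sequence();
            Asn1BerValue tbsResponseData = basic.get(0);
            AlgorithmId signatureAlg = AlgorithmId.decode(basic.get(1));
            byte[] signatureBytes = basic.get(2).getBitStringOctets();
            List<X509Certificate> certs = basic.size() == 4 ? processCerts(basic.get(3)) : null;
            // Verify before interpreting tbsResponseData so nothing unauthenticated reaches the caller.
            checkSignature(signatureAlg, certs, tbsResponseData.encodeDerOctets(), signatureBytes);
            OcspResponse response = processTbsResponseData(tbsResponseData, bArr2);
            response.certs = certs;
            return response;
        } catch (AlgIdException | Asn1Exception e) {
            throw new OcspException("Invalid response received", e);
        }
    }

    /**
     * Same as {@link #processResponse(byte[], byte[])} with no request nonce, so the
     * nonce extension is never checked.
     *
     * @param bArr the raw OCSPResponse bytes
     * @return the parsed response
     * @throws OcspException see {@link #processResponse(byte[], byte[])}
     */
    public OcspResponse processResponse(byte[] bArr) throws OcspException {
        return processResponse(bArr, null);
    }

    /**
     * Unwraps OCSPResponse down to the BasicOCSPResponse octets.
     *
     * @return the DER octets of the BasicOCSPResponse
     * @throws OcspException if responseStatus is not successful(0) or responseType is not id-pkix-ocsp-basic
     */
    private byte[] decodeBasicResponse(Asn1BerValue asn1BerValue) throws OcspException {
        // OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
        List<Asn1BerValue> outer = asn1BerValue.count(1, 2).sequence();
        BigInteger status = outer.get(0).getEnumerated();
        if (!status.equals(BigInteger.ZERO)) {
            throw new OcspException("Responder error received: " + getErrorMessage(status));
        }
        // ResponseBytes ::= SEQUENCE { responseType OID, response OCTET STRING }
        List<Asn1BerValue> responseBytes = outer.get(1).tag(0).explicit().tag(UniversalTag.SEQUENCE).count(2).sequence();
        String responseType = responseBytes.get(0).getOid();
        if (!responseType.equals(OID_BASIC_RESPONSE)) {
            throw new OcspException("Unsupported response type: " + responseType);
        }
        return responseBytes.get(1).getOctetString();
    }

    /**
     * Parses ResponseData (version, responderID, producedAt, responses, responseExtensions).
     *
     * @param asn1BerValue the tbsResponseData SEQUENCE
     * @param bArr the request nonce, or null
     * @throws OcspException if the version is not v1(0) or any nested element is rejected
     */
    private OcspResponse processTbsResponseData(Asn1BerValue asn1BerValue, byte[] bArr) throws OcspException, AlgIdException {
        OcspResponse ocspResponse = new OcspResponse();
        Iterator<Asn1BerValue> fields = asn1BerValue.count(3, 5).tag(UniversalTag.SEQUENCE).sequence().iterator();
        Asn1BerValue current = fields.next();
        // version [0] EXPLICIT INTEGER DEFAULT v1 -- only present when explicitly encoded
        if (current.hasTag(0)) {
            BigInteger version = current.explicit().tag(UniversalTag.INTEGER).getInteger();
            current = fields.next();
            if (!version.equals(BigInteger.ZERO)) {
                throw new OcspException("OCSP response version (" + version + ") not supported.");
            }
        }
        processResponderId(ocspResponse, current);
        ocspResponse.producedAt = fields.next().tag(UniversalTag.GeneralizedTime).getGeneralizedTime();
        processResponses(ocspResponse, fields.next());
        // responseExtensions [1] EXPLICIT Extensions OPTIONAL; the explicit tag number itself is not checked here
        List<Asn1BerValue> extns = fields.hasNext()
                ? fields.next().explicit().tag(UniversalTag.SEQUENCE).sequence()
                : null;
        processResponseExtns(ocspResponse, extns, bArr);
        return ocspResponse;
    }

    /**
     * Decodes the {@code certs [0] EXPLICIT SEQUENCE OF Certificate} element.
     *
     * @return the certificates in response order; may be empty
     * @throws OcspException if any certificate cannot be parsed
     */
    private List<X509Certificate> processCerts(Asn1BerValue asn1BerValue) throws OcspException {
        List<X509Certificate> certs = new ArrayList<>();
        for (Asn1BerValue certValue : asn1BerValue.tag(0).explicit().tag(UniversalTag.SEQUENCE).sequence()) {
            certs.add(readCert(certValue));
        }
        return certs;
    }

    /** Decodes {@code responses SEQUENCE OF SingleResponse} into {@code ocspResponse.responses}. */
    private void processResponses(OcspResponse ocspResponse, Asn1BerValue asn1BerValue) throws AlgIdException {
        List<CertResponse> responses = new ArrayList<>();
        for (Asn1BerValue single : asn1BerValue.tag(UniversalTag.SEQUENCE).sequence()) {
            CertResponse certResponse = CertResponse.decode(single);
            this.debug.println(() -> "CertResponse " + certResponse.getStatus() + ": id=(" + certResponse.certId + ")");
            responses.add(certResponse);
        }
        ocspResponse.responses = responses;
    }

    /**
     * Decodes {@code ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash }}.
     *
     * @throws OcspException if the value carries neither tag [1] nor tag [2]
     */
    private void processResponderId(OcspResponse ocspResponse, Asn1BerValue asn1BerValue) throws OcspException {
        if (asn1BerValue.hasTag(1)) {
            ocspResponse.responderName = new X500Principal(asn1BerValue.explicit().encodeDerOctets());
            this.debug.println(() -> "Response from responderId: name=" + ocspResponse.responderName);
            return;
        }
        if (!asn1BerValue.hasTag(2)) {
            throw new OcspException("Invalid responderId content in response");
        }
        ocspResponse.responderKeyHash = asn1BerValue.explicit().getOctetString();
        this.debug.println(() -> "Response from responderId: keyHash=0x" + Util.toHex(ocspResponse.responderKeyHash));
    }

    /**
     * Records the response extensions, checks the nonce, and rejects unsupported critical extensions.
     *
     * @param list the decoded Extensions SEQUENCE, or null if absent
     * @param bArr the request nonce, or null
     * @throws OcspException on nonce mismatch or an unsupported critical extension (unless relaxed by flags)
     */
    private void processResponseExtns(OcspResponse ocspResponse, List<Asn1BerValue> list, byte[] bArr) throws OcspException {
        HashSet<String> nonCriticalOids = new HashSet<>();
        HashSet<String> criticalOids = new HashSet<>();
        Map<String, byte[]> extns = ExtensionHelper.processExtns(list, nonCriticalOids, criticalOids);
        if (!extns.isEmpty()) {
            ocspResponse.extns = extns;
            ocspResponse.nonCriticalExtOids = nonCriticalOids;
            ocspResponse.criticalExtOids = criticalOids;
        }
        verifyNonce(extns.get(OID_NONCE), bArr);
        if (!ocspResponse.hasUnsupportedCriticalExtension()) {
            return;
        }
        if (this.allowUnsupportedCritical) {
            this.debug.println("Ignoring unsupported critical extensions");
            return;
        }
        this.debug.println(() -> {
            // The nonce is understood here, so exclude it from the reported set.
            HashSet<String> unsupported = new HashSet<>(ocspResponse.getCriticalExtensionOIDs());
            unsupported.remove(OID_NONCE);
            return "Unsupported critical extensions in response: " + unsupported;
        });
        throw new OcspException("Response contains unsupported critical extensions.");
    }

    /**
     * Compares the response nonce with the request nonce.
     *
     * @param bArr the raw nonce extension value (an OCTET STRING wrapping the nonce OCTET STRING), or null
     * @param bArr2 the request nonce; null disables the check entirely
     * @throws OcspException if the nonce is missing or differs and IGNORE_NONCE is not set
     */
    private void verifyNonce(byte[] bArr, byte[] bArr2) throws OcspException {
        if (bArr2 == null) {
            return;
        }
        if (this.allowNonceIgnore) {
            this.debug.println("Skipping nonce check as per IGNORE_NONCE flag");
            return;
        }
        if (bArr == null) {
            throw new OcspException("Response did not contain expected nonce.");
        }
        // extnValue is an OCTET STRING whose content is itself the DER OCTET STRING nonce.
        byte[] actualNonce = Asn1.decodeOne(
                Asn1.decodeOne(bArr).tag(UniversalTag.OCTET_STRING).getOctetString())
                .tag(UniversalTag.OCTET_STRING).getOctetString();
        if (Arrays.equals(actualNonce, bArr2)) {
            return;
        }
        this.debug.println(() -> "Actual nonce (0x" + Util.toHex(actualNonce) + ") != expected (0x" + Util.toHex(bArr2) + ")");
        throw new OcspException("Response did not contain expected nonce.");
    }

    /**
     * Verifies the response signature.
     *
     * <p>If no responder certificate was configured, the FIRST certificate embedded in the
     * response is used as the verification key. NOTE(review): that certificate comes from
     * the same untrusted message as the signature and is not validated here (no check that it
     * is the issuer, chains to the issuer, or carries id-kp-OCSPSigning); nor is any other
     * embedded certificate tried if the signer is not first. Callers that do not configure a
     * responder certificate must validate {@code OcspResponse.certs} themselves.
     *
     * @param algorithmId signature algorithm from the response
     * @param list certificates embedded in the response, or null
     * @param bArr DER bytes of tbsResponseData
     * @param bArr2 signature bytes
     * @throws OcspException if no verification certificate is available, the algorithm is
     *     unavailable, or the signature does not verify
     */
    private void checkSignature(AlgorithmId algorithmId, List<X509Certificate> list, byte[] bArr, byte[] bArr2) throws OcspException {
        if (this.responderCert == null && (list == null || list.isEmpty())) {
            throw new OcspException("No responder cert specified, and response did not contain certificates");
        }
        X509Certificate verifier = this.responderCert != null ? this.responderCert : list.get(0);
        try {
            Signature signature = Signature.getInstance(algorithmId.getAlg());
            signature.initVerify(verifier);
            signature.update(bArr);
            if (!signature.verify(bArr2)) {
                throw new OcspException("Signature verification failed.");
            }
        } catch (GeneralSecurityException e) {
            throw new OcspException("Failed to verify signature", e);
        }
    }

    /**
     * Re-encodes an ASN.1 Certificate value as DER and parses it with the X.509 factory.
     *
     * @throws OcspException if the bytes are not a parseable X.509 certificate
     */
    private X509Certificate readCert(Asn1BerValue asn1BerValue) throws OcspException {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(asn1BerValue.encodeDerOctets()));
        } catch (CertificateException e) {
            throw new OcspException("Could not read certificate in response", e);
        }
    }

    /**
     * Maps an OCSPResponseStatus value to a human-readable message.
     *
     * @param bigInteger the responseStatus ENUMERATED value
     * @return a description; "Unknown error" for unassigned or out-of-range values
     */
    private static String getErrorMessage(BigInteger bigInteger) {
        // A responder-supplied value outside int range must not turn the "Responder error"
        // OcspException into an ArithmeticException from intValueExact().
        if (bigInteger.bitLength() > 31) {
            return "Unknown error";
        }
        switch (bigInteger.intValue()) {
            case 1:
                return "Malformed request";
            case 2:
                return "Internal error";
            case 3:
                return "Try later";
            case 5:
                return "Signature required";
            case 6:
                return "Request unauthorized";
            default:
                // 4 is not assigned, so it falls in here as well.
                return "Unknown error";
        }
    }

    /**
     * Reads the stream to EOF into a byte array.
     *
     * <p>NOTE(review): there is no upper bound on the number of bytes read, so a
     * misbehaving responder can make the client allocate an arbitrarily large buffer.
     *
     * @throws IOException on read failure
     */
    private static byte[] readFromStream(InputStream inputStream) throws IOException {
        ByteArrayOutputStream collected = new ByteArrayOutputStream();
        byte[] chunk = new byte[1024];
        int count;
        while ((count = inputStream.read(chunk)) != -1) {
            collected.write(chunk, 0, count);
        }
        return collected.toByteArray();
    }
}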
