package org.wso2.transport.http.netty.contractimpl.sender;

import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.ReferenceCountedOpenSslEngine;
import io.netty.handler.ssl.ocsp.OcspClientHandler;
import java.math.BigInteger;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.RevocationVerificationManager;

/* loaded from: input_file:WEB-INF/lib/org.wso2.transport.http.netty-6.3.51.jar:org/wso2/transport/http/netty/contractimpl/sender/OCSPStaplingHandler.class */
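/**
 * Client-side handler that decides whether the peer certificate is acceptable from a
 * revocation point of view, preferring the OCSP response stapled to the TLS handshake.
 *
 * <p>When the engine carries no stapled response, the decision is delegated to
 * {@link RevocationVerificationManager} over the peer certificate chain.
 *
 * <p>NOTE(review): nothing in this class verifies the signature on the stapled
 * {@link BasicOCSPResp}, nor that the {@code CertID} issuer hashes match the issuer of the
 * peer certificate. Unless that is done elsewhere, the checks below only establish that the
 * response is well-formed, in date, and names the peer's serial number. Confirm where
 * responder-signature validation happens before relying on this as a revocation control.
 */
public class OCSPStaplingHandler extends OcspClientHandler {
    private static final Logger LOG = LoggerFactory.getLogger(OCSPStaplingHandler.class);

    /**
     * Allowance for clock drift between this host and the OCSP responder when checking the
     * thisUpdate/nextUpdate window. Chosen as a conservative default; tune to local policy.
     */
    private static final long CLOCK_SKEW_TOLERANCE_MILLIS = 5 * 60 * 1000L;

    public OCSPStaplingHandler(ReferenceCountedOpenSslEngine referenceCountedOpenSslEngine) {
        super(referenceCountedOpenSslEngine);
    }

    /**
     * Evaluates the revocation status of the peer certificate.
     *
     * @param channelHandlerContext context of the channel being verified; used here only to
     *     log the remote address
     * @param referenceCountedOpenSslEngine engine holding the stapled OCSP response (if any)
     *     and the TLS session with the peer certificate chain
     * @return {@code true} only if the stapled response is successful, is a basic response
     *     with at least one entry, that entry reports {@code GOOD} for the peer certificate's
     *     serial number, and the entry is within its validity window; when no response was
     *     stapled, the result of {@link RevocationVerificationManager#verifyRevocationStatus}
     * @throws Exception if the stapled bytes cannot be parsed or the session/chain cannot be
     *     read
     */
    @Override
    protected boolean verify(ChannelHandlerContext channelHandlerContext, ReferenceCountedOpenSslEngine referenceCountedOpenSslEngine) throws Exception {
        byte[] ocspResponse = referenceCountedOpenSslEngine.getOcspResponse();
        if (ocspResponse == null) {
            // No staple from the server: fall back to the revocation manager.
            // NOTE(review): the meaning of the arguments (50, 15) is not visible here;
            // presumably cache sizing/expiry - confirm against RevocationVerificationManager.
            return new RevocationVerificationManager(50, 15).verifyRevocationStatus(referenceCountedOpenSslEngine.getSession().getPeerCertificateChain());
        }

        OCSPResp oCSPResp = new OCSPResp(ocspResponse);
        if (oCSPResp.getStatus() != OCSPResp.SUCCESSFUL) {
            return false;
        }

        // A response without response bytes, or of a non-basic type, carries no usable
        // status; reject it explicitly instead of failing on a cast or a null dereference.
        Object responseObject = oCSPResp.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            return false;
        }
        SingleResp[] responses = ((BasicOCSPResp) responseObject).getResponses();
        if (responses == null || responses.length == 0) {
            return false;
        }

        // Only the first SingleResp is consulted; it must describe the leaf certificate.
        SingleResp singleResp = responses[0];
        BigInteger serialNumber = referenceCountedOpenSslEngine.getSession().getPeerCertificateChain()[0].getSerialNumber();
        CertificateStatus certStatus = singleResp.getCertStatus();
        BigInteger serialNumber2 = singleResp.getCertID().getSerialNumber();
        boolean withinValidityWindow = isWithinValidityWindow(singleResp, System.currentTimeMillis());

        if (LOG.isDebugEnabled()) {
            LOG.debug("OCSP status of {}\n  Status: {}\n  This Update: {}\n  Next Update: {}\n  Cert Serial: {}\n  OCSP Serial: {}",
                    channelHandlerContext.channel().remoteAddress(),
                    certStatus == CertificateStatus.GOOD ? "Good" : certStatus,
                    singleResp.getThisUpdate(),
                    singleResp.getNextUpdate(),
                    serialNumber,
                    serialNumber2);
        }

        // A stale "good" response says nothing about the certificate's current state: a
        // staple issued before a revocation would otherwise keep being accepted.
        return certStatus == CertificateStatus.GOOD && serialNumber.equals(serialNumber2) && withinValidityWindow;
    }

    /**
     * Checks that {@code nowMillis} falls inside the entry's thisUpdate/nextUpdate window,
     * widened by {@link #CLOCK_SKEW_TOLERANCE_MILLIS} on both sides. An entry without
     * nextUpdate is treated as having no upper bound.
     */
    private static boolean isWithinValidityWindow(SingleResp singleResp, long nowMillis) {
        java.util.Date thisUpdate = singleResp.getThisUpdate();
        if (thisUpdate == null || thisUpdate.getTime() - CLOCK_SKEW_TOLERANCE_MILLIS > nowMillis) {
            // Missing or future-dated thisUpdate: the response is not yet trustworthy.
            return false;
        }
        java.util.Date nextUpdate = singleResp.getNextUpdate();
        return nextUpdate == null || nextUpdate.getTime() + CLOCK_SKEW_TOLERANCE_MILLIS >= nowMillis;
    }
}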
