package com.wso2.openbanking.accelerator.gateway.executor.revocation;

import com.wso2.openbanking.accelerator.common.exception.CertificateValidationException;
import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
import com.wso2.openbanking.accelerator.common.util.HTTPClientUtils;
import com.wso2.openbanking.accelerator.gateway.executor.model.RevocationStatus;
import com.wso2.openbanking.accelerator.gateway.executor.util.CertificateValidationUtils;
import com.wso2.openbanking.accelerator.gateway.internal.TPPCertValidatorDataHolder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpHost;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.CloseableHttpClient;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: input_file:com/wso2/openbanking/accelerator/gateway/executor/revocation/OCSPValidator.class */
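/**
 * Checks the revocation status of a peer (TPP) certificate via OCSP.
 *
 * <p>The peer certificate's Authority Information Access extension is parsed for
 * {@code id-ad-ocsp} URIs, a nonce-carrying OCSP request is built from the issuer
 * certificate and the peer serial number, and each responder URL is tried in turn
 * (with {@link #getRetryCount()} retries per URL on I/O failure) until one yields a
 * usable single response.
 *
 * <p>Thread-safety: the HTTP timeouts are {@code static} and shared by every instance;
 * the most recent 4-arg construction wins for all validators in the JVM.
 */
public class OCSPValidator implements RevocationValidator {

    private static final Log log = LogFactory.getLog(OCSPValidator.class);
    private static final String BC = "BC";
    /** Size in bytes of the random id-pkix-ocsp-nonce attached to every request. */
    private static final int NONCE_LENGTH = 16;
    private static final SecureRandom NONCE_RANDOM = new SecureRandom();

    private final int retryCount;

    // Shared across instances (kept for compatibility with the 4-arg constructor contract).
    // HttpClient 4.x reads 0 as "no timeout", so a validator built only through the 1-arg
    // constructor can block on an unresponsive responder until the connection is torn down.
    private static int httpConnectTimeout;
    private static int httpConnectionRequestTimeout;
    private static int httpSocketTimeout;

    /**
     * Creates a validator that leaves the shared HTTP timeouts untouched.
     *
     * @param retryCount number of additional attempts per responder URL after the first I/O failure
     */
    public OCSPValidator(int retryCount) {
        this.retryCount = retryCount;
    }

    /**
     * Creates a validator and (re)configures the JVM-wide HTTP timeouts used for OCSP calls.
     *
     * @param retryCount                   number of additional attempts per responder URL
     * @param httpConnectTimeout           TCP connect timeout in milliseconds
     * @param httpConnectionRequestTimeout timeout for leasing a pooled connection in milliseconds
     * @param httpSocketTimeout            read timeout in milliseconds
     */
    public OCSPValidator(int retryCount, int httpConnectTimeout, int httpConnectionRequestTimeout,
                         int httpSocketTimeout) {
        this.retryCount = retryCount;
        OCSPValidator.httpConnectTimeout = httpConnectTimeout;
        OCSPValidator.httpConnectionRequestTimeout = httpConnectionRequestTimeout;
        OCSPValidator.httpSocketTimeout = httpSocketTimeout;
    }

    /**
     * Extracts the OCSP responder URLs from the certificate's Authority Information Access extension.
     *
     * @param certificate certificate whose AIA extension is read
     * @return the non-empty list of {@code id-ad-ocsp} URIs, in certificate order
     * @throws CertificateValidationException if the extension is absent, unreadable, or lists no OCSP URI
     */
    public static List<String> getAIALocations(X509Certificate certificate) throws CertificateValidationException {
        byte[] aiaExtensionValue = getAiaExtensionValue(certificate);
        if (aiaExtensionValue == null) {
            throw new CertificateValidationException("Certificate with serial num: " + certificate.getSerialNumber()
                    + " doesn't have Authority Information Access points");
        }
        List<String> ocspUrls = getOcspUrlsFromAuthorityInfoAccess(getAuthorityInformationAccess(aiaExtensionValue));
        if (ocspUrls.isEmpty()) {
            throw new CertificateValidationException("Cant get OCSP urls from certificate with serial num: "
                    + certificate.getSerialNumber());
        }
        return ocspUrls;
    }

    /**
     * Registers the Bouncy Castle provider if it is not already installed.
     * {@code Security.addProvider} is idempotent, but constructing the provider on every call is wasteful.
     */
    private static void ensureBouncyCastleProvider() {
        if (Security.getProvider(BC) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Builds a single-certificate OCSP request carrying a fresh random nonce.
     *
     * @param issuerCertificate issuer of the certificate under check (its name/key hash form the CertID)
     * @param serialNumber      serial number of the certificate under check
     * @return the encoded-ready request
     * @throws CertificateValidationException if the issuer certificate cannot be encoded or the request built
     */
    private static OCSPReq generateOCSPRequest(X509Certificate issuerCertificate, BigInteger serialNumber)
            throws CertificateValidationException {
        ensureBouncyCastleProvider();
        try {
            // SHA-1 is the interoperable CertID hash; it identifies the issuer, it is not a signature.
            CertificateID certificateID = new CertificateID(
                    new JcaDigestCalculatorProviderBuilder().setProvider(BC).build().get(CertificateID.HASH_SHA1),
                    new X509CertificateHolder(issuerCertificate.getEncoded()),
                    serialNumber);
            // A random nonce (rather than a timestamp) is unpredictable, which is what makes it
            // useful as a replay guard should the echoed value ever be checked.
            byte[] nonce = new byte[NONCE_LENGTH];
            NONCE_RANDOM.nextBytes(nonce);
            OCSPReqBuilder builder = new OCSPReqBuilder();
            builder.addRequest(certificateID);
            builder.setRequestExtensions(new Extensions(new Extension(
                    OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce))));
            return builder.build();
        } catch (IOException | CertificateEncodingException | OCSPException | OperatorCreationException e) {
            throw new CertificateValidationException(
                    "Cannot generate OSCP Request with the given certificate with serial num: " + serialNumber, e);
        }
    }

    /**
     * Queries the given responder URLs in order and returns the first usable revocation status.
     *
     * @param peerCertificate   certificate under check (its serial number goes into the CertID)
     * @param issuerCertificate issuer of {@code peerCertificate}
     * @param retryCount        retries per URL on I/O failure
     * @param ocspUrls          responder URLs to try, in order
     * @param proxyEnabled      whether to route the request through {@code proxyHost:proxyPort}
     * @param proxyHost         proxy host, required when {@code proxyEnabled}
     * @param proxyPort         proxy port
     * @return the status reported by the first responder that answers for the requested CertID
     * @throws CertificateValidationException if the request cannot be built or no URL yields a usable answer
     */
    public static RevocationStatus getOCSPRevocationStatus(X509Certificate peerCertificate,
                                                           X509Certificate issuerCertificate, int retryCount,
                                                           List<String> ocspUrls, boolean proxyEnabled,
                                                           String proxyHost, int proxyPort)
            throws CertificateValidationException {
        OCSPReq request = generateOCSPRequest(issuerCertificate, peerCertificate.getSerialNumber());
        // The one CertID we asked about; a responder answering for anything else is ignored.
        CertificateID requestedId = request.getRequestList()[0].getCertID();
        for (String ocspUrl : ocspUrls) {
            try {
                if (log.isDebugEnabled()) {
                    log.debug("Trying to get OCSP Response from : " + ocspUrl);
                }
                OCSPResp response = getOCSPResponse(ocspUrl, request, retryCount, proxyEnabled, proxyHost, proxyPort);
                if (response.getStatus() != OCSPResp.SUCCESSFUL) {
                    log.debug("OCSP Response is not successfully received.");
                    continue;
                }
                Object responseObject = response.getResponseObject();
                if (!(responseObject instanceof BasicOCSPResp)) {
                    log.debug("OCSP Response does not carry a basic response.");
                    continue;
                }
                // NOTE(review): neither the basic response signature (BasicOCSPResp.isSignatureValid)
                // nor the echoed nonce is verified here, so whatever the network returns is trusted
                // as-is. Responder-signature and nonce checks should be added before this status is
                // relied on for access decisions.
                SingleResp[] singleResponses = ((BasicOCSPResp) responseObject).getResponses();
                if (singleResponses == null || singleResponses.length != 1) {
                    log.debug("OCSP Response does not contain exactly one single response.");
                    continue;
                }
                if (!requestedId.equals(singleResponses[0].getCertID())) {
                    log.debug("OCSP Response is for a different certificate than the one requested.");
                    continue;
                }
                return getRevocationStatusFromOCSP(singleResponses[0]);
            } catch (OCSPException | CertificateValidationException e) {
                // Best effort per URL: log and move on to the next responder.
                log.debug("Certificate revocation check failed due to an exception", e);
            }
        }
        throw new CertificateValidationException("Cant get Revocation Status from OCSP using any of the OCSP Urls for certificate with serial num:" + peerCertificate.getSerialNumber());
    }

    /**
     * Collects the URI access locations whose access method is {@code id-ad-ocsp}.
     *
     * @param authorityInformationAccess parsed AIA extension, may be {@code null}
     * @return OCSP responder URIs in extension order; empty when none or when the input is {@code null}
     */
    private static List<String> getOcspUrlsFromAuthorityInfoAccess(
            AuthorityInformationAccess authorityInformationAccess) {
        List<String> ocspUrls = new ArrayList<>();
        if (authorityInformationAccess == null) {
            return ocspUrls;
        }
        for (AccessDescription accessDescription : authorityInformationAccess.getAccessDescriptions()) {
            // id-ad-caIssuers entries point at certificate downloads, not responders; skip them.
            if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
                continue;
            }
            GeneralName accessLocation = accessDescription.getAccessLocation();
            if (accessLocation.getTagNo() == GeneralName.uniformResourceIdentifier) {
                ocspUrls.add(DERIA5String.getInstance(accessLocation.getName()).getString());
            }
        }
        return ocspUrls;
    }

    /**
     * Decodes the raw AIA extension value into its structured form.
     *
     * @param extensionValue the DER OCTET STRING returned by {@code X509Certificate.getExtensionValue}
     * @return the parsed extension
     * @throws CertificateValidationException if the bytes are not a well-formed AIA extension
     */
    private static AuthorityInformationAccess getAuthorityInformationAccess(byte[] extensionValue)
            throws CertificateValidationException {
        // getExtensionValue() hands back the OCTET STRING wrapper; the AIA SEQUENCE is its content.
        try (ASN1InputStream wrapper = new ASN1InputStream(new ByteArrayInputStream(extensionValue))) {
            byte[] aiaDer = ASN1OctetString.getInstance(wrapper.readObject()).getOctets();
            try (ASN1InputStream aiaStream = new ASN1InputStream(aiaDer)) {
                return AuthorityInformationAccess.getInstance(aiaStream.readObject());
            }
        } catch (IOException | IllegalArgumentException e) {
            // getInstance() reports malformed structures as IllegalArgumentException; surface both
            // failure modes to the caller as one validation error rather than an unchecked crash.
            throw new CertificateValidationException("Cannot read certificate to get OSCP urls", e);
        }
    }

    /** Returns the raw AIA extension value, or {@code null} when the certificate has none. */
    private static byte[] getAiaExtensionValue(X509Certificate certificate) {
        return certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
    }

    /**
     * Assembles the per-request HTTP configuration: optional proxy plus the shared timeouts.
     *
     * @throws CertificateValidationException if the proxy is enabled but no host is configured
     */
    private static RequestConfig buildRequestConfig(boolean proxyEnabled, String proxyHost, int proxyPort)
            throws CertificateValidationException {
        RequestConfig.Builder builder = RequestConfig.custom();
        if (proxyEnabled) {
            log.debug("Setting certificate revocation proxy started.");
            if (proxyHost == null || proxyHost.trim().isEmpty()) {
                log.error("Certificate revocation proxy server host is not configured. Please do set the 'CertificateManagement -> CertificateRevocationProxy -> ProxyHost' file");
                throw new CertificateValidationException("Certificate revocation proxy server host is not configured. Please do set the 'CertificateManagement -> CertificateRevocationProxy -> ProxyHost' file");
            }
            if (log.isDebugEnabled()) {
                log.debug("Certificate revocation proxy: " + proxyHost + ":" + proxyPort);
            }
            builder.setProxy(new HttpHost(proxyHost, proxyPort));
            log.debug("Setting certificate revocation proxy finished.");
        }
        if (log.isDebugEnabled()) {
            log.debug("OCSP request timeout configurations: httpConnectTimeout: " + httpConnectTimeout + ", httpConnectionRequestTimeout: " + httpConnectionRequestTimeout + ", httpSocketTimeout: " + httpSocketTimeout);
        }
        return builder.setConnectTimeout(httpConnectTimeout)
                .setConnectionRequestTimeout(httpConnectionRequestTimeout)
                .setSocketTimeout(httpSocketTimeout)
                .build();
    }

    /**
     * POSTs the request to one responder, retrying on I/O failure up to {@code retryCount} extra times.
     *
     * <p>Both the HTTP client and the response are closed on every path, including the retry path.
     *
     * @param ocspUrl      responder URL
     * @param request      request to send
     * @param retryCount   additional attempts allowed after the first I/O failure
     * @param proxyEnabled whether to use the proxy
     * @param proxyHost    proxy host
     * @param proxyPort    proxy port
     * @return the decoded response (its status is not inspected here)
     * @throws CertificateValidationException on encoding failure, client creation failure, a non-2xx
     *                                        reply, an empty reply body, or exhausted retries
     */
    private static OCSPResp getOCSPResponse(String ocspUrl, OCSPReq request, int retryCount, boolean proxyEnabled,
                                            String proxyHost, int proxyPort) throws CertificateValidationException {
        if (log.isDebugEnabled()) {
            log.debug("Certificate revocation check proxy enabled: " + proxyEnabled);
        }
        RequestConfig requestConfig = buildRequestConfig(proxyEnabled, proxyHost, proxyPort);
        byte[] encodedRequest;
        try {
            encodedRequest = request.getEncoded();
        } catch (IOException e) {
            // Encoding cannot succeed on a retry, so do not spend the retry budget on it.
            throw new CertificateValidationException("Cannot get ocspResponse from url: " + ocspUrl, e);
        }
        int attemptsLeft = retryCount;
        while (true) {
            // A fresh HttpPost per attempt avoids any question of re-executing an aborted request.
            HttpPost httpPost = new HttpPost(ocspUrl);
            httpPost.setConfig(requestConfig);
            setRequestProperties(encodedRequest, httpPost);
            try (CloseableHttpClient httpsClient = HTTPClientUtils.getHttpsClient();
                 CloseableHttpResponse response = httpsClient.execute(httpPost)) {
                int statusCode = response.getStatusLine().getStatusCode();
                if (statusCode / 100 != 2) {
                    throw new CertificateValidationException("Error getting ocsp response.Response code is " + statusCode);
                }
                if (response.getEntity() == null) {
                    throw new CertificateValidationException("Error getting ocsp response.Response body is empty");
                }
                return new OCSPResp(response.getEntity().getContent());
            } catch (CertificateValidationException e) {
                // Our own verdicts pass through unchanged, whatever the exception hierarchy looks like.
                throw e;
            } catch (OpenBankingException e) {
                throw new CertificateValidationException("Error when creating http client.", e);
            } catch (IOException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Certificate revocation check failed due to an exception", e);
                }
                if (attemptsLeft == 0) {
                    throw new CertificateValidationException("Cannot get ocspResponse from url: " + ocspUrl, e);
                }
                log.info("Cant reach URI: " + ocspUrl + ". Retrying to connect - attempt " + attemptsLeft);
                attemptsLeft--;
            }
        }
    }

    /**
     * Sets the OCSP content negotiation headers and the DER body on the request.
     *
     * @param encodedRequest DER-encoded OCSP request
     * @param httpPost       request to populate
     */
    private static void setRequestProperties(byte[] encodedRequest, HttpPost httpPost) {
        httpPost.addHeader("Content-Type", CertificateValidationUtils.HTTP_CONTENT_TYPE_OCSP);
        httpPost.addHeader("Accept", CertificateValidationUtils.HTTP_ACCEPT_OCSP);
        // Keep the entity's own content type consistent with the header above: the body is DER, not JSON.
        httpPost.setEntity(new ByteArrayEntity(encodedRequest,
                ContentType.create(CertificateValidationUtils.HTTP_CONTENT_TYPE_OCSP)));
    }

    /**
     * Maps a Bouncy Castle single response to this module's {@link RevocationStatus}.
     *
     * @param singleResp the response for the requested CertID
     * @return GOOD, REVOKED or UNKNOWN
     * @throws CertificateValidationException if the status is of an unrecognised type
     */
    private static RevocationStatus getRevocationStatusFromOCSP(SingleResp singleResp)
            throws CertificateValidationException {
        CertificateStatus certStatus = singleResp.getCertStatus();
        // Bouncy Castle models "good" as the null constant, so identity comparison is the intended test.
        if (certStatus == CertificateStatus.GOOD) {
            return RevocationStatus.GOOD;
        }
        if (certStatus instanceof RevokedStatus) {
            return RevocationStatus.REVOKED;
        }
        if (certStatus instanceof UnknownStatus) {
            return RevocationStatus.UNKNOWN;
        }
        throw new CertificateValidationException("Cant recognize Certificate Status");
    }

    /**
     * Checks {@code peerCertificate} against the responders listed in its own AIA extension,
     * using proxy settings from {@link TPPCertValidatorDataHolder}.
     *
     * @param peerCertificate   certificate under check
     * @param issuerCertificate its issuer, required to build the CertID
     * @return the revocation status
     * @throws CertificateValidationException if either certificate is missing or no responder answers usably
     */
    @Override // com.wso2.openbanking.accelerator.gateway.executor.revocation.RevocationValidator
    public RevocationStatus checkRevocationStatus(X509Certificate peerCertificate, X509Certificate issuerCertificate)
            throws CertificateValidationException {
        if (peerCertificate == null) {
            throw new CertificateValidationException("Peer Certificate is not available for OCSP validation");
        }
        if (issuerCertificate == null) {
            throw new CertificateValidationException("Issuer Certificate is not available for OCSP validation");
        }
        List<String> aiaLocations = getAIALocations(peerCertificate);
        if (log.isDebugEnabled()) {
            log.debug("Peer certificate AIA locations: " + aiaLocations);
        }
        TPPCertValidatorDataHolder dataHolder = TPPCertValidatorDataHolder.getInstance();
        return getOCSPRevocationStatus(peerCertificate, issuerCertificate, this.retryCount, aiaLocations,
                dataHolder.isCertificateRevocationProxyEnabled(),
                dataHolder.getCertificateRevocationProxyHost(),
                dataHolder.getCertificateRevocationProxyPort());
    }

    /** @return the per-URL retry budget this validator was constructed with */
    @Override // com.wso2.openbanking.accelerator.gateway.executor.revocation.RevocationValidator
    public int getRetryCount() {
        return this.retryCount;
    }
}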
