package org.apache.synapse.transport.certificatevalidation.ocsp;

import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.transport.certificatevalidation.CertificateVerificationException;
import org.apache.synapse.transport.certificatevalidation.RevocationStatus;
import org.apache.synapse.transport.certificatevalidation.RevocationVerifier;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: input_file:WEB-INF/lib/synapse-nhttp-transport-2.1.7-wso2v302.jar:org/apache/synapse/transport/certificatevalidation/ocsp/OCSPVerifier.class */
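/**
 * {@link RevocationVerifier} that asks the OCSP responders listed in a certificate's
 * Authority Information Access extension whether the certificate has been revoked.
 *
 * <p>Results may be served from an {@link OCSPCache} when one is configured.
 *
 * <p>NOTE(review): this class does not verify the signature on the OCSP response
 * (against the issuer key or a delegated responder certificate), nor the
 * {@code thisUpdate}/{@code nextUpdate} validity window of the returned status.
 * Unless that verification happens elsewhere in the validation chain, a status
 * returned here should not be treated as authenticated -- TODO confirm.
 */
public class OCSPVerifier implements RevocationVerifier {
    private final OCSPCache cache;
    private static final Log log = LogFactory.getLog(OCSPVerifier.class);
    private static final String BC = "BC";
    /** Length in bytes of the random nonce attached to every OCSP request. */
    private static final int NONCE_LENGTH = 16;
    /** Source of request nonces; SecureRandom so a nonce cannot be predicted by an observer. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Creates a verifier.
     *
     * @param oCSPCache cache of previously obtained single responses, or {@code null} to disable caching
     */
    public OCSPVerifier(OCSPCache oCSPCache) {
        this.cache = oCSPCache;
    }

    /**
     * Determines the revocation status of {@code x509Certificate}, issued by {@code x509Certificate2}.
     *
     * <p>A cached single response is used when available. Otherwise every OCSP URL taken from the
     * certificate's AIA extension is tried in order; the first successful response that contains
     * exactly one single response and whose nonce (when echoed) matches the request is used and
     * cached. Failures on individual responders are logged at debug level and the next URL is tried.
     *
     * @param x509Certificate  the certificate whose status is checked
     * @param x509Certificate2 the issuer certificate, used to build the certificate ID
     * @return the revocation status reported by the cache or the first usable responder
     * @throws CertificateVerificationException if the request cannot be built, the certificate has
     *                                          no OCSP URLs, or no responder yields a usable status
     */
    @Override // org.apache.synapse.transport.certificatevalidation.RevocationVerifier
    public RevocationStatus checkRevocationStatus(X509Certificate x509Certificate, X509Certificate x509Certificate2)
            throws CertificateVerificationException {
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        if (this.cache != null) {
            SingleResp cached = this.cache.getCacheValue(serialNumber);
            if (cached != null) {
                RevocationStatus status = getRevocationStatus(cached);
                log.info("OCSP response taken from cache....");
                return status;
            }
        }
        OCSPReq request = generateOCSPRequest(x509Certificate2, serialNumber);
        for (String serviceUrl : getAIALocations(x509Certificate)) {
            try {
                OCSPResp response = getOCSPResponce(serviceUrl, request);
                if (response.getStatus() != OCSPResp.SUCCESSFUL) {
                    log.debug("OCSP responder " + serviceUrl + " answered with status " + response.getStatus());
                    continue;
                }
                BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
                SingleResp[] responses = basicResponse == null ? null : basicResponse.getResponses();
                // Exactly one single response is expected because exactly one certificate was requested.
                if (responses == null || responses.length != 1) {
                    log.debug("OCSP responder " + serviceUrl + " returned an unexpected number of single responses");
                    continue;
                }
                // A nonce that is echoed but differs from ours indicates a stale or replayed response.
                if (!nonceMatches(request, basicResponse)) {
                    log.warn("OCSP response from " + serviceUrl + " carries a nonce that does not match the request; ignoring it");
                    continue;
                }
                SingleResp singleResp = responses[0];
                RevocationStatus status = getRevocationStatus(singleResp);
                if (this.cache != null) {
                    this.cache.setCacheValue(serialNumber, singleResp, request, serviceUrl);
                }
                return status;
            } catch (Exception e) {
                // Best effort per responder: record why this one was skipped, then try the next URL.
                log.debug("Could not obtain OCSP status from " + serviceUrl, e);
            }
        }
        throw new CertificateVerificationException("Cant get Revocation Status from OCSP.");
    }

    /**
     * Compares the nonce echoed by the responder with the one sent in the request.
     *
     * <p>A responder is allowed to omit the nonce (RFC 6960 section 4.4.1, e.g. for pre-produced
     * responses), so a missing nonce on either side is accepted; only an echoed nonce that differs
     * from the request nonce is rejected.
     *
     * @param request  the request that was sent
     * @param response the basic response received
     * @return {@code false} only when the response carries a nonce different from the request's
     */
    private static boolean nonceMatches(OCSPReq request, BasicOCSPResp response) {
        Extension sent = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        Extension echoed = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (sent == null || echoed == null) {
            return true;
        }
        return Arrays.equals(sent.getExtnValue().getOctets(), echoed.getExtnValue().getOctets());
    }

    /**
     * Maps a BouncyCastle certificate status onto the transport's {@link RevocationStatus}.
     *
     * @param singleResp the single response to inspect
     * @return {@code GOOD}, {@code REVOKED} or {@code UNKNOWN}
     * @throws CertificateVerificationException if the status is of an unrecognised type
     */
    private RevocationStatus getRevocationStatus(SingleResp singleResp) throws CertificateVerificationException {
        CertificateStatus certStatus = singleResp.getCertStatus();
        // BouncyCastle represents "good" as the null CertificateStatus.GOOD constant, hence the identity check.
        if (certStatus == CertificateStatus.GOOD) {
            return RevocationStatus.GOOD;
        }
        if (certStatus instanceof RevokedStatus) {
            return RevocationStatus.REVOKED;
        }
        if (certStatus instanceof UnknownStatus) {
            return RevocationStatus.UNKNOWN;
        }
        throw new CertificateVerificationException("Cant recognize Certificate Status");
    }

    /**
     * Posts an OCSP request to {@code str} and parses the HTTP response body as an OCSP response.
     *
     * <p>Only URLs beginning with {@code http} are accepted; note that this also admits
     * {@code https://} URLs, which {@link HttpURLConnection} handles as well.
     *
     * <p>NOTE(review): no connect or read timeout is set on the connection, so an unresponsive
     * responder can block the caller indefinitely -- consider configuring one.
     *
     * @param str     the OCSP responder URL
     * @param oCSPReq the request to send
     * @return the parsed response
     * @throws CertificateVerificationException on a non-http URL, a non-2xx HTTP status or any I/O failure
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public OCSPResp getOCSPResponce(String str, OCSPReq oCSPReq) throws CertificateVerificationException {
        try {
            byte[] encoded = oCSPReq.getEncoded();
            if (!str.startsWith("http")) {
                throw new CertificateVerificationException("Only http is supported for ocsp calls");
            }
            HttpURLConnection connection = (HttpURLConnection) new URL(str).openConnection();
            connection.setRequestProperty("Content-Type", "application/ocsp-request");
            connection.setRequestProperty("Accept", "application/ocsp-response");
            connection.setDoOutput(true);
            // try-with-resources guarantees the request body stream is closed even when write() fails.
            try (DataOutputStream out = new DataOutputStream(new BufferedOutputStream(connection.getOutputStream()))) {
                out.write(encoded);
            }
            int responseCode = connection.getResponseCode();
            if (responseCode / 100 != 2) {
                throw new CertificateVerificationException("Error getting ocsp response.Response code is " + responseCode);
            }
            try (InputStream in = connection.getInputStream()) {
                return new OCSPResp(in);
            }
        } catch (IOException e) {
            throw new CertificateVerificationException("Cannot get ocspResponse from url: " + str, e);
        }
    }

    /**
     * Builds an OCSP request for the certificate with serial {@code bigInteger} issued by
     * {@code x509Certificate}, carrying a fresh random nonce.
     *
     * <p>The certificate ID uses SHA-1 hashes of the issuer name and key, which is the form
     * responders commonly expect; the hash identifies the issuer and does not protect the response.
     *
     * @param x509Certificate the issuer certificate
     * @param bigInteger      the serial number of the certificate being checked
     * @return the built request
     * @throws CertificateVerificationException if the certificate ID or request cannot be built
     */
    private OCSPReq generateOCSPRequest(X509Certificate x509Certificate, BigInteger bigInteger)
            throws CertificateVerificationException {
        // Register BouncyCastle once; addProvider is a no-op if it is already installed, but the
        // guard avoids constructing a throw-away provider on every request.
        if (Security.getProvider(BC) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        try {
            CertificateID certificateID = new CertificateID(
                    new JcaDigestCalculatorProviderBuilder().setProvider(BC).build().get(CertificateID.HASH_SHA1),
                    new X509CertificateHolder(x509Certificate.getEncoded()),
                    bigInteger);
            // An unpredictable nonce is what lets nonceMatches() detect a replayed response.
            byte[] nonce = new byte[NONCE_LENGTH];
            RANDOM.nextBytes(nonce);
            OCSPReqBuilder builder = new OCSPReqBuilder();
            builder.addRequest(certificateID);
            builder.setRequestExtensions(new Extensions(
                    new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce))));
            return builder.build();
        } catch (Exception e) {
            throw new CertificateVerificationException("Cannot generate OSCP Request with the given certificate", e);
        }
    }

    /**
     * Extracts the OCSP responder URLs from the certificate's Authority Information Access extension.
     *
     * <p>Only access descriptions whose method is {@code id-ad-ocsp} and whose location is a URI are
     * returned; {@code caIssuers} entries are not OCSP endpoints and are skipped.
     *
     * @param x509Certificate the certificate to read
     * @return the OCSP URLs in the order they appear in the extension; never empty
     * @throws CertificateVerificationException if the extension is absent, unreadable, or lists no OCSP URL
     */
    private List<String> getAIALocations(X509Certificate x509Certificate) throws CertificateVerificationException {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (extensionValue == null) {
            throw new CertificateVerificationException("Certificate Doesn't have Authority Information Access points");
        }
        try {
            AuthorityInformationAccess aia = readAuthorityInformationAccess(extensionValue);
            List<String> locations = new ArrayList<>();
            for (AccessDescription description : aia.getAccessDescriptions()) {
                if (!AccessDescription.id_ad_ocsp.equals(description.getAccessMethod())) {
                    continue;
                }
                GeneralName location = description.getAccessLocation();
                if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    locations.add(DERIA5String.getInstance(location.getName()).getString());
                }
            }
            if (locations.isEmpty()) {
                throw new CertificateVerificationException("Cant get OCSP urls from certificate");
            }
            return locations;
        } catch (IOException e) {
            throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
        }
    }

    /**
     * Decodes the raw value of the AIA extension.
     *
     * <p>{@link X509Certificate#getExtensionValue} returns the DER of the extension's OCTET STRING
     * wrapper, so the value is unwrapped first and the contained DER is then parsed as
     * {@link AuthorityInformationAccess}.
     *
     * @param extensionValue the DER-encoded extension value
     * @return the decoded extension
     * @throws IOException if either DER layer cannot be read
     */
    private static AuthorityInformationAccess readAuthorityInformationAccess(byte[] extensionValue) throws IOException {
        byte[] aiaDer;
        try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue))) {
            aiaDer = ASN1OctetString.getInstance(outer.readObject()).getOctets();
        }
        try (ASN1InputStream inner = new ASN1InputStream(aiaDer)) {
            return AuthorityInformationAccess.getInstance(inner.readObject());
        }
    }
}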
