package org.cesecore.util;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Random;
import java.util.Set;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.output.NullOutputStream;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.cesecore.certificates.ocsp.SHA1DigestCalculator;

/* loaded from: input_file:org/cesecore/util/PKIXCertRevocationStatusChecker.class */
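/**
 * A {@link PKIXCertPathChecker} that determines the revocation status of each certificate in a path.
 *
 * <p>OCSP is tried first: one request (carrying a fresh nonce) is sent to the configured OCSP URL and then
 * to every URL found in the certificate's Authority Information Access extension, until a usable response
 * is obtained. A response is only accepted when its signature is made by the issuing CA's key, or by a
 * responder certificate that the CA issued and that carries the id-kp-OCSPSigning extended key usage
 * (RFC 6960 section 4.2.2.2), and when the nonce and certificate serial number match the request.
 *
 * <p>If OCSP is unavailable the check falls back to CRLs: the configured CRL URL and the CRL Distribution
 * Points of the certificate are downloaded, and a CRL is used only if it is issued and signed by the CA
 * and is not stale. A revoked certificate results in a {@link CertPathValidatorException}.
 *
 * <p>The last OCSP response or CRL that was used can be retrieved afterwards with
 * {@link #getOCSPResponse()} and {@link #getcrl()}. Instances are not thread-safe.
 */
public class PKIXCertRevocationStatusChecker extends PKIXCertPathChecker {

    private static final Logger log = Logger.getLogger(PKIXCertRevocationStatusChecker.class);

    /** Nonces must be unpredictable to give replay protection, so a CSPRNG is used. SecureRandom is thread-safe. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Length in bytes of the nonce placed in each OCSP request. */
    private static final int NONCE_LENGTH = 16;

    /** A CRL that has no nextUpdate is only used if its thisUpdate is at most this old. */
    private static final long ONE_HOUR_MILLIS = 60L * 60L * 1000L;

    /** Connect and read timeout for OCSP and CRL downloads, so a stalled server cannot block validation forever. */
    private static final int NETWORK_TIMEOUT_MILLIS = 20000;

    /** Explicit OCSP responder URL tried before the ones in the certificate, or null. */
    private final String ocspUrl;
    /** Explicit CRL URL tried before the ones in the certificate, or null. */
    private final String crlUrl;
    /** Issuer CA certificate; when set it is used as-is without searching {@link #caCerts}. */
    private final X509Certificate issuerCert;
    /** Candidate CA certificates searched for the issuer when {@link #issuerCert} is null. */
    private final Collection<X509Certificate> caCerts;
    /** The OCSP response that decided the last check, or null. */
    private SingleResp ocspResponse;
    /** The CRL that decided the last check, or null. */
    private CRL crl;

    /**
     * Creates a checker that only uses the URLs found in the certificates being checked.
     *
     * @param issuerCert the issuer CA certificate, or null to search {@code caCerts}
     * @param caCerts candidate CA certificates used to find the issuer when {@code issuerCert} is null; may be null
     */
    public PKIXCertRevocationStatusChecker(X509Certificate issuerCert, Collection<X509Certificate> caCerts) {
        this(null, null, issuerCert, caCerts);
    }

    /**
     * Creates a checker with explicit OCSP and CRL URLs that are tried before the ones found in the certificates.
     *
     * @param ocspUrl OCSP responder URL, or null/empty for none
     * @param crlUrl CRL download URL, or null/empty for none
     * @param issuerCert the issuer CA certificate, or null to search {@code caCerts}
     * @param caCerts candidate CA certificates used to find the issuer when {@code issuerCert} is null; may be null
     */
    public PKIXCertRevocationStatusChecker(String ocspUrl, String crlUrl, X509Certificate issuerCert,
            Collection<X509Certificate> caCerts) {
        this.ocspUrl = ocspUrl;
        this.crlUrl = crlUrl;
        this.issuerCert = issuerCert;
        this.caCerts = caCerts;
        this.ocspResponse = null;
        this.crl = null;
    }

    /** Nothing to initialise: the checker keeps no per-path state apart from the last result, which {@link #check} resets. */
    @Override
    public void init(boolean forward) throws CertPathValidatorException {
    }

    /** Revocation checking does not depend on path direction. */
    @Override
    public boolean isForwardCheckingSupported() {
        return true;
    }

    /** @return the OIDs of the CRL Distribution Points and Authority Information Access extensions */
    @Override
    public Set<String> getSupportedExtensions() {
        return new HashSet<>(Arrays.asList(
                Extension.cRLDistributionPoints.getId(),
                Extension.authorityInfoAccess.getId()));
    }

    /** @return the OCSP response that decided the last {@link #check}, or null if OCSP was not used */
    public SingleResp getOCSPResponse() {
        return this.ocspResponse;
    }

    /** @return the CRL that decided the last {@link #check}, or null if no CRL was used */
    public CRL getcrl() {
        return this.crl;
    }

    private void clearResult() {
        this.ocspResponse = null;
        this.crl = null;
    }

    /**
     * Checks the revocation status of {@code certificate}, first via OCSP and then via CRL.
     *
     * @param certificate the certificate to check; must be an {@link X509Certificate}
     * @param unresolvedCritExts critical extension OIDs not yet handled; the CRL DP or AIA OID is removed when used. May be null.
     * @throws CertPathValidatorException if the certificate is revoked, no issuer CA is known, or no status could be obtained
     */
    @Override
    public void check(Certificate certificate, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
        clearResult();
        if (!(certificate instanceof X509Certificate)) {
            throw new CertPathValidatorException("Only X.509 certificates can be checked for revocation status");
        }
        X509Certificate caCert = getCaCert(certificate);
        if (caCert == null) {
            String msg = "No issuer CA certificate was found. An issuer CA certificate is needed to create an OCSP request and to get the right CRL";
            log.info(msg);
            throw new CertPathValidatorException(msg);
        }
        ArrayList<String> ocspUrls = getOcspUrls(certificate);
        if (ocspUrls.isEmpty()) {
            fallBackToCrl(certificate, caCert);
            markResolved(unresolvedCritExts, Extension.cRLDistributionPoints.getId());
            return;
        }
        byte[] nonce = new byte[NONCE_LENGTH];
        RANDOM.nextBytes(nonce);
        OCSPReq ocspRequest;
        try {
            ocspRequest = getOcspRequest(caCert, CertTools.getSerialNumber(certificate), nonce);
        } catch (CertificateEncodingException | OCSPException e) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to create OCSP request. " + e.getLocalizedMessage());
            }
            fallBackToCrl(certificate, caCert);
            markResolved(unresolvedCritExts, Extension.cRLDistributionPoints.getId());
            return;
        }
        SingleResp singleResp = null;
        for (String url : ocspUrls) {
            singleResp = fetchOcspResponse(url, ocspRequest, certificate, caCert, nonce,
                    OCSPResp.SUCCESSFUL, HttpURLConnection.HTTP_OK);
            if (singleResp != null) {
                log.info("Obtained OCSP response from " + url);
                break;
            }
            if (log.isDebugEnabled()) {
                log.debug("Failed to obtain an OCSP reponse from " + url);
            }
        }
        if (singleResp == null) {
            log.info("Failed to check certificate revocation status using OCSP. Falling back to check using CRL");
            fallBackToCrl(certificate, caCert);
            markResolved(unresolvedCritExts, Extension.cRLDistributionPoints.getId());
            return;
        }
        // BouncyCastle represents the "good" status as null (CertificateStatus.GOOD).
        CertificateStatus certStatus = singleResp.getCertStatus();
        this.ocspResponse = singleResp;
        if (log.isDebugEnabled()) {
            log.debug("The certificate status is: " + (certStatus == null ? "Good" : certStatus.toString()));
        }
        if (certStatus != null) {
            throw new CertPathValidatorException("Certificate with serialnumber "
                    + CertTools.getSerialNumberAsString(certificate) + " was revoked");
        }
        markResolved(unresolvedCritExts, Extension.authorityInfoAccess.getId());
    }

    /** Removes {@code oid} from the unresolved critical extensions, if a collection was supplied. */
    private static void markResolved(Collection<String> unresolvedCritExts, String oid) {
        if (unresolvedCritExts != null) {
            unresolvedCritExts.remove(oid);
        }
    }

    /**
     * Checks revocation status using CRLs. Every downloaded CRL that is issued and signed by {@code caCert}
     * and is not stale is consulted; the certificate is rejected if any of them lists it.
     *
     * @throws CertPathValidatorException if no CRL URL is known, no usable CRL could be obtained, or the certificate is revoked
     */
    private void fallBackToCrl(Certificate certificate, X509Certificate caCert) throws CertPathValidatorException {
        String caSubjectDn = CertTools.getSubjectDN(caCert);
        ArrayList<URL> crlUrls = getCrlUrl(certificate);
        if (crlUrls.isEmpty()) {
            String msg = "Failed to verify certificate status using the fallback CRL method. Could not find a CRL URL";
            log.info(msg);
            throw new CertPathValidatorException(msg);
        }
        if (log.isDebugEnabled()) {
            log.debug("Found " + crlUrls.size() + " CRL URLs");
        }
        for (URL url : crlUrls) {
            CRL candidate = getCRL(url);
            if (candidate == null || !isCorrectCRL(candidate, caCert)) {
                continue;
            }
            this.crl = candidate;
            if (candidate.isRevoked(certificate)) {
                throw new CertPathValidatorException("Certificate with serialnumber "
                        + CertTools.getSerialNumberAsString(certificate) + " was revoked");
            }
        }
        if (this.crl == null) {
            throw new CertPathValidatorException("Failed to verify certificate status using CRL. Could not find a CRL issued by "
                    + caSubjectDn + " reasonably lately");
        }
    }

    /**
     * Decides whether a downloaded CRL may be used: it must be an X.509 CRL whose issuer is the CA, whose
     * signature verifies with the CA key, and that is not past its nextUpdate (or, when nextUpdate is
     * absent, whose thisUpdate is less than an hour old).
     */
    private boolean isCorrectCRL(CRL crl, X509Certificate caCert) {
        if (!(crl instanceof X509CRL)) {
            return false;
        }
        X509CRL x509crl = (X509CRL) crl;
        String caSubjectDn = CertTools.getSubjectDN(caCert);
        if (!StringUtils.equals(caSubjectDn, CertTools.getIssuerDN(x509crl))) {
            return false;
        }
        // The CRL is fetched over an unauthenticated channel; only the CA's signature makes it trustworthy.
        try {
            x509crl.verify(caCert.getPublicKey());
        } catch (CRLException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
            log.warn("CRL claiming to be issued by " + caSubjectDn + " is not signed by that CA. " + e.getLocalizedMessage());
            return false;
        }
        Date now = new Date();
        Date nextUpdate = x509crl.getNextUpdate();
        if (nextUpdate != null) {
            if (nextUpdate.after(now)) {
                return true;
            }
            if (log.isDebugEnabled()) {
                log.debug("CRL issued by " + caSubjectDn + " is out of date");
            }
            return false;
        }
        Date thisUpdate = x509crl.getThisUpdate();
        if (thisUpdate == null) {
            if (log.isDebugEnabled()) {
                log.debug("Could not check issuance time for CRL issued by " + caSubjectDn);
            }
            return false;
        }
        // No nextUpdate: accept the CRL only while thisUpdate is less than one hour in the past.
        Date staleAfter = new Date(thisUpdate.getTime() + ONE_HOUR_MILLIS);
        if (staleAfter.before(now)) {
            if (log.isDebugEnabled()) {
                log.debug("Could not find when CRL issued by " + caSubjectDn
                        + " should be updated and this CRL is over one hour old. Not using it");
            }
            return false;
        }
        log.warn("Could not find when CRL issued by " + caSubjectDn
                + " should be updated, but this CRL was issued less than an hour ago, so we are using it");
        return true;
    }

    /**
     * Downloads and parses a CRL.
     *
     * @return the CRL, or null if it could not be downloaded or parsed (the reason is logged at debug level)
     */
    private CRL getCRL(URL url) {
        try {
            URLConnection con = url.openConnection();
            con.setConnectTimeout(NETWORK_TIMEOUT_MILLIS);
            con.setReadTimeout(NETWORK_TIMEOUT_MILLIS);
            try (InputStream in = con.getInputStream()) {
                CRL downloaded = CertificateFactory.getInstance("X.509").generateCRL(in);
                log.info("Downloaded CRL from " + url);
                return downloaded;
            }
        } catch (IOException | CRLException | CertificateException e) {
            if (log.isDebugEnabled()) {
                log.debug("Fetching CRL from " + url.toString() + " failed. " + e.getLocalizedMessage());
            }
            return null;
        }
    }

    /**
     * Builds an OCSP request for one certificate, identified by issuer and serial number, with a nonce extension.
     *
     * @param caCert the issuer CA certificate
     * @param serialNumber serial number of the certificate to ask about
     * @param nonce raw nonce bytes placed in the id-pkix-ocsp-nonce extension
     */
    private OCSPReq getOcspRequest(Certificate caCert, BigInteger serialNumber, byte[] nonce)
            throws CertificateEncodingException, OCSPException {
        OCSPReqBuilder builder = new OCSPReqBuilder();
        builder.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), (X509Certificate) caCert, serialNumber));
        builder.setRequestExtensions(new Extensions(new Extension[] {
                new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)) }));
        return builder.build();
    }

    /**
     * POSTs {@code request} to {@code url} and validates the answer.
     *
     * @param expectedOcspStatus the OCSPResponseStatus the answer must have (normally {@link OCSPResp#SUCCESSFUL})
     * @param expectedHttpCode the HTTP status the answer must have (normally {@link HttpURLConnection#HTTP_OK})
     * @return the single response for {@code certificate}, or null if no trustworthy answer was obtained (the reason is logged)
     */
    private SingleResp fetchOcspResponse(String url, OCSPReq request, Certificate certificate, X509Certificate caCert,
            byte[] nonce, int expectedOcspStatus, int expectedHttpCode) {
        if (log.isDebugEnabled()) {
            log.debug("Sending OCSP request to " + url + " regarding certificate with SubjectDN: "
                    + CertTools.getSubjectDN(certificate) + " - IssuerDN: " + CertTools.getIssuerDN(certificate));
        }
        HttpURLConnection con = null;
        try {
            URLConnection rawCon = new URL(url).openConnection();
            if (!(rawCon instanceof HttpURLConnection)) {
                log.info("OCSP URL " + url + " is not an HTTP URL");
                return null;
            }
            con = (HttpURLConnection) rawCon;
            con.setConnectTimeout(NETWORK_TIMEOUT_MILLIS);
            con.setReadTimeout(NETWORK_TIMEOUT_MILLIS);
            con.setDoOutput(true);
            con.setRequestMethod("POST");
            con.setRequestProperty("Content-Type", "application/ocsp-request");
            try (OutputStream out = con.getOutputStream()) {
                out.write(request.getEncoded());
            }
            int responseCode = con.getResponseCode();
            if (responseCode != expectedHttpCode) {
                log.info("HTTP response from OCSP request was " + responseCode + ". Expected " + expectedHttpCode);
                handleContentOfErrorStream(con.getErrorStream());
                return null;
            }
            byte[] responseBytes;
            try (InputStream in = con.getInputStream()) {
                responseBytes = IOUtils.toByteArray(in);
            }
            return parseOcspResponse(new OCSPResp(responseBytes), certificate, caCert, nonce, expectedOcspStatus);
        } catch (IOException e) {
            log.info("Unable to get an OCSP response. " + e.getLocalizedMessage());
            if (con != null) {
                // Drain the error body so the underlying connection can be reused.
                handleContentOfErrorStream(con.getErrorStream());
            }
            return null;
        }
    }

    /**
     * Validates a received OCSP response: status, signature and signer trust, nonce, and that it answers
     * for {@code certificate}.
     *
     * @return the matching single response, or null if any check fails (the reason is logged)
     */
    private SingleResp parseOcspResponse(OCSPResp ocspResp, Certificate certificate, X509Certificate caCert,
            byte[] nonce, int expectedOcspStatus) {
        if (ocspResp.getStatus() != expectedOcspStatus) {
            log.warn("OCSP response status was " + ocspResp.getStatus() + ". Expected " + expectedOcspStatus);
            return null;
        }
        try {
            Object responseObject = ocspResp.getResponseObject();
            if (responseObject != null && !(responseObject instanceof BasicOCSPResp)) {
                log.warn("OCSP response object is not a basic OCSP response: " + responseObject.getClass().getName());
                return null;
            }
            BasicOCSPResp basicResp = (BasicOCSPResp) responseObject;
            if (expectedOcspStatus != OCSPResp.SUCCESSFUL && basicResp != null) {
                log.warn("According to RFC 2560, responseBytes are not set on error, but we got some.");
                return null;
            }
            if (basicResp == null) {
                log.warn("Cannot extract OCSP response object. OCSP response status: " + ocspResp.getStatus());
                return null;
            }
            if (!isResponseSignatureTrusted(basicResp, caCert)) {
                return null;
            }
            Extension nonceExt = basicResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            if (nonceExt == null) {
                log.warn("Sent an OCSP request containing a nonce, but the OCSP response does not contain a nonce");
                return null;
            }
            // The request put the raw nonce bytes directly into extnValue, so compare against the octets as-is.
            if (!Arrays.equals(nonce, nonceExt.getExtnValue().getOctets())) {
                log.warn("The nonce in the OCSP request and the OCSP response do not match");
                return null;
            }
            SingleResp[] responses = basicResp.getResponses();
            if (responses == null || responses.length == 0) {
                if (log.isDebugEnabled()) {
                    log.debug("The OCSP response object contained no responses.");
                }
                return null;
            }
            BigInteger serialNumber = CertTools.getSerialNumber(certificate);
            for (SingleResp response : responses) {
                if (response.getCertID() != null && serialNumber.equals(response.getCertID().getSerialNumber())) {
                    return response;
                }
            }
            if (log.isDebugEnabled()) {
                log.debug("Certificate serialnumber in response does not match certificate serialnumber in request.");
            }
            return null;
        } catch (OCSPException | OperatorCreationException | CertificateException | CertException e) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to obtain or verify OCSP response. " + e.getLocalizedMessage());
            }
            return null;
        }
    }

    /**
     * Verifies the signature on a basic OCSP response and that the signer is entitled to answer for
     * {@code caCert} (RFC 6960 section 4.2.2.2): either the CA key itself, or a responder certificate
     * embedded in the response that is currently valid, is signed by the CA key, and carries the
     * id-kp-OCSPSigning extended key usage. A signature that merely verifies with whatever certificate
     * the response happens to carry is not sufficient, since anyone can embed a self-made certificate.
     */
    private boolean isResponseSignatureTrusted(BasicOCSPResp basicResp, X509Certificate caCert)
            throws OperatorCreationException, CertificateException, CertException {
        JcaContentVerifierProviderBuilder verifierBuilder = new JcaContentVerifierProviderBuilder().setProvider("BC");
        // Case 1: the CA signed the response directly.
        try {
            if (basicResp.isSignatureValid(verifierBuilder.build(caCert.getPublicKey()))) {
                return true;
            }
        } catch (OCSPException e) {
            // Typically a key/algorithm mismatch; a delegated responder may still have signed it.
            if (log.isDebugEnabled()) {
                log.debug("OCSP response signature could not be verified with the CA key. " + e.getLocalizedMessage());
            }
        }
        // Case 2: a CA-designated responder whose certificate is included in the response.
        X509CertificateHolder[] certs = basicResp.getCerts();
        if (certs == null || certs.length == 0) {
            log.warn("OCSP response signature was not valid");
            return false;
        }
        X509CertificateHolder responderCert = certs[0];
        boolean responseSigned;
        try {
            responseSigned = basicResp.isSignatureValid(verifierBuilder.build(responderCert));
        } catch (OCSPException e) {
            if (log.isDebugEnabled()) {
                log.debug("OCSP response signature could not be verified with the responder certificate. " + e.getLocalizedMessage());
            }
            responseSigned = false;
        }
        if (!responseSigned) {
            log.warn("OCSP response signature was not valid");
            return false;
        }
        if (!responderCert.isValidOn(new Date())) {
            log.warn("OCSP responder certificate is not valid at the current time");
            return false;
        }
        if (!responderCert.isSignatureValid(verifierBuilder.build(caCert.getPublicKey()))) {
            log.warn("OCSP responder certificate was not issued by the CA " + CertTools.getSubjectDN(caCert));
            return false;
        }
        Extension ekuExt = responderCert.getExtension(Extension.extendedKeyUsage);
        boolean ocspSigning;
        try {
            ocspSigning = ekuExt != null
                    && ExtendedKeyUsage.getInstance(ekuExt.getParsedValue()).hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning);
        } catch (IllegalArgumentException e) {
            // Malformed extension content in an attacker-controllable certificate must not abort validation.
            ocspSigning = false;
        }
        if (!ocspSigning) {
            log.warn("OCSP responder certificate does not have the id-kp-OCSPSigning extended key usage");
            return false;
        }
        return true;
    }

    /** Reads and discards an HTTP error body so the connection can be reused; failures are irrelevant and ignored. */
    private void handleContentOfErrorStream(InputStream errorStream) {
        if (errorStream == null) {
            return;
        }
        try (InputStream in = errorStream) {
            IOUtils.copy(in, new NullOutputStream());
        } catch (IOException ignored) {
            // Best effort only: the body is discarded anyway.
        }
    }

    /** @return the configured OCSP URL (if any) followed by the AIA OCSP URLs of the certificate; never null */
    private ArrayList<String> getOcspUrls(Certificate certificate) {
        ArrayList<String> urls = new ArrayList<>();
        if (StringUtils.isNotEmpty(this.ocspUrl)) {
            urls.add(this.ocspUrl);
        }
        urls.addAll(CertTools.getAuthorityInformationAccessOcspUrls((X509Certificate) certificate));
        return urls;
    }

    /** @return the configured CRL URL (if parseable) followed by the CRL Distribution Points of the certificate; never null */
    private ArrayList<URL> getCrlUrl(Certificate certificate) {
        ArrayList<URL> urls = new ArrayList<>();
        if (StringUtils.isNotEmpty(this.crlUrl)) {
            try {
                urls.add(new URL(this.crlUrl));
            } catch (MalformedURLException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Failed to parse '" + this.crlUrl + "' as a URL. " + e.getLocalizedMessage());
                }
            }
        }
        urls.addAll(CertTools.getCrlDistributionPoints((X509Certificate) certificate));
        return urls;
    }

    /**
     * @return the configured issuer certificate if set, otherwise the first CA certificate in {@link #caCerts}
     *         that issued {@code certificate}, or null if none
     */
    private X509Certificate getCaCert(Certificate certificate) {
        if (this.issuerCert != null) {
            return this.issuerCert;
        }
        if (this.caCerts == null) {
            return null;
        }
        for (X509Certificate candidate : this.caCerts) {
            if (isIssuerCA(certificate, candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /** @return true if {@code caCert}'s subject is {@code certificate}'s issuer and its key verifies the signature */
    private boolean isIssuerCA(Certificate certificate, Certificate caCert) {
        if (!StringUtils.equals(CertTools.getIssuerDN(certificate), CertTools.getSubjectDN(caCert))) {
            return false;
        }
        try {
            certificate.verify(caCert.getPublicKey());
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            return false;
        }
    }
}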
