package io.jans.as.common.cert.validation;

import io.jans.as.common.cert.validation.model.ValidationStatus;
import io.jans.as.model.util.SecurityProviderUtility;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

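/* loaded from: input_file:io/jans/as/common/cert/validation/OCSPCertificateVerifier.class */
/**
 * Checks a certificate's revocation state through the OCSP responder named in its
 * Authority Information Access (AIA) extension.
 *
 * Trust model: the OCSP response is only accepted when its signature verifies against the
 * issuer certificate (first element of the chain passed to {@link #validate}) or against a
 * delegated responder certificate carried in the response that is itself signed by that issuer
 * and carries the id-kp-OCSPSigning extended key usage. Anything that fails this check yields
 * {@code INVALID}; a responder that cannot be reached or a response without a matching entry
 * leaves the result at {@code UNKNOWN}.
 *
 * NOTE(review): the AIA URL is read from the certificate under test. If that certificate is not
 * already chained to a trusted anchor, the URL is attacker-chosen; the scheme is restricted to
 * HTTP(S) and the request is bounded by timeouts and a response-size cap, but callers should
 * still perform path validation before invoking this verifier.
 */
public class OCSPCertificateVerifier implements CertificateVerifier {
    private static final Logger log = LoggerFactory.getLogger(OCSPCertificateVerifier.class);

    /** Connect and read timeout for the responder, so an unreachable responder cannot stall the caller. */
    private static final int HTTP_TIMEOUT_MS = 10_000;

    /** Upper bound on the response body; a DER OCSP response is normally a few kilobytes. */
    private static final int MAX_RESPONSE_BYTES = 1 << 20;

    /**
     * Installs the BouncyCastle provider (side effect on the JVM-wide provider list) so that the
     * JCA digest and signature operations below resolve.
     */
    public OCSPCertificateVerifier() {
        SecurityProviderUtility.installBCProvider(true);
    }

    /**
     * Queries the certificate's OCSP responder and maps the answer onto a {@link ValidationStatus}.
     *
     * @param x509Certificate certificate whose status is checked
     * @param list            issuer chain; the first element must be the direct issuer (non-empty)
     * @param date            instant at which validity is assessed; a revocation time after this
     *                        instant still reports {@code VALID}
     * @return status with validity {@code VALID}, {@code REVOKED}, {@code INVALID} (bad or
     *         unverifiable response) or {@code UNKNOWN} (no URL, network failure, no matching entry,
     *         stale "good" answer, or an "unknown" answer); never {@code null}
     */
    @Override // io.jans.as.common.cert.validation.CertificateVerifier
    public ValidationStatus validate(X509Certificate x509Certificate, List<X509Certificate> list, Date date) {
        X509Certificate issuer = list.get(0);
        ValidationStatus validationStatus = new ValidationStatus(x509Certificate, issuer, date,
                ValidationStatus.ValidatorSourceType.OCSP, ValidationStatus.CertificateValidity.UNKNOWN);
        X500Principal subject = x509Certificate.getSubjectX500Principal();
        try {
            String ocspUrl = getOCSPUrl(x509Certificate);
            if (ocspUrl == null) {
                log.error("OCSP URL for '{}' is empty", subject);
                return validationStatus;
            }
            log.debug("OCSP URL for '{}' is '{}'", subject, ocspUrl);

            // CertID = hash(issuer name) + hash(issuer public key) + serial (RFC 6960 s4.1.1). It must be
            // built from the ISSUER certificate; building it from the subject certificate (as the previous
            // version did) produces hashes the responder cannot match.
            CertificateID certificateID = new CertificateID(
                    new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1),
                    new JcaX509CertificateHolder(issuer), x509Certificate.getSerialNumber());

            OCSPResp ocspResp = requestOCSPResponse(ocspUrl, generateOCSPRequest(certificateID));
            if (ocspResp.getStatus() != OCSPResp.SUCCESSFUL) {
                log.error("OCSP response is invalid!");
                validationStatus.setValidity(ValidationStatus.CertificateValidity.INVALID);
                return validationStatus;
            }

            Object responseObject = ocspResp.getResponseObject();
            if (!(responseObject instanceof BasicOCSPResp)) {
                log.error("OCSP response for '{}' is not a BasicOCSPResponse", subject);
                validationStatus.setValidity(ValidationStatus.CertificateValidity.INVALID);
                return validationStatus;
            }
            BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;

            // Without this check anyone able to answer the AIA URL could fabricate a "good" status.
            if (!isSignedByTrustedResponder(basicOCSPResp, issuer)) {
                log.error("OCSP response signature for '{}' does not verify against the issuer or a delegated responder", subject);
                validationStatus.setValidity(ValidationStatus.CertificateValidity.INVALID);
                return validationStatus;
            }

            boolean matched = false;
            for (SingleResp singleResp : basicOCSPResp.getResponses()) {
                if (!certificateID.equals(singleResp.getCertID())) {
                    continue;
                }
                matched = true;
                applySingleResponse(singleResp, basicOCSPResp, validationStatus, subject, date);
            }
            if (!matched) {
                log.error("There is no matching OCSP response entries");
            }
        } catch (Exception e) {
            // Best-effort by design: any failure leaves the status at UNKNOWN for the caller to decide.
            log.error("OCSP exception: ", e);
        }
        return validationStatus;
    }

    /**
     * Maps one matching SingleResponse onto {@code validationStatus} for the given validation date.
     * GOOD sets VALID (unless the response's validity window has already closed), REVOKED sets
     * REVOKED or VALID depending on whether the revocation time is after {@code date}; any other
     * status (e.g. UnknownStatus) leaves UNKNOWN.
     */
    private void applySingleResponse(SingleResp singleResp, BasicOCSPResp basicOCSPResp,
            ValidationStatus validationStatus, X500Principal subject, Date date) {
        log.debug("OCSP validationDate: {}", date);
        log.debug("OCSP thisUpdate: {}", singleResp.getThisUpdate());
        log.debug("OCSP nextUpdate: {}", singleResp.getNextUpdate());
        validationStatus.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());

        CertificateStatus certStatus = singleResp.getCertStatus();
        if (certStatus == CertificateStatus.GOOD) { // BouncyCastle represents GOOD as null
            Date nextUpdate = singleResp.getNextUpdate();
            if (nextUpdate != null && nextUpdate.before(date)) {
                // A "good" answer whose window has closed may be a replayed old response; do not
                // upgrade UNKNOWN on its strength. Revoked answers are still honoured when stale.
                log.warn("OCSP response for '{}' expired at {} (validation date {}); ignoring 'good' status",
                        subject, nextUpdate, date);
                return;
            }
            log.debug("OCSP status is valid for '{}'", subject);
            validationStatus.setValidity(ValidationStatus.CertificateValidity.VALID);
        } else if (certStatus instanceof RevokedStatus) {
            Date revocationTime = ((RevokedStatus) certStatus).getRevocationTime();
            log.warn("OCSP status is revoked for: {}", subject);
            if (date.before(revocationTime)) {
                // The certificate was still good at the instant the caller asked about.
                log.warn("OCSP revocation time after the validation date, the certificate '{}' was valid at {}",
                        subject, date);
                validationStatus.setValidity(ValidationStatus.CertificateValidity.VALID);
            } else {
                log.info("OCSP for certificate '{}' is revoked since {}", subject, revocationTime);
                validationStatus.setRevocationDate(revocationTime);
                validationStatus.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
                validationStatus.setValidity(ValidationStatus.CertificateValidity.REVOKED);
            }
        }
    }

    /**
     * Returns {@code true} when the response is signed by the issuer's key, or by a delegated
     * responder certificate carried in the response that is issued and signed by the issuer, valid
     * at the response's producedAt time, and carries id-kp-OCSPSigning (RFC 6960 s4.2.2.2).
     * The responder certificate's own revocation state is not checked here.
     */
    private boolean isSignedByTrustedResponder(BasicOCSPResp basicOCSPResp, X509Certificate issuer)
            throws OCSPException, OperatorCreationException, CertificateEncodingException {
        if (basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().build(issuer.getPublicKey()))) {
            return true;
        }
        X509CertificateHolder issuerHolder = new JcaX509CertificateHolder(issuer);
        Date producedAt = basicOCSPResp.getProducedAt();
        for (X509CertificateHolder candidate : basicOCSPResp.getCerts()) {
            try {
                if (!candidate.getIssuer().equals(issuerHolder.getSubject())) {
                    continue;
                }
                if (!candidate.isValidOn(producedAt)) {
                    continue;
                }
                ExtendedKeyUsage eku = ExtendedKeyUsage.fromExtensions(candidate.getExtensions());
                if (eku == null || !eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) {
                    continue;
                }
                if (!candidate.isSignatureValid(new JcaContentVerifierProviderBuilder().build(issuer.getPublicKey()))) {
                    continue;
                }
                if (basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().build(candidate))) {
                    return true;
                }
            } catch (Exception e) {
                // A malformed or unsupported candidate must not abort the check; it is simply not trusted.
                log.debug("Skipping OCSP responder certificate '{}': {}", candidate.getSubject(), e.toString());
            }
        }
        return false;
    }

    /** Builds a single-certificate OCSP request for the given CertID (no nonce, no extensions). */
    private OCSPReq generateOCSPRequest(CertificateID certificateID) throws OCSPException, OperatorCreationException, CertificateEncodingException {
        OCSPReqBuilder oCSPReqBuilder = new OCSPReqBuilder();
        oCSPReqBuilder.addRequest(certificateID);
        return oCSPReqBuilder.build();
    }

    /**
     * Returns the first URI-form id-ad-ocsp access location from the AIA extension, or
     * {@code null} when the extension is absent, holds no such entry, or cannot be parsed.
     */
    private String getOCSPUrl(X509Certificate x509Certificate) throws IOException {
        try {
            ASN1Primitive extensionValue = getExtensionValue(x509Certificate, Extension.authorityInfoAccess.getId());
            if (extensionValue == null) {
                return null;
            }
            for (AccessDescription accessDescription : AuthorityInformationAccess.getInstance(extensionValue).getAccessDescriptions()) {
                if (!accessDescription.getAccessMethod().equals((ASN1Primitive) X509ObjectIdentifiers.ocspAccessMethod)) {
                    continue;
                }
                GeneralName accessLocation = accessDescription.getAccessLocation();
                if (accessLocation.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    return DERIA5String.getInstance((ASN1TaggedObject) accessLocation.toASN1Primitive(), false).getString();
                }
            }
            return null;
        } catch (IOException e) {
            log.error("Failed to get OCSP URL", e);
            return null;
        }
    }

    /**
     * POSTs the DER-encoded request to the responder and parses the reply.
     *
     * @param str      responder URL taken from the certificate's AIA extension; only http/https accepted
     * @param oCSPReq  request to send
     * @return parsed response (its status and signature are NOT checked here)
     * @throws IOException on an unsupported scheme, timeout, HTTP error, oversized body or transport failure
     */
    public OCSPResp requestOCSPResponse(String str, OCSPReq oCSPReq) throws IOException, MalformedURLException {
        URL url = new URL(str);
        String protocol = url.getProtocol();
        if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
            throw new IOException("Unsupported OCSP responder URL scheme: " + protocol);
        }
        byte[] encoded = oCSPReq.getEncoded();
        HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
        try {
            httpURLConnection.setRequestMethod("POST");
            httpURLConnection.setConnectTimeout(HTTP_TIMEOUT_MS);
            httpURLConnection.setReadTimeout(HTTP_TIMEOUT_MS);
            httpURLConnection.setRequestProperty("Content-Type", "application/ocsp-request");
            httpURLConnection.setRequestProperty("Accept", "application/ocsp-response");
            httpURLConnection.setDoInput(true);
            httpURLConnection.setDoOutput(true);
            httpURLConnection.setUseCaches(false);
            httpURLConnection.setFixedLengthStreamingMode(encoded.length);
            try (OutputStream outputStream = httpURLConnection.getOutputStream()) {
                outputStream.write(encoded);
                outputStream.flush();
            }
            // getInputStream() throws for HTTP >= 400; read the body with a hard size cap.
            try (InputStream inputStream = httpURLConnection.getInputStream()) {
                return new OCSPResp(readBounded(inputStream, MAX_RESPONSE_BYTES));
            }
        } finally {
            httpURLConnection.disconnect();
        }
    }

    /** Reads the stream fully, failing once more than {@code limit} bytes have been received. */
    private static byte[] readBounded(InputStream in, int limit) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int total = 0;
        int n;
        while ((n = in.read(chunk)) != -1) {
            total += n;
            if (total > limit) {
                throw new IOException("OCSP response exceeds " + limit + " bytes");
            }
            buffer.write(chunk, 0, n);
        }
        return buffer.toByteArray();
    }

    /**
     * Decodes an X.509 extension value: {@code getExtensionValue} returns the DER OCTET STRING
     * wrapper, so the wrapper is unwrapped first and its payload parsed as the extension's own ASN.1.
     * Returns {@code null} when the certificate has no such extension.
     */
    private static ASN1Primitive getExtensionValue(X509Certificate x509Certificate, String str) throws IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(str);
        if (extensionValue == null) {
            return null;
        }
        byte[] octets;
        try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue))) {
            octets = ((ASN1OctetString) outer.readObject()).getOctets();
        }
        try (ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(octets))) {
            return inner.readObject();
        }
    }

    /** Nothing to release: the verifier holds no connections or caches. */
    @Override // io.jans.as.common.cert.validation.CertificateVerifier
    public void destroy() {
    }
}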
