package org.openoces.ooapi.validation;

import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.openoces.ooapi.certificate.ChainVerifier;
import org.openoces.ooapi.certificate.OcesCertificateFacade;
import org.openoces.ooapi.environment.Environments;
import org.openoces.ooapi.exceptions.InternalException;
import org.openoces.ooapi.ldap.LDAPFactory;
import org.openoces.ooapi.utils.HttpClient;

/* loaded from: input_file:org/openoces/ooapi/validation/OCSPCertificateRevocationChecker.class */
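/**
 * Revocation checker that asks the certificate's OCSP responder for the status of an OCES
 * end-entity certificate, after first checking the issuing CA against the full CRL.
 * <p>
 * What a response has to pass before its status is believed (see {@link #isCertificateRevoked}):
 * the OCSP response status is successful and the payload is a {@link BasicOCSPResp}; the response
 * is signed by a certificate embedded in it that carries the digitalSignature key-usage bit and the
 * id-pkix-ocsp-nocheck extension, chains to the issuing CA via {@link ChainVerifier}, has the
 * id-kp-OCSPSigning extended key usage and is within its validity period; exactly one
 * SingleResponse is present and its CertID names the requested serial number <em>and</em> the
 * requested issuer; thisUpdate is not more than {@link #MAX_CLOCK_SKEW_MILLIS} in the future and
 * nextUpdate, if present, has not passed.
 * <p>
 * Known limitations a deployer should be aware of:
 * <ul>
 * <li>No OCSP nonce is sent or checked, so replay protection rests solely on the
 *     thisUpdate/nextUpdate window. A response without nextUpdate is accepted for as long as its
 *     thisUpdate is not in the future.</li>
 * <li>A response signed directly with the issuing CA's own key (no embedded responder certificate)
 *     is rejected, because a responder certificate with id-pkix-ocsp-nocheck is required.</li>
 * <li>Whether the responder certificate must be issued <em>directly</em> by the CA that issued the
 *     checked certificate (RFC 6960 4.2.2.2) depends on {@link ChainVerifier#verifyTrust}, which
 *     is not visible here — confirm against that implementation.</li>
 * <li>The responder URL comes from {@code OcesCertificateFacade#getOcspUrl()}; transport hardening
 *     (timeouts, allowed schemes) lives in {@link HttpClient} and is not reviewed here.</li>
 * </ul>
 * Any transport, parsing or validation failure surfaces to callers as a {@link RuntimeException}.
 */
public class OCSPCertificateRevocationChecker implements RevocationChecker {
    // Retained for parity with the original class; nothing in this class currently logs.
    private static final Logger log = Logger.getLogger(OCSPCertificateRevocationChecker.class);

    /** Tolerated clock skew (milliseconds) before a thisUpdate in the future is rejected. */
    private static final long MAX_CLOCK_SKEW_MILLIS = 60000L;

    /**
     * Checks the issuing CA itself against the full CRL. A certificate whose issuer is revoked is
     * treated as revoked regardless of what the OCSP responder would say about the end entity.
     */
    private boolean isIssuingCaRevoked(OcesCertificateFacade ocesCertificateFacade) {
        return FullCrlRevocationChecker.getInstance().isRevoked(ocesCertificateFacade.getSigningCA());
    }

    /**
     * Decides whether {@code ocesCertificateFacade} is revoked.
     * <p>
     * Internal environments (derived from the issuer CN) are checked against the full CRL only.
     * For all other environments the issuing CA is checked via CRL first; only if the CA is not
     * revoked is the end-entity certificate checked via OCSP.
     *
     * @param ocesCertificateFacade the certificate to check
     * @return {@code true} if the certificate or its issuing CA is revoked
     * @throws RuntimeException wrapping any OCSP transport, parsing or validation failure
     */
    @Override // org.openoces.ooapi.validation.RevocationChecker
    public boolean isRevoked(OcesCertificateFacade ocesCertificateFacade) {
        if (Environments.isInternalEnvironment(LDAPFactory.getEnvironmentFromCaCommonName(ocesCertificateFacade.getIssuerDn()))) {
            return FullCrlRevocationChecker.getInstance().isRevoked(ocesCertificateFacade);
        }
        if (isIssuingCaRevoked(ocesCertificateFacade)) {
            return true;
        }
        return isCertificateRevoked(ocesCertificateFacade);
    }

    /**
     * Not available for OCSP: revocation details are a CRL concept.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // org.openoces.ooapi.validation.RevocationChecker
    public X509CRLEntry getRevocationDetails(OcesCertificateFacade ocesCertificateFacade) {
        throw new UnsupportedOperationException("getRevocationDetails is not implemented for OCSP.");
    }

    /**
     * Queries the certificate's OCSP responder and validates the answer end to end.
     * <p>
     * The responder's signature and certificate are verified <em>before</em> any content of the
     * response is interpreted, so nothing from an unauthenticated response influences the result.
     *
     * @return {@code true} if the responder reports the certificate as revoked, {@code false} if it
     *         reports it as good
     * @throws RuntimeException wrapping every failure: transport errors, a non-successful or
     *         unexpected response, a bad signature or responder certificate, a mismatched CertID,
     *         a stale or future-dated response, or an "unknown" certificate status
     */
    private boolean isCertificateRevoked(OcesCertificateFacade ocesCertificateFacade) {
        try {
            X509CertificateHolder issuer = new JcaX509CertificateHolder(ocesCertificateFacade.getSigningCA().getCertificate());
            CertificateID requestedId = new CertificateID(
                    new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1),
                    issuer,
                    ocesCertificateFacade.getSerialNumber());
            BasicOCSPResp basicOCSPResp = fetchBasicResponse(ocesCertificateFacade, requestedId);
            verifyResponderSignature(ocesCertificateFacade, basicOCSPResp);
            SingleResp singleResp = selectSingleResponse(basicOCSPResp, requestedId, issuer);
            checkFreshness(singleResp);
            return interpretStatus(singleResp.getCertStatus());
        } catch (Exception e) {
            // Callers only see RuntimeException; the original cause is preserved.
            throw new RuntimeException(e);
        }
    }

    /** Posts a single-certificate OCSP request and returns the basic response, rejecting anything else. */
    private BasicOCSPResp fetchBasicResponse(OcesCertificateFacade ocesCertificateFacade, CertificateID requestedId) throws Exception {
        OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
        requestBuilder.addRequest(requestedId);
        // NOTE: no nonce extension is added, so the request is replayable within the response's validity window.
        byte[] rawResponse = HttpClient.doPostOCSPRequest(requestBuilder.build().getEncoded(), ocesCertificateFacade.getOcspUrl());
        OCSPResp ocspResp = new OCSPResp(rawResponse);
        // 0 is OCSPResp.SUCCESSFUL; anything else (tryLater, unauthorized, ...) carries no usable status.
        if (ocspResp.getStatus() != 0) {
            throw new IllegalStateException("ocsp response status: " + ocspResp.getStatus());
        }
        Object responseObject = ocspResp.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new IllegalStateException("ocsp response is of unexcepted type");
        }
        return (BasicOCSPResp) responseObject;
    }

    /**
     * Locates the responder certificate embedded in the response and verifies, in order: its trust
     * chain to the issuing CA, the response signature under its key, its OCSPSigning EKU and its
     * validity period. Throws on the first failure.
     */
    private void verifyResponderSignature(OcesCertificateFacade ocesCertificateFacade, BasicOCSPResp basicOCSPResp) throws Exception {
        X509Certificate responderCertificate = findOcspClientCertificate(basicOCSPResp.getCerts());
        if (!verifyOcspCertificateChain(ocesCertificateFacade, responderCertificate)) {
            throw new IllegalStateException("Certificate used to sign OCSP Response could not be verified");
        }
        if (!basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(responderCertificate.getPublicKey()))) {
            throw new InternalException("signature validation failed for ocsp response");
        }
        if (!canSignOcspResponses(responderCertificate)) {
            throw new InternalException("ocsp signing certificate has not been cleared for ocsp response signing");
        }
        if (!certificateValid(responderCertificate)) {
            throw new IllegalStateException("ocsp signing certificate is not valid");
        }
    }

    /**
     * Returns the single SingleResponse of the response after checking that it answers for the
     * certificate that was asked about.
     * <p>
     * A serial number alone does not identify a certificate — it is only unique per issuer — so the
     * issuer name/key hashes in the answered CertID are recomputed from the issuing CA and compared
     * as well ({@link CertificateID#matchesIssuer}). The comparison uses the hash algorithm named in
     * the response, which avoids spurious mismatches from AlgorithmIdentifier parameter encoding.
     */
    private SingleResp selectSingleResponse(BasicOCSPResp basicOCSPResp, CertificateID requestedId, X509CertificateHolder issuer) throws Exception {
        SingleResp[] responses = basicOCSPResp.getResponses();
        if (responses.length != 1) {
            throw new IllegalStateException("unexpected number of responses received");
        }
        CertificateID answeredId = responses[0].getCertID();
        if (!requestedId.getSerialNumber().equals(answeredId.getSerialNumber())) {
            throw new InternalException("Serial number mismatch problem");
        }
        if (!answeredId.matchesIssuer(issuer, new JcaDigestCalculatorProviderBuilder().build())) {
            throw new InternalException("Issuer mismatch problem");
        }
        return responses[0];
    }

    /**
     * Rejects a SingleResponse whose thisUpdate is more than {@link #MAX_CLOCK_SKEW_MILLIS} in the
     * future or whose nextUpdate (when present) has already passed. A missing nextUpdate imposes no
     * upper age bound on the response.
     */
    private void checkFreshness(SingleResp singleResp) throws Exception {
        Date now = new Date();
        Date thisUpdate = singleResp.getThisUpdate();
        if (thisUpdate.getTime() - now.getTime() > MAX_CLOCK_SKEW_MILLIS) {
            throw new InternalException("ocsp response signature is from the future. Timestamp of thisUpdate field: " + new Date(thisUpdate.getTime()));
        }
        Date nextUpdate = singleResp.getNextUpdate();
        if (nextUpdate != null && nextUpdate.before(now)) {
            throw new InternalException("ocsp response is no longer valid");
        }
    }

    /**
     * Maps a BouncyCastle certificate status to the boolean contract of this checker.
     * BouncyCastle represents "good" as {@code null} ({@code CertificateStatus.GOOD}); "unknown"
     * is deliberately a failure rather than "not revoked".
     */
    private boolean interpretStatus(CertificateStatus certStatus) throws Exception {
        if (certStatus == null) {
            return false;
        }
        if (certStatus instanceof RevokedStatus) {
            return true;
        }
        if (certStatus instanceof UnknownStatus) {
            throw new InternalException("ocsp response indicates unknown certificate status");
        }
        throw new InternalException("unknown status");
    }

    /** {@code true} if the certificate is currently within its notBefore/notAfter window. */
    private boolean certificateValid(X509Certificate x509Certificate) {
        try {
            x509Certificate.checkValidity();
            return true;
        } catch (CertificateExpiredException e) {
            return false;
        } catch (CertificateNotYetValidException e2) {
            return false;
        }
    }

    /**
     * {@code true} if the certificate carries the id-kp-OCSPSigning extended key usage.
     * {@link X509Certificate#getExtendedKeyUsage()} returns {@code null} when the extension is
     * absent; that case is treated as "not cleared" instead of surfacing as a NullPointerException.
     *
     * @throws RuntimeException if the extended key usage extension cannot be parsed
     */
    private boolean canSignOcspResponses(X509Certificate x509Certificate) {
        try {
            List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            return extendedKeyUsage != null && extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId());
        } catch (CertificateParsingException e) {
            throw new RuntimeException("ocsp signing certificate has not been cleared for ocsp response signing", e);
        }
    }

    /** Delegates trust-chain verification of the responder certificate to {@link ChainVerifier}. */
    private boolean verifyOcspCertificateChain(OcesCertificateFacade ocesCertificateFacade, X509Certificate x509Certificate) {
        return ChainVerifier.verifyTrust(x509Certificate, ocesCertificateFacade.getSigningCA());
    }

    /**
     * Picks the responder certificate from the certificates embedded in the response: the last one
     * that has the digitalSignature key-usage bit set and carries the id-pkix-ocsp-nocheck
     * extension. Requiring nocheck means the responder certificate's own revocation status is never
     * checked (RFC 6960 4.2.2.2.1) — its short validity period is the only bound.
     *
     * @throws RuntimeException if no embedded certificate qualifies (including an empty list, which
     *         is what a responder signing with the CA key itself would send)
     * @throws CertificateException if an embedded certificate cannot be converted
     */
    private X509Certificate findOcspClientCertificate(X509CertificateHolder[] x509CertificateHolderArr) throws CertificateException {
        X509Certificate candidate = null;
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider("BC");
        for (X509CertificateHolder holder : x509CertificateHolderArr) {
            X509Certificate certificate = converter.getCertificate(holder);
            boolean[] keyUsage = certificate.getKeyUsage();
            boolean digitalSignature = keyUsage != null && keyUsage[0];
            boolean hasNoCheck = certificate.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()) != null;
            if (digitalSignature && hasNoCheck) {
                candidate = certificate;
            }
        }
        if (candidate == null) {
            throw new RuntimeException("Could not find valid OCSP certificate");
        }
        return candidate;
    }
}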
