package asia.dbt.thundercrypt.core.utils;

import asia.dbt.thundercrypt.core.ProviderManager;
import asia.dbt.thundercrypt.core.exceptions.OcspException;
import asia.dbt.thundercrypt.core.exceptions.UnknownOcspAddressException;
import asia.dbt.thundercrypt.core.exceptions.verification.CertificateStatusException;
import asia.dbt.thundercrypt.core.log.LoggingPoint;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.net.UnknownHostException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.Hashtable;
import kz.gov.pki.kalkan.asn1.ASN1InputStream;
import kz.gov.pki.kalkan.asn1.DERObject;
import kz.gov.pki.kalkan.asn1.DEROctetString;
import kz.gov.pki.kalkan.asn1.ocsp.OCSPObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.x509.X509Extension;
import kz.gov.pki.kalkan.asn1.x509.X509Extensions;
import kz.gov.pki.kalkan.ocsp.BasicOCSPResp;
import kz.gov.pki.kalkan.ocsp.CertificateID;
import kz.gov.pki.kalkan.ocsp.CertificateStatus;
import kz.gov.pki.kalkan.ocsp.OCSPException;
import kz.gov.pki.kalkan.ocsp.OCSPReq;
import kz.gov.pki.kalkan.ocsp.OCSPReqGenerator;
import kz.gov.pki.kalkan.ocsp.OCSPResp;
import kz.gov.pki.kalkan.ocsp.RevokedStatus;
import kz.gov.pki.kalkan.ocsp.UnknownStatus;
import kz.gov.pki.kalkan.util.encoders.Base64;
import org.apache.log4j.helpers.FileWatchdog;

/* loaded from: input_file:asia/dbt/thundercrypt/core/utils/OCSPUtil.class */
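/**
 * Builds, sends and validates an OCSP request for a single certificate.
 *
 * <p>Not thread-safe: {@link #generateNonce()} stores the request nonce in
 * {@code randomSecuredNumber} and {@link #verifySecuredNumber(BasicOCSPResp)} reads it back
 * when the response arrives, so one instance must not issue two requests concurrently.
 *
 * <p>The checks implemented here are: HTTP status and OCSP response status, echo of the request
 * nonce, match of the certificate serial number, a producedAt freshness window, and mapping of
 * the certificate status. The responder's signature on the {@link BasicOCSPResp} is NOT verified
 * anywhere in this class; callers must verify it before trusting the status.
 */
public final class OCSPUtil {
    /** Tolerance for |producedAt - reference time|; five times log4j's FileWatchdog.DEFAULT_DELAY (60 s in log4j 1.x). */
    // NOTE(review): a log4j constant is an odd source for an OCSP freshness window; the value is
    // kept unchanged so the accepted tolerance stays what it was.
    private static final long PRODUCED_AT_TOLERANCE_MS = FileWatchdog.DEFAULT_DELAY * 5;
    /** Requests whose DER encoding is shorter than this go over GET, longer ones over POST (cf. RFC 5019, which recommends GET below 255 bytes). */
    private static final int MAX_GET_REQUEST_BYTES = 256;
    /** Length in bytes of the random nonce placed in the request. */
    private static final int NONCE_LENGTH = 16;
    /** OCSPResponseStatus "successful" (RFC 6960 section 4.2.1). */
    private static final int OCSP_STATUS_SUCCESSFUL = 0;
    /** JCA provider name passed to the CertificateID hash constructors. */
    private static final String CERT_ID_PROVIDER = "KALKAN";

    /** Certificate whose revocation status is queried. */
    private final X509Certificate certificate;
    /** Issuer of {@link #certificate}; hashed into the request CertID. */
    private final X509Certificate issuerCertificate;
    /** Base URL of the OCSP responder (resolved by CertificateUtil.getUrlToOcsp in the one-argument constructor). */
    private final String serverUrl;
    /** Nonce of the most recently generated request; {@code null} until {@link #generateNonce()} has run. */
    private byte[] randomSecuredNumber;

    /**
     * Creates a utility for {@code x509Certificate}, resolving issuer and responder URL via CertificateUtil.
     *
     * @param x509Certificate certificate to check
     * @throws Exception whatever CertificateUtil throws while resolving the issuer or the OCSP URL
     */
    public OCSPUtil(X509Certificate x509Certificate) throws Exception {
        this.issuerCertificate = CertificateUtil.getIssuerCertificate(x509Certificate);
        this.serverUrl = CertificateUtil.getUrlToOcsp(x509Certificate);
        this.certificate = x509Certificate;
    }

    /**
     * Creates a utility with an explicitly supplied issuer and responder URL.
     *
     * @param x509Certificate  certificate to check
     * @param x509Certificate2 issuer of {@code x509Certificate}
     * @param str              OCSP responder URL
     */
    public OCSPUtil(X509Certificate x509Certificate, X509Certificate x509Certificate2, String str) {
        this.issuerCertificate = x509Certificate2;
        this.serverUrl = str;
        this.certificate = x509Certificate;
    }

    /**
     * Builds a fresh request (with a new nonce), sends it and returns the validated response.
     *
     * @return the parsed OCSP response
     * @throws OcspException on any failure while building, sending or validating
     */
    public OCSPResp getOCSPResponse() throws OcspException {
        return sendRequest(createOCSPReq());
    }

    /**
     * Same as {@link #getOCSPResponse()} but returns the DER encoding of the response.
     *
     * @return DER-encoded OCSPResponse
     * @throws OcspException on any failure while building, sending or validating
     * @throws IOException   if the response cannot be re-encoded
     */
    public byte[] getBinaryOCSPResponse() throws OcspException, IOException {
        return getOCSPResponse().getEncoded();
    }

    /**
     * Returns the certificate status of the first SingleResponse in the response.
     * Only the first single response is inspected; any further ones are ignored.
     *
     * @param oCSPResp response to read
     * @return the status object ({@code CertificateStatus.GOOD}, a {@link RevokedStatus} or an {@link UnknownStatus})
     * @throws OCSPException if the response carries no BasicOCSPResponse or no single response
     */
    public static CertificateStatus getCertificateStatusFromResponse(OCSPResp oCSPResp) throws OCSPException {
        BasicOCSPResp basic = basicResponse(oCSPResp);
        requireSingleResponse(basic);
        return basic.getResponses()[0].getCertStatus();
    }

    /**
     * Returns the first certificate embedded in the response (normally the responder's).
     *
     * @param oCSPResp response to read
     * @return the first embedded certificate
     * @throws OCSPException if the response cannot be parsed or carries no certificate; the
     *                       original cause is reported by message only, as the single-argument
     *                       constructor does not chain it
     */
    public static X509Certificate getCertificateFromResponse(OCSPResp oCSPResp) throws OCSPException {
        try {
            X509Certificate[] certs = basicResponse(oCSPResp).getCerts(ProviderManager.getProviderName());
            if (certs == null || certs.length == 0) {
                throw new OCSPException("OCSP response carries no responder certificate");
            }
            return certs[0];
        } catch (OCSPException e) {
            throw e;
        } catch (Exception e) {
            throw new OCSPException(e.getMessage());
        }
    }

    /**
     * Checks that the first SingleResponse refers to {@code x509Certificate}.
     *
     * <p>Only the serial number is compared. {@code x509Certificate2} (the issuer) is accepted for
     * signature compatibility but not consulted: the CertID's issuerNameHash / issuerKeyHash are
     * not checked against it here.
     *
     * @param x509Certificate  certificate the response is expected to cover
     * @param x509Certificate2 issuer certificate (currently unused)
     * @param oCSPResp         response to check
     * @throws OCSPException if the serial numbers differ or the response cannot be read
     */
    public static void validateCertificateAndResponseLink(X509Certificate x509Certificate, X509Certificate x509Certificate2, OCSPResp oCSPResp) throws OCSPException {
        boolean serialMatches;
        try {
            BasicOCSPResp basic = basicResponse(oCSPResp);
            requireSingleResponse(basic);
            serialMatches = basic.getResponses()[0].getCertID().getSerialNumber()
                    .equals(x509Certificate.getSerialNumber());
        } catch (OCSPException e) {
            throw e;
        } catch (Exception e) {
            throw new OCSPException(e.getMessage());
        }
        if (!serialMatches) {
            throw new OCSPException("OCSP response is not for current certificate!");
        }
    }

    /**
     * Rejects responses whose producedAt lies more than {@link #PRODUCED_AT_TOLERANCE_MS} away
     * from {@code date} in either direction. thisUpdate / nextUpdate of the single responses
     * are not examined.
     *
     * @param oCSPResp response to check
     * @param date     reference time (usually "now")
     * @throws OCSPException if the response is outside the tolerance window or cannot be read
     */
    public static void validateResponseDate(OCSPResp oCSPResp, Date date) throws OCSPException {
        BasicOCSPResp basic = basicResponse(oCSPResp);
        long skewMs = Math.abs(basic.getProducedAt().getTime() - date.getTime());
        if (skewMs > PRODUCED_AT_TOLERANCE_MS) {
            throw new OCSPException("OCSP response expired!");
        }
    }

    /**
     * Maps the certificate status of the first SingleResponse to an exception.
     *
     * @param oCSPResp response to check
     * @throws CertificateStatusException code 1 for a revoked certificate, code 2 for an unknown one
     * @throws OCSPException              if the response cannot be read, or the status object is of
     *                                    a type this method does not recognise (fail closed)
     */
    public static void validateStatus(OCSPResp oCSPResp) throws OCSPException, CertificateStatusException {
        CertificateStatus status = getCertificateStatusFromResponse(oCSPResp);
        if (status == CertificateStatus.GOOD) {
            return;
        }
        if (status instanceof RevokedStatus) {
            throw new CertificateStatusException(1);
        }
        if (status instanceof UnknownStatus) {
            throw new CertificateStatusException(2);
        }
        // Fail closed: anything that is neither GOOD, revoked nor unknown must not pass silently.
        throw new OCSPException("Unrecognized certificate status in OCSP response");
    }

    /**
     * Builds the CertID for {@code x509Certificate} issued by {@code x509Certificate2}.
     * The hash algorithm is chosen from substrings of the issuer's issuer DN:
     * "GOST" selects HASH_GOST34311, "RSA" selects HASH_GOST34311GT, anything else falls back
     * to the project's {@code GostCertID} structure.
     *
     * @throws OCSPException if the CertID cannot be built
     */
    // NOTE(review): keying the hash algorithm on DN substrings is fragile — confirm it matches
    // what each responder expects.
    private static CertificateID createCertificateID(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws OCSPException {
        String issuerDn = x509Certificate2.getIssuerDN().toString();
        if (issuerDn.contains("GOST")) {
            return new CertificateID(CertificateID.HASH_GOST34311, x509Certificate2, x509Certificate.getSerialNumber(), CERT_ID_PROVIDER);
        }
        if (issuerDn.contains("RSA")) {
            return new CertificateID(CertificateID.HASH_GOST34311GT, x509Certificate2, x509Certificate.getSerialNumber(), CERT_ID_PROVIDER);
        }
        return new CertificateID(new GostCertID(x509Certificate2, x509Certificate.getSerialNumber()).toASN1Object());
    }

    /**
     * Builds a CertID with an explicit hash algorithm OID. Not used within this class; kept for
     * binary compatibility.
     *
     * @param str hash algorithm OID accepted by {@link CertificateID}
     * @throws OCSPException if the CertID cannot be built
     */
    private static CertificateID createCertificateID(X509Certificate x509Certificate, X509Certificate x509Certificate2, String str) throws OCSPException {
        return new CertificateID(str, x509Certificate2, x509Certificate.getSerialNumber(), CERT_ID_PROVIDER);
    }

    /**
     * Draws a fresh {@link #NONCE_LENGTH}-byte nonce from {@link SecureRandom}, remembers it in
     * {@link #randomSecuredNumber} and wraps it as the id-pkix-ocsp-nonce request extension.
     * The extension value is an OCTET STRING containing the DER of the nonce OCTET STRING, which
     * is why the value is wrapped twice; {@link #verifySecuredNumber} unwraps it the same way.
     */
    private X509Extensions generateNonce() {
        byte[] nonce = new byte[NONCE_LENGTH];
        new SecureRandom().nextBytes(nonce);
        this.randomSecuredNumber = nonce;
        Hashtable extensions = new Hashtable();
        extensions.put(OCSPObjectIdentifiers.id_pkix_ocsp_nonce,
                new X509Extension(false, new DEROctetString(new DEROctetString(nonce))));
        return new X509Extensions(extensions);
    }

    /**
     * Assembles the OCSPRequest: one CertID for {@link #certificate} plus a fresh nonce.
     *
     * @throws OcspException with {@code UNKNOWN_CAUSE} wrapping whatever the library threw
     */
    private OCSPReq createOCSPReq() throws OcspException {
        try {
            OCSPReqGenerator generator = new OCSPReqGenerator();
            generator.addRequest(createCertificateID(this.certificate, this.issuerCertificate));
            generator.setRequestExtensions(generateNonce());
            return generator.generate();
        } catch (Exception e) {
            throw new OcspException(OcspException.UNKNOWN_CAUSE, e);
        }
    }

    /**
     * Sends the request (GET for short encodings, POST otherwise), validates the response and
     * returns it. Start/finish are logged; the finish line is logged on both the success and the
     * failure path.
     *
     * @throws OcspException an {@link UnknownOcspAddressException} when the responder host cannot be
     *                       resolved (rethrown as-is if it is an OcspException, otherwise wrapped),
     *                       any OcspException raised below unchanged, anything else wrapped with
     *                       {@code UNKNOWN_CAUSE}
     */
    private OCSPResp sendRequest(OCSPReq oCSPReq) throws OcspException {
        LoggingPoint.log("Start send OCSP request");
        try {
            try {
                byte[] encoded = oCSPReq.getEncoded();
                OCSPResp response = encoded.length < MAX_GET_REQUEST_BYTES
                        ? sendGetRequest(encoded)
                        : sendPostRequest(encoded);
                validationResponse(response);
                return response;
            } catch (UnknownHostException e) {
                throw new UnknownOcspAddressException(this.serverUrl);
            }
        } catch (OcspException e) {
            throw e;
        } catch (Exception e) {
            throw new OcspException(OcspException.UNKNOWN_CAUSE, e);
        } finally {
            LoggingPoint.log("Finish sent OCSP request");
        }
    }

    /**
     * Sends the request as {@code GET {serverUrl}/{url-encoded base64 of DER}} (RFC 6960 Appendix A.1).
     * Base64 output may contain '/', '+' and '=', so the segment is percent-encoded before it is
     * appended to the URL.
     *
     * @throws IOException on connection failure, non-200 HTTP status or unparsable body
     */
    private OCSPResp sendGetRequest(byte[] bArr) throws IOException {
        String requestSegment = URLEncoder.encode(Base64.encodeStr(bArr), "UTF-8");
        HttpURLConnection connection = openHttpConnection(this.serverUrl + "/" + requestSegment);
        try {
            connection.setRequestMethod("GET");
            return readResponse(connection);
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Sends the DER request as the body of a POST with {@code Content-Type: application/ocsp-request}.
     *
     * @throws IOException on connection failure, non-200 HTTP status or unparsable body
     */
    private OCSPResp sendPostRequest(byte[] bArr) throws IOException {
        HttpURLConnection connection = openHttpConnection(this.serverUrl);
        try {
            connection.setDoOutput(true);
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", "application/ocsp-request");
            OutputStream body = connection.getOutputStream();
            try {
                body.write(bArr);
            } finally {
                body.close();
            }
            return readResponse(connection);
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Opens {@code url} and makes sure it is an HTTP(S) endpoint before the caller casts.
     * No connect/read timeout is configured, so a stalled responder blocks the caller indefinitely.
     *
     * @throws IOException if the URL is malformed or does not use an HTTP scheme
     */
    private static HttpURLConnection openHttpConnection(String url) throws IOException {
        URLConnection connection = new URL(url).openConnection();
        if (!(connection instanceof HttpURLConnection)) {
            throw new IOException("OCSP responder URL is not HTTP(S): " + url);
        }
        return (HttpURLConnection) connection;
    }

    /**
     * Checks for HTTP 200 and parses the body as an OCSPResponse, always closing the stream.
     * The caller owns the connection and is responsible for {@code disconnect()}.
     *
     * @throws IOException on a non-200 status, transport error or unparsable body
     */
    private static OCSPResp readResponse(HttpURLConnection connection) throws IOException {
        int httpStatus = connection.getResponseCode();
        if (httpStatus != HttpURLConnection.HTTP_OK) {
            throw new IOException("OCSP responder returned HTTP status " + httpStatus);
        }
        InputStream body = connection.getInputStream();
        try {
            return new OCSPResp(body);
        } finally {
            body.close();
        }
    }

    /**
     * Compares the nonce echoed by the responder with the one sent in the request.
     *
     * <p>A response without a nonce extension is accepted, to stay compatible with responders that
     * serve pre-produced responses; in that case the producedAt window checked by
     * {@link #validateResponseDate} is the only protection against a replayed response.
     *
     * @return {@code true} if no nonce was returned or it matches; {@code false} on mismatch
     *         (also when no request nonce was generated on this instance)
     * @throws IOException if the extension value is not valid DER
     */
    private boolean verifySecuredNumber(BasicOCSPResp basicOCSPResp) throws IOException {
        byte[] extensionValue = basicOCSPResp.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId());
        if (extensionValue == null) {
            return true;
        }
        // extnValue = OCTET STRING( DER( Nonce ::= OCTET STRING ) ): unwrap twice, mirroring generateNonce().
        byte[] echoedNonce = unwrapOctetString(unwrapOctetString(extensionValue));
        return Arrays.equals(this.randomSecuredNumber, echoedNonce);
    }

    /**
     * Decodes {@code der} as a single OCTET STRING and returns its contents, closing the parser
     * on every path.
     *
     * @throws IOException if {@code der} is not valid DER
     */
    private static byte[] unwrapOctetString(byte[] der) throws IOException {
        ASN1InputStream parser = new ASN1InputStream(der);
        try {
            DERObject decoded = parser.readObject();
            return DEROctetString.getInstance(decoded).getOctets();
        } finally {
            parser.close();
        }
    }

    /**
     * Validates a freshly received response: OCSP status must be successful and the nonce must match.
     * The responder signature is not verified here.
     *
     * @throws OCSPException     on a non-successful OCSP status or a response without a BasicOCSPResponse
     * @throws SecurityException if the echoed nonce differs from the one sent
     * @throws IOException       if the nonce extension cannot be decoded
     */
    private void validationResponse(OCSPResp oCSPResp) throws OCSPException, IOException, SecurityException {
        int ocspStatus = oCSPResp.getStatus();
        if (ocspStatus != OCSP_STATUS_SUCCESSFUL) {
            throw new OCSPException("Unsuccessful request! Status: " + ocspStatus);
        }
        if (!verifySecuredNumber(basicResponse(oCSPResp))) {
            throw new SecurityException("Receive fake response!");
        }
    }

    /**
     * Extracts the BasicOCSPResponse, turning a missing or foreign response object into an
     * OCSPException instead of a ClassCastException / NullPointerException.
     *
     * @throws OCSPException if the response cannot be parsed or is not a BasicOCSPResponse
     */
    private static BasicOCSPResp basicResponse(OCSPResp oCSPResp) throws OCSPException {
        Object responseObject = oCSPResp.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new OCSPException("OCSP response does not carry a BasicOCSPResponse");
        }
        return (BasicOCSPResp) responseObject;
    }

    /**
     * Guards the {@code getResponses()[0]} accesses against an empty response list.
     *
     * @throws OCSPException if the response has no SingleResponse
     */
    private static void requireSingleResponse(BasicOCSPResp basic) throws OCSPException {
        if (basic.getResponses() == null || basic.getResponses().length == 0) {
            throw new OCSPException("OCSP response contains no single responses");
        }
    }
}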
