package ee.sk.digidoc.factory;

import ee.sk.digidoc.Base64Util;
import ee.sk.digidoc.CertID;
import ee.sk.digidoc.CertValue;
import ee.sk.digidoc.DigiDocException;
import ee.sk.digidoc.Notary;
import ee.sk.digidoc.Signature;
import ee.sk.digidoc.SignedDoc;
import ee.sk.digidoc.TimestampInfo;
import ee.sk.utils.ConfigManager;
import ee.sk.utils.ConvertUtils;
import ee.sk.xmlenc.EncryptedData;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Random;
import java.util.Set;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: input_file:ee/sk/digidoc/factory/BouncyCastleNotaryFactory.class */
public class BouncyCastleNotaryFactory implements NotaryFactory {
    /** OID of the OCSP nonce request/response extension (id-pkix-ocsp-nonce). */
    public static final String nonceOid = "1.3.6.1.5.5.7.48.1.2";
    // Certificate/key for signing outgoing OCSP requests; presumably consulted by createOCSPRequest
    // when m_bSignRequests is set (that method is outside this listing) — confirm.
    private X509Certificate m_signCert = null;
    private PrivateKey m_signKey = null;
    // Passed to createOCSPRequest as the "sign the request" flag by most callers in this class
    private boolean m_bSignRequests = false;
    private Logger m_logger;
    // Nonce source: declared as Random but backed by SecureRandom, so nonces are unpredictable.
    private static final Random RANDOM_GENERATOR = new SecureRandom();
    // ASN.1 universal tag number of OCTET STRING (nonce extension values are wrapped in one)
    private static final int V_ASN1_OCTET_STRING = 4;

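    /**
     * Creates a factory that sends unsigned OCSP requests until configured otherwise.
     * The decompiled form assigned {@code m_logger} twice (first {@code null}, then the
     * logger); the redundant first assignment is dropped.
     */
    public BouncyCastleNotaryFactory() {
        this.m_logger = Logger.getLogger(BouncyCastleNotaryFactory.class);
    }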

    /**
     * Fills a fresh buffer of {@code i} bytes from the shared SecureRandom-backed generator.
     * Used as the raw material for OCSP request nonces.
     *
     * @param i number of random bytes wanted
     * @return a new array of exactly {@code i} random bytes
     */
    private byte[] createRandomBytes(int i) {
        final byte[] buf = new byte[i];
        RANDOM_GENERATOR.nextBytes(buf);
        return buf;
    }

    /**
     * Looks up the OCSP responder certificate with the given common name in the TSL.
     *
     * @param str  common name of the responder
     * @param str2 not used by this implementation
     * @return the certificate returned by the TSL lookup, or {@code null} when the lookup throws
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public X509Certificate getNotaryCert(String str, String str2) {
        X509Certificate responder;
        try {
            final TrustServiceFactory tsl = ConfigManager.instance().getTslFactory();
            responder = tsl.findOcspByCN(str, true);
        } catch (Exception e) {
            this.m_logger.error("Error searching responder cert for: " + str + " - " + e);
            responder = null;
        }
        return responder;
    }

    /**
     * Looks up all OCSP responder certificates matching a common name and serial number in the TSL.
     *
     * @param str  common name of the responder
     * @param str2 serial number filter handed to the TSL lookup
     * @return the certificates returned by the TSL lookup, or {@code null} when the lookup throws
     */
    public X509Certificate[] getNotaryCerts(String str, String str2) {
        X509Certificate[] responders;
        try {
            final TrustServiceFactory tsl = ConfigManager.instance().getTslFactory();
            responders = tsl.findOcspsByCNAndNr(str, true, str2);
        } catch (Exception e) {
            this.m_logger.error("Error searching responder cert for: " + str + " - " + e);
            responders = null;
        }
        return responders;
    }

    /**
     * Finds the CA certificate that issued the OCSP responder certificate with the given common name.
     *
     * @param str common name of the responder
     * @return the issuing CA certificate, or {@code null} if no responder is found or the lookup throws
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public X509Certificate getCACert(String str) {
        try {
            final TrustServiceFactory tsl = ConfigManager.instance().getTslFactory();
            final X509Certificate responder = tsl.findOcspByCN(str, true);
            return responder == null ? null : tsl.findCaForCert(responder, true, null);
        } catch (Exception e) {
            this.m_logger.error("Error searching responder ca cert for: " + str + " - " + e);
            return null;
        }
    }

    /**
     * Obtains an OCSP confirmation for a certificate, resolving the CA certificate and the
     * responder certificate from the TSL (the responder is looked up by the common name of
     * the certificate's issuer).
     *
     * @param bArr            nonce to send in the request
     * @param x509Certificate certificate whose status is queried
     * @param str             id for the resulting Notary
     * @param str2            http-from value passed down to the request sender
     * @return the verified confirmation
     * @throws DigiDocException as reported by the six-argument getConfirmation
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public Notary getConfirmation(byte[] bArr, X509Certificate x509Certificate, String str, String str2) throws DigiDocException {
        final TrustServiceFactory tsl = ConfigManager.instance().getTslFactory();
        final X509Certificate caCert = tsl.findCaForCert(x509Certificate, true, null);
        final String issuerCn = ConvertUtils.getCommonName(ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal()));
        final X509Certificate responderCert = tsl.findOcspByCN(issuerCn, true);
        return getConfirmation(bArr, x509Certificate, caCert, responderCert, str, str2);
    }

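    /**
     * Builds an OCSP request for {@code x509Certificate}, sends it to {@code str2} and runs the
     * full verification (response status, responder signature, nonce, certificate status) via
     * parseAndVerifyResponse.
     *
     * @param signature        signature being confirmed; may be {@code null}. Only its document format
     *                         (BDOC or not) is consulted when building the request, and it is handed to
     *                         parseAndVerifyResponse, which enforces the nonce check only when it is present
     * @param bArr             nonce to send (callers pass a digest of the signature value, or random data)
     * @param x509Certificate  certificate whose status is queried
     * @param x509Certificate2 issuing CA certificate of {@code x509Certificate}
     * @param x509Certificate3 expected responder certificate, or {@code null} to let the parser look it up
     * @param str              id for the resulting Notary
     * @param str2             responder URL
     * @param str3             http-from value passed to sendRequestToUrl
     * @param str4             document format passed to sendRequestToUrl
     * @param str5             document version passed to sendRequestToUrl
     * @return the verified confirmation, or {@code null} only if handleException returns normally
     * @throws DigiDocException with code 66 for non-DigiDoc failures, otherwise as the verification reports
     */
    public Notary getConfirmation(Signature signature, byte[] bArr, X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Certificate x509Certificate3, String str, String str2, String str3, String str4, String str5) throws DigiDocException {
        Notary notary = null;
        OCSPReq req = null;
        OCSPResp resp = null;
        try {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("getConfirmation, nonce " + Base64Util.encode(bArr, 0)
                        + " cert: " + (x509Certificate != null ? x509Certificate.getSerialNumber().toString() : "NULL")
                        + " CA: " + (x509Certificate2 != null ? x509Certificate2.getSerialNumber().toString() : "NULL")
                        + " responder: " + (x509Certificate3 != null ? x509Certificate3.getSerialNumber().toString() : "NULL")
                        + " notId: " + str + " signRequest: " + this.m_bSignRequests + " url: " + str2);
                this.m_logger.debug("Check cert: " + (x509Certificate != null ? x509Certificate.getSubjectDN().getName() : "NULL"));
                this.m_logger.debug("Check CA cert: " + (x509Certificate2 != null ? x509Certificate2.getSubjectDN().getName() : "NULL"));
            }
            final boolean isBdoc = signature != null && signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC);
            req = createOCSPRequest(bArr, x509Certificate, x509Certificate2, this.m_bSignRequests, isBdoc);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
            }
            resp = sendRequestToUrl(req, str2, str3, str4, str5);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("RESPONSE:\n" + (resp != null ? Base64Util.encode(resp.getEncoded(), 0) : "NULL"));
            }
            if (resp != null) {
                verifyRespStatus(resp);
            }
            // parseAndVerifyResponse rejects a null response itself (error 69)
            notary = parseAndVerifyResponse(signature, str, x509Certificate, resp, bArr, x509Certificate3, x509Certificate2);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Confirmation OK!");
            }
        } catch (DigiDocException e) {
            this.m_logger.error("Error receiving OCSP confirmation: " + e + " nonce: "
                    + (bArr != null ? ConvertUtils.bin2hex(bArr) + " len: " + bArr.length : "NULL"));
            logOcspExchangeOnError(req, resp);
            throw e;
        } catch (Exception e3) {
            DigiDocException.handleException(e3, 66);
        }
        return notary;
    }

    /**
     * Logs the raw request and response after a failed confirmation. Each side is guarded
     * separately, so a null request no longer hides the response, and the response line is
     * labelled "OCSP resp:" (the original logged both under "OCSP req:").
     *
     * @param req  request that was sent, may be {@code null}
     * @param resp response that was received, may be {@code null}
     */
    private void logOcspExchangeOnError(OCSPReq req, OCSPResp resp) {
        try {
            if (req != null) {
                final byte[] reqBytes = req.getEncoded();
                this.m_logger.error("OCSP req: " + ConvertUtils.bin2hex(reqBytes) + " len: " + reqBytes.length);
            }
            if (resp != null) {
                final byte[] respBytes = resp.getEncoded();
                this.m_logger.error("OCSP resp: " + ConvertUtils.bin2hex(respBytes) + " len: " + respBytes.length);
            }
        } catch (Exception e2) {
            this.m_logger.error("Error converting OCSP info: " + e2);
        }
    }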

    /**
     * Obtains an OCSP confirmation without a Signature context, sending the request to the
     * responder URL configured as {@code DIGIDOC_OCSP_RESPONDER_URL}.
     *
     * @param bArr             nonce to send
     * @param x509Certificate  certificate whose status is queried
     * @param x509Certificate2 its issuing CA certificate
     * @param x509Certificate3 responder certificate, or {@code null} to have it looked up
     * @param str              id for the resulting Notary
     * @param str2             http-from value passed to the request sender
     * @return the verified confirmation
     * @throws DigiDocException as reported by the ten-argument getConfirmation
     */
    public Notary getConfirmation(byte[] bArr, X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Certificate x509Certificate3, String str, String str2) throws DigiDocException {
        final String responderUrl = ConfigManager.instance().getProperty("DIGIDOC_OCSP_RESPONDER_URL");
        return getConfirmation(null, bArr, x509Certificate, x509Certificate2, x509Certificate3, str, responderUrl, str2, null, null);
    }

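    /**
     * Obtains an OCSP confirmation for {@code signature} from the configured responder URL.
     * The nonce is a digest (SHA-256 for BDOC, else SHA-1) of the signature value. When the
     * signature carries no responder certificate, the responder named in the response is looked
     * up in the TSL afterwards and, if found, recorded on the signature as a RESPONDER_CERT CertID.
     * <p>
     * Fix: the original created and added a CertID even when the TSL lookup returned {@code null};
     * this now happens only for a found certificate, consistent with the five-argument overload.
     *
     * @param signature        signature to confirm; must not be {@code null}
     * @param x509Certificate  signer certificate
     * @param x509Certificate2 its issuing CA certificate
     * @return the confirmation, or {@code null} only if handleException returns normally
     * @throws DigiDocException with ERR_INPUT_VALUE for a null signature, otherwise as getConfirmation reports
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public Notary getConfirmation(Signature signature, X509Certificate x509Certificate, X509Certificate x509Certificate2) throws DigiDocException {
        if (signature == null) {
            throw new DigiDocException(DigiDocException.ERR_INPUT_VALUE, "Signature is NULL for ocsp request!", null);
        }
        Notary notary = null;
        try {
            final String notaryId = signature.getId().replace('S', 'N');
            final byte[] sigValue = signature.getSignatureValue().getValue();
            final String format = signature.getSignedDoc().getFormat();
            final String digestType = format.equals(SignedDoc.FORMAT_BDOC) ? SignedDoc.SHA256_DIGEST_TYPE : SignedDoc.SHA1_DIGEST_TYPE;
            final byte[] nonce = SignedDoc.digestOfType(sigValue, digestType);
            X509Certificate responderCert = null;
            if (signature.getUnsignedProperties() != null) {
                responderCert = signature.getUnsignedProperties().getRespondersCertificate();
            }
            notary = getConfirmation(signature, nonce, x509Certificate, x509Certificate2, responderCert, notaryId,
                    ConfigManager.instance().getProperty("DIGIDOC_OCSP_RESPONDER_URL"), signature.getHttpFrom(),
                    format, signature.getSignedDoc().getVersion());
            if (responderCert == null && notary != null && signature.getUnsignedProperties() != null) {
                final OCSPResp resp = new OCSPResp(notary.getOcspResponseData());
                if (resp.getResponseObject() != null) {
                    final String responderCn = SignedDoc.getCommonName(responderIDtoString((BasicOCSPResp) resp.getResponseObject()));
                    final X509Certificate found = ConfigManager.instance().getTslFactory().findOcspByCN(responderCn, true);
                    if (found != null) {
                        signature.getUnsignedProperties().setRespondersCertificate(found);
                        final CertID certID = new CertID(signature, found, 2);
                        signature.addCertID(certID);
                        certID.setUri("#" + signature.getId() + "-RESPONDER_CERT");
                    }
                }
            }
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            DigiDocException.handleException(e2, 66);
        }
        return notary;
    }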

    /**
     * Obtains an OCSP confirmation for {@code signature} from the responder at {@code str} and
     * stores it in the signature's unsigned properties. When no responder certificate is available
     * (neither passed in nor present in the unsigned properties), the responder named in the
     * response is looked up in the TSL afterwards and recorded on the signature as a CertID.
     *
     * @param signature        signature to confirm; must not be {@code null}
     * @param x509Certificate  signer certificate
     * @param x509Certificate2 its issuing CA certificate
     * @param x509Certificate3 responder certificate, or {@code null} to take it from the unsigned
     *                         properties and, failing that, from the response
     * @param str              responder URL
     * @return the confirmation, or {@code null} only if handleException returns normally
     * @throws DigiDocException with ERR_INPUT_VALUE for a null signature, otherwise as getConfirmation reports
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public Notary getConfirmation(Signature signature, X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Certificate x509Certificate3, String str) throws DigiDocException {
        if (signature == null) {
            throw new DigiDocException(DigiDocException.ERR_INPUT_VALUE, "Signature is NULL for ocsp request!", null);
        }
        Notary notary = null;
        try {
            final String notaryId = signature.getId().replace('S', 'N');
            final byte[] sigValue = signature.getSignatureValue().getValue();
            final boolean isBdoc = signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC);
            final byte[] nonce = SignedDoc.digestOfType(sigValue, isBdoc ? SignedDoc.SHA256_DIGEST_TYPE : SignedDoc.SHA1_DIGEST_TYPE);
            X509Certificate responderCert = x509Certificate3;
            if (responderCert == null && signature.getUnsignedProperties() != null) {
                responderCert = signature.getUnsignedProperties().getRespondersCertificate();
            }
            notary = getConfirmation(signature, nonce, x509Certificate, x509Certificate2, responderCert, notaryId, str,
                    signature.getHttpFrom(), signature.getSignedDoc().getFormat(), signature.getSignedDoc().getVersion());
            if (notary != null && signature.getUnsignedProperties() != null) {
                signature.getUnsignedProperties().setNotary(notary);
            }
            // Only when no responder certificate was known up front: derive it from the stored response.
            if (responderCert == null && signature.getUnsignedProperties() != null && signature.getUnsignedProperties().getNotary() != null) {
                final OCSPResp resp = new OCSPResp(signature.getUnsignedProperties().getNotary().getOcspResponseData());
                if (resp.getResponseObject() != null) {
                    final String responderCn = ConvertUtils.getCommonName(responderIDtoString((BasicOCSPResp) resp.getResponseObject()));
                    final X509Certificate found = ConfigManager.instance().getTslFactory().findOcspByCN(responderCn, true);
                    if (found != null) {
                        signature.getUnsignedProperties().setRespondersCertificate(found);
                        final CertID certID = new CertID(signature, found, 2);
                        signature.addCertID(certID);
                        certID.setUri("#" + signature.getId() + "-RESPONDER_CERT");
                    }
                }
            }
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            DigiDocException.handleException(e2, 66);
        }
        return notary;
    }

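    /**
     * Obtains an OCSP confirmation for {@code signature}, resolving the CA and responder
     * certificates from the TSL (the responder by the common name of the signer certificate's
     * issuer). The nonce is a digest (SHA-256 for BDOC, else SHA-1) of the signature value.
     * <p>
     * This overload delegates to the six-argument getConfirmation, which passes a {@code null}
     * Signature down; parseAndVerifyResponse only treats a nonce mismatch as fatal when a
     * Signature is present, so that check is not enforced on this path.
     * <p>
     * Fix: a {@code null} signature is reported as ERR_INPUT_VALUE, consistent with the other
     * Signature-taking overloads, instead of escaping as a NullPointerException.
     *
     * @param signature       signature to confirm; must not be {@code null}
     * @param x509Certificate signer certificate
     * @return the confirmation
     * @throws DigiDocException with ERR_INPUT_VALUE for a null signature, otherwise as getConfirmation reports
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public Notary getConfirmation(Signature signature, X509Certificate x509Certificate) throws DigiDocException {
        if (signature == null) {
            throw new DigiDocException(DigiDocException.ERR_INPUT_VALUE, "Signature is NULL for ocsp request!", null);
        }
        final String notaryId = signature.getId().replace('S', 'N');
        final byte[] sigValue = signature.getSignatureValue().getValue();
        final String digestType = signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC) ? SignedDoc.SHA256_DIGEST_TYPE : SignedDoc.SHA1_DIGEST_TYPE;
        final byte[] nonce = SignedDoc.digestOfType(sigValue, digestType);
        final TrustServiceFactory tsl = ConfigManager.instance().getTslFactory();
        final X509Certificate caCert = tsl.findCaForCert(x509Certificate, true, null);
        final String issuerCn = ConvertUtils.getCommonName(ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal()));
        final X509Certificate responderCert = tsl.findOcspByCN(issuerCn, true);
        return getConfirmation(nonce, x509Certificate, caCert, responderCert, notaryId, signature.getHttpFrom());
    }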

    /**
     * Picks a local IP address to report as the http-from value: the first address of the first
     * network interface the JVM enumerates. Enumeration order is platform-defined, so this may
     * be a loopback or link-local address rather than the outbound one.
     *
     * @return the host address string, or {@code null} if none could be determined
     */
    private String composeHttpFrom() {
        String hostAddress = null;
        try {
            final Enumeration<NetworkInterface> ifaces = NetworkInterface.getNetworkInterfaces();
            final NetworkInterface firstIface = (ifaces != null && ifaces.hasMoreElements()) ? ifaces.nextElement() : null;
            if (firstIface != null) {
                final Enumeration<InetAddress> addrs = firstIface.getInetAddresses();
                final InetAddress firstAddr = (addrs != null && addrs.hasMoreElements()) ? addrs.nextElement() : null;
                if (firstAddr != null) {
                    hostAddress = firstAddr.getHostAddress();
                }
                // logged whenever an interface exists, even if it yielded no address
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("FROM: " + hostAddress);
                }
            }
        } catch (Exception e) {
            this.m_logger.error("Error finding ip-adr: " + e);
        }
        return hostAddress;
    }

    /**
     * Runs a stand-alone OCSP check of {@code x509Certificate}, using a locally determined
     * IP address (composeHttpFrom) as the http-from value.
     *
     * @param x509Certificate certificate to check
     * @return the verified OCSP response
     * @throws DigiDocException as reported by the two-argument checkCertificate
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public OCSPResp checkCertificate(X509Certificate x509Certificate) throws DigiDocException {
        final String httpFrom = composeHttpFrom();
        return checkCertificate(x509Certificate, httpFrom);
    }

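    /**
     * Performs a stand-alone OCSP status check of {@code x509Certificate} against the responder
     * URL the TSL lists for it.
     * <p>
     * Verification order: response status (verifyRespStatus); nonce must equal the digest that
     * was sent (69, replay protection); responder certificate found in the TSL by the responder
     * id's common name (70); responder signature valid under that certificate (70); certificate
     * status via checkCertStatus.
     * <p>
     * Fixes relative to the decompiled form: the locals read after the first try block are
     * initialised (they were unassigned if handleException returned), and the signature
     * verification — whose constructors and {@code isSignatureValid} throw checked exceptions — is
     * wrapped in the same try/catch pattern the other verification methods in this class use.
     *
     * @param x509Certificate certificate to check
     * @param str             http-from value passed to sendRequestToUrl
     * @return the raw, verified OCSP response
     * @throws DigiDocException with code 66 for request/transport failures, 69 for a nonce mismatch,
     *                          70 for responder lookup or signature failures, and as checkCertStatus reports
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public OCSPResp checkCertificate(X509Certificate x509Certificate, String str) throws DigiDocException {
        X509Certificate caCert = null;
        byte[] sentNonce = null;
        BasicOCSPResp basicResp = null;
        byte[] receivedNonce = null;
        OCSPResp resp = null;
        try {
            // result discarded in the original as well; kept in case instantiation has side effects
            ConfigManager.instance().getDigiDocFactory();
            final TrustServiceFactory tsl = ConfigManager.instance().getTslFactory();
            caCert = tsl.findCaForCert(x509Certificate, true, null);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Find CA for: " + SignedDoc.getCommonName(ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal())));
                this.m_logger.debug("Check cert: " + x509Certificate.getSubjectDN().getName());
                this.m_logger.debug("Check CA cert: " + caCert.getSubjectDN().getName());
            }
            // Fresh unpredictable nonce; echoed by the responder and compared below.
            sentNonce = SignedDoc.digest(createRandomBytes(32));
            final OCSPReq req = createOCSPRequest(sentNonce, x509Certificate, caCert, this.m_bSignRequests, false);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Sending ocsp request: " + req.getEncoded().length + " bytes");
                this.m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
            }
            resp = sendRequestToUrl(req, tsl.findOcspUrlForCert(x509Certificate, 0, true), str, null, null);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Got ocsp response: " + (resp != null ? resp.getEncoded().length : 0) + " bytes");
                if (resp != null) {
                    this.m_logger.debug("RESPONSE:\n" + Base64Util.encode(resp.getEncoded(), 0));
                }
            }
            verifyRespStatus(resp);
            basicResp = (BasicOCSPResp) resp.getResponseObject();
            receivedNonce = getNonce(basicResp, null);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Nonce1: " + (sentNonce != null ? ConvertUtils.bin2hex(sentNonce) + " len: " + sentNonce.length : "NULL")
                        + " nonce2: " + (receivedNonce != null ? ConvertUtils.bin2hex(receivedNonce) + " len: " + receivedNonce.length : "NULL"));
            }
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            DigiDocException.handleException(e2, 66);
        }
        if (!SignedDoc.compareDigests(sentNonce, receivedNonce)) {
            throw new DigiDocException(69, "Invalid nonce value! Possible replay attack!", null);
        }
        String responderId = null;
        X509Certificate responderCert = null;
        try {
            responderId = responderIDtoString(basicResp);
            responderCert = getNotaryCert(ConvertUtils.getCommonName(responderId), null);
        } catch (Exception e3) {
            this.m_logger.error("OCSP Signature verification error!!!", e3);
            DigiDocException.handleException(e3, 70);
        }
        if (responderCert == null) {
            throw new DigiDocException(70, "Responder cert not found for: " + responderId, null);
        }
        boolean signatureOk = false;
        try {
            signatureOk = basicResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(new X509CertificateHolder(responderCert.getEncoded())));
        } catch (Exception e4) {
            this.m_logger.error("OCSP Signature verification error!!!", e4);
            DigiDocException.handleException(e4, 70);
        }
        if (!signatureOk) {
            throw new DigiDocException(70, "OCSP verification error!", null);
        }
        checkCertStatus(x509Certificate, basicResp, caCert);
        return resp;
    }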

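    /**
     * Builds and sends an unsigned OCSP request for {@code x509Certificate} and returns the
     * response <em>unverified</em>; the nonce that was sent is handed back through
     * {@code byteArrayOutputStream} so the caller can verify the response later (presumably with
     * checkCertOcsp, whose parameters match).
     * <p>
     * Fix: the nonce sink and the responder-id sink are now optional like the request sink already
     * was; a {@code null} sink previously surfaced as a NullPointerException wrapped in error 66.
     * The responder id is extracted only when the response object is a BasicOCSPResp; for
     * non-successful statuses there is none, and verification of the status is left to the caller.
     *
     * @param x509Certificate        certificate to query
     * @param x509Certificate2       its issuing CA certificate
     * @param str                    responder URL
     * @param byteArrayOutputStream  receives the nonce that was sent; may be {@code null}
     * @param stringBuffer           receives the responder id string from the response; may be {@code null}
     * @param byteArrayOutputStream2 receives the DER-encoded request; may be {@code null}
     * @param str2                   http-from value passed to sendRequestToUrl
     * @return the raw response as returned by sendRequestToUrl, or {@code null} only if handleException returns normally
     * @throws DigiDocException with code 66 when building or sending the request fails
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public OCSPResp sendCertOcsp(X509Certificate x509Certificate, X509Certificate x509Certificate2, String str, ByteArrayOutputStream byteArrayOutputStream, StringBuffer stringBuffer, ByteArrayOutputStream byteArrayOutputStream2, String str2) throws DigiDocException {
        try {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Find CA for: " + SignedDoc.getCommonName(ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal())));
                this.m_logger.debug("Check cert: " + x509Certificate.getSubjectDN().getName());
                this.m_logger.debug("Check CA cert: " + x509Certificate2.getSubjectDN().getName());
            }
            final byte[] nonce = SignedDoc.digest(createRandomBytes(32));
            if (byteArrayOutputStream != null) {
                byteArrayOutputStream.write(nonce);
            }
            // requests from this entry point are never signed (hard-coded false, unlike checkCertificate)
            final OCSPReq req = createOCSPRequest(nonce, x509Certificate, x509Certificate2, false, false);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Sending ocsp request: " + req.getEncoded().length + " bytes");
                this.m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
            }
            if (req != null && byteArrayOutputStream2 != null) {
                byteArrayOutputStream2.write(req.getEncoded());
            }
            final OCSPResp resp = sendRequestToUrl(req, str, str2, null, null);
            if (resp != null && stringBuffer != null) {
                final Object respObj = resp.getResponseObject();
                if (respObj instanceof BasicOCSPResp) {
                    final String responderId = responderIDtoString((BasicOCSPResp) respObj);
                    if (responderId != null) {
                        stringBuffer.append(responderId);
                    }
                }
            }
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Got ocsp response: " + (resp != null ? resp.getEncoded().length : 0) + " bytes");
                if (resp != null) {
                    this.m_logger.debug("RESPONSE:\n" + Base64Util.encode(resp.getEncoded(), 0));
                }
            }
            return resp;
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            DigiDocException.handleException(e2, 66);
            return null;
        }
    }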

    /**
     * Verifies a response obtained earlier (e.g. via sendCertOcsp): response status, nonce
     * equality with {@code bArr}, responder signature under {@code x509Certificate2}, and
     * finally the certificate status via checkCertStatusWithCa.
     *
     * @param oCSPResp         response to verify
     * @param x509Certificate  certificate whose status was queried
     * @param x509Certificate2 certificate whose key verifies the responder signature
     * @param bArr             nonce that was sent with the request
     * @param x509Certificate3 CA certificate handed to checkCertStatusWithCa
     * @return {@code true} only if the responder signature verified. A {@code false} result is
     *         not turned into an exception here (the status check still runs before returning),
     *         so callers must treat {@code false} as a failed verification
     * @throws DigiDocException as verifyRespStatus reports, 69 on nonce mismatch, 70 when signature
     *                          verification throws, as checkCertStatusWithCa reports, 66 otherwise
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public boolean checkCertOcsp(OCSPResp oCSPResp, X509Certificate x509Certificate, X509Certificate x509Certificate2, byte[] bArr, X509Certificate x509Certificate3) throws DigiDocException {
        boolean signatureOk = false;
        try {
            verifyRespStatus(oCSPResp);
            final BasicOCSPResp basic = (BasicOCSPResp) oCSPResp.getResponseObject();
            final byte[] receivedNonce = getNonce(basic, null);
            if (!SignedDoc.compareDigests(bArr, receivedNonce)) {
                throw new DigiDocException(69, "Invalid nonce value! Possible replay attack!", null);
            }
            try {
                signatureOk = basic.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(new X509CertificateHolder(x509Certificate2.getEncoded())));
            } catch (Exception e) {
                this.m_logger.error("OCSP Signature verification error!!!", e);
                DigiDocException.handleException(e, 70);
            }
            checkCertStatusWithCa(x509Certificate, basic, x509Certificate3);
        } catch (DigiDocException e2) {
            throw e2;
        } catch (Exception e3) {
            DigiDocException.handleException(e3, 66);
            return false;
        }
        return signatureOk;
    }

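    /**
     * Checks {@code x509Certificate} via OCSP using sendRequest (default destination), verifying
     * response status, nonce (69), responder certificate lookup by common name (70), responder
     * signature (70) and certificate status (checkCertStatus), in that order.
     * <p>
     * Fixes relative to the decompiled form: the signature verification is wrapped in the same
     * try/catch as the other verification methods (its calls throw checked exceptions), and a
     * missing responder certificate is reported as error 70 instead of a NullPointerException
     * wrapped in error 66.
     *
     * @param x509Certificate certificate to check
     * @param z               not used by this implementation (no CRL fallback is implemented here)
     * @throws DigiDocException with code 66 for request/transport failures, 69 for a nonce mismatch,
     *                          70 for responder lookup or signature failures, and as checkCertStatus reports
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public void checkCertificateOcspOrCrl(X509Certificate x509Certificate, boolean z) throws DigiDocException {
        try {
            final X509Certificate caCert = ConfigManager.instance().getTslFactory().findCaForCert(x509Certificate, true, null);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Find CA for: " + SignedDoc.getCommonName(ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal())));
                this.m_logger.debug("Check cert: " + x509Certificate.getSubjectDN().getName());
                this.m_logger.debug("Check CA cert: " + caCert.getSubjectDN().getName());
            }
            final byte[] sentNonce = SignedDoc.digest(createRandomBytes(32));
            final OCSPReq req = createOCSPRequest(sentNonce, x509Certificate, caCert, this.m_bSignRequests, false);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Sending ocsp request: " + req.getEncoded().length + " bytes");
                this.m_logger.debug("REQUEST:\n" + Base64Util.encode(req.getEncoded(), 0));
            }
            final OCSPResp resp = sendRequest(req, null, null, null);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Got ocsp response: " + resp.getEncoded().length + " bytes");
                this.m_logger.debug("RESPONSE:\n" + Base64Util.encode(resp.getEncoded(), 0));
            }
            verifyRespStatus(resp);
            final BasicOCSPResp basicResp = (BasicOCSPResp) resp.getResponseObject();
            if (!SignedDoc.compareDigests(sentNonce, getNonce(basicResp, null))) {
                throw new DigiDocException(69, "Invalid nonce value! Possible replay attack!", null);
            }
            final String responderId = responderIDtoString(basicResp);
            final X509Certificate responderCert = getNotaryCert(SignedDoc.getCommonName(responderId), null);
            if (responderCert == null) {
                throw new DigiDocException(70, "Responder cert not found for: " + responderId, null);
            }
            boolean signatureOk = false;
            try {
                signatureOk = basicResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(new X509CertificateHolder(responderCert.getEncoded())));
            } catch (Exception e) {
                this.m_logger.error("OCSP Signature verification error!!!", e);
                DigiDocException.handleException(e, 70);
            }
            if (!signatureOk) {
                this.m_logger.error("OCSP Signature verification error!!!");
                throw new DigiDocException(70, "OCSP Signature verification error!!!", null);
            }
            checkCertStatus(x509Certificate, basicResp, caCert);
        } catch (DigiDocException e2) {
            throw e2;
        } catch (Exception e3) {
            DigiDocException.handleException(e3, 66);
        }
    }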

    /**
     * Convenience form: derives the notary id ("S" → "N" in the signature id) and the signer
     * certificate from {@code signature}, and lets the full parser look up the responder and CA.
     *
     * @param signature signature being confirmed; must not be {@code null}
     * @param oCSPResp  raw response to verify
     * @param bArr      nonce that was sent
     * @return the verified notary record
     * @throws DigiDocException as the seven-argument parseAndVerifyResponse reports
     */
    private Notary parseAndVerifyResponse(Signature signature, OCSPResp oCSPResp, byte[] bArr) throws DigiDocException {
        final String notaryId = signature.getId().replace('S', 'N');
        final X509Certificate signerCert = signature.getKeyInfo().getSignersCertificate();
        return parseAndVerifyResponse(signature, notaryId, signerCert, oCSPResp, bArr, null, null);
    }

    /**
     * Parses an OCSP response and verifies it end to end before wrapping it in a {@link Notary}.
     * <p>
     * Order of checks: response present (69); response status 0 (status 6 → ERR_OCSP_UNAUTHORIZED,
     * anything else → 69); responder certificate available — supplied, or looked up in the TSL by
     * the common name of the responder id (70); responder signature valid under it (70); nonce equal
     * to {@code bArr} (71, but see the caveat at the comparison); certificate status via checkCertStatus.
     *
     * @param signature        signature being confirmed; may be {@code null}. Its SignedDoc is passed to
     *                         getNonce, and its presence decides whether a nonce mismatch is fatal
     * @param str              id for the resulting Notary
     * @param x509Certificate  certificate whose status is checked
     * @param oCSPResp         raw response; must not be {@code null}
     * @param bArr             nonce that was sent in the request
     * @param x509Certificate2 responder certificate, or {@code null} to look it up by responder id
     * @param x509Certificate3 CA certificate handed to checkCertStatus (which resolves a {@code null} itself)
     * @return the verified notary record, carrying the responder certificate's serial number when known
     * @throws DigiDocException with codes 69, 70, 71, 72 or ERR_OCSP_UNAUTHORIZED on a failed check
     */
    private Notary parseAndVerifyResponse(Signature signature, String str, X509Certificate x509Certificate, OCSPResp oCSPResp, byte[] bArr, X509Certificate x509Certificate2, X509Certificate x509Certificate3) throws DigiDocException {
        // NOTE(review): decompiled listing — these are read after the try/catch below without an
        // initialiser; if handleException(…, 72) returns normally they are unassigned. The original
        // source presumably initialised them to null.
        BasicOCSPResp basicOCSPResp;
        String responderIDtoString;
        Notary notary = null;
        if (oCSPResp == null) {
            throw new DigiDocException(69, "OCSP response is null!", null);
        }
        if (oCSPResp.getStatus() != 0) {
            if (oCSPResp.getStatus() == 6) {
                throw new DigiDocException(DigiDocException.ERR_OCSP_UNAUTHORIZED, "OCSP response unauthorized! ", null);
            }
            throw new DigiDocException(69, "OCSP response unsuccessfull!", null);
        }
        try {
            basicOCSPResp = (BasicOCSPResp) oCSPResp.getResponseObject();
            responderIDtoString = responderIDtoString(basicOCSPResp);
            // Trust in the responder comes from the TSL lookup by common name when no certificate was supplied.
            if (x509Certificate2 == null) {
                String commonName = ConvertUtils.getCommonName(responderIDtoString);
                x509Certificate2 = getNotaryCert(commonName, null);
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Find notary cert: " + commonName + " found: " + (x509Certificate2 != null ? "OK" : "NULL"));
                }
            }
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            DigiDocException.handleException(e2, 72);
        }
        if (x509Certificate2 == null) {
            throw new DigiDocException(70, "Notary cert not found for: " + responderIDtoString, null);
        }
        // Responder signature over the BasicOCSPResponse, verified with the responder certificate's key.
        boolean z = false;
        try {
            z = basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(new X509CertificateHolder(x509Certificate2.getEncoded())));
        } catch (Exception e3) {
            this.m_logger.error("OCSP Signature verification error!!!", e3);
            DigiDocException.handleException(e3, 70);
        }
        if (!z) {
            this.m_logger.error("OCSP Signature verification error!!!");
            throw new DigiDocException(70, "OCSP Signature verification error!!!", null);
        }
        if (this.m_logger.isDebugEnabled() && x509Certificate2 != null) {
            this.m_logger.debug("Using responder cert: " + x509Certificate2.getSerialNumber().toString());
        }
        // Nonce comparison: length check, then every byte is compared without an early exit.
        byte[] nonce = getNonce(basicOCSPResp, signature != null ? signature.getSignedDoc() : null);
        boolean z2 = (bArr == null || nonce == null || bArr.length != nonce.length) ? false : true;
        for (int i = 0; bArr != null && nonce != null && i < bArr.length; i++) {
            if (bArr[i] != nonce[i]) {
                z2 = false;
            }
        }
        if (this.m_logger.isDebugEnabled() && x509Certificate2 != null) {
            this.m_logger.debug("NONCE ddoc: " + (signature != null ? signature.getSignedDoc().getFormat() : "NULL") + " ok: " + z2);
        }
        // NOTE(review): a nonce mismatch is only fatal when a Signature was supplied. On the
        // null-Signature path (the six-argument getConfirmation) a mismatch is neither logged nor
        // rejected here — confirm this is intended.
        if (!z2 && signature != null) {
            this.m_logger.error("DDOC ver: " + signature.getSignedDoc().getVersion() + " SIG: " + signature.getId() + " Real nonce: " + Base64Util.encode(nonce, 0) + " SigVal hash: " + Base64Util.encode(bArr, 0) + " SigVal hash hex: " + ConvertUtils.bin2hex(bArr));
            throw new DigiDocException(71, "OCSP response's nonce doesn't match the requests nonce!", null);
        }
        checkCertStatus(x509Certificate, basicOCSPResp, x509Certificate3);
        notary = new Notary(str, oCSPResp.getEncoded(), responderIDtoString, basicOCSPResp.getProducedAt());
        if (x509Certificate2 != null) {
            notary.setCertNr(x509Certificate2.getSerialNumber().toString());
        }
        return notary;
    }

    /**
     * Checks the status of {@code signature}'s signer certificate in {@code basicOCSPResp},
     * letting the full checkCertStatus resolve the CA certificate from the TSL.
     *
     * @param signature     signature whose signer certificate is checked; must not be {@code null}
     * @param basicOCSPResp verified OCSP response body
     * @throws DigiDocException as the three-argument checkCertStatus reports
     */
    private void checkCertStatus(Signature signature, BasicOCSPResp basicOCSPResp) throws DigiDocException {
        final X509Certificate signerCert = signature.getKeyInfo().getSignersCertificate();
        checkCertStatus(signerCert, basicOCSPResp, null);
    }

    private void checkCertStatus(X509Certificate x509Certificate, BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate2) throws DigiDocException {
        try {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Checking response status, CERT: " + (x509Certificate != null ? x509Certificate.getSubjectDN().getName() : "NULL") + " SEARCH: " + (x509Certificate != null ? SignedDoc.getCommonName(ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal())) : "NULL"));
            }
            if (x509Certificate == null) {
                throw new DigiDocException(92, "No certificate to check! Error reading certificate from file?", null);
            }
            TrustServiceFactory tslFactory = ConfigManager.instance().getTslFactory();
            if (x509Certificate2 == null) {
                x509Certificate2 = tslFactory.findCaForCert(x509Certificate, true, null);
            }
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("CA cert: " + (x509Certificate2 != null ? x509Certificate2.getSubjectDN().getName() : "NULL"));
                this.m_logger.debug("RESP: " + basicOCSPResp);
                this.m_logger.debug("CERT: " + x509Certificate.getSubjectDN().getName() + " ISSUER: " + ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal()) + " nr: " + (x509Certificate2 != null ? ConvertUtils.bin2hex(x509Certificate2.getSerialNumber().toByteArray()) : "NULL"));
            }
            if (x509Certificate2 == null) {
                throw new DigiDocException(92, "Unknown CA cert: " + x509Certificate.getIssuerDN().getName(), null);
            }
            SingleResp[] responses = basicOCSPResp.getResponses();
            CertificateID creatCertReq = creatCertReq(x509Certificate, x509Certificate2);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Search alg: " + creatCertReq.getHashAlgOID() + " cert ser: " + x509Certificate.getSerialNumber().toString() + " serial: " + creatCertReq.getSerialNumber() + " issuer: " + Base64Util.encode(creatCertReq.getIssuerKeyHash()) + " subject: " + Base64Util.encode(creatCertReq.getIssuerNameHash()));
            }
            boolean z = false;
            int i = 0;
            while (true) {
                if (i >= responses.length) {
                    break;
                }
                CertificateID certID = responses[i].getCertID();
                if (certID != null) {
                    if (this.m_logger.isDebugEnabled()) {
                        this.m_logger.debug("Got alg: " + certID.getHashAlgOID() + " serial: " + certID.getSerialNumber() + " issuer: " + Base64Util.encode(certID.getIssuerKeyHash()) + " subject: " + Base64Util.encode(certID.getIssuerNameHash()));
                    }
                    if (creatCertReq.getHashAlgOID().equals(certID.getHashAlgOID()) && creatCertReq.getSerialNumber().equals(certID.getSerialNumber()) && SignedDoc.compareDigests(creatCertReq.getIssuerKeyHash(), certID.getIssuerKeyHash()) && SignedDoc.compareDigests(creatCertReq.getIssuerNameHash(), certID.getIssuerNameHash())) {
                        if (this.m_logger.isDebugEnabled()) {
                            this.m_logger.debug("Found it!");
                        }
                        z = true;
                        CertificateStatus certStatus = responses[i].getCertStatus();
                        if (certStatus != null) {
                            if (this.m_logger.isDebugEnabled()) {
                                this.m_logger.debug("CertStatus: " + certStatus.getClass().getName());
                            }
                            if (certStatus instanceof RevokedStatus) {
                                this.m_logger.error("Certificate has been revoked!");
                                throw new DigiDocException(91, "Certificate has been revoked!", null);
                            }
                            if (certStatus instanceof UnknownStatus) {
                                this.m_logger.error("Certificate status is unknown!");
                                throw new DigiDocException(92, "Certificate status is unknown!", null);
                            }
                        }
                    }
                }
                i++;
            }
            if (z) {
                return;
            }
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Error checkCertStatus - not found ");
            }
            throw new DigiDocException(88, "Bad OCSP response status!", null);
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            this.m_logger.error("Error checkCertStatus: " + e2);
            e2.printStackTrace();
            throw new DigiDocException(88, "Error checking OCSP response status!", null);
        }
    }

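    /**
     * Checks the revocation status of {@code x509Certificate} in an OCSP response whose
     * signature has already been verified, locating the matching SingleResp through a
     * CertificateID computed from the certificate and its issuer {@code x509Certificate2}.
     *
     * Error codes: every failure is reported as 88 here, whereas the sibling checkCertStatus
     * path reports revoked as 91 and unknown as 92; kept as-is to preserve the existing
     * contract - confirm which codes the callers rely on.
     *
     * @param x509Certificate the certificate whose status is checked; when it or the CA cert
     *                        is null no CertificateID can be computed and nothing can match
     * @param basicOCSPResp the OCSP response body to search
     * @param x509Certificate2 the issuer (CA) certificate used for the issuer name/key hashes
     * @throws DigiDocException code 88 when the response holds no entry for the certificate,
     *                          when the entry is revoked or of unknown status, or when the
     *                          lookup itself fails (the underlying exception is attached)
     */
    private void checkCertStatusWithCa(X509Certificate x509Certificate, BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate2) throws DigiDocException {
        try {
            if (basicOCSPResp == null) {
                throw new DigiDocException(88, "Error checking OCSP response status!", null);
            }
            if (this.m_logger.isDebugEnabled()) {
                // Both certificates may be null here, so render them defensively instead of
                // dereferencing (a null subject cert used to NPE into the generic catch below).
                String subject = x509Certificate != null ? x509Certificate.getSubjectDN().getName() : "NULL";
                String issuer = x509Certificate != null ? ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal()) : "NULL";
                this.m_logger.debug("Checking response status, CERT: " + subject + " SEARCH: " + (x509Certificate != null ? SignedDoc.getCommonName(issuer) : "NULL"));
                this.m_logger.debug("CA cert: " + (x509Certificate2 == null ? "NULL" : "OK"));
                this.m_logger.debug("RESP: " + basicOCSPResp);
                this.m_logger.debug("CERT: " + subject + " ISSUER: " + issuer);
                if (x509Certificate2 != null) {
                    this.m_logger.debug("CA CERT: " + x509Certificate2.getSubjectDN().getName());
                }
            }
            // The CertificateID can only be computed when both the subject and its issuer are known;
            // without it no entry can match and the method ends with "Bad OCSP response status!".
            CertificateID wanted = null;
            if (x509Certificate != null && x509Certificate2 != null) {
                wanted = creatCertReq(x509Certificate, x509Certificate2);
            }
            if (this.m_logger.isDebugEnabled() && wanted != null) {
                this.m_logger.debug("Search alg: " + wanted.getHashAlgOID() + " serial: " + wanted.getSerialNumber() + " issuer: " + Base64Util.encode(wanted.getIssuerKeyHash()) + " subject: " + Base64Util.encode(wanted.getIssuerNameHash()));
            }
            boolean found = false;
            SingleResp[] responses = basicOCSPResp.getResponses();
            for (int i = 0; i < responses.length; i++) {
                CertificateID certID = responses[i].getCertID();
                if (certID == null) {
                    continue;
                }
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Got alg: " + certID.getHashAlgOID() + " serial: " + certID.getSerialNumber() + " issuer: " + Base64Util.encode(certID.getIssuerKeyHash()) + " subject: " + Base64Util.encode(certID.getIssuerNameHash()));
                }
                if (wanted == null || !sameCertId(wanted, certID)) {
                    continue;
                }
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Found it!");
                }
                found = true;
                // BouncyCastle represents "good" as a null CertificateStatus; only revoked and
                // unknown come back as objects.
                CertificateStatus certStatus = responses[i].getCertStatus();
                if (certStatus != null) {
                    if (this.m_logger.isDebugEnabled()) {
                        this.m_logger.debug("CertStatus: " + certStatus.getClass().getName());
                    }
                    if (certStatus instanceof RevokedStatus) {
                        this.m_logger.error("Certificate has been revoked!");
                        throw new DigiDocException(88, "Certificate has been revoked!", null);
                    }
                    if (certStatus instanceof UnknownStatus) {
                        this.m_logger.error("Certificate status is unknown!");
                        throw new DigiDocException(88, "Certificate status is unknown!", null);
                    }
                }
                // Keep scanning: a later entry for the same certificate may still report revocation.
            }
            if (!found) {
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Error checkCertStatus - not found ");
                }
                throw new DigiDocException(88, "Bad OCSP response status!", null);
            }
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            // Log with the stack trace instead of printStackTrace(), and keep e2 as the cause.
            this.m_logger.error("Error checkCertStatus: " + e2, e2);
            throw new DigiDocException(88, "Error checking OCSP response status!", e2);
        }
    }

    /**
     * Tells whether two CertificateIDs denote the same certificate: same hash algorithm,
     * same serial number and equal issuer key and issuer name hashes.
     *
     * @param wanted the CertificateID computed locally for the certificate under check
     * @param found the CertificateID taken from a SingleResp of the response
     * @return true when all four components agree
     */
    private static boolean sameCertId(CertificateID wanted, CertificateID found) {
        return wanted.getHashAlgOID().equals(found.getHashAlgOID())
                && wanted.getSerialNumber().equals(found.getSerialNumber())
                && SignedDoc.compareDigests(wanted.getIssuerKeyHash(), found.getIssuerKeyHash())
                && SignedDoc.compareDigests(wanted.getIssuerNameHash(), found.getIssuerNameHash());
    }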

    /**
     * Parses the OCSP response stored in {@code notary} and verifies it against
     * {@code signature}: the response signature must verify with a responder certificate
     * from the local store (and, when present, with the responder certificate embedded in
     * the signature), the nonce must bind the response to the signature value for the
     * formats that require it, and the signer's certificate status is then checked.
     *
     * @param signature the signature this OCSP confirmation belongs to
     * @param notary holds the raw response ({@code getOcspResponseData()}); on success its
     *               producedAt and responderId are filled in from the response
     * @return {@code notary}, updated
     * @throws DigiDocException 72 when the response cannot be parsed, 70 when the responder
     *                          certificate cannot be resolved or the response signature does
     *                          not verify, ERR_OCSP_RECPONDER_NOT_TRUSTED when no responder
     *                          certificate is found locally, 71 on nonce mismatch, plus
     *                          whatever checkCertStatus raises for a revoked/unknown certificate
     *
     * NOTE(review): verifyRespStatus is not called here; a response whose top-level status is
     * not SUCCESSFUL carries no BasicOCSPResp and presumably only surfaces as the generic
     * parse failure (72) - confirm with the request path. As decompiled, basicOCSPResp and
     * responderIDtoString are unassigned on the exception paths if handleException were to
     * return; presumably it always throws - confirm.
     */
    @Override // ee.sk.digidoc.factory.NotaryFactory
    public Notary parseAndVerifyResponse(Signature signature, Notary notary) throws DigiDocException {
        BasicOCSPResp basicOCSPResp;
        X509Certificate[] x509CertificateArr;
        String responderIDtoString;
        CertValue certValueOfType;
        X509Certificate cert;
        try {
            // Parse the raw response; any failure here is mapped to code 72 below.
            OCSPResp oCSPResp = new OCSPResp(notary.getOcspResponseData());
            basicOCSPResp = (BasicOCSPResp) oCSPResp.getResponseObject();
            x509CertificateArr = null;
            try {
                // Resolve the responder certificate(s) from the local store by responder ID.
                responderIDtoString = responderIDtoString(basicOCSPResp);
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("SIG: " + (signature == null ? "NULL" : signature.getId()));
                    // NOTE(review): signature is dereferenced here (debug only) before the null
                    // check below, so a null signature with debug logging on fails with code 70.
                    this.m_logger.debug("UP: " + (signature.getUnsignedProperties() == null ? "NULL" : "OK: " + signature.getUnsignedProperties().getNotary().getId()));
                    this.m_logger.debug("RESP-CERT: " + (signature.getUnsignedProperties().getRespondersCertificate() == null ? "NULL" : "OK"));
                    this.m_logger.debug("RESP-ID: " + responderIDtoString);
                    CertID certID = signature.getCertID(2);
                    if (certID != null) {
                        this.m_logger.debug("CID: " + certID.getType() + " id: " + certID.getId() + ", " + certID.getSerial() + " issuer: " + certID.getIssuer());
                    }
                    this.m_logger.debug("RESP: " + Base64Util.encode(oCSPResp.getEncoded()));
                }
                // "0 == 0" is decompiler residue and always true.
                if (0 == 0 && signature != null) {
                    // Reduce the responder ID to a bare common name: take the CN when one is
                    // present, strip the "byKey: " prefix, and cut at the first ',' (44).
                    String str = responderIDtoString;
                    if (str.indexOf("CN") != -1) {
                        str = ConvertUtils.getCommonName(responderIDtoString);
                    }
                    if (str.startsWith("byKey: ")) {
                        str = str.substring("byKey: ".length());
                    }
                    int indexOf = str.indexOf(44);
                    if (indexOf > 0) {
                        str = str.substring(0, indexOf);
                    }
                    if (this.m_logger.isDebugEnabled()) {
                        this.m_logger.debug("Search not cert by: " + str);
                    }
                    x509CertificateArr = getNotaryCerts(str, null);
                }
            } catch (Exception e) {
                // Responder lookup problems are reported as signature verification errors (70).
                this.m_logger.error("Signature verification error: " + e);
                e.printStackTrace();
                DigiDocException.handleException(e, 70);
            }
        } catch (DigiDocException e2) {
            throw e2;
        } catch (Exception e3) {
            DigiDocException.handleException(e3, 72);
        }
        // No candidate responder certificate in the local store: the response cannot be trusted.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new DigiDocException(DigiDocException.ERR_OCSP_RECPONDER_NOT_TRUSTED, "No certificate for responder: '" + responderIDtoString + "' found in local certificate store!", null);
        }
        // Try each candidate until one verifies the response signature; the loop stops at the
        // first success (z becomes true).
        boolean z = false;
        for (int i = 0; x509CertificateArr != null && i < x509CertificateArr.length && !z; i++) {
            X509Certificate x509Certificate = x509CertificateArr[i];
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Verify using responders cert: " + (x509Certificate != null ? ConvertUtils.getCommonName(x509Certificate.getSubjectDN().getName()) + " nr: " + x509Certificate.getSerialNumber().toString() : "NULL"));
            }
            z = x509Certificate != null ? basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(new X509CertificateHolder(x509Certificate.getEncoded()))) : false;
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("OCSP resp: " + (basicOCSPResp != null ? responderIDtoString(basicOCSPResp) : "NULL") + " verify using: " + (x509Certificate != null ? ConvertUtils.getCommonName(x509Certificate.getSubjectDN().getName()) : "NULL") + " verify: " + z);
            }
        }
        // When the signature also embeds the responder certificate (CertValue type 2), the
        // response must verify with that certificate too. This only runs once z is already
        // true, so the embedded (document-supplied) certificate can fail the check but can
        // never make a response that no local certificate verified pass.
        if (z && (certValueOfType = signature.getCertValueOfType(2)) != null && (cert = certValueOfType.getCert()) != null) {
            z = basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(new X509CertificateHolder(cert.getEncoded())));
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("OCSP resp: " + (basicOCSPResp != null ? responderIDtoString(basicOCSPResp) : "NULL") + " verify using cert in xml: " + ConvertUtils.getCommonName(cert.getSubjectDN().getName()) + " verify: " + z);
            }
        }
        if (!z) {
            throw new DigiDocException(70, "OCSP verification error!", null);
        }
        if (this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Verif sig: " + signature.getId() + " format: " + signature.getSignedDoc().getFormat() + " nonce policy: " + signature.hasBdoc2NoncePolicy());
        }
        // Nonce binding: for SK_XML, DIGIDOC_XML and BDOC-with-nonce-policy the OCSP nonce must
        // equal the digest of the signature value (SHA-256 for BDOC, SHA-1 for the XML formats).
        if (signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_SK_XML) || signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_DIGIDOC_XML) || (signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC) && signature.hasBdoc2NoncePolicy())) {
            byte[] digestOfType = SignedDoc.digestOfType(signature.getSignatureValue().getValue(), signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC) ? SignedDoc.SHA256_DIGEST_TYPE : SignedDoc.SHA1_DIGEST_TYPE);
            byte[] nonce = getNonce(basicOCSPResp, signature.getSignedDoc());
            // Equal lengths are required (a missing nonce or digest fails), then every byte
            // is compared; any difference clears z2.
            boolean z2 = (digestOfType == null || nonce == null || digestOfType.length != nonce.length) ? false : true;
            for (int i2 = 0; digestOfType != null && nonce != null && i2 < digestOfType.length && i2 < nonce.length; i2++) {
                if (digestOfType[i2] != nonce[i2]) {
                    z2 = false;
                }
            }
            // getSignedDoc() is already non-null here (it was dereferenced by the format check).
            if (!z2 && signature.getSignedDoc() != null) {
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("SigVal\n---\n" + Base64Util.encode(signature.getSignatureValue().getValue()) + "\n---\nOCSP\n---\n" + Base64Util.encode(notary.getOcspResponseData()) + "\n---\n");
                    this.m_logger.debug("DDOC ver: " + signature.getSignedDoc().getVersion() + " SIG: " + signature.getId() + " NOT: " + notary.getId() + " Real nonce: " + (nonce != null ? Base64Util.encode(nonce, 0) : "NULL") + " noncelen: " + (nonce != null ? nonce.length : 0) + " SigVal hash: " + (digestOfType != null ? Base64Util.encode(digestOfType, 0) : "NULL") + " SigVal hash hex: " + (digestOfType != null ? ConvertUtils.bin2hex(digestOfType) : "NULL") + " svlen: " + (digestOfType != null ? digestOfType.length : 0));
                }
                throw new DigiDocException(71, "OCSP response's nonce doesn't match the requests nonce!", null);
            }
        }
        if (this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Verify not: " + notary.getId());
        }
        // Revocation status of the signer's certificate (good/revoked/unknown) is checked last.
        checkCertStatus(signature, basicOCSPResp);
        // Record the response's production time and responder identity on the notary.
        notary.setProducedAt(basicOCSPResp.getProducedAt());
        notary.setResponderId(responderIDtoString(basicOCSPResp));
        return notary;
    }

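    /**
     * Renders the responder ID of an OCSP response as text: {@code "byKey: <hex>"} when the
     * responder is identified by its key hash, {@code "byName: <X509Name>"} when by name.
     *
     * @param basicOCSPResp the response; may be null
     * @return the rendered responder ID, or null when {@code basicOCSPResp} is null
     */
    private String responderIDtoString(BasicOCSPResp basicOCSPResp) {
        if (basicOCSPResp == null) {
            return null;
        }
        // The ResponderID CHOICE sits inside a tagged object; unwrap it to the inner value.
        // The local is typed as Object rather than DEROctetString on purpose: with a
        // DEROctetString-typed local the instanceof below is always true and the cast to
        // ASN1Sequence in the byName branch cannot compile, making byName unreachable.
        Object responderId = basicOCSPResp.getResponderId().toASN1Object().toASN1Object().getObject();
        if (responderId instanceof DEROctetString) {
            return "byKey: " + SignedDoc.bin2hex(((DEROctetString) responderId).getOctets());
        }
        return "byName: " + new X509Name((ASN1Sequence) responderId).toString();
    }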

    /**
     * Extracts the id-pkix-ocsp-nonce value from {@code basicOCSPResp} and normalises it to
     * the bare digest the caller compares against the signature value.
     *
     * Per-format handling: for DIGIDOC_XML (or when {@code signedDoc} is null) a 22-byte
     * value is reduced to its last 20 bytes; for BDOC a recognised digest-type prefix is
     * stripped. Whether an unrecognised nonce counts as an error is controlled by the
     * CHECK_OCSP_NONCE property, forced on for BDOC and off for SK_XML.
     *
     * @param basicOCSPResp the response to read the nonce from; null yields null
     * @param signedDoc the container the signature belongs to; its format selects the rules
     * @return the normalised nonce bytes, or null when the response has no nonce extension
     *         or when any failure occurs while reading it
     *
     * NOTE(review): the "Invalid nonce" DigiDocException thrown at the end is raised inside
     * the same try whose trailing catch swallows Exception (DigiDocException is caught ahead
     * of Exception elsewhere in this file, so it is an Exception subtype), so it never reaches
     * the caller - the caller only sees null and then reports a nonce mismatch for formats
     * that check the nonce. Confirm this is intended before relying on code 71 from here.
     */
    private byte[] getNonce(BasicOCSPResp basicOCSPResp, SignedDoc signedDoc) {
        Extension extension;
        if (basicOCSPResp == null) {
            return null;
        }
        try {
            // bArr: nonce bytes; z: whether the nonce was recognised/normalised;
            // str: label of the recognised nonce type (debug output only).
            byte[] bArr = null;
            Set nonCriticalExtensionOIDs = basicOCSPResp.getNonCriticalExtensionOIDs();
            boolean z = false;
            String str = null;
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Nonce exts: " + nonCriticalExtensionOIDs.size());
            }
            // Only look for the nonce when at least one non-critical extension is present.
            if (nonCriticalExtensionOIDs.size() >= 1 && (extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce)) != null) {
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Ext: " + extension.getExtnId() + " val-len: " + (extension.getExtnValue() != null ? extension.getExtnValue().getOctets().length : 0));
                }
                // A raw value of exactly 20 bytes is used as-is (presumably a bare SHA-1
                // digest - confirm); anything else is re-read as the DER encoding of the
                // parsed value, which the format-specific handling below unwraps.
                if (extension.getExtnValue() == null || extension.getExtnValue().getOctets() == null || extension.getExtnValue().getOctets().length != 20) {
                    bArr = extension.getParsedValue().toASN1Primitive().getEncoded();
                } else {
                    bArr = extension.getExtnValue().getOctets();
                    // Not wrapped in isDebugEnabled() like the other debug lines; harmless.
                    this.m_logger.debug("Raw nonce len: " + (bArr != null ? bArr.length : 0));
                }
            }
            // Nonce checking policy: configured default, overridden per format.
            boolean booleanProperty = ConfigManager.instance().getBooleanProperty("CHECK_OCSP_NONCE", false);
            if (signedDoc != null && signedDoc.getFormat() != null && signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) {
                booleanProperty = true;
            }
            if (signedDoc != null && signedDoc.getFormat() != null && signedDoc.getFormat().equals(SignedDoc.FORMAT_SK_XML)) {
                booleanProperty = false;
            }
            if (this.m_logger.isDebugEnabled() && bArr != null) {
                this.m_logger.debug("Nonce hex: " + ConvertUtils.bin2hex(bArr) + " b64: " + Base64Util.encode(bArr) + " len: " + bArr.length + " asn1: false");
            }
            // DIGIDOC_XML (or unknown container): a 22-byte value is taken to be a 2-byte
            // ASN.1 header followed by the 20-byte digest; keep only the trailing 20 bytes.
            if (((signedDoc != null && signedDoc.getFormat() != null && signedDoc.getFormat().equals(SignedDoc.FORMAT_DIGIDOC_XML)) || signedDoc == null) && bArr != null && bArr.length == 22) {
                byte[] bArr2 = new byte[20];
                System.arraycopy(bArr, bArr.length - 20, bArr2, 0, 20);
                bArr = bArr2;
                z = true;
                str = "ASN1-NONCE";
            }
            // BDOC: the nonce carries a digest-type prefix; it is recognised and stripped,
            // and the nonce counts as valid only when a type was recognised.
            if (signedDoc != null && signedDoc.getFormat() != null && signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && bArr != null) {
                str = ConvertUtils.findDigType(bArr);
                if (str != null) {
                    bArr = ConvertUtils.removePrefix(bArr);
                }
                z = str != null;
            }
            // Note the inverted condition: "No nonce" is also emitted (as a no-op) when debug
            // logging is off.
            if (!this.m_logger.isDebugEnabled() || bArr == null) {
                this.m_logger.debug("No nonce");
            } else {
                this.m_logger.debug("Nonce hex: " + ConvertUtils.bin2hex(bArr) + " b64: " + Base64Util.encode(bArr) + " len: " + bArr.length + " type: " + str);
            }
            // A recognised nonce, or any nonce when checking is disabled, is returned as-is.
            if (z || !booleanProperty) {
                return bArr;
            }
            // Swallowed by the catch below - see the NOTE(review) in the Javadoc.
            throw new DigiDocException(71, "Invalid nonce: " + (bArr != null ? ConvertUtils.bin2hex(bArr) + " length: " + bArr.length : "NO-NONCE") + "!", null);
        } catch (Exception e) {
            // Best-effort: any failure (including the DigiDocException above) becomes "no nonce".
            this.m_logger.error("Error reading ocsp nonce: " + e);
            e.printStackTrace();
            return null;
        }
    }

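    /**
     * Validates the top-level status of an OCSP response.
     *
     * The per-status diagnostics are logged before throwing, so the reason for a failed
     * request reaches the log; previously the switch was placed after an unconditional
     * throw for every non-zero status and was therefore unreachable.
     *
     * @param oCSPResp the response; null is treated as unsuccessful
     * @throws DigiDocException code 69 when the response is null or its status is not
     *                          {@link OCSPResp#SUCCESSFUL}
     */
    private void verifyRespStatus(OCSPResp oCSPResp) throws DigiDocException {
        if (oCSPResp == null) {
            throw new DigiDocException(69, "OCSP response unsuccessfull! ", null);
        }
        int status = oCSPResp.getStatus();
        if (status == OCSPResp.SUCCESSFUL) {
            return;
        }
        // Explain the failure before rejecting the response.
        switch (status) {
            case OCSPResp.MALFORMED_REQUEST:
                this.m_logger.error("Your request did not fit the RFC 2560 syntax!");
                break;
            case OCSPResp.INTERNAL_ERROR:
                this.m_logger.error("An internal error occured in the OCSP Server!");
                break;
            case OCSPResp.TRY_LATER:
                this.m_logger.error("The server was too busy to answer you!");
                break;
            case OCSPResp.SIG_REQUIRED:
                this.m_logger.error("Your request was not signed!");
                break;
            case OCSPResp.UNAUTHORIZED:
                this.m_logger.error("The server could not authenticate you!");
                break;
            default:
                // Covers the unused value 4 and anything outside RFC 6960's enumeration.
                this.m_logger.error("Unknown OCSPResponse status code! " + status);
                break;
        }
        throw new DigiDocException(69, "OCSP response unsuccessfull! ", null);
    }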

    /**
     * Builds the OCSP CertificateID (CertID) for {@code x509Certificate}: the issuer name
     * and issuer key hashes are computed over {@code x509Certificate2} with SHA-1, and the
     * serial number is taken from the subject certificate. SHA-1 here only identifies the
     * issuer within the CertID; it is not a signature algorithm.
     *
     * @param x509Certificate the certificate being queried
     * @param x509Certificate2 its issuer (CA) certificate
     * @return the CertificateID that identifies {@code x509Certificate} in requests and responses
     * @throws NoSuchAlgorithmException if the digest provider cannot be built
     * @throws NoSuchProviderException if the configured security provider is unavailable
     * @throws CertificateEncodingException if the issuer certificate cannot be DER-encoded
     * @throws DigiDocException on library-level failures
     * @throws Exception for any other failure of the underlying BouncyCastle calls
     */
    private CertificateID creatCertReq(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateEncodingException, DigiDocException, Exception {
        DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build();
        X509CertificateHolder issuerHolder = new X509CertificateHolder(x509Certificate2.getEncoded());
        BigInteger serial = x509Certificate.getSerialNumber();
        return new CertificateID(digestProvider.get(CertificateID.HASH_SHA1), issuerHolder, serial);
    }

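    /**
     * Builds an OCSP request for {@code x509Certificate}, issued by {@code x509Certificate2}.
     *
     * @param bArr the nonce for the id-pkix-ocsp-nonce extension, or null for a request
     *             without a nonce
     * @param x509Certificate the certificate whose status is requested; required
     * @param x509Certificate2 the issuer (CA) certificate; required
     * @param z true to sign the request with the configured PKCS#12 key ({@code m_signKey},
     *          {@code m_signCert}); the requestor name is then taken from the signing cert
     * @param z2 true when the nonce is stored as already DER-encoded bytes (a digest
     *           ASN.1 prefix is added if missing); false wraps it in a fresh OCTET STRING
     * @return the built, and when {@code z} is set signed, request
     * @throws DigiDocException 65 when a certificate is missing, 17 when signing was
     *                          requested without a configured signing certificate
     */
    private OCSPReq createOCSPRequest(byte[] bArr, X509Certificate x509Certificate, X509Certificate x509Certificate2, boolean z, boolean z2) throws DigiDocException {
        OCSPReqBuilder oCSPReqBuilder = new OCSPReqBuilder();
        try {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Request for: " + (x509Certificate != null ? ConvertUtils.getCommonName(ConvertUtils.convX509Name(x509Certificate.getSubjectX500Principal())) : "NULL") + " CA: " + (x509Certificate2 != null ? ConvertUtils.getCommonName(ConvertUtils.convX509Name(x509Certificate2.getSubjectX500Principal())) : "NULL"));
            }
        } catch (Exception e) {
            DigiDocException.handleException(e, 65);
        }
        if (x509Certificate == null) {
            throw new DigiDocException(65, "Missing signers cert for ocsp request", null);
        }
        if (x509Certificate2 == null) {
            throw new DigiDocException(65, "Missing CA cert for ocsp request", null);
        }
        CertificateID certId = creatCertReq(x509Certificate, x509Certificate2);
        if (this.m_logger.isDebugEnabled()) {
            // bArr may be null (request without nonce); the previous debug line dereferenced it.
            String nonceInfo = bArr != null ? ConvertUtils.bin2hex(bArr) + " len: " + bArr.length : "NULL";
            this.m_logger.debug("Request for: " + certId.getHashAlgOID() + " serial: " + certId.getSerialNumber() + " issuer: " + ConvertUtils.bin2hex(certId.getIssuerKeyHash()) + " subject: " + ConvertUtils.bin2hex(certId.getIssuerNameHash()) + " nonce: " + nonceInfo);
        }
        oCSPReqBuilder.addRequest(certId);
        byte[] nonce = bArr;
        if (nonce != null && ConvertUtils.findDigType(nonce) == null && z2) {
            // Bare digest in DER mode: prepend the digest ASN.1 prefix so the nonce type is
            // recognisable on the way back (see getNonce).
            byte[] prefixed = ConvertUtils.addDigestAsn1Prefix(nonce);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Nonce in: " + ConvertUtils.bin2hex(nonce) + " in-len: " + nonce.length + " with-asn1: " + ConvertUtils.bin2hex(prefixed) + " out-len: " + (prefixed != null ? prefixed.length : 0) + " out-pref: " + ConvertUtils.findDigType(prefixed));
            }
            nonce = prefixed;
        }
        if (nonce != null) {
            ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
            if (z2) {
                // Bytes are already DER: add them verbatim as the extension value.
                extensionsGenerator.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, nonce);
            } else {
                extensionsGenerator.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce));
            }
            oCSPReqBuilder.setRequestExtensions(extensionsGenerator.generate());
        }
        GeneralName requestor;
        if (z) {
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("SignCert: " + (this.m_signCert != null ? this.m_signCert.toString() : "NULL"));
            }
            if (this.m_signCert == null) {
                throw new DigiDocException(17, "Invalid config file! Attempting to sign ocsp request but PKCS#12 token not configured!", null);
            }
            requestor = new GeneralName(PrincipalUtil.getSubjectX509Principal(this.m_signCert));
        } else {
            // x509Certificate was validated above; no second null check is needed here.
            requestor = new GeneralName(PrincipalUtil.getSubjectX509Principal(x509Certificate));
        }
        oCSPReqBuilder.setRequestorName(requestor);
        if (!z) {
            return oCSPReqBuilder.build();
        }
        if (this.m_logger.isDebugEnabled()) {
            this.m_logger.debug("Signing ocsp request with: " + (this.m_signCert != null ? this.m_signCert.getSubjectX500Principal().getName() : "NULL"));
        }
        X509CertificateHolder[] signerChain = {new X509CertificateHolder(this.m_signCert.getEncoded())};
        // Request signature algorithm is fixed to SHA1withRSA; responder policy may reject
        // SHA-1 request signatures - confirm against the responders in use.
        OCSPReq signedReq = oCSPReqBuilder.build(new JcaContentSignerBuilder("SHA1withRSA").setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(this.m_signKey), signerChain);
        // Self-check of the fresh signature. As before, a failure is only logged and the
        // request is still returned; a responder that requires signed requests will reject it.
        if (!signedReq.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME).build(signerChain[0]))) {
            this.m_logger.error("Verify failed");
        }
        return signedReq;
    }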

    /**
     * Sends {@code oCSPReq} to the responder configured as DIGIDOC_OCSP_RESPONDER_URL.
     *
     * @param oCSPReq the request to post
     * @param str value for the X-Forwarded-For header (may be null)
     * @param str2 document format, used in the User-Agent string
     * @param str3 document version, used in the User-Agent string
     * @return the responder's reply, as returned by {@link #sendRequestToUrl}
     * @throws DigiDocException when sending or parsing fails
     */
    private OCSPResp sendRequest(OCSPReq oCSPReq, String str, String str2, String str3) throws DigiDocException {
        String responderUrl = ConfigManager.instance().getProperty("DIGIDOC_OCSP_RESPONDER_URL");
        return sendRequestToUrl(oCSPReq, responderUrl, str, str2, str3);
    }

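    /**
     * Builds the User-Agent text sent to the OCSP responder: library name and version,
     * optionally the document format/version, and the Java, OS and JVM identifiers read
     * from the system properties. Note that this discloses platform details to the remote
     * responder with every request.
     *
     * @param str the document format, or null
     * @param str2 the document version, or null (the format part is only added when both are set)
     * @return the User-Agent text; if a system property cannot be read, whatever was
     *         collected up to that point
     */
    private String getUserInfo(String str, String str2) {
        StringBuilder info = new StringBuilder("LIB JDigiDoc/3.12.0-785");
        if (str != null && str2 != null) {
            info.append(" format: ").append(str).append('/').append(str2);
        }
        try {
            info.append(" Java: ").append(System.getProperty("java.version")).append('/').append(System.getProperty("java.vendor"));
            info.append(" OS: ").append(System.getProperty("os.name")).append('/').append(System.getProperty("os.arch")).append('/').append(System.getProperty("os.version"));
            info.append(" JVM: ").append(System.getProperty("java.vm.name")).append('/').append(System.getProperty("java.vm.vendor")).append('/').append(System.getProperty("java.vm.version"));
        } catch (RuntimeException e) {
            // System.getProperty can throw SecurityException under a security manager; keep
            // the partial text as before. Errors are no longer hidden by a catch of Throwable.
            this.m_logger.error("Error reading java system properties: " + e);
        }
        return info.toString();
    }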

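    /**
     * Posts the DER-encoded {@code oCSPReq} to {@code str} and parses the reply.
     *
     * Streams are closed on every path, and the body is read until EOF (or until
     * Content-Length bytes when the header is present) with a size cap, instead of the
     * previous available()/read() loop that could spin or fail on short reads and silently
     * dropped responses without a Content-Length header.
     *
     * @param oCSPReq the request to send
     * @param str the responder URL
     * @param str2 value for the X-Forwarded-For header; omitted when null or blank
     * @param str3 document format, passed to {@link #getUserInfo}
     * @param str4 document version, passed to {@link #getUserInfo}
     * @return the parsed response, or null when the responder sent an empty body and
     *         {@code DigiDocException.handleException} did not throw
     * @throws DigiDocException via {@code handleException} with code 65 on any I/O or
     *                          parsing failure
     */
    private OCSPResp sendRequestToUrl(OCSPReq oCSPReq, String str, String str2, String str3, String str4) throws DigiDocException {
        OCSPResp oCSPResp = null;
        try {
            byte[] encoded = oCSPReq.getEncoded();
            URL url = new URL(str);
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Connecting to ocsp url: " + str);
            }
            URLConnection openConnection = url.openConnection();
            int connectTimeout = openConnection.getConnectTimeout();
            if (this.m_logger.isDebugEnabled()) {
                this.m_logger.debug("Default connection timeout: " + connectTimeout + " [ms]");
            }
            // OCSP_TIMEOUT (ms) bounds both connect and read; negative or unset keeps the defaults.
            int intProperty = ConfigManager.instance().getIntProperty("OCSP_TIMEOUT", -1);
            if (intProperty >= 0) {
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("Setting connection and read timeout to: " + intProperty + " [ms]");
                }
                openConnection.setConnectTimeout(intProperty);
                openConnection.setReadTimeout(intProperty);
            }
            openConnection.setAllowUserInteraction(false);
            openConnection.setUseCaches(false);
            openConnection.setDoOutput(true);
            openConnection.setDoInput(true);
            openConnection.setRequestProperty("Content-Type", "application/ocsp-request");
            String userInfo = getUserInfo(str3, str4);
            if (userInfo != null) {
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("User-Agent: " + userInfo);
                }
                openConnection.setRequestProperty("User-Agent", userInfo);
            }
            if (str2 != null && str2.trim().length() > 0) {
                if (this.m_logger.isDebugEnabled()) {
                    this.m_logger.debug("X-Forwarded-For: " + str2);
                }
                openConnection.setRequestProperty("X-Forwarded-For", str2);
            }
            OutputStream outputStream = openConnection.getOutputStream();
            try {
                outputStream.write(encoded);
                outputStream.flush();
            } finally {
                outputStream.close();
            }
            byte[] bArr = readResponseBody(openConnection);
            if (bArr != null) {
                oCSPResp = new OCSPResp(bArr);
            }
        } catch (Exception e) {
            DigiDocException.handleException(e, 65);
        }
        return oCSPResp;
    }

    /**
     * Reads the whole response body of {@code connection}: up to Content-Length bytes when
     * the header is present, otherwise until EOF. The input stream is always closed.
     *
     * @param connection an opened connection whose request has already been written
     * @return the body bytes, or null when nothing was received (matches the previous
     *         behaviour of returning no response for an empty body)
     * @throws java.io.IOException on read failure, or when the body exceeds the size cap
     */
    private static byte[] readResponseBody(URLConnection connection) throws java.io.IOException {
        // Generous upper bound on what we are willing to buffer from the responder; OCSP
        // responses are typically a few kilobytes. Raise it if a responder legitimately
        // exceeds it.
        final int maxResponseBytes = 1 << 20;
        InputStream inputStream = connection.getInputStream();
        try {
            int contentLength = connection.getContentLength();
            if (contentLength > maxResponseBytes) {
                throw new java.io.IOException("OCSP response too large: " + contentLength + " bytes");
            }
            ByteArrayOutputStream body = new ByteArrayOutputStream(contentLength > 0 ? contentLength : 1024);
            byte[] chunk = new byte[4096];
            // -1 means no Content-Length header (e.g. chunked transfer): read until EOF.
            long remaining = contentLength >= 0 ? contentLength : Long.MAX_VALUE;
            while (remaining > 0) {
                int read = inputStream.read(chunk, 0, (int) Math.min(chunk.length, remaining));
                if (read < 0) {
                    break;
                }
                if (body.size() + read > maxResponseBytes) {
                    throw new java.io.IOException("OCSP response exceeds " + maxResponseBytes + " bytes");
                }
                body.write(chunk, 0, read);
                remaining -= read;
            }
            return body.size() > 0 ? body.toByteArray() : null;
        } finally {
            inputStream.close();
        }
    }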

    @Override // ee.sk.digidoc.factory.NotaryFactory
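    /**
     * Initialises this factory from the DigiDoc configuration.
     *
     * <p>Reads the proxy settings ({@code DIGIDOC_PROXY_HOST} / {@code DIGIDOC_PROXY_PORT}) and
     * publishes them as the JVM-wide {@code http.proxyHost} / {@code http.proxyPort} system
     * properties, registers the JCA provider named by {@code DIGIDOC_SECURITY_PROVIDER}, and, when
     * {@code SIGN_OCSP_REQUESTS} is {@code "true"}, loads the OCSP request signing key and
     * certificate from the PKCS#12 container named by {@code DIGIDOC_PKCS12_CONTAINER}.
     *
     * <p>The signing certificate is the member of the key entry's certificate chain whose serial
     * number equals {@code DIGIDOC_OCSP_SIGN_CERT_SERIAL}; when that property is absent or nothing
     * matches, {@code m_signCert} is left unset and a warning is logged.
     *
     * @throws DigiDocException (error code 67) when any step fails; the underlying exception is
     *     routed through {@link DigiDocException#handleException(Exception, int)}
     */
    public void init() throws DigiDocException {
        try {
            ConfigManager config = ConfigManager.instance();

            // Proxy settings are system properties, i.e. global to the whole JVM, not just to
            // this factory.
            String proxyHost = config.getProperty("DIGIDOC_PROXY_HOST");
            String proxyPort = config.getProperty("DIGIDOC_PROXY_PORT");
            if (proxyHost != null && proxyPort != null) {
                System.setProperty("http.proxyHost", proxyHost);
                System.setProperty("http.proxyPort", proxyPort);
            }

            String signRequests = config.getProperty("SIGN_OCSP_REQUESTS");
            this.m_bSignRequests = signRequests != null && signRequests.equals("true");

            // The provider class name is taken from configuration and whatever class it names is
            // instantiated and registered JVM-wide, so the configuration file must be trusted.
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance().
            String providerClass = config.getProperty("DIGIDOC_SECURITY_PROVIDER");
            Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());

            if (this.m_bSignRequests) {
                loadOcspSigningCredentials(config);
            }
        } catch (Exception e) {
            DigiDocException.handleException(e, 67);
        }
    }

    /**
     * Loads the OCSP request signing key and certificate from the configured PKCS#12 container.
     *
     * <p>Does nothing when {@code DIGIDOC_PKCS12_CONTAINER} or {@code DIGIDOC_PKCS12_PASSWD} is not
     * configured. The last key entry of the container is used as the signing key; the signing
     * certificate is the chain member whose serial number equals
     * {@code DIGIDOC_OCSP_SIGN_CERT_SERIAL}.
     *
     * @param config the active configuration
     * @throws java.io.IOException if the container cannot be read
     * @throws java.security.GeneralSecurityException if the keystore cannot be opened, holds no
     *     key entry, or the key cannot be recovered
     */
    private void loadOcspSigningCredentials(ConfigManager config)
            throws java.io.IOException, java.security.GeneralSecurityException {
        String containerPath = config.getProperty("DIGIDOC_PKCS12_CONTAINER");
        String containerPasswd = config.getProperty("DIGIDOC_PKCS12_PASSWD");
        String signCertSerial = config.getProperty("DIGIDOC_OCSP_SIGN_CERT_SERIAL");
        if (containerPath == null || containerPasswd == null) {
            return;
        }

        KeyStore keyStore = KeyStore.getInstance(SignatureFactory.SIGFAC_TYPE_PKCS12, EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME);
        FileInputStream in = new FileInputStream(containerPath);
        try {
            // The password arrives as a String from configuration; the char[] handed to load() is
            // only a copy of it and cannot be cleared independently of the configuration.
            keyStore.load(in, containerPasswd.toCharArray());
        } finally {
            // One close path instead of three duplicated ones; a close failure is logged rather
            // than allowed to mask the exception that is actually propagating.
            try {
                in.close();
            } catch (Exception e) {
                this.m_logger.error("Error closing input stream: " + e);
            }
        }

        // Last key entry wins, as before.
        Enumeration<String> aliases = keyStore.aliases();
        String keyAlias = null;
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (keyStore.isKeyEntry(alias)) {
                keyAlias = alias;
            }
        }
        if (keyAlias == null) {
            // Previously fell through to getKey(null, ...) and failed with an opaque exception.
            throw new java.security.KeyStoreException("No key entry found in PKCS#12 container " + containerPath);
        }
        this.m_signKey = (PrivateKey) keyStore.getKey(keyAlias, null);

        Certificate[] chain = keyStore.getCertificateChain(keyAlias);
        // Parse the wanted serial once rather than on every chain member.
        BigInteger wantedSerial = signCertSerial != null ? new BigInteger(signCertSerial) : null;
        for (int i = 0; chain != null && i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            if (this.m_logger.isInfoEnabled()) {
                this.m_logger.info("Cert " + i + " subject: " + ConvertUtils.convX509Name(cert.getSubjectX500Principal()));
                this.m_logger.info("Cert " + i + " issuer: " + ConvertUtils.convX509Name(cert.getIssuerX500Principal()));
                this.m_logger.info("Cert " + i + " serial: " + cert.getSerialNumber());
                this.m_logger.info("Cert " + i + " is-ca: " + ConvertUtils.isCACert(cert));
            }
            if (wantedSerial != null && cert != null && cert.getSerialNumber().equals(wantedSerial)) {
                this.m_signCert = cert;
            }
        }
        if (this.m_signCert == null) {
            // Signing was requested but nothing selected a certificate; later signing will fail,
            // so say why now instead of at the first OCSP request.
            this.m_logger.warn("SIGN_OCSP_REQUESTS is enabled but no certificate in " + containerPath
                    + " matches DIGIDOC_OCSP_SIGN_CERT_SERIAL; OCSP requests cannot be signed");
        }
    }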
}
