package net.maritimeconnectivity.pki.ocsp;

import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import net.maritimeconnectivity.pki.PKIConstants;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: input_file:net/maritimeconnectivity/pki/ocsp/OCSPClient.class */
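/**
 * Minimal OCSP client (RFC 6960) that asks the responder named in the certificate's
 * Authority Information Access extension whether {@code certificate} has been revoked.
 *
 * <p>A response is accepted only if it echoes the random nonce sent in the request, is signed
 * either by the issuing CA or by a responder certificate the CA issued for OCSP signing, carries
 * a status for the requested CertID (issuer hashes + serial, not the serial alone), and is
 * current according to its thisUpdate/nextUpdate. Any failure to establish these properties is
 * reported as an {@link OCSPValidationException} (or {@code false} from {@link #checkOCSP()}),
 * never as a "good" status.
 *
 * <p>Instances are not thread-safe: the request nonce and the last revocation details are kept
 * in instance fields. Unlike the previous version, the nonce is no longer a static field shared
 * by every client in the JVM.
 */
public class OCSPClient {

    /** Length of the random request nonce in octets (RFC 8954 bounds it to 1..32). */
    private static final int NONCE_LENGTH = 16;
    /** Network timeouts so an unresponsive responder cannot block the caller indefinitely. */
    private static final int CONNECT_TIMEOUT_MS = 10_000;
    private static final int READ_TIMEOUT_MS = 10_000;
    /** Upper bound on the response body we are willing to buffer; real responses are a few KB. */
    private static final int MAX_RESPONSE_BYTES = 64 * 1024;
    /** Clock skew tolerated when comparing thisUpdate/nextUpdate against local time. */
    private static final long CLOCK_SKEW_MS = 5L * 60 * 1000;

    private static final SecureRandom RANDOM = new SecureRandom();

    static {
        // Register BC once. The original re-added the provider on every request.
        if (Security.getProvider(PKIConstants.BC_PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    private final X509Certificate issuer;
    private final X509Certificate certificate;
    /** OCSP responder URL from the certificate's AIA extension, or null if none is present. */
    private final URL url;
    /** Nonce sent with the most recent request of THIS client instance. */
    private byte[] sentNonce;
    /** Revocation details of the last REVOKED answer, exposed via {@link #getRevokedStatus()}. */
    private RevokedStatus revokedStatus = null;

    /**
     * @param issuer      the CA certificate that issued {@code certificate}; responses must be
     *                    signed by it or by a responder certificate it issued
     * @param certificate the certificate whose revocation status is to be checked
     */
    public OCSPClient(X509Certificate issuer, X509Certificate certificate) {
        this.issuer = Objects.requireNonNull(issuer, "issuer");
        this.certificate = Objects.requireNonNull(certificate, "certificate");
        this.url = getOcspUrlFromCertificate(certificate);
    }

    /**
     * Extracts the first HTTP(S) OCSP responder URL (accessMethod id-ad-ocsp, location of type
     * uniformResourceIdentifier) from the certificate's Authority Information Access extension.
     *
     * @return the responder URL, or {@code null} when the certificate has no usable OCSP entry
     *         or the extension cannot be parsed (the caller then refuses to validate)
     */
    public static URL getOcspUrlFromCertificate(X509Certificate cert) {
        byte[] aia = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (aia == null) {
            return null;
        }
        try {
            // getExtensionValue() returns the DER OCTET STRING wrapper; unwrap before parsing the AIA.
            byte[] aiaDer = ASN1OctetString.getInstance(aia).getOctets();
            AuthorityInformationAccess access = AuthorityInformationAccess.getInstance(aiaDer);
            for (AccessDescription description : access.getAccessDescriptions()) {
                if (!AccessDescription.id_ad_ocsp.equals(description.getAccessMethod())) {
                    continue;
                }
                GeneralName location = description.getAccessLocation();
                if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
                    continue;
                }
                URL candidate = new URL(location.getName().toString());
                String scheme = candidate.getProtocol();
                // The URL is later cast to HttpURLConnection; reject anything else up front.
                if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
                    return candidate;
                }
            }
        } catch (IOException | IllegalArgumentException e) {
            // Malformed AIA or URL: treated as "no OCSP responder", as before; the caller fails closed.
        }
        return null;
    }

    /**
     * @return revocation details from the last {@link #getCertificateStatus()} call that returned
     *         {@link CertStatus#REVOKED}, otherwise empty
     */
    public Optional<RevokedStatus> getRevokedStatus() {
        return Optional.ofNullable(this.revokedStatus);
    }

    /**
     * Queries the responder and returns the validated status of {@code certificate}.
     *
     * @return GOOD, REVOKED (details via {@link #getRevokedStatus()}) or UNKNOWN
     * @throws OCSPValidationException if the certificate names no OCSP responder, the transport
     *         fails, or the response fails any of the checks described on the class
     */
    public CertStatus getCertificateStatus() throws OCSPValidationException {
        if (url == null) {
            throw new OCSPValidationException("Certificate not validated by OCSP");
        }
        try {
            CertificateID certId = requestCertId();
            byte[] responseDer = exchange(buildRequest(certId).getEncoded());
            BasicOCSPResp basicResponse = parseBasicResponse(responseDer);
            verifyNonce(basicResponse);
            verifyResponderSignature(basicResponse);
            SingleResp single = findResponseFor(basicResponse, certId);
            checkFreshness(single);
            return translateStatus(single.getCertStatus());
        } catch (OperatorCreationException | OCSPException | IOException | CertException | CertificateException e) {
            throw new OCSPValidationException("Unable to perform validation through OCSP (" + certificate.getSubjectX500Principal().getName() + ")", e);
        }
    }

    /**
     * Convenience wrapper: {@code true} only for a validated GOOD answer. Every error, including
     * transport failures and responses that fail validation, yields {@code false} (fail closed).
     */
    public boolean checkOCSP() throws OCSPValidationException {
        try {
            return getCertificateStatus() == CertStatus.GOOD;
        } catch (OCSPValidationException e) {
            return false;
        }
    }

    /** CertID for the request: SHA-1 of issuer name/key plus the serial, as RFC 6960 §4.1.1 uses to identify the target. */
    private CertificateID requestCertId() throws OperatorCreationException, OCSPException, CertificateEncodingException {
        // SHA-1 here only names the issuer to the responder; it is not a security boundary.
        return new JcaCertificateID(
                new JcaDigestCalculatorProviderBuilder().setProvider(PKIConstants.BC_PROVIDER_NAME).build().get(CertificateID.HASH_SHA1),
                issuer,
                certificate.getSerialNumber());
    }

    /** Builds the request for {@code certId} with a fresh random nonce, remembered for {@link #verifyNonce}. */
    private OCSPReq buildRequest(CertificateID certId) throws OCSPException {
        OCSPReqBuilder builder = new OCSPReqBuilder();
        builder.addRequest(certId);
        // A predictable nonce (the original used the wall-clock millis) lets an attacker pre-compute
        // a matching reply; use CSPRNG bytes instead.
        sentNonce = new byte[NONCE_LENGTH];
        RANDOM.nextBytes(sentNonce);
        Extension nonce = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(sentNonce));
        builder.setRequestExtensions(new Extensions(new Extension[] {nonce}));
        return builder.build();
    }

    /** POSTs the DER request to the responder and returns the raw response body (HTTP 200 only). */
    private byte[] exchange(byte[] requestDer) throws IOException, OCSPValidationException {
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        connection.setConnectTimeout(CONNECT_TIMEOUT_MS);
        connection.setReadTimeout(READ_TIMEOUT_MS);
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-Type", "application/ocsp-request");
        connection.setRequestProperty("Accept", "application/ocsp-response");
        connection.setDoOutput(true);
        try (OutputStream out = connection.getOutputStream()) {
            out.write(requestDer);
        }
        int code = connection.getResponseCode();
        if (code != HttpURLConnection.HTTP_OK) {
            throw new OCSPValidationException("Received HTTP code != 200 [" + code + "]");
        }
        try (InputStream in = connection.getInputStream()) {
            return readBounded(in, MAX_RESPONSE_BYTES);
        }
    }

    /** Reads the whole stream but refuses to buffer more than {@code limit} bytes. */
    private static byte[] readBounded(InputStream in, int limit) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            if (buffer.size() + n > limit) {
                throw new IOException("OCSP response exceeds " + limit + " bytes");
            }
            buffer.write(chunk, 0, n);
        }
        return buffer.toByteArray();
    }

    /** Checks the outer response status and unwraps the BasicOCSPResponse; the original cast blindly. */
    private static BasicOCSPResp parseBasicResponse(byte[] responseDer)
            throws IOException, OCSPException, OCSPValidationException {
        OCSPResp response = new OCSPResp(responseDer);
        if (response.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new OCSPValidationException("OCSP responder returned status " + response.getStatus());
        }
        Object responseObject = response.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new OCSPValidationException("OCSP response does not carry a BasicOCSPResponse");
        }
        return (BasicOCSPResp) responseObject;
    }

    /** Requires the response to echo exactly the nonce sent in the request. */
    private void verifyNonce(BasicOCSPResp response) throws OCSPValidationException {
        Extension echoed = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        // RFC 8954 lets a responder omit the nonce; this client fails closed in that case (the
        // original also failed, by dereferencing the null extension).
        if (echoed == null) {
            throw new OCSPValidationException("OCSP response does not contain the requested nonce");
        }
        // Compare the extension VALUE. The original compared getExtnId() — the extension's OID — on
        // both sides, which is identical for every response, so the check could never fail.
        if (!MessageDigest.isEqual(echoed.getExtnValue().getOctets(), sentNonce)) {
            throw new OCSPValidationException("Nonce in ocsp response does not match nonce of ocsp request");
        }
    }

    /**
     * Accepts a response signed by the issuing CA directly, or by an embedded responder certificate
     * that is currently valid, carries id-kp-OCSPSigning and was itself signed by the issuer.
     * The original indexed getCerts()[0] unconditionally, which throws when the CA signs directly
     * and includes no certificates.
     */
    private void verifyResponderSignature(BasicOCSPResp response)
            throws OperatorCreationException, OCSPException, CertException, CertificateException, OCSPValidationException {
        if (response.isSignatureValid(verifierFor(issuer))) {
            return;
        }
        Date now = new Date();
        for (X509CertificateHolder responderCert : response.getCerts()) {
            if (!response.isSignatureValid(verifierFor(responderCert))) {
                continue;
            }
            if (!responderCert.isValidOn(now)) {
                throw new OCSPValidationException("Certificate is not valid today!");
            }
            Extensions extensions = responderCert.getExtensions();
            ExtendedKeyUsage eku = extensions == null ? null : ExtendedKeyUsage.fromExtensions(extensions);
            if (eku == null || !eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) {
                throw new OCSPValidationException("Certificate does not contain required extension (id_kp_OCSPSigning)");
            }
            // Delegation is only meaningful if the CA itself issued the responder certificate.
            if (!responderCert.isSignatureValid(verifierFor(issuer))) {
                throw new OCSPValidationException("Certificate is not signed by the same issuer");
            }
            // NOTE(review): the responder certificate's own revocation status is not checked here
            // (RFC 6960 §4.2.2.2.1, id-pkix-ocsp-nocheck) — confirm this matches the CA's policy.
            return;
        }
        throw new OCSPValidationException("Could not validate OCSP response!");
    }

    private static ContentVerifierProvider verifierFor(X509Certificate cert) throws OperatorCreationException {
        return new JcaContentVerifierProviderBuilder().setProvider(PKIConstants.BC_PROVIDER_NAME).build(cert);
    }

    private static ContentVerifierProvider verifierFor(X509CertificateHolder cert)
            throws OperatorCreationException, CertificateException {
        return new JcaContentVerifierProviderBuilder().setProvider(PKIConstants.BC_PROVIDER_NAME).build(cert);
    }

    /** Finds the SingleResp whose CertID equals the one we asked about; a serial alone is only unique per issuer. */
    private static SingleResp findResponseFor(BasicOCSPResp response, CertificateID certId) throws OCSPValidationException {
        for (SingleResp single : response.getResponses()) {
            if (certId.equals(single.getCertID())) {
                return single;
            }
        }
        throw new OCSPValidationException("OCSP response does not contain a status for the requested certificate");
    }

    /** Rejects answers produced in the future or past their nextUpdate (RFC 6960 §4.2.2.1), allowing for clock skew. */
    private static void checkFreshness(SingleResp single) throws OCSPValidationException {
        long now = System.currentTimeMillis();
        Date thisUpdate = single.getThisUpdate();
        if (thisUpdate == null || thisUpdate.getTime() > now + CLOCK_SKEW_MS) {
            throw new OCSPValidationException("OCSP response thisUpdate is in the future");
        }
        Date nextUpdate = single.getNextUpdate(); // optional in the protocol
        if (nextUpdate != null && nextUpdate.getTime() < now - CLOCK_SKEW_MS) {
            throw new OCSPValidationException("OCSP response has expired (nextUpdate is in the past)");
        }
    }

    /** Maps BC's status object to {@link CertStatus}, recording revocation details for {@link #getRevokedStatus()}. */
    private CertStatus translateStatus(CertificateStatus status) {
        // Reference comparison against CertificateStatus.GOOD, exactly as the original did.
        if (status == CertificateStatus.GOOD) {
            return CertStatus.GOOD;
        }
        if (status instanceof RevokedStatus) {
            revokedStatus = (RevokedStatus) status;
            return CertStatus.REVOKED;
        }
        return CertStatus.UNKNOWN;
    }
}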
