package no.digipost.security.ocsp;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Optional;
import no.digipost.security.DigipostSecurity;
import no.digipost.security.DigipostSecurityException;
import no.digipost.security.Sha1Calculator;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/digipost/security/ocsp/OcspLookup.class */
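/**
 * A prepared OCSP lookup for one certificate: the responder URI read from the certificate's
 * Authority Information Access (AIA) extension, plus the {@link CertificateID} identifying the
 * certificate to the responder.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The responder URI is taken from the certificate being checked. If that certificate has
 *       not yet been chain-validated against a trusted anchor, the URI is untrusted input and
 *       {@link #executeUsing(CloseableHttpClient)} will send an HTTP POST to whatever host it
 *       names. Callers should validate the chain first, or use an HTTP client whose timeouts,
 *       redirect policy and network egress are restricted accordingly.</li>
 *   <li>The request built here contains no nonce extension, so freshness of the answer has to be
 *       established by whoever evaluates the response (its validity interval and signature).
 *       This class does not verify the response.</li>
 * </ul>
 */
public final class OcspLookup {
    /** OID of the X.509 Authority Information Access extension. */
    static final String AUTHORITY_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
    private static final Logger LOG = LoggerFactory.getLogger(OcspLookup.class);

    /** OCSP responder URI as found in the certificate's AIA extension. */
    public final String uri;

    /** Identifier (issuer hashes and serial number) of the certificate to ask the responder about. */
    public final CertificateID certificateId;

    /**
     * Prepares an OCSP lookup for a certificate.
     *
     * @param x509Certificate the certificate whose revocation status is to be looked up
     * @param x509Certificate2 the issuer of {@code x509Certificate}
     * @return the lookup, or {@link Optional#empty()} if the certificate has no AIA extension,
     *         the extension holds no OCSP access description, or the certificate ID could not
     *         be built; the two failure cases are logged at WARN level
     */
    public static Optional<OcspLookup> newLookup(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        byte[] authorityInfoAccess = x509Certificate.getExtensionValue(AUTHORITY_INFO_ACCESS_OID);
        if (authorityInfoAccess == null) {
            // No AIA extension: the certificate names no OCSP responder.
            return Optional.empty();
        }
        try {
            String responderUri = extractResponderUri(authorityInfoAccess);
            // The digest only identifies the issuer (name and key hashes) inside the CertID; it is
            // not a signature. SHA-1 is what OCSP responders conventionally expect in this field.
            CertificateID id = new CertificateID(
                    new Sha1Calculator(),
                    new X509CertificateHolder(x509Certificate2.getEncoded()),
                    x509Certificate.getSerialNumber());
            return Optional.of(new OcspLookup(responderUri, id));
        } catch (OCSPException | IOException | CertificateEncodingException e) {
            LOG.warn("Failed to create certificate ID from issuer " + x509Certificate2 + " and certificate " + DigipostSecurity.describe(x509Certificate), e);
            return Optional.empty();
        } catch (RuntimeException e2) {
            // Covers a malformed or OCSP-less AIA extension, and also any unchecked failure while
            // building the certificate ID above (e.g. a null issuer).
            LOG.warn("Failed to extract OCSP uri from " + DigipostSecurity.describe(x509Certificate), e2);
            return Optional.empty();
        }
    }

    /**
     * Finds the OCSP access location inside an encoded AIA extension value.
     *
     * @param bArr the extension value as returned by {@link X509Certificate#getExtensionValue(String)}
     * @return the responder URI of the first access description whose method is id-pkix-ocsp
     * @throws DigipostSecurityException if no such access description exists or the bytes cannot
     *         be parsed
     */
    private static String extractResponderUri(byte[] bArr) {
        // NOTE(review): this listing is decompiler output and the intermediate casts on the ASN.1
        // calls below appear to have been dropped; confirm against the original source.
        try {
            Enumeration<?> accessDescriptions = ASN1Primitive.fromByteArray(ASN1Primitive.fromByteArray(bArr).getOctets()).getObjects();
            while (accessDescriptions.hasMoreElements()) {
                Object candidate = accessDescriptions.nextElement();
                if (!(candidate instanceof DLSequence)) {
                    continue;
                }
                DLSequence accessDescription = (DLSequence) candidate;
                if (OCSPObjectIdentifiers.id_pkix_ocsp.equals(accessDescription.getObjectAt(0))) {
                    DERTaggedObject objectAt = accessDescription.getObjectAt(1);
                    // A URI access location is ASCII text; decode it explicitly instead of relying
                    // on the platform default charset, so the result is the same on every host.
                    return new String(objectAt.getObjectParser(objectAt.getTagNo(), true).getOctets(), StandardCharsets.US_ASCII);
                }
            }
            throw new DigipostSecurityException("Object identifier " + OCSPObjectIdentifiers.id_pkix_ocsp + " not found");
        } catch (IOException e) {
            // Parse failure of the extension bytes; reported with the same message as "not found".
            throw new DigipostSecurityException("Object identifier " + OCSPObjectIdentifiers.id_pkix_ocsp + " not found", e);
        }
    }

    private OcspLookup(String str, CertificateID certificateID) {
        this.certificateId = certificateID;
        this.uri = str;
    }

    /**
     * Sends the OCSP request for {@link #certificateId} to {@link #uri} as an HTTP POST.
     *
     * <p>The returned {@link OcspResult} wraps the raw HTTP response; nothing in this method
     * inspects the status code, body or signature. NOTE(review): the response obtained from the
     * client is handed to {@code OcspResult} unclosed, so presumably the result owns and closes
     * it; confirm against {@code OcspResult}.
     *
     * @param closeableHttpClient the client to execute the request with; since the target URI
     *        originates from the certificate, a client with bounded timeouts is advisable
     * @return the result wrapping the responder's HTTP response
     * @throws DigipostSecurityException if the request cannot be built or the HTTP exchange fails
     */
    public OcspResult executeUsing(CloseableHttpClient closeableHttpClient) {
        try {
            // Single-certificate request without extensions (in particular, no nonce).
            byte[] encodedRequest = new OCSPReqBuilder().addRequest(this.certificateId).build().getEncoded();
            return new OcspResult(this.uri, closeableHttpClient.execute(
                    RequestBuilder.post()
                            .setUri(this.uri)
                            .addHeader("Content-Type", "application/ocsp-request")
                            .setEntity(new ByteArrayEntity(encodedRequest))
                            .build()));
        } catch (OCSPException | IOException e) {
            throw new DigipostSecurityException((Throwable) e);
        }
    }

    @Override
    public String toString() {
        return "OCSP-lookup to responder uri " + this.uri;
    }
}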
