package com.ibm.security.cert;

import com.ibm.misc.Debug;
import com.ibm.security.x509.AccessDescription;
import com.ibm.security.x509.GeneralName;
import com.ibm.security.x509.X500Name;
import com.ibm.security.x509.X509CertImpl;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/ibm/security/cert/OCSPChecker.class */
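public class OCSPChecker extends PKIXCertPathChecker {
    /** Security property that switches OCSP checking on. */
    public static final String OCSP_ENABLE = "ocsp.enable";
    /** Security property naming a fixed responder URL; when it is absent or malformed the AIA extension of each certificate is used instead. */
    public static final String OCSP_URL = "ocsp.responderURL";
    /** Security property: subject name of the responder certificate that must sign responses. */
    public static final String OCSP_CERT_SUBJECT = "ocsp.responderCertSubjectName";
    /** Security property: issuer name of the responder certificate (paired with {@link #OCSP_CERT_SERIAL_NUMBER}). */
    public static final String OCSP_CERT_ISSUER = "ocsp.responderCertIssuerName";
    /** Security property: serial number of the responder certificate (paired with {@link #OCSP_CERT_ISSUER}). */
    public static final String OCSP_CERT_SERIAL_NUMBER = "ocsp.responderCertSerialNumber";

    // CertStatus.getStatus() values this checker compares against (0 = good, 1 = revoked, 2 = unknown).
    private static final int STATUS_GOOD = 0;
    private static final int STATUS_REVOKED = 1;
    private static final int STATUS_UNKNOWN = 2;
    // OCSPResponse.getResponseStatus().getStatus() value meaning "successful".
    private static final int RESPONSE_STATUS_SUCCESSFUL = 0;
    // GeneralName type tag for uniformResourceIdentifier (the literal 6 used for AIA access locations).
    private static final int GENERAL_NAME_URI = 6;
    // Upper bound on the bytes accepted from a responder. Chosen default (not inherited from the
    // previous implementation, which sized its buffer from Content-Length, or Integer.MAX_VALUE when
    // absent); raise it if responders legitimately send larger responses.
    private static final int MAX_RESPONSE_BYTES = 1024 * 1024;
    private static final int READ_CHUNK_BYTES = 4096;
    private static final String CONTENT_TYPE_OCSP_REQUEST = "application/ocsp-request";

    private final URL responderURL;
    private final String responderIssuerName;
    private final String responderSubjectName;
    private final BigInteger responderSerialNumber;
    private final CertPath certPath;
    // Set by init(); NOTE(review): nothing in this class reads it afterwards, so check() re-queries the
    // whole chain on every call. Confirm with the PKIX engine whether a once-per-path guard was intended.
    private int remainingCerts;
    private final Set<TrustAnchor> trustAnchors;
    private final List<CertStore> certStores;
    private static final Debug debug = Debug.getInstance("certpath");

    /**
     * Creates a checker whose responder certificate is located by subject name.
     *
     * @param str responder URL; a malformed value is logged (in debug mode) and AIA lookup is used instead
     * @param str2 subject name of the responder certificate, in any form {@link X500Name} accepts
     * @param certPath the path being validated
     * @param pKIXParameters source of trust anchors and certificate stores
     * @throws CertPathValidatorException if {@code str2} cannot be parsed as an X.500 name
     */
    public OCSPChecker(String str, String str2, CertPath certPath, PKIXParameters pKIXParameters) throws CertPathValidatorException {
        this.responderURL = parseResponderUrl(str);
        this.responderSubjectName = toRfc2253(str2);
        this.responderIssuerName = null;
        this.responderSerialNumber = null;
        this.certPath = certPath;
        this.trustAnchors = pKIXParameters.getTrustAnchors();
        this.certStores = pKIXParameters.getCertStores();
    }

    /**
     * Creates a checker whose responder certificate is located by issuer name and serial number.
     *
     * @param str responder URL; a malformed value is logged (in debug mode) and AIA lookup is used instead
     * @param str2 issuer name of the responder certificate, in any form {@link X500Name} accepts
     * @param bigInteger serial number of the responder certificate
     * @param certPath the path being validated
     * @param pKIXParameters source of trust anchors and certificate stores
     * @throws CertPathValidatorException if {@code str2} cannot be parsed as an X.500 name
     */
    public OCSPChecker(String str, String str2, BigInteger bigInteger, CertPath certPath, PKIXParameters pKIXParameters) throws CertPathValidatorException {
        this.responderURL = parseResponderUrl(str);
        this.responderSubjectName = null;
        this.responderIssuerName = toRfc2253(str2);
        this.responderSerialNumber = bigInteger;
        this.certPath = certPath;
        this.trustAnchors = pKIXParameters.getTrustAnchors();
        this.certStores = pKIXParameters.getCertStores();
    }

    /** Parses the configured responder URL, returning {@code null} (after a debug log) when it is unusable. */
    private static URL parseResponderUrl(String spec) {
        try {
            return new URL(spec);
        } catch (MalformedURLException e) {
            logDebug(e.getMessage());
            return null;
        }
    }

    /** Normalises a distinguished name to its RFC 2253 string form so it can be compared with {@code equals}. */
    private static String toRfc2253(String name) throws CertPathValidatorException {
        try {
            return new X500Name(name).getRFC2253Name();
        } catch (IOException e) {
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * {@inheritDoc}
     *
     * @throws CertPathValidatorException if forward checking is requested; only reverse order is supported
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("Forward checking not supported");
        }
        this.remainingCerts = this.certPath.getCertificates().size();
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** This checker resolves no critical extensions itself. */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        return Collections.emptySet();
    }

    /**
     * Obtains OCSP status for every certificate of the path and fails validation unless all are "good".
     *
     * <p>When responder-certificate properties are configured, the responder certificate is located first
     * and validation fails if it cannot be found; otherwise each response is verified against the
     * certificate's own issuer.
     *
     * @param certificate the certificate the PKIX engine is currently checking (not used: the whole path is queried)
     * @param collection unresolved critical extensions (not used)
     * @throws CertPathValidatorException if any certificate is revoked, of unknown status, or the responder cannot be consulted
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        List<? extends Certificate> certificates = this.certPath.getCertificates();
        X509Certificate[] chain = certificates.toArray(new X509Certificate[certificates.size()]);
        boolean responderPinned = this.responderSubjectName != null
                || (this.responderIssuerName != null && this.responderSerialNumber != null);
        TrustAnchor responderAnchor = null;
        if (this.responderSubjectName != null) {
            responderAnchor = getResponderTA(this.responderSubjectName, chain);
        } else if (responderPinned) {
            responderAnchor = getResponderTA(this.responderSerialNumber, this.responderIssuerName, chain);
        }
        if (responderPinned && responderAnchor == null) {
            throw new CertPathValidatorException("Cannot find the responder's certificate (set using the OCSP security properties).");
        }
        internalCheck(chain, responderAnchor);
    }

    /** RFC 2253 subject of {@code cert}, via the IBM implementation when available. */
    private static String subjectRfc2253(X509Certificate cert) {
        if (cert instanceof X509CertImpl) {
            return ((X509CertImpl) cert).getSubjectDN().getRFC2253Name();
        }
        return cert.getSubjectX500Principal().getName("RFC2253");
    }

    /** RFC 2253 issuer of {@code cert}, via the IBM implementation when available. */
    private static String issuerRfc2253(X509Certificate cert) {
        if (cert instanceof X509CertImpl) {
            return ((X509CertImpl) cert).getIssuerDN().getRFC2253Name();
        }
        return cert.getIssuerX500Principal().getName("RFC2253");
    }

    /** True when {@code cert} is non-null and carries the given issuer name and serial number. */
    private static boolean matchesIssuerAndSerial(X509Certificate cert, String issuerRfc2253, BigInteger serial) {
        return cert != null
                && issuerRfc2253.equals(issuerRfc2253(cert))
                && serial.equals(cert.getSerialNumber());
    }

    /** Wraps the first certificate any configured store returns for {@code selector} as a trust anchor, or {@code null}. */
    private TrustAnchor firstMatchFromStores(X509CertSelector selector) throws CertStoreException {
        for (CertStore store : this.certStores) {
            Iterator<? extends Certificate> matches = store.getCertificates(selector).iterator();
            if (matches.hasNext()) {
                return new TrustAnchor((X509Certificate) matches.next(), null);
            }
        }
        return null;
    }

    /**
     * Locates the responder certificate by RFC 2253 subject name, searching the trust anchors, then the
     * path, then the certificate stores.
     *
     * @param str RFC 2253 subject name (non-null)
     * @param x509CertificateArr certificates of the path, may be {@code null}
     * @return an anchor wrapping the matching certificate, or {@code null} when nothing matches
     * @throws CertPathValidatorException if the selector cannot be built or a store lookup fails
     */
    private TrustAnchor getResponderTA(String str, X509Certificate[] x509CertificateArr) throws CertPathValidatorException {
        for (TrustAnchor anchor : this.trustAnchors) {
            String caName = anchor.getCAName();
            if (caName == null) {
                X509Certificate trustedCert = anchor.getTrustedCert();
                if (str.equals(subjectRfc2253(trustedCert))) {
                    return new TrustAnchor(trustedCert, null);
                }
            } else if (caName.equals(str)) {
                return anchor;
            }
        }
        if (x509CertificateArr != null) {
            for (X509Certificate cert : x509CertificateArr) {
                if (str.equals(subjectRfc2253(cert))) {
                    return new TrustAnchor(cert, null);
                }
            }
        }
        X509CertSelector selector = new X509CertSelector();
        try {
            selector.setSubject(str);
            logDebug("CERTPATH, get responder cert using selector-" + selector);
            return firstMatchFromStores(selector);
        } catch (IOException | CertStoreException e) {
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Locates the responder certificate by issuer name and serial number, searching the trust anchors,
     * then the path, then the certificate stores. Name-only trust anchors (no certificate) are skipped.
     *
     * @param bigInteger serial number (non-null)
     * @param str RFC 2253 issuer name (non-null)
     * @param x509CertificateArr certificates of the path, may be {@code null}
     * @return an anchor wrapping the matching certificate, or {@code null} when nothing matches
     * @throws CertPathValidatorException if the selector cannot be built or a store lookup fails
     */
    private TrustAnchor getResponderTA(BigInteger bigInteger, String str, X509Certificate[] x509CertificateArr) throws CertPathValidatorException {
        for (TrustAnchor anchor : this.trustAnchors) {
            X509Certificate trustedCert = anchor.getTrustedCert();
            if (matchesIssuerAndSerial(trustedCert, str, bigInteger)) {
                return new TrustAnchor(trustedCert, null);
            }
        }
        if (x509CertificateArr != null) {
            for (X509Certificate cert : x509CertificateArr) {
                if (matchesIssuerAndSerial(cert, str, bigInteger)) {
                    return new TrustAnchor(cert, null);
                }
            }
        }
        X509CertSelector selector = new X509CertSelector();
        selector.setSerialNumber(bigInteger);
        try {
            selector.setIssuer(str);
            logDebug("CERTPATH: get responder cert using selector -" + selector.toString());
            return firstMatchFromStores(selector);
        } catch (IOException | CertStoreException e) {
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Queries OCSP for every certificate in {@code chain} and throws unless each one is reported "good".
     *
     * @param chain certificates of the path, leaf first, last element issued by a trust anchor
     * @param responderAnchor anchor whose key must have signed the responses, or {@code null} to use each issuer's key
     * @throws CertPathValidatorException on revocation, unknown/undetermined status, or responder failure
     */
    private void internalCheck(X509Certificate[] chain, TrustAnchor responderAnchor) throws CertPathValidatorException {
        CertID[] certIds = buildCertIds(chain);
        SingleRequest[] requests = new SingleRequest[certIds.length];
        for (int i = 0; i < certIds.length; i++) {
            requests[i] = new SingleRequest(certIds[i], null);
        }
        CertStatus[] statuses;
        if (this.responderURL != null) {
            // One request for the whole chain to the configured responder.
            statuses = queryResponder(this.responderURL, requests, certIds, responderAnchor);
        } else {
            // No configured responder: ask each certificate's own AIA responder. Transport, parse and
            // verification failures become a null status, which evaluateStatuses() reports as undetermined.
            statuses = new CertStatus[certIds.length];
            for (int i = 0; i < chain.length; i++) {
                CertStatus status;
                try {
                    URL url = findOcspUrl(chain[i]);
                    if (url == null) {
                        throw new IOException("Can't get the responder URL");
                    }
                    status = queryResponder(url, new SingleRequest[]{requests[i]}, new CertID[]{certIds[i]}, responderAnchor)[0];
                } catch (IOException e) {
                    logDebug("CERTPATH: internal error 2, " + e.getMessage());
                    status = null;
                } catch (CertPathValidatorException e) {
                    logDebug("CERTPATH: internal error 3, " + e.getMessage());
                    status = null;
                } catch (CertificateException e) {
                    logDebug("CERTPATH: internal error 1 , " + e.getMessage());
                    status = null;
                }
                // Fail fast on revocation before contacting the remaining responders.
                if (status != null && status.getStatus() == STATUS_REVOKED) {
                    throw new CertPathValidatorException("certificate is revoked", new OCSPCertRevokedException(this.certPath, i));
                }
                statuses[i] = status;
            }
        }
        evaluateStatuses(statuses, chain);
    }

    /**
     * Builds a CertID per certificate from its issuer: the next certificate in the chain, or for the last
     * certificate the trust anchor that issued it.
     *
     * @throws CertPathValidatorException if no trust anchor issued the last certificate
     */
    private CertID[] buildCertIds(X509Certificate[] chain) throws CertPathValidatorException {
        CertID[] certIds = new CertID[chain.length];
        int last = chain.length - 1;
        for (int i = last; i >= 0; i--) {
            if (i != last) {
                certIds[i] = new CertID(chain[i + 1], chain[i]);
                continue;
            }
            TrustAnchor issuerAnchor = getTrustAnchor(chain[i], this.trustAnchors);
            if (issuerAnchor == null) {
                throw new CertPathValidatorException("Unable to find the issuer cert");
            }
            X509Certificate anchorCert = issuerAnchor.getTrustedCert();
            if (anchorCert != null) {
                certIds[i] = new CertID(anchorCert, chain[i]);
            } else {
                // Name-and-key anchor: CertID is derived from the anchor's name and public key directly.
                certIds[i] = new CertID(issuerAnchor.getCAName(), issuerAnchor.getCAPublicKey(), chain[i].getSerialNumber(), null);
            }
        }
        return certIds;
    }

    /**
     * Returns the first well-formed OCSP responder URL from the certificate's Authority Information
     * Access extension, or {@code null} if it has none. Malformed URIs are skipped (logged in debug mode).
     *
     * @throws CertificateException if a non-IBM certificate cannot be re-encoded
     * @throws IOException if the extension cannot be read
     */
    private static URL findOcspUrl(X509Certificate cert) throws CertificateException, IOException {
        X509CertImpl impl = cert instanceof X509CertImpl
                ? (X509CertImpl) cert
                : new X509CertImpl(cert.getEncoded());
        // NOTE(review): assumes getAuthorityInformationAccess() never returns null; confirm against X509CertImpl.
        for (AccessDescription accessDescription : impl.getAuthorityInformationAccess()) {
            if (!accessDescription.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id)) {
                continue;
            }
            GeneralName accessLocation = accessDescription.getAccessLocation();
            if (accessLocation.getType() != GENERAL_NAME_URI) {
                continue;
            }
            try {
                return new URL(accessLocation.getName().getName());
            } catch (MalformedURLException e) {
                debugTrace(e);
            }
        }
        return null;
    }

    /**
     * Sends one OCSP request to {@code url} and returns the parsed, verified statuses for {@code certIds}.
     * The connection is always disconnected afterwards.
     *
     * @throws CertPathValidatorException if the URL is not HTTP(S), on any I/O failure, or if the response is invalid
     */
    private CertStatus[] queryResponder(URL url, SingleRequest[] requests, CertID[] certIds, TrustAnchor responderAnchor) throws CertPathValidatorException {
        HttpURLConnection connection;
        try {
            URLConnection raw = url.openConnection();
            // The responder URL may come from the certificate's AIA extension; refuse non-HTTP schemes
            // explicitly instead of failing with a ClassCastException.
            if (!(raw instanceof HttpURLConnection)) {
                throw new CertPathValidatorException("OCSP responder URL is not an HTTP URL: " + url);
            }
            connection = (HttpURLConnection) raw;
        } catch (IOException e) {
            throw new CertPathValidatorException(e);
        }
        try {
            sendRequest(connection, new OCSPRequest(requests).encode());
            return checkResponse(connection, certIds, responderAnchor);
        } catch (IOException e) {
            debugTrace(e);
            throw new CertPathValidatorException(e);
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Applies the per-certificate verdicts: "good" passes, anything else fails validation. A status the
     * checker does not recognise is treated as undetermined rather than silently accepted.
     */
    private void evaluateStatuses(CertStatus[] statuses, X509Certificate[] chain) throws CertPathValidatorException {
        for (int i = 0; i < statuses.length; i++) {
            CertStatus status = statuses[i];
            X509Certificate cert = chain[i];
            if (status == null) {
                logDebug("CERTPATH: error getting cert status for certificate, serial number is " + cert.getSerialNumber() + ", subject is " + cert.getSubjectDN().getName());
                throw new CertPathValidatorException("certificate status undetermined", new OCSPCertPathStatusUnknownException(statuses, chain, this.certPath));
            }
            switch (status.getStatus()) {
                case STATUS_GOOD:
                    logDebug("CERTPATH: cert status is " + status.toString() + " for certificate " + cert.getSerialNumber() + ", subject is " + cert.getSubjectDN().getName());
                    break;
                case STATUS_REVOKED:
                    logDebug("CERTPATH: cert status is " + status.toString() + " for certificate " + cert.getSerialNumber() + ", subject is " + cert.getSubjectDN().getName());
                    throw new CertPathValidatorException("certificate is revoked", new OCSPCertRevokedException(this.certPath, i));
                case STATUS_UNKNOWN:
                    logDebug("CERTPATH: cert status is " + status.toString() + " for certificate serial number " + cert.getSerialNumber() + ", subject is " + cert.getSubjectDN().getName());
                    throw new CertPathValidatorException("certificate status unknown", new OCSPCertPathStatusUnknownException(statuses, chain, this.certPath));
                default:
                    // Fail closed: an unexpected status code must not pass as "good".
                    logDebug("CERTPATH: unexpected cert status " + status.toString() + " for certificate " + cert.getSerialNumber() + ", subject is " + cert.getSubjectDN().getName());
                    throw new CertPathValidatorException("certificate status undetermined", new OCSPCertPathStatusUnknownException(statuses, chain, this.certPath));
            }
        }
    }

    /**
     * Reads, parses and verifies the responder's reply.
     *
     * <p>The HTTP status is always checked (not only in debug mode). Each single response must be within
     * its {@code thisUpdate}/{@code nextUpdate} window; a stale or not-yet-valid one yields a {@code null}
     * status, as does a missing single response.
     *
     * @param httpURLConnection connection on which the request has already been sent
     * @param certIDArr identifiers the statuses are returned for, in order
     * @param trustAnchor anchor that must have signed the response, or {@code null} to accept each CertID's issuer key
     * @return one status per CertID, {@code null} where no usable status was obtained
     * @throws CertPathValidatorException on HTTP error, unsuccessful/undecodable response, oversized body, or signature failure
     */
    private CertStatus[] checkResponse(HttpURLConnection httpURLConnection, CertID[] certIDArr, TrustAnchor trustAnchor) throws CertPathValidatorException {
        byte[] encodedResponse;
        try {
            int responseCode = httpURLConnection.getResponseCode();
            if (responseCode != HttpURLConnection.HTTP_OK) {
                throw new CertPathValidatorException("Received HTTP error: " + responseCode + " - " + httpURLConnection.getResponseMessage());
            }
            encodedResponse = readResponseBody(httpURLConnection);
        } catch (IOException e) {
            debugTrace(e);
            throw new CertPathValidatorException(e);
        }

        BasicOCSPResponse basicOCSPResponse;
        try {
            OCSPResponse oCSPResponse = new OCSPResponse(encodedResponse);
            int responseStatus = oCSPResponse.getResponseStatus().getStatus();
            if (responseStatus != RESPONSE_STATUS_SUCCESSFUL) {
                throw new CertPathValidatorException("Unsuccessful OCSP response",
                        new OCSPException(OCSPException.setResponseErrorMsg(responseStatus)));
            }
            if (oCSPResponse.getResponseData() == null) {
                throw new CertPathValidatorException("No response data");
            }
            logDebug("Get response type: " + oCSPResponse.getResponseType());
            basicOCSPResponse = new BasicOCSPResponse(oCSPResponse.getResponseData());
        } catch (IOException e) {
            debugTrace(e);
            throw new CertPathValidatorException(e);
        }

        Set<TrustAnchor> verifiers = new HashSet<>();
        if (trustAnchor == null) {
            for (CertID certId : certIDArr) {
                verifiers.add(new TrustAnchor(certId.getIssuerName(), certId.getIssuerPublicKey(), (byte[]) null));
            }
        } else {
            verifiers.add(trustAnchor);
        }

        try {
            basicOCSPResponse.verify(verifiers);
            CertStatus[] statuses = new CertStatus[certIDArr.length];
            Date now = new Date();
            for (int i = 0; i < certIDArr.length; i++) {
                SingleResponse singleResponse = basicOCSPResponse.getSingleResponse(certIDArr[i]);
                statuses[i] = (singleResponse != null && isCurrent(singleResponse, now))
                        ? singleResponse.getCertStatus()
                        : null;
            }
            return statuses;
        } catch (OCSPException | IOException e) {
            debugTrace(e);
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * True when {@code now} lies within the single response's validity window. A missing
     * {@code thisUpdate} is treated as not current (fail closed); a missing {@code nextUpdate} imposes no upper bound.
     */
    private static boolean isCurrent(SingleResponse singleResponse, Date now) {
        Date thisUpdate = singleResponse.getThisUpdate();
        Date nextUpdate = singleResponse.getNextUpdate();
        if (nextUpdate != null && nextUpdate.before(now)) {
            return false;
        }
        return thisUpdate != null && !thisUpdate.after(now);
    }

    /**
     * Reads the whole response body, bounded by {@link #MAX_RESPONSE_BYTES}.
     *
     * @throws IOException on read failure or if the declared or actual size exceeds the bound
     */
    private static byte[] readResponseBody(HttpURLConnection connection) throws IOException {
        int declaredLength = connection.getContentLength();
        if (declaredLength > MAX_RESPONSE_BYTES) {
            throw new IOException("OCSP response too large: " + declaredLength + " bytes");
        }
        try (InputStream in = connection.getInputStream()) {
            ByteArrayOutputStream body = new ByteArrayOutputStream(declaredLength > 0 ? declaredLength : READ_CHUNK_BYTES);
            byte[] chunk = new byte[READ_CHUNK_BYTES];
            int total = 0;
            int n;
            while ((n = in.read(chunk)) != -1) {
                total += n;
                if (total > MAX_RESPONSE_BYTES) {
                    throw new IOException("OCSP response exceeds " + MAX_RESPONSE_BYTES + " bytes");
                }
                body.write(chunk, 0, n);
            }
            return body.toByteArray();
        }
    }

    /**
     * POSTs the DER-encoded request to the responder.
     *
     * <p>NOTE(review): no connect/read timeout is configured, so a stalled responder blocks path
     * validation indefinitely; confirm whether the caller sets one on the default URL handler.
     */
    private void sendRequest(HttpURLConnection httpURLConnection, byte[] bArr) throws IOException {
        httpURLConnection.setDoOutput(true);
        httpURLConnection.setDoInput(true);
        httpURLConnection.setRequestMethod("POST");
        httpURLConnection.setRequestProperty("Content-type", CONTENT_TYPE_OCSP_REQUEST);
        // The header must carry the byte count, not the array's toString() (the JDK may still replace it).
        httpURLConnection.setRequestProperty("Content-length", String.valueOf(bArr.length));
        try (OutputStream outputStream = httpURLConnection.getOutputStream()) {
            outputStream.write(bArr);
            outputStream.flush();
        }
    }

    /**
     * Searches the certificate stores for an issuer certificate whose public key verifies
     * {@code x509Certificate}'s signature. Candidates whose key does not verify are skipped.
     *
     * @return an anchor wrapping the verified issuer, or {@code null} if none was found
     */
    private TrustAnchor getTrustedCert(X509Certificate x509Certificate, List<CertStore> list) {
        String issuerName = x509Certificate.getIssuerX500Principal().getName("RFC2253");
        for (CertStore certStore : list) {
            Collection<? extends Certificate> candidates;
            try {
                X509CertSelector selector = new X509CertSelector();
                selector.setSubject(issuerName);
                candidates = certStore.getCertificates(selector);
            } catch (IOException | CertStoreException e) {
                logDebug(e.getMessage());
                continue;
            }
            for (Certificate candidate : candidates) {
                if (!(candidate instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate issuerCert = (X509Certificate) candidate;
                try {
                    x509Certificate.verify(issuerCert.getPublicKey());
                    return new TrustAnchor(issuerCert, null);
                } catch (GeneralSecurityException e) {
                    logDebug("CERTPATH: can not verify the signature" + e.getMessage());
                }
            }
        }
        return null;
    }

    /**
     * Finds the trust anchor that issued {@code x509Certificate}: a certificate anchor is matched by
     * subject name only (the PKIX engine has already verified the chain), a name-and-key anchor by name
     * plus a successful signature verification.
     *
     * @return the matching anchor, or {@code null} if none matches
     */
    private TrustAnchor getTrustAnchor(X509Certificate x509Certificate, Set<TrustAnchor> set) {
        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        String issuerName = issuer.getName("RFC2253");
        for (TrustAnchor trustAnchor : set) {
            X509Certificate trustedCert = trustAnchor.getTrustedCert();
            if (trustedCert != null) {
                if (trustedCert.getSubjectX500Principal().equals(issuer)) {
                    return trustAnchor;
                }
                continue;
            }
            if (!issuerName.equals(trustAnchor.getCAName())) {
                continue;
            }
            try {
                x509Certificate.verify(trustAnchor.getCAPublicKey());
                return trustAnchor;
            } catch (GeneralSecurityException e) {
                logDebug("CERTPATH: try to find the trust anchor of the cert chain " + e.getMessage());
            }
        }
        logDebug("CERTPATH: failed to find the trust anchor");
        return null;
    }

    /** Prints {@code message} to stdout when certpath debugging is enabled. */
    private static void logDebug(String message) {
        if (debug != null) {
            System.out.println(message);
        }
    }

    /** Prints the stack trace when certpath debugging is enabled. */
    private static void debugTrace(Throwable t) {
        if (debug != null) {
            t.printStackTrace();
        }
    }
}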
