package com.ibm.security.cert.deploy;

import com.ibm.misc.HexDumpEncoder;
import com.ibm.security.cert.deploy.OCSP;
import com.ibm.security.util.Debug;
import com.ibm.security.util.DerInputStream;
import com.ibm.security.util.DerValue;
import com.ibm.security.util.ObjectIdentifier;
import com.ibm.security.x509.AlgorithmId;
import com.ibm.security.x509.PKIXExtensions;
import com.ibm.security.x509.X500Name;
import com.ibm.security.x509.X509CertImpl;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CRLReason;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.Extension;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import sun.security.action.GetIntegerAction;

/* loaded from: input_file:jre/lib/ibmcertpathprovider.jar:com/ibm/security/cert/deploy/OCSPResponse.class */
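/**
 * Parsed and signature-checked form of an OCSP {@code OCSPResponse} structure.
 *
 * <p>The constructor decodes the DER bytes, and for a {@code successful} response with a
 * {@code BasicOCSPResponse} body it also selects the signer certificate (either one of the
 * caller-supplied trusted responder certificates or the first certificate carried in the
 * response's {@code certs} field, provided that one chains to a trusted responder and is
 * authorised for OCSP signing) and verifies the signature over {@code tbsResponseData}.
 * Each decoded {@code SingleResponse} is keyed by its {@link CertId} and can be looked up
 * with {@link #getSingleResponse(CertId)}.
 *
 * <p>Instances are immutable once constructed.
 */
public final class OCSPResponse {
    // ResponseStatus constants indexed by ordinal; the ordinal is the OCSPResponseStatus
    // ENUMERATED value (0 = successful ... 6 = unauthorized, 4 unused).
    private static final ResponseStatus[] rsvalues = ResponseStatus.values();
    private static final Debug DEBUG = Debug.getInstance("certpath");
    // True when the "ocsp" debug switch is on; the raw response bytes are then hex-dumped.
    private static final boolean dump;
    // id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1): the only responseType accepted here.
    private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID;
    // id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2): the only critical response extension tolerated.
    private static final ObjectIdentifier OCSP_NONCE_EXTENSION_OID;
    // CertStatus CHOICE tag numbers ([0] good, [1] revoked, [2] unknown). The parser below
    // compares the raw tag numbers directly; these names are kept for reference.
    private static final int CERT_STATUS_GOOD = 0;
    private static final int CERT_STATUS_REVOKED = 1;
    private static final int CERT_STATUS_UNKNOWN = 2;
    // ResponderID CHOICE tag numbers ([1] byName, [2] byKey); likewise compared as raw tags below.
    private static final int NAME_TAG = 1;
    private static final int KEY_TAG = 2;
    // id-kp-OCSPSigning: extended key usage a delegated responder certificate must carry.
    private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
    private final ResponseStatus responseStatus;
    private final Map<CertId, SingleResponse> singleResponseMap;
    // 15 minutes, in milliseconds.
    private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
    // Tolerance (milliseconds) applied when checking thisUpdate/nextUpdate against the local clock.
    private static final int MAX_CLOCK_SKEW;
    // CRLReason constants indexed by ordinal; the ordinal follows the RFC 5280 reason-code numbering.
    private static final CRLReason[] values;

    /**
     * OCSPResponseStatus values, in ENUMERATED order so that {@code ordinal()} equals the
     * encoded value. {@link #UNUSED} occupies value 4, which the protocol does not assign.
     */
    /* loaded from: input_file:jre/lib/ibmcertpathprovider.jar:com/ibm/security/cert/deploy/OCSPResponse$ResponseStatus.class */
    public enum ResponseStatus {
        SUCCESSFUL,
        MALFORMED_REQUEST,
        INTERNAL_ERROR,
        TRY_LATER,
        UNUSED,
        SIG_REQUIRED,
        UNAUTHORIZED
    }

    /**
     * One decoded {@code SingleResponse}: the status of a single certificate together with the
     * interval in which the responder considers that status current.
     *
     * <p>Construction fails with {@link IOException} when the encoding is malformed, when a
     * critical single-response extension is present, or when the validity interval lies
     * outside the local clock (allowing {@link OCSPResponse#MAX_CLOCK_SKEW}).
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:jre/lib/ibmcertpathprovider.jar:com/ibm/security/cert/deploy/OCSPResponse$SingleResponse.class */
    public static final class SingleResponse implements OCSP.RevocationStatus {
        private final CertId certId;
        private final OCSP.RevocationStatus.CertStatus certStatus;
        private final Date thisUpdate;
        // null when the responder supplied no nextUpdate.
        private final Date nextUpdate;
        // null unless certStatus is REVOKED.
        private final Date revocationTime;
        // UNSPECIFIED unless a recognised revocationReason was encoded.
        private final CRLReason revocationReason;
        private final Map<String, Extension> singleExtensions;

        private SingleResponse(DerValue derValue) throws IOException {
            this(derValue, null);
        }

        /**
         * Decodes a {@code SingleResponse} SEQUENCE.
         *
         * @param derValue the SEQUENCE value to decode
         * @param date     accepted for interface symmetry with the enclosing constructor but not
         *                 used: the freshness check below is always made against the current
         *                 system time, not against this date
         * @throws IOException on malformed encoding, an unsupported critical extension, or a
         *                     validity interval that is out of date relative to the local clock
         */
        private SingleResponse(DerValue derValue, Date date) throws IOException {
            if (derValue.getTag() != 48) {
                throw new IOException("Bad ASN.1 encoding in SingleResponse");
            }
            DerInputStream data = derValue.getData();
            this.certId = new CertId(data.getDerValue().getData());
            DerValue statusValue = data.getDerValue();
            // CertStatus is a CHOICE; the low five bits of the tag select the alternative.
            short tag = (byte) (statusValue.getTag() & 31);
            if (tag == 1) {
                this.certStatus = OCSP.RevocationStatus.CertStatus.REVOKED;
                this.revocationTime = statusValue.getData().getGeneralizedTime();
                // Optional [0] revocationReason follows the revocation time within the same value.
                if (statusValue.getData().available() != 0) {
                    DerValue reasonValue = statusValue.getData().getDerValue();
                    if (((byte) (reasonValue.getTag() & 31)) == 0) {
                        int reasonCode = reasonValue.getData().getEnumerated().intValue();
                        // Out-of-range codes degrade to UNSPECIFIED rather than failing the parse.
                        if (reasonCode < 0 || reasonCode >= OCSPResponse.values.length) {
                            this.revocationReason = CRLReason.UNSPECIFIED;
                        } else {
                            this.revocationReason = OCSPResponse.values[reasonCode];
                        }
                    } else {
                        this.revocationReason = CRLReason.UNSPECIFIED;
                    }
                } else {
                    this.revocationReason = CRLReason.UNSPECIFIED;
                }
                if (OCSPResponse.DEBUG != null) {
                    OCSPResponse.DEBUG.println("Revocation time: " + this.revocationTime);
                    OCSPResponse.DEBUG.println("Revocation reason: " + this.revocationReason);
                }
            } else {
                this.revocationTime = null;
                this.revocationReason = CRLReason.UNSPECIFIED;
                if (tag == 0) {
                    this.certStatus = OCSP.RevocationStatus.CertStatus.GOOD;
                } else if (tag == 2) {
                    this.certStatus = OCSP.RevocationStatus.CertStatus.UNKNOWN;
                } else {
                    throw new IOException("Invalid certificate status");
                }
            }
            this.thisUpdate = data.getGeneralizedTime();
            // After thisUpdate come the OPTIONAL [0] nextUpdate and OPTIONAL [1] singleExtensions.
            // A value read here that turns out not to be nextUpdate is kept as 'pending' so the
            // extension parse below still sees it (previously it was consumed and discarded,
            // which silently dropped singleExtensions whenever nextUpdate was absent).
            DerValue pending = null;
            if (data.available() == 0) {
                this.nextUpdate = null;
            } else {
                DerValue nextValue = data.getDerValue();
                if (((byte) (nextValue.getTag() & 31)) == 0) {
                    this.nextUpdate = nextValue.getData().getGeneralizedTime();
                    if (data.available() > 0) {
                        pending = data.getDerValue();
                    }
                } else {
                    this.nextUpdate = null;
                    pending = nextValue;
                }
            }
            Map<String, Extension> extensions;
            if (pending != null && pending.isContextSpecific((byte) 1)) {
                DerValue[] extensionValues = pending.getData().getSequence(3);
                extensions = new HashMap<>(extensionValues.length);
                for (DerValue extensionValue : extensionValues) {
                    com.ibm.security.x509.Extension extension = new com.ibm.security.x509.Extension(extensionValue);
                    if (OCSPResponse.DEBUG != null) {
                        OCSPResponse.DEBUG.println("OCSP single extension: " + extension);
                    }
                    // No single-response extension is understood here, so any critical one
                    // must reject the response rather than be ignored.
                    if (extension.isCritical()) {
                        throw new IOException("Unsupported OCSP critical extension: " + extension.getExtensionId());
                    }
                    extensions.put(extension.getId(), extension);
                }
            } else {
                extensions = Collections.emptyMap();
            }
            this.singleExtensions = extensions;
            // Freshness: thisUpdate may not be in the future and nextUpdate may not be in the
            // past, each judged against the local clock with MAX_CLOCK_SKEW tolerance.
            long now = System.currentTimeMillis();
            Date latestAcceptableThisUpdate = new Date(now + OCSPResponse.MAX_CLOCK_SKEW);
            Date earliestAcceptableNextUpdate = new Date(now - OCSPResponse.MAX_CLOCK_SKEW);
            if (OCSPResponse.DEBUG != null) {
                OCSPResponse.DEBUG.println("Response's validity interval is from " + this.thisUpdate + (this.nextUpdate != null ? " until " + this.nextUpdate : ""));
            }
            boolean thisUpdateInFuture = this.thisUpdate != null && latestAcceptableThisUpdate.before(this.thisUpdate);
            boolean nextUpdateInPast = this.nextUpdate != null && earliestAcceptableNextUpdate.after(this.nextUpdate);
            if (thisUpdateInFuture || nextUpdateInPast) {
                if (OCSPResponse.DEBUG != null) {
                    OCSPResponse.DEBUG.println("Response is unreliable: its validity interval is out-of-date");
                }
                throw new IOException("Response is unreliable: its validity interval is out-of-date");
            }
        }

        @Override // com.ibm.security.cert.deploy.OCSP.RevocationStatus
        public OCSP.RevocationStatus.CertStatus getCertStatus() {
            return this.certStatus;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public CertId getCertId() {
            return this.certId;
        }

        /**
         * Returns a copy of the revocation time, or {@code null} when the status is not
         * {@code REVOKED} (no time is recorded for GOOD/UNKNOWN).
         */
        @Override // com.ibm.security.cert.deploy.OCSP.RevocationStatus
        public Date getRevocationTime() {
            return this.revocationTime == null ? null : (Date) this.revocationTime.clone();
        }

        @Override // com.ibm.security.cert.deploy.OCSP.RevocationStatus
        public CRLReason getRevocationReason() {
            return this.revocationReason;
        }

        /** Returns the single-response extensions keyed by extension id, as a read-only view. */
        @Override // com.ibm.security.cert.deploy.OCSP.RevocationStatus
        public Map<String, Extension> getSingleExtensions() {
            return Collections.unmodifiableMap(this.singleExtensions);
        }

        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("SingleResponse:  \n");
            sb.append(this.certId);
            sb.append("\nCertStatus: " + this.certStatus + "\n");
            if (this.certStatus == OCSP.RevocationStatus.CertStatus.REVOKED) {
                sb.append("revocationTime is " + this.revocationTime + "\n");
                sb.append("revocationReason is " + this.revocationReason + "\n");
            }
            sb.append("thisUpdate is " + this.thisUpdate + "\n");
            if (this.nextUpdate != null) {
                sb.append("nextUpdate is " + this.nextUpdate + "\n");
            }
            return sb.toString();
        }
    }

    /**
     * Reads the {@code com.ibm.security.ocsp.clockSkew} system property (seconds) and converts
     * it to milliseconds; an absent or negative value yields {@link #DEFAULT_MAX_CLOCK_SKEW}.
     */
    private static int initializeClockSkew() {
        Integer configuredSeconds = (Integer) AccessController.doPrivileged(new GetIntegerAction("com.ibm.security.ocsp.clockSkew"));
        if (configuredSeconds == null || configuredSeconds.intValue() < 0) {
            return DEFAULT_MAX_CLOCK_SKEW;
        }
        return configuredSeconds.intValue() * 1000;
    }

    /**
     * Decodes and verifies an OCSP response.
     *
     * <p>Processing order: response status; {@code responseBytes} (must be id-pkix-ocsp-basic);
     * {@code tbsResponseData} (version, responderID, producedAt, the SingleResponses, response
     * extensions); then signer selection and signature verification. A non-{@code successful}
     * status yields an object with no single responses and performs no signature check, since
     * such a response carries no {@code responseBytes}.
     *
     * <p>Signer selection: when the response carries certificates, only the first one is
     * considered. It is accepted if it is itself one of {@code list}, or if it is issued by a
     * member of {@code list} (matched by issuer name and, when both carry key identifiers, by
     * AKID/SKID), carries id-kp-OCSPSigning, passes the algorithm checks and verifies under that
     * member's key. Without response certificates the first entry of {@code list} is used.
     *
     * @param bArr the DER-encoded OCSPResponse
     * @param date the validation date used for the delegated responder certificate's validity
     *             check; {@code null} means "now", in which case a validity failure is only
     *             logged (see the note inside)
     * @param list trusted responder certificates; must not be null
     * @throws IOException on malformed or unsupported encoding, or on a single response whose
     *                     validity interval is out of date
     * @throws CertPathValidatorException when no trusted signer can be established, the signing
     *                                    algorithm or key is disallowed, or the signature does
     *                                    not verify
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public OCSPResponse(byte[] bArr, Date date, List<X509Certificate> list) throws IOException, CertPathValidatorException {
        // "ocsp" and "certpath" are separate debug switches; guard DEBUG so enabling only the
        // former cannot dereference a null logger here.
        if (dump && DEBUG != null) {
            HexDumpEncoder hexDumpEncoder = new HexDumpEncoder();
            DEBUG.println("\nOCSPResponse bytes...");
            DEBUG.println(hexDumpEncoder.encode(bArr) + "\n");
        }
        DerValue response = new DerValue(bArr);
        if (response.getTag() != 48) {
            throw new IOException("Bad encoding in OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        DerInputStream responseData = response.getData();
        int statusCode = responseData.getEnumerated().intValue();
        if (statusCode < 0 || statusCode >= rsvalues.length) {
            throw new IOException("Unknown OCSPResponse status: " + statusCode);
        }
        this.responseStatus = rsvalues[statusCode];
        if (DEBUG != null) {
            DEBUG.println("OCSP response status: " + this.responseStatus);
        }
        if (this.responseStatus != ResponseStatus.SUCCESSFUL) {
            this.singleResponseMap = Collections.emptyMap();
            return;
        }
        // responseBytes [0] EXPLICIT ResponseBytes OPTIONAL
        DerValue responseBytes = responseData.getDerValue();
        if (!responseBytes.isContextSpecific((byte) 0)) {
            throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 context specific tag 0.");
        }
        DerValue responseBytesSeq = responseBytes.getData().getDerValue();
        if (responseBytesSeq.getTag() != 48) {
            throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        DerInputStream responseBytesData = responseBytesSeq.getData();
        ObjectIdentifier responseType = responseBytesData.getOID();
        if (!responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) {
            if (DEBUG != null) {
                DEBUG.println("OCSP response type: " + responseType);
            }
            throw new IOException("Unsupported OCSP response type: " + responseType);
        }
        if (DEBUG != null) {
            DEBUG.println("OCSP response type: basic");
        }
        // BasicOCSPResponse ::= SEQUENCE { tbsResponseData, signatureAlgorithm, signature, certs [0] OPTIONAL }
        DerValue[] basicResponse = new DerInputStream(responseBytesData.getOctetString()).getSequence(2);
        if (basicResponse.length < 3) {
            throw new IOException("Unexpected BasicOCSPResponse value");
        }
        DerValue tbsResponseData = basicResponse[0];
        // The signature is computed over the DER encoding of tbsResponseData, so keep its bytes.
        byte[] tbsBytes = basicResponse[0].toByteArray();
        if (tbsResponseData.getTag() != 48) {
            throw new IOException("Bad encoding in tbsResponseData element of OCSP response: expected ASN.1 SEQUENCE tag.");
        }
        DerInputStream tbsData = tbsResponseData.getData();
        DerValue current = tbsData.getDerValue();
        // version [0] EXPLICIT Version DEFAULT v1
        if (current.isContextSpecific((byte) 0) && current.isConstructed() && current.isContextSpecific()) {
            DerValue versionValue = current.getData().getDerValue();
            // The version INTEGER is consumed but its value is not checked.
            versionValue.getInteger().intValue();
            if (versionValue.getData().available() != 0) {
                throw new IOException("Bad encoding in version  element of OCSP response: bad format");
            }
            current = tbsData.getDerValue();
        }
        // responderID ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash }
        short responderIdTag = (byte) (current.getTag() & 31);
        if (responderIdTag == 1) {
            if (DEBUG != null) {
                DEBUG.println("OCSP Responder name: " + new X500Name(current.getData()));
            }
        } else if (responderIdTag == 2) {
            DerValue keyHash = current.getData().getDerValue();
            if (DEBUG != null) {
                byte[] keyBytes = keyHash.getOctetString();
                DEBUG.println("OCSP Responder key ID: " + String.format("0x%0" + (keyBytes.length * 2) + "x", new BigInteger(1, keyBytes)));
            }
        } else {
            throw new IOException("Bad encoding in responderID element of OCSP response: expected ASN.1 context specific tag 1 or 2");
        }
        // producedAt GeneralizedTime: logged only, not compared against anything.
        DerValue producedAt = tbsData.getDerValue();
        if (DEBUG != null) {
            DEBUG.println("OCSP response produced at: " + producedAt.getGeneralizedTime());
        }
        DerValue[] responses = tbsData.getSequence(1);
        this.singleResponseMap = new HashMap<>(responses.length);
        if (DEBUG != null) {
            DEBUG.println("OCSP number of SingleResponses: " + responses.length);
        }
        for (DerValue responseValue : responses) {
            SingleResponse singleResponse = new SingleResponse(responseValue, date);
            // A later SingleResponse with the same CertId replaces an earlier one.
            this.singleResponseMap.put(singleResponse.getCertId(), singleResponse);
        }
        // responseExtensions [1] EXPLICIT Extensions OPTIONAL
        if (tbsData.available() > 0) {
            DerValue responseExtensions = tbsData.getDerValue();
            if (responseExtensions.isContextSpecific((byte) 1)) {
                for (DerValue extensionValue : responseExtensions.getData().getSequence(3)) {
                    com.ibm.security.x509.Extension extension = new com.ibm.security.x509.Extension(extensionValue);
                    if (DEBUG != null) {
                        DEBUG.println("OCSP extension: " + extension);
                    }
                    // The nonce is the one critical extension tolerated; its value is not
                    // compared against any request nonce in this class.
                    if (!extension.getExtensionId().equals((Object) OCSP_NONCE_EXTENSION_OID) && extension.isCritical()) {
                        throw new IOException("Unsupported OCSP critical extension: " + extension.getExtensionId());
                    }
                }
            }
        }
        AlgorithmId signatureAlgorithm = AlgorithmId.parse(basicResponse[1]);
        byte[] signatureBytes = basicResponse[2].getBitString();
        X509CertImpl[] responderCerts = null;
        if (basicResponse.length > 3) {
            DerValue certsValue = basicResponse[3];
            if (!certsValue.isContextSpecific((byte) 0)) {
                throw new IOException("Bad encoding in certs element of OCSP response: expected ASN.1 context specific tag 0.");
            }
            DerValue[] certValues = certsValue.getData().getSequence(3);
            responderCerts = new X509CertImpl[certValues.length];
            for (int i = 0; i < certValues.length; i++) {
                try {
                    responderCerts[i] = new X509CertImpl(certValues[i].toByteArray());
                } catch (CertificateException e) {
                    throw new IOException("Bad encoding in X509 Certificate", e);
                }
            }
        }
        // Default signer: the first trusted responder. An empty list leaves it null, which is
        // reported below as an untrusted signer instead of an IndexOutOfBoundsException.
        X509Certificate signerCert = list.isEmpty() ? null : list.get(0);
        // Only the first certificate in 'certs' is considered as the signer; any others are
        // parsed above but not used. The length check guards an empty certs SEQUENCE.
        if (responderCerts != null && responderCerts.length > 0 && responderCerts[0] != null) {
            X509CertImpl candidateSigner = responderCerts[0];
            if (DEBUG != null) {
                DEBUG.println("Signer certificate name: " + candidateSigner.getSubjectX500Principal());
                byte[] subjectKeyIdentifier = candidateSigner.getSubjectKeyIdentifier();
                if (subjectKeyIdentifier != null) {
                    DEBUG.println("Signer certificate key ID: " + String.format("0x%0" + (subjectKeyIdentifier.length * 2) + "x", new BigInteger(1, subjectKeyIdentifier)));
                }
            }
            byte[] issuerKeyId = null;
            for (X509Certificate trusted : list) {
                if (candidateSigner.equals(trusted)) {
                    // The response's own certificate is one of the trusted responders.
                    signerCert = trusted;
                    if (DEBUG != null) {
                        DEBUG.println("Signer certificate is a trusted responder");
                    }
                } else if (candidateSigner.getIssuerX500Principal().equals(trusted.getSubjectX500Principal())) {
                    // Delegated responder: 'trusted' looks like its issuer by name.
                    if (issuerKeyId == null) {
                        issuerKeyId = candidateSigner.getIssuerKeyIdentifier();
                        if (issuerKeyId == null && DEBUG != null) {
                            DEBUG.println("No issuer key identifier (AKID) in the signer certificate");
                        }
                    }
                    // When both sides carry key identifiers they must also match; a name match
                    // alone is not enough to pick this trusted certificate as the issuer.
                    if (issuerKeyId != null) {
                        byte[] trustedKeyId = OCSPChecker.getKeyId(trusted);
                        if (trustedKeyId != null) {
                            if (!Arrays.equals(issuerKeyId, trustedKeyId)) {
                                continue;
                            }
                            if (DEBUG != null) {
                                DEBUG.println("Issuer certificate key ID: " + String.format("0x%0" + (issuerKeyId.length * 2) + "x", new BigInteger(1, issuerKeyId)));
                            }
                        }
                    }
                    try {
                        List<String> extendedKeyUsage = candidateSigner.getExtendedKeyUsage();
                        if (extendedKeyUsage != null && extendedKeyUsage.contains(KP_OCSP_SIGNING_OID)) {
                            AlgorithmChecker algorithmChecker = new AlgorithmChecker(new TrustAnchor(trusted, null));
                            algorithmChecker.init(false);
                            algorithmChecker.check(candidateSigner, Collections.emptySet());
                            if (date == null) {
                                // NOTE(review): with no validation date, a responder certificate
                                // outside its validity period is only logged and still accepted
                                // for signature verification, whereas the date-supplied branch
                                // lets the exception propagate. Confirm this leniency is intended.
                                try {
                                    candidateSigner.checkValidity();
                                } catch (GeneralSecurityException e) {
                                    if (DEBUG != null) {
                                        DEBUG.println("Responder's certificate not within the validity period " + e);
                                    }
                                }
                            } else {
                                candidateSigner.checkValidity(date);
                            }
                            // id-pkix-ocsp-nocheck is observed but has no effect on processing here.
                            if (candidateSigner.getExtension(PKIXExtensions.OCSPNoCheck_Id) != null && DEBUG != null) {
                                DEBUG.println("Responder's certificate includes the extension id-pkix-ocsp-nocheck.");
                            }
                            try {
                                candidateSigner.verify(trusted.getPublicKey());
                                signerCert = candidateSigner;
                                if (DEBUG != null) {
                                    DEBUG.println("Signer certificate was issued by a trusted responder");
                                }
                                break;
                            } catch (GeneralSecurityException e) {
                                // Chaining to this trusted certificate failed; a later entry may
                                // still succeed, so keep looking rather than fail outright.
                                signerCert = null;
                            }
                        }
                    } catch (CertificateParsingException e) {
                        // Unparseable extended key usage: this candidate issuer is skipped.
                        if (DEBUG != null) {
                            DEBUG.println("Unable to parse extended key usage of signer certificate: " + e);
                        }
                    }
                }
            }
        }
        if (signerCert == null) {
            throw new CertPathValidatorException("Responder's certificate is not trusted for signing OCSP responses");
        }
        AlgorithmChecker.check(signerCert.getPublicKey(), signatureAlgorithm);
        if (!verifyResponse(tbsBytes, signerCert, signatureAlgorithm, signatureBytes)) {
            throw new CertPathValidatorException("Error verifying OCSP Responder's signature");
        }
    }

    /** Returns the decoded OCSPResponseStatus. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public ResponseStatus getResponseStatus() {
        return this.responseStatus;
    }

    /**
     * Verifies the responder's signature over {@code tbsResponseData}.
     *
     * @param bArr            DER bytes of tbsResponseData
     * @param x509Certificate certificate whose public key signed the response
     * @param algorithmId     signature algorithm named in the response
     * @param bArr2           the signature BIT STRING contents
     * @return true when the signature verifies
     * @throws CertPathValidatorException wrapping any key, algorithm or signature-engine failure
     */
    private boolean verifyResponse(byte[] bArr, X509Certificate x509Certificate, AlgorithmId algorithmId, byte[] bArr2) throws CertPathValidatorException {
        try {
            Signature signature = Signature.getInstance(algorithmId.getName());
            signature.initVerify(x509Certificate.getPublicKey());
            signature.update(bArr);
            boolean verified = signature.verify(bArr2);
            if (DEBUG != null) {
                DEBUG.println(verified ? "Verified signature of OCSP Responder" : "Error verifying signature of OCSP Responder");
            }
            return verified;
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new CertPathValidatorException(e);
        }
    }

    /** Returns the SingleResponse for {@code certId}, or null when the response has none for it. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SingleResponse getSingleResponse(CertId certId) {
        return this.singleResponseMap.get(certId);
    }

    static {
        dump = Debug.isOn("ocsp");
        OCSP_BASIC_RESPONSE_OID = ObjectIdentifier.newInternal(new int[]{1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
        OCSP_NONCE_EXTENSION_OID = ObjectIdentifier.newInternal(new int[]{1, 3, 6, 1, 5, 5, 7, 48, 1, 2});
        MAX_CLOCK_SKEW = initializeClockSkew();
        values = CRLReason.values();
    }
}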
