package org.xipki.ocsp.client.impl;

import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.ocsp.CertID;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.OCSPRequest;
import org.bouncycastle.asn1.ocsp.Request;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.ContentSigner;
import org.xipki.ocsp.client.api.InvalidOcspResponseException;
import org.xipki.ocsp.client.api.OcspNonceUnmatchedException;
import org.xipki.ocsp.client.api.OcspRequestor;
import org.xipki.ocsp.client.api.OcspRequestorException;
import org.xipki.ocsp.client.api.OcspResponseException;
import org.xipki.ocsp.client.api.OcspTargetUnmatchedException;
import org.xipki.ocsp.client.api.RequestOptions;
import org.xipki.ocsp.client.api.ResponderUnreachableException;
import org.xipki.security.ConcurrentBagEntrySigner;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.HashAlgo;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignerConf;
import org.xipki.security.exception.NoIdleSignerException;
import org.xipki.security.util.X509Util;
import org.xipki.util.CollectionUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.ParamUtil;
import org.xipki.util.ReqRespDebug;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/ocsp/client/impl/AbstractOcspRequestor.class */
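/**
 * Base class for OCSP requestors: builds (optionally signed) OCSP requests, hands the
 * encoded request to the transport implemented by {@link #send}, and sanity-checks the
 * returned response.
 *
 * <p>For a successful response ({@code OCSPResp.SUCCESSFUL} with a {@code BasicOCSPResp}
 * body) this class verifies that
 * <ul>
 *   <li>the responder echoed the request nonce, when one was sent (replay protection), and</li>
 *   <li>the singleResponses cover exactly the requested issuer and serial numbers, each serial
 *       number at most once (no substitution of a status for another certificate).</li>
 * </ul>
 * Nothing in this class checks the signature on the response; that verification has to be
 * done by the caller on the returned {@link OCSPResp}.
 *
 * <p>The request signer is created lazily and cached; all access to the cached signer is
 * guarded by {@code signerLock}, and any {@code setSigner*} call drops the cached instance.
 */
public abstract class AbstractOcspRequestor implements OcspRequestor {

    private SecurityFactory securityFactory;

    // Lazily created request signer. Read and written only while holding signerLock so that a
    // concurrent setSigner*() (which nulls it) cannot race with a request being signed.
    private ConcurrentContentSigner signer;

    private String signerType;

    private String signerConf;

    private String signerCertFile;

    private final Object signerLock = new Object();

    // Nonces are anti-replay material and must be unpredictable, hence a CSPRNG.
    private final SecureRandom random = new SecureRandom();

    /**
     * Sends an encoded OCSPRequest to the responder and returns the raw response bytes.
     *
     * @param request DER-encoded OCSPRequest
     * @param responderUrl URL of the OCSP responder
     * @param requestOptions transport-related options
     * @return the raw (DER-encoded) OCSPResponse exactly as received
     * @throws IOException if the responder could not be reached or the transfer failed
     */
    protected abstract byte[] send(byte[] request, URL responderUrl, RequestOptions requestOptions)
            throws IOException;

    /**
     * Asks the responder for the status of a single certificate.
     *
     * @param issuerCert certificate of the issuer of {@code cert}
     * @param cert certificate whose status is requested; must be issued by {@code issuerCert}
     * @param responderUrl URL of the OCSP responder
     * @param requestOptions request options (nonce, hash algorithm, signing, ...)
     * @param debug optional request/response recorder, may be {@code null}
     * @return the OCSP response; see {@link #ask(X509Certificate, BigInteger[], URL, RequestOptions, ReqRespDebug)}
     * @throws IllegalArgumentException if {@code cert} is not issued by {@code issuerCert}
     * @throws OcspRequestorException if the request could not be built or encoded
     * @throws OcspResponseException if the responder is unreachable or the response is invalid,
     *         carries a wrong nonce or does not match the request
     */
    public OCSPResp ask(X509Certificate issuerCert, X509Certificate cert, URL responderUrl,
            RequestOptions requestOptions, ReqRespDebug debug)
            throws OcspResponseException, OcspRequestorException {
        ParamUtil.requireNonNull("issuerCert", issuerCert);
        ParamUtil.requireNonNull("cert", cert);
        try {
            if (!X509Util.issues(issuerCert, cert)) {
                throw new IllegalArgumentException("cert and issuerCert do not match");
            }
        } catch (CertificateEncodingException ex) {
            throw new OcspRequestorException(ex.getMessage(), ex);
        }
        return ask(issuerCert, new BigInteger[]{cert.getSerialNumber()}, responderUrl,
                requestOptions, debug);
    }

    /**
     * Asks the responder for the status of several certificates of the same issuer in one request.
     *
     * @param issuerCert certificate of the issuer of all {@code certs}
     * @param certs certificates whose status is requested; at least one, all issued by {@code issuerCert}
     * @param responderUrl URL of the OCSP responder
     * @param requestOptions request options (nonce, hash algorithm, signing, ...)
     * @param debug optional request/response recorder, may be {@code null}
     * @return the OCSP response; see {@link #ask(X509Certificate, BigInteger[], URL, RequestOptions, ReqRespDebug)}
     * @throws IllegalArgumentException if a certificate is not issued by {@code issuerCert}
     * @throws OcspRequestorException if the request could not be built or encoded
     * @throws OcspResponseException if the responder is unreachable or the response is invalid,
     *         carries a wrong nonce or does not match the request
     */
    public OCSPResp ask(X509Certificate issuerCert, X509Certificate[] certs, URL responderUrl,
            RequestOptions requestOptions, ReqRespDebug debug)
            throws OcspResponseException, OcspRequestorException {
        ParamUtil.requireNonNull("issuerCert", issuerCert);
        ParamUtil.requireNonNull("certs", certs);
        ParamUtil.requireMin("certs.length", certs.length, 1);

        BigInteger[] serialNumbers = new BigInteger[certs.length];
        for (int i = 0; i < certs.length; i++) {
            X509Certificate cert = certs[i];
            try {
                if (!X509Util.issues(issuerCert, cert)) {
                    throw new IllegalArgumentException(
                            "cert at index " + i + " and issuerCert do not match");
                }
            } catch (CertificateEncodingException ex) {
                throw new OcspRequestorException(ex.getMessage(), ex);
            }
            serialNumbers[i] = cert.getSerialNumber();
        }
        return ask(issuerCert, serialNumbers, responderUrl, requestOptions, debug);
    }

    /**
     * Asks the responder for the status of the certificate with the given serial number.
     *
     * @param issuerCert certificate of the issuer
     * @param serialNumber serial number of the certificate whose status is requested
     * @param responderUrl URL of the OCSP responder
     * @param requestOptions request options (nonce, hash algorithm, signing, ...)
     * @param debug optional request/response recorder, may be {@code null}
     * @return the OCSP response; see {@link #ask(X509Certificate, BigInteger[], URL, RequestOptions, ReqRespDebug)}
     * @throws OcspRequestorException if the request could not be built or encoded
     * @throws OcspResponseException if the responder is unreachable or the response is invalid,
     *         carries a wrong nonce or does not match the request
     */
    public OCSPResp ask(X509Certificate issuerCert, BigInteger serialNumber, URL responderUrl,
            RequestOptions requestOptions, ReqRespDebug debug)
            throws OcspResponseException, OcspRequestorException {
        return ask(issuerCert, new BigInteger[]{serialNumber}, responderUrl, requestOptions, debug);
    }

    /**
     * Builds, sends and checks an OCSP request for the given serial numbers of one issuer.
     *
     * <p>If the response status is not {@code SUCCESSFUL}, or the response body is not a
     * {@code BasicOCSPResp}, the response is returned as is and the caller has to interpret the
     * status. Otherwise the nonce (if one was sent) and the requested targets are verified
     * before the response is returned. The response signature is not verified here.
     *
     * @param issuerCert certificate of the issuer of all requested certificates
     * @param serialNumbers serial numbers of the certificates whose status is requested; at least one
     * @param responderUrl URL of the OCSP responder
     * @param requestOptions request options (nonce, hash algorithm, signing, ...)
     * @param debug optional recorder; when non-null a request/response pair is added to it
     * @return the OCSP response as received from the responder
     * @throws OcspRequestorException if the request could not be built or encoded
     * @throws ResponderUnreachableException if {@link #send} fails
     * @throws InvalidOcspResponseException if the response cannot be parsed
     * @throws OcspNonceUnmatchedException if a nonce was sent but is missing or differs in the response
     * @throws OcspTargetUnmatchedException if the singleResponses do not match the requested targets
     */
    public OCSPResp ask(X509Certificate issuerCert, BigInteger[] serialNumbers, URL responderUrl,
            RequestOptions requestOptions, ReqRespDebug debug)
            throws OcspResponseException, OcspRequestorException {
        ParamUtil.requireNonNull("issuerCert", issuerCert);
        ParamUtil.requireNonNull("requestOptions", requestOptions);
        ParamUtil.requireNonNull("responderUrl", responderUrl);
        ParamUtil.requireNonNull("serialNumbers", serialNumbers);
        ParamUtil.requireMin("serialNumbers.length", serialNumbers.length, 1);

        byte[] nonce = requestOptions.isUseNonce() ? nextNonce(requestOptions.getNonceLen()) : null;
        OCSPRequest request = buildRequest(issuerCert, serialNumbers, nonce, requestOptions);

        byte[] encodedRequest;
        try {
            encodedRequest = request.getEncoded();
        } catch (IOException ex) {
            throw new OcspRequestorException("could not encode OCSP request: " + ex.getMessage(), ex);
        }

        ReqRespDebug.ReqRespPair debugPair = null;
        if (debug != null) {
            debugPair = new ReqRespDebug.ReqRespPair();
            debug.add(debugPair);
            if (debug.saveRequest()) {
                debugPair.setRequest(encodedRequest);
            }
        }

        byte[] encodedResponse;
        try {
            encodedResponse = send(encodedRequest, responderUrl, requestOptions);
        } catch (IOException ex) {
            throw new ResponderUnreachableException("IOException: " + ex.getMessage(), ex);
        }
        if (debugPair != null && debug.saveResponse()) {
            debugPair.setResponse(encodedResponse);
        }

        OCSPResp response;
        try {
            response = new OCSPResp(encodedResponse);
        } catch (IOException ex) {
            throw new InvalidOcspResponseException("IOException: " + ex.getMessage(), ex);
        }

        Object responseObject;
        try {
            responseObject = response.getResponseObject();
        } catch (OCSPException ex) {
            throw new InvalidOcspResponseException("responseObject is invalid", ex);
        }

        // Error responses carry neither a nonce nor singleResponses; nothing to check here.
        if (response.getStatus() != OCSPResp.SUCCESSFUL || !(responseObject instanceof BasicOCSPResp)) {
            return response;
        }

        BasicOCSPResp basicResp = (BasicOCSPResp) responseObject;
        if (nonce != null) {
            checkNonce(basicResp, nonce);
        }
        checkTargets(request, serialNumbers, basicResp);
        return response;
    }

    // Verifies that the responder echoed exactly the nonce that was sent (replay protection).
    private static void checkNonce(BasicOCSPResp basicResp, byte[] expectedNonce)
            throws OcspNonceUnmatchedException {
        Extension nonceExt = basicResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonceExt == null) {
            // A response without our nonce may be a replayed or pre-produced one.
            throw new OcspNonceUnmatchedException(expectedNonce, (byte[]) null);
        }
        byte[] receivedNonce = nonceExt.getExtnValue().getOctets();
        if (!Arrays.equals(expectedNonce, receivedNonce)) {
            throw new OcspNonceUnmatchedException(expectedNonce, receivedNonce);
        }
    }

    // Verifies that the singleResponses cover exactly the requested issuer and serial numbers,
    // each serial number once, so that a status for another certificate cannot be substituted.
    private static void checkTargets(OCSPRequest request, BigInteger[] serialNumbers,
            BasicOCSPResp basicResp) throws OcspTargetUnmatchedException {
        SingleResp[] singleResps = basicResp.getResponses();
        if (singleResps == null || singleResps.length == 0) {
            throw new OcspTargetUnmatchedException(
                    "response with no singleResponse is returned, expected is " + serialNumbers.length);
        }

        int count = singleResps.length;
        if (count != serialNumbers.length) {
            throw new OcspTargetUnmatchedException("response with " + count + " singleResponse"
                    + (count > 1 ? "s" : "") + " is returned, expected is " + serialNumbers.length);
        }

        // buildRequest() uses the same issuer hashes for every singleRequest, so the first one
        // is representative of all of them.
        CertID reqCert = Request.getInstance(
                request.getTbsRequest().getRequestList().getObjectAt(0)).getReqCert();
        ASN1ObjectIdentifier hashAlgOid = reqCert.getHashAlgorithm().getAlgorithm();
        byte[] issuerKeyHash = reqCert.getIssuerKeyHash().getOctets();
        byte[] issuerNameHash = reqCert.getIssuerNameHash().getOctets();

        List<BigInteger> requested = Arrays.asList(serialNumbers);
        // Each requested serial number may be answered once; remove it when seen.
        List<BigInteger> outstanding = new ArrayList<BigInteger>(requested);
        for (int i = 0; i < count; i++) {
            CertificateID certId = singleResps[i].getCertID();
            boolean issuerMatches = hashAlgOid.equals(certId.getHashAlgOID())
                    && Arrays.equals(issuerKeyHash, certId.getIssuerKeyHash())
                    && Arrays.equals(issuerNameHash, certId.getIssuerNameHash());
            if (!issuerMatches) {
                throw new OcspTargetUnmatchedException(
                        "the issuer specified in singleResponse[" + i + "] is not requested");
            }

            BigInteger serialNumber = certId.getSerialNumber();
            if (!outstanding.remove(serialNumber)) {
                if (requested.contains(serialNumber)) {
                    throw new OcspTargetUnmatchedException("serialNumber "
                            + LogUtil.formatCsn(serialNumber)
                            + " is contained in at least two singleResponses");
                }
                throw new OcspTargetUnmatchedException("serialNumber "
                        + LogUtil.formatCsn(serialNumber) + " specified in singleResponse[" + i
                        + "] is not requested");
            }
        }
    }

    /**
     * Builds the OCSPRequest for the given serial numbers, all issued by {@code issuerCert},
     * signing it with the lazily created signer when {@code requestOptions.isSignRequest()}.
     *
     * @param issuerCert certificate of the issuer; its subject name and public key are hashed
     *        into every CertID
     * @param serialNumbers serial numbers to request, one singleRequest each
     * @param nonce nonce to add as request extension, or {@code null} for none
     * @param requestOptions hash algorithm, preferred signature algorithms and signing flag
     * @return the (possibly signed) request
     * @throws OcspRequestorException if the hash algorithm is unknown, the signer is not
     *         configured or cannot be created, or the request cannot be built
     */
    private OCSPRequest buildRequest(X509Certificate issuerCert, BigInteger[] serialNumbers,
            byte[] nonce, RequestOptions requestOptions) throws OcspRequestorException {
        HashAlgo hashAlgo = HashAlgo.getInstance(requestOptions.getHashAlgorithmId());
        if (hashAlgo == null) {
            throw new OcspRequestorException(
                    "unknown HashAlgo " + requestOptions.getHashAlgorithmId().getId());
        }

        XiOCSPReqBuilder reqBuilder = new XiOCSPReqBuilder();

        List<Extension> extensions = new ArrayList<Extension>();
        if (nonce != null) {
            extensions.add(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
                    new DEROctetString(nonce)));
        }

        List<?> prefSigAlgs = requestOptions.getPreferredSignatureAlgorithms();
        if (prefSigAlgs != null && !prefSigAlgs.isEmpty()) {
            ASN1EncodableVector vec = new ASN1EncodableVector();
            for (Object algId : prefSigAlgs) {
                vec.add(new DERSequence((AlgorithmIdentifier) algId));
            }
            try {
                extensions.add(new Extension(ObjectIdentifiers.id_pkix_ocsp_prefSigAlgs, false,
                        new DEROctetString(new DERSequence(vec))));
            } catch (IOException ex) {
                throw new OcspRequestorException(ex.getMessage(), ex);
            }
        }

        if (!extensions.isEmpty()) {
            reqBuilder.setRequestExtensions(new Extensions(extensions.toArray(new Extension[0])));
        }

        try {
            // CertID per RFC 6960 4.1.1: hash of the issuer's DER-encoded name, and hash of the
            // issuer's public key (the BIT STRING value, without tag and length).
            DEROctetString issuerNameHash = new DEROctetString(
                    hashAlgo.hash(issuerCert.getSubjectX500Principal().getEncoded()));
            DEROctetString issuerKeyHash = new DEROctetString(hashAlgo.hash(
                    TBSCertificate.getInstance(issuerCert.getTBSCertificate())
                            .getSubjectPublicKeyInfo().getPublicKeyData().getOctets()));
            for (BigInteger serialNumber : serialNumbers) {
                reqBuilder.addRequest(new CertID(hashAlgo.getAlgorithmIdentifier(),
                        issuerNameHash, issuerKeyHash, new ASN1Integer(serialNumber)));
            }

            if (!requestOptions.isSignRequest()) {
                return reqBuilder.build();
            }

            // Take a local reference under the lock: a concurrent setSigner*() nulls the field,
            // and the signing steps below must keep working with the instance obtained here.
            ConcurrentContentSigner localSigner;
            synchronized (signerLock) {
                if (signer == null) {
                    if (StringUtil.isBlank(signerType)) {
                        throw new OcspRequestorException("signerType is not configured");
                    }
                    if (StringUtil.isBlank(signerConf)) {
                        throw new OcspRequestorException("signerConf is not configured");
                    }
                    SecurityFactory factory = getSecurityFactory();
                    if (factory == null) {
                        throw new OcspRequestorException("securityFactory is not configured");
                    }

                    X509Certificate signerCert = null;
                    if (StringUtil.isNotBlank(signerCertFile)) {
                        try {
                            signerCert = X509Util.parseCert(new File(signerCertFile));
                        } catch (CertificateException ex) {
                            throw new OcspRequestorException("could not parse certificate "
                                    + signerCertFile + ": " + ex.getMessage(), ex);
                        }
                    }

                    try {
                        signer = factory.createSigner(signerType, new SignerConf(signerConf), signerCert);
                    } catch (Exception ex) {
                        throw new OcspRequestorException("could not create signer: " + ex.getMessage(), ex);
                    }
                }
                localSigner = signer;
            }

            reqBuilder.setRequestorName(localSigner.getBcCertificate().getSubject());
            X509CertificateHolder[] chain = localSigner.getBcCertificateChain();
            Certificate[] chainCerts = new Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                chainCerts[i] = chain[i].toASN1Structure();
            }

            ConcurrentBagEntrySigner bagEntry;
            try {
                bagEntry = localSigner.borrowSigner();
            } catch (NoIdleSignerException ex) {
                throw new OcspRequestorException("NoIdleSignerException: " + ex.getMessage(), ex);
            }
            try {
                return reqBuilder.build((ContentSigner) bagEntry.value(), chainCerts);
            } finally {
                // Always hand the borrowed signer back, whether or not signing succeeded.
                localSigner.requiteSigner(bagEntry);
            }
        } catch (CertificateEncodingException ex) {
            throw new OcspRequestorException(ex);
        } catch (OCSPException | IOException ex) {
            throw new OcspRequestorException(ex.getMessage(), ex);
        }
    }

    /**
     * Generates a fresh random nonce.
     *
     * @param length nonce length in bytes; at least 1, since an empty nonce offers no replay protection
     * @return the nonce
     */
    private byte[] nextNonce(int length) {
        ParamUtil.requireMin("nonceLen", length, 1);
        byte[] nonce = new byte[length];
        random.nextBytes(nonce);
        return nonce;
    }

    public String getSignerConf() {
        return signerConf;
    }

    /** Sets the signer configuration and drops any cached signer so it is re-created on next use. */
    public void setSignerConf(String signerConf) {
        synchronized (signerLock) {
            this.signer = null;
            this.signerConf = signerConf;
        }
    }

    public String getSignerCertFile() {
        return signerCertFile;
    }

    /**
     * Sets the file containing the signer certificate and drops any cached signer.
     * A blank value is ignored and leaves the current setting unchanged.
     */
    public void setSignerCertFile(String signerCertFile) {
        if (StringUtil.isNotBlank(signerCertFile)) {
            synchronized (signerLock) {
                this.signer = null;
                this.signerCertFile = signerCertFile;
            }
        }
    }

    public String getSignerType() {
        return signerType;
    }

    /** Sets the signer type and drops any cached signer so it is re-created on next use. */
    public void setSignerType(String signerType) {
        synchronized (signerLock) {
            this.signer = null;
            this.signerType = signerType;
        }
    }

    public SecurityFactory getSecurityFactory() {
        return securityFactory;
    }

    public void setSecurityFactory(SecurityFactory securityFactory) {
        this.securityFactory = securityFactory;
    }
}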
