package org.xipki.ocsp.server;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ocsp.OCSPRequest;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
import org.bouncycastle.asn1.ocsp.ResponseBytes;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.datasource.DataAccessException;
import org.xipki.datasource.DataSourceConf;
import org.xipki.datasource.DataSourceFactory;
import org.xipki.datasource.DataSourceWrapper;
import org.xipki.ocsp.api.CertStatusInfo;
import org.xipki.ocsp.api.OcspRespWithCacheInfo;
import org.xipki.ocsp.api.OcspServer;
import org.xipki.ocsp.api.OcspStore;
import org.xipki.ocsp.api.OcspStoreException;
import org.xipki.ocsp.api.RequestIssuer;
import org.xipki.ocsp.api.Responder;
import org.xipki.ocsp.api.ResponderAndPath;
import org.xipki.ocsp.server.OcspServerConf;
import org.xipki.ocsp.server.ResponderOption;
import org.xipki.ocsp.server.store.CaDbCertStatusStore;
import org.xipki.ocsp.server.store.CrlDbCertStatusStore;
import org.xipki.ocsp.server.store.DbCertStatusStore;
import org.xipki.ocsp.server.store.ResponseCacher;
import org.xipki.ocsp.server.store.ejbca.EjbcaCertStatusStore;
import org.xipki.ocsp.server.type.CertID;
import org.xipki.ocsp.server.type.EncodingException;
import org.xipki.ocsp.server.type.ExtendedExtension;
import org.xipki.ocsp.server.type.Extensions;
import org.xipki.ocsp.server.type.OID;
import org.xipki.ocsp.server.type.OcspRequest;
import org.xipki.ocsp.server.type.WritableOnlyExtension;
import org.xipki.password.PasswordResolverException;
import org.xipki.security.AlgorithmCode;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.CertpathValidationModel;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.HashAlgo;
import org.xipki.security.NoIdleSignerException;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignerConf;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.FileOrBinary;
import org.xipki.util.FileOrValue;
import org.xipki.util.HealthCheckResult;
import org.xipki.util.Hex;
import org.xipki.util.InvalidConfException;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.ObjectCreationException;
import org.xipki.util.StringUtil;
import org.xipki.util.Validity;

/* loaded from: input_file:WEB-INF/lib/ocsp-server-5.3.1.jar:org/xipki/ocsp/server/OcspServerImpl.class */
public class OcspServerImpl implements OcspServer {
    public static final long DFLT_CACHE_MAX_AGE = 60;
    private static final String STORE_TYPE_XIPKI_DB = "xipki-db";
    private static final String STORE_TYPE_XIPKI_CA_DB = "xipki-ca-db";
    private static final String STORE_TYPE_CRL = "crl";
    private static final String STORE_TYPE_EJBCA_DB = "ejbca-db";
    private static final WritableOnlyExtension extension_pkix_ocsp_extendedRevoke;
    private SecurityFactory securityFactory;
    private String confFile;
    private boolean master;
    private ResponseCacher responseCacher;
    private static final byte[] DERNullBytes = {5, 0};
    private static final byte[] bytes_certstatus_good = {Byte.MIN_VALUE, 0};
    private static final byte[] bytes_certstatus_unknown = {-126, 0};
    private static final byte[] bytes_certstatus_rfc6960_unknown = Hex.decode("a116180f31393730303130313030303030305aa0030a0106");
    private static final Logger LOG = LoggerFactory.getLogger(OcspServerImpl.class);
    private static final Map<OcspResponseStatus, OcspRespWithCacheInfo> unsuccesfulOCSPRespMap = new HashMap(10);
    private CertStatusInfo.UnknownIssuerBehaviour unknownIssuerBehaviour = CertStatusInfo.UnknownIssuerBehaviour.unknown;
    private Map<String, ResponderImpl> responders = new HashMap();
    private Map<String, ResponseSigner> signers = new HashMap();
    private Map<String, RequestOption> requestOptions = new HashMap();
    private Map<String, OcspServerConf.ResponseOption> responseOptions = new HashMap();
    private Map<String, OcspStore> stores = new HashMap();
    private List<String> servletPaths = new ArrayList();
    private Map<String, ResponderImpl> path2responderMap = new HashMap();
    private AtomicBoolean initialized = new AtomicBoolean(false);
    private final DataSourceFactory datasourceFactory = new DataSourceFactory();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/ocsp-server-5.3.1.jar:org/xipki/ocsp/server/OcspServerImpl$OcspRespControl.class */
    public static class OcspRespControl {
        boolean canCacheInfo;
        boolean includeExtendedRevokeExtension = false;
        long cacheThisUpdate = 0;
        long cacheNextUpdate = Long.MAX_VALUE;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/ocsp-server-5.3.1.jar:org/xipki/ocsp/server/OcspServerImpl$SizeComparableString.class */
    public static class SizeComparableString implements Comparable<SizeComparableString> {
        private String str;

        public SizeComparableString(String str) {
            this.str = (String) Args.notNull(str, "str");
        }

        @Override // java.lang.Comparable
        public int compareTo(SizeComparableString sizeComparableString) {
            if (this.str.length() == sizeComparableString.str.length()) {
                return 0;
            }
            return this.str.length() > sizeComparableString.str.length() ? 1 : -1;
        }
    }

    public void setSecurityFactory(SecurityFactory securityFactory) {
        this.securityFactory = securityFactory;
    }

    public void setConfFile(String str) {
        this.confFile = str;
    }

    @Override // org.xipki.ocsp.api.OcspServer
    public ResponderAndPath getResponderForPath(String str) throws UnsupportedEncodingException {
        for (String str2 : this.servletPaths) {
            if (str.startsWith(str2)) {
                return new ResponderAndPath(str2, this.path2responderMap.get(str2));
            }
        }
        return null;
    }

    public ResponderImpl getResponder(String str) {
        Args.notBlank(str, "name");
        return this.responders.get(str);
    }

    public boolean isInitialized() {
        return this.initialized.get();
    }

    public void init() throws InvalidConfException, DataAccessException, PasswordResolverException {
        init(true);
    }

    public void init(boolean z) throws InvalidConfException, PasswordResolverException {
        LOG.info("starting OCSPResponder server ...");
        if (this.initialized.get() && !z) {
            LOG.info("already started, skipping ...");
            return;
        }
        try {
            init0();
            this.initialized.set(true);
            LOG.info("started OCSPResponder server");
        } catch (Error e) {
            LOG.error("could not start OCSP responder", (Throwable) e);
            throw e;
        } catch (RuntimeException e2) {
            LOG.error("could not start OCSP responder", (Throwable) e2);
            throw e2;
        } catch (PasswordResolverException | InvalidConfException e3) {
            LOG.error("could not start OCSP responder", e3);
            throw e3;
        } catch (Throwable th) {
            LOG.error("could not start OCSP responder", th);
            throw new IllegalStateException(th);
        }
    }

    private void init0() throws OcspStoreException, InvalidConfException, PasswordResolverException {
        if (this.confFile == null) {
            throw new IllegalStateException("confFile is not set");
        }
        if (this.datasourceFactory == null) {
            throw new IllegalStateException("datasourceFactory is not set");
        }
        if (this.securityFactory == null) {
            throw new IllegalStateException("securityFactory is not set");
        }
        this.initialized.set(false);
        this.responseCacher = null;
        this.responders.clear();
        this.signers.clear();
        this.requestOptions.clear();
        this.responseOptions.clear();
        for (String str : this.stores.keySet()) {
            try {
                this.stores.get(str).close();
            } catch (IOException e) {
                throw new OcspStoreException("could not close OCSP store " + str, e);
            }
        }
        this.stores.clear();
        this.servletPaths.clear();
        this.path2responderMap.clear();
        OcspServerConf parseConf = parseConf(this.confFile);
        HashSet hashSet = new HashSet();
        Iterator<OcspServerConf.Responder> it = parseConf.getResponders().iterator();
        while (it.hasNext()) {
            String name = it.next().getName();
            if ("health".equalsIgnoreCase(name) || "mgmt".equalsIgnoreCase(name)) {
                throw new InvalidConfException("responder name '" + name + "' is not permitted");
            }
            if (hashSet.contains(name)) {
                throw new InvalidConfException("duplicated definition of responder named '" + name + "'");
            }
            if (StringUtil.isBlank(name)) {
                throw new InvalidConfException("responder name may not be empty");
            }
            for (int i = 0; i < name.length(); i++) {
                char charAt = name.charAt(i);
                if (((charAt < '0' || charAt > '9') && ((charAt < 'A' || charAt > 'Z') && ((charAt < 'a' || charAt > 'z') && charAt != '-'))) || charAt == '_' || charAt == '.') {
                    throw new InvalidConfException("invalid OCSP responder name '" + name + "'");
                }
            }
            hashSet.add(name);
        }
        hashSet.clear();
        Iterator<OcspServerConf.Signer> it2 = parseConf.getSigners().iterator();
        while (it2.hasNext()) {
            String name2 = it2.next().getName();
            if (hashSet.contains(name2)) {
                throw new InvalidConfException("duplicated definition of signer option named '" + name2 + "'");
            }
            hashSet.add(name2);
        }
        hashSet.clear();
        Iterator<OcspServerConf.RequestOption> it3 = parseConf.getRequestOptions().iterator();
        while (it3.hasNext()) {
            String name3 = it3.next().getName();
            if (hashSet.contains(name3)) {
                throw new InvalidConfException("duplicated definition of request option named '" + name3 + "'");
            }
            hashSet.add(name3);
        }
        hashSet.clear();
        Iterator<OcspServerConf.ResponseOption> it4 = parseConf.getResponseOptions().iterator();
        while (it4.hasNext()) {
            String name4 = it4.next().getName();
            if (hashSet.contains(name4)) {
                throw new InvalidConfException("duplicated definition of response option named '" + name4 + "'");
            }
            hashSet.add(name4);
        }
        hashSet.clear();
        Iterator<OcspServerConf.Store> it5 = parseConf.getStores().iterator();
        while (it5.hasNext()) {
            String name5 = it5.next().getName();
            if (hashSet.contains(name5)) {
                throw new InvalidConfException("duplicated definition of store named '" + name5 + "'");
            }
        }
        hashSet.clear();
        if (parseConf.getDatasources() != null) {
            Iterator<DataSourceConf> it6 = parseConf.getDatasources().iterator();
            while (it6.hasNext()) {
                String name6 = it6.next().getName();
                if (hashSet.contains(name6)) {
                    throw new InvalidConfException("duplicated definition of datasource named '" + name6 + "'");
                }
                hashSet.add(name6);
            }
        }
        this.master = parseConf.isMaster();
        this.unknownIssuerBehaviour = parseConf.getUnknownIssuerBehaviour();
        if (this.unknownIssuerBehaviour == null) {
            this.unknownIssuerBehaviour = CertStatusInfo.UnknownIssuerBehaviour.unknown;
        }
        OcspServerConf.ResponseCache responseCache = parseConf.getResponseCache();
        if (responseCache != null) {
            DataSourceConf datasource = responseCache.getDatasource();
            InputStream inputStream = null;
            try {
                try {
                    inputStream = getInputStream(datasource.getConf());
                    DataSourceWrapper createDataSource = this.datasourceFactory.createDataSource(datasource.getName(), inputStream, this.securityFactory.getPasswordResolver());
                    closeStream(inputStream);
                    this.responseCacher = new ResponseCacher(createDataSource, this.master, responseCache.validity());
                    this.responseCacher.init();
                } catch (IOException e2) {
                    throw new InvalidConfException(e2.getMessage(), e2);
                }
            } catch (Throwable th) {
                closeStream(inputStream);
                throw th;
            }
        }
        for (OcspServerConf.Signer signer : parseConf.getSigners()) {
            this.signers.put(signer.getName(), initSigner(signer));
        }
        for (OcspServerConf.RequestOption requestOption : parseConf.getRequestOptions()) {
            this.requestOptions.put(requestOption.getName(), new RequestOption(requestOption));
        }
        for (OcspServerConf.ResponseOption responseOption : parseConf.getResponseOptions()) {
            this.responseOptions.put(responseOption.getName(), responseOption);
        }
        HashMap hashMap = new HashMap();
        if (parseConf.getDatasources() != null) {
            for (DataSourceConf dataSourceConf : parseConf.getDatasources()) {
                String name7 = dataSourceConf.getName();
                InputStream inputStream2 = null;
                try {
                    try {
                        inputStream2 = getInputStream(dataSourceConf.getConf());
                        DataSourceWrapper createDataSource2 = this.datasourceFactory.createDataSource(name7, inputStream2, this.securityFactory.getPasswordResolver());
                        closeStream(inputStream2);
                        hashMap.put(name7, createDataSource2);
                    } catch (IOException e3) {
                        throw new InvalidConfException(e3.getMessage(), e3);
                    }
                } catch (Throwable th2) {
                    closeStream(inputStream2);
                    throw th2;
                }
            }
        }
        HashMap hashMap2 = new HashMap();
        for (OcspServerConf.Responder responder : parseConf.getResponders()) {
            ResponderOption responderOption = new ResponderOption(responder);
            String signerName = responderOption.getSignerName();
            if (!this.signers.containsKey(signerName)) {
                throw new InvalidConfException("no signer named '" + signerName + "' is defined");
            }
            String requestOptionName = responderOption.getRequestOptionName();
            if (!this.requestOptions.containsKey(requestOptionName)) {
                throw new InvalidConfException("no requestOption named '" + requestOptionName + "' is defined");
            }
            String responseOptionName = responderOption.getResponseOptionName();
            if (!this.responseOptions.containsKey(responseOptionName)) {
                throw new InvalidConfException("no responseOption named '" + responseOptionName + "' is defined");
            }
            List<OcspServerConf.Store> stores = parseConf.getStores();
            HashSet hashSet2 = new HashSet(stores.size());
            Iterator<OcspServerConf.Store> it7 = stores.iterator();
            while (it7.hasNext()) {
                hashSet2.add(it7.next().getName());
            }
            hashMap2.put(responder.getName(), responderOption);
        }
        for (OcspServerConf.Store store : parseConf.getStores()) {
            this.stores.put(store.getName(), newStore(store, hashMap));
        }
        for (String str2 : hashMap2.keySet()) {
            ResponderOption responderOption2 = (ResponderOption) hashMap2.get(str2);
            ArrayList arrayList = new ArrayList(responderOption2.getStoreNames().size());
            Iterator<String> it8 = responderOption2.getStoreNames().iterator();
            while (it8.hasNext()) {
                arrayList.add(this.stores.get(it8.next()));
            }
            OcspServerConf.ResponseOption responseOption2 = this.responseOptions.get(responderOption2.getResponseOptionName());
            ResponseSigner responseSigner = this.signers.get(responderOption2.getSignerName());
            if (responseSigner.isMacSigner()) {
                if (responseOption2.isResponderIdByName()) {
                    throw new InvalidConfException("could not use ResponderIdByName for signer " + responderOption2.getSignerName());
                }
                if (OcspServerConf.EmbedCertsMode.NONE != responseOption2.getEmbedCertsMode()) {
                    throw new InvalidConfException("could not embed certifcate in response for signer " + responderOption2.getSignerName());
                }
            }
            this.responders.put(str2, new ResponderImpl(responderOption2, this.requestOptions.get(responderOption2.getRequestOptionName()), responseOption2, responseSigner, arrayList));
        }
        LinkedList linkedList = new LinkedList();
        for (String str3 : hashMap2.keySet()) {
            ResponderImpl responderImpl = this.responders.get(str3);
            for (String str4 : ((ResponderOption) hashMap2.get(str3)).getServletPaths()) {
                linkedList.add(new SizeComparableString(str4));
                this.path2responderMap.put(str4, responderImpl);
            }
        }
        Collections.sort(linkedList);
        ArrayList arrayList2 = new ArrayList(linkedList.size());
        Iterator it9 = linkedList.iterator();
        while (it9.hasNext()) {
            arrayList2.add(((SizeComparableString) it9.next()).str);
        }
        this.servletPaths = arrayList2;
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        LOG.info("stopped OCSP Responder");
        if (this.responseCacher != null) {
            this.responseCacher.close();
        }
        for (OcspStore ocspStore : this.stores.values()) {
            try {
                ocspStore.close();
            } catch (Exception e) {
                LogUtil.warn(LOG, e, "shutdown store " + ocspStore.getName());
            }
        }
    }

    /* JADX WARN: Finally extract failed */
    @Override // org.xipki.ocsp.api.OcspServer
    public OcspRespWithCacheInfo answer(Responder responder, byte[] bArr, boolean z) {
        ExtendedExtension removeExtension;
        ResponderImpl responderImpl = (ResponderImpl) responder;
        RequestOption requestOption = responderImpl.getRequestOption();
        try {
            int readRequestVersion = OcspRequest.readRequestVersion(bArr);
            if (!requestOption.isVersionAllowed(Integer.valueOf(readRequestVersion))) {
                LOG.warn("invalid request version " + readRequestVersion);
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
            }
            ResponseSigner signer = responderImpl.getSigner();
            OcspServerConf.ResponseOption responseOption = responderImpl.getResponseOption();
            try {
                Object checkSignature = checkSignature(bArr, requestOption);
                if (checkSignature instanceof OcspRespWithCacheInfo) {
                    return (OcspRespWithCacheInfo) checkSignature;
                }
                OcspRequest ocspRequest = (OcspRequest) checkSignature;
                List<CertID> requestList = ocspRequest.getRequestList();
                int size = requestList.size();
                if (size > requestOption.getMaxRequestListCount()) {
                    LOG.warn(size + " entries in RequestList, but maximal " + requestOption.getMaxRequestListCount() + " is allowed");
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                }
                OcspRespControl ocspRespControl = new OcspRespControl();
                ocspRespControl.canCacheInfo = true;
                List<ExtendedExtension> extensions = ocspRequest.getExtensions();
                LinkedList linkedList = new LinkedList();
                ExtendedExtension removeExtension2 = removeExtension(extensions, OID.ID_PKIX_OCSP_NONCE);
                if (removeExtension2 != null) {
                    if (requestOption.getNonceOccurrence() == QuadrupleState.forbidden) {
                        LOG.warn("nonce forbidden, but is present in the request");
                        return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                    }
                    if (requestOption.getNonceOccurrence() == QuadrupleState.ignore) {
                        removeExtension2 = null;
                    } else {
                        int extnValueLength = removeExtension2.getExtnValueLength();
                        int nonceMinLen = requestOption.getNonceMinLen();
                        int nonceMaxLen = requestOption.getNonceMaxLen();
                        if (extnValueLength < nonceMinLen || extnValueLength > nonceMaxLen) {
                            LOG.warn("length of nonce {} not within [{},{}]", Integer.valueOf(extnValueLength), Integer.valueOf(nonceMinLen), Integer.valueOf(nonceMaxLen));
                            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                        }
                        ocspRespControl.canCacheInfo = false;
                        linkedList.add(removeExtension2);
                    }
                } else if (requestOption.getNonceOccurrence() == QuadrupleState.required) {
                    LOG.warn("nonce required, but is not present in the request");
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                }
                ConcurrentContentSigner concurrentContentSigner = null;
                if (responderImpl.getResponderOption().getMode() != ResponderOption.OcspMode.RFC2560 && (removeExtension = removeExtension(extensions, OID.ID_PKIX_OCSP_PREFSIGALGS)) != null) {
                    ASN1InputStream aSN1InputStream = new ASN1InputStream(removeExtension.getExtnValueStream());
                    try {
                        ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(aSN1InputStream.readObject());
                        int size2 = aSN1Sequence.size();
                        ArrayList arrayList = new ArrayList(size2);
                        for (int i = 0; i < size2; i++) {
                            arrayList.add(AlgorithmIdentifier.getInstance(aSN1Sequence.getObjectAt(i)));
                        }
                        aSN1InputStream.close();
                        concurrentContentSigner = signer.getSignerForPreferredSigAlgs(arrayList);
                    } catch (Throwable th) {
                        aSN1InputStream.close();
                        throw th;
                    }
                }
                if (!extensions.isEmpty()) {
                    boolean z2 = false;
                    Iterator<ExtendedExtension> it = extensions.iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        if (it.next().isCritical()) {
                            z2 = true;
                            break;
                        }
                    }
                    if (z2) {
                        if (LOG.isWarnEnabled()) {
                            LinkedList linkedList2 = new LinkedList();
                            for (ExtendedExtension extendedExtension : extensions) {
                                if (extendedExtension.isCritical()) {
                                    linkedList2.add(extendedExtension.getExtnType());
                                }
                            }
                            LOG.warn("could not process critial request extensions: {}", linkedList2);
                        }
                        return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                    }
                }
                if (concurrentContentSigner == null) {
                    concurrentContentSigner = signer.getFirstSigner();
                }
                AlgorithmCode algorithmCode = null;
                BigInteger bigInteger = null;
                Integer num = null;
                boolean z3 = size == 1 && this.responseCacher != null && removeExtension2 == null && this.responseCacher.isOnService();
                if (z3) {
                    CertID certID = requestList.get(0);
                    HashAlgo hashAlgorithm = certID.getIssuer().hashAlgorithm();
                    if (!requestOption.allows(hashAlgorithm)) {
                        LOG.warn("CertID.hashAlgorithm {} not allowed", hashAlgorithm != null ? hashAlgorithm : certID.getIssuer().hashAlgorithmOID());
                        return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                    }
                    algorithmCode = concurrentContentSigner.getAlgorithmCode();
                    num = this.responseCacher.getIssuerId(certID.getIssuer());
                    bigInteger = certID.getSerialNumber();
                    if (num != null) {
                        OcspRespWithCacheInfo ocspResponse = this.responseCacher.getOcspResponse(num.intValue(), bigInteger, algorithmCode);
                        if (ocspResponse != null) {
                            return ocspResponse;
                        }
                    } else if (this.master) {
                        X509Certificate x509Certificate = null;
                        Iterator<OcspStore> it2 = responderImpl.getStores().iterator();
                        while (it2.hasNext()) {
                            x509Certificate = it2.next().getIssuerCert(certID.getIssuer());
                            if (x509Certificate != null) {
                                break;
                            }
                        }
                        if (x509Certificate != null) {
                            num = this.responseCacher.storeIssuer(x509Certificate);
                        }
                    }
                    if (num == null) {
                        z3 = false;
                    }
                }
                OCSPRespBuilder oCSPRespBuilder = new OCSPRespBuilder(signer.getResponderId(responseOption.isResponderIdByName()));
                for (int i2 = 0; i2 < size; i2++) {
                    OcspRespWithCacheInfo processCertReq = processCertReq(requestList.get(i2), oCSPRespBuilder, responderImpl, requestOption, responseOption, ocspRespControl);
                    if (processCertReq != null) {
                        return processCertReq;
                    }
                }
                if (ocspRespControl.includeExtendedRevokeExtension) {
                    linkedList.add(extension_pkix_ocsp_extendedRevoke);
                }
                if (!linkedList.isEmpty()) {
                    oCSPRespBuilder.setResponseExtensions(new Extensions(linkedList));
                }
                OcspServerConf.EmbedCertsMode embedCertsMode = responseOption.getEmbedCertsMode();
                try {
                    byte[] buildOCSPResponse = oCSPRespBuilder.buildOCSPResponse(concurrentContentSigner, embedCertsMode == OcspServerConf.EmbedCertsMode.SIGNER ? signer.getSequenceOfCert() : embedCertsMode == OcspServerConf.EmbedCertsMode.NONE ? null : signer.getSequenceOfCertChain(), new Date());
                    if (z3 && ocspRespControl.canCacheInfo) {
                        this.responseCacher.storeOcspResponse(num.intValue(), bigInteger, ocspRespControl.cacheThisUpdate, Long.valueOf(ocspRespControl.cacheNextUpdate), algorithmCode, buildOCSPResponse);
                    }
                    if (!z || !ocspRespControl.canCacheInfo) {
                        return new OcspRespWithCacheInfo(buildOCSPResponse, null);
                    }
                    OcspRespWithCacheInfo.ResponseCacheInfo responseCacheInfo = new OcspRespWithCacheInfo.ResponseCacheInfo(ocspRespControl.cacheThisUpdate);
                    if (ocspRespControl.cacheNextUpdate != Long.MAX_VALUE) {
                        responseCacheInfo.setNextUpdate(Long.valueOf(ocspRespControl.cacheNextUpdate));
                    }
                    return new OcspRespWithCacheInfo(buildOCSPResponse, responseCacheInfo);
                } catch (OCSPException e) {
                    LogUtil.error(LOG, e, "answer() basicOcspBuilder.build");
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.internalError);
                } catch (NoIdleSignerException e2) {
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.tryLater);
                }
            } catch (Throwable th2) {
                LogUtil.error(LOG, th2);
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.internalError);
            }
        } catch (EncodingException e3) {
            LOG.warn("could not extract version from request");
            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
        }
    }

    private OcspRespWithCacheInfo processCertReq(CertID certID, OCSPRespBuilder oCSPRespBuilder, ResponderImpl responderImpl, RequestOption requestOption, OcspServerConf.ResponseOption responseOption, OcspRespControl ocspRespControl) throws IOException {
        byte[] encodeRevokedInfo;
        String str;
        HashAlgo hashAlgorithm = certID.getIssuer().hashAlgorithm();
        if (!requestOption.allows(hashAlgorithm)) {
            LOG.warn("CertID.hashAlgorithm {} not allowed", hashAlgorithm);
            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
        }
        CertStatusInfo certStatusInfo = null;
        boolean z = false;
        BigInteger serialNumber = certID.getSerialNumber();
        RequestIssuer issuer = certID.getIssuer();
        Date date = new Date();
        Iterator<OcspStore> it = responderImpl.getStores().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            OcspStore next = it.next();
            if (next.knowsIssuer(issuer)) {
                try {
                    certStatusInfo = next.getCertStatus(date, certID.getIssuer(), serialNumber, responseOption.isIncludeCerthash(), responseOption.isIncludeInvalidityDate(), responderImpl.getResponderOption().isInheritCaRevocation());
                    if (certStatusInfo != null) {
                        CertStatusInfo.CertStatus certStatus = certStatusInfo.getCertStatus();
                        if (certStatus == CertStatusInfo.CertStatus.UNKNOWN || certStatus == CertStatusInfo.CertStatus.IGNORE) {
                            switch (next.getUnknownCertBehaviour()) {
                                case good:
                                    if (certStatus == CertStatusInfo.CertStatus.UNKNOWN) {
                                        certStatusInfo.setCertStatus(CertStatusInfo.CertStatus.GOOD);
                                        break;
                                    }
                                    break;
                                case malformedRequest:
                                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                                case internalError:
                                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.internalError);
                                case tryLater:
                                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.tryLater);
                            }
                        }
                    }
                } catch (OcspStoreException e) {
                    z = true;
                    LogUtil.error(LOG, e, "getCertStatus() of CertStatusStore " + next.getName());
                }
            }
        }
        if (z) {
            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.tryLater);
        }
        if (certStatusInfo == null) {
            switch (this.unknownIssuerBehaviour) {
                case unknown:
                    certStatusInfo = CertStatusInfo.getIssuerUnknownCertStatusInfo(date, new Date(date.getTime() + 86400000));
                    break;
                case malformedRequest:
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                case unauthorized:
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.unauthorized);
                case internalError:
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.internalError);
                case tryLater:
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.tryLater);
            }
        }
        Date thisUpdate = certStatusInfo.getThisUpdate();
        if (thisUpdate == null) {
            thisUpdate = new Date();
        }
        Date nextUpdate = certStatusInfo.getNextUpdate();
        LinkedList linkedList = new LinkedList();
        boolean z2 = false;
        switch (certStatusInfo.getCertStatus()) {
            case GOOD:
                encodeRevokedInfo = bytes_certstatus_good;
                break;
            case ISSUER_UNKNOWN:
                ocspRespControl.canCacheInfo = false;
                encodeRevokedInfo = bytes_certstatus_unknown;
                break;
            case UNKNOWN:
            case IGNORE:
                ocspRespControl.canCacheInfo = false;
                if (responderImpl.getResponderOption().getMode() != ResponderOption.OcspMode.RFC2560) {
                    z2 = true;
                    encodeRevokedInfo = bytes_certstatus_rfc6960_unknown;
                    break;
                } else {
                    encodeRevokedInfo = bytes_certstatus_unknown;
                    break;
                }
            case REVOKED:
                CertRevocationInfo revocationInfo = certStatusInfo.getRevocationInfo();
                encodeRevokedInfo = Template.getEncodeRevokedInfo(responseOption.isIncludeRevReason() ? revocationInfo.getReason() : null, revocationInfo.getRevocationTime());
                Date invalidityTime = revocationInfo.getInvalidityTime();
                if (responseOption.isIncludeInvalidityDate() && invalidityTime != null && !invalidityTime.equals(revocationInfo.getRevocationTime())) {
                    linkedList.add(Template.getInvalidityDateExtension(invalidityTime));
                    break;
                }
                break;
            default:
                throw new IllegalStateException("unknown CertificateStatus:" + certStatusInfo.getCertStatus());
        }
        if (responderImpl.getResponderOption().getMode() != ResponderOption.OcspMode.RFC2560) {
            ocspRespControl.includeExtendedRevokeExtension = true;
        }
        byte[] certHash = certStatusInfo.getCertHash();
        if (certHash != null) {
            linkedList.add(Template.getCertHashExtension(certStatusInfo.getCertHashAlgo(), certHash));
        }
        if (certStatusInfo.getArchiveCutOff() != null) {
            linkedList.add(Template.getArchiveOffExtension(certStatusInfo.getArchiveCutOff()));
        }
        if (LOG.isDebugEnabled()) {
            if (Arrays.equals(encodeRevokedInfo, bytes_certstatus_good)) {
                str = "good";
            } else if (Arrays.equals(encodeRevokedInfo, bytes_certstatus_unknown)) {
                str = "unknown";
            } else if (Arrays.equals(encodeRevokedInfo, bytes_certstatus_rfc6960_unknown)) {
                str = "RFC6969_unknown";
            } else {
                str = z2 ? "unknown_as_revoked" : "revoked";
            }
            String concatObjectsCap = StringUtil.concatObjectsCap(250, "issuer: ", certID.getIssuer(), ", serialNumber: ", LogUtil.formatCsn(certID.getSerialNumber()), ", certStatus: ", str, ", thisUpdate: ", thisUpdate, ", nextUpdate: ", nextUpdate);
            StringBuilder sb = new StringBuilder(concatObjectsCap.length() + 80);
            sb.append(concatObjectsCap);
            if (certHash != null) {
                sb.append(", certHash: ").append(Hex.encode(certHash));
            }
            LOG.debug(sb.toString());
        }
        if (CollectionUtil.isEmpty(linkedList)) {
            oCSPRespBuilder.addResponse(certID, encodeRevokedInfo, thisUpdate, nextUpdate, null);
        } else {
            oCSPRespBuilder.addResponse(certID, encodeRevokedInfo, thisUpdate, nextUpdate, new Extensions(linkedList));
        }
        ocspRespControl.cacheThisUpdate = Math.max(ocspRespControl.cacheThisUpdate, thisUpdate.getTime());
        if (nextUpdate == null) {
            return null;
        }
        ocspRespControl.cacheNextUpdate = Math.min(ocspRespControl.cacheNextUpdate, nextUpdate.getTime());
        return null;
    }

    @Override // org.xipki.ocsp.api.OcspServer
    public HealthCheckResult healthCheck(Responder responder) {
        ResponderImpl responderImpl = (ResponderImpl) responder;
        HealthCheckResult healthCheckResult = new HealthCheckResult();
        healthCheckResult.setName("OCSPResponder");
        boolean z = true;
        for (OcspStore ocspStore : responderImpl.getStores()) {
            boolean isHealthy = ocspStore.isHealthy();
            z &= isHealthy;
            HealthCheckResult healthCheckResult2 = new HealthCheckResult();
            healthCheckResult2.setName("CertStatusStore." + ocspStore.getName());
            healthCheckResult2.setHealthy(isHealthy);
            healthCheckResult.addChildCheck(healthCheckResult2);
        }
        boolean isHealthy2 = responderImpl.getSigner().isHealthy();
        boolean z2 = z & isHealthy2;
        HealthCheckResult healthCheckResult3 = new HealthCheckResult();
        healthCheckResult3.setName("Signer");
        healthCheckResult3.setHealthy(isHealthy2);
        healthCheckResult.addChildCheck(healthCheckResult3);
        healthCheckResult.setHealthy(z2);
        return healthCheckResult;
    }

    public void refreshTokenForSignerType(String str) throws XiSecurityException {
        this.securityFactory.refreshTokenForSignerType(str);
    }

    private ResponseSigner initSigner(OcspServerConf.Signer signer) throws InvalidConfException {
        X509Certificate[] x509CertificateArr = null;
        X509Certificate x509Certificate = null;
        if (signer.getCert() != null) {
            x509Certificate = parseCert(signer.getCert());
        }
        if (x509Certificate != null) {
            HashSet hashSet = null;
            if (signer.getCaCerts() != null) {
                hashSet = new HashSet();
                Iterator<FileOrBinary> it = signer.getCaCerts().iterator();
                while (it.hasNext()) {
                    hashSet.add(parseCert(it.next()));
                }
            }
            try {
                x509CertificateArr = X509Util.buildCertPath(x509Certificate, hashSet);
            } catch (CertPathBuilderException e) {
                throw new InvalidConfException(e);
            }
        }
        String type = signer.getType();
        String key = signer.getKey();
        List<String> algorithms = signer.getAlgorithms();
        ArrayList arrayList = new ArrayList(algorithms.size());
        Iterator<String> it2 = algorithms.iterator();
        while (it2.hasNext()) {
            try {
                arrayList.add(this.securityFactory.createSigner(type, new SignerConf("algo=" + it2.next() + "," + key), x509CertificateArr));
            } catch (ObjectCreationException e2) {
                throw new InvalidConfException(e2.getMessage(), e2);
            }
        }
        try {
            return new ResponseSigner(arrayList);
        } catch (IOException | CertificateException e3) {
            throw new InvalidConfException(e3.getMessage(), e3);
        }
    }

    private OcspStore newStore(OcspServerConf.Store store, Map<String, DataSourceWrapper> map) throws InvalidConfException {
        OcspStore ocspStore;
        try {
            String type = store.getSource().getType();
            if (StringUtil.isBlank(type)) {
                throw new ObjectCreationException("OCSP store type is not specified");
            }
            if (STORE_TYPE_XIPKI_DB.equalsIgnoreCase(type)) {
                ocspStore = new DbCertStatusStore();
            } else if (STORE_TYPE_CRL.equalsIgnoreCase(type)) {
                ocspStore = new CrlDbCertStatusStore();
            } else if (STORE_TYPE_XIPKI_CA_DB.equalsIgnoreCase(type)) {
                ocspStore = new CaDbCertStatusStore();
            } else if (STORE_TYPE_EJBCA_DB.equalsIgnoreCase(type)) {
                ocspStore = new EjbcaCertStatusStore();
            } else {
                if (!type.startsWith("java:")) {
                    throw new ObjectCreationException("unknown OCSP store type " + type);
                }
                try {
                    ocspStore = (OcspStore) Class.forName(type.substring("java:".length()).trim(), false, getClass().getClassLoader()).newInstance();
                } catch (ClassCastException | ClassNotFoundException | IllegalAccessException | InstantiationException e) {
                    throw new InvalidConfException("ObjectCreationException of store " + store.getName() + ParameterizedMessage.ERROR_MSG_SEPARATOR + e.getMessage(), e);
                }
            }
            ocspStore.setName(store.getName());
            Integer retentionInterval = store.getRetentionInterval();
            ocspStore.setRetentionInterval(retentionInterval == null ? -1 : retentionInterval.intValue());
            ocspStore.setUnknownCertBehaviour(store.getUnknownCertBehaviour());
            ocspStore.setIncludeArchiveCutoff(getBoolean(store.getIncludeArchiveCutoff(), true));
            ocspStore.setIncludeCrlId(getBoolean(store.getIncludeCrlId(), true));
            ocspStore.setIgnoreExpiredCert(getBoolean(store.getIgnoreExpiredCert(), true));
            ocspStore.setIgnoreNotYetValidCert(getBoolean(store.getIgnoreNotYetValidCert(), true));
            if (store.getMinNextUpdatePeriod() != null) {
                ocspStore.setMinNextUpdatePeriod(Validity.getInstance(store.getMinNextUpdatePeriod()));
            } else {
                ocspStore.setMinNextUpdatePeriod(null);
            }
            if ("NEVER".equalsIgnoreCase(store.getUpdateInterval())) {
                ocspStore.setUpdateInterval(null);
            } else {
                String updateInterval = store.getUpdateInterval();
                ocspStore.setUpdateInterval(Validity.getInstance(StringUtil.isBlank(updateInterval) ? "5m" : updateInterval));
            }
            String datasource = store.getSource().getDatasource();
            DataSourceWrapper dataSourceWrapper = null;
            if (datasource != null) {
                dataSourceWrapper = map.get(datasource);
                if (dataSourceWrapper == null) {
                    throw new InvalidConfException("datasource named '" + datasource + "' not defined");
                }
            }
            try {
                ocspStore.init(store.getSource().getConf(), dataSourceWrapper);
                return ocspStore;
            } catch (OcspStoreException e2) {
                throw new InvalidConfException("CertStatusStoreException of store " + store.getName() + ParameterizedMessage.ERROR_MSG_SEPARATOR + e2.getMessage(), e2);
            }
        } catch (ObjectCreationException e3) {
            throw new InvalidConfException("ObjectCreationException of store " + store.getName() + ParameterizedMessage.ERROR_MSG_SEPARATOR + e3.getMessage(), e3);
        }
    }

    private Object checkSignature(byte[] bArr, RequestOption requestOption) throws OCSPException, CertificateParsingException, InvalidAlgorithmParameterException {
        try {
            if (!requestOption.isValidateSignature()) {
                return OcspRequest.getInstance(bArr);
            }
            if (!OcspRequest.containsSignature(bArr)) {
                if (!requestOption.isSignatureRequired()) {
                    return OcspRequest.getInstance(bArr);
                }
                LOG.warn("signature in request required");
                return unsuccesfulOCSPRespMap.get(OcspResponseStatus.sigRequired);
            }
            try {
                OCSPRequest oCSPRequest = OCSPRequest.getInstance(bArr);
                OCSPReq oCSPReq = new OCSPReq(oCSPRequest);
                X509CertificateHolder[] certs = oCSPReq.getCerts();
                if (certs == null || certs.length < 1) {
                    LOG.warn("no certificate found in request to verify the signature");
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.unauthorized);
                }
                try {
                    if (!oCSPReq.isSignatureValid(this.securityFactory.getContentVerifierProvider(certs[0]))) {
                        LOG.warn("request signature is invalid");
                        return unsuccesfulOCSPRespMap.get(OcspResponseStatus.unauthorized);
                    }
                    if (canBuildCertpath(certs, requestOption, new Date())) {
                        try {
                            return OcspRequest.getInstance(oCSPRequest);
                        } catch (EncodingException e) {
                            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
                        }
                    }
                    LOG.warn("could not build certpath for the request's signer certificate");
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.unauthorized);
                } catch (InvalidKeyException e2) {
                    LOG.warn("securityFactory.getContentVerifierProvider, InvalidKeyException: {}", e2.getMessage());
                    return unsuccesfulOCSPRespMap.get(OcspResponseStatus.unauthorized);
                }
            } catch (IllegalArgumentException e3) {
                throw new EncodingException("could not parse OCSP request", e3);
            }
        } catch (EncodingException e4) {
            return unsuccesfulOCSPRespMap.get(OcspResponseStatus.malformedRequest);
        }
    }

    private static boolean canBuildCertpath(X509CertificateHolder[] x509CertificateHolderArr, RequestOption requestOption, Date date) {
        try {
            X509Certificate x509Cert = X509Util.toX509Cert(x509CertificateHolderArr[0].toASN1Structure());
            HashSet hashSet = new HashSet();
            Set<CertWithEncoded> trustAnchors = requestOption.getTrustAnchors();
            Iterator<CertWithEncoded> it = trustAnchors.iterator();
            while (it.hasNext()) {
                hashSet.add(it.next().getCert());
            }
            int length = x509CertificateHolderArr.length;
            if (length > 1) {
                for (int i = 1; i < length; i++) {
                    try {
                        hashSet.add(X509Util.toX509Cert(x509CertificateHolderArr[i].toASN1Structure()));
                    } catch (CertificateException e) {
                    }
                }
            }
            if (CollectionUtil.isNotEmpty(requestOption.getCerts())) {
                hashSet.addAll(requestOption.getCerts());
            }
            try {
                X509Certificate[] buildCertPath = X509Util.buildCertPath(x509Cert, hashSet);
                CertpathValidationModel certpathValidationModel = requestOption.getCertpathValidationModel();
                Date date2 = new Date();
                if (certpathValidationModel == null || certpathValidationModel == CertpathValidationModel.PKIX) {
                    for (X509Certificate x509Certificate : buildCertPath) {
                        if (x509Certificate.getNotBefore().after(date2) || x509Certificate.getNotAfter().before(date2)) {
                            return false;
                        }
                    }
                } else if (certpathValidationModel != CertpathValidationModel.CHAIN) {
                    throw new IllegalStateException("invalid CertpathValidationModel " + certpathValidationModel.name());
                }
                for (int length2 = buildCertPath.length - 1; length2 >= 0; length2--) {
                    X509Certificate x509Certificate2 = buildCertPath[length2];
                    Iterator<CertWithEncoded> it2 = trustAnchors.iterator();
                    while (it2.hasNext()) {
                        if (it2.next().equalsCert(x509Certificate2)) {
                            return true;
                        }
                    }
                }
                return false;
            } catch (CertPathBuilderException e2) {
                LogUtil.warn(LOG, e2);
                return false;
            }
        } catch (CertificateException e3) {
            return false;
        }
    }

    private static boolean getBoolean(Boolean bool, boolean z) {
        return bool == null ? z : bool.booleanValue();
    }

    private static InputStream getInputStream(FileOrBinary fileOrBinary) throws IOException {
        return fileOrBinary.getFile() != null ? Files.newInputStream(Paths.get(IoUtil.expandFilepath(fileOrBinary.getFile()), new String[0]), new OpenOption[0]) : new ByteArrayInputStream(fileOrBinary.getBinary());
    }

    private static InputStream getInputStream(FileOrValue fileOrValue) throws IOException {
        return fileOrValue.getFile() != null ? Files.newInputStream(Paths.get(IoUtil.expandFilepath(fileOrValue.getFile()), new String[0]), new OpenOption[0]) : new ByteArrayInputStream(StringUtil.toUtf8Bytes(fileOrValue.getValue()));
    }

    private static void closeStream(InputStream inputStream) {
        if (inputStream == null) {
            return;
        }
        try {
            inputStream.close();
        } catch (IOException e) {
            LOG.warn("could not close stream: {}", e.getMessage());
        }
    }

    private static X509Certificate parseCert(FileOrBinary fileOrBinary) throws InvalidConfException {
        String str;
        InputStream inputStream = null;
        try {
            try {
                inputStream = getInputStream(fileOrBinary);
                X509Certificate parseCert = X509Util.parseCert(inputStream);
                closeStream(inputStream);
                return parseCert;
            } catch (IOException | CertificateException e) {
                str = "could not parse certificate";
                throw new InvalidConfException(fileOrBinary.getFile() != null ? str + " from file " + fileOrBinary.getFile() : "could not parse certificate");
            }
        } catch (Throwable th) {
            closeStream(inputStream);
            throw th;
        }
    }

    private static OcspServerConf parseConf(String str) throws InvalidConfException {
        try {
            InputStream newInputStream = Files.newInputStream(Paths.get(str, new String[0]), new OpenOption[0]);
            Throwable th = null;
            try {
                OcspServerConf ocspServerConf = (OcspServerConf) JSON.parseObject(newInputStream, OcspServerConf.class, new Feature[0]);
                ocspServerConf.validate();
                if (newInputStream != null) {
                    if (0 != 0) {
                        try {
                            newInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        newInputStream.close();
                    }
                }
                return ocspServerConf;
            } finally {
            }
        } catch (IOException | RuntimeException e) {
            throw new InvalidConfException("parse profile failed, message: " + e.getMessage(), e);
        }
    }

    private static ExtendedExtension removeExtension(List<ExtendedExtension> list, OID oid) {
        ExtendedExtension extendedExtension = null;
        Iterator<ExtendedExtension> it = list.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            ExtendedExtension next = it.next();
            if (oid == next.getExtnType()) {
                extendedExtension = next;
                break;
            }
        }
        if (extendedExtension != null) {
            list.remove(extendedExtension);
        }
        return extendedExtension;
    }

    static {
        for (OcspResponseStatus ocspResponseStatus : OcspResponseStatus.values()) {
            if (ocspResponseStatus != OcspResponseStatus.successful) {
                try {
                    unsuccesfulOCSPRespMap.put(ocspResponseStatus, new OcspRespWithCacheInfo(new OCSPResponse(new OCSPResponseStatus(ocspResponseStatus.getStatus()), (ResponseBytes) null).getEncoded(), null));
                } catch (IOException e) {
                    throw new ExceptionInInitializerError("could not encode OCSPResp for status " + ocspResponseStatus + ": " + e.getMessage());
                }
            }
        }
        ExtendedExtension extendedExtension = new ExtendedExtension(OID.ID_PKIX_OCSP_EXTENDEDREVOKE, true, DERNullBytes);
        byte[] bArr = new byte[extendedExtension.getEncodedLength()];
        extendedExtension.write(bArr, 0);
        extension_pkix_ocsp_extendedRevoke = new WritableOnlyExtension(bArr);
    }
}
