package hu.microsec.authenticator.util;

import hu.microsec.authenticator.util.CertificateUtil;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Random;
import org.apache.commons.io.IOUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.spongycastle.asn1.ASN1Encodable;
import org.spongycastle.asn1.DEROctetString;
import org.spongycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.spongycastle.asn1.x509.ExtensionsGenerator;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cert.ocsp.BasicOCSPResp;
import org.spongycastle.cert.ocsp.CertificateID;
import org.spongycastle.cert.ocsp.CertificateStatus;
import org.spongycastle.cert.ocsp.OCSPException;
import org.spongycastle.cert.ocsp.OCSPReq;
import org.spongycastle.cert.ocsp.OCSPReqBuilder;
import org.spongycastle.cert.ocsp.OCSPResp;
import org.spongycastle.cert.ocsp.SingleResp;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: classes.dex */
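public class OcspVerifier {
    private static final Logger LOGGER = LoggerFactory.getLogger(OcspVerifier.class);

    /**
     * Size in bytes of the random nonce attached to every request. RFC 8954 requires
     * responders to accept nonces of 1..32 octets; 16 is enough to make replay of a
     * captured response detectable.
     */
    private static final int NONCE_LENGTH = 16;

    /** HTTP status an OCSP responder returns on a successful exchange (RFC 6960 Appendix A). */
    private static final int HTTP_OK = 200;

    /**
     * Thrown by {@link #verify(X509Certificate, X509Certificate)} for any failure of the
     * OCSP exchange or of the checks on the response; the cause, when present, is the
     * underlying network / parsing error.
     */
    /* loaded from: classes.dex */
    public static final class OcspVerificationException extends Exception {
        private static final long serialVersionUID = 1;

        public OcspVerificationException(String str) {
            super(str);
        }

        public OcspVerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /**
     * Builds an OCSP request for one certificate.
     *
     * @param x509CertificateHolder the issuer certificate; its name and key are hashed into the CertID
     * @param bigInteger the serial number of the certificate whose status is queried
     * @return the encoded-ready request carrying a fresh random nonce extension
     * @throws OCSPException if the request cannot be assembled
     * @throws CertificateEncodingException if the issuer certificate cannot be encoded
     * @throws IOException if the nonce extension cannot be encoded
     * @throws OperatorCreationException if no SHA-1 digest calculator is available
     */
    public static OCSPReq generateOCSPRequest(X509CertificateHolder x509CertificateHolder, BigInteger bigInteger) throws OCSPException, CertificateEncodingException, IOException, OperatorCreationException {
        OCSPReqBuilder builder = new OCSPReqBuilder();
        // SHA-1 here only identifies the issuer to the responder (CertID), it is not a trust decision.
        builder.addRequest(new CertificateID(
                new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1),
                x509CertificateHolder, bigInteger));
        // The nonce is what ties a response to this request; it must be unpredictable, so it is
        // drawn from SecureRandom rather than from a clock-seeded java.util.Random.
        byte[] nonce = new byte[NONCE_LENGTH];
        new SecureRandom().nextBytes(nonce);
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        extensions.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, (ASN1Encodable) new DEROctetString(nonce));
        builder.setRequestExtensions(extensions.generate());
        return builder.build();
    }

    /**
     * Sends {@code request} to the OCSP responder named in the AIA extension of
     * {@code x509Certificate2} over HTTP POST and returns the raw response.
     *
     * @param x509Certificate2 the certificate whose AIA extension supplies the responder URL
     * @param request the request to POST, as built by {@link #generateOCSPRequest}
     * @return the responder's answer, or {@code null} when the certificate has no OCSP URI
     *         or the URI uses a scheme other than http(s)
     * @throws Exception on any network or decoding failure (including a non-200 HTTP status)
     */
    private static OCSPResp getOCSPResponse(X509Certificate x509Certificate2, OCSPReq request) throws Exception {
        String ocspUrl = CertificateUtil.extractStringFromAIA(x509Certificate2, CertificateUtil.AIA_OIDS.OCSP_URI);
        if (ocspUrl == null) {
            return null;
        }
        LOGGER.debug("OCSP service address: {}", ocspUrl);
        if (!ocspUrl.startsWith("http")) {
            LOGGER.warn("Unsupported protocol for OCSP URL: {}", ocspUrl);
            return null;
        }
        HttpURLConnection connection = null;
        OutputStream requestBody = null;
        try {
            connection = (HttpURLConnection) new URL(ocspUrl).openConnection();
            connection.setRequestProperty("Content-Type", "application/ocsp-request");
            connection.setRequestProperty("Accept", "application/ocsp-response");
            connection.setDoOutput(true);
            requestBody = connection.getOutputStream();
            requestBody.write(request.getEncoded());
            requestBody.flush();
            int responseCode = connection.getResponseCode();
            if (HTTP_OK != responseCode) {
                throw new IOException("Http response code: " + responseCode);
            }
            OCSPResp response = new OCSPResp(IOUtils.toByteArray(connection.getInputStream()));
            LOGGER.debug("OCSP response readed.");
            return response;
        } catch (Exception e) {
            LOGGER.error("Failed to get OCSP response");
            throw e;
        } finally {
            // Released on every path, including the exception path the original code left open.
            IOUtils.closeQuietly(requestBody);
            if (connection != null) {
                connection.disconnect();
            }
        }
    }

    /**
     * Checks that the nonce echoed by the responder equals the one sent in the request.
     * A response without a nonce is tolerated (RFC 6960 allows pre-produced responses)
     * but logged, because replay of an older response cannot then be excluded.
     *
     * @param request the request that was sent
     * @param response the basic response received
     * @throws OcspVerificationException if the response carries a different nonce
     */
    private static void checkNonce(OCSPReq request, BasicOCSPResp response) throws OcspVerificationException {
        if (request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce) == null) {
            return;
        }
        if (response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce) == null) {
            LOGGER.warn("OCSP response carries no nonce, replay of an earlier response can not be excluded");
            return;
        }
        byte[] sent = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getExtnValue().getOctets();
        byte[] echoed = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getExtnValue().getOctets();
        if (!Arrays.equals(sent, echoed)) {
            throw new OcspVerificationException("OCSP response nonce does not match the request nonce");
        }
    }

    /**
     * Returns the single response whose CertID serial equals {@code serialNumber},
     * logging every entry on the way, or {@code null} if none matches.
     */
    private static SingleResp findResponseForSerial(BasicOCSPResp basicResponse, BigInteger serialNumber) {
        for (SingleResp singleResp : basicResponse.getResponses()) {
            BigInteger respondedSerial = singleResp.getCertID().getSerialNumber();
            CertificateStatus certStatus = singleResp.getCertStatus();
            LOGGER.debug("Cert ID: {}", respondedSerial.toString(16));
            LOGGER.debug("Status: {}", certStatus == null ? "-" : certStatus.getClass().getSimpleName());
            if (serialNumber.equals(respondedSerial)) {
                return singleResp;
            }
        }
        return null;
    }

    /**
     * Queries the OCSP responder of {@code x509Certificate2} and reports whether it
     * considers the certificate good.
     *
     * <p>NOTE(review): the responder's signature on the BasicOCSPResp is not verified
     * anywhere in this class, so the result is only as trustworthy as the transport to the
     * responder; {@code BasicOCSPResp.isSignatureValid} against the issuer key (or a
     * delegated responder certificate) should be added before relying on this for
     * revocation decisions.
     *
     * @param x509Certificate the issuer certificate of {@code x509Certificate2}
     * @param x509Certificate2 the certificate to check
     * @return {@code true} only if the matching single response reports status GOOD;
     *         {@code false} for REVOKED and UNKNOWN
     * @throws OcspVerificationException if no usable response was obtained, its status is
     *         not successful, the nonce does not match, no entry matches the serial, or the
     *         matching entry is past its nextUpdate
     */
    public static boolean verify(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws OcspVerificationException {
        BigInteger serialNumber = x509Certificate2.getSerialNumber();
        LOGGER.debug("OCSP verification, issuer SN: {}  cert SN: {}", x509Certificate.getSerialNumber().toString(16), serialNumber.toString(16));
        try {
            // The request is built here (not inside getOCSPResponse) so its nonce is available for checkNonce.
            OCSPReq request = generateOCSPRequest(new X509CertificateHolder(x509Certificate.getEncoded()), serialNumber);
            OCSPResp response = getOCSPResponse(x509Certificate2, request);
            if (response == null) {
                throw new OcspVerificationException("OCSP request error, no response");
            }
            if (response.getStatus() != OCSPResp.SUCCESSFUL) {
                throw new OcspVerificationException("OCSP request error, status: " + response.getStatus());
            }
            Object responseObject = response.getResponseObject();
            if (responseObject == null) {
                throw new OcspVerificationException("OCSP request error, empty response");
            }
            if (!(responseObject instanceof BasicOCSPResp)) {
                throw new OcspVerificationException("OCSP request error, unsupported response type: " + responseObject.getClass().getName());
            }
            BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;
            checkNonce(request, basicResponse);
            SingleResp match = findResponseForSerial(basicResponse, serialNumber);
            if (match == null) {
                throw new OcspVerificationException("OCSP request error, no matching response");
            }
            // RFC 6960 4.2.2.1: a response older than its nextUpdate must not be relied on.
            if (match.getNextUpdate() != null && match.getNextUpdate().getTime() < System.currentTimeMillis()) {
                throw new OcspVerificationException("OCSP response is stale, nextUpdate: " + match.getNextUpdate());
            }
            // CertificateStatus.GOOD is the null status; REVOKED and UNKNOWN are non-null objects.
            boolean good = match.getCertStatus() == CertificateStatus.GOOD;
            LOGGER.debug("Valid: {}", Boolean.valueOf(good));
            return good;
        } catch (OcspVerificationException e) {
            // Already carries the specific reason; do not bury it under a generic wrapper.
            throw e;
        } catch (Exception e) {
            throw new OcspVerificationException("Can not verify cert by OCSP", e);
        }
    }
}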
