package org.xipki.qa.ocsp;

import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers;
import org.bouncycastle.asn1.isismtt.ocsp.CertHash;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.xipki.ocsp.client.OcspResponseException;
import org.xipki.qa.ValidationIssue;
import org.xipki.qa.ValidationResult;
import org.xipki.security.CrlReason;
import org.xipki.security.HashAlgo;
import org.xipki.security.IssuerHash;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.DateUtil;
import org.xipki.util.TripleState;

/* loaded from: input_file:org/xipki/qa/ocsp/OcspQa.class */
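/**
 * Quality-assurance checker for OCSP responses.
 *
 * <p>Each {@code checkOcsp} variant compares one response against a set of expectations
 * (response status, signature, responder certificate, per-certificate status, revocation
 * time, CertHash, nonce/nextUpdate occurrence) and reports the outcome as a list of
 * {@link ValidationIssue}s wrapped in a {@link ValidationResult}. Issues are appended in a
 * fixed order so that reports are stable across runs.
 *
 * <p>Security notes for users of this class:
 * <ul>
 *   <li>The response signature is verified with the public key of a certificate carried
 *       <em>inside the response</em>. That certificate is only chained to a trust anchor when
 *       {@link OcspResponseOption#getRespIssuer()} is configured; without it a response signed
 *       by any self-chosen key passes {@code OCSP.SIG.VALIDATION}.</li>
 *   <li>The nonce check is a presence check only; the request nonce is not available here,
 *       so equality with the request value is not verified.</li>
 * </ul>
 */
public class OcspQa {

    private final SecurityFactory securityFactory;

    /**
     * @param securityFactory supplies the content-verifier provider used to check the response
     *                        signature; must not be {@code null}
     */
    public OcspQa(SecurityFactory securityFactory) {
        this.securityFactory = (SecurityFactory) Args.notNull(securityFactory, "securityFactory");
    }

    /**
     * Checks a response that is expected to cover exactly one certificate.
     *
     * @param response           the OCSP response to check
     * @param issuerHash         hashes of the issuer the CertID must match
     * @param serialNumber       serial number of the certificate that was asked for
     * @param encodedCert        encoded certificate used to verify the CertHash, or {@code null}
     *                           to skip that check
     * @param expectedOcspStatus expected status; {@code null} makes the delegate reject the call
     *                           (expected statuses are mandatory)
     * @param responseOption     expectations about signature algorithm, trust anchor and
     *                           extension occurrence
     * @param expectedRevTime    expected revocation time, or {@code null} to skip that check
     * @param noSigVerify        {@code true} to report signature presence only and skip
     *                           signature / signer-certificate validation
     * @return the validation result
     */
    public ValidationResult checkOcsp(OCSPResp response, IssuerHash issuerHash, BigInteger serialNumber,
            byte[] encodedCert, OcspCertStatus expectedOcspStatus, OcspResponseOption responseOption,
            Date expectedRevTime, boolean noSigVerify) {
        List<BigInteger> serialNumbers = new ArrayList<>(1);
        serialNumbers.add(serialNumber);

        return checkOcsp(response, issuerHash, serialNumbers,
                singletonOrNull(serialNumber, encodedCert),
                singletonOrNull(serialNumber, expectedOcspStatus),
                singletonOrNull(serialNumber, expectedRevTime),
                responseOption, noSigVerify);
    }

    /**
     * Checks a response that is expected to be an error response.
     *
     * @param response  the OCSP response to check
     * @param ocspError the expected OCSPResponseStatus
     * @return a result with the single issue {@code OCSP.STATUS}
     */
    public ValidationResult checkOcsp(OCSPResp response, OcspError ocspError) {
        Args.notNull(response, "response");
        Args.notNull(ocspError, "expectedOcspError");

        List<ValidationIssue> issues = new LinkedList<>();
        ValidationIssue statusIssue = new ValidationIssue("OCSP.STATUS", "response.status");
        issues.add(statusIssue);

        int status = response.getStatus();
        if (status != ocspError.getStatus()) {
            statusIssue.setFailureMessage("is '" + OcspResponseException.Unsuccessful.getStatusText(status)
                    + "', but expected '" + OcspResponseException.Unsuccessful.getStatusText(ocspError.getStatus())
                    + "'");
        }
        return new ValidationResult(issues);
    }

    /**
     * Checks a successful response covering several certificates.
     *
     * <p>Issue order: {@code OCSP.STATUS}, {@code OCSP.ENCODING}, {@code OCSP.RESPONSES.NUM},
     * {@code OCSP.SIG}, the signature issues (see {@link #checkSignature}), {@code OCSP.NONCE},
     * then the per-certificate issues {@code OCSP.RESPONSE.<i>.*}. The method returns early
     * after the first of the structural checks (status, encoding, count) fails, because the
     * later checks would have nothing to look at.
     *
     * @param response            the OCSP response to check
     * @param issuerHash          hashes of the issuer every CertID must match
     * @param serialNumbers       serial numbers that were asked for; the response must carry
     *                            exactly this many single responses
     * @param encodedCerts        serial &rarr; encoded certificate for the CertHash check; may be
     *                            {@code null}, entries may be missing
     * @param expectedOcspStatuses serial &rarr; expected status; must not be empty. A single
     *                            response for a serial that is not in this map is reported as a
     *                            status mismatch against {@code expected='null'}.
     * @param expectedRevTimes    serial &rarr; expected revocation time; may be {@code null}
     * @param responseOption      expectations about signature algorithm, trust anchor and
     *                            extension occurrence
     * @param noSigVerify         {@code true} to skip signature and signer-certificate validation
     * @return the validation result
     */
    public ValidationResult checkOcsp(OCSPResp response, IssuerHash issuerHash, List<BigInteger> serialNumbers,
            Map<BigInteger, byte[]> encodedCerts, Map<BigInteger, OcspCertStatus> expectedOcspStatuses,
            Map<BigInteger, Date> expectedRevTimes, OcspResponseOption responseOption, boolean noSigVerify) {
        Args.notNull(response, "response");
        Args.notEmpty(serialNumbers, "serialNumbers");
        Args.notEmpty(expectedOcspStatuses, "expectedOcspStatuses");
        Args.notNull(responseOption, "responseOption");

        List<ValidationIssue> issues = new LinkedList<>();

        // 1. OCSPResponseStatus: only successful(0) carries a BasicOCSPResponse.
        ValidationIssue statusIssue = new ValidationIssue("OCSP.STATUS", "response.status");
        issues.add(statusIssue);
        int status = response.getStatus();
        if (status != 0) {
            statusIssue.setFailureMessage("is '" + OcspResponseException.Unsuccessful.getStatusText(status)
                    + "', but expected 'successful'");
            return new ValidationResult(issues);
        }

        // 2. Decode the response bytes. getResponseObject() returns null when responseBytes is
        //    absent and a raw ASN.1 object for a response type other than id-pkix-ocsp-basic;
        //    both used to escape as NPE/ClassCastException instead of a reported issue.
        ValidationIssue encodingIssue = new ValidationIssue("OCSP.ENCODING", "response encoding");
        issues.add(encodingIssue);
        BasicOCSPResp basicResp;
        try {
            Object responseObject = response.getResponseObject();
            if (!(responseObject instanceof BasicOCSPResp)) {
                encodingIssue.setFailureMessage(responseObject == null
                        ? "response contains no responseBytes"
                        : "response is not a BasicOCSPResponse: " + responseObject.getClass().getName());
                return new ValidationResult(issues);
            }
            basicResp = (BasicOCSPResp) responseObject;
        } catch (OCSPException ex) {
            encodingIssue.setFailureMessage(ex.getMessage());
            return new ValidationResult(issues);
        }

        // 3. Number of single responses must equal the number of requested serials.
        SingleResp[] singleResponses = basicResp.getResponses();
        ValidationIssue countIssue = new ValidationIssue("OCSP.RESPONSES.NUM", "number of single responses");
        issues.add(countIssue);
        if (singleResponses == null || singleResponses.length == 0) {
            countIssue.setFailureMessage("received no status from server");
            return new ValidationResult(issues);
        }
        if (singleResponses.length != serialNumbers.size()) {
            countIssue.setFailureMessage("is '" + singleResponses.length
                    + "', but expected '" + serialNumbers.size() + "'");
            return new ValidationResult(issues);
        }

        // 4. Signature presence. An unsigned response is always reported; when noSigVerify is set
        //    the description is tagged "(Ignore)" to show that a present signature was not verified.
        boolean signed = basicResp.getSignature() != null;
        ValidationIssue sigIssue = new ValidationIssue("OCSP.SIG",
                (noSigVerify && signed) ? "signature presence (Ignore)" : "signature presence");
        issues.add(sigIssue);
        if (!signed) {
            sigIssue.setFailureMessage("response is not signed");
        }

        if (signed && !noSigVerify) {
            checkSignature(basicResp, singleResponses, responseOption, issues);
        }

        // 5. Nonce: presence/absence only. The request nonce is not known here, so a replayed
        //    response with a stale nonce is not detected by this check.
        issues.add(checkOccurrence("OCSP.NONCE",
                basicResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce),
                responseOption.getNonceOccurrence()));

        // 6. Per-certificate checks. extendedRevoke changes how "unknown" is signalled, see checkSingleCert.
        boolean extendedRevoke =
                basicResp.getExtension(ObjectIdentifiers.Extn.id_pkix_ocsp_extendedRevoke) != null;

        for (int i = 0; i < singleResponses.length; i++) {
            SingleResp singleResp = singleResponses[i];
            BigInteger serialNumber = singleResp.getCertID().getSerialNumber();
            issues.addAll(checkSingleCert(i, singleResp, issuerHash,
                    expectedOcspStatuses.get(serialNumber),
                    encodedCerts == null ? null : encodedCerts.get(serialNumber),
                    expectedRevTimes == null ? null : expectedRevTimes.get(serialNumber),
                    extendedRevoke,
                    responseOption.getNextUpdateOccurrence(),
                    responseOption.getCerthashOccurrence(),
                    responseOption.getCerthashAlg()));
        }

        return new ValidationResult(issues);
    }

    /**
     * Checks the signature algorithm, the responder certificate and the signature value of a
     * signed response. Appends {@code OCSP.SIG.ALG}, {@code OCSP.SIGNERCERT},
     * {@code OCSP.SIG.VALIDATION} and, once a signer certificate was located,
     * {@code OCSP.SIGNERCERT.TRUST} to {@code issues}.
     *
     * <p>Trust: the signer certificate is taken from the response itself. It is only chained
     * (issuer match + signature over the certificate) when {@code responseOption.getRespIssuer()}
     * is set; otherwise the response signature is merely checked for consistency with the
     * embedded certificate. Neither the id-kp-OCSPSigning EKU nor the "responder is the CA"
     * case is examined here.
     */
    private void checkSignature(BasicOCSPResp basicResp, SingleResp[] singleResponses,
            OcspResponseOption responseOption, List<ValidationIssue> issues) {
        ValidationIssue sigAlgIssue = new ValidationIssue("OCSP.SIG.ALG", "signature algorithm");
        issues.add(sigAlgIssue);
        SignAlgo expectedSigAlg = responseOption.getSignatureAlg();
        if (expectedSigAlg != null) {
            try {
                SignAlgo sigAlg = SignAlgo.getInstance(basicResp.getSignatureAlgorithmID());
                if (sigAlg != expectedSigAlg) {
                    sigAlgIssue.setFailureMessage("is '" + sigAlg.getJceName()
                            + "', but expected '" + expectedSigAlg.getJceName() + "'");
                }
            } catch (NoSuchAlgorithmException ex) {
                sigAlgIssue.setFailureMessage("could not extract the signature algorithm");
            }
        }

        ValidationIssue signerCertIssue = new ValidationIssue("OCSP.SIGNERCERT", "signer certificate");
        issues.add(signerCertIssue);
        ValidationIssue sigValidationIssue = new ValidationIssue("OCSP.SIG.VALIDATION", "signature validation");
        issues.add(sigValidationIssue);

        X509CertificateHolder[] certs = basicResp.getCerts();
        if (certs == null || certs.length == 0) {
            signerCertIssue.setFailureMessage("no responder certificate is contained in the response");
            sigValidationIssue.setFailureMessage("could not find certificate to validate signature");
            return;
        }

        X509CertificateHolder signerCert =
                findResponderCert(basicResp.getResponderId().toASN1Primitive(), certs);
        if (signerCert == null) {
            signerCertIssue.setFailureMessage("no responder certificate match the ResponderId");
            sigValidationIssue.setFailureMessage(
                    "could not find certificate matching the ResponderId to validate signature");
            return;
        }

        ValidationIssue trustIssue = new ValidationIssue("OCSP.SIGNERCERT.TRUST", "signer certificate validation");
        issues.add(trustIssue);

        // The signer must be valid at every thisUpdate it vouches for; the last failure wins.
        for (int i = 0; i < singleResponses.length; i++) {
            Date thisUpdate = singleResponses[i].getThisUpdate();
            if (!signerCert.isValidOn(thisUpdate)) {
                trustIssue.setFailureMessage(String.format(
                        "responder certificate is not valid on the thisUpdate[%d]: %s", i, thisUpdate));
            }
        }

        X509Cert respIssuer = responseOption.getRespIssuer();
        if (!trustIssue.isFailed() && respIssuer != null) {
            try {
                X509Cert signer = new X509Cert(signerCert);
                if (X509Util.issues(respIssuer, signer)) {
                    signer.verify(respIssuer.getPublicKey());
                } else {
                    trustIssue.setFailureMessage("responder signer is not trusted");
                }
            } catch (Exception ex) {
                // name mismatch, bad signature over the signer cert, or key extraction failure
                trustIssue.setFailureMessage("responder signer is not trusted");
            }
        }
        // NOTE(review): with respIssuer == null no trust decision is made at all — the signature
        // below is verified against a key chosen by whoever produced the response.

        try {
            boolean valid = basicResp.isSignatureValid(securityFactory.getContentVerifierProvider(
                    KeyUtil.generatePublicKey(signerCert.getSubjectPublicKeyInfo())));
            if (!valid) {
                sigValidationIssue.setFailureMessage("signature is invalid");
            }
        } catch (Exception ex) {
            sigValidationIssue.setFailureMessage("could not validate signature");
        }
    }

    /**
     * Picks the certificate matching the ResponderID out of the certificates carried in the
     * response: by subject name when the ResponderID is byName, otherwise by the SHA-1 hash of
     * the subjectPublicKey BIT STRING value (the KeyHash definition of RFC 6960).
     *
     * @return the first matching certificate, or {@code null} if none matches
     */
    private static X509CertificateHolder findResponderCert(ResponderID responderId, X509CertificateHolder[] certs) {
        X500Name byName = responderId.getName();
        byte[] byKeyHash = responderId.getKeyHash();

        for (X509CertificateHolder cert : certs) {
            if (byName != null) {
                if (cert.getSubject().equals(byName)) {
                    return cert;
                }
            } else {
                byte[] keyHash = HashAlgo.SHA1.hash(
                        cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
                if (Arrays.equals(byKeyHash, keyHash)) {
                    return cert;
                }
            }
        }
        return null;
    }

    /**
     * Checks one SingleResponse. Produces, in order, {@code ISSUER}, {@code STATUS},
     * {@code REVTIME}, {@code NEXTUPDATE}, {@code CERTHASH} and, when a CertHash is present,
     * optionally {@code CHASH.ALG} (if an algorithm is expected) and {@code CHASH.VALIDITY}
     * (if the encoded certificate is known), all prefixed with {@code OCSP.RESPONSE.<index>.}.
     *
     * @param index              position of the single response, used in issue codes
     * @param singleResp         the single response under test
     * @param issuerHash         expected issuer name/key hashes
     * @param expectedStatus     expected status, or {@code null} if the serial was not requested
     * @param encodedCert        encoded certificate for the CertHash check, or {@code null}
     * @param expectedRevTime    expected revocation time, or {@code null} to skip
     * @param extendedRevoke     whether the response carries id-pkix-ocsp-extended-revoke
     * @param nextUpdateOccurrence expected occurrence of nextUpdate
     * @param certhashOccurrence expected occurrence of the CertHash extension; forced to
     *                           {@code forbidden} when the expected status is unknown/issuerUnknown,
     *                           because the responder has no certificate to hash in that case
     * @param certhashAlg        expected CertHash algorithm, or {@code null} to skip
     */
    private List<ValidationIssue> checkSingleCert(int index, SingleResp singleResp, IssuerHash issuerHash,
            OcspCertStatus expectedStatus, byte[] encodedCert, Date expectedRevTime, boolean extendedRevoke,
            TripleState nextUpdateOccurrence, TripleState certhashOccurrence, HashAlgo certhashAlg) {
        if (expectedStatus == OcspCertStatus.unknown || expectedStatus == OcspCertStatus.issuerUnknown) {
            certhashOccurrence = TripleState.forbidden;
        }

        String prefix = "OCSP.RESPONSE." + index + ".";
        List<ValidationIssue> issues = new LinkedList<>();

        // CertID must hash the issuer we asked about, with an algorithm we know.
        ValidationIssue issuerIssue = new ValidationIssue(prefix + "ISSUER", "certificate issuer");
        issues.add(issuerIssue);
        CertificateID certId = singleResp.getCertID();
        try {
            HashAlgo certIdHashAlgo = HashAlgo.getInstance(certId.getHashAlgOID());
            if (!issuerHash.match(certIdHashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash())) {
                issuerIssue.setFailureMessage("issuer not match");
            }
        } catch (NoSuchAlgorithmException ex) {
            issuerIssue.setFailureMessage("unknown hash algorithm " + certId.getHashAlgOID().getId());
        }

        // Map BouncyCastle's CertStatus (null = good) onto OcspCertStatus.
        ValidationIssue statusIssue = new ValidationIssue(prefix + "STATUS", "certificate status");
        issues.add(statusIssue);
        CertificateStatus certStatus = singleResp.getCertStatus();
        OcspCertStatus actualStatus = null;
        Long revTimeSec = null;

        if (certStatus == null) {
            actualStatus = OcspCertStatus.good;
        } else if (certStatus instanceof RevokedStatus) {
            RevokedStatus revoked = (RevokedStatus) certStatus;
            revTimeSec = revoked.getRevocationTime().getTime() / 1000;
            if (!revoked.hasRevocationReason()) {
                actualStatus = OcspCertStatus.rev_noreason;
            } else {
                int reasonCode = revoked.getRevocationReason();
                boolean nonIssuedMarker = extendedRevoke
                        && reasonCode == CrlReason.CERTIFICATE_HOLD.getCode()
                        && revTimeSec.longValue() == 0L;
                if (nonIssuedMarker) {
                    // extended-revoke convention: revoked/certificateHold at 1970-01-01T00:00:00Z
                    // stands for "certificate unknown", so there is no real revocation time.
                    actualStatus = OcspCertStatus.unknown;
                    revTimeSec = null;
                } else {
                    CrlReason reason = CrlReason.forReasonCode(reasonCode);
                    actualStatus = toOcspCertStatus(reason);
                    if (actualStatus == null) {
                        statusIssue.setFailureMessage("should not reach here, unknown CRLReason " + reason);
                    }
                }
            }
        } else if (certStatus instanceof UnknownStatus) {
            // With extended-revoke, a plain "unknown" means the responder does not serve this issuer.
            actualStatus = extendedRevoke ? OcspCertStatus.issuerUnknown : OcspCertStatus.unknown;
        } else {
            statusIssue.setFailureMessage("unknown certstatus: " + certStatus.getClass().getName());
        }

        if (!statusIssue.isFailed() && expectedStatus != actualStatus) {
            statusIssue.setFailureMessage("is='" + actualStatus + "', but expected='" + expectedStatus + "'");
        }

        // Revocation time is compared at second granularity (ASN.1 GeneralizedTime has no millis here).
        ValidationIssue revTimeIssue = new ValidationIssue(prefix + "REVTIME", "certificate time");
        issues.add(revTimeIssue);
        if (expectedRevTime != null) {
            long expectedSec = expectedRevTime.getTime() / 1000;
            if (revTimeSec == null) {
                revTimeIssue.setFailureMessage("is='null', but expected='" + formatTime(expectedRevTime) + "'");
            } else if (revTimeSec.longValue() != expectedSec) {
                revTimeIssue.setFailureMessage("is='" + formatTime(new Date(revTimeSec.longValue() * 1000))
                        + "', but expected='" + formatTime(expectedRevTime) + "'");
            }
        }

        issues.add(checkOccurrence(prefix + "NEXTUPDATE", singleResp.getNextUpdate(), nextUpdateOccurrence));

        Extension certHashExtn = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
        ValidationIssue certHashIssue = checkOccurrence(prefix + "CERTHASH", certHashExtn, certhashOccurrence);
        issues.add(certHashIssue);
        if (certHashExtn == null) {
            return issues;
        }

        // The extension comes from the network; a malformed one is reported, not thrown.
        CertHash certHash;
        try {
            certHash = CertHash.getInstance(certHashExtn.getParsedValue());
        } catch (IllegalArgumentException ex) {
            certHashIssue.setFailureMessage("malformed CertHash extension: " + ex.getMessage());
            return issues;
        }
        ASN1ObjectIdentifier hashOid = certHash.getHashAlgorithm().getAlgorithm();

        if (certhashAlg != null) {
            ValidationIssue algIssue = new ValidationIssue(prefix + "CHASH.ALG", "certhash algorithm");
            issues.add(algIssue);
            try {
                HashAlgo actualAlg = HashAlgo.getInstance(certHash.getHashAlgorithm());
                if (actualAlg != certhashAlg) {
                    algIssue.setFailureMessage("is '" + actualAlg + "', but expected '" + certhashAlg + "'");
                }
            } catch (NoSuchAlgorithmException ex) {
                algIssue.setFailureMessage(ex.getMessage());
            }
        }

        if (encodedCert != null) {
            // Re-encode as DER first so PEM/BER input hashes the same bytes the responder hashed.
            byte[] derEncoded = X509Util.toDerEncoded(encodedCert);
            ValidationIssue validityIssue = new ValidationIssue(prefix + "CHASH.VALIDITY", "certhash validity");
            issues.add(validityIssue);
            try {
                byte[] expectedHash = MessageDigest.getInstance(hashOid.getId()).digest(derEncoded);
                if (!MessageDigest.isEqual(expectedHash, certHash.getCertificateHash())) {
                    validityIssue.setFailureMessage("certhash does not match the requested certificate");
                }
            } catch (NoSuchAlgorithmException ex) {
                validityIssue.setFailureMessage("NoSuchAlgorithm " + hashOid.getId());
            }
        }

        return issues;
    }

    /**
     * Maps a CRL reason onto the corresponding {@link OcspCertStatus}.
     *
     * @return the status, or {@code null} for a {@code null} or unmapped reason
     */
    private static OcspCertStatus toOcspCertStatus(CrlReason reason) {
        if (reason == null) {
            return null;
        }
        switch (reason) {
            case UNSPECIFIED:
                return OcspCertStatus.unspecified;
            case KEY_COMPROMISE:
                return OcspCertStatus.keyCompromise;
            case CA_COMPROMISE:
                return OcspCertStatus.cACompromise;
            case AFFILIATION_CHANGED:
                return OcspCertStatus.affiliationChanged;
            case SUPERSEDED:
                return OcspCertStatus.superseded;
            case CESSATION_OF_OPERATION:
                return OcspCertStatus.cessationOfOperation;
            case CERTIFICATE_HOLD:
                return OcspCertStatus.certificateHold;
            case REMOVE_FROM_CRL:
                return OcspCertStatus.removeFromCRL;
            case PRIVILEGE_WITHDRAWN:
                return OcspCertStatus.privilegeWithdrawn;
            case AA_COMPROMISE:
                return OcspCertStatus.aACompromise;
            default:
                return null;
        }
    }

    /**
     * Builds an issue named {@code code} that fails when the presence of {@code value}
     * contradicts {@code expected}; {@code optional} (or any other state) never fails.
     */
    private static ValidationIssue checkOccurrence(String code, Object value, TripleState expected) {
        ValidationIssue issue = new ValidationIssue(code, code);
        if (expected == TripleState.forbidden && value != null) {
            issue.setFailureMessage("is present, but none is expected");
        } else if (expected == TripleState.required && value == null) {
            issue.setFailureMessage("is absent, but it is expected");
        }
        return issue;
    }

    /** A one-entry map, or {@code null} when the value is {@code null} (keeps "not given" semantics). */
    private static <V> Map<BigInteger, V> singletonOrNull(BigInteger key, V value) {
        if (value == null) {
            return null;
        }
        Map<BigInteger, V> map = new HashMap<>();
        map.put(key, value);
        return map;
    }

    /** Formats a time as UTC {@code yyyyMMddHHmmss} for failure messages. */
    private static String formatTime(Date date) {
        return DateUtil.toUtcTimeyyyyMMddhhmmss(date);
    }
}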
