package se.swedenconnect.ca.engine.revocation.ocsp.impl;

import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ocsp.CertID;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.OCSPRequest;
import org.bouncycastle.asn1.ocsp.Request;
import org.bouncycastle.asn1.ocsp.TBSRequest;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.ca.engine.ca.issuer.CertificateIssuer;
import se.swedenconnect.ca.engine.configuration.CAAlgorithmRegistry;
import se.swedenconnect.ca.engine.revocation.CertificateRevocationException;
import se.swedenconnect.ca.engine.revocation.ocsp.OCSPModel;
import se.swedenconnect.ca.engine.revocation.ocsp.OCSPResponder;
import se.swedenconnect.ca.engine.revocation.ocsp.OCSPStatusCheckingException;
import se.swedenconnect.ca.engine.utils.CAUtils;
import se.swedenconnect.security.credential.PkiCredential;

/* loaded from: input_file:se/swedenconnect/ca/engine/revocation/ocsp/impl/AbstractOCSPResponder.class */
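/**
 * Base implementation of an {@link OCSPResponder}.
 *
 * <p>Handles parsing and validation of an incoming {@link OCSPRequest}, checks that every requested
 * {@code CertID} refers to the issuer this responder serves, and produces a signed {@link OCSPResp}.
 * The actual revocation status lookup is delegated to subclasses via {@link #getCertStatus(BigInteger)}.</p>
 *
 * <p>Response status mapping: {@code successful} when all requested certificates were processed; the status
 * carried by an {@link OCSPStatusCheckingException} ({@code malformedRequest}, {@code unauthorized}, ...) when
 * validation or the status lookup rejects the request; {@code internalError} for any other failure while
 * building the response. Error responses never echo request-supplied data (no nonce is copied back).</p>
 *
 * <p>Thread-safety: this class holds only immutable configuration after construction; a {@link ContentSigner}
 * is created per request.</p>
 */
public abstract class AbstractOCSPResponder implements OCSPResponder {
    private static final Logger log = LoggerFactory.getLogger(AbstractOCSPResponder.class);

    /** Largest nonce extension value (in bytes) accepted from a request; longer nonces are rejected as malformed. */
    private static final int MAX_NONCE_LENGTH = 1024;

    private final OCSPModel ocspModel;
    private final CAAlgorithmRegistry.SignatureAlgorithmProperties algorithmProperties;
    private final PkiCredential ocspIssuerCredential;
    // Responder signing certificate first; the public key of element 0 is used as the byKey responder ID.
    // Name kept as-is (including the "Cahin" spelling) because the public getter is part of the API.
    private final List<X509CertificateHolder> responderCertificateCahin;

    /**
     * Creates a responder signing with the given credential.
     *
     * @param pkiCredential credential holding the OCSP signing key and its certificate chain
     * @param oCSPModel responder configuration (signature algorithm, validity offsets, the issuer certificate served)
     * @throws NoSuchAlgorithmException if the configured signature algorithm is unknown to {@link CAAlgorithmRegistry}
     * @throws IllegalArgumentException if the credential's certificate chain is empty or cannot be encoded
     * @throws NullPointerException if either argument is {@code null}
     */
    public AbstractOCSPResponder(PkiCredential pkiCredential, OCSPModel oCSPModel) throws NoSuchAlgorithmException {
        this.ocspIssuerCredential = Objects.requireNonNull(pkiCredential, "pkiCredential");
        this.ocspModel = Objects.requireNonNull(oCSPModel, "oCSPModel");
        this.algorithmProperties = CAAlgorithmRegistry.getAlgorithmProperties(oCSPModel.getAlgorithm());

        List<X509CertificateHolder> chain;
        try {
            chain = CAUtils.getCertificateHolderList(pkiCredential.getCertificateChain());
        } catch (CertificateEncodingException e) {
            log.error("The OCSP responder credentials do not contain a valid OCSP signing certificate", e);
            throw new IllegalArgumentException(
                "The OCSP responder credentials do not contain a valid OCSP signing certificate", e);
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("OCSP certificate chain must not be empty");
        }
        this.responderCertificateCahin = chain;
    }

    /**
     * Handles an OCSP request and returns a signed OCSP response.
     *
     * <p>A request that fails validation (missing TBSRequest, no requested certificates, oversized nonce,
     * CertID not matching the served issuer, or a status lookup that throws {@link OCSPStatusCheckingException})
     * yields a response whose status is the one carried by the exception. Any other failure yields
     * {@code internalError}. Only a successful response echoes the request nonce.</p>
     *
     * @param oCSPRequest the decoded OCSP request
     * @return the signed OCSP response
     * @throws CertificateRevocationException if the content signer cannot be created, or if even the error
     *         response cannot be built
     */
    @Override
    public OCSPResp handleRequest(OCSPRequest oCSPRequest) throws CertificateRevocationException {
        // thisUpdate / nextUpdate for each SingleResponse are derived from the configured offsets; nextUpdate is optional
        Date thisUpdate = CertificateIssuer.getOffsetTime(this.ocspModel.getStartOffset());
        Date nextUpdate = this.ocspModel.getExpiryOffset() == null
            ? null
            : CertificateIssuer.getOffsetTime(this.ocspModel.getExpiryOffset());

        ContentSigner signer;
        try {
            signer = new JcaContentSignerBuilder(this.algorithmProperties.getSigAlgoName())
                .build(this.ocspIssuerCredential.getPrivateKey());
        } catch (OperatorCreationException e) {
            log.error("Error creating the OCSP response content signer", e);
            throw new CertificateRevocationException("Error creating the OCSP response content signer", e);
        }

        try {
            TBSRequest tbsRequest = oCSPRequest == null ? null : oCSPRequest.getTbsRequest();
            if (tbsRequest == null) {
                log.debug("No request provided to the OCSP responder");
                throw new OCSPStatusCheckingException("Null request", OCSPRespBuilder.MALFORMED_REQUEST);
            }
            // Nonce length is bounded before anything derived from it is built, so an oversized value is never reflected
            Extension nonce = extractNonce(tbsRequest);
            validateRequest(tbsRequest);

            BasicOCSPRespBuilder responseBuilder = getResponseBuilder(nonce);
            ASN1Sequence requestList = tbsRequest.getRequestList();
            for (int i = 0; i < requestList.size(); i++) {
                CertID reqCert = Request.getInstance(requestList.getObjectAt(i)).getReqCert();
                validateCertID(reqCert);
                BigInteger serialNumber = reqCert.getSerialNumber().getPositiveValue();
                log.debug("Checking OCSP cert status on cert - {}", serialNumber);
                responseBuilder.addResponse(
                    new CertificateID(reqCert), getCertStatus(serialNumber), thisUpdate, nextUpdate);
            }
            log.debug("OCSP validation success");
            return new OCSPRespBuilder().build(
                OCSPRespBuilder.SUCCESSFUL, responseBuilder.build(signer, getResponderCertChain(), new Date()));
        } catch (OCSPStatusCheckingException e) {
            // Validation / status lookup rejected the request: report the status the exception carries
            log.info("OCSP request rejected - {}", e.getMessage());
            return buildErrorResponse(e.getResponseStatus(), signer, e);
        } catch (Exception e) {
            log.error("Error creating the OCSP response object", e);
            return buildErrorResponse(OCSPRespBuilder.INTERNAL_ERROR, signer, e);
        }
    }

    /**
     * Returns the nonce extension of the request, or {@code null} if the request carries none.
     *
     * @param tbsRequest the request body
     * @return the nonce extension, or {@code null}
     * @throws OCSPStatusCheckingException ({@code malformedRequest}) if the nonce value exceeds
     *         {@link #MAX_NONCE_LENGTH} bytes
     */
    private static Extension extractNonce(TBSRequest tbsRequest) throws OCSPStatusCheckingException {
        Extensions requestExtensions = tbsRequest.getRequestExtensions();
        if (requestExtensions == null) {
            return null;
        }
        Extension nonce = requestExtensions.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonce != null && nonce.getExtnValue().getOctets().length > MAX_NONCE_LENGTH) {
            throw new OCSPStatusCheckingException("Nonce length exceeds 1K bytes", OCSPRespBuilder.MALFORMED_REQUEST);
        }
        return nonce;
    }

    /**
     * Builds a non-successful OCSP response.
     *
     * <p>The embedded basic response is signed but contains no single responses and no nonce, so nothing
     * request-controlled is reflected back. NOTE(review): RFC 6960 sect. 4.2.1 specifies that responses with an
     * error status carry no {@code responseBytes} at all; the signed empty basic response is kept here to preserve
     * the responder's existing wire behaviour.</p>
     *
     * @param responseStatus the {@code OCSPResponseStatus} value to set
     * @param signer signer for the (empty) basic response
     * @param cause the failure being reported; becomes the cause of the exception thrown if building fails
     * @return the error response
     * @throws CertificateRevocationException if the error response itself cannot be built
     */
    private OCSPResp buildErrorResponse(int responseStatus, ContentSigner signer, Exception cause)
        throws CertificateRevocationException {
        try {
            return new OCSPRespBuilder().build(
                responseStatus, getResponseBuilder(null).build(signer, getResponderCertChain(), new Date()));
        } catch (Exception e) {
            log.error("Error generating OCSP error response", e);
            // Keep the original failure as the cause; the secondary failure is still available via getSuppressed()
            cause.addSuppressed(e);
            throw new CertificateRevocationException("Error generating OCSP error response", cause);
        }
    }

    /**
     * The responder certificate chain in the array form expected by {@link BasicOCSPRespBuilder#build}.
     *
     * @return the chain as an array
     */
    private X509CertificateHolder[] getResponderCertChain() {
        return getResponderCertificateCahin().toArray(new X509CertificateHolder[0]);
    }

    /**
     * Creates a basic response builder identified by the responder's public key.
     *
     * <p>The responder ID is of the byKey form; SHA-1 is the digest RFC 6960 defines for {@code KeyHash}, so
     * its use here is not a security-strength choice.</p>
     *
     * @param extension the request nonce to copy into the response extensions, or {@code null} for no nonce
     * @return a builder with the responder ID (and nonce, if any) set
     * @throws OCSPException if the builder cannot be created
     * @throws OperatorCreationException if the digest calculator provider cannot be created
     */
    private BasicOCSPRespBuilder getResponseBuilder(Extension extension) throws OCSPException, OperatorCreationException {
        BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(
            getResponderCertificateCahin().get(0).getSubjectPublicKeyInfo(),
            new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1));
        if (extension == null) {
            log.debug("No nonce in the request. Creating response without nonce.");
        } else {
            log.debug("Found nonce in the request. Adding the nonce to the response.");
            basicOCSPRespBuilder.setResponseExtensions(new Extensions(extension));
        }
        return basicOCSPRespBuilder;
    }

    /**
     * Looks up the revocation status of the certificate with the given serial number.
     *
     * <p>Called only for CertIDs that passed {@link #validateCertID(CertID)}, i.e. certificates issued by the
     * issuer this responder serves.</p>
     *
     * @param bigInteger the certificate serial number
     * @return the status to report
     * @throws OCSPStatusCheckingException to reject the request; the exception's response status is returned to the client
     */
    protected abstract CertificateStatus getCertStatus(BigInteger bigInteger) throws OCSPStatusCheckingException;

    /**
     * Validates the request as a whole. The base check only requires at least one requested certificate.
     *
     * @param tBSRequest the request body
     * @throws OCSPStatusCheckingException ({@code malformedRequest}) if no certificate status is requested
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void validateRequest(TBSRequest tBSRequest) throws OCSPStatusCheckingException {
        ASN1Sequence requestList = tBSRequest.getRequestList();
        if (requestList == null || requestList.size() == 0) {
            throw new OCSPStatusCheckingException(
                "OCSP request does not request status for any certificates", OCSPRespBuilder.MALFORMED_REQUEST);
        }
    }

    /**
     * Checks that a requested CertID identifies the issuer this responder serves.
     *
     * <p>The issuer name and key hashes are recomputed from the configured issuer certificate using the digest
     * algorithm named in the request and compared with the request's values. A CertID that cannot be parsed, or
     * that names a digest algorithm no calculator exists for, is reported as {@code malformedRequest}; one that
     * parses but refers to another issuer is reported as {@code unauthorized}.</p>
     *
     * @param certID the requested CertID
     * @throws OCSPStatusCheckingException if the CertID is malformed or refers to an issuer not served here
     */
    protected void validateCertID(CertID certID) throws OCSPStatusCheckingException {
        try {
            AlgorithmIdentifier hashAlgorithm = certID.getHashAlgorithm();
            byte[] issuerKeyHash = certID.getIssuerKeyHash().getOctets();
            byte[] issuerNameHash = certID.getIssuerNameHash().getOctets();
            BigInteger serialNumber = certID.getSerialNumber().getPositiveValue();
            if (hashAlgorithm == null || issuerKeyHash == null || issuerNameHash == null || serialNumber == null) {
                log.debug("Malformed OCSP request - CertID contains illegal data");
                throw new OCSPStatusCheckingException("Illegal certID", OCSPRespBuilder.MALFORMED_REQUEST);
            }
            // The requester picks the digest algorithm; an unsupported OID fails in get() and ends up as malformedRequest
            CertificateID expected = new CertificateID(
                new JcaDigestCalculatorProviderBuilder().build().get(hashAlgorithm),
                this.ocspModel.getCertificateIssuerCert(), serialNumber);
            boolean matchesIssuer = Arrays.equals(issuerKeyHash, expected.getIssuerKeyHash())
                && Arrays.equals(issuerNameHash, expected.getIssuerNameHash());
            if (!matchesIssuer) {
                log.debug("OCSP request for certificate not handled by this OCSP responder");
                throw new OCSPStatusCheckingException(
                    "OCSP request for certificate not handled by this OCSP responder", OCSPRespBuilder.UNAUTHORIZED);
            }
        } catch (OCSPStatusCheckingException e) {
            // Already carries the intended status (e.g. unauthorized); must not be downgraded by the catch-all below
            throw e;
        } catch (Exception e) {
            log.debug("Malformed OCSP request - CertID could not be parsed");
            throw new OCSPStatusCheckingException("Error parsing certID", e, OCSPRespBuilder.MALFORMED_REQUEST);
        }
    }

    /** @return the responder configuration */
    public OCSPModel getOcspModel() {
        return this.ocspModel;
    }

    /** @return the signature algorithm properties used to sign responses */
    public CAAlgorithmRegistry.SignatureAlgorithmProperties getAlgorithmProperties() {
        return this.algorithmProperties;
    }

    /**
     * Returns the responder certificate chain (signing certificate first).
     *
     * <p>The method name is part of the public API and is therefore kept, spelling included.</p>
     *
     * @return the responder certificate chain; never empty
     */
    public List<X509CertificateHolder> getResponderCertificateCahin() {
        return this.responderCertificateCahin;
    }
}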
