package sun.security.provider.certpath;

import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import sun.security.provider.certpath.OCSP;
import sun.security.provider.certpath.OCSPResponse;
import sun.security.util.Debug;
import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.GeneralName;
import sun.security.x509.URIName;
import sun.security.x509.X509CertImpl;
import sun.util.locale.LanguageTag;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:sun/security/provider/certpath/OCSPChecker.class */
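/**
 * {@link PKIXCertPathChecker} that queries an OCSP responder for the revocation status of
 * every certificate in a certification path (or, with {@code onlyEECert}, only the
 * end-entity certificate).
 *
 * <p>Where the responder is and which certificate may sign its answers come from two
 * places:
 * <ul>
 *   <li>The responder location is the {@code ocsp.responderURL} security property if set,
 *       otherwise the OCSP entry of the Authority Information Access extension of the
 *       certificate being checked. The latter is data from the certificate under test,
 *       not something this class trusts; trust in the reply rests on the responder
 *       certificates handed to {@code OCSP.check}, which is expected to verify the
 *       response against them (that verification is not visible in this class).</li>
 *   <li>The responder certificate defaults to the issuer of the certificate being checked.
 *       The {@code ocsp.responderCert*} security properties can instead name it by subject
 *       DN, or by issuer DN plus serial number; matching candidates are then collected from
 *       the trust anchors and the configured {@link CertStore}s by name/serial only, so any
 *       certificate in those stores with the configured identity is offered as a responder
 *       certificate.</li>
 * </ul>
 *
 * <p>Forward checking is not supported: the checker walks the path from the trust anchor
 * towards the end entity. Instances are not thread-safe ({@link #remainingCerts} is
 * mutated by every {@link #check} call).
 */
public class OCSPChecker extends PKIXCertPathChecker {

    /** Security property that switches OCSP on; listed for reference, it is not read here. */
    static final String OCSP_ENABLE_PROP = "ocsp.enable";
    /** Security property that overrides the responder URL taken from the AIA extension. */
    static final String OCSP_URL_PROP = "ocsp.responderURL";
    /** Security property naming the responder certificate by subject DN. */
    static final String OCSP_CERT_SUBJECT_PROP = "ocsp.responderCertSubjectName";
    /** Security property naming the responder certificate by issuer DN (with the serial). */
    static final String OCSP_CERT_ISSUER_PROP = "ocsp.responderCertIssuerName";
    /** Security property naming the responder certificate by serial number (hex, separators allowed). */
    static final String OCSP_CERT_NUMBER_PROP = "ocsp.responderCertSerialNumber";

    /** Characters kept when normalising the serial-number property; anything else is a separator. */
    private static final String HEX_DIGITS = "0123456789ABCDEFabcdef";
    private static final Debug DEBUG = Debug.getInstance("certpath");

    /** GeneralName tag of {@code uniformResourceIdentifier} (RFC 5280 GeneralName CHOICE [6]). */
    private static final int NAME_TYPE_URI = 6;

    private final CertPath cp;
    private final PKIXParameters pkixParams;
    /** When true, certificates that are not end-entity certificates are skipped. */
    private final boolean onlyEECert;
    /** The certificates of {@link #cp}; index 0 is the end entity, higher indexes are its issuers. */
    private final X509Certificate[] certs;
    /**
     * One more than the number of certificates still to be checked; decremented at the start
     * of every {@link #check}. After the decrement, {@code remainingCerts - 1} is the index in
     * {@link #certs} of the certificate being checked and {@code remainingCerts} that of its
     * issuer (if the issuer is in the path rather than a trust anchor).
     */
    private int remainingCerts;

    /**
     * Creates a checker that checks every certificate of the path.
     *
     * @param certPath the path under validation
     * @param params   the PKIX parameters supplying trust anchors, cert stores and the validation date
     * @throws CertPathValidatorException never from this constructor in practice (see {@link #init})
     */
    OCSPChecker(CertPath certPath, PKIXParameters params) throws CertPathValidatorException {
        this(certPath, params, false);
    }

    /**
     * Creates a checker.
     *
     * @param certPath   the path under validation
     * @param params     the PKIX parameters supplying trust anchors, cert stores and the validation date
     * @param onlyEECert if true, only end-entity certificates are checked
     * @throws CertPathValidatorException never from this constructor in practice (see {@link #init})
     */
    public OCSPChecker(CertPath certPath, PKIXParameters params, boolean onlyEECert)
            throws CertPathValidatorException {
        this.cp = certPath;
        this.pkixParams = params;
        this.onlyEECert = onlyEECert;
        List<? extends Certificate> pathCerts = certPath.getCertificates();
        this.certs = pathCerts.toArray(new X509Certificate[pathCerts.size()]);
        // Sets remainingCerts; called here (as the original did) so the checker is ready for use.
        init(false);
    }

    /**
     * Resets the checker for a new pass over the path.
     *
     * @param forward must be false; forward checking is not supported
     * @throws CertPathValidatorException if {@code forward} is true
     */
    @Override
    public void init(boolean forward) throws CertPathValidatorException {
        if (forward) {
            throw new CertPathValidatorException("Forward checking not supported");
        }
        remainingCerts = certs.length + 1;
    }

    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** This checker resolves no certificate extensions. */
    @Override
    public Set<String> getSupportedExtensions() {
        return Collections.emptySet();
    }

    /**
     * Checks the revocation status of {@code certificate} via OCSP.
     *
     * @param certificate        the next certificate of the path, in reverse order (anchor side first);
     *                           must be an {@link X509Certificate}
     * @param unresolvedCritExts unused; this checker resolves no extensions
     * @throws CertPathValidatorException if the certificate is revoked, its status is unknown,
     *         no issuer or responder certificate can be located, the responder location is
     *         missing or malformed, the OCSP properties are malformed, or the OCSP exchange fails
     */
    @Override
    public void check(Certificate certificate, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        remainingCerts--;

        X509CertImpl currCert;
        try {
            currCert = X509CertImpl.toImpl((X509Certificate) certificate);
        } catch (CertificateException e) {
            throw new CertPathValidatorException(e);
        }

        // getBasicConstraints() is -1 for a certificate without a CA basicConstraints extension,
        // i.e. an end-entity certificate.
        if (onlyEECert && currCert.getBasicConstraints() != -1) {
            debug("Skipping revocation check, not end entity cert");
            return;
        }

        String[] props = getOCSPProperties();
        URI responderURI = getOCSPServerURI(currCert, props[0]);
        ResponderId responderId = ResponderId.fromProperties(props[1], props[2], props[3]);
        boolean seekResponderCert = responderId.configured();

        // Issuer: the next certificate up the path if there is one, otherwise a trust anchor.
        X509Certificate issuerCert = null;
        List<X509Certificate> responderCerts = new ArrayList<X509Certificate>();
        if (remainingCerts < certs.length) {
            issuerCert = certs[remainingCerts];
            if (!seekResponderCert) {
                responderCerts.add(issuerCert);
                debug("Responder's certificate is the same as the issuer of the certificate being validated");
            }
        }

        boolean seekIssuerCert = (issuerCert == null);
        if (seekIssuerCert || seekResponderCert) {
            X509Certificate anchorIssuer =
                findInTrustAnchors(currCert, seekIssuerCert, responderId, responderCerts);
            if (seekIssuerCert) {
                issuerCert = anchorIssuer;
                if (issuerCert == null) {
                    throw new CertPathValidatorException(
                        "No trusted certificate for " + currCert.getIssuerDN());
                }
            }
            if (seekResponderCert) {
                addRespondersFromCertStores(responderId, responderCerts);
            }
        }

        if (seekResponderCert && responderCerts.isEmpty()) {
            throw new CertPathValidatorException(
                "Cannot find the responder's certificate (set using the OCSP security properties).");
        }
        debug("Located " + responderCerts.size() + " trusted responder certificate(s)");

        queryResponder(currCert, issuerCert, responderURI, responderCerts);
    }

    /**
     * Scans the trust anchors for the issuer of {@code currCert} (when {@code seekIssuerCert})
     * and for responder certificates matching {@code responderId} (when it is configured).
     *
     * <p>An anchor is taken as the issuer when its subject equals the certificate's issuer name
     * and, if both the certificate's AKID and the anchor's SKID are present, the key
     * identifiers agree. An anchor whose name matches but whose key identifier differs is
     * skipped as issuer (it may still be collected as a responder certificate).
     *
     * @param currCert       the certificate being checked
     * @param seekIssuerCert whether the issuer still has to be found
     * @param responderId    the configured responder identity
     * @param responderCerts receives matching responder certificates; when no responder is
     *                       configured and the list is empty, receives the issuer found here
     * @return the issuer found among the anchors, or null if none (or if not sought)
     * @throws CertPathValidatorException if there are no trust anchors at all
     */
    private X509Certificate findInTrustAnchors(X509CertImpl currCert, boolean seekIssuerCert,
            ResponderId responderId, List<X509Certificate> responderCerts)
            throws CertPathValidatorException {
        boolean seekResponderCert = responderId.configured();
        if (seekResponderCert) {
            debug("Searching trust anchors for issuer or responder certificate");
        }
        Set<TrustAnchor> anchors = pkixParams.getTrustAnchors();
        if (anchors.isEmpty()) {
            throw new CertPathValidatorException("Must specify at least one trust anchor");
        }

        X500Principal certIssuerName = currCert.getIssuerX500Principal();
        byte[] certIssuerKeyId = null;
        X509Certificate issuerCert = null;

        for (TrustAnchor anchor : anchors) {
            // Stop as soon as nothing is left to look for (responder search scans all anchors).
            if (!seekIssuerCert && !seekResponderCert) {
                break;
            }
            X509Certificate anchorCert = anchor.getTrustedCert();
            X500Principal anchorSubject = anchorCert.getSubjectX500Principal();

            if (seekIssuerCert && certIssuerName.equals(anchorSubject)) {
                if (certIssuerKeyId == null) {
                    certIssuerKeyId = currCert.getIssuerKeyIdentifier();
                    if (certIssuerKeyId == null) {
                        debug("No issuer key identifier (AKID) in the certificate being validated");
                    }
                }
                // Only consult the anchor's SKID when the certificate carries an AKID to compare it with.
                byte[] anchorKeyId = (certIssuerKeyId == null) ? null : getKeyId(anchorCert);
                boolean keyIdsComparable = (certIssuerKeyId != null && anchorKeyId != null);
                if (keyIdsComparable && !Arrays.equals(certIssuerKeyId, anchorKeyId)) {
                    // Same name, different key: a name-only match must not select this anchor.
                    debug("Trust anchor subject matches issuer name but key identifier differs; skipping");
                } else {
                    if (keyIdsComparable) {
                        debug("Issuer certificate key ID: " + String.format(
                            "0x%0" + (certIssuerKeyId.length * 2) + "x",
                            new BigInteger(1, certIssuerKeyId)));
                    }
                    issuerCert = anchorCert;
                    seekIssuerCert = false;
                    // By default the responder is the issuer itself.
                    if (!seekResponderCert && responderCerts.isEmpty()) {
                        responderCerts.add(anchorCert);
                        debug("Responder's certificate is the same as the issuer of the certificate being validated");
                    }
                }
            }

            if (seekResponderCert && responderId.matches(anchorCert)) {
                responderCerts.add(anchorCert);
            }
        }
        return issuerCert;
    }

    /**
     * Adds to {@code responderCerts} every certificate in the configured cert stores that
     * matches {@code responderId}. A failing store is logged and skipped (best effort, as before).
     *
     * @param responderId    the configured responder identity (must be configured)
     * @param responderCerts receives the matches
     */
    private void addRespondersFromCertStores(ResponderId responderId,
            List<X509Certificate> responderCerts) {
        debug("Searching cert stores for responder's certificate");
        X509CertSelector filter = responderId.toSelector();
        if (filter == null) {
            return;
        }
        for (CertStore store : pkixParams.getCertStores()) {
            try {
                // X509CertSelector only matches X509Certificate instances, so the cast is safe.
                for (Certificate match : store.getCertificates(filter)) {
                    responderCerts.add((X509Certificate) match);
                }
            } catch (CertStoreException e) {
                debug("CertStore exception:" + e);
            }
        }
    }

    /**
     * Sends the OCSP request for {@code currCert} and turns the answer into the outcome of
     * {@link #check}: returns normally for GOOD, throws for REVOKED or UNKNOWN.
     *
     * @param currCert       the certificate being checked
     * @param issuerCert     its issuer (used to build the CertId)
     * @param responderURI   where to send the request
     * @param responderCerts certificates acceptable as the responder; the first one is reported
     *                       as the revoking authority
     * @throws CertPathValidatorException with {@code BasicReason.REVOKED} or
     *         {@code UNDETERMINED_REVOCATION_STATUS}, or wrapping any other failure of the exchange
     */
    private void queryResponder(X509CertImpl currCert, X509Certificate issuerCert,
            URI responderURI, List<X509Certificate> responderCerts)
            throws CertPathValidatorException {
        try {
            CertId certId = new CertId(issuerCert, currCert.getSerialNumberObject());
            OCSPResponse.SingleResponse response = OCSP.check(
                Collections.singletonList(certId), responderURI, responderCerts,
                pkixParams.getDate()).getSingleResponse(certId);
            OCSP.RevocationStatus.CertStatus status = response.getCertStatus();

            if (status == OCSP.RevocationStatus.CertStatus.REVOKED) {
                CertificateRevokedException revoked = new CertificateRevokedException(
                    response.getRevocationTime(), response.getRevocationReason(),
                    responderCerts.get(0).getSubjectX500Principal(),
                    response.getSingleExtensions());
                throw new CertPathValidatorException(revoked.getMessage(), revoked, null, -1,
                    CertPathValidatorException.BasicReason.REVOKED);
            }
            if (status == OCSP.RevocationStatus.CertStatus.UNKNOWN) {
                // remainingCerts - 1 is the index of currCert within the path.
                throw new CertPathValidatorException("Certificate's revocation status is unknown",
                    null, cp, remainingCerts - 1,
                    CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
            }
        } catch (CertPathValidatorException e) {
            throw e;
        } catch (Exception e) {
            // Boundary of the OCSP exchange: I/O and parsing failures become validation failures.
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Determines the responder location.
     *
     * @param cert        the certificate being checked
     * @param responderUrl the {@code ocsp.responderURL} property, or null
     * @return the property value as a URI if set, otherwise the first OCSP access location of
     *         URI type in the certificate's Authority Information Access extension
     * @throws CertPathValidatorException if the property is not a valid URI, or no location
     *         can be found in the certificate
     */
    private static URI getOCSPServerURI(X509CertImpl cert, String responderUrl)
            throws CertPathValidatorException {
        if (responderUrl != null) {
            try {
                return new URI(responderUrl);
            } catch (URISyntaxException e) {
                throw new CertPathValidatorException(e);
            }
        }
        AuthorityInfoAccessExtension aia = cert.getAuthorityInfoAccessExtension();
        if (aia == null) {
            throw new CertPathValidatorException("Must specify the location of an OCSP Responder");
        }
        for (AccessDescription description : aia.getAccessDescriptions()) {
            if (!description.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id)) {
                continue;
            }
            GeneralName location = description.getAccessLocation();
            if (location.getType() == NAME_TYPE_URI) {
                return ((URIName) location.getName()).getURI();
            }
        }
        throw new CertPathValidatorException("Cannot find the location of the OCSP Responder");
    }

    /**
     * Reads the OCSP security properties under {@code doPrivileged}, so the lookup runs with
     * this class's own permissions rather than the caller's.
     *
     * @return {responderURL, responderCertSubjectName, responderCertIssuerName,
     *         responderCertSerialNumber}; unset properties are null
     */
    private static String[] getOCSPProperties() {
        final String[] values = new String[4];
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                values[0] = Security.getProperty(OCSP_URL_PROP);
                values[1] = Security.getProperty(OCSP_CERT_SUBJECT_PROP);
                values[2] = Security.getProperty(OCSP_CERT_ISSUER_PROP);
                values[3] = Security.getProperty(OCSP_CERT_NUMBER_PROP);
                return null;
            }
        });
        return values;
    }

    /**
     * Drops every character that is not a hex digit, so a serial written as
     * {@code 12:34:ab} or {@code 12 34 AB} becomes {@code 1234ab}.
     *
     * @param str the raw property value
     * @return the hex digits of {@code str}, in order; empty if it contains none
     */
    private static String stripOutSeparators(String str) {
        StringBuilder digits = new StringBuilder(str.length());
        for (char c : str.toCharArray()) {
            if (HEX_DIGITS.indexOf(c) != -1) {
                digits.append(c);
            }
        }
        return digits.toString();
    }

    /**
     * Returns the Subject Key Identifier of a certificate.
     *
     * @param cert the certificate
     * @return the SKID bytes, or null if the certificate has none or cannot be parsed
     *         (both cases are logged to the debug stream, never thrown)
     */
    public static byte[] getKeyId(X509Certificate cert) {
        byte[] keyId = null;
        try {
            keyId = X509CertImpl.toImpl(cert).getSubjectKeyIdentifier();
            if (keyId == null) {
                debug("No subject key identifier (SKID) in the certificate (Subject: "
                    + cert.getSubjectX500Principal() + ")");
            }
        } catch (CertificateException e) {
            debug("Error parsing X.509 certificate (Subject: "
                + cert.getSubjectX500Principal() + ") " + e);
        }
        return keyId;
    }

    /** Writes to the certpath debug stream; a no-op when debugging is off ({@code DEBUG == null}). */
    private static void debug(String message) {
        if (DEBUG != null) {
            DEBUG.println(message);
        }
    }

    /**
     * Responder certificate identity taken from the {@code ocsp.responderCert*} properties.
     * Exactly one of these holds: {@link #subject} is set; {@link #issuer} and {@link #serial}
     * are both set; or nothing is set and the issuer certificate is the expected responder.
     */
    private static final class ResponderId {
        final X500Principal subject;
        final X500Principal issuer;
        final BigInteger serial;

        private ResponderId(X500Principal subject, X500Principal issuer, BigInteger serial) {
            this.subject = subject;
            this.issuer = issuer;
            this.serial = serial;
        }

        /**
         * Parses the three property values. The subject name wins when present; otherwise the
         * issuer name and serial number must be given together.
         *
         * @throws CertPathValidatorException if only one of issuer name and serial is set, or a
         *         value is not a valid DN / hexadecimal serial number
         */
        static ResponderId fromProperties(String subjectProp, String issuerProp, String serialProp)
                throws CertPathValidatorException {
            try {
                if (subjectProp != null) {
                    return new ResponderId(new X500Principal(subjectProp), null, null);
                }
                if (issuerProp != null && serialProp != null) {
                    return new ResponderId(null, new X500Principal(issuerProp),
                        new BigInteger(stripOutSeparators(serialProp), 16));
                }
            } catch (IllegalArgumentException e) {
                // Malformed DN, or a serial with no hex digits (NumberFormatException): report it
                // as a validation failure instead of letting the unchecked exception escape check().
                throw new CertPathValidatorException(
                    "Malformed OCSP responder certificate property", e);
            }
            if (issuerProp != null || serialProp != null) {
                throw new CertPathValidatorException("Must specify both ocsp.responderCertIssuerName and ocsp.responderCertSerialNumber properties");
            }
            return new ResponderId(null, null, null);
        }

        /** True when the properties name a responder certificate explicitly. */
        boolean configured() {
            return subject != null || issuer != null;
        }

        /** True when {@code cert} has the configured subject, or the configured issuer and serial. */
        boolean matches(X509Certificate cert) {
            return (subject != null && subject.equals(cert.getSubjectX500Principal()))
                || (issuer != null && serial != null
                    && issuer.equals(cert.getIssuerX500Principal())
                    && serial.equals(cert.getSerialNumber()));
        }

        /** Equivalent {@link X509CertSelector} for cert-store lookups, or null if nothing is configured. */
        X509CertSelector toSelector() {
            X509CertSelector selector = new X509CertSelector();
            if (subject != null) {
                selector.setSubject(subject);
                return selector;
            }
            if (issuer != null && serial != null) {
                selector.setIssuer(issuer);
                selector.setSerialNumber(serial);
                return selector;
            }
            return null;
        }
    }
}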
