package com.rsa.certj.provider.revocation.ocsp;

import com.rsa.asn1.ASN1;
import com.rsa.asn1.ASN1Container;
import com.rsa.asn1.ASN_Exception;
import com.rsa.asn1.BitStringContainer;
import com.rsa.asn1.ChoiceContainer;
import com.rsa.asn1.EncodedContainer;
import com.rsa.asn1.EndContainer;
import com.rsa.asn1.EnumeratedContainer;
import com.rsa.asn1.GenTimeContainer;
import com.rsa.asn1.IntegerContainer;
import com.rsa.asn1.OIDContainer;
import com.rsa.asn1.OctetStringContainer;
import com.rsa.asn1.OfContainer;
import com.rsa.asn1.SequenceContainer;
import com.rsa.certj.CertJ;
import com.rsa.certj.CertJException;
import com.rsa.certj.CertJUtils;
import com.rsa.certj.DatabaseService;
import com.rsa.certj.InvalidParameterException;
import com.rsa.certj.NoServiceException;
import com.rsa.certj.NotSupportedException;
import com.rsa.certj.cert.Certificate;
import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.NameException;
import com.rsa.certj.cert.X500Name;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.cert.X509V3Extensions;
import com.rsa.certj.cert.extensions.ExtendedKeyUsage;
import com.rsa.certj.cert.extensions.OCSPAcceptableResponses;
import com.rsa.certj.cert.extensions.OCSPNonce;
import com.rsa.certj.cert.extensions.X509V3Extension;
import com.rsa.certj.spi.db.DatabaseException;
import com.rsa.certj.spi.path.CertPathCtx;
import com.rsa.certj.spi.revocation.CertRevocationInfo;
import com.rsa.certj.spi.revocation.CertStatusException;
import com.rsa.jsafe.JSAFE_Signature;
import java.util.Date;
import java.util.Vector;

/* loaded from: input_file:weblogic.jar:com/rsa/certj/provider/revocation/ocsp/OCSPResponse.class */
public final class OCSPResponse {
    // Toolkit handle: supplies the crypto device name, the PKCS#11 sessions and the path builder.
    private CertJ certJ;
    // Store that receives every certificate embedded in a decoded response (see decodeBasicResponse).
    private DatabaseService database;
    // Value of the response's nonce extension (extension type 120), or null when none was recorded.
    private byte[] nonce;
    // "digest/signature/padding" string built from the response's own signature AlgorithmIdentifier.
    private String sigAlg;
    // CertIDs of the decoded SingleResponses; certIDs[k] belongs with revInfos[k].
    private OCSPCertID[] certIDs;
    // Certificate whose revocation status is being queried (constructor argument).
    private X509Certificate checkCert;
    // Result of getResponderCACert(checkCert) on the responder configuration.
    private X509Certificate caCert;
    // Responder certificate taken from the responder configuration.
    private X509Certificate designatedResponder;
    // Certificate selected from the database by the response's ResponderID; the signature is checked against it.
    private X509Certificate actualResponder;
    // producedAt time copied from the response data.
    private Date producedAt;
    // Validation instant in milliseconds since the epoch (context time, else the current clock).
    private long validationTime;
    // Clock-skew allowance; checkTime multiplies it by 1000 before comparing with millisecond times, i.e. seconds.
    private int tolerance;
    // One entry per SingleResponse, index-aligned with certIDs.
    private CertRevocationInfo[] revInfos;
    // Extensions carried in the response data, when present.
    private X509V3Extensions responseExtensions;
    // True when bit 8 of the responder flags is set; consulted when the responder certificate is itself
    // the certificate being checked (see verifyResponse).
    private boolean responderNoCheck;
    // OCSPResponseStatus values as handled by checkStatus. There is no constant for 4; checkStatus
    // reports it, and every other unlisted value, as unknown.
    private static final int OCSP_STATUS_SUCCESSFUL = 0;
    private static final int OCSP_STATUS_MALFORMED_REQUEST = 1;
    private static final int OCSP_STATUS_INTERNAL_ERROR = 2;
    private static final int OCSP_STATUS_TRY_LATER = 3;
    private static final int OCSP_STATUS_SIG_REQUIRED = 5;
    private static final int OCSP_STATUS_UNAUTHORIZED = 6;
    // Placeholder arguments for the ASN.1 container constructors. In this listing only BOGUS_DATA and
    // BOGUS_TIME are referenced by name; the numeric ones appear as literal 0 at the call sites.
    private static final int NO_SPECIAL = 0;
    private static final int ZERO_OFFSET = 0;
    private static final int BOGUS_OPTTAG = 0;
    private static final int BOGUS_VALUE = 0;
    private static final int BOGUS_OFFSET = 0;
    private static final int BOGUS_LEN = 0;
    private static final int BOGUS_INDEX = 0;
    private static final boolean BOGUS_DATA_PRESENT = true;
    private static final byte[] BOGUS_DATA = null;
    private static final Date BOGUS_TIME = null;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates an empty response holder bound to one certificate under check and one responder
     * configuration. Nothing is decoded here; every responder setting is read once and cached.
     *
     * @param certJ toolkit handle used later for signature verification and path building
     * @param oCSPResponderInternal responder configuration (responder cert, tolerance, database, CA cert, flags)
     * @param x509Certificate certificate whose revocation status the response is expected to answer
     */
    public OCSPResponse(CertJ certJ, OCSPResponderInternal oCSPResponderInternal, X509Certificate x509Certificate) {
        this.certJ = certJ;
        this.checkCert = x509Certificate;

        // The getters are called in the same order as the assignments they feed.
        final X509Certificate configuredResponder = oCSPResponderInternal.getResponderCert();
        final int configuredTolerance = oCSPResponderInternal.getTimeTolerance();
        final DatabaseService responderDatabase = oCSPResponderInternal.getDatabase();
        final X509Certificate issuingCa = oCSPResponderInternal.getResponderCACert(x509Certificate);
        final int responderFlags = oCSPResponderInternal.getFlags();

        this.designatedResponder = configuredResponder;
        this.tolerance = configuredTolerance;
        this.database = responderDatabase;
        this.caCert = issuingCa;
        // Bit 8 of the flags relaxes the "responder is the checked certificate" rejection in verifyResponse.
        this.responderNoCheck = (responderFlags & 8) != 0;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Looks up the revocation info decoded for a given CertID.
     *
     * <p>The match is made on the encoded form of the CertID, so the result is only as specific as
     * that encoding. A {@code null} return means the response carried no SingleResponse for the
     * requested certificate (or nothing has been decoded yet); callers should not read it as "good".
     *
     * @param oCSPCertID CertID to look for
     * @return the matching revocation info, or {@code null} when there is none
     * @throws NotSupportedException if encoding a CertID fails
     */
    public CertRevocationInfo getRevocationInfo(OCSPCertID oCSPCertID) throws NotSupportedException {
        final OCSPCertID[] decodedIds = this.certIDs;
        if (decodedIds != null) {
            final byte[] wanted = oCSPCertID.encode();
            int index = 0;
            while (index < decodedIds.length) {
                if (CertJUtils.byteArraysEqual(decodedIds[index].encode(), wanted)) {
                    // certIDs and revInfos are filled side by side, so the index carries over.
                    return this.revInfos[index];
                }
                index++;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
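    /**
     * Returns the nonce recorded while decoding the response extensions.
     *
     * <p>A copy is returned so that a caller comparing it with the request nonce cannot alter the
     * value held by this object.
     *
     * @return a copy of the recorded nonce, or {@code null} when decoding recorded none
     */
    public byte[] getNonce() {
        final byte[] recorded = this.nonce;
        return recorded == null ? null : recorded.clone();
    }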

    /**
     * Accepts only the "successful" response status (0) and turns every other value into a
     * {@link CertStatusException} naming the status.
     *
     * @param i the decoded OCSPResponseStatus value
     * @throws CertStatusException for any value other than 0
     */
    private void checkStatus(int i) throws CertStatusException {
        if (i == 0) {
            return;
        }
        final String reason;
        switch (i) {
            case 1:
                reason = "OCSP_STATUS_MALFORMED_REQUEST";
                break;
            case 2:
                reason = "OCSP_STATUS_INTERNAL_ERROR";
                break;
            case 3:
                reason = "OCSP_STATUS_TRY_LATER";
                break;
            case 5:
                reason = "OCSP_STATUS_SIG_REQUIRED";
                break;
            case 6:
                reason = "OCSP_STATUS_UNAUTHORIZED";
                break;
            default:
                // Covers 4 and any value outside the known range; unknown statuses are rejected, not ignored.
                reason = "OCSP_STATUS UNKNOWN!!!";
                break;
        }
        throw new CertStatusException(reason);
    }

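    /**
     * Verifies a signature over a byte range with the public key of the given certificate.
     *
     * <p>Fails closed: any exception from the provider, the key extraction or the verification
     * itself yields {@code false}. The signature object is cleared on every path, including the
     * failure paths, so key material does not stay behind in it after an error.
     *
     * <p>The algorithm string is used exactly as supplied; no algorithm policy is applied here.
     *
     * @param certificate certificate holding the verification key
     * @param str algorithm string in the form expected by {@code JSAFE_Signature.getInstance}
     * @param bArr buffer containing the signed data
     * @param i offset of the signed data in {@code bArr}
     * @param i2 length of the signed data
     * @param bArr2 buffer containing the signature
     * @param i3 offset of the signature in {@code bArr2}
     * @param i4 length of the signature
     * @return {@code true} only when the signature verifies and cleanup completes without error
     */
    private boolean verifySignature(Certificate certificate, String str, byte[] bArr, int i, int i2, byte[] bArr2, int i3, int i4) {
        boolean verified = false;
        JSAFE_Signature verifier = null;
        try {
            String device = this.certJ.getDevice();
            verifier = JSAFE_Signature.getInstance(str, device);
            verifier.verifyInit(certificate.getSubjectPublicKey(device), null, null, this.certJ.getPKCS11Sessions());
            verifier.verifyUpdate(bArr, i, i2);
            verified = verifier.verifyFinal(bArr2, i3, i4);
        } catch (Exception e) {
            // Deliberate fail-closed: an unusable algorithm, key or signature counts as "not verified".
            verified = false;
        } finally {
            if (verifier != null) {
                try {
                    verifier.clearSensitiveData();
                } catch (Exception cleanupFailure) {
                    // A failure while clearing is also treated as "not verified".
                    verified = false;
                }
            }
        }
        return verified;
    }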

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Decodes an encoded OCSPResponse: checks the response status, requires the response bytes to be
     * present and of type id-pkix-ocsp-basic, then hands the inner octets to decodeBasicResponse.
     *
     * @param certPathCtx path context; supplies the validation time and is passed on for responder validation
     * @param bArr encoded response, decoded from offset 0
     * @param oCSPRequest the request this response answers; not read by this method
     * @throws ASN_Exception if the encoding does not match the expected structure
     * @throws CertStatusException if the status is not successful, the response bytes are missing,
     *         the response type is not the basic type, or the basic response is rejected
     */
    public void decode(CertPathCtx certPathCtx, byte[] bArr, OCSPRequest oCSPRequest) throws ASN_Exception, NoServiceException, CertStatusException, InvalidParameterException {
        EndContainer endContainer = new EndContainer();
        // Outer template: SEQUENCE { status ENUMERATED, responseBytes }.
        SequenceContainer sequenceContainer = new SequenceContainer(0, true, 0);
        EnumeratedContainer enumeratedContainer = new EnumeratedContainer(0, true, 0, 0);
        // The numeric first arguments are flag words of the com.rsa.asn1 package; presumably they carry
        // the context tag and the OPTIONAL marker - confirm against the ASN1 constants.
        EncodedContainer encodedContainer = new EncodedContainer(10563584, true, 0, BOGUS_DATA, 0, 0);
        // Inner template: SEQUENCE { responseType OID, response OCTET STRING }.
        SequenceContainer sequenceContainer2 = new SequenceContainer(10551296, true, 0);
        OIDContainer oIDContainer = new OIDContainer(16777216, true, 0, BOGUS_DATA, 0, 0, 0, 0);
        OctetStringContainer octetStringContainer = new OctetStringContainer(0, true, 0, BOGUS_DATA, 0, 0);
        ASN1Container[] aSN1ContainerArr = {sequenceContainer, enumeratedContainer, encodedContainer, endContainer};
        ASN1Container[] aSN1ContainerArr2 = {sequenceContainer2, oIDContainer, octetStringContainer, endContainer};
        // Freshness is judged against the context's validation time, or the current clock when it has none.
        Date validationTime = certPathCtx.getValidationTime();
        this.validationTime = validationTime == null ? System.currentTimeMillis() : validationTime.getTime();
        ASN1.berDecode(bArr, 0, aSN1ContainerArr);
        // Throws for every status other than 0 (successful).
        checkStatus(enumeratedContainer.getValueAsInt());
        if (!encodedContainer.dataPresent) {
            throw new CertStatusException("OCSPResponse: missing status=OK responseBytes!");
        }
        ASN1.berDecode(encodedContainer.data, encodedContainer.dataOffset, aSN1ContainerArr2);
        // Only the basic response type is understood; anything else is rejected.
        if (!CertJUtils.byteArraysEqual(oIDContainer.data, oIDContainer.dataOffset, oIDContainer.dataLen, OCSPAcceptableResponses.ID_PKIX_OCSP_BASIC)) {
            throw new CertStatusException("!ID_PKIX_OCSP_BASIC");
        }
        // NOTE(review): oCSPRequest is never consulted on this path, so matching the response nonce and
        // CertIDs against the request has to be done by the caller (getNonce / getRevocationInfo) - confirm.
        decodeBasicResponse(certPathCtx, octetStringContainer.data, octetStringContainer.dataOffset, octetStringContainer.dataLen);
    }

    /**
     * Decodes a BasicOCSPResponse: reads the signature algorithm, stores the embedded certificates,
     * decodes the response data and finally verifies the responder (signature, path, authorisation).
     *
     * @param certPathCtx path context used for responder lookup and path building
     * @param bArr buffer holding the encoded basic response
     * @param i offset of the basic response in {@code bArr}
     * @param i2 length of the basic response; not used by this method
     * @throws ASN_Exception if the outer structure does not decode
     * @throws CertStatusException if the response data is rejected or the responder cannot be verified
     */
    private void decodeBasicResponse(CertPathCtx certPathCtx, byte[] bArr, int i, int i2) throws ASN_Exception, NoServiceException, CertStatusException {
        EndContainer endContainer = new EndContainer();
        SequenceContainer sequenceContainer = new SequenceContainer(0, true, 0);
        // Response data is kept in encoded form: the same bytes are decoded and later signature-checked.
        EncodedContainer encodedContainer = new EncodedContainer(ASN1.SEQUENCE, true, 0, BOGUS_DATA, 0, 0);
        // Signature AlgorithmIdentifier, kept encoded.
        EncodedContainer encodedContainer2 = new EncodedContainer(ASN1.ANY, true, 0, BOGUS_DATA, 0, 0);
        // Signature value.
        BitStringContainer bitStringContainer = new BitStringContainer(0, true, 0, 0, 0, 1);
        // Certificates embedded in the response; the flag word presumably marks the field as
        // explicitly tagged and optional - confirm against the ASN1 constants.
        OfContainer ofContainer = new OfContainer(10551296, true, 0, ASN1.SEQUENCE, ASN1.ENCODED, ASN1.SEQUENCE, 0);
        ASN1Container[] aSN1ContainerArr = {sequenceContainer, encodedContainer, encodedContainer2, bitStringContainer, ofContainer, endContainer};
        // Structural check of the AlgorithmIdentifier only; these containers are not read afterwards.
        ASN1Container[] aSN1ContainerArr2 = {new SequenceContainer(0, true, 0), new OIDContainer(16777216, true, 0, BOGUS_DATA, 0, 0, 0, 0), new EncodedContainer(65536, true, 0, BOGUS_DATA, 0, 0), endContainer};
        ASN1.berDecode(bArr, i, aSN1ContainerArr);
        ASN1.berDecode(encodedContainer2.data, encodedContainer2.dataOffset, aSN1ContainerArr2);
        try {
            // The algorithm used for verification is whatever the response itself names.
            // NOTE(review): no algorithm allow-list is visible here; whether weak digests are refused
            // depends on the provider and on callers - confirm.
            JSAFE_Signature jSAFE_Signature = JSAFE_Signature.getInstance(encodedContainer2.data, encodedContainer2.dataOffset, "Java");
            this.sigAlg = new StringBuffer().append(jSAFE_Signature.getDigestAlgorithm()).append("/").append(jSAFE_Signature.getSignatureAlgorithm()).append("/").append(jSAFE_Signature.getPaddingScheme()).toString();
            // NOTE(review): certificates taken from the still-unverified response are inserted into the
            // database before the signature or the responder's path has been checked, and nothing here
            // removes them when verification fails. That store must not be treated as a source of trust;
            // verify how DatabaseService entries are used elsewhere.
            for (int i3 = 0; i3 < ofContainer.getContainerCount(); i3++) {
                ASN1Container containerAt = ofContainer.containerAt(i3);
                this.database.insertCertificate(new X509Certificate(containerAt.data, containerAt.dataOffset, containerAt.dataLen));
            }
            // Decoding the response data also selects actualResponder, which verifyResponse relies on.
            decodeResponseData(certPathCtx, encodedContainer.data, encodedContainer.dataOffset, encodedContainer.dataLen);
            if (!verifyResponse(certPathCtx, encodedContainer, bitStringContainer)) {
                throw new CertStatusException("Unable to verify identity of responder");
            }
        } catch (CertStatusException e) {
            throw e;
        } catch (Exception e2) {
            // Every other failure, runtime exceptions included, is reported as a status failure;
            // only the message survives, the original exception type and stack trace are dropped.
            throw new CertStatusException(e2.getMessage());
        }
    }

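    /**
     * Decodes the response data: version, responder ID, producedAt, the single responses and the
     * response extensions.
     *
     * <p>The nonce extension (extension type 120) is recorded whether or not it is marked critical.
     * Previously a nonce marked critical was accepted as understood but its value was dropped, so
     * {@code getNonce()} returned {@code null} for such a response. Any other critical extension is
     * still rejected.
     *
     * @param certPathCtx path context; its database is used to resolve the responder ID
     * @param bArr buffer holding the encoded response data
     * @param i offset of the response data in {@code bArr}
     * @param i2 length of the response data; not used by this method
     * @throws ASN_Exception if the structure does not decode
     * @throws CertStatusException if the version is not 0, the responder cannot be resolved, an
     *         extension cannot be parsed, or an unrecognised critical extension is present
     * @throws NotSupportedException if a single response cannot be interpreted
     */
    private void decodeResponseData(CertPathCtx certPathCtx, byte[] bArr, int i, int i2) throws ASN_Exception, NoServiceException, CertStatusException, NotSupportedException {
        EndContainer endContainer = new EndContainer();
        SequenceContainer sequenceContainer = new SequenceContainer(0, true, 0);
        // Version; the flag word presumably marks it as a defaulted field - confirm against the ASN1 constants.
        IntegerContainer integerContainer = new IntegerContainer(131072, true, 0, 0);
        // ResponderID, kept encoded for decodeResponderID.
        EncodedContainer encodedContainer = new EncodedContainer(ASN1.ANY, true, 0, BOGUS_DATA, 0, 0);
        GenTimeContainer genTimeContainer = new GenTimeContainer(0, true, 0, BOGUS_TIME);
        OfContainer ofContainer = new OfContainer(0, true, 0, ASN1.SEQUENCE, ASN1.ENCODED, ASN1.SEQUENCE, 0);
        // Response extensions, present only in some responses.
        EncodedContainer encodedContainer2 = new EncodedContainer(130816, true, 0, BOGUS_DATA, 0, 0);
        ASN1.berDecode(bArr, i, new ASN1Container[]{sequenceContainer, integerContainer, encodedContainer, genTimeContainer, ofContainer, encodedContainer2, endContainer});
        // Only version 0 is understood; an absent version is accepted.
        if (integerContainer.dataPresent && integerContainer.getValueAsInt() != 0) {
            throw new CertStatusException(new StringBuffer().append("0 != ").append(integerContainer.getValueAsInt()).toString());
        }
        decodeResponderID(certPathCtx.getDatabase(), encodedContainer.data, encodedContainer.dataOffset, encodedContainer.dataLen);
        // Copied so the stored time does not alias the container's Date.
        this.producedAt = new Date(genTimeContainer.theTime.getTime());
        decodeSingleResponses(ofContainer, this.producedAt, this.tolerance);
        try {
            if (encodedContainer2.dataPresent) {
                this.responseExtensions = new X509V3Extensions(encodedContainer2.data, encodedContainer2.dataOffset, 10485761, 5);
                int extensionCount = this.responseExtensions.getExtensionCount();
                for (int i3 = 0; i3 < extensionCount; i3++) {
                    X509V3Extension extensionByIndex = this.responseExtensions.getExtensionByIndex(i3);
                    if (extensionByIndex.getExtensionType() == 120) {
                        // Nonce: record it regardless of criticality so the caller can compare it
                        // with the nonce it sent.
                        this.nonce = ((OCSPNonce) extensionByIndex).getNonceValue();
                    } else if (extensionByIndex.getCriticality()) {
                        // A critical extension that is not understood must cause rejection.
                        throw new CertStatusException("unknown critical OCSP response extension");
                    }
                }
            }
        } catch (CertificateException e) {
            throw new CertStatusException(e.getMessage());
        }
    }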

    /**
     * Resolves the response's ResponderID to exactly one certificate in the given database and
     * stores it as {@code actualResponder}.
     *
     * <p>The ResponderID is a CHOICE of two alternatives; the first is looked up by subject name,
     * the second by key hash. Zero or several matches are both rejected.
     *
     * @param databaseService store searched for the responder certificate
     * @param bArr buffer holding the encoded ResponderID
     * @param i offset of the ResponderID in {@code bArr}
     * @param i2 length of the ResponderID; not used by this method
     * @throws ASN_Exception if the ResponderID does not decode
     * @throws CertStatusException if neither alternative is present, the lookup fails, or the
     *         number of matching certificates is not exactly one
     */
    private void decodeResponderID(DatabaseService databaseService, byte[] bArr, int i, int i2) throws ASN_Exception, NoServiceException, CertStatusException {
        EndContainer endContainer = new EndContainer();
        ChoiceContainer choiceContainer = new ChoiceContainer(0, 0);
        // The two flag words presumably select the by-name and by-key alternatives (context tags 1
        // and 2) - confirm against the ASN1 constants.
        EncodedContainer encodedContainer = new EncodedContainer(10498049, true, 0, BOGUS_DATA, 0, 0);
        EncodedContainer encodedContainer2 = new EncodedContainer(10551042, true, 0, BOGUS_DATA, 0, 0);
        ASN1.berDecode(bArr, i, new ASN1Container[]{choiceContainer, encodedContainer, encodedContainer2, endContainer});
        Vector vector = new Vector();
        try {
            if (encodedContainer.dataPresent) {
                databaseService.selectCertificateBySubject(new X500Name(encodedContainer.data, encodedContainer.dataOffset, 10485761), vector);
            } else {
                if (!encodedContainer2.dataPresent) {
                    throw new CertStatusException("unknown ResponderID CHOICE");
                }
                // The same bytes are decoded a second time, now as an octet string, to obtain the key hash.
                OctetStringContainer octetStringContainer = new OctetStringContainer(10485762, true, 0, BOGUS_DATA, 0, 0);
                ASN1.berDecode(bArr, i, new ASN1Container[]{octetStringContainer});
                OCSPutil.selectCertificateByKeyHash(this.certJ, databaseService, octetStringContainer.data, octetStringContainer.dataOffset, octetStringContainer.dataLen, vector);
            }
            // NOTE(review): the certificate found here may be one that arrived inside this very response
            // (decodeBasicResponse inserts them into a database first; whether it is the same store as
            // databaseService is not visible here). Being found is not evidence of trust - that is
            // decided only in verifyResponse.
            switch (vector.size()) {
                case 0:
                    throw new CertStatusException("ResponderID not found in database");
                case 1:
                    this.actualResponder = (X509Certificate) vector.elementAt(0);
                    return;
                default:
                    // An ambiguous responder identity is rejected rather than resolved by guessing.
                    throw new CertStatusException("ResponderID.numCerts > 1");
            }
        } catch (InvalidParameterException e) {
            throw new CertStatusException(e.getMessage());
        } catch (CertificateException e2) {
            throw new CertStatusException(e2.getMessage());
        } catch (NameException e3) {
            throw new CertStatusException(e3.getMessage());
        } catch (DatabaseException e4) {
            throw new CertStatusException(e4.getMessage());
        }
    }

    /**
     * Decodes the CertStatus CHOICE of one single response and records the outcome on the supplied
     * revocation info.
     *
     * <p>Status written to {@code certRevocationInfo}: 0 for the first alternative, 1 for the second
     * (which carries a revocation time and an optional reason code), 2 for the third. Presumably
     * these are good / revoked / unknown in that order - confirm against the CertRevocationInfo
     * constants.
     *
     * @param bArr buffer holding the encoded CertStatus
     * @param i offset of the CertStatus in {@code bArr}
     * @param certRevocationInfo object whose status is set by this call
     * @return revocation details for the second alternative, otherwise {@code null}
     * @throws ASN_Exception if the structure does not decode
     * @throws NotSupportedException if none of the three alternatives is present
     */
    private OCSPRevocationInfo decodeRevocationInfo(byte[] bArr, int i, CertRevocationInfo certRevocationInfo) throws ASN_Exception, NotSupportedException {
        ChoiceContainer choiceContainer = new ChoiceContainer(0, 0);
        // One encoded container per CHOICE alternative; the flag words presumably carry the implicit
        // context tags 0, 1 and 2 - confirm against the ASN1 constants.
        EncodedContainer encodedContainer = new EncodedContainer(8389888, true, 0, BOGUS_DATA, 0, 0);
        EncodedContainer encodedContainer2 = new EncodedContainer(8400897, true, 0, BOGUS_DATA, 0, 0);
        EncodedContainer encodedContainer3 = new EncodedContainer(8389890, true, 0, BOGUS_DATA, 0, 0);
        EndContainer endContainer = new EndContainer();
        OCSPRevocationInfo oCSPRevocationInfo = null;
        ASN1.berDecode(bArr, i, new ASN1Container[]{choiceContainer, encodedContainer, encodedContainer2, encodedContainer3, endContainer});
        if (encodedContainer.dataPresent) {
            certRevocationInfo.setStatus(0);
        } else if (encodedContainer2.dataPresent) {
            // Second alternative: SEQUENCE { revocationTime, optional reason }.
            SequenceContainer sequenceContainer = new SequenceContainer(8388609, true, 0);
            GenTimeContainer genTimeContainer = new GenTimeContainer(0, true, 0, BOGUS_TIME);
            EncodedContainer encodedContainer4 = new EncodedContainer(10616576, true, 0, BOGUS_DATA, 0, 0);
            ASN1.berDecode(encodedContainer2.data, encodedContainer2.dataOffset, new ASN1Container[]{sequenceContainer, genTimeContainer, encodedContainer4, endContainer});
            oCSPRevocationInfo = new OCSPRevocationInfo(genTimeContainer.theTime.getTime());
            if (encodedContainer4.dataPresent) {
                EnumeratedContainer enumeratedContainer = new EnumeratedContainer(10551040, true, 0, 0);
                ASN1.berDecode(encodedContainer4.data, encodedContainer4.dataOffset, new ASN1Container[]{enumeratedContainer});
                oCSPRevocationInfo.setReasonCode(enumeratedContainer.getValueAsInt());
            }
            certRevocationInfo.setStatus(1);
        } else {
            // Anything that is not one of the three known alternatives is refused outright.
            if (!encodedContainer3.dataPresent) {
                throw new NotSupportedException("CertStatus");
            }
            certRevocationInfo.setStatus(2);
        }
        return oCSPRevocationInfo;
    }

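    /**
     * Checks that the validation instant lies inside the evidence's validity window, widened by the
     * tolerance on both sides.
     *
     * <p>The tolerance is converted to milliseconds in {@code long} arithmetic. The earlier
     * {@code int} multiplication overflowed for tolerances above roughly 24.8 days and then moved
     * the window bounds by a wrong, possibly negative, amount.
     *
     * @param j validation instant in milliseconds since the epoch
     * @param i tolerance in seconds
     * @param oCSPEvidence evidence supplying thisUpdate and, optionally, nextUpdate
     * @return {@code true} when {@code j} is not before {@code thisUpdate - tolerance} and, if a
     *         nextUpdate is given, not after {@code nextUpdate + tolerance}
     */
    private boolean checkTime(long j, int i, OCSPEvidence oCSPEvidence) {
        final long toleranceMillis = i * 1000L;
        // Evidence dated after the validation instant (beyond the tolerance) is not yet valid.
        if (j < oCSPEvidence.getThisUpdate().getTime() - toleranceMillis) {
            return false;
        }
        Date nextUpdate = oCSPEvidence.getNextUpdate();
        // Evidence without nextUpdate has no upper bound here and never counts as expired.
        return nextUpdate == null || j <= nextUpdate.getTime() + toleranceMillis;
    }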

    /**
     * Decodes every SingleResponse into the parallel {@code certIDs} / {@code revInfos} arrays and
     * applies the freshness check to each.
     *
     * <p>A single response that fails the time check is not rejected; its status is overwritten
     * with 2, the same value decodeRevocationInfo assigns to the third CertStatus alternative.
     *
     * @param ofContainer container holding the encoded single responses
     * @param date producedAt time of the response, attached to each evidence object
     * @param i tolerance passed by the caller; not read here, the time check uses {@code this.tolerance}
     * @throws ASN_Exception if a single response does not decode
     * @throws NotSupportedException if the status, extensions or CertID of a single response cannot be interpreted
     */
    private void decodeSingleResponses(OfContainer ofContainer, Date date, int i) throws ASN_Exception, NotSupportedException {
        EndContainer endContainer = new EndContainer();
        // Template for one SingleResponse: certID, certStatus, thisUpdate, optional nextUpdate,
        // optional singleExtensions. The same container objects are reused on every iteration.
        SequenceContainer sequenceContainer = new SequenceContainer(0, true, 0);
        EncodedContainer encodedContainer = new EncodedContainer(ASN1.ANY, true, 0, BOGUS_DATA, 0, 0);
        EncodedContainer encodedContainer2 = new EncodedContainer(ASN1.ANY, true, 0, BOGUS_DATA, 0, 0);
        GenTimeContainer genTimeContainer = new GenTimeContainer(0, true, 0, BOGUS_TIME);
        GenTimeContainer genTimeContainer2 = new GenTimeContainer(10551296, true, 0, BOGUS_TIME);
        OfContainer ofContainer2 = new OfContainer(10551297, true, 0, ASN1.SEQUENCE, ASN1.ENCODED, ASN1.SEQUENCE, 0);
        ASN1Container[] aSN1ContainerArr = {sequenceContainer, encodedContainer, encodedContainer2, genTimeContainer, genTimeContainer2, ofContainer2, endContainer};
        int containerCount = ofContainer.getContainerCount();
        this.certIDs = new OCSPCertID[containerCount];
        this.revInfos = new CertRevocationInfo[containerCount];
        for (int i2 = 0; i2 < containerCount; i2++) {
            ASN1Container containerAt = ofContainer.containerAt(i2);
            ASN1.berDecode(containerAt.data, containerAt.dataOffset, aSN1ContainerArr);
            this.revInfos[i2] = new CertRevocationInfo();
            try {
                // Evidence bundles producedAt, thisUpdate, optional nextUpdate, optional single
                // extensions and the decoded status; decodeRevocationInfo also sets revInfos[i2]'s status.
                OCSPEvidence oCSPEvidence = new OCSPEvidence(0, date, new Date(genTimeContainer.theTime.getTime()), genTimeContainer2.dataPresent ? new Date(genTimeContainer2.theTime.getTime()) : null, (!ofContainer2.dataPresent || ofContainer2.data == null) ? null : new X509V3Extensions(ofContainer2.data, ofContainer2.dataOffset, ofContainer2.dataLen, 4), decodeRevocationInfo(encodedContainer2.data, encodedContainer2.dataOffset, this.revInfos[i2]));
                this.revInfos[i2].setEvidence(oCSPEvidence);
                this.revInfos[i2].setType(2);
                this.certIDs[i2] = new OCSPCertID(encodedContainer.data, encodedContainer.dataOffset, encodedContainer.dataLen);
                // Stale or not-yet-valid evidence: the decoded status is discarded and replaced with 2,
                // so an out-of-window answer is never reported with its original status.
                if (!checkTime(this.validationTime, this.tolerance, oCSPEvidence)) {
                    this.revInfos[i2].setStatus(2);
                }
            } catch (InvalidParameterException e) {
                throw new NotSupportedException(e.getMessage());
            } catch (CertificateException e2) {
                throw new NotSupportedException(e2.getMessage());
            }
        }
    }

    /**
     * Decides whether the response can be attributed to an acceptable responder.
     *
     * <p>Three checks run in order: the signature over the response data must verify with the
     * resolved responder certificate; a certification path must build for that certificate; and the
     * responder must be the CA certificate, a delegated responder, or the configured responder.
     * When the responder certificate is itself the certificate being checked, the response is
     * refused unless {@code responderNoCheck} is set, in which case bit 4 is added to the path
     * options for the path build (its meaning is not visible here; presumably it suppresses the
     * revocation check that would otherwise recurse - confirm).
     *
     * @param certPathCtx path context used for building the responder's path
     * @param aSN1Container container holding the signed response data
     * @param aSN1Container2 container holding the signature value
     * @return {@code true} when the responder is acceptable; {@code false} when it is not authorised
     * @throws CertStatusException if the signature does not verify or no path can be built
     */
    private boolean verifyResponse(CertPathCtx certPathCtx, ASN1Container aSN1Container, ASN1Container aSN1Container2) throws CertStatusException {
        final X509Certificate responder = this.actualResponder;

        final boolean signatureOk = verifySignature(responder, this.sigAlg, aSN1Container.data, aSN1Container.dataOffset, aSN1Container.dataLen, aSN1Container2.data, aSN1Container2.dataOffset, aSN1Container2.dataLen);
        if (!signatureOk) {
            throw new CertStatusException("Unable to verify signature of responder");
        }

        boolean pathBuilt;
        try {
            CertPathCtx effectiveCtx = certPathCtx;
            if (this.checkCert.equals(responder)) {
                // The responder is vouching for its own certificate.
                if (!this.responderNoCheck) {
                    return false;
                }
                effectiveCtx = new CertPathCtx(certPathCtx.getPathOptions() | 4, certPathCtx.getTrustedCerts(), certPathCtx.getPolicies(), certPathCtx.getValidationTime(), certPathCtx.getDatabase());
            }
            pathBuilt = this.certJ.buildCertPath(effectiveCtx, responder, null, null, null, null);
        } catch (CertJException e) {
            // A path-building error is handled exactly like "no path found".
            pathBuilt = false;
        }
        if (!pathBuilt) {
            throw new CertStatusException("Unable to build cert path from responder certificate");
        }

        // Authorisation: issuing CA itself, a delegated responder, or the locally configured responder.
        if (responder.equals(this.caCert)) {
            return true;
        }
        if (isOCSPDelegatedResponder(responder, this.checkCert)) {
            return true;
        }
        return responder.equals(this.designatedResponder);
    }

    /**
     * Reports whether a responder certificate is accepted as a delegated OCSP responder.
     *
     * <p>As written, the certificate is accepted as soon as its extended key usage extension
     * (extension type 37) lists the OCSP-signing purpose. If the extension exists but does not list
     * that purpose, the result is whether the issuer name of {@code actualResponder} equals the
     * subject name of the second argument. A certificate without extensions, or without the
     * extended key usage extension, is never accepted.
     *
     * <p>NOTE(review): the OCSP-signing branch does not compare the responder's issuer with the
     * issuer of the certificate being checked, so any path-valid certificate carrying that purpose
     * is accepted for every certificate; and the fallback compares against the checked
     * certificate's subject rather than its issuer. Both differ from the usual delegation rule
     * (responder issued directly by the CA that issued the certificate in question) - confirm the
     * intended policy before relying on this check.
     *
     * @param x509Certificate responder certificate whose extensions are inspected
     * @param x509Certificate2 certificate being checked
     * @return {@code true} when the responder is accepted as delegated, {@code false} otherwise,
     *         including when an extension cannot be read
     */
    private boolean isOCSPDelegatedResponder(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        final X509V3Extensions responderExtensions = x509Certificate.getExtensions();
        final boolean hasExtensions = responderExtensions != null && responderExtensions.getExtensionCount() != 0;
        if (!hasExtensions) {
            return false;
        }
        try {
            final ExtendedKeyUsage eku = (ExtendedKeyUsage) responderExtensions.getExtensionByType(37);
            if (eku == null) {
                return false;
            }
            int index = 0;
            while (index < eku.getKeyUsageCount()) {
                if (CertJUtils.byteArraysEqual(ExtendedKeyUsage.ID_KP_OCSP_SIGNING, eku.getExtendedKeyUsage(index))) {
                    return true;
                }
                index++;
            }
            // Reads the field rather than the first parameter; the one visible caller passes the same object.
            return this.actualResponder.getIssuerName().equals(x509Certificate2.getSubjectName());
        } catch (CertificateException e) {
            // An unreadable extension counts as "not delegated".
            return false;
        }
    }
}
