package kz.gov.pki.provider.utils;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import kz.gov.pki.kalkan.asn1.x509.KeyPurposeId;
import kz.gov.pki.kalkan.jce.provider.cms.CMSException;
import kz.gov.pki.kalkan.jce.provider.cms.SignerId;
import kz.gov.pki.kalkan.tsp.TSPException;
import kz.gov.pki.kalkan.tsp.TimeStampRequest;
import kz.gov.pki.kalkan.tsp.TimeStampRequestGenerator;
import kz.gov.pki.kalkan.tsp.TimeStampResponse;
import kz.gov.pki.kalkan.tsp.TimeStampToken;
import kz.gov.pki.kalkan.tsp.TimeStampTokenInfo;
import kz.gov.pki.kalkan.util.encoders.Base64;
import kz.gov.pki.provider.exception.ProviderUtilException;
import kz.gov.pki.provider.exception.ProviderUtilExceptionCode;
import kz.gov.pki.provider.utils.model.TSAProfile;
import kz.gov.pki.reference.KNCAServiceRequestMethod;
import kz.gov.pki.reference.KalkanHashAlgorithm;
import kz.gov.pki.reference.TSAPolicy;

/* loaded from: input_file:kz/gov/pki/provider/utils/TSPUtil.class */
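/**
 * RFC 3161 time-stamp client helpers: builds a TimeStampRequest for a hash of the caller's data,
 * submits it to the TSA endpoint configured in a {@link TSAProfile} (HTTP POST or GET), and
 * validates the returned token (response/request cross-check, message-imprint re-computation,
 * signature check against the TSA certificate carried in the token).
 *
 * <p>Stateless apart from the shared {@link SecureRandom}; safe to call from several threads.
 */
public class TSPUtil {

    /** Legacy system-property name for the TSA endpoint; kept only for binary compatibility. */
    @Deprecated
    public static final String TSA_URL_PROP = "knca.tsaURL";

    /**
     * Legacy default TSA endpoint; kept only for binary compatibility.
     * Note the scheme is plain HTTP: transport gives no protection, the token's own signature does.
     */
    @Deprecated
    public static final String TSA_URL = "http://tsp.pki.gov.kz/";

    /** Nonce source. SecureRandom so a response cannot be replayed against a predictable request. */
    private static final SecureRandom random = new SecureRandom();

    /** HTTP status the TSA must return for a response body to be parsed at all. */
    private static final int HTTP_OK = 200;

    /**
     * Requests a time-stamp for {@code bArr} using an ad-hoc profile built from the given
     * hash algorithm, TSA policy and HTTP method.
     *
     * @param bArr data to be time-stamped; it is hashed locally, never sent to the TSA
     * @param kalkanHashAlgorithm hash algorithm for the message imprint
     * @param tSAPolicy TSA policy OID to request
     * @param kNCAServiceRequestMethod POST or GET transport
     * @param provider JCA provider used for digests and token validation
     * @return the validated time-stamp response
     * @throws ProviderUtilException when the token's message imprint does not match {@code bArr}
     * @throws TSPException on HTTP/content-type errors or token validation failure
     */
    public static TimeStampResponse getTimeStampResponse(byte[] bArr, KalkanHashAlgorithm kalkanHashAlgorithm, TSAPolicy tSAPolicy, KNCAServiceRequestMethod kNCAServiceRequestMethod, Provider provider) throws IOException, NoSuchAlgorithmException, NoSuchProviderException, TSPException, CMSException, CertStoreException, CertificateExpiredException, CertificateNotYetValidException, ProviderUtilException {
        TSAProfile profile = new TSAProfile();
        profile.setHashAlgorithm(kalkanHashAlgorithm);
        profile.setRequestMethod(kNCAServiceRequestMethod);
        profile.setTsaPolicy(tSAPolicy);
        return getTimeStampResponse(bArr, profile, provider);
    }

    /**
     * Requests a time-stamp for {@code bArr} from the TSA described by {@code tSAProfile} and
     * validates the result before returning it.
     *
     * <p>Validation performed on the happy path: {@code response.validate(request)} (ties the
     * response to the request actually sent, including the nonce) followed by
     * {@link #validateTimeStampToken}. A response that fails either check is never returned.
     *
     * @param bArr data to be time-stamped; only its digest is transmitted
     * @param tSAProfile hash algorithm, policy, request method and TSA URL
     * @param provider JCA provider used for the digest and for token validation
     * @return the validated time-stamp response
     * @throws TSPException if the TSA answers with a non-200 status, a content type other than
     *         {@code application/timestamp-reply}, or a response that fails validation
     * @throws ProviderUtilException if the token's message imprint does not match {@code bArr}
     */
    public static TimeStampResponse getTimeStampResponse(byte[] bArr, TSAProfile tSAProfile, Provider provider) throws IOException, NoSuchAlgorithmException, NoSuchProviderException, TSPException, CMSException, CertStoreException, CertificateExpiredException, CertificateNotYetValidException, ProviderUtilException {
        String hashAlgId = tSAProfile.getHashAlgorithm().getId();
        MessageDigest md = MessageDigest.getInstance(hashAlgId, provider.getName());
        byte[] digest = md.digest(bArr);

        TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
        // Ask the TSA to include its certificate so validateTimeStampToken can locate it in the token.
        reqGen.setCertReq(true);
        reqGen.setReqPolicy(tSAProfile.getTsaPolicy().getId());
        TimeStampRequest request = reqGen.generate(hashAlgId, digest, BigInteger.valueOf(random.nextLong()));
        byte[] encodedRequest = request.getEncoded();

        String tsaURL = tSAProfile.getTsaURL();
        HttpURLConnection connection;
        if (tSAProfile.getRequestMethod().equals(KNCAServiceRequestMethod.POST)) {
            connection = openPostConnection(tsaURL, encodedRequest);
        } else {
            connection = openGetConnection(tsaURL, encodedRequest);
        }

        int status = connection.getResponseCode();
        if (status != HTTP_OK) {
            throw new TSPException("HTTP error code: " + status);
        }
        String contentType = connection.getContentType();
        if (!"application/timestamp-reply".equals(contentType)) {
            throw new TSPException("Wrong content-type: " + contentType);
        }

        TimeStampResponse response;
        try (InputStream in = connection.getInputStream()) {
            response = new TimeStampResponse(in);
        }
        // Cross-check the response against the request we sent (nonce etc.) before trusting the token.
        response.validate(request);
        validateTimeStampToken(response.getTimeStampToken(), bArr, provider);
        return response;
    }

    /** Opens a POST connection to {@code tsaURL} and writes the DER request as the body. */
    private static HttpURLConnection openPostConnection(String tsaURL, byte[] encodedRequest) throws IOException {
        HttpURLConnection connection = (HttpURLConnection) new URL(tsaURL).openConnection();
        connection.setRequestMethod("POST");
        connection.setDoOutput(true);
        connection.setRequestProperty("Content-Type", "application/timestamp-query");
        try (OutputStream out = connection.getOutputStream()) {
            out.write(encodedRequest);
        }
        return connection;
    }

    /**
     * Opens a GET connection with the Base64/URL-encoded DER request appended to {@code tsaURL}
     * as the last path segment (a slash is inserted if the URL does not already end with one).
     */
    private static HttpURLConnection openGetConnection(String tsaURL, byte[] encodedRequest) throws IOException {
        String query = URLEncoder.encode(Base64.encodeStr(encodedRequest), "UTF-8");
        String separator = tsaURL.endsWith("/") ? "" : "/";
        return (HttpURLConnection) new URL(tsaURL + separator + query).openConnection();
    }

    /**
     * Locates the TSA signing certificate inside the token.
     *
     * <p>The token's signer id is narrowed with the {@code id-kp-timeStamping} extended key usage
     * so that only a certificate actually authorised for time-stamping is accepted.
     *
     * @param timeStampToken token whose embedded certificates are searched
     * @param provider JCA provider used to build the "Collection" cert store
     * @return the first certificate matching the signer id and EKU
     * @throws TSPException if no such certificate is present in the token
     */
    public static X509Certificate getTSPCertificate(TimeStampToken timeStampToken, Provider provider) throws NoSuchAlgorithmException, CertStoreException, NoSuchProviderException, CMSException, TSPException, IOException {
        SignerId sid = timeStampToken.getSID();
        Set<String> extendedKeyUsage = new HashSet<String>();
        extendedKeyUsage.add(KeyPurposeId.id_kp_timeStamping.getId());
        sid.setExtendedKeyUsage(extendedKeyUsage);
        Iterator<? extends Certificate> it = timeStampToken.getCertificatesAndCRLs("Collection", provider.getName()).getCertificates(sid).iterator();
        if (!it.hasNext()) {
            throw new TSPException("TSA-certificate not found");
        }
        return (X509Certificate) it.next();
    }

    /**
     * Verifies that {@code timeStampToken} covers {@code bArr} and is validly signed by the
     * TSA certificate it carries.
     *
     * <p>Order matters: the TSA certificate is looked up first, then the message imprint is
     * recomputed with the algorithm OID named in the token and compared in constant time, and
     * only then is the token's signature validated against that certificate.
     *
     * <p>NOTE(review): the imprint algorithm OID is taken from the token itself. When reached via
     * {@link #getTimeStampResponse} the preceding {@code response.validate(request)} is what ties it
     * to the algorithm the caller asked for; direct callers of this method do not get that check.
     *
     * @param timeStampToken token to validate
     * @param bArr the original data the token is expected to cover
     * @param provider JCA provider for the digest and the signature check
     * @throws ProviderUtilException with {@code DIFF_HASH} if the recomputed imprint differs
     * @throws TSPException if the token signature does not verify
     */
    public static void validateTimeStampToken(TimeStampToken timeStampToken, byte[] bArr, Provider provider) throws NoSuchProviderException, TSPException, CertificateExpiredException, CertificateNotYetValidException, NoSuchAlgorithmException, CMSException, CertStoreException, ProviderUtilException, IOException {
        X509Certificate tsaCertificate = getTSPCertificate(timeStampToken, provider);
        TimeStampTokenInfo info = timeStampToken.getTimeStampInfo();
        byte[] expectedImprint = MessageDigest.getInstance(info.getMessageImprintAlgOID(), provider).digest(bArr);
        // MessageDigest.isEqual is the idiomatic constant-time comparison for digests.
        if (!MessageDigest.isEqual(expectedImprint, info.getMessageImprintDigest())) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.DIFF_HASH);
        }
        timeStampToken.validate(tsaCertificate, provider.getName());
    }
}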
