package kz.gov.pki.provider.utils;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import kz.gov.pki.kalkan.asn1.ASN1InputStream;
import kz.gov.pki.kalkan.asn1.ASN1OctetString;
import kz.gov.pki.kalkan.asn1.DERObject;
import kz.gov.pki.kalkan.asn1.DEROctetString;
import kz.gov.pki.kalkan.asn1.ocsp.OCSPObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.x509.X509Extension;
import kz.gov.pki.kalkan.asn1.x509.X509Extensions;
import kz.gov.pki.kalkan.ocsp.BasicOCSPResp;
import kz.gov.pki.kalkan.ocsp.CertificateID;
import kz.gov.pki.kalkan.ocsp.CertificateStatus;
import kz.gov.pki.kalkan.ocsp.OCSPException;
import kz.gov.pki.kalkan.ocsp.OCSPReqGenerator;
import kz.gov.pki.kalkan.ocsp.OCSPResp;
import kz.gov.pki.kalkan.util.encoders.Base64;
import kz.gov.pki.provider.exception.ProviderUtilException;
import kz.gov.pki.provider.exception.ProviderUtilExceptionCode;
import kz.gov.pki.reference.KNCAServiceRequestMethod;
import kz.gov.pki.reference.KalkanHashAlgorithm;

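/**
 * Queries an OCSP responder over HTTP for the revocation status of one certificate.
 *
 * <p>The response is accepted only when it is signed by the issuing CA itself or by a
 * responder certificate that the issuing CA issued directly and that carries the
 * id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2). Without that check
 * the signature would be verified against whatever certificate the response carries,
 * which lets anyone who can answer the HTTP request supply both the response and the key
 * that "verifies" it.
 *
 * <p>NOTE(review): the following are still not checked here and should be enforced by the
 * caller or added once the corresponding library accessors are confirmed:
 * <ul>
 *   <li>that the first single response actually refers to the requested certificate
 *       (issuer hashes and serial number);</li>
 *   <li>freshness of the response (thisUpdate / nextUpdate);</li>
 *   <li>connect and read timeouts on the HTTP connection, so a silent responder blocks
 *       the calling thread.</li>
 * </ul>
 */
@Deprecated
/* loaded from: input_file:kz/gov/pki/provider/utils/OCSPUtil.class */
public class OCSPUtil {
    /** OID of the id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2). */
    private static final String OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9";

    /**
     * Length of the request nonce in bytes. Kept at the original value for compatibility
     * with existing responders. NOTE(review): 4 bytes is short for replay protection;
     * RFC 8954 recommends 32 — confirm what the responder accepts before raising it.
     */
    private static final int NONCE_LENGTH = 4;

    /**
     * Builds an OCSP request for {@code x509Certificate}, sends it to {@code url} and returns
     * the status found in the first single response.
     *
     * @param x509Certificate certificate whose serial number is queried
     * @param x509Certificate2 certificate of the CA that issued {@code x509Certificate}; it is
     *     used to build the request's certificate ID and to authorise the response signer
     * @param url responder address; must be an HTTP(S) URL because the connection is cast to
     *     {@link HttpURLConnection}
     * @param kalkanHashAlgorithm hash algorithm whose id is used for the certificate ID
     * @param kNCAServiceRequestMethod {@code POST} sends the request in the body; any other
     *     value appends the Base64 request to the URL path (GET)
     * @param z when {@code true}, a random nonce is added to the request
     * @param provider JCA provider whose name is used for all cryptographic operations
     * @return the certificate status taken from the first single response
     * @throws IOException on transport failure
     * @throws OCSPException when the responder reports a non-successful status or the
     *     response cannot be processed
     * @throws NoSuchProviderException when {@code provider} is not registered
     * @throws ProviderUtilException when the nonces differ or the response signature or
     *     signer cannot be verified
     */
    public static CertificateStatus verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, URL url, KalkanHashAlgorithm kalkanHashAlgorithm, KNCAServiceRequestMethod kNCAServiceRequestMethod, boolean z, Provider provider) throws IOException, OCSPException, NoSuchProviderException, ProviderUtilException {
        byte[] nonce = null;
        if (z) {
            nonce = new byte[NONCE_LENGTH];
            new SecureRandom().nextBytes(nonce);
        }
        byte[] ocspPackage = getOcspPackage(x509Certificate.getSerialNumber(), x509Certificate2, kalkanHashAlgorithm.getId(), nonce, provider);
        HttpURLConnection httpURLConnection = null;
        try {
            if (kNCAServiceRequestMethod.equals(KNCAServiceRequestMethod.POST)) {
                httpURLConnection = (HttpURLConnection) url.openConnection();
                httpURLConnection.setDoOutput(true);
                httpURLConnection.setRequestMethod("POST");
                httpURLConnection.setRequestProperty("Content-Type", "application/ocsp-request");
                try (OutputStream outputStream = httpURLConnection.getOutputStream()) {
                    outputStream.write(ocspPackage);
                }
            } else {
                // Base64 output is pure ASCII; naming the charset removes the dependency on
                // the platform default.
                // NOTE(review): RFC 6960 (appendix A.1) asks for the Base64 text to be
                // URL-encoded; '+', '/' and '=' are sent as-is here, as before.
                String encodedRequest = new String(Base64.encode(ocspPackage), StandardCharsets.US_ASCII);
                String separator = url.getPath().endsWith("/") ? "" : "/";
                httpURLConnection = (HttpURLConnection) new URL(url + separator + encodedRequest).openConnection();
            }
            return makeOcspResponse(httpURLConnection, provider, nonce, x509Certificate2);
        } finally {
            // Release the connection on every path, including failures while sending or parsing.
            if (httpURLConnection != null) {
                httpURLConnection.disconnect();
            }
        }
    }

    /**
     * Reads the OCSP response from the connection, checks the nonce and the signature, and
     * returns the status of the first single response.
     *
     * @param httpURLConnection connection on which the request has already been prepared
     * @param provider JCA provider whose name is used for certificate and signature handling
     * @param nonce nonce that was sent, or {@code null} when none was requested
     * @param issuer CA certificate that anchors trust in the response signer
     */
    private static CertificateStatus makeOcspResponse(HttpURLConnection httpURLConnection, Provider provider, byte[] nonce, X509Certificate issuer) throws IOException, OCSPException, NoSuchProviderException, ProviderUtilException {
        OCSPResp oCSPResp;
        try (InputStream inputStream = httpURLConnection.getInputStream()) {
            oCSPResp = new OCSPResp(inputStream);
        }
        // Status 0 is the only value treated as success.
        if (oCSPResp.getStatus() != 0) {
            throw new OCSPException("Unsuccessful request. Status: " + oCSPResp.getStatus());
        }
        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) oCSPResp.getResponseObject();
        if (basicOCSPResp == null) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.OCSP_RESPONSE_NOT_VERIFIED);
        }

        byte[] extensionValue = basicOCSPResp.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId());
        if (extensionValue != null) {
            // The nonce is wrapped in two OCTET STRINGs, mirroring generateExtensions().
            byte[] returnedNonce = readOctets(readOctets(extensionValue));
            if (!Arrays.equals(nonce, returnedNonce)) {
                throw new ProviderUtilException(ProviderUtilExceptionCode.OCSP_NOT_EQUAL_NONCES);
            }
        }
        // NOTE(review): a response that carries no nonce is still accepted even when one was
        // requested (unchanged behaviour). Replay protection then rests on freshness checks
        // that this class does not perform.

        Certificate[] responderCerts = basicOCSPResp.getCerts(provider.getName());
        // A response signed directly by the CA may carry no certificate at all.
        Certificate signer = (responderCerts == null || responderCerts.length == 0) ? issuer : responderCerts[0];
        if (!isAuthorizedResponder(signer, issuer, provider)
                || !basicOCSPResp.verify(signer.getPublicKey(), provider.getName())) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.OCSP_RESPONSE_NOT_VERIFIED);
        }
        if (basicOCSPResp.getResponses().length == 0) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.OCSP_RESPONSE_NOT_VERIFIED);
        }
        return (CertificateStatus) basicOCSPResp.getResponses()[0].getCertStatus();
    }

    /**
     * Decides whether {@code signer} may sign OCSP responses on behalf of {@code issuer}:
     * either it is the issuer certificate itself, or it is a currently valid certificate
     * signed by the issuer's key that lists the OCSP-signing extended key usage.
     *
     * @return {@code true} when the signer is authorised, {@code false} otherwise
     * @throws NoSuchProviderException when the provider is not registered
     */
    private static boolean isAuthorizedResponder(Certificate signer, X509Certificate issuer, Provider provider) throws NoSuchProviderException {
        if (signer.equals(issuer)) {
            return true;
        }
        if (!(signer instanceof X509Certificate)) {
            return false;
        }
        X509Certificate delegate = (X509Certificate) signer;
        try {
            delegate.verify(issuer.getPublicKey(), provider.getName());
            delegate.checkValidity();
            // The EKU check keeps ordinary end-entity certificates issued by the same CA
            // from being accepted as responders.
            List<String> usages = delegate.getExtendedKeyUsage();
            return usages != null && usages.contains(OCSP_SIGNING_EKU);
        } catch (NoSuchProviderException e) {
            throw e;
        } catch (GeneralSecurityException ignored) {
            // Bad signature, expired or unparsable certificate: the signer is not trusted.
            return false;
        }
    }

    /** Parses one DER-encoded OCTET STRING and returns its content octets. */
    private static byte[] readOctets(byte[] encoded) throws IOException {
        ASN1InputStream aSN1InputStream = new ASN1InputStream(encoded);
        try {
            DERObject readObject = aSN1InputStream.readObject();
            return DEROctetString.getInstance(readObject).getOctets();
        } finally {
            aSN1InputStream.close();
        }
    }

    /**
     * Encodes an OCSP request for a single certificate.
     *
     * @param serialNumber serial number of the certificate being checked
     * @param issuer certificate used to build the certificate ID; must be an X.509 certificate
     * @param hashAlgorithmId id of the hash algorithm used for the certificate ID
     * @param nonce nonce to place in the request extensions, or {@code null} for none
     * @param provider JCA provider whose name is passed to the certificate ID
     * @return the encoded request
     */
    private static byte[] getOcspPackage(BigInteger serialNumber, Certificate issuer, String hashAlgorithmId, byte[] nonce, Provider provider) throws OCSPException, IOException {
        OCSPReqGenerator oCSPReqGenerator = new OCSPReqGenerator();
        oCSPReqGenerator.addRequest(new CertificateID(hashAlgorithmId, (X509Certificate) issuer, serialNumber, provider.getName()));
        if (nonce != null) {
            oCSPReqGenerator.setRequestExtensions(generateExtensions(nonce));
        }
        return oCSPReqGenerator.generate().getEncoded();
    }

    /**
     * Builds the request extensions holding a non-critical nonce. The nonce is wrapped in
     * an OCTET STRING that is itself placed inside the extension's OCTET STRING value.
     */
    private static X509Extensions generateExtensions(byte[] nonce) {
        // Raw Hashtable is kept as in the original call to the X509Extensions constructor.
        Hashtable hashtable = new Hashtable();
        hashtable.put(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, new X509Extension(false, (ASN1OctetString) new DEROctetString(new DEROctetString(nonce))));
        return new X509Extensions(hashtable);
    }
}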
