package org.jruby.ext.openssl;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.Signature;
import org.bouncycastle.asn1.ocsp.TBSRequest;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.jruby.Ruby;
import org.jruby.RubyArray;
import org.jruby.RubyBoolean;
import org.jruby.RubyClass;
import org.jruby.RubyFixnum;
import org.jruby.RubyModule;
import org.jruby.RubyObject;
import org.jruby.RubyString;
import org.jruby.anno.JRubyMethod;
import org.jruby.ext.openssl.x509store.X509AuxCertificate;
import org.jruby.runtime.Arity;
import org.jruby.runtime.ObjectAllocator;
import org.jruby.runtime.ThreadContext;
import org.jruby.runtime.Visibility;
import org.jruby.runtime.builtin.IRubyObject;

/* loaded from: input_file:org/jruby/ext/openssl/OCSPRequest.class */
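/**
 * JRuby implementation of {@code OpenSSL::OCSP::Request}, backed by the BouncyCastle ASN.1
 * {@code OCSPRequest} structure.
 *
 * <p>State is held in three places that must stay in step: the list of certificate ids added
 * through {@code add_certid}, the optional nonce, and the encoded request {@link #asn1bcReq}.
 * A request parsed from DER by {@code initialize} only populates {@link #asn1bcReq}; the nonce
 * and certificate-id list are not recovered from the parsed structure, so {@code check_nonce}
 * and {@code certid} on such an instance see no nonce and no ids.
 *
 * <p>Instances are not synchronized.
 */
public class OCSPRequest extends RubyObject {
    private static final long serialVersionUID = -4020616730425816999L;
    private static final ObjectAllocator REQUEST_ALLOCATOR = new ObjectAllocator() {
        @Override
        public IRubyObject allocate(Ruby ruby, RubyClass rubyClass) {
            return new OCSPRequest(ruby, rubyClass);
        }
    };
    // Names of the flag constants looked up on the Ruby OCSP module at call time.
    private static final String OCSP_NOCERTS = "NOCERTS";
    private static final String OCSP_NOSIGS = "NOSIGS";
    private static final String OCSP_NOINTERN = "NOINTERN";
    private static final String OCSP_NOVERIFY = "NOVERIFY";
    private static final String OCSP_TRUSTOTHER = "TRUSTOTHER";
    private static final String OCSP_NOCHAIN = "NOCHAIN";
    // Current encoded form of the request; null until a certid, a nonce or DER input is supplied.
    private org.bouncycastle.asn1.ocsp.OCSPRequest asn1bcReq;
    private final List<OCSPCertificateId> certificateIds;
    // Nonce this request was built with; null when none was added.
    private byte[] nonce;

    public OCSPRequest(Ruby ruby, RubyClass rubyClass) {
        super(ruby, rubyClass);
        this.certificateIds = new ArrayList<>();
    }

    /** Defines the Ruby class {@code Request} under the given module and binds the annotated methods. */
    public static void createRequest(Ruby ruby, RubyModule rubyModule) {
        rubyModule.defineClassUnder("Request", ruby.getObject(), REQUEST_ALLOCATOR).defineAnnotatedMethods(OCSPRequest.class);
    }

    /**
     * Creates an empty request, or parses one from the optional DER/PEM-ish argument.
     *
     * <p>The argument is caller-supplied data. Structural parse failures are reported as an
     * OCSP error instead of escaping as a raw Java runtime exception, matching how the other
     * methods of this class report failures.
     */
    @JRubyMethod(name = {"initialize"}, rest = true, visibility = Visibility.PRIVATE)
    public IRubyObject initialize(ThreadContext threadContext, IRubyObject[] iRubyObjectArr) {
        Ruby runtime = threadContext.runtime;
        if (Arity.checkArgumentCount(runtime, iRubyObjectArr, 0, 1) == 0) {
            return this;
        }
        // Read the bytes outside the try so Ruby-level errors from the helper are not re-wrapped.
        byte[] der = StringHelper.readPossibleDERInput(threadContext, iRubyObjectArr[0]).getBytes();
        try {
            this.asn1bcReq = org.bouncycastle.asn1.ocsp.OCSPRequest.getInstance(der);
        } catch (RuntimeException e) {
            throw OCSP.newOCSPError(runtime, e);
        }
        return this;
    }

    /**
     * Appends a certificate id and rebuilds the (unsigned) encoded request from all ids.
     *
     * <p>Any earlier signature is discarded by the rebuild. A previously added nonce is carried
     * over into the rebuilt request.
     */
    @JRubyMethod(name = {"add_certid"})
    public IRubyObject add_certid(IRubyObject iRubyObject) {
        Ruby runtime = getRuntime();
        this.certificateIds.add((OCSPCertificateId) iRubyObject);
        try {
            this.asn1bcReq = org.bouncycastle.asn1.ocsp.OCSPRequest.getInstance(newRequestBuilder().build().getEncoded());
            return this;
        } catch (Exception e) {
            throw OCSP.newOCSPError(runtime, e);
        }
    }

    /**
     * Sets the request nonce, generating one when no argument is given, and adds it to the
     * encoded request as the OCSP nonce extension.
     */
    @JRubyMethod(name = {"add_nonce"}, rest = true)
    public IRubyObject add_nonce(IRubyObject[] iRubyObjectArr) {
        Ruby runtime = getRuntime();
        if (Arity.checkArgumentCount(runtime, iRubyObjectArr, 0, 1) == 0) {
            this.nonce = OCSP.generateNonce(runtime);
        } else {
            this.nonce = ((RubyString) iRubyObjectArr[0]).getBytes();
        }
        addNonceImpl();
        return this;
    }

    /** Builds the non-critical nonce extension from the current nonce bytes. */
    private Extension nonceExtension() {
        return new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, this.nonce);
    }

    /** Returns a builder pre-loaded with every certificate id and, when set, the nonce extension. */
    private OCSPReqBuilder newRequestBuilder() {
        OCSPReqBuilder builder = new OCSPReqBuilder();
        for (OCSPCertificateId id : this.certificateIds) {
            builder.addRequest(new CertificateID(id.getCertID()));
        }
        if (this.nonce != null) {
            builder.setRequestExtensions(new Extensions(new Extension[] {nonceExtension()}));
        }
        return builder;
    }

    /**
     * Rewrites the encoded request so that it carries the current nonce.
     *
     * <p>The requestor name, request list and other extensions of the existing request are
     * kept; an existing nonce extension is replaced rather than duplicated. A request that has
     * no extensions yet is handled (the extensions field is optional and may be null).
     *
     * <p>An existing signature is kept as-is. It was computed over the previous TBSRequest, so
     * it no longer matches once the nonce is added; a signed request must be signed again
     * after {@code add_nonce} for {@code verify} to succeed.
     */
    private void addNonceImpl() {
        GeneralName requestorName = null;
        ASN1Sequence requestList = new DERSequence();
        Signature signature = null;
        List<Extension> extensions = new ArrayList<>();
        if (this.asn1bcReq != null) {
            TBSRequest tbsRequest = this.asn1bcReq.getTbsRequest();
            requestorName = tbsRequest.getRequestorName();
            requestList = tbsRequest.getRequestList();
            signature = this.asn1bcReq.getOptionalSignature();
            Extensions current = tbsRequest.getRequestExtensions();
            if (current != null) {
                Enumeration oids = current.oids();
                while (oids.hasMoreElements()) {
                    ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) oids.nextElement();
                    if (!OCSPObjectIdentifiers.id_pkix_ocsp_nonce.equals(oid)) {
                        extensions.add(current.getExtension(oid));
                    }
                }
            }
        }
        extensions.add(nonceExtension());
        Extensions updated = new Extensions(extensions.toArray(new Extension[0]));
        this.asn1bcReq = new org.bouncycastle.asn1.ocsp.OCSPRequest(new TBSRequest(requestorName, requestList, updated), signature);
    }

    /** Returns the certificate ids added through {@code add_certid} as a Ruby array. */
    @JRubyMethod(name = {"certid"})
    public IRubyObject certid() {
        return RubyArray.newArray(getRuntime(), this.certificateIds);
    }

    /**
     * Compares this request's nonce with the nonce of a basic or full OCSP response.
     *
     * @return 1 when both nonces are present and equal, 0 when both are present and differ,
     *     2 when neither is present, 3 when only the response has one, -1 when only this
     *     request has one. Any other argument type is treated as a response without a nonce.
     *     Only 1 shows that the response answers this request; callers relying on the nonce
     *     for replay protection should treat every other value as "not confirmed".
     */
    @JRubyMethod(name = {"check_nonce"})
    public IRubyObject check_nonce(ThreadContext threadContext, IRubyObject iRubyObject) {
        Ruby runtime = threadContext.runtime;
        byte[] responseNonce = null;
        if (iRubyObject instanceof OCSPBasicResponse) {
            responseNonce = ((OCSPBasicResponse) iRubyObject).getNonce();
        } else if (iRubyObject instanceof OCSPResponse) {
            responseNonce = ((OCSPResponse) iRubyObject).basic(threadContext).getNonce();
        }
        return checkNonceImpl(runtime, this.nonce, responseNonce);
    }

    /**
     * Signs the request: {@code sign(signer_cert, signer_key, certs = nil, flags = nil, digest = nil)}.
     *
     * <p>The nonce, when set, is placed in the request before signing so that the signature
     * covers it. The signer certificate and the additional certificates are embedded unless the
     * NOCERTS bit is set in the effective flags. When {@code certs} is nil the flags default to
     * NOCERTS; an explicit {@code flags} argument replaces that default.
     *
     * <p>NOTE(review): the digest defaults to SHA1 when none is passed. SHA-1 is a weak choice
     * for new signatures; callers should pass an explicit stronger digest. The default is left
     * unchanged here because existing callers may depend on it.
     */
    @JRubyMethod(name = {"sign"}, rest = true)
    public IRubyObject sign(ThreadContext threadContext, IRubyObject[] iRubyObjectArr) {
        Ruby runtime = threadContext.runtime;
        int argc = Arity.checkArgumentCount(runtime, iRubyObjectArr, 2, 5);
        IRubyObject extraCerts = argc > 2 ? iRubyObjectArr[2] : threadContext.nil;
        IRubyObject flagsArg = argc > 3 ? iRubyObjectArr[3] : threadContext.nil;
        IRubyObject digestArg = argc > 4 ? iRubyObjectArr[4] : threadContext.nil;
        int noCerts = ocspFlag(runtime, OCSP_NOCERTS);

        if (digestArg.isNil()) {
            Digest defaultDigest = new Digest(runtime, Digest._Digest(runtime));
            digestArg = defaultDigest.initialize(threadContext, RubyString.newString(runtime, "SHA1"));
        }
        int flags = 0;
        if (extraCerts.isNil()) {
            flags |= noCerts;
        }
        if (!flagsArg.isNil()) {
            flags = RubyFixnum.fix2int(flagsArg);
        }

        X509Cert signerCert = (X509Cert) iRubyObjectArr[0];
        PKey signerKey = (PKey) iRubyObjectArr[1];
        ContentSigner contentSigner;
        try {
            contentSigner = OCSP.newJcaContentSignerBuilder(((Digest) digestArg).getShortAlgorithm() + "with" + signerKey.getAlgorithm()).build(signerKey.getPrivateKey());
        } catch (OperatorCreationException e) {
            throw OCSP.newOCSPError(runtime, e);
        }

        try {
            OCSPReqBuilder builder = newRequestBuilder();
            builder.setRequestorName(signerCert.getSubject().getX500Name());

            List<X509CertificateHolder> chain = new ArrayList<>();
            // Flags are a bit mask: test the NOCERTS bit instead of comparing the whole value,
            // so NOCERTS combined with other flags still suppresses the certificates.
            if ((flags & noCerts) == 0) {
                chain.add(new X509CertificateHolder(signerCert.getAuxCert().getEncoded()));
                if (!extraCerts.isNil()) {
                    for (Object cert : (RubyArray) extraCerts) {
                        chain.add(new X509CertificateHolder(((Certificate) cert).getEncoded()));
                    }
                }
            }
            OCSPReq signed = builder.build(contentSigner, chain.toArray(new X509CertificateHolder[0]));
            this.asn1bcReq = org.bouncycastle.asn1.ocsp.OCSPRequest.getInstance(signed.getEncoded());
            return this;
        } catch (Exception e) {
            throw OCSP.newOCSPError(runtime, e);
        }
    }

    /**
     * Verifies the request signature: {@code verify(certs, store, flags = 0)}.
     *
     * <p>Returns false for an unsigned request, for a request whose requestor name is missing
     * or is not a directory name, when no certificate matching that name is found, when the
     * signature check fails, or when chain validation against {@code store} fails.
     *
     * <p>The signer certificate is located by subject name only (see {@link #findCertByName});
     * trust in it comes from the signature check and the store validation that follow. Flags
     * weaken the check: NOSIGS skips the signature check, NOVERIFY skips store validation, and
     * NOINTERN together with TRUSTOTHER implies NOVERIFY. When both checks are skipped nothing
     * has been verified and the method returns false.
     */
    @JRubyMethod(name = {"verify"}, rest = true)
    public IRubyObject verify(ThreadContext threadContext, IRubyObject[] iRubyObjectArr) {
        Ruby runtime = threadContext.runtime;
        int flags = 0;
        if (Arity.checkArgumentCount(runtime, iRubyObjectArr, 2, 3) == 3) {
            flags = RubyFixnum.fix2int((RubyFixnum) iRubyObjectArr[2]);
        }
        IRubyObject extraCerts = iRubyObjectArr[0];
        IRubyObject store = iRubyObjectArr[1];

        OCSPReq request = getBCOCSPReq();
        if (request == null) {
            throw OCSP.newOCSPError(runtime, new NullPointerException("Missing BC asn1bcReq. Missing certIDs or signature?"));
        }
        if (!request.isSigned()) {
            return RubyBoolean.newBoolean(runtime, false);
        }
        // requestorName is optional in the encoding; a signed request parsed from untrusted
        // DER may omit it, which must fail verification rather than raise a NullPointerException.
        GeneralName requestorName = request.getRequestorName();
        if (requestorName == null || requestorName.getTagNo() != GeneralName.directoryName) {
            return RubyBoolean.newBoolean(runtime, false);
        }

        try {
            Certificate signer = findCertByName(X500Name.getInstance(requestorName.getName()), extraCerts, flags);
            if (signer == null) {
                return RubyBoolean.newBoolean(runtime, false);
            }
            if ((flags & ocspFlag(runtime, OCSP_NOINTERN)) > 0 && (flags & ocspFlag(runtime, OCSP_TRUSTOTHER)) > 0) {
                flags |= ocspFlag(runtime, OCSP_NOVERIFY);
            }

            boolean verified = false;
            if ((flags & ocspFlag(runtime, OCSP_NOSIGS)) == 0) {
                verified = request.isSignatureValid(OCSP.newJcaContentVerifierProviderBuilder().build(signer.getPublicKey()));
                if (!verified) {
                    return RubyBoolean.newBoolean(runtime, verified);
                }
            }
            if ((flags & ocspFlag(runtime, OCSP_NOVERIFY)) == 0) {
                X509StoreContext storeContext;
                if ((flags & ocspFlag(runtime, OCSP_NOCHAIN)) > 0) {
                    storeContext = X509StoreContext.newStoreContext(threadContext, (X509Store) store, X509Cert.wrap(runtime, signer), threadContext.nil);
                } else {
                    // Offer the certificates embedded in the request as untrusted chain material.
                    RubyArray untrusted = RubyArray.newEmptyArray(runtime);
                    ASN1Sequence embedded = this.asn1bcReq.getOptionalSignature().getCerts();
                    if (embedded != null) {
                        Iterator it = embedded.iterator();
                        while (it.hasNext()) {
                            untrusted.add(X509Cert.wrap(runtime, new X509AuxCertificate(org.bouncycastle.asn1.x509.Certificate.getInstance(it.next()))));
                        }
                    }
                    storeContext = X509StoreContext.newStoreContext(threadContext, (X509Store) store, X509Cert.wrap(runtime, signer), untrusted);
                }
                storeContext.set_purpose(threadContext, X509._X509(runtime).getConstant("PURPOSE_OCSP_HELPER"));
                storeContext.set_trust(threadContext, X509._X509(runtime).getConstant("TRUST_OCSP_REQUEST"));
                verified = storeContext.verify(threadContext).isTrue();
                if (!verified) {
                    return RubyBoolean.newBoolean(runtime, false);
                }
            }
            return RubyBoolean.newBoolean(getRuntime(), verified);
        } catch (Exception e) {
            OpenSSL.debugStackTrace(e);
            throw OCSP.newOCSPError(runtime, e);
        }
    }

    /**
     * Returns the DER encoding of the request.
     *
     * <p>Raises an OCSP error when nothing has been added to the request yet, instead of
     * failing with a NullPointerException.
     */
    @JRubyMethod(name = {"to_der"})
    public IRubyObject to_der() {
        Ruby runtime = getRuntime();
        if (this.asn1bcReq == null) {
            throw OCSP.newOCSPError(runtime, new IllegalStateException("Missing BC asn1bcReq. Missing certIDs or signature?"));
        }
        try {
            return RubyString.newString(runtime, this.asn1bcReq.getEncoded("DER"));
        } catch (IOException e) {
            throw OCSP.newOCSPError(runtime, e);
        }
    }

    /**
     * Copies the state of another request into this one ({@code dup}/{@code clone} support).
     *
     * <p>The nonce and certificate ids are copied along with the encoded request; without them
     * {@code check_nonce} on the copy would behave as if the request carried no nonce.
     */
    @JRubyMethod(visibility = Visibility.PRIVATE)
    public IRubyObject initialize_copy(IRubyObject iRubyObject) {
        if (this == iRubyObject) {
            return this;
        }
        checkFrozen();
        OCSPRequest other = (OCSPRequest) iRubyObject;
        this.asn1bcReq = other.asn1bcReq;
        this.nonce = other.nonce == null ? null : other.nonce.clone();
        this.certificateIds.clear();
        this.certificateIds.addAll(other.certificateIds);
        return this;
    }

    /** Reads an integer flag constant by name from the Ruby OCSP module. */
    private static int ocspFlag(Ruby ruby, String name) {
        return RubyFixnum.fix2int(OCSP._OCSP(ruby).getConstant(name));
    }

    /**
     * Finds a certificate whose subject equals the given name.
     *
     * <p>Certificates embedded in the request signature are searched first unless NOINTERN is
     * set, then the caller-supplied array. The match is on subject name alone and says nothing
     * about whether the certificate is trusted. Callers must only invoke this on a signed
     * request (the optional signature is dereferenced without a null check).
     *
     * @return the first matching certificate, or null when none matches
     */
    private Certificate findCertByName(ASN1Encodable aSN1Encodable, IRubyObject iRubyObject, int i) throws CertificateException, IOException {
        if ((i & ocspFlag(getRuntime(), OCSP_NOINTERN)) == 0) {
            ASN1Sequence embedded = this.asn1bcReq.getOptionalSignature().getCerts();
            if (embedded != null) {
                Iterator it = embedded.iterator();
                while (it.hasNext()) {
                    org.bouncycastle.asn1.x509.Certificate candidate = org.bouncycastle.asn1.x509.Certificate.getInstance(it.next());
                    if (aSN1Encodable.equals(candidate.getSubject())) {
                        return new X509AuxCertificate(candidate);
                    }
                }
            }
        }
        for (Object element : (RubyArray) iRubyObject) {
            X509Certificate candidate = (X509Certificate) element;
            if (aSN1Encodable.equals(X500Name.getInstance(candidate.getSubjectX500Principal().getEncoded()))) {
                return new X509AuxCertificate(candidate);
            }
        }
        return null;
    }

    /** Returns the nonce bytes held by this request (the internal array, not a copy), or null. */
    public byte[] getNonce() {
        return this.nonce;
    }

    /**
     * Maps a pair of optional nonces to the {@code check_nonce} result code.
     *
     * @param bArr the request nonce, or null
     * @param bArr2 the response nonce, or null
     */
    private IRubyObject checkNonceImpl(Ruby ruby, byte[] bArr, byte[] bArr2) {
        if (bArr != null && bArr2 != null) {
            return Arrays.equals(bArr, bArr2) ? RubyFixnum.one(ruby) : RubyFixnum.zero(ruby);
        }
        if (bArr == null && bArr2 == null) {
            return RubyFixnum.two(ruby);
        }
        if (bArr == null) {
            // Nonce present in the response only.
            return RubyFixnum.three(ruby);
        }
        // Nonce present in the request only.
        return RubyFixnum.newFixnum(ruby, -1L);
    }

    /** Wraps the encoded request in the BouncyCastle high-level type, or returns null when unset. */
    private OCSPReq getBCOCSPReq() {
        if (this.asn1bcReq == null) {
            return null;
        }
        return new OCSPReq(this.asn1bcReq);
    }
}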
