package cn.topca.api.cert;

import cn.tca.TopBasicCrypto.asn1.DERObjectIdentifier;
import cn.tca.TopBasicCrypto.asn1.ocsp.OCSPObjectIdentifiers;
import cn.tca.TopBasicCrypto.asn1.x509.AlgorithmIdentifier;
import cn.tca.TopBasicCrypto.asn1.x509.X509ExtensionsGenerator;
import cn.tca.TopBasicCrypto.cert.X509CertificateHolder;
import cn.tca.TopBasicCrypto.cert.ocsp.BasicOCSPResp;
import cn.tca.TopBasicCrypto.cert.ocsp.CertificateID;
import cn.tca.TopBasicCrypto.cert.ocsp.CertificateStatus;
import cn.tca.TopBasicCrypto.cert.ocsp.OCSPException;
import cn.tca.TopBasicCrypto.cert.ocsp.OCSPReqBuilder;
import cn.tca.TopBasicCrypto.cert.ocsp.OCSPResp;
import cn.tca.TopBasicCrypto.cert.ocsp.RevokedStatus;
import cn.tca.TopBasicCrypto.cert.ocsp.SingleResp;
import cn.tca.TopBasicCrypto.cert.ocsp.UnknownStatus;
import cn.tca.TopBasicCrypto.operator.ContentVerifier;
import cn.tca.TopBasicCrypto.operator.ContentVerifierProvider;
import cn.topca.security.x509.AlgorithmId;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.ProtocolException;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Random;

/* loaded from: input_file:cn/topca/api/cert/OCSPVerifyProvider.class */
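/**
 * Certificate verifier that first checks the certificate against the configured CA
 * (via {@link BaseVerifier#verifyCert}) and, when revocation checking is enabled,
 * asks the configured OCSP responder whether the certificate is still good.
 *
 * <p>Trust model for the OCSP response signature: the response must be signed either
 * by the configured CA itself or by a delegated responder certificate that is issued
 * by that CA, is valid at the verification date and carries the id-kp-OCSPSigning
 * extended key usage (RFC 6960 section 4.2.2.2). Locally configured responder
 * certificates that are not issued by the CA are not supported.
 *
 * <p>Not thread-safe: {@link #config(VerifierConfig)} mutates instance state.
 */
class OCSPVerifyProvider extends BaseVerifier implements IVerifierProvider {
    /** Size in bytes of the random nonce sent in the request (RFC 6960 section 4.4.1). */
    private static final int NONCE_LENGTH = 16;
    /** Connect and read timeout for the responder exchange; without it a hung responder blocks verification forever. */
    private static final int HTTP_TIMEOUT_MS = 30000;
    /** id-kp-OCSPSigning: extended key usage a delegated responder certificate must carry. */
    private static final String OCSP_SIGNING_EKU_OID = "1.3.6.1.5.5.7.3.9";
    /** OCSPResponseStatus values (RFC 6960 section 4.2.1); 4 is unassigned. */
    private static final int STATUS_SUCCESSFUL = 0;
    private static final int STATUS_MALFORMED_REQUEST = 1;
    private static final int STATUS_INTERNAL_ERROR = 2;
    private static final int STATUS_TRY_LATER = 3;
    private static final int STATUS_SIG_REQUIRED = 5;
    private static final int STATUS_UNAUTHORIZED = 6;

    /** Nonce source; a cryptographic RNG so the anti-replay nonce is not predictable. */
    private final SecureRandom rng = new SecureRandom();
    private X509Certificate caCert = null;
    private boolean checkRovke = false;
    private String ocspUrl;

    /**
     * Map-based configuration is not supported by this provider.
     *
     * @param map ignored
     * @return always {@code false}
     */
    @Override // cn.topca.api.cert.IVerifierProvider
    public boolean config(Map<String, String> map) {
        return false;
    }

    /**
     * Takes the CA certificate, responder URL and revocation-check flag from the config.
     *
     * @param verifierConfig source of the settings
     * @return always {@code true}
     */
    @Override // cn.topca.api.cert.IVerifierProvider
    public boolean config(VerifierConfig verifierConfig) {
        this.caCert = verifierConfig.getCaCert();
        this.ocspUrl = verifierConfig.getOcspUrl();
        this.checkRovke = verifierConfig.isCheckRevoke();
        return true;
    }

    /**
     * Verifies the certificate against the CA and, if revocation checking is enabled,
     * against the OCSP responder.
     *
     * @param x509Certificate certificate under test
     * @param date            point in time for validity checks; {@code null} means now
     * @return {@code true} when the certificate is valid (and not revoked, if checked)
     * @throws CertApiException on any verification failure or transport error; the
     *                          error code identifies the failing step
     */
    @Override // cn.topca.api.cert.IVerifierProvider
    public boolean verify(X509Certificate x509Certificate, Date date) throws CertApiException {
        super.verifyCert(x509Certificate, this.caCert, date);
        if (!this.checkRovke) {
            return true;
        }
        if (this.ocspUrl == null || this.ocspUrl.isEmpty()) {
            // Revocation checking was requested but no responder is configured.
            throw new CertApiException(TCAErrCode.ERR_BAD_URL);
        }
        Date checkDate = (date != null) ? date : new Date();
        byte[] nonce = genNonce(NONCE_LENGTH);
        byte[] request = genReq(x509Certificate, this.caCert, nonce);
        byte[] response = doRequest(request, this.ocspUrl);
        return handleRep(response, nonce, checkDate);
    }

    /**
     * Self-test hook; not implemented.
     *
     * @return always {@code false}
     */
    @Override // cn.topca.api.cert.IVerifierProvider
    public boolean test() {
        return false;
    }

    /**
     * Produces {@code i} random bytes for the request nonce.
     *
     * @param i nonce length in bytes
     * @return freshly generated random bytes
     */
    private byte[] genNonce(int i) {
        byte[] nonce = new byte[i];
        this.rng.nextBytes(nonce);
        return nonce;
    }

    /**
     * Builds the DER-encoded OCSP request for {@code x509Certificate}.
     *
     * <p>The CertID is built from the certificate's issuer name (RFC 6960: "the issuer's
     * distinguished name as found in the issuer field of the certificate being
     * identified"), the CA's public key and the certificate's serial number.
     *
     * @param x509Certificate  certificate whose status is requested
     * @param x509Certificate2 issuing CA certificate (source of the issuer key)
     * @param bArr             nonce placed in the id-pkix-ocsp-nonce extension
     * @return encoded OCSPRequest
     * @throws CertApiException ERR_STREAM on encoding failure, ERR_UNKNOWN_ALG if the
     *                          hash algorithm is unavailable, ERR_OCSP_GENREQUEST on
     *                          builder failure
     */
    private byte[] genReq(X509Certificate x509Certificate, X509Certificate x509Certificate2, byte[] bArr) throws CertApiException {
        X509ExtensionsGenerator extensions = new X509ExtensionsGenerator();
        extensions.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, bArr);
        OCSPReqBuilder builder = new OCSPReqBuilder().setRequestExtensions(extensions.generate());
        try {
            // Issuer name taken from the end-entity certificate rather than from the CA's
            // own issuer field: the two only coincide when the CA is self-signed.
            TCACertID certId = new TCACertID(
                    AlgorithmId.get(TCA.SHA1),
                    x509Certificate.getIssuerX500Principal().getEncoded(),
                    x509Certificate2.getPublicKey().getEncoded(),
                    x509Certificate.getSerialNumber());
            builder.addRequest(new CertificateID(certId.toASN1Object()));
            return builder.build().getEncoded();
        } catch (IOException e) {
            throw new CertApiException(TCAErrCode.ERR_STREAM, e);
        } catch (NoSuchAlgorithmException e) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_ALG, e);
        } catch (OCSPException e) {
            throw new CertApiException(TCAErrCode.ERR_OCSP_GENREQUEST, e);
        }
    }

    /**
     * POSTs the encoded request to the responder and returns the raw response body.
     *
     * @param bArr encoded OCSPRequest
     * @param str  responder URL (must resolve to an HTTP(S) connection)
     * @return response body bytes
     * @throws CertApiException ERR_BAD_URL for a malformed or non-HTTP URL, ERR_UNKNOWN
     *                          for a protocol error or non-200 status, ERR_STREAM for I/O
     *                          failures (including timeouts)
     */
    private byte[] doRequest(byte[] bArr, String str) throws CertApiException {
        HttpURLConnection httpURLConnection;
        try {
            URLConnection connection = new URL(str).openConnection();
            if (!(connection instanceof HttpURLConnection)) {
                // e.g. a file: or jar: URL; a blind cast would surface as ClassCastException.
                throw new CertApiException(TCAErrCode.ERR_BAD_URL);
            }
            httpURLConnection = (HttpURLConnection) connection;
        } catch (MalformedURLException e) {
            throw new CertApiException(TCAErrCode.ERR_BAD_URL, e);
        } catch (IOException e) {
            throw new CertApiException(TCAErrCode.ERR_STREAM, e);
        }
        try {
            httpURLConnection.setConnectTimeout(HTTP_TIMEOUT_MS);
            httpURLConnection.setReadTimeout(HTTP_TIMEOUT_MS);
            httpURLConnection.setDoOutput(true);
            httpURLConnection.setRequestMethod("POST");
            httpURLConnection.setRequestProperty("Content-Type", "application/ocsp-request");
            httpURLConnection.connect();
            OutputStream outputStream = httpURLConnection.getOutputStream();
            try {
                outputStream.write(bArr);
                outputStream.flush();
            } finally {
                outputStream.close();
            }
            if (httpURLConnection.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new CertApiException(TCAErrCode.ERR_UNKNOWN);
            }
            InputStream inputStream = httpURLConnection.getInputStream();
            try {
                // NOTE(review): readIS2Byte reads the whole body unbounded; a size cap
                // would protect against an oversized response - confirm in TCAUtil.
                return TCAUtil.readIS2Byte(inputStream);
            } finally {
                inputStream.close();
            }
        } catch (ProtocolException e) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN, e);
        } catch (IOException e) {
            throw new CertApiException(TCAErrCode.ERR_STREAM, e);
        } finally {
            httpURLConnection.disconnect();
        }
    }

    /**
     * Parses and validates the responder's answer.
     *
     * <p>For a successful response the nonce must match, the signature must verify under a
     * responder certificate accepted by {@link #resolveResponderCert}, and the single
     * response must report the certificate as good.
     *
     * @param bArr  raw OCSPResponse bytes
     * @param bArr2 nonce that was sent in the request
     * @param date  verification date used for the responder certificate's validity
     * @return {@code true} when the certificate is reported as good
     * @throws CertApiException with a code describing the failure (bad nonce, bad
     *                          signature, revoked/unknown status, responder error)
     */
    private boolean handleRep(byte[] bArr, byte[] bArr2, Date date) throws CertApiException {
        try {
            OCSPResp oCSPResp = new OCSPResp(bArr);
            switch (oCSPResp.getStatus()) {
                case STATUS_SUCCESSFUL:
                    try {
                        Object responseObject = oCSPResp.getResponseObject();
                        if (!(responseObject instanceof BasicOCSPResp)) {
                            // Status says "successful" but no basic response is present.
                            throw new CertApiException(TCAErrCode.ERR_OCSP_BAD_GEN);
                        }
                        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;
                        checkNonce(basicOCSPResp, bArr2);
                        X509CertificateHolder[] certs = basicOCSPResp.getCerts();
                        X509CertificateHolder holder = (certs != null && certs.length > 0) ? certs[0] : null;
                        X509Certificate signer = resolveResponderCert(certs, date);
                        verifyResponseSignature(basicOCSPResp, getContentVerifyProvider(signer, holder));
                        return checkCertStatuses(basicOCSPResp.getResponses());
                    } catch (OCSPException e) {
                        throw new CertApiException(TCAErrCode.ERR_OCSP_GENREQUEST, e);
                    }
                case STATUS_MALFORMED_REQUEST:
                case STATUS_INTERNAL_ERROR:
                case STATUS_TRY_LATER:
                case STATUS_SIG_REQUIRED:
                case STATUS_UNAUTHORIZED:
                    throw new CertApiException(TCAErrCode.ERR_OCSP_BAD_GEN);
                default:
                    throw new CertApiException(TCAErrCode.ERR_OCSP_UNKNOWSTATU);
            }
        } catch (IOException e) {
            throw new CertApiException(TCAErrCode.ERR_STREAM, e);
        }
    }

    /**
     * Checks that the response echoes the request nonce.
     *
     * @param basicOCSPResp parsed basic response
     * @param expected      nonce sent in the request
     * @throws CertApiException ERR_NOFOUND_NONCE when the extension is absent,
     *                          ERR_BAD_NONCE when it differs
     */
    private static void checkNonce(BasicOCSPResp basicOCSPResp, byte[] expected) throws CertApiException {
        // Absent extension used to surface as a NullPointerException instead of the
        // dedicated error code.
        if (basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce) == null) {
            throw new CertApiException(TCAErrCode.ERR_NOFOUND_NONCE);
        }
        byte[] octets = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getValue().getOctets();
        if (octets == null) {
            throw new CertApiException(TCAErrCode.ERR_NOFOUND_NONCE);
        }
        if (!Arrays.equals(expected, octets)) {
            throw new CertApiException(TCAErrCode.ERR_BAD_NONCE);
        }
    }

    /**
     * Decides which certificate is allowed to have signed the response.
     *
     * <p>With no embedded certificate the CA itself is assumed to be the signer. Otherwise
     * the first embedded certificate is used: it is accepted if it is the CA certificate,
     * or if it is issued by the CA, valid at {@code date} and carries id-kp-OCSPSigning.
     * Anything else is rejected - previously any embedded certificate was trusted.
     *
     * @param certs certificates embedded in the response (may be null or empty)
     * @param date  verification date
     * @return certificate whose key will verify the response signature
     * @throws CertApiException ERR_STREAM if the embedded certificate cannot be decoded,
     *                          ERR_CERT_BADSIGN if it is not an acceptable responder
     */
    private X509Certificate resolveResponderCert(X509CertificateHolder[] certs, Date date) throws CertApiException {
        if (certs == null || certs.length == 0) {
            return this.caCert;
        }
        X509Certificate candidate;
        try {
            // NOTE(review): only certs[0] is considered, as before; a responder that embeds
            // its chain in a different order is not supported.
            candidate = TCAUtil.convBin2Cert(certs[0].getEncoded());
        } catch (IOException e) {
            throw new CertApiException(TCAErrCode.ERR_STREAM, e);
        }
        try {
            if (Arrays.equals(candidate.getEncoded(), this.caCert.getEncoded())) {
                return candidate;
            }
            // Delegated responder: signature by the CA key, in validity, and marked for OCSP
            // signing. Relies on a JCA provider for the CA's signature algorithm, as the
            // rest of this class already does.
            candidate.verify(this.caCert.getPublicKey());
            candidate.checkValidity(date);
            List<String> eku = candidate.getExtendedKeyUsage();
            if (eku == null || !eku.contains(OCSP_SIGNING_EKU_OID)) {
                throw new CertApiException(TCAErrCode.ERR_CERT_BADSIGN);
            }
            return candidate;
        } catch (GeneralSecurityException e) {
            throw new CertApiException(TCAErrCode.ERR_CERT_BADSIGN, e);
        }
    }

    /**
     * Requires a present and valid response signature.
     *
     * <p>Previously the result of {@code isSignatureValid} was discarded and an unsigned
     * response was accepted; both now fail closed.
     *
     * @param basicOCSPResp parsed basic response
     * @param verifier      provider wrapping the accepted responder certificate
     * @throws CertApiException ERR_CERT_BADSIGN when the signature is missing or invalid
     */
    private static void verifyResponseSignature(BasicOCSPResp basicOCSPResp, ContentVerifierProvider verifier) throws CertApiException {
        boolean valid;
        try {
            valid = basicOCSPResp.getSignature() != null && basicOCSPResp.isSignatureValid(verifier);
        } catch (OCSPException e) {
            throw new CertApiException(TCAErrCode.ERR_CERT_BADSIGN, e);
        }
        if (!valid) {
            throw new CertApiException(TCAErrCode.ERR_CERT_BADSIGN);
        }
    }

    /**
     * Interprets the single responses; the first one with a "good" status wins.
     *
     * @param responses single responses from the basic response (may be null)
     * @return {@code true} when a good status is found
     * @throws CertApiException ERR_CERT_UNKNOWSTATU for unknown status or no responses;
     *                          ERR_CERT_NOTYETVALID for a revoked certificate (code name
     *                          kept from the original; it looks misnamed for "revoked")
     */
    private static boolean checkCertStatuses(SingleResp[] responses) throws CertApiException {
        if (responses == null) {
            throw new CertApiException(TCAErrCode.ERR_CERT_UNKNOWSTATU);
        }
        // NOTE(review): the single response's CertID is not compared with the request, and
        // thisUpdate/nextUpdate freshness is not checked - confirm whether the library
        // exposes these so they can be enforced.
        for (SingleResp singleResp : responses) {
            CertificateStatus certStatus = singleResp.getCertStatus();
            if (certStatus == null) {
                // A null status is treated as "good", as the original code did (matches the
                // BouncyCastle convention CertificateStatus.GOOD == null - confirm for this fork).
                return true;
            }
            if (certStatus instanceof UnknownStatus) {
                throw new CertApiException(TCAErrCode.ERR_CERT_UNKNOWSTATU);
            }
            if (certStatus instanceof RevokedStatus) {
                throw new CertApiException(TCAErrCode.ERR_CERT_NOTYETVALID);
            }
        }
        throw new CertApiException(TCAErrCode.ERR_CERT_UNKNOWSTATU);
    }

    /**
     * Wraps an already-accepted responder certificate as a {@link ContentVerifierProvider}.
     *
     * @param signer responder certificate whose key verifies the signature
     * @param holder the embedded holder it came from, or {@code null} when the CA is the signer
     * @return provider handing out {@link #getContentVerifier(X509Certificate)} for {@code signer}
     */
    private ContentVerifierProvider getContentVerifyProvider(final X509Certificate signer, final X509CertificateHolder holder) {
        return new ContentVerifierProvider() {
            public ContentVerifier get(AlgorithmIdentifier algorithmIdentifier) {
                // The requested algorithm is ignored; see getContentVerifier.
                return OCSPVerifyProvider.this.getContentVerifier(signer);
            }

            public boolean hasAssociatedCertificate() {
                return holder != null;
            }

            public X509CertificateHolder getAssociatedCertificate() {
                return holder;
            }
        };
    }

    /**
     * Builds a verifier that checks a signature with the certificate's public key.
     *
     * <p>Public (rather than private) only because the anonymous provider above calls it.
     *
     * <p>NOTE(review): the algorithm is chosen from the key type alone - SM3withSM2 for SM2
     * keys, SHA1withRSA otherwise - and the algorithm identifier carried in the response is
     * ignored. A response signed with e.g. SHA-256/RSA would therefore fail to verify, and
     * SHA-1 is deprecated; mapping the response's identifier to the JCA name would fix both.
     *
     * @param x509Certificate certificate holding the verification key
     * @return verifier that fails closed (returns {@code false}) on any JCA error
     */
    public ContentVerifier getContentVerifier(final X509Certificate x509Certificate) {
        return new ContentVerifier() {
            private final ByteArrayOutputStream stream = new ByteArrayOutputStream();

            public OutputStream getOutputStream() {
                return this.stream;
            }

            public boolean verify(byte[] bArr) {
                byte[] signedContent = this.stream.toByteArray();
                try {
                    Signature signature = Signature.getInstance(isSm2Key(x509Certificate) ? "SM3withSM2" : "SHA1withRSA");
                    signature.initVerify(x509Certificate.getPublicKey());
                    signature.update(signedContent);
                    return signature.verify(bArr);
                } catch (GeneralSecurityException e) {
                    // Missing provider, bad key or malformed signature: the caller reports
                    // ERR_CERT_BADSIGN, so no stack trace is printed here.
                    return false;
                }
            }

            public AlgorithmIdentifier getAlgorithmIdentifier() {
                String oid = isSm2Key(x509Certificate)
                        ? AlgorithmId.SM3withSM2_oid.toString()
                        : AlgorithmId.sha1WithRSAEncryption_oid.toString();
                return new AlgorithmIdentifier(new DERObjectIdentifier(oid));
            }
        };
    }

    /**
     * Tells whether the certificate's public key is an SM2 key, by JCA algorithm name or OID.
     *
     * @param cert certificate to inspect
     * @return {@code true} for SM2 keys
     */
    private static boolean isSm2Key(X509Certificate cert) {
        String algorithm = cert.getPublicKey().getAlgorithm();
        return algorithm.equalsIgnoreCase(TCA.SM2) || algorithm.equals(AlgorithmId.SM2_oid.toString());
    }
}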
