package org.jivesoftware.openfire.net;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/net/OCSPChecker.class */
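public class OCSPChecker extends PKIXCertPathChecker {
    private static final Logger Log = LoggerFactory.getLogger(OCSPChecker.class);
    /** Location of the OCSP responder; read from the Openfire properties once, when the class is loaded. */
    private static String ocspServerUrl = JiveGlobals.getProperty("ocsp.responderURL");
    /** Subject DN of the certificate trusted to sign responses; when unset, the issuer certificate is used. */
    private static String ocspServerSubject = JiveGlobals.getProperty("ocsp.responderCertSubjectName");
    private static final String OCSP_REQUEST_CONTENT_TYPE = "application/ocsp-request";
    private static final String OCSP_RESPONSE_CONTENT_TYPE = "application/ocsp-response";
    /**
     * Index into {@link #certs} of the certificate used as issuer (and default responder) of the
     * certificate under check. It is assigned in {@link #init(boolean)} only and is never advanced
     * by {@link #check(Certificate, Collection)}, so every check() call reads the same slot.
     * NOTE(review): confirm against the validator's calling order that this is the intended indexing.
     */
    private int certIndex;
    /** The path's certificates, in the order {@link CertPath#getCertificates()} returns them. */
    private X509Certificate[] certs;
    private CertPath cp;
    private PKIXParameters pkixParams;

    /**
     * Creates a checker for the given path.
     *
     * @param certPath       the path whose certificates will be checked
     * @param pKIXParameters validation parameters; their trust anchors and cert stores are searched for
     *                       the issuer and responder certificates
     * @throws CertPathValidatorException never from this constructor itself; declared because
     *                                    {@link #init(boolean)} declares it
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public OCSPChecker(CertPath certPath, PKIXParameters pKIXParameters) throws CertPathValidatorException {
        this.cp = certPath;
        this.pkixParams = pKIXParameters;
        List<? extends Certificate> certificates = this.cp.getCertificates();
        this.certs = certificates.toArray(new X509Certificate[certificates.size()]);
        init(false);
    }

    /**
     * Resets the checker. Only reverse (anchor-to-target) checking is supported.
     *
     * @param z {@code true} requests forward checking, which is rejected
     * @throws CertPathValidatorException when forward checking is requested
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (z) {
            throw new CertPathValidatorException("Forward checking not supported");
        }
        this.certIndex = this.certs.length - 1;
    }

    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /** This checker resolves no certificate extensions. */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        return Collections.emptySet();
    }

    /**
     * Queries the configured OCSP responder for the revocation status of {@code certificate}.
     * <p>
     * The issuer certificate is taken from the path (or the trust anchors), the responder certificate is
     * either the issuer or the certificate named by {@code ocsp.responderCertSubjectName}, and the
     * response is accepted only when its signature verifies against that responder certificate, it is
     * not past its {@code nextUpdate}, and the matching single response reports GOOD.
     *
     * @param certificate the certificate to check; must be an {@link X509Certificate}
     * @param collection  unresolved critical extensions; not used by this checker
     * @throws CertPathValidatorException when the certificate is revoked, its status is unknown, the
     *                                    responder cannot be reached or its response cannot be verified,
     *                                    or the responder URL / certificates are not configured
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        Log.debug("OCSPChecker: check called");
        try {
            X509Certificate subjectCert = (X509Certificate) certificate;
            X500Principal responderSubject = ocspServerSubject == null ? null : new X500Principal(ocspServerSubject);

            X509Certificate issuerCert = findIssuerCert(subjectCert);
            X509Certificate responderCert = findResponderCert(issuerCert, responderSubject);

            if (ocspServerUrl == null) {
                throw new CertPathValidatorException("Must set OCSP Server URL");
            }

            // The request carries no nonce, so a response is tied to the certificate only by its
            // validity window (checked in evaluateResponse), not to this particular request.
            CertificateID certificateID = new CertificateID(
                    new JcaDigestCalculatorProviderBuilder().setProvider("BC").build().get(CertificateID.HASH_SHA1),
                    new X509CertificateHolder(issuerCert.getEncoded()),
                    subjectCert.getSerialNumber());
            OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
            requestBuilder.addRequest(certificateID);
            OCSPReq request = requestBuilder.build();

            OCSPResp response = postRequest(request.getEncoded());
            evaluateResponse(response, certificateID, responderCert, subjectCert.getSerialNumber());
        } catch (CertPathValidatorException e) {
            throw e;
        } catch (Exception e) {
            // I/O, encoding and BouncyCastle failures all mean "status could not be established";
            // keep the original as the cause so the reason is not lost.
            throw new CertPathValidatorException(e);
        }
    }

    /**
     * Locates the certificate that issued {@code subjectCert}: the path entry at {@link #certIndex}
     * when that is not the target position, otherwise the trust anchor whose subject equals the
     * issuer name.
     *
     * @throws CertPathValidatorException when no trust anchor is configured or none matches the issuer
     */
    private X509Certificate findIssuerCert(X509Certificate subjectCert) throws CertPathValidatorException {
        if (this.certIndex != 0) {
            return this.certs[this.certIndex];
        }
        Log.debug("OCSPChecker: Looking for issuer's certificate");
        Set<TrustAnchor> anchors = this.pkixParams.getTrustAnchors();
        if (anchors.isEmpty()) {
            throw new CertPathValidatorException("Must specify at least one trust anchor");
        }
        X500Principal issuerName = subjectCert.getIssuerX500Principal();
        for (TrustAnchor anchor : anchors) {
            X509Certificate trustedCert = anchor.getTrustedCert();
            // Anchors given as name + public key carry no certificate and cannot serve as issuer here.
            if (trustedCert != null && issuerName.equals(trustedCert.getSubjectX500Principal())) {
                return trustedCert;
            }
        }
        throw new CertPathValidatorException("No trusted certificate for " + issuerName);
    }

    /**
     * Locates the certificate trusted to sign OCSP responses. Without a configured responder subject
     * that is the issuer itself; otherwise the trust anchors are searched first, then the cert stores.
     * A cert-store match is used as found; it is not itself chain-validated by this checker.
     *
     * @throws CertPathValidatorException when a responder subject is configured but no certificate
     *                                    with that subject can be found
     * @throws CertStoreException         when a cert store cannot be queried
     */
    private X509Certificate findResponderCert(X509Certificate issuerCert, X500Principal responderSubject)
            throws CertPathValidatorException, CertStoreException {
        if (responderSubject == null) {
            Log.debug("OCSPChecker: Responder's certificate = issuer certificate");
            return issuerCert;
        }
        Log.debug("OCSPChecker: Looking for responder's certificate");
        for (TrustAnchor anchor : this.pkixParams.getTrustAnchors()) {
            X509Certificate trustedCert = anchor.getTrustedCert();
            if (trustedCert != null && responderSubject.equals(trustedCert.getSubjectX500Principal())) {
                return trustedCert;
            }
        }
        Log.debug("OCSPChecker: Searching cert stores for responder's certificate");
        X509CertSelector selector = new X509CertSelector();
        selector.setSubject(responderSubject);
        for (CertStore store : this.pkixParams.getCertStores()) {
            Collection<? extends Certificate> matches = store.getCertificates(selector);
            if (!matches.isEmpty()) {
                return (X509Certificate) matches.iterator().next();
            }
        }
        throw new CertPathValidatorException("Cannot find the responder's certificate.");
    }

    /**
     * POSTs a DER-encoded OCSP request to {@link #ocspServerUrl} and parses the response.
     * Both connection streams are closed on every exit path.
     *
     * @throws CertPathValidatorException when the URL is malformed or the responder answers with a
     *                                    non-200 status (there is no OCSP payload to evaluate then)
     * @throws IOException                on transport or parse failure
     */
    private static OCSPResp postRequest(byte[] encodedRequest) throws IOException, CertPathValidatorException {
        URL url;
        try {
            url = new URL(ocspServerUrl);
        } catch (MalformedURLException e) {
            throw new CertPathValidatorException(e);
        }
        Log.debug("OCSPChecker: connecting to OCSP service at: {}", url);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        connection.setDoOutput(true);
        connection.setDoInput(true);
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-type", OCSP_REQUEST_CONTENT_TYPE);
        connection.setRequestProperty("Accept", OCSP_RESPONSE_CONTENT_TYPE);
        // Content-Length set through setRequestProperty is not honoured by the JDK's HttpURLConnection;
        // fixed-length streaming mode is the supported way to declare the body size.
        connection.setFixedLengthStreamingMode(encodedRequest.length);
        try (OutputStream out = connection.getOutputStream()) {
            out.write(encodedRequest);
        }
        int status = connection.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new CertPathValidatorException(
                    "OCSP responder returned HTTP " + status + " - " + connection.getResponseMessage());
        }
        try (InputStream in = connection.getInputStream()) {
            return new OCSPResp(in);
        }
    }

    /**
     * Verifies the response and maps the status of the certificate identified by {@code certificateID}
     * to either a normal return (GOOD) or a {@link CertPathValidatorException}.
     * <p>
     * Only {@code responderCert} is trusted to sign the response; certificates carried inside the
     * response are not consulted. A single response whose {@code nextUpdate} has passed is rejected
     * as stale.
     *
     * @throws CertPathValidatorException for a non-successful response status, an unverifiable
     *                                    signature, a stale or missing single response, or a
     *                                    revoked / unknown certificate status
     */
    private void evaluateResponse(OCSPResp response, CertificateID certificateID,
                                  X509Certificate responderCert, BigInteger serialNumber)
            throws CertPathValidatorException {
        if (response.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new CertPathValidatorException("OCSP responder returned status " + response.getStatus(),
                    null, this.cp, this.certIndex);
        }
        BasicOCSPResp basicResponse;
        try {
            Object responseObject = response.getResponseObject();
            if (!(responseObject instanceof BasicOCSPResp)) {
                throw new CertPathValidatorException("Unsupported OCSP response type", null, this.cp, this.certIndex);
            }
            basicResponse = (BasicOCSPResp) responseObject;
            if (!basicResponse.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(responderCert.getPublicKey()))) {
                throw new CertPathValidatorException("OCSP response is not verified", null, this.cp, this.certIndex);
            }
        } catch (CertPathValidatorException e) {
            throw e;
        } catch (Exception e) {
            throw new CertPathValidatorException("OCSP response could not be verified (" + e.getMessage() + ")",
                    e, this.cp, this.certIndex);
        }

        for (SingleResp singleResp : basicResponse.getResponses()) {
            if (!singleResp.getCertID().equals(certificateID)) {
                continue;
            }
            Date nextUpdate = singleResp.getNextUpdate();
            if (nextUpdate != null && nextUpdate.getTime() < System.currentTimeMillis()) {
                throw new CertPathValidatorException("OCSP response for certificate (with serial number "
                        + serialNumber + ") is stale; nextUpdate was " + nextUpdate, null, this.cp, this.certIndex);
            }
            // BouncyCastle represents GOOD as a null status object.
            CertificateStatus certStatus = singleResp.getCertStatus();
            if (certStatus == CertificateStatus.GOOD) {
                Log.debug("OCSPChecker: Status of certificate (with serial number {}) is: good", serialNumber);
                return;
            }
            if (certStatus instanceof RevokedStatus) {
                Log.debug("OCSPChecker: Status of certificate (with serial number {}) is: revoked", serialNumber);
                throw new CertPathValidatorException("Certificate has been revoked", null, this.cp, this.certIndex);
            }
            if (certStatus instanceof UnknownStatus) {
                Log.debug("OCSPChecker: Status of certificate (with serial number {}) is: unknown", serialNumber);
                throw new CertPathValidatorException("Certificate's revocation status is unknown", null, this.cp, this.certIndex);
            }
            Log.debug("Status of certificate (with serial number {}) is: not recognized", serialNumber);
            throw new CertPathValidatorException("Unknown OCSP response for certificate", null, this.cp, this.certIndex);
        }
        throw new CertPathValidatorException(
                "No certificates in the OCSP response match the certificate supplied in the OCSP request.");
    }
}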
