package sun.security.provider.certpath;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import sun.security.util.Debug;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
import sun.security.x509.CertificateIssuerName;
import sun.security.x509.Extension;
import sun.security.x509.SerialNumber;
import sun.security.x509.X509CertImpl;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:118666-04/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/rt.jar:sun/security/provider/certpath/OCSPResponse.class */
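/**
 * Parses a DER-encoded OCSP response of the "basic" type, checks its signature
 * and exposes the status of the single certificate entry it reads.
 *
 * <p>What this class checks, as visible in the code below:
 * <ul>
 *   <li>the overall response status is "successful";</li>
 *   <li>the response type is the basic-response OID;</li>
 *   <li>the current time lies inside the entry's thisUpdate/nextUpdate interval;</li>
 *   <li>no unsupported critical response extension is present;</li>
 *   <li>the signature over tbsResponseData verifies under either the issuer
 *       certificate passed in, or an embedded responder certificate that was
 *       issued by it and carries the OCSP-signing extended key usage.</li>
 * </ul>
 *
 * <p>What it does NOT check (callers have to cover these):
 * <ul>
 *   <li>the nonce extension value is read but never compared with a request
 *       nonce, so replay protection rests on the validity-interval check alone;</li>
 *   <li>the returned {@link CertId} is not matched against the certificate that
 *       was asked about, and {@link #getCertStatus(SerialNumber)} ignores its
 *       argument;</li>
 *   <li>the responderID field is parsed but not compared with the signer;</li>
 *   <li>the validity period and revocation state of an embedded responder
 *       certificate are not examined;</li>
 *   <li>the signature algorithm named in the response is used as-is, with no
 *       algorithm restrictions applied in this class.</li>
 * </ul>
 */
public class OCSPResponse {
    public static final int CERT_STATUS_GOOD = 0;
    public static final int CERT_STATUS_REVOKED = 1;
    public static final int CERT_STATUS_UNKNOWN = 2;
    private static final Debug DEBUG = Debug.getInstance("certpath");
    private static final boolean dump = false;
    private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID;
    private static final ObjectIdentifier OCSP_NONCE_EXTENSION_OID;
    private static final int OCSP_RESPONSE_OK = 0;
    // Context-specific tag numbers accepted for the responderID choice.
    private static final int NAME_TAG = 1;
    private static final int KEY_TAG = 2;
    // Extended-key-usage OID a delegated responder certificate must carry.
    private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
    // The one SingleResponse entry read from the response; set by the constructor.
    private SingleResponse singleResponse;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:118666-04/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/rt.jar:sun/security/provider/certpath/OCSPResponse$SingleResponse.class */
    /**
     * One per-certificate entry of the response: the certificate identifier,
     * its status, and the interval for which the status is asserted.
     */
    public class SingleResponse {
        private CertId certId;
        private int certStatus;
        private Date thisUpdate;
        private Date nextUpdate;

        /**
         * Parses one SingleResponse and rejects it when the current time is
         * outside its validity interval.
         *
         * @param derValue the DER value holding the entry; must be a SEQUENCE
         * @throws IOException if the encoding is not as expected, the status tag
         *         is not 0, 1 or 2, or the current time is before thisUpdate or
         *         after nextUpdate
         */
        private SingleResponse(DerValue derValue) throws IOException {
            if (derValue.tag != 48) { // 48 == 0x30, the ASN.1 SEQUENCE tag
                throw new IOException("Bad ASN.1 encoding in SingleResponse");
            }
            DerInputStream fields = derValue.data;
            this.certId = new CertId(fields.getDerValue().data);

            // The status is a tagged choice; the low five bits carry the tag number.
            DerValue statusValue = fields.getDerValue();
            byte statusTag = (byte) (statusValue.tag & 31);
            if (statusTag == CERT_STATUS_GOOD) {
                this.certStatus = CERT_STATUS_GOOD;
            } else if (statusTag == CERT_STATUS_REVOKED) {
                this.certStatus = CERT_STATUS_REVOKED;
                // The revocation time is decoded only for the debug trace.
                if (OCSPResponse.DEBUG != null) {
                    OCSPResponse.DEBUG.println("Revocation time: " + statusValue.data.getGeneralizedTime());
                }
            } else if (statusTag == CERT_STATUS_UNKNOWN) {
                this.certStatus = CERT_STATUS_UNKNOWN;
            } else {
                throw new IOException("Invalid certificate status");
            }

            this.thisUpdate = fields.getGeneralizedTime();
            if (fields.available() != 0) {
                DerValue optional = fields.getDerValue();
                if (((byte) (optional.tag & 31)) == 0) {
                    // Tag [0] is nextUpdate. The previous code returned here when
                    // nothing followed, which skipped the freshness check below in
                    // exactly the case where an expiry time had been supplied, so
                    // an out-of-date response was accepted.
                    this.nextUpdate = optional.data.getGeneralizedTime();
                }
                // Anything else that follows (per-entry extensions) is ignored.
            }

            Date now = new Date();
            if (OCSPResponse.DEBUG != null) {
                OCSPResponse.DEBUG.println("Response's validity interval is from " + this.thisUpdate + (this.nextUpdate != null ? " until " + this.nextUpdate : ""));
            }
            // The comparison uses the local clock with no skew allowance.
            boolean notYetValid = this.thisUpdate != null && now.before(this.thisUpdate);
            boolean expired = this.nextUpdate != null && now.after(this.nextUpdate);
            if (notYetValid || expired) {
                if (OCSPResponse.DEBUG != null) {
                    OCSPResponse.DEBUG.println("Response is unreliable: its validity interval is out-of-date");
                }
                throw new IOException("Response is unreliable: its validity interval is out-of-date");
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Returns the parsed status, one of the {@code CERT_STATUS_*} values. */
        public int getStatus() {
            return this.certStatus;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Returns the certificate identifier this entry refers to. */
        public CertId getCertId() {
            return this.certId;
        }

        /** Returns a multi-line description of this entry for diagnostics. */
        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("SingleResponse:  \n");
            sb.append(this.certId);
            // Read this entry's own status rather than going through the outer
            // object, whose singleResponse field is still unset while this entry
            // is being constructed.
            sb.append("\nCertStatus: " + OCSPResponse.certStatusToText(this.certStatus) + "\n");
            sb.append("thisUpdate is " + this.thisUpdate + "\n");
            if (this.nextUpdate != null) {
                sb.append("nextUpdate is " + this.nextUpdate + "\n");
            }
            return sb.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Decodes the response bytes and verifies the responder's signature.
     *
     * @param bArr the DER-encoded OCSP response
     * @param pKIXParameters validation parameters; only forwarded to
     *        {@code verifyResponse}, which does not use them
     * @param x509Certificate the certificate of the issuer whose key is trusted
     *        to sign the response, directly or through a delegated responder
     * @throws IOException declared, but every non-validator exception raised in
     *         the body is wrapped in a {@code CertPathValidatorException}
     * @throws CertPathValidatorException if the response status is not
     *         "successful", the encoding is invalid, the signer cannot be
     *         established, or the signature does not verify
     */
    public OCSPResponse(byte[] bArr, PKIXParameters pKIXParameters, X509Certificate x509Certificate) throws IOException, CertPathValidatorException {
        try {
            DerValue response = new DerValue(bArr);
            if (response.tag != 48) { // ASN.1 SEQUENCE
                throw new IOException("Bad encoding in OCSP response: expected ASN.1 SEQUENCE tag.");
            }
            DerInputStream responseFields = response.getData();
            int responseStatus = responseFields.getEnumerated();
            if (DEBUG != null) {
                DEBUG.println("OCSP response: " + responseToText(responseStatus));
            }
            if (responseStatus != OCSP_RESPONSE_OK) {
                throw new CertPathValidatorException("OCSP Response Failure: " + responseToText(responseStatus));
            }

            // responseBytes: [0] EXPLICIT SEQUENCE { responseType OID, response OCTET STRING }
            DerValue responseBytes = responseFields.getDerValue();
            if (!responseBytes.isContextSpecific((byte) 0)) {
                throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 context specific tag 0.");
            }
            DerValue responseBytesSeq = responseBytes.data.getDerValue();
            if (responseBytesSeq.tag != 48) {
                throw new IOException("Bad encoding in responseBytes element of OCSP response: expected ASN.1 SEQUENCE tag.");
            }
            DerInputStream typed = responseBytesSeq.data;
            ObjectIdentifier responseType = typed.getOID();
            if (!responseType.equals(OCSP_BASIC_RESPONSE_OID)) {
                if (DEBUG != null) {
                    DEBUG.println("OCSP response type: " + responseType);
                }
                throw new IOException("Unsupported OCSP response type: " + responseType);
            }
            if (DEBUG != null) {
                DEBUG.println("OCSP response type: basic");
            }

            // Basic response: tbsResponseData, signatureAlgorithm, signature, [0] certs (optional).
            DerValue[] basicResponse = new DerInputStream(typed.getOctetString()).getSequence(2);
            if (basicResponse.length < 3) {
                // Fail with a clear cause instead of an index error further down.
                throw new IOException("Bad encoding in OCSP response: expected tbsResponseData, signatureAlgorithm and signature elements.");
            }
            DerValue tbsResponseData = basicResponse[0];
            // Exact encoded bytes the signature is computed over.
            byte[] signedBytes = basicResponse[0].toByteArray();
            if (tbsResponseData.tag != 48) {
                throw new IOException("Bad encoding in tbsResponseData  element of OCSP response: expected ASN.1 SEQUENCE tag.");
            }
            DerInputStream tbs = tbsResponseData.data;

            // Optional explicit [0] version; decoded for well-formedness, value unused.
            DerValue element = tbs.getDerValue();
            if (element.isContextSpecific((byte) 0) && element.isConstructed()) {
                DerValue version = element.data.getDerValue();
                version.getInteger();
                if (version.data.available() != 0) {
                    throw new IOException("Bad encoding in version  element of OCSP response: bad format");
                }
                element = tbs.getDerValue();
            }

            // responderID: accepted tags are NAME_TAG (1) and KEY_TAG (2); the text
            // of the error message below says "0 or 1" and is kept as it was.
            // NOTE(review): the responder ID is only traced, never compared with
            // the certificate that ends up verifying the signature.
            byte responderTag = (byte) (element.tag & 31);
            if (responderTag == NAME_TAG) {
                CertificateIssuerName responderName = new CertificateIssuerName(element.getData());
                if (DEBUG != null) {
                    DEBUG.println("OCSP Responder name: " + responderName);
                }
            } else if (responderTag != KEY_TAG) {
                throw new IOException("Bad encoding in responderID element of OCSP response: expected ASN.1 context specific tag 0 or 1");
            }

            // producedAt: decoded to validate the encoding, value discarded.
            tbs.getDerValue().getGeneralizedTime();

            // Only the first entry of the responses sequence is read.
            this.singleResponse = new SingleResponse(tbs.getSequence(1)[0]);

            // Optional [1] responseExtensions.
            if (tbs.available() > 0) {
                DerValue extensionsValue = tbs.getDerValue();
                if (extensionsValue.isContextSpecific((byte) 1)) {
                    DerValue[] encodedExtensions = extensionsValue.data.getSequence(3);
                    for (int i = 0; i < encodedExtensions.length; i++) {
                        Extension extension = new Extension(encodedExtensions[i]);
                        if (DEBUG != null) {
                            DEBUG.println("OCSP extension: " + extension);
                        }
                        if (extension.getExtensionId().equals(OCSP_NONCE_EXTENSION_OID)) {
                            // NOTE(review): the nonce is fetched and dropped; it is
                            // not compared with any nonce sent in the request.
                            extension.getExtensionValue();
                        } else if (extension.isCritical()) {
                            throw new IOException("Unsupported OCSP criticial extension: " + extension.getExtensionId());
                        }
                    }
                }
            }

            AlgorithmId signatureAlgorithm = AlgorithmId.parse(basicResponse[1]);
            byte[] signatureBytes = basicResponse[2].getBitString();

            // Optional [0] certs: certificates supplied by the responder.
            X509CertImpl[] responderCerts = null;
            if (basicResponse.length > 3) {
                DerValue certsValue = basicResponse[3];
                if (!certsValue.isContextSpecific((byte) 0)) {
                    throw new IOException("Bad encoding in certs element of OCSP response: expected ASN.1 context specific tag 0.");
                }
                DerValue[] encodedCerts = certsValue.getData().getSequence(3);
                responderCerts = new X509CertImpl[encodedCerts.length];
                for (int i = 0; i < encodedCerts.length; i++) {
                    responderCerts[i] = new X509CertImpl(encodedCerts[i].toByteArray());
                }
            }

            // The array is null when the response carries no certs element and may
            // be empty; the previous unguarded responderCerts[0] made every such
            // response fail with a wrapped NullPointerException, although a
            // response signed directly by the issuer needs no embedded certificate.
            if (responderCerts != null && responderCerts.length > 0 && responderCerts[0] != null) {
                // Only the first embedded certificate is considered.
                X509CertImpl candidate = responderCerts[0];
                // A delegated responder: not the issuer certificate itself, but
                // naming the issuer as its own issuer. Any other embedded
                // certificate is ignored and the issuer certificate is used.
                if (!candidate.equals(x509Certificate) && candidate.getIssuerDN().equals(x509Certificate.getSubjectDN())) {
                    List<String> extendedKeyUsage = candidate.getExtendedKeyUsage();
                    if (extendedKeyUsage == null || !extendedKeyUsage.contains(KP_OCSP_SIGNING_OID)) {
                        if (DEBUG != null) {
                            DEBUG.println("Responder's certificate is not valid for signing OCSP responses.");
                        }
                        throw new CertPathValidatorException("Responder's certificate not valid for signing OCSP responses");
                    }
                    // NOTE(review): the candidate's validity period and revocation
                    // state are not checked here; only its signature by the issuer.
                    try {
                        candidate.verify(x509Certificate.getPublicKey());
                        x509Certificate = candidate;
                    } catch (GeneralSecurityException e) {
                        // Not signed by the issuer: leave no signer so that the
                        // check below rejects the response.
                        x509Certificate = null;
                    }
                }
            }
            if (x509Certificate == null) {
                if (DEBUG != null) {
                    DEBUG.println("Unable to verify OCSP Responder's signature");
                }
                throw new CertPathValidatorException("Unable to verify OCSP Responder's signature");
            }
            if (!verifyResponse(signedBytes, x509Certificate, signatureAlgorithm, signatureBytes, pKIXParameters)) {
                if (DEBUG != null) {
                    DEBUG.println("Error verifying OCSP Responder's signature");
                }
                throw new CertPathValidatorException("Error verifying OCSP Responder's signature");
            }
        } catch (CertPathValidatorException e2) {
            throw e2;
        } catch (Exception e3) {
            // Parsing and runtime failures all surface as validation failures.
            throw new CertPathValidatorException(e3);
        }
    }

    /**
     * Verifies the signature over the encoded tbsResponseData.
     *
     * @param bArr the signed bytes
     * @param x509Certificate certificate whose public key verifies the signature
     * @param algorithmId signature algorithm as named in the response; it is used
     *        without any restriction on which algorithms are acceptable
     * @param bArr2 the signature value
     * @param pKIXParameters not used by this method
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws SignatureException if the signature cannot be processed, the key is
     *         invalid, or the algorithm is not available
     */
    private boolean verifyResponse(byte[] bArr, X509Certificate x509Certificate, AlgorithmId algorithmId, byte[] bArr2, PKIXParameters pKIXParameters) throws SignatureException {
        try {
            Signature verifier = Signature.getInstance(algorithmId.getName());
            verifier.initVerify(x509Certificate);
            verifier.update(bArr);
            boolean verified = verifier.verify(bArr2);
            if (DEBUG != null) {
                DEBUG.println(verified ? "Verified signature of OCSP Responder" : "Error verifying signature of OCSP Responder");
            }
            return verified;
        } catch (InvalidKeyException e) {
            throw new SignatureException(e);
        } catch (NoSuchAlgorithmException e2) {
            throw new SignatureException(e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the status of the single entry that was parsed.
     *
     * @param serialNumber ignored; the status is not looked up by serial number,
     *        so callers should compare {@link #getCertId()} with the certificate
     *        they asked about before trusting the result
     * @return one of the {@code CERT_STATUS_*} values
     */
    public int getCertStatus(SerialNumber serialNumber) {
        return this.singleResponse.getStatus();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the certificate identifier of the single entry that was parsed. */
    public CertId getCertId() {
        return this.singleResponse.getCertId();
    }

    /**
     * Maps an OCSP response status code to a short description.
     *
     * @param i the response status code
     * @return the description, or a message containing the code if it is not 0-6
     */
    private static String responseToText(int i) {
        switch (i) {
            case 0:
                return "Successful";
            case 1:
                return "Malformed request";
            case 2:
                return "Internal error";
            case 3:
                return "Try again later";
            case 4:
                return "Unused status code";
            case 5:
                return "Request must be signed";
            case 6:
                return "Request is unauthorized";
            default:
                return "Unknown status code: " + i;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Maps a {@code CERT_STATUS_*} value to a short description.
     *
     * @param i the certificate status code
     * @return the description, or a message containing the code if it is not 0-2
     */
    public static String certStatusToText(int i) {
        switch (i) {
            case CERT_STATUS_GOOD:
                return "Good";
            case CERT_STATUS_REVOKED:
                return "Revoked";
            case CERT_STATUS_UNKNOWN:
                return "Unknown";
            default:
                return "Unknown certificate status code: " + i;
        }
    }

    static {
        ObjectIdentifier basicResponseOid = null;
        ObjectIdentifier nonceExtensionOid = null;
        try {
            basicResponseOid = new ObjectIdentifier("1.3.6.1.5.5.7.48.1.1");
            nonceExtensionOid = new ObjectIdentifier("1.3.6.1.5.5.7.48.1.2");
        } catch (Exception ignored) {
            // Deliberately ignored: the OID strings are constants. If construction
            // did fail, the constants stay null and the response-type comparison
            // in the constructor would not match, so responses would be rejected
            // rather than accepted.
        }
        OCSP_BASIC_RESPONSE_OID = basicResponseOid;
        OCSP_NONCE_EXTENSION_OID = nonceExtensionOid;
    }
}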
