package br.net.woodstock.rockframework.security.cert.impl;

import br.net.woodstock.rockframework.security.cert.CertificateException;
import br.net.woodstock.rockframework.security.cert.CertificateValidator;
import br.net.woodstock.rockframework.security.cert.ValidationError;
import br.net.woodstock.rockframework.security.util.BouncyCastleProviderHelper;
import br.net.woodstock.rockframework.util.Assert;
import br.net.woodstock.rockframework.utils.Base64Utils;
import br.net.woodstock.rockframework.utils.CollectionUtils;
import br.net.woodstock.rockframework.utils.ConditionUtils;
import br.net.woodstock.rockframework.utils.IOUtils;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.URL;
import java.net.URLConnection;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

/* loaded from: input_file:br/net/woodstock/rockframework/security/cert/impl/OCSPCertificateValidator.class */
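/**
 * Validates the first certificate of a chain against an OCSP responder.
 *
 * <p>The chain must contain at least the end-entity certificate followed by its issuer.
 * The responder URL is either the one given to the constructor or the first OCSP
 * {@code AuthorityInformationAccess} entry of the certificate.</p>
 *
 * <p>A response is accepted only when its status is {@code successful}, its signature
 * verifies under the issuer key (or under a responder certificate issued by the issuer
 * and carrying the {@code id-kp-OCSPSigning} extended key usage), the nonce echoes the
 * one sent, the single response covers the requested certificate, it is within its
 * {@code thisUpdate}/{@code nextUpdate} window and its status is {@code good}.</p>
 *
 * <p>Thread-safety: instances are immutable after construction; {@link #RANDOM} is
 * shared and {@code SecureRandom} is thread-safe.</p>
 */
public class OCSPCertificateValidator implements CertificateValidator {
    public static final String VALIDATOR_NAME = "OCSP Validator";
    private static final String CONTENT_TYPE_PROPERTY = "Content-Type";
    private static final String CONTENT_TYPE_VALUE = "application/ocsp-request";
    private static final String CONTENT_TRANSFER_ENCODING_PROPERTY = "Content-Transfer-Encoding";
    private static final String CONTENT_TRANSFER_ENCODING_BINARY = "binary";
    /** Length in bytes of the CSPRNG-generated request nonce. */
    private static final int NONCE_SIZE = 16;
    /** Tolerance applied to thisUpdate/nextUpdate comparisons (constructed default: 5 minutes). */
    private static final long MAX_CLOCK_SKEW_MILLIS = 5L * 60L * 1000L;
    private static final SecureRandom RANDOM = new SecureRandom();
    private URL url;

    /** Creates a validator that discovers the responder URL from the certificate's AIA extension. */
    public OCSPCertificateValidator() {
    }

    /**
     * Creates a validator that always queries the given responder.
     *
     * @param url responder URL, must not be null
     */
    public OCSPCertificateValidator(URL url) {
        Assert.notNull(url, "url");
        this.url = url;
    }

    /**
     * Validates {@code certificateArr[0]} using {@code certificateArr[1]} as its issuer.
     *
     * @param certificateArr chain whose first two elements are X.509 certificates
     * @return an empty array when the certificate is good, otherwise one {@link ValidationError}
     * @throws CertificateException when the request, transport or response parsing fails
     */
    @Override // br.net.woodstock.rockframework.security.cert.CertificateValidator
    public ValidationError[] validate(Certificate[] certificateArr) {
        Assert.notEmpty(certificateArr, "chain");
        if (certificateArr.length < 2) {
            return error("Certificate chain must be greater than 1(certificate and issuer certificate");
        }
        try {
            X509Certificate subject = (X509Certificate) certificateArr[0];
            X509Certificate issuer = (X509Certificate) certificateArr[1];
            URL responder = resolveUrl(subject);
            if (responder == null) {
                return error("No url found for validation");
            }
            OCSPReq request = buildRequest(subject, issuer);
            OCSPResp response = sendRequest(request, responder);
            if (response.getStatus() != OCSPResp.SUCCESSFUL) {
                return error("Certificate not valid");
            }
            // The response status only says the responder could answer; the certificate
            // status, signature, nonce and freshness live in the BasicOCSPResp.
            String failure = checkResponse(request, response, subject, issuer);
            return failure == null ? new ValidationError[0] : error(failure);
        } catch (Exception e) {
            // Boundary catch: any failure is reported through the framework's exception type.
            throw new CertificateException(e);
        }
    }

    /** Builds the single-error result used by {@link #validate(Certificate[])}. */
    private ValidationError[] error(String message) {
        return new ValidationError[]{new ValidationError(VALIDATOR_NAME, message)};
    }

    /**
     * Returns the configured URL, else the first OCSP AIA URL of the certificate, else null.
     *
     * @throws IOException when the AIA extension cannot be decoded
     */
    private URL resolveUrl(X509Certificate subject) throws IOException {
        if (this.url != null) {
            return this.url;
        }
        URL[] candidates = getOCSPUrl(subject);
        return ConditionUtils.isNotEmpty(candidates) ? candidates[0] : null;
    }

    /**
     * Builds an OCSP request for {@code x509Certificate} issued by {@code x509Certificate2}
     * carrying a fresh random nonce.
     *
     * @param x509Certificate  certificate whose status is queried
     * @param x509Certificate2 its issuer
     * @return the unsigned request
     * @throws CertificateEncodingException when the issuer cannot be DER-encoded
     * @throws IOException                  when the nonce extension cannot be encoded
     * @throws OperatorCreationException    when the SHA-1 digest calculator is unavailable
     * @throws OCSPException                when the certificate id cannot be built
     */
    protected OCSPReq buildRequest(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertificateEncodingException, IOException, OperatorCreationException, OCSPException {
        X509CertificateHolder issuerHolder = new X509CertificateHolder(x509Certificate2.getEncoded());
        OCSPReqBuilder builder = new OCSPReqBuilder();
        builder.addRequest(createCertificateId(x509Certificate, issuerHolder));
        // A CSPRNG nonce (not a timestamp) so a captured response cannot be replayed later.
        byte[] nonce = new byte[NONCE_SIZE];
        RANDOM.nextBytes(nonce);
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        extensions.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce));
        // The generated extensions must be attached, otherwise the nonce never leaves this method.
        builder.setRequestExtensions(extensions.generate());
        return builder.build();
    }

    /**
     * Builds the SHA-1 {@link CertificateID} that identifies {@code subject} under {@code issuer}.
     *
     * @throws OperatorCreationException when the digest calculator is unavailable
     * @throws OCSPException             when the id cannot be built
     */
    protected CertificateID createCertificateId(X509Certificate subject, X509CertificateHolder issuer) throws OperatorCreationException, OCSPException {
        BcDigestCalculatorProvider digests = new BcDigestCalculatorProvider();
        return new CertificateID(digests.get(CertificateID.HASH_SHA1), issuer, subject.getSerialNumber());
    }

    /**
     * Checks a successful response and returns a failure message, or null when the
     * certificate is reported good.
     *
     * @param request  the request that was sent (used for the nonce)
     * @param response the responder's answer, status already known to be successful
     * @param subject  certificate whose status was requested
     * @param issuer   its issuer, the trust anchor for the response signature
     * @return null when valid, otherwise a human-readable reason
     * @throws CertificateEncodingException             when the issuer cannot be DER-encoded
     * @throws OCSPException                            when the response cannot be parsed or verified
     * @throws OperatorCreationException                when a verifier cannot be created
     * @throws CertException                            when a responder certificate cannot be verified
     * @throws java.security.cert.CertificateException  when a responder certificate cannot be converted
     */
    protected String checkResponse(OCSPReq request, OCSPResp response, X509Certificate subject, X509Certificate issuer) throws CertificateEncodingException, OCSPException, OperatorCreationException, CertException, java.security.cert.CertificateException {
        Object responseObject = response.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            return "Unsupported OCSP response type";
        }
        BasicOCSPResp basic = (BasicOCSPResp) responseObject;
        if (!isSignedByTrustedResponder(basic, issuer)) {
            return "OCSP response signature is not valid";
        }
        if (!nonceMatches(request, basic)) {
            return "OCSP response nonce does not match request";
        }
        X509CertificateHolder issuerHolder = new X509CertificateHolder(issuer.getEncoded());
        CertificateID expected = createCertificateId(subject, issuerHolder);
        SingleResp match = null;
        for (SingleResp single : basic.getResponses()) {
            if (expected.equals(single.getCertID())) {
                match = single;
                break;
            }
        }
        if (match == null) {
            return "OCSP response does not cover the requested certificate";
        }
        if (!isFresh(match)) {
            return "OCSP response is outside its validity window";
        }
        // BouncyCastle models "good" as a null status; revoked/unknown are non-null objects.
        if (match.getCertStatus() != CertificateStatus.GOOD) {
            return "Certificate not valid";
        }
        return null;
    }

    /**
     * Verifies the response signature under the issuer key, or under a responder
     * certificate embedded in the response that is itself signed by the issuer,
     * currently valid and marked for {@code id-kp-OCSPSigning}.
     *
     * @return true when the signature is acceptable
     * @throws OperatorCreationException                when a verifier cannot be created
     * @throws OCSPException                            when the response signature cannot be checked
     * @throws CertException                            when a responder certificate cannot be checked
     * @throws java.security.cert.CertificateException  when a responder certificate cannot be converted
     */
    protected boolean isSignedByTrustedResponder(BasicOCSPResp basic, X509Certificate issuer) throws OperatorCreationException, OCSPException, CertException, java.security.cert.CertificateException {
        JcaContentVerifierProviderBuilder verifiers = new JcaContentVerifierProviderBuilder();
        if (basic.isSignatureValid(verifiers.build(issuer.getPublicKey()))) {
            return true;
        }
        X509CertificateHolder[] candidates = basic.getCerts();
        if (candidates == null) {
            return false;
        }
        Date now = new Date();
        for (X509CertificateHolder candidate : candidates) {
            // Delegated responder: must chain to the issuer and be explicitly authorised for OCSP signing.
            if (!candidate.isValidOn(now) || !candidate.isSignatureValid(verifiers.build(issuer.getPublicKey()))) {
                continue;
            }
            Extension ekuExtension = candidate.getExtension(Extension.extendedKeyUsage);
            if (ekuExtension == null) {
                continue;
            }
            ExtendedKeyUsage eku = ExtendedKeyUsage.getInstance(ekuExtension.getParsedValue());
            if (eku == null || !eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) {
                continue;
            }
            if (basic.isSignatureValid(verifiers.build(candidate))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares the nonce extension of the request with the one echoed in the response.
     *
     * @return true when both carry the same nonce, or when either side has none
     */
    protected boolean nonceMatches(OCSPReq request, BasicOCSPResp response) {
        Extension sent = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        Extension received = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (sent == null || received == null) {
            // NOTE(review): responders serving pre-produced answers omit the nonce; freshness is
            // then bounded only by thisUpdate/nextUpdate. Tighten to "required" if policy demands it.
            return true;
        }
        return Arrays.equals(sent.getExtnValue().getOctets(), received.getExtnValue().getOctets());
    }

    /**
     * Checks that {@code thisUpdate} is not in the future and {@code nextUpdate}, when
     * present, has not passed, both within {@link #MAX_CLOCK_SKEW_MILLIS}.
     */
    protected boolean isFresh(SingleResp single) {
        long now = System.currentTimeMillis();
        Date thisUpdate = single.getThisUpdate();
        Date nextUpdate = single.getNextUpdate();
        if (thisUpdate != null && thisUpdate.getTime() - MAX_CLOCK_SKEW_MILLIS > now) {
            return false;
        }
        if (nextUpdate != null && nextUpdate.getTime() + MAX_CLOCK_SKEW_MILLIS < now) {
            return false;
        }
        return true;
    }

    /**
     * Posts the DER-encoded request to {@code url} and parses the reply.
     *
     * @param oCSPReq request to send
     * @param url     responder URL
     * @return the parsed response
     * @throws IOException on transport failure or when the reply is not an OCSP response
     */
    protected OCSPResp sendRequest(OCSPReq oCSPReq, URL url) throws IOException {
        URLConnection connection = url.openConnection();
        connection.setDoInput(true);
        connection.setDoOutput(true);
        connection.setUseCaches(false);
        setConnectionProperties(connection);
        OutputStream out = connection.getOutputStream();
        try {
            writeBytes(out, oCSPReq.getEncoded());
        } finally {
            // Closed on every path so a failed write does not leak the connection.
            out.close();
        }
        InputStream in = connection.getInputStream();
        try {
            return new OCSPResp(readBytes(in, connection.getContentEncoding()));
        } finally {
            in.close();
        }
    }

    /**
     * Sets the request headers an OCSP responder expects for a binary POST body.
     *
     * @param uRLConnection connection to configure before the body is written
     */
    protected void setConnectionProperties(URLConnection uRLConnection) {
        uRLConnection.setRequestProperty(CONTENT_TYPE_PROPERTY, CONTENT_TYPE_VALUE);
        uRLConnection.setRequestProperty(CONTENT_TRANSFER_ENCODING_PROPERTY, CONTENT_TRANSFER_ENCODING_BINARY);
    }

    /**
     * Writes the request body; overridable hook for subclasses.
     *
     * @throws IOException when the write fails
     */
    protected void writeBytes(OutputStream outputStream, byte[] bArr) throws IOException {
        outputStream.write(bArr);
    }

    /**
     * Reads the whole response body, base64-decoding it when the transfer encoding says so.
     *
     * @param inputStream response body
     * @param str         value of the connection's content encoding, may be null
     * @return raw DER bytes of the response
     * @throws IOException when the body cannot be read
     */
    protected byte[] readBytes(InputStream inputStream, String str) throws IOException {
        byte[] body = IOUtils.toByteArray(inputStream);
        if ("base64".equals(str)) {
            return Base64Utils.fromBase64(body);
        }
        return body;
    }

    /**
     * Extracts the OCSP responder URLs from the certificate's AuthorityInformationAccess
     * extension, in the order they are listed and without duplicates.
     *
     * @param certificate an X.509 certificate
     * @return the URLs, empty when the extension is absent or names no OCSP URI
     * @throws IOException when the extension cannot be decoded or a URL is malformed
     */
    public static URL[] getOCSPUrl(Certificate certificate) throws IOException {
        byte[] extensionValue = ((X509Certificate) certificate).getExtensionValue(X509Extension.authorityInfoAccess.getId());
        if (extensionValue == null) {
            return new URL[0];
        }
        AuthorityInformationAccess access = AuthorityInformationAccess.getInstance(
                BouncyCastleProviderHelper.toASN1Primitive(BouncyCastleProviderHelper.toASN1Primitive(extensionValue).getOctets()));
        // Insertion-ordered so the first AIA entry is the one callers pick.
        Set<URL> urls = new LinkedHashSet<URL>();
        for (AccessDescription description : access.getAccessDescriptions()) {
            if (!AccessDescription.id_ad_ocsp.equals(description.getAccessMethod())) {
                continue;
            }
            GeneralName location = description.getAccessLocation();
            // Only uniformResourceIdentifier names decode as IA5String; other name forms are skipped.
            if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            urls.add(new URL(DERIA5String.getInstance(location.getName()).getString()));
        }
        return urls.toArray(new URL[urls.size()]);
    }
}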
