package org.xipki.ocsp.client.shell;

import java.io.File;
import java.math.BigInteger;
import java.net.URL;
import java.security.MessageDigest;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Reference;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers;
import org.bouncycastle.asn1.isismtt.ocsp.CertHash;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.AttributeCertificateIssuer;
import org.bouncycastle.cert.X509AttributeCertificateHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.xipki.ocsp.client.OcspRequestor;
import org.xipki.ocsp.client.OcspResponseException;
import org.xipki.ocsp.client.RequestOptions;
import org.xipki.security.CrlReason;
import org.xipki.security.HashAlgo;
import org.xipki.security.IssuerHash;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SecurityFactory;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.shell.CmdFailure;
import org.xipki.shell.Completers;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.shell.XiAction;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.Hex;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.ReqRespDebug;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/ocsp/client/shell/Actions.class */
public class Actions {

    /* loaded from: input_file:org/xipki/ocsp/client/shell/Actions$BaseOcspStatusAction.class */
    public static abstract class BaseOcspStatusAction extends CommonOcspStatusAction {
        // Display names for OCSP extension OIDs; populated by this class's static initializer.
        protected static final Map<ASN1ObjectIdentifier, String> EXTENSION_OIDNAME_MAP = new HashMap();

        // Optional certificate of the responder's issuer. execute0() parses it and hands it to
        // checkParameters()/processResponse(); when the option is absent, null is passed instead.
        @Option(name = "--resp-issuer", description = "certificate file of the responder's issuer")
        @Completion(FileCompleter.class)
        private String respIssuerFile;

        // Explicit responder URL. When blank and certificate files are given, execute0() falls
        // back to the first OCSP URL found in the certificates' AuthorityInfoAccess extension.
        @Option(name = "--url", description = "OCSP responder URL")
        private String serverUrl;

        // Output path for the encoded request; written by execute0() via IoUtil.save when set.
        @Option(name = "--req-out", description = "where to save the request")
        @Completion(FileCompleter.class)
        private String reqout;

        // Output path for the encoded response; written by execute0() via IoUtil.save when set.
        @Option(name = "--resp-out", description = "where to save the response")
        @Completion(FileCompleter.class)
        private String respout;

        // Parsed by execute0() only when no certificate file is given; tokens are split on ','
        // and ' ', and a "from-to" token is expanded into the individual serial numbers.
        @Option(name = "--serial", aliases = {"-s"}, description = "comma-separated serial numbers or ranges (like 1,3,6-10)\n(at least one of serial and cert must be specified)")
        private String serialNumberList;

        // Certificates whose status is queried; each one must be issued by the --issuer certificate.
        @Option(name = "--cert", aliases = {"-c"}, multiValued = true, description = "certificate files")
        @Completion(FileCompleter.class)
        private List<String> certFiles;

        // Injected client that sends the OCSP request (see requestor.ask(...) in execute0()).
        @Reference
        private OcspRequestor requestor;

        // Protected so that subclasses can decide how much detail to print.
        @Option(name = "--verbose", aliases = {"-v"}, description = "show status verbosely")
        protected Boolean verbose = Boolean.FALSE;

        // Passed to toBigInt(...) when the --serial tokens are converted.
        @Option(name = "--hex", description = "serial number without prefix is hex number")
        private Boolean hex = Boolean.FALSE;

        // Switches the --cert files to be parsed as X509AttributeCertificateHolder.
        // NOTE(review): a FileCompleter on a Boolean flag looks unintended - confirm against upstream.
        @Option(name = "--ac", description = "the certificates are attribute certificates")
        @Completion(FileCompleter.class)
        private Boolean isAttrCert = Boolean.FALSE;

        /* loaded from: input_file:org/xipki/ocsp/client/shell/Actions$BaseOcspStatusAction$BigIntegerRange.class */
        /**
         * Closed interval {@code [from, to]} of serial numbers; {@code diff} holds {@code to - from}.
         */
        private static class BigIntegerRange {
            private final BigInteger from;
            private final BigInteger to;
            private final BigInteger diff;

            /**
             * @param lower inclusive lower bound
             * @param upper inclusive upper bound
             * @throws IllegalArgumentException if {@code lower} is greater than {@code upper}
             */
            BigIntegerRange(BigInteger lower, BigInteger upper) {
                boolean reversed = upper.compareTo(lower) < 0;
                if (reversed) {
                    throw new IllegalArgumentException("from (" + lower + ") may not be larger than to (" + upper + ")");
                }
                this.from = lower;
                this.to = upper;
                this.diff = upper.subtract(lower);
            }

            /** Returns {@code true} when {@code value} lies between both bounds, bounds included. */
            boolean isInRange(BigInteger value) {
                if (value.compareTo(this.from) < 0) {
                    return false;
                }
                return value.compareTo(this.to) <= 0;
            }
        }

        /**
         * Hook called by {@code execute0()} before the request is sent, so a subclass can reject
         * an unusable parameter combination.
         *
         * @param x509Certificate certificate parsed from {@code --resp-issuer}, or {@code null}
         *     when that option was not given
         * @param list serial numbers that will be put into the request
         * @param map content of each {@code --cert} file keyed by serial number, or {@code null}
         *     when only {@code --serial} was given
         */
        protected abstract void checkParameters(X509Certificate x509Certificate, List<BigInteger> list, Map<BigInteger, byte[]> map) throws Exception;

        /**
         * Hook called by {@code execute0()} with the response returned by the requestor.
         *
         * @param oCSPResp response returned by {@code OcspRequestor.ask}
         * @param x509Certificate certificate parsed from {@code --resp-issuer}, or {@code null}
         * @param issuerHash hash of the {@code --issuer} certificate, computed with the hash
         *     algorithm of the request options
         * @param list serial numbers that were requested
         * @param map content of each {@code --cert} file keyed by serial number, or {@code null}
         */
        protected abstract void processResponse(OCSPResp oCSPResp, X509Certificate x509Certificate, IssuerHash issuerHash, List<BigInteger> list, Map<BigInteger, byte[]> map) throws Exception;

        /* JADX WARN: Finally extract failed */
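        /**
         * Collects the serial numbers to query, sends one OCSP request through the injected
         * requestor and passes the response to {@link #processResponse}.
         *
         * <p>Serial numbers come either from the {@code --cert} files (each file must be issued
         * by the {@code --issuer} certificate) or, when no file is given, from {@code --serial}.
         * A {@code from-to} range may span a difference of at most 10.
         *
         * <p>When {@code --url} is blank the responder URL is taken from the first certificate's
         * AuthorityInfoAccess extension, and all given certificates must name the same URL.
         *
         * <p>The request and response captured by {@code ReqRespDebug} are written to
         * {@code --req-out} / {@code --resp-out} whether or not the request succeeded.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if neither serial numbers nor certificates are given,
         *     a certificate is not issued by the given issuer, the certificates disagree on the
         *     responder URL, no responder URL can be determined, or a range is too large
         * @throws IllegalArgumentException if a range's lower bound exceeds its upper bound
         */
        protected final Object execute0() throws Exception {
            if (StringUtil.isBlank(this.serialNumberList) && isEmpty(this.certFiles)) {
                throw new IllegalCmdParamException("Neither serialNumbers nor certFiles is set");
            }

            X509Certificate issuerCert = X509Util.parseCert(new File(this.issuerCertFile));
            Map<BigInteger, byte[]> encodedCerts = null;
            List<BigInteger> serialNumbers = new LinkedList<BigInteger>();

            if (isNotEmpty(this.certFiles)) {
                encodedCerts = new HashMap<BigInteger, byte[]>(this.certFiles.size());
                String urlFromCerts = null;
                X500Name issuerName = null;

                for (String certFile : this.certFiles) {
                    List<String> ocspUrls;
                    BigInteger serialNumber;

                    if (this.isAttrCert.booleanValue()) {
                        if (issuerName == null) {
                            issuerName = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
                        }
                        X509AttributeCertificateHolder attrCert = new X509AttributeCertificateHolder(IoUtil.read(certFile));
                        AttributeCertificateIssuer acIssuer = attrCert.getIssuer();
                        // Name comparison only: the attribute certificate's signature is not
                        // verified here, so this does not prove the file is authentic.
                        if (acIssuer != null && issuerName != null) {
                            X500Name[] acIssuerNames = acIssuer.getNames();
                            // An issuer without any name cannot match; report it as a parameter
                            // error instead of failing on the array index.
                            if (acIssuerNames == null || acIssuerNames.length == 0 || !issuerName.equals(acIssuerNames[0])) {
                                throw new IllegalCmdParamException("certificate " + certFile + " is not issued by the given issuer");
                            }
                        }
                        ocspUrls = extractOcspUrls(attrCert);
                        serialNumber = attrCert.getSerialNumber();
                    } else {
                        X509Certificate cert = X509Util.parseCert(new File(certFile));
                        // NOTE(review): X509Util.issues is defined elsewhere; whether it verifies
                        // the certificate's signature is not visible here - confirm.
                        if (!X509Util.issues(issuerCert, cert)) {
                            throw new IllegalCmdParamException("certificate " + certFile + " is not issued by the given issuer");
                        }
                        ocspUrls = extractOcspUrls(cert);
                        serialNumber = cert.getSerialNumber();
                    }

                    if (isBlank(this.serverUrl)) {
                        if (CollectionUtil.isEmpty(ocspUrls)) {
                            throw new IllegalCmdParamException("could not extract OCSP responder URL");
                        }
                        String firstUrl = ocspUrls.get(0);
                        if (urlFromCerts != null && !urlFromCerts.equals(firstUrl)) {
                            throw new IllegalCmdParamException("given certificates have different OCSP responder URL in certificate");
                        }
                        urlFromCerts = firstUrl;
                    }

                    serialNumbers.add(serialNumber);
                    // NOTE(review): this stores the file content as read from disk, not a
                    // re-encoding of the parsed certificate; confirm the CertHash comparison in
                    // subclasses expects exactly these bytes.
                    encodedCerts.put(serialNumber, IoUtil.read(certFile));
                }

                if (isBlank(this.serverUrl)) {
                    this.serverUrl = urlFromCerts;
                }
            } else {
                BigInteger maxRangeDiff = BigInteger.valueOf(10L);
                StringTokenizer tokens = new StringTokenizer(this.serialNumberList, ", ");
                while (tokens.hasMoreTokens()) {
                    StringTokenizer bounds = new StringTokenizer(tokens.nextToken(), "-");
                    BigInteger lower = toBigInt(bounds.nextToken(), this.hex.booleanValue());
                    BigInteger upper = bounds.hasMoreTokens() ? toBigInt(bounds.nextToken(), this.hex.booleanValue()) : null;
                    if (upper == null) {
                        serialNumbers.add(lower);
                        continue;
                    }

                    BigIntegerRange range = new BigIntegerRange(lower, upper);
                    if (range.diff.compareTo(maxRangeDiff) > 0) {
                        throw new IllegalCmdParamException("to many serial numbers");
                    }
                    // Terminates once the cursor passes range.to; the previous while(true) form
                    // had no exit and spun forever after the last serial number was added.
                    for (BigInteger sn = range.from; range.isInRange(sn); sn = sn.add(BigInteger.ONE)) {
                        serialNumbers.add(sn);
                    }
                }
            }

            if (isBlank(this.serverUrl)) {
                throw new IllegalCmdParamException("could not get URL for the OCSP responder");
            }

            X509Certificate respIssuer = this.respIssuerFile != null ? X509Util.parseCert(new File(this.respIssuerFile)) : null;
            // NOTE(review): when --url is blank this value comes from the certificate's AIA
            // extension, i.e. from the certificate file itself. No scheme restriction is applied
            // here; confirm the requestor only talks HTTP(S).
            URL responderUrl = new URL(this.serverUrl);
            RequestOptions options = getRequestOptions();
            checkParameters(respIssuer, serialNumbers, encodedCerts);

            boolean saveRequest = isNotBlank(this.reqout);
            boolean saveResponse = isNotBlank(this.respout);
            ReqRespDebug debug = (saveRequest || saveResponse) ? new ReqRespDebug(saveRequest, saveResponse) : null;
            IssuerHash issuerHash = new IssuerHash(HashAlgo.getNonNullInstance(options.getHashAlgorithmId()), Certificate.getInstance(issuerCert.getEncoded()));

            OCSPResp response;
            try {
                response = this.requestor.ask(issuerCert, serialNumbers.toArray(new BigInteger[0]), responderUrl, options, debug);
            } finally {
                // Persist whatever was exchanged even when ask() failed, so it can be inspected.
                if (debug != null && debug.size() > 0) {
                    ReqRespDebug.ReqRespPair pair = debug.get(0);
                    if (saveRequest) {
                        byte[] requestBytes = pair.getRequest();
                        if (requestBytes != null) {
                            IoUtil.save(this.reqout, requestBytes);
                        }
                    }
                    if (saveResponse) {
                        byte[] responseBytes = pair.getResponse();
                        if (responseBytes != null) {
                            IoUtil.save(this.respout, responseBytes);
                        }
                    }
                }
            }

            processResponse(response, respIssuer, issuerHash, serialNumbers, encodedCerts);
            return null;
        }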

        /**
         * Returns the OCSP responder URIs named in the certificate's AuthorityInfoAccess
         * extension, or an empty list when the certificate has no such extension.
         *
         * <p>The returned values are taken verbatim from the certificate.
         */
        public static List<String> extractOcspUrls(X509Certificate x509Certificate) throws CertificateEncodingException {
            byte[] aiaValue = X509Util.getCoreExtValue(x509Certificate, Extension.authorityInfoAccess);
            if (aiaValue == null) {
                return Collections.emptyList();
            }
            return extractOcspUrls(AuthorityInformationAccess.getInstance(aiaValue));
        }

        /**
         * Returns the OCSP responder URIs named in the attribute certificate's
         * AuthorityInfoAccess extension, or an empty list when it has no such extension.
         *
         * <p>The returned values are taken verbatim from the attribute certificate.
         */
        public static List<String> extractOcspUrls(X509AttributeCertificateHolder x509AttributeCertificateHolder) throws CertificateEncodingException {
            byte[] aiaValue = X509Util.getCoreExtValue(x509AttributeCertificateHolder, Extension.authorityInfoAccess);
            if (aiaValue == null) {
                return Collections.emptyList();
            }
            return extractOcspUrls(AuthorityInformationAccess.getInstance(aiaValue));
        }

        /**
         * Collects the access locations of all {@code id-ad-ocsp} entries that are encoded as a
         * uniformResourceIdentifier, in the order they appear in the extension.
         *
         * @param authorityInformationAccess decoded AuthorityInfoAccess extension
         * @return the URI strings; empty when no entry qualifies
         */
        public static List<String> extractOcspUrls(AuthorityInformationAccess authorityInformationAccess) throws CertificateEncodingException {
            List<String> urls = new ArrayList<String>();
            for (AccessDescription description : authorityInformationAccess.getAccessDescriptions()) {
                if (!description.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_ocsp)) {
                    continue;
                }
                GeneralName location = description.getAccessLocation();
                // Other GeneralName forms (directoryName, dNSName, ...) are not URLs and are skipped.
                if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    // NOTE(review): getName() is declared as ASN1Encodable in BouncyCastle, so the
                    // original source presumably cast it to an ASN.1 string type - confirm upstream.
                    urls.add(location.getName().getString());
                }
            }
            return urls;
        }

        // Registers a readable name for each OCSP extension OID known to this shell. Lookups in
        // EXTENSION_OIDNAME_MAP that miss fall back to printing the dotted OID.
        static {
            EXTENSION_OIDNAME_MAP.put(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff, "ArchiveCutoff");
            EXTENSION_OIDNAME_MAP.put(OCSPObjectIdentifiers.id_pkix_ocsp_crl, "CrlID");
            EXTENSION_OIDNAME_MAP.put(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, "Nonce");
            EXTENSION_OIDNAME_MAP.put(ObjectIdentifiers.Extn.id_pkix_ocsp_extendedRevoke, "ExtendedRevoke");
        }
    }

    /* loaded from: input_file:org/xipki/ocsp/client/shell/Actions$CommonOcspStatusAction.class */
    /**
     * Command-line options shared by the OCSP status commands, plus the translation of those
     * options into a {@link RequestOptions} object.
     */
    public static abstract class CommonOcspStatusAction extends XiAction {

        // Certificate of the CA that issued the certificates being queried.
        @Option(name = "--issuer", aliases = {"-i"}, required = true, description = "issuer certificate file")
        @Completion(FileCompleter.class)
        protected String issuerCertFile;

        // Optional; only forwarded to RequestOptions when the user supplied a value.
        @Option(name = "--nonce-len", description = "nonce length in octects")
        protected Integer nonceLen;

        @Option(name = "--sig-alg", multiValued = true, description = "comma-separated preferred signature algorithms")
        @Completion(Completers.SigAlgCompleter.class)
        protected List<String> prefSigAlgs;

        // Off by default. A nonce ties a response to this particular request; how the option is
        // enforced is up to the consumer of RequestOptions and is not visible in this class.
        @Option(name = "--nonce", description = "use nonce")
        protected Boolean usenonce = Boolean.FALSE;

        // Relaxes the nonce requirement on the response side; off by default.
        @Option(name = "--allow-no-nonce-in-resp", description = "allow response without nonce, only applied if request has nonce.")
        protected Boolean allowNoNonceInResponse = Boolean.FALSE;

        // Resolved through AlgorithmUtil.getHashAlg when the request options are built.
        @Option(name = "--hash", description = "hash algorithm name")
        @Completion(Completers.HashAlgCompleter.class)
        protected String hashAlgo = "SHA256";

        @Option(name = "--http-get", description = "use HTTP GET for small request")
        protected Boolean useHttpGetForSmallRequest = Boolean.FALSE;

        @Option(name = "--sign", description = "sign request")
        protected Boolean signRequest = Boolean.FALSE;

        /**
         * Builds the request options from the command-line flags of this action.
         *
         * @return a new {@link RequestOptions}; nonce length and preferred signature algorithms
         *     are only set when the corresponding option was given
         * @throws Exception if the hash algorithm name cannot be resolved
         */
        protected RequestOptions getRequestOptions() throws Exception {
            RequestOptions options = new RequestOptions();

            options.setUseNonce(usenonce);
            if (nonceLen != null) {
                options.setNonceLen(nonceLen);
            }
            options.setAllowNoNonceInResponse(allowNoNonceInResponse);
            options.setHashAlgorithmId(AlgorithmUtil.getHashAlg(hashAlgo));
            options.setSignRequest(signRequest);
            options.setUseHttpGetForRequest(useHttpGetForSmallRequest);

            if (!isNotEmpty(prefSigAlgs)) {
                return options;
            }
            String[] preferred = prefSigAlgs.toArray(new String[0]);
            options.setPreferredSignatureAlgorithms(preferred);
            return options;
        }
    }

    @Service
    @Command(scope = "xi", name = "ocsp-status", description = "request certificate status")
    /* loaded from: input_file:org/xipki/ocsp/client/shell/Actions$OcspStatus.class */
    public static class OcspStatus extends BaseOcspStatusAction {

        // Injected factory; processResponse() obtains the ContentVerifierProvider for the
        // responder's public key from it in order to check the response signature.
        @Reference
        private SecurityFactory securityFactory;

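        /**
         * Rejects a request that names no serial number.
         *
         * <p>{@code x509Certificate} (the responder's issuer) may be {@code null}; it is not
         * checked here, and {@code map} is not used.
         *
         * @param x509Certificate responder issuer certificate, or {@code null}
         * @param list serial numbers to be requested; must not be empty
         * @param map certificate file contents keyed by serial number, or {@code null}
         */
        @Override // org.xipki.ocsp.client.shell.Actions.BaseOcspStatusAction
        protected void checkParameters(X509Certificate x509Certificate, List<BigInteger> list, Map<BigInteger, byte[]> map) throws Exception {
            // Label was misspelled "serialNunmbers"; processResponse() uses "serialNumbers" for
            // the same argument, and the label presumably ends up in the error message.
            Args.notEmpty(list, "serialNumbers");
        }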

        /* JADX WARN: Type inference failed for: r1v33, types: [byte[], byte[][]] */
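        /**
         * Validates a successful OCSP response and prints the status of every single response.
         *
         * <p>Enforced here: response status, presence of a basic response, number of single
         * responses, selection of the responder certificate by ResponderID, validity of that
         * certificate at every {@code thisUpdate}, the response signature and - only when
         * {@code x509Certificate} is given - that the responder certificate is issued and signed
         * by it.
         *
         * <p>Only reported, not enforced: an unsigned response, the CertID issuer match, and
         * {@code nextUpdate}. The serial numbers in the response are not compared with
         * {@code list}; only their count is. Callers that need a trust decision must pass
         * {@code x509Certificate}; without it the signature is checked against a certificate
         * that the response itself supplied.
         *
         * @param oCSPResp response to evaluate; must not be {@code null}
         * @param x509Certificate certificate of the responder's issuer, or {@code null} to skip
         *     the trust check on the responder certificate
         * @param issuerHash hash of the issuer of the queried certificates
         * @param list requested serial numbers
         * @param map requested certificate contents keyed by serial number, or {@code null}
         * @throws OcspResponseException.Unsuccessful if the response status is not 0
         * @throws OcspResponseException.InvalidResponse if BouncyCastle cannot decode the response
         * @throws CmdFailure if one of the enforced checks fails
         */
        @Override // org.xipki.ocsp.client.shell.Actions.BaseOcspStatusAction
        protected void processResponse(OCSPResp oCSPResp, X509Certificate x509Certificate, IssuerHash issuerHash, List<BigInteger> list, Map<BigInteger, byte[]> map) throws Exception {
            Args.notNull(oCSPResp, "response");
            Args.notNull(issuerHash, "issuerHash");
            Args.notNull(list, "serialNumbers");

            int status = oCSPResp.getStatus();
            if (status != 0) {
                throw new OcspResponseException.Unsuccessful(status);
            }

            try {
                // A "successful" response without a basic response body would otherwise surface
                // as a NullPointerException / ClassCastException.
                Object responseObject = oCSPResp.getResponseObject();
                if (!(responseObject instanceof BasicOCSPResp)) {
                    throw new CmdFailure("response does not contain a basic OCSP response");
                }
                BasicOCSPResp basicResp = (BasicOCSPResp) responseObject;
                boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.Extn.id_pkix_ocsp_extendedRevoke) != null;

                SingleResp[] singleResponses = basicResp.getResponses();
                if (singleResponses == null || singleResponses.length == 0) {
                    throw new CmdFailure("received no status from server");
                }
                int count = singleResponses.length;
                if (count != list.size()) {
                    throw new CmdFailure("received status with " + count + " single responses from server, but " + list.size() + " were requested");
                }

                Date[] thisUpdates = new Date[count];
                for (int i = 0; i < count; i++) {
                    thisUpdates[i] = singleResponses[i].getThisUpdate();
                }

                if (null == basicResp.getSignature()) {
                    // Reported only: the statuses printed below are then unauthenticated.
                    println("response is not signed");
                } else {
                    X509CertificateHolder[] responderCerts = basicResp.getCerts();
                    if (responderCerts == null || responderCerts.length < 1) {
                        throw new CmdFailure("no responder certificate is contained in the response");
                    }

                    // ResponderID is either a name or a SHA-1 hash of the responder's public key.
                    ResponderID responderId = basicResp.getResponderId().toASN1Primitive();
                    X500Name responderName = responderId.getName();
                    byte[] responderKeyHash = responderId.getKeyHash();
                    X509CertificateHolder signer = null;
                    for (X509CertificateHolder candidate : responderCerts) {
                        boolean matches;
                        if (responderName != null) {
                            matches = candidate.getSubject().equals(responderName);
                        } else {
                            byte[] keyBytes = candidate.getSubjectPublicKeyInfo().getPublicKeyData().getBytes();
                            matches = Arrays.equals(responderKeyHash, HashAlgo.SHA1.hash(new byte[][] {keyBytes}));
                        }
                        if (matches) {
                            signer = candidate;
                            break;
                        }
                    }
                    if (signer == null) {
                        throw new CmdFailure("no responder certificate match the ResponderId");
                    }

                    for (Date thisUpdate : thisUpdates) {
                        if (!signer.isValidOn(thisUpdate)) {
                            throw new CmdFailure("responder certificate is not valid on " + thisUpdate);
                        }
                    }

                    if (!basicResp.isSignatureValid(this.securityFactory.getContentVerifierProvider(KeyUtil.generatePublicKey(signer.getSubjectPublicKeyInfo())))) {
                        throw new CmdFailure("response is equipped with invalid signature");
                    }

                    if (x509Certificate != null) {
                        // Fail closed: the responder certificate is trusted only when it names the
                        // given issuer AND its signature verifies under the issuer's key. Before,
                        // a certificate that did not pass X509Util.issues(...) skipped the
                        // signature check and was accepted as trusted.
                        boolean signerTrusted = false;
                        X509Certificate signerCert = X509Util.toX509Cert(signer.toASN1Structure());
                        if (X509Util.issues(x509Certificate, signerCert)) {
                            try {
                                signerCert.verify(x509Certificate.getPublicKey());
                                signerTrusted = true;
                            } catch (SignatureException e) {
                                // Signature on the responder certificate does not verify:
                                // signerTrusted stays false and the failure is reported below.
                            }
                        }
                        // NOTE(review): no check here that the responder certificate is authorised
                        // for OCSP signing (e.g. extended key usage) - confirm whether
                        // X509Util.issues or the requestor covers that.
                        if (!signerTrusted) {
                            throw new CmdFailure("response is equipped with valid signature but the OCSP signer is not trusted");
                        }
                    } else {
                        // Valid only relative to the certificate carried in the response itself.
                        println("response is equipped with valid signature");
                    }

                    if (this.verbose.booleanValue()) {
                        // Report the certificate that matched the ResponderID, which is not
                        // necessarily the first one in the response.
                        println("responder is " + X509Util.getRfc4519Name(signer.getSubject()));
                    }
                }

                println("produced at " + basicResp.getProducedAt());
                for (int i = 0; i < count; i++) {
                    if (count > 1) {
                        println("---------------------------- " + i + "----------------------------");
                    }
                    SingleResp single = singleResponses[i];

                    // BouncyCastle represents the "good" status as null.
                    Object certStatus = single.getCertStatus();
                    String statusText;
                    if (certStatus == null) {
                        statusText = "good";
                    } else if (certStatus instanceof RevokedStatus) {
                        RevokedStatus revoked = (RevokedStatus) certStatus;
                        Date revocationTime = revoked.getRevocationTime();
                        Extension invalidityExt = single.getExtension(Extension.invalidityDate);
                        Date invalidityDate = invalidityExt != null ? ASN1GeneralizedTime.getInstance(invalidityExt.getParsedValue()).getDate() : null;
                        if (revoked.hasRevocationReason()) {
                            int reason = revoked.getRevocationReason();
                            // Extended-revoke convention: certificateHold at the epoch means the
                            // responder has no record of the certificate.
                            if (extendedRevoke && reason == CrlReason.CERTIFICATE_HOLD.getCode() && revocationTime.getTime() == 0) {
                                statusText = "unknown (RFC6960)";
                            } else {
                                Object[] parts = new Object[] {
                                    CrlReason.forReasonCode(reason).getDescription(),
                                    ", revocationTime = ",
                                    revocationTime,
                                    invalidityDate == null ? "" : ", invalidityTime = " + invalidityDate
                                };
                                statusText = StringUtil.concatObjects("revoked, reason = ", parts);
                            }
                        } else {
                            statusText = "revoked, no reason, revocationTime = " + revocationTime;
                        }
                    } else {
                        statusText = certStatus instanceof UnknownStatus ? "unknown (RFC2560)" : "ERROR";
                    }

                    StringBuilder sb = new StringBuilder();
                    CertificateID certId = single.getCertID();
                    // Printed, not enforced: a mismatch means the status is for another issuer.
                    boolean issuerMatched = issuerHash.match(HashAlgo.getNonNullInstance(certId.getHashAlgOID()), certId.getIssuerNameHash(), certId.getIssuerKeyHash());
                    BigInteger serialNumber = certId.getSerialNumber();
                    sb.append("issuer matched: ").append(issuerMatched);
                    sb.append("\nserialNumber: ").append(LogUtil.formatCsn(serialNumber));
                    sb.append("\nCertificate status: ").append(statusText);

                    if (this.verbose.booleanValue()) {
                        sb.append("\nthisUpdate: ").append(single.getThisUpdate());
                        sb.append("\nnextUpdate: ").append(single.getNextUpdate());

                        Extension certHashExt = single.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
                        if (certHashExt != null) {
                            sb.append("\nCertHash is provided:\n");
                            CertHash certHash = CertHash.getInstance(certHashExt.getParsedValue());
                            ASN1ObjectIdentifier hashAlgOid = certHash.getHashAlgorithm().getAlgorithm();
                            byte[] hashValue = certHash.getCertificateHash();
                            sb.append("\tHash algo : ").append(hashAlgOid.getId()).append("\n");
                            sb.append("\tHash value: ").append(Hex.encode(hashValue)).append("\n");

                            // The response may carry a serial number that was never requested;
                            // there is then nothing to compare against.
                            byte[] requestedCert = map == null ? null : map.get(serialNumber);
                            if (requestedCert != null) {
                                byte[] expected = MessageDigest.getInstance(hashAlgOid.getId()).digest(requestedCert);
                                if (Arrays.equals(expected, hashValue)) {
                                    sb.append("\tThis matches the requested certificate");
                                } else {
                                    sb.append("\tThis differs from the requested certificate");
                                }
                            }
                        }

                        Extension archiveCutoffExt = single.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff);
                        if (archiveCutoffExt != null) {
                            ASN1GeneralizedTime cutoff = ASN1GeneralizedTime.getInstance(archiveCutoffExt.getParsedValue());
                            sb.append("\nArchive-CutOff: ");
                            sb.append(cutoff.getTimeString());
                        }

                        AlgorithmIdentifier sigAlgId = basicResp.getSignatureAlgorithmID();
                        if (sigAlgId == null) {
                            sb.append("\nresponse is not signed");
                        } else {
                            String sigAlgName = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
                            if (sigAlgName == null) {
                                sigAlgName = "unknown";
                            }
                            sb.append("\nresponse is signed with ").append(sigAlgName);
                        }

                        sb.append("\nExtensions: ");
                        List<?> extensionOids = basicResp.getExtensionOIDs();
                        if (extensionOids == null || extensionOids.size() == 0) {
                            sb.append("-");
                        } else {
                            int oidCount = extensionOids.size();
                            for (int j = 0; j < oidCount; j++) {
                                ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) extensionOids.get(j);
                                String knownName = EXTENSION_OIDNAME_MAP.get(oid);
                                sb.append(knownName == null ? oid.getId() : knownName);
                                if (j != oidCount - 1) {
                                    sb.append(", ");
                                }
                            }
                        }
                    }
                    println(sb.toString());
                }
                println("");
            } catch (OCSPException e) {
                throw new OcspResponseException.InvalidResponse(e.getMessage(), e);
            }
        }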
    }
}
