package no.digipost.security.ocsp;

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import no.digipost.security.DigipostSecurity;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/digipost/security/ocsp/OcspUtils.class */
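/**
 * Static helpers used by the OCSP lookup code: locating the responder URL a
 * certificate advertises, picking the responder certificate out of an OCSP
 * response, and building the {@link CertificateID} that names a certificate in
 * an OCSP request.
 *
 * <p>None of these helpers perform any trust validation. They only parse and
 * extract; every value they return is derived from data an attacker may control
 * (the certificate being checked, or the OCSP response body) and must be
 * validated by the caller before it is relied upon.
 */
public final class OcspUtils {
    /** id-pe-authorityInfoAccess: the extension carrying the OCSP responder location. */
    private static final String AUTHORITY_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
    private static final Logger LOG = LoggerFactory.getLogger(OcspUtils.class);
    /** An extKeyUsage value consisting of exactly one purpose, id-kp-OCSPSigning. */
    private static final ASN1Sequence ASN1_OCSP_SIGNING = new DERSequence(new ASN1ObjectIdentifier("1.3.6.1.5.5.7.3.9"));
    /** id-ce-extKeyUsage. */
    private static final ASN1ObjectIdentifier ASN1_EXTENDED_KEY_USAGE = new ASN1ObjectIdentifier("2.5.29.37");
    /** Context tag of the uniformResourceIdentifier alternative of GeneralName. */
    private static final int GENERAL_NAME_URI_TAG = 6;
    private static final JcaX509CertificateConverter JCA_X509_CERTIFICATE_CONVERTER = new JcaX509CertificateConverter().setProvider(DigipostSecurity.PROVIDER_NAME);

    /**
     * Finds the OCSP responder URL in the certificate's authorityInfoAccess extension.
     *
     * <p>The returned URI is untrusted input taken verbatim from the certificate.
     * Callers that fetch from it should restrict the scheme to what they intend to
     * speak (normally plain http for OCSP) and apply connection/read timeouts and a
     * response size limit; this method does none of that.
     *
     * @param x509Certificate the certificate to inspect
     * @return the first OCSP access location of URI form, or empty if the extension
     *         is absent, contains no OCSP entry, or cannot be parsed (parse failures
     *         are logged at WARN and never propagated)
     */
    public static Optional<URI> findOcspResponderUrl(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(AUTHORITY_INFO_ACCESS_OID);
        if (extensionValue == null) {
            return Optional.empty();
        }
        try {
            // getExtensionValue() hands back the DER OCTET STRING that wraps the extension body,
            // so two decodes are needed: OCTET STRING -> AuthorityInfoAccessSyntax (SEQUENCE OF AccessDescription).
            ASN1OctetString wrapper = (ASN1OctetString) ASN1Primitive.fromByteArray(extensionValue);
            ASN1Sequence accessDescriptions = (ASN1Sequence) ASN1Primitive.fromByteArray(wrapper.getOctets());
            for (int i = 0; i < accessDescriptions.size(); i++) {
                ASN1Encodable element = accessDescriptions.getObjectAt(i);
                if (!(element instanceof ASN1Sequence)) {
                    continue;
                }
                // AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER, accessLocation GeneralName }
                ASN1Sequence accessDescription = (ASN1Sequence) element;
                if (accessDescription.size() < 2 || !OCSPObjectIdentifiers.id_pkix_ocsp.equals(accessDescription.getObjectAt(0))) {
                    continue;
                }
                ASN1TaggedObject accessLocation = (ASN1TaggedObject) accessDescription.getObjectAt(1);
                if (accessLocation.getTagNo() != GENERAL_NAME_URI_TAG) {
                    // Some other GeneralName alternative (e.g. a directoryName); nothing we can fetch from,
                    // so keep looking for a URI-form OCSP entry instead of producing a garbage URI.
                    LOG.warn("Skipping OCSP access location of non-URI GeneralName type (tag {}) in {}", accessLocation.getTagNo(), DigipostSecurity.describe(x509Certificate));
                    continue;
                }
                // The implicitly tagged content is an IA5String, i.e. 7-bit ASCII; decode it explicitly
                // rather than with the platform default charset.
                byte[] uriBytes = ASN1OctetString.getInstance(accessLocation, accessLocation.isExplicit()).getOctets();
                return Optional.of(URI.create(new String(uriBytes, StandardCharsets.US_ASCII)));
            }
            LOG.warn("Failed to extract OCSP uri from " + DigipostSecurity.describe(x509Certificate) + ", because Object identifier " + OCSPObjectIdentifiers.id_pkix_ocsp + " not found");
            return Optional.empty();
        } catch (Exception e) {
            // Deliberately best-effort: a malformed extension (or an unparseable URI) means "no responder",
            // it must not take down the certificate check that called us.
            LOG.warn("Error when trying to find Object identifier " + OCSPObjectIdentifiers.id_pkix_ocsp + " to extract OCSP uri from " + DigipostSecurity.describe(x509Certificate) + ": " + e.getClass().getSimpleName() + " - '" + e.getMessage() + "'", e);
            return Optional.empty();
        }
    }

    /**
     * Picks the first certificate embedded in the OCSP response whose extKeyUsage
     * is exactly {id-kp-OCSPSigning}.
     *
     * <p>This is only candidate selection, not authorization. The embedded
     * certificates are supplied by whoever produced the response, so the caller
     * must still verify that the returned certificate is issued by (chains to) the
     * CA of the certificate being checked and that the response signature verifies
     * under its key; an attacker can trivially embed a self-made certificate with
     * this EKU. NOTE(review): the match requires the EKU to contain <em>only</em>
     * OCSPSigning; a responder certificate that lists additional purposes is not
     * matched and is logged as missing.
     *
     * @param basicOCSPResp the parsed OCSP response
     * @return the first matching certificate, or empty if the response carries no
     *         certificates or none has the expected extKeyUsage
     */
    public static Optional<X509Certificate> findOscpSigningCertificate(BasicOCSPResp basicOCSPResp) {
        X509CertificateHolder[] embeddedCerts = basicOCSPResp.getCerts();
        if (embeddedCerts == null || embeddedCerts.length == 0) {
            return Optional.empty();
        }
        Optional<X509Certificate> signingCertificate = Stream.of(embeddedCerts)
                .filter(OcspUtils::hasOcspSigningExtendedKeyUsage)
                .map(OcspUtils::getCertificateFromHolder)
                .findFirst();
        if (!signingCertificate.isPresent()) {
            LOG.warn("OCSP response contained certificates, but none of them have OCSP signing extended key usage (identifier {})", ASN1_EXTENDED_KEY_USAGE.getId());
        }
        return signingCertificate;
    }

    /** True if the holder's extKeyUsage extension is present and equals exactly {id-kp-OCSPSigning}. */
    private static boolean hasOcspSigningExtendedKeyUsage(X509CertificateHolder holder) {
        return Optional.ofNullable(holder.getExtensions())
                .map(extensions -> extensions.getExtension(ASN1_EXTENDED_KEY_USAGE))
                .map(extension -> extension.getParsedValue())
                .map(ASN1Encodable::toASN1Primitive)
                .filter(ASN1_OCSP_SIGNING::equals)
                .isPresent();
    }

    /**
     * Converts a BouncyCastle certificate holder to a JCA certificate using the
     * configured provider.
     *
     * @throws RuntimeException wrapping the {@link CertificateException} if conversion fails
     */
    static final X509Certificate getCertificateFromHolder(X509CertificateHolder x509CertificateHolder) {
        try {
            return JCA_X509_CERTIFICATE_CONVERTER.getCertificate(x509CertificateHolder);
        } catch (CertificateException e) {
            throw new RuntimeException("Error retrieving " + X509Certificate.class.getName() + " from BouncyCastle " + X509CertificateHolder.class.getSimpleName() + ". Reason: " + e.getMessage(), e);
        }
    }

    private OcspUtils() {
    }

    /**
     * Builds the {@link CertificateID} (issuer name hash, issuer key hash, serial)
     * that identifies {@code certificate} in an OCSP request.
     *
     * <p>The hash is SHA-1 via {@link Sha1Calculator}. NOTE(review): this is the
     * identifier hash conventionally used for CertID and expected by most
     * responders; it is not a signature or integrity use. Confirm the responders in
     * use accept it before changing.
     *
     * @param certificate the certificate whose status is being requested
     * @param issuer      the certificate that issued {@code certificate}
     * @return the id, or empty (logged at WARN) if either certificate cannot be encoded
     */
    public static Optional<CertificateID> tryCreateCertificateId(X509Certificate certificate, X509Certificate issuer) {
        try {
            return Optional.of(new CertificateID(new Sha1Calculator(), new JcaX509CertificateHolder(issuer), certificate.getSerialNumber()));
        } catch (OCSPException | CertificateEncodingException e) {
            // Logged through the lookup request's logger, as in the original, so the failure shows up next to the request it belongs to.
            OcspLookupRequest.LOG.warn("Failed to create certificate ID from certificate: {}, issued by {}", new Object[]{DigipostSecurity.describe(certificate), DigipostSecurity.describe(issuer), e});
            return Optional.empty();
        }
    }
}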
