package eu.europa.esig.dss.service.ocsp;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.RevocationOrigin;
import eu.europa.esig.dss.model.DSSException;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP;
import eu.europa.esig.dss.service.NonceSource;
import eu.europa.esig.dss.service.http.commons.OCSPDataLoader;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import eu.europa.esig.dss.spi.client.http.DataLoader;
import eu.europa.esig.dss.spi.exception.DSSExternalResourceException;
import eu.europa.esig.dss.spi.x509.revocation.OnlineRevocationSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationSourceAlternateUrlsSupport;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPRespStatus;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPSource;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;
import eu.europa.esig.dss.utils.Utils;
import java.io.IOException;
import java.math.BigInteger;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import signservice.org.bouncycastle.asn1.ASN1OctetString;
import signservice.org.bouncycastle.asn1.ASN1Primitive;
import signservice.org.bouncycastle.asn1.DEROctetString;
import signservice.org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import signservice.org.bouncycastle.asn1.x509.Extension;
import signservice.org.bouncycastle.asn1.x509.Extensions;
import signservice.org.bouncycastle.cert.ocsp.BasicOCSPResp;
import signservice.org.bouncycastle.cert.ocsp.CertificateID;
import signservice.org.bouncycastle.cert.ocsp.OCSPException;
import signservice.org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import signservice.org.bouncycastle.cert.ocsp.OCSPResp;

/* loaded from: input_file:eu/europa/esig/dss/service/ocsp/OnlineOCSPSource.class */
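/**
 * Online {@link OCSPSource}: builds an OCSP request for a certificate, posts it to the responder
 * URLs taken from the certificate (plus any alternate URLs supplied by the caller) and wraps the
 * first {@code SUCCESSFUL} response in an {@link OCSPToken}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When a {@link NonceSource} is configured, every request carries a non-critical
 *       {@code id-pkix-ocsp-nonce} extension and a response is only accepted if it echoes the
 *       dispatched nonce; a missing or different nonce is treated as a failed download.</li>
 *   <li>The responder's signature and authorization are NOT checked here; this class only
 *       parses the response and wraps it. NOTE(review): presumably validated later on the
 *       {@link OCSPToken} / by the validation process - confirm before relying on this source
 *       on its own.</li>
 *   <li>{@code certIDDigestAlgorithm} (default SHA-1) only selects the hash used to build the
 *       OCSP {@code CertID} lookup key; it is not a signature algorithm.</li>
 * </ul>
 *
 * <p>This listing is decompiled output: the {@code getRevocationToken2} names and the synthetic
 * bridge method at the end are decompiler artifacts of the overloaded
 * {@code getRevocationToken}. The class is not thread-safe: loader, nonce source and digest
 * algorithm are plain mutable fields with no synchronization.
 */
public class OnlineOCSPSource implements OCSPSource, RevocationSourceAlternateUrlsSupport<OCSP>, OnlineRevocationSource<OCSP> {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) OnlineOCSPSource.class);
    // Optional; when null no nonce extension is sent and responses are not nonce-checked.
    private NonceSource nonceSource;
    // Transport used to POST the DER request to each responder URL.
    private DataLoader dataLoader;
    // Digest used for the CertID (issuerNameHash / issuerKeyHash) of the request.
    private DigestAlgorithm certIDDigestAlgorithm;

    /**
     * Creates a source using an {@link OCSPDataLoader} and SHA-1 for the {@code CertID}.
     */
    public OnlineOCSPSource() {
        this.certIDDigestAlgorithm = DigestAlgorithm.SHA1;
        this.dataLoader = new OCSPDataLoader();
        LOG.trace("+OnlineOCSPSource with the default data loader.");
    }

    /**
     * Creates a source using the given loader and SHA-1 for the {@code CertID}.
     *
     * @param dataLoader the loader used to POST OCSP requests
     */
    public OnlineOCSPSource(DataLoader dataLoader) {
        this.certIDDigestAlgorithm = DigestAlgorithm.SHA1;
        this.dataLoader = dataLoader;
        LOG.trace("+OnlineOCSPSource with the specific data loader.");
    }

    /**
     * Replaces the loader used to POST OCSP requests.
     *
     * @param dataLoader the new loader (nullness is only checked when a token is requested)
     */
    @Override // eu.europa.esig.dss.spi.x509.revocation.OnlineRevocationSource
    public void setDataLoader(DataLoader dataLoader) {
        this.dataLoader = dataLoader;
    }

    /**
     * Enables request nonces. A fresh nonce is drawn per {@code getRevocationTokenAndUrl} call
     * and the response must echo it.
     *
     * @param nonceSource the nonce source, or {@code null} to disable nonces
     */
    public void setNonceSource(NonceSource nonceSource) {
        this.nonceSource = nonceSource;
    }

    /**
     * Sets the digest algorithm used for the OCSP {@code CertID}.
     *
     * @param digestAlgorithm the digest algorithm
     * @throws NullPointerException if {@code digestAlgorithm} is {@code null}
     */
    public void setCertIDDigestAlgorithm(DigestAlgorithm digestAlgorithm) {
        Objects.requireNonNull(digestAlgorithm, "The certIDDigestAlgorithm must not be null!");
        this.certIDDigestAlgorithm = digestAlgorithm;
    }

    /**
     * Retrieves an OCSP token for {@code certificateToken} using only the responder URLs found
     * in the certificate.
     *
     * @param certificateToken  the certificate to check
     * @param certificateToken2 its issuer
     * @return the token, or {@code null} when no URL is available or no download succeeded
     */
    @Override // eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPSource, eu.europa.esig.dss.spi.x509.revocation.RevocationSource, eu.europa.esig.dss.spi.x509.revocation.crl.CRLSource
    /* renamed from: getRevocationToken */
    public RevocationToken<OCSP> getRevocationToken2(CertificateToken certificateToken, CertificateToken certificateToken2) {
        return getRevocationToken(certificateToken, certificateToken2, Collections.emptyList());
    }

    /**
     * Retrieves an OCSP token for {@code certificateToken}, trying the certificate's responder
     * URLs first and then the caller-supplied alternate URLs.
     *
     * @param certificateToken  the certificate to check
     * @param certificateToken2 its issuer
     * @param list              alternate responder URLs, appended after the certificate's own
     * @return the token, or {@code null} when no URL is available or no download succeeded
     * @throws NullPointerException          if no {@link DataLoader} has been set
     * @throws DSSExternalResourceException  if the last URL tried fails (see
     *                                       {@link #getRevocationTokenAndUrl(CertificateToken, CertificateToken, List)})
     */
    @Override // eu.europa.esig.dss.spi.x509.revocation.RevocationSourceAlternateUrlsSupport
    public RevocationToken<OCSP> getRevocationToken(CertificateToken certificateToken, CertificateToken certificateToken2, List<String> list) {
        Objects.requireNonNull(this.dataLoader, "DataLoader is not provided !");
        String dSSIdAsString = certificateToken.getDSSIdAsString();
        LOG.trace("--> OnlineOCSPSource queried for {}", dSSIdAsString);
        if (Utils.isCollectionNotEmpty(list)) {
            LOG.info("OCSP alternative urls : {}", list);
        }
        List<String> oCSPAccessLocations = DSSASN1Utils.getOCSPAccessLocations(certificateToken);
        if (Utils.isCollectionEmpty(oCSPAccessLocations) && Utils.isCollectionEmpty(list)) {
            LOG.warn("No OCSP location found for {}", dSSIdAsString);
            return null;
        }
        // Certificate URLs keep priority; assumes the returned list is mutable - TODO confirm.
        oCSPAccessLocations.addAll(list);
        OnlineRevocationSource.RevocationTokenAndUrl<OCSP> revocationTokenAndUrl = getRevocationTokenAndUrl(certificateToken, certificateToken2, oCSPAccessLocations);
        if (revocationTokenAndUrl != null) {
            return (OCSPToken) revocationTokenAndUrl.getRevocationToken();
        }
        LOG.debug("No OCSP has been downloaded for a CertificateToken with Id '{}' from a list of urls : {}", certificateToken.getDSSIdAsString(), oCSPAccessLocations);
        return null;
    }

    /**
     * Retrieves an OCSP token together with the URL it came from, using only the responder URLs
     * found in the certificate.
     *
     * @param certificateToken  the certificate to check
     * @param certificateToken2 its issuer
     * @return the token and its URL, or {@code null} when no URL is available or no download succeeded
     */
    @Override // eu.europa.esig.dss.spi.x509.revocation.OnlineRevocationSource
    public OnlineRevocationSource.RevocationTokenAndUrl<OCSP> getRevocationTokenAndUrl(CertificateToken certificateToken, CertificateToken certificateToken2) {
        List<String> oCSPAccessLocations = DSSASN1Utils.getOCSPAccessLocations(certificateToken);
        if (!Utils.isCollectionEmpty(oCSPAccessLocations)) {
            return getRevocationTokenAndUrl(certificateToken, certificateToken2, oCSPAccessLocations);
        }
        LOG.warn("No OCSP location found for {}", certificateToken.getDSSIdAsString());
        return null;
    }

    /**
     * Posts one OCSP request to each URL in order and returns the first {@code SUCCESSFUL}
     * response as a token.
     *
     * <p>Failure policy: an empty body, a non-successful status, a parse error or a nonce
     * mismatch on a URL that is not the last one is logged at WARN and the next URL is tried;
     * on the last URL an exception is rethrown as {@link DSSExternalResourceException} while an
     * empty body or non-successful status yields {@code null}.
     *
     * @param certificateToken  the certificate to check
     * @param certificateToken2 its issuer
     * @param list              responder URLs to try, in order
     * @return the token and the URL that produced it, or {@code null} if no URL produced one
     * @throws DSSExternalResourceException if the last URL fails with an exception
     */
    protected OnlineRevocationSource.RevocationTokenAndUrl<OCSP> getRevocationTokenAndUrl(CertificateToken certificateToken, CertificateToken certificateToken2, List<String> list) {
        CertificateID oCSPCertificateID = DSSRevocationUtils.getOCSPCertificateID(certificateToken, certificateToken2, this.certIDDigestAlgorithm);
        // One nonce per call: the same request bytes go to every URL, so whichever responder
        // answers must echo this exact value.
        BigInteger nonce = this.nonceSource != null ? this.nonceSource.getNonce() : null;
        byte[] buildOCSPRequest = buildOCSPRequest(oCSPCertificateID, nonce);
        int size = list.size();
        for (String str : list) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Trying to retrieve an OCSP response from URL '{}'...", str);
            }
            // Reaches 0 on the last URL; only then is an exception fatal for the caller.
            size--;
            try {
                byte[] post = this.dataLoader.post(str, buildOCSPRequest);
                if (Utils.isArrayEmpty(post)) {
                    LOG.warn("OCSP Data Loader for certificate {} responded with an empty byte array!", certificateToken.getDSSIdAsString());
                } else {
                    if (LOG.isTraceEnabled()) {
                        LOG.trace(String.format("Obtained OCSPResponse binaries from URL '%s' : %s", str, Utils.toBase64(post)));
                    }
                    OCSPResp oCSPResp = new OCSPResp(post);
                    OCSPRespStatus fromInt = OCSPRespStatus.fromInt(oCSPResp.getStatus());
                    if (OCSPRespStatus.SUCCESSFUL.equals(fromInt)) {
                        // Only a SUCCESSFUL response carries a BasicOCSPResp (and thus a nonce
                        // extension). Checking the nonce here, before any token is built, keeps
                        // the check fail-closed while letting non-successful statuses
                        // (tryLater, unauthorized, ...) be reported as such instead of as a
                        // misleading nonce-extraction failure.
                        verifyNonce(oCSPResp, nonce);
                        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) oCSPResp.getResponseObject();
                        OCSPToken oCSPToken = new OCSPToken(basicOCSPResp, DSSRevocationUtils.getLatestSingleResponse(basicOCSPResp, certificateToken, certificateToken2), certificateToken, certificateToken2);
                        oCSPToken.setSourceURL(str);
                        oCSPToken.setExternalOrigin(RevocationOrigin.EXTERNAL);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("OCSP Response '{}' has been retrieved from a source with URL '{}'.", oCSPToken.getDSSIdAsString(), str);
                        }
                        return new OnlineRevocationSource.RevocationTokenAndUrl<>(str, oCSPToken);
                    }
                    LOG.warn("Ignored OCSP Response from URL '{}' : status -> {}", str, fromInt);
                }
            } catch (Exception e) {
                // Also reached on a nonce mismatch (DSSExternalResourceException from
                // verifyNonce): for a non-last URL that is only a WARN line, so operators who
                // rely on nonces should watch this log message - a mismatch can indicate a
                // stale or replayed response being served.
                if (size == 0) {
                    throw new DSSExternalResourceException(String.format("Unable to retrieve OCSP response for certificate with Id '%s' from URL '%s'. Reason : %s", certificateToken.getDSSIdAsString(), str, e.getMessage()), e);
                }
                LOG.warn("Unable to retrieve OCSP response with URL '{}' : {}", str, e.getMessage());
            }
        }
        return null;
    }

    /**
     * Encodes a DER OCSP request for the given {@code CertID}.
     *
     * @param certificateID the certificate identifier to ask about
     * @param bigInteger    the nonce to embed, or {@code null} for no nonce extension
     * @return the DER-encoded request
     * @throws DSSException if the request cannot be built or encoded
     */
    private byte[] buildOCSPRequest(CertificateID certificateID, BigInteger bigInteger) throws DSSException {
        try {
            OCSPReqBuilder oCSPReqBuilder = new OCSPReqBuilder();
            oCSPReqBuilder.addRequest(certificateID);
            if (bigInteger != null) {
                // Non-critical nonce extension; extnValue wraps the DER OCTET STRING of the
                // nonce bytes, which is the layout getEmbeddedNonceValue expects back.
                oCSPReqBuilder.setRequestExtensions(new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, (ASN1OctetString) new DEROctetString(new DEROctetString(bigInteger.toByteArray()).getEncoded()))));
            }
            return oCSPReqBuilder.build().getEncoded();
        } catch (IOException | OCSPException e) {
            throw new DSSException("Cannot build OCSP Request", e);
        }
    }

    /**
     * Checks that the response echoes the dispatched nonce. No-op when no nonce was sent.
     *
     * @param oCSPResp   the received response (must be {@code SUCCESSFUL} to carry extensions)
     * @param bigInteger the nonce that was dispatched, or {@code null}
     * @throws DSSExternalResourceException if the nonce is absent, unreadable or different
     */
    private void verifyNonce(OCSPResp oCSPResp, BigInteger bigInteger) {
        if (bigInteger != null) {
            BigInteger embeddedNonceValue = getEmbeddedNonceValue(oCSPResp);
            if (!bigInteger.equals(embeddedNonceValue)) {
                throw new DSSExternalResourceException(String.format("Nonce received from OCSP response '%s' does not match a dispatched nonce '%s'.", embeddedNonceValue, bigInteger));
            }
        }
    }

    /**
     * Extracts the nonce from the response's {@code id-pkix-ocsp-nonce} extension.
     *
     * @param oCSPResp the received response
     * @return the nonce value
     * @throws DSSExternalResourceException if the extension is missing, not an OCTET STRING,
     *                                      or cannot be decoded
     */
    private BigInteger getEmbeddedNonceValue(OCSPResp oCSPResp) {
        try {
            BasicOCSPResp basicOCSPResp = (BasicOCSPResp) oCSPResp.getResponseObject();
            Extension nonceExtension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            if (nonceExtension == null) {
                // Fail closed: a nonce was dispatched, so a response without one is rejected
                // with an explicit reason rather than a NullPointerException.
                throw new OCSPException("Nonce extension is absent in OCSP response");
            }
            ASN1Primitive fromByteArray = fromByteArray(nonceExtension.getExtnValue());
            if (fromByteArray instanceof DEROctetString) {
                return new BigInteger(((DEROctetString) fromByteArray).getOctets());
            }
            throw new OCSPException("Nonce extension value in OCSP response is not an OCTET STRING");
        } catch (Exception e) {
            throw new DSSExternalResourceException(String.format("Unable to extract the nonce from the OCSPResponse! Reason : [%s]", e.getMessage()), e);
        }
    }

    /**
     * Parses the DER content of an extension value.
     *
     * @param aSN1OctetString the extension's {@code extnValue}
     * @return the decoded ASN.1 primitive
     * @throws OCSPException if the bytes are not valid DER
     */
    private ASN1Primitive fromByteArray(ASN1OctetString aSN1OctetString) throws OCSPException {
        try {
            return ASN1Primitive.fromByteArray(aSN1OctetString.getOctets());
        } catch (IOException e) {
            throw new OCSPException("Invalid encoding of nonce extension value in OCSP response", e);
        }
    }

    // Decompiler artifact: compiler-generated bridge for the generic interface method.
    @Override // eu.europa.esig.dss.spi.x509.revocation.RevocationSourceAlternateUrlsSupport
    /* renamed from: getRevocationToken, reason: avoid collision after fix types in other method */
    public /* bridge */ /* synthetic */ RevocationToken<OCSP> getRevocationToken2(CertificateToken certificateToken, CertificateToken certificateToken2, List list) {
        return getRevocationToken(certificateToken, certificateToken2, (List<String>) list);
    }
}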
