package weblogic.security.pki.revocation.common;

import com.bea.saaj.SaajConstants;
import com.rsa.certj.CertJ;
import com.rsa.certj.DatabaseService;
import com.rsa.certj.InvalidParameterException;
import com.rsa.certj.InvalidUseException;
import com.rsa.certj.NoServiceException;
import com.rsa.certj.Provider;
import com.rsa.certj.ProviderManagementException;
import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.NameException;
import com.rsa.certj.provider.db.MemoryDB;
import com.rsa.certj.provider.path.X509V1CertPath;
import com.rsa.certj.provider.revocation.ocsp.OCSP;
import com.rsa.certj.provider.revocation.ocsp.OCSPEvidence;
import com.rsa.certj.provider.revocation.ocsp.OCSPRequestControl;
import com.rsa.certj.provider.revocation.ocsp.OCSPResponder;
import com.rsa.certj.provider.revocation.ocsp.OCSPRevocationInfo;
import com.rsa.certj.spi.db.DatabaseException;
import com.rsa.certj.spi.path.CertPathCtx;
import com.rsa.certj.spi.revocation.CertRevocationInfo;
import com.rsa.certj.spi.revocation.CertStatusException;
import com.rsa.jsafe.JSAFE_PrivateKey;
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.logging.Level;
import javax.security.auth.x500.X500Principal;
import weblogic.jndi.internal.JNDIImageSourceConstants;
import weblogic.security.pki.revocation.common.AbstractCertRevocContext;
import weblogic.security.pki.revocation.common.CertRevocCheckMethodList;

/* loaded from: input_file:weblogic/security/pki/revocation/common/DefaultOcspChecker.class */
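/**
 * OCSP revocation checker backed by the RSA Cert-J OCSP client.
 *
 * <p>Each call to {@link #getRemoteStatus} builds a fresh {@code CertJ} instance with an
 * in-memory certificate database, so the issuer certificate, the optional explicitly
 * trusted responder certificate and the optional request-signing key pair live only for
 * the duration of one query. Every failure path (conversion problems, FIPS policy,
 * exceptions from the OCSP client, unusable evidence) yields {@code null}, meaning
 * "status undetermined"; whether that is treated as a hard failure is decided by the
 * caller, not here.
 */
class DefaultOcspChecker extends OcspChecker {
    private static final String DB_PROVIDER_NAME = "OCSP_DB_PROVIDER";
    private static final String CERT_PATH_PROVIDER_NAME = "OCSP_CERT_PATH_PROVIDER";
    private static final String OCSP_PROVIDER_NAME = "OCSP_PROVIDER";

    /*
     * Numeric values handed to (or read back from) the Cert-J API. The values are exactly
     * those the original code used; the names describe how THIS class uses each one, not
     * the vendor's definition -- check the Cert-J documentation before reusing them.
     */
    /** Service type passed to CertJ.bindService for the in-memory certificate database. */
    private static final int DB_SERVICE_TYPE = 1;
    /** CertPathCtx flags that are always set. */
    private static final int CERT_PATH_FLAGS_BASE = 4;
    /** OR-ed into the CertPathCtx flags only when the configured responder URL is an OVERRIDE. */
    private static final int CERT_PATH_FLAG_RESPONDER_URL_OVERRIDE = 2048;
    /** OCSPResponder profile; this class always uses 0. */
    private static final int OCSP_RESPONDER_PROFILE = 0;
    /** OCSPResponder flags that are always set. */
    private static final int OCSP_RESPONDER_FLAGS_BASE = 8;
    /** OR-ed into the OCSPResponder flags when the nonce extension is disabled by configuration. */
    private static final int OCSP_RESPONDER_FLAG_NONCE_DISABLED = 1;
    /** CertRevocationInfo.getType() value for which getEvidence() is expected to be an OCSPEvidence. */
    private static final int EVIDENCE_TYPE_OCSP = 2;
    /** Bit of OCSPEvidence.getFlags() that this class reports as "nonce ignored". */
    private static final int OCSP_EVIDENCE_FLAG_NONCE_IGNORED = 1;

    /*
     * Algorithms used to sign the OCSP request when request signing is configured.
     * NOTE(review): SHA-1 is no longer an acceptable signature digest under most current
     * policies. It is deliberately left unchanged here because the responders this code
     * talks to must accept whatever is chosen and the context exposes no setting for it;
     * this is the single place to move to a SHA-256 based algorithm.
     */
    private static final String REQUEST_SIGNING_DIGEST_ALG = "SHA1";
    private static final String REQUEST_SIGNING_SIGNATURE_ALG = "SHA1/RSA/PKCS1Block01Pad";

    public DefaultOcspChecker(AbstractCertRevocContext abstractCertRevocContext) {
        super(abstractCertRevocContext);
    }

    /**
     * Queries the OCSP responder configured for the issuer of {@code certToCheck}.
     *
     * @param issuerCert  certificate of the CA that issued {@code certToCheck}
     * @param certToCheck certificate whose revocation status is wanted
     * @return the status, or {@code null} when it could not be determined (certificate
     *         conversion failed, the FIPS 140 usage check failed, the OCSP client threw,
     *         or the returned evidence was unusable). Null arguments are rejected by
     *         {@code Util.checkNotNull}.
     */
    @Override // weblogic.security.pki.revocation.common.OcspChecker
    CertRevocStatus getRemoteStatus(X509Certificate issuerCert, X509Certificate certToCheck) {
        Util.checkNotNull("Issuer X509Certificate.", issuerCert);
        Util.checkNotNull("X509Certificate to be checked.", certToCheck);
        AbstractCertRevocContext context = getContext();
        LogListener logListener = context.getLogListener();
        // All per-issuer configuration (responder URL, trusted cert, signing key) is keyed
        // by the issuer DN taken from the certificate under test.
        X500Principal issuerDn = certToCheck.getIssuerX500Principal();
        com.rsa.certj.cert.X509Certificate rsaCertToCheck = RsaUtil.toRsaCert(certToCheck, logListener);
        com.rsa.certj.cert.X509Certificate rsaIssuerCert = RsaUtil.toRsaCert(issuerCert, logListener);
        if (null == rsaCertToCheck || null == rsaIssuerCert) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Unable to check OCSP revocation status, unable to convert both subject and issuer certificates.", new Object[0]);
            }
            return null;
        }
        com.rsa.certj.cert.X509Certificate responderTrustedCert = getResponderTrustedCert(issuerDn);
        JSAFE_PrivateKey signingKey = getRequestSigningPrivateKey(issuerDn);
        com.rsa.certj.cert.X509Certificate signingCert = getRequestSigningPublicCert(issuerDn);
        // Request signing is all-or-nothing: with only one half of the key pair available
        // the request is sent unsigned rather than with a half-configured signer.
        if (null == signingKey || null == signingCert) {
            if (context.isLoggable(Level.FINEST)) {
                context.log(Level.FINEST, "OCSP request signing disabled: Private key={0}, Public cert={1}.",
                        null == signingKey ? "missing" : "gotIt",
                        null == signingCert ? "missing" : "gotIt");
            }
            signingKey = null;
            signingCert = null;
        } else if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OCSP request signing enabled, private key and public certificate configured.", new Object[0]);
        }
        // No OCSP query is attempted when the crypto provider fails the FIPS 140 usage check;
        // RsaUtil is expected to log the reason.
        if (!RsaUtil.isFIPS140UsageOk(logListener)) {
            return null;
        }
        try {
            CertRevocationInfo revocationInfo = checkCertRevocation(issuerDn, rsaCertToCheck, rsaIssuerCert, responderTrustedCert, signingKey, signingCert);
            return evalRevocationInfo(certToCheck, revocationInfo);
        } catch (Exception e) {
            // Deliberately best-effort: any failure of the OCSP client (including the
            // IllegalStateException raised for a null URL override) maps to "undetermined".
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, e, "Exception while checking revocation status using OCSP.", new Object[0]);
            }
            return null;
        }
    }

    /**
     * Loads the configured OCSP request-signing private key for {@code issuerDn} and
     * converts it to the Cert-J type.
     *
     * @return the converted key, or {@code null} if none is configured or conversion failed
     */
    private JSAFE_PrivateKey getRequestSigningPrivateKey(X500Principal issuerDn) {
        Util.checkNotNull("issuerDn", issuerDn);
        AbstractCertRevocContext context = getContext();
        PrivateKey configuredKey = context.getOcspRequestSigningPrivateKey(issuerDn);
        if (null == configuredKey) {
            return null;
        }
        JSAFE_PrivateKey rsaKey = RsaUtil.toRsaPrivateKey(configuredKey, context.getLogListener());
        if (null == rsaKey && context.isLoggable(Level.FINE)) {
            context.log(Level.FINE, "Unable to convert request signing private key.", new Object[0]);
        }
        return rsaKey;
    }

    /**
     * Loads the configured OCSP request-signing certificate for {@code issuerDn} and
     * converts it to the Cert-J type.
     *
     * @return the converted certificate, or {@code null} if none is configured or conversion failed
     */
    private com.rsa.certj.cert.X509Certificate getRequestSigningPublicCert(X500Principal issuerDn) {
        Util.checkNotNull("issuerDn", issuerDn);
        AbstractCertRevocContext context = getContext();
        X509Certificate configuredCert = context.getOcspRequestSigningCert(issuerDn);
        if (null == configuredCert) {
            return null;
        }
        com.rsa.certj.cert.X509Certificate rsaCert = RsaUtil.toRsaCert(configuredCert, context.getLogListener());
        if (null == rsaCert && context.isLoggable(Level.FINE)) {
            context.log(Level.FINE, "Unable to convert request signing public certificate.", new Object[0]);
        }
        return rsaCert;
    }

    /**
     * Loads the explicitly trusted OCSP responder certificate configured for
     * {@code issuerDn}, if any, and converts it to the Cert-J type.
     *
     * @return the converted certificate, or {@code null} if none is configured or conversion failed
     */
    private com.rsa.certj.cert.X509Certificate getResponderTrustedCert(X500Principal issuerDn) {
        Util.checkNotNull("issuerDn", issuerDn);
        AbstractCertRevocContext context = getContext();
        X509Certificate configuredCert = context.getOcspResponderTrustedCert(issuerDn);
        if (null == configuredCert) {
            if (context.isLoggable(Level.FINEST)) {
                context.log(Level.FINEST, "No OCSP responder explicitly trusted certificate is available.", new Object[0]);
            }
            return null;
        }
        com.rsa.certj.cert.X509Certificate rsaCert = RsaUtil.toRsaCert(configuredCert, context.getLogListener());
        if (null == rsaCert) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Unable to convert OCSP responder explicitly trusted certificate.", new Object[0]);
            }
        } else if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OCSP using explicitly trust certificate \"{0}\".", rsaCert.getSubjectName());
        }
        return rsaCert;
    }

    /**
     * Creates a fresh Cert-J instance with an in-memory database provider and a V1 cert
     * path provider, bound to the CryptoJ device list used elsewhere in this package.
     * A new instance per check keeps per-query key material from outliving the query.
     */
    private CertJ initCertJ() throws InvalidParameterException, ProviderManagementException, InvalidUseException {
        Provider[] providers = {new MemoryDB(DB_PROVIDER_NAME), new X509V1CertPath(CERT_PATH_PROVIDER_NAME)};
        CertJ certJ = new CertJ(providers);
        certJ.setDevice(RsaUtil.getCryptoJDeviceList());
        return certJ;
    }

    /**
     * Binds the in-memory database service and loads into it the certificates the OCSP
     * client needs: the optional responder trusted certificate, the (required) issuer
     * certificate, and -- only when both halves are present -- the request-signing
     * certificate together with its private key.
     */
    private DatabaseService initDbService(com.rsa.certj.cert.X509Certificate responderTrustedCert, com.rsa.certj.cert.X509Certificate issuerCert, com.rsa.certj.cert.X509Certificate signingCert, JSAFE_PrivateKey signingKey, CertJ certJ) throws InvalidParameterException, ProviderManagementException, NoServiceException, DatabaseException {
        Util.checkNotNull("certJ", certJ);
        DatabaseService dbService = (DatabaseService) certJ.bindService(DB_SERVICE_TYPE, DB_PROVIDER_NAME);
        if (null != responderTrustedCert) {
            dbService.insertCertificate(responderTrustedCert);
        }
        Util.checkNotNull("issuerCert", issuerCert);
        dbService.insertCertificate(issuerCert);
        if (null != signingCert && null != signingKey) {
            dbService.insertCertificate(signingCert);
            dbService.insertPrivateKeyByCertificate(signingCert, signingKey);
        }
        return dbService;
    }

    /**
     * Builds the certificate-path context for the check. The issuer certificate is always
     * a trust anchor for the context; the explicitly trusted responder certificate is added
     * as a second anchor when configured. Validation time is "now".
     *
     * @throws IllegalStateException when the responder URL usage is OVERRIDE but no URL is
     *         configured (caught and logged by {@link #getRemoteStatus})
     */
    private CertPathCtx initCertPathCtx(X500Principal issuerDn, com.rsa.certj.cert.X509Certificate issuerCert, com.rsa.certj.cert.X509Certificate responderTrustedCert, DatabaseService dbService) {
        Util.checkNotNull("issuerDn", issuerDn);
        Util.checkNotNull("issuerCert", issuerCert);
        Util.checkNotNull("dbService", dbService);
        com.rsa.certj.cert.X509Certificate[] trustedCerts;
        if (null != responderTrustedCert) {
            trustedCerts = new com.rsa.certj.cert.X509Certificate[]{issuerCert, responderTrustedCert};
        } else {
            trustedCerts = new com.rsa.certj.cert.X509Certificate[]{issuerCert};
        }
        AbstractCertRevocContext context = getContext();
        AbstractCertRevocContext.AttributeUsage urlUsage = context.getOcspResponderUrlUsage(issuerDn);
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OcspResponderUrlUsage={0}", urlUsage);
        }
        URI responderUrl = context.getOcspResponderUrl(issuerDn);
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OcspResponderUrl={0}", responderUrl);
        }
        int pathFlags = CERT_PATH_FLAGS_BASE;
        if (AbstractCertRevocContext.AttributeUsage.OVERRIDE == urlUsage) {
            if (null == responderUrl) {
                throw new IllegalStateException("OCSP responder URI override is null, preventing OCSP checking for cert issuer \"" + issuerDn + JNDIImageSourceConstants.DOUBLE_QUOTES);
            }
            pathFlags |= CERT_PATH_FLAG_RESPONDER_URL_OVERRIDE;
        }
        // CertPathCtx takes java.util.Date; the validation time is the moment of the check.
        Date validationTime = new Date();
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "Validation time=\"{0}\"", validationTime);
        }
        // Third argument (byte[][]) is never supplied by this class; the cast keeps the
        // constructor resolution unambiguous.
        return new CertPathCtx(pathFlags, trustedCerts, (byte[][]) null, validationTime, dbService);
    }

    /**
     * Destination list for the responder: the single configured URL (as an ASCII string),
     * or {@code null} when none is configured. Note that the URL is handed to the responder
     * regardless of the usage setting; the OVERRIDE flag on the path context is what
     * decides precedence over any URL embedded in the certificate.
     */
    private String[] initDestList(X500Principal issuerDn) {
        Util.checkNotNull("issuerDn", issuerDn);
        AbstractCertRevocContext context = getContext();
        URI responderUrl = context.getOcspResponderUrl(issuerDn);
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OcspResponderUrl={0}", responderUrl);
        }
        if (null == responderUrl) {
            return null;
        }
        return new String[]{responderUrl.toASCIIString()};
    }

    /**
     * Configures the Cert-J OCSP responder object for one issuer: profile, nonce flag,
     * destination list, request signing control, the explicitly trusted responder
     * certificate (may be {@code null}) and the time tolerance from configuration.
     */
    private OCSPResponder initOcspResponder(com.rsa.certj.cert.X509Certificate signingCert, com.rsa.certj.cert.X509Certificate responderTrustedCert, X500Principal issuerDn, com.rsa.certj.cert.X509Certificate issuerCert, DatabaseService dbService) throws InvalidParameterException {
        Util.checkNotNull("issuerDn", issuerDn);
        Util.checkNotNull("issuerCert", issuerCert);
        Util.checkNotNull("dbService", dbService);
        AbstractCertRevocContext context = getContext();
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "Using OCSP responder profile={0}", OCSP_RESPONDER_PROFILE);
        }
        int responderFlags = OCSP_RESPONDER_FLAGS_BASE;
        boolean nonceEnabled = context.isOcspNonceEnabled(issuerDn);
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OcspNonceEnabled={0}", Boolean.valueOf(nonceEnabled));
        }
        // Disabling the nonce weakens replay protection for responses; it is a per-issuer
        // configuration choice, not a default of this class.
        if (!nonceEnabled) {
            responderFlags |= OCSP_RESPONDER_FLAG_NONCE_DISABLED;
        }
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "ocspResponderFlags={0}", Integer.valueOf(responderFlags));
        }
        // No proxy list is ever configured here (the fourth constructor argument below is
        // always null); the log line records that the vendor client falls back to system
        // properties in that case.
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "proxyList is empty, reverting to System Properties.", new Object[0]);
        }
        OCSPRequestControl requestControl = initOcspRequestControl(signingCert);
        com.rsa.certj.cert.X509Certificate[] issuerCerts = {issuerCert};
        int timeTolerance = context.getOcspTimeTolerance(issuerDn);
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OcspTimeTolerance={0}", Integer.valueOf(timeTolerance));
        }
        return new OCSPResponder(OCSP_RESPONDER_PROFILE, responderFlags, initDestList(issuerDn), null, requestControl, responderTrustedCert, issuerCerts, dbService, timeTolerance);
    }

    /**
     * Request control describing how (and whether) the OCSP request is signed. A
     * {@code null} signing certificate means the request is sent unsigned. No extra
     * certificates and no request extensions are added.
     */
    private OCSPRequestControl initOcspRequestControl(com.rsa.certj.cert.X509Certificate signingCert) throws InvalidParameterException {
        AbstractCertRevocContext context = getContext();
        String signerName = null;
        if (signingCert != null && signingCert.getSubjectName() != null) {
            signerName = signingCert.getSubjectName().toStringRFC2253();
        }
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "Request signing: signingCert={0}, digestAlg={1}, signatureAlg={2}, extraCerts={3}, requestExtensions={4}", signerName, REQUEST_SIGNING_DIGEST_ALG, REQUEST_SIGNING_SIGNATURE_ALG, null, null);
        }
        return new OCSPRequestControl(signingCert, REQUEST_SIGNING_DIGEST_ALG, REQUEST_SIGNING_SIGNATURE_ALG, null, null);
    }

    /**
     * Creates the Cert-J OCSP revocation provider. The only configuration passed through
     * the provider's config stream is the response timeout ({@code timeoutSecs=N}).
     */
    private OCSP initOcspProvider(X500Principal issuerDn, OCSPResponder ocspResponder) throws InvalidParameterException, CertificateException, NameException {
        Util.checkNotNull("issuerDn", issuerDn);
        Util.checkNotNull("ocspResponder", ocspResponder);
        AbstractCertRevocContext context = getContext();
        long responseTimeout = context.getOcspResponseTimeout(issuerDn);
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OcspResponseTimeout={0}", Long.valueOf(responseTimeout));
        }
        String config = "timeoutSecs=" + responseTimeout + "\n";
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "OCSP configStream=\"{0}\"", config);
        }
        // The config text is pure ASCII; using the JDK charset constant avoids both the
        // dependency on a SAAJ constant and the checked UnsupportedEncodingException.
        byte[] configBytes = config.getBytes(StandardCharsets.US_ASCII);
        return new OCSP(OCSP_PROVIDER_NAME, ocspResponder, new ByteArrayInputStream(configBytes));
    }

    /**
     * Wires the Cert-J pieces together for a single query and runs the revocation check.
     * Order matters: the database must be populated before the path context and the OCSP
     * provider are built on top of it, and the provider must be registered before
     * {@code checkCertRevocation} is invoked.
     *
     * @param signingKey  request-signing key, or {@code null} for an unsigned request
     * @param signingCert request-signing certificate, or {@code null} for an unsigned request
     */
    private CertRevocationInfo checkCertRevocation(X500Principal issuerDn, com.rsa.certj.cert.X509Certificate certToCheck, com.rsa.certj.cert.X509Certificate issuerCert, com.rsa.certj.cert.X509Certificate responderTrustedCert, JSAFE_PrivateKey signingKey, com.rsa.certj.cert.X509Certificate signingCert) throws InvalidParameterException, ProviderManagementException, InvalidUseException, NoServiceException, DatabaseException, CertificateException, NameException, CertStatusException {
        Util.checkNotNull("issuerDn", issuerDn);
        Util.checkNotNull("certToCheck", certToCheck);
        Util.checkNotNull("issuerCert", issuerCert);
        CertJ certJ = initCertJ();
        DatabaseService dbService = initDbService(responderTrustedCert, issuerCert, signingCert, signingKey, certJ);
        CertPathCtx pathCtx = initCertPathCtx(issuerDn, issuerCert, responderTrustedCert, dbService);
        OCSPResponder responder = initOcspResponder(signingCert, responderTrustedCert, issuerDn, issuerCert, dbService);
        certJ.registerService(initOcspProvider(issuerDn, responder));
        return certJ.checkCertRevocation(pathCtx, certToCheck);
    }

    /**
     * Translates the Cert-J result into a {@link CertRevocStatus}.
     *
     * @return the status, or {@code null} when the result is absent, its status code cannot
     *         be interpreted by {@code RsaUtil}, or its evidence is not usable OCSP evidence
     */
    private CertRevocStatus evalRevocationInfo(X509Certificate certToCheck, CertRevocationInfo revocationInfo) {
        Util.checkNotNull("certToCheck", certToCheck);
        AbstractCertRevocContext context = getContext();
        if (null == revocationInfo) {
            if (context.isLoggable(Level.FINER)) {
                context.log(Level.FINER, "Revocation status unavailable from OCSP (CertRevocationInfo is null).", new Object[0]);
            }
            return null;
        }
        // Boolean interpretation of the vendor status code; null means RsaUtil could not
        // map it (RsaUtil is expected to log the reason).
        Boolean statusFlag = RsaUtil.evalRevocStatusCode(CertRevocCheckMethodList.SelectableMethod.OCSP, revocationInfo.getStatus(), context.getLogListener());
        if (null == statusFlag) {
            return null;
        }
        int evidenceType = revocationInfo.getType();
        if (EVIDENCE_TYPE_OCSP != evidenceType) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Revocation status unavailable from OCSP, unexpected evidence type {0}.", Integer.valueOf(evidenceType));
            }
            return null;
        }
        Object evidence = revocationInfo.getEvidence();
        if (null == evidence) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Revocation status unavailable from OCSP, no evidence available.", new Object[0]);
            }
            return null;
        }
        // Guard the downcast: a mismatched evidence class is reported as "undetermined"
        // instead of surfacing as a ClassCastException in the caller's generic handler.
        if (!(evidence instanceof OCSPEvidence)) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Revocation status unavailable from OCSP, unexpected evidence class {0}.", evidence.getClass().getName());
            }
            return null;
        }
        OCSPEvidence ocspEvidence = (OCSPEvidence) evidence;
        int flags = ocspEvidence.getFlags();
        Date revocationTime = null;
        Integer reasonCode = null;
        OCSPRevocationInfo ocspRevocationInfo = ocspEvidence.getRevocationInfo();
        if (null != ocspRevocationInfo) {
            revocationTime = ocspRevocationInfo.getRevocationTime();
            reasonCode = Integer.valueOf(ocspRevocationInfo.getReasonCode());
        }
        HashMap<String, String> details = new HashMap<String, String>(10);
        details.put("Flags", Integer.toString(flags, 2));
        details.put("ProducedAt", CertRevocStatus.format(ocspEvidence.getProducedAt()));
        details.put("RevocationTime", CertRevocStatus.format(revocationTime));
        details.put("ReasonCode", null == reasonCode ? null : reasonCode.toString());
        return new CertRevocStatus(CertRevocCheckMethodList.SelectableMethod.OCSP, certToCheck.getSubjectX500Principal(), certToCheck.getIssuerX500Principal(), certToCheck.getSerialNumber(), ocspEvidence.getThisUpdate(), ocspEvidence.getNextUpdate(), statusFlag.booleanValue(), Boolean.valueOf(isNonceIgnored(flags)), details);
    }

    /** True when the evidence flags carry the bit this class reports as "nonce ignored". */
    private static boolean isNonceIgnored(int evidenceFlags) {
        return (evidenceFlags & OCSP_EVIDENCE_FLAG_NONCE_IGNORED) != 0;
    }
}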
