package com.rsa.cryptoj.c;

import com.rsa.cryptoj.c.dn;
import com.rsa.cryptoj.c.py;
import com.rsa.jcp.OCSPResponderConfig;
import com.rsa.jcp.OCSPWithRespondersParameters;
import com.rsa.jsafe.provider.CacheInterface;
import com.rsa.jsafe.provider.JsafeJCE;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/rsa/cryptoj/c/qa.class */
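/**
 * OCSP revocation checker (decompiled, obfuscated identifiers).
 *
 * <p>For a certificate under validation it collects responder URLs, optionally consults a
 * response cache, POSTs an {@code application/ocsp-request} over HTTP, validates the response
 * (responder authorisation, signature, freshness) and maps the status to a {@code qs} result:
 * code 0 (good), 1 (revoked) or 2 (undetermined).
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>Unless the override flag is set, responder URLs are read from an extension of the
 *       certificate being checked, so both the URL and the HTTP response body are untrusted
 *       input. The fetch is therefore limited to http/https and to a bounded body size.</li>
 *   <li>Only a connect timeout is configured; no read timeout is set, so a responder that
 *       accepts the connection and then stalls can block the caller.
 *       NOTE(review): consider {@code setReadTimeout} once a suitable configuration value exists.</li>
 *   <li>The last error text lives in the mutable field {@code v}, written without any
 *       synchronisation and never cleared between checks, so instances are not safe for
 *       concurrent use and {@link #a()} may report an error from an earlier check.</li>
 * </ul>
 */
public class qa implements qr {
    // Doubles as the multiplier applied to the configured time tolerance
    // (presumably seconds -> milliseconds) and as the size of the read buffer for
    // responses without a Content-length.
    private static final int a = 1000;
    private static final String b = "Content-length";
    private static final String c = "application/ocsp-request";
    private static final String d = "Content-type";
    // Defensive upper bound on an OCSP response body. This value is not part of the original
    // code; it was chosen for this revision and should be tuned per deployment.
    private static final int MAX_OCSP_RESPONSE_BYTES = 1 << 20;
    // PKIX parameters supplying cert stores and trust anchors; null when built via the
    // two-argument constructor.
    private final PKIXParameters e;
    // Explicitly configured responders; null when no responder parameters were supplied.
    private final List<OCSPResponderConfig> f;
    // true: configured responders replace the URLs found in the certificate (override AIA).
    private final boolean t;
    // true: configured responders are tried in addition to the certificate's URLs (supplement AIA).
    private final boolean u;
    // Last failure description; see a().
    private String v;
    private final cf w;
    private final List<ca> x;
    // Debug logger (presumably); messages are only emitted when de.a() returns true.
    private final de y;
    // Optional cache of raw OCSP responses keyed by the request's certificate id.
    private final CacheInterface z;

    /**
     * Creates a checker with no PKIX parameters, no configured responders and no cache.
     */
    public qa(cf cfVar, List<ca> list) {
        this(cfVar, list, null, null, false, false);
    }

    /**
     * Creates a checker from PKIX parameters and responder parameters.
     *
     * <p>A null {@code oCSPWithRespondersParameters} is now tolerated and treated as
     * "no override, no supplement" instead of failing with a NullPointerException.
     */
    public qa(cf cfVar, List<ca> list, PKIXParameters pKIXParameters, OCSPWithRespondersParameters oCSPWithRespondersParameters) {
        this(cfVar, list, pKIXParameters, oCSPWithRespondersParameters,
                oCSPWithRespondersParameters != null && oCSPWithRespondersParameters.isOverrideAIAEnabled(),
                oCSPWithRespondersParameters != null && oCSPWithRespondersParameters.isSupplementAIAEnabled());
    }

    private qa(cf cfVar, List<ca> list, PKIXParameters pKIXParameters, OCSPWithRespondersParameters oCSPWithRespondersParameters, boolean z, boolean z2) {
        this.y = new de();
        this.w = cfVar;
        this.x = list;
        this.e = pKIXParameters;
        this.t = z;
        this.u = z2;
        if (oCSPWithRespondersParameters != null) {
            this.f = oCSPWithRespondersParameters.getResponderConfigurations();
            this.z = oCSPWithRespondersParameters.getCache();
        } else {
            this.f = null;
            this.z = null;
        }
    }

    /**
     * Determines the revocation status of {@code x509Certificate} via OCSP.
     *
     * <p>Responder URLs are tried in insertion order: first those read from the certificate
     * (skipped when override is enabled), then the configured ones (when override or supplement
     * is enabled). The first responder that yields a validated status of 0, 1 or 2 decides the
     * outcome; responders that cannot be reached or whose response fails validation are skipped.
     *
     * @param x509Certificate certificate whose status is requested
     * @param pmVar issuer context (key, name, certificate) used to build and verify the exchange
     * @param date validation time that the response's validity window is compared against
     * @return result with code 0 (good), 1 (revoked) or 2 (status could not be determined)
     */
    @Override // com.rsa.cryptoj.c.qr
    public qs a(X509Certificate x509Certificate, pm pmVar, Date date) throws InvalidAlgorithmParameterException {
        LinkedHashSet<String> responderUrls = new LinkedHashSet<String>();
        if (!this.t) {
            // ow.cM is presumably the Authority Information Access extension and ow.dv the
            // OCSP access method; every matching entry contributes one URL.
            d a2 = pk.a(x509Certificate, ow.cM);
            int c2 = a2 == null ? 0 : a2.c();
            for (int i = 0; i < c2; i++) {
                d a3 = a2.a(i);
                if (a3.a(0).equals(ow.dv.c())) {
                    responderUrls.add((String) new ot(a3.a(1)).c());
                }
            }
        }
        // Guard against a null configuration list rather than failing with an NPE.
        if ((this.u || this.t) && this.f != null) {
            Iterator<OCSPResponderConfig> it = this.f.iterator();
            while (it.hasNext()) {
                String oCSPResponderURL = it.next().getOCSPResponderURL();
                if (oCSPResponderURL != null) {
                    responderUrls.add(oCSPResponderURL);
                }
            }
        }
        if (!this.t && !this.u && responderUrls.isEmpty()) {
            return new qs(2, "No OCSP responders are configured.", ow.cM);
        }
        // Working copy: the config lookup below removes URL-specific entries as they are used.
        ArrayList<OCSPResponderConfig> remainingConfigs = new ArrayList<OCSPResponderConfig>();
        if (this.f != null) {
            remainingConfigs.addAll(this.f);
        }
        for (String str : responderUrls) {
            OCSPResponderConfig a4 = a(str, pmVar, remainingConfigs);
            px pxVar = new px(this.w, this.x, x509Certificate, pmVar.b(), a4);
            py.a a5 = a(pxVar, a4, pmVar, date);
            if (a5 == null) {
                // Cache miss (or unusable cached entry): ask the responder.
                byte[] a6 = a(pxVar, str, a4.getOCSPProxy());
                if (a6 == null) {
                    continue;
                }
                py pyVar = new py(this.w, this.x, a6);
                if (!a(pxVar, pyVar, a4, pmVar, date)) {
                    continue;
                }
                a5 = pyVar.b(pxVar.b());
                a(a5, pxVar, a6);
            }
            switch (a5.f()) {
                case 0:
                    return new qs(0, null, ow.cM);
                case 1:
                    return new qs(1, "Certificate revoked on " + a5.e() + " for reason: " + pb.e.get(a5.c()), ow.cM);
                case 2:
                    this.v = qr.k;
                    return new qs(2, qr.k, ow.cM);
            }
            // Any other status value falls through to the next responder.
        }
        if (this.v == null) {
            this.v = "No valid OCSP Responder URLs specified.";
        }
        return new qs(2, "Could not determine revocation status: " + this.v, ow.cM);
    }

    /**
     * Looks up a cached response for the request and re-validates it.
     *
     * @return the single-response entry when the cached response validates and its status is
     *         0 or 1; otherwise null
     */
    private py.a a(px pxVar, OCSPResponderConfig oCSPResponderConfig, pm pmVar, Date date) {
        if (this.z == null) {
            return null;
        }
        byte[] item = this.z.getItem(pxVar.b());
        if (item == null) {
            return null;
        }
        py pyVar = new py(this.w, this.x, item);
        // Cached bytes get the same validation as a fresh response, including the time window.
        if (!a(pxVar, pyVar, oCSPResponderConfig, pmVar, date)) {
            return null;
        }
        py.a b2 = pyVar.b(pxVar.b());
        switch (b2.f()) {
            case 0:
            case 1:
                if (de.a()) {
                    this.y.a("OCSP response found in OCSP cache.");
                }
                return b2;
            default:
                return null;
        }
    }

    /**
     * Stores a validated response in the cache when its status is 0 or 1.
     *
     * <p>The lifetime is the distance from now to the value returned by {@code aVar.b()}.
     * Validation accepts responses where that value is null, so such responses are not cached
     * (the original dereferenced it unconditionally). Responses whose lifetime is already
     * non-positive are skipped as well.
     */
    private void a(py.a aVar, px pxVar, byte[] bArr) {
        if (this.z == null) {
            return;
        }
        if (aVar.f() != 0 && aVar.f() != 1) {
            return;
        }
        Date expiry = aVar.b();
        if (expiry == null) {
            return;
        }
        long lifetimeMillis = expiry.getTime() - System.currentTimeMillis();
        if (lifetimeMillis <= 0) {
            return;
        }
        if (de.a()) {
            this.y.a("Adding OCSP response to OCSP Cache.");
        }
        this.z.updateItem(pxVar.b(), bArr, lifetimeMillis);
    }

    /**
     * Validates an OCSP response against the request that produced it.
     *
     * <p>Checks, in order: the response parsed successfully; the signer is authorised (the
     * configured trusted responder certificate, the issuer itself, or a delegated responder
     * certificate issued by the same issuer that carries the required extended key usage and
     * passes path building); the signature verifies; {@code pyVar.a(pxVar.c())} holds
     * (presumably the nonce comparison); a single response exists for the requested
     * certificate; and the validity window, widened by the configured tolerance, contains
     * {@code date}. On failure the reason is stored in {@code v}.
     *
     * @return true when every check passes
     */
    private boolean a(px pxVar, py pyVar, OCSPResponderConfig oCSPResponderConfig, pm pmVar, Date date) {
        PublicKey publicKey;
        if (!pyVar.c()) {
            this.v = pyVar.d();
            return false;
        }
        X509Certificate trustedResponderCert = oCSPResponderConfig.getTrustedResponderCert();
        if (trustedResponderCert != null) {
            if (!pyVar.a(trustedResponderCert)) {
                this.v = qr.n;
                return false;
            }
            publicKey = trustedResponderCert.getPublicKey();
        } else if (pyVar.a(pmVar)) {
            publicKey = pmVar.b();
        } else {
            X509Certificate a2 = a(pyVar);
            if (a2 == null) {
                this.v = qr.q;
                return false;
            }
            if (!a2.getIssuerX500Principal().equals(pmVar.c())) {
                this.v = qr.r;
                return false;
            }
            List<String> list;
            try {
                list = a2.getExtendedKeyUsage();
            } catch (CertificateParsingException e) {
                // Return here so the parse error is not overwritten by the generic message below.
                this.v = "Certificate contained invalid extension: " + e.getMessage();
                return false;
            }
            if (list == null || !list.contains(ow.dt.toString())) {
                this.v = qr.r;
                return false;
            }
            // Revocation checking of the responder certificate is skipped when it carries the
            // ow.cW extension (presumably ocsp-nocheck) or when the configuration disables it.
            boolean checkResponderRevocation = pk.a(a2, ow.cW) == null && oCSPResponderConfig.isResponderRevocationCheckingEnabled();
            if (!a(a2, pmVar, checkResponderRevocation)) {
                return false;
            }
            publicKey = a2.getPublicKey();
        }
        if (!pyVar.a(publicKey)) {
            this.v = qr.p;
            return false;
        }
        if (!pyVar.a(pxVar.c())) {
            this.v = qr.o;
            return false;
        }
        py.a b2 = pyVar.b(pxVar.b());
        if (b2 == null) {
            this.v = qr.m;
            return false;
        }
        // Widen to long before multiplying so a large tolerance cannot overflow int arithmetic.
        long toleranceMillis = oCSPResponderConfig.getTimeTolerance() * (long) a;
        if (new Date(b2.a().getTime() - toleranceMillis).after(date)) {
            this.v = qr.j;
            return false;
        }
        // A response without an end-of-validity time is accepted as-is.
        if (b2.b() == null || !new Date(b2.b().getTime() + toleranceMillis).before(date)) {
            return true;
        }
        this.v = qr.l;
        return false;
    }

    /**
     * Finds the responder certificate: first among the certificates carried in the response,
     * then in the configured cert stores and trust anchors.
     *
     * @return the matching certificate, or null when none is found
     */
    private X509Certificate a(py pyVar) {
        Iterator<X509Certificate> it = pyVar.b().iterator();
        while (it.hasNext()) {
            X509Certificate next = it.next();
            if (pyVar.a(next)) {
                return next;
            }
        }
        return b(pyVar);
    }

    /**
     * Searches the PKIX cert stores and trust anchors for the responder certificate.
     *
     * <p>When {@code pyVar.a()} returns null every stored certificate is tested with
     * {@code pyVar.a(cert)}. Otherwise trust anchors are tested first and then the stores are
     * queried by subject; in that branch the first certificate with a matching subject is
     * returned without a further match test, and the caller still verifies issuer, key usage
     * and signature. Cert store failures are skipped so the remaining stores are still tried.
     *
     * @return the certificate found, or null (also when no PKIX parameters are available)
     */
    private X509Certificate b(py pyVar) {
        if (this.e == null) {
            // The two-argument constructor supplies no PKIX parameters; nothing to search.
            return null;
        }
        X500Principal a2 = pyVar.a();
        List<CertStore> certStores = this.e.getCertStores();
        if (a2 == null) {
            Iterator<CertStore> it = certStores.iterator();
            while (it.hasNext()) {
                try {
                    Iterator<? extends Certificate> it2 = it.next().getCertificates(new X509CertSelector()).iterator();
                    while (it2.hasNext()) {
                        X509Certificate x509Certificate = (X509Certificate) it2.next();
                        if (pyVar.a(x509Certificate)) {
                            return x509Certificate;
                        }
                    }
                } catch (CertStoreException ignored) {
                    // Deliberate best effort: an unreadable store must not stop the search.
                }
            }
            return null;
        }
        Iterator<TrustAnchor> it3 = this.e.getTrustAnchors().iterator();
        while (it3.hasNext()) {
            X509Certificate trustedCert = it3.next().getTrustedCert();
            if (trustedCert != null && pyVar.a(trustedCert)) {
                return trustedCert;
            }
        }
        X509CertSelector x509CertSelector = new X509CertSelector();
        try {
            x509CertSelector.setSubject(a2.getEncoded());
        } catch (IOException e3) {
            return null;
        }
        Iterator<CertStore> it4 = certStores.iterator();
        while (it4.hasNext()) {
            try {
                Collection<? extends Certificate> certificates = it4.next().getCertificates(x509CertSelector);
                if (!certificates.isEmpty()) {
                    return (X509Certificate) certificates.iterator().next();
                }
            } catch (CertStoreException ignored) {
                // Deliberate best effort: an unreadable store must not stop the search.
            }
        }
        return null;
    }

    /**
     * Builds a certification path from the delegated responder certificate to the issuer's
     * trust anchor, optionally with revocation checking of the responder certificate itself.
     *
     * @param z whether revocation checking is enabled for the path
     * @return true when a path could be built; otherwise false with the reason stored in {@code v}
     */
    private boolean a(X509Certificate x509Certificate, pm pmVar, boolean z) {
        try {
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setSubject(x509Certificate.getSubjectX500Principal().getEncoded());
            // Raw type kept from the original: the declared type of pmVar.a() is not visible here.
            HashSet hashSet = new HashSet();
            if (pmVar.a() != null) {
                hashSet.add(pmVar.a());
            } else {
                hashSet.add(new TrustAnchor(pmVar.d(), null));
            }
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(hashSet, x509CertSelector);
            CertStore certStore = CertStore.getInstance(JsafeJCE.COLLECTION, new CollectionCertStoreParameters(Arrays.asList(x509Certificate)), com.rsa.jsafe.provider.b.a(this.w, ka.a));
            if (this.e != null) {
                // No PKIX parameters exist when the two-argument constructor was used.
                pKIXBuilderParameters.setCertStores(this.e.getCertStores());
            }
            // Added once; the original registered the same store twice.
            pKIXBuilderParameters.addCertStore(certStore);
            pKIXBuilderParameters.setRevocationEnabled(z);
            new qc(this.w, this.x).engineBuild(pKIXBuilderParameters);
            return true;
        } catch (IOException e) {
            this.v = "Could not validate delegated responder certificate: " + e.getMessage();
            return false;
        } catch (GeneralSecurityException e2) {
            this.v = "Could not validate delegated responder certificate: " + e2.getMessage();
            return false;
        }
    }

    /**
     * Picks the responder configuration to use for {@code str}.
     *
     * <p>A configuration whose URL equals {@code str} wins immediately and is removed from
     * {@code list}. Otherwise URL-less configurations are ranked and the best one is cloned
     * with {@code str} as its URL: (0) trusted responder certificate accepted by
     * {@code pmVar.a(cert)}, (1) trusted certificate issued by the same issuer, (2) any trusted
     * certificate, (3) no trusted certificate. With no candidate a default configuration for
     * the URL is created.
     */
    private OCSPResponderConfig a(String str, pm pmVar, List<OCSPResponderConfig> list) {
        OCSPResponderConfig[] ranked = new OCSPResponderConfig[4];
        for (int i = 0; i < list.size(); i++) {
            OCSPResponderConfig candidate = list.get(i);
            if (candidate.getOCSPResponderURL() != null) {
                if (candidate.getOCSPResponderURL().equals(str)) {
                    list.remove(candidate);
                    return candidate;
                }
                continue;
            }
            X509Certificate trustedResponderCert = candidate.getTrustedResponderCert();
            int slot;
            if (trustedResponderCert != null && pmVar.a(trustedResponderCert) && ranked[0] == null) {
                slot = 0;
            } else if (trustedResponderCert != null && trustedResponderCert.getIssuerX500Principal().equals(pmVar.c()) && ranked[1] == null) {
                slot = 1;
            } else if (trustedResponderCert != null && ranked[2] == null) {
                slot = 2;
            } else if (trustedResponderCert == null && ranked[3] == null) {
                slot = 3;
            } else {
                continue;
            }
            // Clone so the shared configuration object is not modified when the URL is set.
            ranked[slot] = (OCSPResponderConfig) candidate.clone();
            ranked[slot].setResponderURL(str);
        }
        for (int i2 = 0; i2 < ranked.length; i2++) {
            if (ranked[i2] != null) {
                return ranked[i2];
            }
        }
        return new OCSPResponderConfig(str);
    }

    /**
     * Sends the encoded OCSP request by HTTP POST and returns the raw response body.
     *
     * <p>When {@code str2} (proxy URL) is given, the connection goes to the proxy's protocol,
     * host and port with the responder URL as the request target.
     *
     * <p>Changes from the original, all aimed at hostile or broken responders:
     * only http/https URLs are accepted (other schemes previously ended in an unchecked
     * ClassCastException); the body is limited to {@code MAX_OCSP_RESPONSE_BYTES}, whether or
     * not a Content-length is declared; and a body shorter than the declared length is reported
     * as an error instead of being returned partially filled.
     *
     * @param pxVar request to send
     * @param str responder URL
     * @param str2 proxy URL, or null for a direct connection
     * @return the response bytes, or null on any failure (reason stored in {@code v})
     */
    public byte[] a(px pxVar, String str, String str2) {
        InputStream in = null;
        OutputStream out = null;
        try {
            byte[] request = pxVar.a();
            URL url;
            if (str2 != null) {
                URL proxyUrl = new URL(str2);
                url = new URL(proxyUrl.getProtocol(), proxyUrl.getHost(), proxyUrl.getPort(), str);
            } else {
                url = new URL(str);
            }
            String protocol = url.getProtocol();
            if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
                this.v = "Unsupported OCSP responder URL scheme: " + protocol;
                return null;
            }
            HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
            if (co.D() != 0) {
                httpURLConnection.setConnectTimeout(co.D());
            }
            httpURLConnection.setDoOutput(true);
            httpURLConnection.setRequestMethod("POST");
            httpURLConnection.setRequestProperty(d, c);
            httpURLConnection.setRequestProperty(b, String.valueOf(request.length));
            out = httpURLConnection.getOutputStream();
            out.write(request);
            out.flush();
            out.close();
            if (httpURLConnection.getResponseCode() != 200) {
                this.v = "HTTP response code was " + httpURLConnection.getResponseCode();
                return null;
            }
            in = httpURLConnection.getInputStream();
            int contentLength = httpURLConnection.getContentLength();
            if (contentLength > MAX_OCSP_RESPONSE_BYTES) {
                // The declared length is responder-controlled; never size a buffer from it unchecked.
                this.v = "OCSP response exceeds maximum allowed size";
                return null;
            }
            if (contentLength != -1) {
                byte[] body = new byte[contentLength];
                int offset = 0;
                while (offset < contentLength) {
                    int read = in.read(body, offset, contentLength - offset);
                    if (read == -1) {
                        this.v = "OCSP response shorter than declared Content-length";
                        return null;
                    }
                    offset += read;
                }
                return body;
            }
            ByteArrayOutputStream collected = new ByteArrayOutputStream();
            byte[] chunk = new byte[a];
            int total = 0;
            boolean tooLarge = false;
            while (true) {
                int read = in.read(chunk, 0, chunk.length);
                if (read == -1) {
                    break;
                }
                total += read;
                if (total > MAX_OCSP_RESPONSE_BYTES) {
                    tooLarge = true;
                    break;
                }
                collected.write(chunk, 0, read);
            }
            // Same post-read call as the original (presumably clears the scratch buffer).
            dn.a.a(chunk);
            if (tooLarge) {
                this.v = "OCSP response exceeds maximum allowed size";
                return null;
            }
            return collected.toByteArray();
        } catch (IOException e9) {
            this.v = e9.getMessage();
            return null;
        } catch (CertPathValidatorException e12) {
            this.v = e12.getMessage();
            return null;
        } finally {
            closeQuietly(in);
            closeQuietly(out);
        }
    }

    /** Closes a stream, ignoring failures; used only for cleanup after the result is decided. */
    private static void closeQuietly(java.io.Closeable closeable) {
        if (closeable != null) {
            try {
                closeable.close();
            } catch (IOException ignored) {
                // Nothing useful can be done about a failed close during cleanup.
            }
        }
    }

    /**
     * Returns the most recent failure description recorded by this checker, or null when
     * none has been recorded. The value is not reset between checks.
     */
    public String a() {
        return this.v;
    }
}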
