package com.wizvera.wcrypto;

import com.wizvera.cert.X509CertificateHolder;
import com.wizvera.cert.jcajce.JcaX509CertificateConverter;
import com.wizvera.cert.ocsp.BasicOCSPResp;
import com.wizvera.cert.ocsp.CertificateID;
import com.wizvera.cert.ocsp.CertificateStatus;
import com.wizvera.cert.ocsp.OCSPException;
import com.wizvera.cert.ocsp.OCSPReq;
import com.wizvera.cert.ocsp.OCSPReqBuilder;
import com.wizvera.cert.ocsp.OCSPResp;
import com.wizvera.cert.ocsp.RevokedStatus;
import com.wizvera.cert.ocsp.SingleResp;
import com.wizvera.operator.OperatorCreationException;
import com.wizvera.operator.jcajce.JcaContentVerifierProviderBuilder;
import com.wizvera.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import com.wizvera.provider.asn1.ASN1OctetString;
import com.wizvera.provider.asn1.DEROctetString;
import com.wizvera.provider.asn1.ocsp.OCSPObjectIdentifiers;
import com.wizvera.provider.asn1.x509.Extension;
import com.wizvera.provider.asn1.x509.Extensions;
import com.wizvera.provider.jce.provider.WizveraProvider;
import java.io.IOException;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/* loaded from: classes4.dex */
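/**
 * Minimal OCSP client: builds a nonce-bearing OCSP request for one certificate, posts it
 * through the supplied {@link WHttpClient}, and maps the signed answer to a {@link CertStatus}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The HTTP transport is not assumed to be confidential or authenticated. The decision
 *       rests on the response signature and on who is allowed to produce that signature, so
 *       the responder certificate is tied back to the issuer (see {@link #resolveResponderKey}).</li>
 *   <li>NOTE(review): thisUpdate/nextUpdate of the matched single response are not examined
 *       here, so the nonce comparison is the only replay protection in this class.</li>
 * </ul>
 */
public class WOcspClient {
    /** Extended key usage OID id-kp-OCSPSigning, required on a delegated responder certificate. */
    private static final String OCSP_SIGNING_EKU_OID = "1.3.6.1.5.5.7.3.9";

    private static final WizveraProvider wizveraProvider;
    private WHttpClient httpClient;

    /** Revocation state reported for the queried certificate. */
    public enum CertStatus {
        Good,
        Revoked,
        Unknown
    }

    static {
        // Registers the provider JVM-wide as a side effect of loading this class.
        WizveraProvider wizveraProvider2 = new WizveraProvider();
        wizveraProvider = wizveraProvider2;
        Security.addProvider(wizveraProvider2);
    }

    /**
     * @param wHttpClient transport used to POST the encoded OCSP request
     */
    public WOcspClient(WHttpClient wHttpClient) {
        this.httpClient = wHttpClient;
    }

    /**
     * Compares the nonce extension of the request with the one echoed in the response.
     *
     * @return {@code true} when neither side carries a nonce or both carry the same value;
     *         {@code false} when only one side has a nonce or the values differ
     */
    private boolean checkNonce(BasicOCSPResp basicOCSPResp, OCSPReq oCSPReq) {
        Extension requestNonce = oCSPReq.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        Extension responseNonce = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (requestNonce == null && responseNonce == null) {
            return true;
        }
        if (requestNonce == null || responseNonce == null) {
            // generateOCSPReq always adds a nonce, so a response without one ends up here.
            return false;
        }
        return requestNonce.getExtnValue().equals(responseNonce.getExtnValue());
    }

    /**
     * Builds a single-certificate OCSP request carrying a fresh 16-byte random nonce.
     *
     * @param x509Certificate certificate passed to {@code CertificateID} together with the serial
     *                        (callers in this class pass the issuer certificate)
     * @param bigInteger      serial number of the certificate whose status is requested
     * @throws WCryptoException if the certificate cannot be encoded or the request cannot be built
     */
    private static OCSPReq generateOCSPReq(X509Certificate x509Certificate, BigInteger bigInteger) throws WCryptoException {
        try {
            CertificateID certificateID = new CertificateID(new JcaDigestCalculatorProviderBuilder().setProvider(wizveraProvider).build().get(CertificateID.HASH_SHA1), new X509CertificateHolder(x509Certificate.getEncoded()), bigInteger);
            OCSPReqBuilder oCSPReqBuilder = new OCSPReqBuilder();
            oCSPReqBuilder.addRequest(certificateID);
            // Unpredictable nonce so that a previously captured response cannot be replayed.
            byte[] nonce = new byte[16];
            new SecureRandom().nextBytes(nonce);
            oCSPReqBuilder.setRequestExtensions(new Extensions(new Extension[]{new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, (ASN1OctetString) new DEROctetString(nonce))}));
            return oCSPReqBuilder.build();
        } catch (OCSPException e) {
            throw new WCryptoException(e);
        } catch (OperatorCreationException e2) {
            throw new WCryptoException(e2);
        } catch (IOException e3) {
            throw new WCryptoException(e3);
        } catch (CertificateEncodingException e4) {
            throw new WCryptoException(e4);
        }
    }

    /**
     * Decides which public key is allowed to have signed the OCSP response.
     *
     * <p>A certificate embedded in the response is attacker-controlled data until it is linked
     * to the issuer. The key is accepted only if the response is signed by the issuer itself,
     * or by a delegated responder whose certificate is signed by the issuer, is currently
     * valid, and carries the id-kp-OCSPSigning extended key usage. A responder trusted purely
     * by local configuration is not supported by this check.
     *
     * @param certs  certificates embedded in the basic OCSP response; may be null or empty
     * @param issuer certificate of the CA that issued the certificate being checked
     * @return the public key the response signature must verify against
     * @throws WCryptoException     if the embedded responder certificate is not authorised by the issuer
     * @throws CertificateException if the embedded certificate cannot be converted or is outside its validity period
     */
    private static java.security.PublicKey resolveResponderKey(X509CertificateHolder[] certs, X509Certificate issuer) throws WCryptoException, CertificateException {
        if (certs == null || certs.length == 0) {
            // No responder certificate supplied: only the issuing CA's own key is acceptable.
            return issuer.getPublicKey();
        }
        X509Certificate responder = new JcaX509CertificateConverter().setProvider(wizveraProvider).getCertificate(certs[0]);
        if (responder.equals(issuer)) {
            return issuer.getPublicKey();
        }
        try {
            responder.verify(issuer.getPublicKey());
        } catch (java.security.GeneralSecurityException e) {
            throw new WCryptoException("OCSP responder certificate is not issued by the certificate issuer", e);
        }
        responder.checkValidity();
        java.util.List<String> extendedKeyUsage = responder.getExtendedKeyUsage();
        if (extendedKeyUsage == null || !extendedKeyUsage.contains(OCSP_SIGNING_EKU_OID)) {
            throw new WCryptoException("OCSP responder certificate is not authorized for OCSP signing");
        }
        return responder.getPublicKey();
    }

    /**
     * Queries the OCSP responder named in the certificate itself.
     *
     * @see #getCertStatus(WCertificate, WCertificate, URL)
     */
    public CertStatus getCertStatus(WCertificate wCertificate, WCertificate wCertificate2) throws WCryptoException, WHttpClientException {
        return getCertStatus(wCertificate, wCertificate2, null);
    }

    /**
     * Requests and validates the OCSP status of {@code wCertificate}.
     *
     * @param wCertificate  certificate whose serial number is queried
     * @param wCertificate2 certificate used as the issuer when building the request and when
     *                      authorising the responder
     * @param url           responder URL; when {@code null}, {@code wCertificate.ocspUrl()} is used
     * @return the status of the matching single response
     * @throws WCryptoException     if the URL is invalid, the responder reports a non-successful
     *                              status, the response is malformed, its signer is not authorised,
     *                              its signature or nonce does not match, or no entry matches the request
     * @throws WHttpClientException if the HTTP exchange fails
     */
    public CertStatus getCertStatus(WCertificate wCertificate, WCertificate wCertificate2, URL url) throws WCryptoException, WHttpClientException {
        if (url == null) {
            try {
                url = new URL(wCertificate.ocspUrl());
            } catch (MalformedURLException e) {
                throw new WCryptoException("invalid OCSP url", e);
            }
        }
        X509Certificate issuerCertificate = wCertificate2.x509Certificate();
        OCSPReq generateOCSPReq = generateOCSPReq(issuerCertificate, wCertificate.x509Certificate().getSerialNumber());
        CertificateID certID = generateOCSPReq.getRequestList()[0].getCertID();
        // Handler nesting is kept as in the recovered source so that exception mapping is unchanged.
        try {
            try {
                OCSPResp oCSPResp = new OCSPResp(this.httpClient.post(url, generateOCSPReq.getEncoded(), "application/ocsp-request", "application/ocsp-response"));
                if (oCSPResp.getStatus() != 0) {
                    throw new WCryptoException("OCSPResponseStatus is not successful:" + oCSPResp.getStatus());
                }
                Object responseObject = oCSPResp.getResponseObject();
                if (!(responseObject instanceof BasicOCSPResp)) {
                    // Missing or unexpected response bytes: fail closed instead of a ClassCastException/NPE.
                    throw new WCryptoException("OCSP response does not contain a basic OCSP response");
                }
                BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;
                X509CertificateHolder[] certs = basicOCSPResp.getCerts();
                try {
                    // The signing key must be authorised by the issuer, not merely present in the response.
                    java.security.PublicKey responderKey = resolveResponderKey(certs, issuerCertificate);
                    if (!basicOCSPResp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(wizveraProvider).build(responderKey))) {
                        throw new WCryptoException("OCSP response is not verified");
                    }
                    if (!checkNonce(basicOCSPResp, generateOCSPReq)) {
                        throw new WCryptoException("OCSP nonce mismatch");
                    }
                    for (SingleResp singleResp : basicOCSPResp.getResponses()) {
                        if (certID.equals(singleResp.getCertID())) {
                            CertificateStatus certStatus = singleResp.getCertStatus();
                            if (certStatus == CertificateStatus.GOOD) {
                                return CertStatus.Good;
                            }
                            if (certStatus instanceof RevokedStatus) {
                                return CertStatus.Revoked;
                            }
                            return CertStatus.Unknown;
                        }
                    }
                    throw new WCryptoException("OCSP response not found");
                } catch (Exception e2) {
                    throw new WCryptoException("OCSP response could not be verified (" + e2.getMessage() + ")", e2);
                }
            } catch (OCSPException e3) {
                throw new WCryptoException(e3);
            } catch (IOException e4) {
                throw new WCryptoException("OCSP response decoding error", e4);
            } catch (CertificateException e5) {
                throw new WCryptoException(e5);
            }
        } catch (IOException e6) {
            throw new WCryptoException(e6);
        }
    }
}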
