package dev.fitko.fitconnect.jwkvalidator.x5c.ocsp;

import java.net.Proxy;
import java.security.cert.X509Certificate;
import java.util.Optional;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

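/* loaded from: input_file:dev/fitko/fitconnect/jwkvalidator/x5c/ocsp/OCSPResponseManager.class */
/**
 * Downloads an OCSP response for a leaf certificate and applies a chain of structural checks
 * before handing the {@link BasicOCSPResp} back to the caller.
 *
 * <p>The checks performed here, in order: the download returned a response; the response status
 * is {@link OCSPResp#SUCCESSFUL}; the response object is a {@code BasicOCSPResp}; it carries
 * exactly one {@link SingleResp}; and, when the response carries an {@code id-pkix-ocsp-nonce}
 * extension, its value equals the nonce of the request. Every failed check yields an empty
 * {@link Optional} and is logged.
 *
 * <p>NOTE(review): this class does not verify the responder's signature over the basic response
 * and does not compare the {@code CertID} of the single response with the leaf certificate;
 * confirm that the caller performs those checks before trusting the returned status. A response
 * that omits the nonce extension is accepted after a warning (see {@link #verifyNonceExtension});
 * such a response cannot be bound to this request, so freshness then rests on the response's own
 * validity period — confirm this matches the intended policy.
 *
 * <p>Instances are immutable; the only state is the {@link Proxy} used for the download.
 */
class OCSPResponseManager {
    private static final Logger log = LoggerFactory.getLogger(OCSPResponseManager.class);

    /** Proxy handed to every {@link OCSPDownloadRequest}; never {@code null}. */
    private final Proxy proxy;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a manager that downloads through the given proxy.
     *
     * @param proxy proxy for the OCSP download; {@code null} selects {@link Proxy#NO_PROXY}
     */
    public OCSPResponseManager(Proxy proxy) {
        this.proxy = proxy == null ? Proxy.NO_PROXY : proxy;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Obtains the OCSP response for {@code x509Certificate} from {@code str} and runs the checks
     * described on the class.
     *
     * @param oCSPReq         the request that was (or will be) sent; its nonce extension is compared
     *                        with the response nonce
     * @param str             OCSP responder URL the request is sent to
     * @param x509Certificate leaf certificate the request is about; used for logging only here
     * @return the basic response if every check passed, otherwise empty
     */
    public Optional<BasicOCSPResp> obtainValidatedBasicOcspResponse(OCSPReq oCSPReq, String str, X509Certificate x509Certificate) {
        return obtainOcspResponse(oCSPReq, str, x509Certificate)
                .flatMap(this::verifyOcspResponse)
                .flatMap(oCSPResp -> extractBasicOcspResponse(oCSPResp, str, x509Certificate))
                .flatMap(this::verifySingleResponseInBasicResponse)
                .flatMap(basicOCSPResp -> verifyNonceExtension(oCSPReq, basicOCSPResp, str, x509Certificate));
    }

    /**
     * Downloads the response via {@link OCSPDownloadRequest}, logging a warning when nothing came back.
     *
     * @return the downloaded response, or empty if the download yielded none
     */
    private Optional<OCSPResp> obtainOcspResponse(OCSPReq oCSPReq, String str, X509Certificate x509Certificate) {
        Optional<OCSPResp> downloadResponse = new OCSPDownloadRequest(this.proxy).downloadResponse(str, oCSPReq, x509Certificate);
        if (downloadResponse.isEmpty()) {
            log.warn("Failed obtaining OCSP response for leaf cert {} in url {}", x509Certificate.getSerialNumber(), str);
        }
        return downloadResponse;
    }

    /**
     * Accepts only responses whose status is {@link OCSPResp#SUCCESSFUL} (0); any other status
     * (e.g. tryLater, unauthorized) is logged and dropped.
     *
     * @return the response if its status is successful, otherwise empty
     */
    private Optional<OCSPResp> verifyOcspResponse(OCSPResp oCSPResp) {
        int status = oCSPResp.getStatus();
        if (status == OCSPResp.SUCCESSFUL) {
            return Optional.of(oCSPResp);
        }
        // Logged for consistency with the other checks, which all report why they rejected.
        log.warn("OCSP response status {} is not successful", status);
        return Optional.empty();
    }

    /**
     * Unwraps the basic response object. A missing object, an object of another type, or an
     * {@link OCSPException} while decoding all result in a warning and an empty result.
     *
     * @return the basic response, or empty if it cannot be extracted
     */
    private Optional<BasicOCSPResp> extractBasicOcspResponse(OCSPResp oCSPResp, String str, X509Certificate x509Certificate) {
        try {
            // Guarded with instanceof so an unexpected response type is reported like the
            // other failures instead of surfacing as a ClassCastException.
            Object responseObject = oCSPResp.getResponseObject();
            if (responseObject instanceof BasicOCSPResp) {
                return Optional.of((BasicOCSPResp) responseObject);
            }
            log.warn("Invalid response for leaf cert {} in url {}", x509Certificate.getSerialNumber(), str);
            return Optional.empty();
        } catch (OCSPException e) {
            // SLF4J treats a trailing Throwable argument as the exception to log.
            log.warn("Invalid OCSP response object for leaf cert {} in url {}", x509Certificate.getSerialNumber(), str, e);
            return Optional.empty();
        }
    }

    /**
     * Requires exactly one {@link SingleResp} in the basic response, since the request covers a
     * single leaf certificate.
     *
     * @return the basic response if it holds exactly one single response, otherwise empty
     */
    private Optional<BasicOCSPResp> verifySingleResponseInBasicResponse(BasicOCSPResp basicOCSPResp) {
        SingleResp[] responses = basicOCSPResp.getResponses();
        boolean exactlyOne = responses != null && responses.length == 1;
        return exactlyOne ? Optional.of(basicOCSPResp) : Optional.empty();
    }

    /**
     * Compares the response nonce with the request nonce when the response carries one.
     *
     * <p>A response without a nonce extension is accepted (after the warning logged by
     * {@link #obtainResponseNonceExtension}); only a present-but-mismatching nonce, or a response
     * nonce without a corresponding request nonce, is rejected.
     *
     * @return the basic response if the nonce check passed or no response nonce exists, otherwise empty
     */
    private Optional<BasicOCSPResp> verifyNonceExtension(OCSPReq oCSPReq, BasicOCSPResp basicOCSPResp, String str, X509Certificate x509Certificate) {
        Optional<Extension> responseNonce = obtainResponseNonceExtension(basicOCSPResp, str, x509Certificate);
        if (responseNonce.isEmpty()) {
            return Optional.of(basicOCSPResp);
        }
        if (!responseNonceValid(oCSPReq, responseNonce.get(), str, x509Certificate)) {
            log.error("Invalid nonce for leaf cert {} in url {}", x509Certificate.getSerialNumber(), str);
            return Optional.empty();
        }
        return Optional.of(basicOCSPResp);
    }

    /**
     * Looks up the {@code id-pkix-ocsp-nonce} extension of the response, warning when the response
     * has no extensions at all or lacks that particular one.
     *
     * @return the nonce extension, or empty if absent
     */
    private Optional<Extension> obtainResponseNonceExtension(BasicOCSPResp basicOCSPResp, String str, X509Certificate x509Certificate) {
        if (!basicOCSPResp.hasExtensions()) {
            log.warn("OCSP response for leaf cert {} and url {} returned no extensions and therefore no nonce", x509Certificate.getSerialNumber(), str);
            return Optional.empty();
        }
        Extension extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (extension == null) {
            log.warn("OCSP response for leaf cert {} and url {} returned no id_pkix_ocsp_nonce extension", x509Certificate.getSerialNumber(), str);
            return Optional.empty();
        }
        return Optional.of(extension);
    }

    /**
     * Checks that the request carries a nonce extension and that its value equals the response's.
     *
     * @param extension the nonce extension taken from the response
     * @return {@code true} if both nonces are present and equal; {@code false} (with an error
     *         logged) if the request has no nonce or the values differ
     */
    private boolean responseNonceValid(OCSPReq oCSPReq, Extension extension, String str, X509Certificate x509Certificate) {
        Extension requestNonce = oCSPReq.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (requestNonce == null) {
            log.error("OCSP request for leaf cert {} and url {} returned no id_pkix_ocsp_nonce extension", x509Certificate.getSerialNumber(), str);
            return false;
        }
        // ASN.1 octet-string equality compares the encoded nonce bytes.
        if (requestNonce.getExtnValue().equals(extension.getExtnValue())) {
            return true;
        }
        log.error("Request nonce and response nonce are not equal for leaf cert {} and url {}", x509Certificate.getSerialNumber(), str);
        return false;
    }
}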
