package com.karasiq.tls.x509.ocsp;

import com.karasiq.tls.TLS;
import com.karasiq.tls.internal.BCConversions$;
import com.karasiq.tls.internal.BCConversions$AsymmetricKeyParameterOps$;
import com.karasiq.tls.internal.TLSUtils$;
import com.karasiq.tls.x509.X509Utils$;
import com.karasiq.tls.x509.ocsp.OCSP;
import java.io.InputStream;
import java.net.URL;
import java.security.SecureRandom;
import java.util.Date;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.jcajce.JcaBasicOCSPRespBuilder;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.encoders.Base64;
import scala.Array$;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Some;
import scala.StringContext;
import scala.Tuple2;
import scala.collection.IterableLike;
import scala.collection.Seq;
import scala.collection.Seq$;
import scala.collection.mutable.ArrayOps;
import scala.concurrent.package$;
import scala.math.BigInt;
import scala.reflect.ClassTag$;
import scala.runtime.BoxesRunTime;

/* compiled from: OCSP.scala */
/* loaded from: input_file:com/karasiq/tls/x509/ocsp/OCSP$.class */
/**
 * Singleton module (decompiled from the Scala object in OCSP.scala) that builds OCSP requests and
 * responses with Bouncy Castle, fetches a response over a URL, and checks its signature.
 *
 * <p>Review summary of what the visible code does and does not check:
 * <ul>
 *   <li>Response acceptance in {@link #fromUrl} rests on the overall response status, the response
 *       type, and {@code verify(BasicOCSPResp, Certificate)}. Nothing in this class compares a nonce
 *       or inspects producedAt / thisUpdate / nextUpdate, so freshness must be enforced by the caller.</li>
 *   <li>The signature is checked only against the certificate passed in. Certificates embedded in the
 *       response, as used by a delegated responder, are not consulted here.</li>
 *   <li>{@link #getStatus} takes the responder URL from the certificate under test and hands it to
 *       {@code java.net.URL#openStream()} without a scheme, timeout or size restriction in this class.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. Some lambda bodies redeclare their parameter names and are
 * not valid Java as written, so the code is annotated rather than rewritten.
 */
public final class OCSP$ {
    // Singleton instance; assigned once by the private constructor.
    public static OCSP$ MODULE$;
    // Digest used to build CertificateID values and responder IDs; obtained with CertificateID.HASH_SHA1.
    private final DigestCalculator digestCalculator;
    // Source of the request nonce in signedRequest(); obtained with SecureRandom.getInstanceStrong().
    private final SecureRandom secureRandom;

    static {
        // The constructor stores the new instance in MODULE$, so the result is not assigned here.
        new OCSP$();
    }

    /** Returns the digest calculator created in the constructor. */
    private DigestCalculator digestCalculator() {
        return this.digestCalculator;
    }

    /** Returns the SecureRandom created in the constructor. */
    private SecureRandom secureRandom() {
        return this.secureRandom;
    }

    /**
     * Builds the OCSP CertificateID for one certificate serial number.
     *
     * @param certificate certificate wrapped as the holder passed to CertificateID; getStatus() passes
     *                    its second argument here, which by the Bouncy Castle constructor is the issuer
     * @param bigInt      serial number of the certificate whose status is being asked for
     * @return the CertificateID computed with this module's digest calculator
     */
    public CertificateID id(Certificate certificate, BigInt bigInt) {
        return new CertificateID(digestCalculator(), new X509CertificateHolder(certificate), bigInt.underlying());
    }

    /**
     * Builds a signed OCSP request for the given IDs, carrying a fresh 16-byte nonce.
     *
     * <p>The requestor name is the subject of the key's certificate, the request is signed with the
     * key's private half, and the key's certificate chain is attached.
     *
     * <p>NOTE(review): the nonce bytes are not returned or stored. A caller that wants to bind the
     * response to this request has to read the nonce extension back from the returned OCSPReq and
     * compare it itself; no method in this class performs that comparison.
     *
     * @param certificateKey certificate, chain and key pair used as requestor identity and signer
     * @param seq            certificate IDs to query
     * @return the signed request
     */
    public OCSPReq signedRequest(TLS.CertificateKey certificateKey, Seq<CertificateID> seq) {
        OCSPReqBuilder oCSPReqBuilder = (OCSPReqBuilder) seq.foldLeft(new OCSPReqBuilder(), (oCSPReqBuilder2, certificateID) -> {
            return oCSPReqBuilder2.addRequest(certificateID);
        });
        oCSPReqBuilder.setRequestorName(certificateKey.certificate().getSubject());
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        byte[] bArr = new byte[16];
        secureRandom().nextBytes(bArr);
        // The nonce extension is added as non-critical (second argument false).
        extensionsGenerator.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(bArr));
        oCSPReqBuilder.setRequestExtensions(extensionsGenerator.generate());
        return oCSPReqBuilder.build(X509Utils$.MODULE$.contentSigner(BCConversions$AsymmetricKeyParameterOps$.MODULE$.toPrivateKey$extension(BCConversions$.MODULE$.AsymmetricKeyParameterOps(certificateKey.key().getPrivate())), X509Utils$.MODULE$.contentSigner$default$2()), (X509CertificateHolder[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(certificateKey.certificateChain().getCertificateList())).map(certificate -> {
            return new X509CertificateHolder(certificate);
        }, Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(X509CertificateHolder.class))));
    }

    /**
     * Builds an unsigned OCSP request for the given IDs.
     *
     * <p>No request extensions are set, so the request carries no nonce. Replay protection for the
     * answer then depends on validity-time checks, which this class does not perform.
     *
     * @param seq certificate IDs to query
     * @return the unsigned request
     */
    public OCSPReq request(Seq<CertificateID> seq) {
        return ((OCSPReqBuilder) seq.foldLeft(new OCSPReqBuilder(), (oCSPReqBuilder, certificateID) -> {
            return oCSPReqBuilder.addRequest(certificateID);
        })).build();
    }

    /**
     * Builds and signs a basic OCSP response containing one entry per supplied status.
     *
     * <p>The responder is identified from the key pair's public key, the response is signed with the
     * private key, the certificate chain is attached, and producedAt is the current time. No response
     * extensions are set, so a request nonce is not echoed by this method.
     *
     * @param certificateKey responder certificate chain and key pair
     * @param seq            statuses to include; a null element ends in a MatchError
     * @return the signed basic response
     */
    public BasicOCSPResp response(TLS.CertificateKey certificateKey, Seq<OCSP.Status> seq) {
        return ((BasicOCSPRespBuilder) seq.foldLeft(new JcaBasicOCSPRespBuilder(BCConversions$AsymmetricKeyParameterOps$.MODULE$.toPublicKey$extension(BCConversions$.MODULE$.AsymmetricKeyParameterOps(certificateKey.key().getPublic())), digestCalculator()), (basicOCSPRespBuilder, status) -> {
            // Decompiled Scala pattern match on (builder, status); the local redeclarations below
            // are decompiler artefacts and shadow the lambda parameters.
            Tuple2 tuple2 = new Tuple2(basicOCSPRespBuilder, status);
            if (tuple2 != null) {
                BasicOCSPRespBuilder basicOCSPRespBuilder = (BasicOCSPRespBuilder) tuple2._1();
                OCSP.Status status = (OCSP.Status) tuple2._2();
                if (status != null) {
                    return basicOCSPRespBuilder.addResponse(status.id(), status.status());
                }
            }
            throw new MatchError(tuple2);
        })).build(X509Utils$.MODULE$.contentSigner(BCConversions$AsymmetricKeyParameterOps$.MODULE$.toPrivateKey$extension(BCConversions$.MODULE$.AsymmetricKeyParameterOps(certificateKey.key().getPrivate())), X509Utils$.MODULE$.contentSigner$default$2()), (X509CertificateHolder[]) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(certificateKey.certificateChain().getCertificateList())).map(certificate -> {
            return new X509CertificateHolder(certificate);
        }, Array$.MODULE$.canBuildFrom(ClassTag$.MODULE$.apply(X509CertificateHolder.class))), new Date());
    }

    /**
     * Sends the request as a GET by appending its Base64 encoding to the URL and parses the reply.
     *
     * <p>Runs inside {@code scala.concurrent.blocking}. The stream is closed quietly after parsing.
     *
     * <p>NOTE(review): the Base64 text is appended as-is. Standard Base64 output can contain '+', '/'
     * and '=', and RFC 6960 Appendix A.1 describes the GET form as the URL-encoding of the Base64
     * text, so some requests may be misrouted or rejected by a responder.
     *
     * <p>NOTE(review): {@code new URL(str).openStream()} follows whatever scheme the JVM has a handler
     * for and sets no connect or read timeout; the reply size is not bounded here either. In
     * getStatus() the string comes from the certificate being checked, so an allow-list of
     * http/https plus time and size limits belongs at this point or in the caller.
     *
     * @param str     responder base URL
     * @param oCSPReq request to send
     * @return the parsed OCSP response
     */
    private OCSPResp loadUrl(String str, OCSPReq oCSPReq) {
        return (OCSPResp) package$.MODULE$.blocking(() -> {
            String base64String = Base64.toBase64String(oCSPReq.getEncoded());
            // Adds a "/" separator only when the base URL does not already end with one.
            InputStream openStream = new URL(str.endsWith("/") ? str + base64String : str + "/" + base64String).openStream();
            try {
                return new OCSPResp(openStream);
            } finally {
                IOUtils.closeQuietly(openStream);
            }
        });
    }

    /**
     * Checks that a basic OCSP response was signed by the given certificate's key.
     *
     * <p>Both conditions must hold: {@code isKeyUsageAllowed(certificate, 2)} and a valid signature
     * under the certificate's verifier. The value 2 matches Bouncy Castle's KeyUsage.cRLSign bit;
     * confirm against X509Utils.isKeyUsageAllowed.
     *
     * <p>NOTE(review): this is a signature check only. Response time fields, nonce, and any responder
     * certificate carried inside the response are not examined.
     *
     * @param basicOCSPResp response to check
     * @param certificate   certificate expected to have signed the response
     * @return true when the key usage test passes and the signature is valid
     */
    public boolean verify(BasicOCSPResp basicOCSPResp, Certificate certificate) {
        return X509Utils$.MODULE$.isKeyUsageAllowed(certificate, 2) && basicOCSPResp.isSignatureValid(X509Utils$.MODULE$.contentVerifierProvider(certificate));
    }

    /**
     * Checks that an OCSP request was signed by the given certificate's key.
     *
     * <p>Both conditions must hold: {@code isKeyUsageAllowed(certificate, 128)} and a valid signature.
     * The value 128 matches Bouncy Castle's KeyUsage.digitalSignature bit; confirm against
     * X509Utils.isKeyUsageAllowed.
     *
     * @param oCSPReq     request to check
     * @param certificate certificate expected to have signed the request
     * @return true when the key usage test passes and the signature is valid
     */
    public boolean verify(OCSPReq oCSPReq, Certificate certificate) {
        return X509Utils$.MODULE$.isKeyUsageAllowed(certificate, 128) && oCSPReq.isSignatureValid(X509Utils$.MODULE$.contentVerifierProvider(certificate));
    }

    /**
     * Fetches an OCSP response from a URL and returns it only if it verifies against the certificate.
     *
     * <p>A response status other than 0 fails the assertion with the message "OCSP error: N".
     * NOTE(review): the status check is a Scala {@code assert}, which raises an AssertionError rather
     * than an ordinary exception and, in Scala, can be elided at compile time; an explicit check
     * would make the rejection unconditional.
     *
     * <p>None is returned both when the response object is not a BasicOCSPResp and when verify()
     * fails, so the caller cannot tell the two apart.
     *
     * @param str         responder URL
     * @param certificate certificate the response signature is verified against
     * @param oCSPReq     request to send
     * @return Some(response) when verified, otherwise None
     */
    public Option<BasicOCSPResp> fromUrl(String str, Certificate certificate, OCSPReq oCSPReq) {
        Some some;
        OCSPResp loadUrl = loadUrl(str, oCSPReq);
        Predef$.MODULE$.assert(loadUrl.getStatus() == 0, () -> {
            return new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"OCSP error: ", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{BoxesRunTime.boxToInteger(loadUrl.getStatus())}));
        });
        Object responseObject = loadUrl.getResponseObject();
        if (responseObject instanceof BasicOCSPResp) {
            BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;
            if (verify(basicOCSPResp, certificate)) {
                some = new Some(basicOCSPResp);
                return some;
            }
        }
        some = None$.MODULE$;
        return some;
    }

    /**
     * Looks up the OCSP status of a certificate using the responder URL found in that certificate.
     *
     * <p>The request is unsigned and has no nonce. The response is verified against
     * {@code certificate2}, and the first SingleResp whose CertificateID equals the requested one is
     * converted to an OCSP.Status.
     *
     * <p>None is returned when the certificate has no OCSP URL, when fromUrl() yields None, or when
     * no SingleResp matches. NOTE(review): callers must choose explicitly how to treat None; treating
     * it as "not revoked" makes the check fail open. thisUpdate / nextUpdate of the matched entry are
     * not inspected here. In Bouncy Castle a "good" status is represented by a null CertificateStatus,
     * so the status field of the result may be null; confirm how OCSP.Status consumers handle that.
     *
     * @param certificate  certificate to check; supplies the responder URL and the serial number
     * @param certificate2 certificate used to build the CertificateID and to verify the response
     *                     (the issuer, going by how id() uses it)
     * @return the matching status, or None
     */
    public Option<OCSP.Status> getStatus(Certificate certificate, Certificate certificate2) {
        return X509Utils$.MODULE$.getOcspUrl(certificate).flatMap(str -> {
            CertificateID id = MODULE$.id(certificate2, scala.package$.MODULE$.BigInt().apply(certificate.getSerialNumber().getValue()));
            return ((IterableLike) Option$.MODULE$.option2Iterable(MODULE$.fromUrl(str, certificate2, MODULE$.request(Predef$.MODULE$.wrapRefArray(new CertificateID[]{id})))).toSeq().flatMap(basicOCSPResp -> {
                return new ArrayOps.ofRef($anonfun$getStatus$2(basicOCSPResp));
            }, Seq$.MODULE$.canBuildFrom())).find(singleResp -> {
                return BoxesRunTime.boxToBoolean($anonfun$getStatus$3(id, singleResp));
            }).map(singleResp2 -> {
                return new OCSP.Status(singleResp2.getCertID(), singleResp2.getCertStatus());
            });
        });
    }

    /** Compiler-generated helper for getStatus(): exposes the response's SingleResp entries as an array. */
    public static final /* synthetic */ Object[] $anonfun$getStatus$2(BasicOCSPResp basicOCSPResp) {
        return Predef$.MODULE$.refArrayOps(basicOCSPResp.getResponses());
    }

    /** Compiler-generated helper for getStatus(): null-safe equality of the entry's ID and the requested ID. */
    public static final /* synthetic */ boolean $anonfun$getStatus$3(CertificateID certificateID, SingleResp singleResp) {
        CertificateID certID = singleResp.getCertID();
        return certID != null ? certID.equals(certificateID) : certificateID == null;
    }

    /**
     * Initialises the singleton: publishes it through MODULE$, then creates the digest calculator and
     * the random source.
     */
    private OCSP$() {
        MODULE$ = this;
        // SHA-1 is used for the CertificateID hashes and the responder key hash, not as the
        // signature algorithm; the signer comes from X509Utils.contentSigner.
        this.digestCalculator = new JcaDigestCalculatorProviderBuilder().setProvider(TLSUtils$.MODULE$.provider()).build().get(CertificateID.HASH_SHA1);
        // NOTE(review): getInstanceStrong() selects the platform's "strong" algorithm, which on some
        // systems can block while waiting for entropy; this runs during class initialisation.
        this.secureRandom = SecureRandom.getInstanceStrong();
    }
}
