package io.netty.handler.ssl.ocsp;

import io.netty.bootstrap.Bootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFactory;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.EventLoop;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http.DefaultFullHttpRequest;
import io.netty.handler.codec.http.HttpClientCodec;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.resolver.dns.DnsNameResolver;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.FutureListener;
import io.netty.util.concurrent.GenericFutureListener;
import io.netty.util.concurrent.Promise;
import io.netty.util.internal.ObjectUtil;
import io.netty.util.internal.SystemPropertyUtil;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import java.net.InetAddress;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import org.apache.commons.compress.archivers.tar.TarConstants;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/netty/handler/ssl/ocsp/OcspClient.class */
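/**
 * Small asynchronous OCSP client: builds a nonce-bearing OCSP request for a
 * certificate, POSTs it over plain HTTP (TCP + {@link HttpClientCodec}, no TLS)
 * to the responder URL taken from the certificate's Authority Information Access
 * extension, and completes a promise with the {@link BasicOCSPResp} once the
 * response count, nonce and signature have been checked.
 *
 * <p>Decompiler artefacts of the original listing ({@code addListener2},
 * {@code Bootstrap.this}, redundant raw casts, a constant resolved to
 * {@code TarConstants.DEFAULT_BLKSIZE}) are normalised here to the real APIs.
 *
 * <p>Limits of the validation performed by this class (see
 * {@link #validateResponse}): the response's CertID is not compared with the
 * requested certificate, the certificate status and thisUpdate/nextUpdate
 * window are not checked, and the signature is verified against the issuer
 * key only (no delegated responder certificates). No connect or response
 * timeout is applied; a responder that never answers leaves the promise pending.
 */
public final class OcspClient {
    private static final InternalLogger logger = InternalLoggerFactory.getInstance(OcspClient.class);
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    /**
     * Upper bound, in bytes, for the aggregated HTTP response body; 10 KiB unless
     * overridden with {@code -Dio.netty.ocsp.responseSize}. Larger responses fail
     * the request instead of being buffered without limit.
     */
    private static final int OCSP_RESPONSE_MAX_SIZE = SystemPropertyUtil.getInt("io.netty.ocsp.responseSize", 10 * 1024);

    /**
     * Pipeline for one responder connection: HTTP client codec, an aggregator
     * bounded by {@link #OCSP_RESPONSE_MAX_SIZE}, and the handler that completes
     * the response promise.
     */
    public static final class Initializer extends ChannelInitializer<SocketChannel> {
        private final Promise<OCSPResp> responsePromise;

        /**
         * @param promise promise completed by {@link OcspHttpHandler} with the raw response
         * @throws NullPointerException if {@code promise} is null
         */
        Initializer(Promise<OCSPResp> promise) {
            this.responsePromise = ObjectUtil.checkNotNull(promise, "ResponsePromise");
        }

        @Override
        public void initChannel(SocketChannel socketChannel) {
            ChannelPipeline pipeline = socketChannel.pipeline();
            pipeline.addLast(new HttpClientCodec());
            pipeline.addLast(new HttpObjectAggregator(OCSP_RESPONSE_MAX_SIZE));
            pipeline.addLast(new OcspHttpHandler(responsePromise));
        }
    }

    /**
     * Asynchronously asks the responder named in {@code certificate} for that
     * certificate's status and validates the answer.
     *
     * @param certificate     certificate whose status is requested
     * @param issuer          issuer of {@code certificate}; used to build the CertID and to
     *                        verify the response signature
     * @param checkNonce      whether the response must echo the request nonce
     * @param ioTransport     supplies the event loop and channel factory for the connection
     * @param dnsNameResolver resolver for the responder host name
     * @return promise completed with the validated {@link BasicOCSPResp}, or failed with
     *         the cause (bad URL, transport error, non-successful OCSP status, failed
     *         validation)
     */
    public static Promise<BasicOCSPResp> query(final X509Certificate certificate, final X509Certificate issuer,
                                               final boolean checkNonce, final IoTransport ioTransport,
                                               final DnsNameResolver dnsNameResolver) {
        final EventLoop eventLoop = ioTransport.eventLoop();
        final Promise<BasicOCSPResp> responsePromise = eventLoop.newPromise();
        eventLoop.execute(new Runnable() {
            @Override
            public void run() {
                try {
                    CertificateID certificateID = new CertificateID(
                            new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1),
                            new JcaX509CertificateHolder(issuer), certificate.getSerialNumber());
                    OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
                    requestBuilder.addRequest(certificateID);

                    // 16 random bytes tie the response to this request; only enforced when checkNonce is set.
                    byte[] nonceBytes = new byte[16];
                    SECURE_RANDOM.nextBytes(nonceBytes);
                    final DEROctetString nonce = new DEROctetString(nonceBytes);
                    requestBuilder.setRequestExtensions(new Extensions(
                            new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, nonce)));

                    URL url = new URL(parseOcspUrlFromCertificate(certificate));
                    // The transport is plain TCP + HttpClientCodec; any other scheme would be
                    // sent in the clear to the wrong kind of endpoint, so fail early and clearly.
                    if (!"http".equalsIgnoreCase(url.getProtocol())) {
                        throw new IllegalArgumentException("OCSP responder URL must use http: " + url);
                    }
                    int port = url.getPort();
                    if (port == -1) {
                        port = url.getDefaultPort();
                    }
                    String path = url.getPath();
                    if (path.isEmpty()) {
                        path = "/";
                    }
                    // Append the query string whenever present (previously it was dropped when the path was empty).
                    if (url.getQuery() != null) {
                        path = path + "?" + url.getQuery();
                    }

                    ByteBuf encodedRequest = Unpooled.wrappedBuffer(requestBuilder.build().getEncoded());
                    query(eventLoop, encodedRequest, url.getHost(), port, path, ioTransport, dnsNameResolver)
                            .addListener(new FutureListener<OCSPResp>() {
                                @Override
                                public void operationComplete(Future<OCSPResp> future) {
                                    if (!future.isSuccess()) {
                                        responsePromise.tryFailure(future.cause());
                                        return;
                                    }
                                    // Anything thrown here would otherwise be swallowed by the
                                    // listener machinery and leave responsePromise pending forever.
                                    try {
                                        OCSPResp response = future.getNow();
                                        // A non-successful status (tryLater, unauthorized, ...) carries no
                                        // response object; report it instead of failing on a null cast.
                                        if (response.getStatus() != OCSPResp.SUCCESSFUL) {
                                            throw new OCSPException("OCSP responder returned status " + response.getStatus());
                                        }
                                        Object responseObject = response.getResponseObject();
                                        if (!(responseObject instanceof BasicOCSPResp)) {
                                            throw new OCSPException("Unexpected OCSP response object: " + responseObject);
                                        }
                                        validateResponse(responsePromise, (BasicOCSPResp) responseObject, nonce, issuer, checkNonce);
                                    } catch (Exception e) {
                                        responsePromise.tryFailure(e);
                                    }
                                }
                            });
                } catch (Exception e) {
                    responsePromise.tryFailure(e);
                }
            }
        });
        return responsePromise;
    }

    /**
     * Resolves {@code host}, connects, and POSTs {@code ocspRequest} to {@code path}.
     * Takes ownership of {@code ocspRequest}: it is released on every path that does
     * not hand it to the channel.
     *
     * @param eventLoop       loop on which the returned promise is created
     * @param ocspRequest     DER-encoded OCSP request body
     * @param host            responder host name (also sent as the Host header)
     * @param port            responder TCP port
     * @param path            request target, path plus optional query
     * @param ioTransport     supplies the event loop and channel factory for the connection
     * @param dnsNameResolver resolver for {@code host}
     * @return promise completed by {@link OcspHttpHandler} with the raw {@link OCSPResp},
     *         or failed on resolution, connect or write errors
     */
    public static Promise<OCSPResp> query(EventLoop eventLoop, final ByteBuf ocspRequest, final String host,
                                          final int port, final String path, IoTransport ioTransport,
                                          DnsNameResolver dnsNameResolver) {
        final Promise<OCSPResp> responsePromise = eventLoop.newPromise();
        try {
            final Bootstrap bootstrap = new Bootstrap()
                    .group(ioTransport.eventLoop())
                    .option(ChannelOption.TCP_NODELAY, true)
                    .channelFactory(ioTransport.socketChannel())
                    .handler(new Initializer(responsePromise));
            dnsNameResolver.resolve(host).addListener(new FutureListener<InetAddress>() {
                @Override
                public void operationComplete(Future<InetAddress> future) {
                    if (!future.isSuccess()) {
                        ocspRequest.release();
                        responsePromise.tryFailure(future.cause());
                        return;
                    }
                    final ChannelFuture connectFuture = bootstrap.connect(future.getNow(), port);
                    connectFuture.addListener(new ChannelFutureListener() {
                        @Override
                        public void operationComplete(ChannelFuture channelFuture) {
                            if (!channelFuture.isSuccess()) {
                                ocspRequest.release();
                                responsePromise.tryFailure(
                                        new IllegalStateException("Connection to OCSP Responder Failed", channelFuture.cause()));
                                return;
                            }
                            DefaultFullHttpRequest request =
                                    new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, path, ocspRequest);
                            // Host carries the port when it is not the http default (RFC 7230 §5.4).
                            request.headers().add(HttpHeaderNames.HOST, port == 80 ? host : host + ":" + port);
                            request.headers().add(HttpHeaderNames.USER_AGENT, "Netty OCSP Client");
                            request.headers().add(HttpHeaderNames.CONTENT_TYPE, OcspHttpHandler.OCSP_REQUEST_TYPE);
                            // The original sent the response media type as Accept-Encoding, which lists
                            // content codings; Accept is the header that names acceptable media types.
                            request.headers().add(HttpHeaderNames.ACCEPT, OcspHttpHandler.OCSP_RESPONSE_TYPE);
                            request.headers().add(HttpHeaderNames.CONTENT_LENGTH, Integer.valueOf(ocspRequest.readableBytes()));
                            // The channel releases the request body; a failed write means no response
                            // will arrive, so surface it instead of leaving the promise pending.
                            channelFuture.channel().writeAndFlush(request).addListener(new ChannelFutureListener() {
                                @Override
                                public void operationComplete(ChannelFuture writeFuture) {
                                    if (!writeFuture.isSuccess()) {
                                        responsePromise.tryFailure(writeFuture.cause());
                                    }
                                }
                            });
                        }
                    });
                }
            });
        } catch (Exception e) {
            ocspRequest.release();
            responsePromise.tryFailure(e);
        }
        return responsePromise;
    }

    /**
     * Completes {@code promise} with {@code response} if it carries exactly one
     * single response, echoes the request nonce (when {@code checkNonce} is set)
     * and is signed by {@code issuer}; otherwise fails it with the cause.
     *
     * <p>NOTE(review): the single response's CertID is not compared with the
     * requested certificate, and its status, thisUpdate and nextUpdate are not
     * checked here; presumably the caller does that on the returned object —
     * confirm before relying on this method alone.
     *
     * @param promise    promise to complete
     * @param response   decoded basic OCSP response
     * @param nonce      nonce sent in the request
     * @param issuer     certificate whose key must have signed the response
     * @param checkNonce whether a missing or different nonce is a failure
     */
    public static void validateResponse(Promise<BasicOCSPResp> promise, BasicOCSPResp response,
                                        DEROctetString nonce, X509Certificate issuer, boolean checkNonce) {
        try {
            int responseCount = response.getResponses().length;
            if (responseCount != 1) {
                throw new IllegalArgumentException("Expected number of responses was 1 but got: " + responseCount);
            }
            if (checkNonce) {
                validateNonce(response, nonce);
            }
            validateSignature(response, issuer);
            promise.trySuccess(response);
        } catch (Exception e) {
            promise.tryFailure(e);
        }
    }

    /**
     * Checks that the response carries the nonce extension and that it equals the
     * nonce sent in the request.
     *
     * @throws IllegalArgumentException if the extension is absent
     * @throws OCSPException            if the value differs
     */
    private static void validateNonce(BasicOCSPResp response, DEROctetString expectedNonce) throws OCSPException {
        Extension nonceExtension = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonceExtension == null) {
            throw new IllegalArgumentException("Nonce is not present");
        }
        // The request used the raw octet string as extnValue, so the echoed extnValue must compare equal to it.
        if (!nonceExtension.getExtnValue().equals(expectedNonce)) {
            throw new OCSPException("Nonce does not match");
        }
    }

    /**
     * Verifies the response signature against {@code issuer}'s public key.
     * Delegated responder certificates embedded in the response are not considered.
     *
     * @throws OCSPException if the signature does not verify or the verifier cannot be built
     */
    private static void validateSignature(BasicOCSPResp response, X509Certificate issuer) throws OCSPException {
        try {
            if (!response.isSignatureValid(new JcaContentVerifierProviderBuilder().build(issuer))) {
                throw new OCSPException("OCSP signature is not valid");
            }
        } catch (OperatorCreationException e) {
            throw new OCSPException("Error validating OCSP-Signature", e);
        }
    }

    /**
     * Returns the first id-ad-ocsp access location from the certificate's
     * Authority Information Access extension, as a string.
     *
     * @throws NullPointerException     if the certificate has no extensions, no AIA
     *                                  extension, or no OCSP entry (the type thrown by
     *                                  the original is kept for callers; previously the
     *                                  first two cases surfaced as a bare NPE)
     * @throws IllegalArgumentException if the certificate cannot be re-encoded
     */
    public static String parseOcspUrlFromCertificate(X509Certificate certificate) {
        try {
            Extensions extensions = new JcaX509CertificateHolder(certificate).getExtensions();
            AuthorityInformationAccess aia =
                    extensions == null ? null : AuthorityInformationAccess.fromExtensions(extensions);
            if (aia == null) {
                throw new NullPointerException("Certificate has no Authority Information Access extension");
            }
            for (AccessDescription accessDescription : aia.getAccessDescriptions()) {
                if (X509ObjectIdentifiers.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
                    return accessDescription.getAccessLocation().getName().toASN1Primitive().toString();
                }
            }
            throw new NullPointerException("Unable to find OCSP responder URL in Certificate");
        } catch (CertificateEncodingException e) {
            throw new IllegalArgumentException("Error while parsing X509Certificate into JcaX509CertificateHolder", e);
        }
    }

    /** Static utility; not instantiable. */
    private OcspClient() {
    }

    static {
        logger.debug("-Dio.netty.ocsp.responseSize: {} bytes", Integer.valueOf(OCSP_RESPONSE_MAX_SIZE));
    }
}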
