package com.ibm.security.cert;

import com.ibm.misc.Debug;
import com.ibm.misc.IOUtils;
import com.ibm.security.util.ObjectIdentifier;
import com.ibm.security.x509.AccessDescription;
import com.ibm.security.x509.GeneralName;
import com.ibm.security.x509.URIName;
import com.ibm.security.x509.X500Name;
import com.ibm.security.x509.X509CertImpl;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.Extension;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:jre/lib/ibmcertpathprovider.jar:com/ibm/security/cert/OCSPChecker.class */
public class OCSPChecker extends PKIXCertPathChecker {
    // Names of the OCSP configuration properties. None of them is read in the part of the
    // class visible here; presumably the code that constructs the checker resolves them and
    // hands the values to the constructors (TODO confirm against the caller).
    public static final String OCSP_ENABLE = "ocsp.enable";
    public static final String OCSP_URL = "ocsp.responderURL";
    public static final String OCSP_CERT_SUBJECT = "ocsp.responderCertSubjectName";
    public static final String OCSP_CERT_ISSUER = "ocsp.responderCertIssuerName";
    public static final String OCSP_CERT_SERIAL_NUMBER = "ocsp.responderCertSerialNumber";
    // Responder URL parsed by the constructors; null when the supplied string is not a valid URL.
    // internalCheck() then takes the responder URL from each certificate's AIA extension instead.
    private URL responderURL;
    // RFC 2253 form of the issuer DN that, together with responderSerialNumber, identifies the
    // responder certificate (set only by the five-argument constructor).
    private String responderIssuerName;
    // RFC 2253 form of the responder certificate's subject DN; null when no usable name was supplied.
    private String responderSubjectName;
    private BigInteger responderSerialNumber;
    // Certification path under validation, as passed to the constructor.
    private CertPath certPath;
    // Set to the path length by init(); not updated anywhere else in the visible code.
    private int remainingCerts;
    // Trust anchors and cert stores taken from the PKIXParameters in the constructors.
    private Set<TrustAnchor> trustAnchors;
    private List<CertStore> certStores;
    // Package-private; also consulted for the PKIXRevocationChecker options (soft-fail,
    // only-check-end-entity, stapled responses) in check() and internalCheck().
    PKIXParameters pkixParams;
    // Nonce of the most recently built OCSP request (from OCSPRequest.getNonce()); null if none.
    private byte[] ocspRequestNonce = null;
    // Not written in the visible code; presumably the nonce echoed by the responder (TODO confirm).
    private byte[] ocspResponseNonce = null;
    // A non-null value turns on the System.out tracing used throughout this class. The trace
    // includes full certificates, the responder URL and request nonces, so standard output
    // should be treated as sensitive while "certpath" debugging is enabled.
    private static final Debug debug = Debug.getInstance("certpath");
    // OID 1.3.6.1.5.5.7.48.1.2, the OCSP nonce extension (id-pkix-ocsp-nonce).
    static final ObjectIdentifier NONCE_EXTENSION_OID = ObjectIdentifier.newInternal(new int[]{1, 3, 6, 1, 5, 5, 7, 48, 1, 2});
    // Not referenced in the visible code.
    static int debugint = 0;

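    /**
     * Creates a checker whose OCSP responder certificate is identified by its subject name.
     *
     * <p>A responder URL that cannot be parsed is tolerated: {@code responderURL} stays
     * {@code null} and {@code internalCheck} looks for the responder URL in each certificate's
     * AIA extension instead. A responder subject name that cannot be parsed is rejected, in line
     * with the constructor that takes an issuer name and serial number.
     *
     * @param str            responder URL as a string; {@code null} or malformed means "none"
     * @param str2           subject DN of the responder certificate, or {@code null} if not configured
     * @param certPath       certification path that will be checked
     * @param pKIXParameters source of the trust anchors and cert stores; must not be {@code null}
     * @throws CertPathValidatorException if {@code str2} is non-null and is not a valid X.500 name
     */
    public OCSPChecker(String str, String str2, CertPath certPath, PKIXParameters pKIXParameters) throws CertPathValidatorException {
        this.pkixParams = null;
        try {
            this.responderURL = new URL(str);
        } catch (MalformedURLException e) {
            this.responderURL = null;
            if (debug != null) {
                System.out.println("CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  The following MalformedURLException was thrown while processing the OCSP responder URL:");
                System.out.println(e.getMessage());
            }
        }
        if (str2 == null) {
            this.responderSubjectName = null;
        } else {
            try {
                this.responderSubjectName = new X500Name(str2).getRFC2253Name();
            } catch (IOException e2) {
                // Fail closed: treating an unparsable name as "not configured" would make check()
                // hand a null responder trust anchor to internalCheck() even though the
                // administrator asked for a specific responder certificate.
                throw new CertPathValidatorException("Cannot parse the OCSP responder certificate subject name", e2);
            }
        }
        if (debug != null) {
            if (str == null) {
                System.out.println("CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  respURL IS NULL");
            } else {
                System.out.println("CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  respURL = " + str);
            }
            if (this.responderSubjectName == null) {
                System.out.println("CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  responderSubjectName IS NULL");
            } else {
                System.out.println("CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  responderSubjectName = " + this.responderSubjectName);
            }
        }
        this.certPath = certPath;
        this.pkixParams = pKIXParameters;
        this.trustAnchors = pKIXParameters.getTrustAnchors();
        this.certStores = pKIXParameters.getCertStores();
    }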

    /**
     * Creates a checker whose OCSP responder certificate is identified by issuer name and
     * serial number.
     *
     * <p>A responder URL that cannot be parsed leaves {@code responderURL} at {@code null}; an
     * issuer name that cannot be parsed aborts construction.
     *
     * @param str            responder URL as a string; {@code null} or malformed means "none"
     * @param str2           issuer DN of the responder certificate
     * @param bigInteger     serial number of the responder certificate
     * @param certPath       certification path that will be checked
     * @param pKIXParameters source of the trust anchors and cert stores; must not be {@code null}
     * @throws CertPathValidatorException wrapping the {@link IOException} raised while parsing {@code str2}
     */
    public OCSPChecker(String str, String str2, BigInteger bigInteger, CertPath certPath, PKIXParameters pKIXParameters) throws CertPathValidatorException {
        this.pkixParams = null;

        URL parsedUrl;
        try {
            parsedUrl = new URL(str);
        } catch (MalformedURLException badUrl) {
            parsedUrl = null;
            if (debug != null) {
                System.out.println("CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  The following MalformedURLException was thrown while processing the OCSP responder URL:");
                System.out.println(badUrl.getMessage());
            }
        }
        this.responderURL = parsedUrl;

        // Only the name parsing can raise IOException, so the try is limited to it.
        String issuerName;
        try {
            issuerName = new X500Name(str2).getRFC2253Name();
        } catch (IOException badName) {
            throw new CertPathValidatorException(badName);
        }
        this.responderIssuerName = issuerName;
        this.responderSerialNumber = bigInteger;

        if (debug != null) {
            System.out.println(str == null
                    ? "CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  respURL IS NULL"
                    : "CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  respURL = " + str);
            System.out.println(this.responderIssuerName == null
                    ? "CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  responderIssuerName IS NULL"
                    : "CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  responderIssuerName = " + this.responderIssuerName);
            System.out.println("CERTPATH:  OCSPChecker.java:  CONSTRUCTOR:  responderSerialNumber = " + this.responderSerialNumber);
        }

        this.certPath = certPath;
        this.pkixParams = pKIXParameters;
        this.trustAnchors = pKIXParameters.getTrustAnchors();
        this.certStores = pKIXParameters.getCertStores();
    }

    /**
     * Prepares the checker for a reverse-direction validation run by recording the number of
     * certificates in the path.
     *
     * @param z {@code true} if the caller wants forward checking, which this checker refuses
     * @throws CertPathValidatorException if forward checking is requested
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) throws CertPathValidatorException {
        if (!z) {
            this.remainingCerts = this.certPath.getCertificates().size();
            return;
        }
        throw new CertPathValidatorException("Forward checking not supported");
    }

    /**
     * Reports whether certificates may be presented in the forward direction.
     *
     * @return always {@code false}; {@code init(true)} throws for the same reason
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        final boolean forwardSupported = false;
        return forwardSupported;
    }

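    /**
     * Returns the certificate extensions this checker processes.
     *
     * <p>The set is empty: {@code check} never removes anything from the collection of
     * unresolved critical extensions it is given.
     *
     * @return an immutable empty set
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public Set<String> getSupportedExtensions() {
        // Typed replacement for the raw Collections.EMPTY_SET; callers that still use the raw
        // Set type are unaffected.
        return Collections.emptySet();
    }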

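    /**
     * Selects the trust anchor for the OCSP responder and runs the revocation check.
     *
     * <p>Neither argument is used: every call passes the complete certification path held by
     * this checker to {@code internalCheck}.
     *
     * <p>The responder certificate comes from the first source that applies:
     * <ol>
     *   <li>the responder certificate set on the PKIXRevocationChecker found in the PKIX parameters;</li>
     *   <li>a lookup by the configured responder subject name;</li>
     *   <li>a lookup by the configured responder issuer name and serial number.</li>
     * </ol>
     * If none applies, {@code internalCheck} receives a {@code null} responder trust anchor.
     *
     * @param certificate ignored
     * @param collection  ignored; no critical extension is resolved here
     * @throws CertPathValidatorException if a responder was configured by name or by issuer and
     *         serial number but no matching certificate is found, or if {@code internalCheck} fails
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        TrustAnchor trustAnchor = null;
        List<? extends Certificate> certificates = this.certPath.getCertificates();
        X509Certificate[] x509CertificateArr = new X509Certificate[certificates.size()];
        certificates.toArray(x509CertificateArr);
        if (debug != null) {
            System.out.println("CERTPATH:  OCSPChecker.java:  check():  The array of certificates being checked is:");
            for (X509Certificate x509Certificate : x509CertificateArr) {
                System.out.println(x509Certificate.toString() + "\n\n");
            }
        }
        X509Certificate suppliedResponderCert = null;
        PKIXRevocationCheckerImpl revocationChecker = PKIXRevocationCheckerImpl.getPKIXRevocationCheckerFromPKIXParameters(this.pkixParams);
        if (revocationChecker != null) {
            suppliedResponderCert = revocationChecker.getOcspResponderCert();
        }
        if (suppliedResponderCert != null) {
            if (debug != null) {
                System.out.println("CERTPATH: OCSPChecker.java:  check(): ");
                System.out.println("          The following OCSP responder certificate was specified within PKIXRevocationChecker: ");
                System.out.println(suppliedResponderCert.toString());
                System.out.println("==================================================================================");
                System.out.println("CERTPATH: OCSPChecker.java:  check(): ");
                System.out.println("          The OCSP responder certificate from within PKIXRevocationChecker will be used by OCSPChecker.check() ");
                System.out.println("==================================================================================");
            }
            // A constructor never yields null, so the former null test on the result was dead
            // code and has been dropped.
            // NOTE(review): the caller-supplied certificate becomes a trust anchor here without
            // any validity or path check in this method; confirm it is vetted where the
            // response signature is verified.
            trustAnchor = new TrustAnchor(suppliedResponderCert, null);
        } else if (this.responderSubjectName != null) {
            if (debug != null) {
                System.out.println("==================================================================================");
                System.out.println("CERTPATH: OCSPChecker.java:  check(): ");
                System.out.println("          The OCSP responder certificate specified by the system property for \"OCSP responder subject dn\" will be used by OCSPChecker.check() ");
                System.out.println("==================================================================================");
            }
            trustAnchor = getResponderTA(this.responderSubjectName, x509CertificateArr);
            if (trustAnchor == null) {
                // A responder was pinned by name but cannot be located: refuse rather than continue unpinned.
                throw new CertPathValidatorException("Cannot find the responder's certificate (set using the OCSP security properties).");
            }
        } else if (this.responderIssuerName != null && this.responderSerialNumber != null) {
            if (debug != null) {
                System.out.println("==================================================================================");
                System.out.println("CERTPATH: OCSPChecker.java:  check(): ");
                System.out.println("          The OCSP responder certificate specified by the system properties for \"OCSP responder issuer dn and serial number\" will be used by OCSPChecker.check() ");
                System.out.println("==================================================================================");
            }
            trustAnchor = getResponderTA(this.responderSerialNumber, this.responderIssuerName, x509CertificateArr);
            if (trustAnchor == null) {
                throw new CertPathValidatorException("Cannot find the responder's certificate (set using the OCSP security properties).");
            }
        }
        if (debug != null) {
            if (trustAnchor == null) {
                System.out.println("CERTPATH:  OCSPChecker.java:  check():  The responderTa IS NULL.");
            } else {
                System.out.println("CERTPATH:  OCSPChecker.java:  check():  The responderTa is:  \n" + trustAnchor.toString());
            }
        }
        internalCheck(x509CertificateArr, trustAnchor);
    }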

    /**
     * Finds the OCSP responder certificate by subject name and wraps it in a trust anchor.
     *
     * <p>Three sources are searched in order, and the first match wins: the configured trust
     * anchors, the certificates of the path being validated, and the configured cert stores.
     * Names are compared as RFC 2253 strings with {@code String.equals}.
     *
     * <p>NOTE(review): candidates from the path and from the cert stores are accepted on a name
     * match alone; no signature, validity or usage check is made in this method. Confirm that
     * the responder certificate is authenticated where the OCSP response is verified.
     *
     * @param str                subject DN of the responder certificate in RFC 2253 form
     * @param x509CertificateArr certificates of the path being validated; may be {@code null}
     * @return a trust anchor for the matching certificate, or {@code null} if none is found
     * @throws CertPathValidatorException if the selector rejects {@code str} or a cert store lookup fails
     */
    private TrustAnchor getResponderTA(String str, X509Certificate[] x509CertificateArr) throws CertPathValidatorException {
        // Source 1: the configured trust anchors.
        for (TrustAnchor anchor : this.trustAnchors) {
            String anchorName = anchor.getCAName();
            if (anchorName != null) {
                // Anchor given as name + key: compare the name and hand back the anchor itself.
                if (anchorName.equals(str)) {
                    return anchor;
                }
                continue;
            }
            X509Certificate anchorCert = anchor.getTrustedCert();
            String anchorSubject;
            if (anchorCert instanceof X509CertImpl) {
                anchorSubject = ((X500Name) ((X509CertImpl) anchorCert).getSubjectDN()).getRFC2253Name();
            } else {
                anchorSubject = anchorCert.getSubjectX500Principal().getName(X500Principal.RFC2253);
            }
            if (anchorSubject.equals(str)) {
                return new TrustAnchor(anchorCert, null);
            }
        }

        // Source 2: the certificates of the path under validation.
        if (x509CertificateArr != null) {
            for (X509Certificate pathCert : x509CertificateArr) {
                String pathSubject;
                if (pathCert instanceof X509CertImpl) {
                    pathSubject = ((X500Name) ((X509CertImpl) pathCert).getSubjectDN()).getRFC2253Name();
                } else {
                    pathSubject = pathCert.getSubjectX500Principal().getName(X500Principal.RFC2253);
                }
                if (pathSubject.equals(str)) {
                    return new TrustAnchor(pathCert, null);
                }
            }
        }

        // Source 3: the cert stores; the first certificate of the first store with a match is used.
        Iterator<CertStore> stores = this.certStores.iterator();
        X509CertSelector bySubject = new X509CertSelector();
        try {
            bySubject.setSubject(str);
            if (debug != null) {
                System.out.println("CERTPATH, get responder cert using selector-" + bySubject);
            }
            while (stores.hasNext()) {
                Iterator<? extends Certificate> matches = stores.next().getCertificates(bySubject).iterator();
                if (matches.hasNext()) {
                    return new TrustAnchor((X509Certificate) matches.next(), null);
                }
            }
        } catch (IOException | CertStoreException lookupFailure) {
            throw new CertPathValidatorException(lookupFailure);
        }
        return null;
    }

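    /**
     * Finds the OCSP responder certificate by issuer name and serial number and wraps it in a
     * trust anchor.
     *
     * <p>Three sources are searched in order, and the first match wins: the certificates of the
     * configured trust anchors, the certificates of the path being validated, and the configured
     * cert stores. Issuer names are compared as RFC 2253 strings with {@code String.equals}.
     *
     * <p>NOTE(review): candidates from the path and from the cert stores are accepted on an
     * issuer/serial match alone; no signature, validity or usage check is made in this method.
     * Confirm that the responder certificate is authenticated where the OCSP response is verified.
     *
     * @param bigInteger         serial number of the responder certificate
     * @param str                issuer DN of the responder certificate in RFC 2253 form
     * @param x509CertificateArr certificates of the path being validated; may be {@code null}
     * @return a trust anchor for the matching certificate, or {@code null} if none is found
     * @throws CertPathValidatorException if the selector rejects {@code str} or a cert store lookup fails
     */
    private TrustAnchor getResponderTA(BigInteger bigInteger, String str, X509Certificate[] x509CertificateArr) throws CertPathValidatorException {
        for (TrustAnchor anchor : this.trustAnchors) {
            X509Certificate trustedCert = anchor.getTrustedCert();
            if (trustedCert == null) {
                // Anchor given as CA name + public key (internalCheck() allows for these): it has
                // no issuer or serial number to compare, and dereferencing it would throw a
                // NullPointerException.
                continue;
            }
            if (trustedCert instanceof X509CertImpl) {
                if (((X500Name) ((X509CertImpl) trustedCert).getIssuerDN()).getRFC2253Name().equals(str) && trustedCert.getSerialNumber().equals(bigInteger)) {
                    return new TrustAnchor(trustedCert, null);
                }
            } else if (trustedCert.getIssuerX500Principal().getName(X500Principal.RFC2253).equals(str) && trustedCert.getSerialNumber().equals(bigInteger)) {
                return new TrustAnchor(trustedCert, null);
            }
        }
        if (x509CertificateArr != null) {
            for (X509Certificate pathCert : x509CertificateArr) {
                if (pathCert instanceof X509CertImpl) {
                    if (((X500Name) ((X509CertImpl) pathCert).getIssuerDN()).getRFC2253Name().equals(str) && pathCert.getSerialNumber().equals(bigInteger)) {
                        return new TrustAnchor(pathCert, null);
                    }
                } else if (pathCert.getIssuerX500Principal().getName(X500Principal.RFC2253).equals(str) && pathCert.getSerialNumber().equals(bigInteger)) {
                    return new TrustAnchor(pathCert, null);
                }
            }
        }
        // Last resort: the cert stores; the first certificate of the first store with a match is used.
        Iterator<CertStore> stores = this.certStores.iterator();
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setSerialNumber(bigInteger);
        try {
            x509CertSelector.setIssuer(str);
            if (debug != null) {
                System.out.println("CERTPATH: get responder cert using selector -" + x509CertSelector.toString());
            }
            while (stores.hasNext()) {
                Iterator<? extends Certificate> matches = stores.next().getCertificates(x509CertSelector).iterator();
                if (matches.hasNext()) {
                    return new TrustAnchor((X509Certificate) matches.next(), null);
                }
            }
            return null;
        } catch (IOException | CertStoreException e) {
            throw new CertPathValidatorException(e);
        }
    }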

    private void internalCheck(X509Certificate[] x509CertificateArr, TrustAnchor trustAnchor) throws CertPathValidatorException {
        X509CertImpl x509CertImpl;
        OCSPRequest oCSPRequest;
        OCSPRequest oCSPRequest2;
        boolean onlyCheckEECert = PKIXRevocationCheckerImpl.getOnlyCheckEECert(this.pkixParams);
        int length = onlyCheckEECert ? 1 : x509CertificateArr.length;
        CertStatus[] certStatusArr = new CertStatus[length];
        CertID[] certIDArr = new CertID[length];
        for (int i = length - 1; i >= 0; i--) {
            if (i == x509CertificateArr.length - 1) {
                TrustAnchor trustAnchor2 = getTrustAnchor(x509CertificateArr[i], this.trustAnchors);
                if (trustAnchor2 == null) {
                    throw new CertPathValidatorException("Unable to find the issuer cert");
                }
                X509Certificate trustedCert = trustAnchor2.getTrustedCert();
                if (trustedCert != null) {
                    certIDArr[i] = new CertID(trustedCert, x509CertificateArr[i]);
                } else {
                    certIDArr[i] = new CertID(trustAnchor2.getCAName(), trustAnchor2.getCAPublicKey(), x509CertificateArr[i].getSerialNumber(), null);
                }
            } else {
                certIDArr[i] = new CertID(x509CertificateArr[i + 1], x509CertificateArr[i]);
            }
            if (debug != null) {
                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  CertID[" + i + "] is:  " + certIDArr[i].toString());
            }
        }
        SingleRequest[] singleRequestArr = new SingleRequest[length];
        for (int i2 = 0; i2 < length; i2++) {
            singleRequestArr[i2] = new SingleRequest(certIDArr[i2], null);
            if (debug != null) {
                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  SingleRequest[" + i2 + "] is:  " + singleRequestArr[i2].toString() + "\n\n");
            }
        }
        boolean z = true;
        PKIXRevocationCheckerImpl pKIXRevocationCheckerFromPKIXParameters = PKIXRevocationCheckerImpl.getPKIXRevocationCheckerFromPKIXParameters(this.pkixParams);
        if (pKIXRevocationCheckerFromPKIXParameters != null) {
            Map<X509Certificate, byte[]> ocspResponses = pKIXRevocationCheckerFromPKIXParameters.getOcspResponses();
            if (ocspResponses == null) {
                if (debug != null) {
                    System.out.println("OCSPChecker.java:  internalCheck():  No stapled OCSPReponse map was passed in by caller. ");
                }
            } else if (ocspResponses.size() != 0) {
                int i3 = 0;
                while (true) {
                    if (i3 >= length) {
                        break;
                    }
                    CertStatus certStatus = getCertStatus(x509CertificateArr[i3], ocspResponses.get(x509CertificateArr[i3]), certIDArr, trustAnchor);
                    if (certStatus != null) {
                        if (debug != null) {
                            System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  A stapled OCSPResponse was found for the ");
                            System.out.println("                             following certificate within PKIXRevocationChecker:");
                            System.out.println(x509CertificateArr[i3].toString());
                        }
                        certStatusArr[i3] = certStatus;
                        if (certStatus.getStatus() == 1) {
                            z = false;
                        }
                        i3++;
                    } else {
                        if (debug != null) {
                            System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  A stapled OCSPResponse was NOT FOUND for the ");
                            System.out.println("                             following certificate within PKIXRevocationChecker:");
                            System.out.println(x509CertificateArr[i3].toString());
                        }
                        z = true;
                    }
                }
            } else if (debug != null) {
                System.out.println("OCSPChecker.java:  internalCheck():  A stapled OCSPReponse map of size 0 was passed in by caller. ");
            }
        } else if (debug != null) {
            System.out.println("OCSPChecker.java:  internalCheck():  No RevocationChecker object passed in by caller. ");
        }
        if (z) {
            if (debug != null) {
                System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  Still need to send OCSP request");
            }
            if (this.responderURL != null) {
                if (pKIXRevocationCheckerFromPKIXParameters == null) {
                    if (debug != null) {
                        System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  The pkixRevocationChecker is NULL");
                    }
                    oCSPRequest2 = new OCSPRequest(singleRequestArr);
                } else {
                    if (debug != null) {
                        System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  The pkixRevocationChecker is NOT NULL");
                    }
                    List<Extension> ocspExtensions = pKIXRevocationCheckerFromPKIXParameters.getOcspExtensions();
                    if (ocspExtensions == null || ocspExtensions.size() == 0) {
                        if (debug != null) {
                            System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  No OCSP extensions were supplied in the RevocationChecker object.");
                        }
                        oCSPRequest2 = new OCSPRequest(singleRequestArr);
                    } else {
                        if (debug != null) {
                            System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  OCSP extensions were supplied in the RevocationChecker object.");
                        }
                        oCSPRequest2 = new OCSPRequest(singleRequestArr, convertExtensionListToArray(ocspExtensions));
                        this.ocspRequestNonce = oCSPRequest2.getNonce();
                        if (debug != null) {
                            if (this.ocspRequestNonce != null) {
                                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  A NONCE extension was among the OCSP extensions supplied in the RevocationChecker object.");
                                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  NONCE extension value being added to the OCSPRequest = ");
                                System.out.println(toHexString(this.ocspRequestNonce));
                            } else {
                                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  No NONCE extension was among the OCSP extensions supplied in the RevocationChecker object.");
                            }
                        }
                    }
                }
                try {
                    HttpURLConnection httpURLConnection = (HttpURLConnection) this.responderURL.openConnection();
                    sendRequest(httpURLConnection, oCSPRequest2.encode());
                    if (0 == 0) {
                        certStatusArr = checkResponse(httpURLConnection, certIDArr, trustAnchor);
                    }
                } catch (IOException e) {
                    if (!PKIXRevocationCheckerImpl.getSoftFail(this.pkixParams)) {
                        if (debug != null) {
                            System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  Network failure while accessing OCSP responder defined by system properties.");
                            System.out.println("                                               SOFT_FAIL is false, so throw the exception.");
                        }
                        throw new CertPathValidatorException(e);
                    }
                    if (debug != null) {
                        System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  Network failure while accessing OCSP responder defined by system properties.");
                        System.out.println("                                               SOFT_FAIL is true, so do not throw the exception.");
                        return;
                    }
                    return;
                }
            } else {
                for (int i4 = 0; i4 < length; i4++) {
                    if (certStatusArr[i4] == null) {
                        try {
                            if (x509CertificateArr[i4] instanceof X509CertImpl) {
                                x509CertImpl = (X509CertImpl) x509CertificateArr[i4];
                            } else {
                                try {
                                    x509CertImpl = new X509CertImpl(x509CertificateArr[i4].getEncoded());
                                } catch (CertificateException e2) {
                                    throw new CertPathValidatorException(e2);
                                }
                            }
                            if (debug != null) {
                                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  Beginning OCSP processing for the following SINGLE cert:");
                                System.out.println(x509CertImpl.toString());
                            }
                            URL url = null;
                            for (AccessDescription accessDescription : x509CertImpl.getAuthorityInformationAccess()) {
                                if (accessDescription.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id)) {
                                    GeneralName accessLocation = accessDescription.getAccessLocation();
                                    if (accessLocation.getType() == 6) {
                                        try {
                                            url = new URL(((URIName) accessLocation.getName()).getName());
                                        } catch (MalformedURLException e3) {
                                            if (debug != null) {
                                                e3.printStackTrace();
                                            }
                                        }
                                    }
                                }
                            }
                            if (url == null) {
                                if (debug != null) {
                                    System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  No OCSP responder URL was found in the cert.");
                                }
                                throw new IOException("Can't learn the responder URL from the AIA extension of the cert");
                            }
                            if (debug != null) {
                                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  An OCSP responder URL 'WAS FOUND' in the cert.");
                                System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  The OCSP responder URL learned from the AIA extension is:  " + url.toString());
                            }
                            HttpURLConnection httpURLConnection2 = (HttpURLConnection) url.openConnection();
                            if (pKIXRevocationCheckerFromPKIXParameters == null) {
                                if (debug != null) {
                                    System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  The pkixRevocationChecker object is NULL");
                                }
                                oCSPRequest = new OCSPRequest(new SingleRequest[]{singleRequestArr[i4]});
                            } else {
                                if (debug != null) {
                                    System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  The pkixRevocationChecker object is not NULL");
                                }
                                List<Extension> ocspExtensions2 = pKIXRevocationCheckerFromPKIXParameters.getOcspExtensions();
                                if (ocspExtensions2 != null) {
                                    if (debug != null) {
                                        System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  OCSP extensions were supplied in the RevocationChecker object.");
                                    }
                                    oCSPRequest = new OCSPRequest(new SingleRequest[]{singleRequestArr[i4]}, convertExtensionListToArray(ocspExtensions2));
                                    this.ocspRequestNonce = oCSPRequest.getNonce();
                                    if (debug != null) {
                                        if (this.ocspRequestNonce != null) {
                                            System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  A NONCE extension was among the OCSP extensions supplied in the RevocationChecker object.");
                                            System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  NONCE extension value added to OCSPRequest = ");
                                            System.out.println(toHexString(this.ocspRequestNonce));
                                        } else {
                                            System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  No NONCE extension was among the OCSP extensions supplied in the RevocationChecker object.");
                                        }
                                    }
                                } else {
                                    if (debug != null) {
                                        System.out.println("CERTPATH:  OCSPChecker.java:  internalCheck():  No OCSP extensions were supplied in the RevocationChecker object.");
                                    }
                                    oCSPRequest = new OCSPRequest(new SingleRequest[]{singleRequestArr[i4]});
                                }
                            }
                            sendRequest(httpURLConnection2, oCSPRequest.encode());
                            CertStatus[] certStatusArr2 = new CertStatus[1];
                            certStatusArr[i4] = checkResponse(httpURLConnection2, new CertID[]{certIDArr[i4]}, trustAnchor)[0];
                        } catch (IOException e4) {
                            if (debug != null) {
                                System.out.println("CERTPATH: internal error 2, " + e4.getMessage());
                            }
                            if (PKIXRevocationCheckerImpl.getSoftFail(this.pkixParams)) {
                                if (debug != null) {
                                    System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  Network failure while accessing OCSP responder defined by AIA extension.");
                                    System.out.println("                                               SOFT_FAIL is true, so build artificial successful CertStatus.");
                                }
                                certStatusArr[i4] = new CertStatus(0, null, null);
                            } else {
                                certStatusArr[i4] = null;
                            }
                        } catch (CertPathValidatorException e5) {
                            if (debug != null) {
                                System.out.println("CERTPATH: internal error 3, " + e5.getMessage());
                            }
                            certStatusArr[i4] = null;
                        } catch (CertificateException e6) {
                            if (debug != null) {
                                System.out.println("CERTPATH: internal error 1 , " + e6.getMessage());
                            }
                            certStatusArr[i4] = null;
                        }
                    }
                }
            }
        }
        for (int i5 = 0; i5 < length; i5++) {
            if (certStatusArr[i5] == null) {
                if (debug != null) {
                    System.out.println("CERTPATH: error getting cert status for certificate, serial number is " + x509CertificateArr[i5].getSerialNumber() + ", subject is " + x509CertificateArr[i5].getSubjectDN().getName());
                    System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  Throwing revocation exception for the cert below.");
                    System.out.println("                                               System property or option onlyCheckEECerts==" + onlyCheckEECert);
                    System.out.println(x509CertificateArr[i5].toString());
                }
                CertPathValidatorException certPathValidatorException = new CertPathValidatorException("certificate status undetermined", new OCSPCertPathStatusUnknownException(certStatusArr, x509CertificateArr, this.certPath), this.certPath, i5, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                PKIXRevocationCheckerImpl.isSoftFailException(certPathValidatorException, this.pkixParams);
                throw certPathValidatorException;
            }
            switch (certStatusArr[i5].getStatus()) {
                case 0:
                    if (debug != null) {
                        System.out.println("CERTPATH: cert status is " + certStatusArr[i5].toString() + " for certificate " + x509CertificateArr[i5].getSerialNumber() + ", subject is " + x509CertificateArr[i5].getSubjectDN().getName());
                        break;
                    } else {
                        break;
                    }
                case 1:
                    if (debug != null) {
                        System.out.println("CERTPATH: cert status is  " + certStatusArr[i5].toString() + " for certificate " + x509CertificateArr[i5].getSerialNumber() + ", subject is " + x509CertificateArr[i5].getSubjectDN().getName());
                        System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  Throwing revocation exception for the cert below.");
                        System.out.println("                                               System property onlyCheckEECerts==" + onlyCheckEECert);
                        System.out.println(x509CertificateArr[i5].toString());
                    }
                    throw new CertPathValidatorException("certificate is revoked", new OCSPCertRevokedException(this.certPath, i5), this.certPath, i5);
                case 2:
                    if (debug != null) {
                        System.out.println("CERTPATH: cert status is " + certStatusArr[i5].toString() + " for certificate serial number " + x509CertificateArr[i5].getSerialNumber() + ", subject is " + x509CertificateArr[i5].getSubjectDN().getName());
                        System.out.println("CERTPATH: OCSPChecker.java:  internalCheck():  Throwing revocation exception for the cert below.");
                        System.out.println("                                               System property onlyCheckEECerts==" + onlyCheckEECert);
                        System.out.println(x509CertificateArr[i5].toString());
                    }
                    CertPathValidatorException certPathValidatorException2 = new CertPathValidatorException("certificate status unknown", new OCSPCertPathStatusUnknownException(certStatusArr, x509CertificateArr, this.certPath), this.certPath, i5, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                    PKIXRevocationCheckerImpl.isSoftFailException(certPathValidatorException2, this.pkixParams);
                    throw certPathValidatorException2;
            }
        }
    }

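    /**
     * Reads the responder's HTTP reply, parses it as an OCSP response, verifies it and
     * returns the status of each requested certificate.
     *
     * <p>The reply is rejected when the HTTP status is not 200, when the OCSP response
     * status is not successful, when a nonce was sent but is missing or different in the
     * reply, when the reply carries no response data, or when signature verification of
     * the basic response fails.
     *
     * @param httpURLConnection connection on which the OCSP request has already been sent
     * @param certIDArr         identifiers of the certificates whose status was requested
     * @param trustAnchor       anchor used to verify the response; when {@code null}, anchors are
     *                          built from the issuer name and issuer public key of each CertID
     * @return one entry per element of {@code certIDArr}; an entry is {@code null} when the
     *         response holds no matching single response or that single response is outside
     *         its thisUpdate/nextUpdate window
     * @throws CertPathValidatorException if the reply cannot be read, parsed or verified
     */
    private CertStatus[] checkResponse(HttpURLConnection httpURLConnection, CertID[] certIDArr, TrustAnchor trustAnchor) throws CertPathValidatorException {
        // The HTTP status is checked on every call. Validation must not behave differently
        // depending on whether debug tracing happens to be enabled.
        try {
            int responseCode = httpURLConnection.getResponseCode();
            if (responseCode != HttpURLConnection.HTTP_OK) {
                throw new CertPathValidatorException("Received HTTP error: " + responseCode + " - " + httpURLConnection.getResponseMessage());
            }
        } catch (IOException e) {
            if (debug != null) {
                e.printStackTrace();
            }
            throw new CertPathValidatorException(e);
        }
        byte[] bArr;
        // try-with-resources closes the stream even when the read fails. A failed read is
        // reported to the caller instead of continuing with a null buffer.
        try (InputStream inputStream = httpURLConnection.getInputStream()) {
            // NOTE(review): the length passed here is whatever the responder put in Content-Length;
            // no upper bound on the response size is visible in this method - confirm one is
            // enforced elsewhere.
            bArr = IOUtils.readFully(inputStream, httpURLConnection.getContentLength(), false);
        } catch (IOException e2) {
            if (debug != null) {
                e2.printStackTrace();
            }
            throw new CertPathValidatorException(e2);
        }
        try {
            OCSPResponse oCSPResponse = new OCSPResponse(bArr);
            int responseStatus = oCSPResponse.getResponseStatus().getStatus();
            if (responseStatus != 0) {
                throw ((CertPathValidatorException) new CertPathValidatorException("Unsuccessful OCSP response").initCause(new OCSPException(OCSPException.setResponseErrorMsg(responseStatus))));
            }
            this.ocspResponseNonce = oCSPResponse.getNonce();
            // The nonce ties the reply to this request; it is only enforced when one was sent.
            if (this.ocspRequestNonce != null) {
                if (debug != null) {
                    System.out.println("CERTPATH: OCSPChecker.java:  checkResponse():  A nonce extension was included on the OCSPRequest");
                    System.out.println("                                               Compare it to the one echoed   on the OCSPResponse");
                }
                if (this.ocspResponseNonce == null) {
                    throw new CertPathValidatorException("Nonce was not echoed on OCSPResponse");
                }
                if (this.ocspRequestNonce.length != this.ocspResponseNonce.length) {
                    throw new CertPathValidatorException("Nonce value sent on the OCSPRequest is a different length than the Nonce value received on the OCSPResponse");
                }
                for (int i = 0; i < this.ocspRequestNonce.length; i++) {
                    if (this.ocspRequestNonce[i] != this.ocspResponseNonce[i]) {
                        throw new CertPathValidatorException("Nonce value sent on the OCSPRequest does not match the Nonce value received on the OCSPResponse");
                    }
                }
                if (debug != null) {
                    System.out.println("CERTPATH: OCSPChecker.java:  checkResponse():  The nonce extension received on the OCSPResponse matches the one sent on the OCSPRequest.");
                }
            }
            if (oCSPResponse.getResponseData() == null) {
                throw new CertPathValidatorException("No data was found in the OCSPResponse");
            }
            try {
                if (debug != null) {
                    System.out.println("Get response type: " + oCSPResponse.getResponseType());
                }
                BasicOCSPResponse basicOCSPResponse = new BasicOCSPResponse(oCSPResponse.getResponseData(), this.pkixParams.getDate());
                // Anchors the response signature is verified against.
                HashSet hashSet = new HashSet();
                if (trustAnchor == null) {
                    for (int i2 = 0; i2 < certIDArr.length; i2++) {
                        hashSet.add(new TrustAnchor(certIDArr[i2].getIssuerName(), certIDArr[i2].getIssuerPublicKey(), (byte[]) null));
                    }
                } else {
                    hashSet.add(trustAnchor);
                }
                try {
                    basicOCSPResponse.verify(hashSet);
                    // NOTE(review): freshness is judged against the wall clock, while the basic
                    // response above is built with pkixParams.getDate() - confirm which is intended.
                    Date now = new Date();
                    CertStatus[] certStatusArr = new CertStatus[certIDArr.length];
                    for (int i3 = 0; i3 < certIDArr.length; i3++) {
                        SingleResponse singleResponse = basicOCSPResponse.getSingleResponse(certIDArr[i3]);
                        if (singleResponse == null) {
                            certStatusArr[i3] = null;
                            continue;
                        }
                        Date thisUpdate = singleResponse.getThisUpdate();
                        Date nextUpdate = singleResponse.getNextUpdate();
                        boolean expired = nextUpdate != null && nextUpdate.before(now);
                        boolean notYetValid = thisUpdate.after(now);
                        // A single response outside its validity window yields no status, so the
                        // caller treats the certificate as undetermined. Previously the null was
                        // overwritten by the stale status on the next statement.
                        certStatusArr[i3] = (expired || notYetValid) ? null : singleResponse.getCertStatus();
                    }
                    return certStatusArr;
                } catch (OCSPException e3) {
                    if (debug != null) {
                        System.out.println("CERTPATH:  OCSPChecker.java:  checkOCSPResponse():  The following exception was thrown while trying to verify the BasicOCSPResponse:");
                        System.out.println(e3.toString());
                        e3.printStackTrace();
                    }
                    throw new CertPathValidatorException(e3);
                }
            } catch (IOException e4) {
                if (debug != null) {
                    e4.printStackTrace();
                }
                throw new CertPathValidatorException(e4);
            }
        } catch (IOException e5) {
            if (debug != null) {
                System.out.println("OCSPChecker.java:  checkResponse():  The following exception was thrown while");
                System.out.println("                                     creating an OCSPResponse object from    ");
                System.out.println("                                     the byte array:                         ");
                System.out.println(e5.toString());
                e5.printStackTrace();
            }
            throw new CertPathValidatorException(e5);
        }
    }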

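    /**
     * Configures the connection for an OCSP POST and writes the encoded request to it.
     *
     * @param httpURLConnection connection to the OCSP responder, not yet connected
     * @param bArr              encoded OCSP request to send as the body
     * @throws IOException if the connection cannot be configured or the body cannot be written
     */
    private void sendRequest(HttpURLConnection httpURLConnection, byte[] bArr) throws IOException {
        httpURLConnection.setConnectTimeout(CertPathSystemProperties.getOCSPConnectTimeout());
        // NOTE(review): the read timeout reuses the connect-timeout setting; whether a separate
        // read-timeout property exists is not visible here.
        httpURLConnection.setReadTimeout(CertPathSystemProperties.getOCSPConnectTimeout());
        httpURLConnection.setDoOutput(true);
        httpURLConnection.setDoInput(true);
        httpURLConnection.setRequestMethod("POST");
        httpURLConnection.setRequestProperty("Content-type", "application/ocsp-request");
        // The header carries the body length; String.valueOf(bArr) would render the array
        // reference ("[B@...") rather than a number.
        httpURLConnection.setRequestProperty("Content-length", String.valueOf(bArr.length));
        // Close the stream even when the write fails.
        try (OutputStream outputStream = httpURLConnection.getOutputStream()) {
            outputStream.write(bArr);
            outputStream.flush();
        }
    }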

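    /**
     * Searches the given cert stores for the issuer of a certificate and wraps it in a trust anchor.
     *
     * <p>A candidate is accepted only when its subject matches the certificate's issuer name
     * and its public key verifies the certificate's signature. A matching name alone is not
     * enough, because any store entry can carry the same subject.
     *
     * @param x509Certificate certificate whose issuer is looked up
     * @param list            {@link CertStore} objects to search, in order
     * @return an anchor for the first candidate that verifies the certificate, or {@code null}
     *         when no store yields one
     */
    private TrustAnchor getTrustedCert(X509Certificate x509Certificate, List list) {
        X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal();
        for (Object entry : list) {
            CertStore certStore = (CertStore) entry;
            X509CertSelector x509CertSelector = new X509CertSelector();
            try {
                x509CertSelector.setSubject(issuerX500Principal.getName(X500Principal.RFC2253));
                for (Certificate candidate : certStore.getCertificates(x509CertSelector)) {
                    if (!(candidate instanceof X509Certificate)) {
                        continue;
                    }
                    X509Certificate issuerCert = (X509Certificate) candidate;
                    try {
                        x509Certificate.verify(issuerCert.getPublicKey());
                        return new TrustAnchor(issuerCert, null);
                    } catch (Exception e) {
                        // Signature did not verify with this candidate: keep looking rather than
                        // returning it as an anchor.
                        if (debug != null) {
                            System.out.println("CERTPATH: can not verify the signature" + e.getMessage());
                        }
                    }
                }
            } catch (CertStoreException e2) {
                // Best effort: a store that cannot be queried is skipped.
                if (debug != null) {
                    System.out.println(e2.getMessage());
                }
            } catch (IOException e3) {
                // The issuer name could not be set on the selector; nothing to match in this store.
                if (debug != null) {
                    System.out.println(e3.getMessage());
                }
            }
        }
        return null;
    }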

    /**
     * Picks, from a set of trust anchors, the one that corresponds to the issuer of a certificate.
     *
     * <p>An anchor that holds a certificate matches when that certificate's subject equals the
     * issuer principal. An anchor given as CA name plus public key matches when the name equals
     * the issuer's RFC 2253 name and the key verifies the certificate's signature.
     *
     * @param x509Certificate certificate whose issuing anchor is wanted
     * @param set             candidate {@link TrustAnchor} objects
     * @return the first matching anchor, or {@code null} when none matches
     */
    private TrustAnchor getTrustAnchor(X509Certificate x509Certificate, Set set) {
        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        for (Object element : set) {
            TrustAnchor candidate = (TrustAnchor) element;
            X509Certificate anchorCert = candidate.getTrustedCert();
            if (anchorCert != null) {
                // NOTE(review): this branch matches on the subject name only, while the name/key
                // branch below also verifies the signature - confirm the asymmetry is intended.
                if (anchorCert.getSubjectX500Principal().equals(issuer)) {
                    return candidate;
                }
                continue;
            }
            String caName = candidate.getCAName();
            PublicKey caKey = candidate.getCAPublicKey();
            if (!caName.equals(issuer.getName(X500Principal.RFC2253))) {
                continue;
            }
            try {
                x509Certificate.verify(caKey);
                return candidate;
            } catch (Exception e) {
                // The key of this anchor did not verify the certificate; try the next anchor.
                if (debug != null) {
                    System.out.println("CERTPATH: try to find the trust anchor of the cert chain " + e.getMessage());
                }
            }
        }
        if (debug != null) {
            System.out.println("CERTPATH: failed to find the trust anchor");
        }
        return null;
    }

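    /**
     * Extracts the status of one certificate from a caller-supplied ("stapled") OCSP response.
     *
     * <p>The response is parsed, its basic response is verified against anchors built from
     * {@code certIDArr} plus the optional {@code trustAnchor}, and the single response whose
     * CertID carries the certificate's serial number is returned.
     *
     * @param x509Certificate certificate whose status is wanted
     * @param bArr            encoded stapled OCSP response
     * @param certIDArr       CertIDs whose issuer name and issuer public key seed the anchor set
     * @param trustAnchor     extra anchor to verify against, may be {@code null}
     * @return the status from the matching single response, or {@code null} when the response
     *         has no entry for the certificate's serial number
     * @throws CertPathValidatorException if an argument is missing, or the response cannot be
     *                                    parsed or verified, or reports an unsuccessful status
     */
    CertStatus getCertStatus(X509Certificate x509Certificate, byte[] bArr, CertID[] certIDArr, TrustAnchor trustAnchor) throws CertPathValidatorException {
        if (x509Certificate == null || bArr == null) {
            throw new CertPathValidatorException("Bad entry found witin the stapled OCSPResponses supplied by the user within the PKIXRevocationChecker object.");
        }
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        if (serialNumber == null) {
            if (debug != null) {
                System.out.println("OCSPChecker.java:  getCertStatus():  Unable to read the serial number from the following \"stapled\" X509Certificate.");
                System.out.println("                                     Throwing CertPathValidatorException.             ");
                System.out.println(x509Certificate.toString());
            }
            throw new CertPathValidatorException("Unable to read the serial number from a \"stapled\" X509Certificate.");
        }
        try {
            OCSPResponse oCSPResponse = new OCSPResponse(bArr);
            byte[] responseData = oCSPResponse.getResponseData();
            if (responseData == null) {
                throw new CertPathValidatorException("No data was found within the stapled OCSPResponse passed in for the certificate with the following subject dn:  " + x509Certificate.getSubjectX500Principal().toString());
            }
            try {
                if (debug != null) {
                    System.out.println("Get response type: " + oCSPResponse.getResponseType());
                }
                BasicOCSPResponse basicOCSPResponse = new BasicOCSPResponse(responseData, this.pkixParams.getDate());
                // Anchors the response signature is verified against.
                HashSet hashSet = new HashSet();
                for (int i = 0; i < certIDArr.length; i++) {
                    hashSet.add(new TrustAnchor(certIDArr[i].getIssuerName(), certIDArr[i].getIssuerPublicKey(), (byte[]) null));
                }
                if (trustAnchor != null) {
                    hashSet.add(trustAnchor);
                }
                try {
                    basicOCSPResponse.verify(hashSet);
                    if (oCSPResponse.getResponseStatus().getStatus() != 0) {
                        throw ((CertPathValidatorException) new CertPathValidatorException("OCSP response carrying unsuccessful status was passed as a stapled OCSPResponse by the user within PKIXRevocationChecker").initCause(new OCSPException(OCSPException.setResponseErrorMsg(oCSPResponse.getResponseStatus().getStatus()))));
                    }
                    try {
                        // NOTE(review): entries are matched on the serial number alone, and no
                        // thisUpdate/nextUpdate comparison is made in this method. Whether the
                        // issuer fields of the CertID and the validity window are checked inside
                        // getCertIDToSingleResponseMap or BasicOCSPResponse is not visible here - confirm.
                        for (Map.Entry<CertID, SingleResponse> entry : oCSPResponse.getCertIDToSingleResponseMap(bArr, this.pkixParams.getDate()).entrySet()) {
                            CertID key = entry.getKey();
                            SingleResponse value = entry.getValue();
                            if (key.getTargetCertSerialNumber().equals(serialNumber)) {
                                return value.getCertStatus();
                            }
                        }
                        return null;
                    } catch (IOException e) {
                        // Keep the underlying failure attached so it is not lost to the caller.
                        throw new CertPathValidatorException("An exception was thrown while getting the \"CertID\" to \"SingleResponse\" map from the stapled OCSPResponse bytes.", e);
                    }
                } catch (OCSPException e2) {
                    if (debug != null) {
                        System.out.println("CERTPATH:  OCSPChecker.java:  getCertStatus():  The following exception was thrown while trying to verify the BasicOCSPResponse portion of the stapled OCSPResponse passed in for the certificate with the following subject dn:  " + x509Certificate.getSubjectX500Principal().toString());
                        System.out.println(e2.toString());
                        e2.printStackTrace();
                    }
                    throw new CertPathValidatorException(e2);
                }
            } catch (IOException e3) {
                if (debug != null) {
                    e3.printStackTrace();
                }
                throw new CertPathValidatorException(e3);
            }
        } catch (IOException e4) {
            if (debug != null) {
                System.out.println("OCSPChecker.java:  getCertStatus():  Unable to convert the stapled OCSPResponse bytes, passed by the user within");
                System.out.println("                                     PKIXRevocationChecker, to an OCSPResponse object.");
                System.out.println("                                     Throwing CertPathValidatorException.             ");
            }
            throw new CertPathValidatorException("Unable to convert the stapled OCSPResponse bytes, passed by the user within PKIXRevocationChecker, to an OCSPResponse object.", e4);
        }
    }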

    /**
     * Copies a list of extensions into an array of the provider's own extension type.
     *
     * <p>Each element is cast to {@code com.ibm.security.x509.Extension}. When debug tracing is
     * on, the OID, criticality and value of every element are printed.
     *
     * @param list extensions to convert, in iteration order
     * @return an array of the same size holding the same elements
     */
    private com.ibm.security.x509.Extension[] convertExtensionListToArray(List<Extension> list) {
        com.ibm.security.x509.Extension[] converted = new com.ibm.security.x509.Extension[list.size()];
        int index = 0;
        for (Extension source : list) {
            com.ibm.security.x509.Extension current = (com.ibm.security.x509.Extension) source;
            converted[index] = current;
            index++;
            if (debug == null) {
                continue;
            }
            System.out.println("==========================================================================");
            System.out.println("OCSPChecker.java:  ConvertExtensionListToArray():  DUMPING THE CONTENTS OF THE NONCE EXTENSION PASSED IN:");
            System.out.println("OCSPChecker.java:  ConvertExtensionListToArray():  THE OID IS:  " + current.getExtensionId().toString());
            System.out.println("OCSPChecker.java:  ConvertExtensionListToArray():  THE ISCRITICAL IS:  " + current.isCritical());
            System.out.println("OCSPChecker.java:  ConvertExtensionListToArray():  THE EXTENSION VALUE IS:  " + toHexString(current.getExtensionValue()));
            System.out.println("==========================================================================");
        }
        return converted;
    }

    /**
     * Renders a byte array as upper-case hexadecimal for trace output.
     *
     * <p>Every byte becomes two hex digits followed by a space, and a line break is written
     * before every 16th byte, including the first.
     *
     * @param bArr bytes to render
     * @return the formatted text, empty for an empty array
     */
    public static String toHexString(byte[] bArr) {
        final String digits = "0123456789ABCDEF";
        StringBuilder text = new StringBuilder();
        int position = 0;
        for (byte value : bArr) {
            if (position % 16 == 0) {
                text.append('\n');
            }
            position++;
            // Mask after shifting so the sign extension of a negative byte is discarded.
            text.append(digits.charAt((value >> 4) & 0x0F));
            text.append(digits.charAt(value & 0x0F));
            text.append(' ');
        }
        return text.toString();
    }
}
