package org.keycloak.utils;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.CRLReason;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedList;
import java.util.List;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.apache.log4j.Priority;
import org.jboss.logging.Logger;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.KeycloakSession;

/* loaded from: input_file:WEB-INF/lib/keycloak-server-spi-private-20.0.2.jar:org/keycloak/utils/OCSPProvider.class */
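/**
 * Base class for OCSP revocation checks.
 *
 * <p>This class owns only the generic parts of the flow: argument validation, discovery of the
 * responder URIs (via the abstract {@link #getResponderURIs(X509Certificate)}) and the HTTP
 * transport of an already-encoded OCSP request ({@link #getEncodedOCSPResponse}). Building the
 * request and validating the DER response (signature, responder identity, freshness) is the job
 * of the abstract {@link #check(KeycloakSession, X509Certificate, X509Certificate, List, X509Certificate, Date)}
 * implemented by subclasses and is not visible here.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The responder URIs are taken from the certificate being checked, i.e. from data that may
 *       be attacker supplied. Redirect, proxy and TLS policy are whatever the session's
 *       {@link HttpClientProvider} configures — nothing here restricts them.</li>
 *   <li>Each request is bounded by {@link #OCSP_CONNECT_TIMEOUT} (connect and socket timeout) and
 *       the response body by {@link #MAX_OCSP_RESPONSE_SIZE}, so a slow or oversized responder
 *       cannot tie up a thread or heap indefinitely.</li>
 * </ul>
 */
public abstract class OCSPProvider {
    private static final Logger logger = Logger.getLogger(OCSPProvider.class);

    /**
     * Connect and socket timeout, in milliseconds, applied to every request sent to an OCSP
     * responder. 10 s. (A decompiler rendered this literal as log4j's {@code Priority.DEBUG_INT},
     * which merely happens to have the same value; the class has no log4j dependency.)
     */
    protected static int OCSP_CONNECT_TIMEOUT = 10000;

    /**
     * Tolerance for clock differences between this server and the responder; 900 000, presumably
     * milliseconds (15 minutes). It is not used in this class — subclasses apply it when checking
     * response times, so confirm the unit against the implementation.
     */
    protected static final int TIME_SKEW = 900000;

    /**
     * Maximum number of body bytes accepted from a responder (1 MiB). Real OCSP responses are a
     * few kilobytes; anything larger is treated as an error rather than buffered in memory.
     */
    protected static int MAX_OCSP_RESPONSE_SIZE = 1024 * 1024;

    /** Result of a revocation check for one certificate. */
    public interface OCSPRevocationStatus {
        RevocationStatus getRevocationStatus();

        /** Revocation time when the status is {@link RevocationStatus#REVOKED}; see {@link #unknownStatus()} otherwise. */
        Date getRevocationTime();

        CRLReason getRevocationReason();
    }

    /** The three certificate states an OCSP responder can report. */
    public enum RevocationStatus {
        GOOD,
        REVOKED,
        UNKNOWN
    }

    /**
     * Checks {@code cert} against a single, explicitly given responder.
     *
     * @param session           current session, used to obtain the HTTP client
     * @param cert              certificate whose status is requested
     * @param issuerCertificate issuer of {@code cert}
     * @param responderURI      responder to query
     * @param responderCert     certificate expected to sign the response, or {@code null}
     * @param date              reference time for the check, or {@code null}
     * @return the revocation status reported by the subclass implementation
     * @throws IllegalArgumentException   if {@code cert}, {@code issuerCertificate} or {@code responderURI} is null
     * @throws CertPathValidatorException if the status could not be determined
     */
    public OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate,
                                      URI responderURI, X509Certificate responderCert, Date date)
            throws CertPathValidatorException {
        if (cert == null) {
            throw new IllegalArgumentException("cert cannot be null");
        }
        if (issuerCertificate == null) {
            throw new IllegalArgumentException("issuerCertificate cannot be null");
        }
        if (responderURI == null) {
            throw new IllegalArgumentException("responderURI cannot be null");
        }
        return check(session, cert, issuerCertificate, Collections.singletonList(responderURI), responderCert, date);
    }

    /**
     * Checks {@code cert} against the responders advertised by the certificate itself.
     *
     * <p>Malformed responder URIs are logged and skipped. If the certificate advertises no
     * responder, or none of the advertised URIs parses, the check fails closed with a
     * {@link CertPathValidatorException} instead of handing an empty list to the implementation.
     *
     * @param session           current session, used to obtain the HTTP client
     * @param cert              certificate whose status is requested
     * @param issuerCertificate issuer of {@code cert}
     * @param date              reference time for the check, or {@code null}
     * @param responderCert     certificate expected to sign the response, or {@code null}
     * @return the revocation status reported by the subclass implementation
     * @throws CertPathValidatorException if no usable responder URI is available, the certificate
     *                                    cannot be decoded, or the status could not be determined
     */
    public OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate,
                                      Date date, X509Certificate responderCert) throws CertPathValidatorException {
        List<String> responderURIs;
        try {
            responderURIs = getResponderURIs(cert);
        } catch (CertificateEncodingException e) {
            logger.debug("Unable to decode certificate while looking for OCSP responder URIs", e);
            throw new CertPathValidatorException(e.getMessage(), e);
        }

        if (responderURIs == null || responderURIs.isEmpty()) {
            logger.info("No OCSP responders in the specified certificate");
            throw new CertPathValidatorException("No OCSP Responder URI in certificate");
        }

        List<URI> uris = new ArrayList<>(responderURIs.size());
        for (String value : responderURIs) {
            try {
                uris.add(URI.create(value));
            } catch (IllegalArgumentException e) {
                // Format-aware overload: the 4-argument log(Level, String, Object, Throwable) takes a
                // logger FQCN as its second parameter and never substituted {0}.
                logger.debugv(e, "Malformed responder URI {0}", value);
            }
        }

        if (uris.isEmpty()) {
            logger.info("None of the OCSP responder URIs in the specified certificate is well-formed");
            throw new CertPathValidatorException("No well-formed OCSP Responder URI in certificate");
        }

        return check(session, cert, issuerCertificate, Collections.unmodifiableList(uris), responderCert, date);
    }

    /**
     * Sends an encoded OCSP request to {@code responderUri} by HTTP POST and returns the raw
     * response body.
     *
     * <p>The body is returned as-is: no parsing, no signature check. Callers must validate it.
     *
     * @param session        current session, used to obtain the HTTP client
     * @param encodedOCSPReq DER-encoded OCSP request
     * @param responderUri   responder to contact
     * @return the response body, at most {@link #MAX_OCSP_RESPONSE_SIZE} bytes
     * @throws IOException on transport failure, on a non-200 status, on a missing body, or when
     *                     the body exceeds {@link #MAX_OCSP_RESPONSE_SIZE}
     */
    public byte[] getEncodedOCSPResponse(KeycloakSession session, byte[] encodedOCSPReq, URI responderUri)
            throws IOException {
        CloseableHttpClient httpClient = session.getProvider(HttpClientProvider.class).getHttpClient();

        HttpPost post = new HttpPost(responderUri);
        post.setHeader("Content-Type", "application/ocsp-request");
        post.setConfig(RequestConfig.custom()
                .setConnectTimeout(OCSP_CONNECT_TIMEOUT)
                .setSocketTimeout(OCSP_CONNECT_TIMEOUT)
                .build());
        post.setEntity(new ByteArrayEntity(encodedOCSPReq));

        try (CloseableHttpResponse response = httpClient.execute(post)) {
            try {
                int statusCode = response.getStatusLine().getStatusCode();
                if (statusCode != 200) {
                    throw new IOException(String.format(
                            "Connection error, unable to obtain certificate revocation status using OCSP responder \"%s\", code \"%d\"",
                            responderUri.toString(), statusCode));
                }
                if (response.getEntity() == null) {
                    throw new IOException(String.format(
                            "Empty response from OCSP responder \"%s\"", responderUri.toString()));
                }
                try (InputStream in = response.getEntity().getContent()) {
                    return readBounded(in, response.getEntity().getContentLength(), MAX_OCSP_RESPONSE_SIZE, responderUri);
                }
            } finally {
                // Drain whatever is left so the pooled connection can be reused.
                EntityUtils.consumeQuietly(response.getEntity());
            }
        }
    }

    /**
     * Reads {@code in} to the end, refusing to buffer more than {@code limit} bytes.
     *
     * @param in             stream to read
     * @param declaredLength Content-Length as reported by the entity, or a negative value if unknown
     * @param limit          maximum number of bytes to accept
     * @param responderUri   only used in the error message
     * @return all bytes read
     * @throws IOException if the declared or actual length exceeds {@code limit}, or on read failure
     */
    private static byte[] readBounded(InputStream in, long declaredLength, int limit, URI responderUri)
            throws IOException {
        if (declaredLength > limit) {
            throw new IOException(String.format(
                    "Response from OCSP responder \"%s\" too large: %d bytes declared, limit is %d",
                    responderUri.toString(), declaredLength, limit));
        }
        int initialCapacity = declaredLength > 0 ? (int) declaredLength : 4096;
        ByteArrayOutputStream out = new ByteArrayOutputStream(initialCapacity);
        byte[] buffer = new byte[4096];
        long total = 0;
        int read;
        while ((read = in.read(buffer)) != -1) {
            total += read;
            // Checked on the actual byte count, not Content-Length, so chunked or lying responders are bounded too.
            if (total > limit) {
                throw new IOException(String.format(
                        "Response from OCSP responder \"%s\" too large: more than %d bytes received",
                        responderUri.toString(), limit));
            }
            out.write(buffer, 0, read);
        }
        return out.toByteArray();
    }

    /**
     * Checks {@code cert} against the responders advertised by the certificate, with no reference
     * time and no expected responder certificate.
     *
     * @see #check(KeycloakSession, X509Certificate, X509Certificate, Date, X509Certificate)
     */
    public OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate)
            throws CertPathValidatorException {
        return check(session, cert, issuerCertificate, null, null);
    }

    /**
     * Performs the actual OCSP exchange and response validation against the given responders.
     *
     * @param session           current session
     * @param cert              certificate whose status is requested
     * @param issuerCertificate issuer of {@code cert}
     * @param responderURIs     non-empty list of responders to try
     * @param responderCert     certificate expected to sign the response, or {@code null}
     * @param date              reference time for the check, or {@code null}
     * @return the revocation status
     * @throws CertPathValidatorException if the status could not be determined
     */
    protected abstract OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert,
                                                  X509Certificate issuerCertificate, List<URI> responderURIs,
                                                  X509Certificate responderCert, Date date)
            throws CertPathValidatorException;

    /**
     * A status object for a certificate whose state could not be determined.
     *
     * <p>{@code getRevocationTime()} has no meaning for this state and simply returns the time of
     * the call; {@code getRevocationReason()} is {@link CRLReason#UNSPECIFIED}.
     */
    protected static OCSPRevocationStatus unknownStatus() {
        return new OCSPRevocationStatus() {
            @Override
            public RevocationStatus getRevocationStatus() {
                return RevocationStatus.UNKNOWN;
            }

            @Override
            public Date getRevocationTime() {
                return new Date();
            }

            @Override
            public CRLReason getRevocationReason() {
                return CRLReason.UNSPECIFIED;
            }
        };
    }

    /**
     * Extracts the OCSP responder URIs advertised by {@code cert} (as strings, unparsed).
     *
     * @param cert certificate to inspect
     * @return the advertised URIs; may be empty
     * @throws CertificateEncodingException if the certificate cannot be decoded
     */
    protected abstract List<String> getResponderURIs(X509Certificate cert) throws CertificateEncodingException;
}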
