package eu.europa.esig.dss.spi.x509.revocation.ocsp;

import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import java.io.IOException;
import java.math.BigInteger;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/spi/x509/revocation/ocsp/OCSPTokenBuilder.class */
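/**
 * Assembles an {@link OCSPToken} from an OCSP response and the certificate the response is about.
 *
 * <p>The builder only copies data into the token and, when a nonce was dispatched with the
 * request, checks that the response echoes the same nonce. Nothing in this class verifies the
 * signature of the response or its validity period.
 * NOTE(review): presumably those checks happen in {@code OCSPToken} or in the caller; confirm.
 *
 * <p>The OCSP response is data received from a responder and must be treated as untrusted:
 * every malformed or unexpected value is reported as an {@link OCSPException} or as a nonce
 * mismatch rather than as an unchecked exception.
 */
public class OCSPTokenBuilder {
    private static final Logger LOG = LoggerFactory.getLogger(OCSPTokenBuilder.class);
    private final BasicOCSPResp basicOCSPResp;
    private final CertificateToken certificateToken;
    private final CertificateToken issuerCertificateToken;
    private boolean available;
    private String ocspAccessLocation;
    private OCSPRespStatus responseStatus;
    // Nonce that was sent with the request; null means that no nonce check is performed in build().
    private BigInteger nonce;

    /**
     * Creates a builder from a complete OCSP response.
     *
     * <p>The token is marked as available only when the response status is
     * {@code SUCCESSFUL}; any other status leaves it unavailable.
     *
     * @param oCSPResp the OCSP response returned by the responder
     * @param certificateToken the certificate whose revocation status was requested
     * @param certificateToken2 the issuer of {@code certificateToken}
     * @throws OCSPException if the response object cannot be extracted or is not a basic OCSP
     *     response
     */
    public OCSPTokenBuilder(OCSPResp oCSPResp, CertificateToken certificateToken, CertificateToken certificateToken2) throws OCSPException {
        this(toBasicOCSPResp(oCSPResp), certificateToken, certificateToken2);
        this.responseStatus = OCSPRespStatus.fromInt(oCSPResp.getStatus());
        if (OCSPRespStatus.SUCCESSFUL.equals(this.responseStatus)) {
            this.available = true;
        }
    }

    /**
     * Creates a builder from an already extracted basic OCSP response.
     *
     * <p>The token starts as unavailable and without a response status; use
     * {@link #setAvailable(boolean)} and {@link #setOCSPResponseStatus(OCSPRespStatus)} to set them.
     *
     * @param basicOCSPResp the basic OCSP response
     * @param certificateToken the certificate whose revocation status was requested
     * @param certificateToken2 the issuer of {@code certificateToken}
     */
    public OCSPTokenBuilder(BasicOCSPResp basicOCSPResp, CertificateToken certificateToken, CertificateToken certificateToken2) {
        this.available = false;
        this.basicOCSPResp = basicOCSPResp;
        this.certificateToken = certificateToken;
        this.issuerCertificateToken = certificateToken2;
    }

    /**
     * Sets the URL the OCSP response was obtained from.
     *
     * @param str the OCSP access location; when null, build() sets neither a source URL nor a
     *     revocation token key
     */
    public void setSourceURL(String str) {
        this.ocspAccessLocation = str;
    }

    /**
     * Overrides the availability flag copied into the token.
     *
     * <p>This replaces the value derived from the response status in the {@link OCSPResp}
     * constructor, so a caller can mark a non-successful response as available.
     *
     * @param z the availability to report
     */
    public void setAvailable(boolean z) {
        this.available = z;
    }

    /**
     * Sets the OCSP response status copied into the token.
     *
     * @param oCSPRespStatus the response status
     */
    public void setOCSPResponseStatus(OCSPRespStatus oCSPRespStatus) {
        this.responseStatus = oCSPRespStatus;
    }

    /**
     * Sets the nonce that was dispatched with the OCSP request.
     *
     * <p>When set, {@link #build()} rejects a response that does not carry the same nonce,
     * which ties the response to this request. When left null, no nonce check is made.
     *
     * @param bigInteger the dispatched nonce, or null to skip the nonce check
     */
    public void setNonce(BigInteger bigInteger) {
        this.nonce = bigInteger;
    }

    /**
     * Builds the {@link OCSPToken}.
     *
     * @return the populated token
     * @throws NullPointerException if the basic OCSP response or the certificate token is null
     * @throws OCSPException if a nonce was dispatched and the response does not contain a
     *     matching nonce
     */
    public OCSPToken build() throws OCSPException {
        Objects.requireNonNull(this.basicOCSPResp, "The basic OCSP response must be filled");
        Objects.requireNonNull(this.certificateToken, "The Certificate token must be filled");
        OCSPToken oCSPToken = new OCSPToken();
        if (this.ocspAccessLocation != null) {
            oCSPToken.setSourceURL(this.ocspAccessLocation);
            oCSPToken.setRevocationTokenKey(DSSRevocationUtils.getOcspRevocationKey(this.certificateToken, this.ocspAccessLocation));
        }
        // NOTE(review): issuerCertificateToken is not null-checked here, unlike certificateToken;
        // confirm that getOCSPCertificateID tolerates a null issuer.
        oCSPToken.setCertId(DSSRevocationUtils.getOCSPCertificateID(this.certificateToken, this.issuerCertificateToken));
        oCSPToken.setAvailable(this.available);
        oCSPToken.setResponseStatus(this.responseStatus);
        oCSPToken.setRelatedCertificate(this.certificateToken);
        oCSPToken.setBasicOCSPResp(this.basicOCSPResp);
        if (this.nonce != null) {
            oCSPToken.setUseNonce(true);
            // Fail closed: a missing, malformed or different nonce means the response cannot be
            // tied to the request that was sent, so no token is returned.
            if (!isNonceMatch(this.basicOCSPResp, this.nonce)) {
                throw new OCSPException("Nonce received from OCSP response does not match a dispatched nonce.");
            }
            oCSPToken.setNonceMatch(true);
        }
        oCSPToken.initInfo();
        return oCSPToken;
    }

    /**
     * Extracts the basic OCSP response from a complete OCSP response.
     *
     * <p>{@code getResponseObject()} is declared to return {@code Object}, so a response of
     * another type is reported as an {@link OCSPException} instead of a ClassCastException.
     * A null response object is passed through and rejected later by {@link #build()}.
     */
    private static BasicOCSPResp toBasicOCSPResp(OCSPResp oCSPResp) throws OCSPException {
        Object responseObject = oCSPResp.getResponseObject();
        if (responseObject == null || responseObject instanceof BasicOCSPResp) {
            return (BasicOCSPResp) responseObject;
        }
        throw new OCSPException("Unsupported OCSP response type: " + responseObject.getClass().getName());
    }

    /**
     * Checks whether the nonce extension of the response equals the dispatched nonce.
     *
     * <p>Returns false, and never throws, when the extension is absent, is not a DER
     * OCTET STRING, is empty or cannot be decoded.
     */
    private boolean isNonceMatch(BasicOCSPResp basicOCSPResp, BigInteger bigInteger) {
        Extension nonceExtension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonceExtension == null) {
            // The responder did not echo a nonce; without this check the call below would
            // fail with a NullPointerException.
            LOG.warn("Nonce extension is not present in OCSP response");
            return false;
        }
        try {
            ASN1Primitive fromByteArray = ASN1Primitive.fromByteArray(nonceExtension.getExtnValue().getOctets());
            if (fromByteArray instanceof DEROctetString) {
                byte[] receivedNonce = ((DEROctetString) fromByteArray).getOctets();
                if (receivedNonce.length == 0) {
                    // new BigInteger(byte[0]) throws NumberFormatException.
                    LOG.warn("Nonce extension value in OCSP response is empty");
                    return false;
                }
                return bigInteger.equals(new BigInteger(receivedNonce));
            }
            LOG.warn("Nonce extension value in OCSP response is not an OCTET STRING");
            return false;
        } catch (IOException e) {
            LOG.warn("Invalid encoding of nonce extension value in OCSP response", e);
            return false;
        }
    }
}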
