package libcore.java.security.cert;

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.Set;
import libcore.java.security.TestKeyStore;
import libcore.junit.junit3.TestCaseWithRules;
import libcore.junit.util.EnableDeprecatedBouncyCastleAlgorithmsRule;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.junit.Rule;
import org.junit.rules.TestRule;
import tests.security.cert.CertPathBuilder1Test;

/* loaded from: input_file:libcore/java/security/cert/CertPathValidatorTest.class */
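/**
 * Exercises {@link CertPathValidator} revocation checking with a pre-supplied OCSP response.
 *
 * <p>Each test builds a server / intermediate CA / root CA chain from {@link TestKeyStore},
 * signs an OCSP response for the server certificate with the intermediate CA key, hands that
 * response to a {@link PKIXRevocationChecker} through {@code setOcspResponses}, and then
 * validates the chain.
 */
public class CertPathValidatorTest extends TestCaseWithRules {

    // The OCSP responses below use SHA-1 (CertificateID hash and "SHA1withRSA" signature).
    // NOTE(review): presumably this rule is what lets those deprecated algorithms through the
    // BouncyCastle provider during the test; confirm against the rule's implementation.
    @Rule
    public TestRule enableDeprecatedBCAlgorithmsRule = EnableDeprecatedBouncyCastleAlgorithmsRule.getInstance();

    /**
     * Builds a signed OCSP response that reports {@code status} for {@code subject}.
     *
     * @param subject the certificate whose serial number the response covers
     * @param issuer the certificate used for the responder id and for the CertificateID issuer
     * @param issuerKey the private key that signs the response
     * @param status the status to report for {@code subject}
     * @return the encoded-ready OCSP response with a successful response status
     * @throws Exception if the BouncyCastle builders or the signer fail
     */
    private OCSPResp generateOCSPResponse(X509Certificate subject, X509Certificate issuer, PrivateKey issuerKey, CertificateStatus status) throws Exception {
        JcaX509CertificateHolder issuerHolder = new JcaX509CertificateHolder(issuer);
        BcDigestCalculatorProvider digests = new BcDigestCalculatorProvider();

        // The responder is identified by the issuer's public key.
        SubjectPublicKeyInfo responderKey = SubjectPublicKeyInfo.getInstance(issuer.getPublicKey().getEncoded());
        BasicOCSPRespBuilder basicBuilder = new BasicOCSPRespBuilder(responderKey, digests.get(CertificateID.HASH_SHA1));

        CertificateID subjectId = new CertificateID(digests.get(CertificateID.HASH_SHA1), issuerHolder, subject.getSerialNumber());
        basicBuilder.addResponse(subjectId, status);

        // No certificate chain is embedded in the response (null); producedAt is "now".
        return new OCSPRespBuilder().build(
                OCSPRespBuilder.SUCCESSFUL,
                basicBuilder.build(new JcaContentSignerBuilder("SHA1withRSA").build(issuerKey), null, new Date()));
    }

    /**
     * Validates the server chain with an OCSP response carrying {@code certificateStatus} and
     * checks that validation succeeds or fails as expected.
     *
     * @param certificateStatus the status placed in the OCSP response for the server certificate
     * @param expectSuccess {@code true} if validation must succeed, {@code false} if it must
     *     throw {@link CertPathValidatorException}
     * @throws Exception on any setup failure
     */
    private void runOCSPStapledTest(CertificateStatus certificateStatus, boolean expectSuccess) throws Exception {
        KeyStore.PrivateKeyEntry serverEntry = TestKeyStore.getServer().getPrivateKey("RSA", "RSA");
        KeyStore.PrivateKeyEntry intermediateEntry = TestKeyStore.getIntermediateCa().getPrivateKey("RSA", "RSA");
        KeyStore.PrivateKeyEntry rootEntry = TestKeyStore.getRootCa().getPrivateKey("RSA", "RSA");

        X509Certificate serverCert = (X509Certificate) serverEntry.getCertificate();
        X509Certificate intermediateCert = (X509Certificate) intermediateEntry.getCertificate();

        // The intermediate CA both issued the server certificate and signs the OCSP response.
        OCSPResp ocspResponse = generateOCSPResponse(serverCert, intermediateCert, intermediateEntry.getPrivateKey(), certificateStatus);

        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor((X509Certificate) rootEntry.getCertificate(), null));
        PKIXParameters params = new PKIXParameters(anchors);

        // Fresh parameters must not already carry a revocation checker; the test adds its own.
        for (PKIXCertPathChecker checker : params.getCertPathCheckers()) {
            assertFalse(checker instanceof PKIXRevocationChecker);
        }

        CertPathValidator validator = CertPathValidator.getInstance(CertPathBuilder1Test.defaultType);
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // Only the end-entity certificate is checked, so no response is needed for the intermediate.
        revocationChecker.setOptions(Collections.singleton(PKIXRevocationChecker.Option.ONLY_END_ENTITY));
        // The response is supplied locally, keyed by the certificate it covers.
        revocationChecker.setOcspResponses(Collections.singletonMap(serverCert, ocspResponse.getEncoded()));

        ArrayList<PKIXCertPathChecker> checkers = new ArrayList<>(params.getCertPathCheckers());
        checkers.add(revocationChecker);
        params.setCertPathCheckers(checkers);

        // Path order: end entity first, then its issuer; the root is the trust anchor.
        ArrayList<X509Certificate> chain = new ArrayList<>();
        chain.add(serverCert);
        chain.add(intermediateCert);

        try {
            validator.validate(CertificateFactory.getInstance("X.509").generateCertPath(chain), params);
            // Reaching this line means validation passed; that is only correct for a good status.
            assertTrue("should fail with failure OCSP status", expectSuccess);
        } catch (CertPathValidatorException e) {
            // NOTE(review): any CertPathValidatorException satisfies the negative case, so a
            // failure unrelated to revocation (bad signature, broken chain, rejected algorithm)
            // would also pass test_OCSP_EndEntity_KeyCompromise_Failure. Consider also asserting
            // e.getReason() == CertPathValidatorException.BasicReason.REVOKED once confirmed
            // that the provider under test reports that reason.
            assertFalse("should not fail with good OCSP status", expectSuccess);
        }
    }

    /** A response marking the server certificate as revoked must make validation fail. */
    public void test_OCSP_EndEntity_KeyCompromise_Failure() throws Exception {
        // Revocation time is one second in the past; reason code 1 is keyCompromise (RFC 5280).
        Date revokedAt = Date.from(Instant.now().minus(1L, ChronoUnit.SECONDS));
        runOCSPStapledTest(new RevokedStatus(revokedAt, 1), false);
    }

    /** A response marking the server certificate as good must let validation succeed. */
    public void test_OCSP_EndEntity_Good_Success() throws Exception {
        runOCSPStapledTest(CertificateStatus.GOOD, true);
    }
}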
