package iaik.pki.revocation;

import iaik.asn1.ObjectID;
import iaik.asn1.structures.AccessDescription;
import iaik.asn1.structures.AlgorithmID;
import iaik.asn1.structures.GeneralName;
import iaik.asn1.structures.Name;
import iaik.logging.TransactionId;
import iaik.pki.PKIException;
import iaik.pki.PKIFactory;
import iaik.pki.pathvalidation.ChainingModes;
import iaik.pki.pathvalidation.TrustResultImpl;
import iaik.pki.store.certinfo.CertInfoStore;
import iaik.pki.store.certinfo.CertInfoStoreException;
import iaik.pki.store.revocation.OCSPRevocationSource;
import iaik.pki.store.revocation.RevocationFactory;
import iaik.pki.store.revocation.RevocationInfo;
import iaik.pki.store.revocation.RevocationSource;
import iaik.pki.store.revocation.RevocationStoreException;
import iaik.pki.store.revocation.SupplementalRevocationSources;
import iaik.pki.utils.Constants;
import iaik.pki.utils.DBTypeParser;
import iaik.pki.utils.NameUtils;
import iaik.pki.utils.UtilsException;
import iaik.security.random.SecRandom;
import iaik.utils.CryptoUtils;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionException;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.AuthorityInfoAccess;
import iaik.x509.extensions.AuthorityKeyIdentifier;
import iaik.x509.extensions.ReasonCode;
import iaik.x509.extensions.ocsp.NoCheck;
import iaik.x509.ocsp.BasicOCSPResponse;
import iaik.x509.ocsp.CertID;
import iaik.x509.ocsp.CertStatus;
import iaik.x509.ocsp.OCSPException;
import iaik.x509.ocsp.OCSPRequest;
import iaik.x509.ocsp.ReqCert;
import iaik.x509.ocsp.Request;
import iaik.x509.ocsp.ResponderID;
import iaik.x509.ocsp.RevokedInfo;
import iaik.x509.ocsp.SingleResponse;
import iaik.x509.ocsp.extensions.commonpki.CertHash;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;

/* loaded from: input_file:BKULocal.war:WEB-INF/lib/iaik_pki-2.00-MOA-MOCCA.jar:iaik/pki/revocation/I.class */
class I extends B implements CertificateStatusChecker {
    /**
     * Builds the OCSP request entry for a certificate, with the hash algorithm given by name.
     *
     * <p>Resolves {@code str} to an {@link AlgorithmID} and delegates to the
     * {@code AlgorithmID} overload.
     *
     * @param x509Certificate  certificate whose status is requested
     * @param x509Certificate2 certificate whose public key goes into the CertID
     *                         (presumably the issuer certificate; confirm against callers)
     * @param str              name of the hash algorithm used for the CertID
     * @return the request entry identifying {@code x509Certificate}
     * @throws NullPointerException    if {@code str} is {@code null}
     * @throws StatusCheckingException if no algorithm id is known for {@code str}, or the
     *                                 request entry cannot be built
     */
    protected ReqCert A(X509Certificate x509Certificate, X509Certificate x509Certificate2, String str) throws StatusCheckingException {
        if (str == null) {
            throw new NullPointerException("OCSP hash algorithm must not be null");
        }
        final AlgorithmID hashAlgorithm = AlgorithmID.getAlgorithmID(str);
        if (hashAlgorithm != null) {
            return A(x509Certificate, x509Certificate2, hashAlgorithm);
        }
        // An unknown algorithm name is reported as a checked error, not silently replaced by a default.
        final String errorLocation = getClass().getName() + ":0";
        throw new StatusCheckingException("Cannot get an algorithm id for hash algorithm: " + str, null, errorLocation);
    }

    /**
     * Builds the OCSP request entry for a certificate using the given hash algorithm.
     *
     * <p>The CertID is assembled from the issuer DN and serial number of
     * {@code x509Certificate} and the public key of {@code x509Certificate2}.
     *
     * @param x509Certificate  certificate whose status is requested
     * @param x509Certificate2 certificate supplying the public key for the CertID
     * @param algorithmID      hash algorithm for the CertID
     * @return the request entry wrapping the CertID
     * @throws NullPointerException    if {@code algorithmID} is {@code null}
     * @throws StatusCheckingException if anything fails while the CertID is assembled
     *                                 (including a {@code null} certificate argument)
     */
    protected ReqCert A(X509Certificate x509Certificate, X509Certificate x509Certificate2, AlgorithmID algorithmID) throws StatusCheckingException {
        if (algorithmID == null) {
            throw new NullPointerException("OCSP hash algorithm must not be null");
        }
        try {
            final Name issuerName = (Name) x509Certificate.getIssuerDN();
            final PublicKey issuerKey = x509Certificate2.getPublicKey();
            final CertID certId = new CertID(algorithmID, issuerName, issuerKey, x509Certificate.getSerialNumber());
            // The first constructor argument selects the ReqCert variant; 0 is used with a CertID here.
            return new ReqCert(0, certId);
        } catch (Exception e) {
            throw new StatusCheckingException("Error creating ocsp request", e, getClass().getName() + ":1");
        }
    }

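    /**
     * Translates the single response for {@code reqCert} inside a basic OCSP response into a
     * status object.
     *
     * <p>A response (or single response) carrying an unsupported critical extension yields an
     * "unknown" status with reason
     * {@code UNKNOWN_REASON_UNSUPPORTED_CRITICAL_EXTENSION}; its certificate status is not
     * evaluated, because a critical extension that is not understood may change the meaning of
     * the answer.
     *
     * <p>This method does not verify the response signature or the responder's trust; callers
     * must establish that before relying on the returned status.
     *
     * @param reqCert           request entry identifying the certificate
     * @param basicOCSPResponse response to read the status from
     * @param date              point in time the status is evaluated for
     * @param transactionId     id used for logging
     * @return the derived status; an "unknown" status if the single response cannot be extracted
     *         or carries an unexpected status code
     */
    protected E A(ReqCert reqCert, BasicOCSPResponse basicOCSPResponse, Date date, TransactionId transactionId) {
        if (basicOCSPResponse.hasUnsupportedCriticalExtension()) {
            A.info(transactionId, "BasicOCSPResponse contains unsupported critical extensions.", null);
            // Fail closed: the status must not be taken from a response we do not fully understand.
            return new H(date, RevocationStatusUnknown.UNKNOWN_REASON_UNSUPPORTED_CRITICAL_EXTENSION);
        }
        E h;
        try {
            SingleResponse singleResponse = basicOCSPResponse.getSingleResponse(reqCert);
            if (singleResponse.hasUnsupportedCriticalExtension()) {
                A.info(transactionId, "SingleResponse contains unsupported critical extensions.", null);
                return new H(date, RevocationStatusUnknown.UNKNOWN_REASON_UNSUPPORTED_CRITICAL_EXTENSION);
            }
            CertStatus certStatus = singleResponse.getCertStatus();
            switch (certStatus.getCertStatus()) {
                case 0:
                    // Status code 0: the non-revoked status object is created.
                    h = new L(date);
                    break;
                case 1:
                    RevokedInfo revokedInfo = certStatus.getRevokedInfo();
                    Date revocationTime = revokedInfo.getRevocationTime();
                    ReasonCode revocationReason = revokedInfo.getRevocationReason();
                    if (revocationTime.after(date)) {
                        // Revoked only after the date of interest: treated as not revoked at that date.
                        String str = "no reason code included";
                        if (revocationReason != null) {
                            int reasonCode = revocationReason.getReasonCode();
                            // Valid indices are 0 .. length-1; the reason code comes from the response.
                            str = (reasonCode < 0 || reasonCode >= RevocationStatusRevoked.ALL_ARRAY.length) ? "unexpected reason code " + reasonCode : RevocationStatusRevoked.ALL_ARRAY[reasonCode];
                        }
                        A.info(transactionId, "Certificate revoked at " + revocationTime + " (reason: " + str + "), but valid at " + date, null);
                        h = new L(date);
                    } else if (revocationReason != null) {
                        h = new K(date, revocationReason.getReasonCode(), revocationTime);
                    } else {
                        // No reason code in the response: reason 0 is recorded and the case is logged.
                        h = new K(date, 0, revocationTime);
                        A.error(transactionId, "Got invalid revocation information for " + reqCert + "!", null);
                    }
                    break;
                case 2:
                    String unknownInfo = certStatus.getUnknownInfo().toString();
                    // Only reasons from the known set are passed on; anything else becomes "unspecified".
                    if (!RevocationStatusUnknown.ALL.contains(unknownInfo)) {
                        unknownInfo = RevocationStatusUnknown.UNKNOWN_REASON_UNSPECIFIED;
                    }
                    h = new H(date, unknownInfo);
                    break;
                default:
                    A.error(transactionId, "Got invalid ocsp satus code : " + certStatus.getCertStatus() + " for:" + reqCert, null);
                    h = new H(date, RevocationStatus.UNKNOWN);
                    break;
            }
        } catch (OCSPException e) {
            A.error(transactionId, "Cannot extract single response from ocsp response", e);
            h = new H(date, RevocationStatus.UNKNOWN);
        }
        return h;
    }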

    /**
     * Determines the revocation status of a certificate via OCSP.
     *
     * <p>The certificate must be valid at {@code date}; the actual lookup is delegated to the
     * internal status method. A {@link RevocationStoreException} from the lookup is mapped to an
     * "unknown" status with reason {@code UNKNOWN_REASON_SERVICE_UNAVAILABLE}.
     *
     * <p>The parameters {@code z} and {@code publicKey} are not read by this implementation.
     *
     * <p>NOTE(review): the outer {@code catch (Exception)} also encloses the lookup, so any other
     * failure of the lookup is logged as "provided certificate not valid" and rethrown as
     * "Certificate must be valid". That wording can mislead incident analysis; confirm against
     * the original (non-decompiled) source whether the lookup was meant to sit outside the try.
     *
     * @throws NullPointerException    if the trust profile, certificate, date or revocation
     *                                 profile is {@code null}
     * @throws StatusCheckingException if the checker is not configured, or anything inside the
     *                                 validity check or lookup fails
     */
    @Override // iaik.pki.revocation.CertificateStatusChecker
    public RevocationStatus getCertificateStatus(X509Certificate x509Certificate, boolean z, X509Certificate x509Certificate2, PublicKey publicKey, Date date, String str, SupplementalRevocationSources supplementalRevocationSources, RevocationTrustProfile revocationTrustProfile, RevocationProfile revocationProfile, TransactionId transactionId) throws X509ExtensionException, StatusCheckingException {
        A.debug(transactionId, "Entering OCSPCertificateStatusChecker.", null);
        if (this.C == null) {
            throw new StatusCheckingException("Status checking not yet configured", null, getClass().getName() + ":10");
        }
        // Argument checks, in the order callers may observe them.
        if (revocationTrustProfile == null) {
            throw new NullPointerException("Trust profile mustn't be null");
        }
        if (x509Certificate == null) {
            throw new NullPointerException("Argument \"certificate\" must not be null.");
        }
        if (date == null) {
            throw new NullPointerException("Argument \"concernedDate\" must not be null.");
        }
        if (revocationProfile == null) {
            throw new NullPointerException("Profile mustn't be null");
        }
        try {
            x509Certificate.checkValidity(date);
            try {
                return A(date, str, x509Certificate, x509Certificate2, supplementalRevocationSources, revocationTrustProfile, revocationProfile, transactionId);
            } catch (RevocationStoreException storeFailure) {
                A.info(transactionId, "Can't get OCSP revocation info ", storeFailure);
                return new H(date, RevocationStatusUnknown.UNKNOWN_REASON_SERVICE_UNAVAILABLE);
            }
        } catch (Exception failure) {
            A.error(transactionId, "provided certificate not valid at " + date, failure);
            throw new StatusCheckingException("Certificate must be valid", failure, getClass().getName() + ":11");
        }
    }

    /**
     * Collects OCSP sources for a certificate, queries them in turn and returns the resulting status.
     *
     * <p>Sources are taken, in this order of preference, from: a matching supplemental OCSP
     * source, the alternative distribution points configured in {@code this.C}, and the OCSP
     * entries of the certificate's AuthorityInfoAccess extension. For every source the responder
     * trust is evaluated before the status in the response is used.
     *
     * <p>A REVOKED answer from a trusted responder is returned immediately. Otherwise the first
     * trusted answer is remembered and a later VALID answer replaces it. If no trusted answer is
     * obtained, the most recent "unknown" status is returned.
     *
     * <p>NOTE(review): responder URLs read from the AuthorityInfoAccess extension originate from
     * the certificate under validation, i.e. from input that is not yet trusted. They are passed
     * to {@code this.D.getRevocationSource}, which presumably contacts them — confirm that
     * outbound requests are restricted (scheme, destination) where that matters.
     *
     * @param date                          point in time the status is evaluated for
     * @param str                           chaining mode, passed on to the responder trust check
     * @param x509Certificate               certificate whose status is requested
     * @param x509Certificate2              certificate supplying the key for the CertID
     * @param supplementalRevocationSources optional supplemental sources; may be {@code null}
     * @param revocationTrustProfile        profile used to decide responder trust
     * @param revocationProfile             profile supplying hash algorithm and maximum age
     * @param transactionId                 id used for logging
     * @return the status derived from the responses, or an "unknown" status
     * @throws StatusCheckingException if supplemental-only mode is requested without any
     *                                 supplemental OCSP source, or an internal check fails
     */
    protected E A(Date date, String str, X509Certificate x509Certificate, X509Certificate x509Certificate2, SupplementalRevocationSources supplementalRevocationSources, RevocationTrustProfile revocationTrustProfile, RevocationProfile revocationProfile, TransactionId transactionId) throws StatusCheckingException, RevocationStoreException, X509ExtensionInitException {
        ReqCert reqCert = null;
        Hashtable<CertID, OCSPRevocationSource> hashtable = null;
        // z: true when only supplemental revocation sources may be used.
        boolean z = false;
        if (supplementalRevocationSources != null) {
            z = supplementalRevocationSources.useSupplementalRevocationSourcesOnly();
            hashtable = supplementalRevocationSources.getOcspRevocationSources();
        }
        OCSPRevocationSource oCSPRevocationSource = null;
        if (hashtable == null) {
            if (z) {
                throw new StatusCheckingException("Should use supplemental revocation sources only, but no supplemental OCSP revocation sources available", null, ":6");
            }
        } else if (!hashtable.isEmpty()) {
            // Look up a supplemental source by CertID. The CertID depends on the hash algorithm,
            // so every configured algorithm is tried until one yields a hit.
            Set<AlgorithmID> ocspRequestHashAlgorithms = supplementalRevocationSources.getOcspRequestHashAlgorithms();
            if (ocspRequestHashAlgorithms != null) {
                Iterator<AlgorithmID> it = ocspRequestHashAlgorithms.iterator();
                while (it.hasNext()) {
                    reqCert = A(x509Certificate, x509Certificate2, it.next());
                    oCSPRevocationSource = hashtable.get(reqCert.getReqCert());
                    if (oCSPRevocationSource != null) {
                        break;
                    }
                }
            } else {
                reqCert = A(x509Certificate, x509Certificate2, revocationProfile.getOCSPRequestHashAlgorithm());
                oCSPRevocationSource = hashtable.get(reqCert.getReqCert());
            }
            if (oCSPRevocationSource != null) {
                A.debug(transactionId, "Found supplemental revocation source.", null);
            }
            if (oCSPRevocationSource == null && z) {
                A.warn(transactionId, "Should use supplemental revocation data only, but cannot get OCSP response from supplemental revocation data", null);
                return new H(date, RevocationStatusUnknown.UNKNOWN_REASON_NO_SERVICE_CONFIGURED);
            }
        } else if (z) {
            throw new StatusCheckingException("Should use supplemental revocation sources only, but no supplemental OCSP revocation sources available", null, ":7");
        }
        // vector: the list of responder URIs to query (raw Vector holding Strings).
        Vector vector = new Vector(1);
        if (z) {
            // Supplemental-only mode: a placeholder URI stands in for the supplemental source.
            vector.add(Constants.DUMMY_URI);
        }
        // e: best answer from a trusted responder so far; h: fallback "unknown" status.
        E e = null;
        H h = new H(date, RevocationStatusUnknown.UNKNOWN_REASON_NO_SERVICE_CONFIGURED);
        // z2: true when the URIs come from configured alternative distribution points.
        boolean z2 = false;
        if (!z) {
            Set<DistributionPoint> alternativeDistributionPoints = this.C.getAlternativeDistributionPoints(x509Certificate, x509Certificate2, date);
            if (alternativeDistributionPoints == null) {
                alternativeDistributionPoints = Collections.emptySet();
            }
            if (alternativeDistributionPoints.isEmpty()) {
                // No configured alternative: fall back to the OCSP entries of the certificate's
                // AuthorityInfoAccess extension. These URLs are taken from the certificate itself.
                AuthorityInfoAccess authorityInfoAccess = (AuthorityInfoAccess) x509Certificate.getExtension(AuthorityInfoAccess.oid);
                if (authorityInfoAccess != null) {
                    Enumeration accessDescriptions = authorityInfoAccess.getAccessDescriptions();
                    while (accessDescriptions.hasMoreElements()) {
                        AccessDescription accessDescription = (AccessDescription) accessDescriptions.nextElement();
                        if (accessDescription.getAccessMethod().equals(ObjectID.ocsp)) {
                            GeneralName accessLocation = accessDescription.getAccessLocation();
                            // GeneralName type 6 is uniformResourceIdentifier (RFC 5280); other
                            // location types are skipped.
                            if (accessLocation.getType() == 6) {
                                vector.add((String) accessLocation.getName());
                                A.debug(transactionId, "Found OCSP URL: " + ((String) accessLocation.getName()), null);
                            }
                        }
                    }
                }
            } else {
                z2 = true;
                for (DistributionPoint distributionPoint : alternativeDistributionPoints) {
                    if (RevocationSourceTypes.OCSP.equals(distributionPoint.getType())) {
                        String uri = distributionPoint.getUri();
                        vector.add(uri);
                        A.debug(transactionId, "Found alternative OCSP url: " + uri, null);
                    }
                }
            }
            // A supplemental source without any URL is still evaluated, under the placeholder URI.
            if (vector.isEmpty() && oCSPRevocationSource != null) {
                vector.add(Constants.DUMMY_URI);
            }
        }
        // i: index of the URI currently processed.
        int i = 0;
        if (vector.size() != 0) {
            // vector2: the OCSP request(s) handed to the revocation source lookup.
            Vector vector2 = new Vector();
            // z3: true once a nonce has been added to the request.
            boolean z3 = false;
            // bArr: the nonce value as sent, 2 header bytes followed by 16 random bytes.
            byte[] bArr = new byte[18];
            if (!z) {
                if (reqCert == null) {
                    reqCert = A(x509Certificate, x509Certificate2, revocationProfile.getOCSPRequestHashAlgorithm());
                }
                Request request = new Request(reqCert);
                OCSPRequest oCSPRequest = new OCSPRequest();
                byte[] bArr2 = new byte[16];
                SecRandom.getDefault().nextBytes(bArr2);
                // 4 and 16 presumably are the DER tag (OCTET STRING) and length prefixed to the
                // random bytes — TODO confirm against the expected encoding of the nonce extension.
                bArr[0] = 4;
                bArr[1] = 16;
                System.arraycopy(bArr2, 0, bArr, 2, bArr2.length);
                try {
                    oCSPRequest.setNonce(bArr);
                    z3 = true;
                } catch (X509ExtensionException e2) {
                    // The request is still sent, without a nonce.
                    A.warn(transactionId, "Could not add nonce to OCSP request", e2);
                }
                oCSPRequest.setRequestList(new Request[]{request});
                vector2.add(oCSPRequest);
            }
            Iterator it2 = vector.iterator();
            while (it2.hasNext()) {
                String str2 = (String) it2.next();
                long maxRevocationAge = revocationProfile.getMaxRevocationAge(str2);
                if (i != 0) {
                    // Only the first URI is combined with the supplemental source.
                    oCSPRevocationSource = null;
                    z = false;
                } else if (oCSPRevocationSource != null) {
                    oCSPRevocationSource.setUri(str2);
                }
                RevocationSource revocationSource = this.D.getRevocationSource(str2, RevocationSourceTypes.OCSP, date, maxRevocationAge, x509Certificate, oCSPRevocationSource, z, new ArrayList(vector2), transactionId);
                if (revocationSource == null) {
                    A.debug(transactionId, "Cannot get revocation information from \"" + str2 + "\".", null);
                    h = new H(date, RevocationStatusUnknown.UNKNOWN_REASON_SERVICE_UNAVAILABLE);
                } else {
                    if (!revocationSource.getType().equals(RevocationSourceTypes.OCSP)) {
                        A.error(transactionId, "Internal error, got wrong revocation source type", null);
                        throw new StatusCheckingException("Internal error, got wrong revocation source type", null, getClass().getName() + ":5");
                    }
                    OCSPRevocationSource oCSPRevocationSource2 = (OCSPRevocationSource) revocationSource;
                    if (z2) {
                        // Sources from alternative distribution points carry no download time.
                        oCSPRevocationSource2.setDownloadTime(null);
                    }
                    RevocationInfo createRevocationInfo = RevocationFactory.getInstance(transactionId).createRevocationInfo(x509Certificate, revocationSource);
                    // Positive-responder check (CertHash) first, then responder trust, and only
                    // then is the status in the response interpreted.
                    if (A(x509Certificate, oCSPRevocationSource2.getSingleResponse(), str2, transactionId)) {
                        // NOTE(review): the local TrustResult named A hides the logger A that the
                        // following lines call debug()/isDebugEnabled()/warn() on. This looks like
                        // a naming collision introduced by obfuscation/decompilation — TODO confirm
                        // against the original source.
                        TrustResult A = A(reqCert, oCSPRevocationSource2, revocationTrustProfile, date, str, bArr, z3, supplementalRevocationSources, transactionId);
                        if (A.isCertificateTrusted()) {
                            A.debug(transactionId, "OCSP responder is trusted.", null);
                            E A2 = A(reqCert, oCSPRevocationSource2.getBasicResponse(), date, transactionId);
                            String statusCode = A2.getStatusCode();
                            if (A.isDebugEnabled()) {
                                A.debug(transactionId, str2.equals(Constants.DUMMY_URI) ? "Responder returned " + statusCode + "." : "Responder at \"" + str2 + "\" returned " + statusCode + ".", null);
                            }
                            // REVOKED from a trusted responder ends the search at once.
                            if (statusCode.equals(RevocationStatus.REVOKED)) {
                                A2.A(A.getRevocationInfoList());
                                A2.A(createRevocationInfo);
                                return A2;
                            }
                            // Otherwise keep the first trusted answer; a VALID answer replaces an
                            // earlier non-VALID one.
                            if (e == null) {
                                e = A2;
                                A2.A(A.getRevocationInfoList());
                                e.A(createRevocationInfo);
                            } else if (statusCode.equals(RevocationStatus.VALID)) {
                                e = A2;
                                A2.A(A.getRevocationInfoList());
                                e.A(createRevocationInfo);
                            }
                        } else {
                            // An untrusted response never contributes a status other than "unknown".
                            A.warn(transactionId, "OCSP response not trusted thus setting revocation status to unknown", null);
                            h = new H(date, RevocationStatusUnknown.UNKNOWN_REASON_UNSPECIFIED);
                            h.A(A.getRevocationInfoList());
                            h.A(createRevocationInfo);
                        }
                    } else {
                        A.debug(transactionId, "Positive OCSP responder does not know the target certificate.", null);
                        h = new H(date, RevocationStatusUnknown.UNKNOWN_REASON_POSITIVE_OCSP_RESPONDER);
                    }
                }
                // Supplemental-only mode evaluates exactly one source.
                if (z) {
                    return e != null ? e : h;
                }
                i++;
            }
        } else {
            A.debug(transactionId, "Neither supplemental OCSP data nor any OCSP responder URL available.", null);
        }
        return e != null ? e : h;
    }

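    /**
     * Selects, from the certificates embedded in an OCSP response, the candidates for the
     * responder certificate.
     *
     * <p>Matching is attempted in three steps, each only if the previous one found nothing:
     * {@code ResponderID.isResponderIdFor}, equality of the responder name with the subject DN
     * string, and equality of the normalized names.
     *
     * <p>When {@code z} is {@code true} and the certificate info store is writeable, every
     * embedded certificate is also handed to the store.
     *
     * <p>NOTE(review): the store step runs for every certificate in the response, whether or not
     * it matches the responder id, and before any trust decision has been made. The certificates
     * are attacker-supplied at this point; confirm that the store treats them as untrusted
     * candidates only.
     *
     * @param x509CertificateArr certificates included in the OCSP response
     * @param responderID        responder id of the response
     * @param z                  whether embedded certificates may be written to the store
     * @param transactionId      id used for logging
     * @return the matching certificates, possibly empty; never {@code null}
     */
    protected List<X509Certificate> A(X509Certificate[] x509CertificateArr, ResponderID responderID, boolean z, TransactionId transactionId) {
        CertInfoStore certInfoStore = null;
        boolean storeWriteable = false;
        if (z) {
            try {
                certInfoStore = PKIFactory.getInstance().getCertInfoStore();
                storeWriteable = certInfoStore.hasWriteableCertStore(transactionId);
            } catch (PKIException e) {
                // Storing is best effort; candidate selection continues without the store.
                A.debug(transactionId, "Cannot access certificate info store, embedded OCSP certificates are not stored", e);
            }
        }
        Vector<X509Certificate> candidates = new Vector<X509Certificate>();
        if (x509CertificateArr.length != 0) {
            for (X509Certificate x509Certificate : x509CertificateArr) {
                try {
                    if (responderID.isResponderIdFor(x509Certificate)) {
                        candidates.add(x509Certificate);
                    }
                    if (storeWriteable) {
                        try {
                            certInfoStore.createCertInfo(x509Certificate, true, transactionId);
                        } catch (CertInfoStoreException e2) {
                            A.debug(transactionId, "Cannot store certificate included in OCSP response", e2);
                        }
                    }
                } catch (NoSuchAlgorithmException e3) {
                    // The certificate can neither be matched nor stored; it is skipped.
                    A.debug(transactionId, "Cannot match responder id against certificate included in OCSP response", e3);
                }
            }
            if (candidates.isEmpty()) {
                Name name = responderID.getName();
                // A responder id may carry no name (presumably when it is given by key hash);
                // the name-based fallbacks are skipped then instead of failing on null.
                if (name != null) {
                    String name2 = name.getName();
                    for (int i = 0; i < x509CertificateArr.length; i++) {
                        if (name2.equals(((Name) x509CertificateArr[i].getSubjectDN()).getName())) {
                            candidates.add(x509CertificateArr[i]);
                        }
                    }
                    if (candidates.isEmpty()) {
                        try {
                            String normalizedName = NameUtils.getNormalizedName(name);
                            for (int i2 = 0; i2 < x509CertificateArr.length; i2++) {
                                if (normalizedName.equals(NameUtils.getNormalizedName((Name) x509CertificateArr[i2].getSubjectDN()))) {
                                    candidates.add(x509CertificateArr[i2]);
                                }
                            }
                        } catch (UtilsException e4) {
                            A.debug(transactionId, "Cannot normalize names for responder certificate matching", e4);
                        }
                    }
                }
            }
        }
        return candidates;
    }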

    /**
     * Asks the trust profile about each candidate responder certificate until one is trusted.
     *
     * <p>The first trusted candidate is recorded as issuer of {@code oCSPRevocationSource}.
     *
     * @param list                          candidate responder certificates, tried in order
     * @param oCSPRevocationSource          source that receives the trusted issuer
     * @param revocationTrustProfile        profile deciding whether a candidate is trusted
     * @param date                          point in time used for the trust decision
     * @param supplementalRevocationSources supplemental sources passed on to the profile
     * @param transactionId                 id used for logging
     * @return the result for the trusted candidate; otherwise the result of the last candidate
     *         tried, or an untrusted result if {@code list} is empty
     */
    protected TrustResult A(List<X509Certificate> list, OCSPRevocationSource oCSPRevocationSource, RevocationTrustProfile revocationTrustProfile, Date date, SupplementalRevocationSources supplementalRevocationSources, TransactionId transactionId) {
        // Default when there is no candidate at all: not trusted.
        TrustResult outcome = new TrustResultImpl(false, null);
        for (X509Certificate candidate : list) {
            // The second-to-last argument tells the profile whether the candidate carries "NoCheck".
            outcome = revocationTrustProfile.isIssuerTrustedOCSPResponder(candidate, date, supplementalRevocationSources, A(candidate, transactionId), transactionId);
            if (outcome.isCertificateTrusted()) {
                oCSPRevocationSource.setIssuer(candidate);
                break;
            }
        }
        return outcome;
    }

    /**
     * Reports whether a responder certificate carries the OCSP "NoCheck" extension.
     *
     * @param x509Certificate responder certificate; may be {@code null}
     * @param transactionId   id used for logging
     * @return {@code true} if the extension is present; {@code false} if it is absent, the
     *         certificate is {@code null}, or the extension cannot be initialized
     */
    protected boolean A(X509Certificate x509Certificate, TransactionId transactionId) {
        if (x509Certificate == null) {
            return false;
        }
        try {
            if (x509Certificate.getExtension(NoCheck.oid) == null) {
                return false;
            }
            A.info(transactionId, "\"NoCheck\" extension included in OCSP reponder certificate.", null);
            return true;
        } catch (X509ExtensionInitException e) {
            // An unreadable extension counts as "not present", so the caller is told there is no NoCheck.
            A.debug(transactionId, "Unable to check if \"NoCheck\" extension is included in OCSP responder certificate", null);
            return false;
        }
    }

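    /**
     * Decides whether the responder that issued an OCSP response is trusted.
     *
     * <p>Steps: compare the nonce (for non-supplemental sources), choose the date for the trust
     * decision according to the chaining mode, then evaluate the responder certificate. The
     * responder certificate is taken from the source's issuer if already set, else from the
     * certificates embedded in the response, else from the trust profile's store lookup.
     *
     * <p>NOTE(review): a missing or mismatching nonce is only logged and has no influence on the
     * returned result, so the nonce gives no replay protection here. Freshness then rests on the
     * maximum-age handling elsewhere — confirm that this is the intended policy.
     *
     * @param reqCert                       request entry of the certificate being checked
     * @param oCSPRevocationSource          source holding the response; must not be {@code null}
     * @param revocationTrustProfile        profile deciding responder trust
     * @param date                          date of interest; used when the source yields no date
     * @param str                           chaining mode ({@code PKIX_MODE} or {@code CHAIN_MODE})
     * @param bArr                          nonce value that was sent
     * @param z                             whether a nonce was added to the request
     * @param supplementalRevocationSources supplemental sources; may be {@code null}
     * @param transactionId                 id used for logging
     * @return the trust result for the responder
     * @throws NullPointerException    if the source or its basic response is {@code null}
     * @throws StatusCheckingException if the chaining mode is not supported
     */
    protected TrustResult A(ReqCert reqCert, OCSPRevocationSource oCSPRevocationSource, RevocationTrustProfile revocationTrustProfile, Date date, String str, byte[] bArr, boolean z, SupplementalRevocationSources supplementalRevocationSources, TransactionId transactionId) throws StatusCheckingException {
        if (oCSPRevocationSource == null) {
            throw new NullPointerException("OCSP Source must not be null");
        }
        BasicOCSPResponse basicResponse = oCSPRevocationSource.getBasicResponse();
        if (basicResponse == null) {
            throw new NullPointerException("OCSP basic response must not be null");
        }
        A.debug(transactionId, "Checking if OCSP responder is trusted", null);
        if (oCSPRevocationSource.isSupplemental()) {
            // Supplemental responses were not fetched now: no download time, no nonce to compare.
            oCSPRevocationSource.setDownloadTime(null);
        } else {
            try {
                byte[] nonce = basicResponse.getNonce();
                if (nonce != null) {
                    if (CryptoUtils.equalsBlock(bArr, nonce)) {
                        A.debug(transactionId, "Nonce check OK", null);
                    } else {
                        A.warn(transactionId, "Nonce value received from responder does not match sent nonce value", null);
                    }
                } else if (z) {
                    A.warn(transactionId, "Nonce not returned in server response", null);
                }
            } catch (X509ExtensionInitException e) {
                A.warn(transactionId, "Could not check nonce values", e);
            }
        }
        X509Certificate issuer = oCSPRevocationSource.getIssuer();
        // trustDate: the point in time at which the responder certificate must be trusted.
        Date trustDate;
        if (ChainingModes.PKIX_MODE.equalsIgnoreCase(str)) {
            trustDate = oCSPRevocationSource.getDownloadTime();
            if (A.isDebugEnabled()) {
                if (trustDate == null) {
                    A.debug(transactionId, "Chaining mode is \"" + str + "\", but no OCSP download time available. Using original date (" + date + ") for checking OCSP issuer trust.", null);
                } else {
                    A.debug(transactionId, "Chaining mode is \"" + str + "\", using OCSP download time (" + trustDate + ") for checking OCSP issuer trust.", null);
                }
            }
            if (trustDate == null) {
                trustDate = date;
            }
        } else {
            if (!ChainingModes.CHAIN_MODE.equalsIgnoreCase(str)) {
                String str2 = "Chaining mode " + str + " not supported.";
                A.error(transactionId, str2, null);
                throw new StatusCheckingException(str2, null, getClass().getName() + ":13");
            }
            // Chain mode: the date is read from the response (producedAt, else thisUpdate).
            trustDate = A(reqCert, basicResponse, "\"" + str + "\"", transactionId);
        }
        if (trustDate == null) {
            trustDate = date;
            if (A.isDebugEnabled()) {
                A.debug(transactionId, "No date information available from OCSP source, using original date (" + date + ") for checking OCSP issuer trust.", null);
            }
        }
        if (issuer != null) {
            return revocationTrustProfile.isIssuerTrustedOCSPResponder(issuer, trustDate, supplementalRevocationSources, A(issuer, transactionId), transactionId);
        }
        ResponderID responderID = basicResponse.getResponderID();
        if (basicResponse.containsCertificates()) {
            X509Certificate[] certificates = basicResponse.getCertificates();
            A.debug(transactionId, certificates.length + " ocsp issuer candidate(s) included in response", null);
            // Embedded certificates may be stored unless supplemental-only mode is active; a
            // missing supplemental configuration means that mode is off.
            boolean mayStoreCertificates = supplementalRevocationSources == null || !supplementalRevocationSources.useSupplementalRevocationSourcesOnly();
            List<X509Certificate> candidates = A(certificates, responderID, mayStoreCertificates, transactionId);
            if (candidates.size() > 0) {
                return A(candidates, oCSPRevocationSource, revocationTrustProfile, trustDate, supplementalRevocationSources, transactionId);
            }
        }
        A.debug(transactionId, "Trying to get ocsp issuer certificate from store", null);
        AuthorityKeyIdentifier authorityKeyIdentifier = null;
        try {
            authorityKeyIdentifier = (AuthorityKeyIdentifier) basicResponse.getExtension(AuthorityKeyIdentifier.oid);
        } catch (X509ExtensionInitException e2) {
            // The lookup continues without the key identifier.
            A.debug(transactionId, "Could not read AuthorityKeyIdentifier extension of OCSP response", e2);
        }
        X509Certificate[] issuerCertificate = responderID.byName() ? revocationTrustProfile.getIssuerCertificate(oCSPRevocationSource, trustDate, transactionId) : revocationTrustProfile.getIssuerCertificate(responderID.getKeyHash(), authorityKeyIdentifier, trustDate, transactionId);
        A.debug(transactionId, "Found " + issuerCertificate.length + " ocsp issuer candidate(s)", null);
        return A(Arrays.asList(issuerCertificate), oCSPRevocationSource, revocationTrustProfile, trustDate, supplementalRevocationSources, transactionId);
    }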

    /**
     * Picks the date from an OCSP response that is used for the responder trust decision.
     *
     * <p>Uses {@code producedAt}; if that is absent, the {@code thisUpdate} of the single response
     * for {@code reqCert}.
     *
     * <p>NOTE(review): both values are read from the response itself. Whether the response
     * signature has been verified before this point is not visible here — confirm, since the
     * value steers the date at which the responder certificate is evaluated.
     *
     * @param reqCert           request entry used to find the single response
     * @param basicOCSPResponse response to read the date from
     * @param str               chaining mode text, used in the log message only
     * @param transactionId     id used for logging
     * @return the chosen date, or {@code null} if neither value is available
     */
    private Date A(ReqCert reqCert, BasicOCSPResponse basicOCSPResponse, String str, TransactionId transactionId) {
        String fieldName = "producedAt";
        Date referenceDate = basicOCSPResponse.getProducedAt();
        if (referenceDate == null) {
            try {
                referenceDate = basicOCSPResponse.getSingleResponse(reqCert).getThisUpdate();
                fieldName = "thisUpdate";
            } catch (OCSPException ignored) {
                // No single response for this request: the date stays null and the caller falls back.
            }
        }
        A.debug(transactionId, "Chaining mode is " + str + ", using OCSP " + fieldName + " (" + referenceDate + ") for checking OCSP issuer trust.", null);
        return referenceDate;
    }

    /**
     * Applies the "positive responder" rule: a responder configured as positive must confirm the
     * target certificate with a matching CertHash extension.
     *
     * @param x509Certificate certificate whose status is requested
     * @param singleResponse  single response to inspect
     * @param str             URI of the responder
     * @param transactionId   id used for logging
     * @return {@code true} if the rule does not apply to this responder or the CertHash matches;
     *         {@code false} if the CertHash is missing or does not match
     * @throws StatusCheckingException if reading or evaluating the CertHash extension fails
     */
    private boolean A(X509Certificate x509Certificate, SingleResponse singleResponse, String str, TransactionId transactionId) throws StatusCheckingException {
        final Set<String> positiveResponders = this.C.getPositiveOCSPResponders();
        if (positiveResponders == null) {
            return true;
        }
        final boolean ruleApplies = positiveResponders.contains(RevocationConfiguration.POSITIVE_OCSP_ALL) || positiveResponders.contains(str);
        if (!ruleApplies) {
            return true;
        }
        try {
            final CertHash hashExtension = (CertHash) singleResponse.getExtension(CertHash.oid);
            if (hashExtension == null) {
                A.debug(transactionId, "Responder at uri \"" + str + "\" is configured as positive responder, but no CertHash included in response.", null);
                return false;
            }
            A.debug(transactionId, "CertHash included in OCSP response.", null);
            final boolean matches = hashExtension.identifiesCert(x509Certificate);
            if (!matches) {
                A.debug(transactionId, "CertHash does not match target certificate.", null);
                return false;
            }
            A.debug(transactionId, "CertHash matches target certificate.", null);
            return true;
        } catch (Exception e) {
            // Any failure while evaluating the extension is raised, never treated as a match.
            A.error(transactionId, "Error checking CertHash extension of OCSP response.", e);
            throw new StatusCheckingException("Error checking CertHash extension of OCSP response.", e, getClass().getName() + DBTypeParser.SEPARATOR);
        }
    }
}
