package io.netty.handler.ssl.ocsp;

import gf0.a;
import gf0.h;
import gf0.i;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.handler.ssl.ocsp.OcspResponse;
import io.netty.resolver.dns.DnsNameResolver;
import io.netty.resolver.dns.DnsNameResolverBuilder;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import io.netty.util.internal.ObjectUtil;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.cert.ocsp.OCSPException;

/* loaded from: classes6.dex */
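/**
 * Inbound handler that checks the revocation status of the peer's leaf certificate via OCSP
 * once the TLS handshake has completed.
 *
 * <p>Behaviour a deployer should be aware of, all visible in this class:
 * <ul>
 *   <li>The handshake completion event is forwarded <em>before</em> the OCSP query is started, and
 *       the handler removes itself from the pipeline without waiting for the answer. Downstream
 *       handlers that must not exchange application data with an unchecked peer should wait for
 *       the {@link OcspValidationEvent}.</li>
 *   <li>A failed query (for example an unreachable responder) is only reported through
 *       {@code exceptionCaught}; this class does not close the channel in that case, so the
 *       hard-fail / soft-fail decision is left to the handlers that follow.</li>
 *   <li>A response that is missing, or whose validity window does not cover the current time, is
 *       never reported as {@code VALID}.</li>
 * </ul>
 *
 * <p>The types {@code a}, {@code h} and {@code i} come from an obfuscated package; they presumably
 * correspond to BouncyCastle's basic OCSP response, revoked status and single response —
 * TODO confirm against the unobfuscated library.
 */
public class OcspServerCertificateValidator extends ChannelInboundHandlerAdapter {
    // Synthetic flag javac emits for classes that contain an assert statement; the assertion
    // itself is not present in this decompiled listing.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    private final boolean closeAndThrowIfNotValid;
    private final DnsNameResolver dnsNameResolver;
    private final IoTransport ioTransport;
    private final boolean validateNonce;

    /** Creates a validator with nonce validation disabled and the default transport. */
    public OcspServerCertificateValidator() {
        this(false);
    }

    /**
     * @param validateNonce passed through to {@code OcspClient.query} as its nonce-validation flag
     */
    public OcspServerCertificateValidator(boolean validateNonce) {
        this(validateNonce, IoTransport.DEFAULT);
    }

    /**
     * @param validateNonce passed through to {@code OcspClient.query} as its nonce-validation flag
     * @param ioTransport   transport used for the OCSP query and for the default DNS resolver
     */
    public OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport) {
        this(validateNonce, ioTransport, createDefaultResolver(ioTransport));
    }

    /**
     * Same as the five-argument constructor with {@code closeAndThrowIfNotValid} set to {@code true}.
     */
    public OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport,
                                          DnsNameResolver dnsNameResolver) {
        this(true, validateNonce, ioTransport, dnsNameResolver);
    }

    /**
     * @param closeAndThrowIfNotValid when {@code true}, a certificate whose status is not
     *                                {@code VALID}, or a response that cannot be accepted, closes
     *                                the channel in addition to firing an exception
     * @param validateNonce           passed through to {@code OcspClient.query}
     * @param ioTransport             must not be {@code null}
     * @param dnsNameResolver         must not be {@code null}
     */
    public OcspServerCertificateValidator(boolean closeAndThrowIfNotValid, boolean validateNonce,
                                          IoTransport ioTransport, DnsNameResolver dnsNameResolver) {
        this.closeAndThrowIfNotValid = closeAndThrowIfNotValid;
        this.validateNonce = validateNonce;
        this.ioTransport = (IoTransport) ObjectUtil.checkNotNull(ioTransport, "IoTransport");
        this.dnsNameResolver = (DnsNameResolver) ObjectUtil.checkNotNull(dnsNameResolver, "DnsNameResolver");
    }

    /** Builds a DNS resolver from the event loop and channel factories of the given transport. */
    protected static DnsNameResolver createDefaultResolver(IoTransport ioTransport) {
        return new DnsNameResolverBuilder()
                .eventLoop(ioTransport.eventLoop())
                .channelFactory(ioTransport.datagramChannel())
                .socketChannelFactory(ioTransport.socketChannel())
                .build();
    }

    /**
     * Closes the channel on any exception that reaches this handler. The cause is neither logged
     * nor forwarded here, so a handler placed earlier in the pipeline is needed if it should be
     * recorded.
     */
    @Override // io.netty.channel.ChannelInboundHandlerAdapter, io.netty.channel.ChannelHandlerAdapter, io.netty.channel.ChannelHandler, io.netty.channel.ChannelInboundHandler
    public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th2) {
        channelHandlerContext.channel().close();
    }

    /**
     * Starts the OCSP query when a successful {@link SslHandshakeCompletionEvent} arrives, then
     * removes this handler from the pipeline. Every event is forwarded unchanged first.
     *
     * @throws IllegalStateException if the peer chain has fewer than two certificates, because
     *                               the issuer certificate is needed to build the OCSP request
     */
    @Override // io.netty.channel.ChannelInboundHandlerAdapter, io.netty.channel.ChannelInboundHandler
    public void userEventTriggered(final ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        channelHandlerContext.fireUserEventTriggered(obj);
        if (!(obj instanceof SslHandshakeCompletionEvent)) {
            return;
        }
        if (((SslHandshakeCompletionEvent) obj).isSuccess()) {
            Certificate[] peerCertificates = ((SslHandler) channelHandlerContext.pipeline().get(SslHandler.class))
                    .engine().getSession().getPeerCertificates();
            // Index 1 is read below as the issuer. A peer that sends only its leaf certificate
            // would otherwise surface as a bare ArrayIndexOutOfBoundsException.
            if (peerCertificates == null || peerCertificates.length < 2) {
                throw new IllegalStateException(
                        "Peer certificate chain must contain the end-entity and the issuer certificate");
            }
            X509Certificate endEntity = (X509Certificate) peerCertificates[0];
            X509Certificate issuer = (X509Certificate) peerCertificates[1];
            OcspClient.query(endEntity, issuer, this.validateNonce, this.ioTransport, this.dnsNameResolver)
                    .addListener(new GenericFutureListener<Future<a>>() {
                        @Override // io.netty.util.concurrent.GenericFutureListener
                        public void operationComplete(Future<a> future) throws Exception {
                            handleQueryResult(channelHandlerContext, future);
                        }
                    });
        }
        // The handler leaves the pipeline immediately; the listener above keeps using the context
        // to reach the handlers that follow.
        channelHandlerContext.pipeline().remove(this);
    }

    /** Evaluates the completed OCSP query and reports the outcome to the following handlers. */
    private void handleQueryResult(ChannelHandlerContext ctx, Future<a> future) throws Exception {
        if (!future.isSuccess()) {
            // Query failure is reported only; the channel is left open (see class comment).
            ctx.fireExceptionCaught(future.cause());
            return;
        }

        i[] responses = future.get().b();
        // An exception escaping a listener is not routed through the pipeline, so an empty
        // response list must be rejected explicitly instead of failing on index 0.
        if (responses == null || responses.length == 0) {
            rejectResponse(ctx, new IllegalStateException("OCSP Response contains no certificate status"));
            return;
        }
        // NOTE(review): only the first entry is inspected; that it refers to the queried
        // certificate is presumably enforced inside OcspClient — confirm.
        i single = responses[0];

        Date thisUpdate = single.c();
        Date nextUpdate = single.b();
        Date now = new Date();
        // A response without both bounds cannot be shown to be fresh, so it is treated like an
        // expired one. NOTE(review): the accessors are presumed to be able to return null — confirm.
        boolean fresh = thisUpdate != null && nextUpdate != null
                && now.after(thisUpdate) && now.before(nextUpdate);
        if (!fresh) {
            // Stop here: a stale (possibly replayed) response must not go on to be reported as VALID.
            rejectResponse(ctx, new IllegalStateException("OCSP Response is out-of-date"));
            return;
        }

        Object certStatus = single.a();
        OcspResponse.Status status;
        if (certStatus == null) {
            // A null certificate status is mapped to VALID.
            status = OcspResponse.Status.VALID;
        } else if (certStatus instanceof h) {
            status = OcspResponse.Status.REVOKED;
        } else {
            status = OcspResponse.Status.UNKNOWN;
        }

        ctx.fireUserEventTriggered((Object) new OcspValidationEvent(new OcspResponse(status, thisUpdate, nextUpdate)));

        if (status != OcspResponse.Status.VALID && this.closeAndThrowIfNotValid) {
            ctx.channel().close();
            ctx.fireExceptionCaught((Throwable) new OCSPException("Certificate not valid. Status: " + status));
        }
    }

    /**
     * Reports a response that cannot be accepted: closes the channel when
     * {@code closeAndThrowIfNotValid} is set, then fires the cause to the following handlers.
     */
    private void rejectResponse(ChannelHandlerContext ctx, Throwable cause) {
        if (this.closeAndThrowIfNotValid) {
            ctx.channel().close();
        }
        ctx.fireExceptionCaught(cause);
    }
}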
