package eu.europa.ec.markt.dss.validation;

import eu.europa.ec.markt.dss.CertificateIdentifier;
import eu.europa.ec.markt.dss.DSSUtils;
import eu.europa.ec.markt.dss.validation.certificate.CertificateAndContext;
import eu.europa.ec.markt.dss.validation.certificate.CertificateSource;
import eu.europa.ec.markt.dss.validation.certificate.CertificateSourceType;
import eu.europa.ec.markt.dss.validation.certificate.CompositeCertificateSource;
import eu.europa.ec.markt.dss.validation.crl.CRLSource;
import eu.europa.ec.markt.dss.validation.crl.ListCRLSource;
import eu.europa.ec.markt.dss.validation.https.CommonsHttpDataLoader;
import eu.europa.ec.markt.dss.validation.ocsp.ListOCSPSource;
import eu.europa.ec.markt.dss.validation.ocsp.OCSPSource;
import eu.europa.ec.markt.dss.validation.tsl.ServiceInfo;
import eu.europa.ec.markt.dss.validation.x509.CRLToken;
import eu.europa.ec.markt.dss.validation.x509.CertificateToken;
import eu.europa.ec.markt.dss.validation.x509.OCSPRespToken;
import eu.europa.ec.markt.dss.validation.x509.RevocationData;
import eu.europa.ec.markt.dss.validation.x509.SignedToken;
import eu.europa.ec.markt.dss.validation.x509.TimestampToken;
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.OCSPException;
import org.bouncycastle.ocsp.SingleResp;

/* loaded from: input_file:applet/signature-client.jar:eu/europa/ec/markt/dss/validation/ValidationContext.class */
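/**
 * Working set of a single validation run: the signed tokens (certificates, CRLs, OCSP
 * responses, timestamps) that still have to be checked, plus the {@link RevocationData}
 * recorded for those already checked.
 *
 * <p>A token is <em>pending</em> while its entry in {@code revocationInfo} maps to {@code null}.
 * {@link #validate(Date, CertificateSource, CRLSource, OCSPSource)} takes pending tokens one at
 * a time, resolves the issuer and the revocation status, queues any issuer / CRL / OCSP token it
 * discovered on the way, and repeats until a pass neither adds nor verifies a token.
 *
 * <p>Not thread-safe: all state lives in plain, unsynchronized collections.
 */
public class ValidationContext {
    private static final Logger LOG = Logger.getLogger(ValidationContext.class.getName());
    /** Certificate this context was created for; may be null for an empty context. */
    private final X509Certificate certificate;
    /** Trust anchors (trusted-list entries); consulted first for every issuer lookup. */
    private CertificateSource trustedListCertificatesSource;
    /** "Online" OCSP source used when the per-call (offline) sources yield no status. */
    private OCSPSource ocspSource;
    /** "Online" CRL source used when the per-call (offline) sources yield no status. */
    private CRLSource crlSource;
    /** Reference time for validity and revocation checks. */
    private final Date _validationDate;
    /** OCSP responses found during validation, in discovery order (live list, see getter). */
    private final List<BasicOCSPResp> neededOCSPResp = new ArrayList<BasicOCSPResp>();
    /** CRLs found during validation, in discovery order (live list, see getter). */
    private final List<X509CRL> neededCRL = new ArrayList<X509CRL>();
    /** Certificates of the chain(s) found during validation, without duplicates by equals(). */
    private final List<CertificateAndContext> neededCertificates = new ArrayList<CertificateAndContext>();
    /** Token -> its revocation data; a null value means the token is still pending. */
    private final Map<SignedToken, RevocationData> revocationInfo = new HashMap<SignedToken, RevocationData>();

    /**
     * Creates a context for {@code x509Certificate} evaluated at {@code date}.
     * A non-null certificate is queued as the first pending token with source
     * {@link CertificateSourceType#OTHER}; a null certificate yields an empty context.
     *
     * @param x509Certificate certificate under validation, may be null
     * @param date reference time for validity and revocation checks
     */
    public ValidationContext(X509Certificate x509Certificate, Date date) {
        this.certificate = x509Certificate;
        this._validationDate = date;
        if (x509Certificate == null) {
            return;
        }
        if (LOG.isLoggable(Level.INFO)) {
            // Plain concatenation tolerates a null date where date.toString() would throw.
            LOG.info("+ New ValidationContext created for '" + CertificateIdentifier.getId(x509Certificate) + "' at " + date);
        }
        CertificateAndContext subject = new CertificateAndContext(x509Certificate);
        subject.setCertificateSource(CertificateSourceType.OTHER);
        addNotYetVerifiedToken(new CertificateToken(subject));
    }

    /** @return the certificate this context was created for, or null */
    public X509Certificate getCertificate() {
        return this.certificate;
    }

    /** @return the reference time passed to the constructor */
    public Date getValidationDate() {
        return this._validationDate;
    }

    /** @param certificateSource trust anchors (trusted-list entries) searched first for issuers */
    public void setTrustedListCertificatesSource(CertificateSource certificateSource) {
        this.trustedListCertificatesSource = certificateSource;
    }

    /** @param cRLSource fallback ("online") CRL source used when per-call sources give no status */
    public void setCrlSource(CRLSource cRLSource) {
        this.crlSource = cRLSource;
    }

    /** @param oCSPSource fallback ("online") OCSP source used when per-call sources give no status */
    public void setOcspSource(OCSPSource oCSPSource) {
        this.ocspSource = oCSPSource;
    }

    /**
     * Picks any token whose revocation data is still null.
     *
     * @return a pending token, or null when every token has been verified;
     *         iteration order of the backing HashMap decides which one
     */
    SignedToken getNotYetVerifiedToken() {
        for (Map.Entry<SignedToken, RevocationData> entry : this.revocationInfo.entrySet()) {
            if (entry.getValue() == null) {
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Finds the certificate that signed {@code signedToken}.
     *
     * <p>Candidates are looked up by the token's signer subject name in the trusted-list source
     * and then {@code certificateSource}; when none is found and the token is a certificate, its
     * AIA pointer is followed ({@link #getIssuerFromAIA}). The first candidate whose key verifies
     * the token's signature is returned.
     *
     * <p>Candidate validity at {@code date} and the trusted-list service status dates are
     * checked but only logged: an expired or not-yet-valid candidate is still returned when it
     * verifies the signature. Callers that need validity enforced must check it themselves.
     *
     * @param signedToken token whose issuer is wanted
     * @param certificateSource extra certificates to search, consulted after the trusted list
     * @param date reference time for the log-only validity checks; null skips them
     * @return the issuer with its context, or null when no candidate signs the token
     * @throws IOException propagated from the certificate source lookup
     */
    CertificateAndContext getIssuerCertificate(SignedToken signedToken, CertificateSource certificateSource, Date date) throws IOException {
        X500Principal signerName = signedToken.getSignerSubjectName();
        if (signerName == null) {
            return null;
        }
        CompositeCertificateSource lookup = new CompositeCertificateSource(this.trustedListCertificatesSource, certificateSource);
        List<CertificateAndContext> candidates = lookup.getCertificateBySubjectName(signerName);
        if (candidates == null || candidates.isEmpty()) {
            if (!(signedToken instanceof CertificateToken)) {
                return null;
            }
            CertificateAndContext fromAia = getIssuerFromAIA((CertificateToken) signedToken, signerName);
            if (fromAia == null) {
                return null;
            }
            // Fresh list: the source may have returned null or an unmodifiable empty list, and
            // adding into a list owned by the source would mutate the source's state.
            candidates = new ArrayList<CertificateAndContext>();
            candidates.add(fromAia);
        }
        for (CertificateAndContext candidate : candidates) {
            X509Certificate candidateCert = candidate.getCertificate();
            if (LOG.isLoggable(Level.INFO)) {
                // Result unused; kept because getId may register the certificate with the
                // identifier registry as a side effect - confirm before removing.
                CertificateIdentifier.getId(candidateCert);
            }
            if (date != null) {
                logValidityAt(candidate, candidateCert, date);
            }
            if (signedToken.isSignedBy(candidateCert)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Logs (INFO) whether {@code cert} is valid at {@code date} and, for a trusted-list entry
     * with a {@link ServiceInfo} context, whether the service status covers {@code date}.
     * Log-only: nothing is returned and the caller's decision is not affected.
     */
    private static void logValidityAt(CertificateAndContext candidate, X509Certificate cert, Date date) {
        try {
            cert.checkValidity(date);
        } catch (CertificateExpiredException e) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info(CertificateIdentifier.getIdAsString(cert) + " validity: expired");
            }
        } catch (CertificateNotYetValidException e) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info(CertificateIdentifier.getIdAsString(cert) + " validity: not yet valid");
            }
        }
        if (!CertificateSourceType.TRUSTED_LIST.equals(candidate.getCertificateSource()) || candidate.getContext() == null) {
            return;
        }
        ServiceInfo serviceInfo = (ServiceInfo) candidate.getContext();
        Date statusStart = serviceInfo.getStatusStartingDateAtReferenceTime();
        Date statusEnd = serviceInfo.getStatusEndingDateAtReferenceTime();
        if (statusStart != null && date.before(statusStart)) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("tsl validity: not yet valid");
            }
        } else if (statusEnd != null && date.after(statusEnd)) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("tsl validity: expired");
            }
        }
    }

    /**
     * Fetches the issuer of the token's certificate by following its AIA pointer with a
     * {@link CommonsHttpDataLoader}. The downloaded certificate is accepted only if it verifies
     * the token's signature, so an unrelated or tampered download is discarded; it is tagged
     * {@link CertificateSourceType#AIA} and carries no trusted-list context. Any failure
     * (network, parsing, signature) yields null - this is a best-effort fallback.
     *
     * @param certificateToken certificate whose issuer is sought
     * @param x500Principal expected issuer subject name; not used by the lookup itself
     * @return the fetched issuer, or null
     */
    private CertificateAndContext getIssuerFromAIA(CertificateToken certificateToken, X500Principal x500Principal) {
        try {
            X509Certificate fetched = DSSUtils.loadIssuerCertificate(certificateToken.getCertificate(), new CommonsHttpDataLoader());
            if (fetched == null || !certificateToken.isSignedBy(fetched)) {
                return null;
            }
            CertificateAndContext issuer = new CertificateAndContext(fetched);
            issuer.setCertificateSource(CertificateSourceType.AIA);
            return issuer;
        } catch (Exception e) {
            // Deliberately not raised: the AIA lookup is a fallback. Keep the cause for diagnosis.
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "AIA issuer lookup failed for " + certificateToken, e);
            }
            return null;
        }
    }

    /**
     * Queues {@code signedToken} for verification unless this context already knows it.
     * The token is registered with a null {@link RevocationData} (= pending) and its payload is
     * recorded in the matching "needed" list: CRL, OCSP response or certificate. A certificate
     * already present in {@code neededCertificates} (by {@code equals}) is not listed twice.
     *
     * @param signedToken token to queue; no-op when already a key of {@code revocationInfo}
     */
    void addNotYetVerifiedToken(SignedToken signedToken) {
        if (this.revocationInfo.containsKey(signedToken)) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("Token was already in list " + signedToken);
            }
            return;
        }
        this.revocationInfo.put(signedToken, null);
        if (signedToken instanceof CRLToken) {
            this.neededCRL.add(((CRLToken) signedToken).getX509crl());
        } else if (signedToken instanceof OCSPRespToken) {
            this.neededOCSPResp.add(((OCSPRespToken) signedToken).getOcspResp());
        } else if (signedToken instanceof CertificateToken) {
            CertificateAndContext certificateAndContext = ((CertificateToken) signedToken).getCertificateAndContext();
            if (containsCertificate(certificateAndContext.getCertificate())) {
                // The token stays pending; only the certificate list and the log line are skipped.
                return;
            }
            this.neededCertificates.add(certificateAndContext);
        }
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info("+ New " + signedToken.getClass().getSimpleName() + " to check: " + signedToken);
        }
    }

    /** @return true when a certificate equal to {@code candidate} is already in {@code neededCertificates} */
    private boolean containsCertificate(X509Certificate candidate) {
        for (CertificateAndContext known : this.neededCertificates) {
            if (known.getCertificate().equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Marks {@code signedToken} as verified by storing its revocation data.
     *
     * @param signedToken a token previously queued with {@link #addNotYetVerifiedToken}
     * @param revocationData result of the check, never null
     * @throws IllegalArgumentException when {@code revocationData} is null or the token is unknown
     */
    void validate(SignedToken signedToken, RevocationData revocationData) {
        if (revocationData == null) {
            throw new IllegalArgumentException("data cannot be null");
        }
        if (!this.revocationInfo.containsKey(signedToken)) {
            throw new IllegalArgumentException(signedToken + " must be a key of revocationInfo");
        }
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info("RevocationValidation: " + signedToken + ":\n" + revocationData.toString("\t"));
        }
        this.revocationInfo.put(signedToken, revocationData);
    }

    /**
     * Queues a timestamp token and runs the validation loop at the timestamp's generation time,
     * with the certificates embedded in the timestamp searched before {@code certificateSource}.
     *
     * @param timestampToken timestamp to verify
     * @param certificateSource additional certificates for issuer lookups
     * @param cRLSource per-call ("offline") CRL source, may be null
     * @param oCSPSource per-call ("offline") OCSP source, may be null
     * @throws IOException propagated from certificate source lookups
     */
    public void validateTimestamp(TimestampToken timestampToken, CertificateSource certificateSource, CRLSource cRLSource, OCSPSource oCSPSource) throws IOException {
        addNotYetVerifiedToken(timestampToken);
        validate(timestampToken.getTimeStamp().getTimeStampInfo().getGenTime(), new CompositeCertificateSource(timestampToken.getWrappedCertificateSource(), certificateSource), cRLSource, oCSPSource);
    }

    /**
     * Processes one pending token, then recurses while progress is being made.
     *
     * <p>For the chosen token the issuer is resolved and queued. A self-issued issuer is closed
     * with empty revocation data (chain end); an issuer from the trusted list is closed with
     * {@link CertificateSourceType#TRUSTED_LIST} data. A certificate token then gets its
     * revocation status (CRL/OCSP, see {@link #getRevocationData}); CRL, OCSP and timestamp
     * tokens are closed with the issuer as their data. The recursion stops when a pass neither
     * added a token nor verified one. The recursion depth equals the number of passes, so very
     * large token sets deepen the stack accordingly.
     *
     * @param date reference time for validity and revocation checks
     * @param certificateSource additional certificates for issuer lookups
     * @param cRLSource per-call ("offline") CRL source, may be null
     * @param oCSPSource per-call ("offline") OCSP source, may be null
     * @throws IOException propagated from certificate source lookups
     * @throws RuntimeException for a pending token of an unsupported type
     */
    public void validate(Date date, CertificateSource certificateSource, CRLSource cRLSource, OCSPSource oCSPSource) throws IOException {
        int tokensBefore = this.revocationInfo.size();
        int verifiedBefore = verifiedTokenCount();
        SignedToken token = getNotYetVerifiedToken();
        if (token == null) {
            return;
        }
        CertificateSource lookupSource = certificateSource;
        if (token.getWrappedCertificateSource() != null) {
            // Certificates carried inside the token itself are searched before the caller's source.
            lookupSource = new CompositeCertificateSource(token.getWrappedCertificateSource(), certificateSource);
        }
        CertificateAndContext issuer = getIssuerCertificate(token, lookupSource, date);
        RevocationData revocationData;
        if (issuer == null) {
            LOG.warning("No issuer found for token " + token);
            revocationData = new RevocationData(token);
        } else {
            addNotYetVerifiedToken(new CertificateToken(issuer));
            X509Certificate issuerCert = issuer.getCertificate();
            if (X500PrincipalMatcher.viaAny(issuerCert.getSubjectX500Principal(), issuerCert.getIssuerX500Principal())) {
                // Self-issued: nothing further up the chain to check. Self-issued does not mean
                // trusted; trust is only asserted by the TRUSTED_LIST source below.
                validate(new CertificateToken(issuer), new RevocationData());
            }
            if (issuer.getCertificateSource() == CertificateSourceType.TRUSTED_LIST) {
                // Trust anchor: closed without a revocation lookup.
                RevocationData anchorData = new RevocationData();
                anchorData.setRevocationData(CertificateSourceType.TRUSTED_LIST);
                validate(new CertificateToken(issuer), anchorData);
            }
            if (token instanceof CertificateToken) {
                revocationData = revocationDataForCertificate(token, ((CertificateToken) token).getCertificateAndContext(), issuer, date, cRLSource, oCSPSource);
            } else if (token instanceof CRLToken || token instanceof OCSPRespToken || token instanceof TimestampToken) {
                revocationData = new RevocationData(token);
                revocationData.setRevocationData(issuer);
            } else {
                throw new RuntimeException("Not supported token type " + token.getClass().getSimpleName());
            }
        }
        validate(token, revocationData);
        boolean progressed = this.revocationInfo.size() != tokensBefore || verifiedTokenCount() != verifiedBefore;
        if (progressed) {
            validate(date, lookupSource, cRLSource, oCSPSource);
        }
    }

    /**
     * Builds the revocation data for a pending certificate token.
     * An OCSP-signing certificate carrying id-pkix-ocsp-nocheck is not checked at all and is
     * recorded with {@link CertificateSourceType#TRUSTED_LIST} as its data. Otherwise the status
     * is fetched and, when it came from a CRL or an OCSP response, that artefact is queued as a
     * token so its own signature gets verified.
     *
     * @param token the pending token (static type kept as SignedToken for the RevocationData constructor)
     * @param subject the token's certificate and context
     * @param issuer the resolved issuer
     * @return revocation data for the token; has no status when none could be obtained
     */
    private RevocationData revocationDataForCertificate(SignedToken token, CertificateAndContext subject, CertificateAndContext issuer, Date date, CRLSource cRLSource, OCSPSource oCSPSource) {
        if (subject.isOCSPSigning() && subject.has_id_pkix_ocsp_nocheck_extension()) {
            LOG.info("Revocation check not needed. The certificate " + CertificateIdentifier.getIdAsString(subject.getCertificate()) + " has id_pkix_ocsp_nocheck extension.");
            RevocationData noCheck = new RevocationData();
            noCheck.setRevocationData(CertificateSourceType.TRUSTED_LIST);
            return noCheck;
        }
        CertificateStatus status = getRevocationData(subject, issuer, date, cRLSource, oCSPSource);
        RevocationData data = new RevocationData(token);
        if (status == null) {
            LOG.warning("No status for " + token);
            return data;
        }
        data.setRevocationData(status.getStatusSource());
        if (status.getStatusSource() instanceof X509CRL) {
            addNotYetVerifiedToken(new CRLToken((X509CRL) status.getStatusSource()));
        } else if (status.getStatusSource() instanceof BasicOCSPResp) {
            addNotYetVerifiedToken(new OCSPRespToken((BasicOCSPResp) status.getStatusSource()));
        }
        return data;
    }

    /** @return number of tokens whose revocation data has been recorded (non-null) */
    int verifiedTokenCount() {
        int verified = 0;
        for (RevocationData data : this.revocationInfo.values()) {
            if (data != null) {
                verified++;
            }
        }
        return verified;
    }

    /** @return one-line summary: total token count and how many are verified */
    public String getShortConclusion() {
        return "ValidationContext contains " + this.revocationInfo.size() + " SignedToken and " + verifiedTokenCount() + " of them have been verified.";
    }

    /**
     * Multi-line dump of every token and its revocation data (or a "NO REVOCATION DATA
     * AVAILABLE!" marker), each line prefixed with {@code str}; nested parts get one extra tab.
     *
     * @param str prefix for every emitted line
     * @return the dump, starting with a newline and a summary line
     */
    public String toString(String str) {
        int verified = 0;
        StringBuilder body = new StringBuilder();
        String inner = str + "\t";
        for (Map.Entry<SignedToken, RevocationData> entry : this.revocationInfo.entrySet()) {
            body.append(str).append("SignedToken[").append('\n');
            body.append(inner).append(entry.getKey().toString(inner)).append('\n');
            if (entry.getValue() != null) {
                body.append(inner).append(entry.getValue().toString(inner)).append('\n');
                verified++;
            } else {
                body.append(inner).append("NO REVOCATION DATA AVAILABLE!").append('\n');
            }
            // The outer prefix is reused as-is; deriving it back from the inner one would
            // strip the wrong character for any prefix not made of tabs.
            body.append(str).append("],\n");
        }
        StringBuilder out = new StringBuilder();
        out.append("\n").append(str).append("ValidationContext contains ").append(this.revocationInfo.size()).append(" SignedToken and ").append(verified).append(" of them have been verified:\n");
        out.append((CharSequence) body);
        return out.toString();
    }

    @Override
    public String toString() {
        return toString("");
    }

    /**
     * Looks up the revocation status of {@code certificateAndContext}, first with the per-call
     * ("offline") sources when at least one is given, then with the context-wide ("online")
     * sources set via {@link #setCrlSource}/{@link #setOcspSource}.
     *
     * @return the first non-null status, or null when neither round produced one
     */
    private CertificateStatus getRevocationData(CertificateAndContext certificateAndContext, CertificateAndContext certificateAndContext2, Date date, CRLSource cRLSource, OCSPSource oCSPSource) {
        X509Certificate subject = certificateAndContext.getCertificate();
        X509Certificate issuer = certificateAndContext2.getCertificate();
        if (cRLSource != null || oCSPSource != null) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("Verify OCSPAndCRL with offline services for " + CertificateIdentifier.getIdAsString(subject));
            }
            CertificateStatus offline = checkWith(cRLSource, oCSPSource, subject, issuer, date);
            if (offline != null) {
                return offline;
            }
        }
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info("Verifing OCSPAndCRL with online services for " + CertificateIdentifier.getIdAsString(subject));
        }
        return checkWith(this.crlSource, this.ocspSource, subject, issuer, date);
    }

    /** Runs one OCSP-and-CRL check of {@code subject} against {@code issuer} with the given sources. */
    private static CertificateStatus checkWith(CRLSource crls, OCSPSource ocsps, X509Certificate subject, X509Certificate issuer, Date date) {
        OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
        verifier.setCrlSource(crls);
        verifier.setOcspSource(ocsps);
        return verifier.check(subject, issuer, date);
    }

    /** @return the live internal list of CRLs found so far; modifications affect this context */
    public List<X509CRL> getNeededCRL() {
        return this.neededCRL;
    }

    /** @return the live internal list of OCSP responses found so far; modifications affect this context */
    public List<BasicOCSPResp> getNeededOCSPResp() {
        return this.neededOCSPResp;
    }

    /** @return the live internal list of chain certificates found so far; modifications affect this context */
    public List<CertificateAndContext> getNeededCertificates() {
        return this.neededCertificates;
    }

    /**
     * Finds, among the certificates already collected, one whose subject name matches the
     * issuer name of {@code certificateAndContext}. This is a name match only - no signature
     * check - so with several collected certificates sharing a subject name the first one in
     * discovery order wins.
     *
     * @return the first name-matching certificate, or null for a self-issued input or no match
     */
    public CertificateAndContext getIssuerCertificateFromThisContext(CertificateAndContext certificateAndContext) {
        X509Certificate subject = certificateAndContext.getCertificate();
        X500Principal issuerName = subject.getIssuerX500Principal();
        if (X500PrincipalMatcher.viaAny(subject.getSubjectX500Principal(), issuerName)) {
            return null;
        }
        for (CertificateAndContext known : this.neededCertificates) {
            if (X500PrincipalMatcher.viaAny(known.getCertificate().getSubjectX500Principal(), issuerName)) {
                return known;
            }
        }
        return null;
    }

    /**
     * @return collected CRLs whose issuer name matches the issuer name of the given certificate
     *         (name match only; the CRL signature is verified through its own token)
     */
    public List<X509CRL> getRelatedCRLs(CertificateAndContext certificateAndContext) {
        List<X509CRL> related = new ArrayList<X509CRL>();
        X500Principal issuerName = certificateAndContext.getCertificate().getIssuerX500Principal();
        for (X509CRL crl : this.neededCRL) {
            if (X500PrincipalMatcher.viaAny(crl.getIssuerX500Principal(), issuerName)) {
                related.add(crl);
            }
        }
        return related;
    }

    /** @return collected OCSP responses containing a single response for the given certificate */
    public List<BasicOCSPResp> getRelatedOCSPResp(CertificateAndContext certificateAndContext) {
        List<BasicOCSPResp> related = new ArrayList<BasicOCSPResp>();
        for (BasicOCSPResp response : this.neededOCSPResp) {
            if (concernsCertificate(response, certificateAndContext)) {
                related.add(response);
            }
        }
        return related;
    }

    /**
     * Tells whether {@code basicOCSPResp} carries a single response for
     * {@code certificateAndContext}. The CertID is computed with SHA-1 from the issuer found in
     * this context and the certificate serial; only responses whose CertID was built the same way
     * compare equal, so an issuer that is not in this context means "not concerned".
     *
     * @throws RuntimeException wrapping the OCSPException from CertID construction
     */
    private boolean concernsCertificate(BasicOCSPResp basicOCSPResp, CertificateAndContext certificateAndContext) {
        CertificateAndContext issuer = getIssuerCertificateFromThisContext(certificateAndContext);
        if (issuer == null) {
            return false;
        }
        try {
            CertificateID wanted = new CertificateID(CertificateID.HASH_SHA1, issuer.getCertificate(), certificateAndContext.getCertificate().getSerialNumber());
            for (SingleResp single : basicOCSPResp.getResponses()) {
                if (single.getCertID().equals(wanted)) {
                    return true;
                }
            }
            return false;
        } catch (OCSPException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Revocation status of a certificate using only the CRLs and OCSP responses collected in
     * this context. A trusted-list certificate is reported VALID without any lookup.
     *
     * @return the status, or null when the certificate's issuer is not in this context
     */
    public CertificateStatus getCertificateStatusFromContext(CertificateAndContext certificateAndContext) {
        if (certificateAndContext.getCertificateSource() == CertificateSourceType.TRUSTED_LIST) {
            CertificateStatus anchorStatus = new CertificateStatus();
            anchorStatus.setValidity(CertificateValidity.VALID);
            anchorStatus.setStatusSourceType(ValidatorSourceType.TRUSTED_LIST);
            anchorStatus.setCertificate(certificateAndContext.getCertificate());
            return anchorStatus;
        }
        CertificateAndContext issuer = getIssuerCertificateFromThisContext(certificateAndContext);
        if (issuer == null) {
            return null;
        }
        return checkWith(new ListCRLSource(this.neededCRL), new ListOCSPSource(this.neededOCSPResp), certificateAndContext.getCertificate(), issuer.getCertificate(), getValidationDate());
    }

    /**
     * Walks up the issuer chain inside this context, starting one step above
     * {@code certificateAndContext} (the input itself is never returned), until a certificate
     * tagged {@link CertificateSourceType#TRUSTED_LIST} is reached.
     *
     * @return the trusted-list ancestor, or null when the chain ends or does not terminate
     */
    public CertificateAndContext getParentFromTrustedList(CertificateAndContext certificateAndContext) {
        // Each step yields an element of neededCertificates, so a walk longer than that list has
        // revisited a certificate (e.g. cross-certified cycle) and would otherwise never end.
        int remainingSteps = this.neededCertificates.size() + 1;
        CertificateAndContext current = certificateAndContext;
        do {
            CertificateAndContext parent = getIssuerCertificateFromThisContext(current);
            if (parent == null) {
                LOG.warning("***No issuer in the TrustedList for certificate " + CertificateIdentifier.getIdAsString(certificateAndContext.getCertificate()) + ". The parent found is " + current);
                return null;
            }
            current = parent;
            if (--remainingSteps < 0) {
                LOG.warning("***Issuer chain does not terminate for certificate " + CertificateIdentifier.getIdAsString(certificateAndContext.getCertificate()));
                return null;
            }
        } while (!CertificateSourceType.TRUSTED_LIST.equals(current.getCertificateSource()));
        LOG.info("Parent from TrustedList found " + CertificateIdentifier.getIdAsString(current.getCertificate()));
        return current;
    }

    /**
     * @return the trusted-list service information of the context certificate's trusted-list
     *         ancestor, or null when there is none; requires a non-null context certificate
     */
    public ServiceInfo getRelevantServiceInfo() {
        CertificateAndContext anchor = getParentFromTrustedList(new CertificateAndContext(this.certificate));
        if (anchor == null) {
            return null;
        }
        return (ServiceInfo) anchor.getContext();
    }

    /**
     * @return the qualifiers the relevant trusted-list service assigns to the context
     *         certificate, or null when no service information is available
     */
    public List<String> getQualificationStatement() {
        ServiceInfo serviceInfo = getRelevantServiceInfo();
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info("Service Information " + serviceInfo);
        }
        if (serviceInfo == null) {
            return null;
        }
        return serviceInfo.getQualifiers(new CertificateAndContext(this.certificate));
    }
}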
