package eu.europa.ec.markt.dss.validation102853;

import eu.europa.ec.markt.dss.DSSUtils;
import eu.europa.ec.markt.dss.RemoteCertificateSource;
import eu.europa.ec.markt.dss.exception.DSSException;
import eu.europa.ec.markt.dss.validation.certificate.CertificateSourceType;
import eu.europa.ec.markt.dss.validation.crl.CRLSource;
import eu.europa.ec.markt.dss.validation.https.CommonsHttpDataLoader;
import eu.europa.ec.markt.dss.validation.ocsp.OCSPSource;
import eu.europa.ec.markt.dss.validation102853.condition.ServiceInfo;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:applet/signature-client.jar:eu/europa/ec/markt/dss/validation102853/SignatureValidationContext.class */
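/**
 * Gathers every token (certificates, revocation data, timestamps) that has to be examined
 * for one signature, or for one stand-alone certificate, and resolves issuer and revocation
 * information for each of them.
 *
 * <p>Issuers are looked up in this order: the issuer already attached to the token, the
 * local {@link CertificatePool}, the remote trusted certificate source (when configured),
 * and finally the network location obtained through AIA. Revocation data is requested from
 * the verifier's CRL/OCSP sources first and from the sources embedded in the signature as a
 * fallback.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The AIA lookup performs an outbound HTTP request driven by the certificate under
 *       validation, i.e. by data supplied with the signature.</li>
 *   <li>Certificates returned by the remote trusted source are registered in the pool as
 *       {@code TRUSTED_LIST} entries before any signature check against the token.</li>
 *   <li>No synchronisation is visible in this class; instances hold plain {@code HashMap}
 *       and {@code HashSet} state.</li>
 * </ul>
 */
public class SignatureValidationContext implements ValidationContext {
    private static final Logger LOG = Logger.getLogger(SignatureValidationContext.class.getName());

    protected CertificatePool validationCertPool;
    protected AdvancedSignature signature;
    protected CertificateToken certToValidate;

    // Revocation sources supplied by the CertificateVerifier (logged below as "ON-LINE").
    private OCSPSource ocspSource;
    private CRLSource crlSource;
    // Only set when the verifier's trusted source is a RemoteCertificateSource.
    private RemoteCertificateSource remoteTrustedCertSource;
    // Revocation sources taken from the signature itself (logged below as "OFF-LINE").
    private CRLSource signCRLSource;
    private OCSPSource signOCSPSource;

    // Timestamp tokens and the data each family is matched against. All of these stay
    // null when the certificate-only constructor is used.
    private List<TimestampToken> sigTimestamps;
    private byte[] timestampData;
    private List<TimestampToken> sigAndRefsTimestamps;
    private byte[] sigAndRefsTimestampData;
    private List<TimestampReference> timestampedReferences;
    private List<TimestampToken> refsOnlyTimestamps;
    byte[] refsOnlyTimestampData;
    private List<TimestampToken> archiveTimestamps;
    private byte[] archiveTimestampData;

    private final Set<CertificateToken> processedCertificates = new HashSet<CertificateToken>();
    private final Set<RevocationToken> processedRevocations = new HashSet<RevocationToken>();
    private final Set<TimestampToken> processedTimestamps = new HashSet<TimestampToken>();
    // Work list: a null value means "queued, not yet picked up"; true means "picked up".
    private final Map<Token, Boolean> tokensToProcess = new HashMap<Token, Boolean>();

    /**
     * Creates a context for validating a signature.
     *
     * @param advancedSignature the signature whose tokens are to be validated
     * @param certificateVerifier provides the CRL, OCSP and trusted certificate sources
     * @param certificatePool the pool in which encountered certificates are registered
     * @throws DSSException if any argument is {@code null}
     */
    public SignatureValidationContext(AdvancedSignature advancedSignature, CertificateVerifier certificateVerifier, CertificatePool certificatePool) {
        if (advancedSignature == null) {
            throw new DSSException("The signature to validate cannot be null.");
        }
        if (certificateVerifier == null) {
            throw new DSSException("The certificate verifier cannot be null.");
        }
        if (certificatePool == null) {
            throw new DSSException("The certificate pool cannot be null.");
        }
        this.crlSource = certificateVerifier.getCrlSource();
        this.ocspSource = certificateVerifier.getOcspSource();
        TrustedCertificateSource trustedCertSource = certificateVerifier.getTrustedCertSource();
        if (trustedCertSource instanceof RemoteCertificateSource) {
            this.remoteTrustedCertSource = (RemoteCertificateSource) trustedCertSource;
        }
        this.signCRLSource = advancedSignature.getCRLSource();
        this.signOCSPSource = advancedSignature.getOCSPSource();
        this.sigTimestamps = advancedSignature.getSignatureTimestamps();
        this.timestampData = advancedSignature.getSignatureTimestampData();
        this.sigAndRefsTimestamps = advancedSignature.getTimestampsX1();
        this.sigAndRefsTimestampData = advancedSignature.getTimestampX1Data();
        this.refsOnlyTimestamps = advancedSignature.getTimestampsX2();
        this.refsOnlyTimestampData = advancedSignature.getTimestampX2Data();
        this.timestampedReferences = advancedSignature.getTimestampedReferences();
        this.signature = advancedSignature;
        this.archiveTimestamps = advancedSignature.getArchiveTimestamps();
        this.validationCertPool = certificatePool;
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info("+ New ValidationContext created.");
        }
    }

    /**
     * Creates a context for validating a single certificate, without a signature. A fresh
     * {@link CertificatePool} is used and no signature-embedded sources or timestamps exist.
     *
     * @param certificateVerifier provides the CRL, OCSP and trusted certificate sources
     * @throws DSSException if {@code certificateVerifier} is {@code null}
     */
    public SignatureValidationContext(CertificateVerifier certificateVerifier) {
        if (certificateVerifier == null) {
            throw new DSSException("The certificate verifier cannot be null.");
        }
        this.crlSource = certificateVerifier.getCrlSource();
        this.ocspSource = certificateVerifier.getOcspSource();
        TrustedCertificateSource trustedCertSource = certificateVerifier.getTrustedCertSource();
        if (trustedCertSource instanceof RemoteCertificateSource) {
            this.remoteTrustedCertSource = (RemoteCertificateSource) trustedCertSource;
        }
        this.validationCertPool = new CertificatePool();
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info("+ New ValidationContext created for a certificate.");
        }
    }

    /**
     * Records the certificate to validate and queues it for processing.
     *
     * @param certificateToken the certificate to validate
     */
    @Override
    public void setCertificateToValidate(CertificateToken certificateToken) {
        this.certToValidate = certificateToken;
        addNotYetVerifiedCertificateToken(this.certToValidate);
    }

    /**
     * Returns the next queued token that has not been picked up yet and marks it as picked
     * up, or {@code null} when the work list holds no such token.
     */
    private Token getNotYetVerifiedToken() {
        for (Map.Entry<Token, Boolean> entry : this.tokensToProcess.entrySet()) {
            if (entry.getValue() == null) {
                // setValue is not a structural change, so it is safe during iteration.
                entry.setValue(true);
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Resolves the issuer certificate of {@code token}.
     *
     * <p>A trusted token has no issuer to resolve and yields {@code null}. Otherwise the
     * issuer already attached to the token wins, then the local pool, then the remote
     * trusted source (consulted when the pool gave nothing or only an untrusted match),
     * then AIA (certificates only, and only when nothing else was found).
     *
     * @param token the token whose issuer is wanted
     * @return the issuer certificate, or {@code null} if the token is trusted or no issuer
     *         could be found
     * @throws DSSException propagated from the underlying lookups
     */
    private CertificateToken getIssuerCertificate(Token token) throws DSSException {
        if (token.isTrusted()) {
            return null;
        }
        if (token.getIssuerToken() != null) {
            return token.getIssuerToken();
        }
        X500Principal issuerX500Principal = token.getIssuerX500Principal();
        CertificateToken issuer = getIssuerFromPool(token, issuerX500Principal);
        boolean needsRemoteLookup = issuer == null || !issuer.isTrusted();
        if (this.remoteTrustedCertSource != null && needsRemoteLookup) {
            CertificateToken issuerFromRemotePool = getIssuerFromRemotePool(token, issuerX500Principal);
            if (issuerFromRemotePool != null) {
                issuer = issuerFromRemotePool;
            }
        }
        if (issuer == null && (token instanceof CertificateToken)) {
            issuer = getIssuerFromAIA((CertificateToken) token);
        }
        if (issuer == null) {
            token.extraInfo().infoTheSigningCertNotFound();
        }
        if (issuer != null && !issuer.isTrusted() && !issuer.isSelfSigned()) {
            // The result is discarded: the call is made to resolve the rest of the chain.
            // NOTE(review): the recursion depth equals the chain length and, through AIA,
            // the chain is influenced by remote content. No depth limit is visible here;
            // consider bounding it.
            getIssuerCertificate(issuer);
        }
        return issuer;
    }

    /**
     * Downloads the issuer of {@code certificateToken} through its AIA information and
     * returns it only if it actually signed the certificate.
     *
     * <p>Security: the download location comes from the certificate under validation, so
     * this is an outbound request to a location named by signature-supplied data. The
     * signature check below proves the fetched certificate issued this one; it does not
     * make the fetched certificate trusted.
     * NOTE(review): timeouts, redirect handling and size limits are whatever
     * {@code CommonsHttpDataLoader} applies by default and are not visible here - confirm.
     * NOTE(review): the fetched certificate is handed to the pool before the signature
     * check, so it presumably remains in the pool (tagged AIA) even when rejected.
     *
     * @param certificateToken the certificate whose issuer is wanted
     * @return the verified issuer, or {@code null} if none was obtained or the check failed
     */
    private CertificateToken getIssuerFromAIA(CertificateToken certificateToken) {
        try {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info(String.format("Retrieving for the certificate %s its issuer using AIA.", certificateToken.getAbbreviation()));
            }
            X509Certificate loadedIssuer = DSSUtils.loadIssuerCertificate(certificateToken.getCertificate(), new CommonsHttpDataLoader());
            if (loadedIssuer == null) {
                return null;
            }
            CertificateToken pooledIssuer = this.validationCertPool.getInstance(loadedIssuer, CertificateSourceType.AIA);
            return certificateToken.isSignedBy(pooledIssuer) ? pooledIssuer : null;
        } catch (DSSException e) {
            // Best effort: a failed download must not abort validation. The throwable is
            // passed along so the cause is not lost from the log.
            LOG.log(Level.WARNING, e.getMessage(), e);
            return null;
        }
    }

    /**
     * Asks the remote trusted certificate source for certificates with the given subject
     * and returns the first one that signed {@code token}.
     *
     * <p>Security: every certificate the remote source returns is registered in the local
     * pool as {@code TRUSTED_LIST}, together with its service information, before the
     * signature check. The authenticity of the remote source's answers is therefore part
     * of the trust base.
     * NOTE(review): confirm how {@code RemoteCertificateSource} authenticates its responses.
     *
     * <p>Diagnostics go through the class logger at FINE level instead of standard output,
     * so certificate details are not written to the console unconditionally.
     *
     * @param token the token whose issuer is wanted
     * @param x500Principal the issuer name to look up
     * @return the matching issuer, or {@code null} if there is no remote source, it returned
     *         nothing, or none of its certificates signed the token
     */
    private CertificateToken getIssuerFromRemotePool(Token token, X500Principal x500Principal) {
        if (this.remoteTrustedCertSource == null) {
            return null;
        }
        boolean trace = LOG.isLoggable(Level.FINE);
        if (trace) {
            LOG.fine("Looking up issuer in remote trusted source: " + x500Principal);
        }
        List<CertificateToken> remoteCandidates = this.remoteTrustedCertSource.get(x500Principal);
        if (remoteCandidates == null) {
            // Treat "no answer" like "no certificates" rather than failing validation.
            return null;
        }
        if (trace) {
            LOG.fine("Remote trusted source returned " + remoteCandidates.size() + " certificate(s).");
        }
        for (CertificateToken remoteCandidate : remoteCandidates) {
            CertificateToken pooledCandidate = this.validationCertPool.getInstance(remoteCandidate.getCertificate(), CertificateSourceType.TRUSTED_LIST);
            for (ServiceInfo serviceInfo : remoteCandidate.getAssociatedTSPS()) {
                pooledCandidate.addServiceInfo(serviceInfo);
            }
            if (trace) {
                LOG.fine("Remote certificate " + remoteCandidate.getAbbreviation() + " registered locally as " + pooledCandidate.getAbbreviation());
            }
            if (token.isSignedBy(pooledCandidate)) {
                return pooledCandidate;
            }
        }
        return null;
    }

    /**
     * Returns the first certificate in the local pool with the given subject that signed
     * {@code token}, or {@code null} if there is none.
     */
    private CertificateToken getIssuerFromPool(Token token, X500Principal x500Principal) {
        for (CertificateToken candidate : this.validationCertPool.get(x500Principal)) {
            if (token.isSignedBy(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Queues {@code token} for processing unless it is {@code null} or already queued.
     *
     * @return {@code true} if the token was newly queued, {@code false} otherwise
     */
    private boolean addNotYetVerifiedToken(Token token) {
        if (token == null) {
            return false;
        }
        if (this.tokensToProcess.containsKey(token)) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("Token was already in the list " + token.getClass().getSimpleName() + ":" + token.getAbbreviation());
            }
            return false;
        }
        // A null value marks the token as queued but not yet picked up.
        this.tokensToProcess.put(token, null);
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info("+ New " + token.getClass().getSimpleName() + " to check: " + token.getAbbreviation());
        }
        return true;
    }

    /** Queues a revocation token and, if it is new, records it among the processed ones. */
    private void addNotYetVerifiedRevocationToken(RevocationToken revocationToken) {
        if (addNotYetVerifiedToken(revocationToken)) {
            this.processedRevocations.add(revocationToken);
        }
    }

    /** Queues a certificate token and, if it is new, records it among the processed ones. */
    private void addNotYetVerifiedCertificateToken(CertificateToken certificateToken) {
        if (addNotYetVerifiedToken(certificateToken)) {
            this.processedCertificates.add(certificateToken);
        }
    }

    /** Queues a timestamp token and, if it is new, records it among the processed ones. */
    private void addNotYetVerifiedTimestampToken(TimestampToken timestampToken) {
        if (addNotYetVerifiedToken(timestampToken)) {
            this.processedTimestamps.add(timestampToken);
        }
    }

    /**
     * Processes every queued token and then, when a signature is present, each timestamp
     * family in turn: signature timestamps, signature-and-references timestamps,
     * references-only timestamps and archive timestamps.
     *
     * <p>NOTE(review): the value returned by {@code matchData}, if any, is not inspected
     * here; presumably the outcome is recorded on the timestamp token - confirm.
     *
     * @throws DSSException propagated from issuer or revocation resolution
     */
    @Override
    public void validate() throws DSSException {
        runValidation();
        if (this.signature == null) {
            // Certificate-only context: there are no timestamps to process.
            return;
        }
        for (TimestampToken timestamp : this.sigTimestamps) {
            timestamp.matchData(this.timestampData);
            addNotYetVerifiedTimestampToken(timestamp);
            runValidation();
        }
        for (TimestampToken timestamp : this.sigAndRefsTimestamps) {
            timestamp.matchData(this.sigAndRefsTimestampData);
            addNotYetVerifiedTimestampToken(timestamp);
            runValidation();
        }
        for (TimestampToken timestamp : this.refsOnlyTimestamps) {
            timestamp.matchData(this.refsOnlyTimestampData);
            addNotYetVerifiedTimestampToken(timestamp);
            runValidation();
        }
        for (TimestampToken timestamp : this.archiveTimestamps) {
            // Archive timestamp data is computed per token.
            this.archiveTimestampData = this.signature.getArchiveTimestampData(timestamp);
            timestamp.matchData(this.archiveTimestampData);
            addNotYetVerifiedTimestampToken(timestamp);
            runValidation();
        }
    }

    /**
     * Drains the work list: for each queued token, resolves its issuer (queuing it when the
     * token is neither self-signed nor trusted) and, for certificates, queues the
     * revocation data obtained for it.
     *
     * <p>Implemented as a loop rather than by self-recursion so that the number of tokens,
     * which depends on the signature content, cannot exhaust the call stack.
     *
     * @throws DSSException propagated from issuer or revocation resolution
     */
    private void runValidation() throws DSSException {
        Token current = getNotYetVerifiedToken();
        while (current != null) {
            CertificateToken issuerCertificate = getIssuerCertificate(current);
            if (issuerCertificate != null && !current.isSelfSigned() && !current.isTrusted()) {
                addNotYetVerifiedCertificateToken(issuerCertificate);
            }
            if (current instanceof CertificateToken) {
                addNotYetVerifiedRevocationToken(getRevocationData((CertificateToken) current));
            }
            current = getNotYetVerifiedToken();
        }
    }

    /**
     * Obtains revocation data for {@code certificateToken}.
     *
     * <p>No revocation data is sought for self-signed or trusted certificates, for OCSP
     * signing certificates carrying the id-pkix-ocsp-nocheck extension, or when the issuer
     * is unknown. The verifier's sources are queried when the certificate is not expired,
     * or when it is expired but either the issuer carries the ExpiredCertOnCRL extension or
     * the trust anchor's service information provides an applicable
     * expiredCertsRevocationInfo date. If that yields nothing, the sources embedded in the
     * signature are used.
     *
     * @param certificateToken the certificate to check
     * @return the revocation token, or {@code null} if none applies or none was obtained
     */
    private RevocationToken getRevocationData(CertificateToken certificateToken) {
        if (certificateToken.isSelfSigned() || certificateToken.isTrusted()) {
            return null;
        }
        if (certificateToken.isOCSPSigning() && certificateToken.hasIdPkixOcspNoCheckExtension()) {
            certificateToken.extraInfo().add("OCSP check not needed: id-pkix-ocsp-nocheck extension present.");
            return null;
        }
        CertificateToken issuerToken = certificateToken.getIssuerToken();
        if (issuerToken == null) {
            return null;
        }
        boolean expired = certificateToken.isExpired();
        boolean expiredButKeptOnCrl = expired && issuerToken.hasExpiredCertOnCRLExtension();
        Date expiredCertsRevocationFromDate = null;
        CertificateToken trustAnchor = certificateToken.getTrustAnchor();
        if (trustAnchor != null) {
            for (ServiceInfo serviceInfo : trustAnchor.getAssociatedTSPS()) {
                Date candidate = serviceInfo.getExpiredCertsRevocationInfo();
                if (expiredCertsRevocationFromDate == null) {
                    expiredCertsRevocationFromDate = candidate;
                    // NOTE(review): the date is always null on entry, so this break ends
                    // the loop after the first ServiceInfo and the comparison below is
                    // never reached. Behaviour is kept as is; confirm whether the earliest
                    // date across all services was intended.
                    break;
                }
                if (candidate != null && candidate.before(expiredCertsRevocationFromDate)) {
                    expiredCertsRevocationFromDate = candidate;
                }
            }
            // A date later than the certificate's notAfter is discarded.
            if (expiredCertsRevocationFromDate != null && expiredCertsRevocationFromDate.after(certificateToken.getNotAfter())) {
                expiredCertsRevocationFromDate = null;
            }
        }
        RevocationToken revocationToken = null;
        if (!expired || expiredButKeptOnCrl || expiredCertsRevocationFromDate != null) {
            if (expiredButKeptOnCrl) {
                certificateToken.extraInfo().add("Certificate is expired but the issuer certificate has ExpiredCertOnCRL extension.");
            }
            if (expiredCertsRevocationFromDate != null) {
                certificateToken.extraInfo().add("Certificate is expired but the TSL extension 'expiredCertsRevocationInfo' is present: " + expiredCertsRevocationFromDate);
            }
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("Verification OCSPAndCRL with ON-LINE services for " + certificateToken.getDSSIdAsString());
            }
            revocationToken = new OCSPAndCRLCertificateVerifier(this.crlSource, this.ocspSource, this.validationCertPool).check(certificateToken);
        }
        if (revocationToken == null) {
            // Fallback: revocation material shipped inside the signature. It is supplied
            // by the signer, so its freshness is whatever the signature contained.
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("Verification OCSPAndCRL with OFF-LINE services for " + certificateToken.getDSSIdAsString());
            }
            revocationToken = new OCSPAndCRLCertificateVerifier(this.signCRLSource, this.signOCSPSource, this.validationCertPool).check(certificateToken);
        }
        return revocationToken;
    }

    /**
     * Wraps {@code list} read-only, or returns an empty list when it is {@code null}, as
     * is the case for every timestamp list after the certificate-only constructor.
     */
    private static <T> List<T> readOnlyList(List<T> list) {
        if (list == null) {
            return Collections.emptyList();
        }
        return Collections.unmodifiableList(list);
    }

    /** Returns a read-only view of the certificates queued so far. */
    @Override
    public Set<CertificateToken> getProcessedCertificates() {
        return Collections.unmodifiableSet(this.processedCertificates);
    }

    /** Returns a read-only view of the revocation tokens queued so far. */
    @Override
    public Set<RevocationToken> getProcessedRevocations() {
        return Collections.unmodifiableSet(this.processedRevocations);
    }

    /** Returns a read-only view of the timestamp tokens queued so far. */
    @Override
    public Set<TimestampToken> getProcessedTimestamps() {
        return Collections.unmodifiableSet(this.processedTimestamps);
    }

    /** Returns the signature timestamps read-only; empty for a certificate-only context. */
    @Override
    public List<TimestampToken> getTimestampTokens() {
        return readOnlyList(this.sigTimestamps);
    }

    /** Returns the signature-and-references timestamps read-only; empty if there are none. */
    @Override
    public List<TimestampToken> getSigAndRefsTimestamps() {
        return readOnlyList(this.sigAndRefsTimestamps);
    }

    /** Returns the references-only timestamps read-only; empty if there are none. */
    @Override
    public List<TimestampToken> getRefsOnlyTimestamps() {
        return readOnlyList(this.refsOnlyTimestamps);
    }

    /** Returns the archive timestamps read-only; empty if there are none. */
    @Override
    public List<TimestampToken> getArchiveTimestamps() {
        return readOnlyList(this.archiveTimestamps);
    }

    /**
     * Returns the timestamped references exactly as obtained from the signature.
     *
     * <p>Unlike the other accessors this hands out the internal list itself, which is
     * {@code null} for a certificate-only context; callers share and can modify it.
     */
    public List<TimestampReference> getTimestampedReferences() {
        return this.timestampedReferences;
    }

    /**
     * Renders the queued certificates as an indented, multi-line description.
     *
     * @param str the indentation prefix for the outermost line
     * @return the description, or the default {@code Object} representation if rendering
     *         fails for any reason
     */
    public String toString(String str) {
        try {
            StringBuilder sb = new StringBuilder();
            sb.append(str).append("ValidationContext[").append('\n');
            String indent = str + "\t";
            sb.append(indent).append("Certificates[").append('\n');
            String innerIndent = indent + "\t";
            for (CertificateToken certificate : this.processedCertificates) {
                sb.append(certificate.toString(innerIndent));
            }
            // Step the indentation back one character per closing bracket.
            String closingIndent = innerIndent.substring(1);
            sb.append(closingIndent).append("],\n");
            sb.append(closingIndent.substring(1)).append("],\n");
            return sb.toString();
        } catch (Exception e) {
            // Deliberately broad: a diagnostic string must never make the caller fail.
            return super.toString();
        }
    }

    /** Renders this context without any leading indentation. */
    @Override
    public String toString() {
        return toString("");
    }
}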
