package eu.europa.ec.markt.dss.validation.ocsp;

import eu.europa.ec.markt.dss.CertificateIdentifier;
import eu.europa.ec.markt.dss.validation.CertificateStatus;
import eu.europa.ec.markt.dss.validation.CertificateStatusVerifier;
import eu.europa.ec.markt.dss.validation.CertificateValidity;
import eu.europa.ec.markt.dss.validation.ValidatorSourceType;
import java.io.IOException;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.OCSPException;
import org.bouncycastle.ocsp.RevokedStatus;
import org.bouncycastle.ocsp.SingleResp;
import org.bouncycastle.ocsp.UnknownStatus;

/* loaded from: input_file:applet/signature-client.jar:eu/europa/ec/markt/dss/validation/ocsp/OCSPCertificateVerifier.class */
/**
 * Derives a certificate's revocation status from an OCSP response supplied by an
 * {@link OCSPSource}.
 *
 * <p>Scope of this class, as far as the visible code shows: it locates the response entry for
 * the certificate and maps the reported status onto a {@link CertificateStatus}. It does not
 * verify the signature of the OCSP response, does not check that the responder is authorised by
 * the issuer, and does not compare {@code thisUpdate}/{@code nextUpdate} with the validation
 * date (both values are only logged).
 * NOTE(review): confirm that the {@link OCSPSource} implementation or the caller performs those
 * checks before the result is relied on.
 */
public class OCSPCertificateVerifier implements CertificateStatusVerifier {
    private static final Logger LOG = Logger.getLogger(OCSPCertificateVerifier.class.getName());

    // Provider of OCSP responses; when it is null, check() logs a warning and returns null.
    private final OCSPSource ocspSource;

    /**
     * Creates a verifier that reads OCSP responses from the given source.
     *
     * <p>Side effect: every construction offers a new BouncyCastle provider to the JVM-wide
     * provider list. {@link Security#addProvider} leaves the list unchanged when a provider with
     * the same name is already installed.
     *
     * @param oCSPSource source queried by {@link #check}; may be {@code null}, in which case
     *     {@link #check} always returns {@code null}
     */
    public OCSPCertificateVerifier(OCSPSource oCSPSource) {
        Security.addProvider(new BouncyCastleProvider());
        this.ocspSource = oCSPSource;
    }

    /**
     * Looks up the OCSP status of a certificate at a given validation date.
     *
     * <p>A {@code null} return means that no OCSP answer was obtained (no source, no response, no
     * entry matching the certificate, or an {@link IOException} while fetching). It carries no
     * statement about validity, so callers need to treat it as "status not established" rather
     * than as a good status.
     *
     * <p>Status mapping for the matching entry:
     * <ul>
     *   <li>status object {@code null}: {@code VALID};</li>
     *   <li>{@link RevokedStatus} with a revocation time strictly after {@code date}:
     *       {@code VALID} (the certificate had not yet been revoked at the validation date);</li>
     *   <li>{@link RevokedStatus} otherwise: {@code REVOKED}, with the revocation date set;</li>
     *   <li>{@link UnknownStatus}: {@code UNKNOWN};</li>
     *   <li>any other status object: the validity is left as {@link CertificateStatus} was
     *       constructed.</li>
     * </ul>
     *
     * @param x509Certificate certificate whose status is requested
     * @param x509Certificate2 certificate of the issuer of {@code x509Certificate}
     * @param date validation date; dereferenced only when the responder reports a revocation, and
     *     a {@code null} value fails there with a {@link NullPointerException}
     * @return the populated status, or {@code null} when no OCSP answer is available
     * @throws RuntimeException wrapping an {@link OCSPException} raised while handling the response
     */
    @Override
    public CertificateStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) {
        final CertificateStatus result = new CertificateStatus();
        result.setCertificate(x509Certificate);
        result.setValidationDate(date);
        result.setIssuerCertificate(x509Certificate2);

        if (this.ocspSource == null) {
            LOG.warning("OCSPSource null");
            return null;
        }

        try {
            final BasicOCSPResp response = this.ocspSource.getOCSPResponse(x509Certificate, x509Certificate2);
            if (response == null) {
                if (LOG.isLoggable(Level.INFO)) {
                    LOG.info("OCSP response not found for " + CertificateIdentifier.getIdAsString(x509Certificate) + "<--" + CertificateIdentifier.getIdAsString(x509Certificate2));
                }
                return null;
            }

            // The entry is selected by a CertificateID built with SHA-1 from the issuer
            // certificate and the serial number.
            // NOTE(review): an entry whose CertID uses another hash algorithm presumably does not
            // compare equal and ends in the "no matching entry" path - confirm against the
            // responders in use.
            final CertificateID wanted = new CertificateID(CertificateID.HASH_SHA1, x509Certificate2, x509Certificate.getSerialNumber());

            for (SingleResp entry : response.getResponses()) {
                if (!wanted.equals(entry.getCertID())) {
                    continue;
                }

                // thisUpdate/nextUpdate are logged only; no freshness decision is taken on them here.
                final Date thisUpdate = entry.getThisUpdate();
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("OCSP thisUpdate: " + thisUpdate);
                    LOG.fine("OCSP nextUpdate: " + entry.getNextUpdate());
                }

                result.setStatusSourceType(ValidatorSourceType.OCSP);
                result.setStatusSource(response);
                result.setRevocationObjectIssuingTime(response.getProducedAt());

                final Object reported = entry.getCertStatus();
                if (reported != null) {
                    if (LOG.isLoggable(Level.INFO)) {
                        LOG.info("OCSP certificate status: " + reported.getClass().getName());
                    }
                    if (reported instanceof RevokedStatus) {
                        LOG.info("OCSP status revoked");
                        final Date revokedAt = ((RevokedStatus) reported).getRevocationTime();
                        if (date.before(revokedAt)) {
                            // Revoked only after the validation date: still valid at that date.
                            if (LOG.isLoggable(Level.INFO)) {
                                LOG.info("OCSP revocation time after the validation date, the certificate was valid at " + date);
                            }
                            result.setValidity(CertificateValidity.VALID);
                        } else {
                            result.setRevocationDate(revokedAt);
                            result.setValidity(CertificateValidity.REVOKED);
                        }
                    } else if (reported instanceof UnknownStatus) {
                        LOG.info("OCSP status unknown");
                        result.setValidity(CertificateValidity.UNKNOWN);
                    }
                } else {
                    // A null status object is treated as the responder's "good" answer.
                    if (LOG.isLoggable(Level.INFO)) {
                        LOG.info("OCSP OK for: " + CertificateIdentifier.getIdAsString(x509Certificate));
                    }
                    result.setValidity(CertificateValidity.VALID);
                }
                return result;
            }

            // The guard tests INFO while the message is emitted at FINE; kept as found so the
            // logging behaviour stays the same.
            if (LOG.isLoggable(Level.INFO)) {
                LOG.fine("no matching OCSP response entry");
            }
            return null;
        } catch (IOException ioFailure) {
            // A fetch failure is reported as "no answer", not as an error to the caller.
            LOG.log(Level.SEVERE, "OCSP exception: " + ioFailure.getMessage(), ioFailure);
            return null;
        } catch (OCSPException ocspFailure) {
            LOG.severe("OCSP exception: " + ocspFailure.getMessage());
            throw new RuntimeException(ocspFailure);
        }
    }
}
