package eu.europa.esig.dss.spi.validation;

import eu.europa.esig.dss.enumerations.Context;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
import eu.europa.esig.dss.enumerations.RevocationType;
import eu.europa.esig.dss.enumerations.SignatureAlgorithm;
import eu.europa.esig.dss.model.DSSException;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.extension.CertificateExtension;
import eu.europa.esig.dss.model.x509.extension.CertificateExtensions;
import eu.europa.esig.dss.model.x509.extension.CertificatePolicies;
import eu.europa.esig.dss.model.x509.extension.CertificatePolicy;
import eu.europa.esig.dss.spi.CertificateExtensionsUtils;
import eu.europa.esig.dss.spi.DSSPKUtils;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import eu.europa.esig.dss.spi.OID;
import eu.europa.esig.dss.spi.x509.CertificateSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.utils.Utils;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/spi/validation/RevocationDataVerifier.class */
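/**
 * Decides whether a piece of revocation data (CRL or OCSP response) may be used during validation.
 *
 * <p>Three independent questions are answered:
 * <ul>
 *   <li>{@link #isAcceptable(RevocationToken, CertificateToken)} — is the token complete, issued by a
 *       suitable issuer, consistent with the certificate it covers, and signed with an acceptable
 *       algorithm / key length;</li>
 *   <li>{@link #isRevocationDataFresh(RevocationToken, Date, Context)} — is {@code thisUpdate} recent
 *       enough relative to the validation time for the given validation context;</li>
 *   <li>{@link #isRevocationDataSkip(CertificateToken)} — may revocation checking be skipped entirely
 *       for a certificate (trusted, self-signed, or carrying a configured extension/policy).</li>
 * </ul>
 *
 * <p>A verifier built by {@link #createEmptyRevocationDataVerifier()} has no acceptable algorithms
 * configured and therefore rejects every token in {@link #isAcceptable}; use
 * {@link #createDefaultRevocationDataVerifier()} for the built-in policy.
 *
 * <p>Instances are plain mutable beans configured through setters and are not synchronized.
 */
public class RevocationDataVerifier {

    private static final Logger LOG = LoggerFactory.getLogger(RevocationDataVerifier.class);

    /**
     * Default maximum revocation freshness, in milliseconds. With 0 ms, {@code thisUpdate} must be
     * strictly after the validation time (see {@link #isRevocationThisUpdateAfterValidationTime}).
     */
    private static final Long DEFAULT_MAXIMUM_REVOCATION_FRESHNESS = 0L;

    /** Digest algorithms accepted by default for revocation data signatures; SHA-1 is deliberately absent. */
    private static final Collection<DigestAlgorithm> DEFAULT_DIGEST_ALGORITHMS = Arrays.asList(
            DigestAlgorithm.SHA224, DigestAlgorithm.SHA256, DigestAlgorithm.SHA384, DigestAlgorithm.SHA512,
            DigestAlgorithm.SHA3_256, DigestAlgorithm.SHA3_384, DigestAlgorithm.SHA3_512);

    /** Minimal key length (bits) of the revocation issuer accepted by default, per encryption algorithm. */
    private static final Map<EncryptionAlgorithm, Integer> DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP = new HashMap<>();

    /** Certificate extension OIDs whose presence lets revocation checking be skipped by default. */
    private static final Collection<String> DEFAULT_REVOCATION_SKIP_CERTIFICATE_EXTENSIONS;

    static {
        DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP.put(EncryptionAlgorithm.DSA, 2048);
        // 1900 rather than 2048 so that RSA keys that are nominally 2048-bit but whose modulus has a
        // leading zero bit (and thus report a slightly smaller size) are still accepted.
        DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP.put(EncryptionAlgorithm.RSA, 1900);
        DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP.put(EncryptionAlgorithm.RSASSA_PSS, 1900);
        DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP.put(EncryptionAlgorithm.ECDSA, 256);
        DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP.put(EncryptionAlgorithm.PLAIN_ECDSA, 256);
        // ETSI "validity assured - short term certificates" and RFC 6960 id-pkix-ocsp-nocheck
        DEFAULT_REVOCATION_SKIP_CERTIFICATE_EXTENSIONS = Arrays.asList(
                OID.id_etsi_ext_valassured_ST_certs.getId(),
                OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId());
    }

    /** Trust anchors; a certificate trusted here never requires revocation data. May be null. */
    private CertificateSource trustedCertificateSource;

    /** Digest algorithms a revocation token's signature may use. Empty/null means "reject everything". */
    private Collection<DigestAlgorithm> acceptableDigestAlgorithms;

    /** Minimal issuer key length (bits) per accepted encryption algorithm. Empty/null means "reject everything". */
    private Map<EncryptionAlgorithm, Integer> acceptableEncryptionAlgorithmKeyLength;

    /** Certificate extension OIDs whose presence allows skipping revocation checking. */
    private Collection<String> revocationSkipCertificateExtensions;

    /** Certificate policy OIDs whose presence allows skipping revocation checking. */
    private Collection<String> revocationSkipCertificatePolicies;

    /** Maximum freshness (ms) for signature / counter-signature / certificate contexts; null = no constraint. */
    private Long signatureMaximumRevocationFreshness;

    /** Maximum freshness (ms) for timestamp / evidence-record contexts; null = no constraint. */
    private Long timestampMaximumRevocationFreshness;

    /** Maximum freshness (ms) for the revocation context; null = no constraint. */
    private Long revocationMaximumRevocationFreshness;

    /** When no maximum freshness is configured, derive one from the token's own nextUpdate instead of accepting. */
    private boolean checkRevocationFreshnessNextUpdate;

    /** Use the static factories. */
    protected RevocationDataVerifier() {
    }

    /**
     * Creates a verifier with nothing configured.
     *
     * <p>Note that such a verifier rejects every token in {@link #isAcceptable} until acceptable digest
     * and encryption algorithms are set.
     *
     * @return a new, unconfigured verifier
     */
    public static RevocationDataVerifier createEmptyRevocationDataVerifier() {
        return new RevocationDataVerifier();
    }

    /**
     * Creates a verifier with the built-in defaults: SHA-2/SHA-3 digests, minimal key lengths from
     * {@link #DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP}, the default skip extensions, and a
     * 0 ms maximum freshness for all contexts.
     *
     * @return a new verifier with default configuration
     * @throws DSSException if the defaults cannot be applied
     */
    public static RevocationDataVerifier createDefaultRevocationDataVerifier() {
        try {
            RevocationDataVerifier verifier = new RevocationDataVerifier();
            verifier.setAcceptableDigestAlgorithms(DEFAULT_DIGEST_ALGORITHMS);
            verifier.setAcceptableEncryptionAlgorithmKeyLength(DEFAULT_ENCRYPTION_ALGORITHMS_KEY_LENGTH_MAP);
            verifier.setRevocationSkipCertificateExtensions(DEFAULT_REVOCATION_SKIP_CERTIFICATE_EXTENSIONS);
            verifier.setSignatureMaximumRevocationFreshness(DEFAULT_MAXIMUM_REVOCATION_FRESHNESS);
            verifier.setTimestampMaximumRevocationFreshness(DEFAULT_MAXIMUM_REVOCATION_FRESHNESS);
            verifier.setRevocationMaximumRevocationFreshness(DEFAULT_MAXIMUM_REVOCATION_FRESHNESS);
            return verifier;
        } catch (Exception e) {
            throw new DSSException(String.format("Unable to instantiate default RevocationDataVerifier. Reason : %s", e.getMessage()), e);
        }
    }

    /**
     * @return the trust anchors used by {@link #isRevocationDataSkip} and the issuer checks, or null
     */
    public CertificateSource getTrustedCertificateSource() {
        return this.trustedCertificateSource;
    }

    /**
     * Sets the trust anchors. Certificates trusted by this source are exempt from revocation checking.
     *
     * @param certificateSource trusted certificate source, may be null
     */
    public void setTrustedCertificateSource(CertificateSource certificateSource) {
        this.trustedCertificateSource = certificateSource;
    }

    /**
     * Sets the digest algorithms a revocation token's signature may use.
     *
     * @param collection acceptable digest algorithms (stored by reference, not copied)
     * @throws NullPointerException if {@code collection} is null
     */
    public void setAcceptableDigestAlgorithms(Collection<DigestAlgorithm> collection) {
        Objects.requireNonNull(collection, "Collection of DigestAlgorithms for acceptance cannot be null!");
        this.acceptableDigestAlgorithms = collection;
    }

    /**
     * Sets the minimal acceptable key length per encryption algorithm for the revocation issuer's key.
     *
     * @param map encryption algorithm to minimal key length in bits (stored by reference, not copied)
     * @throws NullPointerException if {@code map} is null
     */
    public void setAcceptableEncryptionAlgorithmKeyLength(Map<EncryptionAlgorithm, Integer> map) {
        Objects.requireNonNull(map, "Map of Encryption Algorithms for acceptance cannot be null!");
        this.acceptableEncryptionAlgorithmKeyLength = map;
    }

    /**
     * Sets the certificate extension OIDs whose presence allows skipping revocation checking.
     *
     * @param collection extension OIDs, may be null or empty (disables extension-based skipping)
     */
    public void setRevocationSkipCertificateExtensions(Collection<String> collection) {
        this.revocationSkipCertificateExtensions = collection;
    }

    /**
     * Sets the certificate policy OIDs whose presence allows skipping revocation checking.
     *
     * @param collection policy OIDs, may be null or empty
     */
    public void setRevocationSkipCertificatePolicies(Collection<String> collection) {
        this.revocationSkipCertificatePolicies = collection;
    }

    /**
     * Sets the maximum freshness for signature, counter-signature and certificate contexts.
     *
     * @param maximumRevocationFreshness milliseconds, or null for "no constraint"
     */
    public void setSignatureMaximumRevocationFreshness(Long maximumRevocationFreshness) {
        this.signatureMaximumRevocationFreshness = maximumRevocationFreshness;
    }

    /**
     * Sets the maximum freshness for timestamp and evidence-record contexts.
     *
     * @param maximumRevocationFreshness milliseconds, or null for "no constraint"
     */
    public void setTimestampMaximumRevocationFreshness(Long maximumRevocationFreshness) {
        this.timestampMaximumRevocationFreshness = maximumRevocationFreshness;
    }

    /**
     * Sets the maximum freshness for the revocation context.
     *
     * @param maximumRevocationFreshness milliseconds, or null for "no constraint"
     */
    public void setRevocationMaximumRevocationFreshness(Long maximumRevocationFreshness) {
        this.revocationMaximumRevocationFreshness = maximumRevocationFreshness;
    }

    /**
     * Controls what happens when no maximum freshness is configured for a context: when {@code true},
     * the token's {@code nextUpdate - thisUpdate} interval is used as the constraint; when {@code false},
     * the freshness check is skipped and every token is considered fresh.
     *
     * @param checkRevocationFreshnessNextUpdate whether to fall back on the token's nextUpdate
     */
    public void setCheckRevocationFreshnessNextUpdate(boolean checkRevocationFreshnessNextUpdate) {
        this.checkRevocationFreshnessNextUpdate = checkRevocationFreshnessNextUpdate;
    }

    /**
     * Checks the token against the issuer certificate it carries.
     *
     * @param revocationToken the revocation data to verify
     * @return true if acceptable
     * @see #isAcceptable(RevocationToken, CertificateToken)
     */
    public boolean isAcceptable(RevocationToken<?> revocationToken) {
        return isAcceptable(revocationToken, revocationToken.getIssuerCertificateToken());
    }

    /**
     * Checks whether the revocation token is usable: complete, from a suitable issuer, consistent with
     * the covered certificate, and signed with an acceptable algorithm and key size.
     *
     * @param revocationToken the revocation data to verify
     * @param certificateToken the issuer of the revocation data; null fails the issuer check
     * @return true only if all four checks pass
     */
    public boolean isAcceptable(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        // The order is significant: isRevocationDataComplete establishes a non-null related certificate,
        // status and thisUpdate, which the later checks dereference without re-checking.
        return isRevocationDataComplete(revocationToken)
                && isGoodIssuer(revocationToken, certificateToken)
                && isConsistent(revocationToken)
                && isAcceptableSignatureAlgorithm(revocationToken, certificateToken);
    }

    /** The token must carry a related certificate, a certificate status and a thisUpdate time. */
    private boolean isRevocationDataComplete(RevocationToken<?> revocationToken) {
        if (revocationToken.getRelatedCertificate() == null) {
            LOG.warn("The revocation '{}' does not have a related certificate!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (revocationToken.getStatus() == null) {
            LOG.warn("The obtained revocation token '{}' does not contain the certificate status!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (revocationToken.getThisUpdate() == null) {
            LOG.warn("The obtained revocation token '{}' does not contain thisUpdate field!", revocationToken.getDSSIdAsString());
            return false;
        }
        return true;
    }

    /**
     * Issuer checks. For OCSP: a responder certificate that itself requires revocation checking must
     * publish revocation access points, and the response must have been produced within the responder
     * certificate's validity period. Neither check is applied to CRLs here.
     */
    private boolean isGoodIssuer(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        if (certificateToken == null) {
            LOG.warn("The issuer certificate is not found for the obtained revocation '{}'!", revocationToken.getDSSIdAsString());
            return false;
        }
        boolean isOcsp = RevocationType.OCSP.equals(revocationToken.getRevocationType());
        if (isOcsp && doesRequireRevocation(certificateToken) && !hasRevocationAccessPoints(certificateToken)) {
            LOG.warn("The issuer certificate '{}' of the obtained OCSPToken '{}' requires a revocation data, which is not acceptable due its configuration (no revocation access location points)!", certificateToken.getDSSIdAsString(), revocationToken.getDSSIdAsString());
            return false;
        }
        if (isOcsp && !DSSRevocationUtils.checkIssuerValidAtRevocationProductionTime(revocationToken, certificateToken)) {
            LOG.warn("The revocation token '{}' has been produced outside the issuer certificate's validity range!", revocationToken.getDSSIdAsString());
            return false;
        }
        return true;
    }

    /** A certificate needs revocation data unless it is self-signed, trusted, or carries id-pkix-ocsp-nocheck. */
    private boolean doesRequireRevocation(CertificateToken certificateToken) {
        return !(certificateToken.isSelfSigned()
                || isTrusted(certificateToken)
                || CertificateExtensionsUtils.hasOcspNoCheckExtension(certificateToken));
    }

    /** True if a trusted source is configured and it trusts the certificate. */
    private boolean isTrusted(CertificateToken certificateToken) {
        return this.trustedCertificateSource != null && this.trustedCertificateSource.isTrusted(certificateToken);
    }

    /** True if the certificate advertises at least one CRL or OCSP access URL. */
    private boolean hasRevocationAccessPoints(CertificateToken certificateToken) {
        return Utils.isCollectionNotEmpty(CertificateExtensionsUtils.getCRLAccessUrls(certificateToken))
                || Utils.isCollectionNotEmpty(CertificateExtensionsUtils.getOCSPAccessUrls(certificateToken));
    }

    /**
     * The token must have been issued no earlier than the certificate's notBefore and must still be
     * authoritative for the certificate (see {@link #doesRevocationKnowCertificate}).
     * Caller guarantees a non-null related certificate (see {@link #isRevocationDataComplete}).
     */
    private boolean isConsistent(RevocationToken<?> revocationToken) {
        CertificateToken relatedCertificate = revocationToken.getRelatedCertificate();
        if (!isRevocationIssuedAfterCertificateNotBefore(revocationToken, relatedCertificate)) {
            LOG.warn("The revocation '{}' has been produced before the start of the validity of the certificate '{}'!", revocationToken.getDSSIdAsString(), relatedCertificate.getDSSIdAsString());
            return false;
        }
        if (!doesRevocationKnowCertificate(revocationToken, relatedCertificate)) {
            LOG.warn("The revocation '{}' was not issued during the validity period of the certificate! Certificate: {}", revocationToken.getDSSIdAsString(), relatedCertificate.getDSSIdAsString());
            return false;
        }
        LOG.debug("The revocation '{}' is consistent. Certificate: {}", revocationToken.getDSSIdAsString(), relatedCertificate.getDSSIdAsString());
        return true;
    }

    /** notBefore &lt;= thisUpdate. */
    private boolean isRevocationIssuedAfterCertificateNotBefore(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        return certificateToken.getNotBefore().compareTo(revocationToken.getThisUpdate()) <= 0;
    }

    /**
     * The token is authoritative for the certificate either because it was produced (or still covers
     * expired certificates) before the certificate expired, or because its certHash matches.
     */
    private boolean doesRevocationKnowCertificate(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        return revocationInformationAssured(revocationToken, certificateToken) || certHashMatch(revocationToken);
    }

    /**
     * notAfter &gt;= reference time, where the reference time is thisUpdate unless the token carries
     * expiredCertsOnCRL (CRL) or archiveCutOff (OCSP); archiveCutOff takes precedence when both exist.
     */
    private boolean revocationInformationAssured(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        Date referenceTime = revocationToken.getThisUpdate();
        Date notAfter = certificateToken.getNotAfter();
        Date expiredCertsOnCRL = revocationToken.getExpiredCertsOnCRL();
        if (expiredCertsOnCRL != null) {
            referenceTime = expiredCertsOnCRL;
        }
        Date archiveCutOff = revocationToken.getArchiveCutOff();
        if (archiveCutOff != null) {
            referenceTime = archiveCutOff;
        }
        return notAfter.compareTo(referenceTime) >= 0;
    }

    /** True if the token carries a certHash and it matches the related certificate. */
    private boolean certHashMatch(RevocationToken<?> revocationToken) {
        return revocationToken.isCertHashPresent() && revocationToken.isCertHashMatch();
    }

    /**
     * The token's signature algorithm must use an acceptable digest and encryption algorithm, and the
     * issuer key must be at least the configured minimal length for that encryption algorithm.
     * An unconfigured verifier (no algorithms set) rejects every token here.
     */
    private boolean isAcceptableSignatureAlgorithm(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        if (Utils.isCollectionEmpty(this.acceptableDigestAlgorithms)) {
            LOG.info("No acceptable digest algorithms defined!");
            return false;
        }
        if (Utils.isMapEmpty(this.acceptableEncryptionAlgorithmKeyLength)) {
            LOG.info("No acceptable encryption algorithms defined!");
            return false;
        }
        SignatureAlgorithm signatureAlgorithm = revocationToken.getSignatureAlgorithm();
        if (signatureAlgorithm == null) {
            LOG.warn("Signature algorithm was not identified for an obtained revocation token '{}'!", revocationToken.getDSSIdAsString());
            return false;
        }
        DigestAlgorithm digestAlgorithm = signatureAlgorithm.getDigestAlgorithm();
        if (!this.acceptableDigestAlgorithms.contains(digestAlgorithm)) {
            LOG.warn("The used DigestAlgorithm {} is not acceptable for revocation token '{}'!", digestAlgorithm, revocationToken.getDSSIdAsString());
            return false;
        }
        EncryptionAlgorithm encryptionAlgorithm = signatureAlgorithm.getEncryptionAlgorithm();
        Integer minimalKeySize = this.acceptableEncryptionAlgorithmKeyLength.get(encryptionAlgorithm);
        if (minimalKeySize == null) {
            LOG.warn("The EncryptionAlgorithm {} is not acceptable for revocation token '{}'!", encryptionAlgorithm, revocationToken.getDSSIdAsString());
            return false;
        }
        // Key size is read from the issuer certificate, not from the token; no issuer means unknown size.
        int publicKeySize = certificateToken != null ? DSSPKUtils.getPublicKeySize(certificateToken.getPublicKey()) : -1;
        if (publicKeySize <= 0) {
            LOG.warn("Key size used to sign revocation token '{}' cannot be identified!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (publicKeySize < minimalKeySize.intValue()) {
            LOG.warn("The key size '{}' used to sign revocation token '{}' is smaller than minimal acceptable value '{}'!", publicKeySize, revocationToken.getDSSIdAsString(), minimalKeySize);
            return false;
        }
        return true;
    }

    /**
     * Decides whether revocation checking may be skipped for a certificate: always for trusted and
     * self-signed certificates; otherwise if it carries one of the configured skip extensions, or one
     * of the configured skip policies.
     *
     * @param certificateToken the certificate under validation
     * @return true if no revocation data is required for this certificate
     */
    public boolean isRevocationDataSkip(CertificateToken certificateToken) {
        if (isTrusted(certificateToken) || certificateToken.isSelfSigned()) {
            return true;
        }
        if (Utils.isCollectionEmpty(this.revocationSkipCertificateExtensions)) {
            // NOTE(review): with no skip extensions configured the policy-based skip below is never
            // evaluated, even when revocationSkipCertificatePolicies is set — confirm this is intended.
            return false;
        }
        CertificateExtensions certificateExtensions = CertificateExtensionsUtils.getCertificateExtensions(certificateToken);
        List<CertificateExtension> allCertificateExtensions = certificateExtensions.getAllCertificateExtensions();
        if (Utils.isCollectionNotEmpty(allCertificateExtensions)) {
            Collection<String> presentExtensionOids = allCertificateExtensions.stream()
                    .map(CertificateExtension::getOid)
                    .collect(Collectors.toSet());
            if (Utils.containsAny(presentExtensionOids, this.revocationSkipCertificateExtensions)) {
                return true;
            }
        }
        if (Utils.isCollectionEmpty(this.revocationSkipCertificatePolicies)) {
            return false;
        }
        CertificatePolicies certificatePolicies = certificateExtensions.getCertificatePolicies();
        if (certificatePolicies == null || !Utils.isCollectionNotEmpty(certificatePolicies.getPolicyList())) {
            return false;
        }
        Collection<String> presentPolicyOids = certificatePolicies.getPolicyList().stream()
                .map(CertificatePolicy::getOid)
                .collect(Collectors.toSet());
        return Utils.containsAny(presentPolicyOids, this.revocationSkipCertificatePolicies);
    }

    /**
     * Freshness check: {@code thisUpdate} must be after {@code validationTime - maximumFreshness}
     * for the context. With no maximum freshness configured for the context, behaviour is governed by
     * {@link #setCheckRevocationFreshnessNextUpdate(boolean)}.
     *
     * @param revocationToken the revocation data
     * @param date the validation time
     * @param context the validation context selecting which maximum freshness applies
     * @return true if the token is fresh enough
     * @throws UnsupportedOperationException for an unknown context
     */
    public boolean isRevocationDataFresh(RevocationToken<?> revocationToken, Date date, Context context) {
        Long maximumRevocationFreshness = getMaximumRevocationFreshness(context);
        if (maximumRevocationFreshness == null) {
            return isRevocationThisUpdateAfterValidationTimeNullConstraint(revocationToken, date);
        }
        return isRevocationThisUpdateAfterValidationTime(revocationToken, date, maximumRevocationFreshness.longValue());
    }

    /**
     * @param revocationToken the revocation data
     * @param date the validation time
     * @param maximumRevocationFreshness allowed age in milliseconds
     * @return true if {@code thisUpdate} is non-null and strictly after {@code date - maximumRevocationFreshness}
     */
    protected boolean isRevocationThisUpdateAfterValidationTime(RevocationToken<?> revocationToken, Date date, long maximumRevocationFreshness) {
        Date earliestAcceptableThisUpdate = new Date(date.getTime() - maximumRevocationFreshness);
        Date thisUpdate = revocationToken.getThisUpdate();
        return thisUpdate != null && thisUpdate.after(earliestAcceptableThisUpdate);
    }

    /**
     * Freshness check when no maximum freshness is configured. If {@code checkRevocationFreshnessNextUpdate}
     * is off, the token is accepted without any freshness check. Otherwise the token's own
     * {@code nextUpdate - thisUpdate} interval is used as the maximum freshness; a token without
     * nextUpdate fails.
     *
     * @param revocationToken the revocation data
     * @param date the validation time
     * @return true if fresh (or if the check is disabled)
     */
    protected boolean isRevocationThisUpdateAfterValidationTimeNullConstraint(RevocationToken<?> revocationToken, Date date) {
        if (!this.checkRevocationFreshnessNextUpdate) {
            return true;
        }
        Date nextUpdate = revocationToken.getNextUpdate();
        if (nextUpdate != null) {
            long updateInterval = getDifference(nextUpdate, revocationToken.getThisUpdate());
            return isRevocationThisUpdateAfterValidationTime(revocationToken, date, updateInterval);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("No NextUpdate for revocation data with id '{}'. Revocation Freshness check failed.", revocationToken.getDSSIdAsString());
        }
        return false;
    }

    /** {@code date - date2} in milliseconds, treating a null date as epoch 0. */
    private long getDifference(Date date, Date date2) {
        long first = date == null ? 0L : date.getTime();
        long second = date2 == null ? 0L : date2.getTime();
        return first - second;
    }

    /**
     * Maps a validation context to its configured maximum freshness.
     *
     * @return the configured value, or null when no constraint is set for that context
     * @throws UnsupportedOperationException for a context not listed here
     */
    private Long getMaximumRevocationFreshness(Context context) {
        switch (context) {
            case SIGNATURE:
            case COUNTER_SIGNATURE:
            case CERTIFICATE:
                return this.signatureMaximumRevocationFreshness;
            case TIMESTAMP:
            case EVIDENCE_RECORD:
                return this.timestampMaximumRevocationFreshness;
            case REVOCATION:
                return this.revocationMaximumRevocationFreshness;
            default:
                throw new UnsupportedOperationException(String.format("The provided validation context '%s' is not supported!", context));
        }
    }

    /**
     * Checks that {@code thisUpdate} is strictly after the certificate's last usage time.
     *
     * @param revocationToken the revocation data
     * @param date the last usage time, or null when unknown (then the check passes)
     * @return true if the token was issued after {@code date}, or {@code date} is null
     */
    public boolean isRevocationDataAfterLastCertificateUsage(RevocationToken<?> revocationToken, Date date) {
        if (date == null) {
            return true;
        }
        return isRevocationThisUpdateAfterValidationTime(revocationToken, date, 0L);
    }

}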
