package eu.europa.esig.dss.pki.x509.revocation.crl;

import eu.europa.esig.dss.crl.CRLBinary;
import eu.europa.esig.dss.crl.CRLUtils;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
import eu.europa.esig.dss.enumerations.MaskGenerationFunction;
import eu.europa.esig.dss.enumerations.RevocationOrigin;
import eu.europa.esig.dss.enumerations.SignatureAlgorithm;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.revocation.crl.CRL;
import eu.europa.esig.dss.pki.exception.PKIException;
import eu.europa.esig.dss.pki.model.CertEntity;
import eu.europa.esig.dss.pki.model.CertEntityRepository;
import eu.europa.esig.dss.pki.model.CertEntityRevocation;
import eu.europa.esig.dss.spi.CertificateExtensionsUtils;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.x509.revocation.RevocationSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.spi.x509.revocation.crl.CRLSource;
import eu.europa.esig.dss.spi.x509.revocation.crl.CRLToken;
import eu.europa.esig.dss.utils.Utils;
import java.io.IOException;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/dss-pki-factory-6.0.jar:eu/europa/esig/dss/pki/x509/revocation/crl/PKICRLSource.class */
/**
 * {@link CRLSource} that produces a CRL on demand instead of fetching one.
 *
 * <p>For a queried certificate, the source resolves a CRL-issuing {@link CertEntity}
 * (either the one set explicitly via {@link #setCrlIssuer(CertEntity)} or the entity
 * found in the {@link CertEntityRepository} for the certificate's issuer), reads that
 * entity's revocation list from the repository, builds an X.509 v2 CRL with BouncyCastle
 * and signs it with the entity's private key. The signature algorithm is derived from
 * the issuer's key algorithm together with the configured digest algorithm (default
 * SHA-256) and optional mask generation function.
 *
 * <p>A CRL is only generated for certificates that carry at least one CRL distribution
 * point; for any other certificate {@code null} is returned. {@code thisUpdate} defaults to
 * the current time when not set; {@code nextUpdate} is omitted from the CRL when not set.
 *
 * <p>The setters write plain fields without synchronization, so an instance should be
 * fully configured before it is shared between threads.
 */
public class PKICRLSource implements CRLSource, RevocationSource<CRL> {

    private static final long serialVersionUID = 6912729291417315212L;

    private static final Logger LOG = LoggerFactory.getLogger(PKICRLSource.class);

    /**
     * Repository the CRL issuer and its revocation entries are read from.
     * Kept as a raw type to match the repository's own generic signature as compiled.
     */
    private final CertEntityRepository certEntityRepository;

    /** Explicitly configured CRL issuer; when {@code null} the issuer is looked up per request. */
    private CertEntity crlIssuer;

    /** Value of the CRL's {@code thisUpdate} field; {@code null} means "now" at generation time. */
    private Date thisUpdate;

    /** Value of the CRL's {@code nextUpdate} field; {@code null} means the field is not written. */
    private Date nextUpdate;

    /** Digest algorithm used for the CRL signature. */
    private DigestAlgorithm digestAlgorithm = DigestAlgorithm.SHA256;

    /**
     * Optional override of the signature's encryption algorithm; when set it must be
     * equivalent to the issuer key's algorithm, otherwise generation fails.
     */
    private EncryptionAlgorithm encryptionAlgorithm;

    /** Optional mask generation function (e.g. for RSA-PSS) used for the CRL signature. */
    private MaskGenerationFunction maskGenerationFunction;

    /**
     * Creates a source that resolves the CRL issuer from the repository on each request.
     *
     * @param certEntityRepository repository holding the PKI entities and their revocation state
     * @throws NullPointerException if {@code certEntityRepository} is {@code null}
     */
    public PKICRLSource(CertEntityRepository<? extends CertEntity> certEntityRepository) {
        Objects.requireNonNull(certEntityRepository, "Certificate repository shall be provided!");
        this.certEntityRepository = certEntityRepository;
    }

    /**
     * Creates a source with a fixed CRL issuer.
     *
     * @param certEntityRepository repository holding the PKI entities and their revocation state
     * @param certEntity           entity whose key signs every generated CRL
     * @throws NullPointerException if {@code certEntityRepository} is {@code null}
     */
    public PKICRLSource(CertEntityRepository<? extends CertEntity> certEntityRepository, CertEntity certEntity) {
        this(certEntityRepository);
        this.crlIssuer = certEntity;
    }

    /**
     * @return the configured {@code nextUpdate}, or {@code null} if none was set
     */
    public Date getNextUpdate() {
        return this.nextUpdate;
    }

    /**
     * Sets the CRL's {@code nextUpdate}; pass {@code null} to leave the field out of the CRL.
     *
     * @param date the next update time
     */
    public void setNextUpdate(Date date) {
        this.nextUpdate = date;
    }

    /**
     * @return the configured {@code thisUpdate}, or the current time if none was set
     */
    protected Date getThisUpdate() {
        Date configured = this.thisUpdate;
        if (configured != null) {
            return configured;
        }
        return new Date();
    }

    /**
     * Sets the CRL's {@code thisUpdate}; pass {@code null} to use the generation time.
     *
     * @param date the this-update time
     */
    public void setThisUpdate(Date date) {
        this.thisUpdate = date;
    }

    /**
     * @param digestAlgorithm digest algorithm for the CRL signature (default SHA-256)
     */
    public void setDigestAlgorithm(DigestAlgorithm digestAlgorithm) {
        this.digestAlgorithm = digestAlgorithm;
    }

    /**
     * Overrides the encryption algorithm of the CRL signature. The value must be equivalent
     * to the issuer key's algorithm; otherwise {@link #getSignatureAlgorithm(CertEntity)} throws.
     *
     * @param encryptionAlgorithm the encryption algorithm, or {@code null} to derive it from the issuer key
     */
    public void setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm) {
        this.encryptionAlgorithm = encryptionAlgorithm;
    }

    /**
     * @param maskGenerationFunction mask generation function for the CRL signature, or {@code null}
     */
    public void setMaskGenerationFunction(MaskGenerationFunction maskGenerationFunction) {
        this.maskGenerationFunction = maskGenerationFunction;
    }

    /**
     * Resolves the entity that signs the CRL for the given certificate.
     *
     * <p>An explicitly configured issuer wins; otherwise the repository is queried with the
     * certificate's issuer token. The first parameter is not used by this implementation and
     * is present so that subclasses can choose the issuer per certificate.
     *
     * @param certificateToken  certificate whose revocation status is requested (unused here)
     * @param certificateToken2 issuer of that certificate, used for the repository lookup
     * @return the CRL issuer entity, never {@code null}
     * @throws PKIException if no issuer is configured and the repository has no entity for the issuer token
     */
    protected CertEntity getCrlIssuer(CertificateToken certificateToken, CertificateToken certificateToken2) {
        if (this.crlIssuer != null) {
            return this.crlIssuer;
        }
        CertEntity fromRepository = this.certEntityRepository.getByCertificateToken(certificateToken2);
        if (fromRepository == null) {
            throw new PKIException(String.format("CertEntity for certificate token with Id '%s' not found in the repository! Provide a valid issuer or use #setCrlIssuer method to set a custom issuer.", certificateToken2.getDSSIdAsString()));
        }
        return fromRepository;
    }

    /**
     * @param certEntity entity that signs every generated CRL, or {@code null} to resolve it per request
     */
    public void setCrlIssuer(CertEntity certEntity) {
        this.crlIssuer = certEntity;
    }

    /**
     * Generates a CRL for the given certificate and wraps it in a {@link CRLToken}.
     *
     * <p>Returns {@code null} when the certificate declares no CRL distribution point
     * (see {@link #canGenerate(CertificateToken, CertificateToken)}). The token is marked
     * with {@link RevocationOrigin#EXTERNAL}.
     *
     * @param certificateToken  certificate whose revocation status is requested
     * @param certificateToken2 issuer of that certificate
     * @return a freshly generated CRL token, or {@code null} if no CRL can be generated
     * @throws NullPointerException if either token is {@code null}
     * @throws PKIException         if issuer resolution, CRL generation or validity building fails
     */
    // Method name as emitted by the decompiler; the dump notes it was renamed from getRevocationToken.
    @Override
    public RevocationToken<CRL> getRevocationToken2(CertificateToken certificateToken, CertificateToken certificateToken2) {
        Objects.requireNonNull(certificateToken, "Certificate cannot be null!");
        Objects.requireNonNull(certificateToken2, "The issuer of the certificate to be verified cannot be null!");
        LOG.trace("--> PKICRLSource queried for {}", certificateToken.getDSSIdAsString());
        if (!canGenerate(certificateToken, certificateToken2)) {
            return null;
        }
        try {
            CertEntity issuer = getCrlIssuer(certificateToken, certificateToken2);
            CRLBinary crlBinary = generateCRL(issuer);
            CRLToken token = new CRLToken(certificateToken, CRLUtils.buildCRLValidity(crlBinary, certificateToken2));
            token.setExternalOrigin(RevocationOrigin.EXTERNAL);
            return token;
        } catch (Exception e) {
            // Any failure (issuer lookup, signing, encoding, validity building) is reported as a PKIException with the cause kept.
            throw new PKIException(String.format("Unable to build a CRL for certificate with Id '%s'. Reason : %s", certificateToken.getDSSIdAsString(), e.getMessage()), e);
        }
    }

    /**
     * Decides whether a CRL should be generated for the certificate: only when the
     * certificate contains at least one CRL distribution point URL.
     *
     * @param certificateToken  certificate whose revocation status is requested
     * @param certificateToken2 issuer of that certificate (unused here)
     * @return {@code true} if the certificate has a CRL access URL
     */
    protected boolean canGenerate(CertificateToken certificateToken, CertificateToken certificateToken2) {
        boolean hasCrlLocation = !Utils.isCollectionEmpty(CertificateExtensionsUtils.getCRLAccessUrls(certificateToken));
        if (!hasCrlLocation) {
            LOG.debug("No CRL location found for {}", certificateToken.getDSSIdAsString());
        }
        return hasCrlLocation;
    }

    /**
     * Builds and signs a CRL for the given issuer entity.
     *
     * <p>The CRL's issuer name is the subject of the entity's certificate; {@code thisUpdate}
     * comes from {@link #getThisUpdate()}, {@code nextUpdate} from {@link #getNextUpdate()} when
     * non-null. Entries are taken from the repository's revocation list for the entity and
     * the CRL is signed with the entity's private key.
     *
     * @param certEntity the CRL issuer
     * @return the DER-encoded CRL
     * @throws IOException               if the CRL cannot be encoded
     * @throws OperatorCreationException if the content signer cannot be created
     */
    protected CRLBinary generateCRL(CertEntity certEntity) throws IOException, OperatorCreationException {
        X509CertificateHolder issuerHolder = DSSASN1Utils.getX509CertificateHolder(certEntity.getCertificateToken());
        Map<CertEntity, CertEntityRevocation> revocations = this.certEntityRepository.getRevocationList(certEntity);
        SignatureAlgorithm signatureAlgorithm = getSignatureAlgorithm(certEntity);

        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerHolder.getSubject(), getThisUpdate());
        Date next = getNextUpdate();
        if (next != null) {
            crlBuilder.setNextUpdate(next);
        }
        addRevocationsToCRL(crlBuilder, revocations);

        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm.getJCEId());
        byte[] encodedCrl = crlBuilder.build(signerBuilder.build(certEntity.getPrivateKey())).getEncoded();
        return new CRLBinary(encodedCrl);
    }

    /**
     * Derives the CRL signature algorithm from the issuer key and this source's settings.
     *
     * <p>When no encryption algorithm was configured, the issuer entity's own algorithm is used.
     * A configured algorithm must be equivalent to the issuer's, since the CRL is signed with
     * the issuer's private key.
     *
     * @param certEntity the CRL issuer
     * @return the signature algorithm combining encryption algorithm, digest and MGF
     * @throws IllegalArgumentException if the configured encryption algorithm is not equivalent to the issuer's
     */
    protected SignatureAlgorithm getSignatureAlgorithm(CertEntity certEntity) {
        EncryptionAlgorithm configured = this.encryptionAlgorithm;
        EncryptionAlgorithm effective;
        if (configured == null) {
            effective = certEntity.getEncryptionAlgorithm();
        } else {
            if (!configured.isEquivalent(certEntity.getEncryptionAlgorithm())) {
                throw new IllegalArgumentException(String.format("Defined EncryptionAlgorithm '%s' is not equivalent to the one returned by CRL Issuer '%s'", configured, certEntity.getEncryptionAlgorithm()));
            }
            effective = configured;
        }
        return SignatureAlgorithm.getAlgorithm(effective, this.digestAlgorithm, this.maskGenerationFunction);
    }

    /**
     * Adds one CRL entry per revoked entity: the serial number of the entity's certificate,
     * the revocation date and the numeric revocation reason. An empty or {@code null} map adds nothing.
     *
     * @param x509v2CRLBuilder builder receiving the entries
     * @param map              revoked entities mapped to their revocation details
     */
    protected void addRevocationsToCRL(X509v2CRLBuilder x509v2CRLBuilder, Map<CertEntity, CertEntityRevocation> map) {
        if (!Utils.isMapNotEmpty(map)) {
            return;
        }
        for (Map.Entry<CertEntity, CertEntityRevocation> entry : map.entrySet()) {
            X509CertificateHolder revokedHolder = DSSASN1Utils.getX509CertificateHolder(entry.getKey().getCertificateToken());
            CertEntityRevocation revocation = entry.getValue();
            x509v2CRLBuilder.addCRLEntry(revokedHolder.getSerialNumber(), revocation.getRevocationDate(), revocation.getRevocationReason().getValue());
        }
    }
}
