package eu.europa.esig.dss.pki.x509.revocation.ocsp;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
import eu.europa.esig.dss.enumerations.MaskGenerationFunction;
import eu.europa.esig.dss.enumerations.RevocationOrigin;
import eu.europa.esig.dss.enumerations.SignatureAlgorithm;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP;
import eu.europa.esig.dss.pki.exception.PKIException;
import eu.europa.esig.dss.pki.model.CertEntity;
import eu.europa.esig.dss.pki.model.CertEntityRepository;
import eu.europa.esig.dss.pki.model.CertEntityRevocation;
import eu.europa.esig.dss.spi.CertificateExtensionsUtils;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPSource;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;
import eu.europa.esig.dss.utils.Utils;
import java.util.Date;
import java.util.Objects;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import org.bouncycastle.cert.ocsp.Req;
import org.bouncycastle.cert.ocsp.RespID;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/dss-pki-factory-6.1.jar:eu/europa/esig/dss/pki/x509/revocation/ocsp/PKIOCSPSource.class */
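/**
 * {@link OCSPSource} that answers OCSP queries locally from a {@link CertEntityRepository} instead of
 * contacting a network responder. For each queried certificate it builds the OCSP request itself,
 * looks the revocation state up in the repository, and signs a {@link BasicOCSPResp} with the private
 * key of the responder entity (the issuer of the queried certificate unless a custom responder is set).
 * <p>
 * Intended for PKI test factories: the producedAt / thisUpdate / nextUpdate times, the digest and
 * encryption algorithms and the responder-id form are all configurable so that arbitrary responses
 * (including back-dated or expired ones) can be produced on purpose.
 * <p>
 * Instances are mutable through their setters; configure an instance fully before handing it to
 * concurrent callers.
 */
public class PKIOCSPSource implements OCSPSource {

    private static final long serialVersionUID = 346675613204623498L;

    private static final Logger LOG = LoggerFactory.getLogger(PKIOCSPSource.class);

    /** Source of certificate entities (keys, chains) and of their revocation state. */
    protected final CertEntityRepository certEntityRepository;

    /** Explicit responder; when {@code null} the issuer's entity is looked up in the repository. */
    private CertEntity ocspResponder;

    /** Value of the {@code producedAt} field; {@code null} means "now" at generation time. */
    private Date producedAt;

    /** Value of the {@code thisUpdate} field; {@code null} means "now" at generation time. */
    private Date thisUpdate;

    /** Value of the {@code nextUpdate} field; may stay {@code null}. */
    private Date nextUpdate;

    /** Digest used for the request CertID and for the response signature. Default SHA-512. */
    private DigestAlgorithm digestAlgorithm;

    /** Signature encryption algorithm; {@code null} means "whatever the responder key uses". */
    private EncryptionAlgorithm encryptionAlgorithm;

    /** {@code true} builds the ResponderID as byKey (key hash), {@code false} as byName. Default true. */
    private boolean responderIdByKey;

    /**
     * Creates a source whose responder is resolved from the repository (the issuer's entity).
     *
     * @param certEntityRepository repository holding the certificate entities and revocation data
     * @throws NullPointerException if {@code certEntityRepository} is {@code null}
     */
    public PKIOCSPSource(CertEntityRepository<? extends CertEntity> certEntityRepository) {
        this.digestAlgorithm = DigestAlgorithm.SHA512;
        this.responderIdByKey = true;
        Objects.requireNonNull(certEntityRepository, "Certificate repository shall be provided!");
        this.certEntityRepository = certEntityRepository;
    }

    /**
     * Creates a source that signs every response with the given responder entity.
     *
     * @param certEntityRepository repository holding the certificate entities and revocation data
     * @param certEntity           entity whose key and chain sign the responses; {@code null} falls back
     *                             to the issuer lookup
     * @throws NullPointerException if {@code certEntityRepository} is {@code null}
     */
    public PKIOCSPSource(CertEntityRepository<? extends CertEntity> certEntityRepository, CertEntity certEntity) {
        this(certEntityRepository);
        this.ocspResponder = certEntity;
    }

    /**
     * @return the configured {@code producedAt} time, or a fresh "now" when none was configured
     */
    protected Date getProducedAtTime() {
        return this.producedAt == null ? new Date() : this.producedAt;
    }

    /**
     * Sets the {@code producedAt} time of generated responses. When no {@code thisUpdate} has been
     * configured yet it is initialised to the same value, so both fields agree by default.
     *
     * @param date production time to write, or {@code null} to use the current time
     */
    public void setProducedAtTime(Date date) {
        this.producedAt = date;
        if (this.thisUpdate == null) {
            this.thisUpdate = date;
        }
    }

    /**
     * @return the configured {@code thisUpdate} time, or a fresh "now" when none was configured
     */
    protected Date getThisUpdate() {
        return this.thisUpdate == null ? new Date() : this.thisUpdate;
    }

    /**
     * @param date {@code thisUpdate} time of the single responses, or {@code null} to use the current time
     */
    public void setThisUpdate(Date date) {
        this.thisUpdate = date;
    }

    /**
     * @return the configured {@code nextUpdate} time; may be {@code null}
     */
    protected Date getNextUpdate() {
        return this.nextUpdate;
    }

    /**
     * @param date {@code nextUpdate} time of the single responses; may be {@code null}
     */
    public void setNextUpdate(Date date) {
        this.nextUpdate = date;
    }

    /**
     * @param digestAlgorithm digest used both for the request CertID and for the response signature
     */
    public void setDigestAlgorithm(DigestAlgorithm digestAlgorithm) {
        this.digestAlgorithm = digestAlgorithm;
    }

    /**
     * @param encryptionAlgorithm signature encryption algorithm; must be equivalent to the responder
     *                            key's algorithm, see {@link #getSignatureAlgorithm(CertEntity)}
     */
    public void setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm) {
        this.encryptionAlgorithm = encryptionAlgorithm;
    }

    /**
     * Legacy switch between RSA and RSASSA-PSS expressed through the mask generation function.
     * Only toggles when the current encryption algorithm is RSA or RSASSA-PSS; otherwise it is a no-op.
     *
     * @param maskGenerationFunction {@code MGF1} selects RSASSA-PSS, {@code null} selects plain RSA
     * @deprecated set {@link EncryptionAlgorithm#RSASSA_PSS} or {@link EncryptionAlgorithm#RSA} via
     *             {@link #setEncryptionAlgorithm(EncryptionAlgorithm)} instead
     */
    @Deprecated
    public void setMaskGenerationFunction(MaskGenerationFunction maskGenerationFunction) {
        if (EncryptionAlgorithm.RSASSA_PSS == this.encryptionAlgorithm && maskGenerationFunction == null) {
            setEncryptionAlgorithm(EncryptionAlgorithm.RSA);
        } else if (EncryptionAlgorithm.RSA == this.encryptionAlgorithm && MaskGenerationFunction.MGF1 == maskGenerationFunction) {
            setEncryptionAlgorithm(EncryptionAlgorithm.RSASSA_PSS);
        }
    }

    /**
     * @param z {@code true} for a ResponderID byKey (SHA-1 key hash), {@code false} for byName
     */
    public void setResponderIdByKey(boolean z) {
        this.responderIdByKey = z;
    }

    /**
     * Resolves the entity that signs the response: the explicitly configured responder if any,
     * otherwise the repository entry matching the issuer certificate.
     *
     * @param certificateToken  certificate being queried (not used for the lookup; kept for subclasses)
     * @param certificateToken2 issuer of the queried certificate
     * @return the responder entity, never {@code null}
     * @throws PKIException if no responder is configured and the issuer is unknown to the repository
     */
    protected CertEntity getOcspResponder(CertificateToken certificateToken, CertificateToken certificateToken2) {
        if (this.ocspResponder != null) {
            return this.ocspResponder;
        }
        CertEntity issuerEntity = this.certEntityRepository.getByCertificateToken(certificateToken2);
        if (issuerEntity == null) {
            throw new PKIException(String.format("CertEntity for certificate token with Id '%s' not found in the repository! Provide a valid issuer or use #setOcspResponder method to set a custom OCSP responder.", certificateToken2.getDSSIdAsString()));
        }
        return issuerEntity;
    }

    /**
     * @param certEntity entity whose key and chain sign subsequent responses; {@code null} restores
     *                   the issuer lookup
     */
    public void setOcspResponder(CertEntity certEntity) {
        this.ocspResponder = certEntity;
    }

    /**
     * Generates and returns an OCSP token for the given certificate.
     * <p>
     * The token is tagged with {@link RevocationOrigin#EXTERNAL} so that downstream validation treats
     * it exactly like a response fetched from a real responder.
     *
     * @param certificateToken  certificate to check
     * @param certificateToken2 its issuer
     * @return the generated token, or {@code null} when {@link #canGenerate} rejects the certificate
     * @throws NullPointerException if either argument is {@code null}
     * @throws PKIException         if the response cannot be built or parsed
     */
    @Override // eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPSource, eu.europa.esig.dss.spi.x509.revocation.RevocationSource
    /* renamed from: getRevocationToken, reason: merged with bridge method [inline-methods] */
    public RevocationToken<OCSP> getRevocationToken2(CertificateToken certificateToken, CertificateToken certificateToken2) {
        Objects.requireNonNull(certificateToken, "Certificate cannot be null!");
        Objects.requireNonNull(certificateToken2, "The issuer of the certificate to be verified cannot be null!");
        LOG.trace("--> PKIOCSPSource queried for {}", certificateToken.getDSSIdAsString());
        if (!canGenerate(certificateToken, certificateToken2)) {
            return null;
        }
        try {
            OCSPReq request = buildOCSPRequest(certificateToken, certificateToken2);
            OCSPResp response = buildOCSPResponse(certificateToken, certificateToken2, request);
            BasicOCSPResp basicOCSPResp = (BasicOCSPResp) response.getResponseObject();
            OCSPToken oCSPToken = new OCSPToken(basicOCSPResp,
                    DSSRevocationUtils.getLatestSingleResponse(basicOCSPResp, certificateToken, certificateToken2),
                    certificateToken, certificateToken2);
            oCSPToken.setExternalOrigin(RevocationOrigin.EXTERNAL);
            return oCSPToken;
        } catch (OCSPException e) {
            throw new PKIException(String.format("Unable to build an OCSP response for certificate with Id '%s'. Reason : %s", certificateToken.getDSSIdAsString(), e.getMessage()), e);
        }
    }

    /**
     * Decides whether a response should be generated at all. Mirrors a real deployment: only
     * certificates advertising an OCSP access location (AIA extension) get an OCSP answer.
     *
     * @param certificateToken  certificate to check
     * @param certificateToken2 its issuer (unused here; available to overriding subclasses)
     * @return {@code true} if the certificate carries at least one OCSP access URL
     */
    protected boolean canGenerate(CertificateToken certificateToken, CertificateToken certificateToken2) {
        if (!Utils.isCollectionEmpty(CertificateExtensionsUtils.getOCSPAccessUrls(certificateToken))) {
            return true;
        }
        LOG.debug("No OCSP location found for {}", certificateToken.getDSSIdAsString());
        return false;
    }

    /**
     * Builds a successful, signed OCSP response answering {@code oCSPReq}.
     *
     * @param certificateToken  certificate being queried
     * @param certificateToken2 its issuer
     * @param oCSPReq           request whose first entry is answered
     * @return the DER-encodable response with status {@link OCSPRespBuilder#SUCCESSFUL}
     * @throws PKIException if the responder key cannot be used or the response cannot be assembled
     */
    protected OCSPResp buildOCSPResponse(CertificateToken certificateToken, CertificateToken certificateToken2, OCSPReq oCSPReq) {
        try {
            CertEntity ocspResponder = getOcspResponder(certificateToken, certificateToken2);
            BasicOCSPRespBuilder respBuilder = initBuilder(ocspResponder.getCertificateToken());
            addRevocationStatusToOCSPResponse(respBuilder, oCSPReq, getCertificateTokenRevocation(certificateToken, oCSPReq));

            String jceSignatureId = getSignatureAlgorithm(ocspResponder).getJCEId();
            // The whole responder chain is embedded so that relying parties can build a path to the trust anchor.
            X509CertificateHolder[] responderChain = ocspResponder.getCertificateChain().stream()
                    .map(DSSASN1Utils::getX509CertificateHolder)
                    .toArray(X509CertificateHolder[]::new);
            BasicOCSPResp basicResp = respBuilder.build(
                    new JcaContentSignerBuilder(jceSignatureId).build(ocspResponder.getPrivateKey()),
                    responderChain, getProducedAtTime());
            // Named constant instead of the bare 0 the bytecode carries: responseStatus = successful.
            return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicResp);
        } catch (OCSPException | OperatorCreationException e) {
            throw new PKIException(String.format("Unable to generate the OCSP Response. Reason: %s", e.getMessage()), e);
        }
    }

    /**
     * Looks up the revocation record of the queried certificate.
     *
     * @param certificateToken certificate being queried
     * @param oCSPReq          the request (unused here; available to overriding subclasses)
     * @return the revocation record, or {@code null} when the repository reports none
     * @throws PKIException if the certificate itself is unknown to the repository
     */
    protected CertEntityRevocation getCertificateTokenRevocation(CertificateToken certificateToken, OCSPReq oCSPReq) {
        CertEntity entity = this.certEntityRepository.getByCertificateToken(certificateToken);
        if (entity == null) {
            throw new PKIException(String.format("CertEntity for certificate token with Id '%s' not found in the repository!", certificateToken.getDSSIdAsString()));
        }
        return this.certEntityRepository.getRevocation(entity);
    }

    /**
     * Adds the single response for the first request entry: GOOD when there is no revocation record
     * (or the record has no date), REVOKED with the record's date and reason otherwise.
     * Only the first {@link Req} is answered; additional entries in the request are ignored.
     *
     * @param basicOCSPRespBuilder builder receiving the single response
     * @param oCSPReq              request to answer
     * @param certEntityRevocation revocation record, or {@code null} for a non-revoked certificate
     * @throws NullPointerException  if {@code oCSPReq} is {@code null}
     * @throws IllegalStateException if the request holds no entries
     */
    protected void addRevocationStatusToOCSPResponse(BasicOCSPRespBuilder basicOCSPRespBuilder, OCSPReq oCSPReq, CertEntityRevocation certEntityRevocation) {
        Objects.requireNonNull(oCSPReq, "OCSPReq cannot be null!");
        Req[] requests = oCSPReq.getRequestList();
        if (Utils.isArrayEmpty(requests)) {
            throw new IllegalStateException("OCSPReq list cannot be empty!");
        }
        Req req = requests[0];
        if (certEntityRevocation == null || certEntityRevocation.getRevocationDate() == null) {
            basicOCSPRespBuilder.addResponse(req.getCertID(), CertificateStatus.GOOD, getThisUpdate(), getNextUpdate());
            return;
        }
        Date revocationDate = certEntityRevocation.getRevocationDate();
        // The reason is optional in RevokedInfo (RFC 6960); a record without one must not NPE here.
        RevokedStatus revokedStatus = certEntityRevocation.getRevocationReason() == null
                ? new RevokedStatus(revocationDate)
                : new RevokedStatus(revocationDate, certEntityRevocation.getRevocationReason().getValue());
        basicOCSPRespBuilder.addResponse(req.getCertID(), revokedStatus, getThisUpdate(), getNextUpdate());
    }

    /**
     * Resolves the signature algorithm from the configured encryption algorithm (or, when none is
     * configured, the responder key's algorithm) and the configured digest algorithm.
     *
     * @param certEntity responder entity whose key signs the response
     * @return the signature algorithm to use
     * @throws IllegalArgumentException if the configured encryption algorithm does not match the responder
     *                                  key, or the encryption/digest pair has no known signature algorithm
     */
    protected SignatureAlgorithm getSignatureAlgorithm(CertEntity certEntity) {
        EncryptionAlgorithm encryptionAlgorithm = this.encryptionAlgorithm;
        if (encryptionAlgorithm == null) {
            encryptionAlgorithm = certEntity.getEncryptionAlgorithm();
        } else if (!encryptionAlgorithm.isEquivalent(certEntity.getEncryptionAlgorithm())) {
            throw new IllegalArgumentException(String.format("Defined EncryptionAlgorithm '%s' is not equivalent to the one returned by OCSP Issuer '%s'", encryptionAlgorithm, certEntity.getEncryptionAlgorithm()));
        }
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getAlgorithm(encryptionAlgorithm, this.digestAlgorithm);
        // Guard against an unsupported pair so the failure names the algorithms instead of surfacing as an NPE on getJCEId().
        if (signatureAlgorithm == null) {
            throw new IllegalArgumentException(String.format("No SignatureAlgorithm available for EncryptionAlgorithm '%s' and DigestAlgorithm '%s'", encryptionAlgorithm, this.digestAlgorithm));
        }
        return signatureAlgorithm;
    }

    /**
     * @param certificateToken responder certificate identified in the response
     * @return a builder carrying the ResponderID for that certificate
     * @throws OperatorCreationException if the key-hash digest calculator cannot be created
     * @throws OCSPException             if the ResponderID cannot be built
     */
    protected BasicOCSPRespBuilder initBuilder(CertificateToken certificateToken) throws OperatorCreationException, OCSPException {
        return new BasicOCSPRespBuilder(getRespID(certificateToken));
    }

    /**
     * Builds the ResponderID, either byKey or byName depending on {@link #setResponderIdByKey(boolean)}.
     *
     * @param certificateToken responder certificate
     * @return the ResponderID
     * @throws OperatorCreationException if the SHA-1 digest calculator cannot be created
     * @throws OCSPException             if the ResponderID cannot be built
     */
    protected RespID getRespID(CertificateToken certificateToken) throws OperatorCreationException, OCSPException {
        X509CertificateHolder holder = DSSASN1Utils.getX509CertificateHolder(certificateToken);
        if (!this.responderIdByKey) {
            return new RespID(holder.getSubject());
        }
        // SHA-1 is deliberate and not configurable: RFC 6960 defines KeyHash as the SHA-1 hash of the
        // responder's public key (BIT STRING value), independent of the digest used elsewhere.
        return new RespID(holder.getSubjectPublicKeyInfo(),
                new BcDigestCalculatorProvider().get(DSSASN1Utils.getAlgorithmIdentifier(DigestAlgorithm.SHA1)));
    }

    /**
     * Builds a single-entry OCSP request whose CertID uses the configured digest algorithm.
     * No nonce or other extensions are added.
     *
     * @param certificateToken  certificate to query
     * @param certificateToken2 its issuer
     * @return the request
     * @throws PKIException if the request cannot be assembled
     */
    protected OCSPReq buildOCSPRequest(CertificateToken certificateToken, CertificateToken certificateToken2) {
        try {
            OCSPReqBuilder reqBuilder = new OCSPReqBuilder();
            reqBuilder.addRequest(DSSRevocationUtils.getOCSPCertificateID(certificateToken, certificateToken2, this.digestAlgorithm));
            return reqBuilder.build();
        } catch (OCSPException e) {
            throw new PKIException("Cannot build OCSP Request", e);
        }
    }

}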
