package eu.europa.esig.dss.validation.process.bbb.xcv.sub.checks;

import eu.europa.esig.dss.detailedreport.jaxb.XmlSubXCV;
import eu.europa.esig.dss.diagnostic.CertificateWrapper;
import eu.europa.esig.dss.diagnostic.jaxb.XmlGeneralName;
import eu.europa.esig.dss.diagnostic.jaxb.XmlGeneralSubtree;
import eu.europa.esig.dss.enumerations.GeneralNameType;
import eu.europa.esig.dss.enumerations.Indication;
import eu.europa.esig.dss.enumerations.SubIndication;
import eu.europa.esig.dss.i18n.I18nProvider;
import eu.europa.esig.dss.i18n.MessageTag;
import eu.europa.esig.dss.policy.jaxb.LevelConstraint;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.process.ChainItem;
import eu.europa.esig.dss.validation.process.ValidationProcessUtils;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/validation-policy-6.0.jar:eu/europa/esig/dss/validation/process/bbb/xcv/sub/checks/CertificateNameConstraintsCheck.class */
public class CertificateNameConstraintsCheck extends ChainItem<XmlSubXCV> {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) CertificateNameConstraintsCheck.class);
    private final CertificateWrapper certificate;

    public CertificateNameConstraintsCheck(I18nProvider i18nProvider, XmlSubXCV xmlSubXCV, CertificateWrapper certificateWrapper, LevelConstraint levelConstraint) {
        super(i18nProvider, xmlSubXCV, levelConstraint);
        this.certificate = certificateWrapper;
    }

    @Override // eu.europa.esig.dss.validation.process.ChainItem
    protected boolean process() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(this.certificate);
        arrayList.addAll(this.certificate.getCertificateChain());
        Map<GeneralNameType, Set<XmlGeneralName>> map = null;
        Map<GeneralNameType, Set<XmlGeneralName>> map2 = null;
        for (int size = arrayList.size() - 1; size > -1; size--) {
            CertificateWrapper certificateWrapper = (CertificateWrapper) arrayList.get(size);
            if (size == 0) {
                String certificateDN = certificateWrapper.getCertificateDN();
                List<XmlGeneralName> subjectAlternativeNames = certificateWrapper.getSubjectAlternativeNames();
                if (!containsRFC822SubjectAlternativeName(subjectAlternativeNames)) {
                    subjectAlternativeNames.addAll(getEmailAddressDNIfPresent(certificateDN));
                }
                if (map != null) {
                    Set<XmlGeneralName> set = map.get(GeneralNameType.DIRECTORY_NAME);
                    if (set != null && !isWithinDNSubtrees(certificateDN, set)) {
                        return false;
                    }
                    for (XmlGeneralName xmlGeneralName : subjectAlternativeNames) {
                        Set<XmlGeneralName> set2 = map.get(xmlGeneralName.getType());
                        if (set2 != null && !isWithinSubtrees(xmlGeneralName, set2)) {
                            return false;
                        }
                    }
                }
                if (map2 != null) {
                    Set<XmlGeneralName> set3 = map2.get(GeneralNameType.DIRECTORY_NAME);
                    if (set3 != null && isWithinDNSubtrees(certificateDN, set3)) {
                        return false;
                    }
                    for (XmlGeneralName xmlGeneralName2 : subjectAlternativeNames) {
                        Set<XmlGeneralName> set4 = map2.get(xmlGeneralName2.getType());
                        if (set4 != null && isWithinSubtrees(xmlGeneralName2, set4)) {
                            return false;
                        }
                    }
                }
            }
            Map<GeneralNameType, Set<XmlGeneralName>> xmlGeneralNameMap = toXmlGeneralNameMap(certificateWrapper.getPermittedSubtrees());
            Map<GeneralNameType, Set<XmlGeneralName>> xmlGeneralNameMap2 = toXmlGeneralNameMap(certificateWrapper.getExcludedSubtrees());
            if (xmlGeneralNameMap != null) {
                map = map != null ? intersectNew(map, xmlGeneralNameMap) : xmlGeneralNameMap;
            }
            if (xmlGeneralNameMap2 != null) {
                map2 = map2 != null ? unionNew(map2, xmlGeneralNameMap2) : xmlGeneralNameMap2;
            }
        }
        return true;
    }

    private boolean containsRFC822SubjectAlternativeName(List<XmlGeneralName> list) {
        return Utils.isCollectionNotEmpty(list) && list.stream().anyMatch(xmlGeneralName -> {
            return GeneralNameType.RFC822_NAME.equals(xmlGeneralName.getType());
        });
    }

    private Set<XmlGeneralName> getEmailAddressDNIfPresent(String str) {
        Set<String> set = toDNMap(str).get("1.2.840.113549.1.9.1");
        HashSet hashSet = new HashSet();
        if (set != null) {
            for (String str2 : set) {
                XmlGeneralName xmlGeneralName = new XmlGeneralName();
                xmlGeneralName.setType(GeneralNameType.RFC822_NAME);
                xmlGeneralName.setValue(str2);
                hashSet.add(xmlGeneralName);
            }
        }
        return hashSet;
    }

    private Map<String, Set<String>> toDNMap(String str) {
        if (Utils.isStringEmpty(str)) {
            return Collections.emptyMap();
        }
        HashMap hashMap = new HashMap();
        int indexOf = str.indexOf(44);
        int i = 0;
        while (indexOf >= 0) {
            if (indexOf > 0 && str.charAt(indexOf - 1) != '\\') {
                Map.Entry<String, String> rdn = getRDN(str.substring(i, indexOf));
                if (rdn != null) {
                    enrichMap(hashMap, rdn.getKey(), rdn.getValue());
                }
                i = indexOf + 1;
            }
            indexOf = str.indexOf(44, indexOf + 1);
        }
        Map.Entry<String, String> rdn2 = getRDN(str.substring(i));
        if (rdn2 != null) {
            enrichMap(hashMap, rdn2.getKey(), rdn2.getValue());
        }
        return hashMap;
    }

    private void enrichMap(Map<String, Set<String>> map, String str, String str2) {
        map.computeIfAbsent(str, str3 -> {
            return new HashSet();
        }).add(str2);
    }

    private Map.Entry<String, String> getRDN(String str) {
        int indexOf = str.indexOf(61);
        if (indexOf >= 0 && str.length() >= indexOf + 1) {
            return new AbstractMap.SimpleEntry(str.substring(0, indexOf), str.substring(indexOf + 1));
        }
        if (!LOG.isDebugEnabled()) {
            return null;
        }
        LOG.debug("Unable to build an RDN for string '{}'! Not a DN.", str);
        return null;
    }

    private boolean isWithinSubtrees(XmlGeneralName xmlGeneralName, Set<XmlGeneralName> set) {
        Iterator<XmlGeneralName> it = set.iterator();
        while (it.hasNext()) {
            if (isWithinSubtree(xmlGeneralName, it.next())) {
                return true;
            }
        }
        return false;
    }

    private boolean isWithinDNSubtrees(String str, Set<XmlGeneralName> set) {
        if (Utils.isStringEmpty(str) && Utils.isCollectionEmpty(set)) {
            return true;
        }
        Iterator<XmlGeneralName> it = set.iterator();
        while (it.hasNext()) {
            if (isWithinDNSubtree(str, it.next().getValue())) {
                return true;
            }
        }
        return false;
    }

    private Map<GeneralNameType, Set<XmlGeneralName>> toXmlGeneralNameMap(Collection<XmlGeneralSubtree> collection) {
        if (Utils.isCollectionEmpty(collection)) {
            return null;
        }
        EnumMap enumMap = new EnumMap(GeneralNameType.class);
        for (XmlGeneralSubtree xmlGeneralSubtree : collection) {
            ((Set) enumMap.computeIfAbsent(xmlGeneralSubtree.getType(), generalNameType -> {
                return new HashSet();
            })).add(xmlGeneralSubtree);
        }
        return enumMap;
    }

    private Map<GeneralNameType, Set<XmlGeneralName>> intersectNew(Map<GeneralNameType, Set<XmlGeneralName>> map, Map<GeneralNameType, Set<XmlGeneralName>> map2) {
        EnumMap enumMap = new EnumMap(GeneralNameType.class);
        for (Map.Entry<GeneralNameType, Set<XmlGeneralName>> entry : map2.entrySet()) {
            GeneralNameType key = entry.getKey();
            Set<XmlGeneralName> value = entry.getValue();
            Set set = (Set) enumMap.computeIfAbsent(key, generalNameType -> {
                return new HashSet();
            });
            Set<XmlGeneralName> set2 = map.get(key);
            if (Utils.isCollectionNotEmpty(set2)) {
                for (XmlGeneralName xmlGeneralName : value) {
                    for (XmlGeneralName xmlGeneralName2 : set2) {
                        if (isWithinSubtree(xmlGeneralName2, xmlGeneralName)) {
                            set.add(xmlGeneralName2);
                        } else if (isWithinSubtree(xmlGeneralName, xmlGeneralName2)) {
                            set.add(xmlGeneralName);
                        }
                    }
                }
            } else {
                set.addAll(value);
            }
        }
        for (Map.Entry<GeneralNameType, Set<XmlGeneralName>> entry2 : map.entrySet()) {
            if (!enumMap.containsKey(entry2.getKey())) {
                ((Set) enumMap.computeIfAbsent(entry2.getKey(), generalNameType2 -> {
                    return new HashSet();
                })).addAll(entry2.getValue());
            }
        }
        return enumMap;
    }

    private Map<GeneralNameType, Set<XmlGeneralName>> unionNew(Map<GeneralNameType, Set<XmlGeneralName>> map, Map<GeneralNameType, Set<XmlGeneralName>> map2) {
        EnumMap enumMap = new EnumMap(GeneralNameType.class);
        for (Map.Entry<GeneralNameType, Set<XmlGeneralName>> entry : map2.entrySet()) {
            GeneralNameType key = entry.getKey();
            Set<XmlGeneralName> value = entry.getValue();
            Set set = (Set) enumMap.computeIfAbsent(key, generalNameType -> {
                return new HashSet();
            });
            Set<XmlGeneralName> set2 = map.get(key);
            if (Utils.isCollectionNotEmpty(set2)) {
                for (XmlGeneralName xmlGeneralName : value) {
                    for (XmlGeneralName xmlGeneralName2 : set2) {
                        if (isWithinSubtree(xmlGeneralName2, xmlGeneralName)) {
                            set.add(xmlGeneralName);
                        } else if (isWithinSubtree(xmlGeneralName, xmlGeneralName2)) {
                            set.add(xmlGeneralName2);
                        } else {
                            set.add(xmlGeneralName);
                            set.add(xmlGeneralName2);
                        }
                    }
                }
            } else {
                set.addAll(value);
            }
        }
        for (Map.Entry<GeneralNameType, Set<XmlGeneralName>> entry2 : map.entrySet()) {
            if (!enumMap.containsKey(entry2.getKey())) {
                ((Set) enumMap.computeIfAbsent(entry2.getKey(), generalNameType2 -> {
                    return new HashSet();
                })).addAll(entry2.getValue());
            }
        }
        return enumMap;
    }

    private boolean isWithinSubtree(XmlGeneralName xmlGeneralName, XmlGeneralName xmlGeneralName2) {
        if (Utils.isStringEmpty(xmlGeneralName.getValue()) || Utils.isStringEmpty(xmlGeneralName2.getValue())) {
            return false;
        }
        if (!GeneralNameType.IP_ADDRESS.equals(xmlGeneralName.getType()) && xmlGeneralName2.getValue().length() > xmlGeneralName.getValue().length()) {
            return false;
        }
        switch (xmlGeneralName.getType()) {
            case UNIFORM_RESOURCE_IDENTIFIER:
                return isWithinURISubtree(xmlGeneralName.getValue(), xmlGeneralName2.getValue());
            case RFC822_NAME:
                return isWithinEmailSubtree(xmlGeneralName.getValue(), xmlGeneralName2.getValue());
            case DNS_NAME:
                return isWithinDNSSubtree(xmlGeneralName.getValue(), xmlGeneralName2.getValue());
            case DIRECTORY_NAME:
                return isWithinDNSubtree(xmlGeneralName.getValue(), xmlGeneralName2.getValue());
            case IP_ADDRESS:
                return isWithinIPAddressSubtree(xmlGeneralName.getValue(), xmlGeneralName2.getValue());
            case OTHER_NAME:
            case X400_ADDRESS:
            case EDI_PARTY_NAME:
            case REGISTERED_ID:
                LOG.warn("The NameConstraint of type '{}' is not supported. Full comparison is executed.", xmlGeneralName.getType());
                return isWithinOtherNameSubtree(xmlGeneralName.getValue(), xmlGeneralName2.getValue());
            default:
                return false;
        }
    }

    private boolean isWithinURISubtree(String str, String str2) {
        return isWithinDomain(ValidationProcessUtils.getDomainName(str), ValidationProcessUtils.getDomainName(str2));
    }

    private boolean isWithinDomain(String str, String str2) {
        return str2.startsWith(".") ? str.toLowerCase().endsWith(str2.toLowerCase()) : str2.equalsIgnoreCase(str);
    }

    private boolean isWithinEmailSubtree(String str, String str2) {
        if (isEmail(str2)) {
            return str.equalsIgnoreCase(str2);
        }
        if (isEmail(str)) {
            str = getDomainNameFromEmail(str);
        }
        return isWithinDomain(str, str2);
    }

    private boolean isEmail(String str) {
        return str.indexOf(64) != -1;
    }

    private String getDomainNameFromEmail(String str) {
        return str.substring(str.indexOf(64) + 1);
    }

    private boolean isWithinDNSSubtree(String str, String str2) {
        String[] split = str.split("\\.");
        String[] split2 = str2.split("\\.");
        int length = split.length - split2.length;
        if (length == 0) {
            return Arrays.equals(split2, split);
        }
        if (length <= 0) {
            return false;
        }
        for (int length2 = split2.length - 1; length2 > -1; length2--) {
            if (!split2[length2].equals(split[length2 + length])) {
                return false;
            }
        }
        return true;
    }

    private boolean isWithinDNSubtree(String str, String str2) {
        Map<String, Set<String>> dNMap = toDNMap(str);
        for (Map.Entry<String, Set<String>> entry : toDNMap(str2).entrySet()) {
            String key = entry.getKey();
            Set<String> value = entry.getValue();
            if (!dNMap.containsKey(key) || !dNMap.get(key).containsAll(value)) {
                return false;
            }
        }
        return true;
    }

    private boolean isWithinIPAddressSubtree(String str, String str2) {
        byte[] byteArrayIPAddress = toByteArrayIPAddress(str);
        byte[] byteArrayIPAddress2 = toByteArrayIPAddress(str2);
        int length = byteArrayIPAddress.length;
        if (length != byteArrayIPAddress2.length / 2) {
            return false;
        }
        byte[] subarray = Utils.subarray(byteArrayIPAddress2, length, byteArrayIPAddress2.length);
        byte[] bArr = new byte[length];
        byte[] bArr2 = new byte[length];
        for (int i = 0; i < length; i++) {
            bArr[i] = (byte) (byteArrayIPAddress2[i] & subarray[i]);
            bArr2[i] = (byte) (byteArrayIPAddress[i] & subarray[i]);
        }
        return Arrays.equals(bArr, bArr2);
    }

    private byte[] toByteArrayIPAddress(String str) {
        if (str.startsWith("#")) {
            str = str.replace("#", "");
            if (Utils.isHexEncoded(str)) {
                return Utils.fromHex(str);
            }
        }
        LOG.debug("Incorrectly encoded IP Address value: {}", str);
        return str.getBytes();
    }

    private boolean isWithinOtherNameSubtree(String str, String str2) {
        return str2.equals(str);
    }

    @Override // eu.europa.esig.dss.validation.process.ChainItem
    protected MessageTag getMessageTag() {
        return MessageTag.BBB_XCV_DCSBSINC;
    }

    @Override // eu.europa.esig.dss.validation.process.ChainItem
    protected MessageTag getErrorMessageTag() {
        return MessageTag.BBB_XCV_DCSBSINC_ANS;
    }

    @Override // eu.europa.esig.dss.validation.process.ChainItem
    protected Indication getFailedIndicationForConclusion() {
        return Indication.INDETERMINATE;
    }

    @Override // eu.europa.esig.dss.validation.process.ChainItem
    protected SubIndication getFailedSubIndicationForConclusion() {
        return SubIndication.CERTIFICATE_CHAIN_GENERAL_FAILURE;
    }
}
