package eu.europa.esig.dss.spi.x509.revocation.ocsp;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.RevocationReason;
import eu.europa.esig.dss.enumerations.RevocationType;
import eu.europa.esig.dss.enumerations.SignatureAlgorithm;
import eu.europa.esig.dss.enumerations.SignatureValidity;
import eu.europa.esig.dss.model.Digest;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import eu.europa.esig.dss.spi.DSSSecurityProvider;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CandidatesForSigningCertificate;
import eu.europa.esig.dss.spi.x509.CertificateValidity;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.utils.Utils;
import java.security.PublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Objects;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers;
import org.bouncycastle.asn1.isismtt.ocsp.CertHash;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/dss-spi-6.0.jar:eu/europa/esig/dss/spi/x509/revocation/ocsp/OCSPToken.class */
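/**
 * Revocation token backed by a single OCSP response ({@link BasicOCSPResp}) for one related certificate.
 *
 * <p>On construction the token copies the timing fields (producedAt, thisUpdate, nextUpdate), extracts the
 * certificate status from the selected {@link SingleResp}, reads the optional archive-cutoff and ISIS-MTT
 * certHash extensions, and attempts to identify the responder certificate by verifying the response
 * signature against the candidates exposed by {@link #getCertificateSource()}.
 *
 * <p>Security note: {@link #isValid()} only establishes that the response signature is intact under a
 * candidate key and that the response is v1. Whether that signer is actually authorised to answer for the
 * related certificate (issuer-or-delegated-responder check, trust anchoring) is not decided here and is
 * presumably performed by the validation process consuming this token — confirm against the caller.
 *
 * <p>The lazily-initialised fields ({@code certificateSource}, {@code signatureAlgorithm}) are not
 * synchronised; instances are not designed for concurrent initialisation.
 */
public class OCSPToken extends RevocationToken<OCSP> {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) OCSPToken.class);
    /** The full response; never null (checked in the constructor). */
    private final BasicOCSPResp basicOCSPResp;
    /** The single response selected for the related certificate; may be null. */
    private final SingleResp latestSingleResp;
    /** Responder certificate for which the signature verified, or null if no candidate verified. */
    private CertificateToken issuerCertificateToken;
    /** Certificates embedded in the response, built on first access. */
    private OCSPCertificateSource certificateSource;

    /**
     * Builds an OCSP token and runs the signature check immediately.
     *
     * @param basicOCSPResp     the OCSP response (must not be null)
     * @param singleResp        the single response for {@code certificateToken}; may be null, in which case
     *                          no status, timing or extension information is extracted
     * @param certificateToken  the certificate this response is about (must not be null)
     * @param certificateToken2 a certificate used to look up candidates for the response signer
     *                          (presumably the issuer of {@code certificateToken} — confirm against callers);
     *                          may be null if the underlying certificate source tolerates it
     * @throws NullPointerException if {@code basicOCSPResp} or {@code certificateToken} is null
     */
    public OCSPToken(BasicOCSPResp basicOCSPResp, SingleResp singleResp, CertificateToken certificateToken, CertificateToken certificateToken2) {
        Objects.requireNonNull(basicOCSPResp, "The OCSP Response must be defined!");
        Objects.requireNonNull(certificateToken, "The related certificate token cannot be null!");
        this.basicOCSPResp = basicOCSPResp;
        this.productionDate = basicOCSPResp.getProducedAt();
        this.relatedCertificate = certificateToken;
        this.latestSingleResp = singleResp;
        if (singleResp != null) {
            this.thisUpdate = singleResp.getThisUpdate();
            this.nextUpdate = singleResp.getNextUpdate();
            extractStatusInfo(singleResp);
            extractArchiveCutOff(singleResp);
            extractCertHashExtension(singleResp);
        }
        // Calls the overridable getCertificateSource() from the constructor; subclasses must not rely on
        // their own state being initialised at this point.
        checkSignatureValidity(certificateToken2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("OCSPToken created : {})", getDSSIdAsString());
        }
    }

    /**
     * Maps the BouncyCastle certificate status onto {@code status}, {@code revocationDate} and {@code reason}.
     * A status that is neither GOOD, revoked nor unknown is only logged and leaves {@code status} untouched.
     */
    private void extractStatusInfo(SingleResp singleResp) {
        CertificateStatus certStatus = singleResp.getCertStatus();
        if (CertificateStatus.GOOD == certStatus) {
            if (LOG.isInfoEnabled()) {
                LOG.info("OCSP status is good");
            }
            this.status = eu.europa.esig.dss.enumerations.CertificateStatus.GOOD;
            return;
        }
        if (!(certStatus instanceof RevokedStatus)) {
            if (!(certStatus instanceof UnknownStatus)) {
                LOG.info("OCSP certificate status: {}", certStatus);
                return;
            }
            if (LOG.isInfoEnabled()) {
                LOG.info("OCSP status unknown");
            }
            this.status = eu.europa.esig.dss.enumerations.CertificateStatus.UNKNOWN;
            return;
        }
        if (LOG.isInfoEnabled()) {
            LOG.info("OCSP status revoked");
        }
        RevokedStatus revokedStatus = (RevokedStatus) certStatus;
        this.status = eu.europa.esig.dss.enumerations.CertificateStatus.REVOKED;
        this.revocationDate = revokedStatus.getRevocationTime();
        // The revocationReason field is optional in the response; fall back to code 0 when absent.
        int i = 0;
        if (revokedStatus.hasRevocationReason()) {
            i = revokedStatus.getRevocationReason();
        }
        this.reason = RevocationReason.fromInt(i);
    }

    /**
     * Reads the optional id-pkix-ocsp-archive-cutoff extension into {@code archiveCutOff}.
     *
     * <p>The response comes from an external responder, so the extension content is untrusted: a value that
     * is not a GeneralizedTime (ClassCastException) or not decodable (IllegalArgumentException from
     * {@code getParsedValue()}) is logged and skipped rather than aborting token construction, mirroring the
     * handling in {@link #extractCertHashExtension(SingleResp)}.
     */
    private void extractArchiveCutOff(SingleResp singleResp) {
        Extension extension = singleResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff);
        if (extension != null) {
            try {
                this.archiveCutOff = ((ASN1GeneralizedTime) extension.getParsedValue()).getDate();
            } catch (ParseException | RuntimeException e) {
                LOG.warn("Unable to extract id_pkix_ocsp_archive_cutoff : {}", e.getMessage());
            }
        }
    }

    /**
     * Reads the optional ISIS-MTT certHash extension and records whether it is present and whether its
     * digest equals the digest of the related certificate computed with the algorithm named in the
     * extension. Any failure (unknown digest OID, malformed value) is logged and leaves both flags unset.
     */
    private void extractCertHashExtension(SingleResp singleResp) {
        Extension extension = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
        if (extension != null) {
            try {
                CertHash certHash = CertHash.getInstance(extension.getParsedValue());
                Digest digest = new Digest(DigestAlgorithm.forOID(certHash.getHashAlgorithm().getAlgorithm().getId()), certHash.getCertificateHash());
                this.certHashPresent = true;
                // Not a secret comparison: both values are public, so Arrays.equals is sufficient here.
                this.certHashMatch = Arrays.equals(this.relatedCertificate.getDigest(digest.getAlgorithm()), digest.getValue());
            } catch (Exception e) {
                LOG.warn("Unable to extract id_isismtt_at_certHash : {}", e.getMessage());
            }
        }
    }

    /**
     * Tries the signing-certificate candidates derived from {@code certificateToken} against the response
     * signature. On success the matching candidate becomes {@code issuerCertificateToken}; otherwise it
     * stays null and {@link #getIssuerX500Principal()} returns null.
     */
    private void checkSignatureValidity(CertificateToken certificateToken) {
        CandidatesForSigningCertificate candidatesForSigningCertificate = getCertificateSource().getCandidatesForSigningCertificate(certificateToken);
        CertificateValidity validate = new OCSPSignatureIntegrityValidator(this).validate(candidatesForSigningCertificate);
        if (validate != null) {
            candidatesForSigningCertificate.setTheCertificateValidity(validate);
            this.issuerCertificateToken = validate.getCertificateToken();
        }
    }

    /**
     * Resolves the response signature algorithm from its OID and DER-encoded parameters (lazily, unsynchronised).
     */
    @Override // eu.europa.esig.dss.model.x509.Token
    public SignatureAlgorithm getSignatureAlgorithm() {
        if (this.signatureAlgorithm == null) {
            AlgorithmIdentifier signatureAlgorithmID = this.basicOCSPResp.getSignatureAlgorithmID();
            this.signatureAlgorithm = SignatureAlgorithm.forOidAndParams(signatureAlgorithmID.getAlgorithm().getId(), signatureAlgorithmID.getParameters() == null ? null : DSSASN1Utils.getDEREncoded(signatureAlgorithmID.getParameters()));
        }
        return this.signatureAlgorithm;
    }

    /** @return the wrapped response; never null */
    public BasicOCSPResp getBasicOCSPResp() {
        return this.basicOCSPResp;
    }

    /** @return the single response this token was built from; may be null */
    public SingleResp getLatestSingleResp() {
        return this.latestSingleResp;
    }

    /** Certificates carried inside the response, created on first call (unsynchronised). */
    @Override // eu.europa.esig.dss.spi.x509.revocation.RevocationToken
    public OCSPCertificateSource getCertificateSource() {
        if (this.certificateSource == null) {
            this.certificateSource = new OCSPCertificateSource(getBasicOCSPResp());
        }
        return this.certificateSource;
    }

    /** DER encoding of the basic response, as produced by {@link DSSRevocationUtils}. */
    @Override // eu.europa.esig.dss.model.x509.Token
    public byte[] getEncoded() {
        return DSSRevocationUtils.getEncodedFromBasicResp(this.basicOCSPResp);
    }

    /**
     * @return the subject of the responder certificate whose key verified the signature, or null when no
     *         candidate verified
     */
    @Override // eu.europa.esig.dss.model.x509.Token
    public X500Principal getIssuerX500Principal() {
        if (this.issuerCertificateToken != null) {
            return this.issuerCertificateToken.getSubject().getPrincipal();
        }
        return null;
    }

    /** @return the responder certificate identified during construction, or null */
    @Override // eu.europa.esig.dss.spi.x509.revocation.RevocationToken
    public CertificateToken getIssuerCertificateToken() {
        return this.issuerCertificateToken;
    }

    /**
     * True when the signature verified and the response is v1. This does not cover responder authorisation,
     * freshness (thisUpdate/nextUpdate) or the certHash binding; callers needing those must check them separately.
     */
    @Override // eu.europa.esig.dss.model.x509.Token
    public boolean isValid() {
        return isSignatureIntact() && isOCSPVersionValid();
    }

    /**
     * Verifies the response signature with {@code publicKey} using the configured DSS security provider.
     * Resets {@code signatureInvalidityReason}; any exception is recorded there and yields INVALID.
     */
    @Override // eu.europa.esig.dss.model.x509.Token
    protected SignatureValidity checkIsSignedBy(PublicKey publicKey) {
        try {
            this.signatureInvalidityReason = "";
            JcaContentVerifierProviderBuilder jcaContentVerifierProviderBuilder = new JcaContentVerifierProviderBuilder();
            jcaContentVerifierProviderBuilder.setProvider(DSSSecurityProvider.getSecurityProvider());
            this.signatureValidity = SignatureValidity.get(Boolean.valueOf(this.basicOCSPResp.isSignatureValid(jcaContentVerifierProviderBuilder.build(publicKey))));
        } catch (Exception e) {
            LOG.error("An error occurred during in attempt to check signature owner : ", (Throwable) e);
            this.signatureInvalidityReason = e.getClass().getSimpleName() + " - " + e.getMessage();
            this.signatureValidity = SignatureValidity.INVALID;
        }
        return this.signatureValidity;
    }

    /** @return the response version as reported by BouncyCastle (1 for a v1 response) */
    public int getOCSPTokenVersion() {
        return this.basicOCSPResp.getVersion();
    }

    /**
     * Checks that the response is v1. Records a reason only if none was set yet, so a signature failure
     * reason is not overwritten.
     */
    private boolean isOCSPVersionValid() {
        boolean z = getOCSPTokenVersion() == 1;
        if (!z && Utils.isStringEmpty(this.signatureInvalidityReason)) {
            this.signatureInvalidityReason = "Basic OCSP Response version is invalid (shall be v1)!";
        }
        return z;
    }

    @Override // eu.europa.esig.dss.spi.x509.revocation.RevocationToken
    public RevocationType getRevocationType() {
        return RevocationType.OCSP;
    }

    /** Short one-line description: production time and the signer's principal (null if unidentified). */
    @Override // eu.europa.esig.dss.model.x509.Token
    public String getAbbreviation() {
        return "OCSPToken[" + (this.basicOCSPResp == null ? "?" : DSSUtils.formatDateToRFC(this.basicOCSPResp.getProducedAt())) + ", signedBy=" + getIssuerX500Principal() + "]";
    }

    /**
     * Multi-line description indented by {@code str}; the signature algorithm is shown as "?" if it has not
     * been resolved yet via {@link #getSignatureAlgorithm()}.
     */
    @Override // eu.europa.esig.dss.model.x509.Token
    public String toString(String str) {
        StringBuilder sb = new StringBuilder();
        sb.append(str).append("OCSPToken[\n");
        String str2 = str + "\t";
        sb.append(str2).append("Id: ").append(getDSSIdAsString()).append('\n');
        sb.append(str2).append("ProductionTime: ").append(DSSUtils.formatDateToRFC(this.productionDate)).append("; ");
        sb.append(str2).append("ThisUpdate: ").append(DSSUtils.formatDateToRFC(this.thisUpdate)).append("; ");
        sb.append(str2).append("NextUpdate: ").append(DSSUtils.formatDateToRFC(this.nextUpdate)).append('\n');
        if (getIssuerX500Principal() != null) {
            sb.append(str2).append("SignedBy: ").append(getIssuerX500Principal().toString()).append('\n');
        }
        sb.append(str2).append("Signature algorithm: ").append(this.signatureAlgorithm == null ? "?" : this.signatureAlgorithm.getJCEId()).append('\n');
        if (getRelatedCertificateId() != null) {
            sb.append(str2).append("Related certificate: ").append(getRelatedCertificateId()).append('\n');
        }
        sb.append(str2.substring(1)).append("]");
        return sb.toString();
    }
}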
