package eu.europa.esig.dss.validation;

import eu.europa.esig.dss.enumerations.Context;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
import eu.europa.esig.dss.enumerations.RevocationType;
import eu.europa.esig.dss.enumerations.SignatureAlgorithm;
import eu.europa.esig.dss.model.DSSException;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.policy.ValidationPolicy;
import eu.europa.esig.dss.policy.ValidationPolicyFacade;
import eu.europa.esig.dss.policy.jaxb.CryptographicConstraint;
import eu.europa.esig.dss.policy.jaxb.Level;
import eu.europa.esig.dss.spi.CertificateExtensionsUtils;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import eu.europa.esig.dss.spi.x509.ListCertificateSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.process.bbb.sav.checks.CryptographicConstraintWrapper;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/dss-document-6.0.jar:eu/europa/esig/dss/validation/RevocationDataVerifier.class */
public class RevocationDataVerifier {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) RevocationDataVerifier.class);
    protected ListCertificateSource trustedListCertificateSource;
    protected Collection<DigestAlgorithm> acceptableDigestAlgorithms;
    protected Map<EncryptionAlgorithm, Integer> acceptableEncryptionAlgorithmKeyLength;

    private RevocationDataVerifier() {
    }

    public static RevocationDataVerifier createDefaultRevocationDataVerifier() {
        try {
            return createRevocationDataVerifierFromPolicy(ValidationPolicyFacade.newFacade().getDefaultValidationPolicy());
        } catch (Exception e) {
            throw new DSSException(String.format("Unable to instantiate default RevocationDataVerifier. Reason : %s", e.getMessage()), e);
        }
    }

    public static RevocationDataVerifier createRevocationDataVerifierFromPolicy(ValidationPolicy validationPolicy) {
        return createRevocationDataVerifierFromPolicyWithTime(validationPolicy, new Date());
    }

    public static RevocationDataVerifier createRevocationDataVerifierFromPolicyWithTime(ValidationPolicy validationPolicy, Date date) {
        List<DigestAlgorithm> asList;
        Map<EncryptionAlgorithm, Integer> enumMap;
        RevocationDataVerifier revocationDataVerifier = new RevocationDataVerifier();
        CryptographicConstraintWrapper revocationCryptographicConstraints = getRevocationCryptographicConstraints(validationPolicy);
        if (revocationCryptographicConstraints == null || !Level.FAIL.equals(revocationCryptographicConstraints.getLevel())) {
            LOG.info("No enforced cryptographic constraints have been found in the provided validation policy. Accept all cryptographic algorithms.");
            asList = Arrays.asList(DigestAlgorithm.values());
            enumMap = new EnumMap(EncryptionAlgorithm.class);
            for (EncryptionAlgorithm encryptionAlgorithm : EncryptionAlgorithm.values()) {
                enumMap.put(encryptionAlgorithm, 0);
            }
        } else {
            asList = revocationCryptographicConstraints.getReliableDigestAlgorithmsAtTime(date);
            enumMap = revocationCryptographicConstraints.getReliableEncryptionAlgorithmsWithMinimalKeyLengthAtTime(date);
        }
        revocationDataVerifier.setAcceptableDigestAlgorithms(asList);
        revocationDataVerifier.setAcceptableEncryptionAlgorithmKeyLength(enumMap);
        return revocationDataVerifier;
    }

    private static CryptographicConstraintWrapper getRevocationCryptographicConstraints(ValidationPolicy validationPolicy) {
        CryptographicConstraint signatureCryptographicConstraint = validationPolicy.getSignatureCryptographicConstraint(Context.REVOCATION);
        if (signatureCryptographicConstraint != null) {
            return new CryptographicConstraintWrapper(signatureCryptographicConstraint);
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void setTrustedCertificateSource(ListCertificateSource listCertificateSource) {
        this.trustedListCertificateSource = listCertificateSource;
    }

    public void setAcceptableDigestAlgorithms(Collection<DigestAlgorithm> collection) {
        Objects.requireNonNull(collection, "Collection of DigestAlgorithms for acceptance cannot be null!");
        this.acceptableDigestAlgorithms = collection;
    }

    public void setAcceptableEncryptionAlgorithmKeyLength(Map<EncryptionAlgorithm, Integer> map) {
        Objects.requireNonNull(map, "Map of Encryption Algorithms for acceptance cannot be null!");
        this.acceptableEncryptionAlgorithmKeyLength = map;
    }

    public boolean isAcceptable(RevocationToken<?> revocationToken) {
        return isAcceptable(revocationToken, revocationToken.getIssuerCertificateToken());
    }

    public boolean isAcceptable(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        return isRevocationDataComplete(revocationToken) && isGoodIssuer(revocationToken, certificateToken) && isConsistent(revocationToken) && isAcceptableSignatureAlgorithm(revocationToken, certificateToken);
    }

    private boolean isRevocationDataComplete(RevocationToken<?> revocationToken) {
        if (revocationToken.getRelatedCertificate() == null) {
            LOG.warn("The revocation '{}' does not have a related certificate!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (revocationToken.getStatus() == null) {
            LOG.warn("The obtained revocation token '{}' does not contain the certificate status!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (revocationToken.getThisUpdate() != null) {
            return true;
        }
        LOG.warn("The obtained revocation token '{}' does not contain thisUpdate field!", revocationToken.getDSSIdAsString());
        return false;
    }

    private boolean isGoodIssuer(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        if (certificateToken == null) {
            LOG.warn("The issuer certificate is not found for the obtained revocation '{}'!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (RevocationType.OCSP.equals(revocationToken.getRevocationType()) && doesRequireRevocation(certificateToken) && !hasRevocationAccessPoints(certificateToken)) {
            LOG.warn("The issuer certificate '{}' of the obtained OCSPToken '{}' requires a revocation data, which is not acceptable due its configuration (no revocation access location points)!", certificateToken.getDSSIdAsString(), revocationToken.getDSSIdAsString());
            return false;
        }
        if (!RevocationType.OCSP.equals(revocationToken.getRevocationType()) || DSSRevocationUtils.checkIssuerValidAtRevocationProductionTime(revocationToken, certificateToken)) {
            return true;
        }
        LOG.warn("The revocation token '{}' has been produced outside the issuer certificate's validity range!", revocationToken.getDSSIdAsString());
        return false;
    }

    private boolean doesRequireRevocation(CertificateToken certificateToken) {
        return (certificateToken.isSelfSigned() || isTrusted(certificateToken) || CertificateExtensionsUtils.hasOcspNoCheckExtension(certificateToken)) ? false : true;
    }

    private boolean isTrusted(CertificateToken certificateToken) {
        return this.trustedListCertificateSource != null && this.trustedListCertificateSource.isTrusted(certificateToken);
    }

    private boolean hasRevocationAccessPoints(CertificateToken certificateToken) {
        return Utils.isCollectionNotEmpty(CertificateExtensionsUtils.getCRLAccessUrls(certificateToken)) || Utils.isCollectionNotEmpty(CertificateExtensionsUtils.getOCSPAccessUrls(certificateToken));
    }

    private boolean isConsistent(RevocationToken<?> revocationToken) {
        CertificateToken relatedCertificate = revocationToken.getRelatedCertificate();
        if (!isRevocationIssuedAfterCertificateNotBefore(revocationToken, relatedCertificate)) {
            LOG.warn("The revocation '{}' has been produced before the start of the validity of the certificate '{}'!", revocationToken.getDSSIdAsString(), relatedCertificate.getDSSIdAsString());
            return false;
        }
        if (doesRevocationKnowCertificate(revocationToken, relatedCertificate)) {
            LOG.debug("The revocation '{}' is consistent. Certificate: {}", revocationToken.getDSSIdAsString(), relatedCertificate.getDSSIdAsString());
            return true;
        }
        LOG.warn("The revocation '{}' was not issued during the validity period of the certificate! Certificate: {}", revocationToken.getDSSIdAsString(), relatedCertificate.getDSSIdAsString());
        return false;
    }

    private boolean isRevocationIssuedAfterCertificateNotBefore(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        return certificateToken.getNotBefore().compareTo(revocationToken.getThisUpdate()) <= 0;
    }

    private boolean doesRevocationKnowCertificate(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        return revocationInformationAssured(revocationToken, certificateToken) || certHashMatch(revocationToken);
    }

    private boolean revocationInformationAssured(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        Date thisUpdate = revocationToken.getThisUpdate();
        Date notAfter = certificateToken.getNotAfter();
        Date expiredCertsOnCRL = revocationToken.getExpiredCertsOnCRL();
        if (expiredCertsOnCRL != null) {
            thisUpdate = expiredCertsOnCRL;
        }
        Date archiveCutOff = revocationToken.getArchiveCutOff();
        if (archiveCutOff != null) {
            thisUpdate = archiveCutOff;
        }
        return notAfter.compareTo(thisUpdate) >= 0;
    }

    private boolean certHashMatch(RevocationToken<?> revocationToken) {
        return revocationToken.isCertHashPresent() && revocationToken.isCertHashMatch();
    }

    private boolean isAcceptableSignatureAlgorithm(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        SignatureAlgorithm signatureAlgorithm = revocationToken.getSignatureAlgorithm();
        if (signatureAlgorithm == null) {
            LOG.warn("Signature algorithm was not identified for an obtained revocation token '{}'!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (!this.acceptableDigestAlgorithms.contains(signatureAlgorithm.getDigestAlgorithm())) {
            LOG.warn("The used DigestAlgorithm {} is not acceptable for revocation token '{}'!", signatureAlgorithm.getDigestAlgorithm(), revocationToken.getDSSIdAsString());
            return false;
        }
        Integer num = this.acceptableEncryptionAlgorithmKeyLength.get(signatureAlgorithm.getEncryptionAlgorithm());
        if (num == null) {
            LOG.warn("The EncryptionAlgorithm {} is not acceptable for revocation token '{}'!", signatureAlgorithm.getEncryptionAlgorithm(), revocationToken.getDSSIdAsString());
            return false;
        }
        int publicKeySize = certificateToken != null ? DSSPKUtils.getPublicKeySize(certificateToken.getPublicKey()) : -1;
        if (publicKeySize <= 0) {
            LOG.warn("Key size used to sign revocation token '{}' cannot be identified!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (publicKeySize >= num.intValue()) {
            return true;
        }
        LOG.warn("The key size '{}' used to sign revocation token '{}' is smaller than minimal acceptable value '{}'!", Integer.valueOf(publicKeySize), revocationToken.getDSSIdAsString(), num);
        return false;
    }
}
