package eu.europa.esig.dss.validation;

import eu.europa.esig.dss.enumerations.Context;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
import eu.europa.esig.dss.policy.RuleUtils;
import eu.europa.esig.dss.policy.ValidationPolicy;
import eu.europa.esig.dss.policy.jaxb.BasicSignatureConstraints;
import eu.europa.esig.dss.policy.jaxb.CertificateConstraints;
import eu.europa.esig.dss.policy.jaxb.CertificateValuesConstraint;
import eu.europa.esig.dss.policy.jaxb.CryptographicConstraint;
import eu.europa.esig.dss.policy.jaxb.Level;
import eu.europa.esig.dss.policy.jaxb.MultiValuesConstraint;
import eu.europa.esig.dss.policy.jaxb.RevocationConstraints;
import eu.europa.esig.dss.policy.jaxb.SignatureConstraints;
import eu.europa.esig.dss.policy.jaxb.TimeConstraint;
import eu.europa.esig.dss.spi.validation.RevocationDataVerifier;
import eu.europa.esig.dss.validation.process.bbb.sav.checks.CryptographicConstraintWrapper;
import java.util.Arrays;
import java.util.Date;
import java.util.EnumMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/dss-validation-6.1.jar:eu/europa/esig/dss/validation/RevocationDataVerifierFactory.class */
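/**
 * Builds a {@link RevocationDataVerifier} whose acceptance rules (cryptographic algorithms,
 * revocation-skip lists and freshness limits) are derived from a {@link ValidationPolicy}.
 *
 * <p>Security-relevant defaults, all visible in this class:
 * <ul>
 *   <li>If the policy has no cryptographic constraint for {@link Context#REVOCATION}, or that
 *       constraint's level is anything other than {@link Level#FAIL}, every digest algorithm and
 *       every encryption algorithm (minimum key length 0) is accepted.</li>
 *   <li>If the policy has no RevocationDataSkip element under Revocation/SigningCertificate, the
 *       {@code id-pkix-ocsp-nocheck} extension OID is added to the revocation-skip extensions.</li>
 *   <li>Freshness values and the "next update" flag are read from the policy without looking at the
 *       level of the corresponding constraint; the presence of the element alone is enough.</li>
 * </ul>
 * Review a policy against these fallbacks before relying on the resulting verifier.
 */
public class RevocationDataVerifierFactory {
    // NOTE(review): the logger category is RevocationDataVerifier, not this factory. Log filters and
    // alerts for the messages emitted below have to target that category.
    private static final Logger LOG = LoggerFactory.getLogger(RevocationDataVerifier.class);
    private final ValidationPolicy validationPolicy;
    private Date validationTime;

    /**
     * @param validationPolicy policy the verifier settings are read from; it is dereferenced without
     *                         a null check in {@link #create()}
     */
    public RevocationDataVerifierFactory(ValidationPolicy validationPolicy) {
        this.validationPolicy = validationPolicy;
    }

    /**
     * Returns the time at which algorithm reliability is evaluated.
     *
     * <p>When no time was set, the current time is captured on the first call and reused afterwards.
     * The {@link Date} is stored and returned by reference, so callers must not mutate it.
     *
     * @return the validation time, never {@code null}
     */
    protected Date getValidationTime() {
        if (this.validationTime == null) {
            this.validationTime = new Date();
        }
        return this.validationTime;
    }

    /**
     * Sets the time at which algorithm reliability is evaluated.
     *
     * @param date validation time; {@code null} makes {@link #getValidationTime()} fall back to "now"
     * @return this factory, for chaining
     */
    public RevocationDataVerifierFactory setValidationTime(Date date) {
        this.validationTime = date;
        return this;
    }

    /**
     * Creates an empty verifier and configures it from the validation policy: cryptographic
     * constraints first, then revocation-skip rules, then freshness rules.
     *
     * @return the configured verifier
     */
    public RevocationDataVerifier create() {
        RevocationDataVerifier verifier = RevocationDataVerifier.createEmptyRevocationDataVerifier();
        instantiateCryptographicConstraints(verifier, this.validationPolicy);
        instantiateRevocationSkipConstraints(verifier, this.validationPolicy);
        instantiateRevocationFreshnessConstraints(verifier, this.validationPolicy);
        return verifier;
    }

    /**
     * Configures the digest algorithms and the encryption algorithms (with minimum key length)
     * the verifier accepts.
     */
    private void instantiateCryptographicConstraints(RevocationDataVerifier revocationDataVerifier, ValidationPolicy validationPolicy) {
        List<DigestAlgorithm> acceptableDigests;
        Map<EncryptionAlgorithm, Integer> acceptableKeyLengths;
        CryptographicConstraintWrapper constraints = getRevocationCryptographicConstraints(validationPolicy);
        if (constraints == null || !Level.FAIL.equals(constraints.getLevel())) {
            // Fail-open branch: a missing constraint, or one at any level other than FAIL, puts no
            // restriction at all on the verifier. Every value of DigestAlgorithm is accepted and every
            // EncryptionAlgorithm is accepted with a minimum key length of 0, which includes whatever
            // legacy algorithms those enums define. Only an INFO line records this.
            LOG.info("No enforced cryptographic constraints have been found in the provided validation policy. Accept all cryptographic algorithms.");
            acceptableDigests = Arrays.asList(DigestAlgorithm.values());
            acceptableKeyLengths = new EnumMap<>(EncryptionAlgorithm.class);
            for (EncryptionAlgorithm encryptionAlgorithm : EncryptionAlgorithm.values()) {
                acceptableKeyLengths.put(encryptionAlgorithm, 0);
            }
        } else {
            // Enforced branch: only what the policy marks reliable at the validation time is accepted.
            Date time = getValidationTime();
            acceptableDigests = constraints.getReliableDigestAlgorithmsAtTime(time);
            acceptableKeyLengths = constraints.getReliableEncryptionAlgorithmsWithMinimalKeyLengthAtTime(time);
        }
        revocationDataVerifier.setAcceptableDigestAlgorithms(acceptableDigests);
        revocationDataVerifier.setAcceptableEncryptionAlgorithmKeyLength(acceptableKeyLengths);
    }

    /**
     * Wraps the policy's cryptographic constraint for the REVOCATION context.
     *
     * @return the wrapper, or {@code null} when the policy defines no such constraint
     */
    private CryptographicConstraintWrapper getRevocationCryptographicConstraints(ValidationPolicy validationPolicy) {
        CryptographicConstraint constraint = validationPolicy.getSignatureCryptographicConstraint(Context.REVOCATION);
        return constraint != null ? new CryptographicConstraintWrapper(constraint) : null;
    }

    /**
     * Collects the certificate-extension and certificate-policy identifiers listed under
     * RevocationDataSkip across the signature, counter-signature, revocation and timestamp
     * sections of the policy, and hands both sets to the verifier.
     *
     * <p>The four sections are merged into one pair of sets: an identifier listed in any section
     * ends up in the skip set the verifier receives.
     */
    private void instantiateRevocationSkipConstraints(RevocationDataVerifier revocationDataVerifier, ValidationPolicy validationPolicy) {
        Set<String> skipExtensions = new HashSet<>();
        Set<String> skipPolicies = new HashSet<>();
        if (validationPolicy.getSignatureConstraints() != null) {
            populateRevocationSkipFromBasicSignatureConstraints(skipExtensions, skipPolicies, validationPolicy.getSignatureConstraints().getBasicSignatureConstraints());
        }
        if (validationPolicy.getCounterSignatureConstraints() != null) {
            populateRevocationSkipFromBasicSignatureConstraints(skipExtensions, skipPolicies, validationPolicy.getCounterSignatureConstraints().getBasicSignatureConstraints());
        }
        if (validationPolicy.getRevocationConstraints() != null) {
            populateRevocationSkipFromBasicSignatureConstraints(skipExtensions, skipPolicies, validationPolicy.getRevocationConstraints().getBasicSignatureConstraints());
        }
        if (validationPolicy.getTimestampConstraints() != null) {
            populateRevocationSkipFromBasicSignatureConstraints(skipExtensions, skipPolicies, validationPolicy.getTimestampConstraints().getBasicSignatureConstraints());
        }
        ensureOcspNoCheck(skipExtensions, validationPolicy);
        revocationDataVerifier.setRevocationSkipCertificateExtensions(skipExtensions);
        revocationDataVerifier.setRevocationSkipCertificatePolicies(skipPolicies);
    }

    /**
     * Adds the {@code id-pkix-ocsp-nocheck} OID to the skip-extension set when the policy does not
     * define a RevocationDataSkip element under Revocation/SigningCertificate.
     *
     * <p>This is an implicit default: a policy that is silent on the matter still ends up with
     * ocsp-nocheck in the skip set. An explicit RevocationDataSkip element, even one that lists
     * nothing, suppresses the default. The log message asks for the constraint to be set explicitly.
     */
    private void ensureOcspNoCheck(Set<String> set, ValidationPolicy validationPolicy) {
        RevocationConstraints revocationConstraints = validationPolicy.getRevocationConstraints();
        BasicSignatureConstraints basicSignatureConstraints =
                revocationConstraints != null ? revocationConstraints.getBasicSignatureConstraints() : null;
        CertificateConstraints signingCertificate =
                basicSignatureConstraints != null ? basicSignatureConstraints.getSigningCertificate() : null;
        boolean explicitlyConfigured = signingCertificate != null && signingCertificate.getRevocationDataSkip() != null;
        if (!explicitlyConfigured) {
            LOG.info("No RevocationDataSkip constraint is defined in the validation policy for Revocation/SigningCertificate element! Default behavior with ocsp-no-check is added to processing. Please set the constraint explicitly. To be required since DSS 6.2.");
            set.add(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId());
        }
    }

    /**
     * Adds the RevocationDataSkip identifiers of both the signing-certificate and the
     * CA-certificate constraints to the given sets; does nothing for {@code null} input.
     */
    private void populateRevocationSkipFromBasicSignatureConstraints(Set<String> set, Set<String> set2, BasicSignatureConstraints basicSignatureConstraints) {
        if (basicSignatureConstraints == null) {
            return;
        }
        populateRevocationSkipFromCertificateConstraints(set, set2, basicSignatureConstraints.getSigningCertificate());
        populateRevocationSkipFromCertificateConstraints(set, set2, basicSignatureConstraints.getCACertificate());
    }

    /**
     * Copies the certificate-extension ids into {@code set} and the certificate-policy ids into
     * {@code set2} from the constraint's RevocationDataSkip element, when present.
     */
    private void populateRevocationSkipFromCertificateConstraints(Set<String> set, Set<String> set2, CertificateConstraints certificateConstraints) {
        if (certificateConstraints == null) {
            return;
        }
        CertificateValuesConstraint revocationDataSkip = certificateConstraints.getRevocationDataSkip();
        if (revocationDataSkip == null) {
            return;
        }
        MultiValuesConstraint certificateExtensions = revocationDataSkip.getCertificateExtensions();
        if (certificateExtensions != null) {
            set.addAll(certificateExtensions.getId());
        }
        MultiValuesConstraint certificatePolicies = revocationDataSkip.getCertificatePolicies();
        if (certificatePolicies != null) {
            set2.addAll(certificatePolicies.getId());
        }
    }

    /**
     * Configures the maximum revocation freshness per context (signature, timestamp, revocation)
     * and whether the "next update" freshness check is enabled.
     *
     * <p>A per-context maximum is only set when the matching policy section exists; otherwise the
     * verifier keeps whatever the empty verifier started with. The next-update check is enabled as
     * soon as any section defines a RevocationFreshnessNextUpdate element.
     */
    private void instantiateRevocationFreshnessConstraints(RevocationDataVerifier revocationDataVerifier, ValidationPolicy validationPolicy) {
        boolean checkNextUpdate = false;
        if (validationPolicy.getSignatureConstraints() != null || validationPolicy.getCounterSignatureConstraints() != null) {
            revocationDataVerifier.setSignatureMaximumRevocationFreshness(getSignatureRevocationFreshnessConstraint(validationPolicy));
            if (validationPolicy.getSignatureConstraints() != null) {
                checkNextUpdate = getRevocationFreshnessNextUpdateConstraint(validationPolicy.getSignatureConstraints().getBasicSignatureConstraints());
            }
            if (!checkNextUpdate && validationPolicy.getCounterSignatureConstraints() != null) {
                checkNextUpdate = getRevocationFreshnessNextUpdateConstraint(validationPolicy.getCounterSignatureConstraints().getBasicSignatureConstraints());
            }
        }
        if (validationPolicy.getTimestampConstraints() != null) {
            revocationDataVerifier.setTimestampMaximumRevocationFreshness(getRevocationFreshnessConstraint(validationPolicy.getTimestampConstraints().getBasicSignatureConstraints()));
            if (!checkNextUpdate) {
                checkNextUpdate = getRevocationFreshnessNextUpdateConstraint(validationPolicy.getTimestampConstraints().getBasicSignatureConstraints());
            }
        }
        if (validationPolicy.getRevocationConstraints() != null) {
            revocationDataVerifier.setRevocationMaximumRevocationFreshness(getRevocationFreshnessConstraint(validationPolicy.getRevocationConstraints().getBasicSignatureConstraints()));
            if (!checkNextUpdate) {
                checkNextUpdate = getRevocationFreshnessNextUpdateConstraint(validationPolicy.getRevocationConstraints().getBasicSignatureConstraints());
            }
        }
        revocationDataVerifier.setCheckRevocationFreshnessNextUpdate(checkNextUpdate);
    }

    /**
     * Returns the shortest freshness limit defined by the signature and counter-signature sections.
     *
     * @return the smaller of the two limits, the only one defined, or {@code null} when neither is
     */
    private Long getSignatureRevocationFreshnessConstraint(ValidationPolicy validationPolicy) {
        Long freshness = null;
        SignatureConstraints signatureConstraints = validationPolicy.getSignatureConstraints();
        if (signatureConstraints != null) {
            freshness = getRevocationFreshnessConstraint(signatureConstraints.getBasicSignatureConstraints());
        }
        SignatureConstraints counterSignatureConstraints = validationPolicy.getCounterSignatureConstraints();
        if (counterSignatureConstraints != null) {
            freshness = shortest(freshness, getRevocationFreshnessConstraint(counterSignatureConstraints.getBasicSignatureConstraints()));
        }
        return freshness;
    }

    /**
     * Returns the shortest freshness limit defined for the signing certificate and the CA
     * certificate of the given constraints.
     *
     * @return the smaller of the two limits, the only one defined, or {@code null} when neither is
     */
    private Long getRevocationFreshnessConstraint(BasicSignatureConstraints basicSignatureConstraints) {
        if (basicSignatureConstraints == null) {
            return null;
        }
        Long freshness = null;
        CertificateConstraints signingCertificate = basicSignatureConstraints.getSigningCertificate();
        if (signingCertificate != null) {
            freshness = getRevocationFreshnessConstraintValue(signingCertificate);
        }
        CertificateConstraints caCertificate = basicSignatureConstraints.getCACertificate();
        if (caCertificate != null) {
            freshness = shortest(freshness, getRevocationFreshnessConstraintValue(caCertificate));
        }
        return freshness;
    }

    /**
     * Converts the certificate's RevocationFreshness time constraint to a number.
     *
     * @return the converted duration (unit is whatever RuleUtils.convertDuration yields, presumably
     *         milliseconds; confirm against RuleUtils), or {@code null} when no constraint is defined
     */
    private Long getRevocationFreshnessConstraintValue(CertificateConstraints certificateConstraints) {
        TimeConstraint revocationFreshness = certificateConstraints.getRevocationFreshness();
        if (revocationFreshness == null) {
            return null;
        }
        return Long.valueOf(RuleUtils.convertDuration(revocationFreshness));
    }

    /**
     * Tells whether the signing-certificate or CA-certificate constraints define a
     * RevocationFreshnessNextUpdate element. Only presence is tested, not the constraint's level.
     */
    private boolean getRevocationFreshnessNextUpdateConstraint(BasicSignatureConstraints basicSignatureConstraints) {
        if (basicSignatureConstraints == null) {
            return false;
        }
        CertificateConstraints signingCertificate = basicSignatureConstraints.getSigningCertificate();
        if (signingCertificate != null && signingCertificate.getRevocationFreshnessNextUpdate() != null) {
            return true;
        }
        CertificateConstraints caCertificate = basicSignatureConstraints.getCACertificate();
        return caCertificate != null && caCertificate.getRevocationFreshnessNextUpdate() != null;
    }

    /**
     * Picks the stricter (shorter) of two optional freshness limits: the candidate replaces the
     * current value when the current one is undefined or the candidate is defined and smaller.
     */
    private static Long shortest(Long current, Long candidate) {
        if (current == null || (candidate != null && candidate < current)) {
            return candidate;
        }
        return current;
    }
}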
