package eu.europa.esig.dss.spi.validation;

import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.x509.CertificateSource;
import eu.europa.esig.dss.spi.x509.tsp.TimestampToken;
import eu.europa.esig.dss.utils.Utils;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/dss-spi-6.1.jar:eu/europa/esig/dss/spi/validation/TimestampTokenVerifier.class */
public class TimestampTokenVerifier {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TimestampTokenVerifier.class);
    private CertificateSource trustedCertificateSource;
    private boolean acceptUntrustedCertificateChains;

    protected TimestampTokenVerifier() {
    }

    public static TimestampTokenVerifier createEmptyTimestampTokenVerifier() {
        return new TimestampTokenVerifier();
    }

    public static TimestampTokenVerifier createDefaultTimestampTokenVerifier() {
        TimestampTokenVerifier timestampTokenVerifier = new TimestampTokenVerifier();
        timestampTokenVerifier.setAcceptUntrustedCertificateChains(false);
        return timestampTokenVerifier;
    }

    public CertificateSource getTrustedCertificateSource() {
        return this.trustedCertificateSource;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setTrustedCertificateSource(CertificateSource certificateSource) {
        this.trustedCertificateSource = certificateSource;
    }

    public void setAcceptUntrustedCertificateChains(boolean z) {
        this.acceptUntrustedCertificateChains = z;
    }

    public boolean isAcceptable(TimestampToken timestampToken) {
        return isAcceptable(timestampToken, Collections.emptyList());
    }

    public boolean isAcceptable(TimestampToken timestampToken, List<CertificateToken> list) {
        return isTrustedTimestampToken(timestampToken, list) && isCryptographicallyValid(timestampToken);
    }

    protected boolean isTrustedTimestampToken(TimestampToken timestampToken, List<CertificateToken> list) {
        if (this.acceptUntrustedCertificateChains || containsTrustAnchor(list)) {
            return true;
        }
        LOG.warn("POE extraction is skipped for untrusted timestamp : {}.", timestampToken.getDSSIdAsString());
        return false;
    }

    private boolean containsTrustAnchor(List<CertificateToken> list) {
        if (!Utils.isCollectionNotEmpty(list)) {
            return false;
        }
        Iterator<CertificateToken> it = list.iterator();
        while (it.hasNext()) {
            if (isTrusted(it.next())) {
                return true;
            }
        }
        return false;
    }

    private boolean isTrusted(CertificateToken certificateToken) {
        return this.trustedCertificateSource != null && this.trustedCertificateSource.isTrusted(certificateToken);
    }

    protected boolean isCryptographicallyValid(TimestampToken timestampToken) {
        if (!timestampToken.isMessageImprintDataIntact()) {
            LOG.warn("POE extraction is skipped for timestamp : {}. The message-imprint is not intact!", timestampToken.getDSSIdAsString());
            return false;
        }
        if (timestampToken.isSignatureIntact()) {
            return true;
        }
        LOG.warn("POE extraction is skipped for timestamp : {}. The signature is not intact!", timestampToken.getDSSIdAsString());
        return false;
    }
}
