package de.bos_bremen.vii.xkms;

import de.bos_bremen.ci.asn1.x509.Certificate;
import de.bos_bremen.vii.common.SignalReason;
import de.bos_bremen.vii.common.SignalReasons;
import de.bos_bremen.vii.validate.CertificateDatePair;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:de/bos_bremen/vii/xkms/XKMSResponseSecurity.class */
public class XKMSResponseSecurity {
    private static final Log LOG = LogFactory.getLog(XKMSResponseSecurity.class);
    private final Map<String, CertificateDatePair> id2cdp = new HashMap();
    private final Certificate xkmsServerCert;

    public XKMSResponseSecurity(Collection<CertificateDatePair> collection, Certificate certificate) {
        for (CertificateDatePair certificateDatePair : collection) {
            this.id2cdp.put(certificateDatePair.getRequestId(), certificateDatePair);
        }
        this.xkmsServerCert = certificate;
    }

    public SignalReason checkIntegrity(XKMSValidateResponse xKMSValidateResponse) {
        for (XKMSValidateResult xKMSValidateResult : xKMSValidateResponse.getValidateResults()) {
            if (xKMSValidateResult.isErroneous()) {
                LOG.warn("ValidateResult with requestId " + xKMSValidateResult.getRequestId() + " erroneous -> skip integrity check");
            } else {
                if (!this.id2cdp.containsKey(xKMSValidateResult.getRequestId())) {
                    LOG.error("Unknown RequestId " + xKMSValidateResult.getRequestId() + " responded");
                    return SignalReasons.XKMS_CORRUPT_SIGNING_TIME;
                }
                CertificateDatePair certificateDatePair = this.id2cdp.get(xKMSValidateResult.getRequestId());
                if (!certificateDatePair.certificate.equals(xKMSValidateResult.getCertificate())) {
                    LOG.error("Wrong certificate in response with request with id " + xKMSValidateResult.getRequestId());
                    return SignalReasons.XKMS_CORRUPT_SIGNING_TIME;
                }
                if (!certificateDatePair.date.equals(xKMSValidateResult.getVerificationTime())) {
                    LOG.error("Wrong verification time in response with request with id " + xKMSValidateResult.getRequestId());
                    return SignalReasons.XKMS_CORRUPT_SIGNING_TIME;
                }
            }
        }
        LOG.info("Validation times checked successful");
        return SignalReasons.VALID;
    }

    public SignalReason checkResponseSignature(XKMSValidateResponse xKMSValidateResponse) {
        return (isUnsignedResponseExpected() && XKMSXMLUtilities.isUnsigned(xKMSValidateResponse.getResponseXML())) ? SignalReasons.NONE : XKMSXMLUtilities.checkSignature(xKMSValidateResponse.getResponseXML(), this.xkmsServerCert, xKMSValidateResponse);
    }

    private boolean isUnsignedResponseExpected() {
        return this.xkmsServerCert == null;
    }
}
