package de.bos_bremen.vii.validate.en319102;

import de.bos_bremen.ci.asn1.x509.Certificate;
import de.bos_bremen.ci.asn1.x509.JX509Certificate;
import de.bos_bremen.vii.common.Signal;
import de.bos_bremen.vii.common.SignalReasons;
import de.bos_bremen.vii.doctype.VIICertEntry;
import de.bos_bremen.vii.doctype.VIIRevocationValueEntry;
import de.bos_bremen.vii.doctype.VIISignatureEntry;
import de.bos_bremen.vii.doctype.VIITimestampSignatureEntry;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:de/bos_bremen/vii/validate/en319102/CertificateMetaData.class */
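/**
 * Per-signature index of certificates, revocation data and trust anchors used by the
 * EN 319 102 validation code in this package.
 *
 * <p>Everything is keyed by the value returned from {@link #fingerprintForCert(X509Certificate)}.
 * Trust anchors are not read from a trust store here: the top of the author's issuer chain is
 * registered as an anchor when the upstream evaluation reports chain integrity {@code GREEN}
 * (see {@link #collectTrustedAnchors(VIICertEntry)}), so the trust decision made by this class
 * is only as strong as that upstream evaluation.
 *
 * <p>Not thread-safe: the backing maps and sets are plain, unsynchronized collections.
 */
public class CertificateMetaData {
    private static final Log LOG = LogFactory.getLog(CertificateMetaData.class);
    // Revocation status objects per certificate fingerprint.
    private final MultiMap<String, RevocationStatusInformation> revocationData;
    // Source entry per certificate fingerprint; a later add for the same fingerprint overwrites.
    private final Map<String, VIICertEntry> certEntries;
    // Certificates indexed by issuer DN string and by subject DN string.
    private final MultiMap<String, X509Certificate> issuers;
    private final MultiMap<String, X509Certificate> subjects;
    // Fingerprints of the certificates this instance treats as trust anchors.
    private final Set<String> trustAnchors;

    /** Creates an empty index. */
    CertificateMetaData() {
        this.revocationData = new MultiMap<>();
        this.certEntries = new HashMap<>();
        this.issuers = new MultiMap<>();
        this.subjects = new MultiMap<>();
        this.trustAnchors = new HashSet<>();
    }

    /**
     * Builds the index for one signature: first walks the signature (and its timestamps) to
     * collect certificates and revocation values, then derives the trust anchor from the
     * author certificate's chain.
     *
     * @param vIISignatureEntry signature whose author chain and revocation values are indexed
     * @throws ValidationException if a certificate cannot be converted or fingerprinted
     */
    public CertificateMetaData(VIISignatureEntry vIISignatureEntry) throws ValidationException {
        this();
        collectRevocationStatusInformation(vIISignatureEntry);
        collectTrustedAnchors(vIISignatureEntry.getAuthor());
    }

    /**
     * Registers the top of the given entry's issuer chain as a trust anchor, but only when the
     * entry's evaluated chain integrity is {@code GREEN}. Does nothing for {@code null} or for
     * any other signal.
     *
     * <p>The walk stops at an entry without issuer or at an entry whose issuer has the same id
     * (self-issued).
     */
    private void collectTrustedAnchors(VIICertEntry vIICertEntry) throws ValidationException {
        if (vIICertEntry == null || vIICertEntry.getEvaluatedIdentityObject().getChainIntegrity() != Signal.GREEN) {
            return;
        }
        // NOTE(review): only a direct self-reference ends this walk; an issuer cycle of length
        // two or more would not terminate. Presumably the upstream GREEN evaluation rules that
        // out - confirm.
        VIICertEntry top = vIICertEntry;
        while (top.getIssuer() != null && !top.getId().equals(top.getIssuer().getId())) {
            top = top.getIssuer();
        }
        addTrustedAnchor(x509certificateFromCertEntry(top));
    }

    /**
     * Indexes a certificate entry under its fingerprint and by issuer/subject name.
     *
     * @throws ValidationException if the entry cannot be converted or fingerprinted
     */
    public void addVIICertEntry(VIICertEntry vIICertEntry) throws ValidationException {
        X509Certificate certificate = x509certificateFromCertEntry(vIICertEntry);
        this.certEntries.put(fingerprintForCert(certificate), vIICertEntry);
        addX509Certificate(certificate);
        LOG.debug("Number of Certs found: " + this.certEntries.size());
    }

    /**
     * Adds the certificate to the issuer-name and subject-name indexes.
     *
     * <p>The keys are the string forms returned by {@code getIssuerDN().getName()} and
     * {@code getSubjectDN().getName()}; these are provider-formatted strings, not canonical
     * name encodings.
     */
    public void addX509Certificate(X509Certificate x509Certificate) {
        String issuerName = x509Certificate.getIssuerDN().getName();
        String subjectName = x509Certificate.getSubjectDN().getName();
        this.issuers.add(issuerName, x509Certificate);
        this.subjects.add(subjectName, x509Certificate);
    }

    /**
     * Marks the certificate as a trust anchor for this instance.
     *
     * <p>No check is performed here; every later {@link #getChain(X509Certificate)} result is
     * anchored in whatever is passed to this method, so callers must only pass certificates
     * they have already established as trusted.
     */
    public void addTrustedAnchor(X509Certificate x509Certificate) throws ValidationException {
        LOG.debug("Considering Certificate as Trusted Anchor: " + x509Certificate.getSubjectDN().getName());
        this.trustAnchors.add(fingerprintForCert(x509Certificate));
    }

    /**
     * Looks up the entry that was indexed for the given certificate.
     *
     * @return the entry, or {@code null} if none was added for this fingerprint
     */
    public VIICertEntry fetchCertEntry(X509Certificate x509Certificate) throws ValidationException {
        return this.certEntries.get(fingerprintForCert(x509Certificate));
    }

    /** Records one revocation status object for the given certificate. */
    public void addRevocationStatusInformation(X509Certificate x509Certificate, RevocationStatusInformation revocationStatusInformation) throws ValidationException {
        String fingerprint = fingerprintForCert(x509Certificate);
        LOG.debug("add revocation status information for " + x509Certificate.getSubjectDN().getName() + " status.revokedAt(): " + revocationStatusInformation.revokedAt());
        this.revocationData.add(fingerprint, revocationStatusInformation);
    }

    /**
     * Returns the revocation status objects recorded for the certificate.
     *
     * <p>An empty set is returned both when nothing was recorded and when the certificate could
     * not be fingerprinted. Callers must therefore treat an empty result as "no revocation
     * information available", never as "not revoked".
     *
     * @return the recorded status objects, or an immutable empty set; never {@code null}
     */
    public Set<RevocationStatusInformation> getRevocationStatusInformation(X509Certificate x509Certificate) {
        try {
            Set<RevocationStatusInformation> recorded = this.revocationData.get(fingerprintForCert(x509Certificate));
            if (recorded == null) {
                return Collections.emptySet();
            }
            return recorded;
        } catch (ValidationException e) {
            // Kept best-effort for callers, but no longer silent: a fingerprinting failure
            // would otherwise be indistinguishable from a certificate without revocation data.
            LOG.warn("Could not fingerprint certificate while looking up revocation status information", e);
            return Collections.emptySet();
        }
    }

    /**
     * Builds and verifies the certificate chain for an indexed certificate.
     *
     * <p>The chain follows {@code getIssuer()} links until a registered trust anchor or an
     * entry without issuer is reached. The walk also stops when an issuer link leads back to a
     * certificate that is already part of the chain, so crafted or inconsistent issuer links
     * end in the "no trust anchor" failure instead of an unbounded loop.
     *
     * @param x509Certificate certificate to build the chain for; must have been indexed
     * @return the chain ordered from the trust anchor (index 0) down to the given certificate
     * @throws ValidationException if the certificate is unknown, the chain does not end in a
     *         registered trust anchor, or {@link #verifyChain(X509Certificate[])} fails
     */
    public X509Certificate[] getChain(X509Certificate x509Certificate) throws ValidationException {
        VIICertEntry start = fetchCertEntry(x509Certificate);
        if (start == null) {
            throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_GENERIC, "no certificate entry found");
        }
        LinkedList<VIICertEntry> path = new LinkedList<>();
        Set<String> visited = new HashSet<>();
        path.add(start);
        visited.add(fingerprintForCert(x509Certificate));
        while (true) {
            VIICertEntry current = path.getLast();
            VIICertEntry issuer = current.getIssuer();
            if (issuer == null || isTrustAnchor(current)) {
                break;
            }
            // A repeated fingerprint means the issuer links form a cycle (including a
            // self-issued certificate that is not an anchor); stop and fail below.
            if (!visited.add(fingerprintForCert(x509certificateFromCertEntry(issuer)))) {
                break;
            }
            path.add(issuer);
        }
        VIICertEntry top = path.getLast();
        if (!isTrustAnchor(top)) {
            throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_NO_CERTIFICATE_CHAIN_FOUND, "no trust anchor - for " + top.mo38getCertificate().getSubjectCommonName());
        }
        // Drain from the end of the path so that the anchor lands at index 0.
        X509Certificate[] chain = new X509Certificate[path.size()];
        for (int i = 0; i < chain.length; i++) {
            chain[i] = x509certificateFromCertEntry(path.pollLast());
        }
        verifyChain(chain);
        return chain;
    }

    /**
     * Indexes the author certificate of the signature and then does the same for its signature
     * timestamp and content timestamp, when present.
     */
    private void collectRevocationStatusInformation(VIISignatureEntry vIISignatureEntry) throws ValidationException {
        collectRevocationInformationFromCert(vIISignatureEntry.getAuthor());
        VIITimestampSignatureEntry signatureTimestamp = vIISignatureEntry.getSignatureTimestamp();
        if (signatureTimestamp != null) {
            collectRevocationStatusInformation(signatureTimestamp);
        }
        VIITimestampSignatureEntry contentTimestamp = vIISignatureEntry.getContentTimestamp();
        if (contentTimestamp != null) {
            collectRevocationStatusInformation(contentTimestamp);
        }
    }

    /**
     * Indexes the entry, recurses into its issuer, then records each of its revocation values
     * and indexes the signer of that revocation value in turn.
     */
    private void collectRevocationInformationFromCert(VIICertEntry vIICertEntry) throws ValidationException {
        X509Certificate certificate = x509certificateFromCertEntry(vIICertEntry);
        addVIICertEntry(vIICertEntry);
        // NOTE(review): this recursion has no depth limit or visited check; it relies on the
        // issuer and revocation-value links of the input being acyclic - confirm upstream.
        VIICertEntry issuer = vIICertEntry.getIssuer();
        if (issuer != null) {
            collectRevocationInformationFromCert(issuer);
        }
        List<VIIRevocationValueEntry> revocationValues = vIICertEntry.getRevocationValues();
        if (revocationValues == null) {
            return;
        }
        for (VIIRevocationValueEntry revocationValue : revocationValues) {
            addRevocationStatusInformation(certificate, new RevocationStatusInformation(revocationValue));
            collectRevocationStatusInformation(revocationValue);
        }
    }

    /**
     * Checks that each certificate in the array was issued by its predecessor: the issuer DN
     * string must equal the predecessor's subject DN string, and the signature must verify
     * under the predecessor's public key.
     *
     * <p>Nothing else is checked here: no validity period, basic constraints, key usage or
     * revocation. Element 0 (the anchor) is not verified at all. Those checks have to be
     * performed elsewhere before the chain is relied on.
     *
     * @param x509CertificateArr chain ordered from the trust anchor to the end certificate
     * @throws ValidationException if a name does not chain or a signature does not verify
     */
    private void verifyChain(X509Certificate[] x509CertificateArr) throws ValidationException {
        for (int i = 1; i < x509CertificateArr.length; i++) {
            X509Certificate parent = x509CertificateArr[i - 1];
            X509Certificate child = x509CertificateArr[i];
            if (!parent.getSubjectDN().getName().equals(child.getIssuerDN().getName())) {
                throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_NO_CERTIFICATE_CHAIN_FOUND, "invalid issuer");
            }
            try {
                child.verify(parent.getPublicKey());
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
                throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_NO_CERTIFICATE_CHAIN_FOUND, e);
            }
        }
    }

    /**
     * Tells whether the entry's certificate is a registered trust anchor.
     *
     * @return {@code false} for {@code null}
     */
    public boolean isTrustAnchor(VIICertEntry vIICertEntry) throws ValidationException {
        if (vIICertEntry == null) {
            return false;
        }
        return isTrustAnchor(x509certificateFromCertEntry(vIICertEntry));
    }

    /**
     * Tells whether the certificate's fingerprint is in the trust-anchor set.
     *
     * @return {@code false} for {@code null}
     */
    public boolean isTrustAnchor(X509Certificate x509Certificate) throws ValidationException {
        if (x509Certificate == null) {
            return false;
        }
        return this.trustAnchors.contains(fingerprintForCert(x509Certificate));
    }

    /**
     * Wraps the entry's certificate in a {@link JX509Certificate}.
     *
     * @throws IllegalArgumentException if the entry is {@code null}
     * @throws ValidationException if the entry carries no certificate
     */
    public static X509Certificate x509certificateFromCertEntry(VIICertEntry vIICertEntry) throws ValidationException {
        if (vIICertEntry == null) {
            throw new IllegalArgumentException("certificate required");
        }
        Certificate certificate = vIICertEntry.mo38getCertificate();
        if (certificate == null) {
            throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_GENERIC, "Can not convert certificate");
        }
        return new JX509Certificate(certificate);
    }

    /**
     * Returns the upper-case hex SHA-1 digest of the certificate's encoded form.
     *
     * <p>This value is the identity used for every lookup in this class, including the
     * trust-anchor set. SHA-1 is no longer collision resistant, so two different certificates
     * can in principle be crafted to share a fingerprint. The algorithm is left unchanged
     * because this method is public and callers outside this file may compare the result with
     * stored SHA-1 thumbprints; moving to SHA-256 should be done together with those callers.
     *
     * @throws IllegalArgumentException if the certificate is {@code null}
     * @throws ValidationException if the certificate cannot be encoded or SHA-1 is unavailable
     */
    public static String fingerprintForCert(X509Certificate x509Certificate) throws ValidationException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("certificate required");
        }
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            return DatatypeConverter.printHexBinary(sha1.digest(x509Certificate.getEncoded()));
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new ValidationException(SignalReasons.EN_319102_INVALID_GENERIC, e);
        }
    }
}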
