package de.bos_bremen.vii.validate.en319102;

import de.bos_bremen.algorithm_catalog.AlgorithmCatalogResponse;
import de.bos_bremen.algorithm_catalog.Usage;
import de.bos_bremen.ci.QLevel;
import de.bos_bremen.vii.common.Signal;
import de.bos_bremen.vii.common.SignalReason;
import de.bos_bremen.vii.common.SignalReasons;
import de.bos_bremen.vii.doctype.VIICertEntry;
import de.bos_bremen.vii.doctype.VIIEntry;
import de.bos_bremen.vii.doctype.VIIRevocationValueEntry;
import de.bos_bremen.vii.doctype.VIISignatureEntry;
import de.bos_bremen.vii.doctype.VIITimestampSignatureEntry;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:de/bos_bremen/vii/validate/en319102/ValidationBlocks.class */
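/**
 * Signature validation building blocks for the {@code en319102} package.
 *
 * <p>The method names follow the building blocks of ETSI EN 319 102-1 (signer certificate
 * identification, validation context initialization, X.509 certificate validation, past
 * certificate/signature validation, control-time sliding, POE extraction, long term validation).
 *
 * <p><b>Review notes for callers:</b>
 * <ul>
 *   <li>{@link #cryptographicVerification}, {@link #signatureAcceptanceValidation},
 *       {@link #basicValidationProcess} and {@link #validationProcessForAdEST} have empty bodies
 *       in this listing. A normal return from them proves nothing about the signature.</li>
 *   <li>"Current time" is the {@link Date} captured when this object was constructed, not the
 *       time of the call. Use a fresh instance per validation run if that matters.</li>
 *   <li>Thread-safety is not established by anything in this class; the entry objects passed in
 *       are mutated (cumulated signals and reasons).</li>
 * </ul>
 */
public class ValidationBlocks {
    private static final Log LOG = LogFactory.getLog(ValidationBlocks.class);

    // Snapshot of the wall clock taken at construction. Every "current time" comparison below
    // (certificate validity, control time start, current-time POEs) uses this value, so a
    // long-lived instance validates against an increasingly stale time.
    // NOTE(review): the same mutable Date reference is handed to every ProofOfExistence created
    // with it - confirm ProofOfExistence does not expose or modify it.
    private final Date now = new Date();
    private final SignalReasonTransformer signalReasonsTransformer = new SignalReasonTransformer();

    /**
     * Determines the signer certificate for a signature.
     *
     * <p>The certificate derived from the signature's author entry wins; the supplied
     * {@code x509Certificate} is only a fallback when the author entry yields none.
     *
     * @param vIISignatureEntry the signature; must not be {@code null}
     * @param x509Certificate fallback certificate, may be {@code null}
     * @return the signer certificate, never {@code null}
     * @throws IllegalArgumentException if {@code vIISignatureEntry} is {@code null}
     * @throws ValidationException with
     *     {@code EN_319102_INDETERMINATE_NO_SIGNER_CERTIFICATE_FOUND} if neither source provides a
     *     certificate
     */
    public X509Certificate identificationOfSignerCertificate(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate) throws ValidationException {
        if (vIISignatureEntry == null) {
            throw new IllegalArgumentException("signature is a mandatory parameter");
        }
        X509Certificate fromAuthorEntry = CertificateMetaData.x509certificateFromCertEntry(vIISignatureEntry.getAuthor());
        if (fromAuthorEntry != null) {
            return fromAuthorEntry;
        }
        if (x509Certificate == null) {
            throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_NO_SIGNER_CERTIFICATE_FOUND, "no certificate found");
        }
        return x509Certificate;
    }

    /** No-op in this listing: performs no XAdES-specific signer certificate processing. */
    private void iscProcessXades(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate) throws ValidationException {
    }

    /** No-op in this listing: performs no CAdES-specific signer certificate processing. */
    private void iscProcessCades(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate) throws ValidationException {
    }

    /** No-op in this listing: performs no PAdES-specific signer certificate processing. */
    private void iscProcessPades(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate) throws ValidationException {
    }

    /**
     * Builds the validation context for a signature.
     *
     * <p>Only {@code vIISignatureEntry} is used. The policies, trusted lists and local
     * configuration arguments are ignored, the X.509 parameters and cryptographic constraints are
     * default-constructed, and the third and fifth constructor arguments are {@code null}.
     * NOTE(review): caller-supplied policy therefore has no effect on validation here.
     *
     * @param vIISignatureEntry the signature the certificate metadata is built from
     * @return a new validation context
     */
    public ValidationContext validationContextInitialization(VIISignatureEntry vIISignatureEntry, SignatureValidationPolicies signatureValidationPolicies, TrustedStatusServiceLists trustedStatusServiceLists, LocalConfiguration localConfiguration) throws ValidationException {
        return new ValidationContext(new X509ValidationParameters(), new CertificateMetaData(vIISignatureEntry), null, new CryptographicConstraints(), null);
    }

    /**
     * Checks that the construction-time "now" lies inside the certificate's validity period and
     * looks up its chain.
     *
     * <p>This method does not inspect the chain returned by {@code getChain}: no trust anchor,
     * path or revocation check is visible here. Whether {@code getChain} itself throws on an
     * unusable chain cannot be told from this class.
     *
     * @param x509Certificate certificate to check; must not be {@code null}
     * @param validationContext context providing the certificate metadata; must not be {@code null}
     * @throws IllegalArgumentException if the certificate or the context is {@code null}
     * @throws ValidationException with {@code EN_319102_INDETERMINATE_OUT_OF_BOUNDS_NO_POE} if
     *     "now" is before {@code notBefore} or after {@code notAfter}
     */
    public void x509CertificateValidation(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate, ValidationContext validationContext) throws ValidationException {
        // Same argument contract as pastCertificateValidation instead of a bare NPE further down.
        if (x509Certificate == null) {
            throw new IllegalArgumentException("certificate is mandatory!");
        }
        if (validationContext == null) {
            throw new IllegalArgumentException("validation context is mandatory!");
        }
        if (this.now.before(x509Certificate.getNotBefore()) || this.now.after(x509Certificate.getNotAfter())) {
            throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_OUT_OF_BOUNDS_NO_POE, "current time not in the certificate's validity range");
        }
        validationContext.getCertificateMetaData().getChain(x509Certificate);
    }

    /**
     * No-op in this listing: performs no cryptographic verification. Returning normally does NOT
     * mean the signature value was verified.
     */
    public void cryptographicVerification(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate, ValidatedCertificateChain validatedCertificateChain, SignedDataObject... signedDataObjectArr) throws ValidationException {
    }

    /**
     * No-op in this listing: applies no acceptance constraints. Returning normally does NOT mean
     * the signature was accepted.
     */
    public void signatureAcceptanceValidation(VIISignatureEntry vIISignatureEntry, CvOutput cvOutput, ValidationContext validationContext) throws ValidationException {
    }

    /**
     * No-op in this listing: runs none of the basic validation steps. Returning normally does NOT
     * mean basic validation passed.
     */
    public void basicValidationProcess(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate, TrustedStatusServiceLists trustedStatusServiceLists, SignatureValidationPolicies signatureValidationPolicies, LocalConfiguration localConfiguration, SignedDataObject... signedDataObjectArr) throws ValidationException {
    }

    /**
     * Evaluates a signature timestamp against the signature it belongs to.
     *
     * <p>Relies on results already stored on the entries (cumulated signal, matching reason); it
     * does not verify the timestamp token itself. Checks, in order:
     * <ol>
     *   <li>cumulated signal and matching-reason signal of the timestamp are both GREEN;</li>
     *   <li>the claimed signing time is absent or not after the timestamp's generation time;</li>
     *   <li>both qualities are at least {@code QCPPLUS}, or the timestamp's quality ordinal is not
     *       below the signature's.</li>
     * </ol>
     * On failure of step 2 or 3 the parent signature (and for step 2 also its parent and the
     * timestamp entry) is downgraded to at least YELLOW before the exception is thrown.
     *
     * <p>The policy, trusted-list, configuration and certificate arguments are unused.
     * NOTE(review): a {@code null} generation time with a non-null signing time would hit
     * {@code Date.after(null)} - confirm the entry guarantees a generation time.
     *
     * @param vIITimestampSignatureEntry timestamp whose parent is a {@link VIISignatureEntry}
     * @throws ValidationException if any of the checks above fails
     */
    public void validationProcessForTimestamps(VIITimestampSignatureEntry vIITimestampSignatureEntry, SignatureValidationPolicies signatureValidationPolicies, TrustedStatusServiceLists trustedStatusServiceLists, LocalConfiguration localConfiguration, X509Certificate x509Certificate) throws ValidationException {
        VIISignatureEntry coveredSignature = (VIISignatureEntry) vIITimestampSignatureEntry.getParent();
        if (vIITimestampSignatureEntry.getCumulated() != Signal.GREEN || !vIITimestampSignatureEntry.getMatchingReason().getSignal().equals(Signal.GREEN)) {
            // Report the digest mismatch in preference to the generic cumulated reason.
            if (!vIITimestampSignatureEntry.getMatchingReason().getSignal().equals(Signal.GREEN)) {
                throw new ValidationException(vIITimestampSignatureEntry.getMatchingReason(), "digest does not match");
            }
            throw new ValidationException(vIITimestampSignatureEntry.getFirstCumulatedReason(), "timestamp was not checked as valid by vi");
        }
        Date signingTime = coveredSignature.getSigningTime();
        Date generationTime = vIITimestampSignatureEntry.getGenerationTime();
        if (signingTime == null || !signingTime.after(generationTime)) {
            QLevel timestampQuality = vIITimestampSignatureEntry.getQuality();
            QLevel signatureQuality = coveredSignature.getQuality();
            // NOTE(review): the comparison depends on the declaration order of QLevel (ordinal).
            if (areBothQualified(timestampQuality, signatureQuality) || timestampQuality.ordinal() >= signatureQuality.ordinal()) {
                return;
            }
            coveredSignature.setCumulated(Signal.max(coveredSignature.getCumulated(), Signal.YELLOW));
            coveredSignature.addCumulatedReason(SignalReasons.LEVELT_INDETERMINATE_QUALITYMISMATCH_TIMESTAMP_USERCERTIFICATE);
            throw new ValidationException(SignalReasons.LEVELT_INDETERMINATE_QUALITYMISMATCH_TIMESTAMP_USERCERTIFICATE, "signatureQuality: " + signatureQuality + " timestampQuality: " + timestampQuality);
        }
        // The signer claims a signing time later than the timestamp that covers the signature.
        coveredSignature.setCumulated(Signal.max(coveredSignature.getCumulated(), Signal.YELLOW));
        coveredSignature.addCumulatedReason(SignalReasons.LEVELT_INDETERMINATE_SIGNINGTIME_AFTER_SIGNATURETIMESTAMP);
        if (vIITimestampSignatureEntry.getCumulatedReasons().contains(SignalReasons.LEVELT_VALID)) {
            vIITimestampSignatureEntry.getCumulatedReasons().remove(SignalReasons.LEVELT_VALID);
        }
        VIIEntry parent = coveredSignature.getParent();
        parent.setCumulated(Signal.max(parent.getCumulated(), Signal.YELLOW));
        vIITimestampSignatureEntry.addCumulatedReason(SignalReasons.LEVELT_INDETERMINATE_SIGNINGTIME_AFTER_SIGNATURETIMESTAMP);
        throw new ValidationException(SignalReasons.LEVELT_INDETERMINATE_SIGNINGTIME_AFTER_SIGNATURETIMESTAMP, "claimedSigningTime: " + signingTime + " generationTime: " + generationTime);
    }

    /**
     * Tells whether both levels are at or above {@code QLevel.QCPPLUS} in enum declaration order.
     *
     * @param qLevel first level; {@code null} makes {@code compareTo} throw
     * @param qLevel2 second level; only evaluated when the first one qualifies
     * @return {@code true} if neither level is declared before {@code QCPPLUS}
     */
    public static boolean areBothQualified(QLevel qLevel, QLevel qLevel2) {
        return QLevel.QCPPLUS.compareTo(qLevel) <= 0 && QLevel.QCPPLUS.compareTo(qLevel2) <= 0;
    }

    /**
     * No-op in this listing: performs no validation for signatures with time. Returning normally
     * does NOT mean the signature is valid.
     */
    public void validationProcessForAdEST(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate, TrustedStatusServiceLists trustedStatusServiceLists, SignatureValidationPolicies signatureValidationPolicies, LocalConfiguration localConfiguration, SignedDataObject... signedDataObjectArr) throws ValidationException {
    }

    /**
     * Computes the control time for a certificate by sliding over its chain.
     *
     * @param vIISignatureEntry the signature; must not be {@code null} (otherwise unused here)
     * @param x509Certificate certificate whose chain is evaluated; must not be {@code null}
     * @param setOfPOE available proofs of existence; must not be {@code null}
     * @param validationContext context with non-null X.509 validation parameters
     * @return the control time produced by {@link #controlTimeSliding}
     * @throws IllegalArgumentException if a mandatory argument is missing
     * @throws ValidationException propagated unchanged from the chain lookup or the sliding
     */
    public Date pastCertificateValidation(VIISignatureEntry vIISignatureEntry, X509Certificate x509Certificate, SetOfPOE setOfPOE, ValidationContext validationContext) throws ValidationException {
        if (vIISignatureEntry == null) {
            throw new IllegalArgumentException("signature is mandatory!");
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("certificate is mandatory!");
        }
        if (validationContext == null || validationContext.getX509ValidationParameters() == null) {
            throw new IllegalArgumentException("X509 validations parameters are mandatory!");
        }
        if (setOfPOE == null) {
            throw new IllegalArgumentException("Set of POE is mandatory!");
        }
        X509Certificate[] chain = validationContext.getCertificateMetaData().getChain(x509Certificate);
        return controlTimeSliding(chain, setOfPOE, validationContext);
    }

    /**
     * Slides the control time backwards over a certificate chain.
     *
     * <p>Starts at the construction-time "now". For every chain element from index 1 onwards it
     * picks the most recently issued revocation status information issued strictly before the
     * current control time, requires a POE at the control time for both the certificate and that
     * revocation information, and then moves the control time to the revocation time (if revoked)
     * or to the issue date of the revocation information (if it is not fresh).
     *
     * <p>NOTE(review): index 0 of the chain is never examined. Which end of the chain index 0
     * holds is not visible here; confirm against {@code CertificateMetaData.getChain} that the
     * skipped element is the one intended to be exempt.
     *
     * @param x509CertificateArr the chain to walk
     * @param setOfPOE available proofs of existence
     * @param validationContext context providing the certificate metadata
     * @return the resulting control time
     * @throws ValidationException with {@code EN_319102_INDETERMINATE_NO_POE} if a chain element
     *     has no usable revocation information or lacks a POE at the control time
     */
    public Date controlTimeSliding(X509Certificate[] x509CertificateArr, SetOfPOE setOfPOE, ValidationContext validationContext) throws ValidationException {
        Date controlTime = this.now;
        CertificateMetaData certificateMetaData = validationContext.getCertificateMetaData();
        for (int i = 1; i < x509CertificateArr.length; i++) {
            X509Certificate x509Certificate = x509CertificateArr[i];
            // Latest revocation information that was issued before the current control time.
            RevocationStatusInformation latest = null;
            for (RevocationStatusInformation candidate : certificateMetaData.getRevocationStatusInformation(x509Certificate)) {
                if (candidate.getIssueDate().before(controlTime) && (latest == null || latest.getIssueDate().before(candidate.getIssueDate()))) {
                    latest = candidate;
                }
            }
            if (latest == null) {
                throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_NO_POE, "No Revocation Status Info for " + x509Certificate);
            }
            if (!setOfPOE.containsPOE(certificateMetaData.fetchCertEntry(x509Certificate), controlTime) || !setOfPOE.containsPOE(latest.getEntry(), controlTime)) {
                throw new ValidationException(SignalReasons.EN_319102_INDETERMINATE_NO_POE, "No POE for " + x509Certificate);
            }
            if (latest.isRevoked()) {
                controlTime = latest.revokedAt();
                LOG.debug("Certificate revoked: " + latest.getCertEntry().getId() + " set the control time to " + controlTime);
            } else if (!latest.isFresh(controlTime)) {
                controlTime = latest.getIssueDate();
            }
        }
        return controlTime;
    }

    /**
     * Records the timestamp's generation time as a proof of existence for the signature.
     *
     * <p>Mutates and returns the very same {@code setOfPOE} instance; {@code validationContext}
     * is unused. No validity check on the timestamp is performed here - that is the caller's job.
     *
     * @return {@code setOfPOE}, after the new entry was added
     */
    public SetOfPOE performPOEExtraction(VIISignatureEntry vIISignatureEntry, VIITimestampSignatureEntry vIITimestampSignatureEntry, SetOfPOE setOfPOE, ValidationContext validationContext) {
        setOfPOE.add(new ProofOfExistence(vIITimestampSignatureEntry.getGenerationTime(), vIISignatureEntry));
        return setOfPOE;
    }

    /**
     * Decides whether an indeterminate current-time status can be lifted using proofs of
     * existence.
     *
     * <p>Returns normally (signature accepted) only if a POE for the signature exists at the
     * control time computed by {@link #pastCertificateValidation} and {@code signalReason} is one
     * of the four handled {@code ..._NO_POE} statuses with its extra condition met. In every
     * other case the method throws, by default with the incoming {@code signalReason}.
     *
     * @param vIISignatureEntry signature under validation; must not be {@code null}
     * @param signalReason current-time status; must not be {@code null}
     * @param list entries whose algorithm validity is checked for the
     *     {@code CRYPTO_CONSTRAINTS_FAILURE_NO_POE} status; may be {@code null}, in which case
     *     that status cannot be lifted
     * @param x509Certificate signer certificate; must not be {@code null}
     * @param setOfPOE available proofs of existence; must not be {@code null}
     * @param validationContext context with non-null X.509 validation parameters
     * @throws IllegalArgumentException if a mandatory argument is missing
     * @throws ValidationException if the status cannot be lifted
     */
    public void pastSignatureValidation(VIISignatureEntry vIISignatureEntry, SignalReason signalReason, List<VIISignatureEntry> list, X509Certificate x509Certificate, SetOfPOE setOfPOE, ValidationContext validationContext) throws ValidationException {
        if (vIISignatureEntry == null) {
            throw new IllegalArgumentException("signature is mandatory!");
        }
        if (signalReason == null) {
            throw new IllegalArgumentException("currentTimeStatus is mandatory!");
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("certificate is mandatory!");
        }
        if (validationContext == null || validationContext.getX509ValidationParameters() == null) {
            throw new IllegalArgumentException("X509 validations parameters are mandatory!");
        }
        if (setOfPOE == null) {
            throw new IllegalArgumentException("Set of POE is mandatory!");
        }
        Date controlTime = pastCertificateValidation(vIISignatureEntry, x509Certificate, setOfPOE, validationContext);
        if (setOfPOE.containsPOE(vIISignatureEntry, controlTime)) {
            if (signalReason.equals(SignalReasons.EN_319102_INDETERMINATE_REVOKED_NO_POE)) {
                vIISignatureEntry.addCumulatedReason(SignalReasons.LEVELT_VALID_COMPROMISED_AFTER_TIMESTAMP);
                return;
            }
            if (signalReason.equals(SignalReasons.EN_319102_INDETERMINATE_REVOKED_CA_NO_POE)) {
                return;
            }
            if (signalReason.equals(SignalReasons.EN_319102_INDETERMINATE_OUT_OF_BOUNDS_NO_POE)) {
                if (setOfPOE.getBestSignatureTime(vIISignatureEntry).before(x509Certificate.getNotBefore())) {
                    throw new ValidationException(SignalReasons.EN_319102_INVALID_NOT_YET_VALID, "certificate not yet valid");
                }
                return;
            }
            if (signalReason.equals(SignalReasons.EN_319102_INDETERMINATE_CRYPTO_CONSTRAINTS_FAILURE_NO_POE)) {
                validationContext.getCryptographicConstraints();
                // longTermValidationProcess passes null here. Fail closed: without entries to
                // check there is no evidence the algorithms were still considered secure, so the
                // indeterminate status is kept instead of crashing or silently accepting.
                if (list == null) {
                    throw new ValidationException(signalReason, "no signature entries supplied for the cryptographic constraints check");
                }
                for (VIISignatureEntry entry : list) {
                    AlgorithmCatalogResponse hashValidTo = entry.getValidToForHashAlgAtVerifyTime();
                    AlgorithmCatalogResponse paddingValidTo = entry.getValidToForPaddingAlgAtVerifyTime();
                    AlgorithmCatalogResponse signatureValidTo = entry.getValidToForSignatureAlgAtVerifyTime();
                    if (!setOfPOE.containsPOE(entry, hashValidTo) || !setOfPOE.containsPOE(entry, paddingValidTo) || !setOfPOE.containsPOE(entry, signatureValidTo)) {
                        throw new ValidationException(SignalReasons.EN_319102_INVALID_CRYPTO_CONSTRAINTS_FAILURE, "algorithm wasn't considered secure at signing time");
                    }
                }
                return;
            }
        }
        throw new ValidationException(signalReason, "could not validate signature");
    }

    /**
     * Runs the long term validation for a signature.
     *
     * <p>Steps: build the validation context, seed the POE set with current-time POEs, derive the
     * current-time status from the reasons already cumulated on the entry, try to turn a signature
     * timestamp into POEs, and finally run {@link #pastSignatureValidation} on the signature.
     *
     * <p>The basic validation result is not computed here; it is taken from what is already stored
     * on {@code vIISignatureEntry}. A timestamp that fails validation is not fatal: it merely
     * contributes no POE, and the final past signature validation decides the outcome.
     *
     * <p>NOTE(review): the timestamp digest algorithm is checked at "now" when the timestamp
     * validated cleanly but at the generation time when it had to be rescued by past signature
     * validation - confirm the asymmetry is intended.
     *
     * @param vIISignatureEntry signature to validate; dereferenced immediately
     * @param setOfPOE initial POEs, or {@code null} to start with an empty set
     * @throws ValidationException if the signature cannot be validated
     */
    public void longTermValidationProcess(VIISignatureEntry vIISignatureEntry, TrustedStatusServiceLists trustedStatusServiceLists, SignatureValidationPolicies signatureValidationPolicies, LocalConfiguration localConfiguration, SetOfPOE setOfPOE, SignedDataObject... signedDataObjectArr) throws ValidationException {
        LOG.debug("Starting long term validation for " + vIISignatureEntry.getId());
        ValidationContext context = validationContextInitialization(vIISignatureEntry, signatureValidationPolicies, trustedStatusServiceLists, localConfiguration);
        SetOfPOE poes = setOfPOE == null ? new SetOfPOE() : setOfPOE;
        collectCurrentTimePOEs(poes, vIISignatureEntry);
        SignalReason cumulatedReason = this.signalReasonsTransformer.getCumulatedReason(vIISignatureEntry);
        SignalReason currentTimeStatus = this.signalReasonsTransformer.transform(cumulatedReason);
        LOG.debug("Assuming Result from BasicSignature Validation: " + cumulatedReason);
        if (SignalReasons.IDrev_red.equals(cumulatedReason)) {
            LOG.debug("The signature certificate is revoked: " + cumulatedReason);
        }
        if (SignalReasons.IDrev_yellow.equals(cumulatedReason)) {
            LOG.debug("The signature certificate is revoked: " + cumulatedReason);
        }
        VIITimestampSignatureEntry signatureTimestamp = vIISignatureEntry.getSignatureTimestamp();
        if (signatureTimestamp != null) {
            Date generationTime = signatureTimestamp.getGenerationTime();
            LOG.debug("found signature timestamp as POE at " + generationTime);
            try {
                try {
                    validationProcessForTimestamps(signatureTimestamp, signatureValidationPolicies, trustedStatusServiceLists, localConfiguration, null);
                    if (context.getCryptographicConstraints().isValid(signatureTimestamp.getDigestAlgorithm(), Usage.SIGN_TIMESTAMP, this.now)) {
                        poes.add(new ProofOfExistence(generationTime, vIISignatureEntry));
                        poes.add(new ProofOfExistence(generationTime, vIISignatureEntry.getAuthor()));
                        // NOTE(review): performPOEExtraction returns the set it was given, so this
                        // adds the set to itself - confirm SetOfPOE.addAll tolerates that.
                        poes.addAll(performPOEExtraction(vIISignatureEntry, signatureTimestamp, poes, null));
                    }
                } catch (ValidationException e) {
                    // The timestamp is not valid at current time; try to validate it in the past.
                    pastSignatureValidation(signatureTimestamp, new SignalReasonTransformer().transform(e.getReason()), Collections.singletonList(vIISignatureEntry), CertificateMetaData.x509certificateFromCertEntry(signatureTimestamp.getAuthor()), poes, context);
                    if (context.getCryptographicConstraints().isValid(signatureTimestamp.getDigestAlgorithm(), Usage.SIGN_TIMESTAMP, generationTime)) {
                        poes.add(new ProofOfExistence(generationTime, vIISignatureEntry));
                        poes.add(new ProofOfExistence(generationTime, vIISignatureEntry.getAuthor()));
                        poes.addAll(performPOEExtraction(vIISignatureEntry, signatureTimestamp, poes, null));
                    }
                }
            } catch (ValidationException e2) {
                // Best effort: an unusable timestamp yields no POE. Keep a trace of why, so a
                // rejected signature can be diagnosed from the log.
                LOG.debug("signature timestamp could not be used as POE for " + vIISignatureEntry.getId(), e2);
            }
        }
        pastSignatureValidation(vIISignatureEntry, currentTimeStatus, null, identificationOfSignerCertificate(vIISignatureEntry, null), poes, context);
    }

    /**
     * Adds current-time POEs for a signature, its author certificate chain and, recursively, its
     * content and signature timestamps.
     *
     * <p>A timestamp entry contributes nothing (including its certificates and nested timestamps)
     * unless its integrity is GREEN and its matching reason is {@code SignalReasons.VALID}.
     * NOTE(review): the matching reason is compared by reference ({@code !=}) while the rest of
     * the class uses {@code equals}; confirm {@code SignalReasons.VALID} is a shared constant.
     *
     * @param setOfPOE set to add to
     * @param vIISignatureEntry entry to collect for; {@code null} ends the recursion
     */
    private void collectCurrentTimePOEs(SetOfPOE setOfPOE, VIISignatureEntry vIISignatureEntry) {
        if (vIISignatureEntry == null) {
            return;
        }
        if (vIISignatureEntry instanceof VIITimestampSignatureEntry) {
            VIITimestampSignatureEntry timestamp = (VIITimestampSignatureEntry) vIISignatureEntry;
            if (timestamp.getIntegrity() != Signal.GREEN || timestamp.getMatchingReason() != SignalReasons.VALID) {
                return;
            }
        }
        setOfPOE.add(new ProofOfExistence(this.now, vIISignatureEntry));
        collectCurrentTimePOEsForCert(setOfPOE, vIISignatureEntry.getAuthor());
        collectCurrentTimePOEs(setOfPOE, vIISignatureEntry.getContentTimestamp());
        collectCurrentTimePOEs(setOfPOE, vIISignatureEntry.getSignatureTimestamp());
    }

    /**
     * Adds current-time POEs for a certificate, its issuers up the chain and its revocation
     * values.
     *
     * <p>Certificates are added unconditionally; a revocation value is added only when both its
     * integrity and its cumulated signal are GREEN.
     *
     * @param setOfPOE set to add to
     * @param vIICertEntry certificate entry; {@code null} is ignored
     */
    private void collectCurrentTimePOEsForCert(SetOfPOE setOfPOE, VIICertEntry vIICertEntry) {
        if (vIICertEntry == null) {
            return;
        }
        setOfPOE.add(new ProofOfExistence(this.now, vIICertEntry));
        VIICertEntry issuer = vIICertEntry.getIssuer();
        if (issuer != null) {
            collectCurrentTimePOEsForCert(setOfPOE, issuer);
        }
        List<VIIRevocationValueEntry> revocationValues = vIICertEntry.getRevocationValues();
        if (revocationValues == null) {
            return;
        }
        for (VIIRevocationValueEntry revocationValue : revocationValues) {
            Signal integrity = revocationValue.getIntegrity();
            Signal cumulated = revocationValue.getCumulated();
            if (integrity == Signal.GREEN && cumulated == Signal.GREEN) {
                setOfPOE.add(new ProofOfExistence(this.now, revocationValue));
            }
        }
    }
}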
