package de.gematik.pki.ocsp;

import de.gematik.pki.error.ErrorCode;
import de.gematik.pki.exception.GemPkiException;
import de.gematik.pki.exception.GemPkiRuntimeException;
import de.gematik.pki.utils.Utils;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import lombok.Generated;
import lombok.NonNull;
import org.bouncycastle.asn1.isismtt.ocsp.CertHash;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.internal.asn1.isismtt.ISISMTTObjectIdentifiers;

/* loaded from: input_file:de/gematik/pki/ocsp/OcspVerifier.class */
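/**
 * Checks a single OCSP response against a given end-entity certificate.
 *
 * <p>Two checks are implemented here: {@link #verifyCertHash()} compares the ISIS-MTT
 * {@code certHash} extension of the first {@code SingleResp} with the SHA-256 digest of the
 * DER-encoded end-entity certificate, and {@link #verifyStatusGood()} requires a successful
 * response status, exactly one {@code SingleResp} and the certificate status {@code GOOD}.
 *
 * <p>Nothing else is verified by this class: the response signature, the responder certificate
 * and the {@code thisUpdate}/{@code nextUpdate}/{@code producedAt} freshness window are not
 * inspected here, so callers that rely on this class for revocation checking must cover those
 * aspects elsewhere.
 *
 * <p>Instances are immutable and built via the Lombok-generated {@link #builder()}.
 */
public class OcspVerifier {

    /** Product type used to qualify the error codes of thrown {@link GemPkiException}s. */
    @NonNull
    private final String productType;

    /** End-entity certificate whose OCSP response is being checked. */
    @NonNull
    final X509Certificate eeCert;

    /** The OCSP response under test. */
    @NonNull
    final OCSPResp ocspResponse;

    /** Message for wrapped BouncyCastle/encoding failures (German, user-facing). */
    private static final String OCSP_ERROR = "OCSP Response Auswertung fehlgeschlagen.";

    /** Lombok-generated builder; every field is mandatory and null-checked on set and on build. */
    @Generated
    /* loaded from: input_file:de/gematik/pki/ocsp/OcspVerifier$OcspVerifierBuilder.class */
    public static class OcspVerifierBuilder {

        @Generated
        private String productType;

        @Generated
        private X509Certificate eeCert;

        @Generated
        private OCSPResp ocspResponse;

        @Generated
        OcspVerifierBuilder() {
        }

        /**
         * Sets the product type.
         *
         * @param str product type, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code str} is {@code null}
         */
        @Generated
        public OcspVerifierBuilder productType(@NonNull String str) {
            if (str == null) {
                throw new NullPointerException("productType is marked non-null but is null");
            }
            this.productType = str;
            return this;
        }

        /**
         * Sets the end-entity certificate.
         *
         * @param x509Certificate certificate, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code x509Certificate} is {@code null}
         */
        @Generated
        public OcspVerifierBuilder eeCert(@NonNull X509Certificate x509Certificate) {
            if (x509Certificate == null) {
                throw new NullPointerException("eeCert is marked non-null but is null");
            }
            this.eeCert = x509Certificate;
            return this;
        }

        /**
         * Sets the OCSP response to check.
         *
         * @param oCSPResp response, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code oCSPResp} is {@code null}
         */
        @Generated
        public OcspVerifierBuilder ocspResponse(@NonNull OCSPResp oCSPResp) {
            if (oCSPResp == null) {
                throw new NullPointerException("ocspResponse is marked non-null but is null");
            }
            this.ocspResponse = oCSPResp;
            return this;
        }

        /**
         * Builds the verifier.
         *
         * @return a new {@link OcspVerifier}
         * @throws NullPointerException if any of the three fields was never set
         */
        @Generated
        public OcspVerifier build() {
            return new OcspVerifier(this.productType, this.eeCert, this.ocspResponse);
        }

        @Generated
        public String toString() {
            return "OcspVerifier.OcspVerifierBuilder(productType=" + this.productType + ", eeCert=" + this.eeCert + ", ocspResponse=" + this.ocspResponse + ")";
        }
    }

    /**
     * Runs the certHash check followed by the status check.
     *
     * <p>Order matters for error attribution: {@link #verifyCertHash()} runs first, so a response
     * that carries no response body at all (e.g. a non-successful response status) is reported as
     * {@code SE_1040} from the certHash check rather than as the status error of
     * {@link #verifyStatusGood()}.
     *
     * @throws GemPkiException        on certHash extension problems ({@code SE_1040}) or a hash
     *                                mismatch ({@code SE_1041})
     * @throws GemPkiRuntimeException on any status or structural problem of the response
     */
    public void performOcspChecks() throws GemPkiException {
        verifyCertHash();
        verifyStatusGood();
    }

    /**
     * Requires a successful OCSP response containing exactly one {@code SingleResp} whose
     * certificate status is {@code GOOD}.
     *
     * @throws GemPkiRuntimeException if the response status is not 0 (successful), the response
     *                                body is missing, the number of single responses is not one,
     *                                the status is not GOOD, or BouncyCastle fails to parse the
     *                                response body
     */
    public void verifyStatusGood() {
        // OCSPResponseStatus 0 is "successful"; any other value means there is no usable body.
        if (this.ocspResponse.getStatus() != 0) {
            throw new GemPkiRuntimeException("OCSP response status ist nicht 0, sondern: " + this.ocspResponse.getStatus());
        }
        try {
            BasicOCSPResp basicOCSPResp = (BasicOCSPResp) this.ocspResponse.getResponseObject();
            if (basicOCSPResp == null) {
                throw new GemPkiRuntimeException("Keine OCSP Response erhalten.");
            }
            SingleResp[] responses = basicOCSPResp.getResponses();
            // Exactly one SingleResp is expected; note that zero responses also ends up here.
            if (responses.length != 1) {
                throw new GemPkiRuntimeException("Mehr als eine OCSP Response erhalten: " + responses.length);
            }
            // BouncyCastle models CertificateStatus.GOOD as null, so a reference comparison is
            // the intended test here; REVOKED/UNKNOWN are non-null objects.
            if (CertificateStatus.GOOD != responses[0].getCertStatus()) {
                throw new GemPkiRuntimeException("OCSP Response ist nicht GOOD, sondern: " + responses[0].getCertStatus());
            }
        } catch (OCSPException e) {
            throw new GemPkiRuntimeException(OCSP_ERROR, e);
        }
    }

    /**
     * Compares the ISIS-MTT {@code certHash} extension of the first {@code SingleResp} with the
     * SHA-256 digest of the DER-encoded end-entity certificate.
     *
     * <p>Any {@code null} on the way to the hash (no response body, missing extension, unparsable
     * extension value) is reported as {@code SE_1040}; a present but different hash as
     * {@code SE_1041}.
     *
     * <p>NOTE(review): the hash algorithm declared inside the {@code CertHash} structure is not
     * checked against SHA-256 here; a response that declares another algorithm will simply fail
     * with {@code SE_1041}. Also, only the first single response is inspected, and an empty
     * response array is not guarded against in this method.
     *
     * @throws GemPkiException        {@code SE_1040} if the certHash extension cannot be read,
     *                                {@code SE_1041} if the hash does not match
     * @throws GemPkiRuntimeException if the certificate cannot be DER-encoded or BouncyCastle
     *                                fails to parse the response body
     */
    public void verifyCertHash() throws GemPkiException {
        try {
            final BasicOCSPResp basicOCSPResp = (BasicOCSPResp) this.ocspResponse.getResponseObject();
            final SingleResp firstResponse = basicOCSPResp.getResponses()[0];
            // Each step may yield null; the NPE is caught below and mapped to SE_1040.
            final byte[] hashFromResponse = CertHash.getInstance(
                            firstResponse.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash).getParsedValue())
                    .getCertificateHash();
            final byte[] expectedHash = Utils.calculateSha256(this.eeCert.getEncoded());
            if (!Arrays.equals(hashFromResponse, expectedHash)) {
                throw new GemPkiException(this.productType, ErrorCode.SE_1041);
            }
        } catch (NullPointerException e) {
            // Deliberate: a missing response body or missing/unparsable extension is SE_1040.
            throw new GemPkiException(this.productType, ErrorCode.SE_1040);
        } catch (CertificateEncodingException | OCSPException e2) {
            throw new GemPkiRuntimeException(OCSP_ERROR, e2);
        }
    }

    /**
     * Creates a new builder.
     *
     * @return a fresh {@link OcspVerifierBuilder}
     */
    @Generated
    public static OcspVerifierBuilder builder() {
        return new OcspVerifierBuilder();
    }

    /**
     * Lombok-generated all-args constructor; use {@link #builder()} instead.
     *
     * @throws NullPointerException if any argument is {@code null}
     */
    @Generated
    private OcspVerifier(@NonNull String str, @NonNull X509Certificate x509Certificate, @NonNull OCSPResp oCSPResp) {
        if (str == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (x509Certificate == null) {
            throw new NullPointerException("eeCert is marked non-null but is null");
        }
        if (oCSPResp == null) {
            throw new NullPointerException("ocspResponse is marked non-null but is null");
        }
        this.productType = str;
        this.eeCert = x509Certificate;
        this.ocspResponse = oCSPResp;
    }
}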
