package de.gematik.pki.certificate;

import de.gematik.pki.error.ErrorCode;
import de.gematik.pki.exception.GemPkiException;
import de.gematik.pki.exception.GemPkiRuntimeException;
import de.gematik.pki.tsl.TspServiceSubset;
import eu.europa.esig.trustedlist.jaxb.tsl.ExtensionType;
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Node;

/* loaded from: input_file:de/gematik/pki/certificate/CertificateProfileVerification.class */
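public class CertificateProfileVerification {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(CertificateProfileVerification.class);

    /** Product identifier that is carried into every {@link GemPkiException} raised here. */
    @NonNull
    private final String productType;

    /** Issuer's TSL service entry; its extensions are consulted for certificate-type authorisation. */
    @NonNull
    private final TspServiceSubset tspServiceSubset;

    /** Expected profile (key usages, extended key usages, certificate type) the end-entity certificate must match. */
    @NonNull
    private final CertificateProfile certificateProfile;

    /** End-entity certificate under verification. */
    @NonNull
    private final X509Certificate x509EeCert;

    /**
     * Lombok-style builder for {@link CertificateProfileVerification}. Every setter rejects
     * {@code null}; {@link #build()} forwards to the private constructor, which re-checks.
     */
    @Generated
    /* loaded from: input_file:de/gematik/pki/certificate/CertificateProfileVerification$CertificateProfileVerificationBuilder.class */
    public static class CertificateProfileVerificationBuilder {

        @Generated
        private String productType;

        @Generated
        private TspServiceSubset tspServiceSubset;

        @Generated
        private CertificateProfile certificateProfile;

        @Generated
        private X509Certificate x509EeCert;

        @Generated
        CertificateProfileVerificationBuilder() {
        }

        /**
         * @param str product type, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code str} is {@code null}
         */
        @Generated
        public CertificateProfileVerificationBuilder productType(@NonNull String str) {
            if (str == null) {
                throw new NullPointerException("productType is marked non-null but is null");
            }
            this.productType = str;
            return this;
        }

        /**
         * @param tspServiceSubset issuer's TSL service entry, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code tspServiceSubset} is {@code null}
         */
        @Generated
        public CertificateProfileVerificationBuilder tspServiceSubset(@NonNull TspServiceSubset tspServiceSubset) {
            if (tspServiceSubset == null) {
                throw new NullPointerException("tspServiceSubset is marked non-null but is null");
            }
            this.tspServiceSubset = tspServiceSubset;
            return this;
        }

        /**
         * @param certificateProfile expected profile, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code certificateProfile} is {@code null}
         */
        @Generated
        public CertificateProfileVerificationBuilder certificateProfile(@NonNull CertificateProfile certificateProfile) {
            if (certificateProfile == null) {
                throw new NullPointerException("certificateProfile is marked non-null but is null");
            }
            this.certificateProfile = certificateProfile;
            return this;
        }

        /**
         * @param x509Certificate end-entity certificate, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code x509Certificate} is {@code null}
         */
        @Generated
        public CertificateProfileVerificationBuilder x509EeCert(@NonNull X509Certificate x509Certificate) {
            if (x509Certificate == null) {
                throw new NullPointerException("x509EeCert is marked non-null but is null");
            }
            this.x509EeCert = x509Certificate;
            return this;
        }

        /**
         * @return a new verification instance
         * @throws NullPointerException if any of the four fields was not set
         */
        @Generated
        public CertificateProfileVerification build() {
            return new CertificateProfileVerification(this.productType, this.tspServiceSubset, this.certificateProfile, this.x509EeCert);
        }

        @Generated
        @Override
        public String toString() {
            return "CertificateProfileVerification.CertificateProfileVerificationBuilder(productType=" + this.productType + ", tspServiceSubset=" + this.tspServiceSubset + ", certificateProfile=" + this.certificateProfile + ", x509EeCert=" + this.x509EeCert + ")";
        }
    }

    /**
     * Verifies that the certificate's KeyUsage bits are exactly the set required by the profile:
     * the number of set bits equals the number of intended usages and every intended bit is set,
     * which together rule out both missing and surplus usages.
     *
     * @throws GemPkiException with {@code SE_1016} if the KeyUsage extension is absent, the
     *     number of set bits differs from the profile, or an intended bit is not set (or lies
     *     outside the array returned by {@link X509Certificate#getKeyUsage()})
     */
    public void verifyKeyUsage() throws GemPkiException {
        // getKeyUsage() returns a fresh copy on each call; read it once.
        final boolean[] keyUsage = this.x509EeCert.getKeyUsage();
        if (keyUsage == null) {
            throw new GemPkiException(this.productType, ErrorCode.SE_1016);
        }
        int setBits = 0;
        for (final boolean bit : keyUsage) {
            if (bit) {
                setBits++;
            }
        }
        final List<KeyUsage> intendedKeyUsages = getIntendedKeyUsagesFromCertificateProfile(this.certificateProfile);
        if (setBits != intendedKeyUsages.size()) {
            throw new GemPkiException(this.productType, ErrorCode.SE_1016);
        }
        for (final KeyUsage intended : intendedKeyUsages) {
            final int bit = intended.getBit();
            // An out-of-range bit index is treated as "not set" rather than raising an
            // ArrayIndexOutOfBoundsException from certificate-driven input.
            if (bit < 0 || bit >= keyUsage.length || !keyUsage[bit]) {
                throw new GemPkiException(this.productType, ErrorCode.SE_1016);
            }
        }
    }

    /**
     * Returns the KeyUsages the given profile prescribes.
     *
     * @param certificateProfile the profile to read from
     * @return the profile's intended key usages
     */
    private static List<KeyUsage> getIntendedKeyUsagesFromCertificateProfile(CertificateProfile certificateProfile) {
        // The original round trip through valueOf(name()) yields the same constant; read directly.
        return certificateProfile.getKeyUsages();
    }

    /**
     * Verifies that the certificate's ExtendedKeyUsage OIDs match the profile exactly.
     *
     * <p>If the certificate carries no EKU extension, this passes unless the profile lists
     * intended EKUs and {@code isFailOnMissingEku()} is set. If the extension is present, every
     * intended OID must be present in the certificate and the certificate must list exactly as
     * many OIDs as the profile (so no surplus EKU is accepted). A present-but-empty EKU list is
     * rejected.
     *
     * @throws GemPkiException with {@code SE_1017} on any mismatch
     * @throws GemPkiRuntimeException if the EKU extension cannot be parsed
     */
    public void verifyExtendedKeyUsage() throws GemPkiException {
        final List<String> certificateEkus;
        try {
            certificateEkus = this.x509EeCert.getExtendedKeyUsage();
        } catch (final CertificateParsingException e) {
            throw new GemPkiRuntimeException("Fehler beim Lesen der ExtendedKeyUsages des Zertifikats: " + this.x509EeCert.getSubjectX500Principal().getName(), e);
        }
        final List<String> intendedOids = getOidOfIntendedExtendedKeyUsagesFromCertificateProfile(this.certificateProfile);
        if (certificateEkus == null) {
            if (!intendedOids.isEmpty() && this.certificateProfile.isFailOnMissingEku()) {
                throw new GemPkiException(this.productType, ErrorCode.SE_1017);
            }
            return;
        }
        // Require all intended OIDs, not merely one overlapping OID: with the previous
        // "any match" test a certificate of the right size but only partial overlap passed.
        final boolean mismatch = certificateEkus.isEmpty()
            || certificateEkus.size() != intendedOids.size()
            || !certificateEkus.containsAll(intendedOids);
        if (mismatch) {
            log.debug(ErrorCode.SE_1017.getErrorMessage(this.productType));
            throw new GemPkiException(this.productType, ErrorCode.SE_1017);
        }
    }

    /**
     * Returns the OID strings of the ExtendedKeyUsages the given profile prescribes.
     *
     * @param certificateProfile the profile to read from
     * @return OIDs of the profile's intended extended key usages, in profile order
     */
    private static List<String> getOidOfIntendedExtendedKeyUsagesFromCertificateProfile(CertificateProfile certificateProfile) {
        return certificateProfile.getExtKeyUsages().stream()
            .map(extKeyUsage -> extKeyUsage.getOid())
            .collect(Collectors.toList());
    }

    /**
     * Verifies the certificate type: the certificate's policy OIDs must contain the profile's
     * certificate-type OID, and the issuing CA's TSL service entry must be authorised to issue
     * that type.
     *
     * @throws GemPkiException see {@link #getCertificatePolicyOids(X509Certificate)},
     *     {@link #verifyCertificateProfileByCertificateTypeOid(Set)} and
     *     {@link #verifyCertificateTypeOidInIssuerTspServiceExtension(Set)}
     */
    public void verifyCertificateType() throws GemPkiException {
        final Set<String> certificatePolicyOids = getCertificatePolicyOids(this.x509EeCert);
        verifyCertificateProfileByCertificateTypeOid(certificatePolicyOids);
        verifyCertificateTypeOidInIssuerTspServiceExtension(certificatePolicyOids);
    }

    /**
     * Checks that the profile's certificate-type OID is among the certificate's policy OIDs.
     *
     * @param set policy OIDs found in the certificate
     * @throws GemPkiException with {@code SE_1018} if the expected OID is missing
     */
    private void verifyCertificateProfileByCertificateTypeOid(Set<String> set) throws GemPkiException {
        final String expectedOid = this.certificateProfile.getCertificateType().getOid();
        if (set.contains(expectedOid)) {
            return;
        }
        log.debug("ZertifikatsTypOids im Zertifikat: {}", set);
        log.debug("Erwartete ZertifikatsTypOid: {}", expectedOid);
        throw new GemPkiException(this.productType, ErrorCode.SE_1018);
    }

    /**
     * Checks that at least one extension of the issuer's TSL service entry names one of the
     * certificate's policy OIDs, i.e. the CA is authorised to issue this certificate type.
     * Extension content that is not a DOM {@link Node}, or a node without a text child, is skipped.
     *
     * @param set policy OIDs found in the certificate
     * @throws GemPkiException with {@code SE_1061} if no extension matches
     */
    private void verifyCertificateTypeOidInIssuerTspServiceExtension(Set<String> set) throws GemPkiException {
        log.debug("Prüfe CA Authorisierung für die Herausgabe des Zertifikatstyps {} ", this.certificateProfile.getCertificateType().getOidReference());
        for (final ExtensionType extension : this.tspServiceSubset.getExtensions()) {
            for (final Object content : extension.getContent()) {
                if (!(content instanceof Node)) {
                    continue;
                }
                // Guard both lookups: an element with no text child previously caused an NPE
                // instead of simply not matching.
                final Node firstChild = ((Node) content).getFirstChild();
                final String nodeValue = firstChild == null ? null : firstChild.getNodeValue();
                if (nodeValue != null && set.contains(nodeValue.trim())) {
                    return;
                }
            }
        }
        throw new GemPkiException(this.productType, ErrorCode.SE_1061);
    }

    /**
     * Extracts the certificate-policy OIDs from the certificate.
     *
     * @param x509Certificate certificate to read the policies extension from
     * @return the non-empty set of policy OIDs
     * @throws GemPkiException with {@code SE_1033} if no policies are present or the extension
     *     is malformed ({@link IllegalArgumentException}), with {@code TE_1019} on read/encoding
     *     errors
     */
    private Set<String> getCertificatePolicyOids(X509Certificate x509Certificate) throws GemPkiException {
        try {
            final Set<String> policyOids = new Policies(x509Certificate).getPolicyOids();
            if (policyOids.isEmpty()) {
                throw new GemPkiException(this.productType, ErrorCode.SE_1033);
            }
            return policyOids;
        } catch (final IOException | CertificateEncodingException e) {
            // GemPkiException carries no cause here; keep the diagnostic at debug level.
            log.debug("Fehler beim Lesen der Policies des Zertifikats", e);
            throw new GemPkiException(this.productType, ErrorCode.TE_1019);
        } catch (final IllegalArgumentException e) {
            log.debug("Ungültige Policies im Zertifikat", e);
            throw new GemPkiException(this.productType, ErrorCode.SE_1033);
        }
    }

    /** @return a fresh builder */
    @Generated
    public static CertificateProfileVerificationBuilder builder() {
        return new CertificateProfileVerificationBuilder();
    }

    /**
     * @param str product type
     * @param tspServiceSubset issuer's TSL service entry
     * @param certificateProfile expected profile
     * @param x509Certificate end-entity certificate
     * @throws NullPointerException if any argument is {@code null}
     */
    @Generated
    private CertificateProfileVerification(@NonNull String str, @NonNull TspServiceSubset tspServiceSubset, @NonNull CertificateProfile certificateProfile, @NonNull X509Certificate x509Certificate) {
        if (str == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (tspServiceSubset == null) {
            throw new NullPointerException("tspServiceSubset is marked non-null but is null");
        }
        if (certificateProfile == null) {
            throw new NullPointerException("certificateProfile is marked non-null but is null");
        }
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        this.productType = str;
        this.tspServiceSubset = tspServiceSubset;
        this.certificateProfile = certificateProfile;
        this.x509EeCert = x509Certificate;
    }
}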
