package de.gematik.pki.ocsp;

import de.gematik.pki.exception.GemPkiRuntimeException;
import de.gematik.pki.utils.P12Container;
import de.gematik.pki.utils.Utils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import lombok.Generated;
import lombok.NonNull;
import org.bouncycastle.asn1.isismtt.ocsp.CertHash;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import org.bouncycastle.cert.ocsp.Req;
import org.bouncycastle.internal.asn1.isismtt.ISISMTTObjectIdentifiers;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gematik/pki/ocsp/OcspResponseGenerator.class */
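/**
 * Builds signed OCSP responses for test purposes.
 *
 * <p>Every certificate listed in the request is answered with status {@code GOOD} and without a
 * {@code nextUpdate}; no revocation data is consulted. Optionally the ISIS-MTT {@code certHash}
 * single-response extension is added, either computed over the requested end-entity certificate or,
 * when {@code validCertHash} is {@code false}, deliberately over a dummy value so that clients can be
 * tested against a non-matching hash.
 *
 * <p>Instances are immutable; create them through {@link #builder()}.
 */
public class OcspResponseGenerator {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(OcspResponseGenerator.class);

    /** Builder default for {@code withCertHash}: the certHash extension is added. */
    private static final boolean DEFAULT_WITH_CERT_HASH = true;

    /** Builder default for {@code validCertHash}: the certHash is computed over the real certificate. */
    private static final boolean DEFAULT_VALID_CERT_HASH = true;

    /** Digested to produce an intentionally wrong certHash when {@code validCertHash} is false. */
    private static final String INVALID_CERT_HASH_SEED = "notAValidCertHash";

    /** Holds the responder certificate and the private key used to sign the response. */
    @NonNull
    private final P12Container signer;

    /** Whether the ISIS-MTT certHash extension is added to each single response. */
    private final boolean withCertHash;

    /** Whether the certHash covers the requested certificate (true) or a fixed dummy value (false). */
    private final boolean validCertHash;

    /**
     * Builder for {@link OcspResponseGenerator}. {@code withCertHash} and {@code validCertHash}
     * default to {@code true} when not set explicitly.
     */
    @Generated
    /* loaded from: input_file:de/gematik/pki/ocsp/OcspResponseGenerator$OcspResponseGeneratorBuilder.class */
    public static class OcspResponseGeneratorBuilder {

        private P12Container signer;

        // The *Set flags distinguish "explicitly set to false" from "never set", so that
        // the defaults only apply when the caller has not touched the value.
        private boolean withCertHashSet;
        private boolean withCertHashValue;
        private boolean validCertHashSet;
        private boolean validCertHashValue;

        OcspResponseGeneratorBuilder() {
        }

        /**
         * Sets the signer (responder certificate and private key).
         *
         * @param p12Container signer material, must not be null
         * @return this builder
         * @throws NullPointerException if {@code p12Container} is null
         */
        public OcspResponseGeneratorBuilder signer(@NonNull P12Container p12Container) {
            this.signer = Objects.requireNonNull(p12Container, "signer is marked non-null but is null");
            return this;
        }

        /**
         * Controls whether the certHash extension is added to each single response.
         *
         * @param z true to add the extension
         * @return this builder
         */
        public OcspResponseGeneratorBuilder withCertHash(boolean z) {
            this.withCertHashValue = z;
            this.withCertHashSet = true;
            return this;
        }

        /**
         * Controls whether the certHash is computed over the requested certificate.
         *
         * @param z false to produce a deliberately non-matching certHash
         * @return this builder
         */
        public OcspResponseGeneratorBuilder validCertHash(boolean z) {
            this.validCertHashValue = z;
            this.validCertHashSet = true;
            return this;
        }

        /**
         * Creates the generator, applying the defaults for every option not set explicitly.
         *
         * @return a new generator
         * @throws NullPointerException if no signer was set
         */
        public OcspResponseGenerator build() {
            boolean effectiveWithCertHash = this.withCertHashSet ? this.withCertHashValue : DEFAULT_WITH_CERT_HASH;
            boolean effectiveValidCertHash = this.validCertHashSet ? this.validCertHashValue : DEFAULT_VALID_CERT_HASH;
            return new OcspResponseGenerator(this.signer, effectiveWithCertHash, effectiveValidCertHash);
        }

        @Override
        public String toString() {
            return "OcspResponseGenerator.OcspResponseGeneratorBuilder(signer=" + this.signer + ", withCertHash$value=" + this.withCertHashValue + ", validCertHash$value=" + this.validCertHashValue + ")";
        }
    }

    /**
     * Generates a signed OCSP response for the given request, answering every listed certificate
     * with status {@code GOOD} and using the current time as {@code producedAt}.
     *
     * @param oCSPReq the OCSP request to answer, must not be null
     * @param x509Certificate the end-entity certificate whose hash goes into the certHash extension, must not be null
     * @return the DER-encodable OCSP response
     * @throws NullPointerException if an argument is null
     * @throws GemPkiRuntimeException if the response cannot be built or signed, or the signer key
     *     algorithm is not supported
     */
    public OCSPResp gen(@NonNull OCSPReq oCSPReq, @NonNull X509Certificate x509Certificate) {
        Objects.requireNonNull(oCSPReq, "ocspReq is marked non-null but is null");
        Objects.requireNonNull(x509Certificate, "eeCert is marked non-null but is null");
        // Register BC once; addProvider() is a no-op for an already installed provider, but
        // constructing a fresh provider on every call is needless work.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        try {
            return gen(oCSPReq, x509Certificate, this.signer.getCertificate(), ZonedDateTime.now());
        } catch (OperatorCreationException | IOException | OCSPException | CertificateEncodingException e) {
            throw new GemPkiRuntimeException("Generieren der OCSP Response fehlgeschlagen.", e);
        }
    }

    /**
     * Builds and signs the response.
     *
     * @param oCSPReq the request whose certIDs are answered
     * @param x509Certificate the end-entity certificate used for the certHash extension
     * @param x509Certificate2 the responder (signer) certificate, embedded in the response
     * @param zonedDateTime the {@code producedAt} time; also used as {@code thisUpdate} of each single response
     * @return the signed response with status {@code SUCCESSFUL}
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws IOException if the certHash extension cannot be encoded
     * @throws OCSPException if the response cannot be built
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws GemPkiRuntimeException if the signer key algorithm is neither RSA nor EC
     */
    private OCSPResp gen(OCSPReq oCSPReq, X509Certificate x509Certificate, X509Certificate x509Certificate2, ZonedDateTime zonedDateTime) throws OperatorCreationException, IOException, OCSPException, CertificateEncodingException {
        // Responder identified via its public key; the SHA-1 key hash here is the RFC 6960 KeyHash
        // form of the responder ID, not a signature digest.
        SubjectPublicKeyInfo responderKey = SubjectPublicKeyInfo.getInstance(x509Certificate2.getPublicKey().getEncoded());
        BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(responderKey, new BcDigestCalculatorProvider().get(CertificateID.HASH_SHA1));

        Extensions extensions = buildSingleResponseExtensions(x509Certificate);

        // One timestamp for producedAt and every thisUpdate: taking a fresh Date() per single
        // response could place thisUpdate a few milliseconds after producedAt.
        Date producedAt = Date.from(zonedDateTime.toInstant());
        for (Req req : oCSPReq.getRequestList()) {
            addSingleResponseWithStatusGood(basicOCSPRespBuilder, req, extensions, producedAt);
        }

        X509CertificateHolder[] x509CertificateHolderArr = {new X509CertificateHolder(x509Certificate2.getEncoded())};
        String signatureAlgorithm = signatureAlgorithmFor(this.signer.getPrivateKey().getAlgorithm());
        return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicOCSPRespBuilder.build(new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(this.signer.getPrivateKey()), x509CertificateHolderArr, producedAt));
    }

    /**
     * Assembles the extensions attached to every single response: the ISIS-MTT certHash
     * (SHA-256) when enabled, otherwise none.
     *
     * @param x509Certificate the end-entity certificate to hash
     * @return the (possibly empty) extension set
     * @throws IOException if the CertHash structure cannot be encoded
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    private Extensions buildSingleResponseExtensions(X509Certificate x509Certificate) throws IOException, CertificateEncodingException {
        List<Extension> extensionList = new ArrayList<>();
        if (this.withCertHash) {
            byte[] certHashValue;
            if (this.validCertHash) {
                certHashValue = Utils.calculateSha256(x509Certificate.getEncoded());
            } else {
                log.warn("Invalid CertHash is generated because of user request. Parameter 'validCertHash' is set to false.");
                // Explicit charset so the dummy hash is identical on every platform.
                certHashValue = Utils.calculateSha256(INVALID_CERT_HASH_SEED.getBytes(StandardCharsets.UTF_8));
            }
            CertHash certHash = new CertHash(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256), certHashValue);
            extensionList.add(new Extension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash, false, certHash.getEncoded()));
        } else {
            log.warn("CertHash generation disabled because of user request. Parameter 'withCertHash' is set to false.");
        }
        return new Extensions(extensionList.toArray(new Extension[0]));
    }

    /**
     * Maps the signer's key algorithm to the JCA signature algorithm used for the response.
     *
     * @param keyAlgorithm the private key's algorithm name
     * @return the signature algorithm name
     * @throws GemPkiRuntimeException for any algorithm other than RSA or EC
     */
    private static String signatureAlgorithmFor(String keyAlgorithm) {
        switch (keyAlgorithm) {
            case "RSA":
                return "SHA256withRSA";
            case "EC":
                return "SHA256WITHECDSA";
            default:
                throw new GemPkiRuntimeException("Signaturalgorithmus nicht unterstützt: " + keyAlgorithm);
        }
    }

    /**
     * Adds a single response with status {@code GOOD} and no {@code nextUpdate}.
     *
     * @param basicOCSPRespBuilder the builder to add to
     * @param req the request entry whose certID is answered
     * @param extensions single-response extensions
     * @param thisUpdate the {@code thisUpdate} time
     */
    private static void addSingleResponseWithStatusGood(BasicOCSPRespBuilder basicOCSPRespBuilder, Req req, Extensions extensions, Date thisUpdate) {
        basicOCSPRespBuilder.addResponse(req.getCertID(), CertificateStatus.GOOD, thisUpdate, (Date) null, extensions);
    }

    /**
     * Creates a generator; prefer {@link #builder()}.
     *
     * @param p12Container signer material, must not be null
     * @param z whether to add the certHash extension
     * @param z2 whether the certHash covers the real certificate
     * @throws NullPointerException if {@code p12Container} is null
     */
    @Generated
    OcspResponseGenerator(@NonNull P12Container p12Container, boolean z, boolean z2) {
        this.signer = Objects.requireNonNull(p12Container, "signer is marked non-null but is null");
        this.withCertHash = z;
        this.validCertHash = z2;
    }

    /**
     * Returns a new builder.
     *
     * @return a builder with default options
     */
    @Generated
    public static OcspResponseGeneratorBuilder builder() {
        return new OcspResponseGeneratorBuilder();
    }
}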
