package de.gematik.pki.certificate;

import de.gematik.pki.error.ErrorCode;
import de.gematik.pki.exception.GemPkiException;
import de.gematik.pki.exception.GemPkiParsingException;
import de.gematik.pki.exception.GemPkiRuntimeException;
import de.gematik.pki.ocsp.OcspRespCache;
import de.gematik.pki.ocsp.OcspTransceiver;
import de.gematik.pki.tsl.TspInformationProvider;
import de.gematik.pki.tsl.TspService;
import de.gematik.pki.tsl.TspServiceSubset;
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.EnumMap;
import java.util.List;
import lombok.Generated;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gematik/pki/certificate/TucPki018Verifier.class */
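/**
 * Runs the TUC_PKI_018 check sequence on an end-entity certificate.
 *
 * <p>{@link #performTucPki18Checks(X509Certificate)} performs, in this order:
 * <ol>
 *   <li>lookup of the matching {@link TspServiceSubset} in the configured TSP service list,</li>
 *   <li>an OCSP check, unless it was switched off in the builder,</li>
 *   <li>the common checks (validity, signature against the issuer certificate from the TSP
 *       subset, issuer service status),</li>
 *   <li>the profile checks (key usage, extended key usage, certificate type) against the
 *       configured certificate profiles.</li>
 * </ol>
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li>{@code withOcspCheck} defaults to {@code true}. When it is set to {@code false}, the only
 *       effect visible in this class is a warning log entry. No revocation status is checked
 *       here, so callers that disable OCSP must obtain revocation information elsewhere.</li>
 *   <li>{@code ocspRespCache} is not null-checked and is handed to the OCSP transceiver as is.</li>
 *   <li>The lists passed to the builder are stored by reference, not copied. Changes the caller
 *       makes to them afterwards are seen by this verifier.</li>
 * </ul>
 */
public class TucPki018Verifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TucPki018Verifier.class);

    // Product type; passed to the TSP lookup, the OCSP transceiver and the verification builders.
    @NonNull
    protected final String productType;

    // TSP services (from the trust service status list) used to find the issuer of a certificate.
    @NonNull
    protected final List<TspService> tspServiceList;

    // Profiles the certificate may match; tried in list order, the first passing profile wins.
    @NonNull
    protected final List<CertificateProfile> certificateProfiles;
    // true: run the OCSP check; false: skip it and only log a warning.
    protected final boolean withOcspCheck;
    // Optional OCSP response cache; may be null as far as this class is concerned.
    protected final OcspRespCache ocspRespCache;

    /**
     * Builder for {@link TucPki018Verifier}. The {@code withOcspCheck$set} flag records whether
     * the caller chose a value explicitly; otherwise {@link #build()} applies the default.
     */
    @Generated
    /* loaded from: input_file:de/gematik/pki/certificate/TucPki018Verifier$TucPki018VerifierBuilder.class */
    public static class TucPki018VerifierBuilder {

        @Generated
        private String productType;

        @Generated
        private List<TspService> tspServiceList;

        @Generated
        private List<CertificateProfile> certificateProfiles;

        @Generated
        private boolean withOcspCheck$set;

        @Generated
        private boolean withOcspCheck$value;

        @Generated
        private OcspRespCache ocspRespCache;

        @Generated
        TucPki018VerifierBuilder() {
        }

        /**
         * @param str product type, must not be null
         * @return this builder
         * @throws NullPointerException if {@code str} is null
         */
        @Generated
        public TucPki018VerifierBuilder productType(@NonNull String str) {
            if (str == null) {
                throw new NullPointerException("productType is marked non-null but is null");
            }
            this.productType = str;
            return this;
        }

        /**
         * @param list TSP services to search, must not be null; stored by reference
         * @return this builder
         * @throws NullPointerException if {@code list} is null
         */
        @Generated
        public TucPki018VerifierBuilder tspServiceList(@NonNull List<TspService> list) {
            if (list == null) {
                throw new NullPointerException("tspServiceList is marked non-null but is null");
            }
            this.tspServiceList = list;
            return this;
        }

        /**
         * @param list certificate profiles to test against, must not be null; stored by reference
         * @return this builder
         * @throws NullPointerException if {@code list} is null
         */
        @Generated
        public TucPki018VerifierBuilder certificateProfiles(@NonNull List<CertificateProfile> list) {
            if (list == null) {
                throw new NullPointerException("certificateProfiles is marked non-null but is null");
            }
            this.certificateProfiles = list;
            return this;
        }

        /**
         * Switches the OCSP check on or off. Passing {@code false} disables the revocation check
         * performed by the verifier; it then only logs a warning.
         *
         * @param z whether to perform the OCSP check
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder withOcspCheck(boolean z) {
            this.withOcspCheck$value = z;
            this.withOcspCheck$set = true;
            return this;
        }

        /**
         * @param ocspRespCache cache handed to the OCSP transceiver; not null-checked here
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder ocspRespCache(OcspRespCache ocspRespCache) {
            this.ocspRespCache = ocspRespCache;
            return this;
        }

        /**
         * Creates the verifier. If {@link #withOcspCheck(boolean)} was never called, the OCSP
         * check is enabled.
         *
         * @return the configured verifier
         * @throws NullPointerException if product type, TSP service list or certificate profiles
         *     were not set
         */
        @Generated
        public TucPki018Verifier build() {
            final boolean ocspEnabled =
                    this.withOcspCheck$set ? this.withOcspCheck$value : TucPki018Verifier.$default$withOcspCheck();
            return new TucPki018Verifier(this.productType, this.tspServiceList, this.certificateProfiles, ocspEnabled, this.ocspRespCache);
        }

        @Generated
        @Override
        public String toString() {
            return "TucPki018Verifier.TucPki018VerifierBuilder(productType=" + this.productType + ", tspServiceList=" + this.tspServiceList + ", certificateProfiles=" + this.certificateProfiles + ", withOcspCheck$value=" + this.withOcspCheck$value + ", ocspRespCache=" + this.ocspRespCache + ")";
        }
    }

    /**
     * Runs all checks on the given end-entity certificate and returns its admission data.
     *
     * @param x509Certificate end-entity certificate to verify, must not be null
     * @return the {@link Admission} built from the certificate once a profile has passed
     * @throws GemPkiException if one of the checks fails
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    public Admission performTucPki18Checks(@NonNull X509Certificate x509Certificate) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        log.debug("TucPki018Checks...");
        TspServiceSubset tspServiceSubset = new TspInformationProvider(this.tspServiceList, this.productType).getTspServiceSubset(x509Certificate);
        // NOTE(review): the OCSP step runs before validity and signature are verified in
        // commonChecks, so an OCSP request may be made for a certificate that later fails the
        // local checks. The issuer certificate and the responder address used for it come from
        // the TSP subset. Confirm that this order is intended.
        doOcspIfConfigured(x509Certificate, tspServiceSubset);
        commonChecks(x509Certificate, tspServiceSubset);
        return tucPki018ProfileChecks(x509Certificate, tspServiceSubset);
    }

    /**
     * Verifies the OCSP response for the certificate when the OCSP check is enabled. When it is
     * disabled, the SW_1039 message is logged at warn level and the method returns without any
     * revocation check.
     *
     * @param x509Certificate end-entity certificate
     * @param tspServiceSubset source of the issuer certificate and the service supply point
     * @throws GemPkiException if the OCSP verification fails
     */
    protected void doOcspIfConfigured(X509Certificate x509Certificate, TspServiceSubset tspServiceSubset) throws GemPkiException {
        if (!this.withOcspCheck) {
            // Revocation status is NOT checked on this path; the warning is the only trace.
            log.warn(ErrorCode.SW_1039.getErrorMessage(this.productType));
            return;
        }
        OcspTransceiver.builder()
                .productType(this.productType)
                .x509EeCert(x509Certificate)
                .x509IssuerCert(tspServiceSubset.getX509IssuerCert())
                .ssp(tspServiceSubset.getServiceSupplyPoint())
                .build()
                .verifyOcspResponse(this.ocspRespCache);
    }

    /**
     * Tests the certificate against the configured profiles in list order and returns the
     * admission data as soon as one profile passes. The result does not say which profile
     * matched. Failures are collected per profile, and a later failure for the same profile
     * replaces an earlier one.
     *
     * @param x509Certificate end-entity certificate, must not be null
     * @param tspServiceSubset TSP subset found for the certificate, must not be null
     * @return the {@link Admission} built from the certificate
     * @throws GemPkiParsingException if no configured profile passes; carries the per-profile
     *     errors
     * @throws GemPkiRuntimeException if the profile list is empty or the admission cannot be read
     * @throws NullPointerException if an argument is null
     */
    protected Admission tucPki018ProfileChecks(@NonNull X509Certificate x509Certificate, @NonNull TspServiceSubset tspServiceSubset) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (tspServiceSubset == null) {
            throw new NullPointerException("tspServiceSubset is marked non-null but is null");
        }
        if (this.certificateProfiles.isEmpty()) {
            throw new GemPkiRuntimeException("Liste der konfigurierten Zertifikatsprofile ist leer.");
        }
        // Typed map: key is the profile that failed, value is the exception raised for it.
        final EnumMap<CertificateProfile, GemPkiException> errors = new EnumMap<>(CertificateProfile.class);
        for (final CertificateProfile certificateProfile : this.certificateProfiles) {
            try {
                tucPki018ChecksForProfile(x509Certificate, certificateProfile, tspServiceSubset);
                log.debug("Übergebenes Zertifikat wurde erfolgreich gegen das Zertifikatsprofil {} getestet.", certificateProfile);
                // Parse the admission once and reuse it for the log line and the result.
                final Admission admission = new Admission(x509Certificate);
                log.debug("Rolle(n): {}", admission.getProfessionItems());
                return admission;
            } catch (GemPkiException e) {
                errors.put(certificateProfile, e);
            } catch (IOException | CertificateEncodingException e2) {
                throw new GemPkiRuntimeException("Fehler bei der Verarbeitung der Admission des Zertifikats: " + x509Certificate.getSubjectX500Principal().getName(), e2);
            }
        }
        throw new GemPkiParsingException(this.productType, errors);
    }

    /**
     * Checks key usage, extended key usage and certificate type of the certificate against one
     * profile.
     *
     * @param x509Certificate end-entity certificate, must not be null
     * @param certificateProfile profile to test against, must not be null
     * @param tspServiceSubset TSP subset found for the certificate, must not be null
     * @throws GemPkiException if one of the three checks fails
     * @throws NullPointerException if an argument is null
     */
    protected void tucPki018ChecksForProfile(@NonNull X509Certificate x509Certificate, @NonNull CertificateProfile certificateProfile, @NonNull TspServiceSubset tspServiceSubset) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (certificateProfile == null) {
            throw new NullPointerException("certificateProfile is marked non-null but is null");
        }
        if (tspServiceSubset == null) {
            throw new NullPointerException("tspServiceSubset is marked non-null but is null");
        }
        final CertificateProfileVerification profileVerification = CertificateProfileVerification.builder()
                .x509EeCert(x509Certificate)
                .certificateProfile(certificateProfile)
                .tspServiceSubset(tspServiceSubset)
                .productType(this.productType)
                .build();
        profileVerification.verifyKeyUsage();
        profileVerification.verifyExtendedKeyUsage();
        profileVerification.verifyCertificateType();
    }

    /**
     * Checks validity, the signature against the issuer certificate from the TSP subset, and the
     * issuer service status.
     *
     * @param x509Certificate end-entity certificate, must not be null
     * @param tspServiceSubset TSP subset found for the certificate, must not be null
     * @throws GemPkiException if one of the three checks fails
     * @throws NullPointerException if an argument is null
     */
    protected void commonChecks(@NonNull X509Certificate x509Certificate, @NonNull TspServiceSubset tspServiceSubset) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (tspServiceSubset == null) {
            throw new NullPointerException("tspServiceSubset is marked non-null but is null");
        }
        final CertificateCommonVerification commonVerification = CertificateCommonVerification.builder()
                .x509EeCert(x509Certificate)
                .tspServiceSubset(tspServiceSubset)
                .productType(this.productType)
                .build();
        commonVerification.verifyValidity();
        commonVerification.verifySignature(tspServiceSubset.getX509IssuerCert());
        commonVerification.verifyIssuerServiceStatus();
    }

    // Default for withOcspCheck when the builder was not told otherwise: OCSP check enabled.
    @Generated
    private static boolean $default$withOcspCheck() {
        return true;
    }

    /**
     * @return a new, empty builder
     */
    @Generated
    public static TucPki018VerifierBuilder builder() {
        return new TucPki018VerifierBuilder();
    }

    /**
     * @param str product type, must not be null
     * @param list TSP services, must not be null; stored by reference
     * @param list2 certificate profiles, must not be null; stored by reference
     * @param z whether the OCSP check is performed
     * @param ocspRespCache OCSP response cache; not null-checked
     * @throws NullPointerException if {@code str}, {@code list} or {@code list2} is null
     */
    @Generated
    protected TucPki018Verifier(@NonNull String str, @NonNull List<TspService> list, @NonNull List<CertificateProfile> list2, boolean z, OcspRespCache ocspRespCache) {
        if (str == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (list == null) {
            throw new NullPointerException("tspServiceList is marked non-null but is null");
        }
        if (list2 == null) {
            throw new NullPointerException("certificateProfiles is marked non-null but is null");
        }
        this.productType = str;
        this.tspServiceList = list;
        this.certificateProfiles = list2;
        this.withOcspCheck = z;
        this.ocspRespCache = ocspRespCache;
    }
}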
