package de.gematik.pki.gemlibpki.ocsp;

import de.gematik.pki.gemlibpki.error.ErrorCode;
import de.gematik.pki.gemlibpki.exception.GemPkiException;
import de.gematik.pki.gemlibpki.exception.GemPkiRuntimeException;
import de.gematik.pki.gemlibpki.tsl.TslConstants;
import de.gematik.pki.gemlibpki.tsl.TspInformationProvider;
import de.gematik.pki.gemlibpki.tsl.TspService;
import de.gematik.pki.gemlibpki.utils.CertReader;
import de.gematik.pki.gemlibpki.utils.GemLibPkiUtils;
import eu.europa.esig.trustedlist.jaxb.tsl.DigitalIdentityType;
import eu.europa.esig.trustedlist.jaxb.tsl.TSPServiceType;
import java.security.MessageDigest;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import lombok.Generated;
import lombok.NonNull;
import org.bouncycastle.asn1.isismtt.ocsp.CertHash;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.internal.asn1.isismtt.ISISMTTObjectIdentifiers;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gematik/pki/gemlibpki/ocsp/TucPki006OcspVerifier.class */
public class TucPki006OcspVerifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TucPki006OcspVerifier.class);

    @NonNull
    protected final String productType;

    @NonNull
    protected final List<TspService> tspServiceList;

    @NonNull
    protected final X509Certificate eeCert;

    @NonNull
    protected final OCSPResp ocspResponse;
    protected final boolean enforceCertHashCheck;

    @Generated
    /* loaded from: input_file:de/gematik/pki/gemlibpki/ocsp/TucPki006OcspVerifier$TucPki006OcspVerifierBuilder.class */
    public static class TucPki006OcspVerifierBuilder {

        @Generated
        private String productType;

        @Generated
        private List<TspService> tspServiceList;

        @Generated
        private X509Certificate eeCert;

        @Generated
        private OCSPResp ocspResponse;

        @Generated
        private boolean enforceCertHashCheck$set;

        @Generated
        private boolean enforceCertHashCheck$value;

        @Generated
        TucPki006OcspVerifierBuilder() {
        }

        @Generated
        public TucPki006OcspVerifierBuilder productType(@NonNull String str) {
            if (str == null) {
                throw new NullPointerException("productType is marked non-null but is null");
            }
            this.productType = str;
            return this;
        }

        @Generated
        public TucPki006OcspVerifierBuilder tspServiceList(@NonNull List<TspService> list) {
            if (list == null) {
                throw new NullPointerException("tspServiceList is marked non-null but is null");
            }
            this.tspServiceList = list;
            return this;
        }

        @Generated
        public TucPki006OcspVerifierBuilder eeCert(@NonNull X509Certificate x509Certificate) {
            if (x509Certificate == null) {
                throw new NullPointerException("eeCert is marked non-null but is null");
            }
            this.eeCert = x509Certificate;
            return this;
        }

        @Generated
        public TucPki006OcspVerifierBuilder ocspResponse(@NonNull OCSPResp oCSPResp) {
            if (oCSPResp == null) {
                throw new NullPointerException("ocspResponse is marked non-null but is null");
            }
            this.ocspResponse = oCSPResp;
            return this;
        }

        @Generated
        public TucPki006OcspVerifierBuilder enforceCertHashCheck(boolean z) {
            this.enforceCertHashCheck$value = z;
            this.enforceCertHashCheck$set = true;
            return this;
        }

        @Generated
        public TucPki006OcspVerifier build() {
            boolean z = this.enforceCertHashCheck$value;
            if (!this.enforceCertHashCheck$set) {
                z = TucPki006OcspVerifier.$default$enforceCertHashCheck();
            }
            return new TucPki006OcspVerifier(this.productType, this.tspServiceList, this.eeCert, this.ocspResponse, z);
        }

        @Generated
        public String toString() {
            return "TucPki006OcspVerifier.TucPki006OcspVerifierBuilder(productType=" + this.productType + ", tspServiceList=" + this.tspServiceList + ", eeCert=" + this.eeCert + ", ocspResponse=" + this.ocspResponse + ", enforceCertHashCheck$value=" + this.enforceCertHashCheck$value + ")";
        }
    }

    public void performTucPki006Checks() throws GemPkiException {
        performTucPki006Checks(GemLibPkiUtils.now());
    }

    public void performTucPki006Checks(@NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        log.info("Performing OCSP checks...");
        verifyOcspResponseSignature();
        verifyStatus(zonedDateTime);
        verifyCertHash();
        verifyThisUpdate(zonedDateTime);
        verifyProducedAt(zonedDateTime);
        verifyNextUpdate(zonedDateTime);
        verifyOcspResponseCertId();
        log.info("OCSP validation successfully finished.");
    }

    protected void verifyStatus(@NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        if (this.ocspResponse.getStatus() != 0) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1058_OCSP_STATUS_ERROR);
        }
        RevokedStatus certStatus = OcspUtils.getFirstSingleResp(this.ocspResponse).getCertStatus();
        if (CertificateStatus.GOOD == certStatus) {
            return;
        }
        if (!(certStatus instanceof RevokedStatus)) {
            throw new GemPkiException(this.productType, ErrorCode.TW_1044_CERT_UNKNOWN);
        }
        if (!ZonedDateTime.ofInstant(certStatus.getRevocationTime().toInstant(), ZoneOffset.UTC).isAfter(zonedDateTime)) {
            throw new GemPkiException(this.productType, ErrorCode.SW_1047_CERT_REVOKED);
        }
    }

    protected void verifyStatus() throws GemPkiException {
        verifyStatus(GemLibPkiUtils.now());
    }

    protected void verifyThisUpdate(@NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        verifyToleranceForFuture(ZonedDateTime.ofInstant(OcspUtils.getFirstSingleResp(this.ocspResponse).getThisUpdate().toInstant(), ZoneOffset.UTC), zonedDateTime, "thisUpdate");
    }

    protected void verifyProducedAt(@NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        ZonedDateTime ofInstant = ZonedDateTime.ofInstant(OcspUtils.getBasicOcspResp(this.ocspResponse).getProducedAt().toInstant(), ZoneOffset.UTC);
        verifyToleranceForPast(ofInstant, zonedDateTime, "producedAt");
        verifyToleranceForFuture(ofInstant, zonedDateTime, "producedAt");
    }

    protected void verifyNextUpdate(@NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        SingleResp firstSingleResp = OcspUtils.getFirstSingleResp(this.ocspResponse);
        if (firstSingleResp.getNextUpdate() == null) {
            log.info("nextUpdate is not set: its verification is not performed");
        } else {
            verifyToleranceForPast(ZonedDateTime.ofInstant(firstSingleResp.getNextUpdate().toInstant(), ZoneOffset.UTC), zonedDateTime, "nextUpdate");
        }
    }

    private void verifyToleranceForFuture(ZonedDateTime zonedDateTime, ZonedDateTime zonedDateTime2, String str) throws GemPkiException {
        if (zonedDateTime.isAfter(zonedDateTime2.plus(37500L, (TemporalUnit) ChronoUnit.MILLIS))) {
            log.error("The interval for {} of the OCSP response {} is outside of the allowed {} seconds in the future {}.", new Object[]{str, zonedDateTime, Long.valueOf(TimeUnit.MILLISECONDS.toSeconds(37500L)), zonedDateTime2});
            throw new GemPkiException(this.productType, ErrorCode.TE_1029_OCSP_CHECK_REVOCATION_ERROR);
        }
    }

    private void verifyToleranceForPast(ZonedDateTime zonedDateTime, ZonedDateTime zonedDateTime2, String str) throws GemPkiException {
        if (zonedDateTime.isBefore(zonedDateTime2.minus(37500L, (TemporalUnit) ChronoUnit.MILLIS))) {
            log.error("The interval for {} of the OCSP response {} is outside of the allowed {} seconds in the past {}.", new Object[]{str, zonedDateTime, Long.valueOf(TimeUnit.MILLISECONDS.toSeconds(37500L)), zonedDateTime2});
            throw new GemPkiException(this.productType, ErrorCode.TE_1029_OCSP_CHECK_REVOCATION_ERROR);
        }
    }

    protected void verifyCertHash() throws GemPkiException {
        if (!this.enforceCertHashCheck) {
            log.info("enforceCertHashCheck=false: verifyCertHash is not performed");
            return;
        }
        try {
            if (MessageDigest.isEqual(CertHash.getInstance(OcspUtils.getFirstSingleResp(this.ocspResponse).getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash).getParsedValue()).getCertificateHash(), GemLibPkiUtils.calculateSha256(GemLibPkiUtils.certToBytes(this.eeCert)))) {
            } else {
                throw new GemPkiException(this.productType, ErrorCode.SE_1041_CERTHASH_MISMATCH);
            }
        } catch (NullPointerException e) {
            throw new GemPkiException(this.productType, ErrorCode.SE_1040_CERTHASH_EXTENSION_MISSING);
        }
    }

    private X509Certificate getFirstCertificate(TSPServiceType tSPServiceType) {
        return CertReader.readX509(((DigitalIdentityType) tSPServiceType.getServiceInformation().getServiceDigitalIdentity().getDigitalId().get(0)).getX509Certificate());
    }

    private boolean isServiceTypeIdentifierOcsp(TSPServiceType tSPServiceType) {
        return tSPServiceType.getServiceInformation().getServiceTypeIdentifier().equals(TslConstants.STI_OCSP);
    }

    private boolean isSameCertificate(TSPServiceType tSPServiceType, byte[] bArr) {
        return tSPServiceType.getServiceInformation().getServiceDigitalIdentity().getDigitalId().stream().filter(digitalIdentityType -> {
            return Arrays.equals(bArr, GemLibPkiUtils.calculateSha256(digitalIdentityType.getX509Certificate()));
        }).findAny().isPresent();
    }

    private X509Certificate getOcspSignerFromTsl(X509Certificate x509Certificate) throws GemPkiException {
        try {
            byte[] calculateSha256 = GemLibPkiUtils.calculateSha256(x509Certificate.getEncoded());
            return getFirstCertificate(this.tspServiceList.stream().filter(tspService -> {
                return isServiceTypeIdentifierOcsp(tspService.getTspServiceType()) && isSameCertificate(tspService.getTspServiceType(), calculateSha256);
            }).findAny().orElseThrow(() -> {
                return new GemPkiException(this.productType, ErrorCode.SE_1030_OCSP_CERT_MISSING);
            }).getTspServiceType());
        } catch (CertificateEncodingException e) {
            throw new GemPkiRuntimeException("Fehler beim lesen des OCSP Signers aus der Response.", e);
        }
    }

    private X509Certificate getSignerFromOcspResponse() {
        BasicOCSPResp basicOcspResp = OcspUtils.getBasicOcspResp(this.ocspResponse);
        if (basicOcspResp.getCerts().length != 1) {
            throw new GemPkiRuntimeException("Nicht genau 1 Zertifikat in OCSP-Response gefunden.");
        }
        try {
            return new JcaX509CertificateConverter().getCertificate(basicOcspResp.getCerts()[0]);
        } catch (CertificateException e) {
            throw new GemPkiRuntimeException("Fehler beim lesen der OCSP Signer Zertifikates aus der OCSP Response.", e);
        }
    }

    protected void verifyOcspResponseSignature() throws GemPkiException {
        X509Certificate ocspSignerFromTsl = getOcspSignerFromTsl(getSignerFromOcspResponse());
        try {
            if (OcspUtils.getBasicOcspResp(this.ocspResponse).isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(ocspSignerFromTsl.getPublicKey()))) {
            } else {
                throw new GemPkiException(this.productType, ErrorCode.SE_1031_OCSP_SIGNATURE_ERROR);
            }
        } catch (OCSPException | OperatorCreationException e) {
            throw new GemPkiRuntimeException("Interner Fehler beim verifizieren der Ocsp Response Signatur.", e);
        }
    }

    protected void verifyOcspResponseCertId() throws GemPkiException {
        CertificateID certID = OcspUtils.getFirstSingleResp(this.ocspResponse).getCertID();
        AlgorithmIdentifier hashAlgorithm = certID.toASN1Primitive().getHashAlgorithm();
        CertificateID createCertificateId = OcspRequestGenerator.createCertificateId(this.eeCert.getSerialNumber(), new TspInformationProvider(this.tspServiceList, this.productType).getIssuerTspServiceSubset(this.eeCert).getX509IssuerCert(), hashAlgorithm);
        try {
            OcspResponseGenerator.verifyHashAlgoSupported(hashAlgorithm.getAlgorithm());
            if (!certID.equals(createCertificateId)) {
                throw new GemPkiException(this.productType, ErrorCode.TE_1029_OCSP_CHECK_REVOCATION_ERROR);
            }
        } catch (GemPkiRuntimeException e) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1029_OCSP_CHECK_REVOCATION_ERROR);
        }
    }

    @Generated
    private static boolean $default$enforceCertHashCheck() {
        return true;
    }

    @Generated
    public static TucPki006OcspVerifierBuilder builder() {
        return new TucPki006OcspVerifierBuilder();
    }

    @Generated
    protected TucPki006OcspVerifier(@NonNull String str, @NonNull List<TspService> list, @NonNull X509Certificate x509Certificate, @NonNull OCSPResp oCSPResp, boolean z) {
        if (str == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (list == null) {
            throw new NullPointerException("tspServiceList is marked non-null but is null");
        }
        if (x509Certificate == null) {
            throw new NullPointerException("eeCert is marked non-null but is null");
        }
        if (oCSPResp == null) {
            throw new NullPointerException("ocspResponse is marked non-null but is null");
        }
        this.productType = str;
        this.tspServiceList = list;
        this.eeCert = x509Certificate;
        this.ocspResponse = oCSPResp;
        this.enforceCertHashCheck = z;
    }
}
