package de.gematik.pki.gemlibpki.certificate;

import de.gematik.pki.gemlibpki.exception.GemPkiException;
import de.gematik.pki.gemlibpki.exception.GemPkiParsingException;
import de.gematik.pki.gemlibpki.exception.GemPkiRuntimeException;
import de.gematik.pki.gemlibpki.ocsp.OcspRespCache;
import de.gematik.pki.gemlibpki.tsl.TspInformationProvider;
import de.gematik.pki.gemlibpki.tsl.TspService;
import de.gematik.pki.gemlibpki.tsl.TspServiceSubset;
import de.gematik.pki.gemlibpki.validators.OcspValidator;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.EnumMap;
import java.util.List;
import java.util.Set;
import lombok.Generated;
import lombok.NonNull;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gematik/pki/gemlibpki/certificate/TucPki018Verifier.class */
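/**
 * Runs the TUC_PKI_018 checks on an end-entity X.509 certificate.
 *
 * <p>A verification resolves the issuer's {@link TspServiceSubset} from the configured TSP
 * service list, runs the common certificate checks, hands the certificate to an
 * {@link OcspValidator}, and finally tests the certificate against the configured
 * {@link CertificateProfile}s. The first profile that verifies wins and yields the
 * {@link Admission} of the certificate.
 *
 * <p>Builder defaults: {@code withOcspCheck = true}, {@code ocspTimeoutSeconds = 10},
 * {@code tolerateOcspFailure = false}, {@code ocspValidator = null} (built lazily).
 *
 * <p>Review notes for integrators:
 * <ul>
 *   <li>{@code withOcspCheck} and {@code tolerateOcspFailure} are only forwarded to
 *       {@link OcspValidator}; their exact effect is defined there. Presumably they skip or
 *       soften the revocation check, so deviations from the defaults should be a deliberate,
 *       documented decision (confirm against {@code OcspValidator}).</li>
 *   <li>When an {@link OcspValidator} is supplied through the builder, it is used as is. The
 *       OCSP-related settings of this verifier are then NOT applied to it.</li>
 *   <li>The lists passed in are stored by reference, not copied; later changes by the caller
 *       are visible to this verifier.</li>
 *   <li>The lazy creation of the validator is not synchronized.</li>
 * </ul>
 */
public class TucPki018Verifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TucPki018Verifier.class);

    // Product type handed to every sub-verifier and to the parsing exception.
    @NonNull
    protected final String productType;

    // TSP services used to look up the issuer of the certificate under test.
    @NonNull
    protected final List<TspService> tspServiceList;

    // Profiles the certificate is tested against, in iteration order.
    @NonNull
    protected final List<CertificateProfile> certificateProfiles;

    // OCSP settings; only consumed when this class builds the OcspValidator itself.
    protected final boolean withOcspCheck;
    protected final OCSPResp ocspResponse;
    protected final OcspRespCache ocspRespCache;
    protected final int ocspTimeoutSeconds;
    protected final boolean tolerateOcspFailure;

    // Either injected through the builder or created on first use by initializeValidator().
    private OcspValidator ocspValidator;

    /**
     * Builder for {@link TucPki018Verifier}.
     *
     * <p>For the four optional settings a {@code $set} flag records whether the caller supplied
     * a value, so that {@link #build()} can fall back to the class defaults otherwise.
     */
    @Generated
    public static class TucPki018VerifierBuilder {

        @Generated
        private String productType;

        @Generated
        private List<TspService> tspServiceList;

        @Generated
        private List<CertificateProfile> certificateProfiles;

        @Generated
        private boolean withOcspCheck$set;

        @Generated
        private boolean withOcspCheck$value;

        @Generated
        private OCSPResp ocspResponse;

        @Generated
        private OcspRespCache ocspRespCache;

        @Generated
        private boolean ocspTimeoutSeconds$set;

        @Generated
        private int ocspTimeoutSeconds$value;

        @Generated
        private boolean tolerateOcspFailure$set;

        @Generated
        private boolean tolerateOcspFailure$value;

        @Generated
        private boolean ocspValidator$set;

        @Generated
        private OcspValidator ocspValidator$value;

        @Generated
        TucPki018VerifierBuilder() {
        }

        /**
         * Sets the product type.
         *
         * @param str the product type, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code str} is {@code null}
         */
        @Generated
        public TucPki018VerifierBuilder productType(@NonNull String str) {
            if (str == null) {
                throw new NullPointerException("productType is marked non-null but is null");
            }
            this.productType = str;
            return this;
        }

        /**
         * Sets the TSP services used for the issuer lookup. The list is stored by reference.
         *
         * @param list the TSP service list, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code list} is {@code null}
         */
        @Generated
        public TucPki018VerifierBuilder tspServiceList(@NonNull List<TspService> list) {
            if (list == null) {
                throw new NullPointerException("tspServiceList is marked non-null but is null");
            }
            this.tspServiceList = list;
            return this;
        }

        /**
         * Sets the certificate profiles to test against. The list is stored by reference; an
         * empty list is accepted here but rejected later by the profile checks.
         *
         * @param list the certificate profiles, must not be {@code null}
         * @return this builder
         * @throws NullPointerException if {@code list} is {@code null}
         */
        @Generated
        public TucPki018VerifierBuilder certificateProfiles(@NonNull List<CertificateProfile> list) {
            if (list == null) {
                throw new NullPointerException("certificateProfiles is marked non-null but is null");
            }
            this.certificateProfiles = list;
            return this;
        }

        /**
         * Sets the flag forwarded to {@link OcspValidator} as {@code withOcspCheck}
         * (default {@code true}).
         *
         * @param z the flag value
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder withOcspCheck(boolean z) {
            this.withOcspCheck$value = z;
            this.withOcspCheck$set = true;
            return this;
        }

        /**
         * Sets an OCSP response that is forwarded to {@link OcspValidator}; may be {@code null}.
         *
         * @param oCSPResp the OCSP response or {@code null}
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder ocspResponse(OCSPResp oCSPResp) {
            this.ocspResponse = oCSPResp;
            return this;
        }

        /**
         * Sets an OCSP response cache that is forwarded to {@link OcspValidator}; may be
         * {@code null}.
         *
         * @param ocspRespCache the cache or {@code null}
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder ocspRespCache(OcspRespCache ocspRespCache) {
            this.ocspRespCache = ocspRespCache;
            return this;
        }

        /**
         * Sets the OCSP timeout in seconds forwarded to {@link OcspValidator} (default 10).
         * The value is not range-checked here.
         *
         * @param i the timeout in seconds
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder ocspTimeoutSeconds(int i) {
            this.ocspTimeoutSeconds$value = i;
            this.ocspTimeoutSeconds$set = true;
            return this;
        }

        /**
         * Sets the flag forwarded to {@link OcspValidator} as {@code tolerateOcspFailure}
         * (default {@code false}).
         *
         * <p>NOTE(review): presumably {@code true} lets a certificate pass when its revocation
         * status cannot be determined; confirm in {@code OcspValidator} before enabling.
         *
         * @param z the flag value
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder tolerateOcspFailure(boolean z) {
            this.tolerateOcspFailure$value = z;
            this.tolerateOcspFailure$set = true;
            return this;
        }

        /**
         * Injects a ready-made {@link OcspValidator}. When a non-null validator is given, the
         * verifier uses it unchanged and does not apply its own OCSP settings to it.
         *
         * @param ocspValidator the validator to use, or {@code null} to have one built lazily
         * @return this builder
         */
        @Generated
        public TucPki018VerifierBuilder ocspValidator(OcspValidator ocspValidator) {
            this.ocspValidator$value = ocspValidator;
            this.ocspValidator$set = true;
            return this;
        }

        /**
         * Creates the verifier, substituting the class defaults for every optional setting the
         * caller did not set.
         *
         * @return the configured verifier
         * @throws NullPointerException if product type, TSP service list or certificate
         *     profiles were never set
         */
        @Generated
        public TucPki018Verifier build() {
            final boolean effectiveWithOcspCheck = this.withOcspCheck$set
                    ? this.withOcspCheck$value
                    : TucPki018Verifier.$default$withOcspCheck();
            final int effectiveTimeoutSeconds = this.ocspTimeoutSeconds$set
                    ? this.ocspTimeoutSeconds$value
                    : TucPki018Verifier.$default$ocspTimeoutSeconds();
            final boolean effectiveTolerateFailure = this.tolerateOcspFailure$set
                    ? this.tolerateOcspFailure$value
                    : TucPki018Verifier.$default$tolerateOcspFailure();
            final OcspValidator effectiveValidator = this.ocspValidator$set
                    ? this.ocspValidator$value
                    : TucPki018Verifier.$default$ocspValidator();
            return new TucPki018Verifier(
                    this.productType,
                    this.tspServiceList,
                    this.certificateProfiles,
                    effectiveWithOcspCheck,
                    this.ocspResponse,
                    this.ocspRespCache,
                    effectiveTimeoutSeconds,
                    effectiveTolerateFailure,
                    effectiveValidator);
        }

        @Generated
        @Override
        public String toString() {
            return "TucPki018Verifier.TucPki018VerifierBuilder(productType=" + this.productType + ", tspServiceList=" + this.tspServiceList + ", certificateProfiles=" + this.certificateProfiles + ", withOcspCheck$value=" + this.withOcspCheck$value + ", ocspResponse=" + this.ocspResponse + ", ocspRespCache=" + this.ocspRespCache + ", ocspTimeoutSeconds$value=" + this.ocspTimeoutSeconds$value + ", tolerateOcspFailure$value=" + this.tolerateOcspFailure$value + ", ocspValidator$value=" + this.ocspValidator$value + ")";
        }
    }

    /**
     * Runs all TUC_PKI_018 checks using the current UTC time as reference date.
     *
     * @param x509Certificate the end-entity certificate to verify, must not be {@code null}
     * @return the admission of the certificate
     * @throws GemPkiException if a check fails
     * @throws NullPointerException if {@code x509Certificate} is {@code null}
     */
    public Admission performTucPki018Checks(@NonNull X509Certificate x509Certificate) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        return performTucPki018Checks(x509Certificate, ZonedDateTime.now(ZoneOffset.UTC));
    }

    /**
     * Runs all TUC_PKI_018 checks against a caller-supplied reference date.
     *
     * <p>Order of work: issuer lookup, common checks, OCSP validation, profile checks. The
     * reference date is passed to the common checks and to the OCSP validation, so callers
     * that accept it from outside should make sure it comes from a trustworthy source.
     *
     * @param x509Certificate the end-entity certificate to verify, must not be {@code null}
     * @param zonedDateTime the reference date of the verification, must not be {@code null}
     * @return the admission of the certificate
     * @throws GemPkiException if a check fails
     * @throws NullPointerException if an argument is {@code null}
     */
    public Admission performTucPki018Checks(@NonNull X509Certificate x509Certificate, @NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        log.debug("TUC_PKI_018 Checks...");
        final TspInformationProvider tspInformationProvider =
                new TspInformationProvider(this.tspServiceList, this.productType);
        final TspServiceSubset issuerTspServiceSubset =
                tspInformationProvider.getIssuerTspServiceSubset(x509Certificate);
        commonChecks(x509Certificate, issuerTspServiceSubset, zonedDateTime);
        doOcspIfConfigured(x509Certificate, zonedDateTime);
        return tucPki018ProfileChecks(x509Certificate, issuerTspServiceSubset);
    }

    /**
     * Creates the {@link OcspValidator} from this verifier's OCSP settings unless one is
     * already present (injected through the builder or created by an earlier call).
     *
     * <p>Not synchronized: the field is read and written without any lock.
     */
    private void initializeValidator() {
        if (this.ocspValidator != null) {
            // An existing validator is kept as is; this verifier's settings are not applied.
            return;
        }
        this.ocspValidator = OcspValidator.builder()
                .productType(this.productType)
                .tspServiceList(this.tspServiceList)
                .withOcspCheck(this.withOcspCheck)
                .ocspResponse(this.ocspResponse)
                .ocspRespCache(this.ocspRespCache)
                .ocspTimeoutSeconds(this.ocspTimeoutSeconds)
                .tolerateOcspFailure(this.tolerateOcspFailure)
                .build();
    }

    /**
     * Hands the certificate to the {@link OcspValidator}.
     *
     * <p>This method always calls the validator; whether a status check really takes place is
     * decided inside {@code OcspValidator} (not visible in this file).
     *
     * @param x509Certificate the end-entity certificate, must not be {@code null}
     * @param zonedDateTime the reference date, must not be {@code null}
     * @throws GemPkiException if the validator rejects the certificate
     * @throws NullPointerException if an argument is {@code null}
     */
    protected void doOcspIfConfigured(@NonNull X509Certificate x509Certificate, @NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        initializeValidator();
        this.ocspValidator.validateCertificate(x509Certificate, zonedDateTime);
    }

    /**
     * Tests the certificate against the configured profiles and returns its admission for the
     * first profile that verifies.
     *
     * <p>A failure for one profile is recorded and the next profile is tried. Only when every
     * profile has failed are the collected failures reported together.
     *
     * @param x509Certificate the end-entity certificate, must not be {@code null}
     * @param tspServiceSubset the issuer's TSP service subset, must not be {@code null}
     * @return the admission of the certificate
     * @throws GemPkiParsingException if no configured profile verifies; carries the product
     *     type and the failure recorded per profile
     * @throws GemPkiRuntimeException if the profile list is empty or the admission cannot be
     *     read from the certificate
     * @throws GemPkiException declared for overriding subclasses
     * @throws NullPointerException if an argument is {@code null}
     */
    protected Admission tucPki018ProfileChecks(@NonNull X509Certificate x509Certificate, @NonNull TspServiceSubset tspServiceSubset) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (tspServiceSubset == null) {
            throw new NullPointerException("tspServiceSubset is marked non-null but is null");
        }
        if (this.certificateProfiles.isEmpty()) {
            throw new GemPkiRuntimeException("Liste der konfigurierten Zertifikatsprofile ist leer.");
        }
        // Typed map: key is the profile that failed, value the exception it failed with.
        final EnumMap<CertificateProfile, GemPkiException> errors = new EnumMap<>(CertificateProfile.class);
        for (final CertificateProfile certificateProfile : this.certificateProfiles) {
            try {
                tucPki018ChecksForProfile(x509Certificate, certificateProfile, tspServiceSubset);
                log.debug("Übergebenes Zertifikat wurde erfolgreich gegen das Zertifikatsprofil {} getestet.", certificateProfile);
                final Admission admission = new Admission(x509Certificate);
                if (!admission.getProfessionOids().isEmpty()) {
                    log.debug("Gefundene Rolle(n): {}", admission.getProfessionItems());
                }
                return admission;
            } catch (GemPkiException e) {
                // Not fatal yet: another configured profile may still match.
                errors.put(certificateProfile, e);
            } catch (IOException e) {
                throw new GemPkiRuntimeException("Error in processing the admission of the end entity certificate.", e);
            }
        }
        throw new GemPkiParsingException(this.productType, errors);
    }

    /**
     * Runs every check of {@link CertificateProfileVerification} for a single profile.
     *
     * @param x509Certificate the end-entity certificate, must not be {@code null}
     * @param certificateProfile the profile to test against, must not be {@code null}
     * @param tspServiceSubset the issuer's TSP service subset, must not be {@code null}
     * @throws GemPkiException if the certificate does not satisfy the profile
     * @throws NullPointerException if an argument is {@code null}
     */
    protected void tucPki018ChecksForProfile(@NonNull X509Certificate x509Certificate, @NonNull CertificateProfile certificateProfile, @NonNull TspServiceSubset tspServiceSubset) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (certificateProfile == null) {
            throw new NullPointerException("certificateProfile is marked non-null but is null");
        }
        if (tspServiceSubset == null) {
            throw new NullPointerException("tspServiceSubset is marked non-null but is null");
        }
        CertificateProfileVerification.builder()
                .productType(this.productType)
                .x509EeCert(x509Certificate)
                .certificateProfile(certificateProfile)
                .tspServiceSubset(tspServiceSubset)
                .build()
                .verifyAll();
    }

    /**
     * Runs every check of {@link CertificateCommonVerification}, i.e. the checks that do not
     * depend on a certificate profile.
     *
     * @param x509Certificate the end-entity certificate, must not be {@code null}
     * @param tspServiceSubset the issuer's TSP service subset, must not be {@code null}
     * @param zonedDateTime the reference date, must not be {@code null}
     * @throws GemPkiException if a common check fails
     * @throws NullPointerException if an argument is {@code null}
     */
    protected void commonChecks(@NonNull X509Certificate x509Certificate, @NonNull TspServiceSubset tspServiceSubset, @NonNull ZonedDateTime zonedDateTime) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (tspServiceSubset == null) {
            throw new NullPointerException("tspServiceSubset is marked non-null but is null");
        }
        if (zonedDateTime == null) {
            throw new NullPointerException("referenceDate is marked non-null but is null");
        }
        CertificateCommonVerification.builder()
                .productType(this.productType)
                .x509EeCert(x509Certificate)
                .tspServiceSubset(tspServiceSubset)
                .referenceDate(zonedDateTime)
                .build()
                .verifyAll();
    }

    /**
     * Tells whether the admission carries at least one of the allowed profession OIDs.
     *
     * <p>A {@code null} admission or one without profession OIDs yields {@code false}, so a
     * missing admission never counts as allowed. OIDs are compared as exact strings.
     *
     * @param admission the admission to inspect, may be {@code null}
     * @param set the allowed profession OIDs, must not be {@code null}
     * @return {@code true} if at least one profession OID of the admission is in {@code set}
     * @throws NullPointerException if {@code set} is {@code null}
     */
    public static boolean checkAllowedProfessionOids(Admission admission, @NonNull Set<String> set) {
        if (set == null) {
            throw new NullPointerException("allowedProfessionOids is marked non-null but is null");
        }
        if (admission == null) {
            return false;
        }
        final Set<String> professionOids = admission.getProfessionOids();
        if (professionOids.isEmpty()) {
            return false;
        }
        return isPresent(professionOids, set);
    }

    /**
     * Tells whether the two sets have at least one element in common.
     *
     * <p>Deliberately read-only. {@code Set.removeAll} would give the same answer but deletes
     * the matching entries from {@code set}, which must not happen to the OID set obtained
     * from an {@link Admission} during an allow-list check (and fails on unmodifiable sets).
     *
     * @param set the set whose elements are looked up
     * @param set2 the set the elements are looked up in
     * @return {@code true} if some element of {@code set} is contained in {@code set2}
     */
    private static boolean isPresent(Set<String> set, Set<String> set2) {
        return set.stream().anyMatch(set2::contains);
    }

    // Builder default: the OCSP check flag is on unless the caller turns it off.
    @Generated
    private static boolean $default$withOcspCheck() {
        return true;
    }

    // Builder default: OCSP timeout of 10 seconds.
    @Generated
    private static int $default$ocspTimeoutSeconds() {
        return 10;
    }

    // Builder default: OCSP failures are not tolerated.
    @Generated
    private static boolean $default$tolerateOcspFailure() {
        return false;
    }

    // Builder default: no injected validator; one is built on first use.
    @Generated
    private static OcspValidator $default$ocspValidator() {
        return null;
    }

    /**
     * Creates a new builder.
     *
     * @return an empty builder
     */
    @Generated
    public static TucPki018VerifierBuilder builder() {
        return new TucPki018VerifierBuilder();
    }

    /**
     * Creates a verifier without an injected {@link OcspValidator}; the validator is built on
     * first use from the given OCSP settings.
     *
     * @param str the product type, must not be {@code null}
     * @param list the TSP service list, must not be {@code null}; stored by reference
     * @param list2 the certificate profiles, must not be {@code null}; stored by reference
     * @param z value of {@code withOcspCheck}
     * @param oCSPResp OCSP response to forward, may be {@code null}
     * @param ocspRespCache OCSP response cache to forward, may be {@code null}
     * @param i OCSP timeout in seconds
     * @param z2 value of {@code tolerateOcspFailure}
     * @throws NullPointerException if {@code str}, {@code list} or {@code list2} is {@code null}
     */
    @Generated
    protected TucPki018Verifier(@NonNull String str, @NonNull List<TspService> list, @NonNull List<CertificateProfile> list2, boolean z, OCSPResp oCSPResp, OcspRespCache ocspRespCache, int i, boolean z2) {
        this(str, list, list2, z, oCSPResp, ocspRespCache, i, z2, $default$ocspValidator());
    }

    /**
     * Creates a verifier, optionally with an injected {@link OcspValidator}.
     *
     * @param str the product type, must not be {@code null}
     * @param list the TSP service list, must not be {@code null}; stored by reference
     * @param list2 the certificate profiles, must not be {@code null}; stored by reference
     * @param z value of {@code withOcspCheck}
     * @param oCSPResp OCSP response to forward, may be {@code null}
     * @param ocspRespCache OCSP response cache to forward, may be {@code null}
     * @param i OCSP timeout in seconds
     * @param z2 value of {@code tolerateOcspFailure}
     * @param ocspValidator validator to use as is, or {@code null} to build one on first use
     * @throws NullPointerException if {@code str}, {@code list} or {@code list2} is {@code null}
     */
    @Generated
    protected TucPki018Verifier(@NonNull String str, @NonNull List<TspService> list, @NonNull List<CertificateProfile> list2, boolean z, OCSPResp oCSPResp, OcspRespCache ocspRespCache, int i, boolean z2, OcspValidator ocspValidator) {
        if (str == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (list == null) {
            throw new NullPointerException("tspServiceList is marked non-null but is null");
        }
        if (list2 == null) {
            throw new NullPointerException("certificateProfiles is marked non-null but is null");
        }
        this.productType = str;
        this.tspServiceList = list;
        this.certificateProfiles = list2;
        this.withOcspCheck = z;
        this.ocspResponse = oCSPResp;
        this.ocspRespCache = ocspRespCache;
        this.ocspTimeoutSeconds = i;
        this.tolerateOcspFailure = z2;
        this.ocspValidator = ocspValidator;
    }
}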
