package de.gematik.pki.gemlibpki.ocsp;

import de.gematik.pki.gemlibpki.error.ErrorCode;
import de.gematik.pki.gemlibpki.exception.GemPkiException;
import de.gematik.pki.gemlibpki.exception.GemPkiRuntimeException;
import de.gematik.pki.gemlibpki.tsl.TspService;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import kong.unirest.HttpResponse;
import kong.unirest.Unirest;
import kong.unirest.UnirestException;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gematik/pki/gemlibpki/ocsp/OcspTransceiver.class */
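/**
 * Sends a single OCSP request for an end-entity certificate to a responder and hands the answer to
 * {@link TucPki006OcspVerifier} for verification.
 *
 * <p>Decompiled Lombok output was re-structured by hand; the public surface (builder, builder setter
 * names, defaults, thrown exception types) is unchanged.
 *
 * <p>Behaviour worth knowing before relying on this class:
 * <ul>
 *   <li>{@code ocspTimeoutSeconds} defaults to 10 and {@code tolerateOcspFailure} to {@code false}.</li>
 *   <li>A responder timeout always raises {@code TE_1032_OCSP_NOT_AVAILABLE}; {@code tolerateOcspFailure}
 *       does <em>not</em> soften it. It only downgrades transport errors, non-200 HTTP status and
 *       execution/interrupt failures to a {@code TW_1028} warning with an empty result.</li>
 *   <li>When a cache is supplied and already holds a response for the certificate's serial number, no
 *       verification is performed at all; deciding whether the cached entry is still usable is left to
 *       {@link OcspRespCache} (not visible here -- confirm its expiry policy).</li>
 *   <li>Only responses that passed verification are written to the cache.</li>
 * </ul>
 */
public final class OcspTransceiver {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(OcspTransceiver.class);
    /** Message of the runtime exception raised when encoding the request or decoding the response fails. */
    public static final String OCSP_SEND_RECEIVE_FAILED = "OCSP senden/empfangen fehlgeschlagen.";

    /** Product identifier forwarded into every {@link GemPkiException} and error message. */
    @NonNull
    private final String productType;

    /** Trust-service entries handed to the verifier. */
    @NonNull
    private final List<TspService> tspServiceList;

    /** Certificate whose status is queried. */
    @NonNull
    private final X509Certificate x509EeCert;

    /** Issuer of {@link #x509EeCert}, needed to build the OCSP request. */
    @NonNull
    private final X509Certificate x509IssuerCert;

    /** Responder URL (service supply point) the request is POSTed to. */
    @NonNull
    private final String ssp;
    /** Upper bound for the whole HTTP round trip, in seconds. */
    private final int ocspTimeoutSeconds;
    /** When {@code true}, recoverable OCSP failures are logged as warnings instead of thrown. */
    private final boolean tolerateOcspFailure;

    /** Builder with the same setter names and defaults Lombok would generate for this class. */
    @Generated
    public static class OcspTransceiverBuilder {

        @Generated
        private String productType;

        @Generated
        private List<TspService> tspServiceList;

        @Generated
        private X509Certificate x509EeCert;

        @Generated
        private X509Certificate x509IssuerCert;

        @Generated
        private String ssp;

        // Lombok "$set" flags: remember whether the caller supplied a value, so the
        // class-level default is only applied when it did not.
        @Generated
        private boolean ocspTimeoutSeconds$set;

        @Generated
        private int ocspTimeoutSeconds$value;

        @Generated
        private boolean tolerateOcspFailure$set;

        @Generated
        private boolean tolerateOcspFailure$value;

        @Generated
        OcspTransceiverBuilder() {
        }

        /** @throws NullPointerException if {@code productType} is {@code null} */
        @Generated
        public OcspTransceiverBuilder productType(@NonNull final String productType) {
            if (productType == null) {
                throw new NullPointerException("productType is marked non-null but is null");
            }
            this.productType = productType;
            return this;
        }

        /** @throws NullPointerException if {@code tspServiceList} is {@code null} */
        @Generated
        public OcspTransceiverBuilder tspServiceList(@NonNull final List<TspService> tspServiceList) {
            if (tspServiceList == null) {
                throw new NullPointerException("tspServiceList is marked non-null but is null");
            }
            this.tspServiceList = tspServiceList;
            return this;
        }

        /** @throws NullPointerException if {@code x509EeCert} is {@code null} */
        @Generated
        public OcspTransceiverBuilder x509EeCert(@NonNull final X509Certificate x509EeCert) {
            if (x509EeCert == null) {
                throw new NullPointerException("x509EeCert is marked non-null but is null");
            }
            this.x509EeCert = x509EeCert;
            return this;
        }

        /** @throws NullPointerException if {@code x509IssuerCert} is {@code null} */
        @Generated
        public OcspTransceiverBuilder x509IssuerCert(@NonNull final X509Certificate x509IssuerCert) {
            if (x509IssuerCert == null) {
                throw new NullPointerException("x509IssuerCert is marked non-null but is null");
            }
            this.x509IssuerCert = x509IssuerCert;
            return this;
        }

        /** @throws NullPointerException if {@code ssp} is {@code null} */
        @Generated
        public OcspTransceiverBuilder ssp(@NonNull final String ssp) {
            if (ssp == null) {
                throw new NullPointerException("ssp is marked non-null but is null");
            }
            this.ssp = ssp;
            return this;
        }

        /** Overrides the 10-second default timeout. */
        @Generated
        public OcspTransceiverBuilder ocspTimeoutSeconds(final int ocspTimeoutSeconds) {
            this.ocspTimeoutSeconds$value = ocspTimeoutSeconds;
            this.ocspTimeoutSeconds$set = true;
            return this;
        }

        /** Overrides the default ({@code false}) failure tolerance. */
        @Generated
        public OcspTransceiverBuilder tolerateOcspFailure(final boolean tolerateOcspFailure) {
            this.tolerateOcspFailure$value = tolerateOcspFailure;
            this.tolerateOcspFailure$set = true;
            return this;
        }

        /**
         * Creates the transceiver, applying class defaults for values that were never set.
         *
         * @throws NullPointerException if any of the mandatory fields was not set
         */
        @Generated
        public OcspTransceiver build() {
            final int timeoutSeconds = this.ocspTimeoutSeconds$set
                    ? this.ocspTimeoutSeconds$value
                    : OcspTransceiver.$default$ocspTimeoutSeconds();
            final boolean tolerateFailure = this.tolerateOcspFailure$set
                    ? this.tolerateOcspFailure$value
                    : OcspTransceiver.$default$tolerateOcspFailure();
            return new OcspTransceiver(
                    this.productType,
                    this.tspServiceList,
                    this.x509EeCert,
                    this.x509IssuerCert,
                    this.ssp,
                    timeoutSeconds,
                    tolerateFailure);
        }

        @Generated
        @Override
        public String toString() {
            return "OcspTransceiver.OcspTransceiverBuilder(productType=" + this.productType + ", tspServiceList=" + this.tspServiceList + ", x509EeCert=" + this.x509EeCert + ", x509IssuerCert=" + this.x509IssuerCert + ", ssp=" + this.ssp + ", ocspTimeoutSeconds$value=" + this.ocspTimeoutSeconds$value + ", tolerateOcspFailure$value=" + this.tolerateOcspFailure$value + ")";
        }
    }

    /**
     * Builds the verifier for a received response, bound to this transceiver's product type, TSP
     * services and end-entity certificate.
     *
     * @param ocspResponse the response to verify
     * @return a configured {@link TucPki006OcspVerifier}
     */
    public TucPki006OcspVerifier getTucPki006Verifier(final OCSPResp ocspResponse) {
        return TucPki006OcspVerifier.builder()
                .productType(this.productType)
                .tspServiceList(this.tspServiceList)
                .eeCert(this.x509EeCert)
                .ocspResponse(ocspResponse)
                .build();
    }

    /**
     * Obtains and verifies the OCSP status of {@link #x509EeCert} at the given reference time.
     *
     * <p>With a cache: a cache hit for the certificate's serial number short-circuits without any
     * verification; on a miss the response is fetched, verified and only then stored. Without a cache
     * the response is fetched and verified every time. An empty result from
     * {@link #sendOcspRequest(OCSPReq)} (tolerated failure) ends the method silently.
     *
     * @param ocspRespCache cache to consult and fill, or {@code null} to always query the responder
     * @param referenceDate point in time the verifier checks the response against
     * @throws GemPkiException if the request fails (and is not tolerated) or verification fails
     */
    public void verifyOcspResponse(final OcspRespCache ocspRespCache, final ZonedDateTime referenceDate)
            throws GemPkiException {
        final OCSPReq ocspRequest =
                OcspRequestGenerator.generateSingleOcspRequest(this.x509EeCert, this.x509IssuerCert);

        if (ocspRespCache == null) {
            log.debug("Send Ocsp req because no cache.");
            final Optional<OCSPResp> response = sendOcspRequest(ocspRequest);
            if (response.isEmpty()) {
                return;
            }
            log.debug("Ocsp resp from server, because no cache.");
            getTucPki006Verifier(response.get()).performTucPki006Checks(referenceDate);
            return;
        }

        if (ocspRespCache.getResponse(this.x509EeCert.getSerialNumber()).isPresent()) {
            log.debug("Ocsp resp from cache: verification is not performed");
            return;
        }

        log.debug("Send Ocsp req, because not in cache.");
        final Optional<OCSPResp> response = sendOcspRequest(ocspRequest);
        if (response.isEmpty()) {
            log.debug("No Ocsp resp received.");
            return;
        }
        // Verify before caching so an unverified or failing response never becomes a cache hit.
        getTucPki006Verifier(response.get()).performTucPki006Checks(referenceDate);
        ocspRespCache.saveResponse(this.x509EeCert.getSerialNumber(), response.get());
        log.debug("Ocsp resp from server saved to cache.");
    }

    /**
     * Same as {@link #verifyOcspResponse(OcspRespCache, ZonedDateTime)} with the current UTC time as
     * reference.
     *
     * @param ocspRespCache cache to consult and fill, or {@code null}
     * @throws GemPkiException see the two-argument overload
     */
    public void verifyOcspResponse(final OcspRespCache ocspRespCache) throws GemPkiException {
        verifyOcspResponse(ocspRespCache, ZonedDateTime.now(ZoneOffset.UTC));
    }

    /**
     * Applies the failure policy for a failure without an underlying exception (e.g. non-200 status).
     *
     * @throws GemPkiException {@code TE_1029} unless {@link #tolerateOcspFailure} is set, in which case
     *     a {@code TW_1028} warning is logged instead
     */
    private void handleWithTolerateOcspFailure() throws GemPkiException {
        if (!this.tolerateOcspFailure) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1029_OCSP_CHECK_REVOCATION_ERROR);
        }
        log.warn(ErrorCode.TW_1028_OCSP_CHECK_REVOCATION_FAILED.getErrorMessage(this.productType));
    }

    /**
     * Applies the failure policy for a failure caused by {@code cause}.
     *
     * @param cause the underlying exception, attached to the thrown exception or the warning
     * @throws GemPkiException {@code TE_1029} unless {@link #tolerateOcspFailure} is set
     */
    private void handleWithTolerateOcspFailure(final Exception cause) throws GemPkiException {
        if (!this.tolerateOcspFailure) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1029_OCSP_CHECK_REVOCATION_ERROR, cause);
        }
        log.warn(ErrorCode.TW_1028_OCSP_CHECK_REVOCATION_FAILED.getErrorMessage(this.productType), cause);
    }

    /** Submits the HTTP task; package-private so the round trip can be substituted in tests. */
    Future<Pair<HttpResponse<byte[]>, Exception>> getFuture(
            final ExecutorService executorService,
            final Callable<Pair<HttpResponse<byte[]>, Exception>> callable) {
        return executorService.submit(callable);
    }

    /**
     * Parses a raw response body; package-private so parsing can be substituted in tests.
     *
     * @throws IOException if the bytes are not a well-formed OCSP response
     */
    OCSPResp getOcspRespForBody(final byte[] body) throws IOException {
        return new OCSPResp(body);
    }

    /**
     * POSTs {@code ocspReq} to {@link #ssp} on a dedicated single-thread executor and waits at most
     * {@link #ocspTimeoutSeconds} for the answer.
     *
     * <p>The executor is always shut down with {@link ExecutorService#shutdownNow()} and the future is
     * cancelled with interruption: after a timeout the HTTP call is still in flight on the worker
     * thread, and a plain {@code shutdown()} would leave that thread (and its connection) running until
     * the responder eventually answers, so each timed-out request would pin a thread for the full
     * server-side duration. Cancelling a completed future is a no-op, so the normal path is unaffected.
     *
     * @param ocspReq the request to send
     * @return the parsed response, or empty when a failure was tolerated
     * @throws NullPointerException if {@code ocspReq} is {@code null}
     * @throws GemPkiException {@code TE_1032} on timeout (never tolerated), {@code TE_1029} on transport
     *     error, execution failure, interruption or non-200 status when failures are not tolerated
     * @throws GemPkiRuntimeException if the request cannot be DER-encoded or the body cannot be parsed
     */
    public Optional<OCSPResp> sendOcspRequest(@NonNull final OCSPReq ocspReq) throws GemPkiException {
        if (ocspReq == null) {
            throw new NullPointerException("ocspReq is marked non-null but is null");
        }
        log.info("Sending OCSP Request for end entity certificate to: {}", this.ssp);

        final byte[] encodedRequest;
        try {
            encodedRequest = ocspReq.getEncoded();
        } catch (final IOException e) {
            throw new GemPkiRuntimeException(OCSP_SEND_RECEIVE_FAILED, e);
        }

        final Callable<Pair<HttpResponse<byte[]>, Exception>> roundTrip =
                () -> sendOcspRequest(this.ssp, encodedRequest);
        final ExecutorService executor = Executors.newSingleThreadExecutor();
        Future<Pair<HttpResponse<byte[]>, Exception>> future = null;
        try {
            future = getFuture(executor, roundTrip);
            final Pair<HttpResponse<byte[]>, Exception> outcome =
                    future.get(this.ocspTimeoutSeconds, TimeUnit.SECONDS);
            return toOcspResponse(outcome);
        } catch (final ExecutionException e) {
            handleWithTolerateOcspFailure(e);
            return Optional.empty();
        } catch (final InterruptedException e) {
            Thread.currentThread().interrupt(); // preserve the interrupt for the caller
            handleWithTolerateOcspFailure(e);
            return Optional.empty();
        } catch (final TimeoutException e) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1032_OCSP_NOT_AVAILABLE, e);
        } finally {
            if (future != null) {
                future.cancel(true);
            }
            executor.shutdownNow();
        }
    }

    /**
     * Maps the worker's {@code (response, exception)} pair to the method result, applying the failure
     * policy for transport errors and non-200 statuses.
     */
    private Optional<OCSPResp> toOcspResponse(final Pair<HttpResponse<byte[]>, Exception> outcome)
            throws GemPkiException {
        final Exception transportError = outcome.getRight();
        if (transportError != null) {
            handleWithTolerateOcspFailure(transportError);
            return Optional.empty();
        }
        final HttpResponse<byte[]> httpResponse = outcome.getLeft();
        if (httpResponse.getStatus() != 200) {
            handleWithTolerateOcspFailure();
            return Optional.empty();
        }
        try {
            return Optional.of(getOcspRespForBody(httpResponse.getBody()));
        } catch (final IOException e) {
            throw new GemPkiRuntimeException(OCSP_SEND_RECEIVE_FAILED, e);
        }
    }

    /**
     * Performs the blocking HTTP POST on the worker thread. Errors are returned in the right-hand side
     * of the pair rather than thrown so the caller can apply its tolerance policy.
     *
     * @param responderUrl the responder to POST to
     * @param encodedRequest DER-encoded OCSP request
     * @return {@code (response, null)} on success, {@code (null, exception)} on a Unirest failure
     */
    private Pair<HttpResponse<byte[]>, Exception> sendOcspRequest(
            final String responderUrl, final byte[] encodedRequest) {
        try {
            final HttpResponse<byte[]> response = Unirest.post(responderUrl)
                    .header("Content-Type", OcspConstants.MEDIA_TYPE_APPLICATION_OCSP_REQUEST)
                    .body(encodedRequest)
                    .asBytes();
            return Pair.<HttpResponse<byte[]>, Exception>of(response, null);
        } catch (final UnirestException e) {
            return Pair.<HttpResponse<byte[]>, Exception>of(null, e);
        }
    }

    /** Default timeout applied by the builder when none was set. */
    @Generated
    private static int $default$ocspTimeoutSeconds() {
        return 10;
    }

    /** Default tolerance applied by the builder when none was set: failures are errors. */
    @Generated
    private static boolean $default$tolerateOcspFailure() {
        return false;
    }

    /** @return a fresh builder */
    @Generated
    public static OcspTransceiverBuilder builder() {
        return new OcspTransceiverBuilder();
    }

    /**
     * Private constructor used by the builder.
     *
     * @throws NullPointerException if any of the {@code @NonNull} arguments is {@code null}
     */
    @Generated
    private OcspTransceiver(
            @NonNull final String productType,
            @NonNull final List<TspService> tspServiceList,
            @NonNull final X509Certificate x509EeCert,
            @NonNull final X509Certificate x509IssuerCert,
            @NonNull final String ssp,
            final int ocspTimeoutSeconds,
            final boolean tolerateOcspFailure) {
        if (productType == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (tspServiceList == null) {
            throw new NullPointerException("tspServiceList is marked non-null but is null");
        }
        if (x509EeCert == null) {
            throw new NullPointerException("x509EeCert is marked non-null but is null");
        }
        if (x509IssuerCert == null) {
            throw new NullPointerException("x509IssuerCert is marked non-null but is null");
        }
        if (ssp == null) {
            throw new NullPointerException("ssp is marked non-null but is null");
        }
        this.productType = productType;
        this.tspServiceList = tspServiceList;
        this.x509EeCert = x509EeCert;
        this.x509IssuerCert = x509IssuerCert;
        this.ssp = ssp;
        this.ocspTimeoutSeconds = ocspTimeoutSeconds;
        this.tolerateOcspFailure = tolerateOcspFailure;
    }
}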
