package de.gematik.pki.gemlibpki.tsl;

import de.gematik.pki.gemlibpki.certificate.CertificateProfile;
import de.gematik.pki.gemlibpki.certificate.TucPki018Verifier;
import de.gematik.pki.gemlibpki.error.ErrorCode;
import de.gematik.pki.gemlibpki.exception.GemPkiException;
import de.gematik.pki.gemlibpki.exception.GemPkiRuntimeException;
import de.gematik.pki.gemlibpki.ocsp.OcspRespCache;
import de.gematik.pki.gemlibpki.utils.CertReader;
import de.gematik.pki.gemlibpki.utils.GemLibPkiUtils;
import de.gematik.pki.gemlibpki.utils.ResourceReader;
import de.gematik.pki.gemlibpki.validators.ValidityValidator;
import eu.europa.esig.trustedlist.jaxb.tsl.DigitalIdentityType;
import eu.europa.esig.trustedlist.jaxb.tsl.TSPServiceType;
import eu.europa.esig.trustedlist.jaxb.tsl.TrustStatusListType;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import lombok.Generated;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;

/* loaded from: input_file:de/gematik/pki/gemlibpki/tsl/TucPki001Verifier.class */
public class TucPki001Verifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TucPki001Verifier.class);

    @NonNull
    protected final String productType;

    @NonNull
    protected final List<TspService> currentTrustedServices;

    @NonNull
    protected final String currentTslId;

    @NonNull
    protected final BigInteger currentTslSeqNr;
    protected final byte[] tslToCheck;
    protected final boolean withOcspCheck;
    protected final OcspRespCache ocspRespCache;
    protected final int ocspTimeoutSeconds;
    protected final boolean tolerateOcspFailure;
    private ValidityValidator validityValidator;

    /* loaded from: input_file:de/gematik/pki/gemlibpki/tsl/TucPki001Verifier$TrustAnchorUpdate.class */
    public static class TrustAnchorUpdate {
        private X509Certificate futureTrustAnchor;
        private ZonedDateTime statusStartingTime;

        public boolean isToActivateNow() {
            return isToActivate(GemLibPkiUtils.now());
        }

        public boolean isToActivate(ZonedDateTime zonedDateTime) {
            return this.statusStartingTime.isBefore(zonedDateTime);
        }

        @Generated
        public X509Certificate getFutureTrustAnchor() {
            return this.futureTrustAnchor;
        }

        @Generated
        public ZonedDateTime getStatusStartingTime() {
            return this.statusStartingTime;
        }

        @Generated
        public TrustAnchorUpdate(X509Certificate x509Certificate, ZonedDateTime zonedDateTime) {
            this.futureTrustAnchor = x509Certificate;
            this.statusStartingTime = zonedDateTime;
        }
    }

    @Generated
    /* loaded from: input_file:de/gematik/pki/gemlibpki/tsl/TucPki001Verifier$TucPki001VerifierBuilder.class */
    public static class TucPki001VerifierBuilder {

        @Generated
        private String productType;

        @Generated
        private List<TspService> currentTrustedServices;

        @Generated
        private String currentTslId;

        @Generated
        private BigInteger currentTslSeqNr;

        @Generated
        private byte[] tslToCheck;

        @Generated
        private boolean withOcspCheck$set;

        @Generated
        private boolean withOcspCheck$value;

        @Generated
        private OcspRespCache ocspRespCache;

        @Generated
        private boolean ocspTimeoutSeconds$set;

        @Generated
        private int ocspTimeoutSeconds$value;

        @Generated
        private boolean tolerateOcspFailure$set;

        @Generated
        private boolean tolerateOcspFailure$value;

        @Generated
        private boolean validityValidator$set;

        @Generated
        private ValidityValidator validityValidator$value;

        @Generated
        TucPki001VerifierBuilder() {
        }

        @Generated
        public TucPki001VerifierBuilder productType(@NonNull String str) {
            if (str == null) {
                throw new NullPointerException("productType is marked non-null but is null");
            }
            this.productType = str;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder currentTrustedServices(@NonNull List<TspService> list) {
            if (list == null) {
                throw new NullPointerException("currentTrustedServices is marked non-null but is null");
            }
            this.currentTrustedServices = list;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder currentTslId(@NonNull String str) {
            if (str == null) {
                throw new NullPointerException("currentTslId is marked non-null but is null");
            }
            this.currentTslId = str;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder currentTslSeqNr(@NonNull BigInteger bigInteger) {
            if (bigInteger == null) {
                throw new NullPointerException("currentTslSeqNr is marked non-null but is null");
            }
            this.currentTslSeqNr = bigInteger;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder tslToCheck(byte[] bArr) {
            if (bArr == null) {
                throw new NullPointerException("tslToCheck is marked non-null but is null");
            }
            this.tslToCheck = bArr;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder withOcspCheck(boolean z) {
            this.withOcspCheck$value = z;
            this.withOcspCheck$set = true;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder ocspRespCache(OcspRespCache ocspRespCache) {
            this.ocspRespCache = ocspRespCache;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder ocspTimeoutSeconds(int i) {
            this.ocspTimeoutSeconds$value = i;
            this.ocspTimeoutSeconds$set = true;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder tolerateOcspFailure(boolean z) {
            this.tolerateOcspFailure$value = z;
            this.tolerateOcspFailure$set = true;
            return this;
        }

        @Generated
        public TucPki001VerifierBuilder validityValidator(ValidityValidator validityValidator) {
            this.validityValidator$value = validityValidator;
            this.validityValidator$set = true;
            return this;
        }

        @Generated
        public TucPki001Verifier build() {
            boolean z = this.withOcspCheck$value;
            if (!this.withOcspCheck$set) {
                z = TucPki001Verifier.$default$withOcspCheck();
            }
            int i = this.ocspTimeoutSeconds$value;
            if (!this.ocspTimeoutSeconds$set) {
                i = TucPki001Verifier.$default$ocspTimeoutSeconds();
            }
            boolean z2 = this.tolerateOcspFailure$value;
            if (!this.tolerateOcspFailure$set) {
                z2 = TucPki001Verifier.$default$tolerateOcspFailure();
            }
            ValidityValidator validityValidator = this.validityValidator$value;
            if (!this.validityValidator$set) {
                validityValidator = TucPki001Verifier.$default$validityValidator();
            }
            return new TucPki001Verifier(this.productType, this.currentTrustedServices, this.currentTslId, this.currentTslSeqNr, this.tslToCheck, z, this.ocspRespCache, i, z2, validityValidator);
        }

        @Generated
        public String toString() {
            return "TucPki001Verifier.TucPki001VerifierBuilder(productType=" + this.productType + ", currentTrustedServices=" + this.currentTrustedServices + ", currentTslId=" + this.currentTslId + ", currentTslSeqNr=" + this.currentTslSeqNr + ", tslToCheck=" + Arrays.toString(this.tslToCheck) + ", withOcspCheck$value=" + this.withOcspCheck$value + ", ocspRespCache=" + this.ocspRespCache + ", ocspTimeoutSeconds$value=" + this.ocspTimeoutSeconds$value + ", tolerateOcspFailure$value=" + this.tolerateOcspFailure$value + ", validityValidator$value=" + this.validityValidator$value + ")";
        }
    }

    public static void verifyTslValidity(ZonedDateTime zonedDateTime, int i, TrustStatusListType trustStatusListType, String str) throws GemPkiException {
        ZonedDateTime ofInstant = ZonedDateTime.ofInstant(trustStatusListType.getSchemeInformation().getNextUpdate().getDateTime().toGregorianCalendar().toInstant(), ZoneOffset.UTC);
        ZonedDateTime minusDays = zonedDateTime.minusDays(i);
        if (ofInstant.isAfter(zonedDateTime)) {
            return;
        }
        if (!ofInstant.isAfter(minusDays)) {
            throw new GemPkiException(str, ErrorCode.SW_1009_VALIDITY_WARNING_2);
        }
        log.warn(ErrorCode.SW_1008_VALIDITY_WARNING_1.getErrorMessage(str));
    }

    public Optional<TrustAnchorUpdate> performTucPki001Checks() throws GemPkiException {
        log.debug("TUC_PKI_001 Checks...");
        validateWellFormedXml();
        validateAgainstXsdSchemas();
        X509Certificate tslSignerCertificate = getTslSignerCertificate();
        TucPki018Verifier.builder().productType(this.productType).ocspRespCache(this.ocspRespCache).tspServiceList(this.currentTrustedServices).certificateProfiles(List.of(CertificateProfile.CERT_PROFILE_C_TSL_SIG)).withOcspCheck(this.withOcspCheck).ocspTimeoutSeconds(this.ocspTimeoutSeconds).tolerateOcspFailure(this.tolerateOcspFailure).build().performTucPki018Checks(tslSignerCertificate);
        checkTslSignature(tslSignerCertificate);
        checkTslIdAndTslSeqNr();
        return getVerifiedAnnouncedTrustAnchorUpdate();
    }

    protected void validateWellFormedXml() throws GemPkiException {
        try {
            TslConverter.bytesToDoc(this.tslToCheck);
        } catch (GemPkiRuntimeException e) {
            if (!(e.getCause() instanceof SAXException)) {
                throw e;
            }
            throw new GemPkiException(this.productType, ErrorCode.TE_1011_TSL_NOT_WELLFORMED);
        }
    }

    protected void validateAgainstXsdSchemas() throws GemPkiException {
        validateXsd();
        validateAdditionalTypes();
        validateSie();
        log.info("Schema validation successful!");
    }

    Validator getValidator(String str) {
        try {
            return SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema").newSchema(ResourceReader.getUrlFromResources(str, TucPki001Verifier.class)).newValidator();
        } catch (SAXException e) {
            throw new GemPkiRuntimeException("Error during parsing of schema file.", e);
        }
    }

    void validateAgainstXsd(String str) throws GemPkiException {
        try {
            getValidator(str).validate(new DOMSource(TslConverter.bytesToDoc(this.tslToCheck)));
        } catch (IOException e) {
            throw new GemPkiRuntimeException("Error reading schema file.", e);
        } catch (SAXException e2) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1012_TSL_SCHEMA_NOT_VALID, e2);
        }
    }

    private void validateAdditionalTypes() throws GemPkiException {
        validateAgainstXsd("schemas/ts_102231v030102_additionaltypes_xsd.xsd");
    }

    private void validateXsd() throws GemPkiException {
        validateAgainstXsd("schemas/ts_102231v030102_xsd.xsd");
    }

    private void validateSie() throws GemPkiException {
        validateAgainstXsd("schemas/ts_102231v030102_sie_xsd.xsd");
    }

    private static List<TSPServiceType> getTrustAnchorTspServices(byte[] bArr) {
        return new TslInformationProvider(TslConverter.bytesToTslUnsigned(bArr)).getFilteredTspServices(List.of(TslConstants.STI_SRV_CERT_CHANGE)).stream().map((v0) -> {
            return v0.getTspServiceType();
        }).toList();
    }

    protected Optional<TrustAnchorUpdate> getVerifiedAnnouncedTrustAnchorUpdate() {
        return getVerifiedAnnouncedTrustAnchorUpdate(GemLibPkiUtils.now());
    }

    private void initializeValidator() {
        if (this.validityValidator != null) {
            return;
        }
        this.validityValidator = new ValidityValidator(this.productType);
    }

    private Optional<TrustAnchorUpdate> getVerifiedAnnouncedTrustAnchorUpdate(ZonedDateTime zonedDateTime) {
        log.debug("check for a trust anchor for update");
        try {
            List<TSPServiceType> trustAnchorTspServices = getTrustAnchorTspServices(this.tslToCheck);
            if (trustAnchorTspServices.isEmpty()) {
                log.debug("no trust anchors for update found");
                return Optional.empty();
            }
            if (trustAnchorTspServices.size() > 1) {
                log.debug("multiple trust anchors for update found -> ignoring trust anchor update");
                log.warn(ErrorCode.SE_1003_MULTIPLE_TRUST_ANCHOR.getErrorMessage(this.productType));
                return Optional.empty();
            }
            log.debug("one trust anchor for update found: starting its verification");
            TSPServiceType tSPServiceType = trustAnchorTspServices.get(0);
            ZonedDateTime zonedDateTime2 = tSPServiceType.getServiceInformation().getStatusStartingTime().toGregorianCalendar().toZonedDateTime();
            X509Certificate readX509 = CertReader.readX509(this.productType, ((DigitalIdentityType) tSPServiceType.getServiceInformation().getServiceDigitalIdentity().getDigitalId().get(0)).getX509Certificate());
            initializeValidator();
            this.validityValidator.validateCertificate(readX509, zonedDateTime);
            log.debug("verification of the trust anchor successful: certSerialNr {}, statusStartingTime {}", readX509.getSerialNumber(), zonedDateTime2);
            return Optional.of(new TrustAnchorUpdate(readX509, zonedDateTime2));
        } catch (GemPkiException e) {
            log.info(e.getError().getErrorMessage(this.productType));
            log.info("Verification of the trust anchor for update anchor failed.", e);
            return Optional.empty();
        } catch (RuntimeException e2) {
            log.info("Extraction and processing of the trust anchor for update failed.", e2);
            return Optional.empty();
        }
    }

    protected X509Certificate getTslSignerCertificate() throws GemPkiException {
        try {
            return TslUtils.getFirstTslSignerCertificate(TslConverter.bytesToTslUnsigned(this.tslToCheck));
        } catch (RuntimeException e) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1002_TSL_CERT_EXTRACTION_ERROR);
        }
    }

    private void checkTslSignature(X509Certificate x509Certificate) throws GemPkiException {
        if (!TslValidator.checkSignature(TslConverter.bytesToDoc(this.tslToCheck), new TspInformationProvider(this.currentTrustedServices, this.productType).getIssuerTspServiceSubset(x509Certificate).getX509IssuerCert())) {
            throw new GemPkiException(this.productType, ErrorCode.SE_1013_XML_SIGNATURE_ERROR);
        }
    }

    private void checkTslIdAndTslSeqNr() throws GemPkiException {
        TrustStatusListType bytesToTslUnsigned = TslConverter.bytesToTslUnsigned(this.tslToCheck);
        String id = bytesToTslUnsigned.getId();
        BigInteger tslSeqNr = TslReader.getTslSeqNr(bytesToTslUnsigned);
        if (tslSeqNr.compareTo(this.currentTslSeqNr) <= 0 || this.currentTslId.equals(id)) {
            String errorMessage = getErrorMessage(tslSeqNr, id);
            log.debug("irregular differences between new and current TSLs were detected");
            log.debug("  currentTsl: tslSeqNr {}, id {}", this.currentTslSeqNr, this.currentTslId);
            log.debug("  newTsl:     tslSeqNr {}, id {}", tslSeqNr, id);
            log.debug("  --> {}", errorMessage);
            throw new GemPkiException(this.productType, ErrorCode.SE_1007_TSL_ID_INCORRECT);
        }
    }

    private String getErrorMessage(BigInteger bigInteger, String str) {
        return (bigInteger.compareTo(this.currentTslSeqNr) == 0 && this.currentTslId.equals(str)) ? "check0: no changes in new tslSeqNr and tslId" : (bigInteger.compareTo(this.currentTslSeqNr) != 0 || this.currentTslId.equals(str)) ? (bigInteger.compareTo(this.currentTslSeqNr) <= 0 || !this.currentTslId.equals(str)) ? "check1: new tslSeqNr is smaller than current tslSeqNr" : "check3: new tslSeqNr greater than current tslSeqNr, but ids are equal" : "check2: new tslSeqNr and current tslSeqNr are equal, but ids differ";
    }

    @Generated
    private static boolean $default$withOcspCheck() {
        return true;
    }

    @Generated
    private static int $default$ocspTimeoutSeconds() {
        return 10;
    }

    @Generated
    private static boolean $default$tolerateOcspFailure() {
        return false;
    }

    @Generated
    private static ValidityValidator $default$validityValidator() {
        return null;
    }

    @Generated
    public static TucPki001VerifierBuilder builder() {
        return new TucPki001VerifierBuilder();
    }

    @Generated
    protected TucPki001Verifier(@NonNull String str, @NonNull List<TspService> list, @NonNull String str2, @NonNull BigInteger bigInteger, byte[] bArr, boolean z, OcspRespCache ocspRespCache, int i, boolean z2) {
        if (str == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (list == null) {
            throw new NullPointerException("currentTrustedServices is marked non-null but is null");
        }
        if (str2 == null) {
            throw new NullPointerException("currentTslId is marked non-null but is null");
        }
        if (bigInteger == null) {
            throw new NullPointerException("currentTslSeqNr is marked non-null but is null");
        }
        if (bArr == null) {
            throw new NullPointerException("tslToCheck is marked non-null but is null");
        }
        this.productType = str;
        this.currentTrustedServices = list;
        this.currentTslId = str2;
        this.currentTslSeqNr = bigInteger;
        this.tslToCheck = bArr;
        this.withOcspCheck = z;
        this.ocspRespCache = ocspRespCache;
        this.ocspTimeoutSeconds = i;
        this.tolerateOcspFailure = z2;
        this.validityValidator = $default$validityValidator();
    }

    @Generated
    private TucPki001Verifier(@NonNull String str, @NonNull List<TspService> list, @NonNull String str2, @NonNull BigInteger bigInteger, byte[] bArr, boolean z, OcspRespCache ocspRespCache, int i, boolean z2, ValidityValidator validityValidator) {
        if (str == null) {
            throw new NullPointerException("productType is marked non-null but is null");
        }
        if (list == null) {
            throw new NullPointerException("currentTrustedServices is marked non-null but is null");
        }
        if (str2 == null) {
            throw new NullPointerException("currentTslId is marked non-null but is null");
        }
        if (bigInteger == null) {
            throw new NullPointerException("currentTslSeqNr is marked non-null but is null");
        }
        if (bArr == null) {
            throw new NullPointerException("tslToCheck is marked non-null but is null");
        }
        this.productType = str;
        this.currentTrustedServices = list;
        this.currentTslId = str2;
        this.currentTslSeqNr = bigInteger;
        this.tslToCheck = bArr;
        this.withOcspCheck = z;
        this.ocspRespCache = ocspRespCache;
        this.ocspTimeoutSeconds = i;
        this.tolerateOcspFailure = z2;
        this.validityValidator = validityValidator;
    }
}
