package de.gematik.pki.gemlibpki.tsl;

import de.gematik.pki.gemlibpki.error.ErrorCode;
import de.gematik.pki.gemlibpki.exception.GemPkiException;
import de.gematik.pki.gemlibpki.utils.CertReader;
import eu.europa.esig.trustedlist.jaxb.tsl.AttributedNonEmptyURIType;
import eu.europa.esig.trustedlist.jaxb.tsl.DigitalIdentityType;
import eu.europa.esig.trustedlist.jaxb.tsl.MultiLangNormStringType;
import eu.europa.esig.trustedlist.jaxb.tsl.ServiceSupplyPointsType;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.function.BiFunction;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gematik/pki/gemlibpki/tsl/TspInformationProvider.class */
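/**
 * Locates the TSP service (and the CA certificate it carries) that issued a given
 * end-entity certificate.
 *
 * <p>A candidate issuer is accepted when the end-entity certificate's issuer DN equals the
 * candidate's subject DN <em>and</em> the end-entity AuthorityKeyIdentifier matches the
 * candidate's SubjectKeyIdentifier. Note that this class only identifies the issuer; it does not
 * verify the end-entity certificate's signature against the issuer key, so that check has to be
 * performed by the caller or elsewhere in the validation chain.
 */
public class TspInformationProvider {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TspInformationProvider.class);

    /** Message of the {@code @NonNull} guards; kept identical to the lombok-generated text. */
    private static final String EE_CERT_NULL_MESSAGE = "x509EeCert is marked non-null but is null";

    /** TSP services whose digital identities are searched for the issuer certificate. */
    private final List<TspService> tspServices;
    /** Product type handed to {@link CertReader} and reported in every {@link GemPkiException}. */
    private final String productType;

    /**
     * Reads the raw value of an X.509 extension.
     *
     * @param cert certificate to inspect
     * @param oid dotted-decimal OID of the extension
     * @return the extension's OCTET STRING, or empty when the certificate does not carry it
     */
    private static Optional<ASN1OctetString> readExtension(X509Certificate cert, String oid) {
        // getExtensionValue() yields null for an absent extension; BouncyCastle passes null through.
        return Optional.ofNullable(ASN1OctetString.getInstance(cert.getExtensionValue(oid)));
    }

    /**
     * Checks whether the AuthorityKeyIdentifier of {@code x509Certificate} carries the same key
     * identifier as the SubjectKeyIdentifier of {@code x509Certificate2}.
     *
     * <p>Any missing or unparseable extension yields {@code false} (logged at debug level) rather
     * than an exception, because the end-entity certificate is untrusted input and a malformed
     * identifier must simply not match.
     *
     * @param x509Certificate end-entity certificate (must carry an AuthorityKeyIdentifier)
     * @param x509Certificate2 candidate issuer certificate (must carry a SubjectKeyIdentifier)
     * @return {@code true} only if both identifiers are present and byte-wise equal
     */
    private static boolean verifyAkiMatchesSki(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        try {
            Optional<ASN1OctetString> skiOctets =
                    readExtension(x509Certificate2, Extension.subjectKeyIdentifier.getId());
            if (skiOctets.isEmpty()) {
                log.debug("Extension SUBJECT_KEY_IDENTIFIER_OID: {} konnte in {} nicht gefunden werden.", Extension.subjectKeyIdentifier.getId(), x509Certificate2.getSubjectX500Principal());
                return false;
            }
            Optional<ASN1OctetString> akiOctets =
                    readExtension(x509Certificate, Extension.authorityKeyIdentifier.getId());
            if (akiOctets.isEmpty()) {
                log.debug("Extension AUTHORITY_KEY_IDENTIFIER_OID: {} konnte in {} nicht gefunden werden.", Extension.authorityKeyIdentifier.getId(), x509Certificate.getSubjectX500Principal());
                return false;
            }
            byte[] subjectKeyId =
                    SubjectKeyIdentifier.getInstance(skiOctets.get().getOctets()).getKeyIdentifier();
            // getKeyIdentifier() may be null when the AKI only names issuer/serial; Arrays.equals
            // then returns false, which is the desired "no match".
            byte[] authorityKeyId =
                    AuthorityKeyIdentifier.getInstance(ASN1Primitive.fromByteArray(akiOctets.get().getOctets()))
                            .getKeyIdentifier();
            return Arrays.equals(subjectKeyId, authorityKeyId);
        } catch (IOException | IllegalArgumentException e) {
            // IOException: fromByteArray() on malformed DER; IllegalArgumentException: BouncyCastle's
            // getInstance() on a structurally wrong extension value.
            log.debug("Octets des AUTHORITY_KEY_IDENTIFIER konnten in {} nicht gefunden werden.", x509Certificate.getSubjectX500Principal());
            log.trace("{}", e.toString());
            return false;
        }
    }

    /**
     * Converts the service's StatusStartingTime into a {@link ZonedDateTime}.
     *
     * @param tspService service whose status starting time is read
     * @return the status starting time with the zone taken from the XML calendar
     */
    private static ZonedDateTime getCertificateAuthorityStatusStartingTime(TspService tspService) {
        return tspService.getTspServiceType().getServiceInformation().getStatusStartingTime()
                .toGregorianCalendar().toZonedDateTime();
    }

    /**
     * Assembles the issuer-related subset of TSP information for an end-entity certificate.
     *
     * @param x509Certificate end-entity certificate whose issuer is looked up
     * @return issuer certificate, service status, status starting time, first service supply
     *     point and the service information extensions of the issuing TSP service
     * @throws GemPkiException if no issuer is found, the key identifiers differ, or the service
     *     supply point is missing
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    public TspServiceSubset getIssuerTspServiceSubset(@NonNull X509Certificate x509Certificate) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException(EE_CERT_NULL_MESSAGE);
        }
        Pair<TspService, X509Certificate> issuer = getIssuerTspServiceAndIssuerCert(x509Certificate);
        TspService tspService = issuer.getLeft();
        return TspServiceSubset.builder()
                .x509IssuerCert(issuer.getRight())
                .serviceStatus(tspService.getTspServiceType().getServiceInformation().getServiceStatus())
                .statusStartingTime(getCertificateAuthorityStatusStartingTime(tspService))
                .serviceSupplyPoint(getFirstServiceSupplyPointFromTspService(tspService))
                .extensions(tspService.getTspServiceType().getServiceInformation()
                        .getServiceInformationExtensions().getExtension())
                .build();
    }

    /**
     * Searches all TSP services for the certificate that issued {@code x509Certificate}.
     *
     * <p>A candidate must match on issuer DN / subject DN and on AKI / SKI. A DN-only match is
     * remembered so that the caller can be told the key identifiers differ instead of that the CA
     * is missing altogether.
     *
     * @param x509Certificate end-entity certificate
     * @return the issuing TSP service together with the issuer certificate read from it
     * @throws GemPkiException {@code TE_1027_CA_CERT_MISSING} if no certificate with a matching
     *     subject DN exists; {@code SE_1023_AUTHORITYKEYID_DIFFERENT} if a DN match was found but
     *     its SKI does not match the end-entity AKI
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    private Pair<TspService, X509Certificate> getIssuerTspServiceAndIssuerCert(@NonNull X509Certificate x509Certificate) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException(EE_CERT_NULL_MESSAGE);
        }
        // Last candidate whose subject DN matched but whose SKI did not match the AKI.
        Optional<X509Certificate> dnMatchWithDifferentKey = Optional.empty();
        log.info("Looking for issuer {} in trust store.", x509Certificate.getIssuerX500Principal().getName());
        for (TspService tspService : this.tspServices) {
            try {
                List<DigitalIdentityType> digitalIds =
                        tspService.getTspServiceType().getServiceInformation().getServiceDigitalIdentity().getDigitalId();
                for (DigitalIdentityType digitalId : digitalIds) {
                    X509Certificate candidate = CertReader.readX509(this.productType, digitalId.getX509Certificate());
                    if (!x509Certificate.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) {
                        continue;
                    }
                    if (verifyAkiMatchesSki(x509Certificate, candidate)) {
                        return Pair.of(tspService, candidate);
                    }
                    dnMatchWithDifferentKey = Optional.of(candidate);
                }
            } catch (NullPointerException e) {
                // Services with incomplete JAXB content (no digital identity etc.) are skipped
                // rather than aborting the whole lookup.
                MultiLangNormStringType serviceName =
                        tspService.getTspServiceType().getServiceInformation().getServiceName().getName().get(0);
                log.debug("skipped {} due to missing tsp information", serviceName.getValue());
            }
        }
        if (dnMatchWithDifferentKey.isEmpty()) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1027_CA_CERT_MISSING);
        }
        throw new GemPkiException(this.productType, ErrorCode.SE_1023_AUTHORITYKEYID_DIFFERENT);
    }

    /**
     * Returns the TSP service that issued {@code x509Certificate}.
     *
     * @param x509Certificate end-entity certificate
     * @return the issuing TSP service
     * @throws GemPkiException see {@link #getIssuerTspServiceAndIssuerCert(X509Certificate)}
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    public TspService getIssuerTspService(@NonNull X509Certificate x509Certificate) throws GemPkiException {
        if (x509Certificate == null) {
            throw new NullPointerException(EE_CERT_NULL_MESSAGE);
        }
        return getIssuerTspServiceAndIssuerCert(x509Certificate).getLeft();
    }

    /**
     * Returns the first ServiceSupplyPoint URI of a TSP service.
     *
     * @param tspService service to read from
     * @return the first supply point value (never blank)
     * @throws GemPkiException {@code TE_1026_SERVICESUPPLYPOINT_MISSING} if the element, its list,
     *     or the first value is absent, null or blank
     */
    private String getFirstServiceSupplyPointFromTspService(TspService tspService) throws GemPkiException {
        ServiceSupplyPointsType supplyPoints =
                tspService.getTspServiceType().getServiceInformation().getServiceSupplyPoints();
        if (supplyPoints == null) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1026_SERVICESUPPLYPOINT_MISSING);
        }
        List<AttributedNonEmptyURIType> entries = supplyPoints.getServiceSupplyPoint();
        if (entries == null || entries.isEmpty()) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1026_SERVICESUPPLYPOINT_MISSING);
        }
        String value = entries.get(0).getValue();
        // The schema name says "non-empty", but JAXB does not enforce it; guard null as well as blank.
        if (value == null || value.isBlank()) {
            throw new GemPkiException(this.productType, ErrorCode.TE_1026_SERVICESUPPLYPOINT_MISSING);
        }
        log.debug("First ServiceSupplyPoint was identified: {}", value);
        return value;
    }

    /**
     * Creates a provider over the given TSP services.
     *
     * @param list TSP services to search (not copied; the caller keeps ownership)
     * @param str product type used for error reporting and certificate reading
     */
    @Generated
    public TspInformationProvider(List<TspService> list, String str) {
        this.tspServices = list;
        this.productType = str;
    }
}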
