package dev.fitko.fitconnect.jwkvalidator.x5c.ocsp;

import com.nimbusds.jose.util.Pair;
import dev.fitko.fitconnect.jwkvalidator.x5c.CertStatus;
import dev.fitko.fitconnect.jwkvalidator.x5c.crl.CRLVerifier;
import java.net.Proxy;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/fitko/fitconnect/jwkvalidator/x5c/ocsp/OCSPLocationEvaluator.class */
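/**
 * Determines the revocation status of a certificate by asking a list of OCSP responder
 * locations in order and using the first response that survives every validation step.
 *
 * <p>A response is only converted into a {@link CertStatus} after it has been obtained by
 * {@link OCSPResponseManager}, accepted by {@link OCSPTimestampValidator} and accepted by
 * {@link OCSPResponseSignatureValidator}. A location whose response is rejected at any step
 * is skipped and the next location is tried.
 */
class OCSPLocationEvaluator {
    private static final Logger log = LoggerFactory.getLogger(OCSPLocationEvaluator.class);
    private final OCSPCacheManager cache;
    private final OCSPResponseManager ocspResponseManager;
    private final OCSPTimestampValidator ocspTimestampValidator = new OCSPTimestampValidator();
    private final OCSPResponseSignatureValidator ocspResponseSignatureValidator;

    /**
     * Creates an evaluator. (Decompiler note: this constructor was package-private in the
     * original class.)
     *
     * @param oCSPCacheManager cache that receives every status this evaluator produces
     * @param cRLVerifier passed to the OCSP response signature validator
     * @param list passed to the OCSP response signature validator
     *     (NOTE(review): meaning not visible here, presumably trusted root certificates; confirm)
     * @param proxy proxy handed to the component that fetches OCSP responses
     */
    public OCSPLocationEvaluator(OCSPCacheManager oCSPCacheManager, CRLVerifier cRLVerifier, List<String> list, Proxy proxy) {
        this.cache = oCSPCacheManager;
        this.ocspResponseManager = new OCSPResponseManager(proxy);
        this.ocspResponseSignatureValidator = new OCSPResponseSignatureValidator(cRLVerifier, list);
    }

    /**
     * Queries the given OCSP locations one after another and returns the status taken from
     * the first response that passes retrieval, timestamp and signature validation.
     * (Decompiler note: this method was package-private in the original class.)
     *
     * <p>The first validated response ends the search whatever its status is, so an
     * {@code UNKNOWN} answer from an early location is handed to the cache just like
     * {@code VALID} or {@code REVOKED}; later locations are not consulted.
     *
     * @param oCSPReq the OCSP request sent to each location
     * @param list OCSP responder locations, tried in iteration order
     * @param x509Certificate the leaf certificate whose status is being checked
     * @param x509Certificate2 second certificate passed to signature validation and the cache
     *     (NOTE(review): presumably the issuer of the leaf; confirm against the callers)
     * @return the value returned by the cache for the first validated response, or
     *     {@code null} when no location produced one. {@code null} means the status could
     *     not be established; a caller that treats it as "not revoked" would fail open.
     */
    public CertStatus checkCertStatusForLocations(OCSPReq oCSPReq, List<String> list, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        for (String location : list) {
            Optional<Pair<CertStatus, BasicOCSPResp>> result = this.ocspResponseManager
                    .obtainValidatedBasicOcspResponse(oCSPReq, location, x509Certificate)
                    .flatMap(response -> this.ocspTimestampValidator.validate(response, location, x509Certificate))
                    .flatMap(response -> this.ocspResponseSignatureValidator.validate(response, location, x509Certificate, x509Certificate2))
                    .flatMap(this::convertToCertStatus);
            if (result.isPresent()) {
                Pair<CertStatus, BasicOCSPResp> statusAndResponse = result.get();
                return this.cache.saveToCache(statusAndResponse.getLeft(), statusAndResponse.getRight(), x509Certificate, x509Certificate2);
            }
        }
        log.error("No valid OCSP response for leaf cert {} from any of the following locations: {}", x509Certificate.getSerialNumber(), list);
        return null;
    }

    /**
     * Maps the status of the first single response inside {@code basicOCSPResp} to a
     * {@link CertStatus}, paired with the response it came from.
     *
     * @param basicOCSPResp a response that has already passed the earlier validation steps
     * @return the mapped status and the response, or an empty Optional when the response
     *     carries no single response at all, so that the caller moves on to the next location
     */
    private Optional<Pair<CertStatus, BasicOCSPResp>> convertToCertStatus(BasicOCSPResp basicOCSPResp) {
        // A syntactically valid response may contain zero single responses. Indexing [0]
        // unguarded would throw and abort the whole location loop instead of falling
        // through to the remaining responders.
        if (basicOCSPResp.getResponses().length == 0) {
            log.warn("OCSP response contains no single response, ignoring it");
            return Optional.empty();
        }
        // NOTE(review): only the first single response is inspected, and nothing in this
        // class checks that its CertID belongs to the requested certificate. Presumably
        // obtainValidatedBasicOcspResponse performs that check; confirm.
        CertificateStatus certStatus = basicOCSPResp.getResponses()[0].getCertStatus();
        // Identity comparison is deliberate: BouncyCastle defines CertificateStatus.GOOD as
        // null, so calling equals() on the status is not an option.
        if (certStatus == CertificateStatus.GOOD) {
            return Optional.of(Pair.of(CertStatus.VALID, basicOCSPResp));
        }
        if (certStatus instanceof RevokedStatus) {
            return Optional.of(Pair.of(CertStatus.REVOKED, basicOCSPResp));
        }
        // Any other status object is reported as UNKNOWN rather than dropped.
        return Optional.of(Pair.of(CertStatus.UNKNOWN, basicOCSPResp));
    }
}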
