package dev.fitko.fitconnect.jwkvalidator.x5c.ocsp;

import dev.fitko.fitconnect.jwkvalidator.x5c.CertStatus;
import dev.fitko.fitconnect.jwkvalidator.x5c.crl.CRLVerifier;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:dev/fitko/fitconnect/jwkvalidator/x5c/ocsp/OCSPResponseSignatureValidator.class */
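/**
 * Verifies the signature on a {@link BasicOCSPResp} that was produced by a delegated OCSP
 * responder whose certificate is carried inside the response.
 *
 * <p>The responder certificate is located via the response's {@code ResponderID} (key hash
 * first, then name). It is then required to carry the id-kp-OCSPSigning extended key usage,
 * to be signed by the supplied issuer key, and to either carry id-pkix-ocsp-nocheck or pass a
 * CRL check. Only then is the response signature itself verified, optionally restricted to a
 * configured allow-list of signature algorithm OIDs.
 *
 * <p>Every failed check is logged and turns into {@link Optional#empty()}; the class never
 * throws for a malformed or untrusted response.
 */
public class OCSPResponseSignatureValidator {
    private static final Logger log = LoggerFactory.getLogger(OCSPResponseSignatureValidator.class);

    // Revocation checker for delegated responder certs that lack id-pkix-ocsp-nocheck.
    private final CRLVerifier crlVerifier;
    // Allowed OCSP response signature algorithm OIDs; empty means "do not restrict".
    private final List<String> validSignatureAlgOIDs;

    /**
     * Creates a validator.
     *
     * @param cRLVerifier CRL checker used for delegated responder certificates
     * @param list        allowed signature algorithm OIDs for the OCSP response; {@code null}
     *                    or empty disables that check (a warning is logged)
     */
    public OCSPResponseSignatureValidator(CRLVerifier cRLVerifier, List<String> list) {
        this.crlVerifier = cRLVerifier;
        this.validSignatureAlgOIDs = verifySignatureAlgOIDList(list);
    }

    /**
     * Normalises the configured allow-list: {@code null} and empty both become an empty list,
     * which {@link #validSignatureAlgorithm} treats as "skip the algorithm check".
     *
     * @param list the configured OIDs, possibly {@code null}
     * @return the list to store; never {@code null}
     */
    private List<String> verifySignatureAlgOIDList(List<String> list) {
        if (list == null || list.isEmpty()) {
            log.warn("Empty list of signature algorithm OIDs for OCSP Response validation.");
            return Collections.emptyList();
        }
        log.debug("List of valid OCSP Response Signature Algorithms: {}", list);
        return list;
    }

    /**
     * Runs every check on the response's delegated signer certificate and, if all pass, on the
     * response signature.
     *
     * @param basicOCSPResp    the parsed OCSP response to verify
     * @param str              the responder URL; used only as log context
     * @param x509Certificate  the leaf certificate the response is about; used only as log context
     * @param x509Certificate2 the certificate whose public key must have signed the delegation
     *                         certificate (presumably the issuing CA certificate)
     * @return the response when every check passes, otherwise {@link Optional#empty()}; the
     *         reason for a failure is logged, not returned
     */
    public Optional<BasicOCSPResp> validate(BasicOCSPResp basicOCSPResp, String str, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        return extractDelegationCertFromResponse(basicOCSPResp, x509Certificate, str)
                .flatMap(cert -> delegationCertHasCorrectKeyUsages(cert, x509Certificate, str))
                // Verify the issuer's signature over the delegation cert before acting on any of
                // its extensions: the extension check may hand the cert to the CRL verifier, which
                // follows the CRL distribution point named in the cert. A cert nobody has vouched
                // for yet must not be able to steer that lookup.
                .flatMap(cert -> delegationCertSignedCorrectly(cert, x509Certificate2, x509Certificate, str))
                .flatMap(cert -> delegationCertHasCorrectExtensions(cert, x509Certificate, str))
                .flatMap(cert -> validSignatureAlgorithm(basicOCSPResp, cert, x509Certificate, str))
                .flatMap(cert -> validSignature(basicOCSPResp, cert, x509Certificate, str));
    }

    /**
     * Verifies the response signature against the delegation certificate's public key.
     *
     * <p>This proves only that the response was signed with {@code signerCert}'s key; trust in
     * {@code signerCert} itself comes from the delegation-cert checks that run before this one.
     *
     * @param response   the response whose signature is checked
     * @param signerCert the already-validated delegation certificate
     * @param leafCert   leaf certificate, log context only
     * @param url        responder URL, log context only
     * @return the response if the signature verifies, otherwise empty
     */
    private Optional<BasicOCSPResp> validSignature(BasicOCSPResp response, X509Certificate signerCert, X509Certificate leafCert, String url) {
        try {
            boolean signatureOk = response.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(signerCert));
            if (signatureOk) {
                return Optional.of(response);
            }
            log.error("Invalid signature in OCSP response for leaf cert {} in url {}", leafCert.getSerialNumber(), url);
            return Optional.empty();
        } catch (OperatorCreationException e) {
            log.error("Could not create ContentVerifierProvider for leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        } catch (OCSPException e) {
            log.error("Failed verifying signature for leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        }
    }

    /**
     * Checks the response's signature algorithm OID against the configured allow-list.
     *
     * @param response   the response whose algorithm OID is read
     * @param signerCert the delegation certificate, passed through on success
     * @param leafCert   leaf certificate, log context only
     * @param url        responder URL, log context only
     * @return {@code signerCert} if the algorithm is allowed or no allow-list is configured,
     *         otherwise empty
     */
    private Optional<X509Certificate> validSignatureAlgorithm(BasicOCSPResp response, X509Certificate signerCert, X509Certificate leafCert, String url) {
        log.debug("[validSignatureAlgorithm] - Signature algorithm {} in response for leaf cert {} in url {}", response.getSignatureAlgOID(), leafCert.getSerialNumber(), url);
        String algOid = response.getSignatureAlgOID().getId();
        if (this.validSignatureAlgOIDs.isEmpty()) {
            // No allow-list configured: whatever algorithm BC can verify is accepted.
            log.debug("Skipping validation of used signature algorithm in OCSP response");
            return Optional.of(signerCert);
        }
        if (!this.validSignatureAlgOIDs.contains(algOid)) {
            log.error("Signature algorithm {} in OCSP response not in list of valid signature algorithm OIDs: {}", algOid, this.validSignatureAlgOIDs);
            return Optional.empty();
        }
        return Optional.of(signerCert);
    }

    /**
     * Requires the delegation certificate to be either exempt from revocation checking
     * (id-pkix-ocsp-nocheck) or checkable via a CRL distribution point, and in the latter case
     * runs the CRL check.
     *
     * @param delegationCert the responder certificate taken from the response
     * @param leafCert       leaf certificate, log context only
     * @param url            responder URL, log context only
     * @return {@code delegationCert} on success, otherwise empty
     */
    private Optional<X509Certificate> delegationCertHasCorrectExtensions(X509Certificate delegationCert, X509Certificate leafCert, String url) {
        Set<String> nonCriticalOids = delegationCert.getNonCriticalExtensionOIDs();
        if (nonCriticalOids == null) {
            log.error("Delegation certificate does not have any non critical extensions for leaf cert {} in url {}", leafCert.getSerialNumber(), url);
            return Optional.empty();
        }
        // id-pkix-ocsp-nocheck (RFC 6960 4.2.2.2.1) tells the client not to revocation-check
        // the responder certificate during its validity period.
        if (nonCriticalOids.contains(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId())) {
            return Optional.of(delegationCert);
        }
        log.debug("Delegation certificate does not have id-pkix-ocsp-nocheck extension for leaf cert {} in url {}", leafCert.getSerialNumber(), url);
        // An AIA extension would point to yet another OCSP responder; only logged, not followed.
        if (OCSPUtils.readAuthorityInformationAccessBytes(delegationCert).isPresent()) {
            log.warn("Delegation certificate unexpectedly contains OCSP extension {} for leaf cert {} in url {}", Extension.authorityInfoAccess, leafCert.getSerialNumber(), url);
        }
        // Without nocheck the responder cert must be revocation-checked, which here means CRL.
        if (nonCriticalOids.contains(Extension.cRLDistributionPoints.toString())) {
            return validateOCSPSignerCertificate(delegationCert, leafCert, url);
        }
        log.error("Delegation certificate does not have the required CRL Distribution Points extension {} for leaf cert {} in url {}. Signer certificate cannot be verified.", Extension.cRLDistributionPoints, leafCert.getSerialNumber(), url);
        return Optional.empty();
    }

    /**
     * Asks the CRL verifier for the revocation status of the delegation certificate.
     *
     * @param delegationCert the responder certificate to check
     * @param leafCert       leaf certificate, log context only
     * @param url            responder URL, log context only
     * @return {@code delegationCert} if its status is {@link CertStatus#VALID}, otherwise empty
     */
    private Optional<X509Certificate> validateOCSPSignerCertificate(X509Certificate delegationCert, X509Certificate leafCert, String url) {
        // NOTE(review): the delegation cert is passed as its own issuer here; the issuer cert is
        // not available in this method. Confirm this matches CRLVerifier.checkCertStatus's
        // parameter contract (in particular how the CRL signature is verified).
        CertStatus status = this.crlVerifier.checkCertStatus(delegationCert, delegationCert, false);
        if (status == CertStatus.VALID) {
            return Optional.of(delegationCert);
        }
        log.error("Delegation certificate {} for leaf cert {} in url {} returned status {} for its CRL check.", delegationCert.getSerialNumber(), leafCert.getSerialNumber(), url, status);
        return Optional.empty();
    }

    /**
     * Requires the delegation certificate to carry the id-kp-OCSPSigning extended key usage.
     *
     * @param delegationCert the responder certificate to check
     * @param leafCert       leaf certificate, log context only
     * @param url            responder URL, log context only
     * @return {@code delegationCert} if the EKU is present, otherwise empty
     */
    private Optional<X509Certificate> delegationCertHasCorrectKeyUsages(X509Certificate delegationCert, X509Certificate leafCert, String url) {
        try {
            List<String> extendedKeyUsages = delegationCert.getExtendedKeyUsage();
            if (extendedKeyUsages == null) {
                log.error("Delegation certificate does not have any extended key usages for leaf cert {} in url {}", leafCert.getSerialNumber(), url);
                return Optional.empty();
            }
            if (extendedKeyUsages.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
                return Optional.of(delegationCert);
            }
            log.error("Delegation certificate does not have id-kp-OCSPSigning extension for leaf cert {} in url {}", leafCert.getSerialNumber(), url);
            return Optional.empty();
        } catch (CertificateParsingException e) {
            log.error("Cannot extract extended key usage form delegation cert for leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        }
    }

    /**
     * Verifies that {@code issuerCert}'s public key signed the delegation certificate.
     *
     * @param delegationCert the responder certificate to verify
     * @param issuerCert     the certificate whose key is expected to have signed it
     * @param leafCert       leaf certificate, log context only
     * @param url            responder URL, log context only
     * @return {@code delegationCert} if the signature verifies, otherwise empty
     */
    private Optional<X509Certificate> delegationCertSignedCorrectly(X509Certificate delegationCert, X509Certificate issuerCert, X509Certificate leafCert, String url) {
        try {
            log.debug("[delegationCertSignedCorrectly] - Signature algorithm {} ({}) in delegation cert {} for leaf cert {} in url {}", delegationCert.getSigAlgOID(), delegationCert.getSigAlgName(), delegationCert.getSerialNumber(), leafCert.getSerialNumber(), url);
            // NOTE(review): only the signature is verified; no checkValidity() (notBefore/notAfter)
            // is performed on the delegation cert anywhere in this class. Confirm the validity
            // period is enforced by the caller, since for nocheck certs it is the only bound on
            // how long a compromised responder key stays usable.
            delegationCert.verify(issuerCert.getPublicKey());
            return Optional.of(delegationCert);
        } catch (InvalidKeyException e) {
            log.error("Incorrect key in delegation cert check with leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        } catch (NoSuchAlgorithmException e) {
            log.error("Signature algorithm in delegation cert is not supported for leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        } catch (NoSuchProviderException e) {
            log.error("No provider found for signature check with leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        } catch (SignatureException e) {
            log.error("Incorrect signature for delegation cert with leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        } catch (CertificateException e) {
            log.error("Delegation cert has wrong encoding for leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            return Optional.empty();
        }
    }

    /**
     * Finds the responder certificate inside the response using its {@code ResponderID}:
     * by key hash first, then by name.
     *
     * @param response the response whose embedded certificates are searched
     * @param leafCert leaf certificate, log context only
     * @param url      responder URL, log context only
     * @return the matching certificate, or empty if neither lookup matched
     */
    private Optional<X509Certificate> extractDelegationCertFromResponse(BasicOCSPResp response, X509Certificate leafCert, String url) {
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        ResponderID responderId = response.getResponderId().toASN1Primitive();
        X509Certificate byKeyHash = extractSignatureCertFromResponseByKeyHash(response, leafCert, url, responderId, converter);
        if (byKeyHash != null) {
            return Optional.of(byKeyHash);
        }
        X509Certificate byName = extractSignatureCertFromResponseByName(response, leafCert, url, responderId, converter);
        if (byName != null) {
            return Optional.of(byName);
        }
        log.error("Cannot extract signature cert from response for leaf cert {} in url {}", leafCert.getSerialNumber(), url);
        return Optional.empty();
    }

    /**
     * Returns the first embedded certificate whose subject equals the responder's name.
     *
     * @param response    the response whose embedded certificates are searched
     * @param leafCert    leaf certificate, log context only
     * @param url         responder URL, log context only
     * @param responderId the response's ResponderID
     * @param converter   converts BC holders into JCA certificates
     * @return the matching certificate, or {@code null} if the ResponderID carries no name or
     *         nothing matched (conversion failures are logged and skipped)
     */
    private X509Certificate extractSignatureCertFromResponseByName(BasicOCSPResp response, X509Certificate leafCert, String url, ResponderID responderId, JcaX509CertificateConverter converter) {
        X500Name responderName = responderId.getName();
        if (responderName == null) {
            return null;
        }
        for (X509CertificateHolder holder : response.getCerts()) {
            if (!responderName.equals(holder.getSubject())) {
                continue;
            }
            try {
                return converter.getCertificate(holder);
            } catch (CertificateException e) {
                log.warn("Failed converting signature cert based on name for leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            }
        }
        return null;
    }

    /**
     * Returns the first embedded certificate whose public-key hash equals the responder's
     * {@code KeyHash}.
     *
     * @param response    the response whose embedded certificates are searched
     * @param leafCert    leaf certificate, log context only
     * @param url         responder URL, log context only
     * @param responderId the response's ResponderID
     * @param converter   converts BC holders into JCA certificates
     * @return the matching certificate, or {@code null} if the ResponderID carries no key hash
     *         or nothing matched (conversion failures are logged and skipped)
     */
    private X509Certificate extractSignatureCertFromResponseByKeyHash(BasicOCSPResp response, X509Certificate leafCert, String url, ResponderID responderId, JcaX509CertificateConverter converter) {
        byte[] expectedKeyHash = responderId.getKeyHash();
        if (expectedKeyHash == null) {
            return null;
        }
        for (X509CertificateHolder holder : response.getCerts()) {
            // getKeyHashFromCertHolder may return null; Arrays.equals then simply yields false.
            if (!Arrays.equals(expectedKeyHash, getKeyHashFromCertHolder(holder))) {
                continue;
            }
            try {
                return converter.getCertificate(holder);
            } catch (CertificateException e) {
                log.warn("Failed converting signature cert based on key hash for leaf cert {} in url {}", leafCert.getSerialNumber(), url, e);
            }
        }
        return null;
    }

    /**
     * Computes the OCSP {@code KeyHash} of a certificate's public key.
     *
     * <p>RFC 6960 4.2.1 defines KeyHash as the SHA-1 hash of the responder's public key
     * BIT STRING contents (excluding tag, length and unused-bits). SHA-1 is therefore required
     * here for identifier matching; it carries no security property of its own.
     *
     * @param holder the certificate whose key is hashed
     * @return the 20-byte hash, or {@code null} if SHA-1 is unavailable (logged)
     */
    private byte[] getKeyHashFromCertHolder(X509CertificateHolder holder) {
        try {
            byte[] publicKeyBits = holder.getSubjectPublicKeyInfo().getPublicKeyData().getBytes();
            return MessageDigest.getInstance("SHA-1").digest(publicKeyBits);
        } catch (NoSuchAlgorithmException e) {
            log.error("No algorithm of type SHA-1", e);
            return null;
        }
    }
}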
