package dev.fitko.fitconnect.jwkvalidator.x5c;

import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64;
import dev.fitko.fitconnect.jwkvalidator.exceptions.JWKValidationException;
import dev.fitko.fitconnect.jwkvalidator.exceptions.LogLevel;
import dev.fitko.fitconnect.jwkvalidator.x5c.crl.CRLVerifier;
import dev.fitko.fitconnect.jwkvalidator.x5c.ocsp.OCSPVerifier;
import java.net.Proxy;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/fitko/fitconnect/jwkvalidator/x5c/X5CValidator.class */
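public class X5CValidator {
    private static final Logger log = LoggerFactory.getLogger(X5CValidator.class);

    /**
     * The {@code x5c} chain must contain exactly this many certificates. The positions are used
     * as: [0] end-entity (leaf) certificate, [1] its issuing intermediate, [2] the root that
     * signed the intermediate. The revocation checks in {@link #validate(RSAKey)} rely on this
     * layout.
     */
    private static final int CERTIFICATE_CHAIN_LENGTH = 3;
    private static final int LEAF = 0;
    private static final int INTERMEDIATE = 1;
    private static final int ROOT = 2;

    /** Trust anchors the PKIX path validation must terminate in; the root carried in x5c is not trusted by itself. */
    private final Set<TrustAnchor> trustAnchors;
    private final OCSPVerifier ocspVerifier;
    private final CRLVerifier crlVerifier;
    /** Level at which {@link JWKValidationException#build} logs a failed check. */
    private final LogLevel logLevel;

    /**
     * Creates a validator; use {@link #of} instead.
     *
     * @param proxy    proxy used by the OCSP and CRL verifiers for their network access
     * @param set      trust anchors for PKIX path validation
     * @param list     passed through to {@link OCSPVerifier} (presumably OCSP-related configuration; confirm against that class)
     * @param list2    passed through to {@link CRLVerifier} (presumably CRL-related configuration; confirm against that class)
     * @param logLevel log level for validation failures
     */
    private X5CValidator(Proxy proxy, Set<TrustAnchor> set, List<String> list, List<String> list2, LogLevel logLevel) {
        this.trustAnchors = set;
        this.crlVerifier = new CRLVerifier(proxy, list2);
        // The OCSP verifier gets a handle on the CRL verifier; how it uses it is decided there.
        this.ocspVerifier = new OCSPVerifier(proxy, this.crlVerifier, list);
        this.logLevel = logLevel;
    }

    /**
     * Static factory for {@link X5CValidator}.
     *
     * @param proxy    proxy used by the OCSP and CRL verifiers for their network access
     * @param set      trust anchors for PKIX path validation
     * @param list     passed through to {@link OCSPVerifier}
     * @param list2    passed through to {@link CRLVerifier}
     * @param logLevel log level for validation failures
     * @return a new validator instance
     */
    public static X5CValidator of(Proxy proxy, Set<TrustAnchor> set, List<String> list, List<String> list2, LogLevel logLevel) {
        return new X5CValidator(proxy, set, list, list2, logLevel);
    }

    /**
     * Validates the {@code x5c} certificate chain of the given JWK.
     *
     * <p>Checks, in order: the chain has exactly {@value #CERTIFICATE_CHAIN_LENGTH} non-null
     * entries, the chain validates under PKIX against the configured trust anchors, the leaf
     * is not revoked according to OCSP (queried against its intermediate issuer), the
     * intermediate is not revoked according to the root's CRL, and the root is checked against
     * its own CRL. A JWK without an {@code x5c} member is rejected rather than causing a
     * {@link NullPointerException}.
     *
     * <p>NOTE(review): this method does not verify that the public key in {@code x5c[0]}
     * equals the key described by the JWK's {@code n}/{@code e} members (RFC 7517 §4.7
     * requires them to match); confirm that comparison is done elsewhere in the pipeline.
     *
     * @param rSAKey the JWK whose x5c chain is validated
     * @throws JWKValidationException if any of the checks above fails
     */
    public void validate(RSAKey rSAKey) throws JWKValidationException {
        List<Base64> x5c = rSAKey.getX509CertChain();
        hasCorrectAmountOfCertificates(rSAKey, x5c);
        hasNoNullCertificates(rSAKey, x5c);
        List<X509Certificate> chain = rSAKey.getParsedX509CertChain();
        // Guard the index-based access below: the parsed chain is checked for length too,
        // so a parse that yields fewer certificates fails as a validation error.
        hasCorrectAmountOfCertificates(rSAKey, chain);
        hasValidCertPath(rSAKey, chain);
        X509Certificate leaf = chain.get(LEAF);
        X509Certificate intermediate = chain.get(INTERMEDIATE);
        X509Certificate root = chain.get(ROOT);
        hasValidOCSPResponse(rSAKey, leaf, intermediate);
        hasValidCRLResponse(rSAKey, intermediate, root);
        // The root is checked against a CRL signed by itself.
        hasValidCRLResponse(rSAKey, root, root);
    }

    /**
     * Rejects a missing chain or one whose size differs from {@value #CERTIFICATE_CHAIN_LENGTH}.
     *
     * @param rSAKey       the JWK, for the error message
     * @param certificates the raw or parsed chain; {@code null} means the JWK has no x5c member
     * @throws JWKValidationException if the chain is absent or has the wrong length
     */
    private void hasCorrectAmountOfCertificates(RSAKey rSAKey, Collection<?> certificates) throws JWKValidationException {
        if (certificates == null) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "JWK with id {} has no x5c certificate chain", rSAKey.getKeyID());
        }
        if (certificates.size() != CERTIFICATE_CHAIN_LENGTH) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "JWK with id {} has an invalid amount of certificates. Is {} but should be {}.", rSAKey.getKeyID(), certificates.size(), CERTIFICATE_CHAIN_LENGTH);
        }
    }

    /**
     * Rejects a chain with a {@code null} entry at any of the expected positions.
     * Assumes the length check has already passed.
     *
     * @param rSAKey       the JWK, for the error message
     * @param certificates the raw x5c entries
     * @throws JWKValidationException if an entry is {@code null}
     */
    private void hasNoNullCertificates(RSAKey rSAKey, List<Base64> certificates) throws JWKValidationException {
        for (int position = 0; position < CERTIFICATE_CHAIN_LENGTH; position++) {
            if (certificates.get(position) == null) {
                throw JWKValidationException.build(rSAKey, log, this.logLevel, "JWK with id {} has a null certificate at position {}", rSAKey.getKeyID(), position);
            }
        }
    }

    /**
     * Runs PKIX path validation of the chain against the configured trust anchors.
     * Revocation is deliberately not part of this step (see {@link #buildPKIXParameters}).
     *
     * @param rSAKey the JWK, for error messages
     * @param chain  the parsed certificates, leaf first
     * @throws JWKValidationException if the path does not validate
     */
    private void hasValidCertPath(RSAKey rSAKey, List<X509Certificate> chain) throws JWKValidationException {
        CertPathValidator validator = getPKIXCertPathValidator(rSAKey);
        CertPath certPath = generateCertPath(getX509CertificateFactory(rSAKey), rSAKey, chain);
        PKIXParameters parameters = buildPKIXParameters(rSAKey);
        validate(validator, certPath, parameters, rSAKey);
    }

    /**
     * Asks the OCSP verifier for the status of {@code peerCert} as seen by {@code issuerCert}.
     *
     * @param rSAKey     the JWK, for logging and error messages
     * @param peerCert   the certificate whose status is queried
     * @param issuerCert the certificate that issued {@code peerCert}
     * @throws JWKValidationException if the reported status is anything but {@link CertStatus#VALID}
     */
    private void hasValidOCSPResponse(RSAKey rSAKey, X509Certificate peerCert, X509Certificate issuerCert) throws JWKValidationException {
        log.debug("[hasValidOCSPResponse] - Signing algorithm {} ({}) in peerCert {} and {} ({}) in issuerCert {} for jwk {}",
                peerCert.getSigAlgOID(), peerCert.getSigAlgName(), peerCert.getSerialNumber(),
                issuerCert.getSigAlgOID(), issuerCert.getSigAlgName(), issuerCert.getSerialNumber(),
                rSAKey.getKeyID());
        CertStatus status = this.ocspVerifier.checkCertStatus(peerCert, issuerCert);
        if (status != CertStatus.VALID) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "JWK with id {} returned certificate status {} for OCSP check", rSAKey.getKeyID(), status);
        }
    }

    /**
     * Asks the CRL verifier for the status of {@code cert} using a CRL signed by {@code signingCert}.
     *
     * @param rSAKey      the JWK, for logging and error messages
     * @param cert        the certificate whose status is queried
     * @param signingCert the certificate expected to have signed the CRL
     * @throws JWKValidationException if the reported status is anything but {@link CertStatus#VALID}
     */
    private void hasValidCRLResponse(RSAKey rSAKey, X509Certificate cert, X509Certificate signingCert) throws JWKValidationException {
        log.debug("[hasValidCRLResponse] - Signing algorithm {} ({}) in cert {} and {} ({}) in signingCert {} for jwk {}",
                cert.getSigAlgOID(), cert.getSigAlgName(), cert.getSerialNumber(),
                signingCert.getSigAlgOID(), signingCert.getSigAlgName(), signingCert.getSerialNumber(),
                rSAKey.getKeyID());
        CertStatus status = this.crlVerifier.checkCertStatus(cert, signingCert);
        if (status != CertStatus.VALID) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "JWK with id {} returned certificate status {} for CRL check of certificate {} with signing cert {}", rSAKey.getKeyID(), status, cert.getSerialNumber(), signingCert.getSerialNumber());
        }
    }

    /**
     * @param rSAKey the JWK, for error messages
     * @return an X.509 {@link CertificateFactory}
     * @throws JWKValidationException if the platform has no X.509 provider
     */
    private CertificateFactory getX509CertificateFactory(RSAKey rSAKey) throws JWKValidationException {
        try {
            return CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "X.509 CertificateFactory not supported", e, new Object[0]);
        }
    }

    /**
     * Builds a {@link CertPath} from the parsed chain, leaf first.
     *
     * @param certificateFactory factory used to build the path
     * @param rSAKey             the JWK, for error messages
     * @param chain              the parsed certificates
     * @return the certification path
     * @throws JWKValidationException if the factory rejects the list
     */
    private CertPath generateCertPath(CertificateFactory certificateFactory, RSAKey rSAKey, List<X509Certificate> chain) throws JWKValidationException {
        try {
            return certificateFactory.generateCertPath(chain);
        } catch (CertificateException e) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "Failed generating cert path from x5c", e, new Object[0]);
        }
    }

    /**
     * Builds PKIX parameters over the configured trust anchors.
     *
     * <p>Built-in revocation checking is switched off here; revocation is instead checked
     * explicitly by the OCSP and CRL steps in {@link #validate(RSAKey)}. Callers that reuse
     * this path validation without those steps get no revocation checking at all.
     *
     * @param rSAKey the JWK, for error messages
     * @return parameters with revocation disabled
     * @throws JWKValidationException if the anchor set is null, empty or malformed
     */
    private PKIXParameters buildPKIXParameters(RSAKey rSAKey) throws JWKValidationException {
        try {
            PKIXParameters parameters = new PKIXParameters(this.trustAnchors);
            parameters.setRevocationEnabled(false);
            return parameters;
        } catch (ClassCastException e) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "TrustAnchor does not contain TrustAnchors", e, new Object[0]);
        } catch (NullPointerException e2) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "TrustAnchors are null", e2, new Object[0]);
        } catch (InvalidAlgorithmParameterException e3) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "Empty trust anchors", e3, new Object[0]);
        }
    }

    /**
     * @param rSAKey the JWK, for error messages
     * @return a PKIX {@link CertPathValidator}
     * @throws JWKValidationException if the platform has no PKIX validator
     */
    private CertPathValidator getPKIXCertPathValidator(RSAKey rSAKey) throws JWKValidationException {
        try {
            return CertPathValidator.getInstance("PKIX");
        } catch (NoSuchAlgorithmException e) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "PKIX CertPathValidator not supported", e, new Object[0]);
        }
    }

    /**
     * Runs the path validator and maps its failures to {@link JWKValidationException}.
     *
     * @param certPathValidator the PKIX validator
     * @param certPath          the path to validate
     * @param parameters        PKIX parameters (trust anchors, revocation off)
     * @param rSAKey            the JWK, for error messages
     * @throws JWKValidationException if validation fails
     */
    private void validate(CertPathValidator certPathValidator, CertPath certPath, PKIXParameters parameters, RSAKey rSAKey) throws JWKValidationException {
        try {
            certPathValidator.validate(certPath, parameters);
        } catch (InvalidAlgorithmParameterException e) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "CertPathValidator does not support specified algorithm", e, new Object[0]);
        } catch (CertPathValidatorException e2) {
            evaluateCertPathValidatorException(e2, rSAKey);
        }
    }

    /**
     * Always throws: reports an expired certificate with its own message when a
     * {@link CertificateExpiredException} is found in the cause chain, otherwise a generic
     * invalid-chain error.
     *
     * @param certPathValidatorException the failure from the path validator
     * @param rSAKey                     the JWK, for error messages
     * @throws JWKValidationException always
     */
    private void evaluateCertPathValidatorException(CertPathValidatorException certPathValidatorException, RSAKey rSAKey) throws JWKValidationException {
        Throwable expired = hasCause(certPathValidatorException, CertificateExpiredException.class);
        if (expired == null) {
            throw JWKValidationException.build(rSAKey, log, this.logLevel, "JWK with id {} has invalid certificate chain", certPathValidatorException, rSAKey.getKeyID());
        }
        throw JWKValidationException.build(rSAKey, log, this.logLevel, "JWK with id {} failed because certificate expired: {}", certPathValidatorException, rSAKey.getKeyID(), expired.getMessage());
    }

    /**
     * Walks the cause chain of {@code th} looking for an instance of {@code cls}.
     *
     * @param th  the throwable to inspect; may be {@code null}
     * @param cls the type to look for (subtypes match too)
     * @return the first matching throwable, or {@code null} if none
     */
    private Throwable hasCause(Throwable th, Class<? extends Throwable> cls) {
        for (Throwable current = th; current != null; current = current.getCause()) {
            if (cls.isInstance(current)) {
                return current;
            }
        }
        return null;
    }
}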
