package com.itextpdf.signatures.validation.v1;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.bouncycastle.cert.ocsp.ISingleResp;
import com.itextpdf.signatures.CertificateUtil;
import com.itextpdf.signatures.CrlClientOnline;
import com.itextpdf.signatures.ICrlClient;
import com.itextpdf.signatures.IOcspClient;
import com.itextpdf.signatures.IssuingCertificateRetriever;
import com.itextpdf.signatures.OID;
import com.itextpdf.signatures.OcspClientBouncyCastle;
import com.itextpdf.signatures.validation.v1.SignatureValidationProperties;
import com.itextpdf.signatures.validation.v1.context.CertificateSource;
import com.itextpdf.signatures.validation.v1.context.ValidationContext;
import com.itextpdf.signatures.validation.v1.context.ValidatorContext;
import com.itextpdf.signatures.validation.v1.report.CertificateReportItem;
import com.itextpdf.signatures.validation.v1.report.ReportItem;
import com.itextpdf.signatures.validation.v1.report.ValidationReport;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

/* loaded from: input_file:com/itextpdf/signatures/validation/v1/RevocationDataValidator.class */
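/**
 * Checks the revocation status of a certificate against OCSP responses and CRLs.
 *
 * <p>Revocation data comes from the clients registered through {@link #addOcspClient} and
 * {@link #addCrlClient}. Depending on the {@code OnlineFetching} policy held in the
 * validation properties, it may also come from a default {@code OcspClientBouncyCastle} and
 * a default {@code CrlClientOnline}. All responses are tried newest first, and the first one
 * whose validation result is not {@code INDETERMINATE} decides the outcome.
 *
 * <p>NOTE(review): the default online clients presumably contact endpoints named in the
 * certificate under validation. Confirm against their implementation, and choose the
 * {@code OnlineFetching} policy accordingly when the input documents are untrusted.
 */
public class RevocationDataValidator {
    static final String REVOCATION_DATA_CHECK = "Revocation data check.";
    static final String CRL_PARSING_ERROR = "CRL is incorrectly formatted.";
    // Added so a failing CRL client leaves a trace in the report instead of vanishing.
    static final String CRL_CLIENT_FAILURE = "CRL client failed to provide revocation data.";
    // Added so a malformed OCSP response is reported the same way a malformed CRL is.
    static final String OCSP_PARSING_ERROR = "OCSP response is incorrectly formatted.";
    static final String NO_REVOCATION_DATA = "Certificate revocation status cannot be checked: no revocation data available or the status cannot be determined.";
    static final String SELF_SIGNED_CERTIFICATE = "Certificate is self-signed: it cannot be revoked.";
    static final String TRUSTED_OCSP_RESPONDER = "Authorized OCSP Responder certificate has id-pkix-ocsp-nocheck extension so it is trusted by the definition and no revocation checking is performed.";
    static final String VALIDITY_ASSURED = "Certificate is trusted due to validity assured - short term extension.";
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();
    private final List<IOcspClient> ocspClients = new ArrayList<>();
    private final List<ICrlClient> crlClients = new ArrayList<>();
    private final SignatureValidationProperties properties;
    private final IssuingCertificateRetriever certificateRetriever;
    private final OCSPValidator ocspValidator;
    private final CRLValidator crlValidator;

    /**
     * Creates a validator wired to the collaborators held by the given chain builder.
     *
     * <p>The decompiler reports that the original access modifier was package-private; the
     * constructor stays {@code public} here because that is what this listing exposes.
     *
     * @param validatorChainBuilder source of the certificate retriever, validation properties,
     *     OCSP validator and CRL validator
     */
    public RevocationDataValidator(ValidatorChainBuilder validatorChainBuilder) {
        this.certificateRetriever = validatorChainBuilder.getCertificateRetriever();
        this.properties = validatorChainBuilder.getProperties();
        this.ocspValidator = validatorChainBuilder.getOCSPValidator();
        this.crlValidator = validatorChainBuilder.getCRLValidator();
    }

    /**
     * Registers a CRL client that is queried on every {@link #validate} call.
     *
     * @param iCrlClient client to add
     * @return this validator, for chaining
     */
    public RevocationDataValidator addCrlClient(ICrlClient iCrlClient) {
        this.crlClients.add(iCrlClient);
        return this;
    }

    /**
     * Registers an OCSP client that is queried on every {@link #validate} call.
     *
     * @param iOcspClient client to add
     * @return this validator, for chaining
     */
    public RevocationDataValidator addOcspClient(IOcspClient iOcspClient) {
        this.ocspClients.add(iOcspClient);
        return this;
    }

    /**
     * Validates the revocation status of a certificate and writes the findings to the report.
     *
     * <p>Three cases end with an {@code INFO} item and no revocation lookup at all:
     * <ul>
     *   <li>the certificate is self-signed;</li>
     *   <li>it carries the validity-assured short-term extension;</li>
     *   <li>it carries id-pkix-ocsp-nocheck and the incoming context marks it as an OCSP
     *       issuer certificate.</li>
     * </ul>
     * None of these branches establishes trust in the certificate itself. They only record
     * that revocation checking was skipped, so whatever makes the certificate trusted has to be
     * decided by the rest of the validation chain.
     *
     * @param validationReport report that receives the resulting items
     * @param validationContext context of the calling validator
     * @param x509Certificate certificate whose revocation status is checked
     * @param date validation date handed to the OCSP and CRL validators
     */
    public void validate(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        ValidationContext localContext = validationContext.setValidatorContext(ValidatorContext.REVOCATION_DATA_VALIDATOR);
        if (CertificateUtil.isSelfSigned(x509Certificate)) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, REVOCATION_DATA_CHECK, SELF_SIGNED_CERTIFICATE, ReportItem.ReportItemStatus.INFO));
            return;
        }
        if (CertificateUtil.getExtensionValueByOid(x509Certificate, OID.X509Extensions.VALIDITY_ASSURED_SHORT_TERM) != null) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, REVOCATION_DATA_CHECK, VALIDITY_ASSURED, ReportItem.ReportItemStatus.INFO));
            return;
        }
        // The no-check extension is honoured only for a certificate that the incoming context
        // identifies as an OCSP issuer; on any other certificate it has no effect here.
        if (CertificateSource.OCSP_ISSUER == validationContext.getCertificateSource()
                && CertificateUtil.getExtensionValueByOid(x509Certificate, BOUNCY_CASTLE_FACTORY.createOCSPObjectIdentifiers().getIdPkixOcspNoCheck().getId()) != null) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, REVOCATION_DATA_CHECK, TRUSTED_OCSP_RESPONDER, ReportItem.ReportItemStatus.INFO));
            return;
        }
        Map<ISingleResp, IBasicOCSPResp> ocspResponses = retrieveAllOCSPResponses(validationReport, localContext, x509Certificate);
        // Newest thisUpdate first, so the freshest status information is evaluated first.
        List<ISingleResp> singleResponses = ocspResponses.keySet().stream()
                .sorted((left, right) -> right.getThisUpdate().compareTo(left.getThisUpdate()))
                .collect(Collectors.toList());
        List<X509CRL> crls = retrieveAllCRLResponses(validationReport, localContext, x509Certificate);
        validateRevocationData(validationReport, localContext, x509Certificate, date, singleResponses, ocspResponses, crls);
    }

    /**
     * Walks the OCSP responses and CRLs in one merged, newest-first pass.
     *
     * <p>Both lists must already be sorted newest first. At each step the entry with the later
     * {@code thisUpdate} is validated, and on a tie the CRL goes first. The first result that is
     * not {@code INDETERMINATE} is copied to the report unchanged and ends the walk. The items
     * of an indeterminate attempt are kept, but downgraded to {@code INFO}. If every source is
     * exhausted without a conclusive result, a single {@code INDETERMINATE} item is recorded.
     */
    private void validateRevocationData(ValidationReport validationReport, ValidationContext validationContext, X509Certificate certificate, Date date, List<ISingleResp> singleResponses, Map<ISingleResp, IBasicOCSPResp> ocspResponses, List<X509CRL> crls) {
        int ocspIndex = 0;
        int crlIndex = 0;
        while (ocspIndex < singleResponses.size() || crlIndex < crls.size()) {
            ValidationReport attempt = new ValidationReport();
            boolean useCrl = ocspIndex >= singleResponses.size()
                    || (crlIndex < crls.size()
                            && !singleResponses.get(ocspIndex).getThisUpdate().after(crls.get(crlIndex).getThisUpdate()));
            if (useCrl) {
                this.crlValidator.validate(attempt, validationContext, certificate, crls.get(crlIndex), date);
                crlIndex++;
            } else {
                ISingleResp single = singleResponses.get(ocspIndex);
                this.ocspValidator.validate(attempt, validationContext, certificate, single, ocspResponses.get(single), date);
                ocspIndex++;
            }
            if (ValidationReport.ValidationResult.INDETERMINATE != attempt.getValidationResult()) {
                for (ReportItem item : attempt.getLogs()) {
                    validationReport.addReportItem(item);
                }
                return;
            }
            // Inconclusive attempt: keep its items for diagnosis, but at INFO level, so they
            // cannot by themselves decide the overall result.
            for (ReportItem item : attempt.getLogs()) {
                validationReport.addReportItem(item.setStatus(ReportItem.ReportItemStatus.INFO));
            }
        }
        validationReport.addReportItem(new CertificateReportItem(certificate, REVOCATION_DATA_CHECK, NO_REVOCATION_DATA, ReportItem.ReportItemStatus.INDETERMINATE));
    }

    /**
     * Collects the OCSP single responses for a certificate, each mapped to the basic response
     * that contains it.
     *
     * <p>An encoded response that cannot be parsed is now recorded as an {@code INFO} item.
     * Previously it was dropped silently, which left a later {@code INDETERMINATE} result
     * without any explanation in the report.
     */
    private Map<ISingleResp, IBasicOCSPResp> retrieveAllOCSPResponses(ValidationReport validationReport, ValidationContext validationContext, X509Certificate certificate) {
        Map<ISingleResp, IBasicOCSPResp> responses = new HashMap<>();
        for (IOcspClient client : this.ocspClients) {
            byte[] encoded = client.getEncoded(certificate, (X509Certificate) this.certificateRetriever.retrieveIssuerCertificate(certificate), null);
            if (encoded == null) {
                continue;
            }
            try {
                fillOcspResponsesMap(responses, BOUNCY_CASTLE_FACTORY.createBasicOCSPResp(BOUNCY_CASTLE_FACTORY.createBasicOCSPResponse(BOUNCY_CASTLE_FACTORY.createASN1Primitive(encoded))));
            } catch (IOException e) {
                // The report item constructor used in this class takes no cause, so only the
                // fact of the failure is recorded; the remaining clients are still consulted.
                validationReport.addReportItem(new CertificateReportItem(certificate, REVOCATION_DATA_CHECK, OCSP_PARSING_ERROR, ReportItem.ReportItemStatus.INFO));
            }
        }
        SignatureValidationProperties.OnlineFetching policy = this.properties.getRevocationOnlineFetching(validationContext.setValidatorContext(ValidatorContext.OCSP_VALIDATOR));
        if (shouldFetchOnline(policy, responses.isEmpty())) {
            fillOcspResponsesMap(responses, new OcspClientBouncyCastle(null).getBasicOCSPResp(certificate, (X509Certificate) this.certificateRetriever.retrieveIssuerCertificate(certificate), null));
        }
        return responses;
    }

    /** Maps every single response of a basic OCSP response to it; a null response is ignored. */
    private void fillOcspResponsesMap(Map<ISingleResp, IBasicOCSPResp> responses, IBasicOCSPResp basicResponse) {
        if (basicResponse == null) {
            return;
        }
        for (ISingleResp single : basicResponse.getResponses()) {
            responses.put(single, basicResponse);
        }
    }

    /**
     * Collects the CRLs from every registered client, and from a default {@code CrlClientOnline}
     * when the fetching policy asks for it, sorted by {@code thisUpdate} newest first.
     */
    private List<X509CRL> retrieveAllCRLResponses(ValidationReport validationReport, ValidationContext validationContext, X509Certificate certificate) {
        List<X509CRL> crls = new ArrayList<>();
        for (ICrlClient client : this.crlClients) {
            crls.addAll(retrieveAllCRLResponsesUsingClient(validationReport, certificate, client));
        }
        SignatureValidationProperties.OnlineFetching policy = this.properties.getRevocationOnlineFetching(validationContext.setValidatorContext(ValidatorContext.CRL_VALIDATOR));
        if (shouldFetchOnline(policy, crls.isEmpty())) {
            crls.addAll(retrieveAllCRLResponsesUsingClient(validationReport, certificate, new CrlClientOnline()));
        }
        return crls.stream()
                .sorted((left, right) -> right.getThisUpdate().compareTo(left.getThisUpdate()))
                .collect(Collectors.toList());
    }

    /**
     * Asks one CRL client for the CRLs of a certificate and parses them.
     *
     * <p>A CRL that fails to parse is reported as {@code INFO} and skipped. A client that
     * throws {@link GeneralSecurityException} is now reported too, where it used to be ignored
     * silently. A client that returns {@code null} is treated as having no data.
     */
    private List<X509CRL> retrieveAllCRLResponsesUsingClient(ValidationReport validationReport, X509Certificate certificate, ICrlClient client) {
        List<X509CRL> parsed = new ArrayList<>();
        try {
            // ICrlClient is pluggable, so guard against an implementation that returns null.
            Iterable<byte[]> encodedCrls = client.getEncoded(certificate, null);
            if (encodedCrls == null) {
                return parsed;
            }
            for (byte[] encodedCrl : encodedCrls) {
                try {
                    parsed.add((X509CRL) CertificateUtil.parseCrlFromStream(new ByteArrayInputStream(encodedCrl)));
                } catch (Exception e) {
                    // Deliberately broad: the bytes come from an external source, and any parse
                    // failure must skip that CRL rather than abort the whole validation.
                    validationReport.addReportItem(new CertificateReportItem(certificate, REVOCATION_DATA_CHECK, CRL_PARSING_ERROR, ReportItem.ReportItemStatus.INFO));
                }
            }
        } catch (GeneralSecurityException e) {
            validationReport.addReportItem(new CertificateReportItem(certificate, REVOCATION_DATA_CHECK, CRL_CLIENT_FAILURE, ReportItem.ReportItemStatus.INFO));
        }
        return parsed;
    }

    /**
     * Decides whether the default online client is consulted: always for {@code ALWAYS_FETCH},
     * and for {@code FETCH_IF_NO_OTHER_DATA_AVAILABLE} only when the registered clients
     * produced nothing.
     */
    private static boolean shouldFetchOnline(SignatureValidationProperties.OnlineFetching policy, boolean noDataYet) {
        return SignatureValidationProperties.OnlineFetching.ALWAYS_FETCH == policy
                || (SignatureValidationProperties.OnlineFetching.FETCH_IF_NO_OTHER_DATA_AVAILABLE == policy && noDataYet);
    }
}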
