package de.mtg.jzlint.lints.cabf_br;

import de.mtg.jzlint.EffectiveDate;
import de.mtg.jzlint.JavaLint;
import de.mtg.jzlint.Lint;
import de.mtg.jzlint.LintResult;
import de.mtg.jzlint.Source;
import de.mtg.jzlint.Status;
import de.mtg.jzlint.utils.Utils;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;

@Lint(name = "e_sub_cert_aia_does_not_contain_ocsp_url", description = "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.", citation = "BRs: 7.1.2.3", source = Source.CABF_BASELINE_REQUIREMENTS, effectiveDate = EffectiveDate.CABEffectiveDate)
/* loaded from: input_file:BOOT-INF/lib/jzlint-1.1.0.jar:de/mtg/jzlint/lints/cabf_br/SubCertAiaDoesNotContainOcspUrl.class */
public class SubCertAiaDoesNotContainOcspUrl implements JavaLint {
    @Override // de.mtg.jzlint.JavaLint
    public LintResult execute(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (extensionValue == null) {
            return LintResult.of(Status.ERROR);
        }
        for (AccessDescription accessDescription : AuthorityInformationAccess.getInstance(ASN1OctetString.getInstance(extensionValue).getOctets()).getAccessDescriptions()) {
            if (AccessDescription.id_ad_ocsp.equals((ASN1Primitive) accessDescription.getAccessMethod()) && startsWithCorrectPrefix(accessDescription.getAccessLocation())) {
                return LintResult.of(Status.PASS);
            }
        }
        return LintResult.of(Status.ERROR);
    }

    @Override // de.mtg.jzlint.JavaLint
    public boolean checkApplies(X509Certificate x509Certificate) {
        return Utils.isSubscriberCert(x509Certificate);
    }

    private boolean startsWithCorrectPrefix(GeneralName generalName) {
        boolean z = false;
        if (generalName.getTagNo() == 6 && ((ASN1IA5String) generalName.getName()).getString().startsWith("http://")) {
            z = true;
        }
        return z;
    }
}
