package de.mtg.jzlint.lints.rfc;

import de.mtg.jzlint.EffectiveDate;
import de.mtg.jzlint.JavaLint;
import de.mtg.jzlint.Lint;
import de.mtg.jzlint.LintResult;
import de.mtg.jzlint.Source;
import de.mtg.jzlint.Status;
import de.mtg.jzlint.utils.Utils;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;

@Lint(name = "n_ecdsa_ee_invalid_ku", description = "ECDSA end-entity certificates MAY have key usages: digitalSignature, nonRepudiation and keyAgreement", citation = "RFC 5480 Section 3", source = Source.RFC5480, effectiveDate = EffectiveDate.CABEffectiveDate)
/* loaded from: input_file:BOOT-INF/lib/jzlint-1.1.0.jar:de/mtg/jzlint/lints/rfc/EcdsaEeInvalidKu.class */
public class EcdsaEeInvalidKu implements JavaLint {
    @Override // de.mtg.jzlint.JavaLint
    public LintResult execute(X509Certificate x509Certificate) {
        KeyUsage keyUsage = KeyUsage.getInstance(ASN1OctetString.getInstance(x509Certificate.getExtensionValue(Extension.keyUsage.getId())).getOctets());
        return (keyUsage.hasUsages(2) || keyUsage.hasUsages(16) || keyUsage.hasUsages(32768) || keyUsage.hasUsages(1) || keyUsage.hasUsages(4) || keyUsage.hasUsages(32)) ? LintResult.of(Status.NOTICE) : LintResult.of(Status.PASS);
    }

    @Override // de.mtg.jzlint.JavaLint
    public boolean checkApplies(X509Certificate x509Certificate) {
        return Utils.isSubscriberCert(x509Certificate) && Utils.hasKeyUsageExtension(x509Certificate) && Utils.isPublicKeyECC(x509Certificate);
    }
}
