package de.mtg.jlintissuer.lints.rfc;

import de.mtg.jlintissuer.JavaCRLIssuerLint;
import de.mtg.jzlint.EffectiveDate;
import de.mtg.jzlint.Lint;
import de.mtg.jzlint.LintResult;
import de.mtg.jzlint.Source;
import de.mtg.jzlint.Status;
import de.mtg.jzlint.utils.CRLUtils;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Optional;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.util.encoders.Hex;

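/**
 * CRL issuer lint: the keyIdentifier carried in the CRL's Authority Key Identifier (AKI)
 * extension must match a key identifier derived from the public key of the certificate
 * passed alongside the CRL (presumably the CRL issuer's certificate).
 *
 * <p>Two derivations are accepted, mirroring the two methods listed in RFC 5280
 * Sec. 4.2.1.2: the full hash of the subjectPublicKey and the truncated form. Both are
 * produced by the default {@code JcaX509ExtensionUtils}, which is SHA-1 based; that is
 * where the {@link NoSuchAlgorithmException} comes from.
 *
 * <p>Caveats for anyone acting on an ERROR from this lint:
 * <ul>
 *   <li>RFC 5280 explicitly permits key identifiers generated by other unique-value
 *       methods. An issuer whose SKI was produced another way will make every correct
 *       CRL it issues fail this lint, even though the CRL's AKI equals the issuer's SKI.
 *       This lint compares against the derived values only, not against the issuer
 *       certificate's SKI extension, as its description states.</li>
 *   <li>A matching key identifier is a consistency check, not authentication. It does
 *       not prove that this issuer signed the CRL; the CRL signature must be verified
 *       separately against the issuer's public key.</li>
 * </ul>
 */
@Lint(name = "e_crl_issuer_lint_key_identifier_mismatch", description = "Check if the key identifier in the AKI extension of the CRL matches the key identifier calculated from the public key of the issuer.", citation = "Sec. 5.2.1 RFC 5280", source = Source.RFC5280, effectiveDate = EffectiveDate.ZERO)
public class CRLIssuerLintKeyIdentifierMismatch implements JavaCRLIssuerLint {

    /**
     * Compares the CRL's AKI keyIdentifier with the full and truncated key identifiers
     * derived from the issuer certificate's public key.
     *
     * @param x509crl         the CRL under test; must carry an AKI with a keyIdentifier
     *                        (see {@link #checkApplies})
     * @param x509Certificate the certificate whose public key is taken as the issuer key
     * @return PASS when either derivation matches, otherwise ERROR with all three
     *         identifiers rendered as lowercase hex
     * @throws IllegalStateException if the CRL carries no AKI keyIdentifier (caller
     *                               skipped {@link #checkApplies}) or the digest used
     *                               for derivation is unavailable in this JVM
     */
    @Override
    public LintResult execute(X509CRL x509crl, X509Certificate x509Certificate) {
        // checkApplies() guarantees presence; if a caller bypasses that guard, fail with
        // a message instead of a bare NoSuchElementException from Optional.get().
        byte[] crlKeyId = getAKIKeyIdentifier(x509crl)
                .orElseThrow(() -> new IllegalStateException(
                        "CRL carries no AKI keyIdentifier; consult checkApplies() first"));

        PublicKey issuerKey = x509Certificate.getPublicKey();
        try {
            JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
            byte[] fullKeyId = utils.createSubjectKeyIdentifier(issuerKey).getKeyIdentifier();
            byte[] truncatedKeyId = utils.createTruncatedSubjectKeyIdentifier(issuerKey).getKeyIdentifier();

            // Key identifiers are public values, so a plain (non-constant-time) compare is fine.
            if (Arrays.equals(crlKeyId, fullKeyId) || Arrays.equals(crlKeyId, truncatedKeyId)) {
                return LintResult.of(Status.PASS);
            }

            // The value under test is the CRL's AKI, not a certificate's; the message says so.
            // Hex.toHexString avoids the platform-default charset of new String(byte[]).
            return LintResult.of(Status.ERROR, String.format(
                    "CRL has AKI key identifier %s while issuer's public key has %s or %s in truncated form.",
                    Hex.toHexString(crlKeyId), Hex.toHexString(fullKeyId), Hex.toHexString(truncatedKeyId)));
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause: a missing digest provider is a deployment problem, not a lint finding.
            throw new IllegalStateException("Digest for key identifier derivation is unavailable", e);
        }
    }

    /**
     * The lint applies only when the CRL has an AKI extension that carries a keyIdentifier.
     * An AKI holding only authorityCertIssuer/authorityCertSerialNumber does not qualify.
     */
    @Override
    public boolean checkApplies(X509CRL x509crl, X509Certificate x509Certificate) {
        return getAKIKeyIdentifier(x509crl).isPresent();
    }

    /**
     * Extracts the keyIdentifier from the CRL's AKI extension.
     *
     * @return the raw keyIdentifier octets, or empty when the extension is absent or
     *         has no keyIdentifier field
     */
    private static Optional<byte[]> getAKIKeyIdentifier(X509CRL x509crl) {
        String akiOid = Extension.authorityKeyIdentifier.getId();
        if (!CRLUtils.hasExtension(x509crl, akiOid)) {
            return Optional.empty();
        }
        // getExtensionValue() returns the DER-encoded OCTET STRING wrapping extnValue;
        // unwrap it before parsing the AuthorityKeyIdentifier structure.
        byte[] extnValue = ASN1OctetString.getInstance(x509crl.getExtensionValue(akiOid)).getOctets();
        return Optional.ofNullable(AuthorityKeyIdentifier.getInstance(extnValue).getKeyIdentifier());
    }
}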
