package de.mtg.jzlint.lints.apple;

import de.mtg.jzlint.EffectiveDate;
import de.mtg.jzlint.JavaLint;
import de.mtg.jzlint.Lint;
import de.mtg.jzlint.LintResult;
import de.mtg.jzlint.Source;
import de.mtg.jzlint.Status;
import de.mtg.jzlint.utils.DateUtils;
import de.mtg.jzlint.utils.Utils;
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.util.encoders.Hex;

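/**
 * Lint that compares the number of embedded Signed Certificate Timestamps (SCTs) in a
 * certificate with the number required for the certificate's validity period.
 *
 * <p>Scope of the check: SCTs are counted by distinct log ID only. The code does not verify
 * SCT signatures and does not check whether a log is qualified, so {@link Status#PASS} means
 * "enough distinct log IDs are present", not "the SCTs are valid".
 *
 * <p>The SCT list is taken from the certificate under inspection and is therefore untrusted
 * input; the parser stops at the first truncated or undersized entry instead of reading past
 * the end of the buffer.
 */
@Lint(name = "w_ct_sct_policy_count_unsatisfied", description = "Check if certificate has enough embedded SCTs to meet Apple CT Policy", citation = "https://support.apple.com/en-us/HT205280", source = Source.APPLE_ROOT_STORE_POLICY, effectiveDate = EffectiveDate.AppleCTPolicyDate)
/* loaded from: input_file:BOOT-INF/lib/jzlint-1.1.0.jar:de/mtg/jzlint/lints/apple/CtSctPolicyCountUnsatisfied.class */
public class CtSctPolicyCountUnsatisfied implements JavaLint {
    private static final String POISON_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.3";
    private static final String SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2";

    /** Size in bytes of the big-endian length prefix on the list and on each entry. */
    private static final int LENGTH_PREFIX_SIZE = 2;
    /** Offset of the log ID inside an entry: 2-byte length prefix plus one further byte. */
    private static final int LOG_ID_OFFSET = 3;
    /** Number of bytes read as the log ID of an entry. */
    private static final int LOG_ID_LENGTH = 32;

    /**
     * Runs the lint on a certificate.
     *
     * @param x509Certificate the certificate to inspect
     * @return {@link Status#NOTICE} when the SCT extension is absent or holds fewer distinct
     *     log IDs than required, otherwise {@link Status#PASS}
     */
    @Override // de.mtg.jzlint.JavaLint
    public LintResult execute(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(SCT_EXTENSION_OID);
        if (extensionValue == null) {
            return LintResult.of(Status.NOTICE);
        }
        int required = numberOfRequiredSCTs(x509Certificate);
        int present = numberOfDistinctSCTs(extensionValue);
        return LintResult.of(present >= required ? Status.PASS : Status.NOTICE);
    }

    /**
     * Decides whether the lint applies: subscriber certificates that do not carry the
     * extension identified by {@code POISON_EXTENSION_OID}.
     *
     * @param x509Certificate the certificate to inspect
     * @return {@code true} when the lint should be executed for this certificate
     */
    @Override // de.mtg.jzlint.JavaLint
    public boolean checkApplies(X509Certificate x509Certificate) {
        return Utils.isSubscriberCert(x509Certificate) && !Utils.hasExtension(x509Certificate, POISON_EXTENSION_OID);
    }

    /**
     * Counts the distinct log IDs in the SCT list carried by the extension.
     *
     * <p>Layout read here: a 2-byte list length, then entries made of a 2-byte entry length,
     * one byte that is skipped, and a 32-byte log ID followed by the rest of the entry.
     *
     * @param bArr the value returned by {@code getExtensionValue}, i.e. an OCTET STRING that
     *     wraps the extension's own OCTET STRING
     * @return the number of distinct log IDs found before the list ends or becomes malformed
     */
    private static int numberOfDistinctSCTs(byte[] bArr) {
        // NOTE(review): getInstance is assumed to throw an unchecked exception when the inner
        // value is not a valid OCTET STRING; confirm how the lint runner handles that.
        byte[] octets = ASN1OctetString.getInstance(ASN1OctetString.getInstance(bArr).getOctets()).getOctets();
        if (octets.length < LENGTH_PREFIX_SIZE) {
            // Too short to hold the list length; previously this produced a negative array size.
            return 0;
        }
        // Never trust the declared list length beyond the bytes that are actually present.
        int limit = Math.min(readUint16(octets, 0), octets.length - LENGTH_PREFIX_SIZE);
        Set<String> logIds = new HashSet<>();
        int offset = 0;
        while (offset + LOG_ID_OFFSET + LOG_ID_LENGTH <= limit) {
            int entryLength = readUint16(octets, LENGTH_PREFIX_SIZE + offset);
            int entryEnd = offset + LENGTH_PREFIX_SIZE + entryLength;
            boolean holdsLogId = entryLength >= LOG_ID_OFFSET - LENGTH_PREFIX_SIZE + LOG_ID_LENGTH;
            if (!holdsLogId || entryEnd > limit) {
                // Undersized or truncated entry: stop instead of reading into neighbouring data.
                break;
            }
            byte[] logId = new byte[LOG_ID_LENGTH];
            System.arraycopy(octets, LENGTH_PREFIX_SIZE + offset + LOG_ID_OFFSET, logId, 0, LOG_ID_LENGTH);
            logIds.add(Hex.toHexString(logId));
            offset = entryEnd;
        }
        return logIds.size();
    }

    /**
     * Reads an unsigned 16-bit big-endian integer.
     *
     * @param data the buffer to read from; the caller guarantees two readable bytes at {@code at}
     * @param at index of the most significant byte
     * @return the value in the range 0..65535
     */
    private static int readUint16(byte[] data, int at) {
        return ((data[at] & 0xFF) << 8) | (data[at + 1] & 0xFF);
    }

    /**
     * Maps the certificate's validity period to the required number of SCTs.
     *
     * @param x509Certificate the certificate whose validity is measured
     * @return 2 below 15 months, 3 for 15 to 27 months, 4 for 28 to 39 months, otherwise 5
     */
    private static int numberOfRequiredSCTs(X509Certificate x509Certificate) {
        int validityInMonths = DateUtils.getValidityInMonths(x509Certificate);
        if (validityInMonths < 15) {
            return 2;
        }
        if (validityInMonths <= 27) {
            return 3;
        }
        if (validityInMonths <= 39) {
            return 4;
        }
        return 5;
    }
}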
