package de.rub.nds.tlsscanner.serverscanner.probe;

import de.rub.nds.asn1.model.Asn1EncapsulatingOctetString;
import de.rub.nds.asn1.model.Asn1Field;
import de.rub.nds.asn1.model.Asn1PrimitiveOctetString;
import de.rub.nds.asn1.model.Asn1Sequence;
import de.rub.nds.tlsattacker.core.certificate.ocsp.CertificateInformationExtractor;
import de.rub.nds.tlsattacker.core.certificate.ocsp.OCSPResponse;
import de.rub.nds.tlsattacker.core.certificate.transparency.SignedCertificateTimestamp;
import de.rub.nds.tlsattacker.core.certificate.transparency.SignedCertificateTimestampList;
import de.rub.nds.tlsattacker.core.certificate.transparency.SignedCertificateTimestampListParser;
import de.rub.nds.tlsattacker.core.certificate.transparency.logs.CtLog;
import de.rub.nds.tlsattacker.core.certificate.transparency.logs.CtLogList;
import de.rub.nds.tlsattacker.core.certificate.transparency.logs.CtLogListLoader;
import de.rub.nds.tlsattacker.core.config.Config;
import de.rub.nds.tlsattacker.core.constants.CipherSuite;
import de.rub.nds.tlsattacker.core.constants.ExtensionType;
import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage;
import de.rub.nds.tlsattacker.core.protocol.message.extension.SignedCertificateTimestampExtensionMessage;
import de.rub.nds.tlsattacker.core.state.State;
import de.rub.nds.tlsattacker.core.workflow.ParallelExecutor;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
import de.rub.nds.tlsscanner.serverscanner.config.ScannerConfig;
import de.rub.nds.tlsscanner.serverscanner.constants.ProbeType;
import de.rub.nds.tlsscanner.serverscanner.report.SiteReport;
import de.rub.nds.tlsscanner.serverscanner.report.result.CertificateTransparencyResult;
import de.rub.nds.tlsscanner.serverscanner.report.result.ProbeResult;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.bouncycastle.crypto.tls.Certificate;

/* loaded from: input_file:de/rub/nds/tlsscanner/serverscanner/probe/CertificateTransparencyProbe.class */
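/**
 * Probe that determines how a server delivers Signed Certificate Timestamps (SCTs) and
 * whether the delivered SCTs satisfy the Chrome Certificate Transparency policy.
 *
 * <p>Three delivery channels are modelled: SCTs embedded in the leaf certificate (the
 * "precertificate" extension), SCTs sent in the {@code signed_certificate_timestamp} TLS
 * extension of the ServerHello, and SCTs carried in a stapled OCSP response. Only the first
 * two are actually collected by this class (see {@link #stapledOcspResponse}).
 *
 * <p>Not thread-safe: all results are accumulated in instance fields during
 * {@link #executeTest()}.
 */
public class CertificateTransparencyProbe extends TlsProbe {

    /*
     * Certificate-lifetime thresholds (in days) at which the Chrome CT policy requires one
     * more embedded SCT: lifetime < 450 days -> 2 SCTs, < 810 -> 3, < 1170 -> 4, else 5.
     * These are the values the original implementation used; they approximate the 15/27/39
     * month boundaries of the published policy.
     */
    private static final long LIFETIME_DAYS_TIER_1 = 450L;
    private static final long LIFETIME_DAYS_TIER_2 = 810L;
    private static final long LIFETIME_DAYS_TIER_3 = 1170L;

    // Operator name under which Google-run logs appear in the loaded CT log list.
    private static final String GOOGLE_LOG_OPERATOR = "Google";

    // Leaf-first chain as fetched by the certificate probe; set in adjustConfig().
    private Certificate serverCertChain;
    // NOTE(review): never assigned in this class, and supportsOcspSCTs / ocspSctList are never
    // populated either, so OCSP-delivered SCTs are always reported as absent — confirm whether
    // the OCSP branch was dropped or is still to be implemented.
    private OCSPResponse stapledOcspResponse;
    private boolean supportsPrecertificateSCTs;
    private boolean supportsHandshakeSCTs;
    private boolean supportsOcspSCTs;
    private boolean meetsChromeCTPolicy;
    private SignedCertificateTimestampList precertificateSctList;
    private SignedCertificateTimestampList handshakeSctList;
    private SignedCertificateTimestampList ocspSctList;

    /**
     * Creates the probe.
     *
     * @param scannerConfig scanner configuration used to derive the TLS-Attacker {@link Config}
     * @param parallelExecutor executor used to run the handshake workflow
     */
    public CertificateTransparencyProbe(ScannerConfig scannerConfig, ParallelExecutor parallelExecutor) {
        super(parallelExecutor, ProbeType.CERTIFICATE_TRANSPARENCY, scannerConfig);
        this.meetsChromeCTPolicy = false;
    }

    /**
     * Collects SCTs from the leaf certificate and from a TLS 1.2 handshake, then evaluates
     * the Chrome CT policy over them.
     *
     * @return a {@link CertificateTransparencyResult}, or the could-not-execute result when
     *     no certificate chain is available
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public ProbeResult executeTest() {
        // Check the precondition before building a config we would not use.
        if (this.serverCertChain == null) {
            LOGGER.warn("Couldn't fetch certificate chain from server!");
            return getCouldNotExecuteResult();
        }
        Config tlsConfig = initTlsConfig();
        getPrecertificateSCTs();
        getTlsHandshakeSCTs(tlsConfig);
        evaluateChromeCtPolicy();
        return new CertificateTransparencyResult(this.supportsPrecertificateSCTs, this.supportsHandshakeSCTs,
            this.supportsOcspSCTs, this.meetsChromeCTPolicy, this.precertificateSctList, this.handshakeSctList,
            this.ocspSctList);
    }

    /**
     * Builds the TLS-Attacker config for the SCT handshake: every cipher suite except the two
     * signalling SCSVs, TLS 1.2 as the highest version, a short hello workflow and the
     * {@code signed_certificate_timestamp} extension enabled.
     *
     * @return the prepared config
     */
    private Config initTlsConfig() {
        Config tlsConfig = getScannerConfig().createConfig();
        // The SCSVs are signalling values, not negotiable suites; offering them is pointless here.
        List<CipherSuite> offeredSuites = new ArrayList<>(Arrays.asList(CipherSuite.values()));
        offeredSuites.remove(CipherSuite.TLS_FALLBACK_SCSV);
        offeredSuites.remove(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
        tlsConfig.setQuickReceive(true);
        tlsConfig.setDefaultClientSupportedCipherSuites(offeredSuites);
        // Capped at TLS 1.2, presumably because the ServerHello SCT extension parsed below does
        // not exist in TLS 1.3 (SCTs move into the Certificate message there) — confirm.
        tlsConfig.setHighestProtocolVersion(ProtocolVersion.TLS12);
        tlsConfig.setEnforceSettings(false);
        tlsConfig.setEarlyStop(true);
        tlsConfig.setStopReceivingAfterFatal(true);
        tlsConfig.setStopActionsAfterFatal(true);
        tlsConfig.setWorkflowTraceType(WorkflowTraceType.SHORT_HELLO);
        tlsConfig.setAddSignedCertificateTimestampExtension(true);
        return tlsConfig;
    }

    /**
     * Extracts the SCT list embedded in the leaf certificate (the precertificate SCT
     * extension), if present.
     *
     * <p>{@code supportsPrecertificateSCTs} reflects the presence of the extension;
     * {@code precertificateSctList} stays {@code null} when the payload cannot be parsed, which
     * {@link #evaluateChromeCtPolicy()} treats as "no usable SCTs".
     */
    private void getPrecertificateSCTs() {
        this.supportsPrecertificateSCTs = false;
        this.precertificateSctList = null;
        try {
            Asn1Sequence sctExtension =
                new CertificateInformationExtractor(this.serverCertChain.getCertificateAt(0)).getPrecertificateSCTs();
            if (sctExtension == null) {
                return;
            }
            this.supportsPrecertificateSCTs = true;
            // Child 1 is taken to be extnValue (child 0 = extnID); the OCTET STRING inside it
            // holds the serialized SignedCertificateTimestampList. A critical flag between the
            // two would shift this index — TODO confirm against the extractor's output.
            Asn1Field extnValue = (Asn1Field) ((Asn1EncapsulatingOctetString) sctExtension.getChildren().get(1))
                .getChildren().get(0);
            byte[] sctListBytes = octetStringBytes(extnValue);
            if (sctListBytes == null) {
                LOGGER.warn("Unexpected ASN.1 structure of the Signed Certificate Timestamp Extension in certificate.");
                return;
            }
            this.precertificateSctList =
                new SignedCertificateTimestampListParser(0, sctListBytes, this.serverCertChain, true).parse();
        } catch (Exception e) {
            LOGGER.warn("Couldn't determine Signed Certificate Timestamp Extension in certificate.", e);
        }
    }

    /**
     * Returns the raw bytes of an ASN.1 OCTET STRING field in either of the two representations
     * the ASN.1 model uses, or {@code null} when the field is neither.
     *
     * @param field the field expected to be an OCTET STRING
     * @return the octet string content, or {@code null}
     */
    private static byte[] octetStringBytes(Asn1Field field) {
        if (field instanceof Asn1PrimitiveOctetString) {
            return ((Asn1PrimitiveOctetString) field).getValue();
        }
        if (field instanceof Asn1EncapsulatingOctetString) {
            return ((Asn1EncapsulatingOctetString) field).getContent().getOriginalValue();
        }
        return null;
    }

    /**
     * Runs the handshake and, when the server negotiated the
     * {@code signed_certificate_timestamp} extension and sent it in its ServerHello, parses
     * the contained SCT list.
     *
     * <p>{@code supportsHandshakeSCTs} is only set once the list parsed successfully, so the
     * flag and {@code handshakeSctList} are always consistent.
     *
     * @param config the config prepared by {@link #initTlsConfig()}
     */
    private void getTlsHandshakeSCTs(Config config) {
        this.supportsHandshakeSCTs = false;
        State state = new State(config);
        executeState(state);
        try {
            if (!state.getTlsContext().getNegotiatedExtensionSet().contains(ExtensionType.SIGNED_CERTIFICATE_TIMESTAMP)) {
                return;
            }
            if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.SERVER_HELLO, state.getWorkflowTrace())) {
                return;
            }
            ServerHelloMessage serverHello =
                WorkflowTraceUtil.getFirstReceivedMessage(HandshakeMessageType.SERVER_HELLO, state.getWorkflowTrace());
            if (serverHello == null || !serverHello.containsExtension(ExtensionType.SIGNED_CERTIFICATE_TIMESTAMP)) {
                return;
            }
            byte[] sctListBytes = serverHello.getExtension(SignedCertificateTimestampExtensionMessage.class)
                .getSignedTimestamp().getOriginalValue();
            this.handshakeSctList =
                new SignedCertificateTimestampListParser(0, sctListBytes, this.serverCertChain, false).parse();
            this.supportsHandshakeSCTs = true;
        } catch (Exception e) {
            // Keep the cause: a null extension set or a malformed list both land here.
            LOGGER.warn("Couldn't parse Signed Certificate Timestamp List from signed_certificate_timestamp extension data.", e);
        }
    }

    /**
     * Evaluates the Chrome CT policy and stores the verdict in {@code meetsChromeCTPolicy}.
     *
     * <p>With embedded SCTs the required count depends on the certificate lifetime (see
     * {@link #requiredEmbeddedScts(Duration)}) and the set must contain SCTs from both a Google
     * and a non-Google log. Without embedded SCTs the SCTs delivered via TLS extension and OCSP
     * are pooled and only the Google/non-Google diversity requirement is checked (which implies
     * at least two SCTs).
     *
     * <p>Whether the SCT signatures themselves were verified is not decided here; that is
     * up to {@link SignedCertificateTimestampListParser}, to which the chain is passed.
     */
    private void evaluateChromeCtPolicy() {
        if (!this.supportsPrecertificateSCTs) {
            List<SignedCertificateTimestamp> deliveredScts = new ArrayList<>();
            if (this.supportsHandshakeSCTs) {
                deliveredScts.addAll(timestampsOf(this.handshakeSctList));
            }
            if (this.supportsOcspSCTs) {
                deliveredScts.addAll(timestampsOf(this.ocspSctList));
            }
            this.meetsChromeCTPolicy = hasGoogleAndNonGoogleScts(deliveredScts);
            return;
        }
        // The extension may be present but unparseable; an empty list then fails the policy
        // instead of dereferencing null.
        List<SignedCertificateTimestamp> embeddedScts = timestampsOf(this.precertificateSctList);
        Duration lifetime = Duration.between(
            this.serverCertChain.getCertificateAt(0).getStartDate().getDate().toInstant(),
            this.serverCertChain.getCertificateAt(0).getEndDate().getDate().toInstant());
        boolean enoughScts = embeddedScts.size() >= requiredEmbeddedScts(lifetime);
        this.meetsChromeCTPolicy = enoughScts && hasGoogleAndNonGoogleScts(embeddedScts);
    }

    /**
     * Number of embedded SCTs the Chrome CT policy requires for a certificate of the given
     * lifetime.
     *
     * @param lifetime notBefore-to-notAfter span of the leaf certificate
     * @return 2, 3, 4 or 5
     */
    private static int requiredEmbeddedScts(Duration lifetime) {
        if (lifetime.minusDays(LIFETIME_DAYS_TIER_1).isNegative()) {
            return 2;
        }
        if (lifetime.minusDays(LIFETIME_DAYS_TIER_2).isNegative()) {
            return 3;
        }
        if (lifetime.minusDays(LIFETIME_DAYS_TIER_3).isNegative()) {
            return 4;
        }
        return 5;
    }

    /**
     * Null-safe view of the SCTs in a parsed list.
     *
     * @param list a parsed SCT list, possibly {@code null}
     * @return the contained timestamps, or an empty list
     */
    private static List<SignedCertificateTimestamp> timestampsOf(SignedCertificateTimestampList list) {
        if (list == null || list.getCertificateTimestampList() == null) {
            return new ArrayList<>();
        }
        return list.getCertificateTimestampList();
    }

    /**
     * Checks the log-diversity requirement of the Chrome CT policy.
     *
     * <p>SCTs whose log id is not in the loaded CT log list are ignored, so an SCT from an
     * unknown (or untrusted) log never counts towards the policy.
     *
     * @param scts the SCTs to inspect
     * @return {@code true} if at least one SCT comes from a Google-operated log and at least one
     *     from a log of another operator
     */
    private boolean hasGoogleAndNonGoogleScts(List<SignedCertificateTimestamp> scts) {
        CtLogList knownLogs = CtLogListLoader.loadLogList();
        boolean sawGoogleLog = false;
        boolean sawOtherLog = false;
        for (SignedCertificateTimestamp sct : scts) {
            CtLog log = knownLogs.getCtLog(sct.getLogId());
            if (log == null) {
                continue;
            }
            if (GOOGLE_LOG_OPERATOR.equals(log.getOperator())) {
                sawGoogleLog = true;
            } else {
                sawOtherLog = true;
            }
            if (sawGoogleLog && sawOtherLog) {
                return true;
            }
        }
        return sawGoogleLog && sawOtherLog;
    }

    /**
     * The probe needs a non-empty certificate chain and the OCSP probe to have run first.
     *
     * @param siteReport the report accumulated so far
     * @return whether the probe can run
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public boolean canBeExecuted(SiteReport siteReport) {
        return siteReport.getCertificateChainList() != null && !siteReport.getCertificateChainList().isEmpty()
            && siteReport.isProbeAlreadyExecuted(ProbeType.OCSP);
    }

    /**
     * @return a result reporting no SCT support on any channel and no policy compliance
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public ProbeResult getCouldNotExecuteResult() {
        return new CertificateTransparencyResult(false, false, false, false, null, null, null);
    }

    /**
     * Takes the first certificate chain from the report; leaves {@code serverCertChain} null
     * (so {@link #executeTest()} reports could-not-execute) when there is none.
     *
     * @param siteReport the report accumulated so far
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public void adjustConfig(SiteReport siteReport) {
        if (siteReport.getCertificateChainList() == null || siteReport.getCertificateChainList().isEmpty()) {
            this.serverCertChain = null;
            return;
        }
        this.serverCertChain = siteReport.getCertificateChainList().get(0).getCertificate();
    }
}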
