package eu.europa.esig.dss.validation;

import eu.europa.esig.dss.DSSASN1Utils;
import eu.europa.esig.dss.DSSException;
import eu.europa.esig.dss.DSSUtils;
import eu.europa.esig.dss.client.http.DataLoader;
import eu.europa.esig.dss.tsl.ServiceInfo;
import eu.europa.esig.dss.x509.CertificatePool;
import eu.europa.esig.dss.x509.CertificateSourceType;
import eu.europa.esig.dss.x509.CertificateToken;
import eu.europa.esig.dss.x509.RevocationToken;
import eu.europa.esig.dss.x509.Token;
import eu.europa.esig.dss.x509.crl.CRLSource;
import eu.europa.esig.dss.x509.ocsp.OCSPSource;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/validation/SignatureValidationContext.class */
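/**
 * Work list used during signature validation: it collects the certificate, revocation and
 * timestamp tokens that must be checked and, for each of them, resolves the issuer certificate
 * and (for certificates) the revocation data.
 *
 * <p>Thread-safety: {@code tokensToProcess} is only accessed while holding its own monitor.
 * NOTE(review): the three {@code processed*} sets are plain {@link HashSet}s that are modified
 * outside that monitor, so concurrent use of one instance is not obviously safe; confirm with
 * the callers.
 */
public class SignatureValidationContext implements ValidationContext {
    private static final Logger logger = LoggerFactory.getLogger(SignatureValidationContext.class);

    // Used to fetch issuer certificates through the AIA extension (see getIssuerFromAIA).
    private DataLoader dataLoader;
    protected CertificatePool validationCertificatePool;

    // Revocation sources supplied by the CertificateVerifier in initialize(...).
    private OCSPSource ocspSource;
    private CRLSource crlSource;

    // Fallback revocation sources, consulted when the sources above yield nothing
    // (see getRevocationData).
    private CRLSource signatureCRLSource;
    private OCSPSource signatureOCSPSource;

    // NOTE(review): never assigned anywhere in this class, so the getter returns null here.
    private List<TimestampReference> timestampedReferences;

    private final Set<CertificateToken> processedCertificates = new HashSet<>();
    private final Set<RevocationToken> processedRevocations = new HashSet<>();
    private final Set<TimestampToken> processedTimestamps = new HashSet<>();

    // Token -> processing state. A null value marks a token that has not been handed out by
    // getNotYetVerifiedToken() yet; TRUE marks one that has.
    private final Map<Token, Boolean> tokensToProcess = new HashMap<>();

    // Reference time used for the expiry test in shouldCheckOnLine(...).
    protected Date currentTime = new Date();

    /**
     * Creates a context without a certificate pool; the pool is then obtained from the
     * {@link CertificateVerifier} passed to {@link #initialize(CertificateVerifier)}.
     */
    public SignatureValidationContext() {
    }

    /**
     * Creates a context working on the given certificate pool.
     *
     * @param certificatePool the pool to use, must not be {@code null}
     * @throws NullPointerException if {@code certificatePool} is {@code null}
     */
    public SignatureValidationContext(CertificatePool certificatePool) {
        if (certificatePool == null) {
            throw new NullPointerException("certificatePool must not be null");
        }
        this.validationCertificatePool = certificatePool;
    }

    /**
     * Copies the revocation sources and the data loader from the verifier and, when no pool was
     * given at construction time, asks the verifier to create one.
     *
     * @param certificateVerifier the verifier to read the configuration from, must not be {@code null}
     * @throws NullPointerException if {@code certificateVerifier} is {@code null}
     */
    @Override
    public void initialize(CertificateVerifier certificateVerifier) {
        if (certificateVerifier == null) {
            throw new NullPointerException("certificateVerifier must not be null");
        }
        if (this.validationCertificatePool == null) {
            this.validationCertificatePool = certificateVerifier.createValidationPool();
        }
        this.crlSource = certificateVerifier.getCrlSource();
        this.ocspSource = certificateVerifier.getOcspSource();
        this.dataLoader = certificateVerifier.getDataLoader();
        this.signatureCRLSource = certificateVerifier.getSignatureCRLSource();
        this.signatureOCSPSource = certificateVerifier.getSignatureOCSPSource();
    }

    /**
     * Returns the reference time of this validation.
     *
     * <p>The internal {@link Date} instance is returned as is, without a defensive copy.
     */
    @Override
    public Date getCurrentTime() {
        return this.currentTime;
    }

    /**
     * Sets the reference time of this validation. This value decides whether a certificate counts
     * as expired in {@code shouldCheckOnLine}, so it influences which revocation sources are
     * queried. The given instance is stored by reference.
     *
     * @param date the new reference time, must not be {@code null}
     * @throws NullPointerException if {@code date} is {@code null}
     */
    @Override
    public void setCurrentTime(Date date) {
        if (date == null) {
            throw new NullPointerException("date must not be null");
        }
        this.currentTime = date;
    }

    /**
     * Hands out one token that has not been processed yet and marks it as taken.
     *
     * @return the next pending token, or {@code null} when none is left
     */
    private Token getNotYetVerifiedToken() {
        synchronized (this.tokensToProcess) {
            for (Map.Entry<Token, Boolean> pending : this.tokensToProcess.entrySet()) {
                if (pending.getValue() == null) {
                    pending.setValue(true);
                    return pending.getKey();
                }
            }
            return null;
        }
    }

    /**
     * Resolves the issuer of a token: first the issuer already attached to the token, then the
     * certificate pool, then (for certificates only) a download through AIA.
     *
     * @param token the token whose issuer is wanted
     * @return the issuer certificate, or {@code null} when the token is trusted or no issuer
     *         could be found
     */
    private CertificateToken getIssuerCertificate(Token token) throws DSSException {
        if (token.isTrusted()) {
            // A trusted token ends the chain; nothing above it is looked up.
            return null;
        }
        CertificateToken knownIssuer = token.getIssuerToken();
        if (knownIssuer != null) {
            return knownIssuer;
        }
        CertificateToken issuer = getIssuerFromPool(token, token.getIssuerX500Principal());
        if (issuer == null && (token instanceof CertificateToken)) {
            issuer = getIssuerFromAIA((CertificateToken) token);
        }
        if (issuer == null) {
            token.extraInfo().infoTheSigningCertNotFound();
            return null;
        }
        if (!issuer.isTrusted() && !issuer.isSelfSigned()) {
            // Walk further up the chain; the result is discarded here.
            // NOTE(review): termination on a chain with cross-certified issuers relies on the
            // issuer being attached to the token during isSignedBy(...) - confirm in Token.
            getIssuerCertificate(issuer);
        }
        return issuer;
    }

    /**
     * Tries to download the issuer certificate through the AIA extension of the certificate.
     *
     * <p>The certificate under validation is untrusted input at this point, and the download goes
     * through {@code dataLoader}. NOTE(review): presumably the location comes from the
     * certificate itself (see {@code DSSUtils.loadIssuerCertificate}); if so, timeouts, response
     * size limits and any restriction of allowed schemes or hosts have to be enforced by the
     * configured {@code DataLoader}.
     *
     * <p>The downloaded certificate is registered in the pool with source {@code AIA} before the
     * signature check, and is returned only when it actually signs {@code certificateToken}.
     *
     * @param certificateToken the certificate whose issuer is wanted
     * @return the issuer certificate, or {@code null} when it cannot be loaded or does not sign
     *         {@code certificateToken}
     */
    private CertificateToken getIssuerFromAIA(CertificateToken certificateToken) {
        try {
            logger.info("Retrieving {} certificate's issuer using AIA.", certificateToken.getAbbreviation());
            CertificateToken downloaded = DSSUtils.loadIssuerCertificate(certificateToken, this.dataLoader);
            if (downloaded == null) {
                logger.info("The issuer certificate cannot be loaded using AIA.");
                return null;
            }
            CertificateToken pooled = this.validationCertificatePool.getInstance(downloaded, CertificateSourceType.AIA);
            if (certificateToken.isSignedBy(pooled)) {
                return pooled;
            }
            logger.info("The retrieved certificate using AIA does not sign the certificate {}.", certificateToken.getAbbreviation());
            return null;
        } catch (DSSException e) {
            // Best effort: a failed download must not abort the validation. The exception is
            // passed to the logger so that the cause and stack trace are kept.
            logger.error("Unable to retrieve the issuer certificate using AIA: " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Looks in the certificate pool for a certificate with the given subject that signs the token.
     *
     * @param token the token whose issuer is wanted
     * @param x500Principal the issuer name to look up in the pool
     * @return the first pooled certificate that signs {@code token}, or {@code null}
     */
    private CertificateToken getIssuerFromPool(Token token, X500Principal x500Principal) {
        for (CertificateToken candidate : this.validationCertificatePool.get(x500Principal)) {
            if (token.isSignedBy(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Registers a token in the work list unless it is {@code null} or already registered.
     *
     * @param token the token to register, may be {@code null}
     * @return {@code true} when the token was newly registered, {@code false} otherwise
     */
    private boolean addTokenForVerification(Token token) {
        final boolean traceEnabled = logger.isTraceEnabled();
        synchronized (this.tokensToProcess) {
            if (traceEnabled) {
                logger.trace("addTokenForVerification: trying to acquire synchronized block");
            }
            if (token == null) {
                return false;
            }
            try {
                if (this.tokensToProcess.containsKey(token)) {
                    if (traceEnabled) {
                        logger.trace("Token was already in the list {}:{}", token.getClass().getSimpleName(), token.getAbbreviation());
                    }
                    return false;
                }
                // null value = registered but not yet handed out by getNotYetVerifiedToken()
                this.tokensToProcess.put(token, null);
                if (traceEnabled) {
                    logger.trace("+ New {} to check: {}", token.getClass().getSimpleName(), token.getAbbreviation());
                }
                return true;
            } finally {
                // Logged once per call, on every exit path of the try block.
                if (traceEnabled) {
                    logger.trace("addTokenForVerification: almost left synchronized block");
                }
            }
        }
    }

    /**
     * Registers a revocation token for verification. A {@code null} token is ignored silently;
     * {@link #validate()} relies on this when no revocation data could be obtained.
     *
     * @param revocationToken the token to register, may be {@code null}
     */
    @Override
    public void addRevocationTokenForVerification(RevocationToken revocationToken) {
        if (!addTokenForVerification(revocationToken)) {
            return;
        }
        boolean added = this.processedRevocations.add(revocationToken);
        if (logger.isTraceEnabled()) {
            if (added) {
                logger.trace("RevocationToken added to processedRevocations: {} ", revocationToken);
            } else {
                logger.trace("RevocationToken already present processedRevocations: {} ", revocationToken);
            }
        }
    }

    /**
     * Registers a certificate token for verification. A {@code null} token is ignored.
     *
     * @param certificateToken the token to register, may be {@code null}
     */
    @Override
    public void addCertificateTokenForVerification(CertificateToken certificateToken) {
        if (!addTokenForVerification(certificateToken)) {
            return;
        }
        boolean added = this.processedCertificates.add(certificateToken);
        if (logger.isTraceEnabled()) {
            // The messages name the set that is really modified (processedCertificates).
            if (added) {
                logger.trace("CertificateToken added to processedCertificates: {} ", certificateToken);
            } else {
                logger.trace("CertificateToken already present processedCertificates: {} ", certificateToken);
            }
        }
    }

    /**
     * Registers a timestamp token for verification. A {@code null} token is ignored.
     *
     * @param timestampToken the token to register, may be {@code null}
     */
    @Override
    public void addTimestampTokenForVerification(TimestampToken timestampToken) {
        if (!addTokenForVerification(timestampToken)) {
            return;
        }
        boolean added = this.processedTimestamps.add(timestampToken);
        if (logger.isTraceEnabled()) {
            // Log the token that was added, not the whole set, and name the right set.
            if (added) {
                logger.trace("TimestampToken added to processedTimestamps: {} ", timestampToken);
            } else {
                logger.trace("TimestampToken already present processedTimestamps: {} ", timestampToken);
            }
        }
    }

    /**
     * Processes the work list until no pending token is left: for every token the issuer
     * certificate is resolved and queued, and for every certificate the revocation data is
     * fetched and queued.
     *
     * <p>When no revocation data is obtained for a certificate, nothing is queued and no error is
     * raised here; a consumer of {@link #getProcessedRevocations()} has to treat a certificate
     * without revocation data as "status unknown", not as "not revoked".
     */
    @Override
    public void validate() throws DSSException {
        Token pending;
        while ((pending = getNotYetVerifiedToken()) != null) {
            CertificateToken issuer = getIssuerCertificate(pending);
            if (issuer != null) {
                addCertificateTokenForVerification(issuer);
            }
            if (pending instanceof CertificateToken) {
                // May pass null, which addRevocationTokenForVerification ignores.
                addRevocationTokenForVerification(getRevocationData((CertificateToken) pending));
            }
        }
    }

    /**
     * Fetches the revocation data of a certificate.
     *
     * <p>No lookup is done for self-signed or trusted certificates, for certificates without a
     * resolved issuer, and for OCSP signing certificates carrying the id-pkix-ocsp-nocheck
     * extension. Otherwise the verifier's CRL/OCSP sources are asked first (only when
     * {@link #shouldCheckOnLine(CertificateToken)} allows it) and the signature's own CRL/OCSP
     * sources serve as fallback.
     *
     * @param certificateToken the certificate to check
     * @return the revocation token, or {@code null} when none is needed or none was found
     */
    private RevocationToken getRevocationData(CertificateToken certificateToken) {
        if (logger.isTraceEnabled()) {
            logger.trace("Checking revocation data for: {}", certificateToken.getDSSIdAsString());
        }
        if (certificateToken.isSelfSigned() || certificateToken.isTrusted() || certificateToken.getIssuerToken() == null) {
            return null;
        }
        if (DSSASN1Utils.isOCSPSigning(certificateToken) && DSSASN1Utils.hasIdPkixOcspNoCheckExtension(certificateToken)) {
            certificateToken.extraInfo().addInfo("OCSP check not needed: id-pkix-ocsp-nocheck extension present.");
            return null;
        }
        if (shouldCheckOnLine(certificateToken)) {
            RevocationToken fromVerifierSources = new OCSPAndCRLCertificateVerifier(this.crlSource, this.ocspSource, this.validationCertificatePool).check(certificateToken);
            if (fromVerifierSources != null) {
                return fromVerifierSources;
            }
        }
        return new OCSPAndCRLCertificateVerifier(this.signatureCRLSource, this.signatureOCSPSource, this.validationCertificatePool).check(certificateToken);
    }

    /**
     * Decides whether the verifier's CRL/OCSP sources should be asked for this certificate.
     *
     * <p>A certificate that is not expired at {@code currentTime} is always checked. An expired
     * one is checked only when its issuer carries the ExpiredCertOnCRL extension or when the
     * trusted list declares 'expiredCertsRevocationInfo' for it.
     *
     * @param certificateToken the certificate to check; its issuer token is expected to be set
     * @return {@code true} when the verifier's sources should be queried
     */
    private boolean shouldCheckOnLine(CertificateToken certificateToken) {
        if (!certificateToken.isExpiredOn(this.currentTime)) {
            return true;
        }
        if (DSSASN1Utils.hasExpiredCertOnCRLExtension(certificateToken.getIssuerToken())) {
            certificateToken.extraInfo().addInfo("Certificate is expired but the issuer certificate has ExpiredCertOnCRL extension.");
            return true;
        }
        Date revocationKeptFrom = getExpiredCertsRevocationFromDate(certificateToken);
        if (revocationKeptFrom == null) {
            return false;
        }
        certificateToken.extraInfo().addInfo("Certificate is expired but the TSL extension 'expiredCertsRevocationInfo' is present: " + revocationKeptFrom);
        return true;
    }

    /**
     * Searches the services associated with the certificate's trust anchor for an
     * 'expiredCertsRevocationInfo' date that lies before the certificate's notAfter date and
     * belongs to a service without a status end date.
     *
     * @param certificateToken the expired certificate
     * @return the first matching date, or {@code null} when there is no trust anchor, no
     *         associated service or no matching date
     */
    private Date getExpiredCertsRevocationFromDate(CertificateToken certificateToken) {
        CertificateToken trustAnchor = certificateToken.getTrustAnchor();
        if (trustAnchor == null) {
            return null;
        }
        Set<ServiceInfo> services = trustAnchor.getAssociatedTSPS();
        if (services == null) {
            return null;
        }
        Date notAfter = certificateToken.getNotAfter();
        for (ServiceInfo service : services) {
            Date keptFrom = service.getExpiredCertsRevocationInfo();
            if (keptFrom != null && keptFrom.before(notAfter) && service.getStatusEndDate() == null) {
                return keptFrom;
            }
        }
        return null;
    }

    /** Returns a read-only view of the certificates registered so far. */
    @Override
    public Set<CertificateToken> getProcessedCertificates() {
        return Collections.unmodifiableSet(this.processedCertificates);
    }

    /** Returns a read-only view of the revocation tokens registered so far. */
    @Override
    public Set<RevocationToken> getProcessedRevocations() {
        return Collections.unmodifiableSet(this.processedRevocations);
    }

    /** Returns a read-only view of the timestamp tokens registered so far. */
    @Override
    public Set<TimestampToken> getProcessedTimestamps() {
        return Collections.unmodifiableSet(this.processedTimestamps);
    }

    /**
     * Returns the timestamped references.
     *
     * @return the stored list; {@code null} as far as this class is concerned, because the field
     *         is never assigned here
     */
    public List<TimestampReference> getTimestampedReferences() {
        return this.timestampedReferences;
    }

    /**
     * Renders the processed certificates as an indented, multi-line text.
     *
     * @param str the indentation prefix put in front of the first line
     * @return the textual form, or {@code Object.toString()} when rendering fails
     */
    public String toString(String str) {
        try {
            StringBuilder out = new StringBuilder();
            out.append(str).append("ValidationContext[").append('\n');
            String sectionIndent = str + "\t";
            out.append(sectionIndent).append("Certificates[").append('\n');
            String itemIndent = sectionIndent + "\t";
            for (CertificateToken certificate : this.processedCertificates) {
                out.append(certificate.toString(itemIndent));
            }
            // Each closing bracket is indented with one leading character less than the level before.
            String closingIndent = itemIndent.substring(1);
            out.append(closingIndent).append("],\n");
            out.append(closingIndent.substring(1)).append("],\n");
            return out.toString();
        } catch (Exception e) {
            // Deliberate best effort: toString() must never throw.
            return super.toString();
        }
    }

    @Override
    public String toString() {
        return toString("");
    }
}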
