package de.rub.nds.tlsscanner.serverscanner.probe.certificate;

import de.rub.nds.tlsattacker.core.certificate.ocsp.CertificateInformationExtractor;
import de.rub.nds.tlsattacker.core.certificate.ocsp.CertificateStatus;
import de.rub.nds.tlsattacker.core.certificate.ocsp.OCSPRequest;
import de.rub.nds.tlsattacker.core.constants.HashAlgorithm;
import de.rub.nds.tlsattacker.core.constants.SignatureAlgorithm;
import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
import de.rub.nds.tlsattacker.core.util.CertificateUtils;
import de.rub.nds.tlsscanner.serverscanner.probe.certificate.roca.BrokenKey;
import de.rub.nds.tlsscanner.serverscanner.trust.TrustAnchorManager;
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateParsingException;
import java.security.interfaces.RSAPublicKey;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.xml.bind.DatatypeConverter;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.jce.provider.X509CertificateObject;

/* loaded from: input_file:de/rub/nds/tlsscanner/serverscanner/probe/certificate/CertificateReportGenerator.class */
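/**
 * Builds one {@link CertificateReport} per certificate of a TLS certificate chain.
 *
 * <p>Each {@code setXxx} helper fills a single report field and is deliberately
 * best-effort: a failure in one probe is logged and leaves that field untouched
 * (i.e. "unknown") instead of aborting the whole report. Several helpers
 * (alternative names, weak Debian keys, EV, CT, CRL, DNS CAA) are not implemented
 * in this build and are kept as no-ops so the call sequence in
 * {@link #generateReport} stays stable.
 *
 * <p>Not thread-safe beyond what the underlying {@link TrustAnchorManager}
 * singleton guarantees; the generator itself holds no mutable state.
 */
public class CertificateReportGenerator {
    private static final Logger LOGGER = LogManager.getLogger(CertificateReportGenerator.class.getName());

    /** Subject placeholder written when the certificate carries no subject name. */
    private static final String SUBJECT_NOT_SPECIFIED = "--not specified--";

    /** Separator used between several CN values in the common-names field. */
    private static final String COMMON_NAME_SEPARATOR = " ,";

    // Numeric OCSP status values as returned by CertificateStatus.getCertificateStatus().
    // The 0 = good / 1 = revoked mapping is taken from the original code;
    // NOTE(review): confirm against the CertificateStatus definition in TLS-Attacker.
    private static final int OCSP_STATUS_GOOD = 0;
    private static final int OCSP_STATUS_REVOKED = 1;

    /**
     * Generates a report for every certificate in the given chain.
     *
     * @param certificate the chain received from the server; may be {@code null}
     * @return one report per chain element in chain order, or an empty list when
     *         {@code certificate} is {@code null}; never {@code null}
     */
    public static List<CertificateReport> generateReports(Certificate certificate) {
        List<CertificateReport> reports = new LinkedList<>();
        if (certificate == null) {
            return reports;
        }
        for (org.bouncycastle.asn1.x509.Certificate chainElement : certificate.getCertificateList()) {
            reports.add(generateReport(chainElement));
        }
        return reports;
    }

    /**
     * Generates a report for a single certificate.
     *
     * <p>The probes run in a fixed order because later ones read fields written by
     * earlier ones: {@link #setVulnerableRoca} needs the public key, and
     * {@link #setRevoked} needs the OCSP-support flag.
     *
     * @param certificate the certificate to describe; must not be {@code null}
     * @return the populated report; never {@code null}
     */
    public static CertificateReport generateReport(org.bouncycastle.asn1.x509.Certificate certificate) {
        CertificateReport report = new CertificateReport();
        setSubject(report, certificate);
        setCommonNames(report, certificate);
        setAlternativeNames(report, certificate);
        setValidFrom(report, certificate);
        setValidTo(report, certificate);
        setPubkey(report, certificate);
        setWeakDebianKey(report, certificate);
        setIssuer(report, certificate);
        setSignatureAndHashAlgorithm(report, certificate);
        setExtendedValidation(report, certificate);
        setCeritifcateTransparency(report, certificate);
        setOcspMustStaple(report, certificate);
        setCRLSupported(report, certificate);
        setOcspSupported(report, certificate);
        setRevoked(report, certificate);
        setDnsCCA(report, certificate);
        setSha256Hash(report, certificate);
        report.setCertificate(certificate);
        setVulnerableRoca(report, certificate);

        TrustAnchorManager trustAnchorManager = TrustAnchorManager.getInstance();
        if (trustAnchorManager.isInitialized()) {
            report.setTrustAnchor(Boolean.valueOf(trustAnchorManager.isTrustAnchor(report)));
        } else {
            // No trust store loaded: report "unknown" rather than claiming either way.
            report.setTrustAnchor(null);
        }

        // This is a name-based "self-issued" test only: it compares the rendered issuer and
        // subject DNs and does not verify that the signature was made with the certificate's
        // own key. The issuer field stays null when the certificate has no issuer, so the
        // comparison must be null-safe.
        report.setSelfSigned(Objects.equals(report.getIssuer(), report.getSubject()));
        return report;
    }

    /** Writes the subject DN, or a placeholder when the certificate has none. */
    private static void setSubject(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        X500Name subject = certificate.getSubject();
        certificateReport.setSubject(subject == null ? SUBJECT_NOT_SPECIFIED : subject.toString());
    }

    /**
     * Writes all CN attribute values of the subject, joined by {@value #COMMON_NAME_SEPARATOR}.
     * An absent subject yields an empty string.
     */
    private static void setCommonNames(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        X500Name subject = certificate.getSubject();
        if (subject == null) {
            certificateReport.setCommonNames("");
            return;
        }
        RDN[] commonNames = subject.getRDNs(BCStyle.CN);
        StringBuilder joined = new StringBuilder();
        for (int i = 0; i < commonNames.length; i++) {
            if (i > 0) {
                joined.append(COMMON_NAME_SEPARATOR);
            }
            // Only the first attribute of a (possibly multi-valued) RDN is reported.
            joined.append(IETFUtils.valueToString(commonNames[i].getFirst().getValue()));
        }
        certificateReport.setCommonNames(joined.toString());
    }

    /** Not implemented in this build: the alternative-names field is left untouched. */
    private static void setAlternativeNames(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
    }

    /** Writes the notBefore date when the certificate carries one. */
    private static void setValidFrom(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        if (certificate.getStartDate() != null) {
            certificateReport.setValidFrom(certificate.getStartDate().getDate());
        }
    }

    /** Writes the notAfter date when the certificate carries one. */
    private static void setValidTo(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        if (certificate.getEndDate() != null) {
            certificateReport.setValidTo(certificate.getEndDate().getDate());
        }
    }

    /**
     * Extracts the subject public key via a JCA view of the certificate and stores the
     * TLS-Attacker representation of it. Parse failures are logged and leave the field unset.
     */
    private static void setPubkey(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        try {
            X509CertificateObject x509Certificate = new X509CertificateObject(certificate);
            PublicKey jcaKey = x509Certificate.getPublicKey();
            if (jcaKey != null) {
                certificateReport.setPublicKey((PublicKey) CertificateUtils.parseCustomPublicKey(jcaKey));
            }
        } catch (CertificateParsingException e) {
            LOGGER.error("Could not parse PublicKey from certificate", e);
        }
    }

    /** Not implemented in this build: the weak-Debian-key field is left untouched. */
    private static void setWeakDebianKey(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
    }

    /** Writes the issuer DN when the certificate carries one; otherwise the field stays null. */
    private static void setIssuer(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        X500Name issuer = certificate.getIssuer();
        if (issuer != null) {
            certificateReport.setIssuer(issuer.toString());
        }
    }

    /**
     * Derives the TLS {@link SignatureAndHashAlgorithm} from the JCA signature algorithm
     * name (e.g. {@code SHA256WITHRSA}: hash first, signature scheme second).
     *
     * <p>Names that do not split into exactly two parts, or whose parts are not known
     * enum constants, are logged at WARN and leave the field unset. {@code Enum.valueOf}
     * never returns {@code null}; unknown constants surface as
     * {@link IllegalArgumentException} and are handled as such.
     */
    private static void setSignatureAndHashAlgorithm(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        String sigAlgName = null;
        try {
            sigAlgName = new X509CertificateObject(certificate).getSigAlgName();
            if (sigAlgName == null) {
                return;
            }
            // Locale.ROOT keeps the upper-casing independent of the host locale.
            String[] parts = sigAlgName.toUpperCase(Locale.ROOT).split("WITH");
            if (parts.length != 2) {
                LOGGER.warn("Could not parse " + sigAlgName + " into a reasonable SignatureAndHashAlgorithm");
                return;
            }
            HashAlgorithm hashAlgorithm;
            try {
                hashAlgorithm = HashAlgorithm.valueOf(parts[0]);
            } catch (IllegalArgumentException e) {
                LOGGER.warn("Parsed an unknown HashAlgorithm");
                return;
            }
            SignatureAlgorithm signatureAlgorithm;
            try {
                signatureAlgorithm = SignatureAlgorithm.valueOf(parts[1]);
            } catch (IllegalArgumentException e) {
                LOGGER.warn("Parsed an unknown SignatureAlgorithm");
                return;
            }
            certificateReport.setSignatureAndHashAlgorithm(
                    SignatureAndHashAlgorithm.getSignatureAndHashAlgorithm(signatureAlgorithm, hashAlgorithm));
        } catch (Exception e) {
            LOGGER.debug("Could not extraxt SignatureAndHashAlgorithm from String:" + sigAlgName, e);
        }
    }

    /** Not implemented in this build: the extended-validation field is left untouched. */
    private static void setExtendedValidation(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
    }

    /** Not implemented in this build: the certificate-transparency field is left untouched. */
    private static void setCeritifcateTransparency(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
    }

    /**
     * Writes whether the certificate requests OCSP stapling ("must-staple"). Extraction
     * failures are logged at DEBUG with the cause and leave the field unset.
     */
    private static void setOcspMustStaple(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        try {
            Boolean mustStaple = new CertificateInformationExtractor(certificate).getMustStaple();
            if (mustStaple != null) {
                certificateReport.setOcspMustStaple(mustStaple);
            }
        } catch (Exception e) {
            LOGGER.debug("Could not extract OCSP 'must-staple' information from certificate.", e);
        }
    }

    /** Not implemented in this build: the CRL-support field is left untouched. */
    private static void setCRLSupported(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
    }

    /**
     * Writes whether the certificate advertises an OCSP responder URL.
     *
     * <p>The flag is always set on this path (a missing URL now yields {@code false} rather
     * than leaving the field null), so {@link #setRevoked} can rely on it.
     */
    private static void setOcspSupported(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        try {
            String ocspServerUrl = new CertificateInformationExtractor(certificate).getOcspServerUrl();
            certificateReport.setOcspSupported(ocspServerUrl != null);
        } catch (NoSuchFieldException e) {
            certificateReport.setOcspSupported(false);
            LOGGER.debug("OCSP is not supported for this certificate.");
        } catch (Exception e) {
            certificateReport.setOcspSupported(false);
            LOGGER.error("An error happened during retrieving OCSP information for this certificate.", e);
        }
    }

    /**
     * Queries the certificate's OCSP responder and writes the revocation state.
     *
     * <p>Runs only when {@link #setOcspSupported} reported {@code true}. The responder URL
     * and the issuer lookup both come from the scanned certificate itself, i.e. from
     * untrusted input, and the query opens an outbound network connection to that URL.
     * Statuses other than good/revoked leave the field unset ("unknown").
     *
     * <p>NOTE(review): nothing in this method checks the OCSP response signature; confirm
     * that {@code OCSPRequest.makeRequest()} validates the response against the issuer
     * certificate before the returned status is trusted.
     */
    private static void setRevoked(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        // Null-safe: a never-set flag must not crash the report, it just means "no OCSP".
        if (!Boolean.TRUE.equals(certificateReport.getOcspSupported())) {
            return;
        }
        CertificateInformationExtractor extractor = new CertificateInformationExtractor(certificate);
        org.bouncycastle.asn1.x509.Certificate issuerCertificate = resolveIssuerCertificate(extractor, certificate);
        if (issuerCertificate == null) {
            LOGGER.debug("No issuer certificate available. Aborting OCSP revocation check.");
            return;
        }
        try {
            URL responderUrl = new URL(extractor.getOcspServerUrl());
            List<?> statusList = new OCSPRequest(certificate, issuerCertificate, responderUrl)
                    .makeRequest()
                    .getCertificateStatusList();
            if (statusList == null || statusList.isEmpty()) {
                LOGGER.warn("OCSP response contained no certificate status.");
                return;
            }
            // Only the first single response is evaluated; the request covers one certificate.
            int statusCode = ((CertificateStatus) statusList.get(0)).getCertificateStatus().intValue();
            if (statusCode == OCSP_STATUS_GOOD) {
                certificateReport.setRevoked(false);
            } else if (statusCode == OCSP_STATUS_REVOKED) {
                certificateReport.setRevoked(true);
            } else {
                LOGGER.debug("OCSP responder returned status " + statusCode + "; revocation state left undetermined.");
            }
        } catch (Exception e) {
            LOGGER.error("Failed to get certificate revocation status via OCSP.", e);
        }
    }

    /**
     * Finds the issuer certificate needed to build an OCSP request: first via the
     * certificate's own issuer information, then via the configured trust anchors.
     *
     * @param extractor   extractor bound to {@code certificate}
     * @param certificate the certificate whose issuer is sought
     * @return the issuer certificate, or {@code null} when none could be determined
     */
    private static org.bouncycastle.asn1.x509.Certificate resolveIssuerCertificate(
            CertificateInformationExtractor extractor, org.bouncycastle.asn1.x509.Certificate certificate) {
        try {
            return extractor.retrieveIssuerCertificate();
        } catch (Exception e) {
            LOGGER.debug("Didn't find issuer entry in certificate, trying TrustAnchor.");
        }
        TrustAnchorManager trustAnchorManager = TrustAnchorManager.getInstance();
        if (!trustAnchorManager.isInitialized()) {
            return null;
        }
        try {
            return trustAnchorManager.getTrustAnchorCertificate(
                    new X509CertificateObject(certificate).getIssuerX500Principal());
        } catch (CertificateParsingException e) {
            LOGGER.error("Certificate conversion to X509CertificateObject failed. Aborting OCSP revocation check.");
            return null;
        }
    }

    /** Not implemented in this build: the DNS CAA field is left untouched. */
    private static void setDnsCCA(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
    }

    /**
     * Writes the SHA-256 fingerprint of the DER-encoded certificate as lower-case hex.
     * Encoding or digest failures are logged and leave the field unset.
     */
    private static void setSha256Hash(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(certificate.getEncoded());
            certificateReport.setSha256Fingerprint(DatatypeConverter.printHexBinary(digest).toLowerCase());
        } catch (IOException | NoSuchAlgorithmException e) {
            LOGGER.warn("Could not create SHA-256 Hash", e);
        }
    }

    /** Unused in this build; retained as-is. Always reports the ROCA check as unavailable. */
    private static boolean rocaIsAvailable() {
        return false;
    }

    /**
     * Flags RSA keys affected by the ROCA weakness. Requires {@link #setPubkey} to have
     * run first; non-RSA or missing keys are reported as not vulnerable.
     */
    private static void setVulnerableRoca(CertificateReport certificateReport, org.bouncycastle.asn1.x509.Certificate certificate) {
        PublicKey publicKey = certificateReport.getPublicKey();
        // instanceof is false for null, so no separate null check is needed.
        boolean vulnerable = publicKey instanceof RSAPublicKey && BrokenKey.isAffected((RSAPublicKey) publicKey);
        certificateReport.setRocaVulnerable(Boolean.valueOf(vulnerable));
    }
}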
