package eu.peppol.security;

import eu.peppol.util.Util;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/peppol/security/OxalisCertificateValidator.class */
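/**
 * Singleton that validates X.509 certificates against a trust store using PKIX path validation
 * with revocation checking (OCSP, and CRL distribution points as a fallback).
 *
 * <p>Successful validations are remembered by certificate thumbprint in {@link #cache}; a cache hit
 * short-circuits the whole PKIX/revocation check, so the freshness of a cached "valid" verdict is
 * entirely governed by {@code OcspValidatorCache} (its expiry policy is not visible in this file).
 *
 * <p>Thread-safety: the enum instance is shared; {@link #cacheHits} is a plain counter and is only
 * approximate under concurrent callers.
 */
public enum OxalisCertificateValidator {
    INSTANCE;

    /** Builds the single-element certificate path handed to the PKIX validator. */
    private final CertificateFactory certificateFactory;

    // Diagnostic counter of validations answered from the thumbprint cache.
    // Not synchronized: the value is informational, not a security control.
    private int cacheHits = 0;

    public static final Logger log = LoggerFactory.getLogger(OxalisCertificateValidator.class);

    /** Process-wide cache of thumbprints that already passed a full validation. */
    public static final OcspValidatorCache cache = OcspValidatorCache.getInstance();

    /**
     * Creates the X.509 certificate factory used for path construction.
     *
     * @throws IllegalStateException if the JVM has no X.509 {@link CertificateFactory}
     */
    OxalisCertificateValidator() {
        try {
            this.certificateFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new IllegalStateException("Unable to create CertificateFactory " + e.getMessage(), e);
        }
    }

    /** @return the shared validator instance */
    public static OxalisCertificateValidator getInstance() {
        return INSTANCE;
    }

    /**
     * Validates a certificate against the PEPPOL trust store, consulting the cache first.
     *
     * @param x509Certificate certificate to validate
     * @return {@code true} if the certificate chains to the PEPPOL trust store and is not revoked
     *         (or was previously found valid and is still cached)
     */
    public boolean validate(X509Certificate x509Certificate) {
        return validateUsingCache(x509Certificate, KeystoreManager.getInstance().getPeppolTruststore());
    }

    /**
     * Validates a certificate against the given trust store, consulting the cache first.
     *
     * @param x509Certificate certificate to validate
     * @param keyStore        trust store holding the accepted trust anchors
     * @return {@code true} if valid (or cached as valid), {@code false} if path validation fails
     */
    public boolean validateUsingCache(X509Certificate x509Certificate, KeyStore keyStore) {
        return doValidation(x509Certificate, keyStore, true);
    }

    /**
     * Validates a certificate against the given trust store, always performing the full
     * PKIX and revocation check. A successful result is still recorded in the cache.
     *
     * @param x509Certificate certificate to validate
     * @param keyStore        trust store holding the accepted trust anchors
     * @return {@code true} if valid, {@code false} if path validation fails
     */
    public boolean validateWithoutCache(X509Certificate x509Certificate, KeyStore keyStore) {
        return doValidation(x509Certificate, keyStore, false);
    }

    /**
     * Performs the validation, optionally short-circuiting on a cache hit.
     *
     * <p>Side effects: enables OCSP and CRLDP for the whole JVM via
     * {@code Security.setProperty("ocsp.enable", "true")} and
     * {@code System.setProperty("com.sun.security.enableCRLDP", "true")} on every call.
     * Revocation checking needs outbound network access to the OCSP responder / CRL URLs
     * named in the certificate; without it the PKIX validator fails closed and this method
     * returns {@code false}.
     *
     * @param x509Certificate certificate to validate
     * @param keyStore        trust store holding the accepted trust anchors
     * @param useCache        whether a cached "valid" verdict may be returned without re-validating
     * @return {@code true} if the certificate is valid, {@code false} if the validator rejects it
     * @throws IllegalStateException on configuration problems (bad trust store, missing PKIX provider,
     *                               certificate that cannot be encoded or placed in a path)
     */
    boolean doValidation(X509Certificate x509Certificate, KeyStore keyStore, boolean useCache) {
        String certificateInfo = certificateInfo(x509Certificate);
        log.debug("Validation of certificate {} requested", certificateInfo);

        BigInteger thumbprint = createThumPrint(x509Certificate);
        if (useCache && hasEntryInValidatedCache(thumbprint)) {
            return true;
        }

        log.debug("Performing OCSP and CRLDP (optional) validation");

        PKIXParameters pkixParameters;
        try {
            pkixParameters = new PKIXParameters(keyStore);
        } catch (InvalidAlgorithmParameterException e) {
            throw new IllegalStateException("Unable to create PKIXParameters; " + e.getMessage(), e);
        } catch (KeyStoreException e) {
            throw new IllegalStateException(
                    "Unable to create PKIXParameters from current PEPPOL truststore: " + e.getMessage(), e);
        }
        pkixParameters.setRevocationEnabled(true);
        // JVM-wide switches: OCSP, with CRL distribution points as fallback. Both are global state.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertPathValidator validator;
        try {
            validator = CertPathValidator.getInstance("PKIX");
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause: the original message-only exception hid why the provider was missing.
            throw new IllegalStateException("Unable to create instance of certificate path validator", e);
        }

        try {
            validator.validate(
                    this.certificateFactory.generateCertPath(Arrays.asList(x509Certificate)),
                    pkixParameters);
        } catch (CertPathValidatorException e) {
            // A rejected peer certificate is security-relevant; log it where operators will see it.
            log.warn("Certificate {} failed validation: {}", certificateInfo, e.getMessage());
            return false;
        } catch (InvalidAlgorithmParameterException e) {
            throw new IllegalStateException("Error during certificate validation: " + e.getMessage(), e);
        } catch (CertificateException e) {
            throw new IllegalStateException("Unable to establish cert path for certificate " + x509Certificate, e);
        }

        cache.setKnownValidCertificate(thumbprint);
        log.debug("Certificate {}, validated OK", certificateInfo);
        return true;
    }

    /** Human-readable identification used in log and error messages: serial number and subject. */
    private String certificateInfo(X509Certificate x509Certificate) {
        return x509Certificate.getSerialNumber() + " " + x509Certificate.getSubjectX500Principal().getName();
    }

    /**
     * Computes the cache key for a certificate: a positive big integer over the digest
     * ({@code Util.calculateSHA256}) of the certificate's DER encoding.
     *
     * @throws IllegalStateException if the digest algorithm is unavailable or the certificate cannot be encoded
     */
    private BigInteger createThumPrint(X509Certificate x509Certificate) {
        try {
            // Sign-magnitude constructor with signum 1 so a leading 0x80+ byte is never read as negative.
            return new BigInteger(1, Util.calculateSHA256(x509Certificate.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(
                    "Unable to calculate certificate thumbprint for certificate " + certificateInfo(x509Certificate), e);
        } catch (CertificateEncodingException e) {
            throw new IllegalStateException(
                    "Unable to encode certificate " + certificateInfo(x509Certificate) + " for thumbprint calculation ", e);
        }
    }

    /**
     * Checks the cache for a previously validated thumbprint and counts the hit.
     *
     * @param thumbprint cache key as produced by {@link #createThumPrint(X509Certificate)}
     * @return {@code true} if the cache still holds the thumbprint as valid
     */
    boolean hasEntryInValidatedCache(BigInteger thumbprint) {
        if (!cache.isKnownValidCertificate(thumbprint)) {
            return false;
        }
        this.cacheHits++;
        log.debug("Certificate thumbprint found in cache of trusted certificates.");
        return true;
    }

    /** @return number of validations answered from the cache since this instance was created (approximate) */
    public int getCacheHits() {
        return this.cacheHits;
    }
}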
