package no.difi.certvalidator.rule;

import java.io.IOException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import no.difi.certvalidator.api.CertificateBucket;
import no.difi.certvalidator.api.CertificateValidationException;
import no.difi.certvalidator.api.FailedValidationException;
import no.difi.certvalidator.api.ValidatorRule;
import org.bouncycastle.asn1.x509.Extension;
import sun.security.provider.certpath.OCSP;

/* loaded from: input_file:WEB-INF/lib/commons-certvalidator-2.1.0.jar:no/difi/certvalidator/rule/OCSPRule.class */
/**
 * Validator rule that asks an OCSP responder whether a certificate is still good.
 *
 * <p>The issuer certificate needed for the OCSP request is looked up by subject in the
 * bucket supplied at construction time. The lookup itself is delegated to the
 * JDK-internal {@code sun.security.provider.certpath.OCSP} class, which is not a supported
 * public API.
 *
 * <p>Security note: a certificate without an Authority Information Access (AIA) extension
 * passes this rule without any revocation check being made. Passing this rule therefore
 * does not prove that the revocation status was actually queried.
 */
public class OCSPRule implements ValidatorRule {
    // Bucket queried by subject to find the issuer of the certificate under validation.
    private CertificateBucket intermediateCertificates;

    /**
     * Creates the rule.
     *
     * @param certificateBucket bucket searched for the issuer certificate; it is stored as
     *     given, without a null check
     */
    public OCSPRule(CertificateBucket certificateBucket) {
        this.intermediateCertificates = certificateBucket;
    }

    /**
     * Checks the revocation status of the given certificate through OCSP.
     *
     * <p>Only the presence of the AIA extension is tested; its content is not inspected
     * here. When the extension is absent the method returns normally and nothing is checked.
     *
     * @param x509Certificate certificate to validate
     * @throws FailedValidationException if the issuer is not found in the bucket, or the
     *     reported status is anything other than {@code GOOD}
     * @throws CertificateValidationException if the lookup throws {@link IOException},
     *     {@link CertPathValidatorException} or {@link NullPointerException}; the original
     *     exception is kept as the cause and its message (possibly {@code null}) is reused
     */
    @Override
    public void validate(X509Certificate x509Certificate) throws CertificateValidationException {
        try {
            String aiaOid = Extension.authorityInfoAccess.getId();
            if (x509Certificate.getExtensionValue(aiaOid) != null) {
                X509Certificate issuer =
                        this.intermediateCertificates.findBySubject(x509Certificate.getIssuerX500Principal());
                if (issuer == null) {
                    String issuerName = x509Certificate.getIssuerX500Principal().getName();
                    throw new FailedValidationException(
                            String.format("Unable to find issuer certificate '%s'", issuerName));
                }

                OCSP.RevocationStatus revocation = getRevocationStatus(x509Certificate, issuer);
                OCSP.RevocationStatus.CertStatus reported = revocation.getCertStatus();
                // Every status except GOOD is a failure, so an undetermined answer is rejected too.
                if (!reported.equals(OCSP.RevocationStatus.CertStatus.GOOD)) {
                    throw new FailedValidationException(
                            String.format("Certificate status is reported as %s by OCSP.", reported.name()));
                }
            }
            // No AIA extension: nothing is checked and the certificate passes this rule.
        } catch (IOException | NullPointerException | CertPathValidatorException e) {
            // Lookup errors fail validation rather than letting the certificate through.
            // NullPointerException is part of the multi-catch, so an unexpected null inside
            // the try block is reported as a validation failure as well.
            throw new CertificateValidationException(e.getMessage(), e);
        }
    }

    /**
     * Performs the OCSP lookup by delegating to {@code OCSP.check}.
     *
     * @param x509Certificate certificate whose status is requested
     * @param x509Certificate2 issuer of that certificate
     * @return the revocation status returned by {@code OCSP.check}
     * @throws IOException propagated from {@code OCSP.check}
     * @throws CertPathValidatorException propagated from {@code OCSP.check}
     */
    public OCSP.RevocationStatus getRevocationStatus(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws IOException, CertPathValidatorException {
        OCSP.RevocationStatus status = OCSP.check(x509Certificate, x509Certificate2);
        return status;
    }
}
