package no.difi.certvalidator.rule;

import java.io.IOException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import no.difi.certvalidator.api.CertificateBucket;
import no.difi.certvalidator.api.CertificateValidationException;
import no.difi.certvalidator.api.FailedValidationException;
import no.difi.certvalidator.api.ValidatorRule;
import org.bouncycastle.asn1.x509.Extension;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.provider.certpath.OCSP;

/* loaded from: input_file:no/difi/certvalidator/rule/OCSPRule.class */
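/**
 * Validator rule that queries OCSP for the revocation status of a certificate and
 * rejects it unless the responder reports {@code GOOD}.
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li><b>Soft-fail on missing AIA.</b> A certificate without an Authority Information
 *       Access extension passes this rule without any revocation lookup. If every
 *       certificate must have a revocation answer, combine this rule with another
 *       revocation mechanism or reject AIA-less certificates before calling it.</li>
 *   <li>Only the presence of the AIA extension is tested here. NOTE(review): how an AIA
 *       that lists no OCSP responder is treated depends on {@code OCSP.check} - confirm
 *       against the JDK in use.</li>
 *   <li>The lookup relies on {@code sun.security.provider.certpath.OCSP}, a JDK-internal
 *       class that is not part of the supported Java API. Access to {@code sun.*}
 *       packages is restricted on modular JDKs (9+), so verify that this rule still
 *       loads and runs on the target runtime instead of assuming the check happens.</li>
 *   <li>Failures, including a non-GOOD status, are logged at debug level only. Callers
 *       that need an audit trail should record the thrown exception themselves.</li>
 * </ul>
 */
public class OCSPRule implements ValidatorRule {
    private static final Logger logger = LoggerFactory.getLogger(OCSPRule.class);

    // Source of issuer certificates; assigned once in the constructor.
    private final CertificateBucket intermediateCertificates;

    /**
     * Creates the rule.
     *
     * @param certificateBucket bucket searched for the issuer of each certificate being validated
     */
    public OCSPRule(CertificateBucket certificateBucket) {
        this.intermediateCertificates = certificateBucket;
    }

    /**
     * Checks the revocation status of the given certificate through OCSP.
     *
     * @param x509Certificate certificate to check
     * @throws FailedValidationException if the certificate is {@code null}, its issuer is not in
     *     the bucket, or the reported status is anything other than {@code GOOD}
     * @throws CertificateValidationException if the lookup itself fails; the original exception
     *     is kept as the cause
     */
    @Override
    public void validate(X509Certificate x509Certificate) throws CertificateValidationException {
        // Reject null up front: the catch handlers below read the serial number for logging,
        // so a null argument would otherwise escape as a raw NullPointerException.
        if (x509Certificate == null) {
            throw new FailedValidationException("Certificate to validate is null.");
        }
        try {
            // No AIA extension: nothing is queried and the certificate passes this rule.
            if (x509Certificate.getExtensionValue(Extension.authorityInfoAccess.getId()) == null) {
                return;
            }

            // The issuer certificate is passed to the OCSP lookup together with the subject.
            X509Certificate issuer =
                    this.intermediateCertificates.findBySubject(x509Certificate.getIssuerX500Principal());
            if (issuer == null) {
                throw new FailedValidationException(String.format("Unable to find issuer certificate '%s'", x509Certificate.getIssuerX500Principal().getName()));
            }

            // Fail closed: a missing answer, or any status other than GOOD, rejects the certificate.
            OCSP.RevocationStatus status = getRevocationStatus(x509Certificate, issuer);
            if (status == null || status.getCertStatus() != OCSP.RevocationStatus.CertStatus.GOOD) {
                throw new FailedValidationException("Certificate status is not reported as GOOD by OCSP.");
            }
        } catch (CertificateValidationException e) {
            logger.debug("{} ({})", e.getMessage(), x509Certificate.getSerialNumber());
            throw e;
        } catch (Exception e2) {
            // Any other failure (I/O, path validation, runtime error) is reported as a
            // validation error, so an unreachable or broken lookup never accepts the certificate.
            logger.debug("{} ({})", e2.getMessage(), x509Certificate.getSerialNumber());
            throw new CertificateValidationException(e2.getMessage(), e2);
        }
    }

    /**
     * Performs the OCSP lookup by delegating to the JDK-internal {@code OCSP.check}.
     *
     * @param x509Certificate certificate whose status is requested
     * @param x509Certificate2 issuer of that certificate
     * @return the revocation status returned by {@code OCSP.check}
     * @throws IOException declared by {@code OCSP.check}
     * @throws CertPathValidatorException declared by {@code OCSP.check}
     */
    public OCSP.RevocationStatus getRevocationStatus(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws IOException, CertPathValidatorException {
        return OCSP.check(x509Certificate, x509Certificate2);
    }
}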
