package no.digipost.security.cert;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import no.digipost.security.DigipostSecurity;
import no.digipost.security.DigipostSecurityException;
import no.digipost.security.ocsp.OcspLookup;
import no.digipost.security.ocsp.OcspUtils;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/digipost/security/cert/CertificateValidator.class */
public class CertificateValidator {
    private static final Logger LOG = LoggerFactory.getLogger(CertificateValidator.class);
    private final CertificateValidatorConfig config;
    private final CloseableHttpClient client;
    private final Map<X509Certificate, ResultWithTime> cache;
    private final Trust trust;
    private final Clock clock;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:no/digipost/security/cert/CertificateValidator$ResultWithTime.class */
    public static class ResultWithTime {
        public final CertStatus status;
        private final Instant reallyExpires;
        private final Instant warnAfter;
        private Instant expires;

        public ResultWithTime(Instant instant, CertStatus certStatus) {
            this.status = certStatus;
            if (certStatus == CertStatus.UNDECIDED) {
                this.expires = instant.plus(1L, (TemporalUnit) ChronoUnit.MINUTES);
                this.reallyExpires = this.expires;
                this.warnAfter = this.expires;
            } else {
                this.expires = instant.plus(5L, (TemporalUnit) ChronoUnit.MINUTES);
                this.reallyExpires = instant.plus(48L, (TemporalUnit) ChronoUnit.HOURS);
                this.warnAfter = instant.plus(2L, (TemporalUnit) ChronoUnit.HOURS);
            }
        }

        void setUnexpiredFrom(Instant instant) {
            this.expires = instant.plus(1L, (TemporalUnit) ChronoUnit.MINUTES);
        }

        boolean isExpiredAt(Instant instant) {
            return !instant.isBefore(this.expires);
        }

        boolean isValidAsStaleValueForFailedResolvingOfNewValue(Instant instant) {
            return instant.isBefore(this.reallyExpires);
        }

        boolean shouldLogIfUsedAsStaleValue(Instant instant) {
            return instant.isAfter(this.warnAfter);
        }
    }

    public CertificateValidator(Trust trust, CloseableHttpClient closeableHttpClient) {
        this(CertificateValidatorConfig.MOST_STRICT, trust, closeableHttpClient);
    }

    public CertificateValidator(CertificateValidatorConfig certificateValidatorConfig, Trust trust, CloseableHttpClient closeableHttpClient) {
        this.cache = new HashMap();
        this.config = certificateValidatorConfig;
        this.trust = trust;
        this.client = closeableHttpClient;
        this.clock = trust.clock;
    }

    public CertStatus validateCert(Certificate certificate) {
        return validateCert(certificate, this.config);
    }

    private CertStatus validateCert(Certificate certificate, CertificateValidatorConfig certificateValidatorConfig) {
        ResultWithTime resultWithTime;
        if (!(certificate instanceof X509Certificate)) {
            LOG.warn("Tried to validate a non-" + X509Certificate.class.getSimpleName() + ": " + certificate.getType() + "(" + certificate.getClass().getName() + ")");
            return CertStatus.UNTRUSTED;
        }
        X509Certificate requireX509 = DigipostSecurity.requireX509(certificate);
        if (this.cache.containsKey(requireX509)) {
            resultWithTime = this.cache.get(requireX509);
            if (!resultWithTime.isExpiredAt(this.clock.instant()) || resultWithTime.status == CertStatus.REVOKED) {
                return resultWithTime.status;
            }
        } else {
            resultWithTime = null;
        }
        ReviewedCertPath resolveCertPath = this.trust.resolveCertPath(requireX509);
        if (!resolveCertPath.isTrusted()) {
            return CertStatus.UNTRUSTED;
        }
        TrustedCertificateAndIssuer trustedCertificateAndIssuer = resolveCertPath.getTrustedCertificateAndIssuer();
        if (certificateValidatorConfig.ocspPolicy.decideFor(trustedCertificateAndIssuer) != OcspDecision.LOOKUP_OCSP) {
            this.cache.put(requireX509, new ResultWithTime(this.clock.instant(), CertStatus.OK));
            return CertStatus.OK;
        }
        CertStatus ocspLookup = ocspLookup(trustedCertificateAndIssuer, certificateValidatorConfig);
        if (ocspLookup != CertStatus.OK && certificateValidatorConfig.allowsOcspResult(ocspLookup)) {
            LOG.info("Status {} for certificate {} is configured as {}", new Object[]{ocspLookup, DigipostSecurity.describe(certificate), CertStatus.OK});
            ocspLookup = CertStatus.OK;
        }
        if (ocspLookup != CertStatus.UNDECIDED || resultWithTime == null || !resultWithTime.isValidAsStaleValueForFailedResolvingOfNewValue(this.clock.instant())) {
            this.cache.put(requireX509, new ResultWithTime(this.clock.instant(), ocspLookup));
            return ocspLookup;
        }
        if (resultWithTime.shouldLogIfUsedAsStaleValue(this.clock.instant())) {
            LOG.error("OCSP older than 2 hours: {}", DigipostSecurity.describe(requireX509));
        }
        resultWithTime.setUnexpiredFrom(this.clock.instant());
        return resultWithTime.status;
    }

    private CertStatus ocspLookup(TrustedCertificateAndIssuer trustedCertificateAndIssuer, CertificateValidatorConfig certificateValidatorConfig) {
        return (CertStatus) trustedCertificateAndIssuer.ocspLookupRequest.map(OcspLookup::new).flatMap(ocspLookup -> {
            try {
                return Optional.of(ocspLookup.executeUsing(this.client));
            } catch (RuntimeException e) {
                LOG.warn("Failed {} for {}: {} '{}'", new Object[]{ocspLookup, trustedCertificateAndIssuer, e.getClass().getSimpleName(), e.getMessage()});
                if (LOG.isDebugEnabled()) {
                    LOG.debug(e.getClass().getSimpleName() + ": '" + e.getMessage() + "'", e);
                }
                return Optional.empty();
            }
        }).map(ocspResult -> {
            X509Certificate x509Certificate;
            try {
                if (!ocspResult.isOkResponse()) {
                    LOG.warn("Unexpected {} for {}.", ocspResult, trustedCertificateAndIssuer);
                    return CertStatus.UNDECIDED;
                }
                try {
                    BasicOCSPResp responseObject = ocspResult.getResponseObject();
                    Optional<X509Certificate> findOcspSigningCertificate = findOcspSigningCertificate(responseObject, certificateValidatorConfig);
                    if (findOcspSigningCertificate.isPresent()) {
                        x509Certificate = findOcspSigningCertificate.get();
                        CertStatus validateCert = validateCert(x509Certificate, certificateValidatorConfig.withOcspPolicy(OcspPolicy.NEVER_DO_OCSP_LOOKUP));
                        if (validateCert != CertStatus.OK) {
                            LOG.warn("OCSP signing certificate is '{}': {}", validateCert, DigipostSecurity.describe(x509Certificate));
                            return validateCert;
                        }
                    } else {
                        x509Certificate = trustedCertificateAndIssuer.issuer;
                    }
                    if (!certificateValidatorConfig.ocspSignatureValidator.isValidSignature(responseObject, x509Certificate)) {
                        LOG.warn("OCSP response for {} failed signature validation", trustedCertificateAndIssuer);
                        return CertStatus.UNDECIDED;
                    }
                    for (SingleResp singleResp : responseObject.getResponses()) {
                        if (singleResp.getCertStatus() != CertificateStatus.GOOD) {
                            if (!(singleResp.getCertStatus() instanceof RevokedStatus)) {
                                LOG.info("OCSP response for {} returned status {}", trustedCertificateAndIssuer, singleResp.getCertStatus().getClass().getSimpleName());
                                return CertStatus.UNDECIDED;
                            }
                            RevokedStatus certStatus = singleResp.getCertStatus();
                            LOG.info("OCSP response for {} returned status revoked: {}, reason: '{}'", new Object[]{trustedCertificateAndIssuer, certStatus.getRevocationTime(), (RevocationReason) Optional.of(certStatus).filter((v0) -> {
                                return v0.hasRevocationReason();
                            }).map(revokedStatus -> {
                                return RevocationReason.resolve(revokedStatus.getRevocationReason());
                            }).orElse(RevocationReason.unspecified)});
                            return CertStatus.REVOKED;
                        }
                    }
                    LOG.debug("OCSP response for {} returned status GOOD", trustedCertificateAndIssuer);
                    return CertStatus.OK;
                } catch (DigipostSecurityException e) {
                    LOG.warn("OCSP response for {}, error reading the response because {} '{}'", new Object[]{trustedCertificateAndIssuer, e.getClass().getSimpleName(), e.getMessage()});
                    return CertStatus.UNDECIDED;
                }
            } catch (OCSPException e2) {
                throw new DigipostSecurityException((Throwable) e2);
            }
        }).orElse(CertStatus.UNDECIDED);
    }

    private static Optional<X509Certificate> findOcspSigningCertificate(BasicOCSPResp basicOCSPResp, CertificateValidatorConfig certificateValidatorConfig) {
        Optional<X509Certificate> empty;
        if (certificateValidatorConfig.ignoreCustomSigningCertificatesInOcspResponses) {
            return Optional.empty();
        }
        try {
            empty = OcspUtils.findOscpSigningCertificate(basicOCSPResp);
        } catch (Exception e) {
            LOG.warn("Unexpected error while loooking for OCSP signing certificate in OCSP-response. {}: '{}'", new Object[]{e.getClass().getSimpleName(), e.getMessage(), e});
            empty = Optional.empty();
        }
        return empty;
    }
}
