package org.xipki.ca.api;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.sec.SECObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.ExtensionSpec;
import org.xipki.ca.api.profile.KeyParametersOption;
import org.xipki.security.EdECConstants;
import org.xipki.security.HashAlgo;
import org.xipki.security.KeyUsage;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SignAlgo;
import org.xipki.util.CollectionUtil;
import org.xipki.util.TripleState;
import org.xipki.util.Validity;

/* loaded from: input_file:org/xipki/ca/api/CertprofileValidator.class */
public class CertprofileValidator {
    private static final Validity maxCabEeValidity = new Validity(397, Validity.Unit.DAY);

    public static void validate(Certprofile certprofile) throws CertprofileException {
        List asList;
        StringBuilder sb = new StringBuilder();
        Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> extensionControls = certprofile.getExtensionControls();
        HashSet<ASN1ObjectIdentifier> hashSet = new HashSet(extensionControls.keySet());
        Certprofile.CertLevel certLevel = certprofile.getCertLevel();
        Certprofile.CertDomain certDomain = certprofile.getCertDomain();
        ExtensionSpec extensionSpec = ExtensionSpec.getExtensionSpec(certDomain, certLevel);
        HashSet hashSet2 = new HashSet();
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier : hashSet) {
            if (extensionControls.get(aSN1ObjectIdentifier).isPermittedInRequest() && extensionSpec.isNonRequest(aSN1ObjectIdentifier)) {
                hashSet2.add(aSN1ObjectIdentifier);
            }
        }
        if (CollectionUtil.isNotEmpty(hashSet2)) {
            sb.append("extensions ").append(toString(hashSet2)).append(" must not be contained in request, ");
        }
        hashSet2.clear();
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier2 : hashSet) {
            if (extensionSpec.isNotPermitted(aSN1ObjectIdentifier2)) {
                hashSet2.add(aSN1ObjectIdentifier2);
            }
        }
        if (CollectionUtil.isNotEmpty(hashSet2)) {
            sb.append("extensions ").append(toString(hashSet2)).append(" must not be contained, ");
        }
        hashSet2.clear();
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier3 : hashSet) {
            if (extensionControls.get(aSN1ObjectIdentifier3).isCritical() && extensionSpec.isNonCriticalOnly(aSN1ObjectIdentifier3)) {
                hashSet2.add(aSN1ObjectIdentifier3);
            }
        }
        if (CollectionUtil.isNotEmpty(hashSet2)) {
            sb.append("critical only extensions are marked as non-critical ").append(toString(hashSet2)).append(", ");
        }
        hashSet2.clear();
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier4 : hashSet) {
            if (!extensionControls.get(aSN1ObjectIdentifier4).isCritical() && extensionSpec.isCriticalOnly(aSN1ObjectIdentifier4)) {
                hashSet2.add(aSN1ObjectIdentifier4);
            }
        }
        if (CollectionUtil.isNotEmpty(hashSet2)) {
            sb.append("non-critical only extensions are marked as critical ").append(toString(hashSet2)).append(", ");
        }
        hashSet2.clear();
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier5 : extensionSpec.getRequiredExtensions()) {
            Certprofile.ExtensionControl extensionControl = extensionControls.get(aSN1ObjectIdentifier5);
            if (extensionControl == null || !extensionControl.isRequired()) {
                hashSet2.add(aSN1ObjectIdentifier5);
            }
        }
        if (!hashSet2.isEmpty()) {
            sb.append("required extensions are not configured or not marked as required ").append(toString(hashSet2)).append(", ");
        }
        Set<Certprofile.KeyUsageControl> keyUsage = certprofile.getKeyUsage();
        if (certLevel == Certprofile.CertLevel.EndEntity) {
            KeyUsage[] keyUsageArr = {KeyUsage.keyCertSign};
            HashSet hashSet3 = new HashSet();
            for (KeyUsage keyUsage2 : keyUsageArr) {
                if (containsKeyusage(keyUsage, keyUsage2)) {
                    hashSet3.add(keyUsage2);
                }
            }
            if (CollectionUtil.isNotEmpty(hashSet3)) {
                sb.append("EndEntity profile must not contain CA-only keyUsage ").append(hashSet3).append(", ");
            }
        } else if (!(containsKeyusage(keyUsage, KeyUsage.keyCertSign) || containsKeyusage(keyUsage, KeyUsage.cRLSign))) {
            sb.append("CA profile does not contain any of keyCertSign and cRLSign, ");
        }
        if (certLevel == Certprofile.CertLevel.CROSS) {
            Map<ASN1ObjectIdentifier, Certprofile.ExtensionControl> extensionControls2 = certprofile.getExtensionControls();
            for (ASN1ObjectIdentifier aSN1ObjectIdentifier6 : new ASN1ObjectIdentifier[]{Extension.subjectKeyIdentifier, Extension.basicConstraints}) {
                Certprofile.ExtensionControl extensionControl2 = extensionControls2.get(aSN1ObjectIdentifier6);
                if (extensionControl2 == null) {
                    sb.append("Mandatory extension ").append(ObjectIdentifiers.getName(aSN1ObjectIdentifier6)).append(" is not set, ");
                } else {
                    TripleState inRequest = extensionControl2.getInRequest();
                    if (inRequest != TripleState.required && inRequest != TripleState.optional) {
                        sb.append("Extension ").append(ObjectIdentifiers.getName(aSN1ObjectIdentifier6)).append(" must be allowed in the request, ");
                    }
                }
            }
        }
        if (certLevel == Certprofile.CertLevel.RootCA && certprofile.getPathLenBasicConstraint() != null) {
            sb.append("Root CA must not set PathLen, ");
        }
        if (certDomain == Certprofile.CertDomain.CABForumBR) {
            validateCABForumBR(certprofile, sb);
        }
        Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = certprofile.getKeyAlgorithms();
        boolean z = keyAlgorithms.containsKey(EdECConstants.id_ED25519) || keyAlgorithms.containsKey(EdECConstants.id_ED448);
        boolean z2 = keyAlgorithms.containsKey(EdECConstants.id_X25519) || keyAlgorithms.containsKey(EdECConstants.id_X448);
        if (z || z2) {
            HashSet hashSet4 = new HashSet();
            HashSet hashSet5 = new HashSet();
            for (Certprofile.KeyUsageControl keyUsageControl : keyUsage) {
                if (keyUsageControl.isRequired()) {
                    hashSet4.add(keyUsageControl.getKeyUsage());
                } else {
                    hashSet5.add(keyUsageControl.getKeyUsage());
                }
            }
            if (z2) {
                if (certLevel != Certprofile.CertLevel.EndEntity) {
                    sb.append("montgomery curves are not permitted in CA certificates, ");
                }
                if (!hashSet4.contains(KeyUsage.keyAgreement)) {
                    sb.append("required KeyUsage KeyAgreement is not marked as 'required', ");
                }
                asList = Arrays.asList(KeyUsage.keyAgreement, KeyUsage.encipherOnly, KeyUsage.decipherOnly);
            } else if (certLevel == Certprofile.CertLevel.EndEntity) {
                if (!hashSet4.contains(KeyUsage.digitalSignature) && !hashSet4.contains(KeyUsage.contentCommitment)) {
                    sb.append("required KeyUsage digitalSignature or contentCommitment is not marked as 'required', ");
                }
                asList = Arrays.asList(KeyUsage.digitalSignature, KeyUsage.contentCommitment);
            } else {
                asList = Arrays.asList(KeyUsage.digitalSignature, KeyUsage.contentCommitment, KeyUsage.keyCertSign, KeyUsage.cRLSign);
            }
            Objects.requireNonNull(hashSet4);
            asList.forEach((v1) -> {
                r1.remove(v1);
            });
            Objects.requireNonNull(hashSet5);
            asList.forEach((v1) -> {
                r1.remove(v1);
            });
            if (!hashSet4.isEmpty()) {
                sb.append("Required KeyUsage items ").append(hashSet4).append(" are not permitted, ");
            }
            if (!hashSet5.isEmpty()) {
                sb.append("Optional KeyUsage items ").append(hashSet4).append(" are not permitted, ");
            }
        }
        int length = sb.length();
        if (length > 2) {
            sb.delete(length - 2, length);
            throw new CertprofileException(sb.toString());
        }
    }

    private static void validateCABForumBR(Certprofile certprofile, StringBuilder sb) {
        Set<String> protocols;
        Set<String> protocols2;
        Certprofile.SubjectControl subjectControl = certprofile.getSubjectControl();
        if (CollectionUtil.isNotEmpty(subjectControl.getGroups())) {
            sb.append("multiple AttributeAndTypes in one RDN is not permitted, ");
        }
        Iterator<ASN1ObjectIdentifier> it = subjectControl.getTypes().iterator();
        while (it.hasNext()) {
            if (subjectControl.getControl(it.next()).getMaxOccurs() > 1) {
                sb.append("multiple RDNs of the same type are not permitted, ");
            }
        }
        Certprofile.CertLevel certLevel = certprofile.getCertLevel();
        if (certLevel == Certprofile.CertLevel.EndEntity && certprofile.getValidity().compareTo(maxCabEeValidity) > 0) {
            sb.append("validity exceeds the maximal validity of subscriber certificate, ");
        }
        List<SignAlgo> signatureAlgorithms = certprofile.getSignatureAlgorithms();
        if (signatureAlgorithms == null) {
            sb.append("signature algorithms not defined, ");
        } else {
            List asList = Arrays.asList(HashAlgo.SHA256, HashAlgo.SHA384, HashAlgo.SHA512);
            Iterator<SignAlgo> it2 = signatureAlgorithms.iterator();
            while (it2.hasNext()) {
                HashAlgo hashAlgo = it2.next().getHashAlgo();
                if (!asList.contains(hashAlgo)) {
                    sb.append("unpermitted hash algorithm ").append(hashAlgo).append(", ");
                }
            }
        }
        Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = certprofile.getKeyAlgorithms();
        if (CollectionUtil.isEmpty(keyAlgorithms)) {
            sb.append("keyAlgorithms is not configured, ");
        } else {
            for (Map.Entry<ASN1ObjectIdentifier, KeyParametersOption> entry : keyAlgorithms.entrySet()) {
                ASN1ObjectIdentifier key = entry.getKey();
                KeyParametersOption value = entry.getValue();
                if (key.equals(PKCSObjectIdentifiers.rsaEncryption)) {
                    if (!(value instanceof KeyParametersOption.RSAParametersOption)) {
                        sb.append("unpermitted RSA modulus are configured, ");
                    } else if (((KeyParametersOption.RSAParametersOption) value).allowsModulusLength(2047)) {
                        sb.append("minimum RSA modulus size 2048 bit not satisfied, ");
                    }
                } else if (key.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
                    if (value instanceof KeyParametersOption.ECParamatersOption) {
                        HashSet hashSet = new HashSet(((KeyParametersOption.ECParamatersOption) value).getCurveOids());
                        hashSet.remove(SECObjectIdentifiers.secp256r1);
                        hashSet.remove(SECObjectIdentifiers.secp384r1);
                        hashSet.remove(SECObjectIdentifiers.secp521r1);
                        if (!hashSet.isEmpty()) {
                            sb.append("EC curves ").append(hashSet).append(" are not permitted, ");
                        }
                    } else {
                        sb.append("unpermitted EC curves are configured, ");
                    }
                } else if (!key.equals(X9ObjectIdentifiers.id_dsa)) {
                    sb.append("keyAlgorithm ").append(key.getId()).append(" is not permitted, ");
                } else if (value instanceof KeyParametersOption.DSAParametersOption) {
                    KeyParametersOption.DSAParametersOption dSAParametersOption = (KeyParametersOption.DSAParametersOption) value;
                    if (dSAParametersOption.allowsPlength(2047)) {
                        sb.append("minimum L (2048) not satisfied, ");
                    }
                    if (dSAParametersOption.allowsQlength(223)) {
                        sb.append("minimum N (224) not satisfied, ");
                    }
                } else {
                    sb.append("unpermitted DSA (p,q) are configured, ");
                }
            }
        }
        if (certLevel != Certprofile.CertLevel.RootCA) {
            Certprofile.CrlDistributionPointsControl crlDpControl = certprofile.getCrlDpControl();
            if (crlDpControl != null && ((protocols2 = crlDpControl.getProtocols()) == null || protocols2.size() != 1 || !protocols2.contains("http"))) {
                sb.append("CRLDistributionPoints allows protocol other than http, ");
            }
            Certprofile.CrlDistributionPointsControl freshestCrlControl = certprofile.getFreshestCrlControl();
            if (freshestCrlControl != null && ((protocols = freshestCrlControl.getProtocols()) == null || protocols.size() != 1 || !protocols.contains("http"))) {
                sb.append("FreshestCRL allows protocol other than http, ");
            }
            Certprofile.AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
            if (aiaControl != null) {
                if (aiaControl.isIncludesOcsp()) {
                    Set<String> ocspProtocols = aiaControl.getOcspProtocols();
                    if (ocspProtocols == null || ocspProtocols.size() != 1 || !ocspProtocols.contains("http")) {
                        sb.append("AIA OCSP allows protocol other than http, ");
                    }
                } else {
                    sb.append("access method id-ad-ocsp is not configured, ");
                }
                if (aiaControl.isIncludesCaIssuers()) {
                    Set<String> caIssuersProtocols = aiaControl.getCaIssuersProtocols();
                    if (caIssuersProtocols == null || caIssuersProtocols.size() != 1 || !caIssuersProtocols.contains("http")) {
                        sb.append("AIA CAIssuers allows protocol other than http, ");
                    }
                } else {
                    sb.append("access method id-ad-caIssuers is not configured, ");
                }
            }
        }
        if ((certLevel == Certprofile.CertLevel.SubCA || certLevel == Certprofile.CertLevel.EndEntity) && certprofile.getCertificatePolicies() == null) {
            sb.append("CertificatePolicies is not configured, ");
        }
        Set<Certprofile.KeyUsageControl> keyUsage = certprofile.getKeyUsage();
        if (certLevel == Certprofile.CertLevel.RootCA || certLevel == Certprofile.CertLevel.SubCA) {
            if (!containsKeyusage(keyUsage, KeyUsage.cRLSign)) {
                sb.append("CA profile does contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
            }
        } else if (certLevel == Certprofile.CertLevel.EndEntity && containsKeyusage(keyUsage, KeyUsage.cRLSign)) {
            sb.append("EndEntity profile must not contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
        }
        Set<Certprofile.ExtKeyUsageControl> extendedKeyUsages = certprofile.getExtendedKeyUsages();
        if (certLevel != Certprofile.CertLevel.EndEntity) {
            if (extendedKeyUsages != null) {
                Iterator<Certprofile.ExtKeyUsageControl> it3 = extendedKeyUsages.iterator();
                while (it3.hasNext()) {
                    if (it3.next().getExtKeyUsage().equals(ObjectIdentifiers.XKU.id_kp_anyExtendedKeyUsage)) {
                        sb.append(ObjectIdentifiers.XKU.id_kp_clientAuth).append(" is not allowed, ");
                    }
                }
                return;
            }
            return;
        }
        boolean z = false;
        boolean z2 = false;
        for (Certprofile.ExtKeyUsageControl extKeyUsageControl : extendedKeyUsages) {
            ASN1ObjectIdentifier extKeyUsage = extKeyUsageControl.getExtKeyUsage();
            if (extKeyUsageControl.isRequired()) {
                if (ObjectIdentifiers.XKU.id_kp_serverAuth.equals(extKeyUsage)) {
                    z = true;
                } else if (ObjectIdentifiers.XKU.id_kp_clientAuth.equals(extKeyUsage)) {
                    z2 = true;
                }
            }
            if (!ObjectIdentifiers.XKU.id_kp_serverAuth.equals(extKeyUsage) && !ObjectIdentifiers.XKU.id_kp_clientAuth.equals(extKeyUsage) && !ObjectIdentifiers.XKU.id_kp_emailProtection.equals(extKeyUsage)) {
                sb.append("extendedKeyUsage ").append(extKeyUsage.getId()).append(" is not permitted, ");
            }
        }
        if (!z2 && !z) {
            sb.append("none of ").append(ObjectIdentifiers.XKU.id_kp_clientAuth).append(" and ").append(ObjectIdentifiers.XKU.id_kp_serverAuth).append(" is not configured, ");
        }
    }

    private static boolean containsKeyusage(Set<Certprofile.KeyUsageControl> set, KeyUsage keyUsage) {
        Iterator<Certprofile.KeyUsageControl> it = set.iterator();
        while (it.hasNext()) {
            if (keyUsage == it.next().getKeyUsage()) {
                return true;
            }
        }
        return false;
    }

    private static String toString(Set<ASN1ObjectIdentifier> set) {
        if (set == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder();
        sb.append("[");
        for (ASN1ObjectIdentifier aSN1ObjectIdentifier : set) {
            String name = ObjectIdentifiers.getName(aSN1ObjectIdentifier);
            if (name != null) {
                sb.append(name);
                sb.append(" (").append(aSN1ObjectIdentifier.getId()).append(")");
            } else {
                sb.append(aSN1ObjectIdentifier.getId());
            }
            sb.append(", ");
        }
        if (CollectionUtil.isNotEmpty(set)) {
            int length = sb.length();
            sb.delete(length - 2, length);
        }
        sb.append("]");
        return sb.toString();
    }
}
