package org.xipki.ca.qa;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1StreamParser;
import org.bouncycastle.asn1.ASN1UTCTime;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.asn1.x509.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.profile.CertValidity;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.Range;
import org.xipki.ca.api.profile.x509.X509CertVersion;
import org.xipki.ca.certprofile.XmlX509Certprofile;
import org.xipki.ca.certprofile.XmlX509CertprofileUtil;
import org.xipki.ca.certprofile.x509.jaxb.ConstantExtValue;
import org.xipki.ca.certprofile.x509.jaxb.ExtensionType;
import org.xipki.ca.certprofile.x509.jaxb.ExtensionsType;
import org.xipki.ca.certprofile.x509.jaxb.RangeType;
import org.xipki.ca.certprofile.x509.jaxb.RangesType;
import org.xipki.ca.certprofile.x509.jaxb.X509ProfileType;
import org.xipki.ca.qa.internal.QaExtensionValue;
import org.xipki.common.qa.ValidationIssue;
import org.xipki.common.qa.ValidationResult;
import org.xipki.common.util.CollectionUtil;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.X509Util;

/* loaded from: input_file:org/xipki/ca/qa/X509CertprofileQa.class */
public class X509CertprofileQa {
    private static final Logger LOG = LoggerFactory.getLogger(X509CertprofileQa.class);
    private static final TimeZone UTC = TimeZone.getTimeZone("UTC");
    private static final long SECOND = 1000;
    private static final long MAX_CERT_TIME_MS = 253402300799982L;
    private static final long EPOCHTIME_2050010100 = 2524608000L;
    private final SubjectChecker subjectChecker;
    private final PublicKeyChecker publicKeyChecker;
    private final ExtensionsChecker extensionsChecker;
    private final XmlX509Certprofile certProfile;

    public X509CertprofileQa(String str) throws CertprofileException {
        this(((String) ParamUtil.requireNonNull("data", str)).getBytes());
    }

    public X509CertprofileQa(byte[] bArr) throws CertprofileException {
        ParamUtil.requireNonNull("dataBytes", bArr);
        try {
            X509ProfileType parse = XmlX509CertprofileUtil.parse(new ByteArrayInputStream(bArr));
            this.certProfile = new XmlX509Certprofile();
            this.certProfile.initialize(parse);
            this.publicKeyChecker = new PublicKeyChecker(this.certProfile.keyAlgorithms());
            this.subjectChecker = new SubjectChecker(this.certProfile.specialBehavior(), this.certProfile.subjectControl());
            this.extensionsChecker = new ExtensionsChecker(parse, this.certProfile);
        } catch (RuntimeException e) {
            LogUtil.error(LOG, e);
            throw new CertprofileException("RuntimeException thrown while initializing certprofile: " + e.getMessage());
        }
    }

    public ValidationResult checkCert(byte[] bArr, X509IssuerInfo x509IssuerInfo, X500Name x500Name, SubjectPublicKeyInfo subjectPublicKeyInfo, Extensions extensions) {
        int length;
        ParamUtil.requireNonNull("certBytes", bArr);
        ParamUtil.requireNonNull("issuerInfo", x509IssuerInfo);
        ParamUtil.requireNonNull("requestedSubject", x500Name);
        ParamUtil.requireNonNull("requestedPublicKey", subjectPublicKeyInfo);
        LinkedList linkedList = new LinkedList();
        ValidationIssue validationIssue = new ValidationIssue("X509.SIZE", "certificate size");
        linkedList.add(validationIssue);
        Integer maxSize = this.certProfile.maxSize();
        if (maxSize.intValue() != 0 && (length = bArr.length) > maxSize.intValue()) {
            validationIssue.setFailureMessage(String.format("certificate exceeds the maximal allowed size: %d > %d", Integer.valueOf(length), maxSize));
        }
        ValidationIssue validationIssue2 = new ValidationIssue("X509.ENCODING", "certificate encoding");
        linkedList.add(validationIssue2);
        try {
            Certificate certificate = Certificate.getInstance(bArr);
            TBSCertificate tBSCertificate = certificate.getTBSCertificate();
            X509Certificate parseCert = X509Util.parseCert(bArr);
            ValidationIssue validationIssue3 = new ValidationIssue("X509.VERSION", "certificate version");
            linkedList.add(validationIssue3);
            int versionNumber = tBSCertificate.getVersionNumber();
            X509CertVersion version = this.certProfile.version();
            if (versionNumber != version.versionNumber()) {
                validationIssue3.setFailureMessage("is '" + versionNumber + "' but expected '" + version.versionNumber() + "'");
            }
            ValidationIssue validationIssue4 = new ValidationIssue("X509.serialNumber", "certificate serial number");
            linkedList.add(validationIssue4);
            BigInteger value = tBSCertificate.getSerialNumber().getValue();
            if (value.signum() != 1) {
                validationIssue4.setFailureMessage("not positive");
            } else if (value.bitLength() >= 160) {
                validationIssue4.setFailureMessage("serial number has more than 20 octets");
            }
            List signatureAlgorithms = this.certProfile.signatureAlgorithms();
            if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
                ValidationIssue validationIssue5 = new ValidationIssue("X509.SIGALG", "signature algorithm");
                linkedList.add(validationIssue5);
                AlgorithmIdentifier signatureAlgorithm = certificate.getSignatureAlgorithm();
                if (!tBSCertificate.getSignature().equals(signatureAlgorithm)) {
                    validationIssue5.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
                }
                try {
                    String signatureAlgoName = AlgorithmUtil.getSignatureAlgoName(signatureAlgorithm);
                    if (!validationIssue5.isFailed() && !signatureAlgorithms.contains(signatureAlgoName)) {
                        validationIssue5.setFailureMessage("signatureAlgorithm '" + signatureAlgoName + "' is not allowed");
                    }
                    if (!validationIssue5.isFailed() && !AlgorithmUtil.getSigAlgId(signatureAlgoName).equals(signatureAlgorithm)) {
                        validationIssue5.setFailureMessage("invalid parameters");
                    }
                } catch (NoSuchAlgorithmException e) {
                    validationIssue5.setFailureMessage("unsupported signature algorithm " + signatureAlgorithm.getAlgorithm().getId());
                }
            }
            checkTime(tBSCertificate.getStartDate(), new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding"));
            checkTime(tBSCertificate.getStartDate(), new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding"));
            if (this.certProfile.isNotBeforeMidnight()) {
                ValidationIssue validationIssue6 = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
                linkedList.add(validationIssue6);
                Calendar calendar = Calendar.getInstance(UTC);
                calendar.setTime(parseCert.getNotBefore());
                int i = calendar.get(11);
                int i2 = calendar.get(12);
                int i3 = calendar.get(13);
                if (i != 0 || i2 != 0 || i3 != 0) {
                    validationIssue6.setFailureMessage(" '" + parseCert.getNotBefore() + "' is not midnight time (UTC)");
                }
            }
            ValidationIssue validationIssue7 = new ValidationIssue("X509.VALIDITY", "cert validity");
            linkedList.add(validationIssue7);
            if (parseCert.getNotAfter().before(parseCert.getNotBefore())) {
                validationIssue7.setFailureMessage("notAfter must not be before notBefore");
            } else if (parseCert.getNotBefore().before(x509IssuerInfo.caNotBefore())) {
                validationIssue7.setFailureMessage("notBefore must not be before CA's notBefore");
            } else {
                CertValidity validity = this.certProfile.validity();
                Date add = validity.add(parseCert.getNotBefore());
                if (add.getTime() > MAX_CERT_TIME_MS) {
                    add = new Date(MAX_CERT_TIME_MS);
                }
                if (x509IssuerInfo.isCutoffNotAfter() && add.after(x509IssuerInfo.caNotAfter())) {
                    add = x509IssuerInfo.caNotAfter();
                }
                if (Math.abs(add.getTime() - parseCert.getNotAfter().getTime()) > 60000) {
                    validationIssue7.setFailureMessage("cert validity is not within " + validity.toString());
                }
            }
            linkedList.addAll(this.publicKeyChecker.checkPublicKey(certificate.getSubjectPublicKeyInfo(), subjectPublicKeyInfo));
            ValidationIssue validationIssue8 = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
            linkedList.add(validationIssue8);
            try {
                parseCert.verify(x509IssuerInfo.cert().getPublicKey(), "BC");
            } catch (Exception e2) {
                validationIssue8.setFailureMessage("invalid signature");
            }
            ValidationIssue validationIssue9 = new ValidationIssue("X509.ISSUER", "certificate issuer");
            linkedList.add(validationIssue9);
            if (!parseCert.getIssuerX500Principal().equals(x509IssuerInfo.cert().getSubjectX500Principal())) {
                validationIssue9.setFailureMessage("issue in certificate does not equal the subject of CA certificate");
            }
            linkedList.addAll(this.subjectChecker.checkSubject(certificate.getSubject(), x500Name));
            ValidationIssue validationIssue10 = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
            linkedList.add(validationIssue10);
            if (tBSCertificate.getIssuerUniqueId() != null) {
                validationIssue10.setFailureMessage("is present but not permitted");
            }
            ValidationIssue validationIssue11 = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
            linkedList.add(validationIssue11);
            if (tBSCertificate.getSubjectUniqueId() != null) {
                validationIssue11.setFailureMessage("is present but not permitted");
            }
            linkedList.add(new ValidationIssue("X509.GrantedSubject", "grantedSubject"));
            linkedList.addAll(this.extensionsChecker.checkExtensions(certificate, x509IssuerInfo, extensions, x500Name));
            return new ValidationResult(linkedList);
        } catch (CertificateException e3) {
            validationIssue2.setFailureMessage("certificate is not corrected encoded");
            return new ValidationResult(linkedList);
        }
    }

    static Set<Range> buildParametersMap(RangesType rangesType) {
        if (rangesType == null) {
            return null;
        }
        HashSet hashSet = new HashSet();
        for (RangeType rangeType : rangesType.getRange()) {
            if (rangeType.getMin() != null || rangeType.getMax() != null) {
                hashSet.add(new Range(rangeType.getMin(), rangeType.getMax()));
            }
        }
        return hashSet;
    }

    public static Map<ASN1ObjectIdentifier, QaExtensionValue> buildConstantExtesions(ExtensionsType extensionsType) throws CertprofileException {
        if (extensionsType == null) {
            return null;
        }
        HashMap hashMap = new HashMap();
        for (ExtensionType extensionType : extensionsType.getExtension()) {
            if (extensionType.getValue() != null && (extensionType.getValue().getAny() instanceof ConstantExtValue)) {
                ASN1ObjectIdentifier aSN1ObjectIdentifier = new ASN1ObjectIdentifier(extensionType.getType().getValue());
                if (!Extension.subjectAlternativeName.equals(aSN1ObjectIdentifier) && !Extension.subjectInfoAccess.equals(aSN1ObjectIdentifier) && !Extension.biometricInfo.equals(aSN1ObjectIdentifier)) {
                    byte[] value = ((ConstantExtValue) extensionType.getValue().getAny()).getValue();
                    try {
                        new ASN1StreamParser(value).readObject();
                        hashMap.put(aSN1ObjectIdentifier, new QaExtensionValue(extensionType.isCritical(), value));
                    } catch (IOException e) {
                        throw new CertprofileException("could not parse the constant extension value", e);
                    }
                }
            }
        }
        if (CollectionUtil.isEmpty(hashMap)) {
            return null;
        }
        return Collections.unmodifiableMap(hashMap);
    }

    private static void checkTime(Time time, ValidationIssue validationIssue) {
        ASN1Primitive aSN1Primitive = time.toASN1Primitive();
        if (time.getDate().getTime() / SECOND < EPOCHTIME_2050010100) {
            if (aSN1Primitive instanceof ASN1UTCTime) {
                return;
            }
            validationIssue.setFailureMessage("not encoded as UTCTime");
        } else {
            if (aSN1Primitive instanceof ASN1GeneralizedTime) {
                return;
            }
            validationIssue.setFailureMessage("not encoded as GeneralizedTime");
        }
    }
}
