package eu.europa.esig.dss.validation;

import eu.europa.esig.dss.model.DSSException;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.revocation.Revocation;
import eu.europa.esig.dss.model.x509.revocation.crl.CRL;
import eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import eu.europa.esig.dss.spi.x509.ListCertificateSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/validation/OCSPAndCRLRevocationSource.class */
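/**
 * Revocation source that queries an OCSP source first and falls back to a CRL source.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A {@code null} result means "no usable revocation data was obtained". It is never a
 *       statement that the certificate is good; callers must treat it as an unknown status.</li>
 *   <li>A {@link DSSException} thrown by either underlying source is logged and converted to
 *       {@code null}, so a failing source and an absent answer look the same to the caller.
 *       Other exception types are not caught here.</li>
 *   <li>OCSP tokens are accepted only if they carry a status, have a known issuer (responder)
 *       certificate that is acceptable (see {@link #isAcceptable}), and were produced within
 *       that issuer certificate's validity range. CRL tokens are only checked for the presence
 *       of a status in this class; any further CRL validation is not visible here and has to
 *       happen in the CRL source or downstream.</li>
 * </ul>
 */
public class OCSPAndCRLRevocationSource implements RevocationSource<Revocation> {
    private static final long serialVersionUID = 3205352844337899410L;
    private static final Logger LOG = LoggerFactory.getLogger(OCSPAndCRLRevocationSource.class);

    /** OCSP source, queried first; may be {@code null}, in which case OCSP is skipped. */
    private final RevocationSource<OCSP> ocspSource;

    /** CRL source, queried when OCSP gives no usable token; may be {@code null}. */
    private final RevocationSource<CRL> crlSource;

    /** Optional trust anchors; when unset, no certificate is considered trusted by this class. */
    private ListCertificateSource trustedListCertificateSource;

    /**
     * Creates the combined source.
     *
     * @param revocationSource  the CRL source (may be {@code null})
     * @param revocationSource2 the OCSP source (may be {@code null})
     */
    public OCSPAndCRLRevocationSource(RevocationSource<CRL> revocationSource, RevocationSource<OCSP> revocationSource2) {
        this.crlSource = revocationSource;
        this.ocspSource = revocationSource2;
    }

    /**
     * Sets the trusted certificates used when deciding whether an OCSP responder certificate
     * itself needs revocation data.
     *
     * @param listCertificateSource the trusted certificate sources, or {@code null} for none
     */
    public void setTrustedCertificateSource(ListCertificateSource listCertificateSource) {
        this.trustedListCertificateSource = listCertificateSource;
    }

    /**
     * Returns the first usable revocation token for the certificate, preferring OCSP over CRL.
     *
     * @param certificateToken  the certificate whose revocation status is requested
     * @param certificateToken2 the second certificate handed unchanged to the underlying sources
     *                          (presumably the issuer of {@code certificateToken}; confirm
     *                          against the {@code RevocationSource} contract)
     * @return an OCSP token, else a CRL token, else {@code null} when neither source produced
     *         an accepted token; {@code null} must be handled as "status unknown"
     */
    @Override
    public RevocationToken<Revocation> getRevocationToken(CertificateToken certificateToken, CertificateToken certificateToken2) {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Check revocation for certificate : {}", certificateToken.getDSSIdAsString());
        }
        RevocationToken<OCSP> ocspToken = checkOCSP(certificateToken, certificateToken2);
        if (ocspToken != null) {
            return widen(ocspToken);
        }
        RevocationToken<CRL> crlToken = checkCRL(certificateToken, certificateToken2);
        if (crlToken != null) {
            return widen(crlToken);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("There is no response for {} neither from OCSP nor from CRL!", certificateToken.getDSSIdAsString());
        }
        return null;
    }

    /**
     * Views an OCSP or CRL token as a token of the common {@link Revocation} type.
     *
     * <p>Generic types are invariant, so a {@code RevocationToken<OCSP>} cannot be returned as a
     * {@code RevocationToken<Revocation>} without a cast. The cast is confined to this helper so
     * the suppression covers the smallest possible scope; the object itself is not changed.
     */
    @SuppressWarnings("unchecked")
    private static RevocationToken<Revocation> widen(RevocationToken<? extends Revocation> token) {
        return (RevocationToken<Revocation>) token;
    }

    /**
     * Queries the OCSP source and returns the token only if it passes every local check.
     *
     * @param certificateToken  the certificate whose status is requested
     * @param certificateToken2 the second certificate passed on to the OCSP source
     * @return the accepted OCSP token, or {@code null} when there is no OCSP source, the source
     *         returned nothing, a check failed, or the source threw a {@link DSSException}
     */
    public RevocationToken<OCSP> checkOCSP(CertificateToken certificateToken, CertificateToken certificateToken2) {
        if (this.ocspSource == null) {
            LOG.debug("OCSPSource null");
            return null;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("OCSP request for: {} using: {}", certificateToken.getDSSIdAsString(), this.ocspSource.getClass().getSimpleName());
        }
        try {
            RevocationToken<OCSP> revocationToken = this.ocspSource.getRevocationToken(certificateToken, certificateToken2);
            // Order matters: each check logs its own warning, and later checks assume the earlier ones held.
            boolean accepted = revocationToken != null
                    && containsCertificateStatus(revocationToken)
                    && isAcceptable(revocationToken)
                    && isIssuerValidAtRevocationProductionTime(revocationToken);
            if (accepted) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("OCSP response for {} retrieved: {}", certificateToken.getDSSIdAsString(), revocationToken.getAbbreviation());
                    LOG.debug("OCSP Response {} status is : {}", revocationToken.getDSSIdAsString(), revocationToken.getStatus());
                }
                return revocationToken;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("An OCSP response for token {} is not obtained! Return null value.", certificateToken.getDSSIdAsString());
            }
            return null;
        } catch (DSSException e) {
            // Fail-soft: the caller falls back to CRL and cannot distinguish this from "no answer".
            LOG.error("OCSP DSS Exception: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Queries the CRL source and returns the token if it carries a certificate status.
     *
     * <p>Unlike {@link #checkOCSP}, no issuer acceptability or issuer-validity-at-production-time
     * check is applied here.
     *
     * @param certificateToken  the certificate whose status is requested
     * @param certificateToken2 the second certificate passed on to the CRL source
     * @return the CRL token, or {@code null} when there is no CRL source, the source returned
     *         nothing, the token has no status, or the source threw a {@link DSSException}
     */
    public RevocationToken<CRL> checkCRL(CertificateToken certificateToken, CertificateToken certificateToken2) {
        if (this.crlSource == null) {
            LOG.debug("CRLSource is null");
            return null;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("CRL request for: {} using: {}", certificateToken.getDSSIdAsString(), this.crlSource.getClass().getSimpleName());
        }
        try {
            RevocationToken<CRL> revocationToken = this.crlSource.getRevocationToken(certificateToken, certificateToken2);
            if (revocationToken != null && containsCertificateStatus(revocationToken)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("CRL for {} retrieved: {}", certificateToken.getDSSIdAsString(), revocationToken.getAbbreviation());
                }
                return revocationToken;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("A CRL for token {} is not obtained! Return null value.", certificateToken.getDSSIdAsString());
            }
            return null;
        } catch (DSSException e) {
            // Fail-soft: a broken CRL source yields null rather than an error for the caller.
            LOG.error("CRL DSS Exception: {}", e.getMessage(), e);
            return null;
        }
    }

    /** Returns {@code true} when the token reports a status; logs a warning and rejects it otherwise. */
    private boolean containsCertificateStatus(RevocationToken<?> revocationToken) {
        if (revocationToken.getStatus() == null) {
            LOG.warn("The obtained revocation token does not contain the certificate status. The token is skipped.");
            return false;
        }
        return true;
    }

    /**
     * Decides whether an OCSP token's issuer (responder) certificate is acceptable.
     *
     * <p>The issuer must be known. If it requires revocation data (see
     * {@link #doesRequireRevocation}) it must also advertise at least one OCSP or CRL access
     * location. This only checks that revocation data could be located; it does not fetch or
     * evaluate that data.
     */
    private boolean isAcceptable(RevocationToken<OCSP> revocationToken) {
        CertificateToken issuerCertificateToken = revocationToken.getIssuerCertificateToken();
        if (issuerCertificateToken == null) {
            LOG.warn("The issuer certificate is not found for the obtained OCSPToken. The token is skipped.");
            return false;
        }
        if (doesRequireRevocation(issuerCertificateToken) && !hasRevocationAccessPoints(issuerCertificateToken)) {
            LOG.warn("The issuer certificate of the obtained OCSPToken requires a revocation data, which is not acceptable due its configuration (no revocation access location points). The token is skipped.");
            return false;
        }
        return true;
    }

    /**
     * Returns {@code true} unless the certificate is self-signed, trusted, or carries the
     * id-pkix-ocsp-nocheck extension.
     */
    private boolean doesRequireRevocation(CertificateToken certificateToken) {
        return !(certificateToken.isSelfSigned()
                || isTrusted(certificateToken)
                || DSSASN1Utils.hasIdPkixOcspNoCheckExtension(certificateToken));
    }

    /** Returns {@code true} only when a trusted source is configured and it trusts the certificate. */
    private boolean isTrusted(CertificateToken certificateToken) {
        return this.trustedListCertificateSource != null && this.trustedListCertificateSource.isTrusted(certificateToken);
    }

    /** Returns {@code true} when the certificate lists at least one OCSP access location or CRL URL. */
    private boolean hasRevocationAccessPoints(CertificateToken certificateToken) {
        return Utils.isCollectionNotEmpty(DSSASN1Utils.getOCSPAccessLocations(certificateToken))
                || Utils.isCollectionNotEmpty(DSSASN1Utils.getCrlUrls(certificateToken));
    }

    /**
     * Returns {@code true} when the token was produced within its issuer certificate's validity
     * range, as decided by {@link DSSRevocationUtils}; logs a warning and rejects it otherwise.
     */
    private boolean isIssuerValidAtRevocationProductionTime(RevocationToken<?> revocationToken) {
        if (!DSSRevocationUtils.checkIssuerValidAtRevocationProductionTime(revocationToken)) {
            LOG.warn("The revocation token has been produced outside the issuer certificate's validity range. The token is skipped.");
            return false;
        }
        return true;
    }
}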
