package eu.europa.esig.dss.validation;

import eu.europa.esig.dss.CertificateReorderer;
import eu.europa.esig.dss.alert.status.Status;
import eu.europa.esig.dss.enumerations.CertificateSourceType;
import eu.europa.esig.dss.enumerations.RevocationReason;
import eu.europa.esig.dss.enumerations.RevocationType;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.Token;
import eu.europa.esig.dss.model.x509.X500PrincipalHelper;
import eu.europa.esig.dss.model.x509.revocation.Revocation;
import eu.europa.esig.dss.model.x509.revocation.crl.CRL;
import eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSRevocationUtils;
import eu.europa.esig.dss.spi.client.http.DataLoader;
import eu.europa.esig.dss.spi.x509.AlternateUrlsSourceAdapter;
import eu.europa.esig.dss.spi.x509.CertificateRef;
import eu.europa.esig.dss.spi.x509.CertificateValidity;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.spi.x509.ListCertificateSource;
import eu.europa.esig.dss.spi.x509.ResponderId;
import eu.europa.esig.dss.spi.x509.revocation.RevocationCertificateSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationSourceAlternateUrlsSupport;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.timestamp.TimestampToken;
import eu.europa.esig.dss.validation.timestamp.TimestampedReference;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/validation/SignatureValidationContext.class */
public class SignatureValidationContext implements ValidationContext {
    private static final Logger LOG = LoggerFactory.getLogger(SignatureValidationContext.class);
    private CertificateVerifier certificateVerifier;
    private DataLoader dataLoader;
    private Map<CertificateToken, List<CertificateToken>> orderedCertificateChains;
    private RevocationSource<OCSP> ocspSource;
    private RevocationSource<CRL> crlSource;
    private ListCertificateSource trustedCertSources;
    private ListCertificateSource adjunctCertSources;
    private ListRevocationSource<CRL> signatureCRLSource;
    private ListRevocationSource<OCSP> signatureOCSPSource;
    private ListCertificateSource signatureCertificateSource;
    private boolean checkRevocationForUntrustedChains;
    private final Set<CertificateToken> processedCertificates = new HashSet();
    private final Set<RevocationToken<Revocation>> processedRevocations = new HashSet();
    private final Set<TimestampToken> processedTimestamps = new HashSet();
    private final Map<Token, Boolean> tokensToProcess = new HashMap();
    private final Map<CertificateToken, Date> lastTimestampCertChainDates = new HashMap();
    private final Map<String, List<Date>> poeTimes = new HashMap();
    private ListCertificateSource aiaCertificateSources = new ListCertificateSource();
    private ListCertificateSource revocationCertificateSources = new ListCertificateSource();
    protected Date currentTime = new Date();

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void initialize(CertificateVerifier certificateVerifier) {
        Objects.requireNonNull(certificateVerifier);
        this.certificateVerifier = certificateVerifier;
        this.crlSource = certificateVerifier.getCrlSource();
        this.ocspSource = certificateVerifier.getOcspSource();
        this.dataLoader = certificateVerifier.getDataLoader();
        this.signatureCRLSource = certificateVerifier.getSignatureCRLSource();
        this.signatureOCSPSource = certificateVerifier.getSignatureOCSPSource();
        this.signatureCertificateSource = certificateVerifier.getSignatureCertificateSource();
        this.adjunctCertSources = certificateVerifier.getAdjunctCertSources();
        this.trustedCertSources = certificateVerifier.getTrustedCertSources();
        this.checkRevocationForUntrustedChains = certificateVerifier.isCheckRevocationForUntrustedChains();
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Date getCurrentTime() {
        return this.currentTime;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void setCurrentTime(Date date) {
        Objects.requireNonNull(date);
        this.currentTime = date;
    }

    private Token getNotYetVerifiedToken() {
        synchronized (this.tokensToProcess) {
            for (Map.Entry<Token, Boolean> entry : this.tokensToProcess.entrySet()) {
                if (entry.getValue() == null) {
                    entry.setValue(true);
                    return entry.getKey();
                }
            }
            return null;
        }
    }

    private TimestampToken getNotYetVerifiedTimestamp() {
        synchronized (this.tokensToProcess) {
            for (Map.Entry<Token, Boolean> entry : this.tokensToProcess.entrySet()) {
                if (entry.getValue() == null && (entry.getKey() instanceof TimestampToken)) {
                    entry.setValue(true);
                    return (TimestampToken) entry.getKey();
                }
            }
            return null;
        }
    }

    private Map<CertificateToken, List<CertificateToken>> getOrderedCertificateChains() {
        if (this.orderedCertificateChains == null) {
            this.orderedCertificateChains = new CertificateReorderer(this.processedCertificates).getOrderedCertificateChains();
        }
        return this.orderedCertificateChains;
    }

    private List<Token> getCertChain(Token token) {
        LinkedList linkedList = new LinkedList();
        Token token2 = token;
        do {
            linkedList.add(token2);
            token2 = getIssuer(token2);
            if (token2 == null) {
                break;
            }
        } while (!linkedList.contains(token2));
        return linkedList;
    }

    private Token getIssuer(Token token) {
        ListCertificateSource allCertificateSources = getAllCertificateSources();
        CertificateToken tokenIssuerFromCandidates = getTokenIssuerFromCandidates(token, getIssuersFromSources(token, allCertificateSources));
        if (tokenIssuerFromCandidates == null && (token instanceof CertificateToken) && this.dataLoader != null) {
            AIACertificateSource aIACertificateSource = new AIACertificateSource((CertificateToken) token, this.dataLoader);
            this.aiaCertificateSources.add(aIACertificateSource);
            tokenIssuerFromCandidates = aIACertificateSource.getIssuerFromAIA();
        }
        if (tokenIssuerFromCandidates == null && (token instanceof OCSPToken)) {
            tokenIssuerFromCandidates = getOCSPIssuer((OCSPToken) token, allCertificateSources);
        }
        if (tokenIssuerFromCandidates == null && (token instanceof TimestampToken)) {
            tokenIssuerFromCandidates = getTSACertificate((TimestampToken) token, allCertificateSources);
        }
        if (tokenIssuerFromCandidates instanceof CertificateToken) {
            addCertificateTokenForVerification(tokenIssuerFromCandidates);
        }
        return tokenIssuerFromCandidates;
    }

    private ListCertificateSource getAllCertificateSources() {
        ListCertificateSource listCertificateSource = new ListCertificateSource();
        listCertificateSource.addAll(this.signatureCertificateSource);
        listCertificateSource.addAll(this.revocationCertificateSources);
        listCertificateSource.addAll(this.aiaCertificateSources);
        listCertificateSource.addAll(this.adjunctCertSources);
        listCertificateSource.addAll(this.trustedCertSources);
        return listCertificateSource;
    }

    private Set<CertificateToken> getIssuersFromSources(Token token, ListCertificateSource listCertificateSource) {
        return token.getPublicKeyOfTheSigner() != null ? listCertificateSource.getByPublicKey(token.getPublicKeyOfTheSigner()) : token.getIssuerX500Principal() != null ? listCertificateSource.getBySubject(new X500PrincipalHelper(token.getIssuerX500Principal())) : Collections.emptySet();
    }

    private CertificateToken getOCSPIssuer(OCSPToken oCSPToken, ListCertificateSource listCertificateSource) {
        ResponderId responderId;
        Set allCertificateRefs = oCSPToken.getCertificateSource().getAllCertificateRefs();
        if (Utils.collectionSize(allCertificateRefs) != 1 || (responderId = ((CertificateRef) allCertificateRefs.iterator().next()).getResponderId()) == null) {
            LOG.warn("Signing certificate is not found for an OCSPToken with id '{}'.", oCSPToken.getDSSIdAsString());
            return null;
        }
        HashSet hashSet = new HashSet();
        if (responderId.getSki() != null) {
            hashSet.addAll(listCertificateSource.getBySki(responderId.getSki()));
        }
        if (responderId.getX500Principal() != null) {
            hashSet.addAll(listCertificateSource.getBySubject(new X500PrincipalHelper(responderId.getX500Principal())));
        }
        return getTokenIssuerFromCandidates(oCSPToken, hashSet);
    }

    private CertificateToken getTSACertificate(TimestampToken timestampToken, ListCertificateSource listCertificateSource) {
        CertificateValidity theBestCandidate = timestampToken.getCandidatesForSigningCertificate().getTheBestCandidate();
        if (theBestCandidate == null) {
            return null;
        }
        HashSet hashSet = new HashSet();
        CertificateToken certificateToken = theBestCandidate.getCertificateToken();
        if (certificateToken == null) {
            hashSet.addAll(listCertificateSource.getByCertificateIdentifier(theBestCandidate.getSignerInfo()));
        } else {
            hashSet.add(certificateToken);
        }
        return getTokenIssuerFromCandidates(timestampToken, hashSet);
    }

    private CertificateToken getTokenIssuerFromCandidates(Token token, Collection<CertificateToken> collection) {
        ArrayList arrayList = new ArrayList();
        for (CertificateToken certificateToken : collection) {
            if (token.isSignedBy(certificateToken)) {
                arrayList.add(certificateToken);
                if (certificateToken.isValidOn(token.getCreationDate())) {
                    return certificateToken;
                }
            }
        }
        if (!Utils.isCollectionNotEmpty(arrayList)) {
            return null;
        }
        LOG.warn("No issuer found for the token creation date. The process continues with an issuer which has the same public key.");
        return (CertificateToken) arrayList.iterator().next();
    }

    private boolean addTokenForVerification(Token token) {
        if (token == null) {
            return false;
        }
        boolean isTraceEnabled = LOG.isTraceEnabled();
        if (isTraceEnabled) {
            LOG.trace("addTokenForVerification: trying to acquire synchronized block");
        }
        synchronized (this.tokensToProcess) {
            try {
                if (this.tokensToProcess.containsKey(token)) {
                    if (isTraceEnabled) {
                        LOG.trace("Token was already in the list {}:{}", token.getClass().getSimpleName(), token.getAbbreviation());
                    }
                    return false;
                }
                this.tokensToProcess.put(token, null);
                registerPOE(token.getDSSIdAsString(), this.currentTime);
                if (isTraceEnabled) {
                    LOG.trace("+ New {} to check: {}", token.getClass().getSimpleName(), token.getAbbreviation());
                }
                if (isTraceEnabled) {
                    LOG.trace("addTokenForVerification: almost left synchronized block");
                }
                return true;
            } finally {
                if (isTraceEnabled) {
                    LOG.trace("addTokenForVerification: almost left synchronized block");
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addRevocationTokenForVerification(RevocationToken<Revocation> revocationToken) {
        if (addTokenForVerification(revocationToken)) {
            RevocationCertificateSource certificateSource = revocationToken.getCertificateSource();
            if (certificateSource != null) {
                this.revocationCertificateSources.add(certificateSource);
                Iterator it = certificateSource.getCertificates().iterator();
                while (it.hasNext()) {
                    addCertificateTokenForVerification((CertificateToken) it.next());
                }
            }
            boolean add = this.processedRevocations.add(revocationToken);
            if (LOG.isTraceEnabled()) {
                if (add) {
                    LOG.trace("RevocationToken added to processedRevocations: {} ", revocationToken);
                } else {
                    LOG.trace("RevocationToken already present processedRevocations: {} ", revocationToken);
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addCertificateTokenForVerification(CertificateToken certificateToken) {
        if (addTokenForVerification(certificateToken)) {
            boolean add = this.processedCertificates.add(certificateToken);
            if (LOG.isTraceEnabled()) {
                if (add) {
                    LOG.trace("CertificateToken added to processedCertificates: {} ", certificateToken);
                } else {
                    LOG.trace("CertificateToken already present processedCertificates: {} ", certificateToken);
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addTimestampTokenForVerification(TimestampToken timestampToken) {
        if (addTokenForVerification(timestampToken)) {
            Iterator<CertificateToken> it = timestampToken.getCertificates().iterator();
            while (it.hasNext()) {
                addCertificateTokenForVerification(it.next());
            }
            boolean add = this.processedTimestamps.add(timestampToken);
            if (LOG.isTraceEnabled()) {
                if (add) {
                    LOG.trace("TimestampToken added to processedTimestamps: {} ", this.processedTimestamps);
                } else {
                    LOG.trace("TimestampToken already present processedTimestamps: {} ", this.processedTimestamps);
                }
            }
        }
    }

    private void registerUsageDate(TimestampToken timestampToken) {
        CertificateToken tSACertificate = getTSACertificate(timestampToken, getAllCertificateSources());
        if (tSACertificate == null) {
            LOG.warn("No Timestamp Certificate found. Chain is skipped.");
            return;
        }
        Map<CertificateToken, List<CertificateToken>> orderedCertificateChains = getOrderedCertificateChains();
        List<CertificateToken> list = orderedCertificateChains.get(tSACertificate);
        if (list == null) {
            list = toCertificateTokenChain(getCertChain(tSACertificate));
            orderedCertificateChains.put(tSACertificate, list);
        }
        Date creationDate = timestampToken.getCreationDate();
        for (CertificateToken certificateToken : list) {
            if (isSelfSignedOrTrusted(certificateToken)) {
                break;
            }
            Date date = this.lastTimestampCertChainDates.get(certificateToken);
            if (date == null || date.before(creationDate)) {
                this.lastTimestampCertChainDates.put(certificateToken, creationDate);
            }
        }
        Iterator<TimestampedReference> it = timestampToken.getTimestampedReferences().iterator();
        while (it.hasNext()) {
            registerPOE(it.next().getObjectId(), creationDate);
        }
    }

    private void registerPOE(String str, Date date) {
        List<Date> list = this.poeTimes.get(str);
        if (Utils.isCollectionEmpty(list)) {
            list = new ArrayList();
            this.poeTimes.put(str, list);
        }
        list.add(date);
    }

    private List<CertificateToken> toCertificateTokenChain(List<Token> list) {
        LinkedList linkedList = new LinkedList();
        Iterator<Token> it = list.iterator();
        while (it.hasNext()) {
            CertificateToken certificateToken = (Token) it.next();
            if (certificateToken instanceof CertificateToken) {
                linkedList.add(certificateToken);
            }
        }
        return linkedList;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void validate() {
        TimestampToken notYetVerifiedTimestamp = getNotYetVerifiedTimestamp();
        while (true) {
            TimestampToken timestampToken = notYetVerifiedTimestamp;
            if (timestampToken == null) {
                break;
            }
            getCertChain(timestampToken);
            registerUsageDate(timestampToken);
            notYetVerifiedTimestamp = getNotYetVerifiedTimestamp();
        }
        Token notYetVerifiedToken = getNotYetVerifiedToken();
        while (true) {
            Token token = notYetVerifiedToken;
            if (token == null) {
                return;
            }
            List<Token> certChain = getCertChain(token);
            if (token instanceof CertificateToken) {
                getRevocationData((CertificateToken) token, certChain);
            }
            notYetVerifiedToken = getNotYetVerifiedToken();
        }
    }

    private List<RevocationToken> getRevocationData(CertificateToken certificateToken, List<Token> list) {
        OCSPAndCRLRevocationSource oCSPAndCRLRevocationSource;
        if (LOG.isTraceEnabled()) {
            LOG.trace("Checking revocation data for : {}", certificateToken.getDSSIdAsString());
        }
        if (isRevocationDataNotRequired(certificateToken)) {
            LOG.debug("Revocation data is not required for certificate : {}", certificateToken.getDSSIdAsString());
            return Collections.emptyList();
        }
        CertificateToken certificateToken2 = (CertificateToken) getIssuer(certificateToken);
        if (certificateToken2 == null) {
            LOG.warn("Issuer not found for certificate {}", certificateToken.getDSSIdAsString());
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        if (this.signatureCRLSource != null) {
            for (RevocationToken<CRL> revocationToken : this.signatureCRLSource.getRevocationTokens(certificateToken, certificateToken2)) {
                arrayList.add(revocationToken);
                addRevocationTokenForVerification(revocationToken);
            }
        }
        if (this.signatureOCSPSource != null) {
            for (RevocationToken<OCSP> revocationToken2 : this.signatureOCSPSource.getRevocationTokens(certificateToken, certificateToken2)) {
                arrayList.add(revocationToken2);
                addRevocationTokenForVerification(revocationToken2);
            }
        }
        if (Utils.isCollectionEmpty(arrayList) || isRevocationDataRefreshNeeded(certificateToken, arrayList)) {
            LOG.debug("The signature does not contain relative revocation data.");
            if (this.checkRevocationForUntrustedChains || containsTrustAnchor(list)) {
                LOG.trace("Revocation update is in progress for certificate : {}", certificateToken.getDSSIdAsString());
                CertificateToken certificateToken3 = (CertificateToken) getFirstTrustAnchor(list);
                if (this.trustedCertSources.isEmpty() || certificateToken3 == null) {
                    LOG.trace("Initializing a revocation verifier for not trusted chain...");
                    oCSPAndCRLRevocationSource = new OCSPAndCRLRevocationSource(this.crlSource, this.ocspSource);
                } else {
                    LOG.trace("Initializing a revocation verifier for a trusted chain...");
                    oCSPAndCRLRevocationSource = instantiateWithTrustServices(certificateToken3);
                }
                RevocationToken<Revocation> revocationToken3 = oCSPAndCRLRevocationSource.getRevocationToken(certificateToken, certificateToken2);
                if (revocationToken3 != null && !arrayList.contains(revocationToken3)) {
                    LOG.debug("Obtained a new revocation data : {}, for certificate : {}", revocationToken3.getDSSIdAsString(), certificateToken.getDSSIdAsString());
                    arrayList.add(revocationToken3);
                    addRevocationTokenForVerification(revocationToken3);
                }
            } else {
                LOG.warn("External revocation check is skipped for untrusted certificate : {}", certificateToken.getDSSIdAsString());
            }
        }
        if (arrayList.isEmpty()) {
            LOG.warn("No revocation found for the certificate {}", certificateToken.getDSSIdAsString());
        }
        return arrayList;
    }

    private <T extends Token> boolean containsTrustAnchor(List<T> list) {
        return getFirstTrustAnchor(list) != null;
    }

    private <T extends Token> Token getFirstTrustAnchor(List<T> list) {
        for (T t : list) {
            if (isTrusted(t)) {
                return t;
            }
        }
        return null;
    }

    private OCSPAndCRLRevocationSource instantiateWithTrustServices(CertificateToken certificateToken) {
        List<String> alternativeOCSPUrls = getAlternativeOCSPUrls(certificateToken);
        AlternateUrlsSourceAdapter alternateUrlsSourceAdapter = (Utils.isCollectionNotEmpty(alternativeOCSPUrls) && (this.ocspSource instanceof RevocationSourceAlternateUrlsSupport)) ? new AlternateUrlsSourceAdapter(this.ocspSource, alternativeOCSPUrls) : this.ocspSource;
        List<String> alternativeCRLUrls = getAlternativeCRLUrls(certificateToken);
        OCSPAndCRLRevocationSource oCSPAndCRLRevocationSource = new OCSPAndCRLRevocationSource((Utils.isCollectionNotEmpty(alternativeCRLUrls) && (this.crlSource instanceof RevocationSourceAlternateUrlsSupport)) ? new AlternateUrlsSourceAdapter(this.crlSource, alternativeCRLUrls) : this.crlSource, alternateUrlsSourceAdapter);
        oCSPAndCRLRevocationSource.setTrustedCertificateSource(this.trustedCertSources);
        return oCSPAndCRLRevocationSource;
    }

    private List<String> getAlternativeOCSPUrls(CertificateToken certificateToken) {
        ArrayList arrayList = new ArrayList();
        for (CommonTrustedCertificateSource commonTrustedCertificateSource : this.trustedCertSources.getSources()) {
            if (commonTrustedCertificateSource instanceof CommonTrustedCertificateSource) {
                arrayList.addAll(commonTrustedCertificateSource.getAlternativeOCSPUrls(certificateToken));
            }
        }
        return arrayList;
    }

    private List<String> getAlternativeCRLUrls(CertificateToken certificateToken) {
        ArrayList arrayList = new ArrayList();
        for (CommonTrustedCertificateSource commonTrustedCertificateSource : this.trustedCertSources.getSources()) {
            if (commonTrustedCertificateSource instanceof CommonTrustedCertificateSource) {
                arrayList.addAll(commonTrustedCertificateSource.getAlternativeCRLUrls(certificateToken));
            }
        }
        return arrayList;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAllRequiredRevocationDataPresent() {
        ArrayList arrayList = new ArrayList();
        Iterator<List<CertificateToken>> it = getOrderedCertificateChains().values().iterator();
        while (it.hasNext()) {
            checkRevocationForCertificateChainAgainstBestSignatureTime(it.next(), null, arrayList);
        }
        if (!arrayList.isEmpty()) {
            this.certificateVerifier.getAlertOnMissingRevocationData().alert(new Status("Revocation data is missing for one or more certificate(s).", arrayList));
        }
        return arrayList.isEmpty();
    }

    private void checkRevocationForCertificateChainAgainstBestSignatureTime(List<CertificateToken> list, Date date, List<String> list2) {
        for (CertificateToken certificateToken : list) {
            if (isSelfSignedOrTrusted(certificateToken)) {
                return;
            }
            if (!isOCSPNoCheckExtension(certificateToken)) {
                boolean z = false;
                Date date2 = null;
                for (RevocationToken<Revocation> revocationToken : this.processedRevocations) {
                    if (Utils.areStringsEqual(certificateToken.getDSSIdAsString(), revocationToken.getRelatedCertificateID())) {
                        if (date == null || revocationToken.getThisUpdate().after(date)) {
                            z = true;
                            break;
                        } else if (revocationToken.getNextUpdate() != null && (date2 == null || revocationToken.getNextUpdate().before(date2))) {
                            date2 = revocationToken.getNextUpdate();
                        }
                    }
                }
                if (!z) {
                    if (!this.certificateVerifier.isCheckRevocationForUntrustedChains() && !containsTrustAnchor(list)) {
                        list2.add(String.format("Revocation data is skipped for untrusted certificate chain for the token : '%s'", certificateToken.getDSSIdAsString()));
                    } else if (date == null) {
                        list2.add(String.format("No revocation data found for certificate : %s", certificateToken.getDSSIdAsString()));
                    } else if (date2 != null) {
                        list2.add(String.format("No revocation data found after the best signature time [%s] for the certificate : %s. \n The nextUpdate available after : [%s]", date, certificateToken.getDSSIdAsString(), date2));
                    } else {
                        list2.add(String.format("No revocation data found after the best signature time [%s] for the certificate : %s", date, certificateToken.getDSSIdAsString()));
                    }
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAllPOECoveredByRevocationData() {
        ArrayList arrayList = new ArrayList();
        for (Map.Entry<CertificateToken, Date> entry : this.lastTimestampCertChainDates.entrySet()) {
            Date value = entry.getValue();
            CertificateToken key = entry.getKey();
            if (!isRevocationDataNotRequired(key)) {
                boolean z = false;
                Date date = null;
                Iterator<RevocationToken<Revocation>> it = this.processedRevocations.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    RevocationToken<Revocation> next = it.next();
                    if (Utils.areStringsEqual(key.getDSSIdAsString(), next.getRelatedCertificateID())) {
                        if (next.getProductionDate().after(value)) {
                            z = true;
                            break;
                        }
                        Date nextUpdate = next.getNextUpdate();
                        if (date == null || (nextUpdate != null && date.before(nextUpdate))) {
                            date = nextUpdate;
                        }
                    }
                }
                if (!z) {
                    arrayList.add(String.format("POE '%s' not covered by a valid revocation data (nextUpdate : %s)", key.getDSSIdAsString(), date));
                }
            }
        }
        if (!arrayList.isEmpty()) {
            this.certificateVerifier.getAlertOnUncoveredPOE().alert(new Status("Revocation data is missing for one or more POE(s).", arrayList));
        }
        return arrayList.isEmpty();
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAllTimestampsValid() {
        HashSet hashSet = new HashSet();
        for (TimestampToken timestampToken : this.processedTimestamps) {
            if (!timestampToken.isSignatureValid() || !timestampToken.isMessageImprintDataFound().booleanValue() || !timestampToken.isMessageImprintDataIntact().booleanValue()) {
                hashSet.add(timestampToken.getDSSIdAsString());
            }
        }
        if (!hashSet.isEmpty()) {
            this.certificateVerifier.getAlertOnInvalidTimestamp().alert(new Status("Broken timestamp(s) detected.", hashSet));
        }
        return hashSet.isEmpty();
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAllCertificatesValid() {
        HashSet hashSet = new HashSet();
        for (CertificateToken certificateToken : this.processedCertificates) {
            if (!isRevocationDataNotRequired(certificateToken)) {
                for (RevocationToken<Revocation> revocationToken : this.processedRevocations) {
                    if (Utils.areStringsEqual(certificateToken.getDSSIdAsString(), revocationToken.getRelatedCertificateID()) && !revocationToken.getStatus().isGood()) {
                        hashSet.add(certificateToken.getDSSIdAsString());
                    }
                }
            }
        }
        if (!hashSet.isEmpty()) {
            this.certificateVerifier.getAlertOnRevokedCertificate().alert(new Status("Revoked/Suspended certificate(s) detected.", hashSet));
        }
        return hashSet.isEmpty();
    }

    private boolean isRevocationDataNotRequired(CertificateToken certificateToken) {
        return isSelfSignedOrTrusted(certificateToken) || isOCSPNoCheckExtension(certificateToken);
    }

    private boolean isSelfSignedOrTrusted(CertificateToken certificateToken) {
        return certificateToken.isSelfSigned() || isTrusted(certificateToken);
    }

    private boolean isOCSPNoCheckExtension(CertificateToken certificateToken) {
        return DSSASN1Utils.hasIdPkixOcspNoCheckExtension(certificateToken);
    }

    private boolean isRevocationDataRefreshNeeded(CertificateToken certificateToken, List<RevocationToken> list) {
        Date date = this.lastTimestampCertChainDates.get(certificateToken);
        if (date == null) {
            date = getLowestPOETime(certificateToken.getDSSIdAsString());
        }
        boolean z = false;
        Iterator<RevocationToken> it = list.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            RevocationToken next = it.next();
            if (date != null && date.before(next.getProductionDate()) && RevocationReason.CERTIFICATE_HOLD != next.getReason() && isConsistent(next, certificateToken)) {
                z = true;
                break;
            }
        }
        if (z) {
            return false;
        }
        LOG.debug("Revocation data refresh is needed");
        return true;
    }

    private Date getLowestPOETime(String str) {
        Date date = null;
        List<Date> list = this.poeTimes.get(str);
        if (Utils.isCollectionNotEmpty(list)) {
            for (Date date2 : list) {
                if (date == null || date2.before(date)) {
                    date = date2;
                }
            }
        }
        return date;
    }

    private boolean isConsistent(RevocationToken<Revocation> revocationToken, CertificateToken certificateToken) {
        List<CertificateToken> certificateTokenChain = toCertificateTokenChain(getCertChain(revocationToken));
        if (Utils.isCollectionEmpty(certificateTokenChain)) {
            LOG.debug("The revocation {} is not consistent! Issuer CertificateToken is not found.", revocationToken.getDSSIdAsString());
            return false;
        }
        if (RevocationType.OCSP.equals(revocationToken.getRevocationType()) && !DSSRevocationUtils.checkIssuerValidAtRevocationProductionTime(revocationToken)) {
            LOG.debug("The revocation {} is not consistent! The revocation has been produced outside the issuer certificate's validity range!", revocationToken.getDSSIdAsString());
            return false;
        }
        if (!RevocationType.CRL.equals(revocationToken.getRevocationType()) || isInCertificateValidityRange(revocationToken, certificateToken)) {
            return revocationToken.getNextUpdate() != null ? hasPOEAfterProductionAndBeforeNextUpdate(revocationToken) : hasPOEInTheValidityRange(certificateTokenChain.iterator().next());
        }
        LOG.debug("The revocation '{}' was not issued during the validity period of the certificate! Certificate: {}", revocationToken.getDSSIdAsString(), certificateToken.getDSSIdAsString());
        return false;
    }

    private boolean isInCertificateValidityRange(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        Date thisUpdate = revocationToken.getThisUpdate();
        Date nextUpdate = revocationToken.getNextUpdate();
        return thisUpdate.compareTo(certificateToken.getNotAfter()) <= 0 && nextUpdate != null && nextUpdate.compareTo(certificateToken.getNotBefore()) >= 0;
    }

    private boolean hasPOEAfterProductionAndBeforeNextUpdate(RevocationToken<Revocation> revocationToken) {
        List<Date> list = this.poeTimes.get(revocationToken.getDSSIdAsString());
        if (!Utils.isCollectionNotEmpty(list)) {
            return false;
        }
        Iterator<Date> it = list.iterator();
        while (it.hasNext()) {
            if (isConsistentOnTime(revocationToken, it.next())) {
                return true;
            }
        }
        return false;
    }

    private boolean hasPOEInTheValidityRange(CertificateToken certificateToken) {
        List<Date> list = this.poeTimes.get(certificateToken.getDSSIdAsString());
        if (!Utils.isCollectionNotEmpty(list)) {
            return false;
        }
        Iterator<Date> it = list.iterator();
        while (it.hasNext()) {
            if (certificateToken.isValidOn(it.next())) {
                return true;
            }
        }
        return false;
    }

    private boolean isConsistentOnTime(RevocationToken<Revocation> revocationToken, Date date) {
        return date.compareTo(revocationToken.getProductionDate()) >= 0 && date.compareTo(revocationToken.getNextUpdate()) <= 0;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAtLeastOneRevocationDataPresentAfterBestSignatureTime(CertificateToken certificateToken) {
        ArrayList arrayList = new ArrayList();
        for (Map.Entry<CertificateToken, List<CertificateToken>> entry : getOrderedCertificateChains().entrySet()) {
            CertificateToken key = entry.getKey();
            checkRevocationForCertificateChainAgainstBestSignatureTime(entry.getValue(), key.equals(certificateToken) ? getEarliestTimestampTime() : this.lastTimestampCertChainDates.get(key), arrayList);
        }
        if (!arrayList.isEmpty()) {
            this.certificateVerifier.getAlertOnNoRevocationAfterBestSignatureTime().alert(new Status("Fresh revocation data is missing for one or more certificate(s).", arrayList));
        }
        return arrayList.isEmpty();
    }

    private Date getEarliestTimestampTime() {
        Date date = null;
        for (TimestampToken timestampToken : getProcessedTimestamps()) {
            if (timestampToken.getTimeStampType().coversSignature()) {
                Date creationDate = timestampToken.getCreationDate();
                if (date == null || creationDate.before(date)) {
                    date = creationDate;
                }
            }
        }
        return date;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Set<CertificateToken> getProcessedCertificates() {
        return Collections.unmodifiableSet(this.processedCertificates);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Map<CertificateToken, Set<CertificateSourceType>> getCertificateSourceTypes() {
        ListCertificateSource allCertificateSources = getAllCertificateSources();
        HashMap hashMap = new HashMap();
        for (CertificateToken certificateToken : getProcessedCertificates()) {
            hashMap.put(certificateToken, allCertificateSources.getCertificateSource(certificateToken));
        }
        return hashMap;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Set<RevocationToken<Revocation>> getProcessedRevocations() {
        return Collections.unmodifiableSet(this.processedRevocations);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Set<TimestampToken> getProcessedTimestamps() {
        return Collections.unmodifiableSet(this.processedTimestamps);
    }

    private <T extends Token> boolean isTrusted(T t) {
        return (t instanceof CertificateToken) && this.trustedCertSources.isTrusted((CertificateToken) t);
    }
}
