package at.gv.egovernment.moa.spss.util;

import at.gv.egovernment.moa.sig.tsl.TslConstants;
import at.gv.egovernment.moa.sig.tsl.engine.data.ITslEndEntityResult;
import at.gv.egovernment.moa.sig.tsl.exception.TslException;
import at.gv.egovernment.moa.spss.api.impl.TslInfosImpl;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
import at.gv.egovernment.moa.spss.tsl.TSLServiceFactory;
import at.gv.egovernment.moaspss.logging.LogMsg;
import at.gv.egovernment.moaspss.logging.Logger;
import iaik.asn1.ObjectID;
import iaik.asn1.structures.PolicyInformation;
import iaik.utils.RFC2253NameParser;
import iaik.utils.RFC2253NameParserException;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import iaik.x509.extensions.CertificatePolicies;
import iaik.x509.extensions.qualified.QCStatements;
import iaik.x509.extensions.qualified.structures.etsi.QcEuCompliance;
import iaik.x509.extensions.qualified.structures.etsi.QcEuSSCD;
import java.net.URI;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;

/* loaded from: input_file:at/gv/egovernment/moa/spss/util/CertificateUtils.class */
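/**
 * Derives the qualified-certificate (QC) and secure-signature-creation-device (SSCD) status of a
 * certificate, either from a TSL evaluation or from the certificate's own extensions.
 *
 * <p>Security note: the extension-based checks only read what the issuer wrote into the
 * certificate. Nothing in this class validates the chain, so the flags returned by the
 * extension-only paths are meaningful only if the caller has already established trust in the
 * issuer by other means.
 */
public class CertificateUtils {
    /** Policy identifier that the log messages of this class call "QCP+". */
    private static final String OID_QCP_PLUS = "0.4.0.1456.1.1";

    /** Policy identifier that the log messages of this class call "QCP". */
    private static final String OID_QCP = "0.4.0.1456.1.2";

    /** Returns {@code true} if the certificate lists the QCP+ policy in CertificatePolicies. */
    private static boolean checkQCPPlus(X509Certificate x509Certificate) {
        Logger.debug("Checking QCP+ extension");
        return hasCertificatePolicy(x509Certificate, OID_QCP_PLUS, "QCP+");
    }

    /** Returns {@code true} if the certificate lists the QCP policy in CertificatePolicies. */
    private static boolean checkQCP(X509Certificate x509Certificate) {
        Logger.debug("Checking QCP extension");
        return hasCertificatePolicy(x509Certificate, OID_QCP, "QCP");
    }

    /** Returns {@code true} if the QCStatements extension carries a QcEuCompliance statement. */
    private static boolean checkQcEuCompliance(X509Certificate x509Certificate) {
        Logger.debug("Checking QcEUCompliance extension");
        return hasQcStatement(x509Certificate, QcEuCompliance.statementID, "QcEuCompliance");
    }

    /** Returns {@code true} if the QCStatements extension carries a QcEuSSCD statement. */
    private static boolean checkQcEuSSCD(X509Certificate x509Certificate) {
        Logger.debug("Checking QcEuSSCD extension");
        return hasQcStatement(x509Certificate, QcEuSSCD.statementID, "QcEuSSCD");
    }

    /**
     * Looks for one policy identifier in the CertificatePolicies extension.
     *
     * <p>An extension that cannot be initialized is treated as absent (fail closed), but it is
     * logged as a warning so that a malformed certificate is distinguishable from one that simply
     * does not carry the policy.
     */
    private static boolean hasCertificatePolicy(X509Certificate cert, String policyOid, String label) {
        try {
            CertificatePolicies policies = (CertificatePolicies) cert.getExtension(CertificatePolicies.oid);
            if (policies == null) {
                Logger.debug("No CertificatePolicies extension found");
                return false;
            }
            PolicyInformation[] entries = policies.getPolicyInformation();
            if (entries == null) {
                Logger.debug("No policy information found");
                return false;
            }
            for (PolicyInformation entry : entries) {
                // Constant first: an entry without an identifier string does not match instead of throwing.
                if (policyOid.equals(entry.getPolicyIdentifier().getID())) {
                    Logger.debug(label + " extension found");
                    return true;
                }
            }
            Logger.debug("No " + label + " extension found");
            return false;
        } catch (X509ExtensionInitException e) {
            Logger.warn("CertificatePolicies extension could not be initialized; treating " + label
                    + " as absent: " + e.getMessage());
            return false;
        }
    }

    /**
     * Looks for one statement in the QCStatements extension.
     *
     * <p>As with the policy lookup, an extension that cannot be initialized counts as absent and
     * is logged as a warning.
     */
    private static boolean hasQcStatement(X509Certificate cert, ObjectID statementId, String label) {
        try {
            QCStatements statements = (QCStatements) cert.getExtension(QCStatements.oid);
            if (statements == null) {
                Logger.debug("No QcStatements extension found");
                return false;
            }
            if (statements.getQCStatements(statementId) != null) {
                Logger.debug(label + " extension found");
                return true;
            }
            Logger.debug("No " + label + " extension found");
            return false;
        } catch (X509ExtensionInitException e) {
            Logger.warn("QcStatements extension could not be initialized; treating " + label
                    + " as absent: " + e.getMessage());
            return false;
        }
    }

    /** QC as asserted by the certificate itself: QCP policy or QcEuCompliance statement. */
    private static boolean assertsQc(X509Certificate cert) {
        // Both checks always run so that the debug log shows the outcome of each.
        boolean qcp = checkQCP(cert);
        boolean qcEuCompliance = checkQcEuCompliance(cert);
        return qcp || qcEuCompliance;
    }

    /** SSCD as asserted by the certificate itself: QCP+ policy or QcEuSSCD statement. */
    private static boolean assertsSscd(X509Certificate cert) {
        // Both checks always run so that the debug log shows the outcome of each.
        boolean qcpPlus = checkQCPPlus(cert);
        boolean qcEuSscd = checkQcEuSSCD(cert);
        return qcpPlus || qcEuSscd;
    }

    /**
     * Determines the QC and SSCD status of the first certificate of {@code chain}.
     *
     * <p>With TSL support disabled, both flags come from the certificate's extensions only. With
     * TSL support enabled, the chain is evaluated against the TSL service:
     * <ul>
     *   <li>no TSL result: QC is reported as false and SSCD comes from the extensions;</li>
     *   <li>QC is set when the evaluated service type is one of the configured QC qualifiers and
     *       is cleared again if the TSL marks the certificate "NotQualified". There is no
     *       fallback to the certificate's extensions for QC on this path;</li>
     *   <li>SSCD is set when an evaluated qualifier is one of the configured SSCD qualifiers. If
     *       the TSL does not confirm SSCD, or defers to the certificate ("...StatusAsInCert"),
     *       the certificate's extensions decide. This fallback also applies when the TSL marked
     *       the certificate "NotQualified".</li>
     * </ul>
     *
     * @param x509CertificateArr certificate chain; element 0 is the certificate whose extensions
     *     are inspected
     * @param date time passed to the TSL evaluation; the current time is used when {@code null}
     * @param z whether TSL support is enabled
     * @param configurationProvider source of the configured QC and SSCD qualifier lists
     * @return the evaluation result; a default-constructed result if the TSL evaluation fails
     * @throws IllegalArgumentException if the chain is {@code null}, empty, or its first element
     *     is {@code null}
     */
    public static QCSSCDResult checkQCSSCD(X509Certificate[] x509CertificateArr, Date date, boolean z, ConfigurationProvider configurationProvider) {
        // Reject an unusable chain up front instead of failing later with an index or null error.
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw new IllegalArgumentException("Certificate chain must contain the certificate to evaluate");
        }
        try {
            if (!z) {
                Logger.info("TSL support is not enabled - checking certificate extensions with QC evaluation ");
                return parseInfosFromCertificate(x509CertificateArr, true);
            }
            Date evaluationTime = date;
            if (evaluationTime == null) {
                evaluationTime = new Date();
                Logger.debug("TSL check without signingTime --> use current time for evaluation");
            }
            ITslEndEntityResult tslResult = TSLServiceFactory.getTSLServiceClient()
                    .evaluate(Arrays.asList(x509CertificateArr), evaluationTime, TslConstants.PKIX_MODEL);
            if (tslResult == null) {
                Logger.debug("Qualifier check via TSL return null - checking certificate extensions without QC evaluation");
                return parseInfosFromCertificate(x509CertificateArr, false);
            }
            URI serviceType = tslResult.getEvaluatedServiceTypeIdentifier();
            List<URI> qualifiers = tslResult.getEvaluatedQualifier();

            boolean qc = false;
            boolean qcFromTsl = false;
            boolean sscd = false;
            boolean sscdFromTsl = false;

            // Null-checked like the SSCD list below; a missing QC list means "no match".
            Iterable<URI> qcServiceTypes = configurationProvider.getTSLConfiguration().getQualifierForQC();
            if (serviceType != null && qcServiceTypes != null) {
                for (URI configured : qcServiceTypes) {
                    if (serviceType.equals(configured)) {
                        qc = true;
                        qcFromTsl = true;
                    }
                }
            }

            List<URI> sscdQualifiers = configurationProvider.getTSLConfiguration().getQualifierForSSCD();
            if (qualifiers != null && sscdQualifiers != null) {
                for (URI configured : sscdQualifiers) {
                    if (qualifiers.contains(configured)) {
                        sscd = true;
                        sscdFromTsl = true;
                    }
                }
            }

            // Qualifiers that withdraw a TSL-derived flag. They only ever clear flags, so the
            // outcome does not depend on the order of the qualifier list.
            if (qualifiers != null) {
                for (URI qualifier : qualifiers) {
                    if (qualifier.equals(TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(TslConstants.SSCD_QUALIFIER_SHORT.QCQSCDStatusAsInCert))
                            || qualifier.equals(TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(TslConstants.SSCD_QUALIFIER_SHORT.QCSSCDStatusAsInCert))) {
                        // The TSL defers to the certificate, so SSCD is decided by the extensions below.
                        sscd = false;
                        sscdFromTsl = false;
                    } else if (qualifier.equals(TslConstants.SSCD_QUALIFIER_SORT_TO_URI.get(TslConstants.SSCD_QUALIFIER_SHORT.NotQualified))) {
                        qc = false;
                        qcFromTsl = false;
                        Logger.info("TSL mark this certificate explicitly as 'NotQualified'!");
                    }
                }
            }

            if (sscdFromTsl) {
                Logger.debug("Certificate is SSCD (Source: TSL)");
            } else {
                Logger.debug("SSCD check via TSL returned false - checking certificate extensions");
                if (assertsSscd(x509CertificateArr[0])) {
                    Logger.debug("Certificate is SSCD (Source: Certificate)");
                    sscd = true;
                }
            }

            // NOTE(review): argument order (qc, qcFromTsl, sscd, sscdFromTsl) is inferred from how
            // the flags are set in this class - confirm against QCSSCDResult.
            QCSSCDResult result = new QCSSCDResult(qc, qcFromTsl, sscd, sscdFromTsl);
            // A TSL result without a service type no longer causes a NullPointerException here.
            // NOTE(review): confirm that TslInfosImpl accepts a null service type identifier.
            String serviceTypeText = serviceType == null ? null : serviceType.toString();
            result.setTslInfos(new TslInfosImpl(tslResult.getTerritory(), tslResult.getTspStatus(), serviceTypeText, qualifiers, tslResult.getAdditionalServiceInformation()));
            return result;
        } catch (TslException e) {
            Logger.error(new LogMsg(MessageProvider.getInstance().getMessage("tsl.01", null)), e);
            // NOTE(review): confirm that a default-constructed result reports neither QC nor SSCD,
            // so that a failed TSL evaluation can never upgrade a certificate's status.
            return new QCSSCDResult();
        }
    }

    /**
     * Builds a result from the extensions of the first certificate of the chain only; both
     * "source is TSL" flags are false.
     *
     * @param x509CertificateArr certificate chain, already checked to be non-empty by the caller
     * @param z whether QC is evaluated; when false, QC is reported as false
     */
    private static QCSSCDResult parseInfosFromCertificate(X509Certificate[] x509CertificateArr, boolean z) {
        X509Certificate cert = x509CertificateArr[0];
        boolean qc = z && assertsQc(cert);
        boolean sscd = assertsSscd(cert);
        return new QCSSCDResult(qc, false, sscd, false);
    }

    /**
     * Extracts the country RDN from the issuer name of the certificate.
     *
     * <p>The value is read from the certificate as presented and is not verified here.
     *
     * @param x509Certificate certificate whose issuer name is parsed
     * @return the country RDN, or {@code null} if the issuer name cannot be parsed (presumably
     *     also when the issuer has no country RDN - confirm against the name parser)
     */
    public static String getIssuerCountry(X509Certificate x509Certificate) {
        try {
            String issuerName = x509Certificate.getIssuerX500Principal().getName();
            return new RFC2253NameParser(issuerName).parse().getRDN(ObjectID.country);
        } catch (RFC2253NameParserException e) {
            // Best effort: an unparsable issuer name yields no country. The parser message is
            // kept out of the log because it may echo certificate-controlled text.
            Logger.warn("Could not get country code from issuer.");
            return null;
        }
    }
}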
