package se.idsec.sigval.xml.policy.impl;

import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.idsec.signservice.security.sign.SignatureValidationResult;
import se.idsec.sigval.cert.chain.PathValidationResult;
import se.idsec.sigval.cert.validity.ValidationStatus;
import se.idsec.sigval.commons.data.PolicyValidationResult;
import se.idsec.sigval.commons.data.TimeValidationResult;
import se.idsec.sigval.commons.timestamp.TimeStamp;
import se.idsec.sigval.svt.claims.PolicyValidationClaims;
import se.idsec.sigval.svt.claims.ValidationConclusion;
import se.idsec.sigval.xml.data.ExtendedXmlSigvalResult;

/* loaded from: input_file:se/idsec/sigval/xml/policy/impl/PkixXmlSignaturePolicyValidator.class */
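/**
 * PKIX policy checks for an XML signature, layered on top of the basic checks in
 * {@link AbstractBasicXMLSignaturePolicyChecks}.
 *
 * <p>The policy identifier reported by {@link #getValidationPolicy()} depends on
 * {@code enforceCurrentTimeValidation}:
 * <ul>
 *   <li>{@code .../pkix/01} — current-time validation: the certificate path must be valid now.</li>
 *   <li>{@code .../ts-pkix/01} — time-stamp based validation: a certificate in the path that has
 *       since been REVOKED is still accepted, provided the revocation happened later than the
 *       earliest verified time stamp of the signature plus a grace period.</li>
 * </ul>
 *
 * <p>In both modes an INVALID certificate in the path fails the check and an UNKNOWN one makes the
 * result INDETERMINATE. A REVOKED status is only examined in time-stamp mode; in current-time mode
 * it is presumably already reflected in the signature result's exception (not verifiable here).
 *
 * <p>{@link #setRevocationGracePeriod(long)} writes a plain field without synchronization;
 * configure the instance before sharing it between threads.
 */
public class PkixXmlSignaturePolicyValidator extends AbstractBasicXMLSignaturePolicyChecks {
    private static final Logger log = LoggerFactory.getLogger(PkixXmlSignaturePolicyValidator.class);

    /** Default grace period added to the earliest verified time stamp: 24 hours, in milliseconds. */
    private static final long DEFAULT_REVOCATION_GRACE_PERIOD_MILLIS = 86400000L;

    /** Policy identifier reported when current-time validation is enforced. */
    private static final String PKIX_POLICY = "http://id.swedenconnect.se/svt/sigval-policy/pkix/01";

    /** Policy identifier reported when time-stamp based validation is used. */
    private static final String TS_PKIX_POLICY = "http://id.swedenconnect.se/svt/sigval-policy/ts-pkix/01";

    /** Selects the policy; see the class description. */
    private final boolean enforceCurrentTimeValidation;

    /** Grace period in milliseconds between the earliest verified time stamp and an acceptable revocation. */
    private long revocationGracePeriod;

    /**
     * Creates a validator using time-stamp based validation and the default 24 h grace period.
     */
    public PkixXmlSignaturePolicyValidator() {
        this(false, DEFAULT_REVOCATION_GRACE_PERIOD_MILLIS);
    }

    /**
     * Creates a validator with the default 24 h grace period.
     *
     * @param enforceCurrentTimeValidation {@code true} for current-time (pkix) validation,
     *     {@code false} for time-stamp based (ts-pkix) validation
     */
    public PkixXmlSignaturePolicyValidator(boolean enforceCurrentTimeValidation) {
        this(enforceCurrentTimeValidation, DEFAULT_REVOCATION_GRACE_PERIOD_MILLIS);
    }

    /**
     * Creates a validator.
     *
     * @param enforceCurrentTimeValidation {@code true} for current-time (pkix) validation,
     *     {@code false} for time-stamp based (ts-pkix) validation
     * @param revocationGracePeriod grace period in milliseconds, must not be negative
     * @throws IllegalArgumentException if {@code revocationGracePeriod} is negative
     */
    public PkixXmlSignaturePolicyValidator(boolean enforceCurrentTimeValidation, long revocationGracePeriod) {
        this.enforceCurrentTimeValidation = enforceCurrentTimeValidation;
        this.revocationGracePeriod = requireNonNegativeGracePeriod(revocationGracePeriod);
    }

    /**
     * Runs the PKIX checks on the certificate path of the validated signature.
     *
     * <p>Any exception while reading the path validation result (including a missing result) is
     * turned into a FAILED result rather than propagated, so the check fails closed.
     *
     * @param extendedXmlSigvalResult result of the basic signature validation
     * @return policy claims plus the overall status to report
     */
    @Override
    protected PolicyValidationResult performAdditionalValidityChecks(ExtendedXmlSigvalResult extendedXmlSigvalResult) {
        PolicyValidationClaims.PolicyValidationClaimsBuilder builder = PolicyValidationClaims.builder();
        builder.pol(getValidationPolicy());
        try {
            PathValidationResult certificateValidationResult = extendedXmlSigvalResult.getCertificateValidationResult();
            List<ValidationStatus> validationStatusList = certificateValidationResult.getValidationStatusList();

            // A null validity throws here and is caught below, i.e. an unreadable status fails closed.
            if (anyWithValidity(validationStatusList, ValidationStatus.CertificateValidity.INVALID)) {
                return new PolicyValidationResult(
                    builder.res(ValidationConclusion.FAILED).msg("Invalid certificate in certificate path").build(),
                    SignatureValidationResult.Status.ERROR_SIGNER_INVALID);
            }
            if (anyWithValidity(validationStatusList, ValidationStatus.CertificateValidity.UNKNOWN)) {
                return new PolicyValidationResult(
                    builder.res(ValidationConclusion.INDETERMINATE).msg("Validity of the signature could not be determined").build(),
                    SignatureValidationResult.Status.ERROR_NOT_TRUSTED);
            }

            if (!this.enforceCurrentTimeValidation) {
                log.debug("Processing without enforcing current time validation. Looking for valid time stamps");
                List<ValidationStatus> revokedStatuses = validationStatusList.stream()
                    .filter(status -> status.getValidity().equals(ValidationStatus.CertificateValidity.REVOKED))
                    .collect(Collectors.toList());
                if (!revokedStatuses.isEmpty()) {
                    log.debug("Found {} revoked certificates in the cert path", revokedStatuses.size());
                    List<TimeValidationResult> timeValidationResults = extendedXmlSigvalResult.getTimeValidationResults();
                    // Every revoked certificate must have been revoked after the trusted time stamp + grace period.
                    for (ValidationStatus revokedStatus : revokedStatuses) {
                        if (!checkRevocationTime(revokedStatus, timeValidationResults)) {
                            log.debug("certificate was revoked before signing time or within graceperiod of signing time");
                            return new PolicyValidationResult(
                                builder.res(ValidationConclusion.FAILED).msg("Certificate revoked").build(),
                                SignatureValidationResult.Status.ERROR_SIGNER_INVALID);
                        }
                    }
                    // NOTE(review): conclusion PASSED is paired with Status.ERROR_SIGNER_INVALID here, and the
                    // exception check below is bypassed; kept as in the original — confirm this is how the
                    // "valid at signing time, signer invalid now" case is meant to be reported.
                    return new PolicyValidationResult(
                        builder.res(ValidationConclusion.PASSED).msg("Certificate revoked after trusted timestamp time").build(),
                        SignatureValidationResult.Status.ERROR_SIGNER_INVALID);
                }
            }

            if (extendedXmlSigvalResult.getException() != null) {
                return new PolicyValidationResult(
                    builder.res(ValidationConclusion.FAILED).msg(extendedXmlSigvalResult.getException().getMessage()).build(),
                    SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE);
            }
            return new PolicyValidationResult(
                builder.res(ValidationConclusion.PASSED).msg("OK").build(),
                SignatureValidationResult.Status.SUCCESS);
        } catch (Exception e) {
            log.debug("Unable to obtain path validation results", e);
            return new PolicyValidationResult(
                builder.res(ValidationConclusion.FAILED).msg("Unable to obtain path validation results: " + e.getMessage()).build(),
                SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE);
        }
    }

    /**
     * Returns the identifier of the policy this validator applies; see the class description.
     *
     * @return the pkix or ts-pkix policy identifier
     */
    @Override
    protected String getValidationPolicy() {
        return this.enforceCurrentTimeValidation ? PKIX_POLICY : TS_PKIX_POLICY;
    }

    /**
     * Replaces the grace period used by time-stamp based validation.
     *
     * @param revocationGracePeriod grace period in milliseconds, must not be negative
     * @throws IllegalArgumentException if {@code revocationGracePeriod} is negative
     */
    public void setRevocationGracePeriod(long revocationGracePeriod) {
        this.revocationGracePeriod = requireNonNegativeGracePeriod(revocationGracePeriod);
    }

    /**
     * Tells whether a revoked certificate may still be accepted under the ts-pkix policy.
     *
     * <p>The certificate is accepted only when its revocation time lies strictly after the earliest
     * verified time stamp of the signature plus the grace period. Without time validation results,
     * without a revocation time, or without a verified time stamp whose generation time can be read,
     * the answer is {@code false}.
     *
     * @param validationStatus status of the revoked certificate
     * @param timeValidationResults time validation results of the signature, may be {@code null}
     * @return {@code true} if the revocation happened late enough to be ignored
     */
    private boolean checkRevocationTime(ValidationStatus validationStatus, List<TimeValidationResult> timeValidationResults) {
        if (timeValidationResults == null) {
            log.debug("No timestamps available for this signature");
            return false;
        }
        Date revocationTime = validationStatus.getRevocationTime();
        if (revocationTime == null) {
            log.debug("No revocation time available");
            return false;
        }
        List<TimeStamp> verifiedTimeStamps = timeValidationResults.stream()
            .map(TimeValidationResult::getTimeStamp)
            .filter(TimeStamp::hasVerifiedTimestamp)
            .collect(Collectors.toList());
        log.debug("Found {} valid timestamps", verifiedTimeStamps.size());

        // Earliest generation time among the verified time stamps; null until one is found.
        Date earliestTimeStampTime = null;
        for (TimeStamp timeStamp : verifiedTimeStamps) {
            try {
                Date genTime = timeStamp.getTstInfo().getGenTime().getDate();
                if (earliestTimeStampTime == null || genTime.before(earliestTimeStampTime)) {
                    earliestTimeStampTime = genTime;
                }
            } catch (ParseException e) {
                // An unreadable generation time simply does not contribute a trusted time.
                log.debug("Ignoring time stamp with unparseable generation time: {}", e.getMessage());
            }
        }
        if (earliestTimeStampTime == null) {
            // Without a trusted time there is nothing to compare the revocation against; fail closed.
            log.debug("No verified timestamp with a readable generation time for this signature");
            return false;
        }
        log.debug("Earliest timstamp for this signature: {}", earliestTimeStampTime);
        Date earliestAllowedRevocation = new Date(earliestTimeStampTime.getTime() + this.revocationGracePeriod);
        log.debug("Earliest allowed revocation time: {}", earliestAllowedRevocation);
        log.debug("Actual revocation time: {}", revocationTime);
        boolean revokedAfterGracePeriod = earliestAllowedRevocation.before(revocationTime);
        log.debug("Certificate valid: {}", revokedAfterGracePeriod);
        return revokedAfterGracePeriod;
    }

    /**
     * Tells whether any status in the list has the given validity.
     *
     * @param statuses certificate statuses of the path
     * @param validity validity to look for
     * @return {@code true} if at least one status matches
     */
    private static boolean anyWithValidity(List<ValidationStatus> statuses, ValidationStatus.CertificateValidity validity) {
        return statuses.stream().anyMatch(status -> status.getValidity().equals(validity));
    }

    /**
     * Rejects a negative grace period, which would allow revocations dated before the time stamp.
     *
     * @param gracePeriod grace period in milliseconds
     * @return the same value when it is non-negative
     * @throws IllegalArgumentException if {@code gracePeriod} is negative
     */
    private static long requireNonNegativeGracePeriod(long gracePeriod) {
        if (gracePeriod < 0) {
            throw new IllegalArgumentException("revocationGracePeriod must not be negative: " + gracePeriod);
        }
        return gracePeriod;
    }
}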
