package com.itextpdf.signatures.validation;

import com.itextpdf.commons.utils.MessageFormatUtil;
import com.itextpdf.signatures.IssuingCertificateRetriever;
import com.itextpdf.signatures.validation.context.CertificateSource;
import com.itextpdf.signatures.validation.context.ValidationContext;
import com.itextpdf.signatures.validation.context.ValidatorContext;
import com.itextpdf.signatures.validation.extensions.CertificateExtension;
import com.itextpdf.signatures.validation.extensions.DynamicCertificateExtension;
import com.itextpdf.signatures.validation.report.CertificateReportItem;
import com.itextpdf.signatures.validation.report.ReportItem;
import com.itextpdf.signatures.validation.report.ValidationReport;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

/* loaded from: input_file:com/itextpdf/signatures/validation/CertificateChainValidator.class */
/**
 * Validates an {@link X509Certificate} and, recursively, the issuer chain supplied by the configured
 * {@link IssuingCertificateRetriever}, recording every finding as a {@link CertificateReportItem} in a
 * {@link ValidationReport}.
 * <p>
 * For each certificate the steps run in this order: validity period at the validation date, required
 * extensions (taken from {@link SignatureValidationProperties} for the current context), trust-store lookup,
 * revocation data, and finally issuer retrieval plus signature verification. A certificate found to be
 * trusted for the current context ends the walk up the chain. Steps only add report items; whether a failure
 * stops the walk is decided by {@code properties.getContinueAfterFailure(context)} (see
 * {@code stopValidation}).
 * <p>
 * Decompiled class (see the JADX markers); comments describe the visible behaviour only.
 */
public class CertificateChainValidator {
    // Check names under which report items are grouped.
    static final String CERTIFICATE_CHECK = "Certificate check.";
    static final String VALIDITY_CHECK = "Certificate validity period check.";
    static final String EXTENSIONS_CHECK = "Required certificate extensions check.";
    // Message templates; {0}/{1} are filled by MessageFormatUtil.format, usually with subject principals.
    static final String CERTIFICATE_TRUSTED = "Certificate {0} is trusted, revocation data checks are not required.";
    static final String CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT = "Certificate {0} is trusted for {1}, but it is not used in this context. Validation will continue as usual.";
    static final String EXTENSION_MISSING = "Required extension validation failed: {0}";
    static final String ISSUER_MISSING = "Certificate {0} isn't trusted and issuer certificate isn't provided.";
    static final String EXPIRED_CERTIFICATE = "Certificate {0} is expired.";
    static final String NOT_YET_VALID_CERTIFICATE = "Certificate {0} is not yet valid.";
    static final String ISSUER_CANNOT_BE_VERIFIED = "Issuer certificate {0} for subject certificate {1} cannot be mathematically verified.";
    static final String ISSUER_VERIFICATION_FAILED = "Unexpected exception occurred while verifying issuer certificate.";
    static final String ISSUER_RETRIEVAL_FAILED = "Unexpected exception occurred while retrieving certificate issuer from IssuingCertificateRetriever.";
    static final String TRUSTSTORE_RETRIEVAL_FAILED = "Unexpected exception occurred while retrieving trust store from IssuingCertificateRetriever.";
    static final String REVOCATION_VALIDATION_FAILED = "Unexpected exception occurred while validating certificate revocation.";
    static final String VALIDITY_PERIOD_CHECK_FAILED = "Unexpected exception occurred while validating certificate validity period.";
    // Per-context policy: required extensions and whether to continue after an INVALID result.
    private final SignatureValidationProperties properties;
    // Source of the trust store and of candidate issuer certificates.
    private final IssuingCertificateRetriever certificateRetriever;
    // Delegate for CRL/OCSP-style revocation checks.
    private final RevocationDataValidator revocationDataValidator;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a validator wired with the retriever, properties and revocation validator of the given builder.
     * The decompiler note above indicates the original declaration was {@code protected}, so instances are
     * expected to be obtained through {@link ValidatorChainBuilder} rather than constructed directly.
     *
     * @param validatorChainBuilder the builder providing the collaborating components
     */
    public CertificateChainValidator(ValidatorChainBuilder validatorChainBuilder) {
        this.certificateRetriever = validatorChainBuilder.getCertificateRetriever();
        this.properties = validatorChainBuilder.getProperties();
        this.revocationDataValidator = validatorChainBuilder.getRevocationDataValidator();
    }

    /**
     * Validates {@code x509Certificate} and its issuer chain into a fresh report.
     *
     * @param validationContext context describing where the certificate comes from and which validator runs
     * @param x509Certificate   the certificate to validate
     * @param date              the point in time at which validity and revocation status are evaluated
     * @return a new {@link ValidationReport} holding all findings
     */
    public ValidationReport validateCertificate(ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        return validate(new ValidationReport(), validationContext, x509Certificate, date);
    }

    /**
     * Validates {@code x509Certificate} and its issuer chain, appending findings to {@code validationReport}.
     * The certificate is treated as position 0 of the chain.
     *
     * @param validationReport  report that receives the findings
     * @param validationContext context describing where the certificate comes from and which validator runs
     * @param x509Certificate   the certificate to validate
     * @param date              the point in time at which validity and revocation status are evaluated
     * @return the same {@code validationReport} instance
     */
    public ValidationReport validate(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        return validate(validationReport, validationContext, x509Certificate, date, 0);
    }

    /**
     * Runs the full per-certificate check sequence and recurses into the issuer chain.
     *
     * @param i zero-based position of {@code x509Certificate} in the chain being built (0 for the certificate
     *          handed to the public entry points); forwarded to dynamic extensions and incremented per issuer
     * @return the same {@code validationReport} instance
     */
    private ValidationReport validate(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date, int i) {
        // Mark the context as handled by the chain validator; the returned context is used for all lookups below.
        ValidationContext validatorContext = validationContext.setValidatorContext(ValidatorContext.CERTIFICATE_CHAIN_VALIDATOR);
        validateValidityPeriod(validationReport, x509Certificate, date);
        validateRequiredExtensions(validationReport, validatorContext, x509Certificate, i);
        // A trust-store lookup failure is logged as INFO and defaults to Boolean.FALSE ("not trusted"), so
        // validation falls through to the revocation and chain checks instead of silently passing.
        if (!stopValidation(validationReport, validatorContext) && !((Boolean) SafeCalling.onExceptionLog(() -> {
            return Boolean.valueOf(checkIfCertIsTrusted(validationReport, validatorContext, x509Certificate));
        }, Boolean.FALSE, validationReport, exc -> {
            return new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, TRUSTSTORE_RETRIEVAL_FAILED, exc, ReportItem.ReportItemStatus.INFO);
        })).booleanValue()) {
            validateRevocationData(validationReport, validatorContext, x509Certificate, date);
            if (stopValidation(validationReport, validatorContext)) {
                return validationReport;
            }
            validateChain(validationReport, validatorContext, x509Certificate, date, i);
            return validationReport;
        }
        // Either the report is already INVALID and the policy says stop, or the certificate is a trust anchor
        // for this context: no revocation or issuer checks are performed.
        return validationReport;
    }

    /**
     * Decides whether {@code x509Certificate} is an accepted trust anchor for the current context.
     * <p>
     * A certificate whose source is already {@link CertificateSource#TRUSTED}, or which the trust store marks
     * as generally trusted, is accepted outright. A certificate trusted only for a purpose (CA, timestamp,
     * OCSP, CRL) is accepted when the context, or the chain of contexts it was reached through, matches that
     * purpose; otherwise an INFO item records the mismatch and the certificate is treated as untrusted.
     *
     * @return {@code true} if the certificate is trusted for this context and no further chain building is needed
     */
    private boolean checkIfCertIsTrusted(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate) {
        if (CertificateSource.TRUSTED == validationContext.getCertificateSource()) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED, new Object[]{x509Certificate.getSubjectX500Principal()}), ReportItem.ReportItemStatus.INFO));
            return true;
        }
        TrustedCertificatesStore trustedCertificatesStore = this.certificateRetriever.getTrustedCertificatesStore();
        if (trustedCertificatesStore.isCertificateGenerallyTrusted(x509Certificate)) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED, new Object[]{x509Certificate.getSubjectX500Principal()}), ReportItem.ReportItemStatus.INFO));
            return true;
        }
        // CA trust counts only while this certificate is being checked as the issuer of another one.
        if (trustedCertificatesStore.isCertificateTrustedForCA(x509Certificate)) {
            if (CertificateSource.CERT_ISSUER == validationContext.getCertificateSource()) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED, new Object[]{x509Certificate.getSubjectX500Principal()}), ReportItem.ReportItemStatus.INFO));
                return true;
            }
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, new Object[]{x509Certificate.getSubjectX500Principal(), "certificates generation"}), ReportItem.ReportItemStatus.INFO));
        }
        // Timestamp/OCSP/CRL trust is matched against any source in the context chain, not just the current one,
        // so an issuer reached from a timestamp certificate still counts as being in the timestamp context.
        if (trustedCertificatesStore.isCertificateTrustedForTimestamp(x509Certificate)) {
            if (ValidationContext.checkIfContextChainContainsCertificateSource(validationContext, CertificateSource.TIMESTAMP)) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED, new Object[]{x509Certificate.getSubjectX500Principal()}), ReportItem.ReportItemStatus.INFO));
                return true;
            }
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, new Object[]{x509Certificate.getSubjectX500Principal(), "timestamp generation"}), ReportItem.ReportItemStatus.INFO));
        }
        if (trustedCertificatesStore.isCertificateTrustedForOcsp(x509Certificate)) {
            if (ValidationContext.checkIfContextChainContainsCertificateSource(validationContext, CertificateSource.OCSP_ISSUER)) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED, new Object[]{x509Certificate.getSubjectX500Principal()}), ReportItem.ReportItemStatus.INFO));
                return true;
            }
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, new Object[]{x509Certificate.getSubjectX500Principal(), "OCSP response generation"}), ReportItem.ReportItemStatus.INFO));
        }
        // Not trusted for any applicable purpose: the caller falls through to issuer-chain validation.
        if (!trustedCertificatesStore.isCertificateTrustedForCrl(x509Certificate)) {
            return false;
        }
        if (ValidationContext.checkIfContextChainContainsCertificateSource(validationContext, CertificateSource.CRL_ISSUER)) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED, new Object[]{x509Certificate.getSubjectX500Principal()}), ReportItem.ReportItemStatus.INFO));
            return true;
        }
        validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(CERTIFICATE_TRUSTED_FOR_DIFFERENT_CONTEXT, new Object[]{x509Certificate.getSubjectX500Principal(), "CRL generation"}), ReportItem.ReportItemStatus.INFO));
        return false;
    }

    /**
     * Tells whether the walk should stop here: the report is already INVALID and the properties do not ask
     * to continue after a failure for this context.
     */
    private boolean stopValidation(ValidationReport validationReport, ValidationContext validationContext) {
        return !this.properties.getContinueAfterFailure(validationContext) && validationReport.getValidationResult() == ValidationReport.ValidationResult.INVALID;
    }

    /**
     * Checks that {@code date} lies within the certificate's validity window via
     * {@link X509Certificate#checkValidity(Date)}. Expiry, not-yet-valid and unexpected runtime failures are
     * all recorded as INVALID items under {@code VALIDITY_CHECK}; nothing is propagated.
     */
    private void validateValidityPeriod(ValidationReport validationReport, X509Certificate x509Certificate, Date date) {
        try {
            x509Certificate.checkValidity(date);
        } catch (RuntimeException e) {
            // Treated as INVALID rather than rethrown so a malformed certificate can never pass this check.
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, VALIDITY_CHECK, MessageFormatUtil.format(VALIDITY_PERIOD_CHECK_FAILED, new Object[]{x509Certificate.getSubjectX500Principal()}), e, ReportItem.ReportItemStatus.INVALID));
        } catch (CertificateExpiredException e2) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, VALIDITY_CHECK, MessageFormatUtil.format(EXPIRED_CERTIFICATE, new Object[]{x509Certificate.getSubjectX500Principal()}), e2, ReportItem.ReportItemStatus.INVALID));
        } catch (CertificateNotYetValidException e3) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, VALIDITY_CHECK, MessageFormatUtil.format(NOT_YET_VALID_CERTIFICATE, new Object[]{x509Certificate.getSubjectX500Principal()}), e3, ReportItem.ReportItemStatus.INVALID));
        }
    }

    /**
     * Verifies that every extension the properties require for this context is present in the certificate.
     * Each {@link DynamicCertificateExtension} is first told the current chain position {@code i}
     * (presumably for constraints whose expected value depends on chain length, such as a path length limit;
     * confirm in {@code DynamicCertificateExtension}). Every missing extension produces an INVALID item.
     */
    private void validateRequiredExtensions(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, int i) {
        List<CertificateExtension> requiredExtensions = this.properties.getRequiredExtensions(validationContext);
        // A null list means the properties impose no extension requirements for this context.
        if (requiredExtensions != null) {
            for (CertificateExtension certificateExtension : requiredExtensions) {
                if (certificateExtension instanceof DynamicCertificateExtension) {
                    ((DynamicCertificateExtension) certificateExtension).withCertificateChainSize(i);
                }
                if (!certificateExtension.existsInCertificate(x509Certificate)) {
                    validationReport.addReportItem(new CertificateReportItem(x509Certificate, EXTENSIONS_CHECK, MessageFormatUtil.format(EXTENSION_MISSING, new Object[]{certificateExtension.getMessage()}), ReportItem.ReportItemStatus.INVALID));
                }
            }
        }
    }

    /**
     * Delegates to the {@link RevocationDataValidator}. A runtime failure inside it (per the helper's name)
     * is recorded as an INDETERMINATE item, not INVALID, so an unreachable or broken revocation source does
     * not by itself fail the certificate.
     */
    private void validateRevocationData(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date) {
        SafeCalling.onRuntimeExceptionLog(() -> {
            this.revocationDataValidator.validate(validationReport, validationContext, x509Certificate, date);
        }, validationReport, exc -> {
            return new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, REVOCATION_VALIDATION_FAILED, exc, ReportItem.ReportItemStatus.INDETERMINATE);
        });
    }

    /**
     * Retrieves the candidate issuers of {@code x509Certificate}, verifies the certificate's signature against
     * each candidate's public key and recursively validates the candidate as a
     * {@link CertificateSource#CERT_ISSUER} at depth {@code i + 1}.
     * <p>
     * Every candidate is validated into its own report. The first candidate whose report is VALID is merged
     * into {@code validationReport} and the search ends; if none is valid, all candidate reports are merged so
     * the caller sees every failure. No issuer at all yields an INDETERMINATE item, as does a failure of the
     * retriever itself.
     */
    private void validateChain(ValidationReport validationReport, ValidationContext validationContext, X509Certificate x509Certificate, Date date, int i) {
        try {
            List<X509Certificate> retrieveIssuerCertificate = this.certificateRetriever.retrieveIssuerCertificate(x509Certificate);
            if (retrieveIssuerCertificate.isEmpty()) {
                validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(ISSUER_MISSING, new Object[]{x509Certificate.getSubjectX500Principal()}), ReportItem.ReportItemStatus.INDETERMINATE));
                return;
            }
            ValidationReport[] validationReportArr = new ValidationReport[retrieveIssuerCertificate.size()];
            for (int i2 = 0; i2 < retrieveIssuerCertificate.size(); i2++) {
                validationReportArr[i2] = new ValidationReport();
                try {
                    // verify(PublicKey) only proves the signature was made with this key. Whether the candidate
                    // may act as a CA is covered by the recursive call's required-extensions check, and only if
                    // the properties require such extensions for the CERT_ISSUER context.
                    x509Certificate.verify(retrieveIssuerCertificate.get(i2).getPublicKey());
                    // NOTE(review): no depth or cycle guard is visible here. Termination relies on the retriever
                    // never returning the certificate itself (self-signed) or a cyclic issuer, and on a trusted
                    // anchor or an empty result ending the walk — confirm in IssuingCertificateRetriever.
                    validate(validationReportArr[i2], validationContext.setCertificateSource(CertificateSource.CERT_ISSUER), retrieveIssuerCertificate.get(i2), date, i + 1);
                } catch (RuntimeException e) {
                    // A failure with one candidate rules out that candidate only; the loop moves on to the next.
                    validationReportArr[i2].addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(ISSUER_VERIFICATION_FAILED, new Object[]{retrieveIssuerCertificate.get(i2).getSubjectX500Principal(), x509Certificate.getSubjectX500Principal()}), e, ReportItem.ReportItemStatus.INVALID));
                } catch (GeneralSecurityException e2) {
                    validationReportArr[i2].addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, MessageFormatUtil.format(ISSUER_CANNOT_BE_VERIFIED, new Object[]{retrieveIssuerCertificate.get(i2).getSubjectX500Principal(), x509Certificate.getSubjectX500Principal()}), e2, ReportItem.ReportItemStatus.INVALID));
                }
                // First fully valid issuer path wins; the remaining candidates are not examined.
                if (validationReportArr[i2].getValidationResult() == ValidationReport.ValidationResult.VALID) {
                    validationReport.merge(validationReportArr[i2]);
                    return;
                }
            }
            // No candidate produced a VALID path: surface every candidate's findings.
            for (ValidationReport validationReport2 : validationReportArr) {
                validationReport.merge(validationReport2);
            }
        } catch (RuntimeException e3) {
            validationReport.addReportItem(new CertificateReportItem(x509Certificate, CERTIFICATE_CHECK, ISSUER_RETRIEVAL_FAILED, e3, ReportItem.ReportItemStatus.INDETERMINATE));
        }
    }
}
