package eu.europa.esig.dss.signature;

import eu.europa.esig.dss.model.signature.SignatureCryptographicVerification;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.exception.IllegalInputException;
import eu.europa.esig.dss.spi.signature.AdvancedSignature;
import eu.europa.esig.dss.spi.validation.CertificateVerifier;
import eu.europa.esig.dss.spi.validation.SignatureValidationContext;
import eu.europa.esig.dss.spi.validation.status.SignatureStatus;
import eu.europa.esig.dss.spi.validation.status.TokenStatus;
import eu.europa.esig.dss.utils.Utils;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/signature/SignatureRequirementsChecker.class */
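/**
 * Verifies that the preconditions for signature creation and augmentation are met:
 * validity range and revocation status of the signing-certificate, the level a
 * signature already has, the presence of a usable certificate chain, and the
 * cryptographic integrity of the signatures being augmented.
 *
 * <p>Most checks do not throw directly. They collect findings into a
 * {@link TokenStatus} or {@link SignatureStatus} and pass it to the corresponding
 * alert obtained from the {@link CertificateVerifier}. What that alert does with the
 * status (throw, log, ignore) is decided by the verifier's configuration and is not
 * visible in this class, so the strictness of every check depends on it.
 */
public class SignatureRequirementsChecker {
    private static final Logger LOG = LoggerFactory.getLogger(SignatureRequirementsChecker.class);

    /** Supplies the alerts that receive the findings and initialises the validation context. */
    protected final CertificateVerifier certificateVerifier;

    /** Supplies the signing date, certificate chain and the flags that switch checks on or off. */
    protected final AbstractSignatureParameters<?> signatureParameters;

    /**
     * Creates a checker bound to the given verifier and signature parameters.
     *
     * @param certificateVerifier source of the alerts used to report findings
     * @param abstractSignatureParameters parameters of the signature being created or augmented
     */
    public SignatureRequirementsChecker(CertificateVerifier certificateVerifier, AbstractSignatureParameters<?> abstractSignatureParameters) {
        this.certificateVerifier = certificateVerifier;
        this.signatureParameters = abstractSignatureParameters;
    }

    /**
     * Checks a signing-certificate before signature creation: not-yet-valid, expired, revoked.
     *
     * @param certificateToken the signing-certificate
     * @throws IllegalInputException if {@code certificateToken} is {@code null} and the
     *         validity-range checks are not bypassed by a deprecated parameter
     */
    public void assertSigningCertificateIsValid(CertificateToken certificateToken) {
        assertCertificatesAreYetValid(certificateToken);
        assertSigningCertificateIsNotExpired(certificateToken);
        assertCertificatesAreNotRevoked(certificateToken);
    }

    /**
     * Checks the signing-certificate of a single signature before augmentation.
     *
     * @param advancedSignature the signature whose signing-certificate is checked
     */
    public void assertSigningCertificateIsValid(AdvancedSignature advancedSignature) {
        assertSigningCertificateIsValid(Collections.singletonList(advancedSignature));
    }

    /**
     * Checks the signing-certificates of the given signatures before augmentation.
     * Signatures generated without a certificate (see
     * {@link #isSignatureGeneratedWithoutCertificate(AdvancedSignature)}) are left out of
     * the validity-range checks; if none remain, nothing is checked at all.
     *
     * @param collection the signatures to check
     * @throws IllegalInputException if a remaining signature has no signing-certificate token
     *         and the validity-range checks are not bypassed by a deprecated parameter
     */
    public void assertSigningCertificateIsValid(Collection<AdvancedSignature> collection) {
        List<AdvancedSignature> signaturesToCheck = collection.stream()
                .filter(signature -> !isSignatureGeneratedWithoutCertificate(signature))
                .collect(Collectors.toList());
        if (Utils.isCollectionEmpty(signaturesToCheck)) {
            return;
        }
        List<CertificateToken> signingCertificates = signaturesToCheck.stream()
                .map(AdvancedSignature::getSigningCertificateToken)
                .collect(Collectors.toList());
        assertCertificatesAreYetValid(signingCertificates, false);
        assertCertificatesAreNotExpired(signingCertificates, false);
        // NOTE(review): the revocation check receives the original, unfiltered collection,
        // so signatures skipped above are still added to the validation context.
        // Confirm this is intended before changing it.
        assertCertificatesAreNotRevoked(collection);
    }

    /**
     * Tells whether the signing-certificate checks are to be skipped for a signature:
     * true only when the parameters allow generation without a certificate AND the
     * signature's certificate source holds no certificate.
     */
    private boolean isSignatureGeneratedWithoutCertificate(AdvancedSignature advancedSignature) {
        // The parameter flag is evaluated first; the certificate source is only queried when it is set.
        if (!this.signatureParameters.isGenerateTBSWithoutCertificate()
                || advancedSignature.getCertificateSource().getNumberOfCertificates() != 0) {
            return false;
        }
        LOG.debug("Signature with Id '{}' has been generated without certificate. Validity of the signing-certificate is not checked.", advancedSignature.getId());
        return true;
    }

    /** Not-yet-valid check for a single certificate in the signature-creation context. */
    private void assertCertificatesAreYetValid(CertificateToken certificateToken) {
        assertCertificatesAreYetValid(Collections.singletonList(certificateToken), true);
    }

    /**
     * Reports certificates whose {@code notBefore} lies after the signing date to the
     * not-yet-valid alert of the {@link CertificateVerifier}.
     *
     * @param certificates the signing-certificates to check; an empty collection is a no-op
     * @param signatureCreation {@code true} selects the "creation" status message,
     *        {@code false} the "augmentation" one
     */
    private void assertCertificatesAreYetValid(Collection<CertificateToken> certificates, boolean signatureCreation) {
        if (Utils.isCollectionEmpty(certificates)) {
            return;
        }
        if (this.signatureParameters.isSignWithNotYetValidCertificate()) {
            // Deprecated bypass: the check is skipped entirely and the configured alert is
            // never consulted. Only this warning records that the check did not run.
            LOG.warn("Use of a deprecated parameter #signWithNotYetValidCertificate. Please configure instead #alertOnNotYetValidCertificate within CertificateVerifier.");
            return;
        }
        TokenStatus tokenStatus = new TokenStatus();
        for (CertificateToken certificate : certificates) {
            checkCertificateNotYetValid(certificate, tokenStatus);
        }
        if (tokenStatus.isEmpty()) {
            return;
        }
        tokenStatus.setMessage(signatureCreation ? "Error on signature creation." : "Error on signature augmentation.");
        this.certificateVerifier.getAlertOnNotYetValidCertificate().alert(tokenStatus);
    }

    /**
     * Adds an entry to {@code tokenStatus} when the certificate is not yet valid at signing time.
     *
     * @throws IllegalInputException if {@code certificateToken} is {@code null}
     */
    private void checkCertificateNotYetValid(CertificateToken certificateToken, TokenStatus tokenStatus) {
        if (certificateToken == null) {
            throw new IllegalInputException("Signing-certificate token was not found! Unable to verify its validity range. Provide signing-certificate or use method #setGenerateTBSWithoutCertificate(true) for signature creation without signing-certificate.");
        }
        if (isCertificateNotYetValid(certificateToken)) {
            tokenStatus.addRelatedTokenAndErrorMessage(certificateToken, String.format("The signing-certificate (notBefore : %s, notAfter : %s) is not yet valid at signing time %s!", DSSUtils.formatDateToRFC(certificateToken.getNotBefore()), DSSUtils.formatDateToRFC(certificateToken.getNotAfter()), DSSUtils.formatDateToRFC(this.signatureParameters.bLevel().getSigningDate())));
        }
    }

    /** Returns {@code true} when the claimed signing date is strictly before the certificate's {@code notBefore}. */
    private boolean isCertificateNotYetValid(CertificateToken certificateToken) {
        return this.signatureParameters.bLevel().getSigningDate().before(certificateToken.getNotBefore());
    }

    /** Expiration check for a single certificate in the signature-creation context. */
    private void assertSigningCertificateIsNotExpired(CertificateToken certificateToken) {
        assertCertificatesAreNotExpired(Collections.singletonList(certificateToken), true);
    }

    /**
     * Reports certificates whose {@code notAfter} lies before the signing date to the
     * expired-certificate alert of the {@link CertificateVerifier}.
     *
     * @param certificates the signing-certificates to check; an empty collection is a no-op
     * @param signatureCreation {@code true} selects the "creation" status message,
     *        {@code false} the "augmentation" one
     */
    private void assertCertificatesAreNotExpired(Collection<CertificateToken> certificates, boolean signatureCreation) {
        if (Utils.isCollectionEmpty(certificates)) {
            return;
        }
        if (this.signatureParameters.isSignWithExpiredCertificate()) {
            // Deprecated bypass: the check is skipped entirely and the configured alert is
            // never consulted. The warning names the parameter that is actually tested here
            // (it previously named #signWithNotYetValidCertificate, which misdirects anyone
            // auditing why an expired certificate was accepted).
            LOG.warn("Use of a deprecated parameter #signWithExpiredCertificate. Please configure instead #alertOnExpiredCertificate within CertificateVerifier.");
            return;
        }
        TokenStatus tokenStatus = new TokenStatus();
        for (CertificateToken certificate : certificates) {
            checkCertificateExpired(certificate, tokenStatus);
        }
        if (tokenStatus.isEmpty()) {
            return;
        }
        tokenStatus.setMessage(signatureCreation ? "Error on signature creation." : "Error on signature augmentation.");
        this.certificateVerifier.getAlertOnExpiredCertificate().alert(tokenStatus);
    }

    /**
     * Adds an entry to {@code tokenStatus} when the certificate is expired at signing time.
     *
     * @throws IllegalInputException if {@code certificateToken} is {@code null}
     */
    private void checkCertificateExpired(CertificateToken certificateToken, TokenStatus tokenStatus) {
        if (certificateToken == null) {
            throw new IllegalInputException("Signing-certificate token was not found! Unable to verify its validity range. Provide signing-certificate or use method #setGenerateTBSWithoutCertificate(true) for signature creation without signing-certificate.");
        }
        if (isCertificateExpired(certificateToken)) {
            tokenStatus.addRelatedTokenAndErrorMessage(certificateToken, String.format("The signing-certificate (notBefore : %s, notAfter : %s) is expired at signing time %s!", DSSUtils.formatDateToRFC(certificateToken.getNotBefore()), DSSUtils.formatDateToRFC(certificateToken.getNotAfter()), DSSUtils.formatDateToRFC(this.signatureParameters.bLevel().getSigningDate())));
        }
    }

    /** Returns {@code true} when the claimed signing date is strictly after the certificate's {@code notAfter}. */
    private boolean isCertificateExpired(CertificateToken certificateToken) {
        return this.signatureParameters.bLevel().getSigningDate().after(certificateToken.getNotAfter());
    }

    /**
     * Runs a revocation check on the signing-certificate at the signing date. Does nothing
     * unless {@code isCheckCertificateRevocation()} is set on the signature parameters.
     *
     * @throws NullPointerException if the check is enabled and no certificate chain is configured
     */
    private void assertCertificatesAreNotRevoked(CertificateToken certificateToken) {
        if (!this.signatureParameters.isCheckCertificateRevocation()) {
            return;
        }
        SignatureValidationContext validationContext = new SignatureValidationContext(this.signatureParameters.bLevel().getSigningDate());
        validationContext.initialize(this.certificateVerifier);
        List<CertificateToken> certificateChain = this.signatureParameters.getCertificateChain();
        if (Utils.isCollectionEmpty(certificateChain)) {
            // Exception type kept as-is: callers may already depend on it.
            throw new NullPointerException("Certificate chain shall be provided for a revocation check! Please use parameters.setCertificateChain(...) method to provide a certificate chain.");
        }
        validationContext.addCertificateTokenForVerification(certificateToken);
        for (CertificateToken chainCertificate : certificateChain) {
            validationContext.addCertificateTokenForVerification(chainCertificate);
        }
        validationContext.validate();
        validationContext.checkAllRequiredRevocationDataPresent();
        validationContext.checkCertificateNotRevoked(certificateToken);
    }

    /**
     * Runs a revocation check on the certificates of the given signatures at the signing
     * date. Does nothing unless {@code isCheckCertificateRevocation()} is set on the
     * signature parameters.
     */
    private void assertCertificatesAreNotRevoked(Collection<AdvancedSignature> signatures) {
        if (!this.signatureParameters.isCheckCertificateRevocation()) {
            return;
        }
        SignatureValidationContext validationContext = new SignatureValidationContext(this.signatureParameters.bLevel().getSigningDate());
        validationContext.initialize(this.certificateVerifier);
        for (AdvancedSignature signature : signatures) {
            validationContext.addSignatureForVerification(signature);
        }
        validationContext.validate();
        validationContext.checkAllRequiredRevocationDataPresent();
        validationContext.checkAllSignatureCertificatesNotRevoked();
    }

    /**
     * Checks that none of the signatures already has a level above T.
     *
     * @param list the signatures to be augmented to T-level
     */
    public void assertExtendToTLevelPossible(List<AdvancedSignature> list) {
        assertTLevelIsHighest(list);
    }

    /**
     * Reports every signature that already has LT-level or higher to the
     * higher-signature-level alert.
     *
     * @param list the signatures to check
     */
    protected void assertTLevelIsHighest(List<AdvancedSignature> list) {
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : list) {
            checkTLevelIsHighest(signature, signatureStatus);
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage("Error on signature augmentation to T-level.");
        this.certificateVerifier.getAugmentationAlertOnHigherSignatureLevel().alert(signatureStatus);
    }

    /**
     * Records the signature in {@code signatureStatus} when it has LT-level or higher.
     *
     * @param advancedSignature the signature to check
     * @param signatureStatus collector for the findings
     */
    protected void checkTLevelIsHighest(AdvancedSignature advancedSignature, SignatureStatus signatureStatus) {
        if (hasLTLevelOrHigher(advancedSignature)) {
            signatureStatus.addRelatedTokenAndErrorMessage(advancedSignature, "The signature is already extended with a higher level.");
        }
    }

    /**
     * Tells whether the signature has an LTA profile, or an LT or C profile combined with
     * a T profile and at least one certificate chain that is not self-signed.
     *
     * @param advancedSignature the signature to inspect
     * @return {@code true} if the signature is considered LT-level or higher
     */
    public boolean hasLTLevelOrHigher(AdvancedSignature advancedSignature) {
        return advancedSignature.hasLTAProfile() || ((advancedSignature.hasLTProfile() || advancedSignature.hasCProfile()) && !advancedSignature.areAllSelfSignedCertificates() && advancedSignature.hasTProfile());
    }

    /**
     * Checks that none of the signatures already has a level above LT.
     *
     * @param list the signatures to be augmented to LT-level
     */
    public void assertExtendToLTLevelPossible(List<AdvancedSignature> list) {
        assertLTLevelIsHighest(list);
    }

    /**
     * Reports every signature that already has LTA-level or higher to the
     * higher-signature-level alert.
     *
     * @param list the signatures to check
     */
    protected void assertLTLevelIsHighest(List<AdvancedSignature> list) {
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : list) {
            checkLTLevelIsHighest(signature, signatureStatus);
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage("Error on signature augmentation to LT-level.");
        this.certificateVerifier.getAugmentationAlertOnHigherSignatureLevel().alert(signatureStatus);
    }

    /**
     * Records the signature in {@code signatureStatus} when it has LTA-level or higher.
     *
     * @param advancedSignature the signature to check
     * @param signatureStatus collector for the findings
     */
    protected void checkLTLevelIsHighest(AdvancedSignature advancedSignature, SignatureStatus signatureStatus) {
        if (hasLTALevelOrHigher(advancedSignature)) {
            signatureStatus.addRelatedTokenAndErrorMessage(advancedSignature, "The signature is already extended with a higher level.");
        }
    }

    /**
     * Tells whether the signature has an LTA profile.
     *
     * @param advancedSignature the signature to inspect
     * @return the result of {@code hasLTAProfile()}
     */
    public boolean hasLTALevelOrHigher(AdvancedSignature advancedSignature) {
        return advancedSignature.hasLTAProfile();
    }

    /**
     * Checks that each signature carries certificates and not only self-signed chains,
     * reporting findings as an LT-level augmentation error.
     *
     * @param list the signatures to check
     */
    public void assertCertificateChainValidForLTLevel(List<AdvancedSignature> list) {
        assertCertificateChainValid(list, "LT");
    }

    /**
     * Checks that each signature carries certificates and not only self-signed chains,
     * reporting findings as a C-level augmentation error.
     *
     * @param list the signatures to check
     */
    public void assertCertificateChainValidForCLevel(List<AdvancedSignature> list) {
        assertCertificateChainValid(list, "C");
    }

    /**
     * Checks that each signature carries certificates and not only self-signed chains,
     * reporting findings as an XL-level augmentation error.
     *
     * @param list the signatures to check
     */
    public void assertCertificateChainValidForXLLevel(List<AdvancedSignature> list) {
        assertCertificateChainValid(list, "XL");
    }

    /** Runs the certificate-presence check, then the self-signed check, for the named target level. */
    private void assertCertificateChainValid(List<AdvancedSignature> signatures, String targetLevel) {
        assertCertificatePresent(signatures, targetLevel);
        assertCertificatesAreNotSelfSigned(signatures, targetLevel);
    }

    /** Reports signatures whose certificate source is empty to the signature-without-certificates alert. */
    private void assertCertificatePresent(List<AdvancedSignature> signatures, String targetLevel) {
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : signatures) {
            if (signature.getCertificateSource().getNumberOfCertificates() == 0) {
                signatureStatus.addRelatedTokenAndErrorMessage(signature, "The signature does not contain certificates.");
            }
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage(String.format("Error on signature augmentation to %s-level.", targetLevel));
        this.certificateVerifier.getAugmentationAlertOnSignatureWithoutCertificates().alert(signatureStatus);
    }

    /** Reports signatures that contain only self-signed certificate chains to the self-signed-chains alert. */
    private void assertCertificatesAreNotSelfSigned(List<AdvancedSignature> signatures, String targetLevel) {
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : signatures) {
            if (signature.areAllSelfSignedCertificates()) {
                signatureStatus.addRelatedTokenAndErrorMessage(signature, "The signature contains only self-signed certificate chains.");
            }
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage(String.format("Error on signature augmentation to %s-level.", targetLevel));
        this.certificateVerifier.getAugmentationAlertOnSelfSignedCertificateChains().alert(signatureStatus);
    }

    /**
     * Checks that none of the signatures already has a level above C.
     *
     * @param list the signatures to be augmented to C-level
     */
    public void assertExtendToCLevelPossible(List<AdvancedSignature> list) {
        assertCLevelIsHighest(list);
    }

    /**
     * Reports every signature that already has X-level or higher to the
     * higher-signature-level alert.
     *
     * @param list the signatures to check
     */
    protected void assertCLevelIsHighest(List<AdvancedSignature> list) {
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : list) {
            checkCLevelIsHighest(signature, signatureStatus);
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage("Error on signature augmentation to C-level.");
        this.certificateVerifier.getAugmentationAlertOnHigherSignatureLevel().alert(signatureStatus);
    }

    /**
     * Records the signature in {@code signatureStatus} when it has X-level or higher.
     *
     * @param advancedSignature the signature to check
     * @param signatureStatus collector for the findings
     */
    protected void checkCLevelIsHighest(AdvancedSignature advancedSignature, SignatureStatus signatureStatus) {
        if (hasXLevelOrHigher(advancedSignature)) {
            signatureStatus.addRelatedTokenAndErrorMessage(advancedSignature, "The signature is already extended with a higher level.");
        }
    }

    /**
     * Tells whether the signature has an X or A profile, or an XL profile combined with a
     * T profile and at least one certificate chain that is not self-signed.
     *
     * @param advancedSignature the signature to inspect
     * @return {@code true} if the signature is considered X-level or higher
     */
    public boolean hasXLevelOrHigher(AdvancedSignature advancedSignature) {
        return advancedSignature.hasXProfile() || advancedSignature.hasAProfile() || (advancedSignature.hasXLProfile() && !advancedSignature.areAllSelfSignedCertificates() && advancedSignature.hasTProfile());
    }

    /**
     * Checks that none of the signatures already has a level above X.
     *
     * @param list the signatures to be augmented to X-level
     */
    public void assertExtendToXLevelPossible(List<AdvancedSignature> list) {
        assertXLevelIsHighest(list);
    }

    /**
     * Reports every signature that already has XL-level or higher to the
     * higher-signature-level alert.
     *
     * @param list the signatures to check
     */
    protected void assertXLevelIsHighest(List<AdvancedSignature> list) {
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : list) {
            checkXLevelIsHighest(signature, signatureStatus);
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage("Error on signature augmentation to X-level.");
        this.certificateVerifier.getAugmentationAlertOnHigherSignatureLevel().alert(signatureStatus);
    }

    /**
     * Records the signature in {@code signatureStatus} when it has XL-level or higher.
     *
     * @param advancedSignature the signature to check
     * @param signatureStatus collector for the findings
     */
    protected void checkXLevelIsHighest(AdvancedSignature advancedSignature, SignatureStatus signatureStatus) {
        if (hasXLLevelOrHigher(advancedSignature)) {
            signatureStatus.addRelatedTokenAndErrorMessage(advancedSignature, "The signature is already extended with a higher level.");
        }
    }

    /**
     * Tells whether the signature has an A profile, or an XL profile combined with T and
     * X profiles and at least one certificate chain that is not self-signed.
     *
     * @param advancedSignature the signature to inspect
     * @return {@code true} if the signature is considered XL-level or higher
     */
    public boolean hasXLLevelOrHigher(AdvancedSignature advancedSignature) {
        return advancedSignature.hasAProfile() || (advancedSignature.hasXLProfile() && !advancedSignature.areAllSelfSignedCertificates() && advancedSignature.hasTProfile() && advancedSignature.hasXProfile());
    }

    /**
     * Checks that none of the signatures already has a level above XL.
     *
     * @param list the signatures to be augmented to XL-level
     */
    public void assertExtendToXLLevelPossible(List<AdvancedSignature> list) {
        assertXLLevelIsHighest(list);
    }

    /**
     * Reports every signature that already has A-level or higher to the
     * higher-signature-level alert.
     *
     * @param list the signatures to check
     */
    protected void assertXLLevelIsHighest(List<AdvancedSignature> list) {
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : list) {
            checkXLLevelIsHighest(signature, signatureStatus);
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage("Error on signature augmentation to XL-level.");
        this.certificateVerifier.getAugmentationAlertOnHigherSignatureLevel().alert(signatureStatus);
    }

    /**
     * Records the signature in {@code signatureStatus} when it has A-level or higher.
     *
     * @param advancedSignature the signature to check
     * @param signatureStatus collector for the findings
     */
    protected void checkXLLevelIsHighest(AdvancedSignature advancedSignature, SignatureStatus signatureStatus) {
        if (hasALevelOrHigher(advancedSignature)) {
            signatureStatus.addRelatedTokenAndErrorMessage(advancedSignature, "The signature is already extended with a higher level.");
        }
    }

    /**
     * Delegates to {@link #hasLTALevelOrHigher(AdvancedSignature)}.
     *
     * @param advancedSignature the signature to inspect
     * @return {@code true} if the signature has an LTA profile
     */
    public boolean hasALevelOrHigher(AdvancedSignature advancedSignature) {
        return hasLTALevelOrHigher(advancedSignature);
    }

    /**
     * Reports signatures whose cryptographic verification is not intact to the
     * invalid-signature alert. Signatures generated without a certificate (see
     * {@link #isSignatureGeneratedWithoutCertificate(AdvancedSignature)}) are not
     * verified here; if none remain, nothing is checked.
     *
     * @param collection the signatures about to be augmented
     */
    public void assertSignaturesValid(Collection<AdvancedSignature> collection) {
        List<AdvancedSignature> signaturesToCheck = collection.stream()
                .filter(signature -> !isSignatureGeneratedWithoutCertificate(signature))
                .collect(Collectors.toList());
        if (Utils.isCollectionEmpty(signaturesToCheck)) {
            return;
        }
        SignatureStatus signatureStatus = new SignatureStatus();
        for (AdvancedSignature signature : signaturesToCheck) {
            SignatureCryptographicVerification verification = signature.getSignatureCryptographicVerification();
            if (!verification.isSignatureIntact()) {
                String errorMessage = verification.getErrorMessage();
                // A missing error message must not turn a failed verification into an
                // unrelated NullPointerException that never reaches the alert.
                boolean noDetail = errorMessage == null || errorMessage.isEmpty();
                signatureStatus.addRelatedTokenAndErrorMessage(signature, "Cryptographic signature verification has failed" + (noDetail ? "." : " / " + errorMessage));
            }
        }
        if (signatureStatus.isEmpty()) {
            return;
        }
        signatureStatus.setMessage("Error on signature augmentation.");
        this.certificateVerifier.getAlertOnInvalidSignature().alert(signatureStatus);
    }
}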
