package be.fedict.trust;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import org.bouncycastle.x509.extension.X509ExtensionUtil;

/* loaded from: input_file:be/fedict/trust/PublicKeyTrustLinker.class */
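public class PublicKeyTrustLinker implements TrustLinker {
    private static final Log LOG = LogFactory.getLog(PublicKeyTrustLinker.class);

    /**
     * Checks whether {@code certificate} is an acceptable issuer of
     * {@code childCertificate} on {@code validationDate}: issuer/subject names
     * match, the child signature verifies with the issuer's public key, the
     * child is within its validity interval, the issuer is a CA whose basic
     * constraints allow the child, and the subject/authority key identifiers
     * agree when both are present.
     *
     * @param childCertificate the certificate whose issuer is being checked
     * @param certificate      the candidate issuer certificate
     * @param validationDate   the moment at which the child must be valid
     * @param revocationData   not consulted by this linker
     * @return {@code null} when this linker raises no objection to the link
     *         (it never produces a positive result itself), otherwise a
     *         {@link TrustLinkerResult} with {@code valid == false} and the
     *         reason for the rejection
     */
    @Override
    public TrustLinkerResult hasTrustLink(X509Certificate childCertificate, X509Certificate certificate, Date validationDate, RevocationData revocationData) {
        if (!childCertificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) {
            LOG.debug("child certificate issuer not the same as the issuer certificate subject");
            LOG.debug("child certificate: " + childCertificate.getSubjectX500Principal());
            LOG.debug("certificate: " + certificate.getSubjectX500Principal());
            LOG.debug("child certificate issuer: " + childCertificate.getIssuerX500Principal());
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "child certificate issuer not the same as the issuer certificate subject");
        }
        // Guard only the signature verification: a failure in one of the
        // later checks must not be reported as INVALID_SIGNATURE.
        try {
            childCertificate.verify(certificate.getPublicKey());
        } catch (Exception e) {
            // verify() declares several GeneralSecurityException subtypes and a
            // provider may throw unchecked exceptions; every one of them means
            // the signature could not be established, so fail closed.
            LOG.debug("verification error: " + e.getMessage(), e);
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_SIGNATURE, "verification error: " + e.getMessage());
        }
        warnOnValidityMismatch(childCertificate, certificate);
        if (validationDate.before(childCertificate.getNotBefore())) {
            LOG.debug("certificate is not yet valid");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "certificate is not yet valid");
        }
        if (validationDate.after(childCertificate.getNotAfter())) {
            LOG.debug("certificate already expired");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "certificate already expired");
        }
        TrustLinkerResult basicConstraintsResult = checkBasicConstraints(childCertificate, certificate);
        if (null != basicConstraintsResult) {
            return basicConstraintsResult;
        }
        return checkKeyIdentifiers(childCertificate, certificate);
    }

    /**
     * Logs a warning when the child's validity interval is not nested inside
     * the issuer's. This is informational only; it does not reject the link.
     */
    private static void warnOnValidityMismatch(X509Certificate childCertificate, X509Certificate certificate) {
        if (childCertificate.getNotAfter().after(certificate.getNotAfter())) {
            LOG.warn("child certificate validity end is after certificate validity end");
            LOG.warn("child certificate validity end: " + childCertificate.getNotAfter());
            LOG.warn("certificate validity end: " + certificate.getNotAfter());
        }
        if (childCertificate.getNotBefore().before(certificate.getNotBefore())) {
            LOG.warn("child certificate validity begin before certificate validity begin");
            LOG.warn("child certificate validity begin: " + childCertificate.getNotBefore());
            LOG.warn("certificate validity begin: " + certificate.getNotBefore());
        }
    }

    /**
     * Checks the issuer's basic constraints against the child.
     *
     * @return {@code null} when acceptable, otherwise an INVALID_TRUST result
     */
    private static TrustLinkerResult checkBasicConstraints(X509Certificate childCertificate, X509Certificate certificate) {
        // getBasicConstraints() returns -1 when the certificate is not a CA,
        // otherwise the path length constraint (Integer.MAX_VALUE if unbounded).
        int pathLength = certificate.getBasicConstraints();
        if (-1 == pathLength) {
            LOG.debug("certificate not a CA");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "certificate not a CA");
        }
        // A path length of 0 means the issuer may only sign end-entity
        // certificates. Larger limits are not enforced here: this linker sees
        // a single parent/child pair, not the full chain depth.
        if (0 == pathLength && -1 != childCertificate.getBasicConstraints()) {
            LOG.debug("child should not be a CA");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "child should not be a CA");
        }
        return null;
    }

    /**
     * Requires a Subject Key Identifier on a CA issuer and an Authority Key
     * Identifier on a CA child, and, when both are present, requires the two
     * key identifiers to be byte-for-byte equal.
     *
     * @return {@code null} when acceptable (including when either identifier is
     *         absent and not required), otherwise an INVALID_TRUST result
     */
    private static TrustLinkerResult checkKeyIdentifiers(X509Certificate childCertificate, X509Certificate certificate) {
        boolean certificateIsCa = isCa(certificate);
        boolean childIsCa = isCa(childCertificate);
        byte[] subjectKeyIdentifierValue = certificate.getExtensionValue(X509Extensions.SubjectKeyIdentifier.getId());
        byte[] authorityKeyIdentifierValue = childCertificate.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
        if (certificateIsCa && null == subjectKeyIdentifierValue) {
            LOG.debug("certificate is CA and MUST contain a Subject Key Identifier");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "certificate is CA and  MUST contain a Subject Key Identifier");
        }
        if (childIsCa && null == authorityKeyIdentifierValue) {
            LOG.debug("child certificate is CA and MUST contain an Authority Key Identifier");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "child certificate is CA and MUST contain an Authority Key Identifier");
        }
        if (null == subjectKeyIdentifierValue || null == authorityKeyIdentifierValue) {
            return null;
        }
        // Parse each structure separately so a malformed AKI is reported as
        // such rather than as a subject key identifier problem.
        byte[] subjectKeyIdentifier;
        try {
            subjectKeyIdentifier = new SubjectKeyIdentifierStructure(subjectKeyIdentifierValue).getKeyIdentifier();
        } catch (IOException e) {
            LOG.debug("Error parsing subject key identifier structure");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "Error parsing subject key identifier structure");
        }
        byte[] authorityKeyIdentifier;
        try {
            authorityKeyIdentifier = new AuthorityKeyIdentifierStructure(authorityKeyIdentifierValue).getKeyIdentifier();
        } catch (IOException e) {
            LOG.debug("Error parsing authority key identifier structure");
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "Error parsing authority key identifier structure");
        }
        // Arrays.equals handles a missing keyIdentifier (null) as a mismatch,
        // so an AKI that carries only issuer/serial fails closed here.
        if (Arrays.equals(subjectKeyIdentifier, authorityKeyIdentifier)) {
            return null;
        }
        LOG.debug("certificate's subject key identifier does not match child certificate's authority key identifier");
        return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST, "certificate's subject key identifier does not match child certificate's authority key identifier");
    }

    /**
     * Reads the cA flag from the BasicConstraints extension via BouncyCastle.
     * This is a second view on the same extension as
     * {@link X509Certificate#getBasicConstraints()} and is used only to decide
     * whether SKI/AKI extensions are mandatory.
     *
     * @return {@code true} if the extension is present, decodes to a sequence
     *         and asserts cA; {@code false} otherwise (including decode errors)
     */
    private static boolean isCa(X509Certificate certificate) {
        byte[] extensionValue = certificate.getExtensionValue(X509Extensions.BasicConstraints.getId());
        if (null == extensionValue) {
            return false;
        }
        try {
            ASN1Object extension = X509ExtensionUtil.fromExtensionValue(extensionValue);
            if (extension instanceof ASN1Sequence) {
                return new BasicConstraints((ASN1Sequence) extension).isCA();
            }
            LOG.debug("basic constraints extension is not an ASN1 sequence");
            return false;
        } catch (IOException e) {
            // Undecodable extension: treat as "not a CA" rather than aborting.
            LOG.error("IO error", e);
            return false;
        }
    }
}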
