package eu.europa.esig.dss.signature;

import eu.europa.esig.dss.AbstractSignatureParameters;
import eu.europa.esig.dss.exception.IllegalInputException;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.AdvancedSignature;
import eu.europa.esig.dss.validation.CertificateVerifier;
import eu.europa.esig.dss.validation.SignatureValidationContext;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/signature/SignatureRequirementsChecker.class */
/**
 * Pre-signing gate that checks the signing certificate against the requirements
 * enabled in the signature parameters: validity range at the configured signing
 * date and, when requested, revocation status.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Every check here is controlled by a flag on the signature parameters. The
 *       "not yet valid" and "expired" checks are skipped when their bypass flag is
 *       set, and revocation is checked only when
 *       {@code isCheckCertificateRevocation()} returns {@code true}. The defaults of
 *       these flags are defined in {@code AbstractSignatureParameters}, which is not
 *       shown here; confirm them before relying on this class as an enforcement
 *       point.</li>
 *   <li>The reference time for all checks is {@code bLevel().getSigningDate()} from
 *       the parameters, i.e. a configured value rather than a clock read by this
 *       class.</li>
 *   <li>The outcome of the revocation checks is decided inside
 *       {@code SignatureValidationContext} using the supplied
 *       {@code CertificateVerifier}; how a missing or negative result is reported
 *       (exception, log, ...) is not visible in this file.</li>
 * </ul>
 */
public class SignatureRequirementsChecker {
    private static final Logger LOG = LoggerFactory.getLogger(SignatureRequirementsChecker.class);
    private final CertificateVerifier certificateVerifier;
    private final AbstractSignatureParameters<?> signatureParameters;

    /**
     * Creates a checker bound to one verifier and one set of signature parameters.
     *
     * @param certificateVerifier verifier handed to the validation context for revocation checks
     * @param abstractSignatureParameters parameters carrying the flags, the signing date and the
     *        certificate chain consulted by the checks
     */
    public SignatureRequirementsChecker(CertificateVerifier certificateVerifier, AbstractSignatureParameters<?> abstractSignatureParameters) {
        this.certificateVerifier = certificateVerifier;
        this.signatureParameters = abstractSignatureParameters;
    }

    /**
     * Runs the validity-range and revocation checks on a signing certificate.
     *
     * @param certificateToken the signing certificate; may be {@code null} only if both
     *        validity bypass flags are set
     * @throws IllegalInputException if the token is {@code null} while a validity check is active
     * @throws IllegalArgumentException if the signing date lies outside the certificate's validity range
     * @throws NullPointerException if revocation checking is enabled and no certificate chain is configured
     */
    public void assertSigningCertificateIsValid(CertificateToken certificateToken) {
        assertSigningCertificateIsYetValid(certificateToken);
        assertSigningCertificateIsNotExpired(certificateToken);
        assertCertificatesAreNotRevoked(certificateToken);
    }

    /**
     * Runs the validity-range and revocation checks on the signing certificate of an
     * existing signature.
     *
     * <p>No check at all is performed when the parameters allow generation without a
     * certificate and the signature's certificate source is empty; that path only
     * logs at debug level.
     *
     * @param advancedSignature the signature whose signing certificate is examined
     * @throws IllegalInputException if no signing certificate token is found while a validity check is active
     * @throws IllegalArgumentException if the signing date lies outside the certificate's validity range
     */
    public void assertSigningCertificateIsValid(AdvancedSignature advancedSignature) {
        // The flag is evaluated first so the certificate source is only queried when it matters.
        boolean generatedWithoutCertificate = this.signatureParameters.isGenerateTBSWithoutCertificate()
                && advancedSignature.getCertificateSource().getNumberOfCertificates() == 0;
        if (!generatedWithoutCertificate) {
            CertificateToken signer = advancedSignature.getSigningCertificateToken();
            assertSigningCertificateIsYetValid(signer);
            assertSigningCertificateIsNotExpired(signer);
            assertCertificatesAreNotRevoked(advancedSignature);
        } else {
            LOG.debug("Signature has been generated without certificate. Validity of the signing-certificate is not checked.");
        }
    }

    /**
     * Rejects a signing date that precedes the certificate's notBefore.
     * The comparison is strict: a signing date equal to notBefore is accepted.
     * With the bypass flag set, the method returns before the null check, so a
     * missing token is tolerated as well.
     */
    private void assertSigningCertificateIsYetValid(CertificateToken certificateToken) {
        if (!this.signatureParameters.isSignWithNotYetValidCertificate()) {
            if (certificateToken == null) {
                throw new IllegalInputException("Signing certificate token was not found! Unable to verify its validity range. Use method setSignWithNotYetValidCertificate(true) to skip the check.");
            }
            Date validFrom = certificateToken.getNotBefore();
            Date validUntil = certificateToken.getNotAfter();
            Date signingTime = this.signatureParameters.bLevel().getSigningDate();
            if (signingTime.before(validFrom)) {
                throw validityRangeViolation(
                        "The signing certificate (notBefore : %s, notAfter : %s) is not yet valid at signing time %s! Change signing certificate or use method setSignWithNotYetValidCertificate(true).",
                        validFrom, validUntil, signingTime);
            }
        }
    }

    /**
     * Rejects a signing date that follows the certificate's notAfter.
     * The comparison is strict: a signing date equal to notAfter is accepted.
     * With the bypass flag set, the method returns before the null check, so a
     * missing token is tolerated as well.
     */
    private void assertSigningCertificateIsNotExpired(CertificateToken certificateToken) {
        if (!this.signatureParameters.isSignWithExpiredCertificate()) {
            if (certificateToken == null) {
                throw new IllegalInputException("Signing certificate token was not found! Unable to verify its validity range. Use method setSignWithExpiredCertificate(true) to skip the check.");
            }
            Date validFrom = certificateToken.getNotBefore();
            Date validUntil = certificateToken.getNotAfter();
            Date signingTime = this.signatureParameters.bLevel().getSigningDate();
            if (signingTime.after(validUntil)) {
                throw validityRangeViolation(
                        "The signing certificate (notBefore : %s, notAfter : %s) is expired at signing time %s! Change signing certificate or use method setSignWithExpiredCertificate(true).",
                        validFrom, validUntil, signingTime);
            }
        }
    }

    /**
     * Revocation check for a bare certificate token. The signing certificate and every
     * certificate of the configured chain are submitted for verification, but only the
     * signing certificate is passed to {@code checkCertificateNotRevoked}.
     */
    private void assertCertificatesAreNotRevoked(CertificateToken certificateToken) {
        if (!this.signatureParameters.isCheckCertificateRevocation()) {
            return;
        }
        SignatureValidationContext context = newValidationContext();
        List<CertificateToken> chain = this.signatureParameters.getCertificateChain();
        if (Utils.isCollectionEmpty(chain)) {
            // Exception type kept as-is: callers may already depend on it.
            throw new NullPointerException("Certificate chain shall be provided for a revocation check! Please use parameters.setCertificateChain(...) method to provide a certificate chain.");
        }
        context.addCertificateTokenForVerification(certificateToken);
        for (CertificateToken chainCertificate : chain) {
            context.addCertificateTokenForVerification(chainCertificate);
        }
        context.validate();
        context.checkAllRequiredRevocationDataPresent();
        context.checkCertificateNotRevoked(certificateToken);
    }

    /**
     * Revocation check for an existing signature; the certificates to examine are taken
     * from the signature itself rather than from the configured chain.
     */
    private void assertCertificatesAreNotRevoked(AdvancedSignature advancedSignature) {
        if (!this.signatureParameters.isCheckCertificateRevocation()) {
            return;
        }
        SignatureValidationContext context = newValidationContext();
        context.addSignatureForVerification(advancedSignature);
        context.validate();
        context.checkAllRequiredRevocationDataPresent();
        context.checkCertificatesNotRevoked(advancedSignature);
    }

    /** Builds a validation context bound to the verifier and pinned to the configured signing date. */
    private SignatureValidationContext newValidationContext() {
        SignatureValidationContext context = new SignatureValidationContext();
        context.initialize(this.certificateVerifier);
        context.setCurrentTime(this.signatureParameters.bLevel().getSigningDate());
        return context;
    }

    /** Formats the three dates into the given template and wraps the text in the exception to throw. */
    private static IllegalArgumentException validityRangeViolation(String template, Date validFrom, Date validUntil, Date signingTime) {
        return new IllegalArgumentException(String.format(template, DSSUtils.formatDateToRFC(validFrom), DSSUtils.formatDateToRFC(validUntil), DSSUtils.formatDateToRFC(signingTime)));
    }
}
