package eu.europa.esig.dss.validation;

import eu.europa.esig.dss.enumerations.RevocationReason;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.model.x509.Token;
import eu.europa.esig.dss.model.x509.X500PrincipalHelper;
import eu.europa.esig.dss.model.x509.revocation.crl.CRL;
import eu.europa.esig.dss.model.x509.revocation.ocsp.OCSP;
import eu.europa.esig.dss.spi.CertificateExtensionsUtils;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.AlternateUrlsSourceAdapter;
import eu.europa.esig.dss.spi.x509.CertificateRef;
import eu.europa.esig.dss.spi.x509.CertificateReorderer;
import eu.europa.esig.dss.spi.x509.CertificateSource;
import eu.europa.esig.dss.spi.x509.CertificateValidity;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.spi.x509.ListCertificateSource;
import eu.europa.esig.dss.spi.x509.ResponderId;
import eu.europa.esig.dss.spi.x509.TokenIssuerSelector;
import eu.europa.esig.dss.spi.x509.aia.AIASource;
import eu.europa.esig.dss.spi.x509.revocation.ListRevocationSource;
import eu.europa.esig.dss.spi.x509.revocation.OfflineRevocationSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationCertificateSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationSource;
import eu.europa.esig.dss.spi.x509.revocation.RevocationSourceAlternateUrlsSupport;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;
import eu.europa.esig.dss.spi.x509.tsp.TimestampToken;
import eu.europa.esig.dss.spi.x509.tsp.TimestampedReference;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.evidencerecord.EvidenceRecord;
import eu.europa.esig.dss.validation.status.RevocationFreshnessStatus;
import eu.europa.esig.dss.validation.status.SignatureStatus;
import eu.europa.esig.dss.validation.status.TokenStatus;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/validation/SignatureValidationContext.class */
public class SignatureValidationContext implements ValidationContext {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SignatureValidationContext.class);
    private CertificateVerifier certificateVerifier;
    private AIASource aiaSource;
    private RevocationSource<OCSP> remoteOCSPSource;
    private RevocationSource<CRL> remoteCRLSource;
    private RevocationDataLoadingStrategyFactory revocationDataLoadingStrategyFactory;
    private RevocationDataVerifier revocationDataVerifier;
    private boolean revocationFallback;
    private ListCertificateSource trustedCertSources;
    private ListCertificateSource adjunctCertSources;
    private boolean checkRevocationForUntrustedChains;
    private boolean extractPOEFromUntrustedChains;
    private final Set<CertificateToken> processedCertificates = new HashSet();
    private final Set<RevocationToken<?>> processedRevocations = new HashSet();
    private final Set<TimestampToken> processedTimestamps = new HashSet();
    private final Map<Token, Boolean> tokensToProcess = new HashMap();
    private final Map<CertificateToken, Date> bestSignatureTimeCertChainDates = new HashMap();
    private final Map<CertificateToken, Date> lastTimestampCertChainDates = new HashMap();
    private final Map<String, List<POE>> poeTimes = new HashMap();
    private final Map<Token, CertificateToken> tokenIssuerMap = new HashMap();
    private final ListCertificateSource documentCertificateSource = new ListCertificateSource();
    private final ListRevocationSource<CRL> documentCRLSource = new ListRevocationSource<>();
    private final ListRevocationSource<OCSP> documentOCSPSource = new ListRevocationSource<>();
    private final ListCertificateSource aiaCertificateSources = new ListCertificateSource();
    private final ListCertificateSource revocationCertificateSources = new ListCertificateSource();
    protected Date currentTime = new Date();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:eu/europa/esig/dss/validation/SignatureValidationContext$POE.class */
    public static class POE {
        private final Date time;
        private TimestampToken timestampToken;

        public POE(Date date) {
            this.time = date;
        }

        public POE(TimestampToken timestampToken) {
            this.timestampToken = timestampToken;
            this.time = timestampToken.getCreationDate();
        }

        public Date getTime() {
            return this.time;
        }

        public TimestampToken getTimestampToken() {
            return this.timestampToken;
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void initialize(CertificateVerifier certificateVerifier) {
        Objects.requireNonNull(certificateVerifier, "CertificateVerifier cannot be null!");
        this.certificateVerifier = certificateVerifier;
        this.remoteCRLSource = certificateVerifier.getCrlSource();
        this.remoteOCSPSource = certificateVerifier.getOcspSource();
        this.aiaSource = certificateVerifier.getAIASource();
        this.adjunctCertSources = certificateVerifier.getAdjunctCertSources();
        this.trustedCertSources = certificateVerifier.getTrustedCertSources();
        this.checkRevocationForUntrustedChains = certificateVerifier.isCheckRevocationForUntrustedChains();
        this.extractPOEFromUntrustedChains = certificateVerifier.isExtractPOEFromUntrustedChains();
        this.revocationDataLoadingStrategyFactory = certificateVerifier.getRevocationDataLoadingStrategyFactory();
        this.revocationDataVerifier = certificateVerifier.getRevocationDataVerifier();
        this.revocationDataVerifier.setTrustedCertificateSource(this.trustedCertSources);
        this.revocationFallback = certificateVerifier.isRevocationFallback();
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addSignatureForVerification(AdvancedSignature advancedSignature) {
        addDocumentCertificateSource(advancedSignature.getCertificateSource());
        addDocumentCRLSource(advancedSignature.getCRLSource());
        addDocumentOCSPSource(advancedSignature.getOCSPSource());
        registerPOE(advancedSignature.getId(), this.currentTime);
        CertificateToken signingCertificateToken = advancedSignature.getSigningCertificateToken();
        if (signingCertificateToken != null) {
            addCertificateTokenForVerification(signingCertificateToken);
        } else {
            List<CertificateValidity> certificateValidityList = advancedSignature.getCandidatesForSigningCertificate().getCertificateValidityList();
            if (Utils.isCollectionNotEmpty(certificateValidityList)) {
                for (CertificateValidity certificateValidity : certificateValidityList) {
                    if (certificateValidity.isValid() && certificateValidity.getCertificateToken() != null) {
                        addCertificateTokenForVerification(certificateValidity.getCertificateToken());
                    }
                }
            }
        }
        prepareTimestamps(advancedSignature.getAllTimestamps());
        Iterator<EvidenceRecord> it = advancedSignature.getAllEvidenceRecords().iterator();
        while (it.hasNext()) {
            addEvidenceRecordForVerification(it.next());
        }
        registerBestSignatureTime(advancedSignature);
        prepareCounterSignatures(advancedSignature.getCounterSignatures());
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addDocumentCertificateSource(CertificateSource certificateSource) {
        addCertificateSource(this.documentCertificateSource, certificateSource);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addDocumentCertificateSource(ListCertificateSource listCertificateSource) {
        Iterator<CertificateSource> it = listCertificateSource.getSources().iterator();
        while (it.hasNext()) {
            addDocumentCertificateSource(it.next());
        }
    }

    private void addCertificateSource(ListCertificateSource listCertificateSource, CertificateSource certificateSource) {
        listCertificateSource.add(certificateSource);
        ListCertificateSource allCertificateSources = getAllCertificateSources();
        for (CertificateToken certificateToken : certificateSource.getCertificates()) {
            Iterator<CertificateToken> it = allCertificateSources.getByPublicKey(certificateToken.getPublicKey()).iterator();
            while (it.hasNext()) {
                if (!certificateToken.getDSSIdAsString().equals(it.next().getDSSIdAsString())) {
                    addCertificateTokenForVerification(certificateToken);
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addDocumentCRLSource(OfflineRevocationSource<CRL> offlineRevocationSource) {
        this.documentCRLSource.add(offlineRevocationSource);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addDocumentCRLSource(ListRevocationSource<CRL> listRevocationSource) {
        this.documentCRLSource.addAll(listRevocationSource);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addDocumentOCSPSource(OfflineRevocationSource<OCSP> offlineRevocationSource) {
        this.documentOCSPSource.add(offlineRevocationSource);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addDocumentOCSPSource(ListRevocationSource<OCSP> listRevocationSource) {
        this.documentOCSPSource.addAll(listRevocationSource);
    }

    private void prepareTimestamps(List<TimestampToken> list) {
        Iterator<TimestampToken> it = list.iterator();
        while (it.hasNext()) {
            addTimestampTokenForVerification(it.next());
        }
    }

    private void registerBestSignatureTime(AdvancedSignature advancedSignature) {
        CertificateToken signingCertificateToken = advancedSignature.getSigningCertificateToken();
        if (signingCertificateToken != null) {
            Date bestSignatureTime = getBestSignatureTime(advancedSignature);
            if (bestSignatureTime == null) {
                bestSignatureTime = this.currentTime;
            }
            for (CertificateToken certificateToken : toCertificateTokenChain(getCertChain(signingCertificateToken))) {
                Date date = this.bestSignatureTimeCertChainDates.get(certificateToken);
                if (date == null || bestSignatureTime.after(date)) {
                    this.bestSignatureTimeCertChainDates.put(certificateToken, bestSignatureTime);
                }
            }
        }
    }

    private Date getBestSignatureTime(AdvancedSignature advancedSignature) {
        Date date = null;
        for (POE poe : this.poeTimes.get(advancedSignature.getId())) {
            if (date == null || date.after(poe.getTime())) {
                date = poe.getTime();
            }
        }
        return date;
    }

    private void prepareCounterSignatures(List<AdvancedSignature> list) {
        Iterator<AdvancedSignature> it = list.iterator();
        while (it.hasNext()) {
            addSignatureForVerification(it.next());
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Date getCurrentTime() {
        return this.currentTime;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void setCurrentTime(Date date) {
        Objects.requireNonNull(date);
        this.currentTime = date;
    }

    private Token getNotYetVerifiedToken() {
        synchronized (this.tokensToProcess) {
            for (Map.Entry<Token, Boolean> entry : this.tokensToProcess.entrySet()) {
                if (entry.getValue() == null) {
                    entry.setValue(true);
                    return entry.getKey();
                }
            }
            return null;
        }
    }

    private TimestampToken getNotYetVerifiedTimestamp() {
        synchronized (this.tokensToProcess) {
            for (Map.Entry<Token, Boolean> entry : this.tokensToProcess.entrySet()) {
                if (entry.getValue() == null && (entry.getKey() instanceof TimestampToken)) {
                    entry.setValue(true);
                    return (TimestampToken) entry.getKey();
                }
            }
            return null;
        }
    }

    private Map<CertificateToken, List<CertificateToken>> getOrderedCertificateChains() {
        return new CertificateReorderer(this.processedCertificates).getOrderedCertificateChains();
    }

    /* JADX WARN: Multi-variable type inference failed */
    private List<Token> getCertChain(Token token) {
        LinkedList linkedList = new LinkedList();
        CertificateToken certificateToken = token;
        do {
            linkedList.add(certificateToken);
            certificateToken = getIssuer(certificateToken);
            if (certificateToken == null) {
                break;
            }
        } while (!linkedList.contains(certificateToken));
        return linkedList;
    }

    private CertificateToken getIssuer(Token token) {
        CertificateToken issuerFromProcessedCertificates = getIssuerFromProcessedCertificates(token);
        if (issuerFromProcessedCertificates != null) {
            return issuerFromProcessedCertificates;
        }
        Set<CertificateToken> emptySet = Collections.emptySet();
        if (!this.tokenIssuerMap.containsKey(token)) {
            if (token instanceof OCSPToken) {
                emptySet = getIssuersFromSource(token, ((OCSPToken) token).getCertificateSource());
            }
            if (token instanceof TimestampToken) {
                emptySet = getIssuersFromSource(token, ((TimestampToken) token).getCertificateSource());
            }
            if (Utils.isCollectionEmpty(emptySet)) {
                emptySet = getIssuersFromSources(token, this.documentCertificateSource);
            }
        }
        ListCertificateSource allCertificateSources = getAllCertificateSources();
        if (Utils.isCollectionEmpty(emptySet)) {
            emptySet = getIssuersFromSources(token, allCertificateSources);
        }
        if (Utils.isCollectionEmpty(emptySet)) {
            emptySet = this.processedCertificates;
        }
        CertificateToken issuer = new TokenIssuerSelector(token, emptySet).getIssuer();
        if (issuer == null && (token instanceof CertificateToken) && this.aiaSource != null && !this.tokenIssuerMap.containsKey(token)) {
            AIACertificateSource aIACertificateSource = new AIACertificateSource((CertificateToken) token, this.aiaSource);
            issuer = aIACertificateSource.getIssuerFromAIA();
            addCertificateSource(this.aiaCertificateSources, aIACertificateSource);
        }
        if (issuer == null && (token instanceof OCSPToken)) {
            issuer = getOCSPIssuer((OCSPToken) token, allCertificateSources);
        }
        if (issuer == null && (token instanceof TimestampToken)) {
            issuer = getTSACertificate((TimestampToken) token, allCertificateSources);
        }
        if (issuer != null) {
            addCertificateTokenForVerification(issuer);
        }
        this.tokenIssuerMap.put(token, issuer);
        return issuer;
    }

    private CertificateToken getIssuerFromProcessedCertificates(Token token) {
        CertificateToken certificateToken = this.tokenIssuerMap.get(token);
        if (certificateToken == null) {
            return null;
        }
        if (token.getPublicKeyOfTheSigner() != null || token.isSignedBy(certificateToken)) {
            return certificateToken;
        }
        return null;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public ListCertificateSource getAllCertificateSources() {
        ListCertificateSource listCertificateSource = new ListCertificateSource();
        listCertificateSource.addAll(this.documentCertificateSource);
        listCertificateSource.addAll(this.revocationCertificateSources);
        listCertificateSource.addAll(this.aiaCertificateSources);
        listCertificateSource.addAll(this.adjunctCertSources);
        listCertificateSource.addAll(this.trustedCertSources);
        return listCertificateSource;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public ListCertificateSource getDocumentCertificateSource() {
        return this.documentCertificateSource;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public ListRevocationSource<CRL> getDocumentCRLSource() {
        return this.documentCRLSource;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public ListRevocationSource<OCSP> getDocumentOCSPSource() {
        return this.documentOCSPSource;
    }

    private Set<CertificateToken> getIssuersFromSources(Token token, ListCertificateSource listCertificateSource) {
        return token.getPublicKeyOfTheSigner() != null ? listCertificateSource.getByPublicKey(token.getPublicKeyOfTheSigner()) : token.getIssuerX500Principal() != null ? listCertificateSource.getBySubject(new X500PrincipalHelper(token.getIssuerX500Principal())) : Collections.emptySet();
    }

    private Set<CertificateToken> getIssuersFromSource(Token token, CertificateSource certificateSource) {
        return token.getPublicKeyOfTheSigner() != null ? certificateSource.getByPublicKey(token.getPublicKeyOfTheSigner()) : token.getIssuerX500Principal() != null ? certificateSource.getBySubject(new X500PrincipalHelper(token.getIssuerX500Principal())) : Collections.emptySet();
    }

    private CertificateToken getOCSPIssuer(OCSPToken oCSPToken, ListCertificateSource listCertificateSource) {
        ResponderId responderId;
        Set<CertificateRef> allCertificateRefs = oCSPToken.getCertificateSource().getAllCertificateRefs();
        if (Utils.collectionSize(allCertificateRefs) != 1 || (responderId = allCertificateRefs.iterator().next().getResponderId()) == null) {
            LOG.warn("Signing certificate is not found for an OCSPToken with id '{}'.", oCSPToken.getDSSIdAsString());
            return null;
        }
        HashSet hashSet = new HashSet();
        if (responderId.getSki() != null) {
            hashSet.addAll(listCertificateSource.getBySki(responderId.getSki()));
        }
        if (responderId.getX500Principal() != null) {
            hashSet.addAll(listCertificateSource.getBySubject(new X500PrincipalHelper(responderId.getX500Principal())));
        }
        return new TokenIssuerSelector(oCSPToken, hashSet).getIssuer();
    }

    private CertificateToken getTSACertificate(TimestampToken timestampToken, ListCertificateSource listCertificateSource) {
        CertificateValidity theBestCandidate = timestampToken.getCandidatesForSigningCertificate().getTheBestCandidate();
        if (theBestCandidate == null) {
            return null;
        }
        HashSet hashSet = new HashSet();
        CertificateToken certificateToken = theBestCandidate.getCertificateToken();
        if (certificateToken == null) {
            hashSet.addAll(listCertificateSource.getBySignerIdentifier(theBestCandidate.getSignerInfo()));
        } else {
            hashSet.add(certificateToken);
        }
        return new TokenIssuerSelector(timestampToken, hashSet).getIssuer();
    }

    private boolean addTokenForVerification(Token token) {
        if (token == null) {
            return false;
        }
        boolean isTraceEnabled = LOG.isTraceEnabled();
        if (isTraceEnabled) {
            LOG.trace("addTokenForVerification: trying to acquire synchronized block");
        }
        synchronized (this.tokensToProcess) {
            try {
                if (this.tokensToProcess.containsKey(token)) {
                    if (isTraceEnabled) {
                        LOG.trace("Token was already in the list {}:{}", token.getClass().getSimpleName(), token.getAbbreviation());
                    }
                    return false;
                }
                this.tokensToProcess.put(token, null);
                registerPOE(token.getDSSIdAsString(), this.currentTime);
                if (isTraceEnabled) {
                    LOG.trace("+ New {} to check: {}", token.getClass().getSimpleName(), token.getAbbreviation());
                }
                if (isTraceEnabled) {
                    LOG.trace("addTokenForVerification: almost left synchronized block");
                }
                return true;
            } finally {
                if (isTraceEnabled) {
                    LOG.trace("addTokenForVerification: almost left synchronized block");
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addRevocationTokenForVerification(RevocationToken<?> revocationToken) {
        if (addTokenForVerification(revocationToken)) {
            RevocationCertificateSource certificateSource = revocationToken.getCertificateSource();
            if (certificateSource != null) {
                addCertificateSource(this.revocationCertificateSources, certificateSource);
            }
            CertificateToken issuerCertificateToken = revocationToken.getIssuerCertificateToken();
            if (issuerCertificateToken != null) {
                addCertificateTokenForVerification(issuerCertificateToken);
            }
            boolean add = this.processedRevocations.add(revocationToken);
            if (LOG.isTraceEnabled()) {
                if (add) {
                    LOG.trace("RevocationToken added to processedRevocations: {} ", revocationToken);
                } else {
                    LOG.trace("RevocationToken already present processedRevocations: {} ", revocationToken);
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addCertificateTokenForVerification(CertificateToken certificateToken) {
        if (addTokenForVerification(certificateToken)) {
            boolean add = this.processedCertificates.add(certificateToken);
            if (LOG.isTraceEnabled()) {
                if (add) {
                    LOG.trace("CertificateToken added to processedCertificates: {} ", certificateToken);
                } else {
                    LOG.trace("CertificateToken already present processedCertificates: {} ", certificateToken);
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addTimestampTokenForVerification(TimestampToken timestampToken) {
        if (addTokenForVerification(timestampToken)) {
            addDocumentCertificateSource(timestampToken.getCertificateSource());
            addDocumentCRLSource(timestampToken.getCRLSource());
            addDocumentOCSPSource(timestampToken.getOCSPSource());
            List<CertificateValidity> certificateValidityList = timestampToken.getCandidatesForSigningCertificate().getCertificateValidityList();
            if (Utils.isCollectionNotEmpty(certificateValidityList)) {
                for (CertificateValidity certificateValidity : certificateValidityList) {
                    if (certificateValidity.isValid() && certificateValidity.getCertificateToken() != null) {
                        addCertificateTokenForVerification(certificateValidity.getCertificateToken());
                    }
                }
            }
            registerTimestampUsageDate(timestampToken);
            boolean add = this.processedTimestamps.add(timestampToken);
            if (LOG.isTraceEnabled()) {
                if (add) {
                    LOG.trace("TimestampToken added to processedTimestamps: {} ", this.processedTimestamps);
                } else {
                    LOG.trace("TimestampToken already present processedTimestamps: {} ", this.processedTimestamps);
                }
            }
        }
    }

    private void registerTimestampUsageDate(TimestampToken timestampToken) {
        CertificateToken tSACertificate = getTSACertificate(timestampToken, getAllCertificateSources());
        if (tSACertificate == null) {
            LOG.warn("No Timestamp Certificate found. Chain is skipped.");
            return;
        }
        List<CertificateToken> certificateTokenChain = toCertificateTokenChain(getCertChain(tSACertificate));
        Date creationDate = timestampToken.getCreationDate();
        for (CertificateToken certificateToken : certificateTokenChain) {
            Date date = this.lastTimestampCertChainDates.get(certificateToken);
            if (date == null || date.before(creationDate)) {
                this.lastTimestampCertChainDates.put(certificateToken, creationDate);
            }
        }
        if (isTimestampValid(timestampToken)) {
            LOG.debug("Extracting POE from timestamp : {}", timestampToken.getDSSIdAsString());
            Iterator<TimestampedReference> it = timestampToken.getTimestampedReferences().iterator();
            while (it.hasNext()) {
                registerPOE(it.next().getObjectId(), timestampToken);
            }
        }
    }

    protected boolean isTimestampValid(TimestampToken timestampToken) {
        if (!this.extractPOEFromUntrustedChains && !containsTrustAnchor(getCertChain(timestampToken))) {
            LOG.warn("POE extraction is skipped for untrusted timestamp : {}.", timestampToken.getDSSIdAsString());
            return false;
        }
        if (!timestampToken.isMessageImprintDataIntact()) {
            LOG.warn("POE extraction is skipped for timestamp : {}. The message-imprint is not intact!", timestampToken.getDSSIdAsString());
            return false;
        }
        if (timestampToken.isSignatureIntact()) {
            return true;
        }
        LOG.warn("POE extraction is skipped for timestamp : {}. The signature is not intact!", timestampToken.getDSSIdAsString());
        return false;
    }

    private void registerPOE(String str, TimestampToken timestampToken) {
        List<POE> list = this.poeTimes.get(str);
        if (Utils.isCollectionEmpty(list)) {
            list = new ArrayList();
            this.poeTimes.put(str, list);
        }
        list.add(new POE(timestampToken));
    }

    private void registerPOE(String str, Date date) {
        List<POE> list = this.poeTimes.get(str);
        if (Utils.isCollectionEmpty(list)) {
            list = new ArrayList();
            this.poeTimes.put(str, list);
        }
        list.add(new POE(date));
    }

    private List<CertificateToken> toCertificateTokenChain(List<Token> list) {
        LinkedList linkedList = new LinkedList();
        for (Token token : list) {
            if (token instanceof CertificateToken) {
                linkedList.add((CertificateToken) token);
            }
        }
        return linkedList;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void addEvidenceRecordForVerification(EvidenceRecord evidenceRecord) {
        addDocumentCertificateSource(evidenceRecord.getCertificateSource());
        addDocumentCRLSource(evidenceRecord.getCRLSource());
        addDocumentOCSPSource(evidenceRecord.getOCSPSource());
        prepareTimestamps(evidenceRecord.getTimestamps());
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public void validate() {
        TimestampToken notYetVerifiedTimestamp = getNotYetVerifiedTimestamp();
        while (true) {
            TimestampToken timestampToken = notYetVerifiedTimestamp;
            if (timestampToken == null) {
                break;
            }
            getCertChain(timestampToken);
            notYetVerifiedTimestamp = getNotYetVerifiedTimestamp();
        }
        Token notYetVerifiedToken = getNotYetVerifiedToken();
        while (true) {
            Token token = notYetVerifiedToken;
            if (token == null) {
                return;
            }
            List<Token> certChain = getCertChain(token);
            if (token instanceof CertificateToken) {
                getRevocationData((CertificateToken) token, certChain);
            }
            notYetVerifiedToken = getNotYetVerifiedToken();
        }
    }

    private Set<RevocationToken<?>> getRevocationData(CertificateToken certificateToken, List<Token> list) {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Checking revocation data for : {}", certificateToken.getDSSIdAsString());
        }
        if (isRevocationDataNotRequired(certificateToken)) {
            LOG.debug("Revocation data is not required for certificate : {}", certificateToken.getDSSIdAsString());
            return Collections.emptySet();
        }
        CertificateToken issuer = getIssuer(certificateToken);
        if (issuer == null) {
            LOG.warn("Issuer not found for certificate {}", certificateToken.getDSSIdAsString());
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        for (RevocationToken<CRL> revocationToken : this.documentCRLSource.getRevocationTokens(certificateToken, issuer)) {
            hashSet.add(revocationToken);
            addRevocationTokenForVerification(revocationToken);
        }
        for (RevocationToken<OCSP> revocationToken2 : this.documentOCSPSource.getRevocationTokens(certificateToken, issuer)) {
            hashSet.add(revocationToken2);
            addRevocationTokenForVerification(revocationToken2);
            addDocumentCertificateSource(revocationToken2.getCertificateSource());
        }
        hashSet.addAll(getRelatedRevocationTokens(certificateToken));
        if ((this.remoteOCSPSource != null || this.remoteCRLSource != null) && (Utils.isCollectionEmpty(hashSet) || isRevocationDataRefreshNeeded(certificateToken, hashSet))) {
            LOG.debug("The signature does not contain relative revocation data.");
            if (this.checkRevocationForUntrustedChains || containsTrustAnchor(list)) {
                LOG.trace("Revocation update is in progress for certificate : {}", certificateToken.getDSSIdAsString());
                RevocationToken<?> revocationToken3 = getRevocationToken(certificateToken, issuer, (CertificateToken) getFirstTrustAnchor(list));
                if (revocationToken3 != null && !hashSet.contains(revocationToken3)) {
                    LOG.debug("Obtained a new revocation data : {}, for certificate : {}", revocationToken3.getDSSIdAsString(), certificateToken.getDSSIdAsString());
                    hashSet.add(revocationToken3);
                    addRevocationTokenForVerification(revocationToken3);
                }
            } else {
                LOG.warn("External revocation check is skipped for untrusted certificate : {}", certificateToken.getDSSIdAsString());
            }
        }
        if (hashSet.isEmpty()) {
            LOG.warn("No revocation found for the certificate {}", certificateToken.getDSSIdAsString());
        }
        return hashSet;
    }

    private <T extends Token> boolean containsTrustAnchor(List<T> list) {
        return getFirstTrustAnchor(list) != null;
    }

    private <T extends Token> Token getFirstTrustAnchor(List<T> list) {
        if (!Utils.isCollectionNotEmpty(list)) {
            return null;
        }
        for (T t : list) {
            if (isTrusted(t)) {
                return t;
            }
        }
        return null;
    }

    private RevocationToken<?> getRevocationToken(CertificateToken certificateToken, CertificateToken certificateToken2, CertificateToken certificateToken3) {
        RevocationSource<OCSP> revocationSource;
        RevocationSource<CRL> revocationSource2;
        if (this.trustedCertSources.isEmpty() || certificateToken3 == null) {
            LOG.trace("Initializing a revocation verifier for not trusted chain...");
            revocationSource = this.remoteOCSPSource;
            revocationSource2 = this.remoteCRLSource;
        } else {
            LOG.trace("Initializing a revocation verifier for a trusted chain...");
            revocationSource = instantiateOCSPWithTrustServices(certificateToken3);
            revocationSource2 = instantiateCRLWithTrustServices(certificateToken3);
        }
        RevocationDataLoadingStrategy create = this.revocationDataLoadingStrategyFactory.create();
        create.setCrlSource(revocationSource2);
        create.setOcspSource(revocationSource);
        create.setRevocationDataVerifier(this.revocationDataVerifier);
        create.setFallbackEnabled(this.revocationFallback);
        return create.getRevocationToken(certificateToken, certificateToken2);
    }

    private RevocationSource<OCSP> instantiateOCSPWithTrustServices(CertificateToken certificateToken) {
        List<String> alternativeOCSPUrls = getAlternativeOCSPUrls(certificateToken);
        return (Utils.isCollectionNotEmpty(alternativeOCSPUrls) && (this.remoteOCSPSource instanceof RevocationSourceAlternateUrlsSupport)) ? new AlternateUrlsSourceAdapter((RevocationSourceAlternateUrlsSupport) this.remoteOCSPSource, alternativeOCSPUrls) : this.remoteOCSPSource;
    }

    private RevocationSource<CRL> instantiateCRLWithTrustServices(CertificateToken certificateToken) {
        List<String> alternativeCRLUrls = getAlternativeCRLUrls(certificateToken);
        return (Utils.isCollectionNotEmpty(alternativeCRLUrls) && (this.remoteCRLSource instanceof RevocationSourceAlternateUrlsSupport)) ? new AlternateUrlsSourceAdapter((RevocationSourceAlternateUrlsSupport) this.remoteCRLSource, alternativeCRLUrls) : this.remoteCRLSource;
    }

    private List<String> getAlternativeOCSPUrls(CertificateToken certificateToken) {
        ArrayList arrayList = new ArrayList();
        for (CertificateSource certificateSource : this.trustedCertSources.getSources()) {
            if (certificateSource instanceof CommonTrustedCertificateSource) {
                arrayList.addAll(((CommonTrustedCertificateSource) certificateSource).getAlternativeOCSPUrls(certificateToken));
            }
        }
        return arrayList;
    }

    private List<String> getAlternativeCRLUrls(CertificateToken certificateToken) {
        ArrayList arrayList = new ArrayList();
        for (CertificateSource certificateSource : this.trustedCertSources.getSources()) {
            if (certificateSource instanceof CommonTrustedCertificateSource) {
                arrayList.addAll(((CommonTrustedCertificateSource) certificateSource).getAlternativeCRLUrls(certificateToken));
            }
        }
        return arrayList;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAllRequiredRevocationDataPresent() {
        TokenStatus tokenStatus = new TokenStatus();
        Iterator<List<CertificateToken>> it = getOrderedCertificateChains().values().iterator();
        while (it.hasNext()) {
            checkRevocationForCertificateChainAgainstBestSignatureTime(it.next(), null, tokenStatus);
        }
        boolean isEmpty = tokenStatus.isEmpty();
        if (!isEmpty) {
            tokenStatus.setMessage("Revocation data is missing for one or more certificate(s).");
            this.certificateVerifier.getAlertOnMissingRevocationData().alert(tokenStatus);
        }
        return isEmpty;
    }

    private void checkRevocationForCertificateChainAgainstBestSignatureTime(List<CertificateToken> list, Date date, TokenStatus tokenStatus) {
        Date lowestPOETime;
        for (CertificateToken certificateToken : list) {
            if (isSelfSignedOrTrusted(certificateToken)) {
                return;
            }
            if (!isOCSPNoCheckExtension(certificateToken)) {
                boolean z = false;
                Date date2 = null;
                List<RevocationToken<?>> relatedRevocationTokens = getRelatedRevocationTokens(certificateToken);
                for (RevocationToken<?> revocationToken : relatedRevocationTokens) {
                    if (date == null || date.before(revocationToken.getThisUpdate())) {
                        z = true;
                        break;
                    } else if (revocationToken.getNextUpdate() != null && (date2 == null || date2.after(revocationToken.getNextUpdate()))) {
                        date2 = revocationToken.getNextUpdate();
                    }
                }
                if (!z) {
                    if (!this.certificateVerifier.isCheckRevocationForUntrustedChains() && !containsTrustAnchor(list)) {
                        tokenStatus.addRelatedTokenAndErrorMessage(certificateToken, "Revocation data is skipped for untrusted certificate chain!");
                    } else if (Utils.isCollectionEmpty(relatedRevocationTokens) || date == null) {
                        tokenStatus.addRelatedTokenAndErrorMessage(certificateToken, "No revocation data found for certificate!");
                    } else if (date2 != null) {
                        tokenStatus.addRelatedTokenAndErrorMessage(certificateToken, String.format("No revocation data found after the best signature time [%s]! The nextUpdate available after : [%s]", DSSUtils.formatDateToRFC(date), DSSUtils.formatDateToRFC(date2)));
                    } else {
                        tokenStatus.addRelatedTokenAndErrorMessage(certificateToken, String.format("No revocation data found after the best signature time [%s]!", DSSUtils.formatDateToRFC(date)));
                    }
                    if (tokenStatus instanceof RevocationFreshnessStatus) {
                        if (Utils.isCollectionNotEmpty(relatedRevocationTokens) && date2 == null && (lowestPOETime = getLowestPOETime(certificateToken)) != null) {
                            date2 = new Date(lowestPOETime.getTime() + 1000);
                        }
                        if (date2 != null) {
                            ((RevocationFreshnessStatus) tokenStatus).addTokenAndRevocationNextUpdateTime(certificateToken, date2);
                        }
                    }
                }
            }
        }
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAllPOECoveredByRevocationData() {
        RevocationFreshnessStatus revocationFreshnessStatus = new RevocationFreshnessStatus();
        for (Map.Entry<CertificateToken, List<CertificateToken>> entry : getOrderedCertificateChains().entrySet()) {
            Date date = this.lastTimestampCertChainDates.get(entry.getKey());
            if (date != null) {
                checkRevocationForCertificateChainAgainstBestSignatureTime(entry.getValue(), date, revocationFreshnessStatus);
            }
        }
        boolean isEmpty = revocationFreshnessStatus.isEmpty();
        if (!isEmpty) {
            revocationFreshnessStatus.setMessage("Revocation data is missing for one or more POE(s).");
            this.certificateVerifier.getAlertOnUncoveredPOE().alert(revocationFreshnessStatus);
        }
        return isEmpty;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAllTimestampsValid() {
        TokenStatus tokenStatus = new TokenStatus();
        for (TimestampToken timestampToken : this.processedTimestamps) {
            if (!timestampToken.isSignatureIntact() || !timestampToken.isMessageImprintDataFound() || !timestampToken.isMessageImprintDataIntact()) {
                tokenStatus.addRelatedTokenAndErrorMessage(timestampToken, "Signature is not intact!");
            }
        }
        boolean isEmpty = tokenStatus.isEmpty();
        if (!isEmpty) {
            tokenStatus.setMessage("Broken timestamp(s) detected.");
            this.certificateVerifier.getAlertOnInvalidTimestamp().alert(tokenStatus);
        }
        return isEmpty;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkCertificateNotRevoked(CertificateToken certificateToken) {
        TokenStatus tokenStatus = new TokenStatus();
        checkCertificateIsNotRevokedRecursively(certificateToken, this.poeTimes.get(certificateToken.getDSSIdAsString()), tokenStatus);
        boolean isEmpty = tokenStatus.isEmpty();
        if (!isEmpty) {
            tokenStatus.setMessage("Revoked/Suspended certificate(s) detected.");
            this.certificateVerifier.getAlertOnRevokedCertificate().alert(tokenStatus);
        }
        return isEmpty;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkCertificatesNotRevoked(AdvancedSignature advancedSignature) {
        TokenStatus tokenStatus = new TokenStatus();
        CertificateToken signingCertificateToken = advancedSignature.getSigningCertificateToken();
        if (signingCertificateToken != null) {
            checkCertificateIsNotRevokedRecursively(signingCertificateToken, this.poeTimes.get(advancedSignature.getId()), tokenStatus);
        }
        boolean isEmpty = tokenStatus.isEmpty();
        if (!isEmpty) {
            tokenStatus.setMessage("Revoked/Suspended certificate(s) detected.");
            this.certificateVerifier.getAlertOnRevokedCertificate().alert(tokenStatus);
        }
        return isEmpty;
    }

    private boolean checkCertificateIsNotRevokedRecursively(CertificateToken certificateToken, List<POE> list) {
        return checkCertificateIsNotRevokedRecursively(certificateToken, list, null);
    }

    private boolean checkCertificateIsNotRevokedRecursively(CertificateToken certificateToken, List<POE> list, TokenStatus tokenStatus) {
        if (isSelfSignedOrTrusted(certificateToken)) {
            return true;
        }
        if (!isOCSPNoCheckExtension(certificateToken)) {
            List<RevocationToken<?>> relatedRevocationTokens = getRelatedRevocationTokens(certificateToken);
            if (Utils.isCollectionNotEmpty(relatedRevocationTokens)) {
                for (RevocationToken<?> revocationToken : relatedRevocationTokens) {
                    if ((revocationToken.getStatus().isRevoked() && !hasPOEBeforeRevocationDate(revocationToken.getRevocationDate(), list)) || !revocationToken.getStatus().isKnown()) {
                        if (tokenStatus == null) {
                            return false;
                        }
                        tokenStatus.addRelatedTokenAndErrorMessage(certificateToken, "Certificate is revoked/suspended!");
                        return false;
                    }
                }
            }
        }
        CertificateToken issuer = getIssuer(certificateToken);
        if (issuer != null) {
            return checkCertificateIsNotRevokedRecursively(issuer, list, tokenStatus);
        }
        return true;
    }

    private boolean hasPOEBeforeRevocationDate(Date date, List<POE> list) {
        if (!Utils.isCollectionNotEmpty(list)) {
            return false;
        }
        for (POE poe : list) {
            if (verifyPOE(poe) && poe.getTime().before(date)) {
                return true;
            }
        }
        return false;
    }

    private boolean isRevocationDataNotRequired(CertificateToken certificateToken) {
        return isSelfSignedOrTrusted(certificateToken) || isOCSPNoCheckExtension(certificateToken);
    }

    private boolean isSelfSignedOrTrusted(CertificateToken certificateToken) {
        return certificateToken.isSelfSigned() || isTrusted(certificateToken);
    }

    private boolean isOCSPNoCheckExtension(CertificateToken certificateToken) {
        return CertificateExtensionsUtils.hasOcspNoCheckExtension(certificateToken);
    }

    private List<RevocationToken<?>> getRelatedRevocationTokens(CertificateToken certificateToken) {
        ArrayList arrayList = new ArrayList();
        for (RevocationToken<?> revocationToken : this.processedRevocations) {
            if (Utils.areStringsEqual(certificateToken.getDSSIdAsString(), revocationToken.getRelatedCertificateId())) {
                arrayList.add(revocationToken);
            }
        }
        return arrayList;
    }

    private boolean isRevocationDataRefreshNeeded(CertificateToken certificateToken, Collection<RevocationToken<?>> collection) {
        Date date = this.bestSignatureTimeCertChainDates.get(certificateToken);
        Date date2 = this.lastTimestampCertChainDates.get(certificateToken);
        if (date2 != null && (date == null || date2.after(date))) {
            date = date2;
        }
        if (date == null) {
            date = getLowestPOETime(certificateToken);
        }
        boolean z = false;
        Iterator<RevocationToken<?>> it = collection.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            RevocationToken<?> next = it.next();
            List<CertificateToken> certificateTokenChain = toCertificateTokenChain(getCertChain(next));
            if (!Utils.isCollectionEmpty(certificateTokenChain)) {
                CertificateToken next2 = certificateTokenChain.iterator().next();
                if (date != null && date.before(next.getThisUpdate()) && RevocationReason.CERTIFICATE_HOLD != next.getReason() && isRevocationAcceptable(next, next2) && hasValidPOE(next, certificateToken, next2)) {
                    z = true;
                    break;
                }
            } else {
                LOG.debug("Certificate chain is not found for a revocation data '{}'!", next.getDSSIdAsString());
            }
        }
        if (z) {
            return false;
        }
        LOG.debug("Revocation data refresh is needed");
        return true;
    }

    private Date getLowestPOETime(Token token) {
        Date date = null;
        List<POE> list = this.poeTimes.get(token.getDSSIdAsString());
        if (Utils.isCollectionEmpty(list)) {
            throw new IllegalStateException("POE shall be defined before accessing the 'poeTimes' list!");
        }
        Iterator<POE> it = list.iterator();
        while (it.hasNext()) {
            Date time = it.next().getTime();
            if (date == null || time.before(date)) {
                date = time;
            }
        }
        return date;
    }

    private boolean isRevocationAcceptable(RevocationToken<?> revocationToken, CertificateToken certificateToken) {
        return this.revocationDataVerifier.isAcceptable(revocationToken, certificateToken);
    }

    private boolean hasValidPOE(RevocationToken<?> revocationToken, CertificateToken certificateToken, CertificateToken certificateToken2) {
        if (revocationToken.getNextUpdate() != null && !hasPOEAfterProductionAndBeforeNextUpdate(revocationToken)) {
            LOG.debug("There is no POE for the revocation '{}' after its production time and before the nextUpdate! Certificate: {}", revocationToken.getDSSIdAsString(), certificateToken.getDSSIdAsString());
            return false;
        }
        if (certificateToken2 == null || isTrusted(certificateToken2) || hasPOEInTheValidityRange(certificateToken2)) {
            LOG.debug("The revocation '{}' has a valid POE. Certificate: {}", revocationToken.getDSSIdAsString(), certificateToken.getDSSIdAsString());
            return true;
        }
        LOG.debug("There is no POE for the revocation issuer '{}' for revocation '{}' within its validity range! Certificate: {}", certificateToken2.getDSSIdAsString(), revocationToken.getDSSIdAsString(), certificateToken.getDSSIdAsString());
        return false;
    }

    private boolean hasPOEAfterProductionAndBeforeNextUpdate(RevocationToken<?> revocationToken) {
        List<POE> list = this.poeTimes.get(revocationToken.getDSSIdAsString());
        if (!Utils.isCollectionNotEmpty(list)) {
            return false;
        }
        Iterator<POE> it = list.iterator();
        while (it.hasNext()) {
            if (isConsistentAtTime(revocationToken, it.next().getTime())) {
                return true;
            }
        }
        return false;
    }

    private boolean hasPOEInTheValidityRange(CertificateToken certificateToken) {
        List<POE> list = this.poeTimes.get(certificateToken.getDSSIdAsString());
        if (!Utils.isCollectionNotEmpty(list)) {
            return false;
        }
        Iterator<POE> it = list.iterator();
        while (it.hasNext()) {
            if (certificateToken.isValidOn(it.next().getTime())) {
                return true;
            }
        }
        return false;
    }

    private boolean isConsistentAtTime(RevocationToken<?> revocationToken, Date date) {
        return date.compareTo(revocationToken.getProductionDate()) >= 0 && date.compareTo(revocationToken.getNextUpdate()) <= 0;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkAtLeastOneRevocationDataPresentAfterBestSignatureTime(AdvancedSignature advancedSignature) {
        RevocationFreshnessStatus revocationFreshnessStatus = new RevocationFreshnessStatus();
        CertificateToken signingCertificateToken = advancedSignature.getSigningCertificateToken();
        for (Map.Entry<CertificateToken, List<CertificateToken>> entry : getOrderedCertificateChains().entrySet()) {
            if (entry.getKey().equals(signingCertificateToken)) {
                checkRevocationForCertificateChainAgainstBestSignatureTime(entry.getValue(), getEarliestTimestampTime(), revocationFreshnessStatus);
            }
        }
        boolean isEmpty = revocationFreshnessStatus.isEmpty();
        if (!isEmpty) {
            revocationFreshnessStatus.setMessage("Fresh revocation data is missing for one or more certificate(s).");
            this.certificateVerifier.getAlertOnNoRevocationAfterBestSignatureTime().alert(revocationFreshnessStatus);
        }
        return isEmpty;
    }

    private Date getEarliestTimestampTime() {
        Date date = null;
        for (TimestampToken timestampToken : getProcessedTimestamps()) {
            if (timestampToken.getTimeStampType().coversSignature()) {
                Date creationDate = timestampToken.getCreationDate();
                if (date == null || creationDate.before(date)) {
                    date = creationDate;
                }
            }
        }
        return date;
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public boolean checkSignatureNotExpired(AdvancedSignature advancedSignature) {
        SignatureStatus signatureStatus = new SignatureStatus();
        CertificateToken signingCertificateToken = advancedSignature.getSigningCertificateToken();
        if (signingCertificateToken == null) {
            return true;
        }
        boolean verifyCertificateTokenHasPOERecursively = verifyCertificateTokenHasPOERecursively(signingCertificateToken, this.poeTimes.get(advancedSignature.getId()));
        if (!verifyCertificateTokenHasPOERecursively) {
            signatureStatus.addRelatedTokenAndErrorMessage(advancedSignature, String.format("The signing certificate has expired and there is no POE during its validity range : [%s - %s]!", DSSUtils.formatDateToRFC(signingCertificateToken.getNotBefore()), DSSUtils.formatDateToRFC(signingCertificateToken.getNotAfter())));
            signatureStatus.setMessage("Expired signature found.");
            this.certificateVerifier.getAlertOnExpiredSignature().alert(signatureStatus);
        }
        return verifyCertificateTokenHasPOERecursively;
    }

    private boolean verifyCertificateTokenHasPOERecursively(CertificateToken certificateToken, List<POE> list) {
        if (!Utils.isCollectionNotEmpty(list)) {
            return false;
        }
        for (POE poe : list) {
            if (certificateToken.isValidOn(poe.getTime()) && verifyPOE(poe)) {
                return true;
            }
        }
        return false;
    }

    private boolean verifyPOE(POE poe) {
        TimestampToken timestampToken = poe.getTimestampToken();
        if (timestampToken == null) {
            return true;
        }
        CertificateToken issuer = getIssuer(timestampToken);
        List<POE> list = this.poeTimes.get(timestampToken.getDSSIdAsString());
        return issuer != null && timestampToken.isValid() && verifyCertificateTokenHasPOERecursively(issuer, list) && checkCertificateIsNotRevokedRecursively(issuer, list);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Set<CertificateToken> getProcessedCertificates() {
        return Collections.unmodifiableSet(this.processedCertificates);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Set<RevocationToken> getProcessedRevocations() {
        return Collections.unmodifiableSet(this.processedRevocations);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public Set<TimestampToken> getProcessedTimestamps() {
        return Collections.unmodifiableSet(this.processedTimestamps);
    }

    private <T extends Token> boolean isTrusted(T t) {
        return (t instanceof CertificateToken) && this.trustedCertSources.isTrusted((CertificateToken) t);
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public ValidationData getValidationData(AdvancedSignature advancedSignature) {
        return getValidationData(advancedSignature.getSigningCertificateToken());
    }

    @Override // eu.europa.esig.dss.validation.ValidationContext
    public ValidationData getValidationData(TimestampToken timestampToken) {
        return getValidationData(getIssuer(timestampToken));
    }

    private ValidationData getValidationData(CertificateToken certificateToken) {
        ValidationData validationData = new ValidationData();
        if (certificateToken != null) {
            populateValidationDataRecursively(certificateToken, validationData);
        }
        return validationData;
    }

    private void populateValidationDataRecursively(Token token, ValidationData validationData) {
        if (validationData.addToken(token)) {
            if (token instanceof CertificateToken) {
                Iterator<RevocationToken<?>> it = getRelatedRevocationTokens((CertificateToken) token).iterator();
                while (it.hasNext()) {
                    populateValidationDataRecursively(it.next(), validationData);
                }
            }
            CertificateToken issuer = getIssuer(token);
            if (issuer != null) {
                populateValidationDataRecursively(issuer, validationData);
            }
        }
    }
}
