package org.xipki.ocsp.server.impl;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import org.xipki.common.InvalidConfException;
import org.xipki.common.TripleState;
import org.xipki.common.util.IoUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.ocsp.server.impl.jaxb.CertCollectionType;
import org.xipki.ocsp.server.impl.jaxb.NonceType;
import org.xipki.ocsp.server.impl.jaxb.RequestOptionType;
import org.xipki.ocsp.server.impl.jaxb.VersionsType;
import org.xipki.security.CertpathValidationModel;
import org.xipki.security.HashAlgoType;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;

/* loaded from: input_file:org/xipki/ocsp/server/impl/RequestOption.class */
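/**
 * Request-acceptance policy of the OCSP responder, built once from the
 * {@code requestOption} section of the server configuration.
 *
 * <p>It records which request features are accepted (HTTP GET, OCSP version,
 * CertID hash algorithms, nonce presence and length), the size limits applied
 * to incoming requests and, when request signatures are to be validated, the
 * trust anchors, additional certificates and validation model used for that.
 *
 * <p>Instances are immutable: every collection handed out by an accessor is an
 * unmodifiable view, so a holder of this object cannot widen the policy
 * (e.g. by adding a hash algorithm) after construction.
 */
class RequestOption {

    /** Numeric OCSP version for the configured name {@code v1}; the only version accepted. */
    private static final int OCSP_VERSION_V1 = 0;

    /** Nonce length bounds (bytes) applied when the configuration leaves them unset. */
    private static final int DEFAULT_NONCE_MIN_LEN = 4;
    private static final int DEFAULT_NONCE_MAX_LEN = 32;

    /**
     * CertID hash algorithms the responder is able to handle at all.
     *
     * <p>NOTE(review): SHA-1 stays in this list; presumably because clients
     * still send it as CertID digest. A deployment that wants to refuse it can
     * do so through the {@code hashAlgorithms} configuration element, which
     * narrows this set (see {@link #parseHashAlgos}).
     */
    static final Set<HashAlgoType> SUPPORTED_HASH_ALGORITHMS;

    static {
        Set<HashAlgoType> algos = new HashSet<>();
        algos.add(HashAlgoType.SHA1);
        algos.add(HashAlgoType.SHA224);
        algos.add(HashAlgoType.SHA256);
        algos.add(HashAlgoType.SHA384);
        algos.add(HashAlgoType.SHA512);
        SUPPORTED_HASH_ALGORITHMS = Collections.unmodifiableSet(algos);
    }

    private final boolean supportsHttpGet;
    private final boolean signatureRequired;
    private final boolean validateSignature;
    private final int maxRequestListCount;
    private final int maxRequestSize;
    /** Accepted numeric OCSP versions; unmodifiable. */
    private final Collection<Integer> versions;
    private final TripleState nonceOccurrence;
    private final int nonceMinLen;
    private final int nonceMaxLen;
    /** Accepted CertID hash algorithms; unmodifiable. */
    private final Set<HashAlgoType> hashAlgos;
    /** Trust anchors for request-signature validation; {@code null} when no certpathValidation is configured. */
    private final Set<CertWithEncoded> trustAnchors;
    /** Additional (intermediate) certificates for path building; {@code null} when not configured. */
    private final Set<X509Certificate> certs;
    private final CertpathValidationModel certpathValidationModel;

    /**
     * Builds the policy from its JAXB configuration.
     *
     * @param requestOptionType the parsed {@code requestOption} configuration element
     * @throws InvalidConfException if a value is out of range, an unknown keyword or
     *         algorithm is used, {@code certpathValidation} is missing although
     *         signature validation is enabled, or the configured trust anchors /
     *         certificates cannot be loaded
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public RequestOption(RequestOptionType requestOptionType) throws InvalidConfException {
        ParamUtil.requireNonNull("conf", requestOptionType);

        // A missing supportsHttpGet element is treated as "not supported" (fail closed)
        // instead of failing with an NPE while unboxing.
        Boolean httpGet = requestOptionType.isSupportsHttpGet();
        this.supportsHttpGet = httpGet != null && httpGet.booleanValue();
        this.signatureRequired = requestOptionType.isSignatureRequired();
        this.validateSignature = requestOptionType.isValidateSignature();

        // ---- nonce policy ----
        NonceType nonce = requestOptionType.getNonce();
        if (nonce == null) {
            throw new InvalidConfException("nonce is not specified");
        }
        this.nonceOccurrence = parseNonceOccurrence(nonce.getOccurrence());
        int minLen = (nonce.getMinLen() != null) ? nonce.getMinLen().intValue() : DEFAULT_NONCE_MIN_LEN;
        int maxLen = (nonce.getMaxLen() != null) ? nonce.getMaxLen().intValue() : DEFAULT_NONCE_MAX_LEN;
        // A negative bound or minLen > maxLen can never be satisfied by any request;
        // reject it at load time rather than silently refusing every nonce.
        if (minLen < 0 || maxLen < minLen) {
            throw new InvalidConfException("invalid nonce length bounds minLen=" + minLen + ", maxLen=" + maxLen);
        }
        this.nonceMinLen = minLen;
        this.nonceMaxLen = maxLen;

        // ---- request size limits ----
        this.maxRequestListCount = requestOptionType.getMaxRequestListCount();
        if (this.maxRequestListCount < 1) {
            throw new InvalidConfException("invalid maxRequestListCount " + this.maxRequestListCount);
        }
        this.maxRequestSize = requestOptionType.getMaxRequestSize();
        if (this.maxRequestSize < 100) {
            throw new InvalidConfException("invalid maxRequestSize " + this.maxRequestSize);
        }

        // ---- accepted versions and hash algorithms ----
        this.versions = parseVersions(requestOptionType.getVersions());
        this.hashAlgos = parseHashAlgos(requestOptionType.getHashAlgorithms());

        // ---- certificate path validation ----
        RequestOptionType.CertpathValidation certpathValidation = requestOptionType.getCertpathValidation();
        if (certpathValidation == null) {
            // Signature validation needs trust anchors; without them the option is unusable.
            if (this.validateSignature) {
                throw new InvalidConfException("certpathValidation is not specified");
            }
            this.trustAnchors = null;
            this.certs = null;
            this.certpathValidationModel = CertpathValidationModel.PKIX;
            return;
        }

        if (certpathValidation.getValidationModel() == null) {
            throw new InvalidConfException("certpathValidation.validationModel is not specified");
        }
        switch (certpathValidation.getValidationModel()) {
            case CHAIN:
                this.certpathValidationModel = CertpathValidationModel.CHAIN;
                break;
            case PKIX:
                this.certpathValidationModel = CertpathValidationModel.PKIX;
                break;
            default:
                throw new InvalidConfException(
                        "unknown validationModel " + certpathValidation.getValidationModel());
        }

        // Trust anchors and additional certs are loaded in separate try blocks so a
        // failure in the certs is reported as such, instead of being re-wrapped as a
        // trustAnchors failure by an enclosing catch.
        Set<CertWithEncoded> anchors = new HashSet<>();
        try {
            for (X509Certificate anchor : getCerts(certpathValidation.getTrustAnchors())) {
                anchors.add(new CertWithEncoded(anchor));
            }
        } catch (Exception ex) {
            throw new InvalidConfException("could not initialize the trustAnchors: " + ex.getMessage(), ex);
        }
        this.trustAnchors = Collections.unmodifiableSet(anchors);

        CertCollectionType certsConf = certpathValidation.getCerts();
        Set<X509Certificate> loadedCerts = null;
        if (certsConf != null) {
            try {
                loadedCerts = Collections.unmodifiableSet(getCerts(certsConf));
            } catch (Exception ex) {
                throw new InvalidConfException("could not initialize the certs: " + ex.getMessage(), ex);
            }
        }
        this.certs = loadedCerts;
    }

    /** Maps the configured {@code nonce.occurrence} keyword (case-insensitive) onto a {@link TripleState}. */
    private static TripleState parseNonceOccurrence(String occurrence) throws InvalidConfException {
        if (occurrence == null) {
            throw new InvalidConfException("nonce.occurrence is not specified");
        }
        // Locale.ROOT: keyword matching must not depend on the JVM's default locale.
        String keyword = occurrence.toLowerCase(Locale.ROOT);
        switch (keyword) {
            case "forbidden":
                return TripleState.FORBIDDEN;
            case "optional":
                return TripleState.OPTIONAL;
            case "required":
                return TripleState.REQUIRED;
            default:
                throw new InvalidConfException("invalid nonce.occurrence '" + keyword
                        + "', only forbidden, optional, and required are allowed");
        }
    }

    /**
     * Converts the configured version names into numeric OCSP versions.
     * Only {@code v1} is known; an empty list means no version is accepted.
     */
    private static Set<Integer> parseVersions(VersionsType versionsConf) throws InvalidConfException {
        if (versionsConf == null) {
            throw new InvalidConfException("versions is not specified");
        }
        Set<Integer> result = new HashSet<>();
        for (String name : versionsConf.getVersion()) {
            if (!"v1".equalsIgnoreCase(name)) {
                throw new InvalidConfException("invalid OCSP request version '" + name + "'");
            }
            result.add(OCSP_VERSION_V1);
        }
        return Collections.unmodifiableSet(result);
    }

    /**
     * Resolves the configured CertID hash algorithm names; a missing element means
     * every algorithm in {@link #SUPPORTED_HASH_ALGORITHMS}, an empty one means none.
     */
    private static Set<HashAlgoType> parseHashAlgos(RequestOptionType.HashAlgorithms conf)
            throws InvalidConfException {
        if (conf == null) {
            return SUPPORTED_HASH_ALGORITHMS;
        }
        Set<HashAlgoType> result = new HashSet<>();
        for (String name : conf.getAlgorithm()) {
            HashAlgoType algo = HashAlgoType.getHashAlgoType(name);
            if (algo == null || !SUPPORTED_HASH_ALGORITHMS.contains(algo)) {
                throw new InvalidConfException("hash algorithm " + name + " is unsupported");
            }
            result.add(algo);
        }
        return Collections.unmodifiableSet(result);
    }

    /** @return the accepted CertID hash algorithms (unmodifiable). */
    public Set<HashAlgoType> hashAlgos() {
        return this.hashAlgos;
    }

    /** @return whether requests must be signed. */
    public boolean isSignatureRequired() {
        return this.signatureRequired;
    }

    /** @return whether request signatures are validated against the configured trust anchors. */
    public boolean isValidateSignature() {
        return this.validateSignature;
    }

    /** @return whether requests may be submitted via HTTP GET. */
    public boolean supportsHttpGet() {
        return this.supportsHttpGet;
    }

    /** @return whether a nonce is forbidden, optional or required in requests. */
    public TripleState nonceOccurrence() {
        return this.nonceOccurrence;
    }

    /** @return the maximum number of single requests per OCSP request (at least 1). */
    public int maxRequestListCount() {
        return this.maxRequestListCount;
    }

    /** @return the maximum accepted request size (at least 100). */
    public int maxRequestSize() {
        return this.maxRequestSize;
    }

    /** @return the minimum accepted nonce length. */
    public int nonceMinLen() {
        return this.nonceMinLen;
    }

    /** @return the maximum accepted nonce length (never below {@link #nonceMinLen()}). */
    public int nonceMaxLen() {
        return this.nonceMaxLen;
    }

    /**
     * @param hashAlgoType CertID hash algorithm of an incoming request, may be {@code null}
     * @return {@code true} only if the algorithm is non-null and configured as accepted
     */
    public boolean allows(HashAlgoType hashAlgoType) {
        return hashAlgoType != null && this.hashAlgos.contains(hashAlgoType);
    }

    /** @return the model used to validate the signer's certificate path; PKIX when none is configured. */
    public CertpathValidationModel certpathValidationModel() {
        return this.certpathValidationModel;
    }

    /** @return the trust anchors (unmodifiable), or {@code null} if no certpathValidation is configured. */
    public Set<CertWithEncoded> trustAnchors() {
        return this.trustAnchors;
    }

    /** @return the additional path-building certificates (unmodifiable), or {@code null} if not configured. */
    public Set<X509Certificate> certs() {
        return this.certs;
    }

    /**
     * @param num numeric OCSP version from the request, may be {@code null}
     * @return whether that version is among the configured ones
     */
    public boolean isVersionAllowed(Integer num) {
        return this.versions.contains(num);
    }

    /**
     * Loads the certificates described by a {@code CertCollectionType}: either the
     * certificate entries of a keystore (from a file or inline bytes) or all regular
     * files of a directory, each parsed as one certificate.
     *
     * @throws IOException if the keystore cannot be read or the configured directory
     *         does not exist / cannot be listed; a missing trust-anchor directory must
     *         not silently yield an empty anchor set
     */
    private static Set<X509Certificate> getCerts(CertCollectionType certCollectionType)
            throws KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException,
                CertificateException, IOException {
        ParamUtil.requireNonNull("conf", certCollectionType);
        Set<X509Certificate> result = new HashSet<>();

        CertCollectionType.Keystore keystoreConf = certCollectionType.getKeystore();
        if (keystoreConf != null) {
            KeyStore keyStore = KeyUtil.getKeyStore(keystoreConf.getType());
            String file = keystoreConf.getKeystore().getFile();
            // The password arrives as a String from the JAXB model, so it cannot be wiped here.
            char[] password = (keystoreConf.getPassword() == null)
                    ? null : keystoreConf.getPassword().toCharArray();
            // try-with-resources: the file stream was previously never closed.
            try (InputStream in = (file != null)
                    ? new FileInputStream(IoUtil.expandFilepath(file))
                    : new ByteArrayInputStream(keystoreConf.getKeystore().getValue())) {
                keyStore.load(in, password);
            }
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!keyStore.isCertificateEntry(alias)) {
                    continue;
                }
                java.security.cert.Certificate cert = keyStore.getCertificate(alias);
                if (!(cert instanceof X509Certificate)) {
                    throw new CertificateException("keystore entry '" + alias + "' is not an X.509 certificate");
                }
                result.add((X509Certificate) cert);
            }
            return result;
        }

        String dir = certCollectionType.getDir();
        if (dir == null) {
            throw new RuntimeException("should not happen, neither keystore nor dir is defined");
        }
        File[] entries = new File(dir).listFiles();
        if (entries == null) {
            // listFiles() returns null for a non-existent or unreadable directory.
            throw new IOException("certificate directory '" + dir + "' does not exist or cannot be read");
        }
        for (File entry : entries) {
            if (entry.isFile()) {
                result.add(X509Util.parseCert(entry));
            }
        }
        return result;
    }
}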
