package net.ripe.rpki.commons.crypto.cms.roa;

import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import net.ripe.ipresource.Asn;
import net.ripe.ipresource.IpRange;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectInfo;
import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectParser;
import net.ripe.rpki.commons.crypto.rfc3779.AddressFamily;
import net.ripe.rpki.commons.crypto.util.Asn1Util;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/cms/roa/RoaCmsParser.class */
public class RoaCmsParser extends RpkiSignedObjectParser {
    private Asn asn;
    private List<RoaPrefix> prefixes = new ArrayList();

    @Override // net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectParser
    public void parse(ValidationResult validationResult, byte[] bArr) {
        super.parse(validationResult, bArr);
        validateRoa();
    }

    public boolean isSuccess() {
        return !getValidationResult().hasFailureForCurrentLocation();
    }

    public RoaCms getRoaCms() {
        if (isSuccess()) {
            return new RoaCms(new RpkiSignedObjectInfo(getEncoded(), getResourceCertificate(), getContentType(), getSigningTime()), this.asn, this.prefixes);
        }
        throw new IllegalArgumentException("ROA validation failed: " + getValidationResult().getFailuresForCurrentLocation());
    }

    private void validateRoa() {
        ValidationResult validationResult = getValidationResult();
        if (validationResult.rejectIfFalse(getContentType() != null, ValidationString.ROA_CONTENT_TYPE, new String[0]) && validationResult.rejectIfFalse(RoaCms.CONTENT_TYPE.equals(getContentType()), ValidationString.ROA_CONTENT_TYPE, getContentType().toString())) {
            IpResourceSet ipResourceSet = new IpResourceSet();
            Iterator it = Collections.unmodifiableList(this.prefixes).iterator();
            while (it.hasNext()) {
                ipResourceSet.add(((RoaPrefix) it.next()).getPrefix());
            }
            try {
                validationResult.rejectIfFalse(getResourceCertificate().getResources().contains(ipResourceSet), ValidationString.ROA_RESOURCES, new String[0]);
            } catch (Exception e) {
                validationResult.rejectIfFalse(false, ValidationString.ROA_RESOURCES, new String[0]);
            }
        }
    }

    RoaPrefix parseRoaIpAddressFamily(IpResourceType ipResourceType, ASN1Encodable aSN1Encodable) {
        Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        ASN1Sequence aSN1Sequence = (ASN1Sequence) aSN1Encodable;
        ValidationResult validationResult = getValidationResult();
        if (!validationResult.rejectIfFalse(aSN1Sequence.size() > 0 && aSN1Sequence.size() <= 2, ValidationString.PREFIX_IN_ADDR_FAMILY, new String[0])) {
            throw new IllegalArgumentException("ip address family sequence length invalid");
        }
        IpRange parseIpAddressAsPrefix = Asn1Util.parseIpAddressAsPrefix(ipResourceType, aSN1Sequence.getObjectAt(0));
        BigInteger bigInteger = null;
        if (aSN1Sequence.size() > 1) {
            bigInteger = Asn1Util.expect(aSN1Sequence.getObjectAt(1), ASN1Integer.class).getValue();
            if (!validationResult.rejectIfFalse(bigInteger.compareTo(BigInteger.ZERO) >= 0 && bigInteger.compareTo(BigInteger.valueOf(2147483647L)) <= 0, ValidationString.PREFIX_LENGTH, new String[0])) {
                throw new IllegalArgumentException("prefix max length invalid");
            }
        }
        return new RoaPrefix(parseIpAddressAsPrefix, bigInteger == null ? null : Integer.valueOf(bigInteger.intValue()));
    }

    void parseRouteOriginAttestation(ASN1Encodable aSN1Encodable) {
        ValidationResult validationResult = getValidationResult();
        try {
            ASN1Sequence expect = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
            int size = expect.size();
            if (size == 3) {
                BigInteger rpkiObjectVersion = getRpkiObjectVersion(expect);
                if (validationResult.rejectIfFalse(BigInteger.ZERO.equals(rpkiObjectVersion), ValidationString.ROA_ATTESTATION_VERSION, "attestation version must be 0, but is " + rpkiObjectVersion)) {
                    this.asn = Asn1Util.parseAsId(expect.getObjectAt(1));
                    this.prefixes = parseRoaIpAddressFamilySequence(expect.getObjectAt(2));
                }
            } else if (size == 2) {
                this.asn = Asn1Util.parseAsId(expect.getObjectAt(0));
                this.prefixes = parseRoaIpAddressFamilySequence(expect.getObjectAt(1));
            } else {
                validationResult.rejectIfFalse(false, ValidationString.ASN_AND_PREFIXES_IN_DER_SEQ, new String[0]);
            }
        } catch (IllegalArgumentException e) {
            validationResult.error(ValidationString.ROA_CONTENT_STRUCTURE, new String[0]);
        }
    }

    void parseRoaIpAddressFamily(List<RoaPrefix> list, ASN1Encodable aSN1Encodable) {
        RoaPrefix roaPrefix;
        Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        ASN1Sequence aSN1Sequence = (ASN1Sequence) aSN1Encodable;
        ValidationResult validationResult = getValidationResult();
        if (aSN1Sequence.size() != 2) {
            validationResult.rejectIfFalse(false, ValidationString.ADDR_FAMILY_AND_ADDR_IN_DER_SEQ, new String[0]);
            throw new IllegalArgumentException("ROA sequence does not contain address family and addresses");
        }
        AddressFamily fromDer = AddressFamily.fromDer(aSN1Sequence.getObjectAt(0));
        if (!fromDer.equals(AddressFamily.IPV4) && !fromDer.equals(AddressFamily.IPV6)) {
            validationResult.rejectIfFalse(false, ValidationString.ADDR_FAMILY, new String[0]);
            throw new IllegalArgumentException("Address family is neither IPv4 nor IPv6");
        }
        Asn1Util.expect(aSN1Sequence.getObjectAt(1), ASN1Sequence.class);
        ASN1Sequence objectAt = aSN1Sequence.getObjectAt(1);
        for (int i = 0; i < objectAt.size(); i++) {
            try {
                roaPrefix = parseRoaIpAddressFamily(fromDer.toIpResourceType(), objectAt.getObjectAt(i));
            } catch (IllegalArgumentException e) {
                roaPrefix = null;
            }
            if (roaPrefix != null) {
                list.add(roaPrefix);
            }
        }
    }

    List<RoaPrefix> parseRoaIpAddressFamilySequence(ASN1Encodable aSN1Encodable) {
        Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        ASN1Sequence aSN1Sequence = (ASN1Sequence) aSN1Encodable;
        ArrayList arrayList = new ArrayList();
        boolean z = false;
        for (int i = 0; i < aSN1Sequence.size(); i++) {
            try {
                parseRoaIpAddressFamily(arrayList, aSN1Sequence.getObjectAt(i));
            } catch (IllegalArgumentException e) {
                z = true;
            }
        }
        ValidationResult validationResult = getValidationResult();
        if (!z) {
            validationResult.rejectIfFalse(true, ValidationString.ADDR_FAMILY_AND_ADDR_IN_DER_SEQ, new String[0]);
            validationResult.rejectIfFalse(true, ValidationString.ADDR_FAMILY, new String[0]);
        }
        validationResult.rejectIfFalse(arrayList.size() > 0, ValidationString.ROA_PREFIX_LIST, new String[0]);
        return arrayList;
    }

    @Override // net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectParser
    public void decodeAsn1Content(ASN1Encodable aSN1Encodable) {
        parseRouteOriginAttestation(aSN1Encodable);
    }
}
