package net.ripe.rpki.commons.crypto.x509cert;

import java.io.IOException;
import java.net.URI;
import java.util.Set;
import java.util.regex.Pattern;
import net.ripe.rpki.commons.validation.ValidationString;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.x509.extension.X509ExtensionUtil;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateParser.class */
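/**
 * Parser that runs the resource-certificate-specific checks on top of the generic
 * {@link X509CertificateParser} processing: issuer/subject name shape, the certificate
 * policy extension, presence of the resource extensions and the CRL distribution points.
 *
 * <p>Certificates handed to a parser should be treated as untrusted input. Every check in
 * this class therefore records its outcome in the validation result instead of assuming
 * that an extension is well formed.
 */
public class X509ResourceCertificateParser extends X509CertificateParser<X509ResourceCertificate> {
    // NOTE(review): not referenced anywhere in this class. isPrintableString() only checks
    // the ASN.1 type of the value, not its characters - confirm whether a content check
    // against this pattern was intended.
    private static final Pattern PRINTABLE_STRING = Pattern.compile("[-A-Za-z0-9 '()+,./:=?]+");

    /**
     * Returns the parsed certificate wrapped as an {@link X509ResourceCertificate}.
     *
     * @return the wrapped certificate
     * @throws IllegalArgumentException if validation did not succeed
     */
    @Override
    public X509ResourceCertificate getCertificate() {
        if (!isSuccess()) {
            throw new IllegalArgumentException("Resource Certificate validation failed");
        }
        return new X509ResourceCertificate(getX509Certificate());
    }

    /** Runs the resource-certificate checks in a fixed order; each one records into the validation result. */
    @Override
    protected void doTypeSpecificValidation() {
        validateIssuerAndSubjectDN();
        validateCertificatePolicy();
        validateResourceExtensions();
        validateCrlDistributionPoints();
    }

    /**
     * Checks the shape of the issuer and subject distinguished names.
     *
     * <p>Both outcomes are recorded with {@code warnIfFalse}, so - judging by the helper's
     * name - a nonconforming name produces a warning rather than a rejection.
     */
    private void validateIssuerAndSubjectDN() {
        getValidationResult().warnIfFalse(
                isValidName(X500Name.getInstance(this.certificate.getIssuerX500Principal().getEncoded())),
                ValidationString.CERT_ISSUER_CORRECT,
                this.certificate.getIssuerX500Principal().toString());
        getValidationResult().warnIfFalse(
                isValidName(X500Name.getInstance(this.certificate.getSubjectX500Principal().getEncoded())),
                ValidationString.CERT_SUBJECT_CORRECT,
                this.certificate.getSubjectX500Principal().toString());
    }

    /** A name is accepted when it has exactly one valid CN and at most one serialNumber RDN. */
    private boolean isValidName(X500Name x500Name) {
        return hasOneValidCn(x500Name) && mayHaveOneValidSerialNumber(x500Name);
    }

    /**
     * Tells whether the name carries at most one serialNumber RDN.
     *
     * @param x500Name the distinguished name to inspect
     * @return {@code true} when zero or one serialNumber RDN is present
     */
    public boolean mayHaveOneValidSerialNumber(X500Name x500Name) {
        return x500Name.getRDNs(BCStyle.SERIALNUMBER).length <= 1;
    }

    /**
     * Tells whether the name has exactly one CN RDN whose first attribute value is a
     * PrintableString.
     */
    private boolean hasOneValidCn(X500Name x500Name) {
        RDN[] commonNames = x500Name.getRDNs(BCStyle.CN);
        if (commonNames.length != 1) {
            return false;
        }
        // NOTE(review): only the first attribute of the RDN is inspected. For a multi-valued
        // RDN that attribute is not necessarily the CN - confirm whether multi-valued RDNs
        // need to be rejected or searched here.
        AttributeTypeAndValue first = commonNames[0].getFirst();
        if (first == null) {
            return false;
        }
        ASN1Encodable value = first.getValue();
        return value != null && isPrintableString(value);
    }

    /** Type check only: the value must be encoded as a PrintableString. */
    private boolean isPrintableString(ASN1Encodable aSN1Encodable) {
        return aSN1Encodable instanceof DERPrintableString;
    }

    /**
     * Checks that the certificate policies extension is critical and holds exactly one
     * policy whose identifier equals {@code AbstractX509CertificateWrapper.POLICY_OID}.
     *
     * <p>The {@code rejectIf*} helpers are used as guards: the nested code only runs when
     * they return {@code true}, which presumably means the check passed.
     */
    private void validateCertificatePolicy() {
        Set<String> criticalExtensionOIDs = this.certificate.getCriticalExtensionOIDs();
        if (!this.result.rejectIfNull(criticalExtensionOIDs, ValidationString.CRITICAL_EXT_PRESENT)) {
            return;
        }
        this.result.rejectIfFalse(criticalExtensionOIDs.contains(Extension.certificatePolicies.getId()), ValidationString.POLICY_EXT_CRITICAL);
        try {
            byte[] extensionValue = this.certificate.getExtensionValue(Extension.certificatePolicies.getId());
            if (this.result.rejectIfNull(extensionValue, ValidationString.POLICY_EXT_VALUE)) {
                ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(X509ExtensionUtil.fromExtensionValue(extensionValue));
                if (this.result.rejectIfFalse(aSN1Sequence.size() == 1, ValidationString.SINGLE_CERT_POLICY)) {
                    PolicyInformation policyInformation = PolicyInformation.getInstance(aSN1Sequence.getObjectAt(0));
                    if (this.result.rejectIfNull(policyInformation.getPolicyIdentifier(), ValidationString.POLICY_ID_PRESENT)) {
                        this.result.rejectIfFalse(AbstractX509CertificateWrapper.POLICY_OID.equals(policyInformation.getPolicyIdentifier()), ValidationString.POLICY_ID_VERSION);
                    }
                }
            }
        } catch (IOException e) {
            this.result.rejectIfFalse(false, ValidationString.POLICY_VALIDATION);
        } catch (IllegalArgumentException e) {
            // The BouncyCastle getInstance(...) factories report a wrongly typed or malformed
            // structure with IllegalArgumentException, not IOException. Record that as a
            // policy failure too, so a crafted extension cannot abort parsing with an
            // unchecked exception.
            this.result.rejectIfFalse(false, ValidationString.POLICY_VALIDATION);
        }
    }

    /** Checks that a resource extension is present on the certificate. */
    private void validateResourceExtensions() {
        if (this.result.rejectIfFalse(isResourceExtensionPresent(), ValidationString.RESOURCE_EXT_PRESENT)) {
            // NOTE(review): the condition is the constant false, so this can never reject.
            // The AS/IP resource content is not inspected here - confirm it is validated
            // elsewhere before relying on AS_OR_IP_RESOURCE_PRESENT.
            this.result.rejectIfTrue(false, ValidationString.AS_OR_IP_RESOURCE_PRESENT);
        }
    }

    /**
     * Validates the CRL distribution points extension.
     *
     * <p>For a root certificate the extension is expected to be absent (warning otherwise).
     * For any other certificate it must be present, must parse, every distribution point
     * must convert to a URI, and an rsync distribution point must be found.
     */
    private void validateCrlDistributionPoints() {
        byte[] extensionValue = this.certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (X509CertificateUtil.isRoot(this.certificate)) {
            this.result.warnIfNotNull(extensionValue, ValidationString.CRLDP_OMITTED);
            return;
        }
        if (!this.result.rejectIfNull(extensionValue, ValidationString.CRLDP_PRESENT)) {
            return;
        }
        try {
            CRLDistPoint cRLDistPoint = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extensionValue));
            this.result.pass(ValidationString.CRLDP_EXTENSION_PARSED);
            testCrlDistributionPointsToUrisConversion(cRLDistPoint);
            // Only look for the rsync URI when the structural checks above were clean.
            if (!this.result.hasFailureForCurrentLocation()) {
                this.result.rejectIfNull(X509CertificateUtil.findFirstRsyncCrlDistributionPoint(this.certificate), ValidationString.CRLDP_RSYNC_URI_PRESENT);
            }
        } catch (IOException e) {
            this.result.error(ValidationString.CRLDP_EXTENSION_PARSED);
        } catch (IllegalArgumentException e) {
            // Malformed ASN.1 inside the extension surfaces from the BouncyCastle
            // getInstance(...) factories as IllegalArgumentException. Treat it like any
            // other parse failure instead of letting it escape the parser.
            this.result.error(ValidationString.CRLDP_EXTENSION_PARSED);
        }
    }

    /**
     * Checks every distribution point: no cRLIssuer, no reasons, a distribution point name
     * of the fullName kind, and only URI general names that {@link URI#create(String)}
     * accepts. Stops at the first structural failure.
     */
    private void testCrlDistributionPointsToUrisConversion(CRLDistPoint cRLDistPoint) {
        for (DistributionPoint distributionPoint : cRLDistPoint.getDistributionPoints()) {
            this.result.rejectIfNotNull(distributionPoint.getCRLIssuer(), ValidationString.CRLDP_ISSUER_OMITTED);
            this.result.rejectIfNotNull(distributionPoint.getReasons(), ValidationString.CRLDP_REASONS_OMITTED);
            if (!this.result.rejectIfNull(distributionPoint.getDistributionPoint(), ValidationString.CRLDP_PRESENT)) {
                return;
            }
            // Type 0 is the fullName choice of the distribution point name.
            boolean isFullName = distributionPoint.getDistributionPoint().getType() == 0;
            if (!this.result.rejectIfFalse(isFullName, ValidationString.CRLDP_TYPE_FULL_NAME)) {
                return;
            }
            for (GeneralName generalName : distributionPoint.getDistributionPoint().getName().getNames()) {
                boolean isUri = generalName.getTagNo() == GeneralName.uniformResourceIdentifier;
                if (!this.result.rejectIfFalse(isUri, ValidationString.CRLDP_NAME_IS_A_URI)) {
                    return;
                }
                try {
                    // Syntax check only; the resulting URI is discarded.
                    URI.create(generalName.getName().getString());
                } catch (IllegalArgumentException e) {
                    this.result.error(ValidationString.CRLDP_URI_SYNTAX);
                    return;
                }
            }
        }
    }
}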
