package net.ripe.rpki.commons.crypto.cms.aspa;

import com.google.common.base.Joiner;
import com.google.common.collect.ImmutableSortedSet;
import java.util.Comparator;
import java.util.Optional;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.annotation.CheckForNull;
import net.ripe.ipresource.Asn;
import net.ripe.ipresource.IpResource;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectInfo;
import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectParser;
import net.ripe.rpki.commons.crypto.rfc3779.AddressFamily;
import net.ripe.rpki.commons.crypto.util.Asn1Util;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERTaggedObject;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/cms/aspa/AspaCmsParser.class */
public class AspaCmsParser extends RpkiSignedObjectParser {
    private int version;

    @CheckForNull
    private Asn customerAsn;
    private ImmutableSortedSet<ProviderAS> providerASSet = ImmutableSortedSet.of();

    @Override // net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectParser
    public void parse(ValidationResult validationResult, byte[] bArr) {
        super.parse(validationResult, bArr);
        validateAspa();
    }

    public AspaCms getAspa() {
        if (isSuccess()) {
            return new AspaCms(new RpkiSignedObjectInfo(getEncoded(), getResourceCertificate(), getContentType(), getSigningTime()), this.version, this.customerAsn, this.providerASSet);
        }
        throw new IllegalArgumentException("ASPA record validation failed: " + getValidationResult().getFailuresForCurrentLocation());
    }

    public boolean isSuccess() {
        return !getValidationResult().hasFailureForCurrentLocation();
    }

    private void validateAspa() {
        ValidationResult validationResult = getValidationResult();
        validationResult.rejectIfFalse(AspaCms.CONTENT_TYPE.equals(getContentType()), ValidationString.ASPA_CONTENT_TYPE, String.valueOf(getContentType()));
        X509ResourceCertificate certificate = getCertificate();
        validationResult.rejectIfFalse((this.customerAsn == null || certificate == null || !certificate.containsResources(new IpResourceSet(new IpResource[]{this.customerAsn}))) ? false : true, ValidationString.ASPA_CUSTOMER_ASN_CERTIFIED);
        if (this.customerAsn != null) {
            Stream map = this.providerASSet.stream().map((v0) -> {
                return v0.getProviderAsn();
            });
            Asn asn = this.customerAsn;
            asn.getClass();
            validationResult.rejectIfTrue(map.anyMatch((v1) -> {
                return r1.equals(v1);
            }), ValidationString.ASPA_CUSTOMER_ASN_NOT_IN_PROVIDER_ASNS, String.valueOf(this.customerAsn), Joiner.on(", ").join(this.providerASSet));
        }
    }

    @Override // net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectParser
    public void decodeAsn1Content(ASN1Encodable aSN1Encodable) {
        ValidationResult validationResult = getValidationResult();
        try {
            ASN1Sequence expect = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
            int size = expect.size();
            if (size < 2 || size > 3) {
                validationResult.error(ValidationString.ASPA_CONTENT_STRUCTURE);
                return;
            }
            int i = 0;
            ASN1Encodable objectAt = expect.getObjectAt(0);
            if (objectAt instanceof DERTaggedObject) {
                decodeVersion(validationResult, (DERTaggedObject) objectAt);
                i = 0 + 1;
            } else {
                this.version = 0;
            }
            validationResult.rejectIfFalse(i < size && (expect.getObjectAt(i) instanceof ASN1Integer), ValidationString.ASPA_CUSTOMER_ASN_PRESENT);
            if (validationResult.hasFailureForCurrentLocation()) {
                return;
            }
            this.customerAsn = Asn1Util.parseAsId(expect.getObjectAt(i));
            int i2 = i + 1;
            if (i2 >= size) {
                validationResult.error(ValidationString.ASPA_CONTENT_STRUCTURE);
            } else {
                this.providerASSet = (ImmutableSortedSet) StreamSupport.stream(Asn1Util.expect(expect.getObjectAt(i2), ASN1Sequence.class).spliterator(), false).map(this::parseProviderAS).collect(ImmutableSortedSet.toImmutableSortedSet(Comparator.naturalOrder()));
                validationResult.rejectIfTrue(this.providerASSet.isEmpty(), ValidationString.ASPA_PROVIDER_AS_SET_NOT_EMPTY);
            }
        } catch (IllegalArgumentException e) {
            validationResult.error(ValidationString.ASPA_CONTENT_STRUCTURE);
        }
    }

    private void decodeVersion(ValidationResult validationResult, DERTaggedObject dERTaggedObject) {
        validationResult.rejectIfFalse(dERTaggedObject.getTagNo() == 0, ValidationString.ASPA_CONTENT_STRUCTURE);
        try {
            this.version = Asn1Util.expect(dERTaggedObject.getBaseObject(), ASN1Integer.class).intValueExact();
            validationResult.rejectIfFalse(this.version == 0, ValidationString.ASPA_VERSION, String.valueOf(this.version));
        } catch (ArithmeticException e) {
            validationResult.error(ValidationString.ASPA_VERSION, "out-of-bounds");
        }
    }

    private ProviderAS parseProviderAS(ASN1Encodable aSN1Encodable) {
        ValidationResult validationResult = getValidationResult();
        ASN1Sequence expect = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        validationResult.rejectIfTrue(expect.size() < 1 || expect.size() > 2, ValidationString.ASPA_PROVIDER_AS_SEQUENCE_SIZE);
        if (validationResult.hasFailureForCurrentLocation()) {
            throw new IllegalArgumentException("invalid sequence length");
        }
        Asn parseAsId = Asn1Util.parseAsId(expect.getObjectAt(0));
        AddressFamily addressFamily = null;
        if (expect.size() > 1) {
            addressFamily = AddressFamily.fromDer(expect.getObjectAt(1));
            validationResult.rejectIfFalse(addressFamily.equals(AddressFamily.IPV4) || addressFamily.equals(AddressFamily.IPV6), ValidationString.ASPA_ADDR_FAMILY);
        }
        return new ProviderAS(parseAsId, Optional.ofNullable(addressFamily));
    }
}
