package net.ripe.rpki.commons.crypto.rfc3779;

import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;
import net.ripe.ipresource.ImmutableResourceSet;
import net.ripe.ipresource.IpRange;
import net.ripe.ipresource.IpResource;
import net.ripe.ipresource.IpResourceRange;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.ipresource.UniqueIpResource;
import net.ripe.rpki.commons.crypto.util.Asn1Util;
import org.apache.commons.lang3.Validate;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Null;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERBitString;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionParser.class */
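/**
 * Parses the RFC 3779 resource extensions of an X.509 certificate (IP address blocks and
 * AS identifiers) into resource sets.
 *
 * <p>The extension bytes come from a certificate and must be treated as untrusted input.
 * Structural violations detected in this class are reported by throwing: the explicit type
 * checks and {@link Validate#isTrue} raise {@link IllegalArgumentException}, and
 * {@link Validate#notNull} raises {@link NullPointerException}. What {@code Asn1Util}
 * throws on malformed DER is not visible in this file.
 *
 * <p>Throughout this class a {@code null} {@link IpResourceSet} stands for an ASN.1 NULL
 * choice, i.e. the resources of that type are inherited rather than listed.
 */
public class ResourceExtensionParser {
    private static final AddressFamily[] SUPPORTED_ADDRESS_FAMILIES = {AddressFamily.IPV4, AddressFamily.IPV6};

    /**
     * Reads both resource extensions from a certificate.
     *
     * @param x509Certificate certificate whose IP address block and AS identifier extensions are read;
     *                        an absent extension contributes no resources
     * @return the resource extension built from the set of inherited resource types and the
     *         explicitly listed resources
     */
    public ResourceExtension parse(X509Certificate x509Certificate) {
        EnumSet<IpResourceType> inheritedTypes = EnumSet.noneOf(IpResourceType.class);
        ImmutableResourceSet.Builder resources = new ImmutableResourceSet.Builder();

        byte[] ipExtension = x509Certificate.getExtensionValue(ResourceExtensionEncoder.OID_IP_ADDRESS_BLOCKS.getId());
        if (ipExtension != null) {
            for (Map.Entry<AddressFamily, IpResourceSet> entry : parseIpAddressBlocks(ipExtension).entrySet()) {
                if (entry.getValue() == null) {
                    // A null set means "inherit" for this address family.
                    inheritedTypes.add(entry.getKey().toIpResourceType());
                } else {
                    resources.addAll(entry.getValue());
                }
            }
        }

        byte[] asExtension = x509Certificate.getExtensionValue(ResourceExtensionEncoder.OID_AUTONOMOUS_SYS_IDS.getId());
        if (asExtension != null) {
            IpResourceSet asns = parseAsIdentifiers(asExtension);
            if (asns == null) {
                inheritedTypes.add(IpResourceType.ASN);
            } else {
                resources.addAll(asns);
            }
        }
        return ResourceExtension.of(inheritedTypes, resources.build());
    }

    /**
     * Parses the value of the IP address blocks extension.
     *
     * @param bArr the extension value as returned by {@link X509Certificate#getExtensionValue},
     *             i.e. an OCTET STRING wrapping the extension content
     * @return one entry per address family; families from {@code SUPPORTED_ADDRESS_FAMILIES}
     *         missing in the extension map to an empty set, inherited families map to {@code null}
     * @throws IllegalArgumentException if any address family carries a SAFI
     */
    public SortedMap<AddressFamily, IpResourceSet> parseIpAddressBlocks(byte[] bArr) {
        ASN1OctetString wrapper = Asn1Util.expect(Asn1Util.decode(bArr), ASN1OctetString.class);
        SortedMap<AddressFamily, IpResourceSet> blocks = derToIpAddressBlocks(Asn1Util.decode(wrapper.getOctets()));
        for (AddressFamily family : SUPPORTED_ADDRESS_FAMILIES) {
            // containsKey on purpose: a present key with a null value means "inherit" and
            // must not be replaced by an empty set (putIfAbsent would do exactly that).
            if (!blocks.containsKey(family)) {
                blocks.put(family, new IpResourceSet());
            }
        }
        for (AddressFamily family : blocks.keySet()) {
            Validate.isTrue(!family.hasSubsequentAddressFamilyIdentifier(), "SAFI not supported");
        }
        return blocks;
    }

    /**
     * Parses the value of the AS identifiers extension.
     *
     * @param bArr the extension value as returned by {@link X509Certificate#getExtensionValue},
     *             i.e. an OCTET STRING wrapping the extension content
     * @return the listed AS numbers, or {@code null} when they are inherited
     * @throws NullPointerException     if the routing domain identifiers are marked as inherited
     * @throws IllegalArgumentException if any routing domain identifiers are listed
     */
    public IpResourceSet parseAsIdentifiers(byte[] bArr) {
        ASN1OctetString wrapper = Asn1Util.expect(Asn1Util.decode(bArr), ASN1OctetString.class);
        // Index 0 holds the asnum choice, index 1 the rdi choice.
        IpResourceSet[] asnAndRdi = derToAsIdentifiers(Asn1Util.decode(wrapper.getOctets()));
        Validate.notNull(asnAndRdi[1], "inheritance of resources has not been implemented yet");
        Validate.isTrue(asnAndRdi[1].isEmpty(), "routing domain identifiers (RDI) not supported");
        return asnAndRdi[0];
    }

    /**
     * Converts a SEQUENCE of IPAddressFamily elements into a map keyed by address family.
     *
     * @param aSN1Encodable the decoded extension content; must be an ASN.1 SEQUENCE
     * @return a mutable sorted map with one entry per address family found
     */
    SortedMap<AddressFamily, IpResourceSet> derToIpAddressBlocks(ASN1Encodable aSN1Encodable) {
        ASN1Sequence families = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        SortedMap<AddressFamily, IpResourceSet> blocks = new TreeMap<>();
        for (int i = 0; i < families.size(); i++) {
            derToIpAddressFamily(families.getObjectAt(i), blocks);
        }
        return blocks;
    }

    /**
     * Parses one IPAddressFamily element and stores it in {@code sortedMap}.
     *
     * @param aSN1Encodable a SEQUENCE of exactly two entries: addressFamily and IPAddressChoice
     * @param sortedMap     receives the parsed entry; the value is {@code null} for "inherit"
     * @throws IllegalArgumentException if the element does not have two entries, or if
     *                                  {@code sortedMap} already holds this address family
     */
    void derToIpAddressFamily(ASN1Encodable aSN1Encodable, SortedMap<AddressFamily, IpResourceSet> sortedMap) {
        ASN1Sequence familyAndChoice = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        Validate.isTrue(familyAndChoice.size() == 2, "IpAddressFamily must have exactly two entries: addressFamily and IpAddressChoice");
        AddressFamily family = AddressFamily.fromDer(familyAndChoice.getObjectAt(0));
        // RFC 3779 allows only one IPAddressFamily per AFI/SAFI combination. Without this
        // check a repeated family would silently replace the resources parsed for the
        // earlier one, so the parsed result would not reflect the whole extension.
        Validate.isTrue(!sortedMap.containsKey(family), "IPAddrBlocks MUST NOT contain the same address family more than once");
        sortedMap.put(family, derToIpAddressChoice(family.toIpResourceType(), familyAndChoice.getObjectAt(1)));
    }

    /**
     * Parses an IPAddressChoice.
     *
     * @param ipResourceType resource type the addresses are parsed as
     * @param aSN1Encodable  either ASN.1 NULL (inherit) or a SEQUENCE of addresses and ranges
     * @return {@code null} for NULL, otherwise the set of listed resources
     * @throws IllegalArgumentException if the value has another type, or if consecutive
     *                                  entries are adjacent or not in strictly increasing order
     */
    IpResourceSet derToIpAddressChoice(IpResourceType ipResourceType, ASN1Encodable aSN1Encodable) {
        if (aSN1Encodable instanceof ASN1Null) {
            return null;
        }
        if (!(aSN1Encodable instanceof ASN1Sequence)) {
            throw new IllegalArgumentException("ASN1Null or ASN1Sequence expected, got: " + aSN1Encodable);
        }
        ASN1Sequence entries = (ASN1Sequence) aSN1Encodable;
        IpResourceSet result = new IpResourceSet();
        IpResource previous = null;
        for (int i = 0; i < entries.size(); i++) {
            IpResource current = derToIpAddressOrRange(ipResourceType, entries.getObjectAt(i));
            if (previous != null) {
                // Each entry is compared with its predecessor only; together with the strict
                // ordering check this rules out overlaps anywhere in the list.
                Validate.isTrue(!previous.adjacent(current), "IP resources in extension MUST NOT be adjacent");
                Validate.isTrue(previous.getEnd().compareTo(current.getStart()) < 0, "addressOrRanges MUST be sorted");
            }
            result.add(current);
            previous = current;
        }
        return result;
    }

    /**
     * Parses one IPAddressOrRange: a SEQUENCE is read as a range, a BIT STRING as a prefix.
     *
     * @throws IllegalArgumentException if the value is neither of the two
     */
    IpResource derToIpAddressOrRange(IpResourceType ipResourceType, ASN1Encodable aSN1Encodable) {
        if (aSN1Encodable instanceof ASN1Sequence) {
            return derToIpRange(ipResourceType, aSN1Encodable);
        }
        if (aSN1Encodable instanceof DERBitString) {
            return Asn1Util.parseIpAddressAsPrefix(ipResourceType, aSN1Encodable);
        }
        throw new IllegalArgumentException("ASN1Sequence or DERBitString expected, got: " + aSN1Encodable);
    }

    /**
     * Parses an IPAddressRange, a SEQUENCE holding the start and the end address.
     *
     * @throws IllegalArgumentException if the sequence does not have exactly two entries
     */
    IpResource derToIpRange(IpResourceType ipResourceType, ASN1Encodable aSN1Encodable) {
        ASN1Sequence bounds = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        Validate.isTrue(bounds.size() == 2, "IPRange MUST consist of two entries (start and end)");
        // The boolean argument differs for the two bounds: false for the start, true for the end.
        return IpRange.range(
                Asn1Util.parseIpAddress(ipResourceType, bounds.getObjectAt(0), false),
                Asn1Util.parseIpAddress(ipResourceType, bounds.getObjectAt(1), true));
    }

    /**
     * Parses an ASRange, a SEQUENCE holding the first and the last AS number.
     *
     * @throws IllegalArgumentException if the sequence does not have exactly two entries
     */
    IpResourceRange derToAsRange(ASN1Encodable aSN1Encodable) {
        ASN1Sequence bounds = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        Validate.isTrue(bounds.size() == 2, "ASN1Sequence with two elements expected");
        return Asn1Util.parseAsId(bounds.getObjectAt(0)).upTo(Asn1Util.parseAsId(bounds.getObjectAt(1)));
    }

    /**
     * Parses one ASIdOrRange: an INTEGER is read as a single AS number, a SEQUENCE as a range.
     *
     * @throws IllegalArgumentException if the value is neither of the two
     */
    IpResource derToAsIdOrRange(ASN1Encodable aSN1Encodable) {
        if (aSN1Encodable instanceof ASN1Integer) {
            return Asn1Util.parseAsId(aSN1Encodable);
        }
        if (aSN1Encodable instanceof ASN1Sequence) {
            return derToAsRange(aSN1Encodable);
        }
        throw new IllegalArgumentException("ASN1Integer or ASN1Sequence expected, got: " + aSN1Encodable);
    }

    /**
     * Parses a SEQUENCE of ASIdOrRange entries.
     *
     * @return the set of listed AS numbers and ranges
     * @throws IllegalArgumentException if consecutive entries are adjacent or not in
     *                                  strictly increasing order
     */
    IpResourceSet derToAsIdsOrRanges(ASN1Encodable aSN1Encodable) {
        ASN1Sequence entries = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        IpResourceSet result = new IpResourceSet();
        IpResource previous = null;
        for (int i = 0; i < entries.size(); i++) {
            IpResource current = derToAsIdOrRange(entries.getObjectAt(i));
            if (previous != null) {
                UniqueIpResource start = current.getStart();
                Validate.isTrue(!start.adjacent(previous.getEnd()), "ASIdOrRange entries MUST NOT be adjacent");
                // Strict comparison, matching the IP address check: an entry that starts at
                // the previous entry's last AS number overlaps it and is rejected.
                Validate.isTrue(previous.getEnd().compareTo(start) < 0, "ASIdOrRange entries MUST be sorted by increasing numeric value");
            }
            result.add(current);
            previous = current;
        }
        return result;
    }

    /**
     * Parses an ASIdentifierChoice.
     *
     * @return {@code null} for ASN.1 NULL (inherit), otherwise the listed AS numbers and ranges
     * @throws IllegalArgumentException if the value is neither NULL nor a SEQUENCE
     */
    IpResourceSet derToAsIdentifierChoice(ASN1Encodable aSN1Encodable) {
        if (aSN1Encodable instanceof ASN1Null) {
            return null;
        }
        if (aSN1Encodable instanceof ASN1Sequence) {
            return derToAsIdsOrRanges(aSN1Encodable);
        }
        throw new IllegalArgumentException("ASN1Null or ASN1Sequence expected, got: " + aSN1Encodable);
    }

    /**
     * Parses the ASIdentifiers structure, a SEQUENCE of at most two tagged choices.
     *
     * @return a two-element array indexed by tag number: element 0 for tag 0 and element 1
     *         for tag 1; an element is an empty set when its tag is absent and {@code null}
     *         when its choice is "inherit"
     * @throws IllegalArgumentException if there are more than two elements, a tag number
     *                                  other than 0 or 1, or the same tag number twice
     */
    IpResourceSet[] derToAsIdentifiers(ASN1Encodable aSN1Encodable) {
        ASN1Sequence choices = Asn1Util.expect(aSN1Encodable, ASN1Sequence.class);
        Validate.isTrue(choices.size() <= 2, "ASN1Sequence with 2 or fewer elements expected");
        IpResourceSet[] result = {new IpResourceSet(), new IpResourceSet()};
        boolean[] seen = new boolean[2];
        for (int i = 0; i < choices.size(); i++) {
            ASN1TaggedObject tagged = Asn1Util.expect(choices.getObjectAt(i), ASN1TaggedObject.class);
            // NOTE(review): only the tag number is inspected; the tag class is not checked here.
            int tagNo = tagged.getTagNo();
            Validate.isTrue(tagNo == 0 || tagNo == 1, "unknown tag no: " + tagNo);
            // Two elements with the same tag would let the second silently replace the first.
            Validate.isTrue(!seen[tagNo], "duplicate tag no: " + tagNo);
            seen[tagNo] = true;
            result[tagNo] = derToAsIdentifierChoice(tagged.getObject());
        }
        return result;
    }
}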
