package org.openoces.ooapi.validation;

import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Comparator;
import java.util.Date;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.x500.X500Principal;
import org.openoces.ooapi.TimeService;
import org.openoces.ooapi.certificate.CA;
import org.openoces.ooapi.certificate.OcesCertificateFacade;
import org.openoces.ooapi.certificate.PKILightPKICertificate;
import org.openoces.ooapi.exceptions.CrlExpiredException;
import org.openoces.ooapi.exceptions.CrlNotYetValidException;
import org.openoces.ooapi.exceptions.InvalidCrlException;
import org.openoces.ooapi.exceptions.InvalidSignatureException;

/* loaded from: input_file:org/openoces/ooapi/validation/CRL.class */
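/**
 * Wrapper around an {@link X509CRL} that performs the revocation checks used by the
 * OCES validation code: CRL signature verification against the issuing CA's key,
 * validity-window checks against an injectable {@link TimeService}, issuer matching
 * and handling of partitioned ("partial") CRLs.
 *
 * <p>Not thread-safe: {@link #setTimeservice(TimeService)} replaces mutable state.
 */
public class CRL {
    /** OID of the issuingDistributionPoint extension (RFC 5280, id-ce 28); its presence marks a partitioned CRL. */
    private static final String PARTIAL_DISTRIBUTION_POINT_OID = "2.5.29.28";
    /** Attribute-type prefix the first RDN of a partitioned CRL URL must carry (canonical, lower-case form). */
    private static final String CN_PREFIX = "cn=";
    /** Shortest first RDN accepted for a partitioned CRL URL, e.g. {@code cn=crl}. */
    private static final int MIN_PARTITION_RDN_LENGTH = "cn=crl".length();
    /**
     * Charset used to turn the raw DER extension bytes into a String for substring matching.
     * Fixed explicitly so the check does not depend on the platform default charset.
     */
    private static final Charset EXTENSION_CHARSET = Charset.forName("UTF-8");

    private final X509CRL crl;
    private TimeService timeservice = new CurrentTimeTimeService();

    /** Default clock: the current system time. Static so it holds no reference to the enclosing CRL. */
    private static final class CurrentTimeTimeService implements TimeService {
        private CurrentTimeTimeService() {
        }

        @Override // org.openoces.ooapi.TimeService
        public Date getTime() {
            return Calendar.getInstance().getTime();
        }
    }

    /**
     * Wraps the given CRL.
     *
     * @param x509crl the CRL to wrap; {@code null} is tolerated by {@link #toString()} only,
     *                every other method will fail on it
     */
    public CRL(X509CRL x509crl) {
        this.crl = x509crl;
    }

    /**
     * Checks whether the given OCES certificate is listed in this CRL, after verifying that
     * the CRL is signed by the certificate's issuing CA, is currently valid and is issued by
     * the same DN as the certificate's issuer.
     *
     * @param ocesCertificateFacade the certificate to check
     * @return {@code true} if the certificate is revoked according to this CRL
     * @throws InvalidSignatureException if the CRL signature does not verify with the issuing CA's key
     * @throws CrlExpiredException if the CRL's nextUpdate lies in the past
     * @throws CrlNotYetValidException if the CRL's thisUpdate lies in the future
     * @throws IllegalStateException if the CRL issuer differs from the certificate issuer,
     *                               or the CA key is unusable for verification
     */
    public boolean isRevoked(OcesCertificateFacade ocesCertificateFacade) {
        CA signingCa = ocesCertificateFacade.getSigningCA();
        try {
            verifyCrl(signingCa.getPublicKey());
            return isRevoked(ocesCertificateFacade.exportCertificate());
        } catch (SignatureException e) {
            throw new InvalidSignatureException("CRL issued by " + issuerName()
                    + " does not have valid signature by certificate's issuer certificate "
                    + signingCa.getCertificate().getSubjectX500Principal().getName(), e);
        }
    }

    /**
     * Checks whether the given PKI-light certificate is listed in this CRL.
     *
     * <p>Unlike {@link #isRevoked(OcesCertificateFacade)} this overload performs <em>no</em>
     * CRL signature verification; only the validity window and issuer match are asserted.
     * Callers must have established the CRL's authenticity by other means.
     *
     * @param pKILightPKICertificate the certificate to check
     * @return {@code true} if the certificate is revoked according to this CRL
     * @throws CrlExpiredException if the CRL's nextUpdate lies in the past
     * @throws CrlNotYetValidException if the CRL's thisUpdate lies in the future
     * @throws IllegalStateException if the CRL issuer differs from the certificate issuer
     */
    public boolean isRevoked(PKILightPKICertificate pKILightPKICertificate) {
        return isRevoked(pKILightPKICertificate.exportCertificate());
    }

    /**
     * Checks whether the given intermediate CA certificate is listed in this CRL, after
     * verifying the CRL signature with the CA's own issuer key.
     *
     * @param ca the (non-root) CA whose certificate is checked
     * @return {@code true} if the CA certificate is revoked according to this CRL
     * @throws IllegalArgumentException if {@code ca} is a root CA (roots are not CRL-checked)
     * @throws InvalidSignatureException if the CRL signature does not verify with the issuer's key
     * @throws CrlExpiredException if the CRL's nextUpdate lies in the past
     * @throws CrlNotYetValidException if the CRL's thisUpdate lies in the future
     * @throws IllegalStateException if the CRL issuer differs from the CA certificate's issuer
     */
    public boolean isRevoked(CA ca) {
        if (ca.isRoot()) {
            throw new IllegalArgumentException("Cannot check revocation for root CA");
        }
        CA signingCa = ca.getSigningCA();
        try {
            verifyCrl(signingCa.getPublicKey());
            return isRevoked(ca.getCertificate());
        } catch (SignatureException e) {
            throw new InvalidSignatureException("CRL issued by " + issuerName()
                    + " does not have valid signature by ca's issuer certificate "
                    + signingCa.getCertificate().getSubjectX500Principal().getName(), e);
        }
    }

    /** Issuer DN of the wrapped CRL in RFC 2253 form, for use in messages. */
    private String issuerName() {
        return this.crl.getIssuerX500Principal().getName();
    }

    /**
     * Verifies the CRL signature with the given key.
     *
     * @param publicKey the key expected to have signed the CRL
     * @throws SignatureException if the signature does not verify (the caller turns this into a domain exception)
     * @throws IllegalStateException if the key cannot be used for this CRL's signature algorithm
     * @throws RuntimeException if the algorithm or provider is unavailable, or the CRL is malformed
     */
    private void verifyCrl(PublicKey publicKey) throws SignatureException {
        try {
            this.crl.verify(publicKey);
        } catch (InvalidKeyException e) {
            throw new IllegalStateException(e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (NoSuchProviderException e) {
            throw new RuntimeException(e);
        } catch (CRLException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Common revocation check: asserts the CRL is inside its validity window and was issued
     * by the certificate's issuer, then consults the CRL's revoked list.
     *
     * @param x509Certificate the certificate to look up
     * @return {@code true} if the certificate appears in the CRL
     */
    private boolean isRevoked(X509Certificate x509Certificate) {
        assertCrlCurrentlyValid();
        assertCrlIssuedByCertificateIssuer(x509Certificate);
        return this.crl.isRevoked(x509Certificate);
    }

    /**
     * Asserts that the CRL issuer DN equals the certificate issuer DN. The comparison uses
     * {@link X500Principal#equals(Object)}, i.e. canonical DN matching, rather than the
     * implementation-specific {@code Principal} returned by the denigrated {@code getIssuerDN()}.
     *
     * @param x509Certificate the certificate whose issuer must match
     * @throws IllegalStateException on mismatch
     */
    private void assertCrlIssuedByCertificateIssuer(X509Certificate x509Certificate) {
        X500Principal crlIssuer = this.crl.getIssuerX500Principal();
        X500Principal certIssuer = x509Certificate.getIssuerX500Principal();
        if (!crlIssuer.equals(certIssuer)) {
            throw new IllegalStateException("CRL is not issued by the certificate's issuing CA. CRL is issued by: "
                    + crlIssuer + ", certificate is issued by: " + certIssuer);
        }
    }

    /**
     * Returns the CRL entry for the given certificate, or {@code null} if it is not listed.
     * No signature, validity-window or issuer check is performed here.
     *
     * @param ocesCertificateFacade the certificate to look up
     * @return the entry carrying revocation date and reason, or {@code null}
     */
    public X509CRLEntry getRevocationDetails(OcesCertificateFacade ocesCertificateFacade) {
        return this.crl.getRevokedCertificate(ocesCertificateFacade.exportCertificate());
    }

    /**
     * @return {@code true} if the CRL has not passed its nextUpdate
     * @throws CrlNotYetValidException if the CRL's thisUpdate lies in the future
     */
    public boolean isValid() {
        return !isCrlExpired();
    }

    /**
     * @return {@code true} if the current time is after the CRL's nextUpdate
     * @throws CrlNotYetValidException if the CRL's thisUpdate lies in the future
     */
    public boolean isCrlExpired() {
        assertCrlNotBeforeValidity();
        try {
            assertCrlNotExpired();
            return false;
        } catch (CrlExpiredException e) {
            // Expiry is the answer being asked for here, not an error.
            return true;
        }
    }

    /** Asserts the CRL is within [thisUpdate, nextUpdate] according to the configured time service. */
    private void assertCrlCurrentlyValid() {
        assertCrlNotExpired();
        assertCrlNotBeforeValidity();
    }

    /** @throws CrlNotYetValidException if now is before thisUpdate */
    private void assertCrlNotBeforeValidity() {
        Date validFrom = this.crl.getThisUpdate();
        if (this.timeservice.getTime().before(validFrom)) {
            throw new CrlNotYetValidException("CRL is not yet valid, crl is valid from " + validFrom);
        }
    }

    /** @throws CrlExpiredException if now is after nextUpdate */
    private void assertCrlNotExpired() {
        Date validUntil = this.crl.getNextUpdate();
        if (this.timeservice.getTime().after(validUntil)) {
            throw new CrlExpiredException("CRL is expired, crl is valid to " + validUntil);
        }
    }

    /** @return the CRL's thisUpdate */
    public Date getValidFrom() {
        return this.crl.getThisUpdate();
    }

    /**
     * Serial numbers (lower-case hex, no prefix) of all entries revoked at or after {@code date}.
     *
     * @param date inclusive lower bound on the revocation date
     * @return sorted set of hex serial numbers; empty if none
     */
    public Set<String> getRevokedCertificates(Date date) {
        Set<String> serials = new TreeSet<String>();
        for (X509CRLEntry entry : getRevocationDetails(date)) {
            serials.add(entry.getSerialNumber().toString(16));
        }
        return serials;
    }

    /**
     * All CRL entries whose revocation date is not before {@code date}.
     *
     * <p>Entries are ordered by serial number (then revocation date) via an explicit
     * comparator: {@link X509CRLEntry} does not implement {@code Comparable}, so a natural-order
     * {@code TreeSet} only works with providers whose entry class happens to be comparable.
     *
     * @param date inclusive lower bound on the revocation date
     * @return sorted set of entries; empty if the CRL has no matching entries
     */
    public Set<X509CRLEntry> getRevocationDetails(Date date) {
        Set<X509CRLEntry> selected = new TreeSet<X509CRLEntry>(BY_SERIAL_THEN_DATE);
        Set<? extends X509CRLEntry> revoked = this.crl.getRevokedCertificates();
        if (revoked == null) {
            return selected;
        }
        for (X509CRLEntry entry : revoked) {
            if (!entry.getRevocationDate().before(date)) {
                selected.add(entry);
            }
        }
        return selected;
    }

    /** Orders CRL entries by serial number, breaking ties (not expected within one CRL) by revocation date. */
    private static final Comparator<X509CRLEntry> BY_SERIAL_THEN_DATE = new Comparator<X509CRLEntry>() {
        @Override
        public int compare(X509CRLEntry a, X509CRLEntry b) {
            int bySerial = a.getSerialNumber().compareTo(b.getSerialNumber());
            if (bySerial != 0) {
                return bySerial;
            }
            return a.getRevocationDate().compareTo(b.getRevocationDate());
        }
    };

    /** @return the CRL's nextUpdate */
    public Date getValidUntil() {
        return this.crl.getNextUpdate();
    }

    /** @return {@code true} if the CRL carries an issuingDistributionPoint extension, i.e. is partitioned */
    public boolean isPartial() {
        return this.crl.getExtensionValue(PARTIAL_DISTRIBUTION_POINT_OID) != null;
    }

    /**
     * Heuristically checks that this partitioned CRL belongs to the partition named in the
     * given distribution-point DN: the partition's CN value is searched as a substring of the
     * raw issuingDistributionPoint extension bytes decoded as text. The extension is not parsed.
     *
     * @param str distinguished name of the CRL partition (e.g. taken from the CRL distribution point URL)
     * @return {@code false} if this CRL is not partitioned, otherwise whether the partition name is found
     * @throws InvalidCrlException if the DN does not start with a {@code cn=crl...} RDN
     * @throws IllegalArgumentException if {@code str} is not a parseable DN
     */
    public boolean isCorrectPartialCrl(String str) {
        byte[] extensionValue = this.crl.getExtensionValue(PARTIAL_DISTRIBUTION_POINT_OID);
        if (extensionValue == null) {
            return false;
        }
        String extensionText = new String(extensionValue, EXTENSION_CHARSET).toLowerCase(Locale.ROOT);
        return extensionText.contains(getCrlNumberFromPartitionCrlUrl(str));
    }

    /**
     * Extracts the CN value of the first RDN of a partition DN, e.g. {@code crl17} from
     * {@code CN=CRL17,O=...}. The canonical (lower-case) form is used so the result can be
     * matched case-insensitively.
     *
     * @param str the partition DN
     * @return the CN value without its {@code cn=} prefix
     * @throws InvalidCrlException if the first RDN is not a {@code cn=} attribute of at least {@code cn=crl} length
     * @throws IllegalArgumentException if {@code str} is not a parseable DN
     */
    private String getCrlNumberFromPartitionCrlUrl(String str) {
        // split() never returns null and always yields at least one element, so no length check is needed.
        String firstRdn = new X500Principal(str).getName(X500Principal.CANONICAL).split(",")[0];
        if (firstRdn.length() < MIN_PARTITION_RDN_LENGTH || !firstRdn.startsWith(CN_PREFIX)) {
            throw new InvalidCrlException("The DN is not of expected format.", str);
        }
        return firstRdn.substring(CN_PREFIX.length());
    }

    /**
     * Replaces the clock used for validity-window checks (intended for tests).
     *
     * @param timeService the clock to use
     */
    protected void setTimeservice(TimeService timeService) {
        this.timeservice = timeService;
    }

    @Override
    public String toString() {
        if (this.crl == null) {
            return "CRL (null)";
        }
        return "CRL, validFrom: " + getValidFrom() + ", validUntil: " + getValidUntil() + ", isPartial: " + isPartial();
    }
}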
