package be.fedict.trust.crl;

import be.fedict.trust.CRLRevocationData;
import be.fedict.trust.RevocationData;
import be.fedict.trust.TrustLinker;
import be.fedict.trust.TrustLinkerResult;
import be.fedict.trust.TrustLinkerResultReason;
import be.fedict.trust.TrustValidator;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.InvalidParameterException;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.LinkedList;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.asn1.x509.X509Extensions;

/* loaded from: input_file:be/fedict/trust/crl/CrlTrustLinker.class */
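public class CrlTrustLinker implements TrustLinker {
    private static final Log LOG = LogFactory.getLog(CrlTrustLinker.class);

    /**
     * Index of the cRLSign bit in the boolean[] returned by
     * {@link X509Certificate#getKeyUsage()}.
     */
    private static final int KEY_USAGE_CRL_SIGN = 6;

    private final CrlRepository crlRepository;

    /**
     * Creates a CRL based trust linker.
     *
     * @param crlRepository the repository used to retrieve CRLs by distribution point URI.
     */
    public CrlTrustLinker(CrlRepository crlRepository) {
        this.crlRepository = crlRepository;
    }

    /**
     * Checks the revocation status of {@code x509Certificate} against the CRL
     * published at the certificate's first CRL distribution point URI.
     *
     * @param x509Certificate  the certificate whose revocation status is checked.
     * @param x509Certificate2 the issuer certificate, expected to have signed the CRL.
     * @param date             the validation date.
     * @param revocationData   optional collector of the CRLs used; may be {@code null}.
     * @return {@code null} when this linker has no opinion (no CRL URI, the CRL could
     *         not be retrieved or failed the integrity checks, or it is an indirect CRL);
     *         otherwise a result stating whether the certificate is revoked.
     */
    @Override // be.fedict.trust.TrustLinker
    public TrustLinkerResult hasTrustLink(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date, RevocationData revocationData) {
        URI crlUri = getCrlUri(x509Certificate);
        if (null == crlUri) {
            LOG.debug("no CRL uri in certificate");
            return null;
        }
        return processCrl(crlUri, x509Certificate, x509Certificate2, date, revocationData, null);
    }

    /**
     * Retrieves and validates one CRL and, when it is a base CRL, recursively
     * processes the delta CRLs it advertises through the freshestCRL extension.
     *
     * @param uri              the CRL distribution point to fetch.
     * @param x509Certificate  the certificate under test.
     * @param x509Certificate2 the CRL issuer certificate.
     * @param date             the validation date.
     * @param revocationData   optional collector of the CRLs used; may be {@code null}.
     * @param bigInteger       the CRL number of the base CRL when processing a delta CRL,
     *                         {@code null} when processing a base CRL.
     * @return {@code null} when undecided (see {@link #hasTrustLink}); a result otherwise.
     * @throws RuntimeException when the CRL cannot be re-encoded for {@code revocationData}.
     */
    private TrustLinkerResult processCrl(URI uri, X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date, RevocationData revocationData, BigInteger bigInteger) {
        LOG.debug("CRL URI: " + uri);
        X509CRL crl = this.crlRepository.findCrl(uri, x509Certificate2, date);
        if (null == crl || !checkCrlIntegrity(crl, x509Certificate2, date)) {
            return null;
        }
        TrustLinkerResult sigAlgResult = TrustValidator.checkSignatureAlgorithm(crl.getSigAlgName());
        if (!sigAlgResult.isValid()) {
            return sigAlgResult;
        }
        // Indirect CRLs (entries issued by another CA) are not supported here;
        // decline rather than interpret them incorrectly.
        if (isIndirectCRL(crl)) {
            LOG.debug("indirect CRL detected");
            return null;
        }
        // Parsed once: also passed down to every delta CRL of this base CRL.
        BigInteger crlNumber = getCrlNumber(crl);
        LOG.debug("CRL number: " + crlNumber);
        if (null != bigInteger) {
            // A delta CRL is only applicable to the base CRL whose number it names.
            BigInteger deltaCrlIndicator = getDeltaCrlIndicator(crl);
            if (!bigInteger.equals(deltaCrlIndicator)) {
                LOG.error("Delta CRL indicator (" + deltaCrlIndicator + ") not equals base CRL number(" + bigInteger + ")");
                return null;
            }
        }
        if (null != revocationData) {
            try {
                revocationData.getCrlRevocationData().add(new CRLRevocationData(crl.getEncoded()));
            } catch (CRLException e) {
                LOG.error("CRLException: " + e.getMessage(), e);
                throw new RuntimeException("CRLException : " + e.getMessage(), e);
            }
        }
        X509CRLEntry revokedEntry = crl.getRevokedCertificate(x509Certificate.getSerialNumber());
        boolean revoked;
        if (null == revokedEntry) {
            LOG.debug("CRL OK for: " + x509Certificate.getSubjectX500Principal());
            revoked = false;
        } else if (revokedEntry.getRevocationDate().after(date)) {
            // Revoked only after the validation date: still valid at that instant.
            LOG.debug("CRL OK for: " + x509Certificate.getSubjectX500Principal() + " at " + date);
            revoked = false;
        } else {
            revoked = true;
        }
        boolean isDeltaCrl = null != crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId());
        if (!isDeltaCrl) {
            // Base CRL: a delta CRL that yields a verdict takes precedence.
            List<URI> deltaCrlUris = getDeltaCrlUris(crl);
            if (null != deltaCrlUris) {
                for (URI deltaUri : deltaCrlUris) {
                    LOG.debug("delta CRL: " + deltaUri.toString());
                    TrustLinkerResult deltaResult = processCrl(deltaUri, x509Certificate, x509Certificate2, date, revocationData, crlNumber);
                    if (null != deltaResult) {
                        return deltaResult;
                    }
                }
            }
        } else if (!revoked) {
            // A delta CRL not listing the certificate says nothing; the base CRL decides.
            return null;
        }
        if (revoked) {
            return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_REVOCATION_STATUS, "certificate revoked by CRL=" + revokedEntry.getSerialNumber());
        }
        return new TrustLinkerResult(true);
    }

    /**
     * Verifies that a CRL was issued and signed by the given certificate and is
     * applicable at the validation date.
     * <p>
     * Checks, in order: issuer name matches the certificate subject, the CRL
     * signature verifies under the certificate's public key, thisUpdate is not
     * after {@code date}, nextUpdate is present and not before {@code date}, and the
     * certificate carries a KeyUsage extension with the cRLSign bit set. Any
     * failure is logged and rejects the CRL.
     *
     * @param x509crl         the CRL to check.
     * @param x509Certificate the presumed CRL issuer certificate.
     * @param date            the validation date.
     * @return {@code true} only when every check passes.
     */
    public static boolean checkCrlIntegrity(X509CRL x509crl, X509Certificate x509Certificate, Date date) {
        if (!x509crl.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal())) {
            LOG.debug("CRL issuer does not match the CRL issuing certificate subject");
            return false;
        }
        try {
            x509crl.verify(x509Certificate.getPublicKey());
        } catch (GeneralSecurityException e) {
            // Fail closed, but keep the cause visible: a silently rejected CRL is hard to diagnose.
            LOG.warn("CRL signature verification failed: " + e.getMessage(), e);
            return false;
        }
        Date thisUpdate = x509crl.getThisUpdate();
        LOG.debug("validation date: " + date);
        LOG.debug("CRL this update: " + thisUpdate);
        if (thisUpdate.after(date)) {
            LOG.warn("CRL too young");
            return false;
        }
        Date nextUpdate = x509crl.getNextUpdate();
        LOG.debug("CRL next update: " + nextUpdate);
        if (null == nextUpdate) {
            // nextUpdate is optional in X.509; without it the CRL's validity window is unknown.
            LOG.debug("CRL has no next update");
            return false;
        }
        if (date.after(nextUpdate)) {
            LOG.debug("CRL too old");
            return false;
        }
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (null == keyUsage) {
            LOG.debug("No KeyUsage extension for CRL issuing certificate");
            return false;
        }
        if (keyUsage.length <= KEY_USAGE_CRL_SIGN || !keyUsage[KEY_USAGE_CRL_SIGN]) {
            LOG.debug("cRLSign bit not set for CRL issuing certificate");
            return false;
        }
        return true;
    }

    /**
     * Returns the first URI-typed full name found in the certificate's
     * CRLDistributionPoints extension.
     *
     * @param x509Certificate the certificate to inspect.
     * @return the first CRL URI, or {@code null} when the extension is absent or
     *         holds no URI name.
     * @throws RuntimeException          when the extension cannot be decoded.
     * @throws InvalidParameterException when the name is not a syntactically valid URI.
     */
    public static URI getCrlUri(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(X509Extensions.CRLDistributionPoints.getId());
        if (null == extensionValue) {
            return null;
        }
        try {
            ASN1Sequence sequence = (ASN1Sequence) new ASN1InputStream(extensionContent(extensionValue)).readObject();
            for (DistributionPoint distributionPoint : CRLDistPoint.getInstance(sequence).getDistributionPoints()) {
                DistributionPointName dpName = distributionPoint.getDistributionPoint();
                if (DistributionPointName.FULL_NAME != dpName.getType()) {
                    continue;
                }
                for (GeneralName generalName : ((GeneralNames) dpName.getName()).getNames()) {
                    if (GeneralName.uniformResourceIdentifier == generalName.getTagNo()) {
                        return toURI(DERIA5String.getInstance(generalName.getDERObject()).getString());
                    }
                    LOG.debug("not a uniform resource identifier");
                }
            }
            return null;
        } catch (IOException e) {
            throw new RuntimeException("IO error: " + e.getMessage(), e);
        }
    }

    /**
     * Collects every URI-typed full name from the CRL's freshestCRL extension.
     *
     * @param x509crl the base CRL.
     * @return the delta CRL URIs in extension order (possibly empty), or {@code null}
     *         when the CRL has no freshestCRL extension.
     * @throws RuntimeException when the extension cannot be decoded.
     */
    private List<URI> getDeltaCrlUris(X509CRL x509crl) {
        byte[] extensionValue = x509crl.getExtensionValue(X509Extensions.FreshestCRL.getId());
        if (null == extensionValue) {
            LOG.debug("no freshestCRL extension");
            return null;
        }
        try {
            ASN1Sequence sequence = (ASN1Sequence) new ASN1InputStream(extensionContent(extensionValue)).readObject();
            List<URI> deltaCrlUris = new LinkedList<URI>();
            for (DistributionPoint distributionPoint : CRLDistPoint.getInstance(sequence).getDistributionPoints()) {
                DistributionPointName dpName = distributionPoint.getDistributionPoint();
                if (DistributionPointName.FULL_NAME != dpName.getType()) {
                    continue;
                }
                for (GeneralName generalName : ((GeneralNames) dpName.getName()).getNames()) {
                    if (GeneralName.uniformResourceIdentifier != generalName.getTagNo()) {
                        LOG.debug("not a uniform resource identifier");
                    } else {
                        deltaCrlUris.add(toURI(DERIA5String.getInstance(generalName.getDERObject()).getString()));
                    }
                }
            }
            return deltaCrlUris;
        } catch (IOException e) {
            throw new RuntimeException("IO error: " + e.getMessage(), e);
        }
    }

    /**
     * Reads the deltaCRLIndicator extension (the base CRL number a delta applies to).
     *
     * @param x509crl the CRL to inspect.
     * @return the indicator, or {@code null} when the extension is absent.
     * @throws RuntimeException when the extension cannot be decoded.
     */
    private BigInteger getDeltaCrlIndicator(X509CRL x509crl) {
        return readIntegerExtension(x509crl, X509Extensions.DeltaCRLIndicator.getId());
    }

    /**
     * Reads the cRLNumber extension.
     *
     * @param x509crl the CRL to inspect.
     * @return the CRL number, or {@code null} when the extension is absent.
     * @throws RuntimeException when the extension cannot be decoded.
     */
    private BigInteger getCrlNumber(X509CRL x509crl) {
        return readIntegerExtension(x509crl, X509Extensions.CRLNumber.getId());
    }

    /**
     * Reads a CRL extension whose content is a single INTEGER.
     *
     * @param x509crl the CRL to inspect.
     * @param oid     the extension OID.
     * @return the integer value, or {@code null} when the extension is absent.
     * @throws RuntimeException when the extension cannot be decoded.
     */
    private static BigInteger readIntegerExtension(X509CRL x509crl, String oid) {
        byte[] extensionValue = x509crl.getExtensionValue(oid);
        if (null == extensionValue) {
            return null;
        }
        try {
            DERInteger value = (DERInteger) new ASN1InputStream(extensionContent(extensionValue)).readObject();
            return value.getPositiveValue();
        } catch (IOException e) {
            throw new RuntimeException("IO error: " + e.getMessage(), e);
        }
    }

    /**
     * Tells whether the CRL declares itself indirect through its
     * issuingDistributionPoint extension.
     * <p>
     * The extension value is unwrapped from its OCTET STRING envelope before
     * parsing, as the other extension readers in this class do; handing the raw
     * {@code getExtensionValue} bytes to the BouncyCastle factory would not parse.
     *
     * @param x509crl the CRL to inspect.
     * @return {@code true} when the extension is present and its indirectCRL flag is set.
     * @throws RuntimeException when the extension cannot be decoded.
     */
    private boolean isIndirectCRL(X509CRL x509crl) {
        byte[] extensionValue = x509crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId());
        if (null == extensionValue) {
            return false;
        }
        try {
            ASN1Sequence sequence = (ASN1Sequence) new ASN1InputStream(extensionContent(extensionValue)).readObject();
            return IssuingDistributionPoint.getInstance(sequence).isIndirectCRL();
        } catch (IOException e) {
            throw new RuntimeException("IO error: " + e.getMessage(), e);
        }
    }

    /**
     * Unwraps the DER OCTET STRING envelope that {@code getExtensionValue} returns.
     *
     * @param extensionValue the raw extension value bytes.
     * @return the DER-encoded extension content carried inside the OCTET STRING.
     * @throws IOException when the envelope cannot be decoded.
     */
    private static byte[] extensionContent(byte[] extensionValue) throws IOException {
        DEROctetString envelope = (DEROctetString) new ASN1InputStream(new ByteArrayInputStream(extensionValue)).readObject();
        return envelope.getOctets();
    }

    /**
     * Converts a distribution point name string to a URI.
     *
     * @param str the URI text taken from the extension.
     * @return the parsed URI.
     * @throws InvalidParameterException when the text is not a valid URI.
     */
    private static URI toURI(String str) {
        try {
            return new URI(str);
        } catch (URISyntaxException e) {
            throw new InvalidParameterException("CRL URI syntax error: " + e.getMessage());
        }
    }
}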
