package io.jans.as.common.cert.validation;

import com.google.common.base.Preconditions;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import io.jans.as.common.cert.validation.model.ValidationStatus;
import io.jans.as.model.util.SecurityProviderUtility;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.NoSuchProviderException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.input.BoundedInputStream;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.x509.NoSuchParserException;
import org.bouncycastle.x509.util.StreamParsingException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/jans/as/common/cert/validation/CRLCertificateVerifier.class */
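public class CRLCertificateVerifier implements CertificateVerifier {
    private static final Logger log = LoggerFactory.getLogger(CRLCertificateVerifier.class);

    /** Maximum number of cached CRLs; one entry per distribution-point URL. */
    private static final long CRL_CACHE_MAX_ENTRIES = 10L;
    /** Lifetime of a cached CRL. A CRL whose nextUpdate has passed is evicted earlier, see {@link #evictIfStale}. */
    private static final long CRL_CACHE_TTL_MINUTES = 60L;
    /** Socket timeouts for the CRL download. Without them a slow or black-holed CDP host blocks the calling thread indefinitely. */
    private static final int CRL_CONNECT_TIMEOUT_MS = 10_000;
    private static final int CRL_READ_TIMEOUT_MS = 30_000;
    /** Index of the cRLSign bit in the boolean[] returned by {@link X509Certificate#getKeyUsage()} (RFC 5280 section 4.2.1.3). */
    private static final int KEY_USAGE_CRL_SIGN = 6;

    /** Upper bound, in bytes, of a CRL this verifier is willing to download and parse. */
    private final int maxCrlSize;
    /** CRLs keyed by the exact distribution-point URL they were fetched from. */
    private final LoadingCache<String, X509CRL> crlCache;

    /**
     * Creates a CRL-based verifier.
     *
     * @param maxCrlSize maximum accepted CRL size in bytes; larger CRLs are rejected instead of being
     *                   truncated and parsed
     */
    public CRLCertificateVerifier(int maxCrlSize) {
        SecurityProviderUtility.installBCProvider(true);
        this.maxCrlSize = maxCrlSize;
        this.crlCache = CacheBuilder.newBuilder()
                .maximumSize(CRL_CACHE_MAX_ENTRIES)
                .expireAfterWrite(CRL_CACHE_TTL_MINUTES, TimeUnit.MINUTES)
                .build(new CacheLoader<String, X509CRL>() {
                    @Override
                    public X509CRL load(String crlUrl) throws Exception {
                        X509CRL crl = requestCRL(crlUrl);
                        // A download failure yields null; it must surface as a load failure, never be cached.
                        Preconditions.checkNotNull(crl, "CRL download from '%s' returned nothing", crlUrl);
                        return crl;
                    }
                });
    }

    /**
     * Checks {@code certificate} against the CRL named by its first http(s) CRL distribution point.
     * <p>
     * Limitations a reader should know about: only the first URI of the CRL Distribution Points extension is
     * consulted; the CRL must be a full CRL signed directly by {@code issuers.get(0)} (no indirect or delta CRLs,
     * and the Issuing Distribution Point scope is not evaluated); reason codes are ignored.
     *
     * @param certificate    certificate whose revocation state is queried
     * @param issuers        chain whose first element must be the issuer of {@code certificate} and the signer of the CRL
     * @param validationDate point in time the status is evaluated at
     * @return VALID, REVOKED or INVALID (CRL unusable) when the check completed; UNKNOWN when no CRL could be obtained
     * @throws IllegalArgumentException if {@code issuers} is null or empty
     */
    @Override
    public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
        Preconditions.checkArgument(issuers != null && !issuers.isEmpty(), "Issuer certificate list must not be empty");
        X509Certificate issuerCertificate = issuers.get(0);
        ValidationStatus status = new ValidationStatus(certificate, issuerCertificate, validationDate,
                ValidationStatus.ValidatorSourceType.CRL, ValidationStatus.CertificateValidity.UNKNOWN);
        X500Principal subject = certificate.getSubjectX500Principal();
        try {
            String crlUri = getCrlUri(certificate);
            if (crlUri == null) {
                log.error("CRL's URL for '{}' is empty", subject);
                return status;
            }
            log.debug("CRL's URL for '{}' is '{}'", subject, crlUri);

            X509CRL crl = getCrl(crlUri);
            if (!validateCRL(crl, certificate, issuerCertificate, validationDate)) {
                log.error("The CRL is not valid!");
                // Do not keep serving a CRL that is already past nextUpdate for the rest of the cache TTL.
                evictIfStale(crlUri, crl);
                status.setValidity(ValidationStatus.CertificateValidity.INVALID);
                return status;
            }

            X509CRLEntry entry = crl.getRevokedCertificate(certificate.getSerialNumber());
            if (entry == null) {
                log.debug("CRL status is valid for '{}'", subject);
                status.setValidity(ValidationStatus.CertificateValidity.VALID);
            } else if (entry.getRevocationDate().after(validationDate)) {
                // Revocation happened after the point in time being evaluated, so the certificate was still good then.
                log.warn("CRL revocation time after the validation date, the certificate '{}' was valid at {}", subject, validationDate);
                status.setRevocationObjectIssuingTime(crl.getThisUpdate());
                status.setValidity(ValidationStatus.CertificateValidity.VALID);
            } else {
                log.info("CRL for certificate '{}' is revoked since {}", subject, entry.getRevocationDate());
                status.setRevocationObjectIssuingTime(crl.getThisUpdate());
                status.setRevocationDate(entry.getRevocationDate());
                status.setValidity(ValidationStatus.CertificateValidity.REVOKED);
            }
        } catch (Exception e) {
            // Fetch/parse/cache failures leave the status at UNKNOWN so another verifier (e.g. OCSP) may still decide.
            log.error("CRL exception: ", e);
        }
        return status;
    }

    /**
     * Drops the cached CRL for {@code crlUri} when its nextUpdate is already in the past (wall-clock time), so
     * the next validation re-downloads instead of failing until the cache TTL expires.
     */
    private void evictIfStale(String crlUri, X509CRL crl) {
        if (crl != null && crl.getNextUpdate() != null && new Date().after(crl.getNextUpdate())) {
            crlCache.invalidate(crlUri);
        }
    }

    /**
     * Decides whether {@code crl} may be used to judge {@code certificate}: the supplied issuer must be the
     * certificate's issuer and the CRL's issuer, the CRL must carry no unsupported critical extension, its
     * signature must verify with the issuer's key, it must not be past nextUpdate at {@code validationDate},
     * and the issuer must be entitled to sign CRLs (KeyUsage cRLSign).
     *
     * @return true if every check passed; false (with the reason logged) otherwise
     */
    private boolean validateCRL(X509CRL crl, X509Certificate certificate, X509Certificate issuerCertificate, Date validationDate) {
        X500Principal subject = certificate.getSubjectX500Principal();
        if (crl == null) {
            log.error("No CRL found for certificate '{}'", subject);
            return false;
        }
        if (log.isTraceEnabled()) {
            try {
                log.trace("CRL number: {}", getCrlNumber(crl));
            } catch (IOException e) {
                log.error("Failed to get CRL number", e);
            }
        }

        X500Principal issuerSubject = issuerCertificate.getSubjectX500Principal();
        // The caller-supplied issuer must actually be the certificate's issuer; otherwise any CA's CRL could vouch for it.
        if (!certificate.getIssuerX500Principal().equals(issuerSubject)) {
            log.error("Certificate '{}' was issued by '{}' but the supplied issuer certificate is '{}'",
                    subject, certificate.getIssuerX500Principal(), issuerSubject);
            return false;
        }
        if (!crl.getIssuerX500Principal().equals(issuerSubject)) {
            log.error("The CRL must be signed by the issuer '{}' but instead is signed by '{}'",
                    issuerSubject, crl.getIssuerX500Principal());
            return false;
        }
        // RFC 5280 section 5.2: a CRL containing an unrecognised critical extension must not be used.
        if (crl.hasUnsupportedCriticalExtension()) {
            log.error("CRL issued by '{}' carries an unsupported critical extension", issuerSubject);
            return false;
        }

        try {
            crl.verify(issuerCertificate.getPublicKey());
            log.debug("CRL validationDate: {}", validationDate);
            log.debug("CRL thisUpdate: {}", crl.getThisUpdate());
            log.debug("CRL nextUpdate: {}", crl.getNextUpdate());
            // NOTE(review): a CRL whose thisUpdate lies after validationDate is accepted; only staleness is rejected.
            if (crl.getNextUpdate() != null && validationDate.after(crl.getNextUpdate())) {
                log.error("CRL is too old");
                return false;
            }

            boolean[] keyUsage = issuerCertificate.getKeyUsage();
            if (keyUsage == null) {
                log.error("There is no KeyUsage extension for certificate '{}'", issuerSubject);
                return false;
            }
            if (keyUsage.length <= KEY_USAGE_CRL_SIGN || !keyUsage[KEY_USAGE_CRL_SIGN]) {
                log.error("cRLSign bit is not set for CRL certificate '{}'", issuerSubject);
                return false;
            }
            return true;
        } catch (Exception e) {
            // Covers bad signature, unsupported algorithm and any unexpected runtime failure: fail closed.
            log.error("The signature verification for CRL cannot be performed", e);
            return false;
        }
    }

    /**
     * Returns the (cached) CRL for {@code crlUri}, or null if the URI is not http(s).
     * <p>
     * The URI is used verbatim as cache key and download target: lower-casing it (as was done before) broke
     * CRL paths on case-sensitive servers.
     *
     * @throws ExecutionException if downloading or parsing the CRL failed
     */
    private X509CRL getCrl(String crlUri) throws ExecutionException {
        // Only http(s) is fetched: file:, ldap:, jar: etc. would let the peer's certificate point this server at local resources.
        if (!hasHttpScheme(crlUri)) {
            log.error("It's possible to download CRL via HTTP and HTTPS only");
            return null;
        }
        return crlCache.get(crlUri);
    }

    /** Case-insensitive test for an {@code http://} or {@code https://} scheme prefix. */
    private static boolean hasHttpScheme(String uri) {
        return uri.regionMatches(true, 0, "http://", 0, 7)
                || uri.regionMatches(true, 0, "https://", 0, 8);
    }

    /**
     * Downloads and parses the CRL at {@code crlUrl}.
     * <p>
     * NOTE(security): the URL originates from the CRL Distribution Points extension of a certificate presented by
     * the peer, i.e. it is attacker-controlled. This method bounds the scheme (via {@link #getCrl}), the size
     * ({@link #maxCrlSize}) and the time (socket timeouts); restricting the destination hosts (egress allow-list)
     * is left to the deployment.
     *
     * @return the parsed CRL, or null if the HTTP download failed
     * @throws CRLException if the response is larger than {@code maxCrlSize} or is not a parsable CRL
     */
    public X509CRL requestCRL(String crlUrl) throws IOException, MalformedURLException, CertificateException, CRLException {
        HttpURLConnection connection = (HttpURLConnection) new URL(crlUrl).openConnection();
        try {
            connection.setUseCaches(false);
            connection.setConnectTimeout(CRL_CONNECT_TIMEOUT_MS);
            connection.setReadTimeout(CRL_READ_TIMEOUT_MS);

            byte[] encoded;
            // Read one byte beyond the limit so an oversized CRL is detected instead of being silently truncated and parsed.
            try (InputStream in = new BoundedInputStream(connection.getInputStream(), (long) maxCrlSize + 1)) {
                encoded = IOUtils.toByteArray(in);
            } catch (IOException e) {
                log.error("Failed to download CRL from '{}'", crlUrl, e);
                return null;
            }
            if (encoded.length > maxCrlSize) {
                throw new CRLException("CRL from '" + crlUrl + "' exceeds the configured maximum of " + maxCrlSize + " bytes");
            }

            X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(new ByteArrayInputStream(encoded));
            log.debug("CRL size: {} bytes", encoded.length);
            return crl;
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Reads the CRL Number extension of {@code crl}.
     *
     * @return the CRL number, or null if the extension is absent
     * @throws IOException if the extension value is not well-formed DER
     */
    private BigInteger getCrlNumber(X509CRL crl) throws IOException {
        byte[] extensionValue = crl.getExtensionValue(Extension.cRLNumber.getId());
        if (extensionValue == null) {
            return null;
        }
        return ASN1Integer.getInstance(decodeExtensionValue(extensionValue)).getPositiveValue();
    }

    /**
     * Extracts the first URI-typed full name from the CRL Distribution Points extension of {@code certificate}.
     *
     * @return the first URI distribution point, or null if the extension is absent, unreadable, or holds no URI
     */
    public String getCrlUri(X509Certificate certificate) throws IOException {
        try {
            ASN1Primitive cdp = getExtensionValue(certificate, Extension.cRLDistributionPoints.getId());
            if (cdp == null) {
                return null;
            }
            for (DistributionPoint dp : CRLDistPoint.getInstance(cdp).getDistributionPoints()) {
                DistributionPointName dpName = dp.getDistributionPoint();
                // A DP may carry only cRLIssuer/reasons and no name; nameRelativeToCRLIssuer names cannot be fetched directly.
                if (dpName == null || dpName.getType() != DistributionPointName.FULL_NAME) {
                    continue;
                }
                for (GeneralName name : GeneralNames.getInstance(dpName.getName()).getNames()) {
                    if (name.getTagNo() == GeneralName.uniformResourceIdentifier) {
                        return DERIA5String.getInstance(name.getName()).getString();
                    }
                }
            }
            return null;
        } catch (IOException e) {
            log.error("Failed to get CRL URL", e);
            return null;
        }
    }

    /**
     * Decodes the value of extension {@code oid} of {@code certificate}.
     *
     * @return the extension's ASN.1 value, or null if the certificate has no such extension
     */
    private static ASN1Primitive getExtensionValue(X509Certificate certificate, String oid) throws IOException {
        byte[] extensionValue = certificate.getExtensionValue(oid);
        if (extensionValue == null) {
            return null;
        }
        return decodeExtensionValue(extensionValue);
    }

    /**
     * Unwraps the DER OCTET STRING that {@code X509Extension.getExtensionValue()} returns and decodes the
     * extension's own ASN.1 value contained in it.
     */
    private static ASN1Primitive decodeExtensionValue(byte[] extensionValue) throws IOException {
        ASN1Primitive wrapped;
        try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue))) {
            wrapped = outer.readObject();
        }
        byte[] octets = ASN1OctetString.getInstance(wrapped).getOctets();
        try (ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(octets))) {
            return inner.readObject();
        }
    }

    /** Discards every cached CRL; {@code cleanUp()} alone only performed pending maintenance and kept the entries. */
    @Override
    public void destroy() {
        crlCache.invalidateAll();
        crlCache.cleanUp();
    }
}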
