package eu.europa.ec.markt.dss.validation.crl;

import eu.europa.ec.markt.dss.CertificateIdentifier;
import eu.europa.ec.markt.dss.validation.CertificateStatus;
import eu.europa.ec.markt.dss.validation.CertificateStatusVerifier;
import eu.europa.ec.markt.dss.validation.CertificateValidity;
import eu.europa.ec.markt.dss.validation.ValidatorSourceType;
import eu.europa.ec.markt.dss.validation.X500PrincipalMatcher;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.X509Extensions;

/* loaded from: input_file:applet/signature-client.jar:eu/europa/ec/markt/dss/validation/crl/CRLCertificateVerifier.class */
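/**
 * Determines the revocation status of a certificate at a given date from a CRL
 * obtained through a {@link CRLSource}.
 * <p>
 * A CRL is consulted only after it has been tied to the issuer certificate: the
 * CRL issuer name must match the issuer's subject, the CRL signature must verify
 * with the issuer's public key, the issuer must carry a KeyUsage extension with
 * the cRLSign bit set, and the validation date must not be later than the CRL's
 * nextUpdate (when present). Every failure along that path is reported by
 * {@link #check} returning {@code null}; only a status built from a CRL that
 * passed all of these checks is returned.
 */
public class CRLCertificateVerifier implements CertificateStatusVerifier {
    private static final Logger LOG = Logger.getLogger(CRLCertificateVerifier.class.getName());

    /** Position of the cRLSign bit in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_CRL_SIGN = 6;

    private final CRLSource crlSource;

    /**
     * @param cRLSource source used to look up the CRL for a certificate; may be
     *                  {@code null}, in which case every {@link #check} returns {@code null}
     */
    public CRLCertificateVerifier(CRLSource cRLSource) {
        this.crlSource = cRLSource;
    }

    /**
     * Checks {@code x509Certificate} against the CRL issued by {@code x509Certificate2}.
     *
     * @param x509Certificate  the certificate whose status is wanted
     * @param x509Certificate2 the issuer certificate; used to locate and verify the CRL
     * @param date             the point in time at which the status is evaluated
     * @return the status (VALID or REVOKED), or {@code null} when no usable CRL is
     *         available: no source configured, no CRL found, CRL failed validation,
     *         or an I/O error while fetching it
     */
    @Override // eu.europa.ec.markt.dss.validation.CertificateStatusVerifier
    public CertificateStatus check(X509Certificate x509Certificate, X509Certificate x509Certificate2, Date date) {
        if (this.crlSource == null) {
            LOG.warning("CRLSource null");
            return null;
        }
        try {
            X509CRL crl = this.crlSource.findCrl(x509Certificate, x509Certificate2);
            if (crl == null) {
                if (LOG.isLoggable(Level.INFO)) {
                    LOG.info("No CRL found for " + CertificateIdentifier.getId(x509Certificate));
                }
                return null;
            }
            if (!isCRLValid(crl, x509Certificate2, date)) {
                LOG.warning("The CRL is not valid !");
                return null;
            }
            return buildStatus(crl, x509Certificate, x509Certificate2, date);
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "IOException when accessing CRL for " + CertificateIdentifier.getId(x509Certificate), e);
            return null;
        }
    }

    /** Builds the status for {@code cert} from the (already validated) CRL entry matching its serial number. */
    private CertificateStatus buildStatus(X509CRL crl, X509Certificate cert, X509Certificate issuer, Date date) {
        CertificateStatus status = new CertificateStatus();
        status.setCertificate(cert);
        status.setIssuerCertificate(issuer);
        status.setValidationDate(date);
        status.setStatusSource(crl);
        status.setStatusSourceType(ValidatorSourceType.CRL);
        status.setValidity(CertificateValidity.UNKNOWN);

        // NOTE(review): the lookup is by serial number only. For an indirect CRL
        // (entries carrying a certificateIssuer extension) this does not confirm
        // the entry belongs to `issuer` — confirm that the CRLSource never returns one.
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry == null) {
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("CRL OK for: " + CertificateIdentifier.getId(cert));
            }
            status.setValidity(CertificateValidity.VALID);
            return status;
        }

        Date revocationDate = entry.getRevocationDate();
        status.setRevocationObjectIssuingTime(crl.getThisUpdate());
        if (revocationDate.after(date)) {
            // Revoked, but only after the validation date: it was still valid at that instant.
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("CRL OK for: " + CertificateIdentifier.getId(cert) + " at " + date);
            }
            status.setValidity(CertificateValidity.VALID);
        } else {
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("CRL reports certificate: " + CertificateIdentifier.getId(cert) + " as revoked since " + revocationDate);
            }
            status.setValidity(CertificateValidity.REVOKED);
            status.setRevocationDate(revocationDate);
        }
        return status;
    }

    /**
     * Validates the CRL against its issuer and logs the CRL number on success.
     * The CRL number is parsed only when FINE logging is enabled, so a malformed
     * CRLNumber extension cannot abort validation for a silent logger.
     */
    private boolean isCRLValid(X509CRL x509crl, X509Certificate x509Certificate, Date date) {
        if (!isCRLOK(x509crl, x509Certificate, date)) {
            return false;
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("CRL number: " + getCrlNumber(x509crl));
        }
        return true;
    }

    /**
     * Performs the checks that bind the CRL to the issuer certificate.
     *
     * @param x509crl         the CRL under test
     * @param x509Certificate the issuer certificate expected to have signed the CRL
     * @param date            the validation date, compared against nextUpdate
     * @return {@code true} only if the CRL issuer matches the issuer's subject, the
     *         signature verifies with the issuer's public key, {@code date} is not
     *         after nextUpdate (when nextUpdate is present), and the issuer's
     *         KeyUsage has cRLSign set
     * @throws NullPointerException if {@code x509Certificate} is {@code null}
     */
    private boolean isCRLOK(X509CRL x509crl, X509Certificate x509Certificate, Date date) {
        if (x509Certificate == null) {
            throw new NullPointerException("Must provide a issuer certificate to validate the signature");
        }
        X500Principal issuerX500Principal = x509crl.getIssuerX500Principal();
        if (!X500PrincipalMatcher.viaAny(issuerX500Principal, x509Certificate.getSubjectX500Principal())) {
            LOG.warning("The CRL must be signed by the issuer (" + CertificateIdentifier.getId(x509Certificate) + " ) but instead is signed by " + issuerX500Principal);
            return false;
        }
        try {
            x509crl.verify(x509Certificate.getPublicKey());
        } catch (GeneralSecurityException e) {
            // Covers CRLException, InvalidKeyException, SignatureException and the provider lookups.
            LOG.log(Level.WARNING, "The signature verification for CRL cannot be performed : " + e.getMessage(), e);
            return false;
        }

        Date nextUpdate = x509crl.getNextUpdate();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("validation date: " + date);
            LOG.fine("CRL this update: " + x509crl.getThisUpdate());
            LOG.fine("CRL next update: " + nextUpdate);
        }
        // NOTE(review): only the nextUpdate bound is enforced; a CRL whose thisUpdate
        // is later than `date` is accepted — confirm this is intended for historical validation.
        if (nextUpdate != null && date.after(nextUpdate)) {
            LOG.info("CRL too old");
            return false;
        }

        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            LOG.warning("No KeyUsage extension for CRL issuing certificate");
            return false;
        }
        if (!keyUsage[KEY_USAGE_CRL_SIGN]) {
            LOG.warning("cRLSign bit not set for CRL issuing certificate");
            return false;
        }
        return true;
    }

    /**
     * Reads the CRLNumber extension, or returns {@code null} if the CRL has none.
     * Only used for diagnostics.
     *
     * @throws RuntimeException if the extension bytes cannot be read as ASN.1; a
     *         structurally unexpected (but readable) encoding surfaces as a
     *         {@link ClassCastException} from the casts below
     */
    private BigInteger getCrlNumber(X509CRL x509crl) {
        byte[] extensionValue = x509crl.getExtensionValue(X509Extensions.CRLNumber.getId());
        if (extensionValue == null) {
            return null;
        }
        try {
            // getExtensionValue hands back the DER OCTET STRING wrapping the extension body,
            // so two decoding passes are needed before the INTEGER is reachable.
            DEROctetString wrapper = (DEROctetString) new ASN1InputStream(new ByteArrayInputStream(extensionValue)).readObject();
            DERInteger crlNumber = (DERInteger) new ASN1InputStream(wrapper.getOctets()).readObject();
            return crlNumber.getPositiveValue();
        } catch (IOException e) {
            throw new RuntimeException("IO error: " + e.getMessage(), e);
        }
    }
}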
