package weblogic.security.pki.revocation.common;

import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Level;
import javax.security.auth.x500.X500Principal;
import weblogic.security.pki.revocation.common.CertRevocCheckMethodList;

/* loaded from: input_file:weblogic/security/pki/revocation/common/RevocationCertPathChecker.class */
/**
 * {@link PKIXCertPathChecker} that consults OCSP and/or CRL data to decide whether each
 * certificate of a path has been revoked.
 *
 * <p>The checker is stateful: {@link #init(boolean)} clears the remembered issuer, and every
 * call to {@link #check(Certificate, Collection)} that receives an X.509 certificate stores
 * that certificate as the issuer for the next call. Only reverse checking is supported. The
 * issuer field is a plain mutable field with no synchronization in this class, so an instance
 * should be treated as belonging to a single validation at a time.
 *
 * <p>Outcomes that leave the revocation status undetermined are governed by the per-issuer
 * "fail on unknown revocation status" setting read from the context. Several paths return
 * without any revocation lookup at all; they are listed on {@code check}.
 */
public final class RevocationCertPathChecker extends PKIXCertPathChecker {
    private static final String CLASSNAME = RevocationCertPathChecker.class.getName();
    private final AbstractCertRevocContext context;
    private final OcspChecker ocspChecker;
    private final CrlChecker crlChecker;
    // Issuer of the certificate currently being checked; null until the first certificate of a
    // path has been processed (or after a null / non-X.509 certificate was seen).
    private X509Certificate issuerX509Cert;

    /**
     * Creates a checker bound to the given revocation context.
     *
     * @param abstractCertRevocContext configuration and logging context; validated by
     *     {@code Util.checkNotNull} in the constructor
     * @return a new checker instance
     */
    public static RevocationCertPathChecker getInstance(AbstractCertRevocContext abstractCertRevocContext) {
        return new RevocationCertPathChecker(abstractCertRevocContext);
    }

    private RevocationCertPathChecker(AbstractCertRevocContext revocContext) {
        Util.checkNotNull("AbstractCertRevocContext", revocContext);
        this.context = revocContext;
        this.ocspChecker = OcspChecker.getInstance(revocContext);
        this.crlChecker = CrlChecker.getInstance(revocContext);
    }

    /**
     * Resets the per-path issuer state and rejects forward checking.
     *
     * @param z {@code true} when the caller wants forward checking
     * @throws CertPathValidatorException if {@code z} is {@code true}
     */
    @Override
    public void init(boolean z) throws CertPathValidatorException {
        if (this.context.isLoggable(Level.FINEST)) {
            this.context.log(Level.FINEST, "{0}.init called (forward not supported), forward={1}.", CLASSNAME, Boolean.valueOf(z));
        }
        // The issuer is cleared before the forward check, so a rejected init still resets state.
        this.issuerX509Cert = null;
        if (z) {
            throw new CertPathValidatorException("Forward checking is not supported.");
        }
    }

    /** @return always {@code false}; certificates must be presented in reverse order */
    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * @return an empty set; this checker does not claim to process any certificate extension
     */
    @Override
    public Set<String> getSupportedExtensions() {
        Set<String> none = Collections.emptySet();
        if (this.context.isLoggable(Level.FINEST)) {
            this.context.log(Level.FINEST, "{0}.getSupportedExtensions called.", CLASSNAME);
        }
        return none;
    }

    /**
     * Checks the revocation status of one certificate of the path.
     *
     * <p>Paths that return normally WITHOUT a revocation lookup, as visible in this class:
     * <ul>
     *   <li>the certificate is {@code null} or not an {@link X509Certificate} (the remembered
     *       issuer is also cleared);</li>
     *   <li>revocation checking is disabled in the context (CRL maintenance tasks are cancelled);</li>
     *   <li>the certificate has no issuer DN: this is tested before the fail-on-unknown setting
     *       is read, so that setting has no effect on this case;</li>
     *   <li>checking is disabled for the issuer;</li>
     *   <li>the status stays unknown and fail-on-unknown is off for the issuer.</li>
     * </ul>
     *
     * <p>Whatever the outcome for an X.509 certificate (normal return or exception), that
     * certificate becomes the remembered issuer for the next call.
     *
     * @param certificate the certificate to check
     * @param collection unresolved critical extension OIDs; not read or modified here
     * @throws CertPathValidatorException if the certificate is revoked, or if its status is
     *     unknown and the issuer is configured to fail in that case
     */
    @Override
    public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
        if (isCertToCheckNull(certificate) || !isCertToCheckX509(certificate)) {
            this.issuerX509Cert = null;
            return;
        }
        final X509Certificate target = (X509Certificate) certificate;
        try {
            checkRevocation(target);
        } finally {
            // Reverse-order validation: the certificate just handled issues the next one.
            this.issuerX509Cert = target;
        }
    }

    /**
     * Runs the revocation decision for one X.509 certificate. Returning normally means the
     * certificate is accepted (either not revoked, or skipped / unknown without failure).
     */
    private void checkRevocation(X509Certificate target) throws CertPathValidatorException {
        if (!isEnabled()) {
            CrlCacheUpdater.cancelAllMaintenanceTasks(this.context.getLogListener());
            return;
        }
        if (!CrlCacheUpdater.isAllMaintenanceTasksActive()) {
            startAllMaintenanceTasks();
        }

        final X500Principal subject = target.getSubjectX500Principal();
        final X500Principal issuer = target.getIssuerX500Principal();
        if (this.context.isLoggable(Level.FINE)) {
            this.context.log(Level.FINE, "Revocation status checking X509 certificate with subject \"{0}\" and issuer \"{1}\".", subject, issuer);
        }

        // NOTE(review): both skips below happen before the fail-on-unknown policy is consulted.
        if (isIssuerDnMissing(issuer) || isCheckingDisabled(issuer)) {
            return;
        }

        final boolean failOnUnknown = isFailOnUnknownRevocStatus(issuer);

        // NOTE(review): as written here only this logging call is covered by the catch, so a
        // runtime exception raised by the OCSP/CRL lookups below reaches the caller unmapped
        // instead of going through the fail-on-unknown policy. This is decompiler output; the
        // guarded region may have been wider in the original source. Confirm against bytecode.
        try {
            this.context.logAttemptingCertRevocCheck(subject);
        } catch (Exception e) {
            if (this.context.isLoggable(Level.FINE)) {
                this.context.log(Level.FINE, e, "An exception occurred while checking revocation of certificate={0},\nexception={1}", subject, e.getMessage());
            }
            if (!failOnUnknown) {
                this.context.logUnknownCertRevocStatusNoFail(subject);
                return;
            }
            this.context.logUnknownCertRevocStatusFail(subject);
            throwCertPathValidatorException(subject, e);
        }

        // Each precondition throws by itself when failOnUnknown is set; a false/true result
        // here therefore means "status unknown, but do not fail".
        if (!ensureIssuerCert(issuer, failOnUnknown)
                || isSubjectDnMissing(failOnUnknown, subject)
                || !isExpectedIssuer(issuer, failOnUnknown)) {
            this.context.logUnknownCertRevocStatusNoFail(subject);
            return;
        }

        final CertRevocStatus status = runThruMethods(target, issuer);
        logCertRevocStatus(subject, status);

        if (status == null) {
            if (failOnUnknown) {
                this.context.logUnknownCertRevocStatusFail(subject);
                throw new CertPathValidatorException("Unknown revocation status for certificate \"" + subject + "\".");
            }
            this.context.logUnknownCertRevocStatusNoFail(subject);
            return;
        }
        if (status.isRevoked()) {
            this.context.logRevokedCertRevocStatusFail(subject);
            throw new CertPathValidatorException("Certificate revoked: \"" + subject + "\".");
        }
        this.context.logNotRevokedCertRevocStatusNotFail(subject);
    }

    /**
     * Always throws: rethrows {@code cause} unchanged when it already is a
     * {@link CertPathValidatorException}, otherwise wraps it with an "unknown status" message.
     */
    private void throwCertPathValidatorException(X500Principal subject, Exception cause) throws CertPathValidatorException {
        if (cause instanceof CertPathValidatorException) {
            throw (CertPathValidatorException) cause;
        }
        throw new CertPathValidatorException("Unknown revocation status for certificate \"" + subject + "\".", cause);
    }

    /** Logs the resolved status (or "Unknown" when {@code status} is null) and forwards it to the context. */
    private void logCertRevocStatus(X500Principal subject, CertRevocStatus status) {
        if (this.context.isLoggable(Level.FINEST)) {
            Object shown = (status == null) ? "Unknown" : status;
            this.context.log(Level.FINEST, "The revocation status of certificate {0} is:\n{1}.", new Object[] {subject, shown});
        }
        this.context.logCertRevocStatus(status);
    }

    /**
     * Tries the configured revocation methods for the issuer in order and stops at the first
     * one that yields a non-null status.
     *
     * @return the first non-null status, or {@code null} when no method produced one
     */
    private CertRevocStatus runThruMethods(X509Certificate target, X500Principal issuer) {
        Iterator<CertRevocCheckMethodList.SelectableMethod> methods = this.context.getMethodOrder(issuer).iterator();
        CertRevocStatus status = null;
        while (status == null && methods.hasNext()) {
            CertRevocCheckMethodList.SelectableMethod method = methods.next();
            if (this.context.isLoggable(Level.FINEST)) {
                this.context.log(Level.FINEST, "Trying revocation check using method {0}.", method);
            }
            if (method == null) {
                if (this.context.isLoggable(Level.FINER)) {
                    this.context.log(Level.FINER, "Skipping null revocation check method.", new Object[0]);
                }
                continue;
            }
            switch (method) {
                case OCSP:
                    status = this.ocspChecker.getCertRevocStatus(this.issuerX509Cert, target);
                    break;
                case CRL:
                    status = this.crlChecker.getCertRevocStatus(this.issuerX509Cert, target);
                    break;
                default:
                    // An unrecognised method is skipped, which leaves the status unknown.
                    if (this.context.isLoggable(Level.FINE)) {
                        this.context.log(Level.FINE, "Skipping unknown SelectableMethod: {0}", method);
                    }
                    break;
            }
        }
        return status;
    }

    /** Starts the CRL cache maintenance tasks when the CRL checker exposes a cache accessor. */
    private void startAllMaintenanceTasks() {
        CrlCacheAccessor accessor = this.crlChecker.getCrlCacheAccessor();
        if (accessor != null) {
            CrlCacheUpdater.startAllMaintenanceTasks(accessor, this.context);
        }
    }

    /** @return {@code true} when the context disables revocation checking for this issuer */
    private boolean isCheckingDisabled(X500Principal issuer) {
        boolean disabled = this.context.isCheckingDisabled(issuer);
        if (this.context.isLoggable(Level.FINE)) {
            if (disabled) {
                this.context.log(Level.FINE, "Revocation status checking is disabled for issuer \"{0}\".", issuer);
            } else {
                this.context.log(Level.FINE, "Revocation status checking is enabled for issuer \"{0}\".", issuer);
            }
        }
        return disabled;
    }

    /**
     * @return {@code true} when the subject DN is null or empty and the policy allows skipping
     * @throws CertPathValidatorException when the subject DN is missing and {@code failOnUnknown} is set
     */
    private boolean isSubjectDnMissing(boolean failOnUnknown, X500Principal subject) throws CertPathValidatorException {
        boolean present = subject != null && subject.getName() != null && subject.getName().length() != 0;
        if (present) {
            return false;
        }
        if (failOnUnknown) {
            throw new CertPathValidatorException("Unknown Revocation Status: Certificate to check has no subject.");
        }
        if (this.context.isLoggable(Level.FINE)) {
            this.context.log(Level.FINE, "Skipping revocation status checking since certificate to check has no subject.", new Object[0]);
        }
        return true;
    }

    /**
     * @return {@code true} when the issuer DN is null or empty. Unlike the subject variant this
     *     method never throws; the caller skips the check in that case.
     */
    private boolean isIssuerDnMissing(X500Principal issuer) {
        boolean present = issuer != null && issuer.getName() != null && issuer.getName().length() != 0;
        if (present) {
            return false;
        }
        if (this.context.isLoggable(Level.FINE)) {
            this.context.log(Level.FINE, "Unable to check revocation status, missing issuer DN.", new Object[0]);
        }
        return true;
    }

    /** @return {@code true} when the certificate is an {@link X509Certificate}; logs its type otherwise */
    private boolean isCertToCheckX509(Certificate candidate) {
        if (candidate instanceof X509Certificate) {
            return true;
        }
        if (this.context.isLoggable(Level.FINE)) {
            String typeName = (candidate == null) ? null : candidate.getClass().getName();
            this.context.log(Level.FINE, "Unable to check revocation of certificate of type {0}.", new Object[] {typeName});
        }
        return false;
    }

    /** @return {@code true} when no certificate was supplied */
    private boolean isCertToCheckNull(Certificate candidate) {
        if (candidate != null) {
            return false;
        }
        if (this.context.isLoggable(Level.FINE)) {
            this.context.log(Level.FINE, "Given null certificate, no revocation checking is needed.", new Object[0]);
        }
        return true;
    }

    /** @return the context's global "revocation checking enabled" flag, logged at FINE */
    private boolean isEnabled() {
        boolean enabled = this.context.isCheckingEnabled();
        if (this.context.isLoggable(Level.FINE)) {
            String state = enabled ? "enabled" : "disabled";
            this.context.log(Level.FINE, "Certificate revocation checking is {0}.", new Object[] {state});
        }
        return enabled;
    }

    /** @return whether an undeterminable status must fail validation for this issuer, logged at FINE */
    private boolean isFailOnUnknownRevocStatus(X500Principal issuer) {
        boolean failOnUnknown = this.context.isFailOnUnknownRevocStatus(issuer);
        if (this.context.isLoggable(Level.FINE)) {
            String effect = failOnUnknown ? "FAIL" : "not be affected";
            this.context.log(Level.FINE, "Certificate validation will {0} if revocation status is indeterminable.", new Object[] {effect});
        }
        return failOnUnknown;
    }

    /**
     * Makes sure an issuer certificate is available, asking the context for a valid trusted
     * certificate with the issuer's DN when none is remembered from a previous call.
     *
     * @return {@code true} when an issuer certificate is available
     * @throws CertPathValidatorException when none is found and {@code failOnUnknown} is set
     */
    private boolean ensureIssuerCert(X500Principal issuer, boolean failOnUnknown) throws CertPathValidatorException {
        if (this.issuerX509Cert == null) {
            this.issuerX509Cert = this.context.getValidTrustedCert(issuer);
        }
        if (this.issuerX509Cert != null) {
            return true;
        }
        if (failOnUnknown) {
            throw new CertPathValidatorException("Unknown Revocation Status: Could not find trusted issuer certificate with subject \"" + issuer + "\".");
        }
        if (this.context.isLoggable(Level.FINE)) {
            this.context.log(Level.FINE, "Skipping revocation status checking since cannot find trusted issuer certificate with subject \"{0}\".", issuer);
        }
        return false;
    }

    /**
     * Compares the certificate's issuer DN with the subject DN of the remembered issuer
     * certificate. Requires a non-null remembered issuer and a non-null {@code issuer}.
     *
     * @return {@code true} when the two DNs are equal
     * @throws CertPathValidatorException when they differ and {@code failOnUnknown} is set
     */
    private boolean isExpectedIssuer(X500Principal issuer, boolean failOnUnknown) throws CertPathValidatorException {
        X500Principal expected = this.issuerX509Cert.getSubjectX500Principal();
        if (issuer.equals(expected)) {
            return true;
        }
        if (failOnUnknown) {
            throw new CertPathValidatorException("Unexpected issuer for certificate to check, expected issuer=\"" + expected + "\".");
        }
        if (this.context.isLoggable(Level.FINE)) {
            this.context.log(Level.FINE, "Unexpected issuer for certificate to check, expected issuer=\n{0}.", expected);
        }
        return false;
    }
}
