package com.rsa.certj.provider.revocation;

import com.rsa.certj.CertJ;
import com.rsa.certj.CertJUtils;
import com.rsa.certj.DatabaseService;
import com.rsa.certj.InvalidParameterException;
import com.rsa.certj.NoServiceException;
import com.rsa.certj.NotSupportedException;
import com.rsa.certj.ProviderImplementation;
import com.rsa.certj.cert.CRL;
import com.rsa.certj.cert.Certificate;
import com.rsa.certj.cert.CertificateException;
import com.rsa.certj.cert.NameException;
import com.rsa.certj.cert.NameMatcher;
import com.rsa.certj.cert.RDN;
import com.rsa.certj.cert.RevokedCertificates;
import com.rsa.certj.cert.X500Name;
import com.rsa.certj.cert.X509CRL;
import com.rsa.certj.cert.X509Certificate;
import com.rsa.certj.cert.X509V3Extensions;
import com.rsa.certj.cert.extensions.BasicConstraints;
import com.rsa.certj.cert.extensions.CRLDistributionPoints;
import com.rsa.certj.cert.extensions.CertificateIssuer;
import com.rsa.certj.cert.extensions.GeneralName;
import com.rsa.certj.cert.extensions.GeneralNames;
import com.rsa.certj.cert.extensions.IssuingDistributionPoint;
import com.rsa.certj.cert.extensions.KeyUsage;
import com.rsa.certj.cert.extensions.ReasonCode;
import com.rsa.certj.cert.extensions.X509V3Extension;
import com.rsa.certj.internal.Debug;
import com.rsa.certj.spi.path.CertPathCtx;
import com.rsa.certj.spi.path.CertPathResult;
import com.rsa.certj.spi.random.RandomException;
import com.rsa.certj.spi.revocation.CertRevocationInfo;
import com.rsa.certj.spi.revocation.CertStatusException;
import com.rsa.certj.spi.revocation.CertStatusInterface;
import com.rsa.jsafe.JSAFE_PublicKey;
import java.security.SecureRandom;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;

/* loaded from: input_file:com/rsa/certj/provider/revocation/CRLStatusCommon.class */
public abstract class CRLStatusCommon extends ProviderImplementation implements CertStatusInterface {
    protected static final String SUITEB_COMPLIANCE_FAILED = "SuiteB compliance checks failed for CRL with issuer: ";
    private static final boolean DEBUG_ON = Debug.isCertPathSet();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/rsa/certj/provider/revocation/CRLStatusCommon$RevocationStatus.class */
    /**
     * Mutable bookkeeping for one revocation check: the status found so far and
     * the reason bits covered by the CRLs that have been processed.
     */
    public final class RevocationStatus {
        /** Sentinel held in {@link #certStatus} while no revocation entry applies. */
        static final int UNREVOKED = 100;
        // Reason bits accumulated over every CRL processed so far.
        int reasonsMask;
        // UNREVOKED, or the status/reason value written by the CRL scan.
        int certStatus;
        // Reason bits attributed to the CRL currently being examined.
        int interimReasonsMask;

        private RevocationStatus() {
            this.certStatus = UNREVOKED;
        }

        /**
         * Reports whether the accumulated mask equals 0xFF800000, i.e. exactly
         * the nine high-order bits are set.
         */
        boolean isAllReasons() {
            return 0xFF800000 == this.reasonsMask;
        }

        /** Reports whether the status still holds the {@link #UNREVOKED} sentinel. */
        boolean isUnrevoked() {
            return UNREVOKED == this.certStatus;
        }

        /** Resets the status to the {@link #UNREVOKED} sentinel. */
        void setUnrevoked() {
            this.certStatus = UNREVOKED;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Hands both arguments straight to the {@link ProviderImplementation} constructor.
     *
     * @param certJ the CertJ instance this provider is bound to
     * @param str   forwarded unchanged to the superclass (presumably the provider name; confirm)
     * @throws InvalidParameterException declared for the superclass constructor call
     */
    public CRLStatusCommon(CertJ certJ, String str) throws InvalidParameterException {
        super(certJ, str);
    }

    /**
     * Entry point of the CRL-based revocation check for a single certificate.
     *
     * <p>The certificate's CRLDistributionPoints extension (type 31) drives the
     * check. When that extension is missing, or context flag 1024 is raised, a
     * one-entry stand-in is built from the certificate's issuer name instead, so
     * with that flag the distribution points named in the certificate are not
     * consulted at all.
     *
     * @param certPathCtx validation context (flags, validation time, database)
     * @param certificate certificate to check; must be an {@link X509Certificate}
     * @return the revocation result produced by the CRL scan
     * @throws NotSupportedException if the certificate is not an X509Certificate
     * @throws CertStatusException if the stand-in distribution point cannot be built
     *         or the scan fails
     */
    @Override // com.rsa.certj.spi.revocation.CertStatusInterface
    public CertRevocationInfo checkCertRevocation(CertPathCtx certPathCtx, Certificate certificate) throws NotSupportedException, CertStatusException {
        if (!(certificate instanceof X509Certificate)) {
            throw new NotSupportedException("CRLCertStatus$Implementation.checkCertRevocation: does not support certificate types other than X509Certificate.");
        }
        final X509Certificate subject = (X509Certificate) certificate;
        final CRLDistributionPoints declaredPoints = (CRLDistributionPoints) getExtension(subject, 31);
        if (declaredPoints != null && !certPathCtx.isFlagRaised(1024)) {
            return doCheckCertRevocation(certPathCtx, subject, declaredPoints);
        }

        // Stand-in: one distribution point named after the certificate issuer,
        // with reason flags -1 and no cRLIssuer.
        final CRLDistributionPoints issuerOnlyPoints = new CRLDistributionPoints();
        final GeneralNames issuerNames = new GeneralNames();
        final GeneralName issuerEntry = new GeneralName();
        try {
            issuerEntry.setGeneralName(subject.getIssuerName(), 5);
            issuerNames.addGeneralName(issuerEntry);
            issuerOnlyPoints.addDistributionPoints(issuerNames, -1, (GeneralNames) null);
        } catch (NameException e) {
            throw new CertStatusException(e);
        }
        return doCheckCertRevocation(certPathCtx, subject, issuerOnlyPoints);
    }

    /**
     * Walks every distribution point, collects the matching CRLs from the
     * context's database and derives the revocation result for the certificate.
     *
     * <p>For each candidate CRL the method checks freshness, issuer/scope, the
     * reason coverage, the CRL's own certification path and signature, and only
     * then looks the certificate's serial number up in it.
     *
     * <p>NOTE(review): this body is decompiler output. Two constructs below (an
     * empty try block and an empty if body) cannot reflect the original control
     * flow; check them against the class file before relying on this listing.
     *
     * @param certPathCtx           validation context (flags, validation time, database)
     * @param x509Certificate       certificate whose status is wanted
     * @param cRLDistributionPoints distribution points to evaluate
     * @return the populated revocation info
     * @throws CertStatusException on any failure while evaluating a CRL
     */
    private CertRevocationInfo doCheckCertRevocation(CertPathCtx certPathCtx, X509Certificate x509Certificate, CRLDistributionPoints cRLDistributionPoints) throws CertStatusException {
        Vector<X509CRL> obtainCrls;
        CertRevocationInfo certRevocationInfo = new CertRevocationInfo();
        RevocationStatus revocationStatus = new RevocationStatus();
        // vector / vector3: certificates gathered while validating CRL paths;
        // vector2: CRLs that passed verifyPath and serve as evidence.
        Vector<Certificate> vector = new Vector<>();
        Vector<CRL> vector2 = new Vector<>();
        Vector<Certificate> vector3 = new Vector<>();
        // Evaluate against the context's validation time, or "now" if none is set.
        Date date = certPathCtx.getValidationTime() == null ? new Date() : certPathCtx.getValidationTime();
        int distributionPointCount = cRLDistributionPoints.getDistributionPointCount();
        loop0: for (int i = 0; i < distributionPointCount; i++) {
            GeneralNames generalNames = null;
            try {
                generalNames = cRLDistributionPoints.getCRLIssuer(i);
            } catch (NameException e) {
                internalError(e);
            }
            // z == true: the distribution point names its own cRLIssuer, so the
            // CRL is looked up under that name and must assert indirectCRL.
            boolean z = false;
            if (generalNames != null) {
                X500Name findX500Name = findX500Name(generalNames);
                validateIssuerDn(findX500Name);
                obtainCrls = obtainCrls(certPathCtx, findX500Name, date);
                z = true;
            } else {
                obtainCrls = obtainCrls(certPathCtx, x509Certificate.getIssuerName(), date);
            }
            Iterator<X509CRL> it = obtainCrls.iterator();
            while (it.hasNext()) {
                // Stop everything once all reasons are covered or a revocation was found.
                if (revocationStatus.isAllReasons() || !revocationStatus.isUnrevoked()) {
                    break loop0;
                }
                X509CRL next = it.next();
                if (!isCRLObsolete(certPathCtx, next, date) && (!z || assertsIndirectCRL(next))) {
                    updateLocalCrlCache();
                    // NOTE(review): decompiler artefact. This try block is empty, while
                    // verifyIssuerAndScope below declares NameException, which this method
                    // does not; the call presumably sat inside the try originally.
                    try {
                    } catch (NameException e2) {
                        internalError(e2);
                    }
                    if (verifyIssuerAndScope(certPathCtx, next, x509Certificate, cRLDistributionPoints, i)) {
                        verifyIssuerAndScopeOnDeltaCrl();
                        if (!certPathCtx.isFlagRaised(16384)) {
                            updateInterimReasonsMask(revocationStatus, next, cRLDistributionPoints, i);
                            // NOTE(review): decompiler artefact. As listed, a CRL that adds no
                            // new reason bits is still processed; the original presumably
                            // skipped it here (e.g. continue). Confirm against the bytecode.
                            if (!verifyInterimReasonsMask(revocationStatus)) {
                            }
                        }
                        // The CRL counts only if a valid path to its signer exists and
                        // its signature verifies (see verifyPath).
                        if (verifyPath(certPathCtx, next, vector, vector2, vector3)) {
                            // vector2 is assigned above and never null here.
                            if (vector2 != null && !vector2.contains(next)) {
                                vector2.add(next);
                            }
                            CertJUtils.mergeLists(vector3, vector);
                            if (findSerialNumberInCrl(x509Certificate, next, z)) {
                                // Serial number is listed: record the ReasonCode extension
                                // (type 21) if present, otherwise 0.
                                ReasonCode reasonCode = (ReasonCode) getExtension(next, 21);
                                if (reasonCode != null) {
                                    revocationStatus.certStatus = reasonCode.getReasonCode();
                                } else {
                                    revocationStatus.certStatus = 0;
                                }
                                // Status values are presumably 0 = not revoked, 1 = revoked,
                                // 2 = unknown; confirm against CertRevocationInfo's constants.
                                certRevocationInfo.setStatus(1);
                                certRevocationInfo.setType(1);
                                certRevocationInfo.setEvidence(new CRLEvidence(next, null, null));
                            } else if (!certPathCtx.isFlagRaised(128) && hasUnknownCriticalExtension(next)) {
                                // A critical extension other than type 28 on the CRL yields
                                // status 2 unless flag 128 is raised. certStatus leaves the
                                // UNREVOKED sentinel, so the scan stops at the next iteration.
                                revocationStatus.certStatus = 0;
                                certRevocationInfo.setStatus(2);
                                certRevocationInfo.setType(1);
                                certRevocationInfo.setEvidence(new CRLEvidence(next, null, null));
                            } else if (certPathCtx.isFlagRaised(16384)) {
                                certRevocationInfo.setStatus(0);
                                certRevocationInfo.setType(1);
                                certRevocationInfo.setEvidence(new CRLEvidence(null, vector3, vector2));
                            }
                            // Value 8 resets the tracker to unrevoked; it matches RFC 5280's
                            // removeFromCRL if ReasonCode uses RFC numbering (confirm).
                            // NOTE(review): certRevocationInfo keeps status 1 from the branch
                            // above, and the flag-16384 early return below passes it through.
                            if (revocationStatus.certStatus == 8) {
                                revocationStatus.setUnrevoked();
                            }
                            revocationStatus.reasonsMask |= revocationStatus.interimReasonsMask;
                        }
                    }
                }
            }
        }
        // With flag 16384 raised the result is returned exactly as the loop left it;
        // the reason-coverage requirement below is not applied.
        if (certPathCtx.isFlagRaised(16384)) {
            return certRevocationInfo;
        }
        if (!revocationStatus.isAllReasons() && revocationStatus.isUnrevoked()) {
            // Nothing found but not every reason is covered: report status 2 with no
            // evidence rather than "not revoked".
            certRevocationInfo.setStatus(2);
            certRevocationInfo.setEvidence(null);
            certRevocationInfo.setType(0);
        } else if (revocationStatus.isUnrevoked()) {
            // All reasons covered and nothing found: status 0 with the collected evidence.
            CRLEvidence cRLEvidence = new CRLEvidence(null, vector3, vector2);
            certRevocationInfo.setStatus(0);
            certRevocationInfo.setType(1);
            certRevocationInfo.setEvidence(cRLEvidence);
        }
        return certRevocationInfo;
    }

    /**
     * Subclass hook that decides whether a CRL may be used at all.
     * {@code obtainCrls} keeps a CRL as a candidate only when this returns true.
     *
     * @param x509crl CRL taken from the database
     * @return true to keep the CRL as a candidate, false to skip it
     * @throws CertStatusException if the subclass rejects the CRL by exception
     */
    protected abstract boolean checkCompliance(X509CRL x509crl) throws CertStatusException;

    /**
     * Tells whether the CRL carries an IssuingDistributionPoint extension
     * (type 28) with its indirectCRL indicator set.
     *
     * @param x509crl CRL to inspect
     * @return true only if the extension is present and asserts indirectCRL
     */
    private boolean assertsIndirectCRL(X509CRL x509crl) {
        final IssuingDistributionPoint idp = (IssuingDistributionPoint) getExtension(x509crl, 28);
        if (idp == null) {
            return false;
        }
        return idp.getIndirectCRL();
    }

    /**
     * Returns the first entry of the given names whose value is an
     * {@link X500Name}.
     *
     * @param generalNames names to search; must not be null
     * @return the first X.500 name found, or null if there is none. The object
     *         is returned as stored in the entry, not copied here.
     */
    private X500Name findX500Name(GeneralNames generalNames) {
        for (GeneralName entry : generalNames.getGeneralNames()) {
            final Object value = entry.getGeneralName();
            if (value instanceof X500Name) {
                return (X500Name) value;
            }
        }
        return null;
    }

    /**
     * Always throws: wraps the given exception in a {@link CertStatusException}
     * with the message "Internal error! ". It never returns normally, so any
     * statement a caller places after the call is not reached.
     *
     * @param exc the underlying failure, kept as the cause
     * @throws CertStatusException always
     */
    private void internalError(Exception exc) throws CertStatusException {
        throw new CertStatusException("Internal error! ", exc);
    }

    /**
     * Checks whether the current CRL's interim mask contains at least one bit
     * that the accumulated reasons mask does not yet have.
     *
     * @param revocationStatus tracker holding both masks
     * @return true if the interim mask adds a new reason bit
     */
    private boolean verifyInterimReasonsMask(RevocationStatus revocationStatus) {
        final int alreadyCovered = revocationStatus.reasonsMask;
        final int newlyCovered = revocationStatus.interimReasonsMask & ~alreadyCovered;
        return newlyCovered != 0;
    }

    /**
     * Computes the reason bits the given CRL covers for distribution point
     * {@code i} and stores them in {@code revocationStatus.interimReasonsMask}.
     *
     * <p>A reason-flags value of -1 is treated as "not restricted". The result is
     * the intersection of the CRL's IssuingDistributionPoint (type 28) flags and
     * the distribution point's flags; a side that is unrestricted or absent drops
     * out of the intersection, and if both do, the mask is 0xFF800000.
     *
     * @param revocationStatus      tracker that receives the mask
     * @param x509crl               CRL under examination
     * @param cRLDistributionPoints distribution points of the certificate
     * @param i                     index of the distribution point in use
     * @throws CertStatusException if reading the flags raises a NameException
     */
    private void updateInterimReasonsMask(RevocationStatus revocationStatus, X509CRL x509crl, CRLDistributionPoints cRLDistributionPoints, int i) throws CertStatusException {
        try {
            final int dpReasons = cRLDistributionPoints.getReasonFlags(i);
            final IssuingDistributionPoint idp = (IssuingDistributionPoint) getExtension(x509crl, 28);
            final int idpReasons = (idp == null) ? -1 : idp.getReasonFlags();

            final int covered;
            if (idpReasons == -1) {
                // CRL side unrestricted: the distribution point alone decides.
                covered = (dpReasons == -1) ? 0xFF800000 : dpReasons;
            } else if (dpReasons == -1) {
                covered = idpReasons;
            } else {
                covered = idpReasons & dpReasons;
            }
            revocationStatus.interimReasonsMask = covered;
        } catch (NameException e) {
            throw new CertStatusException("Internal error! ", e);
        }
    }

    /**
     * Collects candidate CRLs for an issuer from the context's database.
     *
     * <p>A CRL is kept when it is an {@link X509CRL}, its issuer name equals
     * {@code x500Name}, its thisUpdate is not after {@code date}, it is not
     * already collected, and {@link #checkCompliance} accepts it. Kept CRLs are
     * cloned, then reduced by {@code getBestCrls}. No signature is checked at
     * this stage.
     *
     * <p>NOTE(review): the issuer comparison here is {@code X500Name.equals},
     * while {@code verifyIssuerAndScope} uses
     * {@code NameMatcher.matchDirectoryNames}; whether the two agree on all
     * encodings is not visible from this file.
     *
     * @param certPathCtx context supplying the database
     * @param x500Name    issuer name to look for; must not be null
     * @param date        validation time
     * @return the selected candidate CRLs, possibly empty
     * @throws CertStatusException wrapping any exception raised during the scan
     */
    private Vector<X509CRL> obtainCrls(CertPathCtx certPathCtx, X500Name x500Name, Date date) throws CertStatusException {
        final Vector<X509CRL> candidates = new Vector<>();
        try {
            final DatabaseService crlStore = certPathCtx.getDatabase();
            crlStore.setupCRLIterator();
            while (crlStore.hasMoreCRLs()) {
                final CRL entry = crlStore.nextCRL();
                if (!(entry instanceof X509CRL)) {
                    continue;
                }
                final X509CRL crl = (X509CRL) entry;
                if (!x500Name.equals(crl.getIssuerName())) {
                    continue;
                }
                // Skip CRLs issued after the validation time and duplicates.
                if (crl.getThisUpdate().after(date) || candidates.contains(crl)) {
                    continue;
                }
                if (checkCompliance(crl)) {
                    candidates.add((X509CRL) crl.clone());
                }
            }
            return getBestCrls(candidates);
        } catch (Exception e) {
            throw new CertStatusException("CRLCertStatus$Implementation.checkCertRevocation.", e);
        }
    }

    /**
     * Placeholder: takes no input and always returns true. No delta-CRL
     * verification is performed by this method.
     *
     * @return always true
     */
    private boolean verifyIssuerAndScopeOnDeltaCrl() {
        return true;
    }

    /**
     * Decides whether a CRL is an acceptable source for the certificate under
     * distribution point {@code i}.
     *
     * <p>Checks, in order: the CRL issuer matches the distribution point's
     * cRLIssuer (and the CRL asserts indirectCRL) or, without a cRLIssuer, the
     * certificate issuer; the distribution point names are compatible; and the
     * IssuingDistributionPoint (type 28) scope fits the certificate's
     * BasicConstraints (type 19). With context flag 16384 raised, only the
     * issuer-name match is enforced.
     *
     * @param certPathCtx           validation context
     * @param x509crl               candidate CRL
     * @param x509Certificate       certificate being checked
     * @param cRLDistributionPoints the certificate's distribution points
     * @param i                     index of the distribution point in use
     * @return true if the CRL's issuer and scope fit the certificate
     * @throws NameException       if a name cannot be read or built
     * @throws CertStatusException if a cRLIssuer holds no X.500 name
     */
    private boolean verifyIssuerAndScope(CertPathCtx certPathCtx, X509CRL x509crl, X509Certificate x509Certificate, CRLDistributionPoints cRLDistributionPoints, int i) throws NameException, CertStatusException {
        final GeneralNames declaredCrlIssuer = cRLDistributionPoints.getCRLIssuer(i);
        final IssuingDistributionPoint idp = (IssuingDistributionPoint) getExtension(x509crl, 28);

        if (declaredCrlIssuer == null) {
            // Direct CRL: its issuer must be the certificate's issuer.
            if (!NameMatcher.matchDirectoryNames(x509crl.getIssuerName(), x509Certificate.getIssuerName())) {
                return false;
            }
        } else {
            final X500Name crlIssuerDn = findX500Name(declaredCrlIssuer);
            validateIssuerDn(crlIssuerDn);
            if (!NameMatcher.matchDirectoryNames(x509crl.getIssuerName(), crlIssuerDn)) {
                return false;
            }
            // A CRL from a separate issuer must declare itself indirect.
            if (!certPathCtx.isFlagRaised(16384)) {
                if (idp == null || !idp.getIndirectCRL()) {
                    return false;
                }
            }
        }

        if (idp == null || certPathCtx.isFlagRaised(16384)) {
            return true;
        }
        if (!verifyIssuingDistributionPointName(declaredCrlIssuer, x509crl, x509Certificate, idp, cRLDistributionPoints, i)) {
            return false;
        }

        final BasicConstraints constraints = (BasicConstraints) getExtension(x509Certificate, 19);
        // A user-certs-only CRL does not cover a CA certificate.
        if (idp.getUserCerts() && constraints != null && constraints.getCA()) {
            return false;
        }
        // A CA-certs-only CRL does not cover a non-CA certificate.
        if (idp.getCACerts() && (constraints == null || !constraints.getCA())) {
            return false;
        }
        return !idp.getAttributeCerts();
    }

    /**
     * Compares the distribution point name in the CRL's IssuingDistributionPoint
     * with the one in the certificate's distribution point {@code i}.
     *
     * <p>Each name is either a {@link GeneralNames} (full name) or an {@link RDN}
     * (name relative to an issuer). A relative name is expanded by appending the
     * RDN to an issuer name before comparison.
     *
     * <p>NOTE(review): every {@code addRDN} call below is made on the object
     * returned by {@code getIssuerName()} or {@code findX500Name(...)}. If those
     * return the stored instance rather than a copy, the CRL's, the
     * certificate's or the cRLIssuer's name is modified in place and later
     * issuer comparisons see the extended name. Confirm that the getters copy.
     *
     * @param generalNames             cRLIssuer of the distribution point, or null
     * @param x509crl                  candidate CRL
     * @param x509Certificate          certificate being checked
     * @param issuingDistributionPoint the CRL's IssuingDistributionPoint extension
     * @param cRLDistributionPoints    the certificate's distribution points
     * @param i                        index of the distribution point in use
     * @return true if the names are compatible
     * @throws NameException       if a name cannot be built
     * @throws CertStatusException if a cRLIssuer holds no X.500 name
     */
    private boolean verifyIssuingDistributionPointName(GeneralNames generalNames, X509CRL x509crl, X509Certificate x509Certificate, IssuingDistributionPoint issuingDistributionPoint, CRLDistributionPoints cRLDistributionPoints, int i) throws NameException, CertStatusException {
        GeneralNames generalNames2;
        X500Name issuerName;
        GeneralNames convertDnToGeneralNames;
        X500Name issuerName2;
        // distributionPointName: from the CRL; distributionPointName2: from the certificate.
        Object distributionPointName = issuingDistributionPoint.getDistributionPointName();
        Object distributionPointName2 = cRLDistributionPoints.getDistributionPointName(i);
        // The CRL does not restrict itself to a named point: nothing to compare.
        if (distributionPointName == null) {
            return true;
        }
        // The certificate's point has no name: compare the CRL's name with the cRLIssuer.
        if (distributionPointName2 == null) {
            if (generalNames == null) {
                return false;
            }
            if (distributionPointName instanceof RDN) {
                X500Name issuerName3 = x509crl.getIssuerName();
                issuerName3.addRDN((RDN) distributionPointName);
                generalNames2 = convertDnToGeneralNames(issuerName3);
            } else {
                generalNames2 = (GeneralNames) distributionPointName;
            }
            return existsMatchingNamePair(generalNames2, generalNames);
        }
        // CRL side is a full name.
        if (!(distributionPointName instanceof RDN)) {
            GeneralNames generalNames3 = (GeneralNames) distributionPointName;
            if (distributionPointName2 instanceof GeneralNames) {
                convertDnToGeneralNames = (GeneralNames) distributionPointName2;
            } else {
                // Certificate side is relative: expand it against the cRLIssuer's
                // X.500 name, or the certificate issuer when there is none.
                if (generalNames != null) {
                    issuerName = findX500Name(generalNames);
                    validateIssuerDn(issuerName);
                } else {
                    issuerName = x509Certificate.getIssuerName();
                }
                issuerName.addRDN((RDN) distributionPointName2);
                convertDnToGeneralNames = convertDnToGeneralNames(issuerName);
            }
            return existsMatchingNamePair(generalNames3, convertDnToGeneralNames);
        }
        // CRL side is relative: expand it against the CRL issuer.
        X500Name issuerName4 = x509crl.getIssuerName();
        issuerName4.addRDN((RDN) distributionPointName);
        if (!(distributionPointName2 instanceof RDN)) {
            GeneralNames generalNames4 = (GeneralNames) distributionPointName2;
            GeneralName generalName = new GeneralName();
            generalName.setGeneralName(issuerName4, 5);
            return existsMatchingName(generalName, generalNames4);
        }
        // Both sides relative: expand the certificate side and compare the full names.
        if (generalNames != null) {
            issuerName2 = findX500Name(generalNames);
            validateIssuerDn(issuerName2);
        } else {
            issuerName2 = x509Certificate.getIssuerName();
        }
        issuerName2.addRDN((RDN) distributionPointName2);
        return issuerName4.equals(issuerName2);
    }

    /**
     * Tests whether {@code generalNames} contains an entry equal to
     * {@code generalName}.
     *
     * @param generalName  name to look for; null never matches
     * @param generalNames names to search; null never matches
     * @return true if an equal entry exists
     * @throws NameException if an entry cannot be read
     */
    private boolean existsMatchingName(GeneralName generalName, GeneralNames generalNames) throws NameException {
        if (generalName != null && generalNames != null) {
            int index = 0;
            while (index < generalNames.getNameCount()) {
                if (generalName.equals(generalNames.getGeneralName(index))) {
                    return true;
                }
                index++;
            }
        }
        return false;
    }

    /**
     * Tests whether the two name collections share at least one equal entry.
     *
     * @param generalNames  first collection; null yields false
     * @param generalNames2 second collection; null yields false
     * @return true if any entry of the first equals an entry of the second
     * @throws NameException if an entry cannot be read
     */
    private boolean existsMatchingNamePair(GeneralNames generalNames, GeneralNames generalNames2) throws NameException {
        if (generalNames != null) {
            int index = 0;
            while (index < generalNames.getNameCount()) {
                if (existsMatchingName(generalNames.getGeneralName(index), generalNames2)) {
                    return true;
                }
                index++;
            }
        }
        return false;
    }

    /**
     * Wraps an X.500 name in a {@link GeneralNames} holding exactly one entry.
     * The entry is created with type code 5, the code this class uses whenever
     * it stores an {@link X500Name} in a {@link GeneralName}.
     *
     * @param x500Name name to wrap
     * @return a new single-entry collection
     * @throws NameException if the entry cannot be created or added
     */
    private GeneralNames convertDnToGeneralNames(X500Name x500Name) throws NameException {
        final GeneralName directoryEntry = new GeneralName();
        directoryEntry.setGeneralName(x500Name, 5);
        final GeneralNames wrapped = new GeneralNames();
        wrapped.addGeneralName(directoryEntry);
        return wrapped;
    }

    /**
     * Rejects a cRLIssuer for which no X.500 distinguished name was found.
     *
     * @param x500Name the name extracted from the cRLIssuer, or null
     * @throws CertStatusException if {@code x500Name} is null
     */
    private void validateIssuerDn(X500Name x500Name) throws CertStatusException {
        if (x500Name != null) {
            return;
        }
        throw new CertStatusException("the cRLIssuer MUST contain at least one X.500 distinguished name.");
    }

    /**
     * Placeholder with an empty body: no CRL cache is read or written here.
     */
    private void updateLocalCrlCache() {
    }

    /**
     * Reduces the candidates to one CRL per IssuingDistributionPoint (type 28)
     * key, keeping the one with the latest thisUpdate. CRLs without that
     * extension share a single placeholder key.
     *
     * <p>NOTE(review): grouping relies on {@code IssuingDistributionPoint}'s
     * {@code equals}/{@code hashCode}. If the class does not override them, each
     * CRL that carries the extension is its own group and older CRLs for the
     * same scope are not dropped; confirm.
     *
     * @param vector candidate CRLs
     * @return the selected CRLs, in the map's iteration order
     */
    private Vector<X509CRL> getBestCrls(Vector<X509CRL> vector) {
        final HashMap<IssuingDistributionPoint, X509CRL> newestPerScope = new HashMap<>();
        final IssuingDistributionPoint noExtensionKey = new IssuingDistributionPoint();
        for (X509CRL candidate : vector) {
            IssuingDistributionPoint scope = (IssuingDistributionPoint) getExtension(candidate, 28);
            if (scope == null) {
                scope = noExtensionKey;
            }
            final X509CRL current = newestPerScope.get(scope);
            if (current == null || candidate.getThisUpdate().after(current.getThisUpdate())) {
                newestPerScope.put(scope, candidate);
            }
        }
        return new Vector<>(newestPerScope.values());
    }

    /**
     * Establishes trust in a CRL: finds candidate signer certificates, builds
     * and validates a path for each, and accepts the first one whose path
     * validates, whose key verifies the CRL signature and whose key usage
     * permits it.
     *
     * <p>The outcome is cached on the context as an attribute keyed by the CRL.
     * A non-null attribute short-circuits to true.
     *
     * <p>NOTE(review): an empty Vector is stored as the attribute before path
     * building starts and is removed only on failure. If path building re-enters
     * this method for the same CRL, that nested call takes the cached branch and
     * returns true without a signature check. This looks like a cycle breaker;
     * confirm the outer call's verdict is always what callers finally act on.
     *
     * @param certPathCtx validation context, also used as the cache
     * @param x509crl     CRL to verify
     * @param vector      receives path certificates from buildCertPath
     * @param vector2     CRL list handed to buildCertPath
     * @param vector3     certificate list; cached path certificates are merged into it
     * @return true if the CRL is backed by a valid signer path and signature
     * @throws CertStatusException wrapping any exception raised while verifying
     */
    private boolean verifyPath(CertPathCtx certPathCtx, X509CRL x509crl, Vector<Certificate> vector, Vector<CRL> vector2, Vector<Certificate> vector3) throws CertStatusException {
        // Cached result from an earlier (or still running) verification of this CRL.
        Vector vector4 = (Vector) certPathCtx.getAttribute(x509crl);
        if (vector4 != null) {
            CertJUtils.mergeLists(vector3, vector4);
            return true;
        }
        // Mark this CRL as "in progress" before any path building happens.
        certPathCtx.setAttribute(x509crl, new Vector());
        Vector<Certificate> vector5 = new Vector<>();
        try {
            // Collect candidate signer certificates for the CRL.
            this.certJ.getNextCertInPath(certPathCtx, x509crl, vector5);
            if (vector5.isEmpty()) {
                certPathCtx.removeAttribute(x509crl);
                return false;
            }
            if (DEBUG_ON) {
                Debug.println("Validating certificate path for CRL issued by " + x509crl.getIssuerName().toString());
            }
            Iterator<Certificate> it = vector5.iterator();
            while (it.hasNext()) {
                X509Certificate x509Certificate = (X509Certificate) it.next();
                try {
                    CertPathResult buildCertPath = this.certJ.buildCertPath(certPathCtx, x509Certificate, vector, vector2, vector3);
                    // All three must hold: valid path, valid CRL signature, acceptable key usage.
                    if (buildCertPath.getValidationResult() && verifyCRLSignature(x509crl, x509Certificate, buildCertPath) && verifyKeyUsage(certPathCtx, x509Certificate)) {
                        // Replace the placeholder with a snapshot of the path certificates.
                        certPathCtx.setAttribute(x509crl, vector.clone());
                        if (!DEBUG_ON) {
                            return true;
                        }
                        Debug.println("Certificate path validation for CRL issued by " + x509crl.getIssuerName().toString() + " passed.");
                        return true;
                    }
                } catch (Exception e) {
                    // The exception thrown here is caught again by the outer catch
                    // below and wrapped a second time.
                    certPathCtx.removeAttribute(x509crl);
                    throw new CertStatusException(e);
                }
            }
            // No candidate signer qualified: drop the placeholder and fail.
            certPathCtx.removeAttribute(x509crl);
            if (!DEBUG_ON) {
                return false;
            }
            Debug.println("Certificate path validation for CRL issued by " + x509crl.getIssuerName().toString() + " failed.");
            return false;
        } catch (Exception e2) {
            certPathCtx.removeAttribute(x509crl);
            throw new CertStatusException(e2);
        }
    }

    /**
     * Verifies the CRL's signature with the signer's public key.
     *
     * <p>The key comes from the path-building result; if that yields none, the
     * key in the signer certificate itself is used. Any provider, certificate or
     * random-source failure is reported as a failed verification, so errors
     * never count as success.
     *
     * @param x509crl         CRL whose signature is checked
     * @param x509Certificate candidate signer certificate
     * @param certPathResult  result of building the signer's path
     * @return true only if the signature verifies
     */
    private boolean verifyCRLSignature(X509CRL x509crl, X509Certificate x509Certificate, CertPathResult certPathResult) {
        try {
            final String cryptoDevice = this.certJ.getDevice();
            JSAFE_PublicKey signerKey = certPathResult.getSubjectPublicKey(cryptoDevice);
            if (signerKey == null) {
                signerKey = x509Certificate.getSubjectPublicKey(cryptoDevice);
            }
            final SecureRandom random = (SecureRandom) this.certJ.getRandomObject();
            return x509crl.verifyCRLSignature(cryptoDevice, signerKey, random);
        } catch (NoServiceException noService) {
            return false;
        } catch (CertificateException badCertificate) {
            return false;
        } catch (RandomException noRandom) {
            return false;
        }
    }

    /**
     * Checks that the signer certificate's KeyUsage extension (type 15) has bit
     * 0x02000000 set (presumably cRLSign; confirm against KeyUsage's constants).
     *
     * <p>The check passes without inspection when context flag 64 is raised or
     * when the certificate has no KeyUsage extension.
     *
     * @param certPathCtx     validation context
     * @param x509Certificate candidate CRL signer
     * @return true if the key usage is acceptable or not enforced
     */
    private boolean verifyKeyUsage(CertPathCtx certPathCtx, X509Certificate x509Certificate) {
        if (certPathCtx.isFlagRaised(64)) {
            return true;
        }
        final KeyUsage usage = (KeyUsage) getExtension(x509Certificate, 15);
        if (usage == null) {
            return true;
        }
        return (usage.getKeyUsage() & 0x02000000) != 0;
    }

    /**
     * Looks an extension up by type, returning null instead of failing.
     *
     * <p>NOTE(review): a {@link CertificateException} from the lookup is turned
     * into null, so callers cannot tell a missing extension from one that could
     * not be read. Several callers treat null as "no restriction"; confirm the
     * lookup throws only for a missing extension.
     *
     * @param x509V3Extensions extension set to search, may be null
     * @param i                extension type code
     * @return the extension, or null if the set is null or the lookup throws
     */
    private X509V3Extension getExtension(X509V3Extensions x509V3Extensions, int i) {
        if (x509V3Extensions == null) {
            return null;
        }
        try {
            return x509V3Extensions.getExtensionByType(i);
        } catch (CertificateException ignored) {
            // Reported to the caller as "not present".
            return null;
        }
    }

    /**
     * Looks an extension up on a CRL by type.
     *
     * @param x509crl CRL to read, may be null
     * @param i       extension type code
     * @return the extension, or null if the CRL is null or the lookup yields nothing
     */
    private X509V3Extension getExtension(X509CRL x509crl, int i) {
        return (x509crl == null) ? null : getExtension(x509crl.getExtensions(), i);
    }

    /**
     * Looks an extension up on a certificate by type.
     *
     * @param x509Certificate certificate to read, may be null
     * @param i               extension type code
     * @return the extension, or null if the certificate is null or the lookup yields nothing
     */
    private X509V3Extension getExtension(X509Certificate x509Certificate, int i) {
        return (x509Certificate == null) ? null : getExtension(x509Certificate.getExtensions(), i);
    }

    /**
     * Reports whether the CRL carries any critical extension other than type 28
     * (IssuingDistributionPoint). Despite the name, no list of known extensions
     * is consulted: every other critical extension counts.
     *
     * @param x509crl CRL to inspect
     * @return true if such a critical extension exists; false if there are none
     *         or the CRL has no extensions
     * @throws CertStatusException if an extension cannot be read
     */
    private boolean hasUnknownCriticalExtension(X509CRL x509crl) throws CertStatusException {
        final X509V3Extensions crlExtensions = x509crl.getExtensions();
        if (crlExtensions == null) {
            return false;
        }
        for (int index = 0; index < crlExtensions.getExtensionCount(); index++) {
            try {
                final X509V3Extension candidate = crlExtensions.getExtensionByIndex(index);
                if (candidate.getExtensionType() == 28) {
                    continue;
                }
                if (candidate.getCriticality()) {
                    return true;
                }
            } catch (CertificateException e) {
                internalError(e);
                // Not reached: internalError always throws.
                return false;
            }
        }
        return false;
    }

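    /**
     * Searches the CRL's revoked-certificate list for the given certificate.
     *
     * <p>For a direct CRL ({@code z} false) a serial-number match is sufficient.
     * For an indirect CRL ({@code z} true) each entry belongs to the issuer named
     * by the most recent CertificateIssuer entry extension (type 29), starting
     * with the CRL issuer, and an entry matches only if both serial number and
     * that issuer equal the certificate's.
     *
     * <p>Fix: a serial-number match whose entry issuer differs no longer ends the
     * scan. Serial numbers are unique only per issuer, so an indirect CRL can
     * list the same serial for several issuers; previously the first such entry
     * made the method return false and a later entry for the right issuer was
     * never examined.
     *
     * @param x509Certificate certificate to look for
     * @param x509crl         CRL to search
     * @param z               true when the CRL is used as an indirect CRL
     * @return true if the certificate is listed in the CRL
     * @throws CertStatusException if an entry cannot be read
     */
    private boolean findSerialNumberInCrl(X509Certificate x509Certificate, X509CRL x509crl, boolean z) throws CertStatusException {
        RevokedCertificates revokedCertificates = x509crl.getRevokedCertificates();
        byte[] serialNumber = x509Certificate.getSerialNumber();
        if (revokedCertificates == null) {
            return false;
        }
        // Issuer that the current entry belongs to; carried forward between entries.
        X500Name entryIssuer = x509crl.getIssuerName();
        for (int i = 0; i < revokedCertificates.getCertificateCount(); i++) {
            try {
                if (z) {
                    CertificateIssuer certificateIssuer = (CertificateIssuer) getExtension(revokedCertificates.getExtensions(i), 29);
                    if (certificateIssuer != null) {
                        // May become null if the extension holds no X.500 name;
                        // such entries then match no certificate.
                        entryIssuer = findX500Name(certificateIssuer.getGeneralNames());
                    }
                }
                if (!CertJUtils.byteArraysEqual(serialNumber, revokedCertificates.getSerialNumber(i))) {
                    continue;
                }
                if (!z || x509Certificate.getIssuerName().equals(entryIssuer)) {
                    return true;
                }
                // Same serial number, different issuer: keep scanning.
            } catch (CertificateException e) {
                internalError(e);
                // Not reached: internalError always throws.
                return false;
            }
        }
        return false;
    }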

    /**
     * Tells whether the CRL is past its nextUpdate at the validation time.
     *
     * <p>The freshness check is skipped entirely when context flag 262144 is
     * raised, and a CRL without a nextUpdate is never considered obsolete.
     *
     * @param certPathCtx validation context
     * @param x509crl     CRL to check
     * @param date        validation time
     * @return true if {@code date} is after the CRL's nextUpdate and the check is enabled
     */
    private boolean isCRLObsolete(CertPathCtx certPathCtx, X509CRL x509crl, Date date) {
        if (certPathCtx.isFlagRaised(262144)) {
            return false;
        }
        final Date nextUpdate = x509crl.getNextUpdate();
        return nextUpdate != null && date.after(nextUpdate);
    }
}
