package dev.fitko.fitconnect.jwkvalidator.x5c.crl;

import dev.fitko.fitconnect.jwkvalidator.x5c.CertStatus;
import java.net.Proxy;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:dev/fitko/fitconnect/jwkvalidator/x5c/crl/CRLDistributionPointEvaluator.class */
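/**
 * Resolves the revocation status of a certificate by walking its CRL distribution points.
 *
 * <p>For every distribution point the HTTP(S)/URI entries of its {@code fullName} are extracted,
 * a CRL is taken from the cache or downloaded through {@link CRLDownloadManager}, and the
 * certificate is looked up in that CRL. The first CRL that can be obtained decides the result;
 * later distribution points and URLs are not consulted.
 *
 * <p>NOTE(review): the distribution point URLs are read from the certificate under inspection.
 * Any restriction on which URLs may be fetched is not visible in this class and would have to be
 * enforced by {@link CRLDownloadManager} - confirm.
 */
public class CRLDistributionPointEvaluator {
    private static final Logger log = LoggerFactory.getLogger(CRLDistributionPointEvaluator.class);

    /**
     * Value returned by {@code DistributionPointName.getType()} for the {@code fullName} choice
     * (RFC 5280, section 4.2.1.13). The other choice, {@code nameRelativeToCRLIssuer}, does not
     * carry GeneralNames and cannot be turned into a URL here.
     */
    private static final int DISTRIBUTION_POINT_FULL_NAME = 0;

    private final CRLCacheManager crlCacheManager;
    private final CRLDownloadManager crlDownloadManager;

    /**
     * Creates an evaluator that uses the given cache and a freshly created download manager.
     *
     * <p>The decompiler reports that this constructor was originally package-private.
     *
     * @param proxy           forwarded to the {@link CRLDownloadManager} constructor
     * @param cRLCacheManager cache consulted before, and filled after, each CRL download
     * @param list            forwarded unchanged to the {@link CRLDownloadManager} constructor;
     *                        its meaning is not visible in this class
     */
    public CRLDistributionPointEvaluator(Proxy proxy, CRLCacheManager cRLCacheManager, List<String> list) {
        this.crlCacheManager = cRLCacheManager;
        this.crlDownloadManager = new CRLDownloadManager(proxy, list);
    }

    /**
     * Determines the revocation status of a certificate from the given distribution points.
     *
     * <p>The decompiler reports that this method was originally package-private.
     *
     * @param x509Certificate  certificate whose revocation status is checked
     * @param x509Certificate2 forwarded to the download manager for CRL validation; presumably the
     *                         issuer certificate - confirm against {@link CRLDownloadManager}
     * @param list             distribution points to try, in order
     * @param z                forwarded unchanged to the download manager; meaning not visible here
     * @return the status derived from the first obtainable CRL, or {@link CertStatus#UNKNOWN} when
     *         no distribution point yielded a CRL. A caller that treats {@code UNKNOWN} like
     *         {@code VALID} would accept certificates whose revocation state could not be checked.
     */
    public CertStatus checkCertStatusForCrlDistPoints(X509Certificate x509Certificate, X509Certificate x509Certificate2, List<DistributionPoint> list, boolean z) {
        for (DistributionPoint distributionPoint : list) {
            List<String> crlUrls = extractCRLUrlsFromDistributionPoint(distributionPoint, x509Certificate);
            CertStatus status = processCRLURLs(crlUrls, distributionPoint, x509Certificate, x509Certificate2, z);
            if (status != null) {
                return status;
            }
        }
        log.error("Could not obtain revokation status for cert {}", x509Certificate.getSerialNumber());
        return CertStatus.UNKNOWN;
    }

    /**
     * Collects the URI entries of a distribution point's {@code fullName}.
     *
     * <p>Distribution points that carry a reason flag, that have no distribution point name, or
     * whose name is not of the {@code fullName} type yield an empty list instead of an exception,
     * so that a certificate with such an extension falls through to the next distribution point.
     *
     * @param distributionPoint distribution point taken from the certificate
     * @param x509Certificate   certificate being checked; only used for log output
     * @return the URI strings found, possibly empty, never {@code null}
     */
    List<String> extractCRLUrlsFromDistributionPoint(DistributionPoint distributionPoint, X509Certificate x509Certificate) {
        if (!validReasonFlagInDistributionPoint(distributionPoint, x509Certificate)) {
            return Collections.emptyList();
        }
        // The distributionPoint field is OPTIONAL (a point may name only a cRLIssuer), and
        // GeneralNames.getInstance() is only applicable to the fullName choice.
        var pointName = distributionPoint.getDistributionPoint();
        if (pointName == null || pointName.getType() != DISTRIBUTION_POINT_FULL_NAME) {
            log.warn("Distribution Point without fullName is skipped for cert {}", x509Certificate.getSerialNumber());
            return Collections.emptyList();
        }
        List<String> crlUrls = new ArrayList<>();
        for (GeneralName generalName : GeneralNames.getInstance(pointName.getName()).getNames()) {
            if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                crlUrls.add(ASN1IA5String.getInstance(generalName.getName()).getString());
            }
        }
        return crlUrls;
    }

    /**
     * Accepts only distribution points without a reasons field.
     *
     * @return {@code true} when no reason flag is present; {@code false} (after a warning) otherwise
     */
    private boolean validReasonFlagInDistributionPoint(DistributionPoint distributionPoint, X509Certificate x509Certificate) {
        if (distributionPoint.getReasons() == null) {
            return true;
        }
        log.warn("Distribution Point suddenly specifies a reason flag for cert {}", x509Certificate.getSerialNumber());
        return false;
    }

    /**
     * Tries the URLs in order and evaluates the first CRL that can be obtained.
     *
     * @return the resulting status, or {@code null} when none of the URLs produced a CRL
     */
    private CertStatus processCRLURLs(List<String> list, DistributionPoint distributionPoint, X509Certificate x509Certificate, X509Certificate x509Certificate2, boolean z) {
        for (String crlUrl : list) {
            X509CRL crl = processCrlURL(crlUrl, distributionPoint, x509Certificate, x509Certificate2, z);
            if (crl != null) {
                return checkRevocationStatus(crl, crlUrl, distributionPoint, x509Certificate);
            }
        }
        return null;
    }

    /**
     * Returns the CRL for a URL from the cache, or downloads, validates and caches it.
     *
     * <p>NOTE(review): a cache hit is keyed by URL only and bypasses
     * {@code downloadAndValidateCRL}. Whether the cache itself re-checks freshness or that the
     * CRL belongs to this certificate's issuer is not visible here - confirm in
     * {@link CRLCacheManager}.
     *
     * @return the CRL, or {@code null} when the download manager returned none
     */
    private X509CRL processCrlURL(String str, DistributionPoint distributionPoint, X509Certificate x509Certificate, X509Certificate x509Certificate2, boolean z) {
        Optional<X509CRL> cached = this.crlCacheManager.checkForEntryInCache(str);
        if (cached.isPresent()) {
            return cached.get();
        }
        Optional<X509CRL> downloaded = this.crlDownloadManager.downloadAndValidateCRL(distributionPoint, x509Certificate, x509Certificate2, str, z);
        if (downloaded.isEmpty()) {
            return null;
        }
        X509CRL crl = downloaded.get();
        this.crlCacheManager.saveToCache(str, crl);
        return crl;
    }

    /**
     * Looks the certificate up in the CRL and records the outcome in the cache.
     *
     * @return whatever {@code CRLCacheManager.saveToCache} returns for the recorded status
     */
    private CertStatus checkRevocationStatus(X509CRL x509crl, String str, DistributionPoint distributionPoint, X509Certificate x509Certificate) {
        if (!x509crl.isRevoked(x509Certificate)) {
            return this.crlCacheManager.saveToCache(CertStatus.VALID, x509crl, x509Certificate);
        }
        // The reason code is a CRL *entry* extension (RFC 5280, section 5.3.1). Asking the CRL
        // itself for it yields a raw byte[] or null, which is useless in a log line, so the
        // reason is read from the revoked entry instead.
        X509CRLEntry revokedEntry = x509crl.getRevokedCertificate(x509Certificate);
        Object revocationReason = revokedEntry == null ? null : revokedEntry.getRevocationReason();
        log.error("Certificate {} was revoked by distribution point {} with url {}: {}",
                x509Certificate.getSerialNumber(), distributionPoint, str, revocationReason);
        return this.crlCacheManager.saveToCache(CertStatus.REVOKED, x509crl, x509Certificate);
    }
}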
