package dev.fitko.fitconnect.jwkvalidator.x5c.crl;

import java.net.Proxy;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.Extension;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:dev/fitko/fitconnect/jwkvalidator/x5c/crl/CRLDownloadManager.class */
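/**
 * Downloads a CRL for a certificate and runs a fixed chain of sanity checks on it
 * before handing it back to the caller.
 *
 * <p>The checks run in this order and the first failing one ends the chain with
 * {@link Optional#empty()}: allowed signature algorithm, CRL signature (and cRLSign
 * key usage of the signing certificate), CRL issuer matches the certificate issuer,
 * no issuingDistributionPoint extension, thisUpdate/nextUpdate window, no
 * deltaCRLIndicator extension.
 *
 * <p>A CRL whose signature cannot be verified (bad signature, wrong key, unsupported
 * algorithm/provider, undecodable CRL) is never returned; revocation decisions must not
 * be based on data of unknown origin.
 *
 * <p>Decompiler note: the class and its constructor were originally package-private.
 */
public class CRLDownloadManager {
    private static final Logger log = LoggerFactory.getLogger(CRLDownloadManager.class);

    /** Index of the cRLSign bit in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_CRL_SIGN = 6;

    private final Proxy proxy;
    private final List<String> validSignatureAlgOIDs;

    /**
     * Creates a manager that downloads CRLs through {@code proxy}.
     *
     * @param proxy proxy for the download; {@code null} selects {@link Proxy#NO_PROXY}
     * @param list  signature algorithm OIDs a CRL may be signed with; {@code null} or empty
     *              disables the algorithm check entirely
     */
    public CRLDownloadManager(Proxy proxy, List<String> list) {
        this.proxy = proxy == null ? Proxy.NO_PROXY : proxy;
        this.validSignatureAlgOIDs = verifySignatureAlgOIDList(list);
    }

    /**
     * Normalizes the configured allow-list of signature algorithm OIDs.
     *
     * @param list configured OIDs, possibly {@code null}
     * @return an unmodifiable copy, or an empty list when nothing was configured
     */
    private static List<String> verifySignatureAlgOIDList(List<String> list) {
        if (list == null || list.isEmpty()) {
            log.warn("Empty list of signature algorithm OIDs for CRL validation.");
            return Collections.emptyList();
        }
        log.debug("List of valid CRL Signature Algorithms: {}", list);
        // Defensive copy so later changes to the caller's list cannot widen the allow-list.
        return Collections.unmodifiableList(new ArrayList<>(list));
    }

    /**
     * Downloads the CRL for {@code x509Certificate} and validates it.
     *
     * @param distributionPoint CRL distribution point the CRL was taken from
     * @param x509Certificate   certificate whose revocation status is being checked
     * @param x509Certificate2  certificate expected to have signed the CRL
     * @param str               passed through to the download request (presumably the CRL URL
     *                          of the distribution point - confirm against CRLDownloadRequest)
     * @param z                 strict mode: when {@code true}, a signing certificate without the
     *                          cRLSign key usage bit causes rejection
     * @return the validated CRL, or empty if the download failed or any check failed
     */
    public Optional<X509CRL> downloadAndValidateCRL(DistributionPoint distributionPoint, X509Certificate x509Certificate, X509Certificate x509Certificate2, String str, boolean z) {
        return downloadCRL(x509Certificate, str)
                .flatMap(crl -> validateCRL(crl, distributionPoint, x509Certificate, x509Certificate2, z));
    }

    /** Performs the network download through the configured proxy. */
    private Optional<X509CRL> downloadCRL(X509Certificate cert, String str) {
        return new CRLDownloadRequest(this.proxy).downloadResponse(cert, str);
    }

    /**
     * Runs every check in sequence; the first failure short-circuits to empty.
     * Ordering matters for the log output, so it is kept explicit here.
     */
    private Optional<X509CRL> validateCRL(X509CRL crl, DistributionPoint dp, X509Certificate cert, X509Certificate signingCert, boolean strictKeyUsage) {
        return validSignatureAlgorithm(crl, cert, signingCert)
                .flatMap(c -> verifyCRLSignature(c, cert, signingCert, strictKeyUsage))
                .flatMap(c -> validCRLIssuerInDistributionPoint(c, dp, cert))
                .flatMap(c -> validIssuingDistributionPointInCRL(c, cert))
                .flatMap(c -> validNextUpdateValue(c, cert))
                .flatMap(c -> validateDeltaCRLIndicator(c, cert));
    }

    /**
     * Rejects CRLs signed with an algorithm outside the configured allow-list.
     * An empty allow-list skips this check.
     */
    private Optional<X509CRL> validSignatureAlgorithm(X509CRL crl, X509Certificate cert, X509Certificate signingCert) {
        String sigAlgOID = crl.getSigAlgOID();
        log.debug("[validSignatureAlgorithm] - Signature algorithm {} ({}) in x509CRL and {} ({}) in signingCert {} for cert {}",
                sigAlgOID, crl.getSigAlgName(), signingCert.getSigAlgOID(), signingCert.getSigAlgName(),
                signingCert.getSerialNumber(), cert.getSerialNumber());
        if (this.validSignatureAlgOIDs.isEmpty()) {
            log.debug("Skipping validation of used signature algorithm in CRL");
            return Optional.of(crl);
        }
        if (!this.validSignatureAlgOIDs.contains(sigAlgOID)) {
            log.error("Signature algorithm {} in CRL response not in list of valid signature algorithm OIDs: {}", sigAlgOID, this.validSignatureAlgOIDs);
            return Optional.empty();
        }
        return Optional.of(crl);
    }

    /**
     * Verifies the CRL signature with the signing certificate's public key.
     *
     * <p>A signing certificate that carries a keyUsage extension without the cRLSign bit is
     * rejected in strict mode and only logged otherwise; in both cases the signature itself is
     * still verified. Any failure to verify - including environment problems such as a missing
     * algorithm or provider - yields empty, because an unverified CRL must not be trusted.
     *
     * @param strictKeyUsage reject when the cRLSign key usage bit is absent
     */
    private Optional<X509CRL> verifyCRLSignature(X509CRL crl, X509Certificate cert, X509Certificate signingCert, boolean strictKeyUsage) {
        Object certSerial = cert.getSerialNumber();
        Object signerSerial = signingCert.getSerialNumber();

        boolean[] keyUsage = signingCert.getKeyUsage();
        // A missing keyUsage extension imposes no restriction; a present one must set cRLSign.
        boolean crlSignAllowed = keyUsage == null
                || (keyUsage.length > KEY_USAGE_CRL_SIGN && keyUsage[KEY_USAGE_CRL_SIGN]);
        if (!crlSignAllowed) {
            log.error("CRLSign key usage not specified for cert {} and signing cert {}", certSerial, signerSerial);
            if (strictKeyUsage) {
                return Optional.empty();
            }
        }

        try {
            crl.verify(signingCert.getPublicKey());
            return Optional.of(crl);
        } catch (SignatureException e) {
            // Signature does not match: the CRL is forged, tampered with, or signed by another key.
            log.error("Incorrect signature for X509CRL check with cert {} and signing cert {}", certSerial, signerSerial, e);
            return Optional.empty();
        } catch (InvalidKeyException e) {
            log.error("Incorrect key in X509CRL check with cert {} and signing cert {}", certSerial, signerSerial, e);
            return Optional.empty();
        } catch (NoSuchAlgorithmException e) {
            log.error("Signature algorithm in X509CRL is not supported for cert {} and signing cert {}", certSerial, signerSerial, e);
            return Optional.empty();
        } catch (NoSuchProviderException e) {
            log.error("No provider found for X509CRL check with cert {} and signing cert {}", certSerial, signerSerial, e);
            return Optional.empty();
        } catch (CRLException e) {
            log.error("X509CRL has wrong encoding for cert {} and signging cert {}", certSerial, signerSerial, e);
            return Optional.empty();
        }
    }

    /** Delta CRLs are not supported: a deltaCRLIndicator extension rejects the CRL. */
    private Optional<X509CRL> validateDeltaCRLIndicator(X509CRL crl, X509Certificate cert) {
        if (crl.getExtensionValue(Extension.deltaCRLIndicator.getId()) != null) {
            log.warn("CRL has a delta indicator for cert {}", cert.getSerialNumber());
            return Optional.empty();
        }
        return Optional.of(crl);
    }

    /**
     * Requires both thisUpdate and nextUpdate to be present and the current time to lie
     * within [thisUpdate, nextUpdate]. No clock-skew tolerance is applied.
     */
    private Optional<X509CRL> validNextUpdateValue(X509CRL crl, X509Certificate cert) {
        Date now = new Date();
        Date thisUpdate = crl.getThisUpdate();
        if (thisUpdate == null) {
            log.warn("CRL contains no 'thisUpdate' field for cert {}", cert.getSerialNumber());
            return Optional.empty();
        }
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate == null) {
            log.warn("CRL contains no 'nextUpdate' field for cert {}", cert.getSerialNumber());
            return Optional.empty();
        }
        if (now.before(thisUpdate)) {
            log.warn("Current date {} < thisUpdate {} field for cert {}", now, thisUpdate, cert.getSerialNumber());
            return Optional.empty();
        }
        if (now.after(nextUpdate)) {
            // Log the value actually compared against (nextUpdate), not thisUpdate.
            log.warn("Current date {} > nextUpdate {} field for cert {}", now, nextUpdate, cert.getSerialNumber());
            return Optional.empty();
        }
        return Optional.of(crl);
    }

    /** Indirect CRLs are not supported: an issuingDistributionPoint extension rejects the CRL. */
    private Optional<X509CRL> validIssuingDistributionPointInCRL(X509CRL crl, X509Certificate cert) {
        if (crl.getExtensionValue(Extension.issuingDistributionPoint.getId()) != null) {
            log.warn("CRL has suddenly an issuing distribution point for cert {}", cert.getSerialNumber());
            return Optional.empty();
        }
        return Optional.of(crl);
    }

    /**
     * The distribution point must not name a separate CRL issuer, and the CRL issuer must be
     * the issuer of the certificate being checked.
     */
    private Optional<X509CRL> validCRLIssuerInDistributionPoint(X509CRL crl, DistributionPoint dp, X509Certificate cert) {
        if (dp.getCRLIssuer() != null) {
            log.warn("Distribution Point has suddenly an CRL issuer for cert {}", cert.getSerialNumber());
            return Optional.empty();
        }
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            log.warn("CRL issuer {} does not match certificate issuer {} for cert {}",
                    crl.getIssuerX500Principal(), cert.getIssuerX500Principal(), cert.getSerialNumber());
            return Optional.empty();
        }
        return Optional.of(crl);
    }
}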
