package org.glite.security.util;

import java.io.File;
import java.io.IOException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.glite.security.trustmanager.ContextWrapper;

/* loaded from: input_file:org/glite/security/util/FileCRLChecker.class */
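/**
 * Revocation checker backed by a single CRL file on disk ({@code <caBaseFilename><CRL_FILE_ENDING_PREFIX><caNumber>}).
 *
 * <p>The CRL is (re)loaded by {@link #checkUpdate()} whenever the file's modification time changes. A CRL is only
 * accepted after its critical extensions have been inspected, its signature has been verified against the CA
 * certificate's public key and its issuer name matches the CA subject. Until a CRL has been accepted, or after a
 * reload has failed, {@link #check(X509Certificate)} refuses every certificate (fail closed).
 *
 * <p>Not synchronized: {@code checkUpdate()} mutates {@code m_crl}/{@code failureString} while {@code check()} reads
 * them. Callers are presumably expected to serialise access or tolerate a momentarily stale view — not verifiable
 * from this file.
 */
public class FileCRLChecker extends RevocationChecker {
    private static final Logger LOGGER = Logger.getLogger(FileCRLChecker.class);

    /** The most recently accepted CRL (parsed, extension-checked, signature- and issuer-verified); null until the first successful load. */
    private X509CRL m_crl;
    /** CA certificate whose key must have signed the CRL and whose subject must equal the CRL issuer. */
    private X509Certificate m_caCert;
    /** Base file name of the CA; the CRL file name is derived from it. */
    private String m_caBaseFilename;
    /** Full path of the CRL file. */
    private String m_crlFilename;
    /** Index of this CA among the files sharing the same base name; embedded in the CRL file name. */
    private int m_caNumber;
    /** lastModified() of the CRL file as captured before it was last parsed; -255 means never parsed. */
    private long m_crlModified;
    /** Whether certificates must be refused when the CRL is missing, expired or not yet valid (CRL_REQUIRED property, default true). */
    private boolean m_crlRequired;
    /** Message of the last load failure, or null while the current {@code m_crl} is usable. */
    private String failureString;
    static FileCertReader s_certReader;

    /**
     * Creates the checker and immediately attempts to load the CRL file.
     *
     * @param x509Certificate the CA certificate the CRL must be issued and signed by
     * @param str base file name of the CA (the CRL path is derived from it)
     * @param i CA number appended to the CRL file name
     * @param caseInsensitiveProperties configuration; only {@code ContextWrapper.CRL_REQUIRED} is read here, may be null
     */
    public FileCRLChecker(X509Certificate x509Certificate, String str, int i, CaseInsensitiveProperties caseInsensitiveProperties) {
        super(x509Certificate, str, i, caseInsensitiveProperties);
        this.m_crlModified = -255L;
        this.m_crlRequired = false;
        this.failureString = null;
        this.m_caCert = x509Certificate;
        this.m_caBaseFilename = str;
        // m_caNumber must be assigned BEFORE the file name is built; the previous order embedded the
        // field's default 0 in the name, so every CA was looked up as "<base>.r0".
        this.m_caNumber = i;
        this.m_crlFilename = this.m_caBaseFilename + FullTrustAnchor.CRL_FILE_ENDING_PREFIX + this.m_caNumber;
        String property = caseInsensitiveProperties != null ? caseInsensitiveProperties.getProperty(ContextWrapper.CRL_REQUIRED) : null;
        if (property == null) {
            // Unset property means CRLs are required (fail closed).
            property = "true";
        }
        // The normalised value must actually be used: discarding trim()/toLowerCase() made " true" or
        // "True" read as "not required", silently disabling revocation checking.
        property = property.trim().toLowerCase(Locale.ROOT);
        this.m_crlRequired = property.startsWith("t") || property.startsWith("y");
        // NOTE(review): overridable method called from the constructor; a subclass override would run on a
        // partially constructed object. Kept because the public interface must not change.
        checkUpdate();
    }

    /**
     * Validates a candidate CRL against this checker's CA: critical extensions, signature and issuer name.
     *
     * @param crl the CRL to validate (not yet published as {@code m_crl})
     * @throws CertificateException if an unsupported critical extension is present, the signature does not verify
     *         with the CA key, or the issuer does not match the CA subject
     * @throws IOException if an extension value cannot be decoded
     */
    private void checkCrl(X509CRL crl) throws CertificateException, IOException {
        if (crl == null) {
            throw new IllegalArgumentException("crl must not be null");
        }
        // Per RFC 5280 an unrecognised critical CRL extension means the CRL must not be used.
        Set<String> criticalExtensionOIDs = crl.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs != null) {
            for (String oid : criticalExtensionOIDs) {
                checkExtension(crl, oid);
            }
        }
        try {
            crl.verify(this.m_caCert.getPublicKey());
        } catch (SignatureException e) {
            // A CRL that does not verify is security-relevant even when CRLs are optional, hence warn.
            LOGGER.warn("The crl " + this.m_crlFilename + " is not signed properly by CA " + DNHandler.getSubject(this.m_caCert) + ".");
            throw new CertificateException("The crl " + this.m_crlFilename + " is not signed properly by CA " + DNHandler.getSubject(this.m_caCert) + ".", e);
        } catch (Exception e2) {
            LOGGER.debug("The verification of crl " + this.m_crlFilename + " failed: " + e2.getMessage());
            throw new CertificateException("The verification of crl " + this.m_crlFilename + " failed: " + e2.getMessage(), e2);
        }
        // The signature proves the CA key signed it; additionally require the CRL to name this CA as issuer
        // (RFC 5280 6.3.3), so a CRL signed under another name is not accepted for this CA.
        X500Principal crlIssuer = crl.getIssuerX500Principal();
        X500Principal caSubject = this.m_caCert.getSubjectX500Principal();
        if (crlIssuer == null || !crlIssuer.equals(caSubject)) {
            LOGGER.warn("The crl " + this.m_crlFilename + " is issued by " + crlIssuer + ", which is not the CA " + caSubject + ".");
            throw new CertificateException("The crl " + this.m_crlFilename + " is issued by " + crlIssuer + ", which is not the CA " + caSubject + ".");
        }
    }

    /**
     * Reloads the CRL if the file's modification time differs from the one recorded at the last parse.
     * On failure the error is remembered in {@code failureString} so that {@link #check(X509Certificate)} refuses
     * certificates; the warning is logged only once per failure episode.
     */
    @Override // org.glite.security.util.RevocationChecker
    public void checkUpdate() {
        try {
            File file = new File(this.m_crlFilename);
            // lastModified() is 0 for a missing file, which never equals the -255 sentinel, so a
            // missing file is retried on every call.
            if (file.lastModified() != this.m_crlModified) {
                LOGGER.debug("CRL file changed, reloading it: " + file.getName());
                loadCRL(file.getAbsolutePath());
                this.failureString = null;
            }
        } catch (IOException e) {
            recordLoadFailure(e);
        } catch (CertificateException e2) {
            recordLoadFailure(e2);
        }
    }

    /**
     * Records a CRL load failure: warns once (only when CRLs are required) and stores the message that
     * {@link #check(X509Certificate)} will report.
     *
     * @param e the failure
     */
    private void recordLoadFailure(Exception e) {
        if (this.m_crlRequired && this.failureString == null) {
            LOGGER.warn("CRL loading for CA file " + this.m_caBaseFilename + "." + this.m_caNumber + " failed, the certificates from the CA " + DNHandler.getSubject(this.m_caCert).getRFCDN() + " will be refused. Error was: " + e.getClass() + ": " + e.getMessage());
        }
        this.failureString = e.getMessage();
    }

    /**
     * Reads the CRL file, validates the first CRL in it and, only if validation passes, publishes it as the
     * current CRL. The modification time is recorded even if validation fails so a broken file is not
     * re-parsed on every {@link #checkUpdate()}.
     *
     * @param str path of the CRL file
     * @throws IOException if the file holds no CRL or cannot be read
     * @throws CertificateException if the CRL fails validation (see {@link #checkCrl(X509CRL)})
     */
    private void loadCRL(String str) throws CertificateException, IOException {
        File file = new File(str);
        // Capture the timestamp BEFORE reading: if the file is rewritten while being parsed the next
        // checkUpdate() sees a mismatch and reloads, instead of keeping the half-read version forever.
        long modifiedBeforeRead = file.lastModified();
        Vector readCRLs = s_certReader.readCRLs(str);
        if (readCRLs == null || readCRLs.isEmpty()) {
            throw new IOException("No CRL found in " + str + ".");
        }
        if (readCRLs.size() > 1) {
            LOGGER.debug("File " + str + " contains " + readCRLs.size() + " CRLs, only the first one is used.");
        }
        X509CRL candidate = (X509CRL) readCRLs.get(0);
        this.m_crlModified = modifiedBeforeRead;
        // Validate before publishing: a CRL that fails the checks must never replace the previously
        // accepted one in m_crl.
        checkCrl(candidate);
        this.m_crl = candidate;
    }

    /**
     * Checks a certificate against the current CRL.
     *
     * <p>Refuses the certificate when no usable CRL is loaded (regardless of CRL_REQUIRED — loading failures
     * fail closed), when the CRL is expired or not yet valid and CRLs are required, or when the certificate is
     * listed in the CRL.
     *
     * @param x509Certificate the certificate to check; assumed to be issued by this checker's CA (not
     *        verified here — presumably the caller selects the checker by issuer)
     * @throws CertificateException if the CRL could not be loaded
     * @throws CertificateRevokedException if the certificate is revoked, or the CRL is outside its validity
     *         window and CRLs are required
     * @throws IOException declared for interface compatibility
     */
    @Override // org.glite.security.util.RevocationChecker
    public void check(X509Certificate x509Certificate) throws IOException, CertificateException, CertificateRevokedException {
        DN subject = DNHandler.getSubject(x509Certificate);
        DN issuer = DNHandler.getIssuer(x509Certificate);
        if (this.failureString != null) {
            throw new CertificateException("CRL checking failed, CRL loading had failed: " + this.failureString);
        }
        // Work on one snapshot so a concurrent reload cannot swap the CRL between the checks below.
        X509CRL crl = this.m_crl;
        if (crl == null) {
            throw new CertificateException("CRL checking failed, no CRL loaded for CA " + issuer + ".");
        }
        Date date = new Date(System.currentTimeMillis());
        // nextUpdate is OPTIONAL in X.509; without it the CRL's freshness cannot be assessed.
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate == null) {
            LOGGER.debug("The CRL of " + issuer + " has no nextUpdate, its freshness can't be checked.");
        } else if (nextUpdate.before(date)) {
            if (this.m_crlRequired) {
                LOGGER.info("The certificate " + subject + " is not in the CRL of " + issuer + ", but the CRL has expired on " + nextUpdate + ", so rejecting this certificate.");
                throw new CertificateRevokedException("The certificate " + subject + " is not in the CRL of " + issuer + ", but the CRL has expired on " + nextUpdate + ", so rejecting this certificate.");
            }
            LOGGER.warn("The CRL of " + issuer + " has expired on " + nextUpdate + ", but as CRLs are not required, the cert is not rejected.");
        }
        Date thisUpdate = crl.getThisUpdate();
        if (thisUpdate != null && thisUpdate.after(date)) {
            if (this.m_crlRequired) {
                LOGGER.info("The certificate " + subject + " is not in the CRL of " + issuer + ", but the CRL is not yet valid (valid from " + thisUpdate + "), so rejecting this certificate.");
                throw new CertificateRevokedException("The certificate " + subject + " is not in the CRL of " + issuer + ", but the CRL is not yet valid (valid from " + thisUpdate + "), so rejecting this certificate.");
            }
            LOGGER.warn("The CRL of " + issuer + " is not yet valid (valid from " + thisUpdate + "), but as CRLs are not required, the cert is not rejected.");
        }
        X509CRLEntry revokedCertificate = crl.getRevokedCertificate(x509Certificate);
        if (revokedCertificate != null) {
            throw new CertificateRevokedException("The certificate " + subject + " is revoked by CA " + issuer + " on " + revokedCertificate.getRevocationDate() + ".");
        }
    }

    /**
     * Handles one critical CRL extension: DeltaCRLIndicator and anything unknown are rejected, an
     * IssuingDistributionPoint is inspected further.
     *
     * @param crl the CRL carrying the extension
     * @param str OID of the critical extension
     * @throws CertificateException if the extension is unsupported or unrecognised
     * @throws IOException if the extension value cannot be decoded
     */
    private void checkExtension(X509CRL crl, String str) throws CertificateException, IOException {
        // Compare against the OID string: the previous String.equals(DERObjectIdentifier) was always false,
        // so a delta CRL was only caught by the generic "unrecognized" branch with a misleading message.
        if (str.equals(X509Extensions.DeltaCRLIndicator.getId())) {
            LOGGER.debug("Found DeltaCRLIndicator extension that can't be supported.");
            throw new CertificateException("Unsupported critical extension in CRL: DeltaCRLIndicator");
        }
        if (str.equals(X509Extensions.IssuingDistributionPoint.getId())) {
            checkIssuingDistributionPoint(crl);
            return;
        }
        throw new CertificateException("Unrecognized critical extension in CRL: " + str);
    }

    /**
     * Decodes the IssuingDistributionPoint extension and rejects CRLs whose scope makes them unusable on their
     * own for authenticating end-entity certificates (attribute-certificate-only, or partitioned by reason code).
     *
     * <p>NOTE(review): the distributionPoint name, onlyContainsUserCerts/onlyContainsCACerts and indirectCRL
     * fields are not evaluated here; a CRL scoped to a distribution point or to CA certificates only may still
     * be accepted as complete. Whether the surrounding trust manager compensates is not visible from this file.
     *
     * @param crl the CRL carrying a critical IssuingDistributionPoint extension
     * @throws CertificateException if the extension is malformed or its scope is unsupported
     * @throws IOException if the DER value cannot be parsed
     */
    private void checkIssuingDistributionPoint(X509CRL crl) throws CertificateException, IOException {
        byte[] extensionValue = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId());
        if (extensionValue == null) {
            // Listed as critical but absent: do not dereference null, reject instead.
            throw new CertificateException("IssuingDistributionPoint extension is marked critical but has no value");
        }
        // X509CRL.getExtensionValue() returns the DER OCTET STRING wrapping the extension's own encoding.
        ASN1Object outer = ASN1Object.fromByteArray(extensionValue);
        if (!(outer instanceof DEROctetString)) {
            throw new CertificateException("Invalid data in IssuingDistributionPoint extension, not DEROctetString");
        }
        ASN1Object inner = ASN1Object.fromByteArray(((DEROctetString) outer).getOctets());
        if (!(inner instanceof ASN1Sequence)) {
            throw new CertificateException("Invalid data in IssuingDistributionPoint extension, not ASN1Sequence");
        }
        IssuingDistributionPoint issuingDistributionPoint = new IssuingDistributionPoint((ASN1Sequence) inner);
        if (issuingDistributionPoint.onlyContainsAttributeCerts()) {
            throw new CertificateException("CRL only contains attribute certs, not useful for authentication.");
        }
        if (issuingDistributionPoint.getOnlySomeReasons() != null) {
            throw new CertificateException("CRL only contains some reasons of revocations, can't trust the certificates without other complementing CRL(s), which is not supported.");
        }
    }

    static {
        try {
            s_certReader = new FileCertReader();
        } catch (CertificateException e) {
            // Without a reader no CRL can ever be loaded; fail class initialisation loudly.
            throw new RuntimeException("Security provider initialization failed: " + e.getMessage(), e);
        }
    }
}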
