package org.apache.tsik.crl;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.InitialDirContext;
import org.apache.tsik.common.Logger;
import org.apache.tsik.common.LoggerFactory;
import org.apache.tsik.util.CertInfo;
import org.apache.tsik.verifier.TrustVerificationException;
import org.apache.tsik.verifier.TrustVerifier;

/* loaded from: input_file:org/apache/tsik/crl/CRLTrustVerifier.class */
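/**
 * {@link TrustVerifier} that checks whether a certificate has been revoked
 * according to the CRL published at the certificate's own CRL distribution
 * point (CDP).
 *
 * <p>A check ({@link #verifyTrust(X509Certificate[])}) proceeds as follows:
 * <ol>
 *   <li>The CDP URL is read from the certificate. A cached CRL for that URL
 *       is reused while its nextUpdate time has not passed; otherwise the CRL
 *       is fetched over HTTP or LDAP.</li>
 *   <li>A freshly fetched CRL must verify against a signer certificate, which
 *       is taken (in this order) from the supplied chain, from the signers
 *       registered through {@link #addCRLsigners}, from the certificate's AIA
 *       extension, or from the VeriSign directory matching its XKMS URL.</li>
 *   <li>A signer that is not self-signed is itself run through the same
 *       revocation check.</li>
 *   <li>Finally the certificate is looked up in the CRL.</li>
 * </ol>
 *
 * <p>Scope of the guarantee: this verifier answers "not revoked", not
 * "trusted". The CDP and AIA locations are taken from the certificate under
 * test, and nothing here anchors the CRL signer to a configured trust store
 * or confirms that the signer actually issued the certificate; callers that
 * need path validation must perform it separately. The three bundled
 * VeriSign test roots are pre-registered as CRL signers by the constructor.
 *
 * <p>The two caches are synchronized maps; no other mutable state is kept.
 */
public class CRLTrustVerifier implements TrustVerifier {
    // The decompiled "class$" helper and its cache field were javac synthetics
    // standing in for this class literal; the literal is used directly.
    private static final Logger log = LoggerFactory.getLogger(CRLTrustVerifier.class);

    /** LDAP directories queried for issuer certificates when the certificate names a known XKMS URL. */
    static String VERISIGN_PRODUCTION_DIRECTORY = "ldap://directory.verisign.com";
    static String VERISIGN_PILOT_DIRECTORY = "ldap://pilotldap.verisign.com";

    /** LDAP attribute ids holding the DER-encoded CRL and CA certificate. */
    private static final String CRL_ATTRIBUTE = "certificateRevocationList;binary";
    private static final String CA_CERT_ATTRIBUTE = "cacertificate;binary";

    /** CDP URL exactly as named in the certificate -> last CRL fetched from it. */
    private final Map cdpMap = Collections.synchronizedMap(new HashMap());
    /** Issuer DN string -> certificate used to verify that issuer's CRLs. */
    private final Map caMap = Collections.synchronizedMap(new HashMap());
    private final CertificateFactory cf;

    // PEM-encoded VeriSign test roots, registered as CRL signers at construction.
    static String TESTPCA1_CER = "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----\n";
    static String TESTPCA2_CER = "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----\n";
    static String TESTPCA3_CER = "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----\n";

    /**
     * Creates a verifier backed by an X.509 {@link CertificateFactory} with
     * the VeriSign test roots pre-registered as CRL signers.
     *
     * @throws TrustVerificationException if no X.509 certificate factory is available
     */
    public CRLTrustVerifier() throws TrustVerificationException {
        try {
            this.cf = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new TrustVerificationException(e);
        }
        addVeriSignTestRoots();
    }

    /** Not supported: a CRL check needs a certificate, so this always fails. */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public void verifyTrust() throws TrustVerificationException {
        throw new TrustVerificationException();
    }

    /** Not supported: a bare public key carries no CDP, so this always fails. */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public void verifyTrust(PublicKey publicKey) throws TrustVerificationException {
        throw new TrustVerificationException();
    }

    /** Not supported: a bare public key carries no CDP, so this always fails. */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public void verifyTrust(PublicKey publicKey, String str) throws TrustVerificationException {
        throw new TrustVerificationException();
    }

    /**
     * Checks that {@code x509CertificateArr[0]} is not listed in the CRL named
     * by its CDP extension.
     *
     * @param x509CertificateArr the certificate to check at index 0; an optional
     *        issuer certificate at index 1 is used as the CRL signer and cached
     * @throws TrustVerificationException if the array is empty, the certificate
     *         has no usable CDP, the CRL cannot be fetched, no signer is found,
     *         the CRL signature does not verify, or the certificate is revoked
     */
    @Override // org.apache.tsik.verifier.TrustVerifier
    public void verifyTrust(X509Certificate[] x509CertificateArr) throws TrustVerificationException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw new TrustVerificationException("No certificate to verify");
        }
        X509Certificate cert = x509CertificateArr[0];
        String name = cert.getSubjectDN().getName();
        log.debug("verifying " + name);
        CertInfo certInfo = new CertInfo(cert);
        String cdp = certInfo.getFullNameCDP();
        if (cdp == null) {
            throw new TrustVerificationException(name + " has no CRL distribution point");
        }
        X509CRL crl = cachedCrl(cdp);
        if (crl == null) {
            crl = fetchCrl(cdp, certInfo, cert);
            X509Certificate signer = getCrlSigner(x509CertificateArr, certInfo);
            if (signer == null) {
                throw new TrustVerificationException("Could not verify CRL signature");
            }
            // A signer that is not self-signed must itself pass the revocation check.
            if (!signer.getSubjectDN().toString().equals(signer.getIssuerDN().toString())) {
                verifyTrust(new X509Certificate[] { signer });
            }
            if (!isCRLvalid(crl, signer)) {
                throw new TrustVerificationException(cdp + " CRL found for " + name + " is not valid");
            }
            // Keyed by the CDP as named in the certificate, so the next lookup hits.
            this.cdpMap.put(cdp, crl);
        }
        if (crl.isRevoked(cert)) {
            throw new TrustVerificationException(name + " is revoked according to CRL found at " + cdp);
        }
    }

    /**
     * Registers certificates that may sign CRLs, keyed by their subject DN.
     *
     * @param collection {@link X509Certificate}s; a later entry with the same
     *        subject DN replaces an earlier one
     */
    public void addCRLsigners(Collection collection) {
        Iterator it = collection.iterator();
        while (it.hasNext()) {
            X509Certificate signer = (X509Certificate) it.next();
            this.caMap.put(signer.getSubjectDN().toString(), signer);
        }
    }

    /**
     * Returns the cached CRL for {@code cdp}, or {@code null} if none is cached
     * or the cached one has expired (in which case it is evicted).
     */
    private X509CRL cachedCrl(String cdp) {
        X509CRL crl = (X509CRL) this.cdpMap.get(cdp);
        if (crl != null && isCRLexpired(crl)) {
            this.cdpMap.remove(cdp);
            return null;
        }
        return crl;
    }

    /**
     * Downloads the CRL at {@code cdp} over HTTP or LDAP.
     *
     * @param cdp      the full-name CDP URL from the certificate
     * @param certInfo extension view of {@code cert}, used to classify the CDP
     * @param cert     the certificate being checked; its issuer DN is the LDAP base DN
     * @throws TrustVerificationException if the CDP type is unsupported or the fetch fails
     */
    private X509CRL fetchCrl(String cdp, CertInfo certInfo, X509Certificate cert) throws TrustVerificationException {
        if (certInfo.isHttpCDP()) {
            log.debug("httpCDP = " + cdp);
            // Distribution points ending in "LatestCRL" are fetched with a ".crl"
            // suffix (presumably a convention of the issuing directory - confirm).
            // Only the fetch URL changes; the cache key stays the CDP itself.
            String crlUrl = cdp.endsWith("LatestCRL") ? cdp + ".crl" : cdp;
            try {
                return readCrl(new URL(crlUrl).openStream());
            } catch (Exception e) {
                throw new TrustVerificationException("cdp = " + crlUrl + " error - ", e);
            }
        }
        if (certInfo.isLdapCDP()) {
            log.debug("ldapCDP = " + cdp);
            String providerUrl = ldapProviderUrl(cdp);
            String baseDn = cert.getIssuerDN().toString();
            log.debug("ldap baseDN = " + baseDn);
            try {
                byte[] der = readLdapBinaryAttribute(providerUrl, baseDn, CRL_ATTRIBUTE);
                if (der == null) {
                    throw new TrustVerificationException(cdp + " has no " + CRL_ATTRIBUTE + " attribute");
                }
                return readCrl(new ByteArrayInputStream(der));
            } catch (TrustVerificationException e) {
                throw e;
            } catch (Exception e) {
                throw new TrustVerificationException("cdp = " + cdp + " error - ", e);
            }
        }
        throw new TrustVerificationException(cdp + " type cdp's are not supported.");
    }

    /**
     * Whether {@code crl} is past its nextUpdate time. A CRL without a
     * nextUpdate (or any failure reading it) is reported as expired so it is
     * refetched rather than trusted indefinitely.
     */
    private boolean isCRLexpired(X509CRL crl) {
        try {
            log.debug("crl.getNextUpdate() = " + crl.getNextUpdate());
            return Calendar.getInstance().getTime().after(crl.getNextUpdate());
        } catch (Exception e) {
            log.debug("crl expiration check failed = " + e);
            return true;
        }
    }

    /** Whether {@code crl} carries a valid signature by {@code signer}'s public key. */
    private boolean isCRLvalid(X509CRL crl, X509Certificate signer) {
        try {
            crl.verify(signer.getPublicKey());
            return true;
        } catch (Exception e) {
            log.debug("crl.verify failed = " + e);
            return false;
        }
    }

    /**
     * Locates the certificate expected to have signed the CRL for
     * {@code chain[0]}, i.e. the certificate whose subject is {@code chain[0]}'s
     * issuer DN. Sources, in order: {@code chain[1]}, the signer cache, the
     * certificate's AIA location (HTTP or LDAP), then the VeriSign directory
     * matching its XKMS URL. Whatever is found is cached under the issuer DN.
     *
     * @return the signer, or {@code null} if none could be located
     * @throws TrustVerificationException if an HTTP AIA fetch fails
     */
    private X509Certificate getCrlSigner(X509Certificate[] chain, CertInfo certInfo) throws TrustVerificationException {
        String issuerDn = chain[0].getIssuerDN().toString();
        if (chain.length > 1 && chain[1] != null) {
            log.debug("CA is passed in");
            return cacheCa(issuerDn, chain[1]);
        }
        X509Certificate ca = (X509Certificate) this.caMap.get(issuerDn);
        if (ca != null) {
            log.debug("CA from map is available");
            return ca;
        }
        String aia = certInfo.getAIALocation();
        if (aia != null) {
            if (certInfo.isHttpAIA()) {
                log.debug("httpAIA = " + aia);
                try {
                    ca = readCertificate(new URL(aia).openStream());
                } catch (Exception e) {
                    throw new TrustVerificationException(aia + " aia is not valid error - ", e);
                }
                log.debug("CA is available");
                return cacheCa(issuerDn, ca);
            }
            if (certInfo.isLdapAIA()) {
                log.debug("ldapAIA = " + aia);
                return cacheCa(issuerDn, queryLdapForCert(ldapProviderUrl(aia), issuerDn));
            }
        }
        try {
            URL xkmsUrl = certInfo.getXkmsUrl();
            // Identity comparison kept from the original: CertInfo hands back its
            // own constants, and URL.equals would resolve host names.
            String directory = null;
            if (xkmsUrl == CertInfo.XKMS_PRODUCTION_URL) {
                directory = VERISIGN_PRODUCTION_DIRECTORY;
            } else if (xkmsUrl == CertInfo.XKMS_PILOT_URL) {
                directory = VERISIGN_PILOT_DIRECTORY;
            }
            if (directory != null) {
                ca = queryLdapForCert(directory, issuerDn);
                if (ca != null) {
                    log.debug("CA from = " + directory);
                }
                return cacheCa(issuerDn, ca);
            }
        } catch (Exception e) {
            // Best effort, as in the original; the failure is no longer silent.
            log.debug("xkms directory lookup failed = " + e);
        }
        log.debug("CA is NOT available");
        return null;
    }

    /** Stores {@code ca} under {@code issuerDn} when non-null and returns it unchanged. */
    private X509Certificate cacheCa(String issuerDn, X509Certificate ca) {
        if (ca != null) {
            this.caMap.put(issuerDn, ca);
        }
        return ca;
    }

    /**
     * Fetches the {@code cacertificate;binary} attribute of {@code baseDn}
     * from the directory at {@code providerUrl}.
     *
     * @return the parsed certificate, or {@code null} on any failure or if
     *         the entry has no such attribute
     */
    private X509Certificate queryLdapForCert(String providerUrl, String baseDn) {
        try {
            byte[] der = readLdapBinaryAttribute(providerUrl, baseDn, CA_CERT_ATTRIBUTE);
            return der == null ? null : readCertificate(new ByteArrayInputStream(der));
        } catch (Exception e) {
            log.debug("ldap " + CA_CERT_ATTRIBUTE + " lookup failed = " + e);
            return null;
        }
    }

    /**
     * Reads one binary attribute of the LDAP entry {@code baseDn} from the
     * directory at {@code providerUrl}, closing the JNDI context afterwards.
     * Both the provider URL and the base DN are taken from the certificate
     * under test (or from the XKMS directory constants).
     *
     * @return the raw attribute value, or {@code null} if the entry has no such attribute
     * @throws NamingException on any directory failure
     */
    private static byte[] readLdapBinaryAttribute(String providerUrl, String baseDn, String attrId) throws NamingException {
        Hashtable env = new Hashtable();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.provider.url", providerUrl);
        InitialDirContext ctx = new InitialDirContext(env);
        try {
            Attribute attr = ctx.getAttributes(baseDn, new String[] { attrId }).get(attrId);
            return attr == null ? null : (byte[]) attr.get();
        } finally {
            ctx.close();
        }
    }

    /**
     * Drops everything after the last '/' of an LDAP URL; the remainder is
     * used as the JNDI provider URL. Character-based, unlike the original
     * byte-offset substring, so non-ASCII DNs cannot corrupt the result.
     * A URL without any '/' is returned unchanged.
     */
    private static String ldapProviderUrl(String ldapUrl) {
        int slash = ldapUrl.lastIndexOf('/');
        return slash < 0 ? ldapUrl : ldapUrl.substring(0, slash);
    }

    /** Parses one X.509 CRL from {@code in}; the stream is always closed. */
    private X509CRL readCrl(InputStream in) throws CRLException, IOException {
        try {
            return (X509CRL) this.cf.generateCRL(in);
        } finally {
            in.close();
        }
    }

    /** Parses one X.509 certificate from {@code in}; the stream is always closed. */
    private X509Certificate readCertificate(InputStream in) throws CertificateException, IOException {
        try {
            return (X509Certificate) this.cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /**
     * Registers the three bundled VeriSign test roots as CRL signers. A root
     * that fails to parse is logged and skipped; the others are still added.
     */
    private void addVeriSignTestRoots() {
        String[] pems = { TESTPCA1_CER, TESTPCA2_CER, TESTPCA3_CER };
        ArrayList roots = new ArrayList();
        for (int i = 0; i < pems.length; i++) {
            try {
                roots.add(readCertificate(new ByteArrayInputStream(pems[i].getBytes())));
            } catch (Exception e) {
                log.error(e);
            }
        }
        addCRLsigners(roots);
    }
}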
