package eu.europa.esig.dss.x509.crl;

import eu.europa.esig.dss.DSSException;
import eu.europa.esig.dss.DSSUtils;
import eu.europa.esig.dss.OID;
import eu.europa.esig.dss.SignatureAlgorithm;
import eu.europa.esig.dss.tsl.KeyUsageBit;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.x509.CertificateToken;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.util.Date;
import java.util.Set;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.asn1.x509.ReasonFlags;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/x509/crl/CRLUtils.class */
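public class CRLUtils {
    private static final Logger LOG = LoggerFactory.getLogger(CRLUtils.class);

    /**
     * Builds a {@link CRLValidity} describing how {@code x509crl} relates to the candidate issuer
     * {@code certificateToken}.
     *
     * The result records the DER encoding, the signature algorithm, whether the CRL issuer DN matches the
     * certificate subject DN, the thisUpdate/nextUpdate dates, the expiredCertsOnCRL extension date (if any),
     * the outcome of the critical-extension check and of the signature check. The CRL-sign key-usage flag of
     * the issuer is only evaluated when the signature verified against that issuer.
     *
     * @param x509crl          the CRL under examination
     * @param certificateToken the candidate issuer whose public key is used to verify the CRL signature
     * @return a populated {@link CRLValidity}; never {@code null}
     * @throws DSSException if the JCA provider needed to verify the signature is not available
     */
    public static CRLValidity isValidCRL(X509CRL x509crl, CertificateToken certificateToken) {
        CRLValidity cRLValidity = new CRLValidity();
        cRLValidity.setX509CRL(x509crl);
        try {
            cRLValidity.setCrlEncoded(x509crl.getEncoded());
        } catch (CRLException e) {
            // Best effort: a CRL whose binaries cannot be re-encoded is still examined below.
            LOG.error("Unable to read the CRL binaries", e);
        }
        cRLValidity.setSignatureAlgorithm(SignatureAlgorithm.forOID(x509crl.getSigAlgOID()));
        cRLValidity.setIssuerX509PrincipalMatches(issuerMatchesSubject(x509crl, certificateToken));
        cRLValidity.setThisUpdate(x509crl.getThisUpdate());
        cRLValidity.setNextUpdate(x509crl.getNextUpdate());
        cRLValidity.setExpiredCertsOnCRL(getExpiredCertsOnCRL(x509crl));
        checkCriticalExtensions(x509crl, cRLValidity);
        checkSignatureValue(x509crl, certificateToken, cRLValidity);
        if (cRLValidity.isSignatureIntact()) {
            // Key usage is only meaningful once we know the token really signed this CRL.
            cRLValidity.setCrlSignKeyUsage(hasCRLSignKeyUsage(certificateToken));
        }
        return cRLValidity;
    }

    /**
     * Compares the CRL issuer DN with the candidate issuer's subject DN after normalisation.
     *
     * @param x509crl          the CRL
     * @param certificateToken the candidate issuer
     * @return {@code true} when the normalised principals are equal
     */
    private static boolean issuerMatchesSubject(X509CRL x509crl, CertificateToken certificateToken) {
        return DSSUtils.getNormalizedX500Principal(x509crl.getIssuerX500Principal())
                .equals(DSSUtils.getNormalizedX500Principal(certificateToken.getSubjectX500Principal()));
    }

    /**
     * Tells whether the token carries the {@code cRLSign} key-usage bit.
     *
     * @param certificateToken the certificate to inspect
     * @return {@code true} when the key usage allows signing CRLs
     */
    static boolean hasCRLSignKeyUsage(CertificateToken certificateToken) {
        return certificateToken.checkKeyUsage(KeyUsageBit.crlSign);
    }

    /**
     * Verifies the CRL signature with the public key of {@code certificateToken}.
     *
     * On success the validity is marked as signature-intact and the token is recorded as issuer. Any
     * cryptographic failure is recorded as the invalidity reason instead of being propagated; only a missing
     * provider is considered an environment error and rethrown.
     *
     * @param x509crl          the CRL whose signature is checked
     * @param certificateToken the candidate issuer
     * @param cRLValidity      the result object to update
     * @throws DSSException if the required JCA provider is not installed
     */
    private static void checkSignatureValue(X509CRL x509crl, CertificateToken certificateToken, CRLValidity cRLValidity) {
        try {
            x509crl.verify(certificateToken.getPublicKey());
            cRLValidity.setSignatureIntact(true);
            cRLValidity.setIssuerToken(certificateToken);
        } catch (InvalidKeyException e) {
            cRLValidity.setSignatureInvalidityReason(invalidityReason(e));
        } catch (NoSuchAlgorithmException e) {
            cRLValidity.setSignatureInvalidityReason(invalidityReason(e));
        } catch (SignatureException e) {
            cRLValidity.setSignatureInvalidityReason(invalidityReason(e));
        } catch (CRLException e) {
            cRLValidity.setSignatureInvalidityReason(invalidityReason(e));
        } catch (NoSuchProviderException e) {
            throw new DSSException(e);
        }
    }

    /**
     * Formats a verification failure as {@code "<SimpleClassName> - <message>"} for the validity object.
     *
     * @param e the failure
     * @return the reason string
     */
    private static String invalidityReason(Exception e) {
        return e.getClass().getSimpleName() + " - " + e.getMessage();
    }

    /**
     * Evaluates the critical extensions of the CRL and records whether an unknown one is present.
     *
     * A CRL without critical extensions is accepted. Otherwise only the IssuingDistributionPoint (IDP)
     * extension is interpreted: the CRL is accepted when the IDP carries a full-name distribution point with
     * at least one URI, no {@code onlySomeReasons} restriction, and an acceptable combination of scope flags.
     * A CRL that has critical extensions but no parseable IDP is flagged as carrying an unknown critical
     * extension rather than throwing.
     *
     * NOTE(review): other critical OIDs present alongside the IDP are not examined here, so such a CRL is
     * still cleared when the IDP itself is acceptable.
     *
     * @param x509crl     the CRL to inspect
     * @param cRLValidity the result object to update
     */
    private static void checkCriticalExtensions(X509CRL x509crl, CRLValidity cRLValidity) {
        Set<String> criticalExtensionOIDs = x509crl.getCriticalExtensionOIDs();
        if (criticalExtensionOIDs == null || criticalExtensionOIDs.isEmpty()) {
            cRLValidity.setUnknownCriticalExtension(false);
            return;
        }
        byte[] idpValue = x509crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (!Utils.isArrayNotEmpty(idpValue)) {
            // Critical extensions exist but none is an IDP we can interpret: previously this path
            // dereferenced a null extension value; treat it as an unknown critical extension.
            cRLValidity.setUnknownCriticalExtension(true);
            return;
        }
        IssuingDistributionPoint idp;
        try {
            idp = IssuingDistributionPoint.getInstance(ASN1OctetString.getInstance(idpValue).getOctets());
        } catch (IllegalArgumentException e) {
            // Malformed IDP content from an untrusted CRL must not abort validation.
            LOG.warn("Unable to parse the IssuingDistributionPoint extension : {}", e.getMessage(), e);
            cRLValidity.setUnknownCriticalExtension(true);
            return;
        }
        cRLValidity.setUnknownCriticalExtension(!isIssuingDistributionPointAcceptable(idp));
    }

    /**
     * Applies the acceptance rule for an IDP extension.
     *
     * @param idp the decoded IssuingDistributionPoint
     * @return {@code true} when the IDP is understood and acceptable
     */
    private static boolean isIssuingDistributionPointAcceptable(IssuingDistributionPoint idp) {
        boolean onlyAttributeCerts = idp.onlyContainsAttributeCerts();
        boolean onlyCaCerts = idp.onlyContainsCACerts();
        boolean onlyUserCerts = idp.onlyContainsUserCerts();
        boolean indirectCrl = idp.isIndirectCRL();
        // Original rule preserved: this is only false when all four flags are set simultaneously, so it
        // rejects almost nothing in practice — TODO confirm whether a disjunction was intended.
        boolean scopeFlagsAcceptable = !(onlyAttributeCerts && onlyCaCerts && onlyUserCerts && indirectCrl);
        boolean noReasonRestriction = idp.getOnlySomeReasons() == null;
        return scopeFlagsAcceptable && noReasonRestriction && hasUriFullName(idp.getDistributionPoint());
    }

    /**
     * Checks that the distribution point is a full name containing at least one URI general name.
     *
     * @param distributionPoint the IDP distribution point; may be {@code null} (the field is optional)
     * @return {@code true} when a URI entry is found
     */
    private static boolean hasUriFullName(DistributionPointName distributionPoint) {
        if (distributionPoint == null || distributionPoint.getType() != DistributionPointName.FULL_NAME) {
            return false;
        }
        GeneralNames generalNames = (GeneralNames) distributionPoint.getName();
        if (generalNames == null || generalNames.getNames() == null) {
            return false;
        }
        for (GeneralName generalName : generalNames.getNames()) {
            if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the non-critical {@code id-ce-expiredCertsOnCRL} extension as a date.
     *
     * @param x509crl the CRL to inspect
     * @return the GeneralizedTime carried by the extension, or {@code null} when the extension is absent,
     *         empty or cannot be decoded (the decoding failure is logged)
     */
    public static Date getExpiredCertsOnCRL(X509CRL x509crl) {
        String oid = OID.id_ce_expiredCertsOnCRL.getId();
        Set<String> nonCriticalExtensionOIDs = x509crl.getNonCriticalExtensionOIDs();
        if (nonCriticalExtensionOIDs == null || !nonCriticalExtensionOIDs.contains(oid)) {
            return null;
        }
        byte[] extensionValue = x509crl.getExtensionValue(oid);
        if (!Utils.isArrayNotEmpty(extensionValue)) {
            return null;
        }
        try {
            // The extension value is an OCTET STRING wrapping the DER-encoded GeneralizedTime.
            ASN1OctetString wrapper = (ASN1OctetString) ASN1Primitive.fromByteArray(extensionValue);
            ASN1GeneralizedTime time = (ASN1GeneralizedTime) ASN1Primitive.fromByteArray(wrapper.getOctets());
            return time.getDate();
        } catch (Exception e) {
            // Best effort: decoding (IOException/ParseException) or type (ClassCastException) failures only
            // lose this optional date, they do not invalidate the CRL.
            LOG.error("Unable to retrieve id_ce_expiredCertsOnCRL on CRL : " + e.getMessage(), e);
            return null;
        }
    }
}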
