package org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.crl;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.CertificateVerificationException;
import org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.Constants;
import org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.RevocationStatus;
import org.wso2.transport.http.netty.contractimpl.common.certificatevalidation.RevocationVerifier;

/* JADX WARN: Classes with same name are omitted:
  input_file:dependencies/msf4j-all-2.8.1.jar:org/wso2/transport/http/netty/contractimpl/common/certificatevalidation/crl/CRLVerifier.class
 */
/* loaded from: input_file:org/wso2/transport/http/netty/contractimpl/common/certificatevalidation/crl/CRLVerifier.class */
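/**
 * Checks a certificate's revocation status against the CRLs named in its
 * CRL Distribution Points extension.
 *
 * <p>The distribution-point URLs are read from the certificate under test, so they are
 * untrusted input: this class only fetches {@code http}/{@code https} URLs, bounds the
 * connection with timeouts, and accepts a CRL only when its signature verifies against
 * the issuer certificate's public key.
 *
 * <p>NOTE(review): CRL freshness (thisUpdate/nextUpdate) is not checked here; whether
 * {@code CRLCache} enforces it is not visible from this class - confirm. The size of a
 * downloaded CRL is also unbounded.
 */
public class CRLVerifier implements RevocationVerifier {
    private static final Logger LOG = LoggerFactory.getLogger(CRLVerifier.class);

    // Defaults introduced with the timeout fix; tune for the deployment. Without them a
    // distribution point that never answers can hold the calling thread indefinitely.
    private static final int CONNECT_TIMEOUT_MILLIS = 5_000;
    private static final int READ_TIMEOUT_MILLIS = 10_000;

    private final CRLCache cache;

    /**
     * @param cRLCache cache of previously downloaded CRLs keyed by URL; may be {@code null},
     *                 in which case every check downloads the CRL
     */
    public CRLVerifier(CRLCache cRLCache) {
        this.cache = cRLCache;
    }

    /**
     * Tries each CRL distribution point of the certificate in order and returns the status
     * from the first CRL that can be obtained and whose signature verifies against the issuer.
     *
     * @param x509Certificate  the certificate whose revocation status is checked
     * @param x509Certificate2 the issuer certificate; its public key authenticates the CRL
     * @return {@code REVOKED} if the CRL lists the certificate, otherwise {@code GOOD}
     * @throws CertificateVerificationException if the issuer is missing, the certificate has no
     *         usable distribution point, or no distribution point yields a verifiable CRL
     */
    @Override
    public RevocationStatus checkRevocationStatus(X509Certificate x509Certificate, X509Certificate x509Certificate2)
            throws CertificateVerificationException {
        if (x509Certificate2 == null) {
            // Fail closed: without the issuer key a CRL cannot be authenticated, and an
            // unauthenticated CRL fetched over plain HTTP proves nothing.
            throw new CertificateVerificationException("Issuer certificate is required to verify the CRL signature");
        }

        Exception lastFailure = null;
        for (String crlUrl : getCrlDistributionPoints(x509Certificate)) {
            LOG.info("Trying to get CRL for URL: {}", crlUrl);

            X509CRL cached = this.cache != null ? this.cache.getCacheValue(crlUrl) : null;
            if (cached != null && isSignedBy(cached, x509Certificate2, crlUrl)) {
                RevocationStatus status = getRevocationStatus(cached, x509Certificate);
                LOG.info("CRL taken from cache.");
                return status;
            }

            try {
                X509CRL downloaded = downloadCRLFromWeb(crlUrl);
                if (downloaded != null && isSignedBy(downloaded, x509Certificate2, crlUrl)) {
                    // Only verified CRLs are cached, so a bad response cannot poison later checks.
                    if (this.cache != null) {
                        this.cache.setCacheValue(crlUrl, downloaded);
                    }
                    return getRevocationStatus(downloaded, x509Certificate);
                }
            } catch (IOException | CertificateVerificationException e) {
                // downloadCRLFromWeb wraps its I/O failures in CertificateVerificationException,
                // so both types must be caught for the fall-through to the next URL to work.
                LOG.info("Either URL is bad or can't build X509CRL. So check with the next url in the list.", e);
                lastFailure = e;
            }
        }

        if (lastFailure != null) {
            throw new CertificateVerificationException(
                    "Cannot check revocation status with the certificate", lastFailure);
        }
        throw new CertificateVerificationException("Cannot check revocation status with the certificate");
    }

    /** Maps the CRL's verdict for the certificate onto a {@link RevocationStatus}. */
    private RevocationStatus getRevocationStatus(X509CRL x509crl, X509Certificate x509Certificate) {
        return x509crl.isRevoked(x509Certificate) ? RevocationStatus.REVOKED : RevocationStatus.GOOD;
    }

    /**
     * Returns whether the CRL's signature verifies with the issuer certificate's public key.
     * A failure is logged and reported as {@code false} so the caller can try another source.
     */
    private boolean isSignedBy(X509CRL crl, X509Certificate issuer, String crlUrl) {
        try {
            crl.verify(issuer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            LOG.warn("CRL from {} is not signed by the certificate issuer; ignoring it.", crlUrl, e);
            return false;
        }
    }

    /**
     * Downloads and parses the CRL at the given URL.
     *
     * <p>The returned CRL is parsed but NOT authenticated; callers must verify its signature
     * before trusting it.
     *
     * @param str the CRL URL; only {@code http} and {@code https} are accepted
     * @return the parsed CRL
     * @throws CertificateVerificationException if the URL is malformed or uses another scheme,
     *         the endpoint cannot be read, or the response is not a parsable X.509 CRL
     * @throws IOException declared for interface compatibility; I/O failures are wrapped in
     *         {@link CertificateVerificationException}
     */
    public X509CRL downloadCRLFromWeb(String str) throws IOException, CertificateVerificationException {
        URL url;
        try {
            url = new URL(str);
        } catch (MalformedURLException e) {
            throw new CertificateVerificationException("CRL URL is malformed", e);
        }

        // The URL comes from the peer's certificate. Refuse every scheme except HTTP(S) so the
        // fetch cannot be pointed at local files or other URL handlers. The host is still
        // chosen by the certificate, so network egress policy remains a separate control.
        String protocol = url.getProtocol();
        if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
            throw new CertificateVerificationException(
                    "Unsupported CRL URL scheme: " + protocol + " - only support HTTP");
        }

        try {
            URLConnection connection = url.openConnection();
            connection.setConnectTimeout(CONNECT_TIMEOUT_MILLIS);
            connection.setReadTimeout(READ_TIMEOUT_MILLIS);
            try (InputStream in = connection.getInputStream()) {
                return (X509CRL) CertificateFactory.getInstance(Constants.X_509).generateCRL(in);
            }
        } catch (IOException e) {
            throw new CertificateVerificationException("Cant reach URI: " + str + " - only support HTTP", e);
        } catch (CRLException e) {
            throw new CertificateVerificationException("Cannot generate X509CRL from the stream data", e);
        } catch (CertificateException e) {
            throw new CertificateVerificationException(e);
        }
    }

    /**
     * Extracts the URI entries of the certificate's CRL Distribution Points extension.
     *
     * @return the distribution-point URIs, trimmed, in extension order; never empty
     * @throws CertificateVerificationException if the extension is absent, cannot be decoded,
     *         or contains no URI-typed full name
     */
    private List<String> getCrlDistributionPoints(X509Certificate x509Certificate)
            throws CertificateVerificationException {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (extensionValue == null) {
            throw new CertificateVerificationException("Certificate doesn't have CRL distribution points");
        }

        List<String> urls = new ArrayList<>();
        try (ASN1InputStream asn1In = new ASN1InputStream(extensionValue)) {
            // The extension value is an OCTET STRING wrapping the DER-encoded CRLDistPoint.
            CRLDistPoint distPoint = getOctetInputStream((DEROctetString) asn1In.readObject());
            for (DistributionPoint point : distPoint.getDistributionPoints()) {
                DistributionPointName pointName = point.getDistributionPoint();
                if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
                    continue;
                }
                for (GeneralName name : GeneralNames.getInstance(pointName.getName()).getNames()) {
                    if (name.getTagNo() == GeneralName.uniformResourceIdentifier) {
                        urls.add(DERIA5String.getInstance(name.getName()).getString().trim());
                    }
                }
            }
        } catch (IOException e) {
            throw new CertificateVerificationException("Cannot read certificate to get CRL URLs", e);
        }

        if (urls.isEmpty()) {
            throw new CertificateVerificationException("Cant get CRL urls from certificate");
        }
        return urls;
    }

    /**
     * Decodes the contents of the given octet string as a {@link CRLDistPoint}.
     *
     * @throws CertificateVerificationException if the octets cannot be read as ASN.1
     */
    private CRLDistPoint getOctetInputStream(DEROctetString dEROctetString) throws CertificateVerificationException {
        try (ASN1InputStream asn1In = new ASN1InputStream(dEROctetString.getOctets())) {
            return CRLDistPoint.getInstance(asn1In.readObject());
        } catch (IOException e) {
            throw new CertificateVerificationException("Cannot read certificate to get CRL URLs", e);
        }
    }
}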
