package com.gitblit;

import java.io.File;
import java.io.FileInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.concurrent.atomic.AtomicLong;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/gitblit-1.2.0.wso2v1.jar:com/gitblit/GitblitTrustManager.class */
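/**
 * {@link X509TrustManager} that looks a client certificate up in a CA revocation list (CRL)
 * file before handing the chain to a delegate trust manager.
 *
 * <p>The CRL file is optional: when it does not exist no revocation check is made. When it
 * exists it is re-parsed whenever its modification time differs from the one recorded at the
 * last successful load. Server certificates and accepted issuers are passed straight to the
 * delegate.
 */
public class GitblitTrustManager implements X509TrustManager {
    private static final Logger logger = LoggerFactory.getLogger(GitblitTrustManager.class);
    private final X509TrustManager delegate;
    private final File caRevocationList;
    // Modification time of the file version currently held in crl; 0 means nothing loaded yet.
    private final AtomicLong lastModified = new AtomicLong(0);
    // Most recently parsed CRL; stays null until the first successful load.
    private volatile X509CRL crl;

    /**
     * @param x509TrustManager trust manager that performs the actual chain validation
     * @param file CRL file to consult; it may be absent, in which case nothing is treated as revoked
     */
    public GitblitTrustManager(X509TrustManager x509TrustManager, File file) {
        this.delegate = x509TrustManager;
        this.caRevocationList = file;
    }

    /**
     * Rejects the chain if its first certificate is revoked, otherwise defers to the delegate.
     *
     * @throws CertificateException if the first certificate is revoked (or the CRL exists but
     *     could not be loaded), or if the delegate rejects the chain
     * @throws IllegalArgumentException if the chain is null or empty
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        // Reject a missing chain explicitly instead of failing on the index access below.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Client certificate chain is null or empty");
        }
        // Only the first certificate of the chain is looked up in the CRL; the remaining
        // entries are validated solely by the delegate.
        X509Certificate clientCert = x509CertificateArr[0];
        if (isRevoked(clientCert)) {
            // The revocation lookup runs before the delegate has validated the chain, so the
            // serial number and subject logged here come from a certificate that has not been
            // verified yet.
            String message = MessageFormat.format("Rejecting revoked certificate {0,number,0} for {1}", clientCert.getSerialNumber(), clientCert.getSubjectDN().getName());
            logger.warn(message);
            throw new CertificateException(message);
        }
        this.delegate.checkClientTrusted(x509CertificateArr, str);
    }

    /** Delegates unchanged; no revocation lookup is made for server certificates. */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.checkServerTrusted(x509CertificateArr, str);
    }

    /** Returns the delegate's accepted issuers. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.delegate.getAcceptedIssuers();
    }

    /**
     * Reports whether the certificate must be rejected according to the CRL file.
     *
     * @return {@code false} when the CRL file does not exist or does not list the certificate;
     *     {@code true} when the CRL lists the certificate or its serial number, and also when
     *     the file exists but no CRL could ever be loaded from it
     */
    protected boolean isRevoked(X509Certificate x509Certificate) {
        if (!this.caRevocationList.exists()) {
            return false;
        }
        read();
        // Take one snapshot of the volatile field so both lookups below use the same CRL.
        X509CRL current = this.crl;
        if (current == null) {
            // A revocation list is configured but unusable. Previously this dereferenced null;
            // refuse the certificate explicitly rather than skipping the revocation check.
            logger.error("CRL " + this.caRevocationList.getAbsolutePath() + " exists but could not be loaded; rejecting certificate");
            return true;
        }
        if (current.isRevoked(x509Certificate)) {
            return true;
        }
        if (current.getRevokedCertificate(x509Certificate.getSerialNumber()) == null) {
            return false;
        }
        // The serial number is listed although isRevoked() said no; the certificate is still
        // treated as revoked and both issuers are logged for diagnosis.
        logger.warn("Certificate issuer does not match CRL issuer, but serial number has been revoked!");
        logger.warn("   cert issuer = " + x509Certificate.getIssuerX500Principal());
        logger.warn("   crl issuer  = " + current.getIssuerX500Principal());
        return true;
    }

    /**
     * Re-parses the CRL file when its modification time differs from the recorded one.
     *
     * <p>A failed load is logged and leaves the previously loaded CRL (if any) in place; the
     * recorded modification time is not advanced, so the next call tries again.
     */
    protected synchronized void read() {
        // Sample the timestamp before parsing: if the file is replaced while it is being read,
        // the recorded time is the older one and the next call reloads the newer content.
        long fileStamp = this.caRevocationList.lastModified();
        if (this.lastModified.get() == fileStamp) {
            return;
        }
        String path = this.caRevocationList.getAbsolutePath();
        logger.info("Reloading CRL from " + path);
        try (FileInputStream in = new FileInputStream(this.caRevocationList)) {
            this.crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            this.lastModified.set(fileStamp);
        } catch (Exception e) {
            // Loading stays best-effort, but a stale or missing revocation list must be
            // visible to the operator instead of being swallowed silently.
            logger.error("Error while loading CRL from " + path, e);
        }
    }
}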
