package org.apache.synapse.transport.certificatevalidation.crl;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.transport.certificatevalidation.CertificateVerificationException;
import org.apache.synapse.transport.certificatevalidation.RevocationStatus;
import org.apache.synapse.transport.certificatevalidation.RevocationVerifier;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

/* loaded from: input_file:WEB-INF/lib/synapse-nhttp-transport-2.1.7-wso2v52.jar:org/apache/synapse/transport/certificatevalidation/crl/CRLVerifier.class */
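/**
 * Revocation checker that consults Certificate Revocation Lists (CRLs).
 *
 * <p>The CRL distribution point URLs are read from the certificate under validation, each URL is
 * tried in order (cache first, then download), and the first CRL that can be obtained decides the
 * status via {@link X509CRL#isRevoked(java.security.cert.Certificate)}.
 *
 * <p>NOTE(review): the downloaded CRL is not authenticated here &mdash; its signature is never
 * checked against the issuer certificate and its {@code nextUpdate} is not inspected &mdash; and the
 * URL list comes from the very certificate being validated. Callers that need authenticated,
 * fresh revocation data must add those checks themselves.
 */
public class CRLVerifier implements RevocationVerifier {

    /** Optional URL-keyed cache of previously downloaded CRLs; may be {@code null}. */
    private final CRLCache cache;

    private static final Log log = LogFactory.getLog(CRLVerifier.class);

    /**
     * Creates a verifier.
     *
     * @param cRLCache cache consulted before downloading, or {@code null} to always download
     */
    public CRLVerifier(CRLCache cRLCache) {
        this.cache = cRLCache;
    }

    /**
     * Determines the revocation status of {@code peerCert} using its CRL distribution points.
     *
     * <p>Distribution points are tried one by one; a point whose CRL cannot be downloaded or parsed
     * is logged and skipped so that the remaining points still get a chance.
     *
     * @param peerCert   certificate whose status is checked; must carry the CRL Distribution Points
     *                   extension
     * @param issuerCert issuer of {@code peerCert}; currently unused (see the class note on CRL
     *                   signature verification)
     * @return {@link RevocationStatus#REVOKED} if the first obtainable CRL lists the certificate,
     *         {@link RevocationStatus#GOOD} otherwise
     * @throws CertificateVerificationException if the certificate has no usable distribution
     *                                          points or no CRL could be obtained from any of them
     */
    @Override // org.apache.synapse.transport.certificatevalidation.RevocationVerifier
    public RevocationStatus checkRevocationStatus(X509Certificate peerCert, X509Certificate issuerCert)
            throws CertificateVerificationException {
        for (String crlUrl : getCrlDistributionPoints(peerCert)) {
            log.info("Trying to get CRL for URL: " + crlUrl);

            if (cache != null) {
                X509CRL cached = cache.getCacheValue(crlUrl);
                if (cached != null) {
                    RevocationStatus status = getRevocationStatus(cached, peerCert);
                    log.info("CRL taken from cache....");
                    return status;
                }
            }

            // Initialised to null so a failed download simply falls through to the next URL
            // (the decompiled form left this local unassigned on the exception path).
            X509CRL downloaded = null;
            try {
                downloaded = downloadCRLFromWeb(crlUrl);
            } catch (Exception e) {
                // Best effort: one unreachable or unparseable distribution point must not abort the check.
                log.info("Either url is bad or cant build X509CRL. So check with the next url in the list.", e);
            }
            if (downloaded != null) {
                if (cache != null) {
                    cache.setCacheValue(crlUrl, downloaded);
                }
                return getRevocationStatus(downloaded, peerCert);
            }
        }
        throw new CertificateVerificationException("Cannot check revocation status with the certificate");
    }

    /**
     * Maps the CRL's verdict for {@code cert} onto a {@link RevocationStatus}.
     *
     * @param crl  CRL to consult
     * @param cert certificate to look up
     * @return {@code REVOKED} if the CRL lists the certificate, {@code GOOD} otherwise
     */
    private RevocationStatus getRevocationStatus(X509CRL crl, X509Certificate cert) {
        return crl.isRevoked(cert) ? RevocationStatus.REVOKED : RevocationStatus.GOOD;
    }

    /**
     * Downloads and parses a CRL from the given URL.
     *
     * <p>NOTE(review): {@code crlUrl} originates from the certificate being validated, and
     * {@link URL#openStream()} follows any scheme the JDK has a handler for, not only HTTP as the
     * error message suggests; scheme restrictions are not enforced here.
     *
     * @param crlUrl distribution point URL taken from the certificate
     * @return the parsed CRL
     * @throws CertificateVerificationException if the URL is malformed or unreachable, or the
     *                                          response cannot be parsed as an X.509 CRL
     * @throws IOException                      if closing the download stream fails
     */
    public X509CRL downloadCRLFromWeb(String crlUrl) throws IOException, CertificateVerificationException {
        InputStream in = null;
        try {
            in = new URL(crlUrl).openStream();
            return (X509CRL) CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID).generateCRL(in);
        } catch (MalformedURLException e) {
            // Must precede the IOException handler: MalformedURLException is a subclass of it.
            throw new CertificateVerificationException("CRL Url is malformed", e);
        } catch (IOException e) {
            throw new CertificateVerificationException("Cant reach URI: " + crlUrl + " - only support HTTP", e);
        } catch (CertificateException e) {
            throw new CertificateVerificationException(e);
        } catch (CRLException e) {
            throw new CertificateVerificationException("Cannot generate X509CRL from the stream data", e);
        } finally {
            if (in != null) {
                in.close();
            }
        }
    }

    /**
     * Extracts the URI-typed fullName entries of the certificate's CRL Distribution Points extension.
     *
     * @param cert certificate to read
     * @return the CRL URLs in the order they appear in the extension, trimmed; never empty
     * @throws CertificateVerificationException if the extension is absent, cannot be decoded, or
     *                                          contains no URI distribution point
     */
    private List<String> getCrlDistributionPoints(X509Certificate cert) throws CertificateVerificationException {
        byte[] extensionValue = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (extensionValue == null) {
            throw new CertificateVerificationException("Certificate doesn't have CRL Distribution points");
        }
        try {
            // getExtensionValue() returns the DER OCTET STRING that wraps the actual
            // CRLDistributionPoints structure, hence the two-step decode. Both streams sit on
            // in-memory byte arrays, so leaving them unclosed holds no resource.
            byte[] encodedDistPoints =
                    ((DEROctetString) new ASN1InputStream(extensionValue).readObject()).getOctets();
            CRLDistPoint distPoint = CRLDistPoint.getInstance(new ASN1InputStream(encodedDistPoints).readObject());

            List<String> crlUrls = new ArrayList<String>();
            for (DistributionPoint dp : distPoint.getDistributionPoints()) {
                DistributionPointName dpName = dp.getDistributionPoint();
                // Only fullName points carry GeneralNames; nameRelativeToCRLIssuer points are skipped.
                if (dpName == null || dpName.getType() != DistributionPointName.FULL_NAME) {
                    continue;
                }
                for (GeneralName name : GeneralNames.getInstance(dpName.getName()).getNames()) {
                    if (name.getTagNo() == GeneralName.uniformResourceIdentifier) {
                        crlUrls.add(DERIA5String.getInstance(name.getName()).getString().trim());
                    }
                }
            }
            if (crlUrls.isEmpty()) {
                throw new CertificateVerificationException("Cant get CRL urls from certificate");
            }
            return crlUrls;
        } catch (IOException e) {
            throw new CertificateVerificationException("Cannot read certificate to get CRL urls", e);
        }
    }
}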
