package org.cesecore.certificates.ca.internal;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.x509.PrivateKeyUsagePeriod;
import org.cesecore.certificates.ca.CAOfflineException;
import org.cesecore.certificates.ca.IllegalValidityException;
import org.cesecore.certificates.certificateprofile.CertificateProfile;
import org.cesecore.certificates.endentity.EndEntityInformation;
import org.cesecore.certificates.endentity.ExtendedInformation;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.internal.InternalResources;
import org.cesecore.util.CertTools;
import org.cesecore.util.SimpleTime;
import org.cesecore.util.ValidityDate;

/* loaded from: input_file:org/cesecore/certificates/ca/internal/CertificateValidity.class */
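/**
 * Computes the validity interval (notBefore / notAfter) for a certificate that is about to be issued.
 *
 * <p>The interval is derived from the requested dates, the end entity's extended information and
 * the certificate profile. It is then limited by the profile's maximum validity, by the validity
 * of the supplied issuing certificate, and by the globally configured latest expiry date
 * ({@code ca.toolateexpiredate} in cesecore.properties).
 *
 * <p>The two global limits are held in mutable static fields without synchronization.
 */
public class CertificateValidity {
    private static final Logger log = Logger.getLogger(CertificateValidity.class);
    private static final InternalResources intres = InternalResources.getInstance();
    /** Global cap: no certificate may expire at or after this instant. */
    private static Date TOO_LATE_EXPIRE_DATE;
    /** Offset in milliseconds added to "now" when the profile defines no offset of its own. */
    private static long DEFAULT_VALIDITY_OFFSET;

    static {
        String caTooLateExpireDate = CesecoreConfiguration.getCaTooLateExpireDate();
        try {
            TOO_LATE_EXPIRE_DATE = ValidityDate.parseCaLatestValidDateTime(caTooLateExpireDate);
        } catch (Exception e) {
            // An unparsable setting falls back to the largest representable date, which in
            // practice disables the global cap. The warning below is the only trace of that.
            String formatAsISO8601 = ValidityDate.formatAsISO8601(new Date(Long.MAX_VALUE), ValidityDate.TIMEZONE_SERVER);
            TOO_LATE_EXPIRE_DATE = ValidityDate.parseCaLatestValidDateTime(formatAsISO8601);
            log.warn("cesecore.properties ca.toolateexpiredate '" + caTooLateExpireDate + "' could not be parsed Using default value '" + formatAsISO8601 + "'.", e);
        }
        String certificateValidityOffset = CesecoreConfiguration.getCertificateValidityOffset();
        try {
            DEFAULT_VALIDITY_OFFSET = SimpleTime.getSecondsFormat().parseMillis(certificateValidityOffset);
        } catch (Exception e2) {
            DEFAULT_VALIDITY_OFFSET = -600000L;
            // The message now states the value actually assigned above (10 minutes = 600000 ms).
            log.warn("cesecore.properties certificate.validityoffset '" + certificateValidityOffset + "' could not be parsed as relative time string. Using default value '-10m' = -600000ms", e2);
        }
    }

    private Date lastDate;
    private Date firstDate;

    /**
     * Returns the default validity offset.
     *
     * @return the default offset in milliseconds that is added to the current time
     */
    public static final long getValidityOffset() {
        return DEFAULT_VALIDITY_OFFSET;
    }

    /**
     * Returns the global latest expiry date.
     *
     * @return a copy of the global latest expiry date, or {@code null} if none is set
     */
    public static Date getToolLateExpireDate() {
        // Return a copy so that a caller mutating the Date cannot move the global cap.
        Date current = TOO_LATE_EXPIRE_DATE;
        return current == null ? null : new Date(current.getTime());
    }

    /**
     * Replaces the global latest expiry date.
     *
     * @param date the new cap; {@code null} makes every later constructor call fail with
     *     {@link IllegalStateException}
     */
    public static void setTooLateExpireDate(Date date) {
        // Store a copy so that later changes to the caller's Date do not alter the cap.
        TOO_LATE_EXPIRE_DATE = date == null ? null : new Date(date.getTime());
    }

    /**
     * Computes the validity using the current system time as "now".
     *
     * @see #CertificateValidity(Date, EndEntityInformation, CertificateProfile, Date, Date, Certificate, boolean, boolean)
     */
    public CertificateValidity(EndEntityInformation endEntityInformation, CertificateProfile certificateProfile, Date date, Date date2, Certificate certificate, boolean z, boolean z2) throws IllegalValidityException {
        this(new Date(), endEntityInformation, certificateProfile, date, date2, certificate, z, z2);
    }

    /**
     * Computes the validity interval.
     *
     * @param date the instant treated as "now"; the validity offset is added to it
     * @param endEntityInformation the end entity; its extended information may carry a custom
     *     start and end time, and its username is used in log messages
     * @param certificateProfile the profile supplying the validity, the offset, the weekday
     *     restrictions and the "allow validity override" switch
     * @param date2 the requested notBefore; only used when the profile allows validity override
     * @param date3 the requested notAfter; used when the profile allows validity override or
     *     when {@code z2} is set
     * @param certificate the certificate whose validity bounds the result, or {@code null};
     *     presumably the issuing CA certificate (confirm against callers)
     * @param z when {@code true}, the result is not clamped to {@code certificate}'s validity
     * @param z2 when {@code true}, {@code date3} is taken as notAfter even if the profile does not
     *     allow validity override; the profile maximum and the other clamps still apply
     * @throws IllegalValidityException if the resulting notAfter is not before the global latest
     *     expiry date
     * @throws IllegalStateException if the global latest expiry date is unset
     */
    public CertificateValidity(Date date, EndEntityInformation endEntityInformation, CertificateProfile certificateProfile, Date date2, Date date3, Certificate certificate, boolean z, boolean z2) throws IllegalValidityException {
        if (log.isDebugEnabled()) {
            log.debug("Requested notBefore: " + date2);
            log.debug("Requested notAfter: " + date3);
            ExtendedInformation extendedInformation = endEntityInformation.getExtendedInformation();
            if (extendedInformation != null) {
                log.debug("End entity extended information 'notBefore': " + extendedInformation.getCustomData(ExtendedInformation.CUSTOM_STARTTIME));
                log.debug("End entity extended information 'notAfter': " + extendedInformation.getCustomData(ExtendedInformation.CUSTOM_ENDTIME));
            }
            log.debug("Default validty offset: " + DEFAULT_VALIDITY_OFFSET);
            log.debug("Certificate profile validty: " + certificateProfile.getEncodedValidity());
            log.debug("Certificate profile use validty offset: " + certificateProfile.getUseCertificateValidityOffset());
            log.debug("Certificate profile validty offset: " + certificateProfile.getCertificateValidityOffset());
            log.debug("Certificate profile use expiration restrictions for weekdays: " + certificateProfile.getUseExpirationRestrictionForWeekdays());
            log.debug("Certificate profile expiration restrictions weekdays: " + Arrays.toString(certificateProfile.getExpirationRestrictionWeekdays()));
            log.debug("Certificate profile expiration restrictions for weekdays before: " + certificateProfile.getExpirationRestrictionForWeekdaysExpireBefore());
        }
        // Read the global cap once so that every check below uses the same value.
        final Date tooLateExpireDate = TOO_LATE_EXPIRE_DATE;
        if (tooLateExpireDate == null) {
            throw new IllegalStateException("ca.toolateexpiredate in cesecore.properties is not a valid date.");
        }
        Date nowWithOffset = getNowWithOffset(date, certificateProfile);
        if (log.isDebugEnabled()) {
            log.debug("Using new start time including offset: " + nowWithOffset);
        }
        if (certificateProfile.getAllowValidityOverride()) {
            // Extended information takes precedence over the dates passed in by the caller.
            this.firstDate = getExtendedInformationStartTime(nowWithOffset, endEntityInformation);
            if (this.firstDate == null) {
                this.firstDate = date2;
            }
            this.lastDate = getExtendedInformationEndTime(nowWithOffset, endEntityInformation);
            if (this.lastDate == null) {
                this.lastDate = date3;
            }
            if (log.isDebugEnabled()) {
                log.debug("Allow validity override, notBefore: " + this.firstDate);
                log.debug("Allow validity override, notAfter: " + this.lastDate);
            }
        }
        if (this.firstDate == null) {
            this.firstDate = nowWithOffset;
        }
        // Latest end date the profile permits for the chosen start date.
        Date date4 = new Date(getCertificateProfileValidtyEndDate(certificateProfile, this.firstDate));
        // isRelativeTime() returns null for an unparsable validity; treat that as "not relative"
        // instead of unboxing it and failing with a NullPointerException.
        if (certificateProfile.getUseExpirationRestrictionForWeekdays() && Boolean.TRUE.equals(isRelativeTime(certificateProfile.getEncodedValidity()))) {
            log.info("Applying expiration restrictions for weekdays: " + Arrays.toString(certificateProfile.getExpirationRestrictionWeekdays()));
            try {
                Date applyExpirationRestrictionForWeekdays = ValidityDate.applyExpirationRestrictionForWeekdays(date4, certificateProfile.getExpirationRestrictionWeekdays(), certificateProfile.getExpirationRestrictionForWeekdaysExpireBefore());
                if (!this.firstDate.before(applyExpirationRestrictionForWeekdays)) {
                    log.warn("Expiration restriction of certificate profile could not be applied because it's before start date!");
                } else if (tooLateExpireDate.after(applyExpirationRestrictionForWeekdays)) {
                    date4 = applyExpirationRestrictionForWeekdays;
                } else {
                    log.warn("Expiration restriction of certificate profile could not be applied because it's after latest possible end date!");
                }
            } catch (Exception e) {
                // Best effort: keep the unrestricted end date, but record the cause.
                log.warn("Expiration restriction of certificate profile could not be applied!", e);
            }
        }
        if (z2) {
            this.lastDate = date3;
        }
        if (this.lastDate == null) {
            this.lastDate = date4;
        }
        if (this.lastDate.before(this.firstDate)) {
            // An inverted request is swapped rather than rejected.
            log.info(intres.getLocalizedMessage("createcert.errorinvalidcausality", this.firstDate, this.lastDate));
            Date date5 = this.lastDate;
            this.lastDate = this.firstDate;
            this.firstDate = date5;
        }
        if (this.firstDate.before(nowWithOffset) && !certificateProfile.getAllowValidityOverride()) {
            // Without override permission a start date in the past is not accepted.
            log.error(intres.getLocalizedMessage("createcert.errorbeforecurrentdate", this.firstDate, endEntityInformation.getUsername()));
            this.firstDate = nowWithOffset;
            date4 = new Date(getCertificateProfileValidtyEndDate(certificateProfile, this.firstDate));
        }
        if (this.lastDate.after(date4)) {
            // Never exceed the maximum validity of the profile.
            log.info(intres.getLocalizedMessage("createcert.errorbeyondmaxvalidity", this.lastDate, endEntityInformation.getUsername(), date4));
            this.lastDate = date4;
        }
        if (certificate != null && !z) {
            // Keep the issued validity inside the validity of the supplied certificate.
            Date notAfter = CertTools.getNotAfter(certificate);
            if (this.lastDate.after(notAfter)) {
                log.info(intres.getLocalizedMessage("createcert.limitingvalidity", this.lastDate.toString(), notAfter));
                this.lastDate = notAfter;
            }
            Date notBefore = CertTools.getNotBefore(certificate);
            if (this.firstDate.before(notBefore)) {
                log.info(intres.getLocalizedMessage("createcert.limitingvaliditystart", this.firstDate.toString(), notBefore));
                this.firstDate = notBefore;
            }
        }
        // NOTE(review): the causality check above runs before the clamps. If firstDate lies after
        // the supplied certificate's notAfter, lastDate ends up before firstDate and nothing here
        // rejects it. Confirm that callers do not issue with an expired or not-yet-valid issuer.
        if (this.lastDate.before(tooLateExpireDate)) {
            return;
        }
        String localizedMessage = intres.getLocalizedMessage("createcert.errorbeyondtoolateexpiredate", this.lastDate.toString(), tooLateExpireDate.toString());
        log.info(localizedMessage);
        throw new IllegalValidityException(localizedMessage);
    }

    /**
     * Returns the computed end of validity.
     *
     * @return the computed end of validity (the internal instance, not a copy)
     */
    public Date getNotAfter() {
        return this.lastDate;
    }

    /**
     * Returns the computed start of validity.
     *
     * @return the computed start of validity (the internal instance, not a copy)
     */
    public Date getNotBefore() {
        return this.firstDate;
    }

    /**
     * Returns the latest end date, in epoch milliseconds, that the profile permits for a
     * certificate starting at {@code date}. A blank encoded validity selects the legacy numeric
     * validity of the profile.
     */
    private long getCertificateProfileValidtyEndDate(CertificateProfile certificateProfile, Date date) {
        String encodedValidity = certificateProfile.getEncodedValidity();
        Date endDate;
        if (StringUtils.isNotBlank(encodedValidity)) {
            endDate = ValidityDate.getDate(encodedValidity, date);
        } else {
            endDate = ValidityDate.getDateBeforeVersion661(certificateProfile.getValidity(), date);
        }
        return endDate.getTime();
    }

    /**
     * Returns {@code date} shifted by the validity offset of the profile, or by the default
     * offset when the profile defines none or its offset cannot be parsed.
     */
    private Date getNowWithOffset(Date date, CertificateProfile certificateProfile) {
        long offsetMillis = DEFAULT_VALIDITY_OFFSET;
        if (certificateProfile.getUseCertificateValidityOffset()) {
            String certificateValidityOffset = certificateProfile.getCertificateValidityOffset();
            try {
                offsetMillis = SimpleTime.parseMillies(certificateValidityOffset);
                if (log.isDebugEnabled()) {
                    log.debug("Using validity offset by certificate profile: " + certificateValidityOffset);
                }
            } catch (NumberFormatException e) {
                // Use the default, as the message says. The constructor cannot work with null.
                log.warn("Could not parse certificate validity offset " + certificateValidityOffset + "; using default " + DEFAULT_VALIDITY_OFFSET);
            }
        } else if (log.isDebugEnabled()) {
            log.debug("Using validity offset by cesecore.properties: " + SimpleTime.toString(DEFAULT_VALIDITY_OFFSET, SimpleTime.TYPE_DAYS));
        }
        return new Date(date.getTime() + offsetMillis);
    }

    /**
     * Returns the custom start time from the end entity's extended information, or
     * {@code null} when there is none or it cannot be parsed.
     */
    private Date getExtendedInformationStartTime(Date date, EndEntityInformation endEntityInformation) {
        ExtendedInformation extendedInformation = endEntityInformation.getExtendedInformation();
        Date startTime = extendedInformation == null
                ? null
                : parseExtendedInformationEncodedValidity(date, extendedInformation.getCustomData(ExtendedInformation.CUSTOM_STARTTIME));
        if (log.isDebugEnabled()) {
            log.debug("Using ExtendedInformationStartTime: " + startTime);
        }
        return startTime;
    }

    /**
     * Returns the custom end time from the end entity's extended information, or
     * {@code null} when there is none or it cannot be parsed.
     */
    private Date getExtendedInformationEndTime(Date date, EndEntityInformation endEntityInformation) {
        ExtendedInformation extendedInformation = endEntityInformation.getExtendedInformation();
        Date endTime = extendedInformation == null
                ? null
                : parseExtendedInformationEncodedValidity(date, extendedInformation.getCustomData(ExtendedInformation.CUSTOM_ENDTIME));
        if (log.isDebugEnabled()) {
            log.debug("Using ExtendedInformationEndTime: " + endTime);
        }
        return endTime;
    }

    /**
     * Checks the PrivateKeyUsagePeriod of the certificate against the current system time.
     *
     * @see #checkPrivateKeyUsagePeriod(X509Certificate, Date)
     */
    public static void checkPrivateKeyUsagePeriod(X509Certificate x509Certificate) throws CAOfflineException {
        checkPrivateKeyUsagePeriod(x509Certificate, new Date());
    }

    /**
     * Verifies that {@code date} lies inside the PrivateKeyUsagePeriod extension of the
     * certificate. A {@code null} certificate or a certificate without the extension passes.
     *
     * @param x509Certificate the certificate to inspect, may be {@code null}
     * @param date the instant to check
     * @throws CAOfflineException if {@code date} is before the period's notBefore or after its
     *     notAfter
     * @throws IllegalStateException if a date in the extension cannot be parsed
     */
    public static void checkPrivateKeyUsagePeriod(X509Certificate x509Certificate, Date date) throws CAOfflineException {
        if (x509Certificate == null) {
            if (log.isDebugEnabled()) {
                log.debug("No CA certificate available, not checking PrivateKeyUsagePeriod.");
            }
            return;
        }
        PrivateKeyUsagePeriod privateKeyUsagePeriod = CertTools.getPrivateKeyUsagePeriod(x509Certificate);
        if (privateKeyUsagePeriod == null) {
            if (log.isDebugEnabled()) {
                log.debug("No PrivateKeyUsagePeriod available in certificate.");
            }
            return;
        }
        Date usageNotBefore = toDate(privateKeyUsagePeriod.getNotBefore());
        if (log.isDebugEnabled()) {
            log.debug("PrivateKeyUsagePeriod.notBefore is " + usageNotBefore);
        }
        if (usageNotBefore != null && date.before(usageNotBefore)) {
            String localizedMessage = intres.getLocalizedMessage("createcert.privatekeyusagenotvalid", usageNotBefore.toString(), x509Certificate.getSubjectDN().toString());
            if (log.isDebugEnabled()) {
                log.debug(localizedMessage);
            }
            throw new CAOfflineException(localizedMessage);
        }
        Date usageNotAfter = toDate(privateKeyUsagePeriod.getNotAfter());
        if (log.isDebugEnabled()) {
            log.debug("PrivateKeyUsagePeriod.notAfter is " + usageNotAfter);
        }
        if (usageNotAfter != null && date.after(usageNotAfter)) {
            String localizedMessage2 = intres.getLocalizedMessage("createcert.privatekeyusageexpired", usageNotAfter.toString(), x509Certificate.getSubjectDN().toString());
            if (log.isDebugEnabled()) {
                log.debug(localizedMessage2);
            }
            throw new CAOfflineException(localizedMessage2);
        }
    }

    /**
     * Converts an optional ASN.1 time to a Date. A malformed value is reported as
     * {@link IllegalStateException} for both ends of the period.
     */
    private static Date toDate(ASN1GeneralizedTime time) {
        if (time == null) {
            return null;
        }
        try {
            return time.getDate();
        } catch (ParseException e) {
            throw new IllegalStateException("Could not parse dates.", e);
        }
    }

    /**
     * Classifies an encoded validity.
     *
     * @return {@code TRUE} for a relative time string, {@code FALSE} for an ISO 8601 date, and
     *     {@code null} when the string is neither
     */
    private static final Boolean isRelativeTime(String str) {
        try {
            SimpleTime.parseMillies(str);
            return Boolean.TRUE;
        } catch (NumberFormatException e) {
            try {
                ValidityDate.parseAsIso8601(str);
                return Boolean.FALSE;
            } catch (ParseException e2) {
                return null;
            }
        }
    }

    /**
     * Parses a start or end time from the end entity's extended information. The value is either
     * relative to {@code date} in the form {@code days:hours:minutes}, or an absolute date
     * accepted by {@code ValidityDate.parseAsUTC}.
     *
     * @return the parsed instant, or {@code null} if {@code str} is {@code null} or invalid
     */
    private static final Date parseExtendedInformationEncodedValidity(Date date, String str) {
        Date date2 = null;
        if (str != null) {
            if (str.matches("^\\d+:\\d?\\d:\\d?\\d$")) {
                String[] split = str.split(":");
                try {
                    // The day count has no length limit in the pattern, so use exact arithmetic.
                    // A wrapped value would silently yield a date far away from the request.
                    long minutes = Math.addExact(
                            Math.addExact(Math.multiplyExact(Long.parseLong(split[0]), 24L * 60L), Math.multiplyExact(Long.parseLong(split[1]), 60L)),
                            Long.parseLong(split[2]));
                    date2 = new Date(Math.addExact(date.getTime(), Math.multiplyExact(minutes, 60L * 1000L)));
                } catch (NumberFormatException | ArithmeticException e) {
                    log.error(intres.getLocalizedMessage("createcert.errorinvalidstarttime", str));
                }
            } else {
                try {
                    date2 = ValidityDate.parseAsUTC(str);
                } catch (ParseException e) {
                    log.error(intres.getLocalizedMessage("createcert.errorinvalidstarttime", str));
                }
            }
            if (log.isDebugEnabled()) {
                log.debug("Time string by end entity extended Information: " + date2);
            }
        }
        return date2;
    }
}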
