package org.apache.pdfbox.examples.signature.cert;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.pdfbox.examples.signature.SigUtils;
import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

/* loaded from: input_file:org/apache/pdfbox/examples/signature/cert/CRLVerifier.class */
public final class CRLVerifier {
    private static final Log LOG = LogFactory.getLog(CRLVerifier.class);

    private CRLVerifier() {
    }

    public static void verifyCertificateCRLs(X509Certificate x509Certificate, Date date, Set<X509Certificate> set) throws CertificateVerificationException, RevokedCertificateException {
        try {
            try {
                Date time = Calendar.getInstance().getTime();
                Throwable th = null;
                for (String str : getCrlDistributionPoints(x509Certificate)) {
                    LOG.info("Checking distribution point URL: " + str);
                    try {
                        X509CRL downloadCRL = downloadCRL(str);
                        Set<X509Certificate> downloadExtraCertificates = CertificateVerifier.downloadExtraCertificates(downloadCRL);
                        downloadExtraCertificates.addAll(set);
                        X509Certificate x509Certificate2 = null;
                        for (X509Certificate x509Certificate3 : downloadExtraCertificates) {
                            try {
                                x509Certificate.verify(x509Certificate3.getPublicKey(), SecurityProvider.getProvider());
                                x509Certificate2 = x509Certificate3;
                                break;
                            } catch (GeneralSecurityException e) {
                            }
                        }
                        if (x509Certificate2 == null) {
                            throw new CertificateVerificationException("Certificate for " + downloadCRL.getIssuerX500Principal() + "not found in certificate chain, so the CRL at " + str + " could not be verified");
                        }
                        downloadCRL.verify(x509Certificate2.getPublicKey(), SecurityProvider.getProvider());
                        if (downloadCRL.getThisUpdate().after(time)) {
                            LOG.error("CRL not yet valid, thisUpdate is " + downloadCRL.getThisUpdate());
                        }
                        if (downloadCRL.getNextUpdate().before(time)) {
                            LOG.error("CRL no longer valid, nextUpdate is " + downloadCRL.getNextUpdate());
                        }
                        if (downloadCRL.getIssuerX500Principal().equals(x509Certificate.getIssuerX500Principal())) {
                            LOG.info("CRL issuer certificate is identical to cert issuer, no extra check needed");
                        } else {
                            LOG.info("CRL issuer certificate is not identical to cert issuer, check needed");
                            CertificateVerifier.verifyCertificate(x509Certificate2, downloadExtraCertificates, true, time);
                            LOG.info("CRL issuer certificate checked successfully");
                        }
                        checkRevocation(downloadCRL, x509Certificate, date, str);
                        return;
                    } catch (IOException | GeneralSecurityException | CertificateVerificationException | NamingException e2) {
                        LOG.warn("Caught " + e2.getClass().getSimpleName() + " downloading CRL, will try next distribution point if available");
                        if (th == null) {
                            th = e2;
                        }
                    }
                }
                if (th != null) {
                    throw th;
                }
            } catch (Exception e3) {
                throw new CertificateVerificationException("Cannot verify CRL for certificate: " + x509Certificate.getSubjectX500Principal(), e3);
            }
        } catch (CertificateVerificationException | RevokedCertificateException e4) {
            throw e4;
        }
    }

    public static void checkRevocation(X509CRL x509crl, X509Certificate x509Certificate, Date date, String str) throws RevokedCertificateException {
        X509CRLEntry revokedCertificate = x509crl.getRevokedCertificate(x509Certificate);
        if (revokedCertificate != null && revokedCertificate.getRevocationDate().compareTo(date) <= 0) {
            throw new RevokedCertificateException("The certificate was revoked by CRL " + str + " on " + revokedCertificate.getRevocationDate(), revokedCertificate.getRevocationDate());
        }
        if (revokedCertificate != null) {
            LOG.info("The certificate was revoked after signing by CRL " + str + " on " + revokedCertificate.getRevocationDate());
        } else {
            LOG.info("The certificate was not revoked by CRL " + str);
        }
    }

    private static X509CRL downloadCRL(String str) throws IOException, CertificateException, CRLException, CertificateVerificationException, NamingException, URISyntaxException {
        if (str.startsWith("http://") || str.startsWith("https://") || str.startsWith("ftp://")) {
            return downloadCRLFromWeb(str);
        }
        if (str.startsWith("ldap://")) {
            return downloadCRLFromLDAP(str);
        }
        throw new CertificateVerificationException("Can not download CRL from certificate distribution point: " + str);
    }

    private static X509CRL downloadCRLFromLDAP(String str) throws CertificateException, NamingException, CRLException, CertificateVerificationException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", str);
        hashtable.put("com.sun.jndi.ldap.connect.timeout", "1000");
        byte[] bArr = (byte[]) new InitialDirContext(hashtable).getAttributes("").get("certificateRevocationList;binary").get();
        if (bArr == null || bArr.length == 0) {
            throw new CertificateVerificationException("Can not download CRL from: " + str);
        }
        return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(new ByteArrayInputStream(bArr));
    }

    public static X509CRL downloadCRLFromWeb(String str) throws IOException, CertificateException, CRLException, URISyntaxException {
        InputStream openURL = SigUtils.openURL(str);
        Throwable th = null;
        try {
            X509CRL x509crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(openURL);
            if (openURL != null) {
                if (0 != 0) {
                    try {
                        openURL.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    openURL.close();
                }
            }
            return x509crl;
        } catch (Throwable th3) {
            if (openURL != null) {
                if (0 != 0) {
                    try {
                        openURL.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    openURL.close();
                }
            }
            throw th3;
        }
    }

    public static List<String> getCrlDistributionPoints(X509Certificate x509Certificate) throws IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (extensionValue == null) {
            return new ArrayList();
        }
        ASN1InputStream aSN1InputStream = new ASN1InputStream(extensionValue);
        Throwable th = null;
        try {
            try {
                ASN1OctetString readObject = aSN1InputStream.readObject();
                if (aSN1InputStream != null) {
                    if (0 != 0) {
                        try {
                            aSN1InputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        aSN1InputStream.close();
                    }
                }
                if (!(readObject instanceof ASN1OctetString)) {
                    LOG.warn("CRL distribution points for certificate subject " + x509Certificate.getSubjectX500Principal().getName() + " should be an octet string, but is " + readObject);
                    return new ArrayList();
                }
                ASN1InputStream aSN1InputStream2 = new ASN1InputStream(readObject.getOctets());
                Throwable th3 = null;
                try {
                    ASN1Primitive readObject2 = aSN1InputStream2.readObject();
                    if (aSN1InputStream2 != null) {
                        if (0 != 0) {
                            try {
                                aSN1InputStream2.close();
                            } catch (Throwable th4) {
                                th3.addSuppressed(th4);
                            }
                        } else {
                            aSN1InputStream2.close();
                        }
                    }
                    CRLDistPoint cRLDistPoint = CRLDistPoint.getInstance(readObject2);
                    ArrayList arrayList = new ArrayList();
                    for (DistributionPoint distributionPoint : cRLDistPoint.getDistributionPoints()) {
                        DistributionPointName distributionPoint2 = distributionPoint.getDistributionPoint();
                        if (distributionPoint2 != null && distributionPoint2.getType() == 0) {
                            for (GeneralName generalName : GeneralNames.getInstance(distributionPoint2.getName()).getNames()) {
                                if (generalName.getTagNo() == 6) {
                                    arrayList.add(ASN1IA5String.getInstance(generalName.getName()).getString());
                                }
                            }
                        }
                    }
                    return arrayList;
                } catch (Throwable th5) {
                    if (aSN1InputStream2 != null) {
                        if (0 != 0) {
                            try {
                                aSN1InputStream2.close();
                            } catch (Throwable th6) {
                                th3.addSuppressed(th6);
                            }
                        } else {
                            aSN1InputStream2.close();
                        }
                    }
                    throw th5;
                }
            } finally {
            }
        } catch (Throwable th7) {
            if (aSN1InputStream != null) {
                if (th != null) {
                    try {
                        aSN1InputStream.close();
                    } catch (Throwable th8) {
                        th.addSuppressed(th8);
                    }
                } else {
                    aSN1InputStream.close();
                }
            }
            throw th7;
        }
    }
}
