package de.mtg.jzlint.lints.rfc;

import de.mtg.jzlint.EffectiveDate;
import de.mtg.jzlint.JavaCRLLint;
import de.mtg.jzlint.Lint;
import de.mtg.jzlint.LintResult;
import de.mtg.jzlint.Source;
import de.mtg.jzlint.Status;
import de.mtg.jzlint.utils.CRLUtils;
import java.math.BigInteger;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.util.Iterator;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;

@Lint(name = "e_crl_has_valid_reason_code", description = "If a CRL entry has a reason code, it MUST be in RFC5280 section 5.3.1 and SHOULD be absent instead of using unspecified (0)", citation = "RFC 5280: 5.3.1", source = Source.RFC5280, effectiveDate = EffectiveDate.RFC5280)
/* loaded from: input_file:BOOT-INF/lib/jzlint-1.0.0.jar:de/mtg/jzlint/lints/rfc/CrlHasValidReasonCode.class */
public class CrlHasValidReasonCode implements JavaCRLLint {
    @Override // de.mtg.jzlint.JavaCRLLint
    public LintResult execute(X509CRL x509crl) {
        Iterator<? extends X509CRLEntry> it = x509crl.getRevokedCertificates().iterator();
        while (it.hasNext()) {
            byte[] extensionValue = it.next().getExtensionValue(Extension.reasonCode.getId());
            if (extensionValue != null) {
                BigInteger value = CRLReason.getInstance(ASN1OctetString.getInstance(extensionValue).getOctets()).getValue();
                if (value.equals(BigInteger.ZERO)) {
                    return LintResult.of(Status.WARN, "The reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value.");
                }
                if (value.equals(BigInteger.valueOf(7L)) || value.compareTo(BigInteger.valueOf(10L)) == 1) {
                    return LintResult.of(Status.ERROR, String.format("Reason code, %s, not included in RFC 5280 section 5.3.1", value));
                }
            }
        }
        return LintResult.of(Status.PASS);
    }

    @Override // de.mtg.jzlint.JavaCRLLint
    public boolean checkApplies(X509CRL x509crl) {
        return CRLUtils.containsRevokedCertificates(x509crl);
    }
}
