package net.ripe.rpki.commons.crypto.cms.manifest;

import net.ripe.ipresource.IpResourceSet;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import net.ripe.rpki.commons.validation.objectvalidators.X509ResourceCertificateParentChildValidator;
import org.joda.time.DateTime;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsEeCertificateValidator.class */
public class ManifestCmsEeCertificateValidator extends X509ResourceCertificateParentChildValidator {
    public ManifestCmsEeCertificateValidator(ValidationOptions validationOptions, ValidationResult validationResult, X509ResourceCertificate x509ResourceCertificate, X509Crl x509Crl, IpResourceSet ipResourceSet) {
        super(validationOptions, validationResult, x509ResourceCertificate, x509Crl, ipResourceSet);
    }

    @Override // net.ripe.rpki.commons.validation.objectvalidators.X509CertificateParentChildValidator
    protected void verifyValidity() {
        DateTime dateTime = new DateTime();
        this.result.rejectIfTrue(dateTime.isBefore(((X509ResourceCertificate) this.child).getValidityPeriod().getNotValidBefore()), ValidationString.NOT_VALID_BEFORE, ((X509ResourceCertificate) this.child).getValidityPeriod().getNotValidBefore().toString());
        DateTime notValidAfter = ((X509ResourceCertificate) this.child).getValidityPeriod().getNotValidAfter();
        if (dateTime.isAfter(notValidAfter)) {
            if (notValidAfter.plus(this.options.getMaxStaleDays()).isAfter(dateTime)) {
                this.result.warnIfTrue(true, ValidationString.NOT_VALID_AFTER, notValidAfter.toString());
            } else {
                this.result.rejectIfTrue(true, ValidationString.NOT_VALID_AFTER, notValidAfter.toString());
            }
        }
    }
}
