package net.ripe.rpki.commons.validation.objectvalidators;

import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.util.Arrays;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.x509cert.AbstractX509CertificateWrapper;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import org.joda.time.DateTime;

/* loaded from: input_file:net/ripe/rpki/commons/validation/objectvalidators/X509CertificateParentChildValidator.class */
/**
 * Validates one certificate (the "child") against the certificate expected to have issued it
 * (the "parent") and, when one is supplied, a CRL checked against the parent's public key.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #validate(String, AbstractX509CertificateWrapper)} returns nothing and runs every
 *       check in sequence; no check stops the others. The verdict lives only in the
 *       {@link ValidationResult} passed to the constructor, so callers must inspect it after
 *       validating.</li>
 *   <li>Key-usage mismatches are reported through the {@code warn*} methods of the result, whereas
 *       signature, validity, CRL, issuer and key-identifier problems go through {@code reject*}.
 *       NOTE(review): how the result treats warnings versus rejections is defined outside this
 *       file - confirm before relying on key usage as an enforcement point.</li>
 *   <li>{@code validate} stores the child in a field, so one instance should presumably not be
 *       used for concurrent validations - confirm against callers.</li>
 * </ul>
 *
 * @param <T> concrete certificate wrapper type handled by the subclass
 */
public abstract class X509CertificateParentChildValidator<T extends AbstractX509CertificateWrapper> {
    // Bit positions inside the boolean[] returned by getKeyUsage(); these match the KeyUsage
    // bits digitalSignature (0), keyCertSign (5) and cRLSign (6).
    private static final int DIG_SIGN_INDEX = 0;
    private static final int KEYCERTSIGN_INDEX = 5;
    private static final int CRLSIGN_INDEX = 6;

    // Shared empty message-argument array for checks that carry no parameters.
    private static final String[] NO_ARGS = new String[0];

    // Issuing certificate; assigned once in the constructor.
    private final T parent;
    // Certificate currently under validation; replaced on every validate() call.
    protected T child;
    // CRL checked against the parent's key; may be null (see verifyCrl()).
    private final X509Crl crl;
    // Stored for subclasses; not read anywhere in this class.
    protected final ValidationOptions options;
    // Accumulates every rejection and warning produced by the checks below.
    protected final ValidationResult result;

    /**
     * Creates a validator bound to one parent certificate and one CRL.
     *
     * @param validationOptions options kept for subclasses; unused by this class itself
     * @param validationResult sink that receives every check outcome
     * @param t the parent (issuing) certificate
     * @param x509Crl CRL to check the child against, or {@code null} if none is available
     */
    public X509CertificateParentChildValidator(ValidationOptions validationOptions, ValidationResult validationResult, T t, X509Crl x509Crl) {
        this.options = validationOptions;
        this.result = validationResult;
        this.parent = t;
        this.crl = x509Crl;
    }

    /**
     * Runs all parent/child checks for the given certificate and records the outcome in the
     * validation result under the given location.
     *
     * <p>The checks always run in this order: signature, validity period, CRL, issuer name,
     * key usage, authority key identifier. A failed check does not prevent the later ones.
     *
     * @param str location name under which the outcomes are recorded
     * @param t the child certificate to validate
     */
    public void validate(String str, T t) {
        this.child = t;
        this.result.setLocation(new ValidationLocation(str));

        verifySignature();
        verifyValidity();
        verifyCrl();
        verifyIssuer();
        verifyKeyUsage();
        verifyAuthorityKeyIdentifier();
    }

    /**
     * Returns the result object that collects the outcomes of all checks.
     *
     * @return the same instance that was passed to the constructor
     */
    public ValidationResult getValidationResult() {
        return this.result;
    }

    /**
     * Returns the certificate most recently passed to {@code validate}.
     *
     * <p>NOTE(review): the decompiler reported that this accessor's modifier was changed from
     * {@code protected}; it is kept {@code public} here exactly as found.
     *
     * @return the current child, or {@code null} before the first validation
     */
    public T getChild() {
        return this.child;
    }

    /**
     * Checks that the parent is a CA and that the child's signature verifies under the parent's
     * public key. An unusable key and a bad signature are both recorded as the same rejection.
     */
    private void verifySignature() {
        this.result.rejectIfFalse(this.parent.isCa(), ValidationString.ISSUER_IS_CA, NO_ARGS);

        boolean signatureRejected;
        try {
            this.child.verify(this.parent.getPublicKey());
            signatureRejected = false;
        } catch (InvalidKeyException | SignatureException e) {
            // The cause is deliberately not propagated: the failure is reported via the result.
            signatureRejected = true;
        }
        this.result.rejectIfTrue(signatureRejected, ValidationString.SIGNATURE_VALID, NO_ARGS);
    }

    /**
     * Checks the CRL signature against the parent's public key and the child's revocation
     * status. A missing CRL is accepted only when the child reports itself as a root.
     */
    private void verifyCrl() {
        if (this.crl != null) {
            boolean crlSignatureRejected;
            try {
                this.crl.verify(this.parent.getPublicKey());
                crlSignatureRejected = false;
            } catch (SignatureException e) {
                crlSignatureRejected = true;
            }
            this.result.rejectIfTrue(crlSignatureRejected, ValidationString.CRL_SIGNATURE_VALID, NO_ARGS);

            // Revocation is still looked up when the CRL signature failed; both outcomes are recorded.
            boolean revoked = this.crl.isRevoked(this.child.getCertificate());
            this.result.rejectIfTrue(revoked, ValidationString.CERT_NOT_REVOKED, NO_ARGS);
        } else {
            this.result.rejectIfFalse(this.child.isRoot(), ValidationString.CRL_REQUIRED, NO_ARGS);
        }
    }

    /**
     * Checks that the current time lies inside the child's validity period.
     *
     * <p>The reference instant is taken from the system clock when this method runs. Both
     * comparisons are strict, so an instant exactly equal to either bound is accepted.
     */
    protected void verifyValidity() {
        DateTime now = new DateTime();

        boolean notYetValid = now.isBefore(this.child.getValidityPeriod().getNotValidBefore());
        this.result.rejectIfTrue(notYetValid, ValidationString.NOT_VALID_BEFORE, this.child.getValidityPeriod().getNotValidBefore().toString());

        boolean expired = now.isAfter(this.child.getValidityPeriod().getNotValidAfter());
        this.result.rejectIfTrue(expired, ValidationString.NOT_VALID_AFTER, this.child.getValidityPeriod().getNotValidAfter().toString());
    }

    /** Checks that the child's issuer equals the parent's subject. */
    private void verifyIssuer() {
        boolean issuerMatchesParentSubject = this.parent.getSubject().equals(this.child.getIssuer());
        this.result.rejectIfFalse(issuerMatchesParentSubject, ValidationString.PREV_SUBJECT_EQ_ISSUER, NO_ARGS);
    }

    /**
     * Checks the child's key-usage bits: keyCertSign and cRLSign for a CA, digitalSignature
     * otherwise. Every outcome here, including an absent extension, is a warning rather than
     * a rejection.
     */
    protected void verifyKeyUsage() {
        boolean[] usageBits = this.child.getCertificate().getKeyUsage();
        if (!this.result.warnIfNull(usageBits, ValidationString.KEY_USAGE_EXT_PRESENT, NO_ARGS)) {
            // Nothing to inspect when the key-usage lookup returned null.
            return;
        }

        if (this.child.isCa()) {
            this.result.warnIfFalse(usageBits[KEYCERTSIGN_INDEX], ValidationString.KEY_CERT_SIGN, NO_ARGS);
            this.result.warnIfFalse(usageBits[CRLSIGN_INDEX], ValidationString.CRL_SIGN, NO_ARGS);
        } else {
            this.result.warnIfFalse(usageBits[DIG_SIGN_INDEX], ValidationString.DIG_SIGN, NO_ARGS);
        }
    }

    /**
     * Checks that the child's authority key identifier is byte-for-byte equal to the parent's
     * subject key identifier. Skipped entirely for a root child; a missing identifier on either
     * side is itself a rejection.
     */
    private void verifyAuthorityKeyIdentifier() {
        if (!this.child.isRoot()) {
            byte[] parentSki = this.parent.getSubjectKeyIdentifier();
            byte[] childAki = this.child.getAuthorityKeyIdentifier();

            // Short-circuit on purpose: the AKI check is only recorded when the SKI is present.
            boolean bothPresent = this.result.rejectIfNull(parentSki, ValidationString.SKI_PRESENT, NO_ARGS)
                    && this.result.rejectIfNull(childAki, ValidationString.AKI_PRESENT, NO_ARGS);
            if (bothPresent) {
                this.result.rejectIfFalse(Arrays.equals(parentSki, childAki), ValidationString.PREV_SKI_EQ_AKI, NO_ARGS);
            }
        }
    }
}
