package net.ripe.rpki.commons.crypto.x509cert;

import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Map;
import net.ripe.ipresource.IpResource;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.crl.CrlLocator;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.rfc3779.AddressFamily;
import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionEncoder;
import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionParser;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext;
import net.ripe.rpki.commons.validation.objectvalidators.ResourceValidatorFactory;
import net.ripe.rpki.commons.validation.objectvalidators.X509ResourceCertificateValidator;
import org.apache.commons.lang.Validate;

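/**
 * An X.509 certificate carrying RFC 3779 resource extensions (IP address blocks and/or AS numbers).
 *
 * <p>Decompiled from {@code net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificate.class}.
 *
 * <p>The resources are read from the certificate once, in the constructor. A resource type can be
 * listed explicitly or marked as inherited from the issuer. Inherited types carry no resources of
 * their own, so use {@link #deriveResources(IpResourceSet)} to compute the effective set.
 *
 * <p>The revocation state is mutable and only known after one of the context-based
 * {@code validate(...)} overloads has run the validator. The field is neither {@code volatile}
 * nor guarded by a lock.
 */
public class X509ResourceCertificate extends X509GenericCertificate implements X509CertificateObject {
    private static final long serialVersionUID = 2;

    // Resource types whose value is taken from the issuing certificate rather than listed here.
    private final EnumSet<IpResourceType> inheritedResourceTypes;

    // Resources listed explicitly in this certificate's extensions.
    private final IpResourceSet resources;

    // null until a context-based validate(...) has reached the revocation check.
    private Boolean revoked;

    /**
     * Parses the IP address block and AS identifier extensions of the given certificate.
     *
     * <p>The decompiler reports that the original access modifier of this constructor was
     * {@code protected}.
     *
     * @param x509Certificate the certificate to wrap
     * @throws IllegalArgumentException if the certificate has neither explicit nor inherited
     *     resources ("empty resource set")
     */
    public X509ResourceCertificate(X509Certificate x509Certificate) {
        super(x509Certificate);
        ResourceExtensionParser resourceExtensionParser = new ResourceExtensionParser();
        this.inheritedResourceTypes = EnumSet.noneOf(IpResourceType.class);
        this.resources = new IpResourceSet();

        byte[] ipExtension = getCertificate().getExtensionValue(ResourceExtensionEncoder.OID_IP_ADDRESS_BLOCKS.getId());
        if (ipExtension != null) {
            for (Map.Entry<AddressFamily, IpResourceSet> entry : resourceExtensionParser.parseIpAddressBlocks(ipExtension).entrySet()) {
                // A null value for an address family is treated as "inherit from issuer".
                if (entry.getValue() == null) {
                    this.inheritedResourceTypes.add(entry.getKey().toIpResourceType());
                } else {
                    this.resources.addAll(entry.getValue());
                }
            }
        }

        byte[] asnExtension = getCertificate().getExtensionValue(ResourceExtensionEncoder.OID_AUTONOMOUS_SYS_IDS.getId());
        if (asnExtension != null) {
            IpResourceSet asIdentifiers = resourceExtensionParser.parseAsIdentifiers(asnExtension);
            // A null parse result is treated as "inherit AS numbers from issuer".
            if (asIdentifiers == null) {
                this.inheritedResourceTypes.add(IpResourceType.ASN);
            } else {
                this.resources.addAll(asIdentifiers);
            }
        }

        // A resource certificate that claims nothing and inherits nothing is refused outright.
        Validate.isTrue(!(this.inheritedResourceTypes.isEmpty() && this.resources.isEmpty()), "empty resource set");
    }

    /**
     * Returns the explicitly listed resources.
     *
     * @return a copy, so callers cannot change what this certificate claims
     */
    public IpResourceSet getResources() {
        return new IpResourceSet(this.resources);
    }

    /**
     * Returns the resource types marked as inherited from the issuer.
     *
     * @return a copy; handing out the internal set would let any caller add or remove inherited
     *     types and so change the outcome of {@link #deriveResources(IpResourceSet)}
     */
    public EnumSet<IpResourceType> getInheritedResourceTypes() {
        return EnumSet.copyOf(this.inheritedResourceTypes);
    }

    /**
     * Tells whether every given resource type is inherited.
     *
     * @param enumSet the resource types to check
     * @return {@code true} if all of them are inherited (also for an empty argument)
     */
    public boolean isResourceTypesInherited(EnumSet<IpResourceType> enumSet) {
        return this.inheritedResourceTypes.containsAll(enumSet);
    }

    /**
     * Tells whether at least one resource type is inherited.
     *
     * @return {@code true} if any resource type is inherited
     */
    public boolean isResourceSetInherited() {
        return !this.inheritedResourceTypes.isEmpty();
    }

    /**
     * Returns the CRL location used for the revocation check.
     *
     * @return the first rsync CRL distribution point, as found by the superclass helper
     */
    @Override
    public URI getCrlUri() {
        return findFirstRsyncCrlDistributionPoint();
    }

    /**
     * Returns the location of the issuing certificate.
     *
     * @return the first Authority Information Access entry with the caIssuers method
     */
    @Override
    public URI getParentCertificateUri() {
        return findFirstAuthorityInformationAccessByMethod(X509CertificateInformationAccessDescriptor.ID_CA_CA_ISSUERS);
    }

    /**
     * Re-parses the encoded certificate and, if parsing reports no failures, runs the validator.
     *
     * <p>NOTE(review): parse failures are recorded in a throw-away {@link ValidationResult} and
     * the method then returns without calling the validator. The caller therefore sees no
     * failure for an unparsable certificate. Callers must not treat "no failure reported" as
     * "validated". This overload also never sets the revocation state.
     *
     * @param str the validation location name
     * @param x509ResourceCertificateValidator the validator to run after a clean parse
     */
    public void validate(String str, X509ResourceCertificateValidator x509ResourceCertificateValidator) {
        X509ResourceCertificateParser parser = new X509ResourceCertificateParser();
        parser.parse(ValidationResult.withLocation(str), getEncoded());
        if (parser.getValidationResult().hasFailures()) {
            return;
        }
        x509ResourceCertificateValidator.validate(str, this);
    }

    /**
     * Validates this certificate, fetching the CRL through the given locator unless it is a root.
     *
     * <p>If no CRL can be obtained, the certificate is rejected with
     * {@code OBJECTS_CRL_VALID} and the validator is not run. The revocation state then stays
     * unset and {@link #isRevoked()} keeps throwing.
     *
     * @param str the validation location name
     * @param certificateRepositoryObjectValidationContext the issuer context
     * @param crlLocator the source of the CRL
     * @param validationOptions the validation options
     * @param validationResult the collector for checks and failures
     */
    @Override
    public void validate(String str, CertificateRepositoryObjectValidationContext certificateRepositoryObjectValidationContext, CrlLocator crlLocator, ValidationOptions validationOptions, ValidationResult validationResult) {
        X509Crl x509Crl = null;
        if (!isRoot()) {
            URI crlUri = getCrlUri();
            ValidationLocation currentLocation = validationResult.getCurrentLocation();
            // Failures raised while fetching the CRL are attributed to the CRL's own location.
            validationResult.setLocation(new ValidationLocation(crlUri));
            try {
                x509Crl = crlLocator.getCrl(crlUri, certificateRepositoryObjectValidationContext, validationResult);
            } finally {
                // Restore the location even if the locator throws, so that later checks are
                // not recorded against the CRL.
                validationResult.setLocation(currentLocation);
            }
            if (x509Crl == null) {
                // Fail closed: without a CRL the revocation state cannot be established.
                validationResult.rejectIfFalse(false, ValidationString.OBJECTS_CRL_VALID, String.valueOf(crlUri));
                return;
            }
        }
        ResourceValidatorFactory.getX509ResourceCertificateValidator(certificateRepositoryObjectValidationContext, validationOptions, validationResult, x509Crl).validate(str, this);
        this.revoked = Boolean.valueOf(hasErrorInRevocationCheck(validationResult.getFailures(new ValidationLocation(str))));
    }

    /**
     * Validates this certificate against a CRL the caller has already obtained.
     *
     * <p>A non-root certificate with no CRL is rejected with {@code OBJECTS_CRL_VALID}. The
     * validator is then skipped and the revocation state stays unset.
     *
     * @param str the validation location name
     * @param certificateRepositoryObjectValidationContext the issuer context
     * @param x509Crl the CRL to check against; may be {@code null}
     * @param uri the CRL location, used only in the rejection message
     * @param validationOptions the validation options
     * @param validationResult the collector for checks and failures
     */
    @Override
    public void validate(String str, CertificateRepositoryObjectValidationContext certificateRepositoryObjectValidationContext, X509Crl x509Crl, URI uri, ValidationOptions validationOptions, ValidationResult validationResult) {
        if (!isRoot() && x509Crl == null) {
            // String.valueOf keeps a missing URI from raising a NullPointerException that
            // would replace the rejection.
            validationResult.rejectIfFalse(false, ValidationString.OBJECTS_CRL_VALID, String.valueOf(uri));
        } else {
            ResourceValidatorFactory.getX509ResourceCertificateValidator(certificateRepositoryObjectValidationContext, validationOptions, validationResult, x509Crl).validate(str, this);
            this.revoked = Boolean.valueOf(hasErrorInRevocationCheck(validationResult.getFailures(new ValidationLocation(str))));
        }
    }

    /**
     * Tells whether the validity period has expired at the time of the call.
     *
     * @return {@code true} if the certificate has expired
     */
    @Override
    public boolean isPastValidityTime() {
        return getValidityPeriod().isExpiredNow();
    }

    /**
     * Returns the revocation state established by the last completed validation.
     *
     * @return {@code true} if the revocation check reported an error
     * @throws IllegalStateException if no validation has reached the revocation check, including
     *     the case where validation stopped early because no CRL was available
     */
    @Override
    public boolean isRevoked() {
        if (this.revoked == null) {
            throw new IllegalStateException("isRevoked() could only be called after validate()");
        }
        return this.revoked.booleanValue();
    }

    /**
     * Computes the effective resources: those listed here plus the issuer's resources of every
     * inherited type.
     *
     * @param ipResourceSet the issuer's resources
     * @return a new set; nothing is taken from the issuer when no type is inherited
     */
    public IpResourceSet deriveResources(IpResourceSet ipResourceSet) {
        IpResourceSet effective = new IpResourceSet(this.resources);
        if (this.inheritedResourceTypes.isEmpty()) {
            return effective;
        }
        for (IpResource parentResource : ipResourceSet) {
            if (this.inheritedResourceTypes.contains(parentResource.getType())) {
                effective.add(parentResource);
            }
        }
        return effective;
    }

    /**
     * Tells whether the explicitly listed resources cover the given set.
     *
     * <p>Inherited resource types are not considered here. For a certificate that inherits,
     * run the check against {@link #deriveResources(IpResourceSet)} instead.
     *
     * @param ipResourceSet the resources to look for
     * @return {@code true} if the explicit resources contain all of them
     */
    public boolean containsResources(IpResourceSet ipResourceSet) {
        return this.resources.contains(ipResourceSet);
    }
}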
