package net.ripe.rpki.commons.crypto.crl;

import java.security.SignatureException;
import net.ripe.rpki.commons.crypto.x509cert.AbstractX509CertificateWrapper;
import net.ripe.rpki.commons.util.UTC;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidator;
import org.joda.time.DateTime;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/crl/X509CrlValidator.class */
public class X509CrlValidator implements CertificateRepositoryObjectValidator<X509Crl> {
    private AbstractX509CertificateWrapper parent;
    private ValidationOptions options;
    private ValidationResult result;

    public X509CrlValidator(ValidationOptions validationOptions, ValidationResult validationResult, AbstractX509CertificateWrapper abstractX509CertificateWrapper) {
        this.options = validationOptions;
        this.result = validationResult;
        this.parent = abstractX509CertificateWrapper;
    }

    @Override // net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidator
    public ValidationResult getValidationResult() {
        return this.result;
    }

    @Override // net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidator
    public void validate(String str, X509Crl x509Crl) {
        this.result.setLocation(new ValidationLocation(str));
        checkSignature(x509Crl);
        checkValidityTimes(x509Crl);
    }

    private void checkValidityTimes(X509Crl x509Crl) {
        DateTime dateTime = UTC.dateTime();
        DateTime nextUpdateTime = x509Crl.getNextUpdateTime();
        DateTime thisUpdateTime = x509Crl.getThisUpdateTime();
        this.result.rejectIfTrue(thisUpdateTime.isAfter(dateTime), ValidationString.CRL_THIS_UPDATE_AFTER_NOW, thisUpdateTime.toString());
        if (!this.options.isStrictManifestCRLValidityChecks()) {
            this.result.warnIfTrue(dateTime.isAfter(nextUpdateTime), ValidationString.CRL_NEXT_UPDATE_BEFORE_NOW, nextUpdateTime.toString());
        } else if (dateTime.isAfter(nextUpdateTime.plus(this.options.getCrlMaxStalePeriod()))) {
            this.result.error(ValidationString.CRL_NEXT_UPDATE_BEFORE_NOW, nextUpdateTime.toString());
        } else {
            this.result.warnIfTrue(dateTime.isAfter(nextUpdateTime), ValidationString.CRL_NEXT_UPDATE_BEFORE_NOW, nextUpdateTime.toString());
        }
    }

    private void checkSignature(X509Crl x509Crl) {
        boolean z;
        try {
            x509Crl.verify(this.parent.getPublicKey());
            z = true;
        } catch (SignatureException e) {
            z = false;
        }
        this.result.rejectIfFalse(z, ValidationString.CRL_SIGNATURE_VALID);
    }
}
