package no.digipost.security.crl;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import no.digipost.security.DigipostSecurity;
import org.apache.http.ssl.TrustStrategy;

/* loaded from: input_file:no/digipost/security/crl/RevocationChecker.class */
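/**
 * A {@link TrustStrategy} that rejects any certificate chain containing a
 * certificate listed as revoked in a CRL loaded from disk.
 *
 * <p>Security notes for users of this class:
 * <ul>
 *   <li>The CRL is read once, in the constructor, and kept for the lifetime of
 *       the instance. Revocations published later are not seen until a new
 *       instance is created from an updated file.</li>
 *   <li>This class does not verify the CRL's signature and does not check
 *       whether the CRL has expired. The file at the given path must come from
 *       a trusted, integrity-protected source, and the caller is responsible
 *       for keeping it fresh.</li>
 *   <li>A certificate that is absent from the CRL is not thereby trusted:
 *       {@link #isTrusted} never returns {@code true}.</li>
 * </ul>
 */
public class RevocationChecker implements TrustStrategy {
    private final CRL crl;

    /**
     * Loads the CRL stored at {@code path}.
     *
     * @param path location of the encoded CRL file
     * @throws RuntimeException if the file cannot be read or parsed as a CRL;
     *         the underlying {@link IOException} or {@link CRLException} is
     *         attached as the cause
     */
    public RevocationChecker(Path path) {
        CertificateFactory x509CertificateFactory = DigipostSecurity.getX509CertificateFactory();
        // try-with-resources closes the stream even when CRL parsing fails.
        try (InputStream crlStream = Files.newInputStream(path)) {
            this.crl = x509CertificateFactory.generateCRL(crlStream);
        } catch (IOException | CRLException e) {
            // Keep the cause so an operator can tell a missing file from a malformed CRL.
            throw new RuntimeException(String.format("Could not load CRL from path '%s'.", path), e);
        }
    }

    /**
     * Checks every certificate of the presented chain against the loaded CRL.
     *
     * @param x509CertificateArr the certificate chain to check
     * @param str the authentication type; not used by this check
     * @return always {@code false}. Under the {@link TrustStrategy} contract this
     *         means the trust manager configured in the SSL context is still
     *         consulted, so ordinary chain validation is not bypassed
     * @throws CertificateException if any certificate in the chain is revoked
     *         according to the CRL; the message carries the serial number in
     *         hexadecimal
     */
    public boolean isTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        for (X509Certificate x509Certificate : x509CertificateArr) {
            if (this.crl.isRevoked(x509Certificate)) {
                throw new CertificateException(String.format("Certificate with serial number %s is revoked: %s", x509Certificate.getSerialNumber().toString(16), DigipostSecurity.describe(x509Certificate)));
            }
        }
        // Deliberately false: this strategy may only veto, never grant trust.
        return false;
    }
}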
