package org.apereo.cas.adaptors.x509.authentication.handler.support;

import com.google.common.base.Throwables;
import com.google.common.collect.Lists;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.net.URLDecoder;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import net.sf.ehcache.Cache;
import net.sf.ehcache.Element;
import org.apereo.cas.adaptors.x509.util.CertUtils;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.cryptacular.x509.ExtensionReader;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.core.io.Resource;

/* loaded from: input_file:org/apereo/cas/adaptors/x509/authentication/handler/support/CRLDistributionPointRevocationChecker.class */
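/**
 * Revocation checker that locates CRLs through the CRL distribution points
 * (CRLDP) extension of the certificate being checked, caching each fetched CRL
 * in an Ehcache {@link Cache} keyed by its distribution point URI.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The distribution point URIs are read from the certificate under
 *       evaluation. This class does not restrict their scheme or host before
 *       passing them to the {@link CRLFetcher}. NOTE(review): confirm the
 *       certificate has already been path-validated to a trusted issuer before
 *       this checker runs, or that the configured fetcher limits which
 *       locations it will contact.</li>
 *   <li>With {@code throwOnFetchFailure} left at {@code false}, a failed fetch
 *       is logged and skipped, so {@link #getCRLs(X509Certificate)} may return
 *       an empty list. What happens next is presumably decided by the
 *       unavailable-CRL policy in the superclass, which is not visible here;
 *       verify that policy fails closed where that is required.</li>
 * </ul>
 */
public class CRLDistributionPointRevocationChecker extends AbstractCRLRevocationChecker {
    /** Cache of DER-encoded CRLs, keyed by distribution point URI. */
    private Cache crlCache;

    /** Strategy used to download a CRL and to parse cached CRL bytes. */
    private CRLFetcher fetcher;

    /** When true, an error while fetching a CRL aborts the check instead of being skipped. */
    private boolean throwOnFetchFailure;

    /**
     * Creates a checker with no cache and no fetcher.
     *
     * <p>{@link #getCRLs(X509Certificate)} rejects an instance in this state with an
     * {@link IllegalArgumentException}; no setter for either field is visible in this listing.
     */
    public CRLDistributionPointRevocationChecker() {
    }

    /**
     * Creates a checker that uses the given cache and a default {@link ResourceCRLFetcher}.
     *
     * @param cache cache for fetched CRL data
     */
    public CRLDistributionPointRevocationChecker(Cache cache) {
        this(cache, new ResourceCRLFetcher());
    }

    /**
     * Creates a checker that uses the given cache, a default {@link ResourceCRLFetcher},
     * and the given fetch-failure behaviour.
     *
     * @param cache cache for fetched CRL data
     * @param z     whether a fetch error should be rethrown, see {@link #setThrowOnFetchFailure(boolean)}
     */
    public CRLDistributionPointRevocationChecker(Cache cache, boolean z) {
        this(cache, new ResourceCRLFetcher());
        setThrowOnFetchFailure(z);
    }

    /**
     * Creates a checker that uses the given cache and fetcher.
     *
     * @param cache      cache for fetched CRL data
     * @param cRLFetcher fetcher used to retrieve and parse CRLs
     */
    public CRLDistributionPointRevocationChecker(Cache cache, CRLFetcher cRLFetcher) {
        this.crlCache = cache;
        this.fetcher = cRLFetcher;
    }

    /**
     * Sets whether an error raised while fetching a CRL is rethrown.
     *
     * @param z {@code true} to rethrow fetch errors; {@code false} to log them and move on
     *          to the next distribution point
     */
    public void setThrowOnFetchFailure(boolean z) {
        this.throwOnFetchFailure = z;
    }

    /**
     * Collects the CRLs for the distribution points named in the given certificate.
     *
     * <p>Each distribution point is looked up in the cache first; on a miss the CRL is
     * fetched and, if one is returned, cached and added to the result. Unless
     * {@code checkAll} is set, the search stops after the first distribution point that
     * yields a CRL.
     *
     * <p>The decompiler reports that this method was declared {@code protected}
     * originally; the visibility shown in this listing is kept as-is.
     *
     * @param x509Certificate certificate whose distribution points are consulted
     * @return the CRLs found; empty when the certificate names no usable distribution
     *         point or when every fetch failed and failures are not rethrown
     * @throws IllegalArgumentException if the cache, the fetcher, the expired-CRL policy or
     *         the unavailable-CRL policy is not set
     * @throws RuntimeException if a fetch fails while {@code throwOnFetchFailure} is set,
     *         or if any other error occurs while reading the cache or parsing a cached CRL
     */
    @Override // org.apereo.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker
    public List<X509CRL> getCRLs(X509Certificate x509Certificate) {
        if (this.crlCache == null) {
            throw new IllegalArgumentException("CRL cache is not defined");
        }
        if (this.fetcher == null) {
            throw new IllegalArgumentException("CRL fetcher is not defined");
        }
        if (getExpiredCRLPolicy() == null) {
            throw new IllegalArgumentException("Expiration CRL policy is not defined");
        }
        if (getUnavailableCRLPolicy() == null) {
            throw new IllegalArgumentException("Unavailable CRL policy is not defined");
        }

        URI[] distributionPoints = getDistributionPoints(x509Certificate);
        this.logger.debug("Distribution points for {}: {}.", CertUtils.toString(x509Certificate), Lists.newArrayList(distributionPoints));

        List<X509CRL> crls = new ArrayList<>(distributionPoints.length);
        try {
            for (URI uri : distributionPoints) {
                Element cached = this.crlCache.get(uri);
                if (cached != null) {
                    this.logger.debug("Found CRL in cache for {}", CertUtils.toString(x509Certificate));
                    // The cache stores the encoded CRL bytes (see addCRL); the fetcher re-parses them.
                    // NOTE(review): nothing in this method checks whether the cached CRL is still
                    // current; presumably the expired-CRL policy in the superclass covers that - confirm.
                    Resource cachedResource = new ByteArrayResource((byte[]) cached.getObjectValue());
                    X509CRL cachedCrl = this.fetcher.fetch(cachedResource);
                    if (cachedCrl != null) {
                        crls.add(cachedCrl);
                    } else {
                        this.logger.warn("Could not fetch X509 CRL for {}. Returned value is null", uri);
                    }
                } else {
                    this.logger.debug("CRL for {} is not cached. Fetching and caching...", CertUtils.toString(x509Certificate));
                    try {
                        // The URI originates from the certificate itself and is not filtered by
                        // scheme or host in this class before it reaches the fetcher.
                        X509CRL fetched = this.fetcher.fetch(uri);
                        if (fetched != null) {
                            this.logger.info("Success. Caching fetched CRL at {}.", uri);
                            addCRL(uri, fetched);
                            crls.add(fetched);
                        }
                    } catch (Exception e) {
                        this.logger.error("Error fetching CRL at {}", uri, e);
                        // Deliberate best effort: without throwOnFetchFailure the next
                        // distribution point is tried and this one contributes no CRL.
                        if (this.throwOnFetchFailure) {
                            throw Throwables.propagate(e);
                        }
                    }
                }
                if (!this.checkAll && !crls.isEmpty()) {
                    this.logger.debug("CRL fetching is configured to not check all locations.");
                    break;
                }
            }
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }

        this.logger.debug("Found {} CRLs", crls.size());
        return crls;
    }

    /**
     * Stores the encoded form of a CRL in the cache, or evicts the entry when no CRL is given.
     *
     * @param obj     cache key; {@link #getCRLs(X509Certificate)} passes the distribution point URI
     * @param x509crl CRL to cache, or {@code null} to remove the entry for {@code obj}
     * @return for a non-null CRL, whether the entry can be read back from the cache after the
     *         put; for a null CRL, the result of the cache removal
     * @throws RuntimeException if encoding the CRL or accessing the cache fails
     */
    @Override // org.apereo.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker
    protected boolean addCRL(Object obj, X509CRL x509crl) {
        try {
            if (x509crl == null) {
                this.logger.debug("No CRL was passed. Removing {} from cache...", obj);
                return this.crlCache.remove(obj);
            }
            this.crlCache.put(new Element(obj, x509crl.getEncoded()));
            // Read the entry back so the caller learns whether the cache actually kept it.
            return this.crlCache.get(obj) != null;
        } catch (Exception e) {
            this.logger.warn("Failed to add the crl entry [{}] to the cache", x509crl);
            throw Throwables.propagate(e);
        }
    }

    /**
     * Extracts the CRL distribution point URIs from the certificate's CRLDP extension.
     *
     * <p>Names that cannot be read as an IA5 string are logged and skipped. Any other
     * runtime error while reading the extension is logged and yields an empty array, so a
     * malformed extension is indistinguishable, for the caller, from a certificate that
     * names no distribution point.
     *
     * @param x509Certificate certificate to inspect
     * @return the distribution point URIs, possibly empty, never {@code null}
     */
    private URI[] getDistributionPoints(X509Certificate x509Certificate) {
        try {
            List<DistributionPoint> points = new ExtensionReader(x509Certificate).readCRLDistributionPoints();
            List<URI> urls = new ArrayList<>();
            if (points != null) {
                for (DistributionPoint point : points) {
                    DistributionPointName distributionPoint = point.getDistributionPoint();
                    if (distributionPoint == null) {
                        continue;
                    }
                    ASN1Sequence names = ASN1Sequence.getInstance(distributionPoint.getName());
                    for (int i = 0; i < names.size(); i++) {
                        GeneralName generalName = GeneralName.getInstance(names.getObjectAt(i));
                        this.logger.debug("Found CRL distribution point {}.", generalName);
                        try {
                            addURL(urls, DERIA5String.getInstance(generalName.getName()).getString());
                        } catch (RuntimeException ignored) {
                            // Name is not an IA5 string; skip it and keep the remaining names.
                            this.logger.warn("{} not supported. String or GeneralNameList expected.", distributionPoint);
                        }
                    }
                }
            }
            return urls.toArray(new URI[0]);
        } catch (RuntimeException e) {
            this.logger.error("Error reading CRLDistributionPoints extension field on {}", CertUtils.toString(x509Certificate), e);
            return new URI[0];
        }
    }

    /**
     * Parses a distribution point string and appends the resulting URI to the list.
     *
     * <p>The string is URL-decoded and rebuilt from its protocol, authority, path and
     * query (the fragment is dropped). If it is not accepted as a {@link URL}, it is
     * parsed directly as a {@link URI} instead. Strings that fail both ways are logged and
     * skipped. No scheme or host restriction is applied here.
     *
     * @param list destination list
     * @param str  distribution point string taken from the certificate
     */
    private void addURL(List<URI> list, String str) {
        try {
            URI uri;
            try {
                URL url = new URL(URLDecoder.decode(str, "UTF-8"));
                uri = new URI(url.getProtocol(), url.getAuthority(), url.getPath(), url.getQuery(), null);
            } catch (MalformedURLException ignored) {
                // Not accepted by java.net.URL; fall back to plain URI parsing of the raw string.
                uri = new URI(str);
            }
            list.add(uri);
        } catch (Exception ignored) {
            // Unusable entry: report it and continue with the other distribution points.
            this.logger.warn("{} is not a valid distribution point URI.", str);
        }
    }
}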
