package org.apereo.cas.adaptors.x509.authentication.revocation.checker;

import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.annotation.PostConstruct;
import org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.DenyRevocationPolicy;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy;
import org.apereo.cas.adaptors.x509.util.CertUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/adaptors/x509/authentication/revocation/checker/AbstractCRLRevocationChecker.class */
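/**
 * Base class for revocation checkers that decide a certificate's status from one or more
 * X.509 CRLs supplied by a subclass via {@link #getCRLs(X509Certificate)}.
 *
 * <p>Decision order in {@link #check(X509Certificate)}:
 * <ol>
 *   <li>no CRL data at all: the "unavailable CRL" policy decides (deny by default);</li>
 *   <li>every CRL has expired: the "expired CRL" policy is applied to each CRL;</li>
 *   <li>otherwise the non-expired CRLs are consulted and the certificate is rejected with
 *       {@link RevokedCertificateException} when <em>every</em> one of them lists it as revoked.</li>
 * </ol>
 *
 * <p>The two policies are only defaulted in {@link #init()}; when this class is used outside a
 * container that invokes {@code @PostConstruct}, call {@link #init()} or the setters first.
 */
public abstract class AbstractCRLRevocationChecker implements RevocationChecker {
    /** Logger, resolved against the concrete subclass; transient so it is never serialized. */
    protected transient Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Flag exposed to subclasses; this class itself never reads it.
     * NOTE(review): presumably tells a subclass to gather every available CRL source rather than
     * stopping at the first one — confirm against the subclass that consumes it.
     */
    protected boolean checkAll;

    /** Policy applied when no CRL data is available for the certificate; {@code null} until {@link #init()} or the setter runs. */
    private RevocationPolicy<Void> unavailableCRLPolicy;

    /** Policy applied to each CRL when every retrieved CRL has expired; {@code null} until {@link #init()} or the setter runs. */
    private RevocationPolicy<X509CRL> expiredCRLPolicy;

    /**
     * Fills in the default policies for any that were not configured explicitly:
     * deny when CRL data is unavailable, and a threshold-based policy for expired CRLs.
     * Safe to call more than once; it never overrides a policy that is already set.
     */
    @PostConstruct
    public void init() {
        if (this.unavailableCRLPolicy == null) {
            this.unavailableCRLPolicy = new DenyRevocationPolicy();
        }
        if (this.expiredCRLPolicy == null) {
            this.expiredCRLPolicy = new ThresholdExpiredCRLRevocationPolicy();
        }
    }

    /**
     * Evaluates the revocation status of the given certificate against the CRLs returned by
     * {@link #getCRLs(X509Certificate)}.
     *
     * <p>The collection returned by {@code getCRLs} is only read, never modified, so subclasses
     * may return an unmodifiable or cached collection.
     *
     * @param x509Certificate the certificate to check
     * @throws IllegalArgumentException  if {@code x509Certificate} is {@code null}
     * @throws RevokedCertificateException if every non-expired CRL lists the certificate as revoked
     * @throws GeneralSecurityException  if the unavailable-CRL or expired-CRL policy rejects the certificate
     * @throws NullPointerException      if a policy is still unset because {@link #init()} was never invoked
     */
    @Override // org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker
    public void check(final X509Certificate x509Certificate) throws GeneralSecurityException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Certificate cannot be null.");
        }
        this.logger.debug("Evaluating certificate revocation status for {}", CertUtils.toString(x509Certificate));

        final Collection<X509CRL> cRLs = getCRLs(x509Certificate);
        if (cRLs == null || cRLs.isEmpty()) {
            this.logger.warn("CRL data is not available for {}", CertUtils.toString(x509Certificate));
            this.unavailableCRLPolicy.apply(null);
            return;
        }

        // Partition into expired / still-valid instead of calling removeAll on the
        // collection handed to us: that collection may be unmodifiable (removeAll would
        // surface as an UnsupportedOperationException) or backed by a subclass cache.
        final List<X509CRL> expiredCrls = new ArrayList<>();
        final List<X509CRL> validCrls = new ArrayList<>();
        for (final X509CRL crl : cRLs) {
            if (CertUtils.isExpired(crl)) {
                this.logger.warn("CRL data expired on {}", crl.getNextUpdate());
                expiredCrls.add(crl);
            } else {
                validCrls.add(crl);
            }
        }

        if (validCrls.isEmpty()) {
            this.logger.warn("All CRLs retrieved have expired. Applying CRL expiration policy...");
            for (final X509CRL crl : expiredCrls) {
                this.expiredCRLPolicy.apply(crl);
            }
            return;
        }
        this.logger.debug("Valid CRLs [{}] found that are not expired yet", validCrls);

        final List<X509CRLEntry> revokedEntries = new ArrayList<>();
        for (final X509CRL crl : validCrls) {
            final X509CRLEntry entry = crl.getRevokedCertificate(x509Certificate);
            if (entry != null) {
                revokedEntries.add(entry);
            }
        }

        // NOTE(review): the certificate is rejected only when EVERY non-expired CRL lists it.
        // If the CRL sources disagree (listed in some, absent from others) the certificate is
        // accepted, i.e. this branch fails open on disagreement. Confirm that this matches the
        // intended policy for the CRL sources that the subclass supplies.
        if (revokedEntries.size() == validCrls.size()) {
            final X509CRLEntry x509CRLEntry = revokedEntries.get(0);
            this.logger.warn("All CRL entries have been revoked. Rejecting the first entry [{}]", x509CRLEntry);
            throw new RevokedCertificateException(x509CRLEntry);
        }
    }

    /**
     * Sets the policy applied when no CRL data is available.
     *
     * @param revocationPolicy the policy; a {@code null} value is replaced by the default on the next {@link #init()}
     */
    public void setUnavailableCRLPolicy(final RevocationPolicy<Void> revocationPolicy) {
        this.unavailableCRLPolicy = revocationPolicy;
    }

    /**
     * Sets the policy applied to each CRL when all retrieved CRLs have expired.
     *
     * @param revocationPolicy the policy; a {@code null} value is replaced by the default on the next {@link #init()}
     */
    public void setExpiredCRLPolicy(final RevocationPolicy<X509CRL> revocationPolicy) {
        this.expiredCRLPolicy = revocationPolicy;
    }

    /** @return the policy applied when no CRL data is available, or {@code null} if not yet configured */
    public RevocationPolicy<Void> getUnavailableCRLPolicy() {
        return this.unavailableCRLPolicy;
    }

    /** @return the policy applied to expired CRLs, or {@code null} if not yet configured */
    public RevocationPolicy<X509CRL> getExpiredCRLPolicy() {
        return this.expiredCRLPolicy;
    }

    /**
     * Sets the {@link #checkAll} flag consumed by subclasses.
     *
     * @param z the new flag value
     */
    public void setCheckAll(final boolean z) {
        this.checkAll = z;
    }

    /**
     * Returns the first CRL that {@link #getCRLs(X509Certificate)} yields for the certificate.
     * No expiry or revocation evaluation is performed here.
     *
     * @param x509Certificate the certificate whose CRL is wanted
     * @return the first available CRL, or {@code null} when the subclass has none
     */
    public X509CRL getCRL(final X509Certificate x509Certificate) {
        final Collection<X509CRL> cRLs = getCRLs(x509Certificate);
        if (cRLs == null || cRLs.isEmpty()) {
            this.logger.debug("No CRL could be found for {}", CertUtils.toString(x509Certificate));
            return null;
        }
        return cRLs.iterator().next();
    }

    /**
     * Stores a CRL under the given key in the subclass's CRL store.
     *
     * @param obj     the key; its type and meaning are defined by the subclass
     * @param x509crl the CRL to add
     * @return whether the CRL was added (exact semantics are defined by the subclass)
     */
    protected abstract boolean addCRL(Object obj, X509CRL x509crl);

    /**
     * Supplies the CRLs relevant to the given certificate.
     *
     * @param x509Certificate the certificate being checked
     * @return the CRLs to consult; may be empty or {@code null}, and is never modified by this class
     */
    protected abstract Collection<X509CRL> getCRLs(X509Certificate x509Certificate);
}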
