package org.apereo.cas.adaptors.x509.authentication.revocation.checker;

import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.DenyRevocationPolicy;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy;
import org.apereo.cas.adaptors.x509.util.CertUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/adaptors/x509/authentication/revocation/checker/AbstractCRLRevocationChecker.class */
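/**
 * Base class for revocation checkers that decide whether an X.509 certificate has been
 * revoked by consulting certificate revocation lists (CRLs).
 *
 * <p>Subclasses supply the CRLs through {@link #getCRLs(X509Certificate)}. This class decides
 * what to do when no CRL is available, when CRLs are expired, and when a CRL lists the
 * certificate.
 *
 * <p>NOTE(review): nothing in this class verifies a CRL's signature or checks that it was issued
 * by the certificate's issuer. Presumably that happens where CRLs are fetched or stored
 * (see {@link #addCRL(Object, X509CRL)}); confirm in the subclasses.
 */
public abstract class AbstractCRLRevocationChecker implements RevocationChecker {
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractCRLRevocationChecker.class);

    // Stored for subclasses; check() in this class never reads it.
    // NOTE(review): presumably controls whether every CRL source is consulted; confirm in subclasses.
    protected final boolean checkAll;

    // Applied (with a null argument) when getCRLs() yields nothing.
    private final RevocationPolicy<Void> unavailableCRLPolicy;

    // Applied to each CRL when every retrieved CRL is expired.
    private final RevocationPolicy<X509CRL> expiredCRLPolicy;

    /**
     * Creates the checker.
     *
     * @param checkAll             flag kept in {@link #checkAll} for subclasses
     * @param unavailableCRLPolicy policy applied when no CRL is available; {@code null} selects a
     *                             {@link DenyRevocationPolicy}
     * @param expiredCRLPolicy     policy applied when all CRLs are expired; {@code null} selects a
     *                             {@link ThresholdExpiredCRLRevocationPolicy} built with threshold
     *                             {@code 0}
     */
    public AbstractCRLRevocationChecker(boolean checkAll, RevocationPolicy<Void> unavailableCRLPolicy, RevocationPolicy<X509CRL> expiredCRLPolicy) {
        this.checkAll = checkAll;
        this.unavailableCRLPolicy = unavailableCRLPolicy == null ? new DenyRevocationPolicy() : unavailableCRLPolicy;
        this.expiredCRLPolicy = expiredCRLPolicy == null ? new ThresholdExpiredCRLRevocationPolicy(0) : expiredCRLPolicy;
    }

    /**
     * Evaluates the revocation status of the given certificate.
     *
     * <ol>
     *   <li>No CRLs available: the unavailable-CRL policy is applied and the method returns.</li>
     *   <li>Every CRL expired: the expired-CRL policy is applied to each CRL and the method
     *       returns. No revocation lookup is performed in this case, so the certificate is
     *       accepted whenever the policy does not throw.</li>
     *   <li>Otherwise expired CRLs are set aside (the expired-CRL policy is not applied to them)
     *       and the certificate is looked up in the remaining CRLs.</li>
     * </ol>
     *
     * @param x509Certificate certificate to check; must not be {@code null}
     * @throws IllegalArgumentException    if {@code x509Certificate} is {@code null}
     * @throws RevokedCertificateException if every non-expired CRL lists the certificate
     * @throws GeneralSecurityException    propagated from the configured policies
     */
    @Override
    public void check(X509Certificate x509Certificate) throws GeneralSecurityException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Certificate cannot be null.");
        }
        LOGGER.debug("Evaluating certificate revocation status for [{}]", CertUtils.toString(x509Certificate));

        Collection<X509CRL> crls = getCRLs(x509Certificate);
        if (crls == null || crls.isEmpty()) {
            LOGGER.warn("CRL data is not available for [{}]", CertUtils.toString(x509Certificate));
            // Whether the certificate is accepted here depends entirely on the policy.
            this.unavailableCRLPolicy.apply(null);
            return;
        }

        // Partition into fresh lists instead of calling removeAll() on the collection returned by
        // getCRLs(): that collection belongs to the subclass and may be unmodifiable or shared
        // (for example a cache), so it must not be mutated here. Each CRL is tested for expiry
        // exactly once so both lists reflect the same point in time.
        List<X509CRL> expiredCrls = new ArrayList<>();
        List<X509CRL> validCrls = new ArrayList<>();
        for (X509CRL crl : crls) {
            if (CertUtils.isExpired(crl)) {
                LOGGER.warn("CRL data expired on [{}]", crl.getNextUpdate());
                expiredCrls.add(crl);
            } else {
                validCrls.add(crl);
            }
        }

        if (validCrls.isEmpty()) {
            LOGGER.warn("All CRLs retrieved have expired. Applying CRL expiration policy...");
            for (X509CRL crl : expiredCrls) {
                this.expiredCRLPolicy.apply(crl);
            }
            // No CRL is consulted for the certificate on this path.
            return;
        }

        LOGGER.debug("Valid CRLs [{}] found that are not expired yet", validCrls);

        // getRevokedCertificate() returns null when the CRL has no entry for the certificate.
        List<X509CRLEntry> revokedEntries = validCrls.stream()
            .map(crl -> crl.getRevokedCertificate(x509Certificate))
            .filter(Objects::nonNull)
            .collect(Collectors.toList());

        // NOTE(review): the certificate is rejected only when EVERY non-expired CRL lists it.
        // A certificate listed in some CRLs but absent from at least one other is accepted.
        // Confirm this is intended; rejecting on any match (!revokedEntries.isEmpty()) is the
        // fail-closed alternative. Behaviour is left unchanged here.
        if (revokedEntries.size() == validCrls.size()) {
            X509CRLEntry firstEntry = revokedEntries.get(0);
            LOGGER.warn("All CRL entries have been revoked. Rejecting the first entry [{}]", firstEntry);
            throw new RevokedCertificateException(firstEntry);
        }
    }

    /**
     * Returns the policy applied when no CRL is available for a certificate.
     *
     * @return the unavailable-CRL policy, never {@code null}
     */
    public RevocationPolicy<Void> getUnavailableCRLPolicy() {
        return this.unavailableCRLPolicy;
    }

    /**
     * Returns the policy applied when all CRLs for a certificate are expired.
     *
     * @return the expired-CRL policy, never {@code null}
     */
    public RevocationPolicy<X509CRL> getExpiredCRLPolicy() {
        return this.expiredCRLPolicy;
    }

    /**
     * Records a CRL under the given identifier. Not called from this class.
     *
     * @param obj     identifier for the CRL (its meaning is defined by the subclass)
     * @param x509crl CRL to record
     * @return result reported by the subclass; presumably whether the CRL was stored (confirm)
     */
    protected abstract boolean addCRL(Object obj, X509CRL x509crl);

    /**
     * Supplies the CRLs to consult for the given certificate.
     *
     * @param x509Certificate certificate being checked
     * @return the CRLs; {@code null} or an empty collection is treated as "CRL unavailable"
     */
    protected abstract Collection<X509CRL> getCRLs(X509Certificate x509Certificate);
}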
