package eu.europa.esig.dss.crl;

import eu.europa.esig.dss.DSSException;
import eu.europa.esig.dss.SignatureAlgorithm;
import eu.europa.esig.dss.tsl.KeyUsageBit;
import eu.europa.esig.dss.x509.CertificateToken;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/crl/CRLUtilsX509CRLImpl.class */
/**
 * {@link ICRLUtils} implementation that parses CRLs into {@link X509CRL} objects using a
 * BouncyCastle-backed {@link CertificateFactory}.
 *
 * <p>Loading this class registers a {@link BouncyCastleProvider} through
 * {@link Security#addProvider}, which is a JVM-wide side effect.
 *
 * <p>Security note: nothing in this class decides whether a CRL may be trusted. The validation
 * entry point only records facts on the returned {@link CRLValidity}; the caller has to evaluate
 * them before relying on any revocation entry.
 */
public class CRLUtilsX509CRLImpl extends AbstractCRLUtils implements ICRLUtils {
    private static final Logger LOG = LoggerFactory.getLogger(CRLUtilsX509CRLImpl.class);
    private static final BouncyCastleProvider BC_PROVIDER = new BouncyCastleProvider();
    private static final CertificateFactory CERT_FACTORY;

    // The factory is looked up by provider name, so the provider has to be registered first.
    static {
        try {
            Security.addProvider(BC_PROVIDER);
            CERT_FACTORY = CertificateFactory.getInstance("X.509", "BC");
        } catch (CertificateException factoryUnavailable) {
            LOG.error(factoryUnavailable.getMessage(), factoryUnavailable);
            throw new DSSException("Platform does not support X509 certificate", factoryUnavailable);
        } catch (NoSuchProviderException providerUnavailable) {
            LOG.error(providerUnavailable.getMessage(), providerUnavailable);
            throw new DSSException("Platform does not support BouncyCastle", providerUnavailable);
        }
    }

    /**
     * Parses a CRL and records how it relates to a candidate issuer certificate.
     *
     * <p>The result carries the signature algorithm, the thisUpdate and nextUpdate values, whether
     * the CRL issuer name equals the candidate's subject name, the outcome of the extension helpers
     * and the outcome of the signature check. The crlSign key usage is evaluated only when the
     * signature verified.
     *
     * <p>Security note: a bad signature does not raise an exception here, it is only reflected in
     * the result. The update dates are copied, not compared with any clock. The issuer-name match,
     * the signature result and the crlSign key usage are independent facts, and a caller should
     * require all of them (and a trusted {@code certificateToken}) before using the CRL.
     *
     * @param inputStream stream holding the encoded CRL; it is read but not closed here
     * @param certificateToken candidate issuer whose public key is used to verify the CRL
     * @return the populated validity object
     * @throws DSSException if the CRL cannot be parsed
     */
    public CRLValidity isValidCRL(InputStream inputStream, CertificateToken certificateToken) {
        final X509CRLValidity validity = new X509CRLValidity();
        final X509CRL crl = loadCRL(inputStream);

        try {
            validity.setX509CRL(crl);
            validity.setCrlEncoded(crl.getEncoded());
        } catch (CRLException encodingFailure) {
            // Best effort: the encoded form stays unset and the remaining checks still run.
            LOG.error("Unable to read the CRL binaries", encodingFailure);
        }

        final String signatureOid = crl.getSigAlgOID();
        validity.setSignatureAlgorithm(SignatureAlgorithm.forOID(signatureOid));
        validity.setThisUpdate(crl.getThisUpdate());
        validity.setNextUpdate(crl.getNextUpdate());

        // Name comparison only; it says nothing about who actually signed the CRL.
        final boolean issuerNameMatches =
                crl.getIssuerX500Principal().equals(certificateToken.getSubjectX500Principal());
        if (issuerNameMatches) {
            validity.setIssuerX509PrincipalMatches(true);
        }

        final String distributionPointOid = Extension.issuingDistributionPoint.getId();
        final String expiredCertsOid = Extension.expiredCertsOnCRL.getId();
        checkCriticalExtensions(
                validity, crl.getCriticalExtensionOIDs(), crl.getExtensionValue(distributionPointOid));
        extractExpiredCertsOnCRL(validity, crl.getExtensionValue(expiredCertsOid));

        checkSignatureValue(crl, certificateToken, validity);
        if (!validity.isSignatureIntact()) {
            return validity;
        }
        validity.setCrlSignKeyUsage(certificateToken.checkKeyUsage(KeyUsageBit.crlSign));
        return validity;
    }

    /**
     * Verifies the CRL signature with the candidate's public key and stores the outcome.
     *
     * <p>On success the signature is flagged intact and the candidate becomes the issuer token. On
     * a verification failure the exception class name and message are stored as the invalidity
     * reason and nothing is thrown.
     *
     * @throws DSSException if the verification reports a missing provider
     */
    private void checkSignatureValue(X509CRL crl, CertificateToken signerCandidate, CRLValidity validity) {
        try {
            crl.verify(signerCandidate.getPublicKey());
            validity.setSignatureIntact(true);
            validity.setIssuerToken(signerCandidate);
        } catch (NoSuchProviderException providerMissing) {
            throw new DSSException(providerMissing);
        } catch (KeyException | NoSuchAlgorithmException | SignatureException | CRLException verificationFailure) {
            final String failureKind = verificationFailure.getClass().getSimpleName();
            validity.setSignatureInvalidityReason(failureKind + " - " + verificationFailure.getMessage());
        }
    }

    /**
     * Looks up the CRL entry for a certificate serial number.
     *
     * <p>Security note: {@code null} only means the serial is not listed in this CRL. The lookup
     * does not consult the flags on {@code cRLValidity}, so the caller must have checked them.
     *
     * @param cRLValidity validity object that carries the CRL or a stream to re-read it from
     * @param bigInteger serial number of the certificate to look up
     * @return the matching entry, or {@code null} when the CRL has no entry for the serial
     */
    public X509CRLEntry getRevocationInfo(CRLValidity cRLValidity, BigInteger bigInteger) {
        final X509CRL crl = getCRL(cRLValidity);
        return crl.getRevokedCertificate(bigInteger);
    }

    /**
     * Returns the parsed CRL held by the validity object, or re-parses it from its stream.
     *
     * <p>NOTE(review): the fallback path re-parses without verifying the signature again, so it
     * relies on the stream yielding the bytes that were validated earlier; confirm with callers.
     */
    private X509CRL getCRL(CRLValidity validity) {
        if (validity instanceof X509CRLValidity) {
            final X509CRL alreadyParsed = ((X509CRLValidity) validity).getX509CRL();
            if (alreadyParsed != null) {
                return alreadyParsed;
            }
        }
        return loadCRL(validity.getCrlInputStream());
    }

    /**
     * Parses one CRL from the stream with the shared certificate factory.
     *
     * <p>The input is parsed before any signature check, so it must be treated as untrusted here.
     *
     * @throws DSSException if the factory rejects the data or yields no CRL
     */
    private X509CRL loadCRL(InputStream crlStream) {
        final X509CRL parsed;
        try {
            parsed = (X509CRL) CERT_FACTORY.generateCRL(crlStream);
        } catch (CRLException parseFailure) {
            throw new DSSException(parseFailure);
        }
        if (parsed == null) {
            throw new DSSException("Unable to parse the CRL");
        }
        return parsed;
    }
}
