package org.xipki.security.asn1;

import java.io.BufferedInputStream;
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import org.bouncycastle.asn1.ASN1BitString;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERGeneralizedTime;
import org.bouncycastle.asn1.DERUTCTime;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.operator.ContentVerifier;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Arrays;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.CrlReason;
import org.xipki.security.asn1.Asn1StreamParser;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.SignerUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.LogUtil;

/* loaded from: input_file:org/xipki/security/asn1/CrlStreamParser.class */
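/**
 * Streaming parser for a DER-encoded X.509 CRL stored in a file.
 *
 * <p>The constructor reads the CRL header, the CRL extensions and the outer
 * signature fields, and records byte offsets into the file. The revoked-certificate
 * entries are not loaded into memory; they are read on demand through
 * {@link #revokedCertificates()}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Construction does <em>not</em> verify the CRL signature. Call
 *       {@link #verifySignature(PublicKey)} (or the {@link SubjectPublicKeyInfo}
 *       overload) and check the result before relying on any parsed value or on
 *       the revoked entries.</li>
 *   <li>{@link #verifySignature(PublicKey)} and {@link #revokedCertificates()} each
 *       re-open the file and reuse the offsets computed at construction time. The
 *       bytes that are verified and the bytes that are iterated are whatever is on
 *       disk at the time of the respective call, so the file must not be writable by
 *       an untrusted party between construction, verification and iteration.</li>
 *   <li>Malformed input is reported with {@link IllegalArgumentException},
 *       {@link IllegalStateException} or {@link IOException}; treat all of them as
 *       "CRL not usable".</li>
 * </ul>
 */
public class CrlStreamParser extends Asn1StreamParser {
    private static final Logger LOG = LoggerFactory.getLogger(CrlStreamParser.class);

    /** DER tag of a universal INTEGER. */
    private static final int DER_TAG_INTEGER = 2;
    /** DER tag of a universal BIT STRING. */
    private static final int DER_TAG_BIT_STRING = 3;
    /** DER tag of a UTCTime. */
    private static final int DER_TAG_UTC_TIME = 23;
    /** DER tag of a GeneralizedTime. */
    private static final int DER_TAG_GENERALIZED_TIME = 24;
    /** DER tag of a constructed SEQUENCE. */
    private static final int DER_TAG_SEQUENCE = 48;
    /** DER tag of the constructed, context-specific [0] element (crlExtensions). */
    private static final int DER_TAG_CONTEXT_0 = 160;
    /** ASCII '-'; presumably the first byte of a PEM "-----BEGIN" line. */
    private static final int ASCII_HYPHEN = 45;

    private final File crlFile;
    private final int version;
    private final X500Name issuer;
    private final Date thisUpdate;
    private final Date nextUpdate;
    private final AlgorithmIdentifier algorithmIdentifier;
    private final byte[] signature;
    private final BigInteger crlNumber;
    private final BigInteger baseCrlNumber;
    private final Extensions crlExtensions;
    // File offsets recorded by the constructor; -1 for the two revokedCertificates
    // offsets when no revokedCertificates element was found.
    private final int firstRevokedCertificateOffset;
    private final int revokedCertificatesEndIndex;
    private final int tbsCertListOffset;
    private final int tbsCertListEndIndex;

    /**
     * One entry of the CRL's revokedCertificates list.
     *
     * <p>Times are stored as seconds since the epoch ({@code Date.getTime() / 1000}).
     */
    public static class RevokedCert {
        private final BigInteger serialNumber;
        private final long revocationDate;
        private final int reason;
        private final long invalidityDate;
        private final X500Name certificateIssuer;

        private RevokedCert(BigInteger serialNumber, Date revocationDate, int reason,
                Date invalidityDate, X500Name certificateIssuer) {
            this.serialNumber = serialNumber;
            this.revocationDate = revocationDate.getTime() / 1000;
            this.reason = reason;
            this.certificateIssuer = certificateIssuer;
            // 0 means "no separate invalidity date": either the extension is absent
            // or it carries the same instant as the revocation date.
            if (invalidityDate == null || revocationDate.equals(invalidityDate)) {
                this.invalidityDate = 0L;
            } else {
                this.invalidityDate = invalidityDate.getTime() / 1000;
            }
        }

        /** Returns the serial number of the revoked certificate. */
        public BigInteger getSerialNumber() {
            return this.serialNumber;
        }

        /** Returns the revocation time in seconds since the epoch. */
        public long getRevocationDate() {
            return this.revocationDate;
        }

        /** Returns the numeric CRL reason code; 0 when the entry has no extensions. */
        public int getReason() {
            return this.reason;
        }

        /**
         * Returns the invalidity time in seconds since the epoch, or 0 when the entry
         * has no invalidityDate extension or it equals the revocation date.
         */
        public long getInvalidityDate() {
            return this.invalidityDate;
        }

        /** Returns the certificateIssuer entry extension value, or {@code null} if absent. */
        public X500Name getCertificateIssuer() {
            return this.certificateIssuer;
        }
    }

    /**
     * Iterator over the revoked-certificate entries, reading them from the CRL file
     * one at a time. It holds an open file stream and must be closed by the caller.
     *
     * <p>The entries are read from the file as it exists while iterating; this class
     * does not check them against the CRL signature.
     */
    public class RevokedCertsIterator implements Iterator<RevokedCert>, Closeable {
        private BufferedInputStream instream;
        private RevokedCert next;
        private int offset;

        private RevokedCertsIterator() throws IOException {
            BufferedInputStream in = new BufferedInputStream(
                    Files.newInputStream(CrlStreamParser.this.crlFile.toPath()));
            this.instream = in;
            try {
                Asn1StreamParser.skip(in, CrlStreamParser.this.firstRevokedCertificateOffset);
                this.offset = CrlStreamParser.this.firstRevokedCertificateOffset;
                next0();
            } catch (IOException | RuntimeException e) {
                // The caller never receives the iterator when construction fails, so
                // nobody else could close the stream: release it here.
                try {
                    in.close();
                } catch (IOException closeError) {
                    e.addSuppressed(closeError);
                }
                this.instream = null;
                throw e;
            }
        }

        @Override
        public boolean hasNext() {
            return this.next != null;
        }

        /**
         * Returns the pre-fetched entry and reads the following one.
         *
         * @throws IllegalStateException if there is no further entry (note: not
         *     {@code NoSuchElementException}; kept for compatibility with existing
         *     callers), or if reading the following entry fails with an I/O error
         * @throws IllegalArgumentException if the following entry is malformed
         */
        @Override
        public RevokedCert next() {
            RevokedCert current = this.next;
            if (current == null) {
                throw new IllegalStateException("no next object anymore");
            }
            next0();
            return current;
        }

        /** Reads the next entry into {@link #next}, or sets it to {@code null} at the end. */
        private void next0() {
            if (this.offset >= CrlStreamParser.this.revokedCertificatesEndIndex) {
                this.next = null;
                return;
            }
            if (this.instream == null) {
                // Fail loudly rather than silently ending the iteration: a truncated
                // revocation list must not look like a complete one.
                throw new IllegalStateException("iterator is closed");
            }
            try {
                byte[] encoded = Asn1StreamParser.readBlock(DER_TAG_SEQUENCE, this.instream, "revokedCertificate");
                this.offset += encoded.length;
                ASN1Sequence entry = ASN1Sequence.getInstance(encoded);
                if (entry.size() < 2) {
                    throw new IllegalArgumentException("revokedCertificate has too few elements: " + entry.size());
                }
                BigInteger serialNumber = ASN1Integer.getInstance(entry.getObjectAt(0)).getValue();
                Date revocationDate = Asn1StreamParser.readTime(entry.getObjectAt(1));
                Date invalidityDate = null;
                int reason = 0;
                X500Name certificateIssuer = null;
                if (entry.size() > 2) {
                    Extensions extensions = Extensions.getInstance(entry.getObjectAt(2));

                    byte[] issuerValue = X509Util.getCoreExtValue(extensions, Extension.certificateIssuer);
                    if (issuerValue != null) {
                        GeneralNames issuerNames = GeneralNames.getInstance(issuerValue);
                        if (issuerNames.getNames().length == 0) {
                            throw new IllegalArgumentException("empty certificateIssuer extension");
                        }
                        // Only the first GeneralName is used.
                        certificateIssuer = X500Name.getInstance(issuerNames.getNames()[0].getName());
                    }

                    byte[] invalidityValue = X509Util.getCoreExtValue(extensions, Extension.invalidityDate);
                    if (invalidityValue != null) {
                        if (invalidityValue.length == 0) {
                            throw new IllegalArgumentException("empty invalidityDate extension");
                        }
                        int timeTag = invalidityValue[0] & 255;
                        try {
                            if (timeTag == DER_TAG_UTC_TIME) {
                                invalidityDate = DERUTCTime.getInstance(invalidityValue).getDate();
                            } else if (timeTag == DER_TAG_GENERALIZED_TIME) {
                                invalidityDate = DERGeneralizedTime.getInstance(invalidityValue).getDate();
                            } else {
                                throw new IllegalArgumentException("invalid tag " + timeTag);
                            }
                        } catch (ParseException e) {
                            throw new IllegalArgumentException("error parsing time", e);
                        }
                    }

                    byte[] reasonValue = X509Util.getCoreExtValue(extensions, Extension.reasonCode);
                    reason = reasonValue == null
                            ? CrlReason.UNSPECIFIED.getCode()
                            : CRLReason.getInstance(reasonValue).getValue().intValue();
                }
                this.next = new RevokedCert(serialNumber, revocationDate, reason, invalidityDate, certificateIssuer);
            } catch (IOException e) {
                throw new IllegalStateException("error reading next revokedCertificate", e);
            }
        }

        /** Closes the underlying file stream; calling it again has no effect. */
        @Override
        public void close() throws IOException {
            if (this.instream != null) {
                this.instream.close();
            }
            this.instream = null;
        }
    }

    /**
     * Parses the header, extensions and signature fields of the CRL in {@code file}.
     * The signature is stored but not verified here.
     *
     * @param file the DER-encoded CRL file; must not be {@code null}
     * @throws IOException if the file cannot be read
     * @throws IllegalArgumentException if the file does not start with a DER
     *     SEQUENCE, if a length is out of range, or if the outer signatureAlgorithm
     *     differs from tbsCertList.signature
     */
    public CrlStreamParser(File file) throws IOException {
        this.crlFile = (File) Args.notNull(file, "crlFile");
        try (BufferedInputStream in = new BufferedInputStream(Files.newInputStream(file.toPath()))) {
            int tag = markAndReadTag(in);
            if (tag == ASCII_HYPHEN) {
                throw new IllegalArgumentException("The CRL is not DER encoded.");
            }
            assertTag(DER_TAG_SEQUENCE, tag, "CertificateList");

            // NOTE(review): MyInt.get() is used below as "number of bytes just consumed"
            // by readLength/readTime - confirm against Asn1StreamParser.
            Asn1StreamParser.MyInt lengthBytes = new Asn1StreamParser.MyInt();
            readLength(lengthBytes, in);
            int offset = 1 + lengthBytes.get();
            this.tbsCertListOffset = offset;

            assertTag(DER_TAG_SEQUENCE, markAndReadTag(in), "tbsCertList");
            offset++;
            int tbsCertListLength = readLength(lengthBytes, in);
            offset += lengthBytes.get();
            int tbsEnd = offset + tbsCertListLength;
            // The length comes from the file: reject values that are negative or that
            // wrap the int offset, since verifySignature() relies on this range.
            if (tbsCertListLength < 0 || tbsEnd < offset) {
                throw new IllegalArgumentException("invalid tbsCertList length");
            }
            this.tbsCertListEndIndex = tbsEnd;

            // version is OPTIONAL; 0 is used when it is absent.
            tag = markAndReadTag(in);
            if (tag == DER_TAG_INTEGER) {
                byte[] versionBytes = readBlock(in, "tbsCertList.version");
                offset += versionBytes.length;
                this.version = ASN1Integer.getInstance(versionBytes).getValue().intValue();
                tag = markAndReadTag(in);
            } else {
                this.version = 0;
            }

            assertTag(DER_TAG_SEQUENCE, tag, "tbsCertList.signature");
            byte[] tbsSignatureBytes = readBlock(in, "tbsCertList.signature");
            offset += tbsSignatureBytes.length;
            AlgorithmIdentifier tbsSignatureAlgorithm = AlgorithmIdentifier.getInstance(tbsSignatureBytes);

            byte[] issuerBytes = readBlock(DER_TAG_SEQUENCE, in, "tbsCertList.issuer");
            offset += issuerBytes.length;
            this.issuer = X500Name.getInstance(issuerBytes);

            Asn1StreamParser.MyInt fieldBytes = new Asn1StreamParser.MyInt();
            this.thisUpdate = readTime(fieldBytes, in, "tbsCertList.thisUpdate");
            offset += fieldBytes.get();

            // Anything other than a SEQUENCE at this position is read as nextUpdate.
            tag = markAndReadTag(in);
            if (tag != DER_TAG_SEQUENCE) {
                in.reset();
                this.nextUpdate = readTime(fieldBytes, in, "tbsCertList.nextUpdate");
                offset += fieldBytes.get();
                tag = markAndReadTag(in);
            } else {
                this.nextUpdate = null;
            }

            offset++;
            // NOTE(review): this compares the absolute file offset with the tbsCertList
            // length (not its end index), and the offset has already counted the tag
            // byte when the stream is reset below - kept as in the original; confirm.
            if (offset >= tbsCertListLength || DER_TAG_SEQUENCE != tag) {
                in.reset();
                this.revokedCertificatesEndIndex = -1;
                this.firstRevokedCertificateOffset = -1;
            } else {
                int revokedCertificatesLength = readLength(lengthBytes, in);
                int firstEntryOffset = offset + lengthBytes.get();
                this.revokedCertificatesEndIndex = offset + revokedCertificatesLength;
                this.firstRevokedCertificateOffset = firstEntryOffset;
                // Entries are not parsed here; RevokedCertsIterator reads them later.
                skip(in, revokedCertificatesLength);
                offset = firstEntryOffset + revokedCertificatesLength;
            }

            Extensions extensions = null;
            while (offset < tbsEnd) {
                int elementTag = markAndReadTag(in);
                int elementLength = readLength(fieldBytes, in);
                int contentOffset = offset + 1 + fieldBytes.get();
                if (elementTag != DER_TAG_CONTEXT_0) {
                    skip(in, elementLength);
                    offset = contentOffset + elementLength;
                } else {
                    in.mark(1);
                    byte[] extensionsBytes = readBlock(DER_TAG_SEQUENCE, in, "crlExtensions");
                    offset = contentOffset + extensionsBytes.length;
                    extensions = Extensions.getInstance(extensionsBytes);
                }
            }
            this.crlExtensions = extensions;

            if (extensions != null) {
                byte[] crlNumberValue = X509Util.getCoreExtValue(extensions, Extension.cRLNumber);
                this.crlNumber = crlNumberValue == null
                        ? null : ASN1Integer.getInstance(crlNumberValue).getValue();
                byte[] baseCrlNumberValue = X509Util.getCoreExtValue(extensions, Extension.deltaCRLIndicator);
                this.baseCrlNumber = baseCrlNumberValue == null
                        ? null : ASN1Integer.getInstance(baseCrlNumberValue).getPositiveValue();
            } else {
                this.crlNumber = null;
                this.baseCrlNumber = null;
            }

            this.algorithmIdentifier = AlgorithmIdentifier.getInstance(
                    readBlock(DER_TAG_SEQUENCE, in, "signatureAlgorithm"));
            // The algorithm named inside the signed part must match the outer one that
            // is actually used for verification.
            if (!tbsSignatureAlgorithm.equals(this.algorithmIdentifier)) {
                throw new IllegalArgumentException("algorithmIdentifier != tbsCertList.signature");
            }
            this.signature = ASN1BitString.getInstance(
                    readBlock(DER_TAG_BIT_STRING, in, "signature")).getBytes();
        }
    }

    /** Returns the encoded tbsCertList.version value, or 0 when the field is absent. */
    public int getVersion() {
        return this.version;
    }

    /** Returns the CRL issuer name. */
    public X500Name getIssuer() {
        return this.issuer;
    }

    /** Returns the thisUpdate time. */
    public Date getThisUpdate() {
        return this.thisUpdate;
    }

    /** Returns the nextUpdate time, or {@code null} when the field is absent. */
    public Date getNextUpdate() {
        return this.nextUpdate;
    }

    /** Returns the outer signatureAlgorithm (checked equal to tbsCertList.signature). */
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        return this.algorithmIdentifier;
    }

    /** Returns a copy of the signature bytes, so callers cannot alter the stored value. */
    public byte[] getSignature() {
        return Arrays.copyOf(this.signature, this.signature.length);
    }

    /** Returns the cRLNumber extension value, or {@code null} when absent. */
    public BigInteger getCrlNumber() {
        return this.crlNumber;
    }

    /** Returns the deltaCRLIndicator extension value, or {@code null} when absent. */
    public BigInteger getBaseCrlNumber() {
        return this.baseCrlNumber;
    }

    /** Returns {@code true} when the CRL carries a deltaCRLIndicator extension. */
    public boolean isDeltaCrl() {
        return this.baseCrlNumber != null;
    }

    /** Returns the CRL extensions, or {@code null} when the CRL has none. */
    public Extensions getCrlExtensions() {
        return this.crlExtensions;
    }

    /**
     * Verifies the CRL signature with the given encoded public key.
     *
     * @param subjectPublicKeyInfo the issuer's public key
     * @return {@code true} only if the signature is valid
     * @throws IOException if the CRL file cannot be read
     * @throws IllegalArgumentException if the public key cannot be decoded
     */
    public boolean verifySignature(SubjectPublicKeyInfo subjectPublicKeyInfo) throws IOException {
        try {
            return verifySignature(KeyUtil.generatePublicKey(subjectPublicKeyInfo));
        } catch (InvalidKeySpecException e) {
            throw new IllegalArgumentException("error parsing public key", e);
        }
    }

    /**
     * Verifies the CRL signature over the tbsCertList bytes, which are re-read from
     * the CRL file using the offsets recorded by the constructor.
     *
     * <p>The result covers the file content at the time of this call only. A
     * {@code false} return (including the case where the verifier cannot be created
     * for the key or algorithm) means the CRL must not be trusted.
     *
     * @param publicKey the issuer's public key
     * @return {@code true} only if the signature is valid
     * @throws IOException if the file cannot be read or ends before the tbsCertList does
     */
    public boolean verifySignature(PublicKey publicKey) throws IOException {
        try {
            ContentVerifier verifier =
                    SignerUtil.getContentVerifierProvider(publicKey, null).get(this.algorithmIdentifier);
            OutputStream verifierInput = verifier.getOutputStream();
            try (InputStream in = Files.newInputStream(this.crlFile.toPath())) {
                skip(in, this.tbsCertListOffset);
                int remaining = this.tbsCertListEndIndex - this.tbsCertListOffset;
                byte[] buffer = new byte[1024];
                do {
                    int read = in.read(buffer);
                    if (read == -1) {
                        break;
                    }
                    if (read > 0) {
                        // Never feed bytes beyond the end of tbsCertList to the verifier.
                        int count = Math.min(read, remaining);
                        verifierInput.write(buffer, 0, count);
                        remaining -= count;
                    }
                } while (remaining != 0);
                if (remaining != 0) {
                    throw new IOException("could not read all tbsCertList");
                }
            }
            verifierInput.close();
            return verifier.verify(getSignature());
        } catch (InvalidKeyException | OperatorCreationException e) {
            // Fail closed: an unusable key or algorithm is reported as "not verified".
            LogUtil.error(LOG, e, "could not verify CRL signature");
            return false;
        }
    }

    /**
     * Opens a new iterator over the revoked-certificate entries. The iterator holds
     * an open file stream; close it when done (for example with try-with-resources).
     *
     * @throws IOException if the CRL file cannot be opened or positioned
     */
    public RevokedCertsIterator revokedCertificates() throws IOException {
        return new RevokedCertsIterator();
    }
}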
