package weblogic.security.pki.revocation.common;

import com.rsa.certj.CertJ;
import com.rsa.certj.DatabaseService;
import com.rsa.certj.InvalidParameterException;
import com.rsa.certj.InvalidUseException;
import com.rsa.certj.ProviderManagementException;
import com.rsa.certj.cert.X500Name;
import com.rsa.certj.cert.X509CRL;
import com.rsa.certj.provider.db.FlatFileDB;
import com.rsa.certj.provider.path.X509V1CertPath;
import com.rsa.certj.provider.revocation.CRLCertStatus;
import com.rsa.certj.provider.revocation.CRLEvidence;
import com.rsa.certj.spi.path.CertPathCtx;
import com.rsa.certj.spi.revocation.CertRevocationInfo;
import java.io.File;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.Vector;
import java.util.logging.Level;
import javax.security.auth.x500.X500Principal;
import weblogic.security.pki.revocation.common.AbstractCertRevocContext;
import weblogic.security.pki.revocation.common.CertRevocCheckMethodList;

/* loaded from: input_file:weblogic/security/pki/revocation/common/DefaultCrlChecker.class */
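/**
 * CRL-based revocation checker backed by RSA CertJ.
 *
 * <p>For every check it builds a fresh {@link CertJ} instance, registers a file-based
 * CRL cache ({@link FlatFileDB}), an X.509 path provider and a CRL status provider, and
 * asks CertJ for the revocation status of the certificate under its issuer. When CertJ
 * reports that no usable CRL is cached and the context allows it, the CRL is fetched
 * from the certificate's distribution point into the cache and the lookup is retried once.
 *
 * <p>Every failure path in {@link #getCrlStatus} is mapped to {@code null}
 * ("status unavailable"). Whether that is treated as fail-open or fail-closed is decided
 * by the caller, not here.
 *
 * <p>Changes relative to the previously shipped shape of this class:
 * <ul>
 *   <li>{@code loadCrl} logs each failure once, with the stage in which it occurred; the
 *       former nested try blocks logged one failure up to three times under the wrong stage.</li>
 *   <li>{@code deleteCrl} only reports "Illegal issuer distinguished name" for a DN that
 *       cannot be parsed; a failure of the cache delete itself is no longer mislabelled.</li>
 *   <li>{@code evalRevocationInfo} skips entries of the evidence CRL list that are not
 *       {@link X509CRL} instead of casting them (which threw ClassCastException/NPE).</li>
 * </ul>
 */
class DefaultCrlChecker extends CrlChecker {
    private static final String CRL_CACHE_DB_PROVIDER_NAME = "CRL_CACHE_DB_PROVIDER";
    private static final String CRL_CERT_PATH_PROVIDER_NAME = "CRL_CERT_PATH_PROVIDER";
    private static final String CRL_CERT_STATUS_PROVIDER_NAME = "CRL_CERT_STATUS_PROVIDER";

    /**
     * The {@link CertRevocationInfo#getStatus()} value that this checker treats as
     * "no usable CRL in the cache": it is the only status that triggers a distribution
     * point fetch and a retry. NOTE(review): the numeric meaning comes from the CertJ API,
     * which is not visible here; confirm against CertRevocationInfo's constants.
     */
    private static final int STATUS_TRIGGERING_DP_FETCH = 2;

    /**
     * The {@link CertRevocationInfo#getType()} value under which this checker casts
     * {@code getEvidence()} to {@link CRLEvidence}. NOTE(review): CertJ constant, confirm.
     */
    private static final int CRL_EVIDENCE_TYPE = 1;

    /**
     * Cache accessor over a CertJ {@link DatabaseService}. Originally a private nested
     * class; the decompiler widened it to public.
     */
    public static final class DefaultCrlCacheAccessor implements CrlCacheAccessor {
        private final DatabaseService dbService;
        private final boolean crlCacheUpdatable;
        private final LogListener logger;

        /**
         * @param databaseService CertJ database the CRLs are stored in; must not be null
         * @param updatable       whether callers may insert CRLs fetched from a DP
         * @param logListener     optional logger; failures are only reported at FINE
         */
        private DefaultCrlCacheAccessor(DatabaseService databaseService, boolean updatable, LogListener logListener) {
            Util.checkNotNull("DatabaseService", databaseService);
            this.dbService = databaseService;
            this.crlCacheUpdatable = updatable;
            this.logger = logListener;
        }

        /**
         * Reads, parses and inserts one DER-encoded CRL into the cache.
         *
         * <p>No signature verification happens here: the CRL is stored as received.
         * NOTE(review): presumably the CRL status provider validates the CRL against the
         * issuer certificate placed in the {@link CertPathCtx} at lookup time — confirm,
         * because the DP URL comes from the certificate under validation.
         *
         * <p>An {@link OutOfMemoryError} in any stage (an oversized stream is the obvious
         * cause) is reported like any other failure and rethrown wrapped in a
         * {@link RuntimeException}.
         *
         * @param inputStream the CRL bytes; fully consumed, not closed
         * @return {@code true} once the CRL has been inserted
         * @throws Exception the underlying read/parse/insert failure, after it was logged once
         */
        @Override // weblogic.security.pki.revocation.common.CrlCacheAccessor
        public boolean loadCrl(InputStream inputStream) throws Exception {
            Util.checkNotNull("InputStream", inputStream);

            byte[] encodedCrl;
            try {
                encodedCrl = Util.readAll(inputStream);
            } catch (Exception e) {
                logErrorLoadCrl(e, "reading");
                throw e;
            } catch (OutOfMemoryError oom) {
                logErrorLoadCrl(oom, "reading");
                throw new RuntimeException(oom);
            }

            X509CRL parsedCrl;
            try {
                parsedCrl = new X509CRL(encodedCrl, 0, 0);
            } catch (Exception e) {
                logErrorLoadCrl(e, "parsing");
                throw e;
            } catch (OutOfMemoryError oom) {
                logErrorLoadCrl(oom, "parsing");
                throw new RuntimeException(oom);
            }

            try {
                this.dbService.insertCRL(parsedCrl);
            } catch (Exception e) {
                logErrorLoadCrl(e, "inserting");
                throw e;
            } catch (OutOfMemoryError oom) {
                logErrorLoadCrl(oom, "inserting");
                throw new RuntimeException(oom);
            }
            return true;
        }

        /**
         * Removes the cached CRL identified by issuer and thisUpdate time.
         *
         * @param x500Principal issuer DN of the CRL to delete
         * @param date          the CRL's thisUpdate value
         * @throws IllegalArgumentException if the DN cannot be converted to a CertJ X500Name
         * @throws Exception                if the cache delete itself fails
         */
        @Override // weblogic.security.pki.revocation.common.CrlCacheAccessor
        public void deleteCrl(X500Principal x500Principal, Date date) throws Exception {
            Util.checkNotNull("issuerX500Name", x500Principal);
            Util.checkNotNull("thisUpdate", date);

            // Only the DN conversion may be reported as an illegal DN.
            X500Name issuerName;
            try {
                issuerName = new X500Name(x500Principal.getEncoded(), 0, 0);
            } catch (Exception e) {
                throw new IllegalArgumentException("Illegal issuer distinguished name: " + x500Principal, e);
            } catch (OutOfMemoryError oom) {
                throw new IllegalArgumentException("Illegal issuer distinguished name: " + x500Principal, oom);
            }

            try {
                this.dbService.deleteCRL(issuerName, date);
            } catch (OutOfMemoryError oom) {
                throw new RuntimeException(oom);
            }
        }

        /** @return whether {@link #loadCrl} may be used to add CRLs fetched from a DP. */
        @Override // weblogic.security.pki.revocation.common.CrlCacheAccessor
        public boolean isCrlCacheUpdatable() {
            return this.crlCacheUpdatable;
        }

        /** @return the CertJ database backing this cache. */
        public DatabaseService getDatabaseService() {
            return this.dbService;
        }

        /** Logs a load failure at FINE, naming the stage ("reading", "parsing", "inserting"). */
        private void logErrorLoadCrl(Throwable cause, String stage) {
            LogListener log = this.logger;
            if (log == null || !log.isLoggable(Level.FINE)) {
                return;
            }
            log.log(Level.FINE, cause, "Unable to load CRL, while " + stage + ".", new Object[0]);
        }
    }

    /** @param abstractCertRevocContext the revocation context (cache location, DP policy, logging). */
    public DefaultCrlChecker(AbstractCertRevocContext abstractCertRevocContext) {
        super(abstractCertRevocContext);
    }

    /**
     * Determines the CRL revocation status of {@code certToCheck}, issued by {@code issuerCert}.
     *
     * <p>Returns {@code null} — "status unavailable" — whenever either certificate cannot be
     * converted to its CertJ form, FIPS 140 usage is not permitted, or any exception (including
     * {@link OutOfMemoryError}) escapes the CertJ check; those cases are logged at FINE only.
     *
     * @param issuerCert  issuer of the certificate to check
     * @param certToCheck certificate whose status is wanted
     * @return the status, or {@code null} if it could not be determined
     */
    @Override // weblogic.security.pki.revocation.common.CrlChecker
    CertRevocStatus getCrlStatus(X509Certificate issuerCert, X509Certificate certToCheck) {
        Util.checkNotNull("Issuer X509Certificate.", issuerCert);
        Util.checkNotNull("X509Certificate to be checked.", certToCheck);
        AbstractCertRevocContext context = getContext();
        LogListener logListener = context.getLogListener();
        X500Principal issuerDn = certToCheck.getIssuerX500Principal();

        com.rsa.certj.cert.X509Certificate rsaCertToCheck = RsaUtil.toRsaCert(certToCheck, logListener);
        com.rsa.certj.cert.X509Certificate rsaIssuerCert = RsaUtil.toRsaCert(issuerCert, logListener);
        if (rsaCertToCheck == null || rsaIssuerCert == null) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Unable to check revocation status, unable to convert both subject and issuer certificates.", new Object[0]);
            }
            return null;
        }
        if (!RsaUtil.isFIPS140UsageOk(logListener)) {
            return null;
        }

        try {
            CertRevocationInfo info = checkCertRevocation(issuerDn, rsaCertToCheck, certToCheck, rsaIssuerCert, issuerCert);
            return evalRevocationInfo(certToCheck, info);
        } catch (Exception e) {
            logThrowableDuringCrlCheck(context, e);
            return null;
        } catch (OutOfMemoryError oom) {
            // Deliberately treated like any other failure: the result is "unavailable", not a crash.
            logThrowableDuringCrlCheck(context, oom);
            return null;
        }
    }

    /** Logs a throwable that aborted a CRL check, at FINE. */
    private static void logThrowableDuringCrlCheck(AbstractCertRevocContext context, Throwable cause) {
        if (context.isLoggable(Level.FINE)) {
            context.log(Level.FINE, cause, "Exception while checking revocation status using CRLs.", new Object[0]);
        }
    }

    /**
     * Runs the CertJ revocation check, fetching the CRL from the distribution point and
     * retrying once when the first answer is {@link #STATUS_TRIGGERING_DP_FETCH}.
     *
     * <p>The DP fetch is only attempted when the context enables DP fetching for the issuer
     * and the cache is updatable; a failed fetch is logged and the original answer returned.
     *
     * @param issuerDn            issuer DN used for the per-issuer DP policy lookup
     * @param rsaCertToCheck      certificate under check, CertJ form
     * @param certToCheck         same certificate, JDK form (source of the DP URL)
     * @param rsaCertToCheckIssuer issuer certificate, CertJ form (anchor of the path context)
     * @param certToCheckIssuer   issuer certificate, JDK form
     * @return CertJ's revocation info, possibly {@code null}
     * @throws Exception on CertJ provider setup or lookup failure
     */
    private CertRevocationInfo checkCertRevocation(X500Principal issuerDn, com.rsa.certj.cert.X509Certificate rsaCertToCheck, X509Certificate certToCheck, com.rsa.certj.cert.X509Certificate rsaCertToCheckIssuer, X509Certificate certToCheckIssuer) throws Exception {
        Util.checkNotNull("issuerDn", issuerDn);
        Util.checkNotNull("rsaCertToCheck", rsaCertToCheck);
        Util.checkNotNull("certToCheck", certToCheck);
        Util.checkNotNull("rsaCertToCheckIssuer", rsaCertToCheckIssuer);
        Util.checkNotNull("certToCheckIssuer", certToCheckIssuer);

        CertJ certJ = newCertJ();
        DefaultCrlCacheAccessor cacheAccessor = addCrlCacheProvider(certJ);
        addCertPathProvider(certJ);
        addCrlCertStatusProvider(certJ);
        CertPathCtx pathCtx = initCertPathCtx(rsaCertToCheckIssuer, cacheAccessor.getDatabaseService());
        AbstractCertRevocContext context = getContext();

        CertRevocationInfo info = lookupRevocationInfo(certJ, pathCtx, rsaCertToCheck, context);
        if (info == null || info.getStatus() != STATUS_TRIGGERING_DP_FETCH) {
            return info;
        }

        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "Attempting CRL fetch from Distribution Point, CRL is not cached.", new Object[0]);
        }
        if (!tryUpdateCacheFromDistributionPoint(issuerDn, certToCheck, cacheAccessor, context)) {
            return info;
        }
        // The cache changed; ask CertJ once more with the same context.
        return lookupRevocationInfo(certJ, pathCtx, rsaCertToCheck, context);
    }

    /** One CertJ lookup; a {@code null} answer is logged at FINE and passed through. */
    private static CertRevocationInfo lookupRevocationInfo(CertJ certJ, CertPathCtx pathCtx, com.rsa.certj.cert.X509Certificate rsaCertToCheck, AbstractCertRevocContext context) throws Exception {
        CertRevocationInfo info = certJ.checkCertRevocation(pathCtx, rsaCertToCheck);
        if (info == null && context.isLoggable(Level.FINE)) {
            context.log(Level.FINE, "CRL processing implementation returned no revocation information.", new Object[0]);
        }
        return info;
    }

    /**
     * Applies the DP policy and, if allowed, fetches the CRL into the cache.
     *
     * @return {@code true} only when the cache was actually updated; policy denials and
     *         fetch failures are logged and yield {@code false}
     */
    private boolean tryUpdateCacheFromDistributionPoint(X500Principal issuerDn, X509Certificate certToCheck, DefaultCrlCacheAccessor cacheAccessor, AbstractCertRevocContext context) {
        if (!context.isCrlDpEnabled(issuerDn)) {
            if (context.isLoggable(Level.FINEST)) {
                context.log(Level.FINEST, "CRL fetch from Distribution Point is disabled.", new Object[0]);
            }
            return false;
        }
        if (!cacheAccessor.isCrlCacheUpdatable()) {
            if (context.isLoggable(Level.FINEST)) {
                context.log(Level.FINEST, "Not attempting CRL fetch from Distribution Point, CRL cache is not updatable.", new Object[0]);
            }
            return false;
        }
        try {
            return updateCrlCacheFromDP(certToCheck, cacheAccessor);
        } catch (Exception e) {
            // Best effort: a fetch failure leaves the original (uncached) answer in place.
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, e, "Exception while updating CRL cache from Distribution Point.", new Object[0]);
            }
            return false;
        }
    }

    /**
     * Delegates the DP fetch to {@link CrlCacheUpdater}; the DP URL is taken from
     * {@code certToCheck}, i.e. from the certificate being validated.
     *
     * @return whether the cache was updated
     */
    private boolean updateCrlCacheFromDP(X509Certificate certToCheck, CrlCacheAccessor crlCacheAccessor) throws Exception {
        AbstractCertRevocContext context = getContext();
        boolean updated = CrlCacheUpdater.updateCrlCacheFromDP(certToCheck, crlCacheAccessor, context);
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "Attempted to update CRL cache from DP, updatedCache={0}.", Boolean.valueOf(updated));
        }
        return updated;
    }

    /** Creates a CertJ instance bound to the configured Crypto-J device list. */
    private CertJ newCertJ() throws ProviderManagementException, InvalidUseException, InvalidParameterException {
        CertJ certJ = new CertJ();
        certJ.setDevice(RsaUtil.getCryptoJDeviceList());
        return certJ;
    }

    /** Registers the CRL-based certificate status provider. */
    private void addCrlCertStatusProvider(CertJ certJ) throws Exception {
        Util.checkNotNull("CertJ", certJ);
        certJ.addProvider(new CRLCertStatus(CRL_CERT_STATUS_PROVIDER_NAME));
    }

    /** Registers the X.509 v1 certificate path provider. */
    private void addCertPathProvider(CertJ certJ) throws Exception {
        Util.checkNotNull("CertJ", certJ);
        certJ.addProvider(new X509V1CertPath(CRL_CERT_PATH_PROVIDER_NAME));
    }

    /**
     * Registers the CRL cache provider selected by the context and wraps it in an accessor.
     * Only {@code CrlCacheType.FILE} is supported.
     *
     * @throws IllegalStateException for any other cache type
     */
    private DefaultCrlCacheAccessor addCrlCacheProvider(CertJ certJ) throws Exception {
        Util.checkNotNull("CertJ", certJ);
        AbstractCertRevocContext context = getContext();
        AbstractCertRevocContext.CrlCacheType cacheType = context.getCrlCacheType();
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "CrlCacheType={0}", cacheType);
        }
        switch (cacheType) {
            case FILE:
                // The provider must be added before the service is bound; the boolean it
                // returns is the "updatable" flag handed to the accessor.
                boolean updatable = addCrlCacheFileProvider(certJ);
                DatabaseService dbService = (DatabaseService) certJ.bindService(1, CRL_CACHE_DB_PROVIDER_NAME);
                return new DefaultCrlCacheAccessor(dbService, updatable, context.getLogListener());
            default:
                throw new IllegalStateException("Unable to initialize file-based CRL cache, unsupported CrlCacheType \"" + cacheType + "\".");
        }
    }

    /**
     * Registers a {@link FlatFileDB} over the context's CRL cache directory, creating the
     * directory if needed.
     *
     * <p>The empty {@code char[]} password and the trailing {@code 6, 2} are CertJ provider
     * options; their meaning is not determined here. NOTE(review): the cache directory is
     * trusted as-is — its permissions are whatever {@code CrlCacheUpdater.ensureCrlCacheDir}
     * establishes.
     *
     * @return always {@code true}: a file cache is updatable
     */
    private boolean addCrlCacheFileProvider(CertJ certJ) throws Exception {
        Util.checkNotNull("CertJ", certJ);
        AbstractCertRevocContext context = getContext();
        File cacheDir = context.getCrlCacheTypeFileDir();
        CrlCacheUpdater.ensureCrlCacheDir(cacheDir);
        String cacheDirPath = cacheDir.getAbsolutePath();
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "CrlCacheTypeFileDir=\"{0}\"", cacheDirPath);
        }
        certJ.addProvider(new FlatFileDB(CRL_CACHE_DB_PROVIDER_NAME, cacheDirPath, new char[0], 6, 2));
        return true;
    }

    /**
     * Builds the CertJ path context: the issuer certificate as the sole anchor, no
     * additional names, the current time as validation time, and the CRL cache database.
     * The leading {@code 4} is a CertJ flag value whose meaning is not determined here.
     */
    private CertPathCtx initCertPathCtx(com.rsa.certj.cert.X509Certificate issuerCert, DatabaseService databaseService) {
        Util.checkNotNull("issuerCert", issuerCert);
        Util.checkNotNull("dbService", databaseService);
        AbstractCertRevocContext context = getContext();
        com.rsa.certj.cert.X509Certificate[] anchors = {issuerCert};
        byte[][] names = (byte[][]) null;
        Date validationTime = new Date();
        if (context.isLoggable(Level.FINEST)) {
            context.log(Level.FINEST, "Validation time=\"{0}\"", validationTime);
        }
        return new CertPathCtx(4, anchors, names, validationTime, databaseService);
    }

    /**
     * Converts CertJ's revocation info into a {@link CertRevocStatus}.
     *
     * <p>Returns {@code null} when the info is absent, its status code does not map to a
     * revoked/not-revoked decision, its evidence is not CRL evidence, or no X.509 CRL can be
     * found in the evidence. The thisUpdate/nextUpdate pair reported in the status comes from
     * the evidence CRL, or — when CertJ supplied a list of CRLs — from the one that expires
     * first (a CRL without nextUpdate wins outright), i.e. the most conservative freshness.
     *
     * @param certToCheck          certificate the status is about
     * @param certRevocationInfo   CertJ's answer, may be {@code null}
     * @return the status, or {@code null} if unavailable
     */
    private CertRevocStatus evalRevocationInfo(X509Certificate certToCheck, CertRevocationInfo certRevocationInfo) {
        Util.checkNotNull("certToCheck", certToCheck);
        AbstractCertRevocContext context = getContext();
        if (certRevocationInfo == null) {
            if (context.isLoggable(Level.FINER)) {
                context.log(Level.FINER, "Revocation status unavailable from CRL (CertRevocationInfo is null).", new Object[0]);
            }
            return null;
        }

        Boolean revoked = RsaUtil.evalRevocStatusCode(CertRevocCheckMethodList.SelectableMethod.CRL, certRevocationInfo.getStatus(), context.getLogListener());
        if (revoked == null) {
            return null;
        }

        int evidenceType = certRevocationInfo.getType();
        if (evidenceType != CRL_EVIDENCE_TYPE) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Revocation status unavailable from CRL, unexpected evidence type {0}.", Integer.valueOf(evidenceType));
            }
            return null;
        }
        CRLEvidence evidence = (CRLEvidence) certRevocationInfo.getEvidence();
        if (evidence == null) {
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, "Revocation status unavailable from CRL, no evidence available.", new Object[0]);
            }
            return null;
        }

        Date thisUpdate;
        Date nextUpdate;
        X509CRL singleCrl = (X509CRL) evidence.getCRL();
        if (singleCrl != null) {
            thisUpdate = singleCrl.getThisUpdate();
            nextUpdate = singleCrl.getNextUpdate();
        } else {
            Date[] validity = earliestExpiringCrlValidity(evidence.getCRLList(), context);
            if (validity == null) {
                if (context.isLoggable(Level.FINE)) {
                    context.log(Level.FINE, "Revocation status unavailable from CRL, no CRL evidence available.", new Object[0]);
                }
                return null;
            }
            thisUpdate = validity[0];
            nextUpdate = validity[1];
        }

        return new CertRevocStatus(CertRevocCheckMethodList.SelectableMethod.CRL, certToCheck.getSubjectX500Principal(), certToCheck.getIssuerX500Principal(), certToCheck.getSerialNumber(), thisUpdate, nextUpdate, revoked.booleanValue(), null, null);
    }

    /**
     * Picks {thisUpdate, nextUpdate} of the CRL in {@code crlList} with the earliest
     * nextUpdate; a CRL without nextUpdate is chosen immediately. Entries that are not
     * {@link X509CRL} (or are null) are logged at FINE and skipped rather than cast.
     *
     * @return the pair, or {@code null} if the list is empty or holds no X509CRL
     */
    private static Date[] earliestExpiringCrlValidity(Vector crlList, AbstractCertRevocContext context) {
        if (crlList == null || crlList.isEmpty()) {
            return null;
        }
        Date thisUpdate = null;
        Date nextUpdate = null;
        boolean found = false;
        for (Iterator it = crlList.iterator(); it.hasNext(); ) {
            Object entry = it.next();
            if (!(entry instanceof X509CRL)) {
                if (context.isLoggable(Level.FINE)) {
                    Object[] args = new Object[1];
                    args[0] = entry == null ? null : entry.getClass().getName();
                    context.log(Level.FINE, "Found non-X509CRL object in evidence.getCRLList(), foundClass={0}", args);
                }
                continue;
            }
            X509CRL crl = (X509CRL) entry;
            found = true;
            if (crl.getNextUpdate() == null) {
                thisUpdate = crl.getThisUpdate();
                nextUpdate = null;
                break;
            }
            if (nextUpdate == null || crl.getNextUpdate().before(nextUpdate)) {
                thisUpdate = crl.getThisUpdate();
                nextUpdate = crl.getNextUpdate();
            }
        }
        return found ? new Date[] {thisUpdate, nextUpdate} : null;
    }

    /**
     * Builds a stand-alone cache accessor (fresh CertJ and file provider) for callers that
     * manage the cache directly.
     *
     * @return the accessor, or {@code null} if provider setup failed (logged at FINE)
     */
    @Override // weblogic.security.pki.revocation.common.CrlChecker
    CrlCacheAccessor getCrlCacheAccessor() {
        try {
            return addCrlCacheProvider(newCertJ());
        } catch (Exception e) {
            AbstractCertRevocContext context = getContext();
            if (context.isLoggable(Level.FINE)) {
                context.log(Level.FINE, e, "Unable to get CrlCacheAccessor.", new Object[0]);
            }
            return null;
        }
    }
}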
