package eu.europa.esig.dss.crl.x509.impl;

import eu.europa.esig.dss.crl.AbstractCRLUtils;
import eu.europa.esig.dss.crl.CRLBinary;
import eu.europa.esig.dss.crl.CRLValidity;
import eu.europa.esig.dss.crl.ICRLUtils;
import eu.europa.esig.dss.enumerations.KeyUsageBit;
import eu.europa.esig.dss.enumerations.SignatureAlgorithm;
import eu.europa.esig.dss.model.DSSException;
import eu.europa.esig.dss.model.x509.CertificateToken;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.NoSuchProviderException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import org.bouncycastle.asn1.x509.Extension;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/crl/x509/impl/CRLUtilsX509CRLImpl.class */
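/**
 * CRL utilities backed by the JCA {@link X509CRL} representation.
 *
 * <p>The class parses a CRL, copies its metadata into a {@link CRLValidity} and records the
 * outcome of the signature check against a candidate issuer certificate. It records facts; it
 * does not decide whether the CRL is acceptable. The issuer-name match, the signature status and
 * the CRL-sign key usage are stored as separate flags, and {@code thisUpdate}/{@code nextUpdate}
 * and the critical extension OIDs are only copied, never evaluated here.
 */
public class CRLUtilsX509CRLImpl extends AbstractCRLUtils implements ICRLUtils {
    private static final Logger LOG = LoggerFactory.getLogger(CRLUtilsX509CRLImpl.class);

    /**
     * Parses the given CRL and fills a validity object describing it relative to a candidate issuer.
     *
     * <p>Security notes for callers:
     * <ul>
     *   <li>The signature is verified against {@code certificateToken} whether or not the issuer
     *       name matches, so the flags set through {@code setIssuerX509PrincipalMatches},
     *       {@code setSignatureIntact} and {@code setCrlSignKeyUsage} must all be checked before
     *       the CRL is relied upon.</li>
     *   <li>The CRL-sign key usage is evaluated only when the signature verified; otherwise the
     *       flag is left at whatever default the validity object has.</li>
     *   <li>Freshness ({@code thisUpdate}/{@code nextUpdate}) and critical extensions are stored
     *       but not checked in this method.</li>
     * </ul>
     *
     * @param cRLBinary the encoded CRL
     * @param certificateToken the candidate issuer certificate
     * @return the populated validity object
     * @throws IOException if closing the in-memory stream fails
     * @throws DSSException if the CRL cannot be parsed
     */
    public CRLValidity buildCRLValidity(CRLBinary cRLBinary, CertificateToken certificateToken) throws IOException {
        X509CRLValidity validity = new X509CRLValidity(cRLBinary);
        // try-with-resources replaces the hand-expanded close/addSuppressed sequence.
        try (InputStream crlStream = new ByteArrayInputStream(cRLBinary.getBinaries())) {
            X509CRL crl = loadCRL(crlStream);
            validity.setX509CRL(crl);
            validity.setSignatureAlgorithm(SignatureAlgorithm.forOidAndParams(crl.getSigAlgOID(), crl.getSigAlgParams()));
            validity.setThisUpdate(crl.getThisUpdate());
            validity.setNextUpdate(crl.getNextUpdate());

            // A name match alone proves nothing about authenticity; it is recorded next to the
            // signature result, not instead of it.
            if (crl.getIssuerX500Principal().equals(certificateToken.getSubjectX500Principal())) {
                validity.setIssuerX509PrincipalMatches(true);
            }

            validity.setCriticalExtensionsOid(crl.getCriticalExtensionOIDs());
            // Both extract* helpers are defined outside this class (presumably in AbstractCRLUtils).
            extractIssuingDistributionPointBinary(validity, crl.getExtensionValue(Extension.issuingDistributionPoint.getId()));
            extractExpiredCertsOnCRL(validity, crl.getExtensionValue(Extension.expiredCertsOnCRL.getId()));

            checkSignatureValue(crl, certificateToken, validity);
            if (validity.isSignatureIntact()) {
                // Only a key that actually signed the CRL is asked whether it may sign CRLs.
                validity.setCrlSignKeyUsage(certificateToken.checkKeyUsage(KeyUsageBit.CRL_SIGN));
            }
            return validity;
        }
    }

    /**
     * Verifies the CRL signature with the candidate issuer's public key and records the result.
     *
     * <p>A verification failure is not thrown: it is logged and stored as the invalidity reason,
     * and the signature-intact flag and issuer token are left unset. Only
     * {@link GeneralSecurityException} is handled this way; any runtime exception propagates.
     *
     * @param x509crl the parsed CRL
     * @param certificateToken the candidate issuer certificate
     * @param cRLValidity the validity object to update
     */
    private void checkSignatureValue(X509CRL x509crl, CertificateToken certificateToken, CRLValidity cRLValidity) {
        try {
            x509crl.verify(certificateToken.getPublicKey());
            cRLValidity.setSignatureIntact(true);
            cRLValidity.setIssuerToken(certificateToken);
        } catch (GeneralSecurityException e) {
            String reason = String.format("CRL Signature cannot be validated : %s", e.getMessage());
            // The stack trace is emitted only at debug level; otherwise a one-line warning.
            if (LOG.isDebugEnabled()) {
                LOG.debug(reason, e);
            } else {
                LOG.warn(reason);
            }
            cRLValidity.setSignatureInvalidityReason(reason);
        }
    }

    /**
     * Looks up the CRL entry for a certificate serial number.
     *
     * <p>No signature or issuer check is made here; the result is only as trustworthy as the
     * {@code cRLValidity} passed in.
     *
     * @param cRLValidity the validity object holding, or able to reload, the CRL
     * @param bigInteger the certificate serial number
     * @return the matching entry, or {@code null} when the CRL lists no such serial number
     * @throws DSSException if the CRL has to be reloaded and cannot be parsed
     */
    public X509CRLEntry getRevocationInfo(CRLValidity cRLValidity, BigInteger bigInteger) {
        return getCRL(cRLValidity).getRevokedCertificate(bigInteger);
    }

    /**
     * Returns the parsed CRL cached on the validity object, re-parsing it when none is cached.
     *
     * @param cRLValidity the validity object
     * @return the parsed CRL, never {@code null}
     * @throws DSSException if re-parsing fails or the stream cannot be closed
     */
    private X509CRL getCRL(CRLValidity cRLValidity) {
        if (cRLValidity instanceof X509CRLValidity) {
            X509CRL cached = ((X509CRLValidity) cRLValidity).getX509CRL();
            if (cached != null) {
                return cached;
            }
        }
        // The stream is opened here, so it is closed here; it was previously left open.
        try (InputStream crlStream = cRLValidity.getCrlInputStream()) {
            return loadCRL(crlStream);
        } catch (IOException e) {
            throw new DSSException("Unable to close the CRL input stream", e);
        }
    }

    /**
     * Parses an encoded CRL from the stream. The caller keeps ownership of the stream.
     *
     * @param inputStream the stream positioned at the encoded CRL
     * @return the parsed CRL, never {@code null}
     * @throws DSSException if the factory returns no CRL or reports a {@link CRLException}
     */
    private X509CRL loadCRL(InputStream inputStream) {
        try {
            X509CRL parsed = (X509CRL) getCertificateFactory().generateCRL(inputStream);
            if (parsed == null) {
                throw new DSSException("Unable to parse the CRL");
            }
            return parsed;
        } catch (CRLException e) {
            throw new DSSException(e);
        }
    }

    /**
     * Obtains an X.509 {@link CertificateFactory}, preferring the provider registered as "BC".
     *
     * <p>When that provider is unavailable, the platform default is used instead, so the CRL
     * parser in use depends on the runtime's provider configuration.
     *
     * @return a certificate factory for X.509
     * @throws DSSException if no X.509 factory can be created at all
     */
    private CertificateFactory getCertificateFactory() {
        try {
            CertificateFactory bcFactory = CertificateFactory.getInstance("X.509", "BC");
            LOG.debug("CertificateFactory instantiated with BouncyCastle");
            return bcFactory;
        } catch (NoSuchProviderException | CertificateException e) {
            LOG.debug("Unable to instantiate with BouncyCastle (not registered ?), trying with default CertificateFactory");
            try {
                return CertificateFactory.getInstance("X.509");
            } catch (CertificateException e2) {
                throw new DSSException("Unable to create CertificateFactory", e2);
            }
        }
    }
}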
