package hu.microsec.authenticator.util;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.io.IOUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.spongycastle.asn1.DERIA5String;
import org.spongycastle.asn1.x509.CRLDistPoint;
import org.spongycastle.asn1.x509.DistributionPoint;
import org.spongycastle.asn1.x509.DistributionPointName;
import org.spongycastle.asn1.x509.GeneralName;
import org.spongycastle.asn1.x509.GeneralNames;
import org.spongycastle.x509.extension.X509ExtensionUtil;

/* loaded from: classes.dex */
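/**
 * Checks an X.509 certificate against the CRLs named in its own CRL Distribution Points
 * extension (OID 2.5.29.31).
 *
 * <p>Security notes for callers and maintainers:
 * <ul>
 *   <li>The downloaded CRL is used as-is. Nothing in this class verifies the CRL's signature
 *       against the issuing CA's key or checks its {@code thisUpdate}/{@code nextUpdate}
 *       window. Over {@code http://} or {@code ftp://} the response has no transport
 *       integrity either, so a substituted or stale CRL would be accepted. Doing the
 *       signature check needs the issuer certificate, which {@link #verify} does not receive.
 *       NOTE(review): confirm whether a caller performs these checks elsewhere.</li>
 *   <li>The URLs come from the certificate being checked, so this class opens connections to
 *       hosts the certificate names. NOTE(review): presumably callers validate the chain
 *       before calling {@link #verify}; confirm against the call sites.</li>
 *   <li>A certificate with no CRL distribution points is reported as not revoked.</li>
 * </ul>
 */
public class CrlVerifier {
    private static final Logger LOGGER = LoggerFactory.getLogger(CrlVerifier.class);
    private static final String OID_CRL_DISTRIBUTION_POINT = "2.5.29.31";

    /** URL prefixes accepted for CRL download; compared case-insensitively. */
    private static final String[] SUPPORTED_SCHEMES = {"http://", "https://", "ftp://"};

    /** Upper bound for establishing the connection, so an unreachable host cannot block the check. */
    private static final int CONNECT_TIMEOUT_MILLIS = 10000;

    /** Upper bound for each read, so a stalled server cannot block the check. */
    private static final int READ_TIMEOUT_MILLIS = 30000;

    /** Signals that the revocation status could not be determined. */
    public static class CrlVerificationException extends Exception {
        private static final long serialVersionUID = 1L;

        /**
         * @param str description of the failure
         */
        public CrlVerificationException(String str) {
            super(str);
        }

        /**
         * @param str description of the failure
         * @param th underlying cause, preserved for diagnostics
         */
        public CrlVerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /** Returns true when the URL starts with one of the supported schemes, ignoring case. */
    private static boolean hasSupportedScheme(String url) {
        for (String scheme : SUPPORTED_SCHEMES) {
            if (url.regionMatches(true, 0, scheme, 0, scheme.length())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Downloads and parses the CRL at the given URL.
     *
     * <p>The returned CRL is parsed only; its signature and validity period are not checked.
     *
     * @param str CRL URL taken from the certificate's distribution points
     * @return the parsed CRL
     * @throws CrlVerificationException if the URL does not use http, https or ftp
     * @throws IOException if the connection fails or times out
     * @throws CertificateException if the X.509 certificate factory is unavailable
     * @throws CRLException if the response is not a parsable CRL
     */
    private static X509CRL downloadCRL(String str) throws IOException, CertificateException, CRLException, CrlVerificationException {
        if (!hasSupportedScheme(str)) {
            throw new CrlVerificationException("Unsupported protocol in CRL URL: " + str);
        }
        // The URL is certificate-supplied, so bound the wait: URL.openStream() has no timeout
        // and would let an unresponsive host stall the revocation check indefinitely.
        URLConnection connection = new URL(str).openConnection();
        connection.setConnectTimeout(CONNECT_TIMEOUT_MILLIS);
        connection.setReadTimeout(READ_TIMEOUT_MILLIS);
        InputStream openStream = connection.getInputStream();
        try {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(openStream);
        } finally {
            IOUtils.closeQuietly(openStream);
        }
    }

    /**
     * Extracts the URI entries from the certificate's CRL Distribution Points extension.
     *
     * <p>Only distribution points of type fullName are read, and only general names tagged
     * as uniformResourceIdentifier are returned. The strings are returned unfiltered; scheme
     * checking happens in {@link #downloadCRL}.
     *
     * @param x509Certificate certificate to inspect
     * @return the CRL URLs in extension order; empty when the extension is absent
     * @throws CertificateParsingException declared by the original signature
     * @throws IOException if the extension value cannot be decoded
     */
    private static List<String> getCrlDistributionPoints(X509Certificate x509Certificate) throws CertificateParsingException, IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(OID_CRL_DISTRIBUTION_POINT);
        if (extensionValue == null) {
            LOGGER.debug("No CRL distribution points");
            return new ArrayList<String>();
        }
        CRLDistPoint cRLDistPoint = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extensionValue));
        DistributionPoint[] distributionPoints = cRLDistPoint.getDistributionPoints();
        LOGGER.debug("CRL Distribution points: {}", distributionPoints.length);
        List<String> urls = new ArrayList<String>();
        for (DistributionPoint distributionPoint : distributionPoints) {
            DistributionPointName pointName = distributionPoint.getDistributionPoint();
            if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            for (GeneralName generalName : GeneralNames.getInstance(pointName.getName()).getNames()) {
                if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    String url = DERIA5String.getInstance(generalName.getName()).getString();
                    urls.add(url);
                    LOGGER.debug("CRL URL found: {}", url);
                }
            }
        }
        return urls;
    }

    /**
     * Checks the certificate against every CRL listed in its distribution points.
     *
     * <p>Each listed CRL is downloaded in order and the check stops at the first one that
     * lists the certificate. Any download, parse or unsupported-scheme failure aborts the
     * whole check with an exception rather than skipping that distribution point.
     *
     * @param x509Certificate certificate whose revocation status is wanted
     * @return {@code false} if any downloaded CRL lists the certificate as revoked;
     *     {@code true} otherwise, including when the certificate names no CRL at all
     * @throws CrlVerificationException if a CRL cannot be fetched or parsed
     */
    public static boolean verify(X509Certificate x509Certificate) throws CrlVerificationException {
        try {
            for (String str : getCrlDistributionPoints(x509Certificate)) {
                // NOTE(review): the CRL is trusted without a signature or freshness check.
                if (downloadCRL(str).isRevoked(x509Certificate)) {
                    LOGGER.info("The certificate is revoked by CRL: {}", str);
                    return false;
                }
                LOGGER.debug("Cert not found in revocation list: {}", str);
            }
            return true;
        } catch (CrlVerificationException e) {
            throw e;
        } catch (Exception e2) {
            throw new CrlVerificationException("Can not verify CRL for certificate: " + x509Certificate.getSubjectX500Principal(), e2);
        }
    }
}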
