package com.sun.identity.authentication.modules.cert;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.SSLSocketFactoryManager;
import com.iplanet.dpro.session.share.SessionEncodeURL;
import com.iplanet.security.x509.CRLDistributionPoint;
import com.iplanet.security.x509.CRLDistributionPointsExtension;
import com.iplanet.security.x509.X500Name;
import com.sun.identity.authentication.spi.AuthLoginException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.StringTokenizer;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPEntry;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPModification;
import netscape.ldap.LDAPSearchResults;
import netscape.ldap.LDAPUrl;

/* loaded from: input_file:120091-12/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/authentication/modules/cert/CRLValidation.class */
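/**
 * CRL-based revocation check for the certificate authentication module.
 *
 * <p>The CA certificate and its CRL are looked up in an LDAP "CRL cache" entry that is
 * selected by matching one issuer-DN attribute of the certificate under validation
 * ({@code Cert.getChkAttrCRL()}) against the directory. When the cached CRL is past its
 * {@code nextUpdate}, a fresh copy is fetched from the certificate's CRL distribution point
 * ({@link #getUpdateCRLFromCrlDP}) and written back to the cache entry.
 *
 * <p>NOTE(review): the distribution-point URI handed to {@link #getCRLByURI} originates
 * from the certificate being validated (see the {@code getCRLdpExt} call in
 * {@code verifyCertificate}). Whether the downloaded CRL's signature is checked against the
 * cached CA certificate before it is persisted via {@link #replaceLDAPAttr} is not visible
 * in this file ({@code getUpdateCRLFromCrlDP} was not decompiled) — confirm.
 *
 * <p>Not thread-safe: the search filter, cache entry and attribute fields are per-call
 * scratch state overwritten on every verification (including each recursion level).
 */
class CRLValidation {
    /** Owning module; supplies the LDAP connection, the certificate and the configuration. */
    private final Cert certModule;
    private final Debug debug;
    private static final String amAuthCert = "amAuthCert";
    /** Upper bound on issuer-chain recursion in verifyCertificate (guards against cyclic cross-certification). */
    private static final int MAX_CHAIN_DEPTH = 16;
    /** Read-buffer size used when downloading a CRL over HTTP. */
    private static final int READ_BUFFER_SIZE = 4096;
    // Per-call scratch state, populated by verifyCertificate / getCRLFromCache.
    private String searchFilter = null;
    private LDAPAttribute certAttribute = null;
    private LDAPAttribute crlAttribute = null;
    private Date nextCRLUpdate = null;
    private LDAPEntry cachedEntry = null;
    /** Lazily created X.509 factory shared by all instances; access via certificateFactory(). */
    private static CertificateFactory cf = null;

    /**
     * @param cert the owning module; may be null, in which case verifyCertificate() returns false
     */
    public CRLValidation(Cert cert) {
        this.certModule = cert;
        this.debug = (cert == null) ? null : cert.getDebug();
    }

    /**
     * Verifies that the module's certificate (and each CA up to a self-signed root) is not
     * listed in the cached CRL for its issuer.
     *
     * @return true if no certificate in the chain is revoked; false on revocation, on a
     *         missing cache entry, or on any lookup error (those are logged, not thrown)
     * @throws AuthLoginException if the cached CA certificate or CRL cannot be parsed
     */
    public boolean verifyCertificate() throws AuthLoginException {
        if (this.certModule == null) {
            return false;
        }
        return verifyCertificate(this.certModule.getLDAPConnection(), this.certModule.getCertificate(), 0);
    }

    /**
     * Checks one certificate against the CRL of its issuer, then recurses into the issuer
     * until a self-signed certificate is reached.
     *
     * @param ldc   directory connection used for the CRL cache lookup
     * @param cert  certificate to check
     * @param depth current recursion depth (0 for the end-entity certificate)
     * @return true if this certificate and every issuer above it pass the CRL check
     * @throws AuthLoginException if the cached CA certificate or CRL cannot be parsed
     */
    private boolean verifyCertificate(LDAPConnection ldc, X509Certificate cert, int depth) throws AuthLoginException {
        if (depth > MAX_CHAIN_DEPTH) {
            // A cross-certified loop would otherwise recurse until StackOverflowError.
            this.debug.error("verifyCertificate - issuer chain deeper than " + MAX_CHAIN_DEPTH + ", refusing");
            return false;
        }
        String chkAttrCRL = this.certModule.getChkAttrCRL();
        try {
            String attributeValue = new X500Name(cert.getIssuerX500Principal().getEncoded()).getAttributeValue(chkAttrCRL);
            if (this.debug.messageEnabled()) {
                this.debug.message("verifyCertificate retrieved attribute " + chkAttrCRL + " : " + attributeValue);
            }
            // The issuer DN is taken from the certificate under validation; escape it so that
            // filter metacharacters cannot change the shape of the LDAP search filter.
            this.searchFilter = "(" + chkAttrCRL + "=" + escapeFilterValue(attributeValue) + ")";
            if (this.debug.messageEnabled()) {
                this.debug.message("verifyCertificate - ldc.search: using filter: " + this.searchFilter);
            }
            if (!getCRLFromCache(ldc)) {
                return false;
            }
            // NOTE(review): a CRL whose nextUpdate cannot be read (null) is never refreshed.
            this.nextCRLUpdate = getNextCRLUpdate();
            if (this.nextCRLUpdate != null && this.nextCRLUpdate.before(new Date())) {
                if (!getUpdateCRLFromCrlDP(ldc, this.cachedEntry.getDN(), getCRLdpExt(cert))) {
                    this.debug.error("Failed to update CRL.");
                    return false;
                }
                // NOTE(review): the revocation check below still parses this.crlAttribute;
                // confirm getUpdateCRLFromCrlDP refreshes that field, otherwise the stale
                // CRL is consulted once more after a successful update.
            }
            X509Certificate caCert;
            X509CRL crl;
            try {
                CertificateFactory factory = certificateFactory();
                caCert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(firstValue(this.certAttribute)));
                crl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(firstValue(this.crlAttribute)));
            } catch (Exception e) {
                // Unparseable cache content is treated as a revocation failure for the caller.
                this.debug.error("Certificate: CertRevoked = ", e);
                throw new AuthLoginException(amAuthCert, "CertRevoked", null);
            }
            // NOTE(review): the CRL's own signature is not verified against caCert here
            // (crl.verify(caCert.getPublicKey())); confirm it is verified on the update path.
            if (crl.isRevoked(cert)) {
                if (this.debug.messageEnabled()) {
                    this.debug.message("Certificate is CertRevoked.");
                }
                return false;
            }
            if (caCert.getIssuerDN().equals(caCert.getSubjectDN())) {
                // Self-signed root: end of the chain.
                return true;
            }
            if (this.debug.messageEnabled()) {
                this.debug.message("Verifying next signer");
            }
            return verifyCertificate(ldc, caCert, depth + 1);
        } catch (AuthLoginException e) {
            // Declared for the caller; do not let the generic handler below swallow it.
            throw e;
        } catch (Exception e2) {
            this.debug.error("verifyCertificate : " + e2);
            return false;
        }
    }

    /**
     * Escapes an LDAP filter assertion value per RFC 4515 so that '*', '(', ')', '\' and
     * NUL are matched literally.
     *
     * @param value raw value; null is returned unchanged
     */
    static String escapeFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuffer escaped = new StringBuffer(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /** Returns the shared X.509 factory, creating it on first use. */
    private static synchronized CertificateFactory certificateFactory() throws CertificateException {
        if (cf == null) {
            cf = CertificateFactory.getInstance("X.509");
        }
        return cf;
    }

    /** First binary value of the attribute; throws if the attribute has no values. */
    private static byte[] firstValue(LDAPAttribute attr) {
        return (byte[]) attr.getByteValues().nextElement();
    }

    /**
     * Parses the cached CRL and returns its nextUpdate time.
     *
     * @return the CRL's nextUpdate, or null if the CRL has none or cannot be parsed
     */
    private Date getNextCRLUpdate() {
        try {
            X509CRL crl = (X509CRL) certificateFactory().generateCRL(new ByteArrayInputStream(firstValue(this.crlAttribute)));
            Date next = crl.getNextUpdate();
            if (this.debug.messageEnabled()) {
                this.debug.message("NextCRLUpdate : " + next);
            }
            return next;
        } catch (Exception e) {
            this.debug.error("Error in getting NextCRLUpdate", e);
            return null;
        }
    }

    /**
     * Loads the first cache entry matching {@code searchFilter} under the configured search
     * base into cachedEntry / certAttribute / crlAttribute.
     *
     * @return true if exactly one CA certificate and exactly one CRL were found
     */
    private boolean getCRLFromCache(LDAPConnection ldc) {
        try {
            LDAPSearchResults results = ldc.search(this.certModule.getStartSearchLoc(), LDAPConnection.SCOPE_SUB, this.searchFilter, null, false);
            if (results == null || !results.hasMoreElements()) {
                this.debug.error("verifyCertificate - No CRL Cache is configured");
                return false;
            }
            // Only the first match is consulted; further matches are ignored.
            this.cachedEntry = results.next();
            LDAPAttributeSet attrs = this.cachedEntry.getAttributeSet();
            this.certAttribute = findAttribute(attrs, "cacertificate");
            if (this.certAttribute == null) {
                this.debug.error("No CA certificate in CRL Cache entry");
                return false;
            }
            if (this.certAttribute.size() > 1) {
                this.debug.error("More than one CAs entries are configured");
                return false;
            }
            this.crlAttribute = findAttribute(attrs, "certificaterevocationlist");
            if (this.crlAttribute == null) {
                this.debug.error("No CRL Cache is configured");
                return false;
            }
            if (this.crlAttribute.size() > 1) {
                this.debug.error("More than one CRL entries are configured");
                return false;
            }
            return true;
        } catch (Exception e) {
            this.debug.error("Error in getting Cached CRL", e);
            return false;
        }
    }

    /** Looks up {@code name}, falling back to the {@code name;binary} transfer-option form. */
    private static LDAPAttribute findAttribute(LDAPAttributeSet attrs, String name) {
        LDAPAttribute attr = attrs.getAttribute(name);
        if (attr == null) {
            attr = attrs.getAttribute(name + ";binary");
        }
        return attr;
    }

    /**
     * Extracts the CRL Distribution Points extension (OID 2.5.29.31) from the certificate.
     * Body left as decompiled (instruction dump); from the dump it returns null when the
     * extension is absent or on any exception, which is logged.
     */
    /* JADX WARN: Code restructure failed: missing block: B:9:0x005a, code lost:
    
        r8 = new com.iplanet.security.x509.CRLDistributionPointsExtension(new java.lang.Boolean(false), r0.getExtensionValue());
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private com.iplanet.security.x509.CRLDistributionPointsExtension getCRLdpExt(java.security.cert.X509Certificate r7) {
        /*
            r6 = this;
            r0 = 0
            r8 = r0
            r0 = 0
            r9 = r0
            sun.security.x509.X509CertImpl r0 = new sun.security.x509.X509CertImpl     // Catch: java.lang.Exception -> L75
            r1 = r0
            r2 = r7
            byte[] r2 = r2.getEncoded()     // Catch: java.lang.Exception -> L75
            r1.<init>(r2)     // Catch: java.lang.Exception -> L75
            r10 = r0
            sun.security.x509.X509CertInfo r0 = new sun.security.x509.X509CertInfo     // Catch: java.lang.Exception -> L75
            r1 = r0
            r2 = r10
            byte[] r2 = r2.getTBSCertificate()     // Catch: java.lang.Exception -> L75
            r1.<init>(r2)     // Catch: java.lang.Exception -> L75
            r11 = r0
            r0 = r11
            java.lang.String r1 = "extensions"
            java.lang.Object r0 = r0.get(r1)     // Catch: java.lang.Exception -> L75
            sun.security.x509.CertificateExtensions r0 = (sun.security.x509.CertificateExtensions) r0     // Catch: java.lang.Exception -> L75
            r9 = r0
            r0 = r9
            java.util.Enumeration r0 = r0.getElements()     // Catch: java.lang.Exception -> L75
            r12 = r0
        L30:
            r0 = r12
            boolean r0 = r0.hasMoreElements()     // Catch: java.lang.Exception -> L75
            if (r0 == 0) goto L72
            r0 = r12
            java.lang.Object r0 = r0.nextElement()     // Catch: java.lang.Exception -> L75
            sun.security.x509.Extension r0 = (sun.security.x509.Extension) r0     // Catch: java.lang.Exception -> L75
            r13 = r0
            r0 = r13
            sun.security.util.ObjectIdentifier r0 = r0.getExtensionId()     // Catch: java.lang.Exception -> L75
            java.lang.String r0 = r0.toString()     // Catch: java.lang.Exception -> L75
            r14 = r0
            r0 = r14
            java.lang.String r1 = "2.5.29.31"
            boolean r0 = r0.equals(r1)     // Catch: java.lang.Exception -> L75
            if (r0 == 0) goto L30
            com.iplanet.security.x509.CRLDistributionPointsExtension r0 = new com.iplanet.security.x509.CRLDistributionPointsExtension     // Catch: java.lang.Exception -> L75
            r1 = r0
            java.lang.Boolean r2 = new java.lang.Boolean     // Catch: java.lang.Exception -> L75
            r3 = r2
            r4 = 0
            r3.<init>(r4)     // Catch: java.lang.Exception -> L75
            r3 = r13
            byte[] r3 = r3.getExtensionValue()     // Catch: java.lang.Exception -> L75
            r1.<init>(r2, r3)     // Catch: java.lang.Exception -> L75
            r8 = r0
            goto L72
        L72:
            goto L82
        L75:
            r10 = move-exception
            r0 = r6
            com.iplanet.am.util.Debug r0 = r0.debug
            java.lang.String r1 = "Error finding CRL distribution Point configured: "
            r2 = r10
            r0.error(r1, r2)
        L82:
            r0 = r8
            return r0
        */
        throw new UnsupportedOperationException("Method not decompiled: com.sun.identity.authentication.modules.cert.CRLValidation.getCRLdpExt(java.security.cert.X509Certificate):com.iplanet.security.x509.CRLDistributionPointsExtension");
    }

    /**
     * Copies the distribution points out of the extension.
     *
     * @return the points in order, or null if the extension is null or holds no points
     *         (null rather than an empty array is kept because callers may test for it)
     */
    private CRLDistributionPoint[] getCRLdp(CRLDistributionPointsExtension ext) {
        if (ext == null || ext.getNumPoints() <= 0) {
            return null;
        }
        int count = ext.getNumPoints();
        CRLDistributionPoint[] points = new CRLDistributionPoint[count];
        for (int i = 0; i < count; i++) {
            points[i] = ext.getPointAt(i);
        }
        return points;
    }

    /**
     * Refreshes the cache entry {@code r7} from the certificate's distribution points.
     * Body not available (decompiler skipped it); presumably drives getCRLdp, getCRLByURI
     * and replaceLDAPAttr — TODO confirm against the original source.
     */
    /* JADX WARN: Code restructure failed: missing block: B:25:0x00b1, code lost:
    
        if (r0 == (-1)) goto L36;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private synchronized boolean getUpdateCRLFromCrlDP(netscape.ldap.LDAPConnection r6, java.lang.String r7, com.iplanet.security.x509.CRLDistributionPointsExtension r8) {
        /*
            Method dump skipped, instructions count: 306
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.sun.identity.authentication.modules.cert.CRLValidation.getUpdateCRLFromCrlDP(netscape.ldap.LDAPConnection, java.lang.String, com.iplanet.security.x509.CRLDistributionPointsExtension):boolean");
    }

    /**
     * Replaces {@code attr} on the entry {@code dn}.
     *
     * @return true on success; false (logged) on LDAPException
     */
    private boolean replaceLDAPAttr(LDAPConnection ldc, String dn, LDAPAttribute attr) {
        try {
            ldc.modify(dn, new LDAPModification(LDAPModification.REPLACE, attr));
            return true;
        } catch (LDAPException e) {
            this.debug.error("Error updating CRL Cache : ", e);
            return false;
        }
    }

    /**
     * Fetches a CRL from a distribution-point URI. Only http(s) and ldap(s) schemes are
     * accepted; anything else (including null) yields null.
     *
     * @return the raw CRL bytes, or null if the scheme is unsupported or the fetch failed
     */
    private byte[] getCRLByURI(String uri) {
        if (uri == null) {
            return null;
        }
        String scheme = uri.trim().toLowerCase();
        if (scheme.startsWith("http")) {
            // covers both "http" and "https"
            return getCRLByHttpURI(uri);
        }
        if (scheme.startsWith("ldap")) {
            // covers both "ldap" and "ldaps"
            return getCRLByLdapURI(uri);
        }
        return null;
    }

    /**
     * Reads the certificateRevocationList attribute of the entry named by an LDAP URL,
     * using an anonymous bind and a base-scope search. The connection is always closed.
     *
     * @return the raw CRL bytes, or null (logged) if the entry or attribute is missing or
     *         any error occurs
     */
    private byte[] getCRLByLdapURI(String uri) {
        LDAPConnection ldc = null;
        try {
            LDAPUrl ldapUrl = new LDAPUrl(uri);
            ldc = ldapUrl.isSecure()
                    ? new LDAPConnection(SSLSocketFactoryManager.getSSLSocketFactory())
                    : new LDAPConnection();
            // Anonymous bind: distribution points are expected to be world-readable.
            ldc.connect(ldapUrl.getHost(), ldapUrl.getPort(), "", "");
            LDAPSearchResults results = ldc.search(ldapUrl.getDN(), LDAPConnection.SCOPE_BASE, null, null, false);
            if (results == null || !results.hasMoreElements()) {
                this.debug.error("verifyCertificate - No CRL distribution Point configured");
                return null;
            }
            LDAPAttribute attr = findAttribute(results.next().getAttributeSet(), "certificaterevocationlist");
            if (attr == null) {
                this.debug.error("verifyCertificate - No CRL distribution Point configured");
                return null;
            }
            return firstValue(attr);
        } catch (Exception e) {
            this.debug.error("Error in getting CRL", e);
            return null;
        } finally {
            if (ldc != null) {
                try {
                    ldc.disconnect();
                } catch (LDAPException ignored) {
                    // best-effort cleanup; the result has already been determined
                }
            }
        }
    }

    /**
     * Downloads a CRL over HTTP(S). When the module configures URI parameters they are sent
     * as a form-encoded POST body (as before); without parameters a plain GET is issued.
     * The response is returned as raw bytes, not decoded through a String, so DER content
     * survives intact.
     *
     * @return the response body, or null (logged) on any I/O or URL error
     */
    private byte[] getCRLByHttpURI(String uri) {
        String body = buildUriParams(this.certModule.getUriParamsCRL());
        HttpURLConnection conn = null;
        OutputStream out = null;
        InputStream in = null;
        try {
            conn = (HttpURLConnection) new URL(uri).openConnection();
            conn.setDoInput(true);
            conn.setUseCaches(false);
            if (body.length() > 0) {
                byte[] payload = body.getBytes("UTF-8");
                conn.setDoOutput(true);
                conn.setRequestProperty("Content-Length", Integer.toString(payload.length));
                out = conn.getOutputStream();
                out.write(payload);
                out.flush();
            }
            in = conn.getInputStream();
            ByteArrayOutputStream crl = new ByteArrayOutputStream();
            byte[] buf = new byte[READ_BUFFER_SIZE];
            int n;
            while ((n = in.read(buf, 0, buf.length)) != -1) {
                crl.write(buf, 0, n);
            }
            return crl.toByteArray();
        } catch (Exception e) {
            this.debug.error("Error in getting CRL", e);
            return null;
        } finally {
            if (out != null) {
                try {
                    out.close();
                } catch (IOException ignored) {
                    // best-effort cleanup
                }
            }
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // best-effort cleanup
                }
            }
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    /**
     * Builds the form-encoded body from the configured "k1=v1,k2=v2" parameter list.
     * Tokens that are not exactly "key=value" are skipped (a trailing separator may remain,
     * as in the original). Encoding errors are logged at message level.
     *
     * @return the trimmed body, empty when no parameters are configured
     */
    private String buildUriParams(String uriParamsCRL) {
        if (uriParamsCRL == null) {
            return "";
        }
        StringBuffer params = new StringBuffer();
        try {
            StringTokenizer pairs = new StringTokenizer(uriParamsCRL, ",");
            while (pairs.hasMoreTokens()) {
                StringTokenizer pair = new StringTokenizer(pairs.nextToken(), "=");
                if (pair.countTokens() == 2) {
                    params.append(URLEncoder.encode(pair.nextToken(), "UTF-8"))
                          .append("=")
                          .append(URLEncoder.encode(pair.nextToken(), "UTF-8"));
                    if (pairs.hasMoreTokens()) {
                        params.append(SessionEncodeURL.AMPERSAND);
                    }
                }
            }
        } catch (Exception e) {
            this.debug.message("Error in getting CRL", e);
        }
        return params.toString().trim();
    }
}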
