package org.jasig.cas.adaptors.x509.authentication.handler.support;

import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import javax.validation.constraints.NotNull;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.adaptors.x509.util.CertUtils;

/* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/AbstractCRLRevocationChecker.class */
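/**
 * Base class for revocation checkers that consult a CRL to decide whether a
 * certificate has been revoked.
 *
 * <p>Subclasses supply the CRL through {@link #getCRL(X509Certificate)}. Two
 * pluggable policies decide what happens when that CRL is missing or expired.
 *
 * <p>NOTE(review): nothing in this class verifies the CRL's signature or checks
 * that the CRL was issued by the certificate's issuer. Presumably
 * {@code getCRL} implementations are responsible for returning authentic CRL
 * data for the right issuer; confirm against the subclasses.
 */
public abstract class AbstractCRLRevocationChecker implements RevocationChecker {
    /** Logger named after the concrete subclass. */
    protected final Log log = LogFactory.getLog(getClass());

    /** Policy applied when no CRL is available; defaults to {@code DenyRevocationPolicy}. */
    @NotNull
    private RevocationPolicy<Void> unavailableCRLPolicy = new DenyRevocationPolicy();

    /** Policy applied when the CRL is expired; defaults to {@code ThresholdExpiredCRLRevocationPolicy}. */
    @NotNull
    private RevocationPolicy<X509CRL> expiredCRLPolicy = new ThresholdExpiredCRLRevocationPolicy();

    /**
     * Checks the revocation status of the given certificate against the CRL
     * returned by {@link #getCRL(X509Certificate)}.
     *
     * @param x509Certificate certificate to examine; must not be null
     * @throws IllegalArgumentException if the certificate is null
     * @throws GeneralSecurityException declared for failures raised while applying
     *         the policies or reporting the result; a
     *         {@code RevokedCertificateException} is thrown when the CRL holds an
     *         entry for the certificate
     */
    @Override
    public void check(X509Certificate x509Certificate) throws GeneralSecurityException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Certificate cannot be null.");
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("Evaluating certificate revocation status for " + CertUtils.toString(x509Certificate));
        }

        final X509CRL crl = getCRL(x509Certificate);
        if (crl == null) {
            this.log.warn("CRL data is not available for " + CertUtils.toString(x509Certificate));
            // The policy alone decides the outcome here: if it returns without
            // throwing, the certificate passes with no revocation data consulted.
            this.unavailableCRLPolicy.apply(null);
            return;
        }

        if (CertUtils.isExpired(crl)) {
            this.log.warn("CRL data expired on " + crl.getNextUpdate());
            // If the policy returns normally, the expired CRL is still used for
            // the lookup below, so revocations issued since then are not seen.
            this.expiredCRLPolicy.apply(crl);
        }

        // A CRL with no entry for this certificate is treated as "not revoked".
        final X509CRLEntry revokedCertificate = crl.getRevokedCertificate(x509Certificate);
        if (revokedCertificate != null) {
            throw new RevokedCertificateException(revokedCertificate);
        }
    }

    /**
     * Sets the policy applied when CRL data is unavailable.
     *
     * @param revocationPolicy policy to apply; must not be null
     * @throws IllegalArgumentException if the policy is null
     */
    public void setUnavailableCRLPolicy(RevocationPolicy<Void> revocationPolicy) {
        // Reject null at configuration time so a misconfigured checker cannot
        // fail with a NullPointerException in the middle of a revocation check.
        if (revocationPolicy == null) {
            throw new IllegalArgumentException("Unavailable CRL policy cannot be null.");
        }
        this.unavailableCRLPolicy = revocationPolicy;
    }

    /**
     * Sets the policy applied when CRL data is expired.
     *
     * @param revocationPolicy policy to apply; must not be null
     * @throws IllegalArgumentException if the policy is null
     */
    public void setExpiredCRLPolicy(RevocationPolicy<X509CRL> revocationPolicy) {
        // Same fail-fast guard as setUnavailableCRLPolicy.
        if (revocationPolicy == null) {
            throw new IllegalArgumentException("Expired CRL policy cannot be null.");
        }
        this.expiredCRLPolicy = revocationPolicy;
    }

    /**
     * Returns the CRL to consult for the given certificate.
     *
     * @param x509Certificate certificate whose revocation data is wanted
     * @return the CRL, or null when none is available; {@link #check} then
     *         defers to the unavailable-CRL policy
     */
    protected abstract X509CRL getCRL(X509Certificate x509Certificate);
}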
