package org.jasig.cas.adaptors.x509.authentication.handler.support;

import edu.vt.middleware.crypt.x509.ExtensionReader;
import edu.vt.middleware.crypt.x509.types.DistributionPoint;
import edu.vt.middleware.crypt.x509.types.DistributionPointList;
import edu.vt.middleware.crypt.x509.types.GeneralName;
import edu.vt.middleware.crypt.x509.types.GeneralNameList;
import java.net.URI;
import java.net.URL;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import net.sf.ehcache.Cache;
import net.sf.ehcache.Element;
import org.jasig.cas.adaptors.x509.util.CertUtils;
import org.springframework.core.io.UrlResource;

/* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/CRLDistributionPointRevocationChecker.class */
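/**
 * Revocation checker that obtains the CRL for a certificate from the URLs listed in the
 * certificate's CRLDistributionPoints extension, caching every CRL it fetches.
 *
 * <p>NOTE(review): the distribution point URLs are read from the certificate being checked,
 * so they are only as trustworthy as that certificate. Whether the certificate has already
 * been validated against a trusted issuer before {@link #getCRL(X509Certificate)} runs is not
 * visible in this class; confirm against the caller. {@link UrlResource} opens whatever
 * scheme {@code java.net.URL} has a handler for, so a deployment that cannot guarantee the
 * above should restrict the accepted schemes (for example to http/https), apply egress
 * controls and set connect/read timeouts on the fetch.
 *
 * <p>NOTE(review): this class does not verify the signature or freshness of a fetched or
 * cached CRL; presumably the superclass does, which should be confirmed.
 */
public class CRLDistributionPointRevocationChecker extends AbstractCRLRevocationChecker {
    /**
     * Cache of fetched CRLs, keyed by distribution point URL.
     *
     * NOTE(review): java.net.URL as a key means equals()/hashCode() may resolve host names,
     * which can block on DNS and treats hosts that share an IP address as the same key.
     * Keying by the URL's string form or by java.net.URI would avoid this, but changes the
     * keys seen by anything else that shares this cache, so it is only flagged here.
     */
    private final Cache crlCache;

    /**
     * Creates a checker backed by the given cache.
     *
     * @param cache cache used to store fetched CRLs; must not be null
     * @throws IllegalArgumentException if {@code cache} is null
     */
    public CRLDistributionPointRevocationChecker(Cache cache) {
        if (cache == null) {
            throw new IllegalArgumentException("Cache cannot be null.");
        }
        this.crlCache = cache;
    }

    /**
     * Returns the CRL for the given certificate: the first cached CRL found for any of its
     * distribution points, otherwise the first CRL that can be fetched from them in order.
     *
     * @param x509Certificate certificate whose CRL is wanted
     * @return the CRL, or null when no distribution point yielded one
     */
    @Override
    protected X509CRL getCRL(X509Certificate x509Certificate) {
        final URL[] distributionPoints = getDistributionPoints(x509Certificate);
        // Parameterized form, consistent with the other log calls in this class; the
        // rendered message is the same as the previous String.format version.
        this.logger.debug("Distribution points for {}: {}.", CertUtils.toString(x509Certificate), Arrays.asList(distributionPoints));

        // Prefer any cached CRL before going to the network.
        for (URL url : distributionPoints) {
            final Element element = this.crlCache.get(url);
            if (element != null) {
                this.logger.debug("Found CRL in cache for {}", CertUtils.toString(x509Certificate));
                return (X509CRL) element.getObjectValue();
            }
        }

        // Nothing cached: try each distribution point in turn and stop at the first success.
        X509CRL x509crl = null;
        for (int i = 0; i < distributionPoints.length && x509crl == null; i++) {
            this.logger.info("Attempting to fetch CRL at {}", distributionPoints[i]);
            try {
                x509crl = CertUtils.fetchCRL(new UrlResource(distributionPoints[i]));
                this.logger.info("Success. Caching fetched CRL.");
                this.crlCache.put(new Element(distributionPoints[i], x509crl));
            } catch (Exception e) {
                // Best effort: a failing distribution point must not prevent trying the next.
                this.logger.error("Error fetching CRL at {}", distributionPoints[i], e);
            }
        }
        return x509crl;
    }

    /**
     * Extracts the usable distribution point URLs from the certificate's
     * CRLDistributionPoints extension.
     *
     * @param x509Certificate certificate to read
     * @return the URLs that could be parsed; empty when there are none or the extension
     *         cannot be read
     */
    private URL[] getDistributionPoints(X509Certificate x509Certificate) {
        try {
            final DistributionPointList points = new ExtensionReader(x509Certificate).readCRLDistributionPoints();
            // Guard against a null list (presumably returned when the extension is absent;
            // confirm against ExtensionReader). Previously this surfaced as a
            // NullPointerException that was caught below and logged as an error.
            if (points == null) {
                this.logger.debug("No CRL distribution points read from {}", CertUtils.toString(x509Certificate));
                return new URL[0];
            }
            final List<URL> urls = new ArrayList<URL>();
            for (DistributionPoint point : (DistributionPoint[]) points.getItems()) {
                final Object location = point.getDistributionPoint();
                if (location instanceof String) {
                    addURL(urls, (String) location);
                } else if (location instanceof GeneralNameList) {
                    for (GeneralName generalName : (GeneralName[]) ((GeneralNameList) location).getItems()) {
                        addURL(urls, generalName.getName());
                    }
                } else {
                    this.logger.warn("{} not supported. String or GeneralNameList expected.", location);
                }
            }
            return urls.toArray(new URL[urls.size()]);
        } catch (Exception e) {
            this.logger.error("Error reading CRLDistributionPoints extension field on " + CertUtils.toString(x509Certificate), e);
            return new URL[0];
        }
    }

    /**
     * Parses {@code str} as a URL and appends it to {@code list}; values that cannot be
     * parsed are logged and skipped.
     *
     * @param list destination list
     * @param str  candidate distribution point location
     */
    private void addURL(List<URL> list, String str) {
        try {
            final URL url = new URL(str);
            // Rebuild through the multi-argument URI constructor, which quotes characters
            // that are not legal in a URI; the null last argument drops any fragment.
            list.add(new URI(url.getProtocol(), url.getAuthority(), url.getPath(), url.getQuery(), null).toURL());
        } catch (Exception ignored) {
            // Deliberately not rethrown: one unusable entry must not discard the others.
            this.logger.warn("{} is not a valid distribution point URI.", str);
        }
    }
}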
