package org.jasig.cas.adaptors.x509.authentication.handler.support;

import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import javax.annotation.PostConstruct;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.reflect.Factory;
import org.jasig.cas.adaptors.x509.util.CertUtils;
import org.jasig.inspektr.aspect.TraceLogAspect;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;

/* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/AbstractCRLRevocationChecker.class */
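/**
 * Base class for revocation checkers that decide a certificate's status from X.509 CRLs.
 *
 * <p>Subclasses supply the CRL data through {@link #getCRLs(X509Certificate)} and
 * {@link #addCRL(Object, X509CRL)}; this class holds the decision logic and the two
 * policies applied when CRL data is missing or expired.
 *
 * <p>This listing is decompiled, AspectJ-woven bytecode. Each traced public method
 * delegates through {@code TraceLogAspect.traceMethod(...)} to an {@code AjcClosureN},
 * whose {@code run} invokes the matching static {@code *_aroundBodyN} method holding the
 * real logic. The {@code ajc$...} members and the {@code AjcClosureN} classes are generated
 * plumbing and are kept as the decompiler produced them.
 */
public abstract class AbstractCRLRevocationChecker implements RevocationChecker {
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    // Set from the cas.x509.authn.crl.checkAll property (see setCheckAll). Not read in this
    // class; presumably consumed by subclasses when they collect CRLs - confirm there.
    protected boolean checkAll;
    // Applied when getCRLs() yields no CRL data; defaulted in init() if not injected.
    private RevocationPolicy<Void> unavailableCRLPolicy;
    // Applied to each CRL when every retrieved CRL has expired; defaulted in init().
    private RevocationPolicy<X509CRL> expiredCRLPolicy;
    // Generated join-point descriptors, assigned in ajc$preClinit(). As decompiled they are
    // declared final with a null initialiser, which is a decompiler artefact of the woven
    // static initialiser rather than valid source.
    private static final JoinPoint.StaticPart ajc$tjp_0 = null;
    private static final JoinPoint.StaticPart ajc$tjp_1 = null;
    private static final JoinPoint.StaticPart ajc$tjp_2 = null;
    private static final JoinPoint.StaticPart ajc$tjp_3 = null;
    private static final JoinPoint.StaticPart ajc$tjp_4 = null;

    /* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/AbstractCRLRevocationChecker$AjcClosure1.class */
    /** Generated closure for {@code init()}: unpacks the saved state and runs {@code init_aroundBody0}. */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            AbstractCRLRevocationChecker.init_aroundBody0((AbstractCRLRevocationChecker) objArr2[0], (JoinPoint) objArr2[1]);
            return null;
        }
    }

    /* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/AbstractCRLRevocationChecker$AjcClosure3.class */
    /** Generated closure for {@code check(...)}: unpacks the saved state and runs {@code check_aroundBody2}. */
    public class AjcClosure3 extends AroundClosure {
        public AjcClosure3(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            AbstractCRLRevocationChecker.check_aroundBody2((AbstractCRLRevocationChecker) objArr2[0], (X509Certificate) objArr2[1], (JoinPoint) objArr2[2]);
            return null;
        }
    }

    /* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/AbstractCRLRevocationChecker$AjcClosure5.class */
    /** Generated closure for {@code getUnavailableCRLPolicy()}. */
    public class AjcClosure5 extends AroundClosure {
        public AjcClosure5(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return AbstractCRLRevocationChecker.getUnavailableCRLPolicy_aroundBody4((AbstractCRLRevocationChecker) objArr2[0], (JoinPoint) objArr2[1]);
        }
    }

    /* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/AbstractCRLRevocationChecker$AjcClosure7.class */
    /** Generated closure for {@code getExpiredCRLPolicy()}. */
    public class AjcClosure7 extends AroundClosure {
        public AjcClosure7(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return AbstractCRLRevocationChecker.getExpiredCRLPolicy_aroundBody6((AbstractCRLRevocationChecker) objArr2[0], (JoinPoint) objArr2[1]);
        }
    }

    /* loaded from: input_file:org/jasig/cas/adaptors/x509/authentication/handler/support/AbstractCRLRevocationChecker$AjcClosure9.class */
    /** Generated closure for {@code getCRL(...)}. */
    public class AjcClosure9 extends AroundClosure {
        public AjcClosure9(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return AbstractCRLRevocationChecker.getCRL_aroundBody8((AbstractCRLRevocationChecker) objArr2[0], (X509Certificate) objArr2[1], (JoinPoint) objArr2[2]);
        }
    }

    /**
     * Installs default policies for any policy that was not injected.
     * The logic lives in {@link #init_aroundBody0}; this wrapper only routes it through the trace aspect.
     */
    @PostConstruct
    public void init() {
        TraceLogAspect.aspectOf().traceMethod(new AjcClosure1(new Object[]{this, Factory.makeJP(ajc$tjp_0, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Checks the revocation status of the given certificate.
     * The logic lives in {@link #check_aroundBody2}; this wrapper only routes it through the trace aspect.
     *
     * @param x509Certificate certificate to evaluate; must not be null
     * @throws GeneralSecurityException declared by the interface; the visible body throws
     *         {@code RevokedCertificateException} when the certificate is treated as revoked
     */
    @Override // org.jasig.cas.adaptors.x509.authentication.handler.support.RevocationChecker
    public void check(X509Certificate x509Certificate) throws GeneralSecurityException {
        TraceLogAspect.aspectOf().traceMethod(new AjcClosure3(new Object[]{this, x509Certificate, Factory.makeJP(ajc$tjp_1, this, this, x509Certificate)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Sets the policy applied when no CRL data is available for a certificate.
     *
     * @param revocationPolicy policy to use; if left null, {@code init()} installs a {@code DenyRevocationPolicy}
     */
    public void setUnavailableCRLPolicy(RevocationPolicy<Void> revocationPolicy) {
        this.unavailableCRLPolicy = revocationPolicy;
    }

    /**
     * Sets the policy applied when all retrieved CRLs have expired.
     *
     * @param revocationPolicy policy to use; if left null, {@code init()} installs a
     *        {@code ThresholdExpiredCRLRevocationPolicy}
     */
    public void setExpiredCRLPolicy(RevocationPolicy<X509CRL> revocationPolicy) {
        this.expiredCRLPolicy = revocationPolicy;
    }

    /** @return the policy applied when no CRL data is available */
    public RevocationPolicy<Void> getUnavailableCRLPolicy() {
        return (RevocationPolicy) TraceLogAspect.aspectOf().traceMethod(new AjcClosure5(new Object[]{this, Factory.makeJP(ajc$tjp_2, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /** @return the policy applied when all retrieved CRLs have expired */
    public RevocationPolicy<X509CRL> getExpiredCRLPolicy() {
        return (RevocationPolicy) TraceLogAspect.aspectOf().traceMethod(new AjcClosure7(new Object[]{this, Factory.makeJP(ajc$tjp_3, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Sets the {@code checkAll} flag from the {@code cas.x509.authn.crl.checkAll} property,
     * which defaults to {@code false} when the property is not set.
     *
     * @param z new value of the flag
     */
    @Autowired
    public void setCheckAll(@Value("${cas.x509.authn.crl.checkAll:false}") boolean z) {
        this.checkAll = z;
    }

    /**
     * Returns the first CRL that {@link #getCRLs(X509Certificate)} yields for the certificate.
     *
     * @param x509Certificate certificate whose CRL is wanted
     * @return the first CRL, or null when none is found
     */
    public final X509CRL getCRL(X509Certificate x509Certificate) {
        return (X509CRL) TraceLogAspect.aspectOf().traceMethod(new AjcClosure9(new Object[]{this, x509Certificate, Factory.makeJP(ajc$tjp_4, this, this, x509Certificate)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Records a CRL under the given identifier.
     *
     * @param obj identifier for the CRL; its meaning is defined by the subclass
     * @param x509crl CRL to record
     * @return subclass-defined result; presumably whether the CRL was stored - confirm in subclasses
     */
    protected abstract boolean addCRL(Object obj, X509CRL x509crl);

    /**
     * Fetches the CRLs relevant to the given certificate.
     *
     * @param x509Certificate certificate to look up
     * @return the CRLs, or null/empty when none are available; callers in this class do not
     *         modify the returned collection
     */
    protected abstract Collection<X509CRL> getCRLs(X509Certificate x509Certificate);

    static {
        ajc$preClinit();
    }

    /** Body of {@code init()}: fills in each policy that is still null with its default. */
    static final void init_aroundBody0(AbstractCRLRevocationChecker abstractCRLRevocationChecker, JoinPoint joinPoint) {
        if (abstractCRLRevocationChecker.unavailableCRLPolicy == null) {
            abstractCRLRevocationChecker.unavailableCRLPolicy = new DenyRevocationPolicy();
        }
        if (abstractCRLRevocationChecker.expiredCRLPolicy == null) {
            abstractCRLRevocationChecker.expiredCRLPolicy = new ThresholdExpiredCRLRevocationPolicy();
        }
    }

    /**
     * Body of {@code check(...)}. Outcomes, in order:
     * <ol>
     *   <li>No CRL data: {@code unavailableCRLPolicy} is applied with null. If the policy
     *       returns normally, the certificate passes the check.</li>
     *   <li>Every CRL expired: {@code expiredCRLPolicy} is applied to each CRL. If none of
     *       the calls throws, the certificate passes the check.</li>
     *   <li>Otherwise expired CRLs are set aside and the certificate is rejected only when
     *       every remaining CRL contains a revocation entry for it.</li>
     * </ol>
     *
     * @throws IllegalArgumentException if the certificate is null
     */
    static final void check_aroundBody2(AbstractCRLRevocationChecker abstractCRLRevocationChecker, X509Certificate x509Certificate, JoinPoint joinPoint) {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Certificate cannot be null.");
        }
        abstractCRLRevocationChecker.logger.debug("Evaluating certificate revocation status for {}", CertUtils.toString(x509Certificate));
        Collection<X509CRL> cRLs = abstractCRLRevocationChecker.getCRLs(x509Certificate);
        if (cRLs == null || cRLs.isEmpty()) {
            abstractCRLRevocationChecker.logger.warn("CRL data is not available for {}", CertUtils.toString(x509Certificate));
            // Fail-closed behaviour here depends entirely on the configured policy throwing.
            abstractCRLRevocationChecker.unavailableCRLPolicy.apply(null);
            return;
        }
        ArrayList<X509CRL> expiredCrls = new ArrayList<>();
        for (X509CRL x509crl : cRLs) {
            if (CertUtils.isExpired(x509crl)) {
                abstractCRLRevocationChecker.logger.warn("CRL data expired on {}", x509crl.getNextUpdate());
                expiredCrls.add(x509crl);
            }
        }
        if (cRLs.size() == expiredCrls.size()) {
            abstractCRLRevocationChecker.logger.warn("All CRLs retrieved have expired. Applying CRL expiration policy...");
            for (X509CRL expiredCrl : expiredCrls) {
                abstractCRLRevocationChecker.expiredCRLPolicy.apply(expiredCrl);
            }
            return;
        }
        // Work on a private copy: the collection returned by getCRLs() belongs to the subclass
        // (it may be cached or unmodifiable), so it must not be edited in place.
        ArrayList<X509CRL> validCrls = new ArrayList<>(cRLs);
        validCrls.removeAll(expiredCrls);
        // NOTE(review): when only some CRLs are expired they are dropped here without
        // consulting expiredCRLPolicy - confirm that stale CRLs may be ignored silently.
        abstractCRLRevocationChecker.logger.debug("Valid CRLs [{}] found that are not expired yet", validCrls);
        ArrayList<X509CRLEntry> revokedEntries = new ArrayList<>();
        for (X509CRL validCrl : validCrls) {
            X509CRLEntry revokedCertificate = validCrl.getRevokedCertificate(x509Certificate);
            if (revokedCertificate != null) {
                revokedEntries.add(revokedCertificate);
            }
        }
        // NOTE(review): rejection requires EVERY non-expired CRL to list the certificate. A
        // certificate listed in only some of them passes this check; if revocation by any
        // single CRL should be sufficient, this condition should be !revokedEntries.isEmpty().
        // Left as upstream wrote it - confirm the intended policy before changing.
        if (revokedEntries.size() == validCrls.size()) {
            X509CRLEntry x509CRLEntry = revokedEntries.get(0);
            abstractCRLRevocationChecker.logger.warn("All CRL entries have been revoked. Rejecting the first entry [{}]", x509CRLEntry);
            throw new RevokedCertificateException(x509CRLEntry);
        }
    }

    /** Body of {@code getUnavailableCRLPolicy()}: returns the field as-is. */
    static final RevocationPolicy getUnavailableCRLPolicy_aroundBody4(AbstractCRLRevocationChecker abstractCRLRevocationChecker, JoinPoint joinPoint) {
        return abstractCRLRevocationChecker.unavailableCRLPolicy;
    }

    /** Body of {@code getExpiredCRLPolicy()}: returns the field as-is. */
    static final RevocationPolicy getExpiredCRLPolicy_aroundBody6(AbstractCRLRevocationChecker abstractCRLRevocationChecker, JoinPoint joinPoint) {
        return abstractCRLRevocationChecker.expiredCRLPolicy;
    }

    /**
     * Body of {@code getCRL(...)}: returns the first element of {@code getCRLs(...)}, or
     * logs at debug level and returns null when the collection is null or empty.
     */
    static final X509CRL getCRL_aroundBody8(AbstractCRLRevocationChecker abstractCRLRevocationChecker, X509Certificate x509Certificate, JoinPoint joinPoint) {
        Collection<X509CRL> cRLs = abstractCRLRevocationChecker.getCRLs(x509Certificate);
        if (cRLs != null && !cRLs.isEmpty()) {
            return cRLs.iterator().next();
        }
        abstractCRLRevocationChecker.logger.debug("No CRL could be found for {}", CertUtils.toString(x509Certificate));
        return null;
    }

    /**
     * Generated initialiser run from the static block: builds one static join-point
     * descriptor per traced method (init, check, both policy getters, getCRL).
     */
    private static void ajc$preClinit() {
        Factory factory = new Factory("AbstractCRLRevocationChecker.java", AbstractCRLRevocationChecker.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "init", "org.jasig.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker", "", "", "", "void"), 49);
        ajc$tjp_1 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "check", "org.jasig.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker", "java.security.cert.X509Certificate", "cert", "java.security.GeneralSecurityException", "void"), 59);
        ajc$tjp_2 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "getUnavailableCRLPolicy", "org.jasig.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker", "", "", "", "org.jasig.cas.adaptors.x509.authentication.handler.support.RevocationPolicy"), 127);
        ajc$tjp_3 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "getExpiredCRLPolicy", "org.jasig.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker", "", "", "", "org.jasig.cas.adaptors.x509.authentication.handler.support.RevocationPolicy"), 131);
        ajc$tjp_4 = factory.makeSJP("method-execution", factory.makeMethodSig("11", "getCRL", "org.jasig.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker", "java.security.cert.X509Certificate", "cert", "", "java.security.cert.X509CRL"), 155);
    }
}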
