package com.sun.identity.security.cert;

import com.iplanet.am.util.AMPasswordUtil;
import com.iplanet.security.x509.CertUtils;
import com.sun.identity.security.SecurityDebug;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import java.io.IOException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Vector;

/* loaded from: input_file:com/sun/identity/security/cert/CRLValidator.class */
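/**
 * Validates X.509 certificates against CRLs fetched from an LDAP directory.
 *
 * <p>Configuration is static and is read once, in the class initializer, from the
 * {@code com.sun.identity.crl.cache.directory.*} system properties. CRL checking
 * counts as "configured" as soon as a directory host is present; the LDAP store
 * parameters are then built from the remaining properties.
 *
 * <p>Thread-safety caveat: {@link #getCRL(X509Certificate)} mutates the shared
 * {@link #ldapParams} (it sets the search filter for the current issuer), so two
 * concurrent lookups for certificates with different issuers can observe each
 * other's filter. NOTE(review): a per-call copy of the parameters would remove
 * this race; whether {@code AMLDAPCertStoreParameters} can be copied is not
 * visible from this file.
 */
public class CRLValidator {
    private static final Debug debug = SecurityDebug.debug;

    /**
     * Maximum number of issuer hops {@link #validateCertificate(X509Certificate, boolean)}
     * follows above the leaf certificate. Without a bound, an issuer loop in the
     * directory (e.g. cross-signed CAs) would recurse until {@link StackOverflowError},
     * which the {@code catch (Exception)} in that method does not intercept.
     */
    private static final int MAX_CHAIN_DEPTH = 10;

    private static AMLDAPCertStoreParameters ldapParams;
    private static boolean crlCheckEnabled;
    private static String dirServerHost;
    private static String dirServerPort;
    private static String dirUseSSL;
    private static String dirPrincipleUser;
    private static String dirPrinciplePasswd;
    private static String dirStartSearchLoc;
    private static String crlSearchAttr;

    /**
     * Validates {@code x509Certificate} against its issuer's CRL and, when {@code z}
     * is {@code true}, walks up the issuer chain (each issuer looked up in the LDAP
     * store) validating every issuer in turn until a root CA is reached.
     *
     * @param x509Certificate certificate to validate; {@code null} yields {@code false}
     * @param z whether to validate the issuer chain as well as the certificate itself
     * @return {@code true} only if every checked certificate passes; any exception,
     *         missing issuer or over-long chain yields {@code false} (fail closed)
     */
    public static boolean validateCertificate(X509Certificate x509Certificate, boolean z) {
        return validateCertificate(x509Certificate, z, 0);
    }

    /**
     * Recursive worker for {@link #validateCertificate(X509Certificate, boolean)}.
     *
     * @param cert certificate at the current position in the chain
     * @param checkChain whether to continue to the issuer after this certificate passes
     * @param depth number of issuer hops already taken from the leaf
     */
    private static boolean validateCertificate(X509Certificate cert, boolean checkChain, int depth) {
        if (cert == null) {
            // Reached when the issuer lookup returns nothing; report it as a failed check instead
            // of letting a NullPointerException surface through the generic catch below.
            debug.error("validateCertificate : no certificate to validate (issuer not found?)");
            return false;
        }
        if (depth > MAX_CHAIN_DEPTH) {
            debug.error("validateCertificate : issuer chain exceeds " + MAX_CHAIN_DEPTH + " hops; aborting.");
            return false;
        }
        try {
            Vector<X509CRL> crls = new Vector<X509CRL>();
            X509CRL crl = AMCRLStore.getCRL(ldapParams, cert, crlSearchAttr);
            if (crl != null) {
                crls.add(crl);
            }
            if (debug.messageEnabled()) {
                debug.message("validateCertificate :  crls size = " + crls.size());
                if (crls.size() > 0) {
                    debug.message("validateCertificate : CRL = " + crls.toString());
                } else {
                    debug.message("validateCertificate : NO CRL found.");
                }
            }
            // AMCertPath decides what an empty CRL list means.
            // NOTE(review): confirm it treats "no CRL found" as a failure, not as "nothing revoked".
            if (!new AMCertPath(crls).verify(new X509Certificate[]{cert}, true, false)) {
                debug.error("validateCertificate : CertPath:verify failed.");
                return false;
            }
            if (!checkChain || AMCertStore.isRootCA(cert)) {
                return true;
            }
            X509Certificate issuer = AMCertStore.getIssuerCertificate(ldapParams, cert, crlSearchAttr);
            return validateCertificate(issuer, checkChain, depth + 1);
        } catch (Exception e) {
            // Any failure during lookup or verification is a negative result (fail closed).
            debug.error("validateCertificate : verify failed.", e);
            return false;
        }
    }

    /**
     * Fetches the CRL for the issuer of {@code x509Certificate} from the LDAP store,
     * searching by the configured issuer attribute ({@code crlSearchAttr}).
     *
     * @param x509Certificate certificate whose issuer's CRL is wanted
     * @return the CRL, or {@code null} when CRL checking is not configured, the
     *         store could not be built, the issuer DN lacks the search attribute,
     *         or the fetch failed with an {@link IOException}
     */
    public static X509CRL getCRL(X509Certificate x509Certificate) {
        if (ldapParams == null) {
            if (crlCheckEnabled) {
                // A host was configured but the store parameters failed to build (see the static
                // initializer). Say so: a bare null looks like "no CRL" to the caller.
                debug.error("CRLValidator.getCRL : CRL directory is configured but unusable; no CRL fetched.");
            }
            return null;
        }
        String attributeValue = CertUtils.getAttributeValue(x509Certificate.getIssuerX500Principal(), crlSearchAttr);
        if (attributeValue == null) {
            if (debug.messageEnabled()) {
                debug.message("CRLValidator - issuer DN has no " + crlSearchAttr + " attribute; no CRL lookup.");
            }
            return null;
        }
        if (debug.messageEnabled()) {
            debug.message("CRLValidator - attrValue to search crl : " + attributeValue);
        }
        // Mutates the shared parameter object; see the class comment on concurrency.
        ldapParams.setSearchFilter(AMCRLStore.setSearchFilter(crlSearchAttr, attributeValue));
        try {
            return new AMCRLStore(ldapParams).getCRL(x509Certificate);
        } catch (IOException e) {
            debug.error("CRLValidator.getCRL : CRL fetch failed.", e);
            return null;
        }
    }

    /**
     * Whether CRL checking is configured, i.e. a directory host property was present
     * at class initialization. Note that this stays {@code true} even if building the
     * LDAP store parameters failed; it reflects intent, not a working store.
     */
    public static boolean isCRLCheckEnabled() {
        return crlCheckEnabled;
    }

    /**
     * Reads the CRL directory configuration once. CRL checking is enabled iff a
     * directory host is configured; the remaining properties are consulted only then.
     */
    static {
        dirServerHost = SystemPropertiesManager.get("com.sun.identity.crl.cache.directory.host", (String) null);
        crlCheckEnabled = dirServerHost != null;
        if (debug.messageEnabled()) {
            debug.message("CRLValidator : CRL Check configured : " + crlCheckEnabled);
        }
        if (crlCheckEnabled) {
            dirServerPort = SystemPropertiesManager.get("com.sun.identity.crl.cache.directory.port", "389");
            dirUseSSL = SystemPropertiesManager.get("com.sun.identity.crl.cache.directory.ssl", "false");
            dirPrincipleUser = SystemPropertiesManager.get("com.sun.identity.crl.cache.directory.user", (String) null);
            // Held decrypted only because the LDAP bind needs it; it must never be logged.
            dirPrinciplePasswd = AMPasswordUtil.decrypt(SystemPropertiesManager.get("com.sun.identity.crl.cache.directory.password", (String) null));
            dirStartSearchLoc = SystemPropertiesManager.get("com.sun.identity.crl.cache.directory.searchlocs", (String) null);
            crlSearchAttr = SystemPropertiesManager.get("com.sun.identity.crl.cache.directory.searchattr", "CN");
            try {
                ldapParams = AMCertStore.setLdapStoreParam(dirServerHost, Integer.parseInt(dirServerPort), dirPrincipleUser, dirPrinciplePasswd, dirStartSearchLoc, null, dirUseSSL.equalsIgnoreCase("true"));
            } catch (Exception e) {
                // crlCheckEnabled deliberately stays true: callers must not skip CRL checks just
                // because the store is misconfigured (e.g. a non-numeric port). ldapParams stays
                // null, so lookups through it are expected to fail rather than silently pass.
                // NOTE(review): confirm AMCRLStore has no unchecked fallback for a null store.
                debug.error("Unable to configure ldap CRL cache ", e);
            }
            if (debug.messageEnabled()) {
                debug.message("CRLValidator : Directory Server Host : " + dirServerHost);
                debug.message("CRLValidator : Directory Server Port# : " + dirServerPort);
                debug.message("CRLValidator : SSL Enabled : " + dirUseSSL);
                debug.message("CRLValidator : Principal User : " + dirPrincipleUser);
                if (dirPrinciplePasswd != null) {
                    debug.message("CRLValidator : User Password : xxxxxx");
                } else {
                    debug.message("CRLValidator : User Password : null");
                }
                debug.message("CRLValidator : Start Search Loc : " + dirStartSearchLoc);
                debug.message("CRLValidator : CRL Search Attr : " + crlSearchAttr);
            }
        }
    }
}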
