package org.cesecore.certificates.ca.internal;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Date;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.DERGeneralizedTime;
import org.bouncycastle.asn1.x509.PrivateKeyUsagePeriod;
import org.cesecore.certificates.ca.CAOfflineException;
import org.cesecore.certificates.ca.IllegalValidityException;
import org.cesecore.certificates.certificateprofile.CertificateProfile;
import org.cesecore.certificates.endentity.EndEntityInformation;
import org.cesecore.certificates.endentity.ExtendedInformation;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.internal.InternalResources;
import org.cesecore.util.CertTools;
import org.cesecore.util.ValidityDate;

/* loaded from: input_file:org/cesecore/certificates/ca/internal/CertificateValidity.class */
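/**
 * Computes the notBefore / notAfter pair for a certificate that is about to be issued.
 *
 * <p>The constructor combines, in this order: custom start/end times stored in the end entity's
 * {@link ExtendedInformation}, the dates requested by the caller, the validity configured in the
 * {@link CertificateProfile}, the notAfter of the supplied certificate, and the configured
 * "too late" expiry date. Requested and custom dates are only honoured when the profile returns
 * {@code true} from {@code getAllowValidityOverride()}; that flag is therefore the policy switch
 * that decides whether enrolment data can influence certificate lifetime.
 *
 * <p>The {@link Date} objects returned by the getters are the internal instances (and may be the
 * very instances passed in by the caller); they are not defensively copied.
 */
public class CertificateValidity {
    /**
     * Milliseconds (600000 = 10 minutes) subtracted from the system clock to obtain the "now"
     * used as the earliest start time. Presumably this tolerates clock skew between the issuing
     * system and relying parties - confirm against project documentation.
     */
    public static final long SETBACKTIME = 600000;

    /** Relative time written as {@code days:hours:minutes}; hours and minutes are one or two digits. */
    private static final String RELATIVE_TIME_REGEX = "^\\d+:\\d?\\d:\\d?\\d$";

    private static final long MINUTES_PER_DAY = 24L * 60L;
    private static final long MILLIS_PER_MINUTE = 60L * 1000L;

    private static final Logger log = Logger.getLogger(CertificateValidity.class);
    private static final InternalResources intres = InternalResources.getInstance();

    /** Upper bound for any issued notAfter; {@code null} when the configured value could not be parsed. */
    private static Date tooLateExpireDate = ValidityDate.parseCaLatestValidDateTime(CesecoreConfiguration.getCaTooLateExpireDate());

    private Date lastDate;
    private Date firstDate;

    /**
     * Replaces the configured "too late" expiry date.
     *
     * @param date the new upper bound; {@code null} makes every subsequent construction fail
     */
    protected static void setTooLateExpireDate(Date date) {
        tooLateExpireDate = date;
    }

    /**
     * Determines the validity period for a certificate.
     *
     * @param endEntityInformation end entity whose extended information may carry custom start/end times
     * @param certificateProfile profile supplying the validity and the validity-override flag
     * @param date requested notBefore, used only when the profile allows validity override; may be null
     * @param date2 requested notAfter, used only when the profile allows validity override; may be null
     * @param certificate certificate whose notAfter caps the computed notAfter (presumably the
     *        issuing CA's certificate - confirm against callers); may be null to skip the cap
     * @param z when {@code true} the cap against {@code certificate} is not applied
     * @throws IllegalValidityException if the configured too-late expiry date is not a valid date,
     *         or if the computed notAfter is not strictly before it
     */
    public CertificateValidity(EndEntityInformation endEntityInformation, CertificateProfile certificateProfile, Date date, Date date2, Certificate certificate, boolean z) throws IllegalValidityException {
        if (log.isDebugEnabled()) {
            log.debug("Requested notBefore: " + date);
            log.debug("Requested notAfter: " + date2);
        }
        if (tooLateExpireDate == null) {
            throw new IllegalValidityException("ca.toolateexpiredate in ejbca.properties is not a valid date.");
        }
        // "now" is deliberately set back by SETBACKTIME; it is the floor for start times below.
        final Date now = new Date(new Date().getTime() - SETBACKTIME);
        Date customStart = null;
        Date customEnd = null;
        final ExtendedInformation extendedInformation = endEntityInformation.getExtendedinformation();
        if (extendedInformation != null) {
            final String startText = extendedInformation.getCustomData(ExtendedInformation.CUSTOM_STARTTIME);
            final String endText = extendedInformation.getCustomData(ExtendedInformation.CUSTOM_ENDTIME);
            if (startText != null) {
                customStart = parseCustomTime(startText, now);
                if (customStart != null && customStart.before(now)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Using custom start time, but it is before current date, ignoring custom date and setting to 'now'");
                    }
                    customStart = now;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Custom notBefore: " + customStart);
                }
            }
            if (endText != null) {
                customEnd = parseCustomTime(endText, now);
                if (log.isDebugEnabled()) {
                    log.debug("Custom notAfter: " + customEnd);
                }
            }
        }
        final boolean allowOverride = certificateProfile.getAllowValidityOverride();
        if (allowOverride) {
            // Custom (end-entity) values take precedence over the dates requested by the caller.
            this.firstDate = customStart != null ? customStart : date;
            this.lastDate = customEnd != null ? customEnd : date2;
            if (log.isDebugEnabled()) {
                log.debug("Allow validity override, notBefore: " + this.firstDate);
                log.debug("Allow validity override, notAfter: " + this.lastDate);
            }
        }
        if (this.firstDate == null) {
            this.firstDate = now;
        }
        final long validity = certificateProfile.getValidity();
        // Latest notAfter the profile permits for the chosen start date.
        Date profileLastDate = ValidityDate.getDate(validity, this.firstDate);
        if (this.lastDate == null) {
            this.lastDate = profileLastDate;
        }
        if (this.lastDate.before(this.firstDate)) {
            // NOTE(review): an end before the start is repaired by swapping rather than rejected,
            // so an end date in the past becomes the start date when override is allowed.
            log.info(intres.getLocalizedMessage("createcert.errorinvalidcausality", this.firstDate, this.lastDate));
            final Date swapped = this.lastDate;
            this.lastDate = this.firstDate;
            this.firstDate = swapped;
        }
        if (this.firstDate.before(now) && !allowOverride) {
            log.error(intres.getLocalizedMessage("createcert.errorbeforecurrentdate", this.firstDate, endEntityInformation.getUsername()));
            this.firstDate = now;
            profileLastDate = ValidityDate.getDate(validity, this.firstDate);
            // NOTE(review): the original re-assigned lastDate only when it already equalled the
            // recomputed profileLastDate, which changes nothing; lastDate is left untouched here
            // and is still clamped against profileLastDate below.
        }
        if (this.lastDate.after(profileLastDate)) {
            log.info(intres.getLocalizedMessage("createcert.errorbeyondmaxvalidity", this.lastDate, endEntityInformation.getUsername(), profileLastDate));
            this.lastDate = profileLastDate;
        }
        if (certificate != null && !z) {
            // Never let the issued certificate outlive the supplied certificate.
            final Date capNotAfter = CertTools.getNotAfter(certificate);
            if (this.lastDate.after(capNotAfter)) {
                log.info(intres.getLocalizedMessage("createcert.limitingvalidity", this.lastDate.toString(), capNotAfter));
                this.lastDate = capNotAfter;
            }
        }
        if (!this.lastDate.before(tooLateExpireDate)) {
            final String message = intres.getLocalizedMessage("createcert.errorbeyondtoolateexpiredate", this.lastDate.toString(), tooLateExpireDate.toString());
            log.info(message);
            throw new IllegalValidityException(message);
        }
    }

    /**
     * Parses a custom start or end time taken from the end entity's extended information.
     *
     * <p>Accepts either a relative {@code days:hours:minutes} offset from {@code base} or an
     * absolute time understood by {@code ValidityDate.parseAsUTC}. The value is enrolment data,
     * so anything unparsable - including a day count too large for a {@code long} or one whose
     * offset would overflow - is logged and ignored instead of escaping as an unchecked
     * exception or wrapping into an arbitrary date.
     *
     * @param value the custom time string, not null
     * @param base the instant that relative offsets are added to
     * @return the parsed date, or {@code null} if the value is invalid
     */
    private static Date parseCustomTime(String value, Date base) {
        if (value.matches(RELATIVE_TIME_REGEX)) {
            final String[] parts = value.split(":");
            try {
                final long days = Long.parseLong(parts[0]);
                // The regex limits hours and minutes to two digits, so this sum is at most 6039.
                final long minorMinutes = (Long.parseLong(parts[1]) * 60L) + Long.parseLong(parts[2]);
                // Largest minute offset that can be added to base without overflowing a long.
                final long budgetMinutes = (Long.MAX_VALUE - Math.max(base.getTime(), 0L)) / MILLIS_PER_MINUTE;
                if (days <= (budgetMinutes - minorMinutes) / MINUTES_PER_DAY) {
                    final long offsetMinutes = (days * MINUTES_PER_DAY) + minorMinutes;
                    return new Date(base.getTime() + (offsetMinutes * MILLIS_PER_MINUTE));
                }
            } catch (NumberFormatException e) {
                // The day count has more digits than a long can hold; reported as invalid below.
            }
            log.error(intres.getLocalizedMessage("createcert.errorinvalidstarttime", value));
            return null;
        }
        try {
            return ValidityDate.parseAsUTC(value);
        } catch (ParseException e) {
            log.error(intres.getLocalizedMessage("createcert.errorinvalidstarttime", value));
            return null;
        }
    }

    /**
     * @return the computed notAfter (the internal {@link Date} instance, not a copy)
     */
    public Date getNotAfter() {
        return this.lastDate;
    }

    /**
     * @return the computed notBefore (the internal {@link Date} instance, not a copy)
     */
    public Date getNotBefore() {
        return this.firstDate;
    }

    /**
     * Verifies that the current time lies inside the PrivateKeyUsagePeriod of the given
     * certificate, if it has one.
     *
     * <p>A {@code null} certificate, or a certificate without the extension, passes the check.
     *
     * @param x509Certificate the certificate to inspect; may be null
     * @throws CAOfflineException if the current time is before the period's notBefore or after
     *         its notAfter
     * @throws IllegalStateException if a date in the extension cannot be parsed
     */
    public static void checkPrivateKeyUsagePeriod(X509Certificate x509Certificate) throws CAOfflineException {
        if (x509Certificate == null) {
            if (log.isDebugEnabled()) {
                log.debug("No CA certificate available, not checking PrivateKeyUsagePeriod.");
            }
            return;
        }
        final PrivateKeyUsagePeriod usagePeriod = CertTools.getPrivateKeyUsagePeriod(x509Certificate);
        if (usagePeriod == null) {
            if (log.isDebugEnabled()) {
                log.debug("No PrivateKeyUsagePeriod available in certificate.");
            }
            return;
        }
        final Date now = new Date();
        final Date periodStart = toDate(usagePeriod.getNotBefore());
        if (log.isDebugEnabled()) {
            log.debug("PrivateKeyUsagePeriod.notBefore is " + periodStart);
        }
        if (periodStart != null && now.before(periodStart)) {
            final String message = intres.getLocalizedMessage("createcert.privatekeyusagenotvalid", periodStart.toString(), x509Certificate.getSubjectDN().toString());
            if (log.isDebugEnabled()) {
                log.debug(message);
            }
            throw new CAOfflineException(message);
        }
        // notAfter is only parsed once the notBefore check has passed, as in the original order.
        final Date periodEnd = toDate(usagePeriod.getNotAfter());
        if (log.isDebugEnabled()) {
            log.debug("PrivateKeyUsagePeriod.notAfter is " + periodEnd);
        }
        if (periodEnd != null && now.after(periodEnd)) {
            final String message = intres.getLocalizedMessage("createcert.privatekeyusageexpired", periodEnd.toString(), x509Certificate.getSubjectDN().toString());
            if (log.isDebugEnabled()) {
                log.debug(message);
            }
            throw new CAOfflineException(message);
        }
    }

    /**
     * Converts an optional GeneralizedTime to a {@link Date}.
     *
     * @param time the encoded time, or null when the field is absent
     * @return the decoded date, or {@code null} when {@code time} is null
     * @throws IllegalStateException if the encoded time cannot be parsed
     */
    private static Date toDate(DERGeneralizedTime time) {
        if (time == null) {
            return null;
        }
        try {
            return time.getDate();
        } catch (ParseException e) {
            throw new IllegalStateException("Could not parse dates.", e);
        }
    }
}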
