package com.helger.peppol.utils;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.builder.IBuilder;
import com.helger.commons.callback.IThrowingRunnable;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.commons.collection.impl.CommonsHashSet;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.concurrent.SimpleReadWriteLock;
import com.helger.commons.datetime.PDTFactory;
import com.helger.commons.state.ETriState;
import com.helger.commons.timing.StopWatch;
import com.helger.commons.traits.IGenericImplTrait;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.ZonedDateTime;
import java.util.Collection;
import java.util.Date;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.GuardedBy;
import javax.annotation.concurrent.NotThreadSafe;
import javax.annotation.concurrent.ThreadSafe;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafe
/* loaded from: input_file:WEB-INF/lib/peppol-commons-9.3.6.jar:com/helger/peppol/utils/CertificateRevocationChecker.class */
public final class CertificateRevocationChecker {
    public static final boolean DEFAULT_ALLOW_SOFT_FAIL = false;
    public static final boolean DEFAULT_ALLOW_EXEC_SYNC = true;
    public static final ERevocationCheckMode DEFAULT_REVOCATION_CHECK_MODE = ERevocationCheckMode.CRL;
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) CertificateRevocationChecker.class);
    private static final SimpleReadWriteLock RW_LOCK = new SimpleReadWriteLock();

    @GuardedBy("RW_LOCK")
    private static ERevocationCheckMode s_eRevocationCheckMode = DEFAULT_REVOCATION_CHECK_MODE;

    @GuardedBy("RW_LOCK")
    private static Consumer<? super GeneralSecurityException> s_aExceptionHdl = generalSecurityException -> {
        LOGGER.warn("Certificate is revoked", (Throwable) generalSecurityException);
    };
    private static final AtomicBoolean ALLOW_SOFT_FAIL = new AtomicBoolean(false);

    @GuardedBy("RW_LOCK")
    private static Consumer<? super List<? extends CertPathValidatorException>> s_aSoftFailExceptionHdl = list -> {
        LOGGER.warn("Certificate revocation check succeeded but has messages: " + list);
    };
    private static final AtomicBoolean ALLOW_EXEC_SYNC = new AtomicBoolean(true);

    @GuardedBy("RW_LOCK")
    private static CRLCache s_aDefaultCRLCache = CRLCache.createDefault();

    @NotThreadSafe
    /* loaded from: input_file:WEB-INF/lib/peppol-commons-9.3.6.jar:com/helger/peppol/utils/CertificateRevocationChecker$AbstractRevocationCheckBuilder.class */
    public static abstract class AbstractRevocationCheckBuilder<IMPLTYPE extends AbstractRevocationCheckBuilder<IMPLTYPE>> implements IBuilder<ERevoked>, IGenericImplTrait<IMPLTYPE> {
        public static final Duration DEFAULT_EXECUTION_WARN_DURATION = Duration.ofMillis(500);
        private X509Certificate m_aCert;
        private Date m_aCheckDate;
        private ERevocationCheckMode m_eCheckMode;
        private Consumer<? super GeneralSecurityException> m_aExceptionHdl;
        private Consumer<? super List<CertPathValidatorException>> m_aSoftFailExceptionHdl;
        private final ICommonsList<X509Certificate> m_aValidCAs = new CommonsArrayList();
        private ETriState m_eAllowSoftFail = ETriState.UNDEFINED;
        private ETriState m_eExecuteInSynchronizedBlock = ETriState.UNDEFINED;
        private Duration m_aExecutionDurationWarn = DEFAULT_EXECUTION_WARN_DURATION;
        private CRLCache m_aCRLCache = CertificateRevocationChecker.getDefaultCRLCache();

        @Nullable
        public final X509Certificate certificate() {
            return this.m_aCert;
        }

        @Nonnull
        public final IMPLTYPE certificate(@Nullable X509Certificate x509Certificate) {
            this.m_aCert = x509Certificate;
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE validCA(@Nullable X509Certificate x509Certificate) {
            this.m_aValidCAs.set(x509Certificate);
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE validCAs(@Nullable Iterable<? extends X509Certificate> iterable) {
            this.m_aValidCAs.setAll(iterable);
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE validCAs(@Nullable KeyStore keyStore) {
            CommonsHashSet commonsHashSet = new CommonsHashSet();
            if (keyStore != null) {
                try {
                    Enumeration<String> aliases = keyStore.aliases();
                    while (aliases.hasMoreElements()) {
                        String nextElement = aliases.nextElement();
                        if (keyStore.isCertificateEntry(nextElement)) {
                            Certificate certificate = keyStore.getCertificate(nextElement);
                            if (certificate instanceof X509Certificate) {
                                commonsHashSet.add((X509Certificate) certificate);
                            }
                        }
                    }
                } catch (KeyStoreException e) {
                    CertificateRevocationChecker.LOGGER.warn("Failed to extract certificates from trust store", (Throwable) e);
                }
            }
            return validCAs(commonsHashSet);
        }

        @Nonnull
        public final IMPLTYPE addValidCA(@Nullable X509Certificate x509Certificate) {
            if (x509Certificate != null) {
                this.m_aValidCAs.add(x509Certificate);
            }
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE addValidCAs(@Nullable Iterable<? extends X509Certificate> iterable) {
            this.m_aValidCAs.addAll(iterable);
            return (IMPLTYPE) thisAsT();
        }

        @Nullable
        public final Date checkDate() {
            return this.m_aCheckDate;
        }

        @Nonnull
        public final IMPLTYPE checkDateNow() {
            return checkDate((Date) null);
        }

        @Nonnull
        public final IMPLTYPE checkDate(@Nullable LocalDateTime localDateTime) {
            return checkDate(localDateTime == null ? null : PDTFactory.createDate(localDateTime));
        }

        @Nonnull
        public final IMPLTYPE checkDate(@Nullable OffsetDateTime offsetDateTime) {
            return checkDate(offsetDateTime == null ? null : PDTFactory.createDate(offsetDateTime));
        }

        @Nonnull
        public final IMPLTYPE checkDate(@Nullable ZonedDateTime zonedDateTime) {
            return checkDate(zonedDateTime == null ? null : PDTFactory.createDate(zonedDateTime));
        }

        @Nonnull
        public final IMPLTYPE checkDate(@Nullable Date date) {
            this.m_aCheckDate = date;
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE checkMode(@Nullable ERevocationCheckMode eRevocationCheckMode) {
            this.m_eCheckMode = eRevocationCheckMode;
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE exceptionHandler(@Nullable Consumer<? super GeneralSecurityException> consumer) {
            this.m_aExceptionHdl = consumer;
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE allowSoftFail(boolean z) {
            this.m_eAllowSoftFail = ETriState.valueOf(z);
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE allowSoftFailUndefined() {
            this.m_eAllowSoftFail = ETriState.UNDEFINED;
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE softFailExceptionHandler(@Nullable Consumer<? super List<CertPathValidatorException>> consumer) {
            this.m_aSoftFailExceptionHdl = consumer;
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE executeInSynchronizedBlock(boolean z) {
            this.m_eExecuteInSynchronizedBlock = ETriState.valueOf(z);
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE executionDurationWarnMS(long j) {
            return executionDurationWarn(Duration.ofMillis(j));
        }

        @Nonnull
        public final IMPLTYPE executionDurationWarn(@Nullable Duration duration) {
            this.m_aExecutionDurationWarn = duration;
            return (IMPLTYPE) thisAsT();
        }

        @Nonnull
        public final IMPLTYPE crlCache(@Nonnull CRLCache cRLCache) {
            ValueEnforcer.notNull(cRLCache, "CRLCache");
            this.m_aCRLCache = cRLCache;
            return (IMPLTYPE) thisAsT();
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // com.helger.commons.builder.IBuilder
        @Nonnull
        public ERevoked build() {
            ERevocationCheckMode revocationCheckMode = this.m_eCheckMode != null ? this.m_eCheckMode : CertificateRevocationChecker.getRevocationCheckMode();
            Consumer<? super GeneralSecurityException> exceptionHdl = this.m_aExceptionHdl != null ? this.m_aExceptionHdl : CertificateRevocationChecker.getExceptionHdl();
            boolean asBooleanValue = this.m_eAllowSoftFail.isDefined() ? this.m_eAllowSoftFail.getAsBooleanValue() : CertificateRevocationChecker.isAllowSoftFail();
            Consumer<? super List<CertPathValidatorException>> softFailExceptionHdl = this.m_aSoftFailExceptionHdl != null ? this.m_aSoftFailExceptionHdl : CertificateRevocationChecker.getSoftFailExceptionHdl();
            boolean asBooleanValue2 = this.m_eExecuteInSynchronizedBlock.isDefined() ? this.m_eExecuteInSynchronizedBlock.getAsBooleanValue() : CertificateRevocationChecker.isExecuteInSynchronizedBlock();
            if (this.m_aCert == null) {
                throw new IllegalStateException("The certificate to be checked must be set");
            }
            if (this.m_aValidCAs.isEmpty()) {
                throw new IllegalStateException("At least one valid CAs must be present");
            }
            if (this.m_aExecutionDurationWarn != null && this.m_aExecutionDurationWarn.toMillis() <= 0) {
                throw new IllegalStateException("The duration for warning on long execution must be positive");
            }
            if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                CertificateRevocationChecker.LOGGER.debug("Performing certificate revocation check on certificate '" + this.m_aCert.getSubjectX500Principal().getName() + "' " + (this.m_aCheckDate != null ? "for datetime " + this.m_aCheckDate : "without a datetime") + (asBooleanValue2 ? " [synchronized]" : " [not synchronized]"));
            }
            StopWatch createdStarted = StopWatch.createdStarted();
            try {
                try {
                    if (!revocationCheckMode.isNone()) {
                        if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                            CertificateRevocationChecker.LOGGER.debug("Certificate revocation check is performed using mode " + revocationCheckMode + "; executeSync=" + asBooleanValue2);
                        }
                        X509CertSelector x509CertSelector = new X509CertSelector();
                        x509CertSelector.setCertificate(this.m_aCert);
                        PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(new CommonsHashSet((Collection) this.m_aValidCAs, x509Certificate -> {
                            return new TrustAnchor(x509Certificate, null);
                        }), x509CertSelector);
                        pKIXBuilderParameters.setRevocationEnabled(true);
                        if (this.m_aCheckDate != null) {
                            pKIXBuilderParameters.setDate(this.m_aCheckDate);
                        }
                        IThrowingRunnable iThrowingRunnable = () -> {
                            try {
                                boolean isOCSP = revocationCheckMode.isOCSP();
                                if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                                    CertificateRevocationChecker.LOGGER.debug("Setting system property 'ocsp.enable' to " + isOCSP);
                                }
                                Security.setProperty("ocsp.enable", Boolean.toString(isOCSP));
                            } catch (SecurityException e) {
                                CertificateRevocationChecker.LOGGER.warn("Failed to set Security property 'ocsp.enable' to '" + revocationCheckMode.isOCSP() + "'");
                            }
                            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(this.m_aValidCAs)));
                            if (revocationCheckMode.isCRL()) {
                                if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                                    CertificateRevocationChecker.LOGGER.debug("Setting up CRL check data");
                                }
                                ICommonsList<String> allDistributionPoints = CRLHelper.getAllDistributionPoints(this.m_aCert);
                                CommonsArrayList commonsArrayList = new CommonsArrayList();
                                Iterator<String> it = allDistributionPoints.iterator();
                                while (it.hasNext()) {
                                    CRL cRLFromURL = this.m_aCRLCache.getCRLFromURL(it.next());
                                    if (cRLFromURL != null) {
                                        commonsArrayList.add(cRLFromURL);
                                    }
                                }
                                if (commonsArrayList.isNotEmpty()) {
                                    pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(commonsArrayList)));
                                } else {
                                    CertificateRevocationChecker.LOGGER.warn("Failed to find any CRL objects for revocation checking");
                                }
                            }
                            if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                                CertificateRevocationChecker.LOGGER.debug("Checking certificate\n" + this.m_aCert + "\n\nagainst " + this.m_aValidCAs.size() + " valid CAs:\n" + this.m_aValidCAs);
                            }
                            CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
                            PKIXRevocationChecker pKIXRevocationChecker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
                            EnumSet of = EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
                            if (asBooleanValue) {
                                of.add(PKIXRevocationChecker.Option.SOFT_FAIL);
                            }
                            revocationCheckMode.addAllOptionsTo(of);
                            if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                                CertificateRevocationChecker.LOGGER.debug("OCSP/CRL effective options = " + of);
                            }
                            pKIXRevocationChecker.setOptions(of);
                            PKIXCertPathBuilderResult pKIXCertPathBuilderResult = (PKIXCertPathBuilderResult) certPathBuilder.build(pKIXBuilderParameters);
                            if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                                CertificateRevocationChecker.LOGGER.debug("OCSP/CRL builder result = " + pKIXCertPathBuilderResult);
                            }
                            PKIXCertPathValidatorResult pKIXCertPathValidatorResult = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(pKIXCertPathBuilderResult.getCertPath(), pKIXBuilderParameters);
                            if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                                CertificateRevocationChecker.LOGGER.debug("OCSP/CRL validation result = " + pKIXCertPathValidatorResult);
                            }
                            if (asBooleanValue) {
                                List<CertPathValidatorException> softFailExceptions = pKIXRevocationChecker.getSoftFailExceptions();
                                if (softFailExceptions.isEmpty()) {
                                    return;
                                }
                                softFailExceptionHdl.accept(softFailExceptions);
                            }
                        };
                        if (asBooleanValue2) {
                            synchronized (CertificateRevocationChecker.class) {
                                iThrowingRunnable.run();
                            }
                        } else {
                            iThrowingRunnable.run();
                        }
                    } else if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                        CertificateRevocationChecker.LOGGER.debug("Certificate revocation check is disabled");
                    }
                    ERevoked eRevoked = ERevoked.NOT_REVOKED;
                    long stopAndGetMillis = createdStarted.stopAndGetMillis();
                    if (this.m_aExecutionDurationWarn != null && stopAndGetMillis > this.m_aExecutionDurationWarn.toMillis()) {
                        CertificateRevocationChecker.LOGGER.warn("OCSP/CRL revocation check took " + stopAndGetMillis + " milliseconds which is too long");
                    } else if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                        CertificateRevocationChecker.LOGGER.debug("OCSP/CRL revocation check took " + stopAndGetMillis + " milliseconds");
                    }
                    return eRevoked;
                } catch (GeneralSecurityException e) {
                    CertificateRevocationChecker.LOGGER.error("Error running certification revocation check: " + e.getClass().getName() + " - " + e.getMessage());
                    exceptionHdl.accept(e);
                    ERevoked eRevoked2 = ERevoked.REVOKED;
                    long stopAndGetMillis2 = createdStarted.stopAndGetMillis();
                    if (this.m_aExecutionDurationWarn != null && stopAndGetMillis2 > this.m_aExecutionDurationWarn.toMillis()) {
                        CertificateRevocationChecker.LOGGER.warn("OCSP/CRL revocation check took " + stopAndGetMillis2 + " milliseconds which is too long");
                    } else if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                        CertificateRevocationChecker.LOGGER.debug("OCSP/CRL revocation check took " + stopAndGetMillis2 + " milliseconds");
                    }
                    return eRevoked2;
                }
            } catch (Throwable th) {
                long stopAndGetMillis3 = createdStarted.stopAndGetMillis();
                if (this.m_aExecutionDurationWarn != null && stopAndGetMillis3 > this.m_aExecutionDurationWarn.toMillis()) {
                    CertificateRevocationChecker.LOGGER.warn("OCSP/CRL revocation check took " + stopAndGetMillis3 + " milliseconds which is too long");
                } else if (CertificateRevocationChecker.LOGGER.isDebugEnabled()) {
                    CertificateRevocationChecker.LOGGER.debug("OCSP/CRL revocation check took " + stopAndGetMillis3 + " milliseconds");
                }
                throw th;
            }
        }
    }

    @NotThreadSafe
    /* loaded from: input_file:WEB-INF/lib/peppol-commons-9.3.6.jar:com/helger/peppol/utils/CertificateRevocationChecker$RevocationCheckBuilder.class */
    public static class RevocationCheckBuilder extends AbstractRevocationCheckBuilder<RevocationCheckBuilder> {
    }

    private CertificateRevocationChecker() {
    }

    @Nonnull
    public static ERevocationCheckMode getRevocationCheckMode() {
        return (ERevocationCheckMode) RW_LOCK.readLockedGet(() -> {
            return s_eRevocationCheckMode;
        });
    }

    public static void setRevocationCheckMode(@Nonnull ERevocationCheckMode eRevocationCheckMode) {
        ValueEnforcer.notNull(eRevocationCheckMode, "RevocationCheckMode");
        RW_LOCK.writeLocked(() -> {
            s_eRevocationCheckMode = eRevocationCheckMode;
        });
        LOGGER.info("Global CertificateRevocationChecker revocation mode was set to: " + eRevocationCheckMode);
    }

    @Nonnull
    public static Consumer<? super GeneralSecurityException> getExceptionHdl() {
        return (Consumer) RW_LOCK.readLockedGet(() -> {
            return s_aExceptionHdl;
        });
    }

    public static void setExceptionHdl(@Nonnull Consumer<? super GeneralSecurityException> consumer) {
        ValueEnforcer.notNull(consumer, "ExceptionHdl");
        RW_LOCK.writeLocked(() -> {
            s_aExceptionHdl = consumer;
        });
    }

    public static boolean isAllowSoftFail() {
        return ALLOW_SOFT_FAIL.get();
    }

    public static void setAllowSoftFail(boolean z) {
        ALLOW_SOFT_FAIL.set(z);
        LOGGER.info("Global CertificateRevocationChecker allows for soft fail: " + z);
    }

    @Nonnull
    public static Consumer<? super List<CertPathValidatorException>> getSoftFailExceptionHdl() {
        return (Consumer) RW_LOCK.readLockedGet(() -> {
            return s_aSoftFailExceptionHdl;
        });
    }

    public static void setSoftFailExceptionHdl(@Nonnull Consumer<? super List<? extends CertPathValidatorException>> consumer) {
        ValueEnforcer.notNull(consumer, "SoftFailExceptionHdl");
        RW_LOCK.writeLocked(() -> {
            s_aSoftFailExceptionHdl = consumer;
        });
    }

    public static boolean isExecuteInSynchronizedBlock() {
        return ALLOW_EXEC_SYNC.get();
    }

    public static void setExecuteInSynchronizedBlock(boolean z) {
        ALLOW_EXEC_SYNC.set(z);
        LOGGER.info("Global CertificateRevocationChecker is executed synchronously: " + z);
    }

    @Nonnull
    public static CRLCache getDefaultCRLCache() {
        return (CRLCache) RW_LOCK.readLockedGet(() -> {
            return s_aDefaultCRLCache;
        });
    }

    public static void setDefaultCRLCache(@Nonnull CRLCache cRLCache) {
        ValueEnforcer.notNull(cRLCache, "CRLCache");
        RW_LOCK.writeLocked(() -> {
            s_aDefaultCRLCache = cRLCache;
        });
        LOGGER.info("Global default CRL Cache is set to: " + cRLCache);
    }

    public static RevocationCheckBuilder revocationCheck() {
        return new RevocationCheckBuilder();
    }
}
