package com.helger.peppol.utils;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.annotation.Nonempty;
import com.helger.commons.annotation.ReturnsMutableCopy;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.functional.IToBooleanFunction;
import com.helger.commons.state.ETriState;
import com.helger.peppol.utils.CertificateRevocationChecker;
import com.helger.peppol.utils.PeppolKeyStoreHelper;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.util.Base64;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.NotThreadSafe;
import javax.annotation.concurrent.ThreadSafe;
import javax.security.auth.x500.X500Principal;
import net.jodah.expiringmap.ExpirationPolicy;
import net.jodah.expiringmap.ExpiringMap;
import org.apache.logging.log4j.util.ProcessIdUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

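/**
 * Static helpers for checking Peppol Access Point (AP) and SMP certificates.
 * A check covers the validity period, the issuer name and the revocation
 * status; revocation results can optionally be served from a time-limited
 * cache.
 *
 * <p>Caveats for callers that rely on this class for trust decisions:
 * <ul>
 * <li>Cached revocation results live for 6 hours after creation, so a
 * revocation that happens after a certificate was cached is not seen until the
 * entry expires or {@link #clearOCSPCache()} is called.</li>
 * <li>The two built-in caches run the revocation check without a check date or
 * check mode, so the values passed to {@code checkPeppolAPCertificate} /
 * {@code checkPeppolSMPCertificate} only influence the revocation step when
 * caching is off.</li>
 * </ul>
 */
@ThreadSafe
/* loaded from: input_file:WEB-INF/lib/peppol-commons-8.7.1.jar:com/helger/peppol/utils/PeppolCertificateChecker.class */
public final class PeppolCertificateChecker {

    /** Former default for the OCSP switch. The "OSCP" spelling is part of the public name. */
    @Deprecated
    public static final boolean DEFAULT_OSCP_CHECK_ENABLED = true;
    /** Default for {@link #isCacheOCSPResults()}. The "OSCP" spelling is part of the public name. */
    public static final boolean DEFAULT_CACHE_OSCP_RESULTS = true;

    /** Alias of the default kept in {@link CertificateRevocationChecker}. */
    @Deprecated
    public static final ERevocationCheckMode DEFAULT_REVOCATION_CHECK_MODE = CertificateRevocationChecker.DEFAULT_REVOCATION_CHECK_MODE;
    private static final Logger LOGGER = LoggerFactory.getLogger(PeppolCertificateChecker.class);
    // The four lists below are filled once in the static initializer at the end
    // of the class and are only handed out as copies afterwards.
    private static final ICommonsList<X509Certificate> PEPPOL_AP_CA_CERTS = new CommonsArrayList<>();
    private static final ICommonsList<X500Principal> PEPPOL_AP_CA_ISSUERS = new CommonsArrayList<>();
    private static final ICommonsList<X509Certificate> PEPPOL_SMP_CA_CERTS = new CommonsArrayList<>();
    private static final ICommonsList<X500Principal> PEPPOL_SMP_CA_ISSUERS = new CommonsArrayList<>();
    private static final AtomicBoolean CACHE_OCSP_RESULTS;
    private static final PeppolRevocationCache REVOCATION_CACHE_AP;
    private static final PeppolRevocationCache REVOCATION_CACHE_SMP;

    /**
     * Cache of revocation results. Entries expire 6 hours after they were
     * created; a miss is resolved through the value provider given to the
     * constructor.
     */
    @ThreadSafe
    /* loaded from: input_file:WEB-INF/lib/peppol-commons-8.7.1.jar:com/helger/peppol/utils/PeppolCertificateChecker$PeppolRevocationCache.class */
    public static final class PeppolRevocationCache {
        private final ExpiringMap<String, Boolean> m_aCache;
        private final IToBooleanFunction<X509Certificate> m_aValueProvider;

        /**
         * @param iToBooleanFunction
         *        Function that performs the real revocation check on a cache
         *        miss and returns <code>true</code> for a revoked certificate.
         *        May not be <code>null</code>.
         */
        public PeppolRevocationCache(@Nonnull IToBooleanFunction<X509Certificate> iToBooleanFunction) {
            ValueEnforcer.notNull(iToBooleanFunction, "ValueProvider");
            // CREATED policy: the 6 hours count from insertion and are not
            // extended by later reads.
            this.m_aCache = ExpiringMap.builder().expirationPolicy(ExpirationPolicy.CREATED).expiration(6L, TimeUnit.HOURS).build();
            this.m_aValueProvider = iToBooleanFunction;
        }

        /**
         * Build the cache key for a certificate.
         *
         * <p>The key is a SHA-256 digest over the certificate's encoded form, so
         * a cached answer is only reused for the byte-identical certificate.
         * The previous key was "subject DN + '-' + serial number"; those two
         * fields do not identify a certificate (a serial number is only unique
         * per issuer) and do not cover its signature, so a cached result could
         * be looked up by a different certificate that merely carries the same
         * two values.
         * NOTE(review): whether that mattered in practice depends on what the
         * callers verify before consulting the cache - confirm.
         *
         * @param x509Certificate
         *        Certificate to derive the key from. May not be <code>null</code>.
         * @return The key, or <code>null</code> if the certificate cannot be
         *         encoded or the digest is unavailable.
         */
        @Nullable
        private static String _getKey(@Nonnull X509Certificate x509Certificate) {
            try {
                final byte[] aDigest = MessageDigest.getInstance("SHA-256").digest(x509Certificate.getEncoded());
                return Base64.getEncoder().encodeToString(aDigest);
            } catch (GeneralSecurityException ex) {
                // Covers CertificateEncodingException and NoSuchAlgorithmException.
                // Not fatal: the caller falls back to an uncached check.
                return null;
            }
        }

        /**
         * Return the revocation status of a certificate, from the cache when a
         * non-expired entry exists, otherwise from the value provider.
         *
         * @param x509Certificate
         *        Certificate to check. May not be <code>null</code>.
         * @return <code>true</code> if the certificate is reported as revoked.
         */
        public boolean isRevoked(@Nonnull X509Certificate x509Certificate) {
            final String sKey = _getKey(x509Certificate);
            if (sKey == null) {
                // No reliable key: never cache under a weaker identifier, ask the
                // provider directly instead.
                return this.m_aValueProvider.applyAsBoolean(x509Certificate);
            }
            return this.m_aCache.computeIfAbsent(sKey, k -> Boolean.valueOf(this.m_aValueProvider.applyAsBoolean(x509Certificate))).booleanValue();
        }

        /** Remove all cached results, forcing a fresh check on the next lookup. */
        public void clearCache() {
            this.m_aCache.clear();
        }
    }

    /**
     * Revocation check builder with shortcuts for selecting the Peppol AP or
     * SMP CA certificates as the set of valid CAs.
     */
    @NotThreadSafe
    /* loaded from: input_file:WEB-INF/lib/peppol-commons-8.7.1.jar:com/helger/peppol/utils/PeppolCertificateChecker$PeppolRevocationCheckBuilder.class */
    public static class PeppolRevocationCheckBuilder extends CertificateRevocationChecker.AbstractRevocationCheckBuilder<PeppolRevocationCheckBuilder> {
        /** @return this builder, with the Peppol AP CA certificates as valid CAs. */
        @Nonnull
        public PeppolRevocationCheckBuilder validCAsPeppolAP() {
            return validCAs(PeppolCertificateChecker.PEPPOL_AP_CA_CERTS);
        }

        /** @return this builder, with the Peppol SMP CA certificates as valid CAs. */
        @Nonnull
        public PeppolRevocationCheckBuilder validCAsPeppolSMP() {
            return validCAs(PeppolCertificateChecker.PEPPOL_SMP_CA_CERTS);
        }
    }

    // Utility class - not instantiable.
    private PeppolCertificateChecker() {
    }

    /** @return <code>true</code> if the global revocation check mode includes OCSP. */
    @Deprecated
    public static boolean isOCSPEnabled() {
        return getRevocationCheckMode().isOCSP();
    }

    /**
     * Switch the global revocation check mode.
     *
     * @param z
     *        <code>true</code> selects {@code OCSP_BEFORE_CRL}, <code>false</code>
     *        selects {@code CRL}. Revocation checking is never turned off by
     *        this method.
     */
    @Deprecated
    public static void setOCSPEnabled(boolean z) {
        final ERevocationCheckMode eMode = z ? ERevocationCheckMode.OCSP_BEFORE_CRL : ERevocationCheckMode.CRL;
        setRevocationCheckMode(eMode);
    }

    /** @return The global mode held by {@link CertificateRevocationChecker}. */
    @Nonnull
    @Deprecated
    public static ERevocationCheckMode getRevocationCheckMode() {
        return CertificateRevocationChecker.getRevocationCheckMode();
    }

    /**
     * Set the global mode held by {@link CertificateRevocationChecker}.
     *
     * @param eRevocationCheckMode
     *        The new mode. May not be <code>null</code>.
     */
    @Deprecated
    public static void setRevocationCheckMode(@Nonnull ERevocationCheckMode eRevocationCheckMode) {
        CertificateRevocationChecker.setRevocationCheckMode(eRevocationCheckMode);
    }

    /** @return <code>true</code> if revocation results are cached by default. */
    public static boolean isCacheOCSPResults() {
        return CACHE_OCSP_RESULTS.get();
    }

    /**
     * Enable or disable the default use of the revocation caches. The change is
     * logged at info level. Existing cache entries are not removed.
     *
     * @param z
     *        <code>true</code> to use the caches by default.
     */
    public static void setCacheOCSPResults(boolean z) {
        CACHE_OCSP_RESULTS.set(z);
        LOGGER.info("Global PeppolCertificateChecker OCSP cache enabled: " + z);
    }

    /**
     * Empty both the AP and the SMP revocation cache, e.g. after a CA has
     * published a revocation that must take effect before entries expire.
     */
    public static void clearOCSPCache() {
        REVOCATION_CACHE_AP.clearCache();
        REVOCATION_CACHE_SMP.clearCache();
        LOGGER.info("The PeppolCertificateChecker OCSP cache was cleared");
    }

    /** @return The shared revocation cache for AP certificates. Never <code>null</code>. */
    @Nonnull
    public static PeppolRevocationCache getRevocationCacheAP() {
        return REVOCATION_CACHE_AP;
    }

    /** @return The shared revocation cache for SMP certificates. Never <code>null</code>. */
    @Nonnull
    public static PeppolRevocationCache getRevocationCacheSMP() {
        return REVOCATION_CACHE_SMP;
    }

    /** @return A copy of the Peppol AP CA certificates (pilot and production). */
    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X509Certificate> getAllPeppolAPCACertificates() {
        return PEPPOL_AP_CA_CERTS.getClone();
    }

    /** @return A copy of the subject names of the Peppol AP CA certificates. */
    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X500Principal> getAllPeppolAPCAIssuers() {
        return PEPPOL_AP_CA_ISSUERS.getClone();
    }

    /** @return A copy of the Peppol SMP CA certificates (pilot and production). */
    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X509Certificate> getAllPeppolSMPCACertificates() {
        return PEPPOL_SMP_CA_CERTS.getClone();
    }

    /** @return A copy of the subject names of the Peppol SMP CA certificates. */
    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X500Principal> getAllPeppolSMPCAIssuers() {
        return PEPPOL_SMP_CA_ISSUERS.getClone();
    }

    /** @return The global exception handler held by {@link CertificateRevocationChecker}. */
    @Nonnull
    @Deprecated
    public static Consumer<? super GeneralSecurityException> getExceptionHdl() {
        return CertificateRevocationChecker.getExceptionHdl();
    }

    /**
     * Set the global exception handler held by {@link CertificateRevocationChecker}.
     *
     * @param consumer
     *        The new handler. May not be <code>null</code>.
     */
    @Deprecated
    public static void setExceptionHdl(@Nonnull Consumer<? super GeneralSecurityException> consumer) {
        CertificateRevocationChecker.setExceptionHdl(consumer);
    }

    /** @return A new, empty {@link PeppolRevocationCheckBuilder}. */
    public static PeppolRevocationCheckBuilder peppolRevocationCheck() {
        return new PeppolRevocationCheckBuilder();
    }

    /**
     * Run an uncached revocation check against an explicit list of CA
     * certificates.
     *
     * @param x509Certificate
     *        Certificate to check. May not be <code>null</code>.
     * @param iCommonsList
     *        Valid CA certificates. May neither be <code>null</code> nor empty.
     * @param date
     *        Check date, passed to the builder as is. May be <code>null</code>.
     * @param eRevocationCheckMode
     *        Check mode, passed to the builder as is. May be <code>null</code>.
     * @param consumer
     *        Exception handler. May not be <code>null</code>.
     * @return <code>true</code> if the builder's check reports the certificate
     *         as revoked.
     */
    @Deprecated
    public static boolean isCertificateRevoked(@Nonnull X509Certificate x509Certificate, @Nonnull ICommonsList<X509Certificate> iCommonsList, @Nullable Date date, @Nullable ERevocationCheckMode eRevocationCheckMode, @Nonnull Consumer<? super GeneralSecurityException> consumer) {
        ValueEnforcer.notNull(x509Certificate, "Cert");
        ValueEnforcer.notEmpty(iCommonsList, "ValidCAs");
        ValueEnforcer.notNull(consumer, "ExceptionHdl");
        return peppolRevocationCheck().certificate(x509Certificate)
                                      .validCAs(iCommonsList)
                                      .checkDate(date)
                                      .checkMode(eRevocationCheckMode)
                                      .exceptionHandler(consumer)
                                      .build()
                                      .isRevoked();
    }

    /**
     * Run an uncached revocation check against the Peppol AP CA certificates.
     *
     * @return <code>true</code> if the builder's check reports the certificate
     *         as revoked.
     */
    @Deprecated
    public static boolean isPeppolAPCertificateRevoked(@Nonnull X509Certificate x509Certificate, @Nullable LocalDateTime localDateTime, @Nullable ERevocationCheckMode eRevocationCheckMode, @Nonnull Consumer<? super GeneralSecurityException> consumer) {
        return peppolRevocationCheck().certificate(x509Certificate)
                                      .validCAsPeppolAP()
                                      .checkDate(localDateTime)
                                      .checkMode(eRevocationCheckMode)
                                      .exceptionHandler(consumer)
                                      .build()
                                      .isRevoked();
    }

    /**
     * Run an uncached revocation check against the Peppol SMP CA certificates.
     *
     * @return <code>true</code> if the builder's check reports the certificate
     *         as revoked.
     */
    @Deprecated
    public static boolean isPeppolSMPCertificateRevoked(@Nonnull X509Certificate x509Certificate, @Nullable LocalDateTime localDateTime, @Nullable ERevocationCheckMode eRevocationCheckMode, @Nonnull Consumer<? super GeneralSecurityException> consumer) {
        return peppolRevocationCheck().certificate(x509Certificate)
                                      .validCAsPeppolSMP()
                                      .checkDate(localDateTime)
                                      .checkMode(eRevocationCheckMode)
                                      .exceptionHandler(consumer)
                                      .build()
                                      .isRevoked();
    }

    /**
     * Deprecated convenience overload: wraps the arguments in a revocation
     * check builder and delegates to
     * {@link #checkCertificate(ICommonsList, PeppolRevocationCache, CertificateRevocationChecker.AbstractRevocationCheckBuilder)}.
     */
    @Nonnull
    @Deprecated
    public static EPeppolCertificateCheckResult checkCertificate(@Nullable X509Certificate x509Certificate, @Nullable Date date, @Nullable ICommonsList<X500Principal> iCommonsList, @Nonnull ICommonsList<X509Certificate> iCommonsList2, @Nullable PeppolRevocationCache peppolRevocationCache, @Nullable ERevocationCheckMode eRevocationCheckMode) {
        return checkCertificate(iCommonsList,
                                peppolRevocationCache,
                                CertificateRevocationChecker.revocationCheck()
                                                            .certificate(x509Certificate)
                                                            .checkDate(date)
                                                            .validCAs(iCommonsList2)
                                                            .checkMode(eRevocationCheckMode));
    }

    /**
     * Check a certificate in three steps: validity period, issuer name,
     * revocation status.
     *
     * <p>The issuer step compares the certificate's issuer name against the
     * given list; it does not verify a signature. When a cache is supplied, the
     * revocation step is answered by the cache (and on a miss by the cache's
     * value provider) and the builder is not built, so the builder's check mode
     * and exception handler are not used for that step.
     *
     * @param iCommonsList
     *        Accepted issuer names. <code>null</code> skips the issuer step.
     * @param peppolRevocationCache
     *        Cache to use for the revocation step. <code>null</code> runs the
     *        builder's check directly.
     * @param abstractRevocationCheckBuilder
     *        Builder carrying the certificate, the check date and the
     *        revocation settings. May not be <code>null</code>.
     * @return {@code NO_CERTIFICATE_PROVIDED}, {@code EXPIRED},
     *         {@code NOT_YET_VALID}, {@code UNSUPPORTED_ISSUER}, {@code REVOKED}
     *         or {@code VALID}. Never <code>null</code>.
     */
    @Nonnull
    public static EPeppolCertificateCheckResult checkCertificate(@Nullable ICommonsList<X500Principal> iCommonsList, @Nullable PeppolRevocationCache peppolRevocationCache, @Nonnull CertificateRevocationChecker.AbstractRevocationCheckBuilder<?> abstractRevocationCheckBuilder) {
        ValueEnforcer.notNull(abstractRevocationCheckBuilder, "RevocationChecker");
        final X509Certificate aCert = abstractRevocationCheckBuilder.certificate();
        if (aCert == null) {
            return EPeppolCertificateCheckResult.NO_CERTIFICATE_PROVIDED;
        }

        // Step 1: validity period, at the builder's check date or "now".
        try {
            final Date aCheckDate = abstractRevocationCheckBuilder.checkDate();
            if (aCheckDate == null) {
                aCert.checkValidity();
            } else {
                aCert.checkValidity(aCheckDate);
            }
        } catch (CertificateExpiredException ex) {
            return EPeppolCertificateCheckResult.EXPIRED;
        } catch (CertificateNotYetValidException ex) {
            return EPeppolCertificateCheckResult.NOT_YET_VALID;
        }

        // Step 2: issuer name must be one of the accepted ones, if any are given.
        if (iCommonsList == null) {
            LOGGER.debug("Not testing against known certificate issuers");
        } else if (!iCommonsList.contains(aCert.getIssuerX500Principal())) {
            return EPeppolCertificateCheckResult.UNSUPPORTED_ISSUER;
        }

        // Step 3: revocation status, cached or direct.
        final boolean bRevoked = peppolRevocationCache != null ? peppolRevocationCache.isRevoked(aCert)
                                                               : abstractRevocationCheckBuilder.build().isRevoked();
        return bRevoked ? EPeppolCertificateCheckResult.REVOKED : EPeppolCertificateCheckResult.VALID;
    }

    /**
     * Check a Peppol AP certificate against the Peppol AP CAs.
     *
     * @param x509Certificate
     *        Certificate to check. May be <code>null</code>.
     * @param offsetDateTime
     *        Check date. May be <code>null</code>.
     * @param eTriState
     *        Cache selection: undefined uses {@link #isCacheOCSPResults()},
     *        true forces the AP cache, false forces an uncached check.
     * @param eRevocationCheckMode
     *        Revocation check mode; only reaches the revocation step when the
     *        cache is not used. May be <code>null</code>.
     * @return The check result. Never <code>null</code>.
     */
    @Nonnull
    public static EPeppolCertificateCheckResult checkPeppolAPCertificate(@Nullable X509Certificate x509Certificate, @Nullable OffsetDateTime offsetDateTime, @Nonnull ETriState eTriState, @Nullable ERevocationCheckMode eRevocationCheckMode) {
        // Resolve the tri-state to a boolean first; only then pick the cache.
        final boolean bUseCache = eTriState.isUndefined() ? isCacheOCSPResults() : eTriState.isTrue();
        return checkCertificate(PEPPOL_AP_CA_ISSUERS,
                                bUseCache ? REVOCATION_CACHE_AP : null,
                                peppolRevocationCheck().certificate(x509Certificate)
                                                       .checkDate(offsetDateTime)
                                                       .validCAsPeppolAP()
                                                       .checkMode(eRevocationCheckMode));
    }

    /**
     * Check a Peppol SMP certificate against the Peppol SMP CAs.
     *
     * @param x509Certificate
     *        Certificate to check. May be <code>null</code>.
     * @param offsetDateTime
     *        Check date. May be <code>null</code>.
     * @param eTriState
     *        Cache selection: undefined uses {@link #isCacheOCSPResults()},
     *        true forces the SMP cache, false forces an uncached check.
     * @param eRevocationCheckMode
     *        Revocation check mode; only reaches the revocation step when the
     *        cache is not used. May be <code>null</code>.
     * @return The check result. Never <code>null</code>.
     */
    @Nonnull
    public static EPeppolCertificateCheckResult checkPeppolSMPCertificate(@Nullable X509Certificate x509Certificate, @Nullable OffsetDateTime offsetDateTime, @Nonnull ETriState eTriState, @Nullable ERevocationCheckMode eRevocationCheckMode) {
        // Resolve the tri-state to a boolean first; only then pick the cache.
        final boolean bUseCache = eTriState.isUndefined() ? isCacheOCSPResults() : eTriState.isTrue();
        return checkCertificate(PEPPOL_SMP_CA_ISSUERS,
                                bUseCache ? REVOCATION_CACHE_SMP : null,
                                peppolRevocationCheck().certificate(x509Certificate)
                                                       .checkDate(offsetDateTime)
                                                       .validCAsPeppolSMP()
                                                       .checkMode(eRevocationCheckMode));
    }

    static {
        // Trust anchors: pilot and production CA of the 2018 Peppol PKI.
        PEPPOL_AP_CA_CERTS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_AP);
        PEPPOL_AP_CA_CERTS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_AP);
        PEPPOL_SMP_CA_CERTS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_SMP);
        PEPPOL_SMP_CA_CERTS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_SMP);
        // Accepted issuer names are the subject names of those CA certificates.
        PEPPOL_AP_CA_ISSUERS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_AP.getSubjectX500Principal());
        PEPPOL_AP_CA_ISSUERS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_AP.getSubjectX500Principal());
        PEPPOL_SMP_CA_ISSUERS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_SMP.getSubjectX500Principal());
        PEPPOL_SMP_CA_ISSUERS.add(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_SMP.getSubjectX500Principal());
        CACHE_OCSP_RESULTS = new AtomicBoolean(DEFAULT_CACHE_OSCP_RESULTS);
        // The cache providers set neither a check date nor a check mode, so a
        // cached lookup always uses the builder's defaults for both.
        REVOCATION_CACHE_AP = new PeppolRevocationCache(aCert -> peppolRevocationCheck().certificate(aCert).validCAsPeppolAP().build().isRevoked());
        REVOCATION_CACHE_SMP = new PeppolRevocationCache(aCert -> peppolRevocationCheck().certificate(aCert).validCAsPeppolSMP().build().isRevoked());
    }
}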
