package com.helger.peppol.utils;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.annotation.Nonempty;
import com.helger.commons.annotation.ReturnsMutableCopy;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.functional.IToBooleanFunction;
import com.helger.commons.state.ETriState;
import com.helger.peppol.utils.CertificateRevocationChecker;
import com.helger.peppol.utils.PeppolKeyStoreHelper;
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.OffsetDateTime;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.NotThreadSafe;
import javax.annotation.concurrent.ThreadSafe;
import javax.security.auth.x500.X500Principal;
import net.jodah.expiringmap.ExpirationPolicy;
import net.jodah.expiringmap.ExpiringMap;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafe
/* loaded from: input_file:WEB-INF/lib/peppol-commons-9.0.8.jar:com/helger/peppol/utils/PeppolCertificateChecker.class */
public final class PeppolCertificateChecker {
    public static final boolean DEFAULT_CACHE_OSCP_RESULTS = true;
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) PeppolCertificateChecker.class);
    private static final AtomicBoolean CACHE_OCSP_RESULTS = new AtomicBoolean(true);
    private static final PeppolRevocationCache REVOCATION_CACHE_AP = new PeppolRevocationCache(x509Certificate -> {
        return peppolRevocationCheck().certificate(x509Certificate).validCAsPeppolAP().build().isRevoked();
    });
    private static final PeppolRevocationCache REVOCATION_CACHE_SMP = new PeppolRevocationCache(x509Certificate -> {
        return peppolRevocationCheck().certificate(x509Certificate).validCAsPeppolSMP().build().isRevoked();
    });
    private static final ICommonsList<X509Certificate> PEPPOL_AP_CA_CERTS = new CommonsArrayList();
    private static final ICommonsList<X500Principal> PEPPOL_AP_CA_ISSUERS = new CommonsArrayList();
    private static final ICommonsList<X509Certificate> PEPPOL_SMP_CA_CERTS = new CommonsArrayList();
    private static final ICommonsList<X500Principal> PEPPOL_SMP_CA_ISSUERS = new CommonsArrayList();

    @ThreadSafe
    /* loaded from: input_file:WEB-INF/lib/peppol-commons-9.0.8.jar:com/helger/peppol/utils/PeppolCertificateChecker$PeppolRevocationCache.class */
    public static final class PeppolRevocationCache {
        private final ExpiringMap<String, Boolean> m_aCache;
        private final IToBooleanFunction<X509Certificate> m_aValueProvider;

        public PeppolRevocationCache(@Nonnull IToBooleanFunction<X509Certificate> iToBooleanFunction) {
            ValueEnforcer.notNull(iToBooleanFunction, "ValueProvider");
            this.m_aCache = ExpiringMap.builder().expirationPolicy(ExpirationPolicy.CREATED).expiration(6L, TimeUnit.HOURS).build();
            this.m_aValueProvider = iToBooleanFunction;
        }

        @Nonnull
        private static String _getKey(@Nonnull X509Certificate x509Certificate) {
            return x509Certificate.getSubjectX500Principal().getName() + "-" + x509Certificate.getSerialNumber().toString();
        }

        public boolean isRevoked(@Nonnull X509Certificate x509Certificate) {
            return this.m_aCache.computeIfAbsent(_getKey(x509Certificate), str -> {
                return Boolean.valueOf(this.m_aValueProvider.applyAsBoolean(x509Certificate));
            }).booleanValue();
        }

        public void clearCache() {
            this.m_aCache.clear();
        }
    }

    @NotThreadSafe
    /* loaded from: input_file:WEB-INF/lib/peppol-commons-9.0.8.jar:com/helger/peppol/utils/PeppolCertificateChecker$PeppolRevocationCheckBuilder.class */
    public static class PeppolRevocationCheckBuilder extends CertificateRevocationChecker.AbstractRevocationCheckBuilder<PeppolRevocationCheckBuilder> {
        @Nonnull
        public PeppolRevocationCheckBuilder validCAsPeppolAP() {
            return validCAs(PeppolCertificateChecker.PEPPOL_AP_CA_CERTS);
        }

        @Nonnull
        public PeppolRevocationCheckBuilder validCAsPeppolSMP() {
            return validCAs(PeppolCertificateChecker.PEPPOL_SMP_CA_CERTS);
        }
    }

    private PeppolCertificateChecker() {
    }

    public static boolean isCacheOCSPResults() {
        return CACHE_OCSP_RESULTS.get();
    }

    public static void setCacheOCSPResults(boolean z) {
        CACHE_OCSP_RESULTS.set(z);
        LOGGER.info("Global PeppolCertificateChecker OCSP cache enabled: " + z);
    }

    public static void clearOCSPCache() {
        REVOCATION_CACHE_AP.clearCache();
        REVOCATION_CACHE_SMP.clearCache();
        LOGGER.info("The PeppolCertificateChecker OCSP cache was cleared");
    }

    @Nonnull
    public static PeppolRevocationCache getRevocationCacheAP() {
        return REVOCATION_CACHE_AP;
    }

    @Nonnull
    public static PeppolRevocationCache getRevocationCacheSMP() {
        return REVOCATION_CACHE_SMP;
    }

    private static boolean _isCA(@Nonnull X509Certificate x509Certificate) {
        BasicConstraints basicConstraints;
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.basicConstraints.getId());
        if (extensionValue == null) {
            return false;
        }
        try {
            ASN1Primitive parseExtensionValue = JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
            if (!(parseExtensionValue instanceof ASN1Sequence) || (basicConstraints = BasicConstraints.getInstance((ASN1Sequence) parseExtensionValue)) == null) {
                return false;
            }
            return basicConstraints.isCA();
        } catch (IOException e) {
            return false;
        }
    }

    public static void addTrustedPeppolAPCACertificate(@Nonnull X509Certificate x509Certificate) {
        ValueEnforcer.notNull(x509Certificate, "Certificate");
        if (!_isCA(x509Certificate)) {
            throw new IllegalArgumentException("The provided AP certificate does not seem to be a CA: " + x509Certificate);
        }
        if (PEPPOL_AP_CA_CERTS.contains(x509Certificate)) {
            throw new IllegalArgumentException("AP certificate is already trusted as Peppol AP CA: " + x509Certificate);
        }
        PEPPOL_AP_CA_CERTS.add(x509Certificate);
        PEPPOL_AP_CA_ISSUERS.add(x509Certificate.getSubjectX500Principal());
    }

    public static void clearTrustedPeppolAPCACertificates() {
        LOGGER.warn("Explicitly removing all " + PEPPOL_AP_CA_CERTS.size() + " entries from the list of trusted Peppol AP CA certificates");
        PEPPOL_AP_CA_CERTS.clear();
        PEPPOL_AP_CA_ISSUERS.clear();
    }

    public static void addTrustedPeppolSMPCACertificate(@Nonnull X509Certificate x509Certificate) {
        ValueEnforcer.notNull(x509Certificate, "Certificate");
        if (!_isCA(x509Certificate)) {
            throw new IllegalArgumentException("The provided SMP certificate does not seem to be a CA: " + x509Certificate);
        }
        if (PEPPOL_SMP_CA_CERTS.contains(x509Certificate)) {
            throw new IllegalArgumentException("SMP certificate is already trusted as Peppol AP CA: " + x509Certificate);
        }
        PEPPOL_SMP_CA_CERTS.add(x509Certificate);
        PEPPOL_SMP_CA_ISSUERS.add(x509Certificate.getSubjectX500Principal());
    }

    public static void clearTrustedPeppolSMPCACertificates() {
        LOGGER.warn("Explicitly removing all " + PEPPOL_SMP_CA_CERTS.size() + " entries from the list of trusted Peppol SMP CA certificates");
        PEPPOL_SMP_CA_CERTS.clear();
        PEPPOL_SMP_CA_ISSUERS.clear();
    }

    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X509Certificate> getAllPeppolAPCACertificates() {
        return (ICommonsList) PEPPOL_AP_CA_CERTS.getClone();
    }

    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X500Principal> getAllPeppolAPCAIssuers() {
        return (ICommonsList) PEPPOL_AP_CA_ISSUERS.getClone();
    }

    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X509Certificate> getAllPeppolSMPCACertificates() {
        return (ICommonsList) PEPPOL_SMP_CA_CERTS.getClone();
    }

    @Nonnull
    @Nonempty
    @ReturnsMutableCopy
    public static ICommonsList<X500Principal> getAllPeppolSMPCAIssuers() {
        return (ICommonsList) PEPPOL_SMP_CA_ISSUERS.getClone();
    }

    public static PeppolRevocationCheckBuilder peppolRevocationCheck() {
        return new PeppolRevocationCheckBuilder();
    }

    @Nonnull
    public static EPeppolCertificateCheckResult checkCertificate(@Nullable ICommonsList<X500Principal> iCommonsList, @Nullable PeppolRevocationCache peppolRevocationCache, @Nonnull CertificateRevocationChecker.AbstractRevocationCheckBuilder<?> abstractRevocationCheckBuilder) {
        ValueEnforcer.notNull(abstractRevocationCheckBuilder, "RevocationChecker");
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Running Peppol Certificate Check" + (iCommonsList != null ? " against a list of " + iCommonsList.size() + " certificate issuers" : "") + (peppolRevocationCache != null ? "; a cache is provided" : "; not using a cache"));
        }
        X509Certificate certificate = abstractRevocationCheckBuilder.certificate();
        if (certificate == null) {
            LOGGER.warn("No Peppol Certificate was provided to the certificate check");
            return EPeppolCertificateCheckResult.NO_CERTIFICATE_PROVIDED;
        }
        Date checkDate = abstractRevocationCheckBuilder.checkDate();
        try {
            if (checkDate == null) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Checking the Peppol Certificate validity against the current date time");
                }
                certificate.checkValidity();
            } else {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Checking the Peppol Certificate validity against the provided date time " + checkDate);
                }
                certificate.checkValidity(checkDate);
            }
            if (iCommonsList != null) {
                X500Principal issuerX500Principal = certificate.getIssuerX500Principal();
                if (!iCommonsList.contains(issuerX500Principal)) {
                    LOGGER.warn("The provided Peppol Certificate issuer '" + issuerX500Principal + "' is not in the list of trusted issuers");
                    return EPeppolCertificateCheckResult.UNSUPPORTED_ISSUER;
                }
            } else if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Not testing against known Peppol Certificate issuers");
            }
            if (peppolRevocationCache != null) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Testing if the Peppol Certificate is revoked, using a cache");
                }
                if (peppolRevocationCache.isRevoked(certificate)) {
                    LOGGER.warn("The Peppol Certificate is revoked [caching used]");
                    return EPeppolCertificateCheckResult.REVOKED;
                }
            } else {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Testing if the Peppol Certificate is revoked, without a cache");
                }
                if (abstractRevocationCheckBuilder.build().isRevoked()) {
                    LOGGER.warn("The Peppol Certificate is revoked [no caching]");
                    return EPeppolCertificateCheckResult.REVOKED;
                }
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("The Peppol Certificate seems to be valid");
            }
            return EPeppolCertificateCheckResult.VALID;
        } catch (CertificateExpiredException e) {
            LOGGER.warn("The provided Peppol Certificate is expired per " + (checkDate == null ? "now" : checkDate.toString()));
            return EPeppolCertificateCheckResult.EXPIRED;
        } catch (CertificateNotYetValidException e2) {
            LOGGER.warn("The provided Peppol Certificate is not yet valid per " + (checkDate == null ? "now" : checkDate.toString()));
            return EPeppolCertificateCheckResult.NOT_YET_VALID;
        }
    }

    @Nonnull
    public static EPeppolCertificateCheckResult checkPeppolAPCertificate(@Nullable X509Certificate x509Certificate, @Nullable OffsetDateTime offsetDateTime, @Nonnull ETriState eTriState, @Nullable ERevocationCheckMode eRevocationCheckMode) {
        return checkCertificate(PEPPOL_AP_CA_ISSUERS, eTriState.isUndefined() ? isCacheOCSPResults() : eTriState.isTrue() ? REVOCATION_CACHE_AP : null, peppolRevocationCheck().certificate(x509Certificate).checkDate(offsetDateTime).validCAsPeppolAP().checkMode(eRevocationCheckMode));
    }

    @Nonnull
    public static EPeppolCertificateCheckResult checkPeppolSMPCertificate(@Nullable X509Certificate x509Certificate, @Nullable OffsetDateTime offsetDateTime, @Nonnull ETriState eTriState, @Nullable ERevocationCheckMode eRevocationCheckMode) {
        return checkCertificate(PEPPOL_SMP_CA_ISSUERS, eTriState.isUndefined() ? isCacheOCSPResults() : eTriState.isTrue() ? REVOCATION_CACHE_SMP : null, peppolRevocationCheck().certificate(x509Certificate).checkDate(offsetDateTime).validCAsPeppolSMP().checkMode(eRevocationCheckMode));
    }

    static {
        addTrustedPeppolAPCACertificate(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_AP);
        addTrustedPeppolAPCACertificate(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_AP);
        addTrustedPeppolSMPCACertificate(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_SMP);
        addTrustedPeppolSMPCACertificate(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_SMP);
    }
}
