package org.opcfoundation.ua.cert;

import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Set;
import org.opcfoundation.ua.builtintypes.StatusCode;
import org.opcfoundation.ua.core.ApplicationDescription;
import org.opcfoundation.ua.core.StatusCodes;
import org.opcfoundation.ua.transport.security.Cert;
import org.opcfoundation.ua.transport.security.CertificateValidator;
import org.opcfoundation.ua.utils.CertificateUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/opc-ua-stack-1.3.346-197.jar:org/opcfoundation/ua/cert/DefaultCertificateValidator.class */
public class DefaultCertificateValidator implements CertificateValidator {
    private static final Logger logger = LoggerFactory.getLogger(DefaultCertificateValidator.class);
    private static final String INVALID_URI_ERROR = "invalid URI name:";
    private volatile DefaultCertificateValidatorListener validationListener;
    private final CertificateStore store;

    public DefaultCertificateValidator(CertificateStore certificateStore) {
        this.store = certificateStore;
    }

    public CertificateStore getCertificateStore() {
        return this.store;
    }

    public DefaultCertificateValidatorListener getValidationListener() {
        return this.validationListener;
    }

    public void setValidationListener(DefaultCertificateValidatorListener defaultCertificateValidatorListener) {
        this.validationListener = defaultCertificateValidatorListener;
    }

    @Override // org.opcfoundation.ua.transport.security.CertificateValidator
    public StatusCode validateCertificate(ApplicationDescription applicationDescription, Cert cert) {
        try {
            logger.debug("validateCertificate: applicationDescription={}", applicationDescription);
            logger.debug("cert={}", cert);
            boolean isRevoked = isRevoked(cert);
            logger.debug("isRevoked={}", Boolean.valueOf(isRevoked));
            if (isRevoked) {
                return new StatusCode(StatusCodes.Bad_CertificateRevoked);
            }
            StatusCode statusCode = StatusCode.GOOD;
            EnumSet<CertificateCheck> noneOf = EnumSet.noneOf(CertificateCheck.class);
            Set<Cert> trustedCerts = this.store.getTrustedCerts();
            if (trustedCerts != null && trustedCerts.contains(cert)) {
                logger.debug("trusted=yes");
                noneOf.add(CertificateCheck.Trusted);
            }
            logger.debug("trusted={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Trusted)));
            X509Certificate certificate = cert.getCertificate();
            try {
                certificate.checkValidity();
                logger.debug("valid=yes");
                noneOf.add(CertificateCheck.Validity);
            } catch (CertificateExpiredException e) {
            } catch (CertificateNotYetValidException e2) {
            }
            logger.debug("valid={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Validity)));
            try {
                certificate.verify(certificate.getPublicKey());
                logger.debug("signature=yes");
                logger.debug("self-signed=yes");
                noneOf.add(CertificateCheck.Signature);
                noneOf.add(CertificateCheck.SelfSigned);
            } catch (GeneralSecurityException e3) {
                boolean z = false;
                for (Cert cert2 : trustedCerts) {
                    try {
                        certificate.verify(cert2.getCertificate().getPublicKey());
                        z = true;
                        StatusCode validateCertificate = validateCertificate(cert2);
                        if (validateCertificate.isStatusCode(StatusCodes.Bad_CertificateRevoked)) {
                            statusCode = new StatusCode(StatusCodes.Bad_CertificateIssuerRevoked);
                        } else if (validateCertificate.isStatusCode(StatusCodes.Bad_CertificateTimeInvalid)) {
                            statusCode = new StatusCode(StatusCodes.Bad_CertificateIssuerTimeInvalid);
                        } else if (validateCertificate.isStatusCode(StatusCodes.Bad_CertificateChainIncomplete) || validateCertificate.isStatusCode(StatusCodes.Bad_CertificateIssuerRevoked) || validateCertificate.isStatusCode(StatusCodes.Bad_CertificateIssuerTimeInvalid)) {
                            statusCode = validateCertificate;
                        } else if (validateCertificate.isNotGood()) {
                            statusCode = new StatusCode(StatusCodes.Bad_CertificateInvalid);
                        }
                    } catch (GeneralSecurityException e4) {
                    }
                }
                if (!z) {
                    statusCode = new StatusCode(StatusCodes.Bad_CertificateChainIncomplete);
                }
                if (statusCode.isNotGood()) {
                    this.store.addCertificate(ValidationResult.Reject, cert);
                    return statusCode;
                }
                logger.debug("signature=yes");
                noneOf.add(CertificateCheck.Signature);
                noneOf.add(CertificateCheck.Trusted);
            }
            logger.debug("signature={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Signature)));
            logger.debug("self-signed={}", Boolean.valueOf(noneOf.contains(CertificateCheck.SelfSigned)));
            String applicationUri = applicationDescription == null ? null : applicationDescription.getApplicationUri();
            boolean z2 = applicationUri == null;
            if (!z2) {
                try {
                    if (CertificateUtils.getApplicationUriOfCertificate(certificate).equals(applicationUri)) {
                        z2 = true;
                    }
                } catch (CertificateParsingException e5) {
                    if (e5.getCause().getMessage().contains(INVALID_URI_ERROR)) {
                        String[] split = e5.getCause().getMessage().split(INVALID_URI_ERROR);
                        if (split.length == 2 && split[1].equals(applicationUri)) {
                            logger.warn("The provided certificate contains an invalid ApplicationURI: {}", split[1]);
                            noneOf.add(CertificateCheck.Uri);
                        } else {
                            logger.warn("The provided certificate does not define the ApplicationURI", (Throwable) e5);
                        }
                    } else {
                        logger.warn("The provided certificate has an invalid SubjectAlternativeNames field", (Throwable) e5);
                    }
                }
            }
            if (z2) {
                noneOf.add(CertificateCheck.Uri);
                noneOf.add(CertificateCheck.UriValid);
            }
            logger.debug("uri={}", Boolean.valueOf(noneOf.contains(CertificateCheck.Uri)));
            logger.debug("uriValid={}", Boolean.valueOf(noneOf.contains(CertificateCheck.UriValid)));
            ValidationResult checkValidationAction = checkValidationAction(cert, applicationDescription, noneOf);
            logger.debug("action={}", checkValidationAction);
            switch (checkValidationAction) {
                case AcceptPermanently:
                    statusCode = StatusCode.GOOD;
                    this.store.addCertificate(ValidationResult.AcceptPermanently, cert);
                    break;
                case AcceptOnce:
                    statusCode = StatusCode.GOOD;
                    this.store.addCertificate(ValidationResult.AcceptOnce, cert);
                    break;
                case Reject:
                    if (!noneOf.contains(CertificateCheck.Trusted)) {
                        statusCode = new StatusCode(StatusCodes.Bad_SecurityChecksFailed);
                    } else if (!noneOf.contains(CertificateCheck.Signature)) {
                        statusCode = new StatusCode(StatusCodes.Bad_SecurityChecksFailed);
                    } else if (!noneOf.contains(CertificateCheck.Validity)) {
                        statusCode = new StatusCode(StatusCodes.Bad_CertificateTimeInvalid);
                    } else if (noneOf.contains(CertificateCheck.Uri)) {
                        logger.warn("Rejected a certificate which did contain passedchecks: {}", noneOf);
                        statusCode = new StatusCode(StatusCodes.Bad_SecurityChecksFailed);
                    } else {
                        statusCode = new StatusCode(StatusCodes.Bad_CertificateUriInvalid);
                    }
                    this.store.addCertificate(ValidationResult.Reject, cert);
                    break;
            }
            return statusCode;
        } catch (RuntimeException e6) {
            logger.error("error while validating certificates", (Throwable) e6);
            return new StatusCode(StatusCodes.Bad_InternalError);
        }
    }

    private boolean isRevoked(Cert cert) {
        Iterator<X509CRL> it = this.store.getRevocationLists().iterator();
        while (it.hasNext()) {
            if (it.next().isRevoked(cert.getCertificate())) {
                return true;
            }
        }
        return false;
    }

    @Override // org.opcfoundation.ua.transport.security.CertificateValidator
    public StatusCode validateCertificate(Cert cert) {
        logger.debug("validateCertificate: Cert={}", cert);
        return cert == null ? StatusCode.GOOD : validateCertificate(null, cert);
    }

    private ValidationResult checkValidationAction(Cert cert, ApplicationDescription applicationDescription, EnumSet<CertificateCheck> enumSet) {
        DefaultCertificateValidatorListener defaultCertificateValidatorListener = this.validationListener;
        return defaultCertificateValidatorListener != null ? defaultCertificateValidatorListener.onValidate(cert, applicationDescription, enumSet) : enumSet.containsAll(CertificateCheck.COMPULSORY) ? ValidationResult.AcceptPermanently : ValidationResult.Reject;
    }
}
