package org.opcfoundation.ua.cert;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;
import org.opcfoundation.ua.transport.security.Cert;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;

/* loaded from: input_file:BOOT-INF/lib/opc-ua-stack-1.3.346-197.jar:org/opcfoundation/ua/cert/PkiDirectoryCertificateStore.class */
public class PkiDirectoryCertificateStore implements CertificateStore {
    private static final Logger logger = LoggerFactory.getLogger(PkiDirectoryCertificateStore.class);
    private static final String FILE_EXTENSION = ".der";
    private static final String HEXES = "0123456789ABCDEF";
    private final Map<String, Cert> rejectedCertificates;
    private final Map<String, Cert> trustedCertificates;
    private final Set<X509CRL> revocationLists;
    private final File baseDir;
    private final File revocationDir;
    private final File rejectedDir;
    private final File trustedDir;
    private final CopyOnWriteArraySet<PublicKey> trustedPublicKeys;
    private boolean storeAcceptOnceCertificates;
    private final List<DefaultCertificateStoreListener> listeners;

    public PkiDirectoryCertificateStore() {
        this("PKI/CA", "certs", "rejected", "crl");
    }

    public PkiDirectoryCertificateStore(String str) {
        this(str, "certs", "rejected", "crl");
    }

    public PkiDirectoryCertificateStore(String str, String str2, String str3, String str4) {
        this.rejectedCertificates = new ConcurrentHashMap();
        this.trustedCertificates = new ConcurrentHashMap();
        this.revocationLists = new CopyOnWriteArraySet();
        this.trustedPublicKeys = new CopyOnWriteArraySet<>();
        this.storeAcceptOnceCertificates = true;
        this.listeners = new ArrayList();
        this.baseDir = new File(str);
        this.trustedDir = new File(str, str2);
        this.rejectedDir = new File(str, str3);
        this.revocationDir = new File(str, str4);
        init();
    }

    public void addListener(DefaultCertificateStoreListener defaultCertificateStoreListener) {
        if (defaultCertificateStoreListener == null || this.listeners.contains(defaultCertificateStoreListener)) {
            return;
        }
        this.listeners.add(defaultCertificateStoreListener);
    }

    public void addRejectedCertificate(Cert cert) {
        listAdd(this.rejectedCertificates, this.rejectedDir, cert);
        removeCertificate(this.trustedCertificates, this.trustedDir, cert);
        logger.info("Certificate '{}' added to rejected certificates.", getCertKey(cert));
        fireAddedRejected(cert);
    }

    public void addRevocationList(X509CRL x509crl) {
        this.revocationLists.add(x509crl);
        fireAddedRevocationList(x509crl);
    }

    public void addTrustedCertificate(Cert cert) {
        logger.debug("addTrustedCertificate");
        listAdd(this.trustedCertificates, this.trustedDir, cert);
        removeCertificate(this.rejectedCertificates, this.rejectedDir, cert);
        logger.info("Certificate '{}' added to trusted certificates.", getCertKey(cert));
        fireAddedTrusted(cert);
    }

    @Override // org.opcfoundation.ua.cert.CertificateStore
    public Set<Cert> getTrustedCerts() {
        init();
        HashSet hashSet = new HashSet();
        Iterator<Map.Entry<String, Cert>> it = this.trustedCertificates.entrySet().iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().getValue());
        }
        return Collections.unmodifiableSet(hashSet);
    }

    @Override // org.opcfoundation.ua.cert.CertificateStore
    public Set<Cert> getRejectedCerts() {
        init();
        HashSet hashSet = new HashSet();
        Iterator<Map.Entry<String, Cert>> it = this.rejectedCertificates.entrySet().iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().getValue());
        }
        return Collections.unmodifiableSet(hashSet);
    }

    @Override // org.opcfoundation.ua.cert.CertificateStore
    public Set<X509CRL> getRevocationLists() {
        init();
        HashSet hashSet = new HashSet();
        Iterator<X509CRL> it = this.revocationLists.iterator();
        while (it.hasNext()) {
            hashSet.add(it.next());
        }
        return Collections.unmodifiableSet(hashSet);
    }

    @Override // org.opcfoundation.ua.cert.CertificateStore
    public void addCertificate(ValidationResult validationResult, Cert cert) {
        if (validationResult == null) {
            throw new IllegalArgumentException("type cannot be null");
        }
        if (cert == null) {
            throw new IllegalArgumentException("certificate cannot be null");
        }
        switch (validationResult) {
            case AcceptPermanently:
                addTrustedCertificate(cert);
                return;
            case AcceptOnce:
                if (this.storeAcceptOnceCertificates) {
                    addRejectedCertificate(cert);
                    return;
                }
                return;
            case Reject:
                addRejectedCertificate(cert);
                return;
            default:
                throw new IllegalArgumentException("encountered unknown type parameter: " + validationResult);
        }
    }

    public File getTrustedDir() {
        return this.trustedDir;
    }

    public File getRejectedDir() {
        return this.rejectedDir;
    }

    public File getRevocationDir() {
        return this.revocationDir;
    }

    public boolean isStoreAcceptOnceCertificates() {
        return this.storeAcceptOnceCertificates;
    }

    public void removeListener(DefaultCertificateStoreListener defaultCertificateStoreListener) {
        if (defaultCertificateStoreListener != null) {
            this.listeners.remove(defaultCertificateStoreListener);
        }
    }

    public File getFileForCert(Cert cert) {
        if (cert == null) {
            return null;
        }
        if (this.trustedCertificates.containsKey(getCertKey(cert))) {
            return getFileForCert(this.trustedDir, cert);
        }
        if (this.rejectedCertificates.containsKey(getCertKey(cert))) {
            return getFileForCert(this.rejectedDir, cert);
        }
        return null;
    }

    private File getFileForCert(File file, Cert cert) {
        return new File(file, getCertKey(cert) + ".der");
    }

    public void setStoreAcceptOnceCertificates(boolean z) {
        this.storeAcceptOnceCertificates = z;
    }

    public void refresh() {
        init();
    }

    public File getBaseDir() {
        return this.baseDir;
    }

    public void clear(boolean z) {
        if (z) {
            for (File file : this.trustedDir.listFiles()) {
                file.delete();
            }
            for (File file2 : this.rejectedDir.listFiles()) {
                file2.delete();
            }
            for (File file3 : this.revocationDir.listFiles()) {
                file3.delete();
            }
        }
        this.trustedCertificates.clear();
        this.rejectedCertificates.clear();
    }

    private synchronized void init() {
        initCertificates(this.trustedCertificates, this.trustedDir, this.rejectedCertificates);
        Iterator<Cert> it = this.trustedCertificates.values().iterator();
        while (it.hasNext()) {
            this.trustedPublicKeys.add(it.next().getCertificate().getPublicKey());
        }
        initCertificates(this.rejectedCertificates, this.rejectedDir, this.trustedCertificates);
    }

    private void initCertificates(Map<String, Cert> map, File file, Map<String, Cert> map2) {
        if (!file.exists()) {
            file.mkdirs();
        }
        if (file.isDirectory()) {
            for (File file2 : file.listFiles()) {
                if (file.equals(this.revocationDir) && file2.getName().endsWith(".crl")) {
                    initCRL(file2);
                } else {
                    try {
                        Cert load = Cert.load(file2);
                        listAdd(map, file, load);
                        logger.debug("Certificate from '{}' added to accepted certificates", file2);
                        if (map2 != null) {
                            map2.remove(getCertKey(load));
                        }
                    } catch (IOException e) {
                        logger.info("File '{}' is not a certificate: {}", file2, e.getMessage());
                    } catch (CertificateException e2) {
                        logger.info("File '{}' is not a valid certificate: {}", file2, e2.getMessage());
                    }
                }
            }
        }
    }

    private void initCRL(File file) {
        try {
            X509CRL x509crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(new FileInputStream(file));
            this.revocationLists.add(x509crl);
            logger.info("CRL initialized from " + file + ": " + (x509crl.getRevokedCertificates() == null ? "no revoked certificates" : x509crl.getRevokedCertificates().size() + " certificates revoked"));
        } catch (Exception e) {
            logger.warn("Could not read CRL file {: {}", file, e.getMessage());
        }
    }

    private void listAdd(Map<String, Cert> map, File file, Cert cert) {
        logger.debug("listAdd: cert={}; dir={}", getCertKey(cert), file);
        if (!map.containsKey(cert)) {
            try {
                File fileForCert = getFileForCert(file, cert);
                if (!fileForCert.exists()) {
                    cert.save(fileForCert);
                }
            } catch (IOException e) {
                logger.error("Cannot write to directory " + file, (Throwable) e);
            }
            map.put(getCertKey(cert), cert);
        }
        logger.debug("certificates.size()={}", Integer.valueOf(map.size()));
    }

    private String getCertKey(Cert cert) {
        return getHex(cert.getEncodedThumbprint());
    }

    private String getHex(byte[] bArr) {
        if (bArr == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(2 * bArr.length);
        for (byte b : bArr) {
            sb.append(HEXES.charAt((b & 240) >> 4)).append(HEXES.charAt(b & 15));
        }
        return sb.toString();
    }

    private void fireAddedRejected(Cert cert) {
        Iterator<DefaultCertificateStoreListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            it.next().onRejectedCertificateAdded(cert);
        }
    }

    private void fireAddedTrusted(Cert cert) {
        Iterator<DefaultCertificateStoreListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            it.next().onTrustedCertificateAdded(cert);
        }
    }

    private void fireAddedRevocationList(X509CRL x509crl) {
        Iterator<DefaultCertificateStoreListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            it.next().onRevokedListAdded(x509crl);
        }
    }

    private void removeCertificate(Map<String, Cert> map, File file, Cert cert) {
        logger.debug("removeCertificate: cert={} dir={}", getCertKey(cert), file);
        logger.debug("certificates.size()={}", Integer.valueOf(map.size()));
        getFileForCert(file, cert).delete();
        Cert remove = map.remove(getCertKey(cert));
        if (logger.isDebugEnabled()) {
            logger.debug("c=" + (remove == null ? BeanDefinitionParserDelegate.NULL_ELEMENT : remove.getEncodedThumbprint()));
            logger.debug("certificates.size()={}", Integer.valueOf(map.size()));
        }
    }
}
