package com.prosysopc.ua;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;
import org.opcfoundation.ua.builtintypes.StatusCode;
import org.opcfoundation.ua.core.ApplicationDescription;
import org.opcfoundation.ua.core.StatusCodes;
import org.opcfoundation.ua.transport.security.Cert;
import org.opcfoundation.ua.utils.CertificateUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;

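/**
 * Certificate validator backed by three directories under a base directory:
 * trusted, rejected and revoked certificates, one file per certificate named
 * by its hex thumbprint plus {@link ApplicationIdentity#CERT_FILE_EXTENSIONS}.
 * A {@code *.crl} file in the revocation directory is loaded as a CRL.
 * <p>
 * Every call to {@link #validateCertificate(ApplicationDescription, Cert)}
 * re-reads the directories via {@link #init()}, so changes made on disk are
 * picked up, at the cost of a directory scan per validation.
 * <p>
 * Thread-safety: the in-memory stores are {@link ConcurrentHashMap}s and
 * {@link #init()} is synchronized, but the listener list and the CRL field
 * are not guarded; register listeners before validating from several threads.
 *
 * @deprecated marked deprecated in the SDK this was extracted from; the
 *     replacement is not named here.
 */
@Deprecated
public class PkiFileBasedCertificateValidator implements UaCertificateValidator {
    private static final Logger logger = LoggerFactory.getLogger(PkiFileBasedCertificateValidator.class);

    /** Certificate factory type used for CRL parsing. */
    private static final String X509 = "X.509";
    /** Files with this suffix in the revocation directory are parsed as CRLs, not certificates. */
    private static final String CRL_FILE_SUFFIX = ".crl";
    /** Upper-case hex alphabet for thumbprint encoding. */
    private static final String HEX = "0123456789ABCDEF";
    /** Marker in the parsing exception's cause message that identifies a malformed URI SAN entry. */
    private static final String INVALID_URI_MARKER = "invalid URI name:";

    private final File baseDir;
    private final File trustedDir;
    private final File rejectedDir;
    private final File revocationDir;
    /** CRL loaded from the revocation directory, or null if none was found. */
    private X509CRL crl;
    /** Registered store-change listeners; duplicates are rejected by {@link #addListener}. */
    private final List<PkiFileBasedCertificateListener> listeners;
    /** When true, an {@code AcceptOnce} result also records the certificate in the rejected store. */
    private boolean storeAcceptOnceCertificates;
    private volatile CertificateValidationListener validationListener;
    private final a rejectedCertificates;
    private final a revokedCertificates;
    private final a trustedCertificates;

    /**
     * Individual checks performed by {@link #validateCertificate(ApplicationDescription, Cert)}.
     * The set of checks that passed is handed to the {@link CertificateValidationListener}.
     */
    public enum CertificateCheck {
        /** The certificate verifies with its own public key. */
        SelfSigned,
        /** The signature verifies with the certificate's own key or with a trusted issuer's key. */
        Signature,
        /** The certificate (or its issuer) is in the trusted store and the certificate is not in the rejected store. */
        Trusted,
        /** The certificate's ApplicationURI equals the expected one (also set when the expected URI is unknown). */
        Uri,
        /** The ApplicationURI matched and was a well-formed URI. */
        UriValid,
        /** The certificate is within its validity period. */
        Validity;

        /**
         * Checks that must all pass for the default policy (no validation listener)
         * to accept a certificate permanently. Final so the policy cannot be swapped
         * out from elsewhere; the set itself is still a mutable EnumSet.
         */
        public static final EnumSet<CertificateCheck> COMPULSORY = EnumSet.of(Trusted, Validity, Signature, Uri);
    }

    /** Decision returned by a {@link CertificateValidationListener}. */
    public enum ValidationResult {
        /** Accept this time; optionally recorded as rejected, see {@link #setStoreAcceptOnceCertificates}. */
        AcceptOnce,
        /** Accept and add to the trusted store. */
        AcceptPermanently,
        /** Reject; added to the rejected store unless already trusted. */
        Reject
    }

    /** Certificate store keyed by the hex thumbprint string produced by {@code thumbprintHex}. */
    public interface a extends Map<String, Cert> {
    }

    /** Default in-memory store implementation. */
    static final class b extends ConcurrentHashMap<String, Cert> implements a {
    }

    /** Creates a validator rooted at {@code PKI/CA} with the default sub-directory names. */
    public PkiFileBasedCertificateValidator() {
        this("PKI/CA", "certs", "rejected", "crl");
    }

    /**
     * Creates a validator rooted at the given base directory with the default
     * sub-directory names ({@code certs}, {@code rejected}, {@code crl}).
     *
     * @param baseDirectory path of the base directory
     */
    public PkiFileBasedCertificateValidator(String baseDirectory) {
        this(baseDirectory, "certs", "rejected", "crl");
    }

    /**
     * Creates a validator and loads the existing files from disk.
     *
     * @param baseDirectory path of the base directory
     * @param trustedSubDir sub-directory holding trusted certificates
     * @param rejectedSubDir sub-directory holding rejected certificates
     * @param revocationSubDir sub-directory holding revoked certificates and CRL files
     */
    public PkiFileBasedCertificateValidator(String baseDirectory, String trustedSubDir, String rejectedSubDir,
            String revocationSubDir) {
        this.storeAcceptOnceCertificates = true;
        this.rejectedCertificates = new b();
        this.revokedCertificates = new b();
        this.trustedCertificates = new b();
        this.listeners = new ArrayList<PkiFileBasedCertificateListener>();
        this.baseDir = new File(baseDirectory);
        this.trustedDir = new File(baseDirectory, trustedSubDir);
        this.rejectedDir = new File(baseDirectory, rejectedSubDir);
        this.revocationDir = new File(baseDirectory, revocationSubDir);
        init();
    }

    /**
     * Registers a listener; null and already-registered listeners are ignored.
     *
     * @param listener listener to add
     */
    public void addListener(PkiFileBasedCertificateListener listener) {
        if (listener == null || this.listeners.contains(listener)) {
            return;
        }
        this.listeners.add(listener);
    }

    /**
     * Moves a certificate to the rejected store (unless it is revoked) and
     * removes it from the trusted store.
     *
     * @param cert certificate to reject
     * @throws IOException if the certificate file cannot be written
     */
    public void addRejectedCertificate(Cert cert) throws IOException {
        if (!contains(this.revokedCertificates, cert)) {
            store(this.rejectedCertificates, this.rejectedDir, cert);
        }
        removeFromStore(this.trustedCertificates, this.trustedDir, cert);
        logger.info("Certificate '{}' added to rejected certificates.", thumbprintHex(cert));
        for (PkiFileBasedCertificateListener listener : this.listeners) {
            listener.onRejectedCertificateAdded(cert);
        }
    }

    /**
     * Moves a certificate to the revoked store and removes it from the trusted
     * and rejected stores.
     *
     * @param cert certificate to revoke
     * @throws IOException if the certificate file cannot be written
     */
    public void addRevokedCertificate(Cert cert) throws IOException {
        store(this.revokedCertificates, this.revocationDir, cert);
        removeFromStore(this.trustedCertificates, this.trustedDir, cert);
        removeFromStore(this.rejectedCertificates, this.rejectedDir, cert);
        logger.info("Certificate '{}' added to revoked certificates.", thumbprintHex(cert));
        for (PkiFileBasedCertificateListener listener : this.listeners) {
            listener.onRevokedCertificateAdded(cert);
        }
    }

    /**
     * Adds a certificate to the trusted store and removes it from the rejected
     * store. A certificate that is also in the revoked store stays revoked and
     * will still fail validation.
     *
     * @param cert certificate to trust
     * @throws IOException if the certificate file cannot be written
     */
    public void addTrustedCertificate(Cert cert) throws IOException {
        store(this.trustedCertificates, this.trustedDir, cert);
        removeFromStore(this.rejectedCertificates, this.rejectedDir, cert);
        logger.info("Certificate '{}' added to trusted certificates.", thumbprintHex(cert));
        for (PkiFileBasedCertificateListener listener : this.listeners) {
            listener.onTrustedCertificateAdded(cert);
        }
    }

    /**
     * Empties the in-memory stores and forgets the loaded CRL; optionally
     * deletes the files on disk as well.
     *
     * @param deleteFiles true to also delete every file in the three directories
     */
    public void clear(boolean deleteFiles) {
        if (deleteFiles) {
            deleteFilesIn(this.trustedDir);
            deleteFilesIn(this.rejectedDir);
            deleteFilesIn(this.revocationDir);
        }
        this.trustedCertificates.clear();
        this.rejectedCertificates.clear();
        this.revokedCertificates.clear();
        // Otherwise a deleted CRL file would keep revoking certificates until the process restarts.
        this.crl = null;
    }

    /** @return the base directory */
    public File getBaseDir() {
        return this.baseDir;
    }

    /** @return the CRL in use, or null if none has been loaded or set */
    public X509CRL getCrl() {
        return this.crl;
    }

    /**
     * Locates the file a certificate is stored in, checking the trusted,
     * rejected and revoked directories in that order.
     *
     * @param cert certificate to locate, may be null
     * @return the file, or null if the certificate is null or in no store
     */
    public File getFileForCert(Cert cert) {
        if (cert == null) {
            return null;
        }
        String thumbprint = thumbprintHex(cert);
        if (this.trustedCertificates.containsKey(thumbprint)) {
            return fileFor(this.trustedDir, cert);
        }
        if (this.rejectedCertificates.containsKey(thumbprint)) {
            return fileFor(this.rejectedDir, cert);
        }
        if (this.revokedCertificates.containsKey(thumbprint)) {
            return fileFor(this.revocationDir, cert);
        }
        return null;
    }

    /** @return a snapshot of the rejected certificates */
    public Cert[] getRejectedCertificates() {
        return this.rejectedCertificates.values().toArray(new Cert[0]);
    }

    /** @return the rejected-certificates directory */
    public File getRejectedDir() {
        return this.rejectedDir;
    }

    /** @return the revocation directory (revoked certificates and CRL files) */
    public File getRevocationDir() {
        return this.revocationDir;
    }

    /** @return a snapshot of the revoked certificates */
    public Cert[] getRevokedCertificates() {
        return this.revokedCertificates.values().toArray(new Cert[0]);
    }

    /** @return a snapshot of the trusted certificates */
    public Cert[] getTrustedCertificates() {
        return this.trustedCertificates.values().toArray(new Cert[0]);
    }

    /** @return the trusted-certificates directory */
    public File getTrustedDir() {
        return this.trustedDir;
    }

    /** @return the validation listener, or null if none is set */
    public CertificateValidationListener getValidationListener() {
        return this.validationListener;
    }

    /** @return whether {@code AcceptOnce} decisions are recorded in the rejected store (default true) */
    public boolean isStoreAcceptOnceCertificates() {
        return this.storeAcceptOnceCertificates;
    }

    /** Re-reads the three directories from disk. */
    public void refresh() {
        init();
    }

    /**
     * Unregisters a listener; null is ignored.
     *
     * @param listener listener to remove
     */
    public void removeListener(PkiFileBasedCertificateListener listener) {
        if (listener != null) {
            this.listeners.remove(listener);
        }
    }

    /**
     * Sets the CRL to check against. Note that {@link #init()} replaces it
     * whenever a {@code *.crl} file is found in the revocation directory.
     *
     * @param x509crl the CRL, or null to disable CRL checking
     */
    public void setCrl(X509CRL x509crl) {
        this.crl = x509crl;
    }

    /** @param store whether {@code AcceptOnce} decisions are recorded in the rejected store */
    public void setStoreAcceptOnceCertificates(boolean store) {
        this.storeAcceptOnceCertificates = store;
    }

    /** @param listener listener that decides the outcome of validation, or null for the default policy */
    public void setValidationListener(CertificateValidationListener listener) {
        this.validationListener = listener;
    }

    /**
     * Validates a certificate against the stores, the CRL and the expected
     * ApplicationURI, then applies the validation listener's decision (or, with
     * no listener, accepts only when all {@link CertificateCheck#COMPULSORY}
     * checks passed).
     * <p>
     * Order of evaluation: revocation (CRL or revoked store) rejects outright;
     * then trust, validity period, signature (self-signed or signed by a stored
     * issuer) and ApplicationURI are recorded as checks. A null
     * {@code applicationDescription} means there is no expected URI, so the
     * {@code Uri} and {@code UriValid} checks are recorded as passed.
     *
     * @param applicationDescription description carrying the expected ApplicationURI, may be null
     * @param cert certificate to validate, must not be null
     * @return {@link StatusCode#GOOD} on acceptance, otherwise a {@code Bad_*} status
     * @throws NullPointerException if {@code cert} is null
     */
    @Override
    public StatusCode validateCertificate(ApplicationDescription applicationDescription, Cert cert) {
        Objects.requireNonNull(cert, "cert");
        init();
        logger.debug("validateCertificate: applicationDescription={}", applicationDescription);
        logger.debug("cert={}", cert);
        X509Certificate certificate = cert.getCertificate();

        boolean revoked = (this.crl != null && this.crl.isRevoked(certificate))
                || contains(this.revokedCertificates, cert);
        logger.debug("isRevoked={}", Boolean.valueOf(revoked));
        if (revoked) {
            return new StatusCode(StatusCodes.Bad_CertificateRevoked);
        }

        EnumSet<CertificateCheck> checks = EnumSet.noneOf(CertificateCheck.class);
        logger.debug("trustedCertificates={}", this.trustedCertificates.keySet());
        // A rejected entry wins over a trusted one for the same certificate.
        if (!contains(this.rejectedCertificates, cert) && contains(this.trustedCertificates, cert)) {
            checks.add(CertificateCheck.Trusted);
        }
        logger.debug("trusted={}", Boolean.valueOf(checks.contains(CertificateCheck.Trusted)));

        try {
            certificate.checkValidity();
            checks.add(CertificateCheck.Validity);
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            logger.debug("valid=no: {}", e.getMessage());
        }
        logger.debug("valid={}", Boolean.valueOf(checks.contains(CertificateCheck.Validity)));

        try {
            certificate.verify(certificate.getPublicKey());
            checks.add(CertificateCheck.Signature);
            checks.add(CertificateCheck.SelfSigned);
        } catch (GeneralSecurityException notSelfSigned) {
            // Not self-signed: the signature only counts if a stored certificate's key verifies it.
            // Signature and Trusted are recorded only after a successful verify; a failed verify
            // must never mark the signature as checked.
            if (findIssuer(this.revokedCertificates, certificate) != null) {
                return new StatusCode(StatusCodes.Bad_CertificateIssuerRevoked);
            }
            Cert issuer = findIssuer(this.trustedCertificates, certificate);
            if (issuer != null) {
                try {
                    issuer.getCertificate().checkValidity();
                } catch (CertificateException issuerInvalid) {
                    return new StatusCode(StatusCodes.Bad_CertificateIssuerTimeInvalid);
                }
                checks.add(CertificateCheck.Signature);
                checks.add(CertificateCheck.Trusted);
            }
        }
        logger.debug("signature={}", Boolean.valueOf(checks.contains(CertificateCheck.Signature)));
        logger.debug("self-signed={}", Boolean.valueOf(checks.contains(CertificateCheck.SelfSigned)));

        String applicationUri = applicationDescription == null ? null : applicationDescription.getApplicationUri();
        // No expected URI: nothing to compare against, treated as a match (existing policy).
        boolean uriMatches = applicationUri == null;
        if (!uriMatches) {
            try {
                // equals() on the expected value tolerates a null URI in the certificate.
                uriMatches = applicationUri.equals(CertificateUtils.getApplicationUriOfCertificate(certificate));
            } catch (CertificateParsingException e) {
                Throwable cause = e.getCause();
                String causeMessage = cause == null ? null : cause.getMessage();
                if (causeMessage != null && causeMessage.contains(INVALID_URI_MARKER)) {
                    String[] parts = causeMessage.split(INVALID_URI_MARKER);
                    if (parts.length == 2 && parts[1].equals(applicationUri)) {
                        // The value matches but is not a well-formed URI: Uri passes, UriValid does not.
                        logger.warn("The provided certificate contains an invalid ApplicationURI: {}", parts[1]);
                        checks.add(CertificateCheck.Uri);
                    } else {
                        logger.warn("The provided certificate does not define the ApplicationURI", e);
                    }
                } else {
                    logger.warn("The provided certificate has an invalid SubjectAlternativeNames field", e);
                }
            }
        }
        if (uriMatches) {
            checks.add(CertificateCheck.Uri);
            checks.add(CertificateCheck.UriValid);
        }
        logger.debug("uri={}", Boolean.valueOf(checks.contains(CertificateCheck.Uri)));
        logger.debug("uriValid={}", Boolean.valueOf(checks.contains(CertificateCheck.UriValid)));

        CertificateValidationListener listener = this.validationListener;
        ValidationResult action;
        if (listener != null) {
            action = listener.onValidate(cert, applicationDescription, checks);
            if (action == null) {
                // Fail closed: a listener that returns nothing must not accept the certificate.
                logger.warn("Validation listener returned null; rejecting certificate '{}'", thumbprintHex(cert));
                action = ValidationResult.Reject;
            }
        } else {
            action = checks.containsAll(CertificateCheck.COMPULSORY)
                    ? ValidationResult.AcceptPermanently
                    : ValidationResult.Reject;
        }
        logger.debug("action={}", action);

        StatusCode statusCode = StatusCode.GOOD;
        try {
            switch (action) {
                case AcceptPermanently:
                    addTrustedCertificate(cert);
                    break;
                case AcceptOnce:
                    if (this.storeAcceptOnceCertificates && !checks.contains(CertificateCheck.Trusted)) {
                        addRejectedCertificate(cert);
                    }
                    break;
                case Reject:
                default:
                    statusCode = rejectionStatus(checks);
                    if (!checks.contains(CertificateCheck.Trusted)) {
                        addRejectedCertificate(cert);
                    }
                    break;
            }
        } catch (IOException e) {
            // Persisting the decision is best-effort; the status code already reflects the outcome.
            logger.warn("Could not update the certificate store for '{}': {}", thumbprintHex(cert), e.getMessage());
        }
        return statusCode;
    }

    /**
     * Validates the identity's certificate against its own application description.
     *
     * @param applicationIdentity identity holding the certificate and description, must not be null
     * @return the validation status
     */
    @Override
    public StatusCode validateCertificate(ApplicationIdentity applicationIdentity) {
        Objects.requireNonNull(applicationIdentity, "applicationIdentity");
        return validateCertificate(applicationIdentity.getApplicationDescription(), applicationIdentity.getCertificate());
    }

    /**
     * Validates a certificate with no expected ApplicationURI. A null
     * certificate is reported as {@link StatusCode#GOOD} (existing behaviour;
     * presumably for connections that carry no certificate).
     *
     * @param cert certificate to validate, may be null
     * @return the validation status
     */
    @Override
    public StatusCode validateCertificate(Cert cert) {
        logger.debug("validateCertificate: Cert={}", cert);
        return cert == null ? StatusCode.GOOD : validateCertificate(null, cert);
    }

    /**
     * Maps the failed checks to the most specific rejection status. A listener
     * may reject a certificate that passed every check; that still yields
     * {@code Bad_SecurityChecksFailed}, never {@code GOOD}.
     */
    private static StatusCode rejectionStatus(EnumSet<CertificateCheck> checks) {
        if (!checks.contains(CertificateCheck.Trusted) || !checks.contains(CertificateCheck.Signature)) {
            return new StatusCode(StatusCodes.Bad_SecurityChecksFailed);
        }
        if (!checks.contains(CertificateCheck.Validity)) {
            return new StatusCode(StatusCodes.Bad_CertificateTimeInvalid);
        }
        if (!checks.contains(CertificateCheck.Uri)) {
            return new StatusCode(StatusCodes.Bad_CertificateUriInvalid);
        }
        return new StatusCode(StatusCodes.Bad_SecurityChecksFailed);
    }

    /**
     * Finds the stored certificate whose public key verifies {@code certificate}'s
     * signature (one level only; no chain building).
     *
     * @return the issuer certificate, or null if none in the store signed it
     */
    private static Cert findIssuer(a store, X509Certificate certificate) {
        for (Cert candidate : store.values()) {
            try {
                certificate.verify(candidate.getCertificate().getPublicKey());
                return candidate;
            } catch (GeneralSecurityException notThisIssuer) {
                // Not signed by this candidate; keep looking.
            }
        }
        return null;
    }

    /**
     * Upper-case hex encoding of the certificate's encoded thumbprint, used as
     * the store key and file name.
     *
     * @return the hex string, or null if the certificate has no thumbprint
     */
    private static String thumbprintHex(Cert cert) {
        byte[] thumbprint = cert.getEncodedThumbprint();
        if (thumbprint == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(2 * thumbprint.length);
        for (byte value : thumbprint) {
            sb.append(HEX.charAt((value & 0xF0) >> 4)).append(HEX.charAt(value & 0x0F));
        }
        return sb.toString();
    }

    /** File a certificate is (or would be) stored in under {@code dir}. */
    private File fileFor(File dir, Cert cert) {
        return new File(dir, thumbprintHex(cert) + ApplicationIdentity.CERT_FILE_EXTENSIONS);
    }

    /**
     * Loads all three directories. A certificate found in the trusted directory
     * is dropped from the rejected store and vice versa; a revoked one is
     * dropped from the trusted store. Entries whose file has disappeared are
     * not removed here.
     */
    private synchronized void init() {
        loadDirectory(this.trustedCertificates, this.trustedDir, this.rejectedCertificates);
        loadDirectory(this.rejectedCertificates, this.rejectedDir, this.trustedCertificates);
        loadDirectory(this.revokedCertificates, this.revocationDir, this.trustedCertificates);
    }

    /**
     * Reads every file in {@code dir} into {@code store}, creating the directory
     * if needed. In the revocation directory, {@code *.crl} files are loaded as
     * the CRL instead.
     *
     * @param removeFrom store to drop each loaded certificate from, may be null
     */
    private void loadDirectory(a store, File dir, a removeFrom) {
        if (!dir.exists() && !dir.mkdirs()) {
            logger.warn("Could not create directory {}", dir);
        }
        if (!dir.isDirectory()) {
            return;
        }
        File[] files = dir.listFiles();
        if (files == null) {
            // listFiles() returns null on I/O error or when the path is not readable.
            logger.warn("Could not list directory {}", dir);
            return;
        }
        for (File file : files) {
            if (dir.equals(this.revocationDir) && file.getName().endsWith(CRL_FILE_SUFFIX)) {
                loadCrl(file);
            } else {
                loadCertificateFile(store, dir, removeFrom, file);
            }
        }
    }

    /**
     * Parses a CRL file and installs it as the current CRL. If several CRL
     * files exist, the last one read wins. The CRL's own signature is not
     * verified here.
     */
    private void loadCrl(File file) {
        try (FileInputStream in = new FileInputStream(file)) {
            this.crl = (X509CRL) CertificateFactory.getInstance(X509).generateCRL(in);
            String summary = this.crl.getRevokedCertificates() == null
                    ? "no revoked certificates"
                    : this.crl.getRevokedCertificates().size() + " certificates revoked";
            logger.info("CRL initialized from {}: {}", file, summary);
        } catch (IOException | GeneralSecurityException | ClassCastException e) {
            logger.warn("Could not read CRL file {}: {}", file, e.getMessage());
        }
    }

    /** Loads one certificate file into {@code store}; unreadable files are logged and skipped. */
    private void loadCertificateFile(a store, File dir, a removeFrom, File file) {
        try {
            Cert loaded = Cert.load(file);
            store(store, dir, loaded);
            logger.debug("Certificate from '{}' added to accepted certificates", file);
            if (removeFrom != null) {
                removeFrom.remove(thumbprintHex(loaded));
            }
        } catch (IOException e) {
            logger.info("File '{}' is not a certificate: {}", file, e.getMessage());
        } catch (CertificateException e) {
            logger.info("File '{}' is not a valid certificate: {}", file, e.getMessage());
        }
    }

    /**
     * Puts a certificate into {@code store} and writes its file under
     * {@code dir} unless the file already exists.
     *
     * @throws IOException if the file cannot be written (the store is left unchanged)
     */
    private void store(a store, File dir, Cert cert) throws IOException {
        String thumbprint = thumbprintHex(cert);
        logger.debug("listAdd: cert={}; dir={}", thumbprint, dir);
        File target = fileFor(dir, cert);
        if (!target.exists()) {
            try {
                cert.save(target);
            } catch (IOException e) {
                logger.warn("Cannot write to directory " + dir, e);
                throw e;
            }
        }
        // NOTE: a null thumbprint would make ConcurrentHashMap throw NPE here; Cert instances are assumed to carry one.
        store.put(thumbprint, cert);
        logger.debug("certificates.size()={}", Integer.valueOf(store.size()));
    }

    /** True if {@code store} holds this exact certificate under its thumbprint. */
    private boolean contains(a store, Cert cert) {
        String thumbprint = thumbprintHex(cert);
        return thumbprint != null && cert.equals(store.get(thumbprint));
    }

    /** Removes a certificate from {@code store} and deletes its file under {@code dir}. */
    private void removeFromStore(a store, File dir, Cert cert) {
        String thumbprint = thumbprintHex(cert);
        logger.debug("removeCertificate: cert={} dir={}", thumbprint, dir);
        logger.debug("certificates.size()={}", Integer.valueOf(store.size()));
        File target = fileFor(dir, cert);
        if (!target.delete() && target.exists()) {
            logger.warn("Could not delete certificate file {}", target);
        }
        Cert removed = store.remove(thumbprint);
        if (logger.isDebugEnabled()) {
            logger.debug("c={}", removed == null ? "null" : thumbprint);
            logger.debug("certificates.size()={}", Integer.valueOf(store.size()));
        }
    }

    /** Deletes every file directly inside {@code dir}; a missing or unreadable directory is ignored. */
    private static void deleteFilesIn(File dir) {
        File[] files = dir.listFiles();
        if (files == null) {
            return;
        }
        for (File file : files) {
            if (!file.delete()) {
                logger.warn("Could not delete {}", file);
            }
        }
    }
}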
