package com.prosysopc.ua.stack.cert;

import com.prosysopc.ua.stack.builtintypes.StatusCode;
import com.prosysopc.ua.stack.core.ApplicationDescription;
import com.prosysopc.ua.stack.core.StatusCodes;
import com.prosysopc.ua.stack.transport.security.Cert;
import com.prosysopc.ua.stack.transport.security.CertificateValidator;
import com.prosysopc.ua.stack.utils.CertificateUtils;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/prosys-opc-ua-java-sdk-client-4.6.0-1594.jar:com/prosysopc/ua/stack/cert/DefaultCertificateValidator.class */
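public class DefaultCertificateValidator implements CertificateValidator {
    private static final Logger logger = LoggerFactory.getLogger(DefaultCertificateValidator.class);

    /**
     * Text the JDK places in the cause of the {@link CertificateParsingException} it raises for a
     * SubjectAlternativeName URI it cannot parse; {@link #matchesApplicationUri} recovers the raw value
     * that follows it. This relies on the JDK's message wording — revisit if a JDK upgrade changes it.
     */
    private static final String INVALID_URI_NAME_MARKER = "invalid URI name:";

    /** Index of the digitalSignature bit in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;

    /** Index of the nonRepudiation bit in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_NON_REPUDIATION = 1;

    /**
     * Callback that takes the final accept/reject decision; {@code null} means the built-in policy
     * applies. Volatile so a listener installed from another thread is used by the next validation.
     */
    private volatile DefaultCertificateValidatorListener validationListener;

    /** Trust store: trusted certificates and their CRLs. Also receives the outcome of each validation. */
    private final CertificateStore certificateStore;

    /**
     * Optional store of issuer (CA) certificates and CRLs used to complete chains. A certificate found
     * only here is not considered trusted.
     */
    private final CertificateStore issuersCertificateStore;

    /** Checks the operator has chosen to relax. Handed out live by {@link #getIgnoredChecks()}, hence a concurrent set. */
    private final Set<IgnoredChecks> ignoredChecks;

    /** Validation steps that can be switched off through {@link #getIgnoredChecks()}. */
    public enum IgnoredChecks {
        /**
         * Do not fail a self-signed issuer certificate with Bad_CertificateRevocationUnknown when the
         * store holding it contains no CRL issued by it.
         */
        IGNORE_CA_MISSING_CRL,
        /**
         * Only log, instead of reject, a certificate whose KeyUsage extension is missing or (for the
         * validated certificate itself) lacks the digitalSignature or nonRepudiation bit.
         */
        IGNORE_KEYUSAGE_CHECKS
    }

    /**
     * Creates a validator backed by a single store holding trusted certificates and CRLs.
     *
     * @param certificateStore trust store; must not be null, also records validation outcomes
     */
    public DefaultCertificateValidator(CertificateStore certificateStore) {
        this(certificateStore, null);
    }

    /**
     * Creates a validator with a separate store of issuer certificates for chain building.
     *
     * @param certificateStore        trust store; must not be null, also records validation outcomes
     * @param issuersCertificateStore store of intermediate/root issuer certificates and CRLs; may be null
     */
    public DefaultCertificateValidator(CertificateStore certificateStore, CertificateStore issuersCertificateStore) {
        this.ignoredChecks = new CopyOnWriteArraySet<IgnoredChecks>();
        this.certificateStore = certificateStore;
        this.issuersCertificateStore = issuersCertificateStore;
    }

    /** @return the trust store this validator reads trusted certificates and CRLs from */
    public CertificateStore getCertificateStore() {
        return this.certificateStore;
    }

    /**
     * @return the live, mutable set of relaxed checks; adding or removing an {@link IgnoredChecks}
     *         value takes effect on the next validation
     */
    public Set<IgnoredChecks> getIgnoredChecks() {
        return this.ignoredChecks;
    }

    /** @return the issuer certificate store, or null when none was configured */
    public CertificateStore getIssuersCertificateStore() {
        return this.issuersCertificateStore;
    }

    /** @return the listener consulted for the accept/reject decision, or null when the default policy applies */
    public DefaultCertificateValidatorListener getValidationListener() {
        return this.validationListener;
    }

    /**
     * @return true unless {@link IgnoredChecks#IGNORE_CA_MISSING_CRL} is set
     * @deprecated query {@link #getIgnoredChecks()} for {@link IgnoredChecks#IGNORE_CA_MISSING_CRL} instead
     */
    @Deprecated
    public boolean isRevocationListsRequired() {
        return !isIgnored(IgnoredChecks.IGNORE_CA_MISSING_CRL);
    }

    /**
     * Adds or removes {@link IgnoredChecks#IGNORE_CA_MISSING_CRL}.
     *
     * @param required true to require a CRL for every self-signed issuer, false to relax the check
     * @deprecated modify {@link #getIgnoredChecks()} directly
     */
    @Deprecated
    public void setRevocationListsRequired(boolean required) {
        if (required) {
            getIgnoredChecks().remove(IgnoredChecks.IGNORE_CA_MISSING_CRL);
        } else {
            getIgnoredChecks().add(IgnoredChecks.IGNORE_CA_MISSING_CRL);
        }
    }

    /**
     * Installs (or, with null, removes) the listener that decides whether a certificate is accepted.
     *
     * @param listener listener receiving the set of passed checks; null restores the default policy
     */
    public void setValidationListener(DefaultCertificateValidatorListener listener) {
        this.validationListener = listener;
    }

    /**
     * Validates a peer's application-instance certificate and records the outcome in the trust store.
     * <p>
     * Hard failures that end validation at once: a version other than 3; a missing KeyUsage extension or
     * missing digitalSignature/nonRepudiation bits (unless IGNORE_KEYUSAGE_CHECKS is set); presence in any
     * configured CRL; and a signature that is neither self-signed nor made by a certificate of the trust
     * or issuer store, or made by an issuer that fails its own validation. The remaining checks —
     * trust-store membership, validity period, ApplicationUri match — are collected as
     * {@link CertificateCheck}s and given to the listener; without a listener the certificate is accepted
     * permanently when every COMPULSORY check passed and rejected otherwise.
     *
     * @param applicationDescription what the peer announced; may be null, in which case the
     *                               ApplicationUri check counts as passed
     * @param cert                   certificate to validate; must not be null (see {@link #validateCertificate(Cert)})
     * @return GOOD when accepted, otherwise the Bad_* code describing the failed check;
     *         Bad_InternalError when a RuntimeException escapes the checks
     */
    @Override
    public StatusCode validateCertificate(ApplicationDescription applicationDescription, Cert cert) {
        try {
            logger.debug("validateCertificate: applicationDescription={}", applicationDescription);
            logger.debug("cert={}", cert);
            if (cert.certificate.getVersion() != 3) {
                logger.error("Certificate Versions is {}, must be 3", cert.certificate.getVersion());
                return StatusCode.valueOf(StatusCodes.Bad_CertificateUseNotAllowed);
            }
            boolean[] keyUsage = cert.certificate.getKeyUsage();
            if (keyUsage == null) {
                if (!isIgnored(IgnoredChecks.IGNORE_KEYUSAGE_CHECKS)) {
                    logger.error("Cert has no key usage extension: {}", cert);
                    return StatusCode.valueOf(StatusCodes.Bad_CertificateInvalid);
                }
                logger.warn("Cert has no key usage extension: {}", cert);
            } else if (!isIgnored(IgnoredChecks.IGNORE_KEYUSAGE_CHECKS)
                    && !(keyUsage[KEY_USAGE_DIGITAL_SIGNATURE] && keyUsage[KEY_USAGE_NON_REPUDIATION])) {
                // Only these two bits are required here; other KeyUsage bits are not examined.
                return StatusCode.valueOf(StatusCodes.Bad_CertificateUseNotAllowed);
            }
            boolean revoked = isRevoked(cert);
            logger.debug("isRevoked={}", revoked);
            if (revoked) {
                return StatusCode.valueOf(StatusCodes.Bad_CertificateRevoked);
            }
            StatusCode statusCode = StatusCode.GOOD;
            EnumSet<CertificateCheck> passed = EnumSet.noneOf(CertificateCheck.class);
            Set<Cert> trustedCerts = this.certificateStore.getTrustedCerts();
            if (trustedCerts != null && trustedCerts.contains(cert)) {
                logger.debug("trusted=yes");
                passed.add(CertificateCheck.Trusted);
            }
            logger.debug("trusted={}", passed.contains(CertificateCheck.Trusted));
            X509Certificate certificate = cert.getCertificate();
            // An expired or not-yet-valid certificate is not rejected here; Validity is simply left out
            // of the passed checks and the listener / default policy decides.
            if (isWithinValidityPeriod(certificate)) {
                logger.debug("valid=yes");
                passed.add(CertificateCheck.Validity);
            }
            logger.debug("valid={}", passed.contains(CertificateCheck.Validity));
            if (verifiesWith(certificate, certificate)) {
                logger.debug("signature=yes");
                logger.debug("self-signed=yes");
                passed.add(CertificateCheck.Signature);
                passed.add(CertificateCheck.SelfSigned);
            } else {
                IssuerCheck check = verifyAgainstIssuers(certificate, trustedCerts, false, statusCode);
                boolean issuerFound = check.issuerFound;
                statusCode = check.status;
                if (this.issuersCertificateStore != null && !issuerFound) {
                    check = verifyAgainstIssuers(certificate, this.issuersCertificateStore.getTrustedCerts(), true, statusCode);
                    issuerFound = check.issuerFound;
                    statusCode = check.status;
                } else if (issuerFound) {
                    // Signed by a trust-store certificate: the chain itself makes it trusted.
                    passed.add(CertificateCheck.Trusted);
                }
                if (!issuerFound) {
                    statusCode = StatusCode.valueOf(StatusCodes.Bad_CertificateChainIncomplete);
                }
                if (statusCode.isNotGood()) {
                    rememberRejection(trustedCerts, cert);
                    return statusCode;
                }
                logger.debug("signature=yes");
                passed.add(CertificateCheck.Signature);
            }
            logger.debug("signature={}", passed.contains(CertificateCheck.Signature));
            logger.debug("self-signed={}", passed.contains(CertificateCheck.SelfSigned));
            String applicationUri = applicationDescription == null ? null : applicationDescription.getApplicationUri();
            boolean uriMatches = applicationUri == null || matchesApplicationUri(certificate, applicationUri, passed);
            if (uriMatches) {
                passed.add(CertificateCheck.Uri);
                passed.add(CertificateCheck.UriValid);
            }
            logger.debug("uri={}", passed.contains(CertificateCheck.Uri));
            logger.debug("uriValid={}", passed.contains(CertificateCheck.UriValid));
            ValidationResult action = decide(cert, applicationDescription, passed);
            logger.debug("action={}", action);
            StatusCode result;
            switch (action) {
                case AcceptPermanently:
                    result = StatusCode.GOOD;
                    this.certificateStore.addCertificate(ValidationResult.AcceptPermanently, cert);
                    break;
                case AcceptOnce:
                    result = StatusCode.GOOD;
                    this.certificateStore.addCertificate(ValidationResult.AcceptOnce, cert);
                    break;
                case Reject:
                    result = rejectionStatus(passed);
                    rememberRejection(trustedCerts, cert);
                    break;
                default:
                    throw new RuntimeException("Encountered unknown enum value for ValidatiorResult: " + action);
            }
            return result;
        } catch (RuntimeException e) {
            logger.error("error while validating certificates", e);
            return StatusCode.valueOf(StatusCodes.Bad_InternalError);
        }
    }

    /**
     * Validates a certificate without an application description (no ApplicationUri check).
     * A null certificate is reported GOOD rather than rejected; callers that require a certificate
     * must check for null themselves.
     *
     * @param cert certificate to validate, or null
     * @return see {@link #validateCertificate(ApplicationDescription, Cert)}
     */
    @Override
    public StatusCode validateCertificate(Cert cert) {
        logger.debug("validateCertificate: Cert={}", cert);
        return cert == null ? StatusCode.GOOD : validateCertificate(null, cert);
    }

    /**
     * Validates an issuer certificate that signed a certificate under validation; called from
     * {@link #verifyAgainstIssuers} and therefore recursively up the chain. The package-private name is
     * kept for existing callers.
     * <p>
     * Checks, in order: version 3; KeyUsage present (its bits are not examined for issuers); absence from
     * every configured CRL; validity period; then either a self-signed signature — in which case a CRL
     * issued by this certificate must exist in the store holding it unless IGNORE_CA_MISSING_CRL is set —
     * or a signature by a trust-store or issuer-store certificate, whose own validation result is folded in.
     *
     * @param cert issuer certificate to validate
     * @return GOOD, or the Bad_* code of the first failed check; Bad_InternalError when a
     *         RuntimeException escapes the checks
     */
    StatusCode b(Cert cert) {
        try {
            logger.debug("issuerCert={}", cert);
            if (cert.certificate.getVersion() != 3) {
                logger.error("Certificate Versions is {}, must be 3", cert.certificate.getVersion());
                return StatusCode.valueOf(StatusCodes.Bad_CertificateUseNotAllowed);
            }
            if (cert.certificate.getKeyUsage() == null) {
                if (!isIgnored(IgnoredChecks.IGNORE_KEYUSAGE_CHECKS)) {
                    logger.error("Issuer Cert has no key usage extension: {}", cert);
                    return StatusCode.valueOf(StatusCodes.Bad_CertificateInvalid);
                }
                logger.warn("Issuer Cert has no key usage extension: {}", cert);
            }
            boolean revoked = isRevoked(cert);
            logger.debug("isRevoked={}", revoked);
            if (revoked) {
                return StatusCode.valueOf(StatusCodes.Bad_CertificateIssuerRevoked);
            }
            StatusCode statusCode = StatusCode.GOOD;
            EnumSet<CertificateCheck> passed = EnumSet.noneOf(CertificateCheck.class);
            Set<Cert> trustedCerts = this.certificateStore.getTrustedCerts();
            boolean inTrustStore = trustedCerts != null && trustedCerts.contains(cert);
            if (inTrustStore) {
                logger.debug("trusted=yes");
                passed.add(CertificateCheck.Trusted);
            }
            logger.debug("trusted={}", passed.contains(CertificateCheck.Trusted));
            X509Certificate certificate = cert.getCertificate();
            // Unlike the end-entity certificate, an issuer outside its validity period is a hard failure.
            if (!isWithinValidityPeriod(certificate)) {
                return StatusCode.valueOf(StatusCodes.Bad_CertificateTimeInvalid);
            }
            logger.debug("valid=yes");
            passed.add(CertificateCheck.Validity);
            logger.debug("valid={}", passed.contains(CertificateCheck.Validity));
            if (verifiesWith(certificate, certificate)) {
                logger.debug("signature=yes");
                logger.debug("self-signed=yes");
                passed.add(CertificateCheck.Signature);
                passed.add(CertificateCheck.SelfSigned);
                // A self-signed (root) issuer is expected to publish a CRL into the store that holds it;
                // without one the revocation state of everything it signed is unknown.
                boolean crlAvailable;
                if (inTrustStore) {
                    crlAvailable = hasCrlFromIssuer(this.certificateStore, cert);
                } else if (this.issuersCertificateStore != null) {
                    crlAvailable = hasCrlFromIssuer(this.issuersCertificateStore, cert);
                } else {
                    crlAvailable = false;
                }
                // NOTE(review): the decompiled listing left this flag unassigned on the chained-issuer path
                // below, which does not compile; applying the CRL requirement to self-signed issuers only is
                // the one reading consistent with that listing — confirm against the original source.
                if (!crlAvailable && !isIgnored(IgnoredChecks.IGNORE_CA_MISSING_CRL)) {
                    return StatusCode.valueOf(StatusCodes.Bad_CertificateRevocationUnknown);
                }
            } else {
                IssuerCheck check = verifyAgainstIssuers(certificate, trustedCerts, false, statusCode);
                boolean issuerFound = check.issuerFound;
                statusCode = check.status;
                if (this.issuersCertificateStore != null && !issuerFound) {
                    check = verifyAgainstIssuers(certificate, this.issuersCertificateStore.getTrustedCerts(), true, statusCode);
                    issuerFound = check.issuerFound;
                    statusCode = check.status;
                } else if (issuerFound) {
                    passed.add(CertificateCheck.Trusted);
                }
                if (!issuerFound) {
                    statusCode = StatusCode.valueOf(StatusCodes.Bad_CertificateChainIncomplete);
                }
                if (statusCode.isNotGood()) {
                    return statusCode;
                }
                logger.debug("signature=yes");
                passed.add(CertificateCheck.Signature);
                passed.add(CertificateCheck.Trusted);
            }
            logger.debug("issuer signature={}", passed.contains(CertificateCheck.Signature));
            logger.debug("issuer self-signed={}", passed.contains(CertificateCheck.SelfSigned));
            return statusCode;
        } catch (RuntimeException e) {
            logger.error("Error while validating certificate chain", e);
            return StatusCode.valueOf(StatusCodes.Bad_InternalError);
        }
    }

    /**
     * Outcome of {@link #verifyAgainstIssuers}: whether some store certificate signed the candidate, and
     * the status accumulated from validating the issuers that did.
     */
    private static final class IssuerCheck {
        /** True when at least one certificate of the store verified the candidate's signature. */
        final boolean issuerFound;
        /** Status after folding in the validation results of the matching issuers. */
        final StatusCode status;

        IssuerCheck(boolean issuerFound, StatusCode status) {
            this.issuerFound = issuerFound;
            this.status = status;
        }
    }

    /**
     * Tries every certificate in {@code issuers} as the signer of {@code candidate}. Each issuer that
     * verifies the signature is itself validated with {@link #b(Cert)} and its result mapped into the
     * returned status; a later, good issuer never clears a failure recorded by an earlier one.
     *
     * @param candidate       certificate whose signature is being checked
     * @param issuers         certificates to try as signers; null is treated as empty
     * @param fromIssuerStore true when {@code issuers} come from the issuer store rather than the trust
     *                        store, which changes how an unknown revocation state of the issuer is reported
     * @param current         status accumulated so far
     * @return whether a signer was found, plus the updated status
     */
    private IssuerCheck verifyAgainstIssuers(X509Certificate candidate, Set<Cert> issuers, boolean fromIssuerStore, StatusCode current) {
        boolean issuerFound = false;
        StatusCode status = current;
        if (issuers != null) {
            for (Cert issuer : issuers) {
                if (!verifiesWith(candidate, issuer.getCertificate())) {
                    continue; // this store entry did not sign the candidate; try the next one
                }
                issuerFound = true;
                // NOTE(review): b() recurses into the issuer's own chain; two non-self-signed store
                // entries that sign each other would recurse without bound — confirm the stores cannot
                // hold such a pair.
                status = mapIssuerStatus(b(issuer), fromIssuerStore, status);
            }
        }
        return new IssuerCheck(issuerFound, status);
    }

    /**
     * Translates the validation status of an issuer into the status reported for the certificate it signed.
     *
     * @param issuerStatus    result of {@link #b(Cert)} for the issuer
     * @param fromIssuerStore true when the issuer was taken from the issuer store
     * @param current         status accumulated so far; returned unchanged when the issuer is good
     * @return the status to carry forward
     */
    private static StatusCode mapIssuerStatus(StatusCode issuerStatus, boolean fromIssuerStore, StatusCode current) {
        if (issuerStatus.isStatusCode(StatusCodes.Bad_CertificateRevoked)) {
            return StatusCode.valueOf(StatusCodes.Bad_CertificateIssuerRevoked);
        }
        if (issuerStatus.isStatusCode(StatusCodes.Bad_CertificateTimeInvalid)) {
            return StatusCode.valueOf(StatusCodes.Bad_CertificateIssuerTimeInvalid);
        }
        if (issuerStatus.isStatusCode(StatusCodes.Bad_CertificateChainIncomplete)
                || issuerStatus.isStatusCode(StatusCodes.Bad_CertificateIssuerRevoked)
                || issuerStatus.isStatusCode(StatusCodes.Bad_CertificateIssuerTimeInvalid)) {
            return issuerStatus; // already phrased in terms of the issuer: pass through unchanged
        }
        if (issuerStatus.isStatusCode(StatusCodes.Bad_CertificateRevocationUnknown)
                || issuerStatus.isStatusCode(StatusCodes.Bad_CertificateIssuerRevocationUnknown)) {
            // Trust-store issuers report their own code; issuer-store issuers always report
            // Bad_CertificateIssuerRevocationUnknown.
            return fromIssuerStore ? StatusCode.valueOf(StatusCodes.Bad_CertificateIssuerRevocationUnknown) : issuerStatus;
        }
        if (issuerStatus.isNotGood()) {
            return StatusCode.valueOf(StatusCodes.Bad_CertificateInvalid); // any other issuer failure
        }
        return current;
    }

    /**
     * Maps the passed checks of a rejected certificate to the status code reported to the peer.
     *
     * @param passed checks the certificate passed
     * @return Bad_SecurityChecksFailed, Bad_CertificateTimeInvalid or Bad_CertificateUriInvalid
     */
    private static StatusCode rejectionStatus(EnumSet<CertificateCheck> passed) {
        if (!passed.contains(CertificateCheck.Trusted) || !passed.contains(CertificateCheck.Signature)) {
            return StatusCode.valueOf(StatusCodes.Bad_SecurityChecksFailed);
        }
        if (!passed.contains(CertificateCheck.Validity)) {
            return StatusCode.valueOf(StatusCodes.Bad_CertificateTimeInvalid);
        }
        if (passed.contains(CertificateCheck.Uri)) {
            // Trusted, signed, valid and URI present, yet rejected (by a listener): no specific code fits.
            logger.warn("Rejected a certificate which did contain passedchecks: {}", passed);
            return StatusCode.valueOf(StatusCodes.Bad_SecurityChecksFailed);
        }
        return StatusCode.valueOf(StatusCodes.Bad_CertificateUriInvalid);
    }

    /**
     * Compares the ApplicationUri carried in the certificate's SubjectAlternativeNames with the one the
     * peer announced.
     * <p>
     * When the JDK refuses to parse the SAN URI, the raw text is recovered from the exception message;
     * if it equals the announced URI the {@code Uri} check is marked passed (but not {@code UriValid}),
     * so a listener can still distinguish "present but malformed" from "absent".
     *
     * @param certificate    certificate under validation
     * @param applicationUri URI announced by the peer; must not be null
     * @param passed         set of passed checks; {@code Uri} may be added as described above
     * @return true when the certificate's ApplicationUri parses and equals {@code applicationUri}
     */
    private static boolean matchesApplicationUri(X509Certificate certificate, String applicationUri, EnumSet<CertificateCheck> passed) {
        try {
            // Null-safe: a certificate without an ApplicationUri simply fails the match.
            return applicationUri.equals(CertificateUtils.getApplicationUriOfCertificate(certificate));
        } catch (CertificateParsingException e) {
            Throwable cause = e.getCause();
            String message = cause == null ? null : cause.getMessage();
            if (message != null && message.contains(INVALID_URI_NAME_MARKER)) {
                String[] split = message.split(INVALID_URI_NAME_MARKER);
                if (split.length == 2 && split[1].equals(applicationUri)) {
                    logger.warn("The provided certificate contains an invalid ApplicationURI: {}", split[1]);
                    passed.add(CertificateCheck.Uri);
                } else {
                    logger.warn("The provided certificate does not define the ApplicationURI", e);
                }
            } else {
                logger.warn("The provided certificate has an invalid SubjectAlternativeNames field", e);
            }
            return false;
        }
    }

    /**
     * Asks the listener, if any, for the decision; otherwise accepts permanently when all COMPULSORY
     * checks passed and rejects otherwise.
     */
    private ValidationResult decide(Cert cert, ApplicationDescription applicationDescription, EnumSet<CertificateCheck> passed) {
        DefaultCertificateValidatorListener listener = this.validationListener; // single volatile read
        if (listener != null) {
            return listener.onValidate(cert, applicationDescription, passed);
        }
        return passed.containsAll(CertificateCheck.COMPULSORY) ? ValidationResult.AcceptPermanently : ValidationResult.Reject;
    }

    /** Records a rejection in the trust store, unless the certificate is already a trusted one. */
    private void rememberRejection(Set<Cert> trustedCerts, Cert cert) {
        if (trustedCerts != null && !trustedCerts.contains(cert)) {
            this.certificateStore.addCertificate(ValidationResult.Reject, cert);
        }
    }

    /** @return true when {@code check} has been switched off via {@link #getIgnoredChecks()} */
    private boolean isIgnored(IgnoredChecks check) {
        return this.ignoredChecks.contains(check);
    }

    /** @return true when the certificate is listed in a CRL of the trust store or of the issuer store */
    private boolean isRevoked(Cert cert) {
        if (isListedInCrls(this.certificateStore, cert)) {
            return true;
        }
        return this.issuersCertificateStore != null && isListedInCrls(this.issuersCertificateStore, cert);
    }

    /** @return true when any CRL in {@code store} lists {@code cert} as revoked */
    private static boolean isListedInCrls(CertificateStore store, Cert cert) {
        for (X509CRL crl : store.getRevocationLists()) {
            if (crl.isRevoked(cert.getCertificate())) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return true when {@code store} holds a CRL whose issuer equals the issuer of {@code cert}
     *         (only meaningful for self-signed certificates, where issuer and subject coincide)
     */
    private static boolean hasCrlFromIssuer(CertificateStore store, Cert cert) {
        for (X509CRL crl : store.getRevocationLists()) {
            // getIssuerDN() kept for equality semantics identical to the previous implementation.
            if (crl.getIssuerDN().equals(cert.certificate.getIssuerDN())) {
                return true;
            }
        }
        return false;
    }

    /** @return true when the signature on {@code candidate} verifies with the public key of {@code signer} */
    private static boolean verifiesWith(X509Certificate candidate, X509Certificate signer) {
        try {
            candidate.verify(signer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            // Wrong key, unsupported algorithm or malformed signature all mean "not signed by this key".
            return false;
        }
    }

    /** @return true when the current time lies within the certificate's notBefore/notAfter window */
    private static boolean isWithinValidityPeriod(X509Certificate certificate) {
        try {
            certificate.checkValidity();
            return true;
        } catch (CertificateExpiredException e) {
            return false;
        } catch (CertificateNotYetValidException e) {
            return false;
        }
    }
}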
