package com.helger.peppol.utils;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.commons.collection.impl.CommonsHashSet;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.concurrent.SimpleReadWriteLock;
import com.helger.commons.datetime.PDTFactory;
import com.helger.commons.functional.IFunction;
import com.helger.commons.state.ETriState;
import com.helger.commons.timing.StopWatch;
import com.helger.peppol.smp.SMPTransportProfile;
import com.helger.peppol.utils.PeppolKeyStoreHelper;
import java.lang.invoke.SerializedLambda;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.util.Date;
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.GuardedBy;
import javax.annotation.concurrent.ThreadSafe;
import javax.security.auth.x500.X500Principal;
import net.jodah.expiringmap.ExpirationPolicy;
import net.jodah.expiringmap.ExpiringMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

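@ThreadSafe
/**
 * Checks Peppol Access Point (AP) and Service Metadata Publisher (SMP)
 * certificates against the Peppol "Config2018" CA certificates.
 * <p>
 * A check consists of three steps, in this order: validity period, issuer
 * must be one of the known Peppol CAs (DN comparison), and a PKIX path
 * build/validation with revocation checking (OCSP and/or CRL). The
 * revocation step is <em>fail closed</em>: any {@link GeneralSecurityException}
 * raised by the PKIX machinery is reported to the configured exception handler
 * and the certificate is treated as revoked.
 * <p>
 * Global switches ({@link #setOCSPEnabled(boolean)},
 * {@link #setCacheOCSPResults(boolean)}) are atomic; the exception handler is
 * guarded by a read/write lock; revocation results may be cached for a fixed
 * time per certificate.
 */
public final class PeppolCertificateChecker {
    /**
     * Default for {@link #isOCSPEnabled()}: perform OCSP lookups. The historic
     * "OSCP" spelling is kept because the constant is public API.
     */
    public static final boolean DEFAULT_OSCP_CHECK_ENABLED = true;
    /** Default for {@link #isCacheOCSPResults()}: cache revocation results. */
    public static final boolean DEFAULT_CACHE_OSCP_RESULTS = true;

    private static final Logger LOGGER = LoggerFactory.getLogger(PeppolCertificateChecker.class);

    /** Revocation checks that take longer than this are logged at WARN level. */
    private static final long WARN_THRESHOLD_MILLIS = 500L;

    /** Peppol AP CA certificates (pilot and production); used as PKIX trust anchors. */
    private static final ICommonsList<X509Certificate> PEPPOL_AP_CA_CERTS = new CommonsArrayList<>(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_AP,
                                                                                                    PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_AP);
    /** Peppol SMP CA certificates (pilot and production); used as PKIX trust anchors. */
    private static final ICommonsList<X509Certificate> PEPPOL_SMP_CA_CERTS = new CommonsArrayList<>(PeppolKeyStoreHelper.Config2018.CERTIFICATE_PILOT_SMP,
                                                                                                     PeppolKeyStoreHelper.Config2018.CERTIFICATE_PRODUCTION_SMP);
    /** Subject DNs of the AP CAs; an AP certificate's issuer DN must be one of these. */
    private static final ICommonsList<X500Principal> PEPPOL_AP_CA_ISSUERS = new CommonsArrayList<>(PEPPOL_AP_CA_CERTS,
                                                                                                    X509Certificate::getSubjectX500Principal);
    /** Subject DNs of the SMP CAs; an SMP certificate's issuer DN must be one of these. */
    private static final ICommonsList<X500Principal> PEPPOL_SMP_CA_ISSUERS = new CommonsArrayList<>(PEPPOL_SMP_CA_CERTS,
                                                                                                     X509Certificate::getSubjectX500Principal);

    private static final AtomicBoolean OCSP_ENABLED = new AtomicBoolean(DEFAULT_OSCP_CHECK_ENABLED);
    private static final AtomicBoolean CACHE_OCSP_RESULTS = new AtomicBoolean(DEFAULT_CACHE_OSCP_RESULTS);

    private static final SimpleReadWriteLock s_aRWLock = new SimpleReadWriteLock();

    /**
     * Handler invoked with the exception whenever a revocation check cannot be
     * completed. The default only logs; the certificate is still treated as
     * revoked by the caller.
     */
    @GuardedBy("s_aRWLock")
    private static Consumer<? super GeneralSecurityException> s_aExceptionHdl = ex -> LOGGER.warn("Certificate revocation check failed - treating certificate as revoked",
                                                                                                  ex);

    /**
     * Caches for revocation results. The cached value is computed with the
     * check date "now" and the global OCSP setting (ETriState.UNDEFINED), so a
     * cache hit does not reflect a caller-supplied date or OCSP override.
     */
    private static final PeppolRevocationCache REVOCATION_CACHE_AP = new PeppolRevocationCache(aCert -> Boolean.valueOf(isPeppolAPCertificateRevoked(aCert,
                                                                                                                                                       null,
                                                                                                                                                       ETriState.UNDEFINED,
                                                                                                                                                       getExceptionHdl())));
    private static final PeppolRevocationCache REVOCATION_CACHE_SMP = new PeppolRevocationCache(aCert -> Boolean.valueOf(isPeppolSMPCertificateRevoked(aCert,
                                                                                                                                                         null,
                                                                                                                                                         ETriState.UNDEFINED,
                                                                                                                                                         getExceptionHdl())));

    /**
     * Time-limited cache of "is revoked" results, keyed per certificate, so
     * repeated checks of the same certificate do not hit OCSP/CRL endpoints
     * again within the expiration window.
     */
    @ThreadSafe
    public static final class PeppolRevocationCache {
        /** Entries expire a fixed time after creation regardless of access. */
        private final ExpiringMap<String, Boolean> m_aCache = ExpiringMap.builder()
                                                                          .expirationPolicy(ExpirationPolicy.CREATED)
                                                                          .expiration(6, TimeUnit.HOURS)
                                                                          .build();
        private final IFunction<X509Certificate, Boolean> m_aValueProvider;

        /**
         * @param aValueProvider
         *        Computes the revocation state for a certificate on a cache miss.
         *        Must return a non-null Boolean.
         */
        public PeppolRevocationCache(@Nonnull final IFunction<X509Certificate, Boolean> aValueProvider) {
            m_aValueProvider = aValueProvider;
        }

        /**
         * Cache key: subject DN plus serial number. The check date and OCSP
         * settings are deliberately not part of the key.
         */
        @Nonnull
        private static String _getKey(@Nonnull final X509Certificate aCert) {
            return aCert.getSubjectX500Principal().getName() + "-" + aCert.getSerialNumber().toString();
        }

        /**
         * @param aCert
         *        Certificate to check. May not be <code>null</code>.
         * @return <code>true</code> if the (possibly cached) provider result says
         *         the certificate is revoked.
         */
        public boolean isRevoked(@Nonnull final X509Certificate aCert) {
            final String sKey = _getKey(aCert);
            // Only the first call per key within the expiration window invokes the
            // provider; later calls return the cached Boolean
            return m_aCache.computeIfAbsent(sKey, k -> m_aValueProvider.apply(aCert)).booleanValue();
        }

        /** Drops all cached results. */
        public void clearCache() {
            m_aCache.clear();
        }
    }

    private PeppolCertificateChecker() {
    }

    /** @return <code>true</code> if OCSP is used when the caller passes {@link ETriState#UNDEFINED}. */
    public static boolean isOCSPEnabled() {
        return OCSP_ENABLED.get();
    }

    /** @param bEnabled Global default for OCSP usage. */
    public static void setOCSPEnabled(final boolean bEnabled) {
        OCSP_ENABLED.set(bEnabled);
    }

    /** @return <code>true</code> if revocation results are cached when the caller passes {@link ETriState#UNDEFINED}. */
    public static boolean isCacheOCSPResults() {
        return CACHE_OCSP_RESULTS.get();
    }

    /** @param bCache Global default for caching revocation results. */
    public static void setCacheOCSPResults(final boolean bCache) {
        CACHE_OCSP_RESULTS.set(bCache);
    }

    /** Clears both the AP and the SMP revocation caches. */
    public static void clearOCSPCache() {
        REVOCATION_CACHE_AP.clearCache();
        REVOCATION_CACHE_SMP.clearCache();
    }

    /**
     * @return The handler that receives exceptions from failed revocation
     *         checks. Never <code>null</code>.
     */
    @Nonnull
    public static Consumer<? super GeneralSecurityException> getExceptionHdl() {
        return s_aRWLock.readLocked(() -> s_aExceptionHdl);
    }

    /**
     * @param aExceptionHdl
     *        New handler for exceptions from failed revocation checks. May not
     *        be <code>null</code>.
     */
    public static void setExceptionHdl(@Nonnull final Consumer<? super GeneralSecurityException> aExceptionHdl) {
        ValueEnforcer.notNull(aExceptionHdl, "ExceptionHdl");
        s_aRWLock.writeLocked(() -> s_aExceptionHdl = aExceptionHdl);
    }

    /**
     * Builds the PKIX parameters for a revocation check: the certificate under
     * test is the only acceptable target, every valid CA is a trust anchor and
     * is additionally offered through a collection cert store.
     *
     * @throws GeneralSecurityException
     *         If the trust anchor set is rejected or the "Collection" cert
     *         store type is unavailable.
     */
    @Nonnull
    private static PKIXBuilderParameters _createPKIXParams(@Nonnull final X509Certificate aCert,
                                                           @Nonnull final ICommonsList<X509Certificate> aValidCAs,
                                                           @Nullable final LocalDateTime aCheckDT) throws GeneralSecurityException {
        final X509CertSelector aSelector = new X509CertSelector();
        aSelector.setCertificate(aCert);

        // No name constraints on the anchors
        final Set<TrustAnchor> aTrustAnchors = new CommonsHashSet<>(aValidCAs, c -> new TrustAnchor(c, null));
        final PKIXBuilderParameters aPKIXParams = new PKIXBuilderParameters(aTrustAnchors, aSelector);
        aPKIXParams.setRevocationEnabled(true);
        if (aCheckDT != null) {
            // Validate the path as of this point in time instead of "now"
            aPKIXParams.setDate(PDTFactory.createDate(aCheckDT));
        }
        aPKIXParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(aValidCAs)));
        return aPKIXParams;
    }

    /**
     * Maps the OCSP switch onto {@link PKIXRevocationChecker} options.
     * <p>
     * With an explicitly registered checker the JDK derives its OCSP/CRL mode
     * from these options (not from the "ocsp.enable" Security property), so
     * "OCSP off" has to be expressed as "CRLs only, no fallback". SOFT_FAIL is
     * deliberately absent: an unreachable responder/CRL surfaces as an
     * exception and the caller fails closed.
     *
     * @param bOCSPEnabled
     *        <code>true</code> to prefer OCSP (with CRL fallback), <code>false</code> for CRLs only.
     * @return A new mutable option set. Always contains ONLY_END_ENTITY.
     */
    @Nonnull
    private static EnumSet<PKIXRevocationChecker.Option> _getRevocationOptions(final boolean bOCSPEnabled) {
        final EnumSet<PKIXRevocationChecker.Option> aOptions = EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        if (!bOCSPEnabled) {
            aOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            aOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        return aOptions;
    }

    /** Logs how long a revocation check took; slow checks are warnings. */
    private static void _logDuration(final long nMillis) {
        if (nMillis > WARN_THRESHOLD_MILLIS) {
            LOGGER.warn("OCSP/CLR revocation check took " + nMillis + " milliseconds which is too long");
        } else if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("OCSP/CLR revocation check took " + nMillis + " milliseconds");
        }
    }

    /**
     * Performs a PKIX path build and validation with revocation checking for
     * the given certificate against the given CA certificates.
     *
     * @param aCert
     *        Certificate to check. May not be <code>null</code>.
     * @param aValidCAs
     *        CA certificates that serve as trust anchors. May neither be
     *        <code>null</code> nor empty.
     * @param aCheckDT
     *        Point in time to validate for, or <code>null</code> for "now".
     * @param eCheckOSCP
     *        TRUE/FALSE to force OCSP on/off, UNDEFINED to use
     *        {@link #isOCSPEnabled()}.
     * @param aExceptionHdl
     *        Receives the exception when the check cannot be completed.
     * @return <code>false</code> only if a valid, non-revoked path to one of
     *         the CAs was built and validated. <code>true</code> if the
     *         certificate is revoked <em>or</em> the check failed for any other
     *         {@link GeneralSecurityException} reason (fail closed). Other
     *         runtime exceptions propagate.
     */
    public static boolean isCertificateRevoked(@Nonnull final X509Certificate aCert,
                                               @Nonnull final ICommonsList<X509Certificate> aValidCAs,
                                               @Nullable final LocalDateTime aCheckDT,
                                               @Nonnull final ETriState eCheckOSCP,
                                               @Nonnull final Consumer<? super GeneralSecurityException> aExceptionHdl) {
        ValueEnforcer.notNull(aCert, "Cert");
        ValueEnforcer.notEmpty(aValidCAs, "ValidCAs");
        ValueEnforcer.notNull(eCheckOSCP, "CheckOSCP");
        ValueEnforcer.notNull(aExceptionHdl, "ExceptionHdl");

        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Performing certificate revocation check on certificate '" +
                         aCert.getSubjectX500Principal().getName() +
                         "'" +
                         (aCheckDT != null ? " for datetime " + aCheckDT : ""));
        }

        final StopWatch aSW = StopWatch.createdStarted();
        try {
            final boolean bOCSPEnabled = eCheckOSCP.isUndefined() ? isOCSPEnabled() : eCheckOSCP.isTrue();

            // Process-wide, mutable JVM setting kept for backward compatibility. It
            // steers the JDK's implicit revocation checker (i.e. other PKIX users in
            // this JVM) and is racy between concurrent callers with different flags;
            // the checker registered below does not depend on it.
            try {
                Security.setProperty("ocsp.enable", Boolean.toString(bOCSPEnabled));
            } catch (final SecurityException ex) {
                LOGGER.warn("Failed to set Security property 'ocsp.enable' to '" + bOCSPEnabled + "'");
            }

            final PKIXBuilderParameters aPKIXParams = _createPKIXParams(aCert, aValidCAs, aCheckDT);

            final CertPathBuilder aCPB = CertPathBuilder.getInstance("PKIX");
            final PKIXRevocationChecker aRevChecker = (PKIXRevocationChecker) aCPB.getRevocationChecker();
            aRevChecker.setOptions(_getRevocationOptions(bOCSPEnabled));
            // A checker obtained from getRevocationChecker() is inert until it is
            // registered; without this call its options silently do not apply and
            // the JDK falls back to its implicit checker.
            aPKIXParams.addCertPathChecker(aRevChecker);

            final PKIXCertPathBuilderResult aBuilderResult = (PKIXCertPathBuilderResult) aCPB.build(aPKIXParams);
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("OCSP/CLR builder result = " + aBuilderResult);
            }

            // Belt and braces: run the validator over the built path as well
            final PKIXCertPathValidatorResult aValidatorResult = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX")
                                                                                                                 .validate(aBuilderResult.getCertPath(),
                                                                                                                           aPKIXParams);
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("OCSP/CLR validation result = " + aValidatorResult);
            }
            return false;
        } catch (final GeneralSecurityException ex) {
            // Covers CertPathBuilderException (revoked, no path, responder
            // unreachable, ...) as well as provider/algorithm errors
            aExceptionHdl.accept(ex);
            return true;
        } finally {
            _logDuration(aSW.stopAndGetMillis());
        }
    }

    /**
     * Revocation check against the Peppol AP CAs.
     *
     * @see #isCertificateRevoked(X509Certificate, ICommonsList, LocalDateTime, ETriState, Consumer)
     */
    public static boolean isPeppolAPCertificateRevoked(@Nonnull final X509Certificate aCert,
                                                       @Nullable final LocalDateTime aCheckDT,
                                                       @Nonnull final ETriState eCheckOSCP,
                                                       @Nonnull final Consumer<? super GeneralSecurityException> aExceptionHdl) {
        return isCertificateRevoked(aCert, PEPPOL_AP_CA_CERTS, aCheckDT, eCheckOSCP, aExceptionHdl);
    }

    /**
     * Revocation check against the Peppol SMP CAs.
     *
     * @see #isCertificateRevoked(X509Certificate, ICommonsList, LocalDateTime, ETriState, Consumer)
     */
    public static boolean isPeppolSMPCertificateRevoked(@Nonnull final X509Certificate aCert,
                                                        @Nullable final LocalDateTime aCheckDT,
                                                        @Nonnull final ETriState eCheckOSCP,
                                                        @Nonnull final Consumer<? super GeneralSecurityException> aExceptionHdl) {
        return isCertificateRevoked(aCert, PEPPOL_SMP_CA_CERTS, aCheckDT, eCheckOSCP, aExceptionHdl);
    }

    /**
     * Full certificate check: validity period, issuer, revocation.
     *
     * @param aCert
     *        Certificate to check. <code>null</code> yields NO_CERTIFICATE_PROVIDED.
     * @param aCheckDT
     *        Point in time to check for, or <code>null</code> for "now".
     * @param aIssuers
     *        Accepted issuer DNs.
     * @param aValidCAs
     *        CA certificates used as trust anchors for the revocation check.
     * @param aCache
     *        Revocation cache to consult, or <code>null</code> to always perform
     *        a live check. Note that a cache hit ignores aCheckDT and eCheckOSCP.
     * @param eCheckOSCP
     *        OCSP switch for the live check.
     * @return The first failing step's result, else VALID.
     */
    @Nonnull
    private static EPeppolCertificateCheckResult _checkCertificate(@Nullable final X509Certificate aCert,
                                                                   @Nullable final LocalDateTime aCheckDT,
                                                                   @Nonnull final ICommonsList<X500Principal> aIssuers,
                                                                   @Nonnull final ICommonsList<X509Certificate> aValidCAs,
                                                                   @Nullable final PeppolRevocationCache aCache,
                                                                   @Nonnull final ETriState eCheckOSCP) {
        if (aCert == null) {
            return EPeppolCertificateCheckResult.NO_CERTIFICATE_PROVIDED;
        }

        // 1. validity period (createDate(null) yields null -> check against "now")
        try {
            final Date aCheckDate = PDTFactory.createDate(aCheckDT);
            if (aCheckDate == null) {
                aCert.checkValidity();
            } else {
                aCert.checkValidity(aCheckDate);
            }
        } catch (final CertificateExpiredException ex) {
            return EPeppolCertificateCheckResult.EXPIRED;
        } catch (final CertificateNotYetValidException ex) {
            return EPeppolCertificateCheckResult.NOT_YET_VALID;
        }

        // 2. issuer DN must be a known Peppol CA. This is a name comparison only;
        //    the signature chain is verified by the PKIX path build in step 3.
        if (!aIssuers.contains(aCert.getIssuerX500Principal())) {
            return EPeppolCertificateCheckResult.UNSUPPORTED_ISSUER;
        }

        // 3. revocation, cached or live
        final boolean bRevoked;
        if (aCache != null) {
            bRevoked = aCache.isRevoked(aCert);
        } else {
            bRevoked = isCertificateRevoked(aCert, aValidCAs, aCheckDT, eCheckOSCP, getExceptionHdl());
        }
        return bRevoked ? EPeppolCertificateCheckResult.REVOKED : EPeppolCertificateCheckResult.VALID;
    }

    /**
     * Resolves the caller's tri-state "use cache" wish against the global
     * default.
     *
     * @return aCache if results should be cached, else <code>null</code>.
     */
    @Nullable
    private static PeppolRevocationCache _resolveCache(@Nonnull final ETriState eCacheOSCPResult,
                                                       @Nonnull final PeppolRevocationCache aCache) {
        final boolean bUseCache = eCacheOSCPResult.isUndefined() ? isCacheOCSPResults() : eCacheOSCPResult.isTrue();
        return bUseCache ? aCache : null;
    }

    /**
     * Checks an AP certificate.
     *
     * @param aCert
     *        Certificate to check. May be <code>null</code>.
     * @param aCheckDT
     *        Point in time to check for, or <code>null</code> for "now".
     * @param eCacheOSCPResult
     *        TRUE/FALSE to force caching on/off, UNDEFINED to use
     *        {@link #isCacheOCSPResults()}. Cached results ignore aCheckDT and
     *        eCheckOSCP.
     * @param eCheckOSCP
     *        TRUE/FALSE to force OCSP on/off, UNDEFINED to use
     *        {@link #isOCSPEnabled()}.
     * @return Never <code>null</code>.
     */
    @Nonnull
    public static EPeppolCertificateCheckResult checkPeppolAPCertificate(@Nullable final X509Certificate aCert,
                                                                         @Nullable final LocalDateTime aCheckDT,
                                                                         @Nonnull final ETriState eCacheOSCPResult,
                                                                         @Nonnull final ETriState eCheckOSCP) {
        return _checkCertificate(aCert,
                                 aCheckDT,
                                 PEPPOL_AP_CA_ISSUERS,
                                 PEPPOL_AP_CA_CERTS,
                                 _resolveCache(eCacheOSCPResult, REVOCATION_CACHE_AP),
                                 eCheckOSCP);
    }

    /**
     * Checks an SMP certificate.
     *
     * @param aCert
     *        Certificate to check. May be <code>null</code>.
     * @param aCheckDT
     *        Point in time to check for, or <code>null</code> for "now".
     * @param eCacheOSCPResult
     *        TRUE/FALSE to force caching on/off, UNDEFINED to use
     *        {@link #isCacheOCSPResults()}. Cached results ignore aCheckDT and
     *        eCheckOSCP.
     * @param eCheckOSCP
     *        TRUE/FALSE to force OCSP on/off, UNDEFINED to use
     *        {@link #isOCSPEnabled()}.
     * @return Never <code>null</code>.
     */
    @Nonnull
    public static EPeppolCertificateCheckResult checkPeppolSMPCertificate(@Nullable final X509Certificate aCert,
                                                                          @Nullable final LocalDateTime aCheckDT,
                                                                          @Nonnull final ETriState eCacheOSCPResult,
                                                                          @Nonnull final ETriState eCheckOSCP) {
        return _checkCertificate(aCert,
                                 aCheckDT,
                                 PEPPOL_SMP_CA_ISSUERS,
                                 PEPPOL_SMP_CA_CERTS,
                                 _resolveCache(eCacheOSCPResult, REVOCATION_CACHE_SMP),
                                 eCheckOSCP);
    }
}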
