package org.eclipse.milo.opcua.stack.core.application;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import com.google.common.util.concurrent.Uninterruptibles;
import io.netty.buffer.ByteBufUtil;
import io.netty.buffer.Unpooled;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.file.ClosedWatchServiceException;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
import org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtil;
import org.eclipse.milo.opcua.stack.core.util.DigestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/milo/opcua/stack/core/application/DefaultCertificateValidator.class */
public class DefaultCertificateValidator implements CertificateValidator, AutoCloseable {
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final Set<X509Certificate> trustedCertificates = Sets.newConcurrentHashSet();
    private final Set<X509Certificate> authorityCertificates = Sets.newConcurrentHashSet();
    private final File trustedDir;
    private final File rejectedDir;
    private final File revocationDir;
    private WatchService watchService;
    private Thread thread;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/milo/opcua/stack/core/application/DefaultCertificateValidator$Watcher.class */
    public class Watcher implements Runnable {
        private final WatchService watchService;
        private final WatchKey trustedKey;

        Watcher(WatchService watchService, WatchKey watchKey) {
            this.watchService = watchService;
            this.trustedKey = watchKey;
        }

        @Override // java.lang.Runnable
        public void run() {
            WatchKey take;
            while (true) {
                try {
                    take = this.watchService.take();
                    if (take == this.trustedKey) {
                        Iterator<WatchEvent<?>> it = take.pollEvents().iterator();
                        while (it.hasNext()) {
                            if (it.next().kind() != StandardWatchEventKinds.OVERFLOW) {
                                DefaultCertificateValidator.this.synchronizeTrustedCertificates();
                            }
                        }
                    }
                } catch (InterruptedException e) {
                    DefaultCertificateValidator.this.logger.error("Watcher interrupted.", e);
                } catch (ClosedWatchServiceException e2) {
                    DefaultCertificateValidator.this.logger.info("Watcher got closed");
                    return;
                }
                if (!take.reset()) {
                    DefaultCertificateValidator.this.logger.warn("Failed to reset watch key");
                    return;
                }
                continue;
            }
        }
    }

    public DefaultCertificateValidator(File file) {
        this.trustedDir = new File(file.getAbsolutePath() + File.separator + "trusted");
        if (!this.trustedDir.exists() && !this.trustedDir.mkdirs()) {
            this.logger.warn("Could not create trusted certificate dir: {}", this.trustedDir);
        }
        this.rejectedDir = new File(file.getAbsolutePath() + File.separator + "rejected");
        if (!this.rejectedDir.exists() && !this.rejectedDir.mkdirs()) {
            this.logger.warn("Could not create rejected certificate dir: {}", this.rejectedDir);
        }
        this.revocationDir = new File(file.getAbsolutePath() + File.separator + "revocation");
        if (!this.revocationDir.exists() && !this.revocationDir.mkdirs()) {
            this.logger.warn("Could not create revocation certificate dir: {}", this.revocationDir);
        }
        createWatchService();
        synchronizeTrustedCertificates();
    }

    public DefaultCertificateValidator(@Nonnull File file, @Nullable File file2, @Nullable File file3) {
        Objects.requireNonNull(file);
        this.trustedDir = file.getAbsoluteFile();
        this.rejectedDir = file2 != null ? file2.getAbsoluteFile() : null;
        this.revocationDir = file3 != null ? file3.getAbsoluteFile() : null;
        if (!file.isDirectory()) {
            throw new IllegalArgumentException(String.format("Directory of trusted certificates could not be found: %s", file.getAbsolutePath()));
        }
        if (file2 != null && !file2.isDirectory()) {
            throw new IllegalArgumentException(String.format("Directory of rejected certificates must be an existing, writable directory: %s", file2.getAbsolutePath()));
        }
        if (file3 != null && !file3.isDirectory()) {
            throw new IllegalArgumentException(String.format("Directory of revoked certificates must be an existing, writable directory: %s", file3.getAbsolutePath()));
        }
        createWatchService();
        synchronizeTrustedCertificates();
    }

    @Override // java.lang.AutoCloseable
    public void close() throws IOException {
        WatchService watchService;
        Thread thread;
        synchronized (this) {
            this.logger.info("Closing default certificate validator");
            watchService = this.watchService;
            thread = this.thread;
            this.watchService = null;
            this.thread = null;
            this.trustedCertificates.clear();
            this.authorityCertificates.clear();
        }
        if (watchService != null) {
            watchService.close();
        }
        if (thread != null) {
            Uninterruptibles.joinUninterruptibly(thread);
        }
    }

    @Override // org.eclipse.milo.opcua.stack.core.application.CertificateValidator
    public void validate(X509Certificate x509Certificate) throws UaException {
        try {
            CertificateValidationUtil.validateCertificateValidity(x509Certificate);
        } catch (UaException e) {
            certificateRejected(x509Certificate);
            throw e;
        }
    }

    @Override // org.eclipse.milo.opcua.stack.core.application.CertificateValidator
    public synchronized void verifyTrustChain(List<X509Certificate> list) throws UaException {
        try {
            CertificateValidationUtil.verifyTrustChain(list, this.trustedCertificates, this.authorityCertificates);
        } catch (UaException e) {
            certificateRejected(list.get(0));
            throw e;
        }
    }

    public synchronized ImmutableSet<X509Certificate> getTrustedCertificates() {
        return ImmutableSet.copyOf((Collection) this.trustedCertificates);
    }

    public synchronized ImmutableSet<X509Certificate> getAuthorityCertificates() {
        return ImmutableSet.copyOf((Collection) this.authorityCertificates);
    }

    private void createWatchService() {
        try {
            this.watchService = this.trustedDir.toPath().getFileSystem().newWatchService();
            this.thread = new Thread(new Watcher(this.watchService, this.trustedDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY)));
            this.thread.setName("ua-certificate-directory-watcher");
            this.thread.setDaemon(true);
            this.thread.start();
        } catch (IOException e) {
            this.logger.error("Error creating WatchService.", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void synchronizeTrustedCertificates() {
        this.logger.debug("Synchronizing trusted certificates...");
        Set<X509Certificate> certificatesFromDir = certificatesFromDir(this.trustedDir);
        Set set = (Set) certificatesFromDir.stream().filter(x509Certificate -> {
            return x509Certificate.getBasicConstraints() == -1;
        }).collect(Collectors.toSet());
        Set set2 = (Set) certificatesFromDir.stream().filter(x509Certificate2 -> {
            return x509Certificate2.getBasicConstraints() != -1;
        }).collect(Collectors.toSet());
        synchronized (this) {
            this.trustedCertificates.clear();
            this.trustedCertificates.addAll(set);
            this.authorityCertificates.clear();
            this.authorityCertificates.addAll(set2);
        }
        this.logger.debug("trustedCertificates.size()={}, authorityCertificates.size()={}", Integer.valueOf(this.trustedCertificates.size()), Integer.valueOf(this.authorityCertificates.size()));
    }

    private Set<X509Certificate> certificatesFromDir(File file) {
        File[] listFiles = file.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        return (Set) Arrays.stream(listFiles).map(this::file2certificate).filter(x509Certificate -> {
            return x509Certificate != null;
        }).collect(Collectors.toSet());
    }

    private X509Certificate file2certificate(File file) {
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            Throwable th = null;
            try {
                try {
                    X509Certificate decodeCertificate = CertificateUtil.decodeCertificate(fileInputStream);
                    if (fileInputStream != null) {
                        if (0 != 0) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    return decodeCertificate;
                } finally {
                }
            } finally {
            }
        } catch (Throwable th3) {
            return null;
        }
    }

    private void certificateRejected(X509Certificate x509Certificate) {
        if (this.rejectedDir == null) {
            return;
        }
        try {
            String[] split = x509Certificate.getSubjectX500Principal().getName().split(",");
            String format = String.format("%s [%s].der", URLEncoder.encode(split.length > 0 ? split[0] : x509Certificate.getSubjectX500Principal().getName(), "UTF-8"), ByteBufUtil.hexDump(Unpooled.wrappedBuffer(DigestUtil.sha1(x509Certificate.getEncoded()))));
            FileOutputStream fileOutputStream = new FileOutputStream(new File(this.rejectedDir.getAbsolutePath() + File.separator + format));
            Throwable th = null;
            try {
                try {
                    fileOutputStream.write(x509Certificate.getEncoded());
                    fileOutputStream.flush();
                    if (fileOutputStream != null) {
                        if (0 != 0) {
                            try {
                                fileOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileOutputStream.close();
                        }
                    }
                    this.logger.debug("Added rejected certificate entry: {}", format);
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            } finally {
            }
        } catch (IOException | CertificateEncodingException e) {
            this.logger.error("Error adding rejected certificate entry.", e);
        }
    }
}
