package net.snowflake.client.core;

import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.lang.reflect.InvocationTargetException;
import java.math.BigInteger;
import java.net.Socket;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import net.snowflake.client.core.HttpUtil;
import net.snowflake.client.jdbc.OCSPErrorCode;
import net.snowflake.client.jdbc.SnowflakeUtil;
import net.snowflake.client.jdbc.internal.amazonaws.Protocol;
import net.snowflake.client.jdbc.internal.amazonaws.http.apache.SdkProxyRoutePlanner;
import net.snowflake.client.jdbc.internal.apache.commons.codec.binary.Base64;
import net.snowflake.client.jdbc.internal.apache.commons.io.IOUtils;
import net.snowflake.client.jdbc.internal.apache.http.HttpHost;
import net.snowflake.client.jdbc.internal.apache.http.auth.AuthScope;
import net.snowflake.client.jdbc.internal.apache.http.auth.UsernamePasswordCredentials;
import net.snowflake.client.jdbc.internal.apache.http.client.config.RequestConfig;
import net.snowflake.client.jdbc.internal.apache.http.client.methods.CloseableHttpResponse;
import net.snowflake.client.jdbc.internal.apache.http.client.methods.HttpGet;
import net.snowflake.client.jdbc.internal.apache.http.client.methods.HttpPost;
import net.snowflake.client.jdbc.internal.apache.http.client.methods.HttpUriRequest;
import net.snowflake.client.jdbc.internal.apache.http.config.Registry;
import net.snowflake.client.jdbc.internal.apache.http.config.RegistryBuilder;
import net.snowflake.client.jdbc.internal.apache.http.conn.socket.ConnectionSocketFactory;
import net.snowflake.client.jdbc.internal.apache.http.entity.StringEntity;
import net.snowflake.client.jdbc.internal.apache.http.impl.client.BasicCredentialsProvider;
import net.snowflake.client.jdbc.internal.apache.http.impl.client.CloseableHttpClient;
import net.snowflake.client.jdbc.internal.apache.http.impl.client.DefaultRedirectStrategy;
import net.snowflake.client.jdbc.internal.apache.http.impl.client.HttpClientBuilder;
import net.snowflake.client.jdbc.internal.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import net.snowflake.client.jdbc.internal.apache.http.ssl.SSLInitializationException;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.JsonNode;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.ObjectMapper;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.node.ArrayNode;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.node.JsonNodeType;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.node.ObjectNode;
import net.snowflake.client.jdbc.internal.google.common.base.Strings;
import net.snowflake.client.jdbc.internal.microsoft.azure.storage.table.TableConstants;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1Encodable;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1Integer;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1OctetString;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1Primitive;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.DEROctetString;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.DLSequence;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ocsp.CertID;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Certificate;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Extension;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Extensions;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.GeneralName;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.X509CertificateHolder;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.BasicOCSPResp;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.CertificateID;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.CertificateStatus;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPException;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPReq;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPResp;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.RevokedStatus;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.SingleResp;
import net.snowflake.client.jdbc.internal.org.bouncycastle.operator.DigestCalculator;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;
import net.snowflake.client.util.DecorrelatedJitterBackoff;
import net.snowflake.client.util.SFPair;

/* loaded from: input_file:net/snowflake/client/core/SFTrustManager.class */
public class SFTrustManager extends X509ExtendedTrustManager {
    // ---- Names of system properties / environment variables ---------------------------------
    // All of these are read at runtime through SnowflakeUtil.systemGetProperty / systemGetEnv.
    // NOTE(review): the SF_OCSP_TEST_* knobs are honored by this class outside of tests too
    // (e.g. isValidityRange() consults SF_OCSP_TEST_INJECT_VALIDITY_ERROR), so anything able to
    // set JVM system properties can influence OCSP validation; cleanTestSystemParameters()
    // clears them.
    public static final String SF_OCSP_RESPONSE_CACHE_SERVER_URL = "SF_OCSP_RESPONSE_CACHE_SERVER_URL";
    public static final String SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED = "SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED";
    public static final String SF_OCSP_TEST_INJECT_VALIDITY_ERROR = "SF_OCSP_TEST_INJECT_VALIDITY_ERROR";
    public static final String SF_OCSP_TEST_INJECT_UNKNOWN_STATUS = "SF_OCSP_TEST_INJECT_UNKNOWN_STATUS";
    public static final String SF_OCSP_TEST_RESPONDER_URL = "SF_OCSP_TEST_RESPONDER_URL";
    public static final String SF_OCSP_TEST_OCSP_RESPONSE_CACHE_SERVER_TIMEOUT = "SF_OCSP_TEST_OCSP_RESPONSE_CACHE_SERVER_TIMEOUT";
    public static final String SF_OCSP_TEST_OCSP_RESPONDER_TIMEOUT = "SF_OCSP_TEST_OCSP_RESPONDER_TIMEOUT";
    public static final String SF_OCSP_TEST_INVALID_SIGNING_CERT = "SF_OCSP_TEST_INVALID_SIGNING_CERT";
    public static final String SF_OCSP_TEST_NO_OCSP_RESPONDER_URL = "SF_OCSP_TEST_NO_OCSP_RESPONDER_URL";
    // Shaded BouncyCastle provider class, loaded reflectively by instantiateSecurityProvider().
    private static final String DEFAULT_SECURITY_PROVIDER_NAME = "net.snowflake.client.jdbc.internal.org.bouncycastle.jce.provider.BouncyCastleProvider";
    // Digest used for the OCSP CertID issuer hashes (see SHA1DigestCalculator).
    private static final String ALGORITHM_SHA1_NAME = "SHA-1";
    // Presumably milliseconds (RequestConfig timeouts are ms); where they are applied is outside this view.
    private static final int DEFAULT_OCSP_CACHE_SERVER_CONNECTION_TIMEOUT = 5000;
    private static final int DEFAULT_OCSP_RESPONDER_CONNECTION_TIMEOUT = 10000;
    // Plain http. Nothing fetched from here can be trusted on transport grounds; integrity has to
    // come from the signed OCSP response itself (see verifySignature), not from the connection.
    private static final String DEFAULT_OCSP_CACHE_HOST = "http://ocsp.snowflakecomputing.com";
    private static final String BOUNCY_CASTLE_PROVIDER = "BC";
    private static final String BOUNCY_CASTLE_FIPS_PROVIDER = "BCFIPS";
    // Validity-window tolerances used by isValidityRange()/calculateTolerableValidity():
    // a response is accepted from 15 min before the start of its range until
    // max(1% of the range, 5 h) after its end.
    private static final float TOLERABLE_VALIDITY_RANGE_RATIO = 0.01f;
    private static final long MAX_CLOCK_SKEW_IN_MILLISECONDS = 900000;
    private static final long MIN_CACHE_WARMUP_TIME_IN_MILLISECONDS = 18000000;
    // Retry back-off bounds; their use is outside this view.
    private static final long INITIAL_SLEEPING_TIME_IN_MILLISECONDS = 1000;
    private static final long MAX_SLEEPING_TIME_IN_MILLISECONDS = 16000;
    // Written by resetOCSPResponseCacherServerURL() / setOCSPResponseCacheServerURL().
    static String SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN;
    private static String SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE;
    // JDK-default trust managers that chain validation is delegated to (see getTrustManager()).
    private final X509TrustManager trustManager;
    private final X509ExtendedTrustManager exTrustManager;
    OCSPCacheServer ocspCacheServer = new OCSPCacheServer();
    private OCSPMode ocspMode;
    // NOTE(review): static, but assigned from the constructor, so the most recently built
    // SFTrustManager decides the proxy settings getHttpClient() applies for every instance.
    private static HttpClientSettingsKey proxySettingsKey;
    private static final SFLogger LOGGER = SFLoggerFactory.getLogger((Class<?>) SFTrustManager.class);
    // id-ad-ocsp (AIA access method) and the RSA signature-algorithm OIDs, sha1WithRSA included.
    private static final ASN1ObjectIdentifier OIDocsp = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.48.1").intern();
    private static final ASN1ObjectIdentifier SHA1RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.5").intern();
    private static final ASN1ObjectIdentifier SHA256RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.11").intern();
    private static final ASN1ObjectIdentifier SHA384RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.12").intern();
    private static final ASN1ObjectIdentifier SHA512RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.13").intern();
    private static final ObjectMapper OBJECT_MAPPER = ObjectMapperFactory.getObjectMapper();
    // Signature OID -> JCA Signature name, consulted by verifySignature(); populated outside this view.
    private static final Map<ASN1ObjectIdentifier, String> SIGNATURE_OID_TO_STRING = new ConcurrentHashMap();
    private static final Map<Integer, String> OCSP_RESPONSE_CODE_TO_STRING = new ConcurrentHashMap();
    private static final Object ROOT_CA_LOCK = new Object();
    // In-memory OCSP cache: CertID components -> (cached-at epoch seconds, cached response string).
    private static final Map<OcspResponseCacheKey, SFPair<Long, String>> OCSP_RESPONSE_CACHE = new ConcurrentHashMap();
    // NOTE(review): SimpleDateFormat is not thread-safe; every use of this shared instance
    // (none are in view) must be synchronized.
    private static final SimpleDateFormat DATE_FORMAT_UTC = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
    private static JcaX509CertificateConverter CONVERTER_X509 = new JcaX509CertificateConverter();
    // Trusted roots from the default trust store, keyed by subject-name hashCode() (getTrustManager()).
    // NOTE(review): an int hash collision between two roots would silently drop one of them.
    private static Map<Integer, Certificate> ROOT_CA = new ConcurrentHashMap();
    private static final AtomicBoolean WAS_CACHE_UPDATED = new AtomicBoolean();
    private static final AtomicBoolean WAS_CACHE_READ = new AtomicBoolean();
    private static Map<Integer, CloseableHttpClient> ocspCacheServerClient = new ConcurrentHashMap();
    public static String SF_OCSP_EVENT_TYPE_REVOKED_CERTIFICATE_ERROR = "RevokedCertificateError";
    public static String SF_OCSP_EVENT_TYPE_VALIDATION_ERROR = "OCSPValidationError";
    // On-disk cache: the directory comes from a system property or environment variable, so the
    // file is only as trustworthy as whoever can write there; entries expire after 5 days.
    private static final String CACHE_DIR_PROP = "net.snowflake.jdbc.ocspResponseCacheDir";
    private static final String CACHE_DIR_ENV = "SF_OCSP_RESPONSE_CACHE_DIR";
    static final String CACHE_FILE_NAME = "ocsp_response_cache.json";
    private static final long CACHE_EXPIRATION_IN_SECONDS = 432000;
    private static final long CACHE_FILE_LOCK_EXPIRATION_IN_SECONDS = 60;
    private static final FileCacheManager fileCacheManager = FileCacheManager.builder().setCacheDirectorySystemProperty(CACHE_DIR_PROP).setCacheDirectoryEnvironmentVariable(CACHE_DIR_ENV).setBaseCacheFileName(CACHE_FILE_NAME).setCacheExpirationInSeconds(CACHE_EXPIRATION_IN_SECONDS).setCacheFileLockExpirationInSeconds(CACHE_FILE_LOCK_EXPIRATION_IN_SECONDS).build();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:net/snowflake/client/core/SFTrustManager$OCSPCacheServer.class */
    public static class OCSPCacheServer {
        /** "fetch" endpoint derived by {@link #resetOCSPResponseCacheServer}; its use is outside this view. */
        String SF_OCSP_RESPONSE_CACHE_SERVER;
        /** "retry" endpoint derived by {@link #resetOCSPResponseCacheServer}; its use is outside this view. */
        String SF_OCSP_RESPONSE_RETRY_URL;
        /** Set by checkNewOCSPEndpointAvailability() when the activation variable/property is present. */
        boolean new_endpoint_enabled;

        OCSPCacheServer() {
        }

        /**
         * Derives the OCSP cache-server "fetch" and "retry" URLs from a Snowflake host name.
         *
         * <ul>
         *   <li>{@code <x>-<rest>.global.snowflakecomputing.com} -> {@code https://ocspssd-<rest>.global.snowflakecomputing.com/ocsp}</li>
         *   <li>{@code <x>.<rest>.snowflakecomputing.com} -> {@code https://ocspssd.<rest>.snowflakecomputing.com/ocsp}</li>
         *   <li>anything else -> {@code https://ocspssd.snowflakecomputing.com/ocsp}</li>
         * </ul>
         *
         * <p>NOTE(review): in the "global" branch the cut point is the first {@code '-'}; a
         * host name matching {@code .global.snowflakecomputing.com} but containing no
         * {@code '-'} makes {@code indexOf} return -1 and {@code substring(-1)} throw
         * {@code StringIndexOutOfBoundsException}.
         *
         * @param str the Snowflake host name the connection targets
         */
        void resetOCSPResponseCacheServer(String str) {
            String base;
            if (str.indexOf(".global.snowflakecomputing.com") > 0) {
                base = String.format("https://ocspssd%s/%s", str.substring(str.indexOf('-')), "ocsp");
            } else if (str.indexOf(".snowflakecomputing.com") > 0) {
                base = String.format("https://ocspssd%s/%s", str.substring(str.indexOf('.')), "ocsp");
            } else {
                base = "https://ocspssd.snowflakecomputing.com/ocsp";
            }
            this.SF_OCSP_RESPONSE_CACHE_SERVER = String.format("%s/%s", base, "fetch");
            this.SF_OCSP_RESPONSE_RETRY_URL = String.format("%s/%s", base, "retry");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/snowflake/client/core/SFTrustManager$OCSPPostReqData.class */
    /**
     * Payload of an OCSP request POSTed to the cache server.
     *
     * <p>The snake_case field names are presumably the JSON keys of the wire format (the object
     * is likely serialized with {@code OBJECT_MAPPER}; that code is outside this view), so they
     * must not be renamed.
     */
    public static class OCSPPostReqData {
        private String ocsp_url;
        private String ocsp_req;
        private String cert_id_enc;
        private String hostname;

        /**
         * @param ocspUrl   responder URL the cache server should contact
         * @param ocspReq   the encoded OCSP request
         * @param certIdEnc the encoded certificate id (see encodeCacheKey())
         * @param host      host name the check is performed for
         */
        OCSPPostReqData(String ocspUrl, String ocspReq, String certIdEnc, String host) {
            this.ocsp_url = ocspUrl;
            this.ocsp_req = ocspReq;
            this.cert_id_enc = certIdEnc;
            this.hostname = host;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:net/snowflake/client/core/SFTrustManager$OcspResponseCacheKey.class */
    /**
     * Key of the in-memory/on-disk OCSP response cache: the three CertID components.
     *
     * <p>On the cache-file path (decodeCacheFromJSON / encodeCacheToJSON) {@code nameHash} and
     * {@code keyHash} hold the DER encoding of the octet strings, which is parsed back with
     * {@code ASN1OctetString.getInstance}; whether other constructors pass raw digests is not
     * visible here.
     */
    public static class OcspResponseCacheKey {
        final byte[] nameHash;
        final byte[] keyHash;
        final BigInteger serialNumber;

        OcspResponseCacheKey(byte[] issuerNameHash, byte[] issuerKeyHash, BigInteger serial) {
            this.nameHash = issuerNameHash;
            this.keyHash = issuerKeyHash;
            this.serialNumber = serial;
        }

        @Override
        public int hashCode() {
            // Keep the exact mixing formula: the value is observable through hash-map iteration order.
            int h = Arrays.hashCode(this.nameHash) * 37 * 10;
            h += Arrays.hashCode(this.keyHash) * 37;
            h *= 10;
            return h + this.serialNumber.hashCode();
        }

        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof OcspResponseCacheKey)) {
                return false;
            }
            OcspResponseCacheKey that = (OcspResponseCacheKey) obj;
            return Arrays.equals(this.nameHash, that.nameHash)
                    && Arrays.equals(this.keyHash, that.keyHash)
                    && this.serialNumber.equals(that.serialNumber);
        }

        @Override
        public String toString() {
            return String.format("OcspResponseCacheKey: NameHash: %s, KeyHash: %s, SerialNumber: %s",
                    SFTrustManager.byteToHexString(this.nameHash),
                    SFTrustManager.byteToHexString(this.keyHash),
                    this.serialNumber.toString());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:net/snowflake/client/core/SFTrustManager$SHA1DigestCalculator.class */
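    /**
     * BouncyCastle {@code DigestCalculator} that buffers the written bytes and returns their
     * SHA-1 digest; used to build the OCSP CertID issuer hashes (see encodeCacheKey()).
     *
     * <p>NOTE(review): SHA-1 is the CertID hash this client emits and keys its cache by. CertID
     * is an identifier rather than a collision-sensitive digest and responders commonly accept
     * it, but confirm that assumption against how the cache key is consumed.
     */
    public static class SHA1DigestCalculator implements DigestCalculator {
        private ByteArrayOutputStream bOut = new ByteArrayOutputStream();

        SHA1DigestCalculator() {
        }

        /** Identifies the digest as id-sha1 in the produced CertID. */
        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier() {
            return new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
        }

        /** Stream the caller writes the data to be digested into. */
        @Override
        public OutputStream getOutputStream() {
            return this.bOut;
        }

        /**
         * Digests everything written so far and resets the buffer, so the instance can be reused.
         *
         * @return the SHA-1 digest of the buffered bytes
         * @throws RuntimeException if no SHA-1 provider is available; the
         *     {@code NoSuchAlgorithmException} is attached as the cause
         */
        @Override
        public byte[] getDigest() {
            byte[] buffered = this.bOut.toByteArray();
            this.bOut.reset();
            try {
                return MessageDigest.getInstance("SHA-1").digest(buffered);
            } catch (NoSuchAlgorithmException e) {
                String msg = String.format("Failed to instantiate the algorithm: %s. err=%s", "SHA-1", e.getMessage());
                SFTrustManager.LOGGER.error(msg, false);
                throw new RuntimeException(msg, e);
            }
        }
    }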

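    /**
     * Reflectively instantiates the (shaded) BouncyCastle provider named by
     * {@code DEFAULT_SECURITY_PROVIDER_NAME}.
     *
     * <p>Only the instance is created here; registering it with {@code Security}, if that
     * happens, is done by a caller outside this view.
     *
     * @return a new provider instance
     * @throws RuntimeException if the class cannot be loaded or constructed; the underlying
     *     exception is attached as the cause
     */
    private static Provider instantiateSecurityProvider() {
        try {
            Class<?> providerClass = Class.forName(DEFAULT_SECURITY_PROVIDER_NAME);
            return (Provider) providerClass.getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException | ExceptionInInitializerError | IllegalAccessException | IllegalArgumentException | InstantiationException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
            String msg = String.format("Failed to load %s, err=%s. If you use Snowflake JDBC for FIPS jar, import BouncyCastleFipsProvider in the application.", DEFAULT_SECURITY_PROVIDER_NAME, e.getMessage());
            LOGGER.error(msg, true);
            throw new RuntimeException(msg, e);
        }
    }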

    /* JADX INFO: Access modifiers changed from: package-private */
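    /**
     * Builds a trust manager that delegates chain validation to the JDK default trust manager
     * and adds an OCSP revocation check on the server-side {@code Socket}/{@code SSLEngine} paths.
     *
     * @param httpClientSettingsKey supplies the OCSP mode and the proxy settings; the proxy
     *     settings are stored in a static and therefore shared by all instances
     * @param file optional override of the on-disk cache file (applies to the static cache
     *     manager, i.e. to every instance); {@code null} keeps the default location
     * @throws SSLInitializationException if no {@code X509ExtendedTrustManager} can be obtained
     *     from the default {@code TrustManagerFactory}
     */
    public SFTrustManager(HttpClientSettingsKey httpClientSettingsKey, File file) {
        this.ocspMode = httpClientSettingsKey.getOcspMode();
        // NOTE(review): static assignment from a constructor — the most recently constructed
        // instance decides what getHttpClient() uses as proxy settings for everyone.
        proxySettingsKey = httpClientSettingsKey;
        // The factory is built once and serves both interfaces. The algorithm passed is
        // KeyManagerFactory's default (typically "SunX509"), not TrustManagerFactory's default
        // ("PKIX"); the two validators differ, so confirm this is intentional.
        X509TrustManager defaultTrustManager = getTrustManager(KeyManagerFactory.getDefaultAlgorithm());
        if (!(defaultTrustManager instanceof X509ExtendedTrustManager)) {
            // Fail here rather than with a NullPointerException/ClassCastException on the first handshake.
            throw new SSLInitializationException(
                    "No X509ExtendedTrustManager is available from the default TrustManagerFactory", null);
        }
        this.trustManager = defaultTrustManager;
        this.exTrustManager = (X509ExtendedTrustManager) defaultTrustManager;
        checkNewOCSPEndpointAvailability();
        if (file != null) {
            fileCacheManager.overrideCacheFile(file);
        }
        // The on-disk cache is read into the static map once per JVM, by the first instance.
        if (!WAS_CACHE_READ.getAndSet(true)) {
            readJsonStoreCache(fileCacheManager.readCacheFile());
        }
    }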

    /** Deletes the on-disk OCSP cache file; the in-memory {@code OCSP_RESPONSE_CACHE} is left untouched. */
    public static void deleteCache() {
        fileCacheManager.deleteCacheFile();
    }

    /**
     * Clears every OCSP-related system property this class reads, including the
     * {@code SF_OCSP_TEST_*} injection knobs. Environment variables are not touched.
     */
    public static void cleanTestSystemParameters() {
        String[] propertyNames = {
            SF_OCSP_RESPONSE_CACHE_SERVER_URL,
            SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED,
            SF_OCSP_TEST_INJECT_VALIDITY_ERROR,
            SF_OCSP_TEST_INJECT_UNKNOWN_STATUS,
            SF_OCSP_TEST_RESPONDER_URL,
            SF_OCSP_TEST_OCSP_RESPONDER_TIMEOUT,
            SF_OCSP_TEST_OCSP_RESPONSE_CACHE_SERVER_TIMEOUT,
            SF_OCSP_TEST_INVALID_SIGNING_CERT,
            SF_OCSP_TEST_NO_OCSP_RESPONDER_URL,
        };
        for (String propertyName : propertyNames) {
            System.clearProperty(propertyName);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Records the cache-server URL and derives the retry-URL pattern
     * ({@code <scheme>://<host>[:<port>]/retry/%s/%s}) from it.
     *
     * <p>First writer wins: once a retry pattern exists, later calls are no-ops. A URL starting
     * with {@code DEFAULT_OCSP_CACHE_HOST} is recorded but gets no retry pattern. Note that this
     * is a plain prefix test, not a host comparison, and the scheme of the configured URL is
     * taken as-is (a plain-http URL is accepted).
     *
     * @param str the cache-server URL, or {@code null} to do nothing
     * @throws IOException if the URL cannot be parsed ({@code MalformedURLException})
     */
    public static void resetOCSPResponseCacherServerURL(String str) throws IOException {
        if (str == null) {
            return;
        }
        if (SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN != null) {
            return;
        }
        SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = str;
        if (str.startsWith(DEFAULT_OCSP_CACHE_HOST)) {
            return;
        }
        URL parsed = new URL(str);
        // getPort() is -1 when the URL carries no explicit port.
        String authority = parsed.getPort() > 0
                ? parsed.getHost() + ":" + parsed.getPort()
                : parsed.getHost();
        SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN =
                String.format("%s://%s/retry/%s", parsed.getProtocol(), authority, "%s/%s");
    }

    /**
     * Resolves the cache-server URL with precedence environment variable > system property >
     * built-in default ({@code DEFAULT_OCSP_CACHE_HOST/ocsp_response_cache.json}). A value that
     * was already set is kept when neither source is present.
     *
     * <p>Whoever controls the environment or the system properties can redirect the driver to a
     * different cache server; what is fetched from there still has to pass the response checks.
     */
    private static void setOCSPResponseCacheServerURL() {
        String fromProperty = SnowflakeUtil.systemGetProperty(SF_OCSP_RESPONSE_CACHE_SERVER_URL);
        if (fromProperty != null) {
            SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = fromProperty;
        }
        try {
            String fromEnv = SnowflakeUtil.systemGetEnv(SF_OCSP_RESPONSE_CACHE_SERVER_URL);
            if (fromEnv != null) {
                SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = fromEnv;
            }
        } catch (Throwable th) {
            // Environment access can be denied by a SecurityManager; fall back to what we have.
            LOGGER.debug("Failed to get environment variable SF_OCSP_RESPONSE_CACHE_SERVER_URL. Ignored", true);
        }
        if (SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE == null) {
            SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = DEFAULT_OCSP_CACHE_HOST + "/" + CACHE_FILE_NAME;
        }
    }

    /**
     * Whether the OCSP response cache server should be used.
     *
     * <p>Disabled only when the system property or the environment variable
     * {@code SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED} is literally {@code "false"}
     * (case-insensitive); any other value, absence, or failure to read the environment
     * leaves it enabled.
     *
     * @return {@code true} unless explicitly disabled
     */
    private static boolean useOCSPResponseCacheServer() {
        String disabled = Boolean.FALSE.toString();
        if (disabled.equalsIgnoreCase(SnowflakeUtil.systemGetProperty(SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED))) {
            LOGGER.debug("No OCSP Response Cache Server is used.", false);
            return false;
        }
        try {
            String fromEnv = SnowflakeUtil.systemGetEnv(SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED);
            if (disabled.equalsIgnoreCase(fromEnv)) {
                LOGGER.debug("No OCSP Response Cache Server is used.", false);
                return false;
            }
            return true;
        } catch (Throwable th) {
            LOGGER.debug("Failed to get environment variable SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED. Ignored", false);
            return true;
        }
    }

    /**
     * Encodes a cache key as the base64 DER encoding of the corresponding OCSP {@code CertID}
     * (SHA-1 algorithm identifier, issuer name hash, issuer key hash, serial number).
     *
     * @param cacheKey the CertID components
     * @return the base64 string, or {@code null} if encoding fails (logged at debug level)
     */
    private static String encodeCacheKey(OcspResponseCacheKey cacheKey) {
        try {
            CertID certId = new CertID(
                    new SHA1DigestCalculator().getAlgorithmIdentifier(),
                    ASN1OctetString.getInstance(cacheKey.nameHash),
                    ASN1OctetString.getInstance(cacheKey.keyHash),
                    new ASN1Integer(cacheKey.serialNumber));
            byte[] der = certId.toASN1Primitive().getEncoded();
            return Base64.encodeBase64String(der);
        } catch (Exception e) {
            LOGGER.debug("Failed to encode cache key to base64 encoded cert id", false);
            return null;
        }
    }

    /**
     * Human-readable rendering of a CertificateID for log messages (hex hashes, decimal serial).
     *
     * @param certificateID the id to render
     * @return a single-line description
     */
    private static String CertificateIDToString(CertificateID certificateID) {
        String nameHashHex = byteToHexString(certificateID.getIssuerNameHash());
        String keyHashHex = byteToHexString(certificateID.getIssuerKeyHash());
        // "#" suppresses grouping separators in the serial number.
        String serial = MessageFormat.format("{0,number,#}", certificateID.getSerialNumber());
        return String.format("CertID. NameHash: %s, KeyHash: %s, Serial Number: %s", nameHashHex, keyHashHex, serial);
    }

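    /**
     * Decodes one entry of the on-disk OCSP response cache.
     *
     * <p>The key is the base64 DER encoding of an OCSP {@code CertID} (hashAlgorithm,
     * issuerNameHash, issuerKeyHash, serialNumber); the value is a two-element JSON array
     * {@code [cachedAtEpochSeconds, cachedResponse]} (the response's own encoding is not
     * visible here).
     *
     * <p>The cache file lives in a directory chosen by system property / environment variable,
     * so its contents are parsed defensively: a malformed key or value yields {@code null}
     * instead of a {@code ClassCastException}/{@code IndexOutOfBoundsException}, which
     * {@link #readJsonStoreCache} (it catches only {@code IOException}) would let escape from the
     * {@code SFTrustManager} constructor.
     *
     * <p>NOTE(review): expiry is only a lower bound on the timestamp — an entry stamped in the
     * future never expires by this check.
     *
     * @param entry one JSON field of the cache object
     * @return the decoded key and value; the value's right side is {@code null} when the entry is
     *     older than {@code CACHE_EXPIRATION_IN_SECONDS}; {@code null} for a malformed entry
     * @throws IOException if the key's DER bytes cannot be parsed or re-encoded
     */
    private static SFPair<OcspResponseCacheKey, SFPair<Long, String>> decodeCacheFromJSON(Map.Entry<String, JsonNode> entry) throws IOException {
        long nowInSeconds = System.currentTimeMillis() / 1000L;
        OcspResponseCacheKey cacheKey;
        try {
            ASN1Primitive decoded = ASN1Primitive.fromByteArray(Base64.decodeBase64(entry.getKey()));
            if (!(decoded instanceof DLSequence)) {
                LOGGER.debug("Invalid cache key in cache file. Ignored", false);
                return null;
            }
            ASN1Encodable[] certId = ((DLSequence) decoded).toArray();
            // CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
            if (certId.length < 4
                    || !(certId[1] instanceof DEROctetString)
                    || !(certId[2] instanceof DEROctetString)
                    || !(certId[3] instanceof ASN1Integer)) {
                LOGGER.debug("Invalid cache key in cache file. Ignored", false);
                return null;
            }
            // Note: getEncoded() stores the DER encoding of the octet strings, which is what
            // encodeCacheToJSON() expects (it parses them back via ASN1OctetString.getInstance).
            cacheKey = new OcspResponseCacheKey(
                    ((DEROctetString) certId[1]).getEncoded(),
                    ((DEROctetString) certId[2]).getEncoded(),
                    ((ASN1Integer) certId[3]).getValue());
        } catch (IllegalArgumentException | IllegalStateException | IndexOutOfBoundsException e) {
            // Parser-side rejections of garbage input (ASN1ParsingException is an IllegalStateException).
            LOGGER.debug("Invalid cache key in cache file. Ignored", false);
            return null;
        }
        JsonNode value = entry.getValue();
        if (!value.isArray() || value.size() != 2) {
            LOGGER.debug("Invalid cache file format. Ignored", false);
            return null;
        }
        long cachedAt = value.get(0).asLong();
        boolean fresh = nowInSeconds - CACHE_EXPIRATION_IN_SECONDS <= cachedAt;
        String cachedResponse = fresh ? value.get(1).asText() : null;
        return SFPair.of(cacheKey, SFPair.of(Long.valueOf(cachedAt), cachedResponse));
    }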

    /**
     * Serializes the in-memory cache to the on-disk JSON shape:
     * {@code { "<base64 DER CertID>": [cachedAtEpochSeconds, cachedResponse], ... }}.
     *
     * @return the JSON object, or {@code null} if an entry's CertID cannot be DER-encoded
     */
    private static ObjectNode encodeCacheToJSON() {
        ObjectNode root = OBJECT_MAPPER.createObjectNode();
        try {
            for (Map.Entry<OcspResponseCacheKey, SFPair<Long, String>> cached : OCSP_RESPONSE_CACHE.entrySet()) {
                OcspResponseCacheKey cacheKey = cached.getKey();
                SFPair<Long, String> cachedValue = cached.getValue();
                CertID certId = new CertID(
                        new SHA1DigestCalculator().getAlgorithmIdentifier(),
                        ASN1OctetString.getInstance(cacheKey.nameHash),
                        ASN1OctetString.getInstance(cacheKey.keyHash),
                        new ASN1Integer(cacheKey.serialNumber));
                String encodedKey = Base64.encodeBase64String(certId.toASN1Primitive().getEncoded());
                ArrayNode pair = OBJECT_MAPPER.createArrayNode();
                pair.add(cachedValue.left.longValue());
                pair.add(cachedValue.right);
                root.set(encodedKey, pair);
            }
            return root;
        } catch (IOException e) {
            LOGGER.debug("Failed to encode ASN1 object.", false);
            return null;
        }
    }

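    /**
     * Merges the parsed on-disk cache into {@code OCSP_RESPONSE_CACHE}.
     *
     * <p>Fresh entries are put into the map; entries that decode as expired are removed from the
     * map if present. Either change sets {@code WAS_CACHE_UPDATED}. The file is user-writable
     * data, so a single malformed entry is skipped rather than aborting the read — previously a
     * {@code ClassCastException} from a bad entry propagated out of the constructor.
     *
     * @param jsonNode the parsed cache file; anything but a JSON object is ignored
     */
    private static synchronized void readJsonStoreCache(JsonNode jsonNode) {
        if (jsonNode == null || !jsonNode.getNodeType().equals(JsonNodeType.OBJECT)) {
            LOGGER.debug("Invalid cache file format.", false);
            return;
        }
        try {
            Iterator<Map.Entry<String, JsonNode>> fields = jsonNode.fields();
            while (fields.hasNext()) {
                Map.Entry<String, JsonNode> field = fields.next();
                SFPair<OcspResponseCacheKey, SFPair<Long, String>> decoded;
                try {
                    decoded = decodeCacheFromJSON(field);
                } catch (ClassCastException | IllegalArgumentException | IllegalStateException | IndexOutOfBoundsException e) {
                    LOGGER.debug("Invalid cache entry. Ignored", false);
                    continue;
                }
                if (decoded == null) {
                    continue;
                }
                if (decoded.right != null && decoded.right.right != null) {
                    OCSP_RESPONSE_CACHE.put(decoded.left, decoded.right);
                    WAS_CACHE_UPDATED.set(true);
                } else if (OCSP_RESPONSE_CACHE.containsKey(decoded.left)) {
                    // Expired on disk: drop any in-memory copy.
                    OCSP_RESPONSE_CACHE.remove(decoded.left);
                    WAS_CACHE_UPDATED.set(true);
                }
            }
        } catch (IOException e) {
            LOGGER.debug("Failed to decode the cache file", false);
        }
    }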

    /**
     * Verifies {@code signatureBytes} over {@code signedData} with the public key of
     * {@code signerCert}, using the JCA algorithm mapped from the signature OID.
     *
     * <p>This proves only that the signer's key produced the signature. Whether that signer is
     * authorized to sign OCSP responses for the issuer in question must be established by the
     * caller (outside this view). Which OIDs are accepted depends on the contents of
     * {@code SIGNATURE_OID_TO_STRING}, populated elsewhere; {@code SHA1RSA} is declared in this
     * class, so SHA-1 signatures may be among them.
     *
     * @param signerCert          certificate whose public key verifies the signature
     * @param signatureBytes      the signature value
     * @param signedData          the bytes that were signed
     * @param algorithmIdentifier signature algorithm as stated by the response
     * @throws CertificateException if the OID is unsupported, the key/algorithm cannot be
     *     initialised, or the signature does not verify (as {@code CertificateEncodingException})
     */
    private static void verifySignature(X509CertificateHolder signerCert, byte[] signatureBytes, byte[] signedData, AlgorithmIdentifier algorithmIdentifier) throws CertificateException {
        try {
            String jcaName = SIGNATURE_OID_TO_STRING.get(algorithmIdentifier.getAlgorithm());
            if (jcaName == null) {
                throw new NoSuchAlgorithmException(String.format("Unsupported signature OID. OID: %s", algorithmIdentifier));
            }
            Signature verifier = Signature.getInstance(jcaName);
            verifier.initVerify(CONVERTER_X509.getCertificate(signerCert).getPublicKey());
            verifier.update(signedData);
            boolean verified = verifier.verify(signatureBytes);
            if (!verified) {
                throw new CertificateEncodingException(String.format("Failed to verify the signature. Potentially the data was not generated by by the cert, %s", signerCert.getSubject()));
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new CertificateEncodingException("Failed to verify the signature.", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Renders bytes as upper-case hex, two characters per byte, no separators.
     *
     * @param bArr the bytes to render (must not be {@code null})
     * @return the hex string; empty for an empty array
     */
    public static String byteToHexString(byte[] bArr) {
        final String digits = "0123456789ABCDEF";
        StringBuilder out = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            // Mask after the shift so the sign extension of negative bytes is discarded.
            out.append(digits.charAt((b >> 4) & 0x0F)).append(digits.charAt(b & 0x0F));
        }
        return out.toString();
    }

    /**
     * Builds the HTTP client used for OCSP traffic, applying one timeout to connect, connection
     * request and socket reads, and the static proxy settings.
     *
     * <p>Only the plain {@code http} scheme is registered, so an {@code https} URL handed to this
     * client fails at connection time unless another code path serves it. Note also that the
     * pool is capped at 1 connection in total while allowing 10 per route, so effectively a
     * single connection is used.
     *
     * @param timeoutMillis timeout in milliseconds for connect, pool acquisition and socket reads
     * @return a new client; callers own it and should close it
     */
    private static CloseableHttpClient getHttpClient(int timeoutMillis) {
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(timeoutMillis)
                .setConnectionRequestTimeout(timeoutMillis)
                .setSocketTimeout(timeoutMillis)
                .build();
        Registry<ConnectionSocketFactory> schemes = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", new HttpUtil.SFConnectionSocketFactory())
                .build();
        PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager(schemes);
        pool.setMaxTotal(1);
        pool.setDefaultMaxPerRoute(10);
        HttpClientBuilder builder = HttpClientBuilder.create()
                .setDefaultRequestConfig(requestConfig)
                .setConnectionManager(pool)
                .useSystemProperties()
                .setRedirectStrategy(new DefaultRedirectStrategy())
                .disableCookieManagement();
        if (proxySettingsKey.usesProxy()) {
            String proxyHost = proxySettingsKey.getProxyHost();
            int proxyPort = proxySettingsKey.getProxyPort();
            builder.setProxy(new HttpHost(proxyHost, proxyPort));
            builder.setRoutePlanner(new SdkProxyRoutePlanner(proxyHost, proxyPort, Protocol.HTTP, proxySettingsKey.getNonProxyHosts()));
            String proxyUser = proxySettingsKey.getProxyUser();
            String proxyPassword = proxySettingsKey.getProxyPassword();
            // Credentials are only attached when both parts are present.
            if (!Strings.isNullOrEmpty(proxyUser) && !Strings.isNullOrEmpty(proxyPassword)) {
                BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
                credentialsProvider.setCredentials(
                        new AuthScope(proxyHost, proxyPort),
                        new UsernamePasswordCredentials(proxyUser, proxyPassword));
                builder.setDefaultCredentialsProvider(credentialsProvider);
            }
        }
        return builder.build();
    }

    /**
     * Larger of two longs.
     *
     * @param j  first value
     * @param j2 second value
     * @return {@code j} if it is greater than or equal to {@code j2}, otherwise {@code j2}
     */
    private static long maxLong(long j, long j2) {
        return j >= j2 ? j : j2;
    }

    /**
     * How far past the end of a validity range a response is still accepted:
     * {@code TOLERABLE_VALIDITY_RANGE_RATIO} (1%) of the range length, but never less than
     * {@code MIN_CACHE_WARMUP_TIME_IN_MILLISECONDS} (5 h).
     *
     * @param date  start of the range
     * @param date2 end of the range
     * @return the tolerance in milliseconds
     */
    private static long calculateTolerableValidity(Date date, Date date2) {
        long rangeMillis = date2.getTime() - date.getTime();
        // The ratio is a float, so the product is computed in float and then narrowed to long.
        long onePercent = (long) (((float) rangeMillis) * TOLERABLE_VALIDITY_RANGE_RATIO);
        return maxLong(onePercent, MIN_CACHE_WARMUP_TIME_IN_MILLISECONDS);
    }

    /**
     * Checks that {@code current} lies within {@code [rangeStart, rangeEnd]}, widened by
     * {@code MAX_CLOCK_SKEW_IN_MILLISECONDS} (15 min) before the start and by
     * {@link #calculateTolerableValidity} (at least 5 h) after the end. A response is therefore
     * still accepted for hours after {@code rangeEnd}.
     *
     * <p>The {@code SF_OCSP_TEST_INJECT_VALIDITY_ERROR} system property forces {@code false}.
     *
     * @param current    the instant being validated (presumably "now")
     * @param rangeStart start of the accepted range
     * @param rangeEnd   end of the accepted range
     * @return whether {@code current} is inside the widened range
     */
    private static boolean isValidityRange(Date current, Date rangeStart, Date rangeEnd) {
        if (checkOCSPResponseValidityErrorParameter()) {
            return false;
        }
        long now = current.getTime();
        long earliest = rangeStart.getTime() - MAX_CLOCK_SKEW_IN_MILLISECONDS;
        long latest = rangeEnd.getTime() + calculateTolerableValidity(rangeStart, rangeEnd);
        return earliest <= now && now <= latest;
    }

    /**
     * Test hook: {@code true} when the system property {@code SF_OCSP_TEST_INJECT_VALIDITY_ERROR}
     * is literally {@code "true"} (case-insensitive). It is read at runtime, not only under test.
     */
    private static boolean checkOCSPResponseValidityErrorParameter() {
        String value = SnowflakeUtil.systemGetProperty(SF_OCSP_TEST_INJECT_VALIDITY_ERROR);
        return "true".equalsIgnoreCase(value);
    }

    /**
     * {@code true} when the named system property is literally {@code "true"} (case-insensitive).
     *
     * @param str the property name (one of the {@code SF_OCSP_TEST_*} constants)
     */
    private boolean isEnabledSystemTestParameter(String str) {
        String value = SnowflakeUtil.systemGetProperty(str);
        return "true".equalsIgnoreCase(value);
    }

    /**
     * Whether this instance was configured with {@code OCSPMode.FAIL_OPEN}. How that mode
     * changes the handling of revocation-check failures is decided outside this view.
     */
    private boolean isOCSPFailOpen() {
        return OCSPMode.FAIL_OPEN == this.ocspMode;
    }

    /**
     * Enables the "new" OCSP endpoint when the environment variable
     * {@code SF_OCSP_ACTIVATE_NEW_ENDPOINT} is present (any value).
     *
     * <p>NOTE(review): the system property {@code net.snowflake.jdbc.ocsp_activate_new_endpoint}
     * is consulted only when reading the environment throws, not when the variable is merely
     * absent — confirm that precedence is intended.
     */
    private void checkNewOCSPEndpointAvailability() {
        String activation;
        try {
            activation = SnowflakeUtil.systemGetEnv("SF_OCSP_ACTIVATE_NEW_ENDPOINT");
        } catch (Throwable th) {
            LOGGER.debug("Could not get environment variable to check for New OCSP Endpoint Availability", false);
            activation = SnowflakeUtil.systemGetProperty("net.snowflake.jdbc.ocsp_activate_new_endpoint");
        }
        // Presence alone enables it; the value is not inspected.
        this.ocspCacheServer.new_endpoint_enabled = (activation != null);
    }

    /**
     * Obtains the first {@code X509TrustManager} from a {@code TrustManagerFactory} of the given
     * algorithm initialised with the JDK default trust store ({@code init(null)}), and on the
     * first call snapshots its accepted issuers into {@code ROOT_CA}, keyed by the subject
     * name's {@code hashCode()}.
     *
     * <p>NOTE(review): keying by an int hash means two trusted roots whose subject names collide
     * would overwrite each other in {@code ROOT_CA}.
     *
     * @param algorithm the TrustManagerFactory algorithm (the constructor passes
     *     {@code KeyManagerFactory.getDefaultAlgorithm()})
     * @return the trust manager, or {@code null} if the factory yields no {@code X509TrustManager}
     * @throws SSLInitializationException wrapping any key-store, algorithm or encoding failure
     */
    private X509TrustManager getTrustManager(String algorithm) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
            factory.init((KeyStore) null);
            X509TrustManager found = null;
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    found = (X509TrustManager) candidate;
                    break;
                }
            }
            if (found == null) {
                return null;
            }
            synchronized (ROOT_CA_LOCK) {
                if (ROOT_CA.isEmpty()) {
                    for (X509Certificate issuer : found.getAcceptedIssuers()) {
                        Certificate asn1Certificate = Certificate.getInstance(issuer.getEncoded());
                        ROOT_CA.put(Integer.valueOf(asn1Certificate.getSubject().hashCode()), asn1Certificate);
                    }
                }
            }
            return found;
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new SSLInitializationException(e.getMessage(), e);
        }
    }

    /**
     * Client-certificate check, delegated unchanged to the JDK default trust manager.
     * No revocation check is performed on this path.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.trustManager.checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Server-certificate check (plain X509TrustManager API): delegated unchanged to the wrapped
     * trust manager.
     *
     * <p>NOTE(review): unlike the Socket/SSLEngine overloads below, this path never calls
     * validateRevocationStatus, so a caller using the non-extended API gets no OCSP check.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.trustManager.checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Client-certificate check for socket-based TLS: delegated unchanged to the wrapped extended
     * trust manager; no OCSP revocation check is added for client certificates.
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.exTrustManager.checkClientTrusted(x509CertificateArr, str, socket);
    }

    /**
     * Client-certificate check for SSLEngine-based TLS: delegated unchanged to the wrapped
     * extended trust manager; no OCSP revocation check is added for client certificates.
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        this.exTrustManager.checkClientTrusted(x509CertificateArr, str, sSLEngine);
    }

    /**
     * Server-certificate check for socket-based TLS: the wrapped extended trust manager validates
     * the chain first, then the driver's OCSP revocation check runs on the same chain.
     *
     * <p>NOTE(review): the host name is taken from {@code InetAddress.getHostName()}, which can
     * perform a reverse-DNS lookup for sockets opened by IP literal. That name drives the
     * "ocspssd" exemption and the cache-server selection in validateRevocationStatus, so confirm
     * it is the intended peer name rather than a resolved one. {@code getInetAddress()} is null
     * for an unconnected socket.
     *
     * @throws CertificateException if the chain is rejected or fails the revocation check
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.exTrustManager.checkServerTrusted(x509CertificateArr, str, socket);
        String peerHost = socket.getInetAddress().getHostName();
        validateRevocationStatus(x509CertificateArr, peerHost);
    }

    /**
     * Server-certificate check for SSLEngine-based TLS: the wrapped extended trust manager
     * validates the chain first, then the driver's OCSP revocation check runs on the same chain.
     *
     * <p>NOTE(review): {@code SSLEngine.getPeerHost()} is null when the engine was created
     * without a peer host; validateRevocationStatus does not guard against that.
     *
     * @throws CertificateException if the chain is rejected or fails the revocation check
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        this.exTrustManager.checkServerTrusted(x509CertificateArr, str, sSLEngine);
        String peerHost = sSLEngine.getPeerHost();
        validateRevocationStatus(x509CertificateArr, peerHost);
    }

    /**
     * Accepted issuers of the wrapped trust manager (the same set that getTrustManager snapshots
     * into {@code ROOT_CA}).
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustManager.getAcceptedIssuers();
    }

    /**
     * Runs the OCSP revocation check for a server chain that the platform trust manager has
     * already accepted.
     *
     * <p>Order is significant and preserved: the issuer/subject pairing (which throws when no
     * root CA can be found) is computed before the host-name exemption. Hosts whose name starts
     * with {@code "ocspssd"} are exempted from the check entirely. If the OCSP cache server is in
     * use and not every certificate is cached, the cache is downloaded first; a download failure
     * is only logged and the per-certificate checks then fall back to the CA responders. Any
     * cache update made during the checks is flushed to the cache file at the end.
     *
     * <p>NOTE(review): {@code str} is dereferenced without a null check; the SSLEngine overload of
     * checkServerTrusted passes {@code SSLEngine.getPeerHost()}, which may be null.
     *
     * @param x509CertificateArr the server chain as delivered by the TLS layer
     * @param str the peer host name used for the exemption and the cache-server selection
     * @throws CertificateException if the pairing fails or a certificate fails the revocation check
     */
    void validateRevocationStatus(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        List<SFPair<Certificate, Certificate>> chainPairs =
                getPairIssuerSubject(convertToBouncyCastleCertificate(x509CertificateArr));
        boolean exemptHost = str.startsWith("ocspssd");
        if (exemptHost) {
            return;
        }
        if (this.ocspCacheServer.new_endpoint_enabled) {
            this.ocspCacheServer.resetOCSPResponseCacheServer(str);
        }
        setOCSPResponseCacheServerURL();
        boolean allCached = isCached(chainPairs);
        boolean needDownload = useOCSPResponseCacheServer() && !allCached;
        if (needDownload) {
            if (this.ocspCacheServer.new_endpoint_enabled) {
                LOGGER.debug("Downloading OCSP response cache from the server. URL: {}", this.ocspCacheServer.SF_OCSP_RESPONSE_CACHE_SERVER);
            } else {
                LOGGER.debug("Downloading OCSP response cache from the server. URL: {}", SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE);
            }
            try {
                readOcspResponseCacheServer();
            } catch (SFOCSPException e) {
                // Non-fatal: the per-certificate checks below query the CA responders directly.
                LOGGER.debug("Error downloading OCSP Response from cache server : {}.OCSP Responses will be fetched directly from the CA OCSPResponder ", e.getMessage());
            }
        }
        executeRevocationStatusChecks(chainPairs, str);
        boolean dirty = WAS_CACHE_UPDATED.getAndSet(false);
        if (dirty) {
            fileCacheManager.writeCacheFile(encodeCacheToJSON());
        }
    }

    /**
     * Checks each issuer/subject pair in turn with one shared timestamp.
     *
     * @param list issuer (left) / subject (right) pairs, leaf first
     * @param str peer host name, forwarded to the per-pair check
     * @throws CertificateException propagated from executeOneRevocationStatusCheck
     */
    private void executeRevocationStatusChecks(List<SFPair<Certificate, Certificate>> list, String str) throws CertificateException {
        // Wall-clock time divided by INITIAL_SLEEPING_TIME_IN_MILLISECONDS; presumably seconds
        // if that constant is 1000, but its value is not visible here.
        long nowScaled = new Date().getTime() / INITIAL_SLEEPING_TIME_IN_MILLISECONDS;
        for (SFPair<Certificate, Certificate> pair : list) {
            executeOneRevocationStatusCheck(pair, nowScaled, str);
        }
    }

    /**
     * Builds the message logged when fail-open lets a connection proceed without a usable OCSP
     * response.
     *
     * @param str details appended after the fixed warning text (a null is rendered as "null")
     * @return the warning text followed by {@code str}
     */
    private String generateFailOpenLog(String str) {
        StringBuilder message = new StringBuilder("WARNING!!! Using fail-open to connect. Driver is connecting to an HTTPS endpoint without OCSP based Certificate Revocation checking as it could not obtain a valid OCSP Response to use from the CA OCSP responder. Details: \n");
        message.append(str);
        return message.toString();
    }

    /**
     * Checks the revocation status of one issuer/subject pair.
     *
     * <p>The decompiler could not reconstruct this body: the stub below throws
     * UnsupportedOperationException and is NOT the driver's real behaviour. The JADX notes that
     * follow preserve fragments of the original control flow: when no OCSP response can be
     * retrieved, a CertificateException ("Certificate Revocation check failed. Could not retrieve
     * OCSP Response.") is built (with the underlying cause when there is one), telemetry of type
     * SF_OCSP_EVENT_TYPE_VALIDATION_ERROR is generated, and then either — with fail-open
     * enabled — the generateFailOpenLog message is logged at error level and the method returns,
     * or — fail-closed — the exception is thrown.
     *
     * @param r9 issuer (left) / subject (right) certificate pair
     * @param r10 current time scaled by INITIAL_SLEEPING_TIME_IN_MILLISECONDS (see executeRevocationStatusChecks)
     * @param r12 peer host name
     * @throws CertificateException (in the real implementation) when the check fails and
     *     fail-open is not enabled
     */
    /* JADX WARN: Code restructure failed: missing block: B:23:0x0259, code lost:
    
        if (r19 != false) goto L69;
     */
    /* JADX WARN: Code restructure failed: missing block: B:25:0x025e, code lost:
    
        if (r22 == null) goto L63;
     */
    /* JADX WARN: Code restructure failed: missing block: B:26:0x0261, code lost:
    
        r18 = new java.security.cert.CertificateException("Certificate Revocation check failed. Could not retrieve OCSP Response.", r22);
        net.snowflake.client.core.SFTrustManager.LOGGER.debug(r22.getMessage(), false);
     */
    /* JADX WARN: Code restructure failed: missing block: B:27:0x029a, code lost:
    
        r0 = r0.generateTelemetry(net.snowflake.client.core.SFTrustManager.SF_OCSP_EVENT_TYPE_VALIDATION_ERROR, r18);
     */
    /* JADX WARN: Code restructure failed: missing block: B:28:0x02aa, code lost:
    
        if (isOCSPFailOpen() == false) goto L67;
     */
    /* JADX WARN: Code restructure failed: missing block: B:29:0x02ad, code lost:
    
        net.snowflake.client.core.SFTrustManager.LOGGER.error(generateFailOpenLog(r0), false);
     */
    /* JADX WARN: Code restructure failed: missing block: B:30:?, code lost:
    
        return;
     */
    /* JADX WARN: Code restructure failed: missing block: B:32:0x02bf, code lost:
    
        net.snowflake.client.core.SFTrustManager.LOGGER.debug(r0, false);
     */
    /* JADX WARN: Code restructure failed: missing block: B:33:0x02cc, code lost:
    
        throw r18;
     */
    /* JADX WARN: Code restructure failed: missing block: B:34:0x0280, code lost:
    
        r18 = new java.security.cert.CertificateException("Certificate Revocation check failed. Could not retrieve OCSP Response.");
        net.snowflake.client.core.SFTrustManager.LOGGER.debug(r18.getMessage(), false);
     */
    /* JADX WARN: Code restructure failed: missing block: B:35:0x02cd, code lost:
    
        return;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private void executeOneRevocationStatusCheck(net.snowflake.client.util.SFPair<net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Certificate, net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Certificate> r9, long r10, java.lang.String r12) throws java.security.cert.CertificateException {
        /*
            Method dump skipped, instructions count: 718
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: net.snowflake.client.core.SFTrustManager.executeOneRevocationStatusCheck(net.snowflake.client.util.SFPair, long, java.lang.String):void");
    }

    /**
     * Returns whether every issuer/subject pair has a cache entry that is present, not expired,
     * and still passes validateRevocationStatusMain (signature and status checks).
     *
     * <p>A missing or expired entry stops the scan immediately with {@code false}. An entry that
     * fails validation marks the result {@code false} but the scan continues. If a CertID cannot
     * be encoded (IOException) the scan stops and whatever has been decided so far is returned,
     * which is {@code true} when no earlier entry was invalid.
     *
     * @param list issuer (left) / subject (right) pairs
     * @return {@code true} if all pairs are served from the cache
     */
    private boolean isCached(List<SFPair<Certificate, Certificate>> list) {
        // Same time scale as the cached timestamps: presumably seconds if
        // INITIAL_SLEEPING_TIME_IN_MILLISECONDS is 1000 (not visible here).
        long nowScaled = new Date().getTime() / INITIAL_SLEEPING_TIME_IN_MILLISECONDS;
        boolean allValid = true;
        try {
            for (SFPair<Certificate, Certificate> pair : list) {
                CertificateID certId = createRequest(pair).getRequestList()[0].getCertID();
                LOGGER.debug(CertificateIDToString(certId), false);
                CertID raw = certId.toASN1Primitive();
                OcspResponseCacheKey key = new OcspResponseCacheKey(raw.getIssuerNameHash().getEncoded(), raw.getIssuerKeyHash().getEncoded(), raw.getSerialNumber().getValue());
                SFPair<Long, String> entry = OCSP_RESPONSE_CACHE.get(key);
                if (entry == null) {
                    LOGGER.debug("Not all OCSP responses for the certificate is in the cache.", false);
                    return false;
                }
                if (entry.left.longValue() < nowScaled - CACHE_EXPIRATION_IN_SECONDS) {
                    LOGGER.debug("Cache for CertID expired.", false);
                    return false;
                }
                try {
                    // A cached response is re-verified before it is trusted.
                    validateRevocationStatusMain(pair, entry.right);
                } catch (SFOCSPException e) {
                    LOGGER.debug("Cache includes invalid OCSPResponse. Will download the OCSP cache from Snowflake OCSP server", false);
                    allValid = false;
                }
            }
        } catch (IOException e) {
            LOGGER.debug("Failed to encode CertID.", false);
        }
        return allValid;
    }

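    /**
     * Downloads the whole OCSP response cache from the Snowflake cache server and merges it into
     * the in-memory cache via readJsonStoreCache.
     *
     * <p>A transport failure, a non-200 status or an unreadable body is logged at debug level and
     * otherwise ignored: the caller (validateRevocationStatus) then falls back to querying the CA
     * responders directly. Only a malformed cache-server URL is surfaced, as SFOCSPException.
     *
     * <p>Compared with the decompiled original, the HTTP response is now closed on every path
     * (the original closed a null reference in its cleanup blocks, so a failed read leaked the
     * response) and the URL is parsed before an HTTP client is created for it.
     *
     * @throws SFOCSPException if the configured cache server URL is not a valid URI
     */
    private void readOcspResponseCacheServer() throws SFOCSPException {
        String cacheServerUrl = this.ocspCacheServer.new_endpoint_enabled
                ? this.ocspCacheServer.SF_OCSP_RESPONSE_CACHE_SERVER
                : SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE;
        URI cacheUri;
        try {
            cacheUri = new URI(cacheServerUrl);
        } catch (URISyntaxException e) {
            LOGGER.debug("Indicate that a string could not be parsed as a URI reference.", false);
            throw new SFOCSPException(OCSPErrorCode.INVALID_CACHE_SERVER_URL, "Invalid OCSP Cache Server URL used", e);
        }
        // One client per connection timeout is cached in ocspCacheServerClient.
        CloseableHttpClient client = ocspCacheServerClient.computeIfAbsent(
                Integer.valueOf(getOCSPCacheServerConnectionTimeout()),
                num -> getHttpClient(getOCSPCacheServerConnectionTimeout()));
        try (CloseableHttpResponse response = client.execute((HttpUriRequest) new HttpGet(cacheUri))) {
            int status = response == null ? -1 : response.getStatusLine().getStatusCode();
            if (status != 200) {
                throw new IOException(String.format("Failed to get the OCSP response from the OCSP cache server: HTTP: %d", status));
            }
            JsonNode cacheJson;
            try (ByteArrayOutputStream buffer = new ByteArrayOutputStream()) {
                IOUtils.copy(response.getEntity().getContent(), buffer);
                cacheJson = OBJECT_MAPPER.readTree(buffer.toByteArray());
            }
            readJsonStoreCache(cacheJson);
            LOGGER.debug("Successfully downloaded OCSP cache from the server.", false);
        } catch (IOException e) {
            // Best effort: the revocation check continues against the CA responders.
            LOGGER.debug("Failed to read the OCSP response cache from the server. Server: {}, Err: {}", cacheServerUrl, e);
        }
    }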

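    /**
     * Connection timeout for the OCSP cache server: 5000 (presumably milliseconds, matching the
     * other timeouts in this class) unless the test property
     * SF_OCSP_TEST_OCSP_RESPONSE_CACHE_SERVER_TIMEOUT overrides it.
     *
     * <p>The property is read once (the original read it twice, so a concurrent change could make
     * the null check and the parse disagree) and a non-numeric value is logged rather than
     * silently dropped; in both cases the default applies.
     *
     * @return the timeout value
     */
    private int getOCSPCacheServerConnectionTimeout() {
        final int defaultTimeout = 5000;
        String override = SnowflakeUtil.systemGetProperty(SF_OCSP_TEST_OCSP_RESPONSE_CACHE_SERVER_TIMEOUT);
        if (override == null) {
            return defaultTimeout;
        }
        try {
            return Integer.parseInt(override);
        } catch (NumberFormatException e) {
            LOGGER.debug("Ignoring non-numeric OCSP cache server timeout override: {}", override);
            return defaultTimeout;
        }
    }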

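    /**
     * Fetches a fresh OCSP response for {@code sFPair} (issuer on the left, subject on the right).
     *
     * <p>With the new endpoint enabled the request is POSTed as JSON to
     * {@code SF_OCSP_RESPONSE_RETRY_URL}; otherwise a GET goes to the subject's first AIA OCSP
     * URL (optionally replaced by the test override, optionally rewritten through
     * SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN). Transport failures and non-200 replies
     * are retried with DecorrelatedJitterBackoff between attempts: one attempt in fail-open mode,
     * three otherwise.
     *
     * <p>Changes from the decompiled original: the HTTP response is closed on every exit path
     * (the original's finally closed a null reference, leaking the response that was read), the
     * no-op self-assignment is gone, and an interrupt during the backoff sleep re-sets the
     * thread's interrupt flag and abandons the remaining attempts instead of being swallowed.
     *
     * @param sFPair issuer/subject certificate pair
     * @param oCSPReq the OCSP request for the subject
     * @param str first extra field forwarded in the JSON POST body (new endpoint only)
     * @param str2 second extra field forwarded in the JSON POST body (new endpoint only)
     * @param oCSPTelemetryData receives the responder URL and the base64 request
     * @return the parsed response; its status is 0 (successful) when this returns
     * @throws CertificateEncodingException if no responder URL is attached to the subject, the
     *     responder could not be reached, the response status is not successful, or a URL,
     *     request or response cannot be encoded/decoded
     */
    private OCSPResp fetchOcspResponse(SFPair<Certificate, Certificate> sFPair, OCSPReq oCSPReq, String str, String str2, OCSPTelemetryData oCSPTelemetryData) throws CertificateEncodingException {
        CloseableHttpResponse response = null;
        try {
            String reqB64 = Base64.encodeBase64String(oCSPReq.getEncoded());
            Set<String> ocspUrls = getOcspUrls(sFPair.right);
            checkExistOCSPURL(ocspUrls);
            String responderUrl = overrideOCSPURL(ocspUrls.iterator().next());
            oCSPTelemetryData.setOcspUrl(responderUrl);
            oCSPTelemetryData.setOcspReq(reqB64);

            URL url;
            if (this.ocspCacheServer.new_endpoint_enabled) {
                url = new URL(this.ocspCacheServer.SF_OCSP_RESPONSE_RETRY_URL);
                LOGGER.debug("not hit cache. Fetching OCSP response from Snowflake OCSP Response Fetcher. {}", url);
            } else {
                String reqUrlEncoded = URLUtil.urlEncode(reqB64);
                url = SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN != null
                        ? new URL(String.format(SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN, new URL(responderUrl).getHost(), reqUrlEncoded))
                        : new URL(String.format("%s/%s", responderUrl, reqUrlEncoded));
                LOGGER.debug("not hit cache. Fetching OCSP response from CA OCSP server. {}", url);
            }

            // Fail-open gets a single attempt; fail-closed retries with backoff.
            int maxAttempts = isOCSPFailOpen() ? 1 : 3;
            long sleepMs = 1000;
            DecorrelatedJitterBackoff backoff = new DecorrelatedJitterBackoff(INITIAL_SLEEPING_TIME_IN_MILLISECONDS, MAX_SLEEPING_TIME_IN_MILLISECONDS);
            IOException lastFailure = null;
            boolean success = false;
            CloseableHttpClient client = ocspCacheServerClient.computeIfAbsent(
                    Integer.valueOf(getOCSPResponderConnectionTimeout()),
                    num -> getHttpClient(getOCSPResponderConnectionTimeout()));
            for (int attempt = 0; attempt < maxAttempts; attempt++) {
                try {
                    if (this.ocspCacheServer.new_endpoint_enabled) {
                        HttpPost post = new HttpPost(url.toString());
                        post.setHeader("Content-Type", TableConstants.HeaderConstants.JSON_CONTENT_TYPE);
                        post.setEntity(new StringEntity(OBJECT_MAPPER.writeValueAsString(new OCSPPostReqData(responderUrl, reqB64, str, str2)), "utf-8"));
                        response = client.execute((HttpUriRequest) post);
                    } else {
                        response = client.execute((HttpUriRequest) new HttpGet(url.toString()));
                    }
                    success = response != null && response.getStatusLine().getStatusCode() == 200;
                } catch (IOException e) {
                    LOGGER.debug("Failed to reach out OCSP responder: {}", e.getMessage());
                    lastFailure = e;
                }
                if (success) {
                    break;
                }
                IOUtils.closeQuietly(response);
                LOGGER.debug("Retrying {}/{} after sleeping {}(ms)", Integer.valueOf(attempt + 1), Integer.valueOf(maxAttempts), Long.valueOf(sleepMs));
                if (attempt + 1 < maxAttempts) {
                    try {
                        Thread.sleep(sleepMs);
                        sleepMs = backoff.nextSleepTime(sleepMs);
                    } catch (InterruptedException e) {
                        // Preserve the interrupt for the caller and stop retrying.
                        Thread.currentThread().interrupt();
                        break;
                    }
                }
            }
            if (!success) {
                Integer statusCode = response == null ? null : Integer.valueOf(response.getStatusLine().getStatusCode());
                throw new CertificateEncodingException(String.format("Failed to get OCSP response. StatusCode: %d, URL: %s", statusCode, responderUrl), lastFailure);
            }
            OCSPResp ocspResp;
            try (ByteArrayOutputStream buffer = new ByteArrayOutputStream()) {
                IOUtils.copy(response.getEntity().getContent(), buffer);
                ocspResp = new OCSPResp(buffer.toByteArray());
            }
            if (ocspResp.getStatus() != 0) {
                throw new CertificateEncodingException(String.format("Failed to get OCSP response. Status: %s", OCSP_RESPONSE_CODE_TO_STRING.get(Integer.valueOf(ocspResp.getStatus()))));
            }
            return ocspResp;
        } catch (IOException e) {
            throw new CertificateEncodingException("Failed to encode object.", e);
        } finally {
            IOUtils.closeQuietly(response);
        }
    }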

    /**
     * Rejects a certificate that carries no OCSP responder URL (or simulates that condition when
     * the test parameter SF_OCSP_TEST_NO_OCSP_RESPONDER_URL is enabled).
     *
     * @param set responder URLs extracted from the certificate's AIA extension
     * @throws CertificateEncodingException wrapping an SFOCSPException with NO_OCSP_URL_ATTACHED
     */
    private void checkExistOCSPURL(Set<String> set) throws CertificateEncodingException {
        boolean noResponder = set.isEmpty();
        boolean simulated = isEnabledSystemTestParameter(SF_OCSP_TEST_NO_OCSP_RESPONDER_URL);
        if (noResponder || simulated) {
            throw new CertificateEncodingException("No OCSP Responder URL is attached to the certificate.", new SFOCSPException(OCSPErrorCode.NO_OCSP_URL_ATTACHED, "No OCSP Responder URL is attached to the certificate."));
        }
    }

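    /**
     * Connection timeout for the CA OCSP responder: 10000 (presumably milliseconds, matching the
     * other timeouts in this class) unless the test property SF_OCSP_TEST_OCSP_RESPONDER_TIMEOUT
     * overrides it.
     *
     * <p>The property is read once (the original read it twice, so a concurrent change could make
     * the null check and the parse disagree) and a non-numeric value is logged rather than
     * silently dropped; in both cases the default applies.
     *
     * @return the timeout value
     */
    private int getOCSPResponderConnectionTimeout() {
        final int defaultTimeout = 10000;
        String override = SnowflakeUtil.systemGetProperty(SF_OCSP_TEST_OCSP_RESPONDER_TIMEOUT);
        if (override == null) {
            return defaultTimeout;
        }
        try {
            return Integer.parseInt(override);
        } catch (NumberFormatException e) {
            LOGGER.debug("Ignoring non-numeric OCSP responder timeout override: {}", override);
            return defaultTimeout;
        }
    }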

    /**
     * Applies the test override for the OCSP responder URL.
     *
     * <p>Because this redirects every OCSP query, the property SF_OCSP_TEST_RESPONDER_URL should
     * only ever be set in test environments.
     *
     * @param str the responder URL taken from the certificate
     * @return the value of the test property when set, otherwise {@code str}
     */
    private String overrideOCSPURL(String str) {
        String testResponder = SnowflakeUtil.systemGetProperty(SF_OCSP_TEST_RESPONDER_URL);
        if (testResponder == null) {
            return str;
        }
        return testResponder;
    }

    /**
     * Verifies one base64 OCSP response for the given issuer/subject pair and checks the
     * certificate status it reports.
     *
     * <p>Verification order: decode; reject a null decode; if the response carries a signing
     * certificate, check that certificate's validity window and verify its signature with the
     * issuer's key, then verify the response signature with the attached certificate; otherwise
     * verify the response signature directly with the issuer's key. Finally
     * validateBasicOcspResponse checks status and validity window.
     *
     * <p>NOTE(review): the attached responder certificate is only checked for validity dates and
     * an issuer signature; no check of the id-kp-OCSPSigning extended key usage is visible here.
     * RFC 6960 requires that for delegated responders — confirm whether verifySignature or a
     * caller enforces it. Only {@code certs[0]} is considered when several are attached.
     *
     * @param sFPair issuer (left) / subject (right) pair
     * @param str the base64-encoded OCSP response
     * @throws SFOCSPException INVALID_OCSP_RESPONSE, EXPIRED_OCSP_SIGNING_CERTIFICATE,
     *     INVALID_CERTIFICATE_SIGNATURE, INVALID_OCSP_RESPONSE_SIGNATURE, or
     *     REVOCATION_CHECK_FAILURE wrapping an IOException/OCSPException; status failures
     *     propagate from validateBasicOcspResponse
     */
    private void validateRevocationStatusMain(SFPair<Certificate, Certificate> sFPair, String str) throws SFOCSPException {
        X509CertificateHolder x509CertificateHolder;
        try {
            OCSPResp b64ToOCSPResp = b64ToOCSPResp(str);
            if (b64ToOCSPResp == null) {
                throw new SFOCSPException(OCSPErrorCode.INVALID_OCSP_RESPONSE, "OCSP response is null. The content is invalid.");
            }
            Date date = new Date();
            // Unchecked cast: a response object that is not a BasicOCSPResp would surface as a
            // ClassCastException, which is not caught here.
            BasicOCSPResp basicOCSPResp = (BasicOCSPResp) b64ToOCSPResp.getResponseObject();
            X509CertificateHolder[] certs = basicOCSPResp.getCerts();
            checkInvalidSigningCertTestParameter();
            if (certs.length > 0) {
                LOGGER.debug("Certificate is attached for verification. Verifying it by the issuer certificate.", false);
                x509CertificateHolder = certs[0];
                if (date.after(x509CertificateHolder.getNotAfter()) || date.before(x509CertificateHolder.getNotBefore())) {
                    throw new SFOCSPException(OCSPErrorCode.EXPIRED_OCSP_SIGNING_CERTIFICATE, String.format("Cert attached to OCSP Response is invalid.Current time - %sCertificate not before time - %sCertificate not after time - %s", date, x509CertificateHolder.getNotBefore(), x509CertificateHolder.getNotAfter()));
                }
                try {
                    // The attached responder certificate must itself be signed by the issuer (sFPair.left).
                    verifySignature(new X509CertificateHolder(sFPair.left.getEncoded()), x509CertificateHolder.getSignature(), CONVERTER_X509.getCertificate(x509CertificateHolder).getTBSCertificate(), x509CertificateHolder.getSignatureAlgorithm());
                    LOGGER.debug("Verifying OCSP signature by the attached certificate public key.", false);
                } catch (CertificateException e) {
                    LOGGER.debug("OCSP Signing Certificate signature verification failed", false);
                    throw new SFOCSPException(OCSPErrorCode.INVALID_CERTIFICATE_SIGNATURE, "OCSP Signing Certificate signature verification failed", e);
                }
            } else {
                LOGGER.debug("Certificate is NOT attached for verification. Verifying OCSP signature by the issuer public key.", false);
                x509CertificateHolder = new X509CertificateHolder(sFPair.left.getEncoded());
            }
            try {
                // x509CertificateHolder is either the verified attached cert or the issuer itself.
                verifySignature(x509CertificateHolder, basicOCSPResp.getSignature(), basicOCSPResp.getTBSResponseData(), basicOCSPResp.getSignatureAlgorithmID());
                validateBasicOcspResponse(date, basicOCSPResp);
            } catch (CertificateException e2) {
                LOGGER.debug("OCSP signature verification failed", false);
                throw new SFOCSPException(OCSPErrorCode.INVALID_OCSP_RESPONSE_SIGNATURE, "OCSP signature verification failed", e2);
            }
        } catch (IOException | OCSPException e3) {
            throw new SFOCSPException(OCSPErrorCode.REVOCATION_CHECK_FAILURE, "Failed to check revocation status.", e3);
        }
    }

    /**
     * Test hook: simulates an invalid OCSP signing certificate when
     * SF_OCSP_TEST_INVALID_SIGNING_CERT is enabled.
     *
     * @throws SFOCSPException with EXPIRED_OCSP_SIGNING_CERTIFICATE when the hook is active
     */
    private void checkInvalidSigningCertTestParameter() throws SFOCSPException {
        boolean injectInvalidSigner = isEnabledSystemTestParameter(SF_OCSP_TEST_INVALID_SIGNING_CERT);
        if (!injectInvalidSigner) {
            return;
        }
        throw new SFOCSPException(OCSPErrorCode.EXPIRED_OCSP_SIGNING_CERTIFICATE, "Cert attached to OCSP Response is invalid");
    }

    /**
     * Checks every single response in an already signature-verified BasicOCSPResp: the status
     * must be GOOD and {@code date} must fall inside the thisUpdate/nextUpdate window.
     *
     * <p>NOTE(review): the CertID of each SingleResp is not compared with the requested CertID in
     * this method; confirm that match is enforced elsewhere before the response is trusted.
     *
     * @param date the current time used for the validity-window check
     * @param basicOCSPResp the response to inspect
     * @throws SFOCSPException CERTIFICATE_STATUS_REVOKED (with reason code and UTC time),
     *     CERTIFICATE_STATUS_UNKNOWN, or INVALID_OCSP_RESPONSE_VALIDITY
     */
    private void validateBasicOcspResponse(Date date, BasicOCSPResp basicOCSPResp) throws SFOCSPException {
        for (SingleResp single : basicOCSPResp.getResponses()) {
            checkCertUnknownTestParameter();
            CertificateStatus status = single.getCertStatus();
            if (status instanceof RevokedStatus) {
                RevokedStatus revoked = (RevokedStatus) status;
                int reason;
                try {
                    reason = revoked.getRevocationReason();
                } catch (IllegalStateException e) {
                    reason = -1;  // no reason code present in the response
                }
                throw new SFOCSPException(OCSPErrorCode.CERTIFICATE_STATUS_REVOKED, String.format("The certificate has been revoked. Reason: %d, Time: %s", Integer.valueOf(reason), DATE_FORMAT_UTC.format(revoked.getRevocationTime())));
            }
            if (status != CertificateStatus.GOOD) {
                throw new SFOCSPException(OCSPErrorCode.CERTIFICATE_STATUS_UNKNOWN, "Failed to validate the certificate for UNKNOWN reason.");
            }
            Date thisUpdate = single.getThisUpdate();
            Date nextUpdate = single.getNextUpdate();
            LOGGER.debug("Current Time: {}, This Update: {}, Next Update: {}", date, thisUpdate, nextUpdate);
            if (!isValidityRange(date, thisUpdate, nextUpdate)) {
                throw new SFOCSPException(OCSPErrorCode.INVALID_OCSP_RESPONSE_VALIDITY, String.format("The OCSP response validity is out of range: Current Time: %s, This Update: %s, Next Update: %s", DATE_FORMAT_UTC.format(date), DATE_FORMAT_UTC.format(thisUpdate), DATE_FORMAT_UTC.format(nextUpdate)));
            }
        }
        LOGGER.debug("OK. Verified the certificate revocation status.", false);
    }

    /**
     * Test hook: simulates an UNKNOWN certificate status when
     * SF_OCSP_TEST_INJECT_UNKNOWN_STATUS is enabled.
     *
     * @throws SFOCSPException with CERTIFICATE_STATUS_UNKNOWN when the hook is active
     */
    private void checkCertUnknownTestParameter() throws SFOCSPException {
        boolean injectUnknown = isEnabledSystemTestParameter(SF_OCSP_TEST_INJECT_UNKNOWN_STATUS);
        if (!injectUnknown) {
            return;
        }
        throw new SFOCSPException(OCSPErrorCode.CERTIFICATE_STATUS_UNKNOWN, "Failed to validate the certificate for UNKNOWN reason.");
    }

    /**
     * Builds a single-request OCSPReq for the subject certificate.
     *
     * <p>The CertID is computed with SHA-1 over the issuer name and key (the CertID hash, not a
     * signature) and carries the subject's serial number.
     *
     * @param sFPair issuer (left) / subject (right) pair
     * @return the built request
     * @throws IOException if the issuer cannot be re-encoded or the request cannot be built
     */
    private OCSPReq createRequest(SFPair<Certificate, Certificate> sFPair) throws IOException {
        Certificate issuer = sFPair.left;
        Certificate subject = sFPair.right;
        try {
            CertificateID certId = new CertificateID(new SHA1DigestCalculator(), new X509CertificateHolder(issuer.getEncoded()), subject.getSerialNumber().getValue());
            return new OCSPReqBuilder().addRequest(certId).build();
        } catch (OCSPException e) {
            throw new IOException("Failed to build a OCSPReq.", e);
        }
    }

    /**
     * Re-parses JCA certificates as Bouncy Castle ASN.1 {@code Certificate}s, preserving order.
     *
     * @param x509CertificateArr the chain as delivered by the TLS layer
     * @return a new list with one entry per input certificate
     * @throws CertificateEncodingException if a certificate cannot be DER-encoded
     */
    private List<Certificate> convertToBouncyCastleCertificate(X509Certificate[] x509CertificateArr) throws CertificateEncodingException {
        List<Certificate> converted = new ArrayList<>(x509CertificateArr.length);
        for (X509Certificate cert : x509CertificateArr) {
            converted.add(Certificate.getInstance(cert.getEncoded()));
        }
        return converted;
    }

    /**
     * Pairs each non-self-signed certificate with its issuer: the next certificate in the list,
     * or, for the last one, the root CA looked up in {@code ROOT_CA} by issuer-name hash.
     *
     * <p>Assumes the list is ordered leaf first with each certificate followed by its issuer, as
     * the TLS layer delivers it; the pairing does not verify that {@code list.get(i + 1)} really
     * issued {@code list.get(i)}. The ROOT_CA lookup is keyed by {@code hashCode()} of the
     * issuer name, so a hash collision would return a different root than intended.
     *
     * @param list certificates, leaf first
     * @return one (issuer, subject) pair per non-self-signed certificate
     * @throws CertificateException wrapping NO_ROOTCA_FOUND when the last certificate's issuer is
     *     not among the accepted root CAs
     */
    private List<SFPair<Certificate, Certificate>> getPairIssuerSubject(List<Certificate> list) throws CertificateException {
        List<SFPair<Certificate, Certificate>> pairs = new ArrayList<>();
        int last = list.size() - 1;
        for (int i = 0; i <= last; i++) {
            Certificate subject = list.get(i);
            boolean selfSigned = subject.getIssuer().equals(subject.getSubject());
            if (selfSigned) {
                continue;
            }
            Certificate issuer;
            if (i < last) {
                issuer = list.get(i + 1);
            } else {
                issuer = ROOT_CA.get(Integer.valueOf(subject.getIssuer().hashCode()));
                if (issuer == null) {
                    throw new CertificateException("Failed to find the root CA.", new SFOCSPException(OCSPErrorCode.NO_ROOTCA_FOUND, "Failed to find the root CA."));
                }
            }
            pairs.add(SFPair.of(issuer, subject));
        }
        return pairs;
    }

    /**
     * Collects the OCSP responder URLs from the certificate's Authority Information Access
     * extension (access descriptions whose method OID is {@code OIDocsp}).
     *
     * <p>NOTE(review): the AIA value and each access description are cast to {@code DLSequence};
     * a differently encoded (e.g. DER) sequence would raise a ClassCastException here — confirm
     * against the parser in use.
     *
     * @param certificate the subject certificate
     * @return the set of responder URLs, possibly empty
     * @throws IOException if the certificate carries no extensions at all
     */
    private Set<String> getOcspUrls(Certificate certificate) throws IOException {
        Extensions extensions = certificate.getTBSCertificate().getExtensions();
        if (extensions == null) {
            throw new IOException("Failed to get Tbs Certificate.");
        }
        Set<String> urls = new HashSet<>();
        for (Enumeration<?> oids = extensions.oids(); oids.hasMoreElements(); ) {
            Extension ext = extensions.getExtension((ASN1ObjectIdentifier) oids.nextElement());
            if (!Extension.authorityInfoAccess.equals((ASN1Primitive) ext.getExtnId())) {
                continue;
            }
            for (ASN1Encodable accessDescription : (DLSequence) ext.getParsedValue()) {
                ASN1Encodable[] parts = ((DLSequence) accessDescription).toArray();
                boolean isOcspAccess = parts.length == 2 && OIDocsp.equals((ASN1Primitive) parts[0]);
                if (isOcspAccess) {
                    urls.add(GeneralName.getInstance(parts[1]).getName().toString());
                }
            }
        }
        return urls;
    }

    /**
     * Encodes an OCSP response as base64 for the cache.
     *
     * <p>Best effort: any failure (including non-IO throwables, as in the original) is logged at
     * debug level and yields {@code null}.
     *
     * @param oCSPResp the response, may be null
     * @return the base64 string, or {@code null} if the input is null or cannot be encoded
     */
    private String ocspResponseToB64(OCSPResp oCSPResp) {
        String encoded = null;
        if (oCSPResp != null) {
            try {
                encoded = Base64.encodeBase64String(oCSPResp.getEncoded());
            } catch (Throwable th) {
                LOGGER.debug("Could not convert OCSP Response to Base64", false);
            }
        }
        return encoded;
    }

    /**
     * Decodes a base64 string from the cache back into an OCSPResp.
     *
     * <p>Best effort: any failure (including non-IO throwables, as in the original) is logged at
     * debug level and yields {@code null}; callers treat null as an invalid response.
     *
     * @param str the base64-encoded response
     * @return the parsed response, or {@code null} if it cannot be decoded
     */
    private OCSPResp b64ToOCSPResp(String str) {
        OCSPResp decoded;
        try {
            byte[] der = Base64.decodeBase64(str);
            decoded = new OCSPResp(der);
        } catch (Throwable th) {
            LOGGER.debug("Could not cover OCSP Response from Base64 to OCSPResp object", false);
            decoded = null;
        }
        return decoded;
    }

    static {
        // Signature-algorithm OIDs mapped to JCA Signature names; presumably consumed by
        // verifySignature, which is outside this view. NOTE(review): SHA1withRSA stays accepted.
        SIGNATURE_OID_TO_STRING.put(SHA1RSA, "SHA1withRSA");
        SIGNATURE_OID_TO_STRING.put(SHA256RSA, "SHA256withRSA");
        SIGNATURE_OID_TO_STRING.put(SHA384RSA, "SHA384withRSA");
        SIGNATURE_OID_TO_STRING.put(SHA512RSA, "SHA512withRSA");
        // OCSPResponseStatus names (RFC 6960); code 4 is unused in the RFC and has no entry.
        OCSP_RESPONSE_CODE_TO_STRING.put(0, "successful");
        OCSP_RESPONSE_CODE_TO_STRING.put(1, "malformedRequest");
        OCSP_RESPONSE_CODE_TO_STRING.put(2, "internalError");
        OCSP_RESPONSE_CODE_TO_STRING.put(3, "tryLater");
        OCSP_RESPONSE_CODE_TO_STRING.put(5, "sigRequired");
        OCSP_RESPONSE_CODE_TO_STRING.put(6, "unauthorized");
        // Register the bundled provider only if neither plain "BC" nor the FIPS provider is present.
        if (Security.getProvider("BC") == null && Security.getProvider(BOUNCY_CASTLE_FIPS_PROVIDER) == null) {
            Security.addProvider(instantiateSecurityProvider());
        }
        // Timestamps in OCSP error messages are rendered in UTC.
        // NOTE(review): if DATE_FORMAT_UTC is a java.text.SimpleDateFormat (the import is present),
        // it is not thread-safe, yet this shared static instance is used by format(...) in
        // several methods — confirm it is not reached concurrently.
        DATE_FORMAT_UTC.setTimeZone(TimeZone.getTimeZone("UTC"));
    }
}
