package org.eclipse.milo.opcua.stack.core.application;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import io.netty.buffer.ByteBufUtil;
import io.netty.buffer.Unpooled;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.file.ClosedWatchServiceException;
import java.nio.file.FileSystems;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
import org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtil;
import org.eclipse.milo.opcua.stack.core.util.DigestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/milo/opcua/stack/core/application/DirectoryCertificateValidator.class */
public class DirectoryCertificateValidator implements CertificateValidator, AutoCloseable {
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final Set<X509Certificate> trustedCertificates = Sets.newConcurrentHashSet();
    private final Set<X509Certificate> issuerCertificates = Sets.newConcurrentHashSet();
    private final Set<X509CRL> issuerCrls = Sets.newConcurrentHashSet();
    private final WatchService watchService;
    private final Thread watchThread;
    private final File baseDir;
    private final File issuerDir;
    private final File issuerCertsDir;
    private final File issuerCrlsDir;
    private final File trustedDir;
    private final File trustedCertsDir;
    private final File rejectedDir;

    /* loaded from: input_file:org/eclipse/milo/opcua/stack/core/application/DirectoryCertificateValidator$Watcher.class */
    private class Watcher implements Runnable {
        private final WatchService watchService;
        private final Map<WatchKey, Runnable> watchKeys;

        Watcher(WatchService watchService, Map<WatchKey, Runnable> map) {
            this.watchService = watchService;
            this.watchKeys = map;
        }

        @Override // java.lang.Runnable
        public void run() {
            WatchKey take;
            while (true) {
                try {
                    take = this.watchService.take();
                    if (this.watchKeys.containsKey(take) && take.pollEvents().stream().anyMatch(watchEvent -> {
                        return watchEvent.kind() != StandardWatchEventKinds.OVERFLOW;
                    })) {
                        this.watchKeys.get(take).run();
                    }
                } catch (InterruptedException e) {
                    DirectoryCertificateValidator.this.logger.error("Watcher interrupted.", e);
                } catch (ClosedWatchServiceException e2) {
                    DirectoryCertificateValidator.this.logger.info("Watcher got closed");
                    return;
                }
                if (!take.reset()) {
                    DirectoryCertificateValidator.this.logger.warn("Failed to reset watch key");
                    return;
                }
                continue;
            }
        }
    }

    public DirectoryCertificateValidator(File file) throws IOException {
        this.baseDir = file;
        ensureDirectoryExists(file);
        this.issuerDir = file.toPath().resolve("issuers").toFile();
        ensureDirectoryExists(this.issuerDir);
        this.issuerCertsDir = this.issuerDir.toPath().resolve("certs").toFile();
        ensureDirectoryExists(this.issuerCertsDir);
        this.issuerCrlsDir = this.issuerDir.toPath().resolve("crls").toFile();
        ensureDirectoryExists(this.issuerCrlsDir);
        this.trustedDir = file.toPath().resolve("trusted").toFile();
        ensureDirectoryExists(this.trustedDir);
        this.trustedCertsDir = this.trustedDir.toPath().resolve("certs").toFile();
        ensureDirectoryExists(this.trustedCertsDir);
        this.rejectedDir = file.toPath().resolve("rejected").toFile();
        ensureDirectoryExists(this.rejectedDir);
        this.watchService = FileSystems.getDefault().newWatchService();
        ConcurrentMap newConcurrentMap = Maps.newConcurrentMap();
        newConcurrentMap.put(this.issuerCertsDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY), this::synchronizeIssuerCerts);
        newConcurrentMap.put(this.issuerCrlsDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY), this::synchronizeIssuerCrls);
        newConcurrentMap.put(this.trustedCertsDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY), this::synchronizeTrustedCerts);
        this.watchThread = new Thread(new Watcher(this.watchService, newConcurrentMap));
        this.watchThread.setName("certificate-store-watcher");
        this.watchThread.setDaemon(true);
        this.watchThread.start();
        synchronizeIssuerCerts();
        synchronizeIssuerCrls();
        synchronizeTrustedCerts();
    }

    @Override // java.lang.AutoCloseable
    public void close() throws IOException {
        synchronized (this) {
            this.logger.info("Closing DefaultCertificateStore at {}", this.baseDir.getAbsolutePath());
            this.watchService.close();
            try {
                this.watchThread.join(5000L);
                this.issuerCertificates.clear();
                this.issuerCrls.clear();
                this.trustedCertificates.clear();
            } catch (InterruptedException e) {
                throw new IOException(e);
            }
        }
    }

    @Override // org.eclipse.milo.opcua.stack.core.application.CertificateValidator
    public synchronized void validate(X509Certificate x509Certificate) throws UaException {
        try {
            CertificateValidationUtil.validateCertificateValidity(x509Certificate);
        } catch (UaException e) {
            addRejectedCertificate(x509Certificate);
            throw e;
        }
    }

    @Override // org.eclipse.milo.opcua.stack.core.application.CertificateValidator
    public synchronized void verifyTrustChain(List<X509Certificate> list) throws UaException {
        try {
            CertificateValidationUtil.verifyTrustChain(list, this.trustedCertificates, this.issuerCertificates, this.issuerCrls);
        } catch (UaException e) {
            addRejectedCertificate(list.get(0));
            throw e;
        }
    }

    public synchronized void addIssuerCertificate(X509Certificate x509Certificate) {
        this.issuerCertificates.add(x509Certificate);
        writeCertificateToDir(x509Certificate, this.issuerCertsDir);
    }

    public synchronized void addTrustedCertificate(X509Certificate x509Certificate) {
        this.trustedCertificates.add(x509Certificate);
        writeCertificateToDir(x509Certificate, this.trustedCertsDir);
    }

    public synchronized void addRejectedCertificate(X509Certificate x509Certificate) {
        writeCertificateToDir(x509Certificate, this.rejectedDir);
    }

    public synchronized ImmutableSet<X509Certificate> getIssuerCertificates() {
        return ImmutableSet.copyOf((Collection) this.issuerCertificates);
    }

    public synchronized ImmutableSet<CRL> getIssuerCrls() {
        return ImmutableSet.copyOf((Collection) this.issuerCrls);
    }

    public synchronized ImmutableSet<X509Certificate> getTrustedCertificates() {
        return ImmutableSet.copyOf((Collection) this.trustedCertificates);
    }

    public File getBaseDir() {
        return this.baseDir;
    }

    public File getIssuerDir() {
        return this.issuerDir;
    }

    public File getIssuerCertsDir() {
        return this.issuerCertsDir;
    }

    public File getIssuerCrlsDir() {
        return this.issuerCrlsDir;
    }

    public File getTrustedDir() {
        return this.trustedDir;
    }

    public File getTrustedCertsDir() {
        return this.trustedCertsDir;
    }

    public File getRejectedDir() {
        return this.rejectedDir;
    }

    private static String getFilename(X509Certificate x509Certificate) throws Exception {
        String[] split = x509Certificate.getSubjectX500Principal().getName().split(",");
        return String.format("%s [%s].der", ByteBufUtil.hexDump(Unpooled.wrappedBuffer(DigestUtil.sha1(x509Certificate.getEncoded()))), URLEncoder.encode(split.length > 0 ? split[0] : x509Certificate.getSubjectX500Principal().getName(), "UTF-8"));
    }

    private void writeCertificateToDir(X509Certificate x509Certificate, File file) {
        try {
            File file2 = new File(file.getAbsolutePath() + File.separator + getFilename(x509Certificate));
            FileOutputStream fileOutputStream = new FileOutputStream(file2);
            Throwable th = null;
            try {
                try {
                    fileOutputStream.write(x509Certificate.getEncoded());
                    fileOutputStream.flush();
                    if (fileOutputStream != null) {
                        if (0 != 0) {
                            try {
                                fileOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileOutputStream.close();
                        }
                    }
                    this.logger.info("Wrote certificate entry: {}", file2.getAbsolutePath());
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            } finally {
            }
        } catch (Exception e) {
            this.logger.error("Error adding rejected certificate entry.", e);
        }
    }

    private synchronized void synchronizeIssuerCerts() {
        File[] listFiles = this.issuerCertsDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        this.issuerCertificates.clear();
        Stream flatMap = Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCertificateFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        });
        Set<X509Certificate> set = this.issuerCertificates;
        set.getClass();
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
    }

    private synchronized void synchronizeTrustedCerts() {
        File[] listFiles = this.trustedCertsDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        this.trustedCertificates.clear();
        Stream flatMap = Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCertificateFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        });
        Set<X509Certificate> set = this.trustedCertificates;
        set.getClass();
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
    }

    private Optional<X509Certificate> decodeCertificateFile(File file) {
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            Throwable th = null;
            try {
                try {
                    Optional<X509Certificate> of = Optional.of(CertificateUtil.decodeCertificate(fileInputStream));
                    if (fileInputStream != null) {
                        if (0 != 0) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    return of;
                } finally {
                }
            } finally {
            }
        } catch (Throwable th3) {
            return Optional.empty();
        }
    }

    private synchronized void synchronizeIssuerCrls() {
        File[] listFiles = this.issuerCrlsDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        this.issuerCrls.clear();
        Stream flatMap = Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCrlFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Set<X509CRL> set = this.issuerCrls;
        set.getClass();
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
    }

    private Optional<List<X509CRL>> decodeCrlFile(File file) {
        try {
            Stream<? extends CRL> filter = CertificateFactory.getInstance("X.509").generateCRLs(new FileInputStream(file)).stream().filter(crl -> {
                return crl instanceof X509CRL;
            });
            Class<X509CRL> cls = X509CRL.class;
            X509CRL.class.getClass();
            return Optional.of(filter.map((v1) -> {
                return r1.cast(v1);
            }).collect(Collectors.toList()));
        } catch (FileNotFoundException | CRLException | CertificateException e) {
            return Optional.empty();
        }
    }

    private static void ensureDirectoryExists(File file) throws IOException {
        if (!file.exists() && !file.mkdirs()) {
            throw new IOException("unable to create directory at " + file.getAbsolutePath());
        }
    }
}
