package com.wso2.openbanking.accelerator.gateway.executor.impl.mtls.cert.validation.executor;

import com.wso2.openbanking.accelerator.common.exception.CertificateValidationException;
import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.gateway.cache.CertificateRevocationCache;
import com.wso2.openbanking.accelerator.gateway.cache.GatewayCacheKey;
import com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor;
import com.wso2.openbanking.accelerator.gateway.executor.model.OBAPIRequestContext;
import com.wso2.openbanking.accelerator.gateway.executor.model.OBAPIResponseContext;
import com.wso2.openbanking.accelerator.gateway.executor.model.OpenBankingExecutorError;
import com.wso2.openbanking.accelerator.gateway.executor.service.CertValidationService;
import com.wso2.openbanking.accelerator.gateway.executor.util.CertificateValidationUtils;
import com.wso2.openbanking.accelerator.gateway.internal.TPPCertValidatorDataHolder;
import com.wso2.openbanking.accelerator.gateway.util.GatewayConstants;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/wso2/openbanking/accelerator/gateway/executor/impl/mtls/cert/validation/executor/CertRevocationValidationExecutor.class */
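/**
 * Gateway executor that rejects a mutual-TLS request whose client certificate is expired or revoked.
 *
 * <p>Only {@link #preProcessRequest(OBAPIRequestContext)} does work; the other lifecycle hooks are
 * intentional no-ops. The executor inspects the first entry of the request's latest client
 * certificate array, checks expiry first and revocation second, and reports failures through
 * {@link CertificateValidationUtils#handleExecutorErrors} with the error codes below. Successful
 * revocation checks are cached in {@link CertificateRevocationCache}, keyed by the SHA-256 of the
 * certificate's DER encoding; failed checks are never cached and are re-evaluated on the next request.
 *
 * <p>NOTE(review): a request that carries no client certificate (null or empty array) passes through
 * this executor untouched. Presumably certificate presence is enforced by another executor in the
 * chain; confirm before relying on this class alone.
 */
public class CertRevocationValidationExecutor implements OpenBankingGatewayExecutor {
    private static final Log LOG = LogFactory.getLog(CertRevocationValidationExecutor.class);

    // Error codes reported to the client. Values are the ones the original implementation used.
    private static final String ERROR_CODE_INVALID_CERT = "200003";
    private static final String ERROR_CODE_CERT_EXPIRED = "200008";
    private static final String ERROR_CODE_CERT_REVOKED = "200009";
    // Last OpenBankingExecutorError constructor argument; presumably the HTTP status — verify against that class.
    private static final String STATUS_UNAUTHORIZED = "401";

    /**
     * Validates the request's client certificate for expiry and revocation.
     *
     * <p>Does nothing when the context is already flagged as an error or when no client certificate
     * is attached. Every failure path delegates to
     * {@link CertificateValidationUtils#handleExecutorErrors}, which is assumed to mark the context as
     * an error so downstream executors stop processing (the helper is not visible here — confirm).
     *
     * @param oBAPIRequestContext the request context carrying the client certificate chain
     */
    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    @Generated(message = "Ignoring since all cases are covered from other unit tests")
    public void preProcessRequest(OBAPIRequestContext oBAPIRequestContext) {
        LOG.info("Starting certificate revocation validation process");
        if (oBAPIRequestContext.isError()) {
            return;
        }
        try {
            Certificate[] clientCerts = oBAPIRequestContext.getClientCertsLatest();
            if (clientCerts == null || clientCerts.length == 0) {
                return;
            }
            // Only the leaf (first) certificate is validated; the rest of the chain is ignored here.
            Optional<X509Certificate> leafCert = CertificateValidationUtils.convertCertToX509Cert(clientCerts[0]);
            if (leafCert.isPresent()) {
                validateClientCertificate(leafCert.get(), oBAPIRequestContext);
            } else {
                LOG.error(GatewayConstants.CLIENT_CERTIFICATE_INVALID);
                CertificateValidationUtils.handleExecutorErrors(new OpenBankingExecutorError(ERROR_CODE_INVALID_CERT,
                        GatewayConstants.CLIENT_CERTIFICATE_INVALID, "", STATUS_UNAUTHORIZED), oBAPIRequestContext);
            }
        } catch (CertificateEncodingException e) {
            // Must precede CertificateException: the thumbprint failure gets its own error message.
            LOG.error("Unable to generate the client certificate thumbprint, caused by ", e);
            CertificateValidationUtils.handleExecutorErrors(new OpenBankingExecutorError(ERROR_CODE_INVALID_CERT,
                    "Unable to generate the client certificate thumbprint", "", STATUS_UNAUTHORIZED), oBAPIRequestContext);
        } catch (CertificateValidationException e) {
            LOG.error("Unable to validate the client certificate, caused by ", e);
            CertificateValidationUtils.handleExecutorErrors(e, oBAPIRequestContext);
        } catch (CertificateException e) {
            LOG.error("Error occurred while converting the client certificate to X509Certificate ", e);
            CertificateValidationUtils.handleExecutorErrors(new OpenBankingExecutorError(ERROR_CODE_INVALID_CERT,
                    "Error occurred while converting the client certificate to X509Certificate ", e.getMessage(),
                    STATUS_UNAUTHORIZED), oBAPIRequestContext);
        }
    }

    /**
     * Runs the expiry check and then the revocation check on one X.509 certificate, reporting the
     * first failure on the request context. Expiry is checked first so an expired certificate never
     * triggers a (possibly remote) revocation lookup.
     *
     * @param x509Certificate the leaf client certificate
     * @param oBAPIRequestContext the request context to flag on failure
     * @throws CertificateValidationException propagated from the revocation check
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded for the cache key
     */
    private void validateClientCertificate(X509Certificate x509Certificate, OBAPIRequestContext oBAPIRequestContext)
            throws CertificateValidationException, CertificateEncodingException {
        if (CertificateValidationUtils.isExpired(x509Certificate)) {
            String expiredMessage = "Certificate with the serial number " + x509Certificate.getSerialNumber()
                    + " issued by the CA " + x509Certificate.getIssuerDN().toString() + " is expired";
            LOG.error(expiredMessage);
            CertificateValidationUtils.handleExecutorErrors(new OpenBankingExecutorError(ERROR_CODE_CERT_EXPIRED,
                    "Invalid mutual TLS request. Client certificate is expired", expiredMessage, STATUS_UNAUTHORIZED),
                    oBAPIRequestContext);
            return;
        }
        LOG.debug("Client certificate expiry validation completed successfully");
        if (isCertRevoked(x509Certificate)) {
            LOG.error("Invalid mutual TLS request. Client certificate is revoked");
            CertificateValidationUtils.handleExecutorErrors(new OpenBankingExecutorError(ERROR_CODE_CERT_REVOKED,
                    "Invalid mutual TLS request. Client certificate is revoked", "", STATUS_UNAUTHORIZED),
                    oBAPIRequestContext);
            return;
        }
        LOG.debug("Certificate revocation validation success");
    }

    /** No-op: this executor only acts on the inbound request. */
    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    public void preProcessResponse(OBAPIResponseContext oBAPIResponseContext) {
    }

    /**
     * Answers whether the certificate is revoked, consulting the revocation cache first.
     *
     * <p>The cache holds {@code true} for certificates that passed validation. Only successful
     * results are written, so a revoked or unverifiable certificate is re-checked on every request
     * rather than being remembered as bad.
     *
     * @param x509Certificate the certificate to check
     * @return {@code true} if the certificate is revoked (or could not be verified), {@code false} otherwise
     * @throws CertificateValidationException propagated from the cache or validation layers
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded for the cache key
     */
    private boolean isCertRevoked(X509Certificate x509Certificate)
            throws CertificateValidationException, CertificateEncodingException {
        CertificateRevocationCache revocationCache = CertificateRevocationCache.getInstance();
        // Key on the SHA-256 of the DER bytes so the cached verdict is bound to this exact certificate.
        GatewayCacheKey cacheKey = GatewayCacheKey.of(DigestUtils.sha256Hex(x509Certificate.getEncoded()));
        // Read the entry once: a second lookup could observe an eviction in between and dereference null.
        Object cachedStatus = revocationCache.getFromCache(cacheKey);
        if (cachedStatus != null) {
            return !((Boolean) cachedStatus).booleanValue();
        }
        if (!isCertRevocationSuccess(x509Certificate)) {
            return true;
        }
        revocationCache.addToCache(cacheKey, true);
        return false;
    }

    /**
     * Performs the configured revocation validation for a certificate that has no cached verdict.
     *
     * <p>Returns {@code true} (treated as "not revoked") without any lookup when revocation
     * validation is disabled in configuration, when the certificate's subject DN string equals its
     * issuer DN string, or when the issuer DN is in the configured exclusion list.
     *
     * <p>NOTE(review): the "self signed" shortcut compares DN strings only; nothing here verifies that
     * the certificate actually signed itself or that it chains to the truststore. That trust is
     * presumably established by the TLS layer or another executor — confirm, since a certificate whose
     * issuer name merely matches its subject name bypasses revocation checking here.
     *
     * @param x509Certificate the certificate to validate
     * @return {@code true} if the certificate is considered valid, {@code false} if verification
     *         reported failure or the issuer certificate could not be retrieved
     */
    private boolean isCertRevocationSuccess(X509Certificate x509Certificate) {
        TPPCertValidatorDataHolder dataHolder = TPPCertValidatorDataHolder.getInstance();
        if (!dataHolder.isCertificateRevocationValidationEnabled()) {
            LOG.debug("Stored certificate validation status in cache");
            return true;
        }
        LOG.debug("Client certificate revocation validation is enabled");
        String issuerName = x509Certificate.getIssuerDN().getName();
        if (x509Certificate.getSubjectDN().getName().equals(issuerName)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Client certificate is self signed. Hence, excluding the certificate revocation validation");
            }
            return true;
        }
        if (dataHolder.getCertificateRevocationValidationExcludedIssuers().contains(issuerName)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("The issuer of the client certificate has been configured to exclude from certificate revocation validation. Hence, excluding the certificate revocation validation");
            }
            return true;
        }
        try {
            // Issuer certificate comes from the truststore, not from the presented chain, so the
            // revocation source (OCSP/CRL — handled inside CertValidationService) is anchored in local trust.
            boolean verified = CertValidationService.getInstance().verify(x509Certificate,
                    CertificateValidationUtils.getIssuerCertificateFromTruststore(x509Certificate),
                    dataHolder.getCertificateRevocationValidationRetryCount(),
                    dataHolder.getConnectTimeout(),
                    dataHolder.getConnectionRequestTimeout(),
                    dataHolder.getSocketTimeout());
            LOG.debug("Stored certificate validation status in cache");
            return verified;
        } catch (CertificateValidationException e) {
            // Fail closed: an unverifiable certificate is reported as revoked by the caller.
            LOG.error("Issuer certificate retrieving failed for client certificate with serial number "
                    + x509Certificate.getSerialNumber() + " issued by the CA "
                    + x509Certificate.getIssuerDN().toString(), e);
            return false;
        }
    }

    /** No-op: this executor only acts on the inbound request. */
    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    public void postProcessResponse(OBAPIResponseContext oBAPIResponseContext) {
    }

    /** No-op: all validation happens in {@link #preProcessRequest(OBAPIRequestContext)}. */
    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    public void postProcessRequest(OBAPIRequestContext oBAPIRequestContext) {
    }
}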
