package com.wso2.openbanking.accelerator.gateway.executor.util;

import com.wso2.openbanking.accelerator.common.exception.CertificateValidationException;
import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.gateway.executor.model.OBAPIRequestContext;
import com.wso2.openbanking.accelerator.gateway.executor.model.OpenBankingExecutorError;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.Objects;
import java.util.Optional;
import javax.security.cert.CertificateEncodingException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.base.ServerConfiguration;

/* loaded from: input_file:com/wso2/openbanking/accelerator/gateway/executor/util/CertificateValidationUtils.class */
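/**
 * Static helpers shared by the gateway certificate-validation executors: validity-period
 * checks, issuer lookup in the server's client truststore, error reporting into the request
 * context, and conversions between the legacy {@code javax.security.cert} and the
 * {@code java.security.cert} certificate types.
 *
 * <p>The client truststore is held in a single static field. It is {@code null} until
 * {@link #loadTrustStore(char[])} (or the deprecated {@link #loadTrustStore(String, char[])})
 * has completed successfully; reads and writes of the field go through {@code synchronized}
 * static methods, so the class monitor guards it.
 */
public class CertificateValidationUtils {
    public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
    public static final String END_CERT = "-----END CERTIFICATE-----";
    public static final String X509_CERT_INSTANCE_NAME = "X.509";
    public static final String HTTP_CONTENT_TYPE = "Content-Type";
    public static final String HTTP_CONTENT_TYPE_OCSP = "application/ocsp-request";
    public static final String HTTP_ACCEPT = "Accept";
    public static final String HTTP_ACCEPT_OCSP = "application/ocsp-response";
    public static final String CONTENT_TYPE = "application/json";
    /** Server configuration key holding the truststore file path. */
    public static final String TRUSTSTORE_LOCATION_CONF_KEY = "Security.TrustStore.Location";
    /** Server configuration key holding the truststore password (not read by this class). */
    public static final String TRUSTSTORE_PASS_CONF_KEY = "Security.TrustStore.Password";
    /** KeyStore type used when loading the truststore. */
    private static final String TRUSTSTORE_TYPE = "JKS";
    private static final Log LOG = LogFactory.getLog(CertificateValidationUtils.class);
    // Guarded by the class monitor; only ever replaced with a fully loaded KeyStore.
    private static KeyStore trustStore = null;

    private CertificateValidationUtils() {
        // Utility class: no instances.
    }

    /**
     * Reports whether {@code x509Certificate} is outside its validity period.
     *
     * <p>{@link X509Certificate#checkValidity()} throws for a not-yet-valid certificate as well
     * as for an expired one; both cases return {@code true} here.
     *
     * @param x509Certificate certificate to check; must not be {@code null}
     * @return {@code true} if the certificate is not currently valid, {@code false} otherwise
     */
    public static boolean isExpired(X509Certificate x509Certificate) {
        try {
            x509Certificate.checkValidity();
            return false;
        } catch (CertificateException e) {
            // Covers CertificateExpiredException and CertificateNotYetValidException alike.
            LOG.error("Certificate with the serial number " + x509Certificate.getSerialNumber()
                    + " issued by the CA " + x509Certificate.getIssuerDN().toString()
                    + " is expired. Caused by, " + e.getMessage());
            return true;
        }
    }

    /**
     * Looks up the immediate issuer of {@code x509Certificate} in the loaded client truststore.
     *
     * @param x509Certificate certificate whose issuer is wanted
     * @return the truststore certificate whose public key verifies the signature of
     *         {@code x509Certificate}
     * @throws CertificateValidationException if the truststore has not been loaded yet, cannot be
     *         read, or contains no matching issuer
     */
    public static X509Certificate getIssuerCertificateFromTruststore(X509Certificate x509Certificate)
            throws CertificateValidationException {
        KeyStore loadedTrustStore = getTrustStore();
        if (loadedTrustStore == null) {
            throw new CertificateValidationException("Client truststore has not been initialized");
        }
        return retrieveCertificateFromTruststore(x509Certificate, loadedTrustStore);
    }

    /**
     * Returns the loaded client truststore, or {@code null} if no load has succeeded yet.
     *
     * @return the truststore, or {@code null}
     */
    public static synchronized KeyStore getTrustStore() {
        return trustStore;
    }

    /**
     * Scans every alias of {@code keyStore} for an X.509 certificate whose public key verifies
     * the signature of {@code x509Certificate} and returns the first match.
     *
     * <p>Only the signature is checked. The method does not check the candidate's own validity
     * period, key usage or basic constraints, does not compare the candidate's subject with this
     * certificate's issuer, and does not build a path to a trust anchor; callers that need full
     * path validation should run a PKIX validation separately. Aliases that hold no certificate
     * or a non-X.509 certificate are skipped rather than causing a {@code NullPointerException}
     * or {@code ClassCastException}.
     *
     * @param x509Certificate certificate whose issuer is wanted; must not be {@code null}
     * @param keyStore        loaded keystore to search
     * @return the matching issuer certificate
     * @throws CertificateValidationException if the aliases or a certificate cannot be read from
     *         the keystore, or if no alias verifies the signature
     */
    public static X509Certificate retrieveCertificateFromTruststore(X509Certificate x509Certificate, KeyStore keyStore)
            throws CertificateValidationException {
        Enumeration<String> aliases;
        try {
            aliases = keyStore.aliases();
        } catch (KeyStoreException e) {
            throw new CertificateValidationException("Error while retrieving aliases from keystore", e);
        }
        if (aliases == null) {
            throw new CertificateValidationException("Unable to read the certificate aliases from the truststore");
        }
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate candidate;
            try {
                candidate = keyStore.getCertificate(alias);
            } catch (KeyStoreException e) {
                throw new CertificateValidationException(
                        "Unable to read the certificate from truststore with the alias: " + alias, e);
            }
            // Entries without a certificate (e.g. secret-key entries) or with a non-X.509
            // certificate can never be the issuer; skip them instead of failing the whole scan.
            if (!(candidate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate issuerCandidate = (X509Certificate) candidate;
            try {
                x509Certificate.verify(issuerCandidate.getPublicKey());
                LOG.debug("Valid issuer certificate found in the client truststore");
                return issuerCandidate;
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException
                    | SignatureException | CertificateException ignored) {
                // Expected for every alias that is not the issuer; keep scanning.
            }
        }
        throw new CertificateValidationException(
                "Unable to find the immediate issuer from the truststore of the certificate with the serial number "
                        + x509Certificate.getSerialNumber() + " issued by the CA "
                        + x509Certificate.getIssuerDN().toString());
    }

    /**
     * Loads the client truststore from the path configured under
     * {@value #TRUSTSTORE_LOCATION_CONF_KEY} and publishes it via {@link #getTrustStore()}.
     *
     * @param cArr truststore password
     * @throws KeyStoreException        if a {@value #TRUSTSTORE_TYPE} keystore cannot be created
     * @throws IOException              if the file cannot be read or the password is wrong
     * @throws CertificateException     if a certificate in the store cannot be loaded
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @throws NullPointerException     if the location property is not configured
     */
    @SuppressFBWarnings({"PATH_TRAVERSAL_IN"})
    @Generated(message = "Ignoring because ServerConfiguration cannot be mocked")
    public static synchronized void loadTrustStore(char[] cArr)
            throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        String location = ServerConfiguration.getInstance().getFirstProperty(TRUSTSTORE_LOCATION_CONF_KEY);
        Objects.requireNonNull(location, "Truststore location is not configured: " + TRUSTSTORE_LOCATION_CONF_KEY);
        loadTrustStoreFromPath(location, cArr);
    }

    /**
     * Loads the client truststore from an explicit path and publishes it via
     * {@link #getTrustStore()}.
     *
     * @param str  path of the truststore file
     * @param cArr truststore password
     * @throws KeyStoreException        if a {@value #TRUSTSTORE_TYPE} keystore cannot be created
     * @throws IOException              if the file cannot be read or the password is wrong
     * @throws CertificateException     if a certificate in the store cannot be loaded
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @deprecated use {@link #loadTrustStore(char[])}, which reads the configured location
     */
    @SuppressFBWarnings({"PATH_TRAVERSAL_IN"})
    @Deprecated
    public static synchronized void loadTrustStore(String str, char[] cArr)
            throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        loadTrustStoreFromPath(str, cArr);
    }

    /**
     * Reads a {@value #TRUSTSTORE_TYPE} keystore from {@code path} into a local instance and
     * only then assigns it to the static field, so a failed (re)load leaves the previously
     * published truststore in place rather than an unloaded {@link KeyStore}.
     */
    private static synchronized void loadTrustStoreFromPath(String path, char[] password)
            throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            KeyStore loaded = KeyStore.getInstance(TRUSTSTORE_TYPE);
            loaded.load(in, password);
            trustStore = loaded;
        }
    }

    /**
     * Records a certificate validation failure on the request context as an executor error
     * with HTTP status {@code 401}.
     *
     * @param certificateValidationException failure to report
     * @param oBAPIRequestContext            request context to flag
     */
    public static void handleExecutorErrors(CertificateValidationException certificateValidationException,
                                            OBAPIRequestContext oBAPIRequestContext) {
        OpenBankingExecutorError error = new OpenBankingExecutorError(
                certificateValidationException.getErrorCode(),
                certificateValidationException.getMessage(),
                certificateValidationException.getErrorPayload(),
                "401");
        handleExecutorErrors(error, oBAPIRequestContext);
    }

    /**
     * Appends {@code openBankingExecutorError} to the context's error list and marks the
     * context as failed.
     *
     * @param openBankingExecutorError error to append
     * @param oBAPIRequestContext      request context to flag
     */
    public static void handleExecutorErrors(OpenBankingExecutorError openBankingExecutorError,
                                            OBAPIRequestContext oBAPIRequestContext) {
        ArrayList<OpenBankingExecutorError> errors = oBAPIRequestContext.getErrors();
        if (errors == null) {
            // NOTE(review): getErrors() is assumed to be nullable on a fresh context - confirm.
            errors = new ArrayList<>();
        }
        errors.add(openBankingExecutorError);
        oBAPIRequestContext.setError(true);
        oBAPIRequestContext.setErrors(errors);
    }

    /**
     * Converts a legacy {@code javax.security.cert.X509Certificate}, returning an empty
     * {@link Optional} instead of throwing when conversion fails.
     *
     * @param x509Certificate legacy certificate, may be {@code null}
     * @return the converted certificate, or empty if {@code null} or not convertible
     * @deprecated use {@link #convertCert(javax.security.cert.X509Certificate)}, which reports
     *             conversion failures
     */
    @Deprecated
    public static Optional<X509Certificate> convert(javax.security.cert.X509Certificate x509Certificate) {
        try {
            return convertCert(x509Certificate);
        } catch (CertificateException e) {
            return Optional.empty();
        }
    }

    /**
     * Converts a legacy {@code javax.security.cert.X509Certificate} by re-parsing its DER
     * encoding with an {@value #X509_CERT_INSTANCE_NAME} {@link CertificateFactory}.
     *
     * @param x509Certificate legacy certificate, may be {@code null}
     * @return the converted certificate, or empty if the input is {@code null}
     * @throws CertificateException if the input cannot be encoded or re-parsed
     */
    public static Optional<X509Certificate> convertCert(javax.security.cert.X509Certificate x509Certificate)
            throws CertificateException {
        if (x509Certificate == null) {
            return Optional.empty();
        }
        try {
            CertificateFactory factory = CertificateFactory.getInstance(X509_CERT_INSTANCE_NAME);
            Certificate parsed = factory.generateCertificate(new ByteArrayInputStream(x509Certificate.getEncoded()));
            return Optional.of((X509Certificate) parsed);
        } catch (CertificateException e) {
            LOG.error("Error while generating the certificate ", e);
            throw new CertificateException("Error while generating the certificate ", e);
        } catch (CertificateEncodingException e2) {
            // javax.security.cert.CertificateEncodingException is unrelated to the java.security.cert hierarchy.
            LOG.error("Error while decoding the certificate ", e2);
            throw new CertificateException("Error while decoding the certificate ", e2);
        }
    }

    /**
     * Re-parses any {@link Certificate} as an {@link X509Certificate}.
     *
     * @param certificate certificate to convert, may be {@code null}
     * @return the X.509 view of the certificate, or empty if the input is {@code null}
     * @throws CertificateException if the encoding cannot be obtained or parsed as X.509
     */
    public static Optional<X509Certificate> convertCertToX509Cert(Certificate certificate) throws CertificateException {
        if (certificate == null) {
            return Optional.empty();
        }
        CertificateFactory factory = CertificateFactory.getInstance(X509_CERT_INSTANCE_NAME);
        Certificate parsed = factory.generateCertificate(new ByteArrayInputStream(certificate.getEncoded()));
        return Optional.of((X509Certificate) parsed);
    }

    /**
     * Returns the current time as a {@link Date}.
     *
     * @return a new {@link Date} for "now"
     */
    public static Date getNewDate() {
        return new Date();
    }
}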
