package org.apache.synapse.transport.certificatevalidation;

import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Optional;
import javax.security.cert.X509Certificate;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.transport.certificatevalidation.cache.CertCache;
import org.apache.synapse.transport.certificatevalidation.crl.CRLCache;
import org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier;
import org.apache.synapse.transport.certificatevalidation.ocsp.OCSPCache;
import org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier;
import org.apache.synapse.transport.certificatevalidation.pathvalidation.CertificatePathValidator;
import org.apache.synapse.transport.nhttp.config.TrustStoreHolder;

/* loaded from: input_file:WEB-INF/lib/synapse-nhttp-transport-4.0.0-wso2v75.jar:org/apache/synapse/transport/certificatevalidation/CertificateVerificationManager.class */
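/**
 * Verifies peer (client) certificates presented over TLS: an optional expiry check, either
 * full chain validation or issuer lookup in the client truststore, and a revocation check that
 * tries OCSP first and falls back to CRL.
 *
 * <p>When full chain validation is disabled only the first certificate of the presented array
 * is examined: its issuer is located in the client truststore ({@link TrustStoreHolder}) by
 * verifying the peer signature against each truststore entry, and the match is remembered in
 * {@link CertCache}. Nothing beyond the signature is checked about that issuer in this mode.
 *
 * <p>Configuration is fixed at construction time; the revocation caches are obtained through
 * the static {@link OCSPCache#getCache} / {@link CRLCache#getCache} accessors on every call.
 */
public class CertificateVerificationManager {

    /** Cache size used when the configured value is absent or not strictly inside (50, 10000). */
    private static final int DEFAULT_CACHE_SIZE = 50;
    /** Cache delay in minutes used when the configured value is absent or not strictly inside (1, 1440). */
    private static final int DEFAULT_CACHE_DELAY_MINS = 15;
    /** Certificate type handed to {@link CertificateFactory#getInstance(String)}. */
    private static final String X509_CERT_TYPE = "X.509";

    private static final Log log = LogFactory.getLog(CertificateVerificationManager.class);

    private final int cacheSize;
    private final int cacheDelayMins;
    private final boolean isFullCertChainValidationEnabled;
    private final boolean isCertExpiryValidationEnabled;

    /**
     * Creates a manager with full chain validation enabled and expiry validation disabled.
     *
     * @param cacheSize      revocation cache size; {@code null} or a value not strictly inside
     *                       (50, 10000) falls back to 50 with a warning
     * @param cacheDelayMins revocation cache delay in minutes; {@code null} or a value not
     *                       strictly inside (1, 1440) falls back to 15 with a warning
     */
    public CertificateVerificationManager(Integer cacheSize, Integer cacheDelayMins) {
        this(cacheSize, cacheDelayMins, true, false);
    }

    /**
     * Creates a manager with explicit validation switches.
     *
     * @param cacheSize                        see {@link #CertificateVerificationManager(Integer, Integer)}
     * @param cacheDelayMins                   see {@link #CertificateVerificationManager(Integer, Integer)}
     * @param isFullCertChainValidationEnabled {@code true} to validate the whole presented chain
     *                                         with {@link CertificatePathValidator}; {@code false}
     *                                         to look the issuer up in the client truststore and
     *                                         revocation-check only the peer certificate
     * @param isCertExpiryValidationEnabled    {@code true} to reject chains containing a
     *                                         certificate outside its validity period
     */
    public CertificateVerificationManager(Integer cacheSize, Integer cacheDelayMins,
                                          boolean isFullCertChainValidationEnabled,
                                          boolean isCertExpiryValidationEnabled) {
        this.cacheSize = inRangeOrDefault(cacheSize, 50, 10000, DEFAULT_CACHE_SIZE, "cache size");
        this.cacheDelayMins = inRangeOrDefault(cacheDelayMins, 1, 1440, DEFAULT_CACHE_DELAY_MINS, "cache delay");
        this.isFullCertChainValidationEnabled = isFullCertChainValidationEnabled;
        this.isCertExpiryValidationEnabled = isCertExpiryValidationEnabled;
    }

    /**
     * Returns {@code value} when it lies strictly between {@code exclusiveMin} and
     * {@code exclusiveMax}; otherwise logs a warning naming the setting and returns
     * {@code defaultValue}. Both bounds are exclusive, matching the configuration contract
     * (a configured value equal to the default is itself reported as out of range).
     */
    private static int inRangeOrDefault(Integer value, int exclusiveMin, int exclusiveMax,
                                        int defaultValue, String settingName) {
        if (value == null || value <= exclusiveMin || value >= exclusiveMax) {
            log.warn("The " + settingName + " is out of range. Hence, using the default "
                    + settingName + " value of " + defaultValue + ".");
            return defaultValue;
        }
        return value;
    }

    /**
     * Verifies the presented peer certificate(s).
     *
     * <p>Order of checks: conversion to {@code java.security.cert} types, expiry (if enabled),
     * issuer lookup (only when full chain validation is disabled), then revocation via OCSP and,
     * on any failure, CRL. Any exception from a revocation verifier or from
     * {@link CertificatePathValidator} is treated as a soft failure of that verifier and logged
     * at debug level; only when both verifiers fail is an exception thrown, carrying the last
     * failure as its cause.
     *
     * @param peerCertificates the chain presented by the peer, leaf first
     * @throws CertificateVerificationException if no certificate was presented, conversion fails,
     *         a certificate is outside its validity period (when expiry validation is enabled),
     *         no truststore entry verifies the peer signature (when full chain validation is
     *         disabled), or both OCSP and CRL verification fail
     */
    public void verifyCertificateValidity(X509Certificate[] peerCertificates)
            throws CertificateVerificationException {
        if (peerCertificates == null || peerCertificates.length == 0) {
            throw new CertificateVerificationException("Peer certificate is not provided");
        }
        java.security.cert.X509Certificate[] chain = convert(peerCertificates);

        // Expiry does not depend on the revocation verifier, so it is checked once up front.
        // Inside the OCSP/CRL retry loop the failure would be swallowed by the per-verifier
        // catch and surface only as a generic "path verification failed".
        if (this.isCertExpiryValidationEnabled) {
            if (this.isFullCertChainValidationEnabled) {
                log.debug("Validating certificate chain for expiry");
                if (isExpired(chain)) {
                    throw new CertificateVerificationException("One of the provided certificates are expired");
                }
            } else {
                log.debug("Validating the client certificate for expiry");
                if (isExpired(chain)) {
                    throw new CertificateVerificationException("The provided certificate is expired");
                }
            }
        }

        java.security.cert.X509Certificate peer = null;
        java.security.cert.X509Certificate issuer = null;
        if (!this.isFullCertChainValidationEnabled) {
            // Only the leaf is revocation-checked in this mode; any further elements of the
            // presented array are ignored.
            peer = chain[0];
            issuer = resolveIssuerFromTrustStore(peer);
        }

        RevocationVerifier[] verifiers = new RevocationVerifier[]{
                new OCSPVerifier(OCSPCache.getCache(this.cacheSize, this.cacheDelayMins)),
                new CRLVerifier(CRLCache.getCache(this.cacheSize, this.cacheDelayMins))};
        Exception lastFailure = null;
        for (RevocationVerifier verifier : verifiers) {
            try {
                if (this.isFullCertChainValidationEnabled) {
                    log.debug("Doing full certificate chain validation");
                    new CertificatePathValidator(chain, verifier).validatePath();
                } else {
                    log.debug("Validating client certificate with the issuer certificate retrieved fromthe trust store");
                    verifier.checkRevocationStatus(peer, issuer);
                }
                return;
            } catch (Exception e) {
                // Broad catch is deliberate: a failing verifier must not prevent the fallback.
                lastFailure = e;
                log.debug("Certificate verification with " + verifier.getClass().getSimpleName() + " failed. ", e);
            }
        }
        throw new CertificateVerificationException("Path Verification Failed for both OCSP and CRL", lastFailure);
    }

    /**
     * Locates the issuer of {@code peer} in the client truststore, consulting {@link CertCache}
     * first (keyed by the peer certificate's serial number).
     *
     * <p>A truststore entry is accepted as the issuer solely because {@code peer}'s signature
     * verifies under its public key; the candidate's own validity period, key usage and basic
     * constraints are not examined here, since this path is only used when full chain
     * validation is switched off.
     *
     * @return the matching issuer certificate
     * @throws CertificateVerificationException if the cached issuer no longer verifies the peer
     *         signature, the truststore cannot be read, or no truststore entry verifies the peer
     */
    private java.security.cert.X509Certificate resolveIssuerFromTrustStore(java.security.cert.X509Certificate peer)
            throws CertificateVerificationException {
        if (log.isDebugEnabled()) {
            log.debug("Retrieving the issuer certificate from client truststore since full certificate chain validation is disabled");
        }
        String peerSerial = peer.getSerialNumber().toString();
        CertCache cache = CertCache.getCache();

        // Read the cache exactly once: a second lookup could observe an eviction and yield null.
        java.security.cert.X509Certificate cachedIssuer = cache.getCacheValue(peerSerial);
        if (cachedIssuer != null) {
            // Serial numbers are unique only per issuer. A peer certificate from a different CA
            // that happens to share this serial lands on this entry and is rejected below
            // (fails closed) instead of being looked up afresh.
            try {
                peer.verify(cachedIssuer.getPublicKey());
                return cachedIssuer;
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException
                     | SignatureException | CertificateException e) {
                throw new CertificateVerificationException("Unable to verify the signature of the certificate.", e);
            }
        }

        KeyStore clientTrustStore = TrustStoreHolder.getInstance().getClientTrustStore();
        Enumeration<String> aliases;
        try {
            aliases = clientTrustStore.aliases();
        } catch (KeyStoreException e) {
            throw new CertificateVerificationException("Error while retrieving aliases from truststore", e);
        }
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            java.security.cert.Certificate candidate;
            try {
                candidate = clientTrustStore.getCertificate(alias);
            } catch (KeyStoreException e) {
                throw new CertificateVerificationException(
                        "Unable to read the certificate from truststore with the alias: " + alias, e);
            }
            // getCertificate() returns null for aliases that are not certificate entries; such
            // entries (and non-X.509 certificates) cannot be the issuer, so skip rather than abort.
            if (!(candidate instanceof java.security.cert.X509Certificate)) {
                if (log.isDebugEnabled()) {
                    log.debug("Skipping truststore alias " + alias + ": not an X.509 certificate entry");
                }
                continue;
            }
            java.security.cert.X509Certificate issuer = (java.security.cert.X509Certificate) candidate;
            try {
                peer.verify(issuer.getPublicKey());
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException
                     | SignatureException | CertificateException ignored) {
                // Expected for every truststore entry that did not sign the peer; try the next one.
                continue;
            }
            log.debug("Valid issuer certificate found in the client truststore. Caching..");
            cache.setCacheValue(peerSerial, issuer);
            if (log.isDebugEnabled()) {
                log.debug("Issuer certificate with serial number: " + issuer.getSerialNumber().toString()
                        + " has been cached against the serial number:  " + peerSerial
                        + " of the peer certificate.");
            }
            return issuer;
        }
        // No entry verified the peer signature: fail here rather than continue with an
        // unverified (or absent) issuer.
        throw new CertificateVerificationException("Issuer certificate not found in truststore");
    }

    /**
     * Re-encodes {@code javax.security.cert} certificates as {@code java.security.cert} ones.
     *
     * @param javaxCerts certificates as handed over by the TLS layer; must not be {@code null}
     * @return an array of the same length, element-wise converted
     * @throws CertificateVerificationException if a certificate cannot be encoded or re-parsed
     */
    private java.security.cert.X509Certificate[] convert(X509Certificate[] javaxCerts)
            throws CertificateVerificationException {
        java.security.cert.X509Certificate[] javaCerts = new java.security.cert.X509Certificate[javaxCerts.length];
        try {
            // One factory for the whole chain instead of one per element.
            CertificateFactory factory = CertificateFactory.getInstance(X509_CERT_TYPE);
            for (int i = 0; i < javaxCerts.length; i++) {
                javaCerts[i] = (java.security.cert.X509Certificate) factory.generateCertificate(
                        new ByteArrayInputStream(javaxCerts[i].getEncoded()));
            }
        } catch (CertificateException | javax.security.cert.CertificateEncodingException e) {
            // java.security.cert.CertificateEncodingException is a CertificateException and is
            // covered by the first alternative; the javax one comes from getEncoded().
            throw new CertificateVerificationException("Cant Convert certificates from javax to java", e);
        }
        return javaCerts;
    }

    /**
     * Reports whether any certificate in {@code certificates} is outside its validity period
     * (expired or not yet valid) according to the current system time.
     *
     * @param certificates certificates to check; an empty array yields {@code false}
     * @return {@code true} as soon as one certificate fails {@code checkValidity()}
     */
    public boolean isExpired(java.security.cert.X509Certificate[] certificates) {
        for (java.security.cert.X509Certificate certificate : certificates) {
            try {
                certificate.checkValidity();
            } catch (CertificateExpiredException e) {
                log.error("Peer certificate is expired");
                return true;
            } catch (CertificateNotYetValidException e) {
                log.error("Peer certificate is not valid yet");
                return true;
            }
        }
        return false;
    }
}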
