package org.eclipse.milo.opcua.stack.core.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import io.netty.buffer.ByteBufUtil;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.file.ClosedWatchServiceException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import oracle.security.pki.resources.OraclePKICmd;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.types.builtin.ByteString;
import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
import org.eclipse.milo.opcua.stack.core.util.DigestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/stack-core-0.6.13.jar:org/eclipse/milo/opcua/stack/core/security/DefaultTrustListManager.class */
public class DefaultTrustListManager implements TrustListManager, AutoCloseable {
    static final int MAX_REJECTED_CERTIFICATES = 128;
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) DefaultTrustListManager.class);
    private final Set<X509Certificate> issuerCertificates = Sets.newConcurrentHashSet();
    private final Set<X509CRL> issuerCrls = Sets.newConcurrentHashSet();
    private final Set<X509Certificate> trustedCertificates = Sets.newConcurrentHashSet();
    private final Set<X509CRL> trustedCrls = Sets.newConcurrentHashSet();
    private final WatchService watchService;
    private final Thread watchThread;
    private final File baseDir;
    private final File issuerDir;
    private final File issuerCertsDir;
    private final File issuerCrlDir;
    private final File trustedDir;
    private final File trustedCertsDir;
    private final File trustedCrlDir;
    private final File rejectedDir;

    /* loaded from: input_file:BOOT-INF/lib/stack-core-0.6.13.jar:org/eclipse/milo/opcua/stack/core/security/DefaultTrustListManager$Watcher.class */
    private static class Watcher implements Runnable {
        private final WatchService watchService;
        private final Map<WatchKey, Runnable> watchKeys;

        Watcher(WatchService watchService, Map<WatchKey, Runnable> map) {
            this.watchService = watchService;
            this.watchKeys = map;
        }

        @Override // java.lang.Runnable
        public void run() {
            WatchKey take;
            while (true) {
                try {
                    take = this.watchService.take();
                    if (this.watchKeys.containsKey(take) && take.pollEvents().stream().anyMatch(watchEvent -> {
                        return watchEvent.kind() != StandardWatchEventKinds.OVERFLOW;
                    })) {
                        this.watchKeys.get(take).run();
                    }
                } catch (InterruptedException e) {
                    DefaultTrustListManager.LOGGER.error("Watcher interrupted.", (Throwable) e);
                } catch (ClosedWatchServiceException e2) {
                    DefaultTrustListManager.LOGGER.info("Watcher got closed");
                    return;
                }
                if (!take.reset()) {
                    DefaultTrustListManager.LOGGER.warn("Failed to reset watch key");
                    return;
                }
                continue;
            }
        }
    }

    public DefaultTrustListManager(File file) throws IOException {
        this.baseDir = file;
        ensureDirectoryExists(file);
        this.issuerDir = file.toPath().resolve("issuers").toFile();
        ensureDirectoryExists(this.issuerDir);
        this.issuerCertsDir = this.issuerDir.toPath().resolve("certs").toFile();
        ensureDirectoryExists(this.issuerCertsDir);
        this.issuerCrlDir = this.issuerDir.toPath().resolve(OraclePKICmd.aC).toFile();
        ensureDirectoryExists(this.issuerCrlDir);
        this.trustedDir = file.toPath().resolve("trusted").toFile();
        ensureDirectoryExists(this.trustedDir);
        this.trustedCertsDir = this.trustedDir.toPath().resolve("certs").toFile();
        ensureDirectoryExists(this.trustedCertsDir);
        this.trustedCrlDir = this.trustedDir.toPath().resolve(OraclePKICmd.aC).toFile();
        ensureDirectoryExists(this.trustedCrlDir);
        this.rejectedDir = file.toPath().resolve("rejected").toFile();
        ensureDirectoryExists(this.rejectedDir);
        this.watchService = FileSystems.getDefault().newWatchService();
        ConcurrentMap newConcurrentMap = Maps.newConcurrentMap();
        newConcurrentMap.put(this.issuerCertsDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY), this::synchronizeIssuerCerts);
        newConcurrentMap.put(this.issuerCrlDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY), this::synchronizeIssuerCrls);
        newConcurrentMap.put(this.trustedCertsDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY), this::synchronizeTrustedCerts);
        newConcurrentMap.put(this.trustedCrlDir.toPath().register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY), this::synchronizeTrustedCrls);
        this.watchThread = new Thread(new Watcher(this.watchService, newConcurrentMap));
        this.watchThread.setName("certificate-store-watcher");
        this.watchThread.setDaemon(true);
        this.watchThread.start();
        synchronizeIssuerCerts();
        synchronizeIssuerCrls();
        synchronizeTrustedCerts();
        synchronizeTrustedCrls();
    }

    @Override // java.lang.AutoCloseable
    public synchronized void close() throws IOException {
        LOGGER.debug("Closing DefaultCertificateStore at {}", this.baseDir.getAbsolutePath());
        this.watchService.close();
        try {
            this.watchThread.join(5000L);
            this.issuerCertificates.clear();
            this.issuerCrls.clear();
            this.trustedCertificates.clear();
        } catch (InterruptedException e) {
            throw new IOException(e);
        }
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized ImmutableList<X509CRL> getIssuerCrls() {
        return ImmutableList.copyOf((Collection) this.issuerCrls);
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized ImmutableList<X509CRL> getTrustedCrls() {
        return ImmutableList.copyOf((Collection) this.trustedCrls);
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized ImmutableList<X509Certificate> getIssuerCertificates() {
        return ImmutableList.copyOf((Collection) this.issuerCertificates);
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized ImmutableList<X509Certificate> getTrustedCertificates() {
        return ImmutableList.copyOf((Collection) this.trustedCertificates);
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized ImmutableList<X509Certificate> getRejectedCertificates() {
        File[] listFiles = this.rejectedDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        return ImmutableList.copyOf((Collection) Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCertificateFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        }).collect(Collectors.toList()));
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized void setIssuerCrls(List<X509CRL> list) {
        replaceCrlsInDir(list, this.issuerCrlDir);
        synchronizeIssuerCrls();
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized void setTrustedCrls(List<X509CRL> list) {
        replaceCrlsInDir(list, this.trustedCrlDir);
        synchronizeTrustedCrls();
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized void setIssuerCertificates(List<X509Certificate> list) {
        replaceCertificatesInDir(list, this.issuerCertsDir);
        synchronizeIssuerCerts();
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized void setTrustedCertificates(List<X509Certificate> list) {
        replaceCertificatesInDir(list, this.trustedCertsDir);
        synchronizeTrustedCerts();
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized void addIssuerCertificate(X509Certificate x509Certificate) {
        this.issuerCertificates.add(x509Certificate);
        writeCertificateToDir(x509Certificate, this.issuerCertsDir);
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized void addTrustedCertificate(X509Certificate x509Certificate) {
        this.trustedCertificates.add(x509Certificate);
        writeCertificateToDir(x509Certificate, this.trustedCertsDir);
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized void addRejectedCertificate(X509Certificate x509Certificate) {
        pruneOldRejectedCertificates();
        writeCertificateToDir(x509Certificate, this.rejectedDir);
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized boolean removeIssuerCertificate(ByteString byteString) {
        boolean deleteCertificateFile = deleteCertificateFile(this.issuerCertsDir, byteString);
        synchronizeIssuerCerts();
        return deleteCertificateFile;
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized boolean removeTrustedCertificate(ByteString byteString) {
        boolean deleteCertificateFile = deleteCertificateFile(this.trustedCertsDir, byteString);
        synchronizeTrustedCerts();
        return deleteCertificateFile;
    }

    @Override // org.eclipse.milo.opcua.stack.core.security.TrustListManager
    public synchronized boolean removeRejectedCertificate(ByteString byteString) {
        return deleteCertificateFile(this.rejectedDir, byteString);
    }

    public File getBaseDir() {
        return this.baseDir;
    }

    public File getIssuerDir() {
        return this.issuerDir;
    }

    public File getIssuerCertsDir() {
        return this.issuerCertsDir;
    }

    public File getIssuerCrlDir() {
        return this.issuerCrlDir;
    }

    public File getTrustedDir() {
        return this.trustedDir;
    }

    public File getTrustedCertsDir() {
        return this.trustedCertsDir;
    }

    public File getTrustedCrlDir() {
        return this.trustedCrlDir;
    }

    public File getRejectedDir() {
        return this.rejectedDir;
    }

    private synchronized boolean deleteCertificateFile(File file, ByteString byteString) {
        File[] listFiles = file.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        for (File file2 : listFiles) {
            if (((Boolean) decodeCertificateFile(file2).map(x509Certificate -> {
                try {
                    return Boolean.valueOf(CertificateUtil.thumbprint(x509Certificate).equals(byteString));
                } catch (UaException e) {
                    return false;
                }
            }).orElse(false)).booleanValue()) {
                if (file2.delete()) {
                    return true;
                }
                LOGGER.warn("Failed to delete issuer certificate: {}", file2);
                return true;
            }
        }
        return false;
    }

    private synchronized void replaceCrlsInDir(List<X509CRL> list, File file) {
        deleteDirectoryContents(file);
        list.forEach(x509crl -> {
            writeCrlToDir(x509crl, file);
        });
    }

    private synchronized void replaceCertificatesInDir(List<X509Certificate> list, File file) {
        deleteDirectoryContents(file);
        list.forEach(x509Certificate -> {
            writeCertificateToDir(x509Certificate, file);
        });
    }

    private static void deleteDirectoryContents(File file) {
        File[] listFiles = file.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        Arrays.stream(listFiles).forEach(file2 -> {
            try {
                Files.delete(file2.toPath());
            } catch (IOException e) {
                LOGGER.warn("Failed to delete file: {}", file2, e);
            }
        });
    }

    synchronized void pruneOldRejectedCertificates() {
        File[] listFiles = this.rejectedDir.listFiles();
        if (listFiles == null || listFiles.length < 128) {
            return;
        }
        int length = listFiles.length - 128;
        HashMap hashMap = new HashMap();
        Arrays.stream(listFiles).forEach(file -> {
        });
        Arrays.stream(listFiles).sorted((file2, file3) -> {
            return Long.compareUnsigned(((Long) hashMap.get(file2)).longValue(), ((Long) hashMap.get(file3)).longValue());
        }).limit(length + 1).forEach(file4 -> {
            if (file4.delete()) {
                return;
            }
            LOGGER.warn("Unable to delete rejected certificate: {}", file4);
        });
    }

    private synchronized void synchronizeIssuerCerts() {
        LOGGER.debug("Synchronizing issuer certs...");
        File[] listFiles = this.issuerCertsDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        this.issuerCertificates.clear();
        Stream flatMap = Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCertificateFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        });
        Set<X509Certificate> set = this.issuerCertificates;
        set.getClass();
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
    }

    private synchronized void synchronizeIssuerCrls() {
        LOGGER.debug("Synchronizing issuer CRLs...");
        File[] listFiles = this.issuerCrlDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        this.issuerCrls.clear();
        Stream flatMap = Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCrlFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Set<X509CRL> set = this.issuerCrls;
        set.getClass();
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
    }

    private synchronized void synchronizeTrustedCerts() {
        LOGGER.debug("Synchronizing trusted certs...");
        File[] listFiles = this.trustedCertsDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        this.trustedCertificates.clear();
        Stream flatMap = Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCertificateFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        });
        Set<X509Certificate> set = this.trustedCertificates;
        set.getClass();
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
    }

    private synchronized void synchronizeTrustedCrls() {
        LOGGER.debug("Synchronizing trusted CRLs...");
        File[] listFiles = this.trustedCrlDir.listFiles();
        if (listFiles == null) {
            listFiles = new File[0];
        }
        this.trustedCrls.clear();
        Stream flatMap = Arrays.stream(listFiles).flatMap(file -> {
            return (Stream) decodeCrlFile(file).map((v0) -> {
                return Stream.of(v0);
            }).orElse(Stream.empty());
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Set<X509CRL> set = this.trustedCrls;
        set.getClass();
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void writeCrlToDir(X509CRL x509crl, File file) {
        try {
            File file2 = file.toPath().resolve(getFilename(x509crl)).toFile();
            FileOutputStream fileOutputStream = new FileOutputStream(file2);
            Throwable th = null;
            try {
                try {
                    fileOutputStream.write(x509crl.getEncoded());
                    fileOutputStream.flush();
                    if (fileOutputStream != null) {
                        if (0 != 0) {
                            try {
                                fileOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileOutputStream.close();
                        }
                    }
                    LOGGER.debug("Wrote CRL entry: {}", file2.getAbsolutePath());
                } finally {
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Exception e) {
            LOGGER.error("Error writing CRL", (Throwable) e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void writeCertificateToDir(X509Certificate x509Certificate, File file) {
        try {
            File file2 = file.toPath().resolve(getFilename(x509Certificate)).toFile();
            FileOutputStream fileOutputStream = new FileOutputStream(file2);
            Throwable th = null;
            try {
                try {
                    fileOutputStream.write(x509Certificate.getEncoded());
                    fileOutputStream.flush();
                    if (fileOutputStream != null) {
                        if (0 != 0) {
                            try {
                                fileOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileOutputStream.close();
                        }
                    }
                    LOGGER.debug("Wrote certificate entry: {}", file2.getAbsolutePath());
                } finally {
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Exception e) {
            LOGGER.error("Error writing certificate", (Throwable) e);
        }
    }

    private static Optional<List<X509CRL>> decodeCrlFile(File file) {
        try {
            Stream<? extends CRL> filter = CertificateFactory.getInstance("X.509").generateCRLs(new FileInputStream(file)).stream().filter(crl -> {
                return crl instanceof X509CRL;
            });
            Class<X509CRL> cls = X509CRL.class;
            X509CRL.class.getClass();
            return Optional.of(filter.map((v1) -> {
                return r1.cast(v1);
            }).collect(Collectors.toList()));
        } catch (FileNotFoundException | CRLException | CertificateException e) {
            LOGGER.debug("Error decoding CRL file: {}", file.toString(), e);
            return Optional.empty();
        }
    }

    private static Optional<X509Certificate> decodeCertificateFile(File file) {
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            Throwable th = null;
            try {
                Optional<X509Certificate> of = Optional.of(CertificateUtil.decodeCertificate(fileInputStream));
                if (fileInputStream != null) {
                    if (0 != 0) {
                        try {
                            fileInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        fileInputStream.close();
                    }
                }
                return of;
            } finally {
            }
        } catch (Throwable th3) {
            LOGGER.debug("Error decoding certificate file: {}", file.toString(), th3);
            return Optional.empty();
        }
    }

    private static String getFilename(X509CRL x509crl) throws Exception {
        return String.format("%s.crl", ByteBufUtil.hexDump(DigestUtil.sha1(x509crl.getEncoded())));
    }

    private static String getFilename(X509Certificate x509Certificate) throws Exception {
        String[] split = x509Certificate.getSubjectX500Principal().getName().split(",");
        return String.format("%s [%s].der", ByteBufUtil.hexDump(DigestUtil.sha1(x509Certificate.getSignature())), sanitizeForUseInFilename(split.length > 0 ? split[0] : x509Certificate.getSubjectX500Principal().getName()));
    }

    static String sanitizeForUseInFilename(String str) throws Exception {
        return URLEncoder.encode(str, "UTF-8").replaceAll("\\*", "_");
    }

    private static void ensureDirectoryExists(File file) throws IOException {
        if (!file.exists() && !file.mkdirs()) {
            throw new IOException("unable to create directory at " + file.getAbsolutePath());
        }
    }
}
