package org.clazzes.login.external;

import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.clazzes.util.sched.ITimedJob;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/clazzes/login/external/IssuerConfig.class */
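/**
 * Revocation settings and cached CRL state for a single certificate issuer.
 *
 * <p>An instance holds an optional CRL distribution point, an optional certificate file used to
 * verify the CRL signature, and an optional set of blacklisted subject DNs. {@link #run()}
 * downloads and verifies the CRL; {@link #checkCertStatus(X509CertRef)} evaluates a certificate
 * against the blacklist and the currently installed CRL.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>If a distribution point is configured but no verified CRL is installed, every
 *       certificate is rejected (fail closed).</li>
 *   <li>If no distribution point is configured, only the subject DN blacklist is consulted;
 *       no revocation check takes place.</li>
 *   <li>A failed refresh replaces the previously installed CRL with {@code null}, so
 *       certificates are rejected until a later refresh succeeds.</li>
 * </ul>
 *
 * <p>Access to the CRL and the refresh deadline is guarded by the instance monitor.
 */
public class IssuerConfig implements Runnable, ITimedJob {
    private static final Logger log = LoggerFactory.getLogger(IssuerConfig.class);

    /** Conversion factor for the refresh intervals, which are configured in minutes. */
    private static final long MILLIS_PER_MINUTE = 60000L;

    private final String crlDistributionPoint;
    private final String crlVerificationCertificate;
    private final Set<String> subjectDnBlacklist;
    private final long refreshCrlMinutes;
    private final long refreshCrlMinutesOnFailure;
    private Long nextCrlLoad;
    private X509CRL crl;

    /**
     * Creates the configuration for one issuer.
     *
     * @param crlDistributionPoint URL of the CRL, or {@code null} to disable CRL checking; when
     *     set, the first download is scheduled one second after construction
     * @param crlVerificationCertificate path of a certificate file used to verify the CRL
     *     signature, or {@code null} to search the JVM default trust store instead
     * @param subjectDnBlacklist subject DNs that are always rejected, may be {@code null}; the set
     *     is stored by reference, so later changes by the caller are visible here
     * @param refreshCrlMinutes refresh interval in minutes after a successful load
     * @param refreshCrlMinutesOnFailure refresh interval in minutes after a failed load
     */
    public IssuerConfig(String crlDistributionPoint, String crlVerificationCertificate,
            Set<String> subjectDnBlacklist, long refreshCrlMinutes, long refreshCrlMinutesOnFailure) {
        this.crlDistributionPoint = crlDistributionPoint;
        this.crlVerificationCertificate = crlVerificationCertificate;
        this.subjectDnBlacklist = subjectDnBlacklist;
        this.refreshCrlMinutes = refreshCrlMinutes;
        this.refreshCrlMinutesOnFailure = refreshCrlMinutesOnFailure;
        this.nextCrlLoad = crlDistributionPoint == null
                ? null
                : Long.valueOf(System.currentTimeMillis() + 1000);
    }

    /**
     * Returns the currently installed CRL.
     *
     * @return the CRL, or {@code null} if none is installed
     */
    public synchronized X509CRL getCrl() {
        return this.crl;
    }

    /**
     * Installs a CRL (or clears it) and computes the time of the next refresh.
     *
     * <p>Passing {@code null} schedules the next refresh after the failure interval. Otherwise
     * the refresh happens after the regular interval, or at the CRL's {@code nextUpdate} if that
     * is earlier and still in the future.
     *
     * <p>NOTE(review): a CRL whose {@code nextUpdate} lies in the past is still installed and
     * used for revocation decisions; only the refresh is brought forward. Neither
     * {@code thisUpdate} nor a CRL number is compared with the previously installed CRL, so an
     * outdated but correctly signed CRL is accepted. Confirm that this matches the intended
     * freshness policy.
     *
     * @param x509crl the verified CRL, or {@code null} after a failed load
     */
    public synchronized void setCrl(X509CRL x509crl) {
        long now = System.currentTimeMillis();
        if (x509crl == null) {
            this.nextCrlLoad = Long.valueOf(now + (this.refreshCrlMinutesOnFailure * MILLIS_PER_MINUTE));
        } else {
            long refreshAt = now + (this.refreshCrlMinutes * MILLIS_PER_MINUTE);
            Date nextUpdate = x509crl.getNextUpdate();
            if (nextUpdate != null && nextUpdate.getTime() < refreshAt) {
                if (nextUpdate.getTime() > now) {
                    // The issuer announces a newer CRL before our regular interval elapses.
                    refreshAt = nextUpdate.getTime();
                } else {
                    log.warn("Next update [{}] of CRL for [{}] is in the past, using failure refresh interval.", nextUpdate, x509crl.getIssuerX500Principal());
                    refreshAt = now + (this.refreshCrlMinutesOnFailure * MILLIS_PER_MINUTE);
                }
            }
            log.info("Next CRL refresh for [{}] is [{}].", x509crl.getIssuerX500Principal(), new Date(refreshAt));
            this.nextCrlLoad = Long.valueOf(refreshAt);
        }
        this.crl = x509crl;
    }

    /**
     * Returns the configured CRL distribution point.
     *
     * @return the CRL URL, or {@code null} if CRL checking is disabled
     */
    public String getCrlDistributionPoint() {
        return this.crlDistributionPoint;
    }

    /**
     * Returns the subject DN blacklist exactly as passed to the constructor.
     *
     * <p>NOTE(review): the internal set is returned without a defensive copy, so callers can
     * modify the blacklist if the set is mutable.
     *
     * @return the blacklist, or {@code null} if none was configured
     */
    public Set<String> getSubjectDnBlacklist() {
        return this.subjectDnBlacklist;
    }

    /**
     * Decides whether a certificate is acceptable under the blacklist and the installed CRL.
     *
     * <p>The blacklist lookup is an exact string match on the value of
     * {@code getSubjectDn()}. The revocation lookup uses the serial number only.
     *
     * <p>NOTE(review): this method does not compare the CRL issuer with the certificate's
     * issuer; presumably the caller selects the {@code IssuerConfig} by issuer first. Verify
     * against the caller.
     *
     * @param x509CertRef the certificate to check
     * @return {@code true} if the certificate is neither blacklisted nor revoked; {@code false}
     *     if it is blacklisted, revoked, or a CRL is configured but not installed
     */
    public boolean checkCertStatus(X509CertRef x509CertRef) {
        if (this.subjectDnBlacklist != null && this.subjectDnBlacklist.contains(x509CertRef.getSubjectDn())) {
            log.error("Certificate [{}] is blacklisted.", x509CertRef);
            return false;
        }
        synchronized (this) {
            if (this.crl == null) {
                if (this.crlDistributionPoint == null) {
                    // No CRL configured for this issuer: nothing further to check.
                    return true;
                }
                // Fail closed: a CRL is expected but no verified copy is available.
                log.error("Certificate [{}] is rejected, because the issuer CRL is not yet loaded.", x509CertRef);
                return false;
            }
            X509CRLEntry revokedCertificate = this.crl.getRevokedCertificate(x509CertRef.getSerial());
            if (revokedCertificate == null) {
                return true;
            }
            log.error("Certificate [{}] has been revoked at [{}] with reason [{}].", x509CertRef, revokedCertificate.getRevocationDate(), revokedCertificate.getRevocationReason());
            return false;
        }
    }

    /**
     * Returns the delay until the next CRL refresh.
     *
     * @return milliseconds until the next refresh (negative if it is overdue), or {@code null}
     *     if no refresh is scheduled
     */
    public synchronized Long getNextExecutionDelay() {
        if (this.nextCrlLoad == null) {
            return null;
        }
        return Long.valueOf(this.nextCrlLoad.longValue() - System.currentTimeMillis());
    }

    /**
     * Downloads the CRL, verifies its signature and installs the result.
     *
     * <p>Any failure (download, parsing, expired verification certificate, bad signature, no
     * matching signer) is logged and leads to {@code setCrl(null)}, which discards the
     * previously installed CRL.
     */
    @Override // java.lang.Runnable
    public void run() {
        X509CRL verifiedCrl = null;
        try {
            log.info("Loading CRL from [{}]", this.crlDistributionPoint);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            X509CRL candidate = downloadCrl(certificateFactory);
            log.info("Successfully loaded CRL from [{}]", this.crlDistributionPoint);
            if (this.crlVerificationCertificate == null) {
                if (verifyWithDefaultTrustStore(candidate)) {
                    verifiedCrl = candidate;
                }
            } else {
                verifyWithConfiguredCertificate(certificateFactory, candidate);
                verifiedCrl = candidate;
            }
            if (verifiedCrl == null) {
                log.error("Cannot find a signing certificate for CRL from [{}].", this.crlDistributionPoint);
            }
        } catch (Exception e) {
            log.error("Error loading CRL from URL [{}]", this.crlDistributionPoint, e);
        }
        setCrl(verifiedCrl);
    }

    /**
     * Fetches and parses the CRL from the configured distribution point.
     *
     * <p>The integrity of the CRL rests on the signature check performed afterwards, not on the
     * transport. NOTE(review): no connect or read timeout is set on the connection, so an
     * unresponsive server can block the calling thread; consider configuring timeouts.
     */
    private X509CRL downloadCrl(CertificateFactory certificateFactory) throws Exception {
        URLConnection connection = new URL(this.crlDistributionPoint).openConnection();
        try (InputStream inputStream = connection.getInputStream()) {
            return (X509CRL) certificateFactory.generateCRL(inputStream);
        }
    }

    /**
     * Verifies the CRL against the first default trust store certificate whose subject equals
     * the CRL issuer.
     *
     * <p>Only the validity period and the signature are checked. NOTE(review): the key usage of
     * the matching certificate (for example cRLSign) is not examined here.
     *
     * @return {@code true} once the CRL has been verified, {@code false} if no certificate with
     *     a matching subject exists
     * @throws Exception if the matching certificate is not valid or the signature check fails
     */
    private boolean verifyWithDefaultTrustStore(X509CRL candidate) throws Exception {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null key store selects the JVM default trust store.
        trustManagerFactory.init((KeyStore) null);
        for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
            if (!(trustManager instanceof X509TrustManager)) {
                continue;
            }
            // Bounded iteration: the search ends when the accepted issuers are exhausted.
            for (X509Certificate issuer : ((X509TrustManager) trustManager).getAcceptedIssuers()) {
                if (issuer.getSubjectX500Principal().equals(candidate.getIssuerX500Principal())) {
                    log.info("Verifying CRL from [{}] with Certificate [{}].", this.crlDistributionPoint, issuer.getSubjectX500Principal());
                    issuer.checkValidity();
                    candidate.verify(issuer.getPublicKey());
                    log.info("Successfully verified CRL from [{}]", this.crlDistributionPoint);
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Verifies the CRL against the certificate stored in the configured file.
     *
     * <p>The certificate's subject is not compared with the CRL issuer; a mismatch surfaces as
     * a failed signature check.
     *
     * @throws Exception if the file cannot be read or parsed, the certificate is not valid, or
     *     the signature check fails
     */
    private void verifyWithConfiguredCertificate(CertificateFactory certificateFactory, X509CRL candidate) throws Exception {
        X509Certificate verificationCertificate;
        try (FileInputStream fileInputStream = new FileInputStream(this.crlVerificationCertificate)) {
            verificationCertificate = (X509Certificate) certificateFactory.generateCertificate(fileInputStream);
        }
        log.info("Verifying CRL from [{}] with Certificate [{}] from [{}].", this.crlDistributionPoint, verificationCertificate.getSubjectX500Principal(), this.crlVerificationCertificate);
        verificationCertificate.checkValidity();
        candidate.verify(verificationCertificate.getPublicKey());
        log.info("Successfully verified CRL from [{}]", this.crlDistributionPoint);
    }
}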
