package eu.unicore.security.canl;

import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.ProxySupport;
import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.emi.security.authn.x509.impl.CRLParameters;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;
import eu.emi.security.authn.x509.impl.KeystoreCertChainValidator;
import eu.emi.security.authn.x509.impl.KeystoreCredential;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;
import eu.emi.security.authn.x509.impl.RevocationParametersExt;
import eu.emi.security.authn.x509.impl.ValidatorParams;
import eu.emi.security.authn.x509.impl.ValidatorParamsExt;
import eu.unicore.util.Log;
import eu.unicore.util.configuration.ConfigurationException;
import eu.unicore.util.configuration.PropertiesHelper;
import eu.unicore.util.configuration.PropertyChangeListener;
import eu.unicore.util.configuration.PropertyMD;
import java.io.File;
import java.io.IOException;
import java.security.KeyStoreException;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:eu/unicore/security/canl/TrustedIssuersProperties.class */
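/**
 * Configuration of the "trusted issuers" (CA certificates) and factory of the
 * matching canl {@link X509CertChainValidatorExt}.
 *
 * <p>Three truststore types are supported (see {@link TruststoreType}): a Java
 * keystore, an openssl-style CA directory, and a directory/URL list of
 * certificate files. Exactly one validator is created, depending on the
 * {@code type} property; the two runtime-updateable properties
 * ({@code updateInterval} and {@code directoryLocations.*}) are pushed to the
 * live validator through {@link PropertyChangeListenerImpl}.
 *
 * <p>Security notes (grounded in the code below):
 * <ul>
 *   <li>Every validator is built with {@code CrlCheckingMode.IGNORE} and
 *       {@code OCSPCheckingMode.IGNORE}, i.e. certificate revocation is not
 *       checked at all; the openssl validator additionally ignores namespace
 *       constraints. Subclasses can change that by overriding
 *       {@link #getOCSPParameters()} / {@link #getValidatorParamsExt()}.</li>
 *   <li>Proxy certificates are rejected ({@code ProxySupport.DENY}).</li>
 *   <li>The keystore password may be read from a plain property
 *       ({@code keystorePassword}, flagged as secret in {@link #META}) unless
 *       the {@link PasswordCallback} asks to ignore properties.</li>
 *   <li>{@code directoryLocations.*} may point at remote URLs; the optional
 *       on-disk cache ({@code directoryDiskCachePath}) must therefore be
 *       write-protected from unprivileged users, as its description says.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: several members that the decompiler
 * marked as originally {@code protected} are shown as {@code public}, and
 * {@link #mo17clone()} is the decompiler's rename of {@code clone()}. Both are
 * kept as-is so the visible interface does not change.
 */
public class TrustedIssuersProperties extends PropertiesHelper {
    /** Default property name prefix. */
    public static final String DEFAULT_PREFIX = "trustedIssuers.";
    public static final String PROP_TYPE = "type";
    public static final String PROP_KS_PATH = "keystorePath";
    public static final String PROP_KS_PASSWORD = "keystorePassword";
    public static final String PROP_KS_TYPE = "keystoreFormat";
    public static final String PROP_OPENSSL_DIR = "opensslPath";
    public static final String PROP_OPENSSL_NEW_STORE_FORMAT = "opensslNewStoreFormat";
    public static final String PROP_DIRECTORY_ENCODING = "directoryEncoding";
    public static final String PROP_DIRECTORY_CONNECTION_TIMEOUT = "directoryConnectionTimeout";
    public static final String PROP_DIRECTORY_CACHE_PATH = "directoryDiskCachePath";
    /** Listeners handed to every validator created here (may be {@code null}; canl decides). */
    protected Collection<? extends StoreUpdateListener> initialListeners;
    /** Only one of the three validators is non-null, selected by {@link #type}. */
    protected OpensslCertChainValidator opensslValidator;
    protected DirectoryCertChainValidator directoryValidator;
    protected KeystoreCertChainValidator ksValidator;
    protected TruststoreType type;
    /** Truststore refresh interval in seconds (converted to ms when passed to canl). */
    protected long storeUpdateInterval;
    protected String opensslDir;
    protected boolean opensslNewStoreFormat;
    protected CertificateUtils.Encoding directoryEncoding;
    protected List<String> directoryLocations;
    /** Remote CA fetch timeout in seconds (converted to ms when passed to canl). */
    protected int caConnectionTimeout;
    protected String caDiskCache;
    protected String ksPath;
    protected String ksType;
    protected PasswordCallback passwordCallback;
    private static final Logger log = Log.getLogger(Log.CONFIGURATION, TrustedIssuersProperties.class);
    public static final String PROP_UPDATE = "updateInterval";
    public static final String PROP_DIRECTORY_LOCATIONS = "directoryLocations.";
    private static final String[] UPDATEABLE_PROPS = {PROP_UPDATE, PROP_DIRECTORY_LOCATIONS};
    /** Property metadata (defaults, documentation, secret/updateable flags); filled in the static block. */
    public static final Map<String, PropertyMD> META = new HashMap<>();

    /**
     * Forwards change notifications for the updateable properties to
     * {@link TrustedIssuersProperties#update(String)}.
     */
    private class PropertyChangeListenerImpl implements PropertyChangeListener {
        private PropertyChangeListenerImpl() {
        }

        @Override
        public String[] getInterestingProperties() {
            return TrustedIssuersProperties.this.getUpdateableProperties();
        }

        @Override
        public void propertyChanged(String str) {
            TrustedIssuersProperties.this.update(str);
        }
    }

    /** Supported truststore backends; the enum names are the accepted {@code type} values. */
    public enum TruststoreType {
        keystore,
        openssl,
        directory
    }

    /**
     * Creates the configuration with the default prefix and no password callback.
     *
     * @param properties source properties
     * @param collection store update listeners passed to the validator
     * @throws ConfigurationException if the properties are invalid or the truststore cannot be opened
     */
    public TrustedIssuersProperties(Properties properties, Collection<? extends StoreUpdateListener> collection) throws ConfigurationException {
        this(properties, collection, null, DEFAULT_PREFIX);
    }

    /**
     * Creates the configuration with the default prefix.
     *
     * @param passwordCallback optional source of the keystore password, see {@link #getKeystoreValidator()}
     * @throws ConfigurationException if the properties are invalid or the truststore cannot be opened
     */
    public TrustedIssuersProperties(Properties properties, Collection<? extends StoreUpdateListener> collection, PasswordCallback passwordCallback) throws ConfigurationException {
        this(properties, collection, passwordCallback, DEFAULT_PREFIX);
    }

    /**
     * Creates the configuration with a custom property prefix and no password callback.
     *
     * @param str property name prefix
     * @throws ConfigurationException if the properties are invalid or the truststore cannot be opened
     */
    public TrustedIssuersProperties(Properties properties, Collection<? extends StoreUpdateListener> collection, String str) throws ConfigurationException {
        this(properties, collection, null, str);
    }

    /**
     * Creates the configuration using the shared {@link #META} and logger.
     *
     * @throws ConfigurationException if the properties are invalid or the truststore cannot be opened
     */
    public TrustedIssuersProperties(Properties properties, Collection<? extends StoreUpdateListener> collection, PasswordCallback passwordCallback, String str) throws ConfigurationException {
        this(META, log, properties, collection, passwordCallback, str);
    }

    /**
     * Full constructor (originally {@code protected}, intended for subclasses
     * that extend the metadata). The validator is created eagerly, so any
     * truststore problem surfaces here; the change listener is registered only
     * afterwards, so {@link #update(String)} never sees a half-initialised object.
     *
     * @param map property metadata to validate against
     * @param logger logger used by the properties helper
     * @throws ConfigurationException if the properties are invalid or the truststore cannot be opened
     */
    public TrustedIssuersProperties(Map<String, PropertyMD> map, Logger logger, Properties properties, Collection<? extends StoreUpdateListener> collection, PasswordCallback passwordCallback, String str) throws ConfigurationException {
        super(str, properties, map, logger);
        this.opensslValidator = null;
        this.directoryValidator = null;
        this.ksValidator = null;
        this.initialListeners = collection;
        this.passwordCallback = passwordCallback;
        createValidatorSafe();
        addPropertyChangeListener(new PropertyChangeListenerImpl());
    }

    /**
     * Returns the validator matching the configured truststore type.
     *
     * @return the single validator created by {@link #createValidator()}
     * @throws IllegalStateException if the type is not covered (programming error)
     */
    public X509CertChainValidatorExt getValidator() {
        switch (this.type) {
            case keystore:
                return this.ksValidator;
            case openssl:
                return this.opensslValidator;
            case directory:
                return this.directoryValidator;
            default:
                throw new IllegalStateException("BUG: not all truststore types are handled in the code");
        }
    }

    /**
     * Applies a runtime change of one of the updateable properties to the live
     * validator (originally {@code protected}; invoked through the change listener).
     *
     * @param str name of the changed property (without prefix)
     * @throws ConfigurationException if the new value cannot be parsed
     */
    public void update(String str) throws ConfigurationException {
        if (PROP_UPDATE.equals(str)) {
            long newIntervalSeconds = getLongValue(PROP_UPDATE).longValue();
            if (newIntervalSeconds != this.storeUpdateInterval) {
                pushUpdateInterval(newIntervalSeconds * 1000);
                this.storeUpdateInterval = newIntervalSeconds;
                log.info("Updated {}updateInterval value to {}", this.prefix, this.storeUpdateInterval);
            }
        }
        // Locations only matter for the directory backend; for the other types there is
        // no directory validator to update (and the list is simply ignored).
        if (this.directoryValidator != null && str != null && str.startsWith(PROP_DIRECTORY_LOCATIONS)) {
            List<String> newLocations = getListOfValues(PROP_DIRECTORY_LOCATIONS);
            if (newLocations.equals(this.directoryLocations)) {
                return;
            }
            this.directoryValidator.setTruststorePaths(newLocations);
            this.directoryLocations = newLocations;
            log.info("Updated {}directoryLocations.", this.prefix);
        }
    }

    /** Forwards a new refresh interval (milliseconds) to whichever validator exists. */
    private void pushUpdateInterval(long intervalMillis) {
        if (this.opensslValidator != null) {
            this.opensslValidator.setUpdateInterval(intervalMillis);
        }
        if (this.directoryValidator != null) {
            this.directoryValidator.setTruststoreUpdateInterval(intervalMillis);
        }
        if (this.ksValidator != null) {
            this.ksValidator.setTruststoreUpdateInterval(intervalMillis);
        }
    }

    /**
     * Names of the properties that can be changed at runtime.
     *
     * @return {@code updateInterval} and the {@code directoryLocations.} list prefix
     */
    protected String[] getUpdateableProperties() {
        return UPDATEABLE_PROPS;
    }

    /**
     * Runs {@link #createValidator()} and converts I/O and keystore failures
     * into a {@link ConfigurationException} that keeps the original cause.
     */
    private void createValidatorSafe() throws ConfigurationException {
        try {
            createValidator();
        } catch (IOException | KeyStoreException e) {
            throw new ConfigurationException("There was a problem setting up the truststore of type " + this.type + ": " + e.getMessage(), e);
        }
    }

    /**
     * Reads the common properties and instantiates the validator selected by
     * {@code type} (originally {@code protected}).
     *
     * @throws ConfigurationException on invalid or missing properties
     * @throws KeyStoreException if the keystore backend cannot be opened
     * @throws IOException if a truststore file cannot be read
     */
    public void createValidator() throws ConfigurationException, KeyStoreException, IOException {
        this.type = (TruststoreType) getEnumValue(PROP_TYPE, TruststoreType.class);
        this.storeUpdateInterval = getLongValue(PROP_UPDATE).longValue();
        switch (this.type) {
            case keystore:
                this.ksValidator = getKeystoreValidator();
                break;
            case openssl:
                this.opensslValidator = getOpensslValidator();
                break;
            case directory:
                this.directoryValidator = getDirectoryValidator();
                break;
            default:
                // unreachable for the current enum; getValidator() reports it as a bug
                break;
        }
    }

    /**
     * Builds the directory-type validator from {@code directoryLocations.*},
     * {@code directoryEncoding}, {@code directoryConnectionTimeout} and the
     * optional {@code directoryDiskCachePath}. Locations may be remote URLs,
     * which is why a connection timeout and a disk cache exist.
     *
     * @throws ConfigurationException on invalid or missing properties
     * @throws KeyStoreException propagated from canl
     * @throws IOException if a certificate location cannot be read
     */
    public DirectoryCertChainValidator getDirectoryValidator() throws ConfigurationException, KeyStoreException, IOException {
        this.directoryLocations = getListOfValues(PROP_DIRECTORY_LOCATIONS);
        this.directoryEncoding = getEnumValue(PROP_DIRECTORY_ENCODING, CertificateUtils.Encoding.class);
        this.caConnectionTimeout = getIntValue(PROP_DIRECTORY_CONNECTION_TIMEOUT).intValue();
        this.caDiskCache = getFileValueAsString(PROP_DIRECTORY_CACHE_PATH, true);
        // canl takes milliseconds; the properties are documented in seconds
        long updateMillis = this.storeUpdateInterval * 1000;
        int timeoutMillis = this.caConnectionTimeout * 1000;
        return new DirectoryCertChainValidator(this.directoryLocations, this.directoryEncoding, updateMillis, timeoutMillis, this.caDiskCache, getValidatorParamsExt());
    }

    /**
     * Builds the openssl-directory validator. Namespace (signing policy)
     * checking is switched off and revocation parameters come from
     * {@link #getOCSPParameters()} with CRL checking disabled.
     *
     * @throws ConfigurationException on invalid or missing properties
     */
    protected OpensslCertChainValidator getOpensslValidator() throws ConfigurationException {
        this.opensslDir = getFileValueAsString(PROP_OPENSSL_DIR, true);
        this.opensslNewStoreFormat = getBooleanValue(PROP_OPENSSL_NEW_STORE_FORMAT).booleanValue();
        RevocationParameters revocation = new RevocationParameters(CrlCheckingMode.IGNORE, getOCSPParameters());
        ValidatorParams params = new ValidatorParams(revocation, ProxySupport.DENY, this.initialListeners);
        return new OpensslCertChainValidator(this.opensslDir, this.opensslNewStoreFormat, NamespaceCheckingMode.IGNORE, this.storeUpdateInterval * 1000, params);
    }

    /**
     * Builds the keystore-type validator. The keystore file must exist and be
     * readable; the password is taken from the {@code keystorePassword} property
     * unless the callback asks to ignore properties, then from the callback; the
     * keystore format is autodetected when {@code keystoreFormat} is unset.
     *
     * @throws ConfigurationException if path or password is missing, the file is
     *         not a readable regular file, or format autodetection fails
     * @throws KeyStoreException if the keystore cannot be loaded
     * @throws IOException if the keystore file cannot be read
     */
    public KeystoreCertChainValidator getKeystoreValidator() throws ConfigurationException, KeyStoreException, IOException {
        this.ksPath = getValue(PROP_KS_PATH);
        if (this.ksPath == null) {
            throw new ConfigurationException("Keystore path must be set, property: " + this.prefix + "keystorePath");
        }
        File ksFile = new File(this.ksPath);
        // isFile() implies exists(); reject directories and unreadable files early
        if (!ksFile.isFile() || !ksFile.canRead()) {
            throw new ConfigurationException("Keystore specified in the property " + this.prefix + "keystorePath must be an EXISTING, READABLE file: " + this.ksPath);
        }
        char[] password = resolveKeystorePassword();
        this.ksType = getValue(PROP_KS_TYPE);
        if (this.ksType == null) {
            autodetectKeystoreType(password);
        }
        // the password array is handed to canl, which needs it for periodic reloads,
        // so it is deliberately not cleared here
        return new KeystoreCertChainValidator(this.ksPath, password, this.ksType, this.storeUpdateInterval * 1000, getValidatorParamsExt());
    }

    /**
     * Resolves the keystore password: property first (unless the callback vetoes
     * properties), then the callback. Requires {@link #ksPath} to be set.
     *
     * @throws ConfigurationException if no password is available from either source
     */
    private char[] resolveKeystorePassword() throws ConfigurationException {
        char[] password = null;
        boolean propertyAllowed = this.passwordCallback == null || !this.passwordCallback.ignoreProperties();
        if (propertyAllowed) {
            String fromProperty = getValue(PROP_KS_PASSWORD);
            if (fromProperty != null) {
                password = fromProperty.toCharArray();
            }
        }
        if (password == null && this.passwordCallback != null) {
            password = this.passwordCallback.getPassword("truststore", this.ksPath);
        }
        if (password == null) {
            throw new ConfigurationException("Keystore password must be set, property: " + this.prefix + "keystorePassword");
        }
        return password;
    }

    /**
     * Validation parameters for the keystore and directory backends: CRL and
     * OCSP checking disabled, proxies denied, initial listeners attached.
     * Override to enable revocation checking.
     */
    protected ValidatorParamsExt getValidatorParamsExt() {
        RevocationParametersExt revocation = new RevocationParametersExt(CrlCheckingMode.IGNORE, new CRLParameters(), getOCSPParameters());
        return new ValidatorParamsExt(revocation, ProxySupport.DENY, this.initialListeners);
    }

    /**
     * OCSP settings shared by all backends; OCSP is disabled here.
     * Override to enable it.
     */
    protected OCSPParametes getOCSPParameters() {
        return new OCSPParametes(OCSPCheckingMode.IGNORE);
    }

    /**
     * Detects the keystore format from the file and password when
     * {@code keystoreFormat} is not configured.
     *
     * @param password keystore password used for the probe
     * @throws ConfigurationException wrapping the underlying failure
     */
    private void autodetectKeystoreType(char[] password) throws ConfigurationException {
        try {
            this.ksType = KeystoreCredential.autodetectType(this.ksPath, password);
        } catch (Exception e) {
            // keep the diagnostic in the log rather than on stderr, and preserve the cause;
            // only the path is logged, never the password
            log.debug("Keystore type autodetection failed for {}", this.ksPath, e);
            throw new ConfigurationException("Truststore type is not set in the property " + this.prefix + "keystoreFormat and its autodetection failed. Try to set it and also review password and location - most probably those are wrong.", e);
        }
    }

    /**
     * Copy constructor equivalent; decompiler rename of {@code clone()}.
     * Re-reads the same properties (creating a fresh validator) and copies the
     * helper state via {@code cloneTo}.
     */
    @Override
    public TrustedIssuersProperties mo17clone() {
        TrustedIssuersProperties copy = new TrustedIssuersProperties(this.properties, this.initialListeners, this.passwordCallback, this.prefix);
        super.cloneTo(copy);
        return copy;
    }

    static {
        PropertyMD.DocumentationCategory directoryCat = new PropertyMD.DocumentationCategory("Directory type settings", "1");
        PropertyMD.DocumentationCategory keystoreCat = new PropertyMD.DocumentationCategory("Keystore type settings", "2");
        PropertyMD.DocumentationCategory opensslCat = new PropertyMD.DocumentationCategory("Openssl type settings", "3");
        META.put(PROP_TYPE, new PropertyMD().setEnum(TruststoreType.directory).setMandatory().setDescription("The truststore type."));
        META.put(PROP_UPDATE, new PropertyMD("600").setLong().setUpdateable().setDescription("How often the truststore should be reloaded, in seconds. Set to negative value to disable refreshing at runtime."));
        // marked secret so the helper does not echo it in logs/dumps
        META.put(PROP_KS_PASSWORD, new PropertyMD().setSecret().setCategory(keystoreCat).setDescription("The password of the keystore type truststore."));
        META.put(PROP_KS_TYPE, new PropertyMD().setCategory(keystoreCat).setDescription("The keystore type (jks, pkcs12) in case of truststore of keystore type."));
        META.put(PROP_KS_PATH, new PropertyMD().setCategory(keystoreCat).setDescription("The keystore path in case of truststore of keystore type."));
        META.put(PROP_OPENSSL_DIR, new PropertyMD("/etc/grid-security/certificates").setPath().setCategory(opensslCat).setDescription("Directory to be used for opeenssl truststore."));
        META.put(PROP_OPENSSL_NEW_STORE_FORMAT, new PropertyMD("false").setCategory(opensslCat).setDescription("In case of openssl truststore, specifies whether the trust store is in openssl 1.0.0+ format (true) or older openssl 0.x format (false)"));
        META.put(PROP_DIRECTORY_LOCATIONS, new PropertyMD().setList(false).setUpdateable().setCategory(directoryCat).setDescription("List of CA certificates locations. Can contain URLs, local files and wildcard expressions."));
        META.put(PROP_DIRECTORY_ENCODING, new PropertyMD(CertificateUtils.Encoding.PEM).setCategory(directoryCat).setDescription("For directory truststore controls whether certificates are encoded in PEM or DER. Note that the PEM file can contain arbitrary number of concatenated, PEM-encoded certificates."));
        META.put(PROP_DIRECTORY_CONNECTION_TIMEOUT, new PropertyMD("15").setCategory(directoryCat).setDescription("Connection timeout for fetching the remote CA certificates in seconds."));
        META.put(PROP_DIRECTORY_CACHE_PATH, new PropertyMD().setPath().setCategory(directoryCat).setDescription("Directory where CA certificates should be cached, after downloading them from a remote source. Can be left undefined if no disk cache should be used. Note that directory should be secured, i.e. normal users should not be allowed to write to it."));
    }
}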
