package dk.itst.oiosaml.sp.metadata;

import dk.itst.oiosaml.configuration.SAMLConfigurationFactory;
import dk.itst.oiosaml.error.Layer;
import dk.itst.oiosaml.error.WrappedException;
import dk.itst.oiosaml.helper.DeveloperHelper;
import dk.itst.oiosaml.logging.Audit;
import dk.itst.oiosaml.logging.Logger;
import dk.itst.oiosaml.logging.LoggerFactory;
import dk.itst.oiosaml.logging.Operation;
import dk.itst.oiosaml.security.CredentialRepository;
import dk.itst.oiosaml.sp.metadata.IdpMetadata;
import dk.itst.oiosaml.sp.service.util.Constants;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.Callable;
import org.apache.commons.configuration.Configuration;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.i18n.filter.UntrustedUrlInput;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
import org.fishwife.jrugged.CircuitBreaker;
import org.fishwife.jrugged.CircuitBreakerConfig;
import org.fishwife.jrugged.CircuitBreakerException;
import org.fishwife.jrugged.CircuitBreakerFactory;
import org.fishwife.jrugged.DefaultFailureInterpreter;
import org.opensaml.xml.security.x509.X509Credential;

/* loaded from: input_file:dk/itst/oiosaml/sp/metadata/CRLChecker.class */
public class CRLChecker {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CRLChecker.class);
    private static final String AUTH_INFO_ACCESS = X509Extension.authorityInfoAccess.getId();
    private static final CircuitBreakerFactory CIRCUIT_BREAKER_FACTORY = new CircuitBreakerFactory();
    private Timer timer;

    public void checkCertificates(IdpMetadata idpMetadata, final Configuration configuration) {
        boolean z;
        long j = configuration.getLong(Constants.PROP_CIRCUIT_BREAKER_RESET_TIME_IN_SECONDS) * 1000;
        int i = configuration.getInt(Constants.PROP_CIRCUIT_BREAKER_ATTEMPTS_BEFORE_OPENING);
        long j2 = configuration.getLong(Constants.PROP_CIRCUIT_BREAKER_ATTEMPTS_WITHIN_IN_SECONDS) * 1000;
        long j3 = configuration.getLong(Constants.PROP_CIRCUIT_BREAKER_DELAY_BETWEEN_ATTEMPTS_IN_SECONDS) * 1000;
        long j4 = configuration.getLong(Constants.PROP_CERTIFICATES_REMAIN_VALID_PERIOD_IN_SECONDS) * 1000;
        for (final String str : idpMetadata.getEntityIDs()) {
            final IdpMetadata.Metadata metadata = idpMetadata.getMetadata(str);
            for (final X509Certificate x509Certificate : metadata.getAllCertificates()) {
                CircuitBreaker createCircuitBreaker = CIRCUIT_BREAKER_FACTORY.createCircuitBreaker(x509Certificate.getSubjectDN().toString(), new CircuitBreakerConfig(j, new DefaultFailureInterpreter(i, j2)));
                do {
                    try {
                        if (((Boolean) createCircuitBreaker.invoke(new Callable<Boolean>() { // from class: dk.itst.oiosaml.sp.metadata.CRLChecker.1
                            /* JADX WARN: Can't rename method to resolve collision */
                            @Override // java.util.concurrent.Callable
                            public Boolean call() {
                                return CRLChecker.checkCertificate(configuration, str, metadata, x509Certificate);
                            }
                        })).booleanValue()) {
                            metadata.setCertificateValid(x509Certificate, true);
                            log.debug("Certificate validated successfully: " + x509Certificate.getSubjectDN());
                        } else {
                            metadata.setCertificateValid(x509Certificate, false);
                            log.debug("Certificate did not validate: " + x509Certificate.getSubjectDN());
                        }
                        z = false;
                    } catch (CircuitBreakerException e) {
                        RevokeCertificateIfRemainValidPeriodIsExpired(metadata, x509Certificate, e, j4);
                        z = false;
                    } catch (Exception e2) {
                        RevokeCertificateIfRemainValidPeriodIsExpired(metadata, x509Certificate, e2, j4);
                        z = true;
                        try {
                            Thread.sleep(j3);
                        } catch (InterruptedException e3) {
                        }
                    }
                } while (z);
            }
        }
    }

    private static void RevokeCertificateIfRemainValidPeriodIsExpired(IdpMetadata.Metadata metadata, X509Certificate x509Certificate, Exception exc, long j) {
        Date lastTimeForCertificationValidation = metadata.getLastTimeForCertificationValidation(x509Certificate);
        if (lastTimeForCertificationValidation != null) {
            Date date = new Date(lastTimeForCertificationValidation.getTime() + j);
            if (new Date().before(date)) {
                log.warn("Unexpected error while checking revocation of certificate. Certificate " + x509Certificate.getSubjectDN() + " will remain valid until " + date + " if not validated successfully before.", exc);
            } else {
                log.error("Unexpected error while checking revocation of certificate. Certificate " + x509Certificate.getSubjectDN() + " has been marked as revoked!!", exc);
                metadata.setCertificateValid(x509Certificate, false);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Boolean checkCertificate(Configuration configuration, String str, IdpMetadata.Metadata metadata, X509Certificate x509Certificate) {
        boolean z = false;
        Exception exc = null;
        boolean z2 = configuration.getBoolean(Constants.SELF_SIGNED_CERT_SUPPORT, false);
        boolean z3 = configuration.getBoolean(Constants.DISABLE_OCES_TEST_CRL_CHECK, true);
        if (!configuration.getBoolean(Constants.DISABLE_OCES_TEST_CRL_CHECK_BAD_SPELLING, true)) {
            z3 = false;
        }
        if (z2 && x509Certificate.getSubjectDN().equals(x509Certificate.getIssuerDN())) {
            log.info("Certificate is self-signed, skip validation");
            return true;
        }
        if (z3) {
            String name = x509Certificate.getIssuerDN().getName();
            if (name.indexOf("C=DK") >= 0 && name.indexOf("O=TRUST2408") >= 0 && name.indexOf("Systemtest") >= 0) {
                log.info("Certificate is from OCES-test, skip validation");
                return true;
            }
        }
        try {
            log.debug("Checking if certificate with the following subject is revoked using OCSP: " + x509Certificate.getSubjectDN());
            z = doOCSPCheck(configuration, str, metadata, x509Certificate);
            if (z) {
                log.info("Certificate with the following subject IS NOT marked as revoked using OCSP: " + x509Certificate.getSubjectDN());
            } else {
                log.info("Certificate with the following subject IS revoked using OCSP: " + x509Certificate.getSubjectDN());
            }
        } catch (Exception e) {
            log.warn("Unexpected error while validating certificate using OCSP.", e);
            try {
                log.debug("Checking if certificate with the following subject is revoked using CRL: " + x509Certificate.getSubjectDN());
                z = doCRLCheck(configuration, str, metadata, x509Certificate);
                if (z) {
                    log.info("Certificate with the following subject IS NOT marked as revoked using CRL: " + x509Certificate.getSubjectDN());
                } else {
                    log.info("Certificate with the following subject IS revoked using CRL: " + x509Certificate.getSubjectDN());
                }
            } catch (Exception e2) {
                log.warn("Unexpected error while validating certificate using CRL.", e);
                exc = e2;
            }
        }
        if (exc != null) {
            throw new WrappedException(Layer.BUSINESS, exc);
        }
        return Boolean.valueOf(z);
    }

    private static boolean doOCSPCheck(Configuration configuration, String str, IdpMetadata.Metadata metadata, X509Certificate x509Certificate) throws CertificateException, CertPathValidatorException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        boolean z;
        String oCSPUrl = getOCSPUrl(configuration, str, x509Certificate);
        if (oCSPUrl == null) {
            String str2 = "No OCSP access location could be found for " + str;
            log.debug(str2);
            throw new RuntimeException(str2);
        }
        log.debug("Starting OCSP validation of certificate " + x509Certificate.getSubjectDN());
        X509Certificate certificateCA = getCertificateCA(configuration);
        if (certificateCA == null) {
            throw new RuntimeException("CA Certificate for OCSP check could not be retrieved!");
        }
        ArrayList arrayList = new ArrayList();
        arrayList.add(x509Certificate);
        CertPath generateCertPath = CertificateFactory.getInstance("X.509").generateCertPath(arrayList);
        Security.setProperty("ocsp.enable", "true");
        Security.setProperty("ocsp.responderURL", oCSPUrl);
        try {
            PKIXParameters pKIXParameters = new PKIXParameters((Set<TrustAnchor>) Collections.singleton(new TrustAnchor(certificateCA, null)));
            pKIXParameters.setRevocationEnabled(true);
            CertPathValidator.getInstance("PKIX").validate(generateCertPath, pKIXParameters);
            log.debug("Certificate successfully validated during OCSP check.");
            z = false;
        } catch (CertPathValidatorException e) {
            if (!"Certificate has been revoked".equals(e.getMessage())) {
                log.error("Validation failure, cert[" + e.getIndex() + "] :" + e.getMessage());
                throw e;
            }
            z = true;
            log.info("Certificate revoked, cert[" + e.getIndex() + "] :" + e.getMessage());
        }
        if (z) {
            Audit.log(Operation.OCSPCHECK, false, str, "Revoked: YES");
        } else {
            Audit.log(Operation.OCSPCHECK, false, str, "Revoked: NO");
        }
        return !z;
    }

    private static X509Certificate getCertificateCA(Configuration configuration) throws CertificateException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        InputStream inputStream = null;
        String string = configuration.getString(Constants.PROP_OCSP_CA);
        try {
            try {
                try {
                    if (string == null) {
                        log.debug("CA certificate path is not configured");
                        if (0 != 0) {
                            try {
                                inputStream.close();
                            } catch (IOException e) {
                            }
                        }
                        return null;
                    }
                    log.debug("Fetching CA certificate located at: " + string);
                    InputStream openStream = new URL(string).openStream();
                    X509Certificate x509Certificate = (X509Certificate) certificateFactory.generateCertificate(openStream);
                    openStream.close();
                    if (openStream != null) {
                        try {
                            openStream.close();
                        } catch (IOException e2) {
                        }
                    }
                    return x509Certificate;
                } catch (CertificateException e3) {
                    log.error("Unable to read CA certficate from: " + string, e3);
                    if (0 != 0) {
                        try {
                            inputStream.close();
                        } catch (IOException e4) {
                        }
                    }
                    return null;
                }
            } catch (Exception e5) {
                DeveloperHelper.log("The OIOSAML library default configuration checks for the trusted CA certificate in the /temp/ folder - you can change this configuration with the oiosaml-sp.ocsp.ca property setting");
                log.error("Unexpected error while reading CA certficate from: " + string, e5);
                if (0 != 0) {
                    try {
                        inputStream.close();
                    } catch (IOException e6) {
                    }
                }
                return null;
            }
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    inputStream.close();
                } catch (IOException e7) {
                }
            }
            throw th;
        }
    }

    private static String getOCSPUrl(Configuration configuration, String str, X509Certificate x509Certificate) {
        String string = configuration.getString(Constants.PROP_OCSP_RESPONDER);
        if (string != null) {
            return string;
        }
        log.debug("No OCSP configured for " + str + " attempting to extract OCSP location from certificate " + x509Certificate.getSubjectDN());
        AuthorityInformationAccess authorityInformationAccess = null;
        ASN1InputStream aSN1InputStream = null;
        try {
            try {
                ASN1InputStream aSN1InputStream2 = new ASN1InputStream(x509Certificate.getExtensionValue(AUTH_INFO_ACCESS));
                ASN1OctetString readObject = aSN1InputStream2.readObject();
                aSN1InputStream2.close();
                aSN1InputStream = new ASN1InputStream(readObject.getOctets());
                ASN1Primitive readObject2 = aSN1InputStream.readObject();
                aSN1InputStream.close();
                if (readObject2 != null) {
                    authorityInformationAccess = AuthorityInformationAccess.getInstance(readObject2);
                }
                if (aSN1InputStream != null) {
                    try {
                        aSN1InputStream.close();
                    } catch (IOException e) {
                    }
                }
                Iterator<String> it = getOCSPUrls(authorityInformationAccess).iterator();
                while (it.hasNext()) {
                    string = new UntrustedUrlInput(it.next()).toString();
                }
                return string;
            } catch (Exception e2) {
                log.debug("Cannot extract access location of OCSP responder.", e2);
                if (aSN1InputStream != null) {
                    try {
                        aSN1InputStream.close();
                    } catch (IOException e3) {
                    }
                }
                return null;
            }
        } catch (Throwable th) {
            if (aSN1InputStream != null) {
                try {
                    aSN1InputStream.close();
                } catch (IOException e4) {
                }
            }
            throw th;
        }
    }

    private static List<String> getOCSPUrls(AuthorityInformationAccess authorityInformationAccess) {
        ArrayList arrayList = new ArrayList();
        if (authorityInformationAccess != null) {
            AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
            for (int i = 0; i < accessDescriptions.length; i++) {
                if (accessDescriptions[i].getAccessMethod().equals(AccessDescription.id_ad_ocsp)) {
                    GeneralName accessLocation = accessDescriptions[i].getAccessLocation();
                    if (accessLocation.getTagNo() == 6) {
                        arrayList.add(accessLocation.getName().getString());
                    }
                }
            }
        }
        return arrayList;
    }

    private static boolean doCRLCheck(Configuration configuration, String str, IdpMetadata.Metadata metadata, X509Certificate x509Certificate) throws IOException, CertificateException, CRLException, KeyStoreException, NoSuchAlgorithmException {
        boolean z;
        String cRLUrl = getCRLUrl(configuration, str, x509Certificate);
        if (cRLUrl == null) {
            String str2 = "No CRL url could be found for " + str;
            log.debug(str2);
            throw new RuntimeException(str2);
        }
        InputStream inputStream = null;
        try {
            InputStream openStream = new URL(cRLUrl).openStream();
            X509CRL x509crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(openStream);
            log.debug("CRL for " + cRLUrl + ": " + x509crl);
            if (!checkCRLSignature(x509crl, x509Certificate, configuration)) {
                Audit.log(Operation.CRLCHECK, false, str, "CRL Signature could not be validated!!!");
                throw new RuntimeException("CRL Signature could not be validated!!!");
            }
            if (x509crl.getRevokedCertificate(x509Certificate.getSerialNumber()) != null) {
                log.debug("Certificate found in revocation list " + x509Certificate.getSubjectDN());
                z = true;
            } else {
                z = false;
            }
            if (openStream != null) {
                try {
                    openStream.close();
                } catch (IOException e) {
                }
            }
            if (z) {
                Audit.log(Operation.CRLCHECK, false, str, "Revoked: YES");
            } else {
                Audit.log(Operation.CRLCHECK, false, str, "Revoked: NO");
            }
            return !z;
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    inputStream.close();
                } catch (IOException e2) {
                }
            }
            throw th;
        }
    }

    private static String getCRLUrl(Configuration configuration, String str, X509Certificate x509Certificate) {
        String string = configuration.getString(Constants.PROP_CRL + str);
        if (string != null) {
            return string;
        }
        log.debug("No CRL configured for " + str + " attempting to extract distribution point from certificate " + x509Certificate.getSubjectDN());
        byte[] extensionValue = x509Certificate.getExtensionValue("2.5.29.31");
        if (extensionValue != null) {
            try {
                for (DistributionPoint distributionPoint : CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extensionValue)).getDistributionPoints()) {
                    if (distributionPoint.getDistributionPoint() != null && (distributionPoint.getDistributionPoint().getName() instanceof GeneralNames)) {
                        for (GeneralName generalName : distributionPoint.getDistributionPoint().getName().getNames()) {
                            if (generalName.getName() instanceof DERIA5String) {
                                string = generalName.getName().getString();
                            }
                        }
                    }
                }
            } catch (IOException e) {
                log.debug("Cannot extract distribution point for certificate.", e);
                throw new RuntimeException(e);
            }
        }
        return string;
    }

    private static boolean checkCRLSignature(X509CRL x509crl, X509Certificate x509Certificate, Configuration configuration) throws WrappedException, NoSuchAlgorithmException, CertificateException, IllegalStateException, KeyStoreException, IOException {
        if (configuration.getString(Constants.PROP_CRL_TRUSTSTORE, (String) null) == null) {
            return true;
        }
        CredentialRepository credentialRepository = new CredentialRepository();
        credentialRepository.getCertificate(SAMLConfigurationFactory.getConfiguration().getKeystore(), configuration.getString(Constants.PROP_CRL_TRUSTSTORE_PASSWORD), null);
        for (X509Credential x509Credential : credentialRepository.getCredentials()) {
            try {
                x509crl.verify(x509Credential.getPublicKey());
            } catch (Exception e) {
                log.debug("CRL not signed by " + x509Credential);
                return false;
            }
        }
        return true;
    }

    public void startChecker(long j, final IdpMetadata idpMetadata, final Configuration configuration) {
        if (this.timer != null) {
            return;
        }
        String string = configuration.getString(Constants.PROP_HTTP_PROXY_HOST);
        String string2 = configuration.getString(Constants.PROP_HTTP_PROXY_PORT);
        if (string != null && string2 != null) {
            log.debug("Enabling use of proxy " + string + " port " + string2 + " when checking revocation of certificates.");
            System.setProperty("http.proxyHost", string);
            System.setProperty("http.proxyPort", string2);
        }
        log.info("Starting CRL checker, running with " + j + " seconds interval. Checking " + idpMetadata.getEntityIDs().size() + " certificates");
        this.timer = new Timer("CRLChecker");
        this.timer.schedule(new TimerTask() { // from class: dk.itst.oiosaml.sp.metadata.CRLChecker.2
            @Override // java.util.TimerTask, java.lang.Runnable
            public void run() {
                CRLChecker.log.debug("Running CRL checker task");
                try {
                    CRLChecker.this.checkCertificates(idpMetadata, configuration);
                } catch (Exception e) {
                    CRLChecker.log.error("Unable to run CRL checker", e);
                }
            }
        }, 1000L, 1000 * j);
    }

    public void stopChecker() {
        if (this.timer != null) {
            log.info("Stopping CRL checker");
            this.timer.cancel();
            this.timer = null;
        }
    }

    public void setAllCertificatesValid(IdpMetadata idpMetadata) {
        Iterator<String> it = idpMetadata.getEntityIDs().iterator();
        while (it.hasNext()) {
            IdpMetadata.Metadata metadata = idpMetadata.getMetadata(it.next());
            Iterator<X509Certificate> it2 = metadata.getAllCertificates().iterator();
            while (it2.hasNext()) {
                metadata.setCertificateValid(it2.next(), true);
            }
        }
    }
}
