package net.snowflake.client.core;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import net.snowflake.client.jdbc.internal.apache.commons.codec.binary.Base64;
import net.snowflake.client.jdbc.internal.apache.commons.io.IOUtils;
import net.snowflake.client.jdbc.internal.apache.http.HttpResponse;
import net.snowflake.client.jdbc.internal.apache.http.client.HttpClient;
import net.snowflake.client.jdbc.internal.apache.http.client.methods.HttpGet;
import net.snowflake.client.jdbc.internal.apache.http.ssl.SSLInitializationException;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.JsonNode;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.ObjectMapper;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.node.ArrayNode;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.node.JsonNodeType;
import net.snowflake.client.jdbc.internal.fasterxml.jackson.databind.node.ObjectNode;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1Encodable;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1Integer;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ASN1OctetString;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.DEROctetString;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.DLSequence;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.ocsp.CertID;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Certificate;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Extension;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.Extensions;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.x509.GeneralName;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.X509CertificateHolder;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.BasicOCSPResp;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.CertificateID;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.CertificateStatus;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPException;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPReq;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.OCSPResp;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.RevokedStatus;
import net.snowflake.client.jdbc.internal.org.bouncycastle.cert.ocsp.SingleResp;
import net.snowflake.client.jdbc.internal.org.bouncycastle.crypto.digests.SHA1Digest;
import net.snowflake.client.jdbc.internal.org.bouncycastle.jce.provider.BouncyCastleProvider;
import net.snowflake.client.jdbc.internal.org.bouncycastle.operator.DigestCalculator;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;
import net.snowflake.client.util.SFPair;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:net/snowflake/client/core/SFTrustManager.class */
public class SFTrustManager implements X509TrustManager {
    // Retry-endpoint pattern derived from a custom cache server URL by
    // resetOCSPResponseCacherServerURL(); stays null while the default host is in use, in
    // which case fetchOcspResponse() queries the CA responder directly.
    private static String SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN;
    // Validity-window tolerances. None of these three is referenced in the visible part of the
    // file; presumably consumed by isValidityRange(), which is defined past this excerpt -- confirm.
    private static final float TOLERABLE_VALIDITY_RANGE_RATIO = 0.01f;
    private static final long MAX_CLOCK_SKEW_IN_MILLISECONDS = 900000;
    private static final long MIN_CACHE_WARMUP_TIME_IN_MILLISECONDS = 18000000;
    // Retry policy shared by the three network loops: up to 10 attempts, sleeping 1 s and
    // doubling up to 16 s between attempts (the loops use the literal values after decompilation).
    // NOTE(review): those sleeps run while OCSP_RESPONSE_CACHE_LOCK is held (see
    // validateRevocationStatus), so one unreachable responder stalls every handshake in the JVM.
    private static final int MAX_RETRY_COUNTER = 10;
    private static final long INITIAL_SLEEPING_TIME_IN_MILLISECONDS = 1000;
    private static final long MAX_SLEEPING_TIME_IN_MILLISECONDS = 16000;
    // Populated in the static initializer, which lies beyond this excerpt.
    private static final Map<Integer, String> OCSP_RESPONSE_CODE_TO_STRING;
    private static JcaX509CertificateConverter CONVERTER_X509;
    // Trust-store roots keyed by subject-name hashCode (collisions overwrite). Only written in
    // getTrustManager(); never read in the visible code.
    private static Map<Integer, Certificate> ROOT_CA;
    private static final Object ROOT_CA_LOCK;
    // In-memory OCSP cache: CertID -> (cache timestamp in seconds, response). Every visible
    // access happens under OCSP_RESPONSE_CACHE_LOCK.
    private static final Map<OcspResponseCacheKey, SFPair<Long, OCSPResp>> OCSP_RESPONSE_CACHE;
    private static final Object OCSP_RESPONSE_CACHE_LOCK;
    // Dirty flag for the on-disk cache; checked and cleared in validateRevocationStatus().
    private static boolean WAS_CACHE_UPDATED;
    // Makes the constructor load the cache file at most once per JVM.
    private static boolean WAS_CACHE_READ;
    // SimpleDateFormat is not thread-safe; the visible callers run under OCSP_RESPONSE_CACHE_LOCK.
    private static final SimpleDateFormat DATE_FORMAT_UTC;
    // NOTE(review): the TrustManagerFactory is created with the *KeyManagerFactory* default
    // algorithm name; TrustManagerFactory.getDefaultAlgorithm() is the usual choice -- confirm
    // this is intended.
    private final X509TrustManager trustManager = getTrustManager(KeyManagerFactory.getDefaultAlgorithm());
    // When true, a cache miss first downloads the shared cache from SF_OCSP_RESPONSE_CACHE_SERVER_URL.
    private final boolean useOcspResponseCacheServer;
    private static final SFLogger LOGGER = SFLoggerFactory.getLogger(SFTrustManager.class);
    // id-ad-ocsp: the Authority Information Access access method carrying the responder URL.
    private static final ASN1ObjectIdentifier OIDocsp = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.48.1").intern();
    // RSA PKCS#1 v1.5 signature OIDs (sha1/sha256/sha384/sha512WithRSAEncryption). No ECDSA OIDs
    // are declared here; verifySignature() rejects any OID absent from SIGNATURE_OID_TO_STRING.
    private static final ASN1ObjectIdentifier SHA1RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.5").intern();
    private static final ASN1ObjectIdentifier SHA256RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.11").intern();
    private static final ASN1ObjectIdentifier SHA384RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.12").intern();
    private static final ASN1ObjectIdentifier SHA512RSA = new ASN1ObjectIdentifier("1.2.840.113549.1.1.13").intern();
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
    // Cache-file location overrides (system property, then environment variable); see FileCacheManager.
    public static final String CACHE_DIR_PROP = "net.snowflake.jdbc.ocspResponseCacheDir";
    private static final String CACHE_DIR_ENV = "SF_OCSP_RESPONSE_CACHE_DIR";
    public static final String CACHE_FILE_NAME = "ocsp_response_cache.json";
    // A cache entry older than one day is treated as expired (isCached, decodeCacheFromJSON).
    private static final long CACHE_EXPIRATION_IN_SECONDS = 86400;
    private static final long CACHE_FILE_LOCK_EXPIRATION_IN_SECONDS = 60;
    private static final FileCacheManager fileCacheManager = FileCacheManager.builder().setCacheDirectorySystemProperty(CACHE_DIR_PROP).setCacheDirectoryEnvironmentVariable(CACHE_DIR_ENV).setBaseCacheFileName(CACHE_FILE_NAME).setCacheExpirationInSeconds(CACHE_EXPIRATION_IN_SECONDS).setCacheFileLockExpirationInSeconds(CACHE_FILE_LOCK_EXPIRATION_IN_SECONDS).build();
    // Plain HTTP by design: the transport is not authenticated, so every response taken from the
    // download is still signature- and validity-checked (validateRevocationStatusMain /
    // validateBasicOcspResponse) before it is relied on.
    public static final String DEFAULT_OCSP_CACHE_HOST = "http://ocsp.snowflakecomputing.com";
    private static String SF_OCSP_RESPONSE_CACHE_SERVER_URL = String.format("%s/%s", DEFAULT_OCSP_CACHE_HOST, CACHE_FILE_NAME);
    // Signature OID -> JCA algorithm name, consulted by verifySignature(); filled in the static
    // initializer beyond this excerpt.
    private static final Map<ASN1ObjectIdentifier, String> SIGNATURE_OID_TO_STRING = new HashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:net/snowflake/client/core/SFTrustManager$OcspResponseCacheKey.class */
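    /**
     * Map key for the OCSP response cache: the three CertID components of a request
     * (DER-encoded issuer name hash, DER-encoded issuer key hash, subject serial number).
     * Instances are used as HashMap keys, so the arrays are copied on construction and never
     * exposed for mutation.
     */
    public static class OcspResponseCacheKey {
        final byte[] nameHash;
        final byte[] keyHash;
        final BigInteger serialNumber;

        /**
         * @param bArr       DER encoding of the issuerNameHash OCTET STRING
         * @param bArr2      DER encoding of the issuerKeyHash OCTET STRING
         * @param bigInteger serial number of the certificate being checked
         */
        OcspResponseCacheKey(byte[] bArr, byte[] bArr2, BigInteger bigInteger) {
            // Defensive copies keep the key immutable after it has been hashed into a map.
            this.nameHash = bArr == null ? null : bArr.clone();
            this.keyHash = bArr2 == null ? null : bArr2.clone();
            this.serialNumber = bigInteger;
        }

        @Override
        public int hashCode() {
            // Formula kept as-is: cached hash values must stay stable across versions.
            return (((Arrays.hashCode(this.nameHash) * 37 * 10) + (Arrays.hashCode(this.keyHash) * 37)) * 10) + this.serialNumber.hashCode();
        }

        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof OcspResponseCacheKey)) {
                return false;
            }
            OcspResponseCacheKey other = (OcspResponseCacheKey) obj;
            return Arrays.equals(this.nameHash, other.nameHash)
                    && Arrays.equals(this.keyHash, other.keyHash)
                    && this.serialNumber.equals(other.serialNumber);
        }

        @Override
        public String toString() {
            return String.format("OcspResponseCacheKey: NameHash: %s, KeyHash: %s, SerialNumber: %s", SFTrustManager.byteToHexString(this.nameHash), SFTrustManager.byteToHexString(this.keyHash), this.serialNumber.toString());
        }
    }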

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:net/snowflake/client/core/SFTrustManager$SHA1DigestCalculator.class */
    /**
     * Minimal BouncyCastle DigestCalculator producing SHA-1, used only to build OCSP CertIDs
     * (RFC 6960 hashes the issuer name and key with SHA-1 as an identifier; no integrity
     * property depends on it). Bytes written to the stream are buffered until getDigest() runs,
     * which then empties the buffer.
     */
    public static class SHA1DigestCalculator implements DigestCalculator {
        private ByteArrayOutputStream bOut = new ByteArrayOutputStream();

        SHA1DigestCalculator() {
        }

        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier() {
            // Bare OID, no parameters -- matches the CertID produced by createRequest().
            return new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
        }

        @Override
        public OutputStream getOutputStream() {
            return this.bOut;
        }

        @Override
        public byte[] getDigest() {
            byte[] pending = this.bOut.toByteArray();
            this.bOut.reset();
            return sha1Of(pending);
        }

        /** One-shot SHA-1 over the whole input. */
        private static byte[] sha1Of(byte[] input) {
            SHA1Digest digest = new SHA1Digest();
            digest.update(input, 0, input.length);
            byte[] out = new byte[digest.getDigestSize()];
            digest.doFinal(out, 0);
            return out;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the trust manager and, once per JVM, loads the on-disk OCSP cache.
     *
     * @param file optional cache file overriding the FileCacheManager default (null keeps the default)
     * @param z    whether a cache miss may be served by downloading the shared cache server file
     */
    public SFTrustManager(File file, boolean z) {
        this.useOcspResponseCacheServer = z;
        synchronized (OCSP_RESPONSE_CACHE_LOCK) {
            if (file != null) {
                fileCacheManager.overrideCacheFile(file);
            }
            // The first instance in the JVM populates the shared in-memory cache from disk.
            if (!WAS_CACHE_READ) {
                readJsonStoreCache(fileCacheManager.readCacheFile());
                WAS_CACHE_READ = true;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
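    /**
     * Points the cache download at a custom cache server and derives the matching retry
     * endpoint pattern ({@code <scheme>://<host>[:port]/retry/%s/%s}, the two placeholders being
     * the CA responder host and the base64 OCSP request consumed by fetchOcspResponse()).
     * A null URL is a no-op. The override sticks: once a retry pattern exists, later calls are
     * ignored, so the URL cannot be changed back to the default afterwards.
     *
     * @param str full URL of the cache file on the custom server
     * @throws RuntimeException if the URL cannot be parsed (cause attached)
     */
    public static void resetOCSPResponseCacherServerURL(String str) {
        if (str == null || SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN != null) {
            return;
        }
        SF_OCSP_RESPONSE_CACHE_SERVER_URL = str;
        if (str.startsWith(DEFAULT_OCSP_CACHE_HOST)) {
            // Default host: no retry endpoint, fetchOcspResponse() contacts the CA responder directly.
            SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN = null;
            return;
        }
        try {
            URL url = new URL(str);
            String authority = url.getPort() > 0
                    ? String.format("%s://%s:%d", url.getProtocol(), url.getHost(), Integer.valueOf(url.getPort()))
                    : String.format("%s://%s", url.getProtocol(), url.getHost());
            SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN = authority + "/retry/%s/%s";
        } catch (IOException e) {
            // Previously the cause was dropped.
            throw new RuntimeException(String.format("Failed to parse SF_OCSP_RESPONSE_CACHE_SERVER_URL: %s", str), e);
        }
    }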

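    /**
     * Obtains the JVM's default X509TrustManager (default trust store) for the given factory
     * algorithm and, on first use, records the accepted root certificates in ROOT_CA.
     *
     * @param str TrustManagerFactory algorithm name
     * @return the first X509TrustManager produced by the factory, never null
     * @throws SSLInitializationException if the factory cannot be set up or yields no
     *         X509TrustManager (the old code returned null there, which surfaced as a
     *         NullPointerException on the first handshake instead)
     */
    private X509TrustManager getTrustManager(String str) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(str);
            // null KeyStore = the JVM default trust store (javax.net.ssl.trustStore / cacerts).
            factory.init((KeyStore) null);
            X509TrustManager delegate = null;
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    delegate = (X509TrustManager) candidate;
                    break;
                }
            }
            if (delegate == null) {
                throw new SSLInitializationException(String.format("No X509TrustManager available for algorithm %s", str), null);
            }
            synchronized (ROOT_CA_LOCK) {
                if (ROOT_CA.size() == 0) {
                    for (X509Certificate root : delegate.getAcceptedIssuers()) {
                        Certificate asn1Root = Certificate.getInstance(root.getEncoded());
                        // Keyed by subject hashCode; two subjects with equal hashes overwrite each other.
                        ROOT_CA.put(Integer.valueOf(asn1Root.getSubject().hashCode()), asn1Root);
                    }
                }
            }
            return delegate;
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new SSLInitializationException(e.getMessage(), e);
        }
    }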

    /**
     * Client-certificate chains are delegated unchanged to the JVM trust manager; the OCSP
     * logic of this class applies to server chains only.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        X509TrustManager delegate = this.trustManager;
        delegate.checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Path validation against the JVM trust store first, then the OCSP revocation check for
     * the chain; either one failing aborts the handshake. Hostname verification is outside
     * the X509TrustManager interface and is not performed here.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        X509TrustManager delegate = this.trustManager;
        delegate.checkServerTrusted(x509CertificateArr, str);
        validateRevocationStatus(x509CertificateArr);
    }

    /** The JVM trust store's roots; this class adds no issuers of its own. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509TrustManager delegate = this.trustManager;
        return delegate.getAcceptedIssuers();
    }

    /**
     * Runs the OCSP check for every issuer/subject pair of the chain (pairs are built by
     * getPairIssuerSubject). The whole procedure -- cache lookup, optional download of the shared
     * cache, responder queries and the cache file write -- runs under the global
     * OCSP_RESPONSE_CACHE_LOCK, so concurrent handshakes are serialized, network retries included.
     * If a check throws, the cache file is not rewritten (the exception leaves the block first).
     *
     * @throws CertificateException if any pair fails the revocation check
     */
    void validateRevocationStatus(X509Certificate[] x509CertificateArr) throws CertificateException {
        List<Certificate> chain = convertToBouncyCastleCertificate(x509CertificateArr);
        List<SFPair<Certificate, Certificate>> pairs = getPairIssuerSubject(chain);
        synchronized (OCSP_RESPONSE_CACHE_LOCK) {
            boolean allCached = isCached(pairs);
            if (!allCached && this.useOcspResponseCacheServer) {
                LOGGER.debug("Downloading OCSP response cache from the server. URL: {}", SF_OCSP_RESPONSE_CACHE_SERVER_URL);
                readOcspResponseCacheServer();
                WAS_CACHE_UPDATED = true;
            }
            executeRevocationStatusChecks(pairs);
            if (WAS_CACHE_UPDATED) {
                fileCacheManager.writeCacheFile(encodeCacheToJSON());
                WAS_CACHE_UPDATED = false;
            }
        }
    }

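    /**
     * Checks each issuer/subject pair in turn.
     *
     * In the visible code the only IOException a check can raise comes from DER-encoding the
     * locally built CertID (executeOneRevoctionStatusCheck); network failures are already mapped
     * to CertificateException. The old code logged that IOException and skipped the remaining
     * pairs, i.e. the revocation check silently passed. It now fails closed with the cause attached.
     *
     * @throws CertificateException if a pair is revoked, unverifiable, or its CertID cannot be encoded
     */
    private void executeRevocationStatusChecks(List<SFPair<Certificate, Certificate>> list) throws CertificateException {
        // Cache timestamps are in seconds (the decompiler substituted the identically-valued
        // INITIAL_SLEEPING_TIME_IN_MILLISECONDS constant for the 1000 ms divisor).
        long nowInSeconds = new Date().getTime() / 1000L;
        for (SFPair<Certificate, Certificate> pair : list) {
            try {
                executeOneRevoctionStatusCheck(pair, nowInSeconds);
            } catch (IOException e) {
                throw new CertificateException(String.format("Failed to decode CertID for %s", pair.right.getSubject()), e);
            }
        }
    }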

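    /**
     * Validates one issuer/subject pair: uses the cached OCSP response if present, otherwise
     * fetches one, then verifies it. A fetched response is stored in the cache only after it
     * verified (the old code stored first and removed on failure -- same end state, no window
     * with an unverified entry). A cached response that fails verification is evicted.
     *
     * Retries up to MAX_RETRY_COUNTER times with exponential backoff; an interrupt stops the
     * retries and re-sets the thread's interrupt flag.
     * NOTE(review): a definitive "revoked" verdict is retried like a transient failure, costing
     * up to 1+2+4+8+16*6 = 111 s of sleeps under the global lock before the handshake fails.
     *
     * @param sFPair issuer (left) and subject (right)
     * @param j      current time in seconds, recorded as the cache entry timestamp
     * @throws IOException          if the CertID cannot be DER-encoded
     * @throws CertificateException the last failure, once all attempts are exhausted
     */
    private void executeOneRevoctionStatusCheck(SFPair<Certificate, Certificate> sFPair, long j) throws IOException, CertificateException {
        OCSPReq request = createRequest(sFPair);
        CertificateID certId = request.getRequestList()[0].getCertID();
        CertID rawCertId = certId.toASN1Primitive();
        OcspResponseCacheKey cacheKey = new OcspResponseCacheKey(
                rawCertId.getIssuerNameHash().getEncoded(),
                rawCertId.getIssuerKeyHash().getEncoded(),
                rawCertId.getSerialNumber().getValue());
        long sleepMillis = INITIAL_SLEEPING_TIME_IN_MILLISECONDS;
        CertificateException lastFailure = null;
        for (int attempt = 0; attempt < MAX_RETRY_COUNTER; attempt++) {
            SFPair<Long, OCSPResp> cached = OCSP_RESPONSE_CACHE.get(cacheKey);
            try {
                OCSPResp response;
                boolean fetched = false;
                if (cached == null) {
                    LOGGER.debug("not hit cache.");
                    response = fetchOcspResponse(sFPair, request);
                    fetched = true;
                } else {
                    LOGGER.debug("hit cache.");
                    response = cached.right;
                }
                LOGGER.debug("validating. {}", CertificateIDToString(certId));
                validateRevocationStatusMain(sFPair, response);
                if (fetched) {
                    OCSP_RESPONSE_CACHE.put(cacheKey, SFPair.of(Long.valueOf(j), response));
                    WAS_CACHE_UPDATED = true;
                }
                return;
            } catch (CertificateException e) {
                lastFailure = e;
                if (OCSP_RESPONSE_CACHE.remove(cacheKey) != null) {
                    LOGGER.debug("deleting the invalid OCSP cache.");
                    WAS_CACHE_UPDATED = true;
                }
                LOGGER.debug("Retrying {}/{} after sleeping {}(ms)", Integer.valueOf(attempt + 1), Integer.valueOf(MAX_RETRY_COUNTER), Long.valueOf(sleepMillis));
                try {
                    Thread.sleep(sleepMillis);
                } catch (InterruptedException interrupted) {
                    Thread.currentThread().interrupt();
                    break;
                }
                sleepMillis = minLong(MAX_SLEEPING_TIME_IN_MILLISECONDS, sleepMillis * 2);
            }
        }
        throw lastFailure;
    }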

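    /**
     * Reports whether every pair has an unexpired response in the in-memory cache (an empty
     * list is trivially cached). Used only to decide whether the shared cache must be
     * downloaded; the actual verification happens later regardless.
     *
     * The old code returned whatever it had accumulated when CertID encoding failed -- "true"
     * if the failure hit the first pair -- which skipped the download. An encoding failure now
     * counts as a cache miss.
     */
    private boolean isCached(List<SFPair<Certificate, Certificate>> list) {
        long nowInSeconds = new Date().getTime() / 1000L;
        try {
            for (SFPair<Certificate, Certificate> pair : list) {
                CertificateID certId = createRequest(pair).getRequestList()[0].getCertID();
                LOGGER.debug(CertificateIDToString(certId));
                CertID raw = certId.toASN1Primitive();
                OcspResponseCacheKey key = new OcspResponseCacheKey(raw.getIssuerNameHash().getEncoded(), raw.getIssuerKeyHash().getEncoded(), raw.getSerialNumber().getValue());
                SFPair<Long, OCSPResp> entry = OCSP_RESPONSE_CACHE.get(key);
                if (entry == null) {
                    LOGGER.debug("Not all OCSP responses for the certificate is in the cache.");
                    return false;
                }
                if (nowInSeconds - CACHE_EXPIRATION_IN_SECONDS > entry.left.longValue()) {
                    LOGGER.debug("Cache for CertID expired.");
                    return false;
                }
            }
            return true;
        } catch (IOException e) {
            LOGGER.debug("Failed to encode CertID. Err: {}", e);
            return false;
        }
    }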

    /** Human-readable CertID (hex hashes, decimal serial) for debug logging. */
    private static String CertificateIDToString(CertificateID certificateID) {
        String nameHash = byteToHexString(certificateID.getIssuerNameHash());
        String keyHash = byteToHexString(certificateID.getIssuerKeyHash());
        // "{0,number,#}" prints the BigInteger serial in full, without grouping separators.
        String serial = MessageFormat.format("{0,number,#}", certificateID.getSerialNumber());
        return String.format("CertID. NameHash: %s, KeyHash: %s, Serial Number: %s", nameHash, keyHash, serial);
    }

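    /**
     * Decodes one cache entry: key = base64 DER CertID
     * (SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }),
     * value = [timestampSeconds, base64 DER OCSPResp].
     *
     * The cache may have arrived over plain HTTP, so its shape is not trusted. The old code
     * cast the decoded key without checks; a malformed key raised ClassCastException or
     * ArrayIndexOutOfBoundsException, which is not caught by readJsonStoreCache and escaped
     * through checkServerTrusted. Structural problems now surface as IOException.
     *
     * @return the decoded key/value; the response is null when the entry is expired
     *         (callers evict it); null when the JSON value has the wrong shape
     * @throws IOException if the key is not a well-formed CertID or the response is undecodable
     */
    private static SFPair<OcspResponseCacheKey, SFPair<Long, OCSPResp>> decodeCacheFromJSON(Map.Entry<String, JsonNode> entry) throws IOException {
        long nowInSeconds = new Date().getTime() / 1000L;
        ASN1Encodable[] parts;
        try {
            ASN1Encodable decoded = ASN1ObjectIdentifier.fromByteArray(Base64.decodeBase64(entry.getKey()));
            if (!(decoded instanceof DLSequence)) {
                throw new IOException("Invalid cache file format: CertID key is not a SEQUENCE.");
            }
            parts = ((DLSequence) decoded).toArray();
        } catch (RuntimeException e) {
            // Boundary for untrusted input: BouncyCastle may throw unchecked on garbage.
            throw new IOException("Invalid cache file format: undecodable CertID key.", e);
        }
        if (parts.length < 4
                || !(parts[1] instanceof ASN1OctetString)
                || !(parts[2] instanceof ASN1OctetString)
                || !(parts[3] instanceof ASN1Integer)) {
            throw new IOException("Invalid cache file format: unexpected CertID structure.");
        }
        // The key stores the DER encoding of the OCTET STRINGs (tag and length included),
        // consistent with how executeOneRevoctionStatusCheck builds lookup keys.
        OcspResponseCacheKey key = new OcspResponseCacheKey(
                ((ASN1OctetString) parts[1]).getEncoded(),
                ((ASN1OctetString) parts[2]).getEncoded(),
                ((ASN1Integer) parts[3]).getValue());
        JsonNode value = entry.getValue();
        if (value == null || !value.isArray() || value.size() != 2) {
            LOGGER.debug("Invalid cache file format.");
            return null;
        }
        long cachedAt = value.get(0).asLong();
        if (nowInSeconds - CACHE_EXPIRATION_IN_SECONDS > cachedAt) {
            return SFPair.of(key, SFPair.of(Long.valueOf(cachedAt), (OCSPResp) null));
        }
        byte[] derResponse = Base64.decodeBase64(value.get(1).asText());
        return SFPair.of(key, SFPair.of(Long.valueOf(cachedAt), new OCSPResp(derResponse)));
    }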

    /**
     * Serializes the in-memory cache to the JSON layout read by decodeCacheFromJSON:
     * { base64(DER CertID): [timestampSeconds, base64(DER OCSPResp)], ... }.
     * Must be called under OCSP_RESPONSE_CACHE_LOCK (the visible caller does).
     *
     * @return the JSON object, or null if any entry fails to encode
     *         (NOTE(review): the caller hands that null to fileCacheManager.writeCacheFile;
     *         its handling of null is not visible here)
     */
    private static ObjectNode encodeCacheToJSON() {
        ObjectNode root = OBJECT_MAPPER.createObjectNode();
        try {
            for (Map.Entry<OcspResponseCacheKey, SFPair<Long, OCSPResp>> entry : OCSP_RESPONSE_CACHE.entrySet()) {
                OcspResponseCacheKey key = entry.getKey();
                SFPair<Long, OCSPResp> value = entry.getValue();
                ArrayNode jsonValue = OBJECT_MAPPER.createArrayNode();
                jsonValue.add(value.left.longValue());
                jsonValue.add(Base64.encodeBase64String(value.right.getEncoded()));
                // Rebuild the CertID with the SHA-1 algorithm identifier used by createRequest().
                CertID certId = new CertID(new SHA1DigestCalculator().getAlgorithmIdentifier(), ASN1OctetString.getInstance(key.nameHash), ASN1OctetString.getInstance(key.keyHash), new ASN1Integer(key.serialNumber));
                String jsonKey = Base64.encodeBase64String(certId.toASN1Primitive().getEncoded());
                root.set(jsonKey, jsonValue);
            }
        } catch (IOException e) {
            LOGGER.debug("Failed to encode ASN1 object.");
            return null;
        }
        return root;
    }

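    /**
     * Downloads the shared cache file from SF_OCSP_RESPONSE_CACHE_SERVER_URL and merges it into
     * the in-memory cache. Best effort: after MAX_RETRY_COUNTER failed attempts it only logs,
     * since the per-certificate fetch path still exists. The download is plain HTTP by default;
     * nothing from it is trusted until validateRevocationStatusMain verifies the response.
     *
     * Changes from the old code: the response body stream is closed (also on non-200 replies,
     * so a pooled connection is released before the retry), and an interrupt stops the retry
     * loop and re-sets the thread's interrupt flag instead of being swallowed.
     * NOTE(review): the body is read into memory without a size limit.
     */
    private static void readOcspResponseCacheServer() {
        long sleepMillis = INITIAL_SLEEPING_TIME_IN_MILLISECONDS;
        Exception lastFailure = null;
        for (int attempt = 0; attempt < MAX_RETRY_COUNTER; attempt++) {
            try {
                HttpResponse response = getHttpClient().execute(new HttpGet(new URI(SF_OCSP_RESPONSE_CACHE_SERVER_URL)));
                int status = response == null ? -1 : response.getStatusLine().getStatusCode();
                if (status != 200) {
                    if (response != null && response.getEntity() != null) {
                        try (InputStream discard = response.getEntity().getContent()) {
                            // closing releases the connection
                        }
                    }
                    throw new IOException(String.format("Failed to get the OCSP response from the OCSP cache server: HTTP: %d", Integer.valueOf(status)));
                }
                ByteArrayOutputStream body = new ByteArrayOutputStream();
                try (InputStream content = response.getEntity().getContent()) {
                    IOUtils.copy(content, body);
                }
                readJsonStoreCache(OBJECT_MAPPER.readTree(body.toByteArray()));
                LOGGER.debug("Successfully downloaded OCSP cache from the server.");
                return;
            } catch (IOException | URISyntaxException e) {
                lastFailure = e;
                LOGGER.debug("Retrying {}/{} after sleeping {}(ms)", Integer.valueOf(attempt + 1), Integer.valueOf(MAX_RETRY_COUNTER), Long.valueOf(sleepMillis));
                try {
                    Thread.sleep(sleepMillis);
                } catch (InterruptedException interrupted) {
                    Thread.currentThread().interrupt();
                    break;
                }
                sleepMillis = minLong(MAX_SLEEPING_TIME_IN_MILLISECONDS, sleepMillis * 2);
            }
        }
        LOGGER.debug("Failed to read the OCSP response cache from the server. Server: {}, Err: {}", SF_OCSP_RESPONSE_CACHE_SERVER_URL, lastFailure);
    }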

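    /**
     * Merges a JSON cache document (from disk or from the cache server) into OCSP_RESPONSE_CACHE.
     * Unexpired entries overwrite existing ones; expired entries evict an existing entry with
     * the same key and mark the cache dirty.
     *
     * Entries are handled independently: a malformed entry is logged and skipped. The old code
     * stopped at the first IOException (dropping the rest of the document) and let unchecked
     * exceptions from malformed DER keys propagate out of the TLS handshake. The broad catch is
     * deliberate -- this is the boundary for data that may have come over plain HTTP.
     */
    private static void readJsonStoreCache(JsonNode jsonNode) {
        if (jsonNode == null || !jsonNode.getNodeType().equals(JsonNodeType.OBJECT)) {
            LOGGER.debug("Invalid cache file format.");
            return;
        }
        Iterator<Map.Entry<String, JsonNode>> fields = jsonNode.fields();
        while (fields.hasNext()) {
            Map.Entry<String, JsonNode> field = fields.next();
            SFPair<OcspResponseCacheKey, SFPair<Long, OCSPResp>> decoded;
            try {
                decoded = decodeCacheFromJSON(field);
            } catch (IOException | RuntimeException e) {
                LOGGER.debug("Failed to decode a cache entry; skipping it. Err: {}", e);
                continue;
            }
            if (decoded == null) {
                continue;
            }
            if (decoded.right != null && decoded.right.right != null) {
                OCSP_RESPONSE_CACHE.put(decoded.left, decoded.right);
            } else if (OCSP_RESPONSE_CACHE.containsKey(decoded.left)) {
                OCSP_RESPONSE_CACHE.remove(decoded.left);
                WAS_CACHE_UPDATED = true;
            }
        }
    }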

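    /**
     * Fetches the OCSP response for the subject certificate with an HTTP GET, either directly
     * from the first responder URL in the certificate (getOcspUrls) or, when a custom cache server
     * is configured, through its retry endpoint. Only the transport-level status is checked here;
     * signature, CertID binding and validity are checked by the caller.
     *
     * Fixes against the old code: the retry-endpoint branch formatted the responder URL (which
     * has no placeholders) and so never appended the request; it now fills the two placeholders
     * of SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN with the responder host and the
     * base64 request, matching the pattern built in resetOCSPResponseCacherServerURL.
     * A certificate without a responder URL yields a CertificateEncodingException instead of a
     * NoSuchElementException that escaped the retry loop. Response bodies are closed, an
     * interrupt stops the retries, and the "{0}" log placeholder matches the "{}" style used elsewhere.
     * NOTE(review): the base64 request is appended without URL-encoding ('/', '+', '=' survive);
     * confirm the responders in use tolerate that. The body is read without a size limit.
     *
     * @throws CertificateEncodingException on any transport failure or a non-successful OCSP status
     */
    private OCSPResp fetchOcspResponse(SFPair<Certificate, Certificate> sFPair, OCSPReq oCSPReq) throws CertificateEncodingException {
        try {
            String requestBase64 = Base64.encodeBase64String(oCSPReq.getEncoded());
            Iterator<String> responderUrls = getOcspUrls(sFPair.right).iterator();
            if (!responderUrls.hasNext()) {
                throw new CertificateEncodingException(String.format("No OCSP responder URL found in the certificate %s", sFPair.right.getSubject()));
            }
            String responderUrl = responderUrls.next();
            URL url;
            if (SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN != null) {
                URL responder = new URL(responderUrl);
                url = new URL(String.format(SF_OCSP_RESPONSE_CACHE_SERVER_RETRY_URL_PATTERN, responder.getHost(), requestBase64));
            } else {
                // OCSP over HTTP GET (RFC 6960 A.1): request appended to the responder URL.
                url = new URL(String.format("%s/%s", responderUrl, requestBase64));
            }
            LOGGER.debug("not hit cache. Fetching OCSP response from CA OCSP server. {}", url.toString());
            long sleepMillis = INITIAL_SLEEPING_TIME_IN_MILLISECONDS;
            boolean succeeded = false;
            HttpResponse response = null;
            for (int attempt = 0; attempt < MAX_RETRY_COUNTER; attempt++) {
                response = getHttpClient().execute(new HttpGet(url.toString()));
                if (response != null && response.getStatusLine().getStatusCode() == 200) {
                    succeeded = true;
                    LOGGER.debug("Successfully downloaded OCSP response from CA server. URL: {}", url.toString());
                    break;
                }
                if (response != null && response.getEntity() != null) {
                    // Release the connection before retrying.
                    try (InputStream discard = response.getEntity().getContent()) {
                        // closing is enough
                    }
                }
                LOGGER.debug("Retrying {}/{} after sleeping {}(ms)", Integer.valueOf(attempt + 1), Integer.valueOf(MAX_RETRY_COUNTER), Long.valueOf(sleepMillis));
                try {
                    Thread.sleep(sleepMillis);
                } catch (InterruptedException interrupted) {
                    Thread.currentThread().interrupt();
                    break;
                }
                sleepMillis = minLong(MAX_SLEEPING_TIME_IN_MILLISECONDS, sleepMillis * 2);
            }
            if (!succeeded) {
                Integer statusCode = response == null ? null : Integer.valueOf(response.getStatusLine().getStatusCode());
                throw new CertificateEncodingException(String.format("Failed to get OCSP response. StatusCode: %d, URL: %s", statusCode, responderUrl));
            }
            ByteArrayOutputStream body = new ByteArrayOutputStream();
            try (InputStream content = response.getEntity().getContent()) {
                IOUtils.copy(content, body);
            }
            OCSPResp ocspResponse = new OCSPResp(body.toByteArray());
            if (ocspResponse.getStatus() != OCSPResp.SUCCESSFUL) {
                throw new CertificateEncodingException(String.format("Failed to get OCSP response. Status: %s", OCSP_RESPONSE_CODE_TO_STRING.get(Integer.valueOf(ocspResponse.getStatus()))));
            }
            return ocspResponse;
        } catch (IOException e) {
            throw new CertificateEncodingException("Failed to fetch or decode the OCSP response.", e);
        }
    }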

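    /**
     * Verifies an OCSP response (fetched or cached) for the given issuer/subject pair:
     * <ol>
     * <li>the response status is successful and carries a BasicOCSPResponse (a cached response
     *     was never status-checked before; a failed status has no response object and the old
     *     cast threw NullPointerException, which escaped the retry loop);</li>
     * <li>the signer is either the issuer itself or a delegated responder certificate that is
     *     signed by the issuer, currently valid and carries id-kp-OCSPSigning (RFC 6960 4.2.2.2
     *     -- without the EKU check any certificate issued by the CA could sign statuses);</li>
     * <li>the response signature verifies under the signer's key;</li>
     * <li>at least one SingleResponse carries the CertID of the subject certificate. Without this
     *     binding, a correctly signed GOOD response for any other certificate of the same CA
     *     (e.g. substituted in the plain-HTTP cache download) was accepted for this one;</li>
     * <li>per-status checks in validateBasicOcspResponse.</li>
     * </ol>
     * NOTE(review): only certs[0] of the attached certificates is considered, as before.
     *
     * @throws CertificateException if any of the above fails
     */
    private void validateRevocationStatusMain(SFPair<Certificate, Certificate> sFPair, OCSPResp oCSPResp) throws CertificateException {
        try {
            Date now = new Date();
            Object responseObject = oCSPResp.getStatus() == OCSPResp.SUCCESSFUL ? oCSPResp.getResponseObject() : null;
            if (!(responseObject instanceof BasicOCSPResp)) {
                throw new CertificateEncodingException(String.format("OCSP response is not usable. Status: %s", OCSP_RESPONSE_CODE_TO_STRING.get(Integer.valueOf(oCSPResp.getStatus()))));
            }
            BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;
            X509CertificateHolder issuer = new X509CertificateHolder(sFPair.left.getEncoded());
            X509CertificateHolder signer;
            X509CertificateHolder[] attached = basicResponse.getCerts();
            if (attached.length > 0 && !Arrays.equals(attached[0].getEncoded(), issuer.getEncoded())) {
                LOGGER.debug("Certificate is attached for verification. Verifying it by the issuer certificate.");
                signer = attached[0];
                verifySignature(issuer, signer.getSignature(), CONVERTER_X509.getCertificate(signer).getTBSCertificate(), signer.getSignatureAlgorithm());
                checkDelegatedResponderCertificate(signer, now);
                LOGGER.debug("Verifying OCSP signature by the attached certificate public key.");
            } else {
                // No responder certificate, or the attached certificate is the issuer itself.
                LOGGER.debug("Certificate is NOT attached for verification. Verifying OCSP signature by the issuer public key.");
                signer = issuer;
            }
            verifySignature(signer, basicResponse.getSignature(), basicResponse.getTBSResponseData(), basicResponse.getSignatureAlgorithmID());
            CertificateID expected = new CertificateID(new SHA1DigestCalculator(), issuer, sFPair.right.getSerialNumber().getValue());
            if (!coversCertificate(basicResponse, expected)) {
                throw new CertificateEncodingException(String.format("OCSP response does not cover the certificate. Expected %s", CertificateIDToString(expected)));
            }
            validateBasicOcspResponse(now, basicResponse);
        } catch (IOException | OCSPException e) {
            throw new CertificateEncodingException("Failed to check revocation status.", e);
        }
    }

    /**
     * True if some SingleResponse identifies the expected certificate. The three CertID fields
     * are compared individually (plus the hash OID) rather than by ASN.1 equality, so a responder
     * that re-encodes the hashAlgorithm parameters differently is still matched.
     */
    private static boolean coversCertificate(BasicOCSPResp basicResponse, CertificateID expected) {
        for (SingleResp single : basicResponse.getResponses()) {
            CertificateID actual = single.getCertID();
            if (actual != null
                    && expected.getHashAlgOID().equals(actual.getHashAlgOID())
                    && Arrays.equals(expected.getIssuerNameHash(), actual.getIssuerNameHash())
                    && Arrays.equals(expected.getIssuerKeyHash(), actual.getIssuerKeyHash())
                    && expected.getSerialNumber().equals(actual.getSerialNumber())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks that a delegated responder certificate (already verified to be signed by the
     * issuer) is within its validity period and authorized for OCSP signing via the
     * id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) extended key usage.
     */
    private static void checkDelegatedResponderCertificate(X509CertificateHolder responder, Date now) throws CertificateException {
        if (!responder.isValidOn(now)) {
            throw new CertificateEncodingException(String.format("OCSP responder certificate is not valid at %s: %s", DATE_FORMAT_UTC.format(now), responder.getSubject()));
        }
        Extension eku = responder.getExtension(Extension.extendedKeyUsage);
        if (eku == null) {
            throw new CertificateEncodingException(String.format("OCSP responder certificate lacks extendedKeyUsage: %s", responder.getSubject()));
        }
        ASN1ObjectIdentifier ocspSigning = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.3.9");
        try {
            for (ASN1Encodable purpose : DLSequence.getInstance(eku.getParsedValue()).toArray()) {
                if (ocspSigning.equals(purpose)) {
                    return;
                }
            }
        } catch (IllegalArgumentException e) {
            throw new CertificateEncodingException(String.format("OCSP responder certificate has a malformed extendedKeyUsage: %s", responder.getSubject()), e);
        }
        throw new CertificateEncodingException(String.format("OCSP responder certificate is not authorized for OCSP signing: %s", responder.getSubject()));
    }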

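    /**
     * Applies the per-SingleResponse checks of an already signature-verified response:
     * every entry must be GOOD (revoked and unknown both fail closed) and within the validity
     * window computed by isValidityRange (defined past this excerpt).
     *
     * A response with no SingleResponse at all used to pass with nothing checked; it is now
     * rejected. nextUpdate is optional in RFC 6960 and may be null; the error message no longer
     * dereferences it unguarded (whether isValidityRange itself accepts null is not visible here).
     *
     * @param date          the current time used for the validity check
     * @param basicOCSPResp verified response
     * @throws CertificateEncodingException on revoked/unknown status, empty response or out-of-range times
     */
    private void validateBasicOcspResponse(Date date, BasicOCSPResp basicOCSPResp) throws CertificateEncodingException {
        SingleResp[] responses = basicOCSPResp.getResponses();
        if (responses == null || responses.length == 0) {
            throw new CertificateEncodingException("OCSP response contains no certificate status.");
        }
        for (SingleResp single : responses) {
            Date thisUpdate = single.getThisUpdate();
            Date nextUpdate = single.getNextUpdate();
            LOGGER.debug("Current Time: {}, This Update: {}, Next Update: {}", date, thisUpdate, nextUpdate);
            CertificateStatus status = single.getCertStatus();
            if (status instanceof RevokedStatus) {
                RevokedStatus revoked = (RevokedStatus) status;
                int reason;
                try {
                    reason = revoked.getRevocationReason();
                } catch (IllegalStateException e) {
                    reason = -1; // the reason code is optional in the response
                }
                throw new CertificateEncodingException(String.format("The certificate has been revoked. Reason: %d, Time: %s", Integer.valueOf(reason), DATE_FORMAT_UTC.format(revoked.getRevocationTime())));
            }
            if (status != CertificateStatus.GOOD) {
                // UnknownStatus (or anything else): fail closed.
                throw new CertificateEncodingException("Failed to validate the certificate for UNKNOWN reason.");
            }
            if (!isValidityRange(date, thisUpdate, nextUpdate)) {
                String nextUpdateText = nextUpdate == null ? "null" : DATE_FORMAT_UTC.format(nextUpdate);
                throw new CertificateEncodingException(String.format("The validity is out of range: Current Time: %s, This Update: %s, Next Update: %s", DATE_FORMAT_UTC.format(date), DATE_FORMAT_UTC.format(thisUpdate), nextUpdateText));
            }
        }
        LOGGER.debug("OK. Verified the certificate revocation status.");
    }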

    /**
     * Verifies {@code bArr} as a signature over {@code bArr2} under the public key of the given
     * certificate, using the BouncyCastle provider. The signature OID must be present in
     * SIGNATURE_OID_TO_STRING; anything else is rejected (fail closed).
     *
     * @param x509CertificateHolder certificate whose public key verifies the signature
     * @param bArr                  signature bytes
     * @param bArr2                 signed data (TBS bytes)
     * @param algorithmIdentifier   signature algorithm from the signed structure
     * @throws CertificateException if the algorithm is unsupported, the key is unusable, or the signature does not verify
     */
    private static void verifySignature(X509CertificateHolder x509CertificateHolder, byte[] bArr, byte[] bArr2, AlgorithmIdentifier algorithmIdentifier) throws CertificateException {
        String jcaName = SIGNATURE_OID_TO_STRING.get(algorithmIdentifier.getAlgorithm());
        try {
            if (jcaName == null) {
                throw new NoSuchAlgorithmException(String.format("Unsupported signature OID. OID: %s", algorithmIdentifier));
            }
            Signature verifier = Signature.getInstance(jcaName, BouncyCastleProvider.PROVIDER_NAME);
            verifier.initVerify(CONVERTER_X509.getCertificate(x509CertificateHolder).getPublicKey());
            verifier.update(bArr2);
            if (verifier.verify(bArr)) {
                return;
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
            throw new CertificateEncodingException("Failed to verify the signature.", e);
        }
        throw new CertificateEncodingException(String.format("Failed to verify the signature. Potentially the data was not generated by by the cert, %s", x509CertificateHolder.getSubject()));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Renders {@code bArr} as an uppercase hexadecimal string, two characters per byte, with no
     * separators or prefix.
     *
     * @param bArr bytes to encode; an empty array yields an empty string
     * @return the uppercase hex encoding
     */
    public static String byteToHexString(byte[] bArr) {
        final String digits = "0123456789ABCDEF";
        StringBuilder out = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            // Mask to drop sign extension so the high nibble indexes 0..15.
            int unsigned = b & 0xFF;
            out.append(digits.charAt(unsigned >>> 4));
            out.append(digits.charAt(unsigned & 0x0F));
        }
        return out.toString();
    }

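    /**
     * Builds a single-entry OCSP request for the subject certificate, identified by a SHA-1
     * CertificateID derived from the issuer certificate and the subject's serial number.
     *
     * @param sFPair {@code left} is the issuer certificate, {@code right} the subject certificate,
     *     in the order produced by getPairIssuerSubject
     * @return the assembled OCSP request
     * @throws RuntimeException if the issuer cannot be re-parsed or the request cannot be built;
     *     the underlying exception is retained as the cause
     */
    private OCSPReq createRequest(SFPair<Certificate, Certificate> sFPair) {
        Certificate issuer = sFPair.left;
        Certificate subject = sFPair.right;
        OCSPReqBuilder builder = new OCSPReqBuilder();
        try {
            CertificateID certId = new CertificateID(new SHA1DigestCalculator(), new X509CertificateHolder(issuer.getEncoded()), subject.getSerialNumber().getValue());
            builder.addRequest(certId);
            return builder.build();
        } catch (IOException | OCSPException e) {
            // Keep the cause so the failing step (DER parsing vs. request assembly) stays diagnosable.
            throw new RuntimeException("Failed to build a OCSPReq.", e);
        }
    }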

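    /**
     * Re-parses each JCA certificate into its Bouncy Castle ASN.1 form by round-tripping the DER
     * encoding.
     *
     * @param x509CertificateArr the certificates to convert; may be empty
     * @return Bouncy Castle certificates in the same order as the input
     * @throws RuntimeException if a certificate cannot be DER-encoded; the encoding exception is
     *     retained as the cause
     */
    private List<Certificate> convertToBouncyCastleCertificate(X509Certificate[] x509CertificateArr) {
        List<Certificate> converted = new ArrayList<>(x509CertificateArr.length);
        for (X509Certificate jcaCert : x509CertificateArr) {
            try {
                converted.add(Certificate.getInstance(jcaCert.getEncoded()));
            } catch (CertificateEncodingException e) {
                throw new RuntimeException("Failed to decode the certificate DER data", e);
            }
        }
        return converted;
    }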

    /**
     * Pairs every non-self-signed certificate with its issuer so each can be checked via OCSP.
     *
     * <p>The chain is assumed leaf-first: element {@code i + 1} is treated as the issuer of element
     * {@code i}. The last non-self-signed certificate has no successor, so its issuer is looked up in
     * ROOT_CA by the hash code of its issuer name.
     *
     * @param list certificate chain, leaf first
     * @return (issuer, subject) pairs; self-signed certificates are skipped
     * @throws RuntimeException if no root CA matches the last certificate's issuer
     */
    private List<SFPair<Certificate, Certificate>> getPairIssuerSubject(List<Certificate> list) {
        List<SFPair<Certificate, Certificate>> pairs = new ArrayList<>();
        int last = list.size() - 1;
        for (int idx = 0; idx <= last; idx++) {
            Certificate subject = list.get(idx);
            boolean selfSigned = subject.getIssuer().equals(subject.getSubject());
            if (selfSigned) {
                continue;
            }
            if (idx < last) {
                pairs.add(SFPair.of(list.get(idx + 1), subject));
                continue;
            }
            Certificate rootIssuer;
            synchronized (ROOT_CA_LOCK) {
                // NOTE(review): the map is keyed by the issuer name's hashCode, so a collision could
                // select a different root; presumably a later signature check rejects a wrong one — confirm.
                rootIssuer = ROOT_CA.get(Integer.valueOf(subject.getIssuer().hashCode()));
                if (rootIssuer == null) {
                    throw new RuntimeException("Failed to find the root CA.");
                }
            }
            pairs.add(SFPair.of(rootIssuer, subject));
        }
        return pairs;
    }

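    /**
     * Collects every OCSP responder URL listed in the certificate's Authority Information Access
     * extension.
     *
     * @param certificate Bouncy Castle certificate to inspect
     * @return the OCSP access locations as strings; empty when the AIA extension has no OCSP entries
     * @throws RuntimeException if the certificate carries no extensions at all
     */
    private Set<String> getOcspUrls(Certificate certificate) {
        Extensions extensions = certificate.getTBSCertificate().getExtensions();
        if (extensions == null) {
            throw new RuntimeException("Failed to get Tbs Certificate.");
        }
        Set<String> ocspUrls = new HashSet<>();
        Enumeration<?> oids = extensions.oids();
        while (oids.hasMoreElements()) {
            Extension extension = extensions.getExtension((ASN1ObjectIdentifier) oids.nextElement());
            // Compare OIDs by value, not by reference: identity only held when Bouncy Castle happened
            // to intern the parsed identifier, which is not guaranteed for every parsing path.
            if (!Extension.authorityInfoAccess.equals(extension.getExtnId())) {
                continue;
            }
            // AIA is a SEQUENCE of AccessDescription { accessMethod OID, accessLocation GeneralName }.
            for (ASN1Encodable accessDescription : (DLSequence) extension.getParsedValue()) {
                ASN1Encodable[] fields = ((DLSequence) accessDescription).toArray();
                // equals() on the constant also returns false for a non-OID first element instead of
                // failing on a cast.
                if (fields.length == 2 && OIDocsp.equals(fields[0])) {
                    ocspUrls.add(GeneralName.getInstance(fields[1]).getName().toString());
                }
            }
        }
        return ocspUrls;
    }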

    /** Returns the HttpClient managed by HttpUtil; this class does not own a client of its own. */
    private static HttpClient getHttpClient() {
        HttpClient shared = HttpUtil.getHttpClient();
        return shared;
    }

    /**
     * Returns the smaller of two longs.
     *
     * @param j first value
     * @param j2 second value
     * @return whichever of {@code j} and {@code j2} is smaller (either when equal)
     */
    private static long minLong(long j, long j2) {
        return Math.min(j, j2);
    }

    /**
     * Returns the larger of two longs.
     *
     * @param j first value
     * @param j2 second value
     * @return whichever of {@code j} and {@code j2} is larger (either when equal)
     */
    private static long maxLong(long j, long j2) {
        return Math.max(j, j2);
    }

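    /**
     * Computes how long past nextUpdate an OCSP response is still accepted: a fixed fraction
     * (TOLERABLE_VALIDITY_RANGE_RATIO) of the response's own validity interval, but never less than
     * MIN_CACHE_WARMUP_TIME_IN_MILLISECONDS.
     *
     * @param date the response's thisUpdate
     * @param date2 the response's nextUpdate
     * @return the tolerance in milliseconds
     */
    private static long calculateTolerableVadility(Date date, Date date2) {
        long validityMillis = date2.getTime() - date.getTime();
        // Scale in double rather than float: a float carries only 24 significant bits, so intervals
        // longer than 2^24 ms (~4.6 hours) were rounded before the ratio was applied. The narrowing
        // back to long is made explicit.
        long scaled = (long) (validityMillis * (double) TOLERABLE_VALIDITY_RANGE_RATIO);
        return maxLong(scaled, MIN_CACHE_WARMUP_TIME_IN_MILLISECONDS);
    }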

    /**
     * Decides whether {@code date} lies inside the response's validity window, widened by
     * MAX_CLOCK_SKEW_IN_MILLISECONDS before thisUpdate and by calculateTolerableVadility after nextUpdate.
     *
     * @param date the instant being checked
     * @param date2 the response's thisUpdate
     * @param date3 the response's nextUpdate
     * @return true when {@code date} is within the widened window, inclusive at both ends
     */
    private static boolean isValidityRange(Date date, Date date2, Date date3) {
        long checked = date.getTime();
        long earliestAccepted = date2.getTime() - MAX_CLOCK_SKEW_IN_MILLISECONDS;
        if (checked < earliestAccepted) {
            return false;
        }
        long latestAccepted = date3.getTime() + calculateTolerableVadility(date2, date3);
        return checked <= latestAccepted;
    }

    static {
        // Signature algorithms accepted when verifying an OCSP response signature (see
        // verifySignature); an OID absent from this map is rejected.
        SIGNATURE_OID_TO_STRING.put(SHA1RSA, "SHA1withRSA");
        SIGNATURE_OID_TO_STRING.put(SHA256RSA, "SHA256withRSA");
        SIGNATURE_OID_TO_STRING.put(SHA384RSA, "SHA384withRSA");
        SIGNATURE_OID_TO_STRING.put(SHA512RSA, "SHA512withRSA");
        // Human-readable names for OCSPResponseStatus codes; 4 is unassigned in RFC 6960.
        OCSP_RESPONSE_CODE_TO_STRING = new HashMap();
        OCSP_RESPONSE_CODE_TO_STRING.put(0, "successful");
        OCSP_RESPONSE_CODE_TO_STRING.put(1, "malformedRequest");
        OCSP_RESPONSE_CODE_TO_STRING.put(2, "internalError");
        OCSP_RESPONSE_CODE_TO_STRING.put(3, "tryLater");
        OCSP_RESPONSE_CODE_TO_STRING.put(5, "sigRequired");
        OCSP_RESPONSE_CODE_TO_STRING.put(6, "unauthorized");
        // Registers Bouncy Castle process-wide; verifySignature requests it by provider name.
        Security.addProvider(new BouncyCastleProvider());
        CONVERTER_X509 = new JcaX509CertificateConverter();
        // Root CAs and the OCSP response cache are each guarded by their own lock object
        // (see getPairIssuerSubject for the ROOT_CA_LOCK usage).
        ROOT_CA = new HashMap();
        ROOT_CA_LOCK = new Object();
        OCSP_RESPONSE_CACHE = new HashMap();
        OCSP_RESPONSE_CACHE_LOCK = new Object();
        WAS_CACHE_UPDATED = false;
        WAS_CACHE_READ = false;
        // NOTE(review): SimpleDateFormat is not thread-safe. In the visible code DATE_FORMAT_UTC is
        // used only to format timestamps in exception messages, so a concurrent call would garble a
        // message rather than a decision — confirm no other caller depends on it.
        DATE_FORMAT_UTC = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        DATE_FORMAT_UTC.setTimeZone(TimeZone.getTimeZone("UTC"));
    }
}
