package org.nhindirect.config.processor.impl;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.net.URLConnection;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.camel.Handler;
import org.apache.commons.io.IOUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.nhindirect.config.processor.BundleRefreshProcessor;
import org.nhindirect.config.store.BundleRefreshError;
import org.nhindirect.config.store.BundleThumbprint;
import org.nhindirect.config.store.ConfigurationStoreException;
import org.nhindirect.config.store.TrustBundle;
import org.nhindirect.config.store.TrustBundleAnchor;
import org.nhindirect.config.store.dao.TrustBundleDao;
import org.nhindirect.stagent.CryptoExtensions;
import org.nhindirect.stagent.options.OptionsManager;
import org.nhindirect.stagent.options.OptionsParameter;

/* loaded from: input_file:org/nhindirect/config/processor/impl/DefaultBundleRefreshProcessorImpl.class */
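/**
 * Downloads a trust bundle from its configured URL, verifies it (when a signing
 * certificate is configured), extracts the anchor certificates and writes them to
 * the configuration store through the {@link TrustBundleDao}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The bundle bytes are untrusted network input. Downloads are bounded by
 *       {@link #DEFAULT_MAX_BUNDLE_SIZE} and by connect/read timeouts.</li>
 *   <li>When {@code TrustBundle#getSigningCertificateData()} is set, the bundle
 *       MUST be a CMS SignedData whose signature verifies against that certificate;
 *       an unsigned bundle is rejected rather than silently accepted.</li>
 *   <li>When the {@link #BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED}
 *       option is enabled, TLS server-certificate and hostname verification are
 *       disabled for the bundle download connection only. Earlier revisions installed
 *       the permissive settings as the JVM-wide {@link HttpsURLConnection} defaults,
 *       which silently disabled TLS authentication for every HTTPS client in the
 *       process; that is intentionally no longer the case.</li>
 * </ul>
 */
public class DefaultBundleRefreshProcessorImpl implements BundleRefreshProcessor {
    /**
     * Option name: when true, TLS server-certificate and hostname checks are skipped
     * for trust bundle downloads. Insecure; intended for test environments only.
     */
    public static final String BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED = "BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED";
    /** Connect timeout, in milliseconds, applied to the bundle download connection. */
    protected static final int DEFAULT_URL_CONNECTION_TIMEOUT = 10000;
    /** Read timeout, in milliseconds, applied to the bundle download connection. */
    protected static final int DEFAULT_URL_READ_TIMEOUT = 10000;
    /**
     * Upper bound, in bytes, on a downloaded bundle. The whole bundle is buffered in
     * memory before parsing, so without a cap a misbehaving or hostile server could
     * exhaust the heap. Real-world trust bundles are far smaller than this.
     */
    protected static final long DEFAULT_MAX_BUNDLE_SIZE = 32L * 1024 * 1024;
    /** Read buffer size used while streaming the download into memory. */
    private static final int DOWNLOAD_CHUNK_SIZE = 2048;
    private static final Log log = LogFactory.getLog(DefaultBundleRefreshProcessorImpl.class);

    /** Persistence gateway for bundle state; injected via {@link #setDao(TrustBundleDao)}. */
    protected TrustBundleDao dao;
    /**
     * Socket factory that accepts any server certificate. Non-null only when the
     * "allow untrusted" option is enabled; applied per download connection, never
     * installed as a JVM-wide default.
     */
    protected SSLSocketFactory insecureSocketFactory;
    /** Hostname verifier that accepts any host name; paired with {@link #insecureSocketFactory}. */
    protected HostnameVerifier insecureHostnameVerifier;

    /**
     * Registers the JVM system-property name backing the "allow untrusted" option
     * with the {@link OptionsManager}.
     */
    public static synchronized void initJVMParams() {
        HashMap<String, String> optionToProperty = new HashMap<String, String>();
        optionToProperty.put(BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED,
                "org.nhindirect.config.processor.impl.bundlerefresh.AllowNonVerifiedSSL");
        OptionsManager.addInitParameters(optionToProperty);
    }

    /**
     * Creates the processor. If the "allow untrusted" option is enabled, builds a
     * trust-everything TLS context and hostname verifier that are later applied to
     * the bundle download connection only. Failure to build that context is logged
     * and the JVM default (verifying) trust settings remain in effect.
     */
    public DefaultBundleRefreshProcessorImpl() {
        boolean allowUntrusted = OptionsParameter.getParamValueAsBoolean(
                OptionsManager.getInstance().getParameter(BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED), false);
        if (!allowUntrusted) {
            return;
        }

        log.warn("Option " + BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED
                + " is enabled: TLS server certificate and hostname verification are DISABLED for trust bundle downloads.");
        try {
            TrustManager[] trustEverything = {new X509TrustManager() {
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    // Contract requires a non-null array; null breaks some SSL engines.
                    return new X509Certificate[0];
                }

                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) {
                    // Intentionally accepts everything (option is explicitly insecure).
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) {
                    // Intentionally accepts everything (option is explicitly insecure).
                }
            }};
            SSLContext permissiveContext = SSLContext.getInstance("TLS");
            permissiveContext.init(null, trustEverything, new SecureRandom());
            this.insecureSocketFactory = permissiveContext.getSocketFactory();
            this.insecureHostnameVerifier = new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            };
        } catch (Exception e) {
            log.error("Failed to initialize the permissive TLS context; bundle downloads will use the JVM default trust settings.", e);
        }
    }

    /**
     * Injects the data-access object used to persist anchors and refresh status.
     *
     * @param trustBundleDao the DAO to use
     */
    public void setDao(TrustBundleDao trustBundleDao) {
        this.dao = trustBundleDao;
    }

    /**
     * Refreshes one trust bundle: downloads it, compares its thumbprint with the
     * stored checksum, and - only when the content changed - verifies, parses and
     * stores the new anchor set. Every outcome is recorded through
     * {@code dao.updateLastUpdateError(...)}; nothing is thrown to the caller.
     *
     * @param trustBundle the bundle to refresh (URL, optional signing certificate,
     *                    previously stored checksum)
     */
    @Override
    @Handler
    public void refreshBundle(TrustBundle trustBundle) {
        Calendar attemptTime = Calendar.getInstance(Locale.getDefault());
        byte[] rawBundle = downloadBundleToByteArray(trustBundle, attemptTime);
        if (rawBundle == null) {
            // Download failure already recorded by downloadBundleToByteArray.
            return;
        }

        // Thumbprint is computed unconditionally so it is stored on the first refresh
        // as well; previously a bundle with no stored checksum was persisted with an
        // empty checksum and re-processed on every run.
        String thumbprint;
        try {
            thumbprint = BundleThumbprint.toThumbprint(rawBundle).toString();
        } catch (NoSuchAlgorithmException e) {
            this.dao.updateLastUpdateError(trustBundle.getId(), attemptTime, BundleRefreshError.INVALID_BUNDLE_FORMAT);
            log.error("Failed to generate downloaded bundle thumbprint ", e);
            // Must not fall through: an earlier revision continued and overwrote this
            // error with SUCCESS.
            return;
        }

        String storedChecksum = trustBundle.getCheckSum();
        if (storedChecksum != null && storedChecksum.equals(thumbprint)) {
            // Unchanged content; nothing to re-verify or re-store.
            this.dao.updateLastUpdateError(trustBundle.getId(), attemptTime, BundleRefreshError.SUCCESS);
            return;
        }

        Collection<X509Certificate> anchors = convertRawBundleToAnchorCollection(rawBundle, trustBundle, attemptTime);
        if (anchors == null) {
            // Parse/verification failure already recorded by convertRawBundleToAnchorCollection.
            return;
        }

        // X509Certificate equality is based on DER encoding, so a HashSet drops
        // duplicate anchors that appear more than once in the bundle.
        HashSet<X509Certificate> uniqueAnchors = new HashSet<X509Certificate>(anchors);
        List<TrustBundleAnchor> anchorEntities = new ArrayList<TrustBundleAnchor>(uniqueAnchors.size());
        for (X509Certificate anchor : uniqueAnchors) {
            try {
                TrustBundleAnchor entity = new TrustBundleAnchor();
                entity.setData(anchor.getEncoded());
                entity.setTrustBundle(trustBundle);
                anchorEntities.add(entity);
            } catch (Exception e) {
                // Best effort: skip the anchor that cannot be re-encoded, keep the rest.
                log.warn("Failed to convert downloaded anchor to byte array. ", e);
            }
        }

        try {
            trustBundle.setTrustBundleAnchors(anchorEntities);
            this.dao.updateTrustBundleAnchors(trustBundle.getId(), attemptTime, anchorEntities, thumbprint);
            this.dao.updateLastUpdateError(trustBundle.getId(), attemptTime, BundleRefreshError.SUCCESS);
        } catch (ConfigurationStoreException e) {
            this.dao.updateLastUpdateError(trustBundle.getId(), attemptTime, BundleRefreshError.INVALID_BUNDLE_FORMAT);
            log.error("Failed to write updated bundle anchors to data store ", e);
        }
    }

    /**
     * Extracts the anchor certificates from the raw bundle bytes.
     *
     * <p>If the bundle has no signing certificate configured, the bytes are first
     * parsed as a plain X.509 certificate collection (PEM or DER); if that yields
     * nothing they are parsed as a CMS SignedData and the encapsulated content is
     * parsed instead (no signature check is possible without a configured signer).
     *
     * <p>If a signing certificate IS configured, the plain-certificate path is not
     * attempted: the bundle must be a CMS SignedData with at least one signature
     * that verifies against the configured certificate. An earlier revision tried
     * the plain parse first regardless, which accepted an unsigned bundle without
     * any verification. Note that the JDK X.509 CertificateFactory can also read
     * PKCS#7 containers, in which case it returns the certificates embedded in the
     * container rather than the signed payload - another reason the plain path must
     * be skipped when a signature is required.
     *
     * @param bArr        raw bundle bytes (untrusted)
     * @param trustBundle bundle configuration (signing certificate, URL for logging)
     * @param calendar    attempt timestamp used when recording errors
     * @return the anchor certificates, or {@code null} after recording
     *         {@code UNMATCHED_SIGNATURE} or {@code INVALID_BUNDLE_FORMAT}
     */
    protected Collection<X509Certificate> convertRawBundleToAnchorCollection(byte[] bArr, TrustBundle trustBundle, Calendar calendar) {
        boolean signatureRequired = trustBundle.getSigningCertificateData() != null;

        if (!signatureRequired) {
            Collection<X509Certificate> plainAnchors = parseCertificateCollection(bArr);
            if (plainAnchors != null) {
                return plainAnchors;
            }
        }

        try {
            CMSSignedData signedBundle = new CMSSignedData(bArr);
            if (signatureRequired && !isSignedByConfiguredCertificate(signedBundle, trustBundle)) {
                this.dao.updateLastUpdateError(trustBundle.getId(), calendar, BundleRefreshError.UNMATCHED_SIGNATURE);
                log.warn("Downloaded bundle signature did not match configured signing certificate.");
                return null;
            }
            if (signedBundle.getSignedContent() == null) {
                // Detached or certs-only SignedData: nothing to extract anchors from.
                throw new IllegalStateException("signed bundle does not encapsulate any content");
            }
            byte[] signedPayload = (byte[]) signedBundle.getSignedContent().getContent();
            Collection<X509Certificate> anchors = parseCertificateCollection(signedPayload);
            if (anchors == null) {
                throw new IllegalStateException("signed bundle content holds no certificates");
            }
            return anchors;
        } catch (Exception e) {
            this.dao.updateLastUpdateError(trustBundle.getId(), calendar, BundleRefreshError.INVALID_BUNDLE_FORMAT);
            String detail = signatureRequired
                    ? " (a signing certificate is configured, so an unsigned bundle is rejected)"
                    : "";
            log.warn("Failed to extract anchors from downloaded bundle at URL " + trustBundle.getBundleURL() + detail, e);
            return null;
        }
    }

    /**
     * Returns true when at least one signer of {@code signedBundle} verifies against
     * the bundle's configured signing certificate. Verification uses the JCE
     * provider named by {@link CryptoExtensions#getJCEProviderName()}.
     */
    private boolean isSignedByConfiguredCertificate(CMSSignedData signedBundle, TrustBundle trustBundle) throws Exception {
        X509Certificate configuredSigner = trustBundle.toSigningCertificate();
        for (Object signer : signedBundle.getSignerInfos().getSigners()) {
            if (((SignerInformation) signer).verify(configuredSigner, CryptoExtensions.getJCEProviderName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Parses {@code encoded} as an X.509 certificate collection.
     *
     * @return the X.509 certificates found, or {@code null} when the bytes are not
     *         parseable or contain no X.509 certificates
     */
    private Collection<X509Certificate> parseCertificateCollection(byte[] encoded) {
        try {
            // ByteArrayInputStream.close() is a no-op, so no explicit close is needed.
            Collection<? extends Certificate> parsed = CertificateFactory.getInstance("X.509")
                    .generateCertificates(new ByteArrayInputStream(encoded));
            if (parsed == null || parsed.isEmpty()) {
                return null;
            }
            List<X509Certificate> x509Only = new ArrayList<X509Certificate>(parsed.size());
            for (Certificate certificate : parsed) {
                if (certificate instanceof X509Certificate) {
                    x509Only.add((X509Certificate) certificate);
                }
            }
            return x509Only.isEmpty() ? null : x509Only;
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Downloads the bundle at {@code trustBundle.getBundleURL()} into memory.
     *
     * <p>The connection uses {@link #DEFAULT_URL_CONNECTION_TIMEOUT} and
     * {@link #DEFAULT_URL_READ_TIMEOUT}; the body is capped at
     * {@link #DEFAULT_MAX_BUNDLE_SIZE} bytes. When the "allow untrusted" option is
     * enabled and the connection is HTTPS, the permissive socket factory and
     * hostname verifier are applied to this connection only.
     *
     * <p>NOTE(review): the URL scheme is not restricted here; bundle URLs come from
     * the configuration store, so whoever can edit a bundle URL controls what this
     * process fetches. Confirm that callers constrain it to http/https if that matters.
     *
     * @param trustBundle bundle whose URL is fetched
     * @param calendar    attempt timestamp used when recording errors
     * @return the downloaded bytes, or {@code null} after recording
     *         {@code DOWNLOAD_TIMEOUT}, {@code NOT_FOUND} or (size exceeded)
     *         {@code INVALID_BUNDLE_FORMAT}
     */
    protected byte[] downloadBundleToByteArray(TrustBundle trustBundle, Calendar calendar) {
        InputStream bundleStream = null;
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try {
            URLConnection connection = new URL(trustBundle.getBundleURL()).openConnection();
            connection.setConnectTimeout(DEFAULT_URL_CONNECTION_TIMEOUT);
            connection.setReadTimeout(DEFAULT_URL_READ_TIMEOUT);
            applyInsecureTlsIfEnabled(connection);

            bundleStream = connection.getInputStream();
            byte[] chunk = new byte[DOWNLOAD_CHUNK_SIZE];
            long totalRead = 0;
            int read;
            while ((read = bundleStream.read(chunk)) > -1) {
                totalRead += read;
                if (totalRead > DEFAULT_MAX_BUNDLE_SIZE) {
                    this.dao.updateLastUpdateError(trustBundle.getId(), calendar, BundleRefreshError.INVALID_BUNDLE_FORMAT);
                    log.warn("Bundle at URL " + trustBundle.getBundleURL() + " exceeds the maximum allowed size of "
                            + DEFAULT_MAX_BUNDLE_SIZE + " bytes; download discarded.");
                    return null;
                }
                buffer.write(chunk, 0, read);
            }
            return buffer.toByteArray();
        } catch (SocketTimeoutException e) {
            this.dao.updateLastUpdateError(trustBundle.getId(), calendar, BundleRefreshError.DOWNLOAD_TIMEOUT);
            log.warn("Failed to download bundle from URL " + trustBundle.getBundleURL(), e);
            return null;
        } catch (Exception e) {
            this.dao.updateLastUpdateError(trustBundle.getId(), calendar, BundleRefreshError.NOT_FOUND);
            log.warn("Failed to download bundle from URL " + trustBundle.getBundleURL(), e);
            return null;
        } finally {
            IOUtils.closeQuietly(bundleStream);
            IOUtils.closeQuietly(buffer);
        }
    }

    /**
     * Applies the permissive socket factory and hostname verifier to
     * {@code connection} when the "allow untrusted" option produced them and the
     * connection is HTTPS. Non-HTTPS connections and the verifying default are left
     * untouched.
     */
    private void applyInsecureTlsIfEnabled(URLConnection connection) {
        if (!(connection instanceof HttpsURLConnection)) {
            return;
        }
        HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
        if (this.insecureSocketFactory != null) {
            httpsConnection.setSSLSocketFactory(this.insecureSocketFactory);
        }
        if (this.insecureHostnameVerifier != null) {
            httpsConnection.setHostnameVerifier(this.insecureHostnameVerifier);
        }
    }

    static {
        // Needed for CMS parsing/verification; addProvider is a no-op if already installed.
        Security.addProvider(new BouncyCastleProvider());
        initJVMParams();
    }
}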
