package com.atlassian.bitbucket.internal.x509;

import com.atlassian.bitbucket.concurrent.LockService;
import com.atlassian.bitbucket.internal.x509.dao.X509RevokedCertificateDao;
import com.atlassian.bitbucket.internal.x509.model.InternalX509Certificate;
import com.atlassian.bitbucket.internal.x509.model.InternalX509RevokedCertificate;
import com.atlassian.bitbucket.util.MoreCollectors;
import com.atlassian.bitbucket.util.concurrent.LockGuard;
import com.atlassian.httpclient.api.Response;
import com.atlassian.stash.internal.spring.SpringTransactionUtils;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.mutable.MutableInt;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.support.TransactionTemplate;

/* loaded from: input_file:com/atlassian/bitbucket/internal/x509/X509RevokedCertificateHelper.class */
public class X509RevokedCertificateHelper {
    private static final Logger log = LoggerFactory.getLogger(X509RevokedCertificateHelper.class);
    private final ExecutorService executorService;
    private final LockService lockService;
    private final TransactionTemplate readOnlyTransaction;
    private final TransactionTemplate readWriteTransaction;
    private final X509CertificateFactory x509CertificateFactory;
    private final X509HttpRequestExecutor x509HttpRequestExecutor;
    private final X509RevokedCertificateDao x509RevokedCertificateDao;

    public X509RevokedCertificateHelper(ExecutorService executorService, LockService lockService, PlatformTransactionManager platformTransactionManager, X509CertificateFactory x509CertificateFactory, X509HttpRequestExecutor x509HttpRequestExecutor, X509RevokedCertificateDao x509RevokedCertificateDao) {
        this.executorService = executorService;
        this.x509HttpRequestExecutor = x509HttpRequestExecutor;
        this.lockService = lockService;
        this.x509CertificateFactory = x509CertificateFactory;
        this.x509RevokedCertificateDao = x509RevokedCertificateDao;
        this.readOnlyTransaction = new TransactionTemplate(platformTransactionManager, SpringTransactionUtils.definitionFor(0, true));
        this.readWriteTransaction = new TransactionTemplate(platformTransactionManager, SpringTransactionUtils.definitionFor(0));
    }

    public void updateRevokedCertificates(@Nonnull InternalX509Certificate internalX509Certificate, @Nonnull X509Certificate x509Certificate) {
        Objects.requireNonNull(internalX509Certificate, "issuerCertificate");
        Objects.requireNonNull(x509Certificate, "x509Certificate");
        LockGuard tryLock = LockGuard.tryLock(this.lockService.getLock(internalX509Certificate.getFingerprint()));
        try {
            if (tryLock == null) {
                log.debug("Unable to acquire lock for updating the list of revoked X.509 certificates for X.509 certificate {}", internalX509Certificate);
                if (tryLock != null) {
                    tryLock.close();
                    return;
                }
                return;
            }
            log.debug("Updating the list of revoked X.509 certificates for X.509 certificate {}", internalX509Certificate);
            this.executorService.execute(() -> {
                MutableInt mutableInt = new MutableInt();
                MutableInt mutableInt2 = new MutableInt();
                getCrls(x509Certificate, this.x509CertificateFactory).forEach(x509crl -> {
                    Set<? extends X509CRLEntry> revokedCertificates = x509crl.getRevokedCertificates();
                    if (revokedCertificates != null) {
                        revokedCertificates.forEach(x509CRLEntry -> {
                            Boolean addIfNotPresent = addIfNotPresent(internalX509Certificate, x509CRLEntry);
                            if (Boolean.TRUE.equals(addIfNotPresent)) {
                                mutableInt.increment();
                            } else if (Boolean.FALSE.equals(addIfNotPresent)) {
                                mutableInt2.increment();
                            }
                        });
                    }
                });
                log.debug("Certificate revocation list update results for X.509 certificate {} - Successfully added {} new revoked X.509 certificate DB entries; Failed to add {} new revoked X.509 certificate DB entries", new Object[]{internalX509Certificate, Integer.valueOf(mutableInt.intValue()), Integer.valueOf(mutableInt2.intValue())});
            });
            if (tryLock != null) {
                tryLock.close();
            }
        } catch (Throwable th) {
            if (tryLock != null) {
                try {
                    tryLock.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @VisibleForTesting
    Boolean addIfNotPresent(InternalX509Certificate internalX509Certificate, X509CRLEntry x509CRLEntry) {
        long longValue = x509CRLEntry.getSerialNumber().longValue();
        if (((Optional) this.readOnlyTransaction.execute(transactionStatus -> {
            return this.x509RevokedCertificateDao.getBySerialNumberAndIssuerId(longValue, internalX509Certificate.getId());
        })).isPresent()) {
            return null;
        }
        InternalX509RevokedCertificate build = new InternalX509RevokedCertificate.Builder().serialNumber(longValue).issuer(internalX509Certificate).build();
        return (Boolean) this.readWriteTransaction.execute(transactionStatus2 -> {
            this.x509RevokedCertificateDao.create(build);
            return true;
        });
    }

    @VisibleForTesting
    Set<X509CRL> getCrls(X509Certificate x509Certificate, X509CertificateFactory x509CertificateFactory) {
        ImmutableSet.Builder builder = ImmutableSet.builder();
        for (String str : getCrlUrls(x509Certificate)) {
            log.debug("Attempting to get the X.509 certificate revocation list information at URL '{}'", str);
            Response makeGetRequest = this.x509HttpRequestExecutor.makeGetRequest(str);
            if (makeGetRequest.isOk()) {
                try {
                    InputStream entityStream = makeGetRequest.getEntityStream();
                    try {
                        builder.add(x509CertificateFactory.generateCrl(entityStream));
                        if (entityStream != null) {
                            entityStream.close();
                        }
                    } catch (Throwable th) {
                        if (entityStream != null) {
                            try {
                                entityStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                        break;
                    }
                } catch (IOException | CRLException e) {
                    log.warn("Failed to generate the certificate revocation list based on information at URL '{}' for X.509 certificate {}", new Object[]{str, x509Certificate, e});
                }
            } else {
                log.warn("Could not successfully obtain X.509 certificate revocation list information at URL '{}'", str);
            }
        }
        return builder.build();
    }

    @VisibleForTesting
    Set<String> getCrlUrls(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        if (extensionValue == null || extensionValue.length <= 0) {
            log.debug("X.509 certificate with serial number '{}' did not have any certificate revocation list distribution points", serialNumber);
            return Collections.emptySet();
        }
        try {
            return (Set) Arrays.stream(CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue)).getDistributionPoints()).map((v0) -> {
                return v0.getDistributionPoint();
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).filter(distributionPointName -> {
                return distributionPointName.getType() == 0;
            }).map(distributionPointName2 -> {
                return GeneralNames.getInstance(distributionPointName2.getName()).getNames();
            }).flatMap((v0) -> {
                return Arrays.stream(v0);
            }).filter(generalName -> {
                return generalName.getTagNo() == 6;
            }).map(generalName2 -> {
                return ASN1IA5String.getInstance(generalName2.getName()).getString();
            }).collect(MoreCollectors.toImmutableSet());
        } catch (IOException e) {
            log.debug("Failed to retrieve the certificate revocation list URLs for X.509 certificate with serial number '{}'", serialNumber, e);
            return Collections.emptySet();
        }
    }

    private static byte[] getEncoded(X509CRLEntry x509CRLEntry) {
        try {
            return x509CRLEntry.getEncoded();
        } catch (CRLException e) {
            log.warn("Failed to encode X.509 CRL entry {}", x509CRLEntry, e);
            return null;
        }
    }
}
