package org.apache.nifi.web.security.x509.ocsp;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientHandlerException;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.UniformInterfaceException;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.framework.security.util.SslContextFactory;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.x509.ocsp.OcspStatus;
import org.apache.nifi.web.util.WebUtils;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.class */
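/**
 * Checks client certificates against an OCSP responder configured through {@code nifi.security.ocsp.responder.url}.
 * <p>
 * Design as implemented here: the check <em>fails open</em>. OCSP is skipped entirely when the responder URL is
 * blank or the configuration cannot be loaded, and {@link #validate(X509Certificate[])} only rejects a certificate
 * when the responder's answer was signed by a trusted key, matched the request, and says "revoked". Transport
 * errors, unverifiable signatures and unknown statuses are logged and let the certificate through. Results are
 * cached for twelve hours per subject/issuer pair, including failed lookups.
 * <p>
 * {@code trustedCAs} is populated in the constructor and not modified afterwards.
 */
public class OcspCertificateValidator {

    private static final Logger logger = LoggerFactory.getLogger(OcspCertificateValidator.class);
    private static final String HTTPS = "https";
    private static final String CONTENT_TYPE_HEADER = "Content-Type";
    private static final String OCSP_REQUEST_CONTENT_TYPE = "application/ocsp-request";
    private static final int CONNECT_TIMEOUT = 10000;
    private static final int READ_TIMEOUT = 10000;
    // Request nonce size in bytes; RFC 8954 bounds the nonce to 1..32 octets.
    private static final int NONCE_LENGTH = 16;
    private static final SecureRandom NONCE_RANDOM = new SecureRandom();

    private URI validationAuthorityURI;
    private Client client;
    private Map<String, X509Certificate> trustedCAs;
    private LoadingCache<OcspRequest, OcspStatus> ocspCache;

    /**
     * Builds the validator from the NiFi configuration.
     * <p>
     * When {@code nifi.security.ocsp.responder.url} is blank nothing is set up. When any part of the setup fails
     * (responder certificate, truststore, SSL context) the failure is logged at ERROR and OCSP validation is
     * disabled rather than failing startup; that log line is the only signal of the degraded state.
     *
     * @param niFiProperties source of the responder URL, optional responder certificate and truststore settings
     */
    public OcspCertificateValidator(final NiFiProperties niFiProperties) {
        final String responderUrl = niFiProperties.getProperty("nifi.security.ocsp.responder.url");
        if (StringUtils.isBlank(responderUrl)) {
            return;
        }
        try {
            this.validationAuthorityURI = URI.create(responderUrl);

            final DefaultClientConfig clientConfig = new DefaultClientConfig();
            clientConfig.getProperties().put("com.sun.jersey.client.property.readTimeout", READ_TIMEOUT);
            clientConfig.getProperties().put("com.sun.jersey.client.property.connectTimeout", CONNECT_TIMEOUT);

            // An https responder is reached through NiFi's own SSL context, so the responder's TLS certificate
            // is checked against the configured truststore; plain http relies solely on the OCSP signature below.
            if (HTTPS.equalsIgnoreCase(this.validationAuthorityURI.getScheme())) {
                this.client = WebUtils.createClient(clientConfig, SslContextFactory.createSslContext(niFiProperties));
            } else {
                this.client = WebUtils.createClient(clientConfig);
            }

            this.trustedCAs = getTrustedCAs(niFiProperties);

            // An explicitly configured responder certificate is trusted in addition to the truststore CAs.
            final X509Certificate ocspCertificate = getOcspCertificate(niFiProperties);
            if (ocspCertificate != null) {
                this.trustedCAs.put(ocspCertificate.getSubjectX500Principal().getName(), ocspCertificate);
            }

            this.ocspCache = CacheBuilder.newBuilder()
                    .expireAfterWrite(FormatUtils.getTimeDuration("12 hours", TimeUnit.MILLISECONDS), TimeUnit.MILLISECONDS)
                    .build(new CacheLoader<OcspRequest, OcspStatus>() {
                        @Override
                        public OcspStatus load(final OcspRequest ocspRequest) throws Exception {
                            final String subjectName = ocspRequest.getSubjectCertificate().getSubjectX500Principal().getName();
                            logger.info(String.format("Validating client certificate via OCSP: <%s>", subjectName));
                            final OcspStatus ocspStatus = getOcspStatus(ocspRequest);
                            logger.info(String.format("Client certificate status for <%s>: %s", subjectName, ocspStatus.toString()));
                            return ocspStatus;
                        }
                    });
        } catch (final Exception e) {
            // Misconfiguration disables OCSP instead of failing startup.
            logger.error("Disabling OCSP certificate validation. Unable to load OCSP configuration: " + e, e);
            this.client = null;
        }
    }

    /**
     * Loads the optional responder certificate named by {@code nifi.security.ocsp.responder.certificate}.
     *
     * @param niFiProperties configuration to read the path from
     * @return the parsed X.509 certificate, or {@code null} when the property is blank
     * @throws IllegalStateException if the file cannot be read or is not a valid certificate
     */
    private X509Certificate getOcspCertificate(final NiFiProperties niFiProperties) {
        final String certificatePath = niFiProperties.getProperty("nifi.security.ocsp.responder.certificate");
        if (StringUtils.isBlank(certificatePath)) {
            return null;
        }
        try (FileInputStream in = new FileInputStream(certificatePath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (final IOException | CertificateException e) {
            throw new IllegalStateException("Unable to load the validation authority certificate: " + e, e);
        }
    }

    /**
     * Reads every accepted issuer from the truststore at {@code nifi.security.truststore}, keyed by subject name.
     * <p>
     * The store is opened with {@link KeyStore#getDefaultType()}; a truststore of another type will fail to load
     * here, which (via the constructor) silently disables OCSP. No truststore-type property is consulted.
     *
     * @param niFiProperties configuration to read the truststore path and password from
     * @return mutable map of subject name to CA certificate; never {@code null}
     * @throws IllegalArgumentException if the truststore path is not configured
     * @throws IllegalStateException    if the truststore cannot be opened, loaded or used to build trust managers
     */
    private Map<String, X509Certificate> getTrustedCAs(final NiFiProperties niFiProperties) {
        final String truststorePath = niFiProperties.getProperty("nifi.security.truststore");
        if (truststorePath == null) {
            throw new IllegalArgumentException("The truststore path is required.");
        }
        final String truststorePassword = niFiProperties.getProperty("nifi.security.truststorePasswd");
        final char[] password = truststorePassword == null ? new char[0] : truststorePassword.toCharArray();

        final Map<String, X509Certificate> trustedCertificates = new HashMap<>();
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            final KeyStore trustStore = KeyStoreUtils.getTrustStore(KeyStore.getDefaultType());
            trustStore.load(in, password);

            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            for (final TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                if (trustManager instanceof X509TrustManager) {
                    for (final X509Certificate ca : ((X509TrustManager) trustManager).getAcceptedIssuers()) {
                        trustedCertificates.put(ca.getSubjectX500Principal().getName(), ca);
                    }
                }
            }
        } catch (final Exception e) {
            // Broad catch kept: KeyStoreUtils' checked exception set is not visible here.
            throw new IllegalStateException("Unable to load the configured truststore: " + e, e);
        }
        return trustedCertificates;
    }

    /**
     * Validates the first certificate of the chain against the OCSP responder.
     * <p>
     * Fails open: returns normally when OCSP is disabled, the chain is empty, the responder is unreachable, or the
     * answer could not be verified. Throws only for an answer that is both verified and reports "revoked".
     *
     * @param certificateChain client chain, subject certificate first; {@code null} or empty is ignored
     * @throws CertificateStatusException if a verified response reports the certificate as revoked
     * @throws IllegalArgumentException   if the chain has one element and its issuer is not a trusted CA
     */
    public void validate(final X509Certificate[] certificateChain) throws CertificateStatusException {
        if (this.client == null || certificateChain == null || certificateChain.length == 0) {
            return;
        }

        final X509Certificate subjectCertificate = getSubjectCertificate(certificateChain);
        final X509Certificate issuerCertificate = getIssuerCertificate(certificateChain);
        final String subjectName = subjectCertificate.getSubjectX500Principal().getName();
        if (issuerCertificate == null) {
            throw new IllegalArgumentException(String.format(
                    "Unable to obtain certificate of issuer <%s> for the specified subject certificate <%s>.",
                    subjectCertificate.getIssuerX500Principal().getName(), subjectName));
        }

        try {
            final OcspStatus ocspStatus = this.ocspCache.getUnchecked(new OcspRequest(subjectCertificate, issuerCertificate));
            // Only a response signed by a trusted key is enforced; Unverified/Unknown results pass through.
            if (OcspStatus.VerificationStatus.Verified.equals(ocspStatus.getVerificationStatus())
                    && OcspStatus.ValidationStatus.Revoked.equals(ocspStatus.getValidationStatus())) {
                throw new CertificateStatusException(String.format(
                        "Client certificate for <%s> is revoked according to the certificate authority.", subjectName));
            }
        } catch (final UncheckedExecutionException e) {
            // Loader failures (getOcspStatus itself does not throw, so this is mostly unexpected runtime errors).
            logger.warn(String.format("Unable to validate client certificate via OCSP: <%s>", subjectName), e.getCause());
        }
    }

    /**
     * @param certificateChain non-empty chain, subject first
     * @return the subject (end-entity) certificate
     */
    private X509Certificate getSubjectCertificate(final X509Certificate[] certificateChain) {
        return certificateChain[0];
    }

    /**
     * Picks the issuer certificate for the subject.
     * <p>
     * With more than one element the second chain element is taken as-is; with exactly one element the issuer is
     * looked up in the truststore by the subject's issuer name. Neither path checks that the chosen certificate
     * actually signed the subject — presumably the TLS layer validated the chain before this is called; confirm at
     * the caller.
     *
     * @param certificateChain non-empty chain, subject first
     * @return the issuer certificate, or {@code null} when a single-element chain's issuer is not trusted
     */
    private X509Certificate getIssuerCertificate(final X509Certificate[] certificateChain) {
        if (certificateChain.length > 1) {
            return certificateChain[1];
        }
        if (certificateChain.length != 1) {
            return null;
        }
        return this.trustedCAs.get(getSubjectCertificate(certificateChain).getIssuerX500Principal().getName());
    }

    /**
     * Queries the responder for the status of the subject certificate in {@code ocspRequest}.
     * <p>
     * Never throws: every failure (request building, transport, parsing, signature or nonce checking) is logged and
     * yields a status whose verification and validation fields remain {@code Unknown}, which
     * {@link #validate(X509Certificate[])} treats as "not revoked". A response is {@code Verified} only when it is
     * signed by a trusted responder key (see {@link #getTrustedResponderCertificate}) and, if it echoes a nonce,
     * that nonce matches the one sent.
     *
     * @param ocspRequest subject and issuer certificate pair to query
     * @return the populated status; never {@code null}
     */
    public OcspStatus getOcspStatus(final OcspRequest ocspRequest) {
        final X509Certificate subjectCertificate = ocspRequest.getSubjectCertificate();
        final X509Certificate issuerCertificate = ocspRequest.getIssuerCertificate();
        final String subjectName = subjectCertificate.getSubjectX500Principal().getName();

        final OcspStatus ocspStatus = new OcspStatus();
        ocspStatus.setVerificationStatus(OcspStatus.VerificationStatus.Unknown);
        ocspStatus.setValidationStatus(OcspStatus.ValidationStatus.Unknown);

        try {
            // CertID per RFC 6960: SHA-1 digests of the issuer name/key plus the serial number. SHA-1 here is an
            // identifier the responder echoes, not a security control.
            final CertificateID certificateID = new CertificateID(
                    new JcaDigestCalculatorProviderBuilder().setProvider("BC").build().get(CertificateID.HASH_SHA1),
                    new X509CertificateHolder(issuerCertificate.getEncoded()),
                    subjectCertificate.getSerialNumber());

            // Unpredictable nonce: the responder echoes it inside the signed ResponseData, which binds the answer
            // to this request (a timestamp-derived nonce is guessable and defeats that purpose).
            final byte[] nonce = new byte[NONCE_LENGTH];
            NONCE_RANDOM.nextBytes(nonce);

            final OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
            requestBuilder.addRequest(certificateID);
            requestBuilder.setRequestExtensions(new Extensions(new Extension[]{
                new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(nonce))}));

            final OCSPResp ocspResponse = sendRequest(requestBuilder.build());
            if (ocspResponse == null) {
                return ocspStatus; // non-200 already logged; response status intentionally left unset as before
            }

            ocspStatus.setResponseStatus(toResponseStatus(ocspResponse.getStatus()));
            if (ocspResponse.getStatus() != OCSPResp.SUCCESSFUL) {
                logger.warn(String.format("OCSP request was unsuccessful (%s).", ocspStatus.getResponseStatus()));
                return ocspStatus;
            }

            final Object responseObject = ocspResponse.getResponseObject();
            if (!(responseObject instanceof BasicOCSPResp)) {
                logger.warn(String.format("Unexpected OCSP response object: %s", responseObject));
                return ocspStatus;
            }
            final BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;

            // Exactly one embedded responder certificate is required; a response signed directly by the CA without
            // an embedded certificate is not resolved here and stays Unknown.
            final X509CertificateHolder[] responderCertificates = basicResponse.getCerts();
            if (responderCertificates == null || responderCertificates.length != 1) {
                logger.warn(String.format("Unexpected number of OCSP responder certificates: %s",
                        responderCertificates == null ? 0 : responderCertificates.length));
                return ocspStatus;
            }

            final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate(responderCertificates[0], issuerCertificate);
            final boolean signatureValid = trustedResponderCertificate != null
                    && basicResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC")
                            .build(trustedResponderCertificate.getPublicKey()));
            final boolean nonceAccepted = nonceAccepted(basicResponse, nonce, subjectName);
            ocspStatus.setVerificationStatus(signatureValid && nonceAccepted
                    ? OcspStatus.VerificationStatus.Verified
                    : OcspStatus.VerificationStatus.Unverified);

            applyCertificateStatus(basicResponse, certificateID, subjectName, ocspStatus);
        } catch (final CertificateException | OCSPException | IOException | OperatorCreationException
                | UniformInterfaceException | ClientHandlerException e) {
            logger.error(String.format("Unable to determine OCSP status for <%s>: %s", subjectName, e.getMessage()), e);
        }
        return ocspStatus;
    }

    /**
     * Posts the request and parses the body of a 200 response.
     *
     * @param request DER-encodable OCSP request
     * @return the parsed response, or {@code null} (after a WARN log) when the HTTP status was not 200
     * @throws IOException if the request cannot be encoded or the response body cannot be parsed
     */
    private OCSPResp sendRequest(final OCSPReq request) throws IOException {
        final ClientResponse clientResponse = getClientResponse(request);
        try {
            if (ClientResponse.Status.OK.getStatusCode() != clientResponse.getStatusInfo().getStatusCode()) {
                logger.warn(String.format("OCSP request was unsuccessful (%s).", clientResponse.getStatus()));
                return null;
            }
            return new OCSPResp(clientResponse.getEntityInputStream());
        } finally {
            // Releases the underlying connection; the entity stream was either fully read or never consumed.
            clientResponse.close();
        }
    }

    /**
     * Sends the encoded request to the configured responder as {@code application/ocsp-request}.
     *
     * @param request request to encode and post
     * @return the raw Jersey response; the caller must close it
     * @throws IOException if the request cannot be DER-encoded
     */
    private ClientResponse getClientResponse(final OCSPReq request) throws IOException {
        return this.client.resource(this.validationAuthorityURI)
                .header(CONTENT_TYPE_HEADER, OCSP_REQUEST_CONTENT_TYPE)
                .post(ClientResponse.class, request.getEncoded());
    }

    /**
     * Maps the OCSPResponseStatus code (RFC 6960 §4.2.1) to the project enum. Code 4 is unassigned and, like any
     * other unrecognised value, maps to {@code Unknown}.
     *
     * @param status value of {@link OCSPResp#getStatus()}
     * @return the corresponding {@link OcspStatus.ResponseStatus}
     */
    private static OcspStatus.ResponseStatus toResponseStatus(final int status) {
        switch (status) {
            case OCSPResp.SUCCESSFUL:
                return OcspStatus.ResponseStatus.Successful;
            case OCSPResp.MALFORMED_REQUEST:
                return OcspStatus.ResponseStatus.MalformedRequest;
            case OCSPResp.INTERNAL_ERROR:
                return OcspStatus.ResponseStatus.InternalError;
            case OCSPResp.TRY_LATER:
                return OcspStatus.ResponseStatus.TryLater;
            case OCSPResp.SIG_REQUIRED:
                return OcspStatus.ResponseStatus.SignatureRequired;
            case OCSPResp.UNAUTHORIZED:
                return OcspStatus.ResponseStatus.Unauthorized;
            default:
                return OcspStatus.ResponseStatus.Unknown;
        }
    }

    /**
     * Compares the nonce echoed in the response with the one sent in the request.
     * <p>
     * A response without a nonce is accepted for compatibility with responders that serve pre-produced answers
     * (RFC 5019 style); freshness then rests on {@code nextUpdate} alone (see {@link #applyCertificateStatus}).
     * A present but different nonce means the answer was not produced for this request and is rejected.
     *
     * @param basicResponse the signed response body
     * @param expectedNonce nonce bytes sent in the request
     * @param subjectName   subject name, for logging only
     * @return {@code true} when the nonce is absent or matches
     */
    private boolean nonceAccepted(final BasicOCSPResp basicResponse, final byte[] expectedNonce, final String subjectName) {
        final Extension nonceExtension = basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (nonceExtension == null) {
            logger.debug(String.format("OCSP response for <%s> carries no nonce; freshness rests on nextUpdate only.", subjectName));
            return true;
        }
        if (Arrays.equals(expectedNonce, nonceExtension.getExtnValue().getOctets())) {
            return true;
        }
        logger.warn(String.format("OCSP response nonce for <%s> does not match the request; treating the response as unverified.", subjectName));
        return false;
    }

    /**
     * Checks that a single response answers the identifier that was asked about (RFC 6960 §3.2): issuer name
     * hash, issuer key hash and serial number, not the serial number alone. Hash bytes are compared directly to
     * avoid AlgorithmIdentifier encoding differences between request and response.
     */
    private static boolean sameCertificate(final CertificateID requested, final CertificateID answered) {
        return requested.getSerialNumber().equals(answered.getSerialNumber())
                && Arrays.equals(requested.getIssuerNameHash(), answered.getIssuerNameHash())
                && Arrays.equals(requested.getIssuerKeyHash(), answered.getIssuerKeyHash());
    }

    /**
     * Copies the certificate status of the matching single response into {@code ocspStatus}.
     * <p>
     * A "good" answer whose {@code nextUpdate} has already passed is downgraded to {@code Unknown} (RFC 6960
     * §4.2.2.1 calls such responses unreliable, and a stale "good" is what a replayed response looks like); a
     * "revoked" answer is kept regardless of age. Non-matching single responses are ignored.
     *
     * @param basicResponse the signed response body
     * @param requestedId   identifier sent in the request
     * @param subjectName   subject name, for logging only
     * @param ocspStatus    status object to update
     */
    private void applyCertificateStatus(final BasicOCSPResp basicResponse, final CertificateID requestedId,
                                        final String subjectName, final OcspStatus ocspStatus) {
        final long now = System.currentTimeMillis();
        for (final SingleResp singleResponse : basicResponse.getResponses()) {
            if (!sameCertificate(requestedId, singleResponse.getCertID())) {
                continue;
            }
            // CertificateStatus.GOOD is represented by null in BouncyCastle, hence the identity comparison.
            final CertificateStatus certificateStatus = singleResponse.getCertStatus();
            if (certificateStatus instanceof RevokedStatus) {
                ocspStatus.setValidationStatus(OcspStatus.ValidationStatus.Revoked);
            } else if (CertificateStatus.GOOD != certificateStatus) {
                ocspStatus.setValidationStatus(OcspStatus.ValidationStatus.Unknown);
            } else if (isStale(singleResponse, now)) {
                logger.warn(String.format("OCSP response for <%s> is past its nextUpdate; not accepting it as proof of good standing.", subjectName));
                ocspStatus.setValidationStatus(OcspStatus.ValidationStatus.Unknown);
            } else {
                ocspStatus.setValidationStatus(OcspStatus.ValidationStatus.Good);
            }
        }
    }

    /**
     * @return {@code true} when the single response carries a {@code nextUpdate} that is earlier than {@code now}
     */
    private static boolean isStale(final SingleResp singleResponse, final long now) {
        final Date nextUpdate = singleResponse.getNextUpdate();
        return nextUpdate != null && nextUpdate.getTime() < now;
    }

    /**
     * Resolves the certificate whose public key is allowed to verify the response signature.
     * <ol>
     *   <li>If the embedded responder certificate's subject names an entry in {@code trustedCAs} (truststore CAs
     *       plus the configured responder certificate), that trusted copy is returned. The signature is then
     *       checked against the trusted key, so a look-alike certificate embedded in the response cannot be
     *       substituted for it.</li>
     *   <li>Otherwise the embedded certificate is accepted as a delegated responder (RFC 6960 §4.2.2.2) only if it
     *       is issued and signed by the subject's issuer, is within its validity period, and carries the
     *       id-kp-OCSPSigning extended key usage.</li>
     * </ol>
     * Note that any trusted CA, not only the subject's issuer, can satisfy step 1.
     *
     * @param responderHolder   the single certificate embedded in the response
     * @param issuerCertificate issuer of the subject certificate being checked
     * @return the certificate to verify the signature with, or {@code null} if the responder is not trusted
     * @throws CertificateException if the embedded certificate cannot be converted
     */
    private X509Certificate getTrustedResponderCertificate(final X509CertificateHolder responderHolder,
                                                           final X509Certificate issuerCertificate) throws CertificateException {
        final X509Certificate responderCertificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(responderHolder);
        final String responderName = responderCertificate.getSubjectX500Principal().getName();

        final X509Certificate trustedCopy = this.trustedCAs.get(responderName);
        if (trustedCopy != null) {
            return trustedCopy;
        }

        final String issuerName = issuerCertificate.getSubjectX500Principal().getName();
        if (!issuerCertificate.getSubjectX500Principal().equals(responderCertificate.getIssuerX500Principal())) {
            logger.warn(String.format("OCSP responder certificate <%s> is neither trusted nor issued by <%s>.", responderName, issuerName));
            return null;
        }
        try {
            responderCertificate.checkValidity();
            responderCertificate.verify(issuerCertificate.getPublicKey());
            final List<String> extendedKeyUsage = responderCertificate.getExtendedKeyUsage();
            if (extendedKeyUsage == null || !extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
                logger.warn(String.format("OCSP responder certificate <%s> lacks the id-kp-OCSPSigning extended key usage.", responderName));
                return null;
            }
            return responderCertificate;
        } catch (final GeneralSecurityException e) {
            logger.warn(String.format("OCSP responder certificate <%s> is not a valid delegate of <%s>: %s", responderName, issuerName, e), e);
            return null;
        }
    }
}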
