package org.eclipse.kura.core.keystore.crl;

import java.io.Closeable;
import java.io.File;
import java.net.URI;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertStore;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.OptionalLong;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.eclipse.kura.core.keystore.util.CRLUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/kura/core/keystore/crl/CRLManager.class */
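/**
 * Keeps a local cache of X.509 certificate revocation lists (CRLs) in sync with a
 * reference-counted set of CRL distribution points.
 *
 * <p>A single-threaded scheduler periodically runs {@link #update()}, which downloads a CRL
 * for every referenced distribution-point set whose cached copy is missing, expired or older
 * than the forced-update interval. A downloaded CRL is stored only if it passes the checks in
 * {@code validateAndStoreCRL} and the configured {@link CRLVerifier}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>Downloaded CRLs are untrusted input. The issuer-equality and freshness checks only run
 * when a CRL is already cached for the same distribution points, so for the first download
 * the {@link CRLVerifier} is the only gate.</li>
 * <li>When a download or validation fails, the previously cached CRL (possibly expired) is left
 * in the store. How consumers of {@link #getCrls()} / {@link #getCertStore()} treat an expired
 * CRL is not visible in this class.</li>
 * </ul>
 *
 * <p>Thread-safety: the distribution-point list is guarded by the instance monitor. The
 * listener reference is {@code volatile} because it is written by {@link #setListener} and
 * {@link #close()} without holding the monitor and read by the update thread.
 */
public class CRLManager implements Closeable {
    private static final Logger logger = LoggerFactory.getLogger(CRLManager.class);

    /** Delay, in milliseconds, between scheduling an update and its first run. */
    private static final long INITIAL_UPDATE_DELAY_MS = 5000L;

    /** Longest time one update pass waits for a single distribution-point download. */
    private static final long DOWNLOAD_TIMEOUT_MINUTES = 1L;

    private final CRLStore store;
    private final long forceUpdateIntervalNanos;
    private final long periodicReckeckIntervalMs;
    private final CRLVerifier verifier;
    // Initialised eagerly: the constructor schedules update(), which dereferences this field
    // and would otherwise hit a null reference if setListener() was never called.
    private volatile Optional<Listener> listener = Optional.empty();
    private final ScheduledExecutorService updateExecutor = Executors.newSingleThreadScheduledExecutor();
    private final ExecutorService downloadExecutor = Executors.newCachedThreadPool();
    private final List<DistributionPointState> referencedDistributionPoints = new ArrayList<>();
    private Optional<ScheduledFuture<?>> updateTask = Optional.empty();

    /* loaded from: input_file:org/eclipse/kura/core/keystore/crl/CRLManager$CRLVerifier.class */
    /**
     * Decides whether a downloaded CRL may be stored.
     *
     * <p>Implementations are expected to authenticate the CRL (for example by checking its
     * signature against a trusted issuer); this class does not verify signatures itself.
     */
    public interface CRLVerifier {
        /**
         * @param x509crl the freshly downloaded CRL
         * @return {@code true} if the CRL is acceptable and may replace the cached one
         */
        boolean verifyCRL(X509CRL x509crl);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/kura/core/keystore/crl/CRLManager$DistributionPointState.class */
    /**
     * Bookkeeping for one set of distribution-point URIs: how many callers reference it and
     * when it was last downloaded successfully.
     */
    public class DistributionPointState {
        // A new entry starts with the reference held by the caller that created it.
        private int refCnt = 1;
        // System.nanoTime() reading of the last accepted download; empty until the first one.
        private OptionalLong lastDownloadInstantNanos = OptionalLong.empty();
        // Stored by reference, not copied: callers must not mutate the set afterwards.
        private final Set<URI> distributionPoints;

        /**
         * @param set the distribution-point URIs identifying this entry
         */
        public DistributionPointState(Set<URI> set) {
            this.distributionPoints = set;
        }

        /**
         * Adds one reference.
         *
         * @return the reference count after the increment
         */
        int ref() {
            return ++this.refCnt;
        }

        /**
         * Drops one reference.
         *
         * @return the reference count after the decrement
         */
        int unref() {
            return --this.refCnt;
        }
    }

    /* loaded from: input_file:org/eclipse/kura/core/keystore/crl/CRLManager$Listener.class */
    /** Callback fired after an update pass stored or removed at least one CRL. */
    public interface Listener {
        /** Invoked on the update thread while the manager's monitor is held. */
        void onCRLCacheChanged();
    }

    /**
     * Creates the manager and schedules the first update pass.
     *
     * @param file        location handed to the backing {@link CRLStore}
     * @param j           second argument of the {@link CRLStore} constructor; its meaning is
     *                    not visible in this class
     * @param j2          delay between periodic update passes, in milliseconds
     * @param j3          age, in milliseconds, after which a CRL is downloaded again even if
     *                    the cached copy has not expired
     * @param cRLVerifier gate applied to every downloaded CRL before it is stored; if it is
     *                    {@code null} every store attempt fails and is only logged
     */
    public CRLManager(File file, long j, long j2, long j3, CRLVerifier cRLVerifier) {
        this.store = new CRLStore(file, j);
        this.periodicReckeckIntervalMs = j2;
        this.forceUpdateIntervalNanos = Duration.ofMillis(j3).toNanos();
        this.verifier = cRLVerifier;
        requestUpdate();
    }

    /**
     * Installs or clears the cache-change listener.
     *
     * @param optional the listener to notify, or an empty optional to disable notifications;
     *                 {@code null} is treated as empty
     */
    public void setListener(Optional<Listener> optional) {
        this.listener = optional == null ? Optional.empty() : optional;
    }

    /**
     * References a set of distribution points, creating the entry if it is new.
     *
     * @param set the distribution-point URIs
     * @return {@code true} if a new entry was created (an update is then rescheduled),
     *         {@code false} if an existing entry only had its reference count increased
     */
    public synchronized boolean addDistributionPoint(Set<URI> set) {
        logger.info("referencing distribution points: {}", set);
        for (DistributionPointState state : this.referencedDistributionPoints) {
            if (state.distributionPoints.equals(set)) {
                state.ref();
                return false;
            }
        }
        this.referencedDistributionPoints.add(new DistributionPointState(set));
        requestUpdate();
        return true;
    }

    /**
     * Drops one reference to a set of distribution points and removes the entry once nobody
     * references it any more.
     *
     * @param set the distribution-point URIs
     * @return {@code true} if the entry was removed (an update is then rescheduled so the
     *         orphaned CRL gets purged), {@code false} otherwise
     */
    public synchronized boolean removeDistributionPoint(Set<URI> set) {
        logger.info("unreferencing distribution points: {}", set);
        // unref() is only evaluated for matching entries because of the short-circuit &&.
        boolean removed = this.referencedDistributionPoints
                .removeIf(state -> state.distributionPoints.equals(set) && state.unref() <= 0);
        if (removed) {
            requestUpdate();
        }
        return removed;
    }

    /**
     * References the CRL distribution points listed in a trusted certificate.
     *
     * @param x509Certificate the certificate to inspect
     * @return {@code true} if a new distribution-point entry was created; {@code false} if the
     *         certificate lists none, the entry already existed, or extraction failed
     */
    public boolean addTrustedCertificate(X509Certificate x509Certificate) {
        try {
            Set<URI> crlURIs = CRLUtil.getCrlURIs(x509Certificate);
            if (crlURIs.isEmpty()) {
                logger.info("certificate {} has no CRL distribution points",
                        x509Certificate.getSubjectX500Principal());
                return false;
            }
            return addDistributionPoint(crlURIs);
        } catch (Exception e) {
            // Best effort: a certificate whose extension cannot be parsed gets no revocation data.
            logger.warn("failed to get distribution points for {}", x509Certificate.getSubjectX500Principal(), e);
            return false;
        }
    }

    /**
     * Drops the reference held on behalf of a trusted certificate.
     *
     * @param x509Certificate the certificate being removed
     * @return {@code true} if the corresponding distribution-point entry was removed
     */
    public boolean removeTrustedCertificate(X509Certificate x509Certificate) {
        try {
            return removeDistributionPoint(CRLUtil.getCrlURIs(x509Certificate));
        } catch (Exception e) {
            logger.warn("failed to get distribution points for {}", x509Certificate.getSubjectX500Principal(), e);
            return false;
        }
    }

    /**
     * @return the CRLs currently held by the store, as a new list
     */
    public synchronized List<X509CRL> getCrls() {
        return this.store.getCRLs().stream().map(StoredCRL::getCrl).collect(Collectors.toList());
    }

    /**
     * @return the {@link CertStore} exposed by the backing store
     * @throws InvalidAlgorithmParameterException propagated from the backing store
     * @throws NoSuchAlgorithmException           propagated from the backing store
     */
    public CertStore getCertStore() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        return this.store.getCertStore();
    }

    /**
     * @return the backing store itself (not a copy)
     */
    public CRLStore getCRLStore() {
        return this.store;
    }

    /**
     * Detaches the listener and shuts both executors down. {@code shutdown()} is used, so work
     * that is already running is allowed to finish rather than being interrupted.
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.listener = Optional.empty();
        this.updateExecutor.shutdown();
        this.downloadExecutor.shutdown();
    }

    /** Cancels any pending periodic update and schedules a fresh one. */
    private void requestUpdate() {
        // cancel(false): a pass that is already running is allowed to complete.
        this.updateTask.ifPresent(task -> task.cancel(false));
        this.updateTask = Optional.of(this.updateExecutor.scheduleWithFixedDelay(this::update,
                INITIAL_UPDATE_DELAY_MS, this.periodicReckeckIntervalMs, TimeUnit.MILLISECONDS));
    }

    /**
     * Runs one update pass: refreshes stale CRLs, purges CRLs whose distribution points are no
     * longer referenced, and notifies the listener if the cache changed.
     *
     * <p>The monitor is held for the whole pass, including the wait of up to
     * {@link #DOWNLOAD_TIMEOUT_MINUTES} minute(s) per download, so the other synchronized
     * methods block until the pass ends.
     */
    private synchronized void update() {
        boolean changed = false;
        long nowNanos = System.nanoTime();
        for (DistributionPointState state : this.referencedDistributionPoints) {
            Optional<StoredCRL> cached = this.store.getCRLs().stream()
                    .filter(stored -> stored.getDistributionPoints().equals(state.distributionPoints))
                    .findAny();
            boolean upToDate = cached.isPresent()
                    && !cached.get().isExpired()
                    && state.lastDownloadInstantNanos.isPresent()
                    && nowNanos - state.lastDownloadInstantNanos.getAsLong() <= this.forceUpdateIntervalNanos;
            if (upToDate) {
                continue;
            }
            CompletableFuture<X509CRL> download = CRLUtil.fetchCRL(state.distributionPoints,
                    this.downloadExecutor);
            try {
                changed |= validateAndStoreCRL(nowNanos, state, cached,
                        download.get(DOWNLOAD_TIMEOUT_MINUTES, TimeUnit.MINUTES));
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                logger.warn("failed to download CRL", e);
                download.cancel(true);
                // With the interrupt flag set every further get() would fail immediately, so
                // do not start downloads that would only be cancelled again.
                break;
            } catch (Exception e) {
                // One failing distribution point must not prevent the others from refreshing.
                logger.warn("failed to download CRL", e);
                download.cancel(true);
            }
        }
        // Short-circuit ||: the purge only runs when no CRL was stored in this pass.
        boolean notify = changed || this.store.removeCRLs(stored -> this.referencedDistributionPoints.stream()
                .noneMatch(state -> state.distributionPoints.equals(stored.getDistributionPoints())));
        if (notify) {
            this.listener.ifPresent(Listener::onCRLCacheChanged);
        }
    }

    /**
     * Applies the acceptance checks to a downloaded CRL and stores it if they all pass.
     *
     * @param nowNanos   {@code System.nanoTime()} reading taken at the start of the pass
     * @param state      bookkeeping entry of the distribution points that were downloaded
     * @param cached     the CRL currently stored for those distribution points, if any
     * @param downloaded the CRL returned by the download; treated as untrusted
     * @return {@code true} if the store was updated
     */
    private boolean validateAndStoreCRL(long nowNanos, DistributionPointState state, Optional<StoredCRL> cached,
            X509CRL downloaded) {
        if (downloaded == null) {
            logger.warn("CRL download returned no CRL");
            return false;
        }
        if (cached.isPresent()) {
            X509CRL current = cached.get().getCrl();
            if (current.equals(downloaded)) {
                logger.info("current CRL is up to date");
                state.lastDownloadInstantNanos = OptionalLong.of(nowNanos);
                return false;
            }
            if (!current.getIssuerX500Principal().equals(downloaded.getIssuerX500Principal())) {
                logger.warn("CRL issuer differs, not updating CRL");
                return false;
            }
            // Rollback guard: an older CRL can still carry a valid signature, and accepting it
            // would drop revocations published since. Keeping the cached CRL never loses data.
            if (downloaded.getThisUpdate().before(current.getThisUpdate())) {
                logger.warn("downloaded CRL is older than the cached one, not updating CRL");
                return false;
            }
        }
        // The verifier is the only authentication step in this class; on a first download
        // (nothing cached) it is also the only check applied.
        if (!this.verifier.verifyCRL(downloaded)) {
            logger.warn("CRL verification failed");
            return false;
        }
        this.store.storeCRL(new StoredCRL(state.distributionPoints, downloaded));
        state.lastDownloadInstantNanos = OptionalLong.of(nowNanos);
        return true;
    }
}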
