package org.nhindirect.config.processor.impl;

import io.netty.channel.ChannelOption;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.timeout.ReadTimeoutHandler;
import io.netty.handler.timeout.WriteTimeoutHandler;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Timestamp;
import java.time.Duration;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.nhindirect.common.crypto.CryptoExtensions;
import org.nhindirect.common.options.OptionsManager;
import org.nhindirect.common.options.OptionsParameter;
import org.nhindirect.config.processor.BundleRefreshProcessor;
import org.nhindirect.config.repository.TrustBundleAnchorRepository;
import org.nhindirect.config.repository.TrustBundleRepository;
import org.nhindirect.config.store.BundleRefreshError;
import org.nhindirect.config.store.BundleThumbprint;
import org.nhindirect.config.store.TrustBundle;
import org.nhindirect.config.store.TrustBundleAnchor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;
import reactor.netty.http.client.HttpClient;

/* loaded from: input_file:org/nhindirect/config/processor/impl/DefaultBundleRefreshProcessorImpl.class */
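/**
 * Default {@link BundleRefreshProcessor}: downloads a trust bundle from its configured URL,
 * parses (and, for CMS-signed bundles with a configured signing certificate, verifies) it into
 * X.509 anchors, and replaces the stored anchors when the bundle content has changed.
 *
 * <p>The outcome of every refresh is written onto the {@link TrustBundle} itself through
 * {@code setLastRefreshAttempt}/{@code setLastRefreshError} and persisted via {@code bundleRepo};
 * the {@link Mono} returned by {@link #refreshBundle(TrustBundle)} completes once that
 * persistence has finished. The error codes are stored as {@link BundleRefreshError} ordinals,
 * which is the existing persistence contract and is therefore kept.
 *
 * <p>Security note: when the {@value #BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED}
 * option is enabled, HTTPS downloads use a trust-all manager (no chain or hostname validation),
 * so the only integrity protection left for a bundle is its CMS signature, and only if a
 * signing certificate is configured on the bundle.
 *
 * <p>Thread-safety: the repository and SSL context fields are assigned once (constructor/setters)
 * and read afterwards; no other instance state is kept.
 */
public class DefaultBundleRefreshProcessorImpl implements BundleRefreshProcessor {
    private static final Logger log = LoggerFactory.getLogger(DefaultBundleRefreshProcessorImpl.class);

    /** Options key; when its value is {@code true}, TLS server certificates are NOT verified on download. */
    public static final String BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED = "BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED";
    /** Connect timeout, in milliseconds, for HTTP(S) bundle downloads. */
    protected static final int DEFAULT_URL_CONNECTION_TIMEOUT = 10000;
    /** Read, write and overall response timeout, in milliseconds, for HTTP(S) bundle downloads. */
    protected static final int DEFAULT_URL_READ_TIMEOUT = 10000;
    /** JVM property name registered with the options manager for the "allow untrusted" option. */
    private static final String ALLOW_NON_VERIFIED_SSL_PROPERTY = "org.nhindirect.config.processor.impl.bundlerefresh.AllowNonVerifiedSSL";

    protected TrustBundleRepository bundleRepo;
    protected TrustBundleAnchorRepository bundleAnchorRepo;
    protected SslContext sslContext;

    /**
     * Registers this class's option-to-JVM-property mapping with the {@link OptionsManager}.
     * Invoked from the static initializer; safe to call again.
     */
    public static synchronized void initJVMParams() {
        HashMap<String, String> initParams = new HashMap<>();
        initParams.put(BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED, ALLOW_NON_VERIFIED_SSL_PROPERTY);
        OptionsManager.addInitParameters(initParams);
    }

    /**
     * Builds the client {@link SslContext} used for HTTPS downloads. Certificate verification is
     * disabled only when the "allow download from untrusted" option resolves to {@code true}.
     */
    public DefaultBundleRefreshProcessorImpl() {
        OptionsParameter allowUntrusted = OptionsManager.getInstance().getParameter(BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED);
        SslContextBuilder clientContext = SslContextBuilder.forClient();
        if (OptionsParameter.getParamValueAsBoolean(allowUntrusted, false)) {
            // Trust-all manager: no chain validation. Logged so the weakened configuration is
            // visible in operational logs rather than discoverable only by reading the options.
            log.warn("Bundle downloads will NOT verify TLS server certificates ({} is enabled)",
                    BUNDLE_REFRESH_PROCESSOR_ALLOW_DOWNLOAD_FROM_UNTRUSTED);
            clientContext.trustManager(InsecureTrustManagerFactory.INSTANCE);
        }
        this.sslContext = clientContext.build();
    }

    /**
     * Sets the bundle repository only.
     *
     * @param trustBundleRepository repository used to persist refresh state on the bundle
     */
    public void setRepository(TrustBundleRepository trustBundleRepository) {
        this.bundleRepo = trustBundleRepository;
    }

    /**
     * Sets both repositories used by this processor.
     *
     * @param trustBundleRepository       repository used to persist refresh state on the bundle
     * @param trustBundleAnchorRepository repository used to replace the bundle's anchors
     */
    public void setRepositories(TrustBundleRepository trustBundleRepository, TrustBundleAnchorRepository trustBundleAnchorRepository) {
        this.bundleRepo = trustBundleRepository;
        this.bundleAnchorRepo = trustBundleAnchorRepository;
    }

    /**
     * Downloads the bundle, compares its thumbprint with the stored checksum and, when the
     * content changed, replaces the stored anchors with the ones extracted from the download.
     *
     * <p>Every path that records an outcome persists the bundle through {@code bundleRepo}. A
     * download or parse failure is recorded by the helper that detected it and surfaces here as
     * an empty signal, so the returned {@link Mono} is empty in those cases. The thumbprint is
     * always computed, so a bundle without a stored checksum gets the real thumbprint stored on
     * its first successful refresh (previously an empty string was stored, forcing one
     * unnecessary re-import on the next run).
     *
     * @param trustBundle the bundle to refresh; mutated in place with attempt time, error code,
     *                    checksum and last successful refresh
     * @return a {@link Mono} completing with the persisted bundle, or empty when the refresh
     *         could not proceed
     */
    @Override
    public Mono<?> refreshBundle(TrustBundle trustBundle) {
        final Calendar attemptTime = Calendar.getInstance(Locale.getDefault());
        return downloadBundleToByteArray(trustBundle, attemptTime).flatMap(bundleBytes -> {
            if (bundleBytes == null || bundleBytes.length == 0) {
                // The download step already recorded its own failure state.
                return Mono.empty();
            }
            final String downloadedChecksum;
            try {
                downloadedChecksum = BundleThumbprint.toThumbprint(bundleBytes).toString();
            } catch (NoSuchAlgorithmException e) {
                recordAttempt(trustBundle, attemptTime, BundleRefreshError.INVALID_BUNDLE_FORMAT);
                log.error("Failed to generate downloaded bundle thumbprint ", e);
                return this.bundleRepo.save(trustBundle);
            }
            final String storedChecksum = trustBundle.getCheckSum();
            if (storedChecksum != null && storedChecksum.equals(downloadedChecksum)) {
                // Unchanged content: record a successful attempt and keep the existing anchors.
                recordAttempt(trustBundle, attemptTime, BundleRefreshError.SUCCESS);
                return this.bundleRepo.save(trustBundle);
            }
            return convertRawBundleToAnchorCollection(bundleBytes, trustBundle, attemptTime).flatMap(anchorCerts -> {
                if (anchorCerts == null || anchorCerts.isEmpty()) {
                    // Parse or signature failure was already recorded by the converter.
                    return Mono.empty();
                }
                final Collection<TrustBundleAnchor> newAnchors = new ArrayList<>();
                // HashSet drops duplicate certificates (Certificate.equals compares encodings).
                for (X509Certificate anchorCert : new HashSet<>(anchorCerts)) {
                    try {
                        TrustBundleAnchor anchor = new TrustBundleAnchor();
                        anchor.setData(anchorCert.getEncoded());
                        anchor.setTrustBundleId(trustBundle.getId());
                        newAnchors.add(anchor);
                    } catch (Exception e) {
                        // Broad catch kept from the existing contract: one un-encodable entry
                        // aborts the whole import rather than storing a partial anchor set.
                        log.warn("Failed to convert downloaded anchor to byte array. ", e);
                        return Mono.empty();
                    }
                }
                return this.bundleAnchorRepo.deleteByTrustBundleId(trustBundle.getId())
                        .then(this.bundleAnchorRepo.saveAll(newAnchors).collectList())
                        .flatMap(savedAnchors -> {
                            recordAttempt(trustBundle, attemptTime, BundleRefreshError.SUCCESS);
                            trustBundle.setCheckSum(downloadedChecksum);
                            trustBundle.setLastSuccessfulRefresh(LocalDateTime.now());
                            return this.bundleRepo.save(trustBundle).onErrorResume(saveError -> {
                                log.error("Failed to write updated bundle anchors to data store ", saveError);
                                // NOTE(review): a data-store failure is recorded under
                                // INVALID_BUNDLE_FORMAT; kept as-is since callers may rely on it.
                                recordAttempt(trustBundle, attemptTime, BundleRefreshError.INVALID_BUNDLE_FORMAT);
                                return this.bundleRepo.save(trustBundle);
                            });
                        });
            });
        });
    }

    /**
     * Extracts the anchor certificates from a downloaded bundle.
     *
     * <p>Step 1 tries the bytes as a plain X.509 certificate collection. Step 2, taken only when
     * step 1 yields nothing, treats the bytes as CMS {@code SignedData}: if the bundle has a
     * signing certificate configured, at least one signer must verify against it, otherwise the
     * bundle is rejected with {@link BundleRefreshError#UNMATCHED_SIGNATURE}; the anchors are then
     * read from the signed content.
     *
     * <p>NOTE(review): the signature check runs only in step 2. If the X.509 certificate factory in
     * use can also read the certificate list of a PKCS#7/CMS blob directly, a signed bundle could be
     * accepted via step 1 without verification even though a signing certificate is configured —
     * confirm against the factory behaviour before relying on this for integrity.
     *
     * @param bundleBytes the downloaded bundle
     * @param trustBundle the bundle being refreshed; receives attempt time and error code on failure
     * @param calendar    time of the refresh attempt
     * @return the anchors, or an empty collection when the bundle could not be parsed or its
     *         signature did not match (the failure is persisted before the result is emitted)
     */
    protected Mono<Collection<X509Certificate>> convertRawBundleToAnchorCollection(byte[] bundleBytes, TrustBundle trustBundle, Calendar calendar) {
        // 1. Plain (unsigned) X.509 certificate collection.
        Collection<? extends Certificate> anchors = parseX509CollectionOrNull(bundleBytes);

        // 2. CMS SignedData wrapping the certificate collection.
        if (anchors == null) {
            try {
                CMSSignedData signedData = new CMSSignedData(bundleBytes);
                if (trustBundle.getSigningCertificateData() != null) {
                    X509Certificate signingCert = trustBundle.toSigningCertificate();
                    boolean signatureMatches = false;
                    for (Object signerObj : signedData.getSignerInfos().getSigners()) {
                        SignerInformation signer = (SignerInformation) signerObj;
                        if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder()
                                .setProvider(CryptoExtensions.getJCEProviderName()).build(signingCert))) {
                            signatureMatches = true;
                            break;
                        }
                    }
                    if (!signatureMatches) {
                        recordAttempt(trustBundle, calendar, BundleRefreshError.UNMATCHED_SIGNATURE);
                        log.warn("Downloaded bundle signature did not match configured signing certificate.");
                        return this.bundleRepo.save(trustBundle).thenReturn(Collections.emptyList());
                    }
                }
                byte[] signedContent = (byte[]) signedData.getSignedContent().getContent();
                try (ByteArrayInputStream contentStream = new ByteArrayInputStream(signedContent)) {
                    anchors = CertificateFactory.getInstance("X.509").generateCertificates(contentStream);
                }
            } catch (Exception e) {
                // Covers CMS parse errors, signer verification errors and content parse errors.
                recordAttempt(trustBundle, calendar, BundleRefreshError.INVALID_BUNDLE_FORMAT);
                log.warn("Failed to extract anchors from downloaded bundle at URL " + trustBundle.getBundleURL(), e);
                return this.bundleRepo.save(trustBundle).thenReturn(Collections.emptyList());
            }
        }
        // The "X.509" factory only produces X509Certificate instances; the cast is unchecked at the
        // generic level only, and a non-X.509 element would surface as a ClassCastException in the caller.
        @SuppressWarnings("unchecked")
        Collection<X509Certificate> x509Anchors = (Collection<X509Certificate>) anchors;
        return Mono.just(x509Anchors);
    }

    /**
     * Parses {@code bundleBytes} as an unsigned X.509 certificate collection.
     *
     * @param bundleBytes the downloaded bundle
     * @return the parsed certificates, or {@code null} when the bytes do not parse as X.509
     *         certificates or parse to an empty collection (the caller then tries CMS)
     */
    private static Collection<? extends Certificate> parseX509CollectionOrNull(byte[] bundleBytes) {
        try (ByteArrayInputStream bundleStream = new ByteArrayInputStream(bundleBytes)) {
            Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509").generateCertificates(bundleStream);
            return (certs == null || certs.isEmpty()) ? null : certs;
        } catch (Exception e) {
            // Not a plain certificate collection; the caller falls back to CMS parsing.
            log.debug("Bundle is not a plain X.509 certificate collection; trying CMS", e);
            return null;
        }
    }

    /**
     * Stamps the attempt time (taken from {@code calendar}) and the error code onto the bundle.
     * Does not persist; callers save the bundle themselves.
     *
     * @param trustBundle bundle to update
     * @param calendar    time of the refresh attempt
     * @param error       outcome to record (stored as its ordinal, per the existing persistence contract)
     */
    private static void recordAttempt(TrustBundle trustBundle, Calendar calendar, BundleRefreshError error) {
        // Same Calendar -> Timestamp -> LocalDateTime conversion as before, so stored values are unchanged.
        trustBundle.setLastRefreshAttempt(new Timestamp(calendar.getTime().getTime()).toLocalDateTime());
        trustBundle.setLastRefreshError(error.ordinal());
    }

    /**
     * Reads the bundle bytes from the bundle's URL. {@code file:} URLs are read synchronously and
     * completely (the stream is always closed); every other scheme is fetched over HTTP(S) with
     * the configured timeouts and SSL context.
     *
     * <p>On failure the bundle is updated with {@link BundleRefreshError#NOT_FOUND} (local read or
     * malformed URL) or {@link BundleRefreshError#DOWNLOAD_TIMEOUT} (any HTTP failure, not only
     * timeouts), persisted, and an empty {@link Mono} is returned.
     *
     * @param trustBundle bundle whose {@code getBundleURL()} is read; receives the error state on failure
     * @param calendar    time of the refresh attempt
     * @return the bundle bytes, or empty when the download failed
     */
    protected Mono<byte[]> downloadBundleToByteArray(TrustBundle trustBundle, Calendar calendar) {
        try {
            final String bundleUrl = trustBundle.getBundleURL();
            final String scheme = new URI(bundleUrl).getScheme();
            if (scheme == null) {
                // A scheme-less URL previously failed with a NullPointerException here; same outcome, clearer cause.
                throw new IllegalArgumentException("Bundle URL has no scheme: " + bundleUrl);
            }
            if (!"file".equalsIgnoreCase(scheme)) {
                return downloadOverHttp(trustBundle, calendar);
            }
            try (InputStream bundleStream = new URL(bundleUrl).openConnection().getInputStream()) {
                return Mono.just(IOUtils.toByteArray(bundleStream));
            }
        } catch (Exception e) {
            log.warn("Failed to download bundle from URL " + trustBundle.getBundleURL(), e);
            recordAttempt(trustBundle, calendar, BundleRefreshError.NOT_FOUND);
            return this.bundleRepo.save(trustBundle).then(Mono.empty());
        }
    }

    /**
     * Fetches the bundle over HTTP(S) using the processor's SSL context and default timeouts.
     *
     * @param trustBundle bundle whose URL is fetched; receives the error state on failure
     * @param calendar    time of the refresh attempt
     * @return the response body, or empty after persisting the failure
     */
    private Mono<byte[]> downloadOverHttp(TrustBundle trustBundle, Calendar calendar) {
        HttpClient httpClient = HttpClient.create()
                .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, DEFAULT_URL_CONNECTION_TIMEOUT)
                .secure(sslSpec -> sslSpec.sslContext(this.sslContext))
                .responseTimeout(Duration.ofMillis(DEFAULT_URL_READ_TIMEOUT))
                .doOnConnected(connection -> connection
                        .addHandlerLast(new ReadTimeoutHandler(DEFAULT_URL_READ_TIMEOUT, TimeUnit.MILLISECONDS))
                        .addHandlerLast(new WriteTimeoutHandler(DEFAULT_URL_READ_TIMEOUT, TimeUnit.MILLISECONDS)));
        return WebClient.builder()
                .baseUrl(trustBundle.getBundleURL())
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build()
                .get()
                .exchange()
                .flatMap(response -> {
                    if (!response.statusCode().is2xxSuccessful()) {
                        // exchange() does not fail on non-2xx: an error page would otherwise be handed to
                        // the parser as bundle bytes, and a redirect (not followed unless configured) or
                        // empty-bodied error would be dropped without recording any outcome.
                        return response.releaseBody().then(Mono.<ByteArrayResource>error(new IllegalStateException(
                                "Unexpected HTTP status " + response.statusCode() + " downloading bundle")));
                    }
                    return response.bodyToMono(ByteArrayResource.class);
                })
                .map(ByteArrayResource::getByteArray)
                .onErrorResume(downloadError -> {
                    log.warn("Failed to download bundle from URL " + trustBundle.getBundleURL(), downloadError);
                    recordAttempt(trustBundle, calendar, BundleRefreshError.DOWNLOAD_TIMEOUT);
                    return this.bundleRepo.save(trustBundle).then(Mono.empty());
                });
    }

    static {
        initJVMParams();
        CryptoExtensions.registerJCEProviders();
    }
}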
