package eu.unicore.security.canl;

import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.OCSPResponder;
import eu.emi.security.authn.x509.ProxySupport;
import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.impl.CRLParameters;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;
import eu.emi.security.authn.x509.impl.KeystoreCertChainValidator;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;
import eu.emi.security.authn.x509.impl.RevocationParametersExt;
import eu.emi.security.authn.x509.impl.ValidatorParams;
import eu.emi.security.authn.x509.impl.ValidatorParamsExt;
import eu.unicore.util.Log;
import eu.unicore.util.configuration.ConfigurationException;
import eu.unicore.util.configuration.PropertyMD;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStoreException;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:eu/unicore/security/canl/TruststoreProperties.class */
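/**
 * Truststore configuration: extends {@link TrustedIssuersProperties} with proxy-certificate support,
 * CRL and OCSP revocation settings and the Openssl namespace-checking mode.
 *
 * <p>Values are read from a {@link Properties} object under a configurable prefix
 * ({@link #DEFAULT_PREFIX} by default). The CRL update interval and CRL locations are updateable at
 * runtime and are pushed to the live directory/keystore validators by {@link #update(String)}; the
 * CRL properties are documented as not used for Openssl truststores.
 *
 * <p>Note: this listing was recovered by a decompiler (see the {@code mo17clone} name below), so
 * some identifiers are the decompiler's rather than the author's.
 */
public class TruststoreProperties extends TrustedIssuersProperties {
    public static final String DEFAULT_PREFIX = "truststore.";
    public static final String PROP_PROXY_SUPPORT = "allowProxy";
    public static final String PROP_CRL_MODE = "crlMode";
    public static final String PROP_OCSP_MODE = "ocspMode";
    public static final String PROP_OCSP_TIMEOUT = "ocspTimeout";
    public static final String PROP_OCSP_CACHE_TTL = "ocspCacheTtl";
    public static final String PROP_OCSP_DISK_CACHE = "ocspDiskCache";
    /** List property (prefix with trailing dot); each entry is {@code '<responderURL> <responderPemCertificatePath>'}. */
    public static final String PROP_OCSP_LOCAL_RESPONDERS = "ocspLocalResponders.";
    public static final String PROP_REVOCATION_ORDER = "revocationOrder";
    public static final String PROP_REVOCATION_USE_ALL = "revocationUseAll";
    public static final String PROP_CRL_CONNECTION_TIMEOUT = "crlConnectionTimeout";
    public static final String PROP_CRL_CACHE_PATH = "crlDiskCachePath";
    public static final String PROP_OPENSSL_NS_MODE = "opensslNsMode";
    // Cached values of the parsed properties; populated by createValidator()/setCrlSettings()
    // and refreshed by update() for the runtime-updateable ones.
    private ProxySupport proxySupport;
    private CrlCheckingMode crlMode;
    private NamespaceCheckingMode nsMode;
    // CRL update interval in seconds (multiplied by 1000 when handed to canl, which takes milliseconds).
    private long crlUpdateInterval;
    private int crlConnectionTimeout;
    private String crlDiskCache;
    private List<String> crlLocations;
    private static final Logger log = Log.getLogger(Log.CONFIGURATION, TruststoreProperties.class);
    public static final String PROP_CRL_UPDATE = "crlUpdateInterval";
    public static final String PROP_CRL_LOCATIONS = "crlLocations.";
    /** Properties that may change at runtime; handed to the base class via {@link #getUpdateableProperties()}. */
    private static final String[] UPDATEABLE_PROPS = {TrustedIssuersProperties.PROP_UPDATE, PROP_CRL_UPDATE, TrustedIssuersProperties.PROP_DIRECTORY_LOCATIONS, PROP_CRL_LOCATIONS};
    /** Metadata (defaults, types, documentation) of all supported properties, including the inherited ones. */
    public static final Map<String, PropertyMD> META = new HashMap<>();

    /**
     * Creates the properties with the {@link #DEFAULT_PREFIX} and no password callback.
     *
     * @param properties source of the configuration
     * @param collection listeners registered with the created validator
     * @throws ConfigurationException if the configuration is invalid
     */
    public TruststoreProperties(Properties properties, Collection<? extends StoreUpdateListener> collection) throws ConfigurationException {
        this(properties, collection, null, DEFAULT_PREFIX);
    }

    /**
     * Creates the properties with the {@link #DEFAULT_PREFIX}.
     *
     * @param properties source of the configuration
     * @param collection listeners registered with the created validator
     * @param passwordCallback callback used to obtain keystore passwords (may be null)
     * @throws ConfigurationException if the configuration is invalid
     */
    public TruststoreProperties(Properties properties, Collection<? extends StoreUpdateListener> collection, PasswordCallback passwordCallback) throws ConfigurationException {
        this(properties, collection, passwordCallback, DEFAULT_PREFIX);
    }

    /**
     * Creates the properties with a custom prefix and no password callback.
     *
     * @param properties source of the configuration
     * @param collection listeners registered with the created validator
     * @param str prefix of the truststore properties
     * @throws ConfigurationException if the configuration is invalid
     */
    public TruststoreProperties(Properties properties, Collection<? extends StoreUpdateListener> collection, String str) throws ConfigurationException {
        this(properties, collection, null, str);
    }

    /**
     * Creates the properties with a custom prefix and password callback; all other constructors delegate here.
     *
     * @param properties source of the configuration
     * @param collection listeners registered with the created validator
     * @param passwordCallback callback used to obtain keystore passwords (may be null)
     * @param str prefix of the truststore properties
     * @throws ConfigurationException if the configuration is invalid
     */
    public TruststoreProperties(Properties properties, Collection<? extends StoreUpdateListener> collection, PasswordCallback passwordCallback, String str) throws ConfigurationException {
        super(META, log, properties, collection, passwordCallback, str);
    }

    /**
     * Handles a runtime change of an updateable property. The base class is notified first; then the
     * CRL update interval or CRL locations are re-read and, if changed, pushed to the live directory and
     * keystore validators. Nothing is done for an Openssl validator (the CRL properties are documented
     * as not used for Openssl truststores).
     *
     * @param str name of the changed property (without prefix)
     * @throws ConfigurationException if the new value is invalid
     */
    @Override
    public void update(String str) throws ConfigurationException {
        super.update(str);
        if (this.opensslValidator != null) {
            return;
        }
        // The two conditions are mutually exclusive, so an else-if chain is equivalent to
        // the original sequence of independent checks.
        if (str.equals(PROP_CRL_UPDATE)) {
            applyCrlUpdateInterval();
        } else if (str.startsWith(PROP_CRL_LOCATIONS)) {
            applyCrlLocations();
        }
    }

    /**
     * Re-reads {@link #PROP_CRL_UPDATE} and, if it differs from the cached value, applies it
     * (converted from seconds to milliseconds) to the existing validators.
     *
     * @throws ConfigurationException if the value cannot be parsed
     */
    private void applyCrlUpdateInterval() throws ConfigurationException {
        long newInterval = getLongValue(PROP_CRL_UPDATE).longValue();
        if (newInterval == this.crlUpdateInterval) {
            return;
        }
        if (this.directoryValidator != null) {
            this.directoryValidator.setCRLUpdateInterval(newInterval * 1000);
        }
        if (this.ksValidator != null) {
            this.ksValidator.setCRLUpdateInterval(newInterval * 1000);
        }
        this.crlUpdateInterval = newInterval;
        log.info("Updated {}{} value to {}", this.prefix, PROP_CRL_UPDATE, this.crlUpdateInterval);
    }

    /**
     * Re-reads the {@link #PROP_CRL_LOCATIONS} list and, if it differs from the cached list,
     * applies it to the existing validators.
     *
     * @throws ConfigurationException if the value cannot be parsed
     */
    private void applyCrlLocations() throws ConfigurationException {
        List<String> newLocations = getListOfValues(PROP_CRL_LOCATIONS);
        if (newLocations.equals(this.crlLocations)) {
            return;
        }
        if (this.directoryValidator != null) {
            this.directoryValidator.setCrls(newLocations);
        }
        if (this.ksValidator != null) {
            this.ksValidator.setCrls(newLocations);
        }
        this.crlLocations = newLocations;
        log.info("Updated {}{}", this.prefix, PROP_CRL_LOCATIONS);
    }

    /**
     * Returns the names of the properties that may be changed at runtime.
     *
     * @return a copy of the updateable property names, so callers cannot modify the shared array
     */
    @Override
    protected String[] getUpdateableProperties() {
        return UPDATEABLE_PROPS.clone();
    }

    /**
     * Reads the CRL mode and proxy support setting before delegating validator creation to the base class;
     * both values are needed by the validator factory methods called from there.
     *
     * @throws ConfigurationException if a property value is invalid
     * @throws KeyStoreException if the base class fails to open a keystore
     * @throws IOException if the base class fails to read a store
     */
    @Override
    public void createValidator() throws ConfigurationException, KeyStoreException, IOException {
        this.crlMode = getEnumValue(PROP_CRL_MODE, CrlCheckingMode.class);
        this.proxySupport = getEnumValue(PROP_PROXY_SUPPORT, ProxySupport.class);
        super.createValidator();
    }

    /**
     * Reads the CRL settings, then builds the directory validator via the base class
     * (which is expected to call {@link #getValidatorParamsExt()}).
     *
     * @return the directory-based validator
     * @throws ConfigurationException if a property value is invalid
     * @throws KeyStoreException propagated from the base class
     * @throws IOException propagated from the base class
     */
    @Override
    public DirectoryCertChainValidator getDirectoryValidator() throws ConfigurationException, KeyStoreException, IOException {
        setCrlSettings();
        return super.getDirectoryValidator();
    }

    /**
     * Builds the Openssl-directory validator from the namespace mode, directory, store format and the
     * revocation/proxy parameters. The store update interval is converted from seconds to milliseconds.
     *
     * @return the Openssl-style validator
     * @throws ConfigurationException if a property value is invalid
     */
    @Override
    protected OpensslCertChainValidator getOpensslValidator() throws ConfigurationException {
        this.nsMode = getEnumValue(PROP_OPENSSL_NS_MODE, NamespaceCheckingMode.class);
        this.opensslDir = getFileValueAsString(TrustedIssuersProperties.PROP_OPENSSL_DIR, true);
        this.opensslNewStoreFormat = getBooleanValue(TrustedIssuersProperties.PROP_OPENSSL_NEW_STORE_FORMAT).booleanValue();
        RevocationParameters revocation = new RevocationParameters(this.crlMode, getOCSPParameters(), useAllRevocationSources(), getRevocationOrder());
        ValidatorParams params = new ValidatorParams(revocation, this.proxySupport, this.initialListeners);
        return new OpensslCertChainValidator(this.opensslDir, this.opensslNewStoreFormat, this.nsMode, this.storeUpdateInterval * 1000, params);
    }

    /**
     * Reads the CRL settings, then builds the keystore validator via the base class
     * (which is expected to call {@link #getValidatorParamsExt()}).
     *
     * @return the keystore-based validator
     * @throws ConfigurationException if a property value is invalid
     * @throws KeyStoreException propagated from the base class
     * @throws IOException propagated from the base class
     */
    @Override
    public KeystoreCertChainValidator getKeystoreValidator() throws ConfigurationException, KeyStoreException, IOException {
        setCrlSettings();
        return super.getKeystoreValidator();
    }

    /**
     * Caches the CRL-related properties (update interval in seconds, connection timeout, disk cache
     * directory and CRL locations) in this object.
     *
     * @throws ConfigurationException if a property value is invalid
     */
    protected void setCrlSettings() throws ConfigurationException {
        this.crlUpdateInterval = getLongValue(PROP_CRL_UPDATE).longValue();
        this.crlConnectionTimeout = getIntValue(PROP_CRL_CONNECTION_TIMEOUT).intValue();
        this.crlDiskCache = getFileValueAsString(PROP_CRL_CACHE_PATH, true);
        this.crlLocations = getListOfValues(PROP_CRL_LOCATIONS);
    }

    /**
     * Assembles the extended validator parameters (CRL + OCSP revocation, proxy support, listeners)
     * from the cached settings; {@link #setCrlSettings()} must have run before.
     *
     * @return parameters for the directory and keystore validators
     */
    @Override
    protected ValidatorParamsExt getValidatorParamsExt() {
        // canl expects the CRL update interval in milliseconds.
        CRLParameters crlParams = new CRLParameters(this.crlLocations, this.crlUpdateInterval * 1000, this.crlConnectionTimeout, this.crlDiskCache);
        RevocationParametersExt revocation = new RevocationParametersExt(this.crlMode, crlParams, getOCSPParameters(), useAllRevocationSources(), getRevocationOrder());
        return new ValidatorParamsExt(revocation, this.proxySupport, this.initialListeners);
    }

    /** Reads {@link #PROP_REVOCATION_ORDER}; shared by the Openssl and extended parameter builders. */
    private RevocationParameters.RevocationCheckingOrder getRevocationOrder() {
        return getEnumValue(PROP_REVOCATION_ORDER, RevocationParameters.RevocationCheckingOrder.class);
    }

    /** Reads {@link #PROP_REVOCATION_USE_ALL}; shared by the Openssl and extended parameter builders. */
    private boolean useAllRevocationSources() {
        return getBooleanValue(PROP_REVOCATION_USE_ALL).booleanValue();
    }

    /**
     * Builds the OCSP parameters: checking mode, timeout, cache TTL, disk cache directory and the list of
     * local responders. Each local responder entry is parsed by {@link #parseLocalResponder(int, String)}.
     *
     * @return the OCSP parameters handed to canl
     * @throws ConfigurationException if a responder entry is malformed or its certificate cannot be loaded
     */
    @Override
    protected OCSPParametes getOCSPParameters() {
        OCSPCheckingMode mode = getEnumValue(PROP_OCSP_MODE, OCSPCheckingMode.class);
        int timeout = getIntValue(PROP_OCSP_TIMEOUT).intValue();
        int cacheTtl = getIntValue(PROP_OCSP_CACHE_TTL).intValue();
        String diskCacheDir = getFileValueAsString(PROP_OCSP_DISK_CACHE, true);
        List<String> responderEntries = getListOfValues(PROP_OCSP_LOCAL_RESPONDERS);
        OCSPResponder[] responders = new OCSPResponder[responderEntries.size()];
        for (int i = 0; i < responders.length; i++) {
            responders[i] = parseLocalResponder(i, responderEntries.get(i));
        }
        // The two boolean flags are passed as constants (true, false) as in the original; their
        // meaning is defined by the OCSPParametes constructor in canl, not visible here.
        return new OCSPParametes(mode, responders, timeout, true, false, cacheTtl, diskCacheDir);
    }

    /**
     * Parses one local OCSP responder entry of the form {@code '<responderURL> <responderPemCertificatePath>'}
     * (fields separated by one or more spaces) and loads the responder's PEM certificate from the file.
     *
     * @param index zero-based position of the entry in the list (reported 1-based in error messages)
     * @param entry the raw configuration value
     * @return the responder with its URL and certificate
     * @throws ConfigurationException if the entry does not have exactly two fields, the URL is malformed,
     *         the certificate file is missing, or it cannot be read/parsed
     */
    private static OCSPResponder parseLocalResponder(int index, String entry) {
        String[] fields = entry.trim().split("[ ]+");
        if (fields.length != 2) {
            throw new ConfigurationException("Local responder's number " + (index + 1) + " configuration is invalid, must be: '<responderURL> <responderPemCertificatePath>'");
        }
        // try-with-resources replaces the manual close; a failure on close() is no longer swallowed but
        // surfaces as an IOException and thus as a ConfigurationException. MalformedURLException and
        // FileNotFoundException are IOException subtypes, so they must be caught before the generic case.
        try (BufferedInputStream in = new BufferedInputStream(new FileInputStream(fields[1]))) {
            return new OCSPResponder(new URL(fields[0]), CertificateUtils.loadCertificate(in, CertificateUtils.Encoding.PEM));
        } catch (MalformedURLException e) {
            throw new ConfigurationException("Local responder's URL " + fields[0] + " is malformed: " + e.getMessage(), e);
        } catch (FileNotFoundException e) {
            throw new ConfigurationException("Local responder's number " + (index + 1) + " certificate can not be loaded, file " + fields[1] + " not found.", e);
        } catch (IOException e) {
            throw new ConfigurationException("Local responder's number " + (index + 1) + " certificate can not be loaded: " + e.getMessage(), e);
        }
    }

    /**
     * Creates a copy sharing the same properties, listeners, password callback and prefix, with the
     * base-class state copied via {@code cloneTo}. The method name is the decompiler's rendering of the
     * covariant {@code clone()} override (see the original "renamed from: clone" note).
     *
     * @return a new instance configured like this one
     */
    @Override
    public TruststoreProperties mo17clone() {
        TruststoreProperties copy = new TruststoreProperties(this.properties, this.initialListeners, this.passwordCallback, this.prefix);
        super.cloneTo(copy);
        return copy;
    }

    static {
        PropertyMD.DocumentationCategory opensslCategory = new PropertyMD.DocumentationCategory("Openssl type settings", "3");
        PropertyMD.DocumentationCategory revocationCategory = new PropertyMD.DocumentationCategory("Revocation settings", "4");
        // Inherit the base-class metadata first so the truststore-specific entries extend it.
        META.putAll(TrustedIssuersProperties.META);
        META.put(PROP_PROXY_SUPPORT, new PropertyMD(ProxySupport.ALLOW).setDescription("Controls whether proxy certificates are supported."));
        META.put(PROP_OPENSSL_NS_MODE, new PropertyMD(NamespaceCheckingMode.EUGRIDPMA_GLOBUS).setCategory(opensslCategory).setDescription("In case of openssl truststore, controls which (and in which order) namespace checking rules should be applied. The 'REQUIRE' settings will cause that all configured namespace definitions files must be present for each trusted CA certificate (otherwise checking will fail). The 'AND' settings will cause to check both existing namespace files. Otherwise the first found is checked (in the order defined by the property)."));
        META.put(PROP_REVOCATION_ORDER, new PropertyMD(RevocationParameters.RevocationCheckingOrder.OCSP_CRL).setCategory(revocationCategory).setDescription("Controls overal revocation sources order"));
        META.put(PROP_REVOCATION_USE_ALL, new PropertyMD("false").setCategory(revocationCategory).setDescription("Controls whether all defined revocation sources should be always checked, even if the first one already confirmed that a checked certificate is not revoked."));
        META.put(PROP_CRL_MODE, new PropertyMD(CrlCheckingMode.IF_VALID).setCategory(revocationCategory).setDescription("General CRL handling mode. The IF_VALID setting turns on CRL checking only in case the CRL is present."));
        META.put(PROP_CRL_UPDATE, new PropertyMD("600").setLong().setUpdateable().setCategory(revocationCategory).setDescription("How often CRLs should be updated, in seconds. Set to negative value to disable refreshing at runtime."));
        META.put(PROP_CRL_CONNECTION_TIMEOUT, new PropertyMD("15").setCategory(revocationCategory).setDescription("Connection timeout for fetching the remote CRLs in seconds (not used for Openssl truststores)."));
        META.put(PROP_CRL_CACHE_PATH, new PropertyMD().setPath().setCategory(revocationCategory).setDescription("Directory where CRLs should be cached, after downloading them from remote source. Can be left undefined if no disk cache should be used. Note that directory should be secured, i.e. normal users should not be allowed to write to it. Not used for Openssl truststores."));
        META.put(PROP_CRL_LOCATIONS, new PropertyMD().setList(false).setUpdateable().setCategory(revocationCategory).setDescription("List of CRLs locations. Can contain URLs, local files and wildcard expressions. Not used for Openssl truststores."));
        META.put(PROP_OCSP_MODE, new PropertyMD(OCSPCheckingMode.IF_AVAILABLE).setCategory(revocationCategory).setDescription("General OCSP ckecking mode. REQUIRE should not be used unless it is guaranteed that for all certificates an OCSP responder is defined."));
        META.put(PROP_OCSP_LOCAL_RESPONDERS, new PropertyMD().setList(true).setCategory(revocationCategory).setDescription("Optional list of local OCSP responders"));
        META.put(PROP_OCSP_TIMEOUT, new PropertyMD("10000").setCategory(revocationCategory).setDescription("Timeout for OCSP connections in miliseconds."));
        META.put(PROP_OCSP_CACHE_TTL, new PropertyMD("3600").setCategory(revocationCategory).setDescription("For how long the OCSP responses should be locally cached in seconds (this is a maximum value, responses won't be cached after expiration)"));
        META.put(PROP_OCSP_DISK_CACHE, new PropertyMD().setPath().setCategory(revocationCategory).setDescription("If this property is defined then OCSP responses will be cached on disk in the defined folder."));
    }
}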
