package pt.unl.fct.di.novasys.babel.internal.security;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import pt.unl.fct.di.novasys.babel.core.security.IdFromCertExtractor;
import pt.unl.fct.di.novasys.network.data.Bytes;
import pt.unl.fct.di.novasys.network.security.X509ITrustManager;

/* loaded from: input_file:pt/unl/fct/di/novasys/babel/internal/security/X509BabelTrustManager.class */
public class X509BabelTrustManager extends X509ITrustManager {
    private static final Logger logger = LogManager.getLogger((Class<?>) X509BabelTrustManager.class);
    private TrustPolicy trustPolicy;
    private final Lock policyWriteLock;
    private final Lock policyReadLock;
    private final Collection<KeyStore> trustStores;
    private final KeyStore targetTrustStore;
    private final Set<Bytes> expectedIds;
    private X509CertificateChainPredicate trustConsistentCertificate;
    private X509CertificateChainPredicate trustUnknownPeerCallback;
    private X509CertificateChainPredicate verifyCertificateSignature;
    private final IdFromCertExtractor idExtractor;

    /* loaded from: input_file:pt/unl/fct/di/novasys/babel/internal/security/X509BabelTrustManager$TrustPolicy.class */
    public enum TrustPolicy {
        UNKNOWN,
        KNOWN_ID,
        KNOWN_CERT
    }

    public X509BabelTrustManager(IdFromCertExtractor idFromCertExtractor, Collection<KeyStore> collection, TrustPolicy trustPolicy, X509CertificateChainPredicate x509CertificateChainPredicate, X509CertificateChainPredicate x509CertificateChainPredicate2, KeyStore keyStore) throws KeyStoreException {
        Iterator<KeyStore> it = collection.iterator();
        while (it.hasNext()) {
            it.next().size();
        }
        keyStore.size();
        ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock();
        this.policyReadLock = reentrantReadWriteLock.readLock();
        this.policyWriteLock = reentrantReadWriteLock.writeLock();
        this.trustStores = collection;
        this.targetTrustStore = keyStore;
        this.expectedIds = Collections.synchronizedSet(new HashSet());
        this.idExtractor = idFromCertExtractor;
        this.trustUnknownPeerCallback = x509CertificateChainPredicate;
        this.verifyCertificateSignature = x509CertificateChainPredicate2;
        setTrustPolicy(trustPolicy);
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkServerTrusted(x509CertificateArr, str);
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkServerTrusted(x509CertificateArr, (byte[]) null, str);
    }

    @Override // pt.unl.fct.di.novasys.network.security.X509ITrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, byte[] bArr, String str) throws CertificateException {
        checkServerTrusted(x509CertificateArr, bArr, str);
    }

    @Override // pt.unl.fct.di.novasys.network.security.X509ITrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, byte[] bArr, String str) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("No certificate.");
        }
        byte[] extractIdentity = this.idExtractor.extractIdentity(x509CertificateArr[0]);
        if (bArr != null && !Arrays.equals(extractIdentity, bArr)) {
            throw new CertificateException("Expected id: %s Got: %s".formatted(PeerIdEncoder.encodeToString(bArr), PeerIdEncoder.encodeToString(extractIdentity)));
        }
        this.policyReadLock.lock();
        try {
            if (!this.verifyCertificateSignature.test(x509CertificateArr, extractIdentity)) {
                throw new CertificateException("Certificate signature verification failed for peer %s".formatted(PeerIdEncoder.encodeToString(extractIdentity)));
            }
            if (!this.expectedIds.remove(Bytes.of(extractIdentity)) && !this.trustConsistentCertificate.test(x509CertificateArr, extractIdentity)) {
                String formatted = "Didn't trust certificate with identity %s. Trust manager policy was %s.".formatted(PeerIdEncoder.encodeToString(extractIdentity), this.trustPolicy);
                logger.debug(formatted);
                throw new CertificateException(formatted);
            }
            try {
                String encodeToString = PeerIdEncoder.encodeToString(extractIdentity);
                if (this.targetTrustStore != null) {
                    this.targetTrustStore.setCertificateEntry(encodeToString, x509CertificateArr[0]);
                    logger.debug("Saved peer certificate to trust store: {}", encodeToString);
                }
            } catch (KeyStoreException e) {
                logger.error(e);
            }
        } finally {
            this.policyReadLock.unlock();
        }
    }

    @Override // pt.unl.fct.di.novasys.network.security.X509ITrustManager
    public byte[] extractIdFromCertificate(X509Certificate x509Certificate) throws CertificateException {
        return this.idExtractor.extractIdentity(x509Certificate);
    }

    @Override // pt.unl.fct.di.novasys.network.security.X509ITrustManager
    public Set<Bytes> getTrustedIds() {
        HashSet hashSet = new HashSet(this.expectedIds);
        for (KeyStore keyStore : this.trustStores) {
            try {
                synchronized (keyStore) {
                    Enumeration<String> aliases = keyStore.aliases();
                    while (aliases.hasMoreElements()) {
                        hashSet.add(Bytes.of(this.idExtractor.extractIdentity(keyStore.getCertificate(aliases.nextElement()))));
                    }
                }
            } catch (KeyStoreException | CertificateException e) {
                logger.warn(e);
            }
        }
        return hashSet;
    }

    @Override // pt.unl.fct.di.novasys.network.security.X509ITrustManager
    public void addTrustedId(byte[] bArr) {
        this.expectedIds.add(Bytes.of(bArr));
    }

    @Override // pt.unl.fct.di.novasys.network.security.X509ITrustManager
    public void removeTrustedId(byte[] bArr) {
        this.expectedIds.remove(Bytes.of(bArr));
        for (KeyStore keyStore : this.trustStores) {
            try {
                String encodeToString = PeerIdEncoder.encodeToString(bArr);
                if (Arrays.equals(this.idExtractor.extractIdentity(keyStore.getCertificate(encodeToString)), bArr)) {
                    keyStore.deleteEntry(encodeToString);
                }
            } catch (KeyStoreException | CertificateException e) {
                logger.warn(e);
            }
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    public TrustPolicy getTrustPolicy() {
        return this.trustPolicy;
    }

    public void setTrustPolicy(TrustPolicy trustPolicy) {
        X509CertificateChainPredicate x509CertificateChainPredicate;
        this.policyWriteLock.lock();
        try {
            this.trustPolicy = trustPolicy;
            switch (this.trustPolicy) {
                case UNKNOWN:
                    x509CertificateChainPredicate = (x509CertificateArr, bArr) -> {
                        return true;
                    };
                    break;
                case KNOWN_ID:
                    x509CertificateChainPredicate = this::knownIdPolicyTrustConsistentCertificate;
                    break;
                case KNOWN_CERT:
                    x509CertificateChainPredicate = this::knownCertPolicyTrustConsistentCertificate;
                    break;
                default:
                    throw new MatchException((String) null, (Throwable) null);
            }
            this.trustConsistentCertificate = x509CertificateChainPredicate;
        } finally {
            this.policyWriteLock.unlock();
        }
    }

    public void setCertificateSignatureVerifier(X509CertificateChainPredicate x509CertificateChainPredicate) {
        this.policyWriteLock.lock();
        try {
            this.verifyCertificateSignature = x509CertificateChainPredicate;
        } finally {
            this.policyWriteLock.unlock();
        }
    }

    public void setTrustUnknownPeerCallback(X509CertificateChainPredicate x509CertificateChainPredicate) {
        this.policyWriteLock.lock();
        try {
            this.trustUnknownPeerCallback = x509CertificateChainPredicate;
        } finally {
            this.policyWriteLock.unlock();
        }
    }

    private boolean knownIdPolicyTrustConsistentCertificate(X509Certificate[] x509CertificateArr, byte[] bArr) throws CertificateException {
        if (getPeerCertificate(bArr) != null) {
            return true;
        }
        logger.debug("Unknown identity received. Calling \"trust unkown\" callback handler.");
        return this.trustUnknownPeerCallback.test(x509CertificateArr, bArr);
    }

    private boolean knownCertPolicyTrustConsistentCertificate(X509Certificate[] x509CertificateArr, byte[] bArr) throws CertificateException {
        Certificate peerCertificate = getPeerCertificate(bArr);
        if (peerCertificate != null && Arrays.equals(peerCertificate.getEncoded(), x509CertificateArr[0].getEncoded())) {
            return true;
        }
        logger.debug("Unknown certificate received. Calling \"trust unkown certificate\" callback handler.");
        return this.trustUnknownPeerCallback.test(x509CertificateArr, bArr);
    }

    private Certificate getPeerCertificate(byte[] bArr) {
        Certificate certificate;
        Iterator<KeyStore> it = this.trustStores.iterator();
        while (it.hasNext()) {
            try {
                certificate = it.next().getCertificate(PeerIdEncoder.encodeToString(bArr));
            } catch (KeyStoreException | CertificateException e) {
            }
            if (Arrays.equals(bArr, this.idExtractor.extractIdentity(certificate))) {
                return certificate;
            }
        }
        return null;
    }
}
