package de.sep.sesam.security;

import de.sep.sesam.common.logging.ContextLogger;
import de.sep.sesam.common.logging.LogGroup;
import de.sep.sesam.common.logging.messages.SimpleMessage;
import de.sep.sesam.common.security.CertificateUtils;
import de.sep.sesam.rest.exceptions.AuthenticationException;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:de/sep/sesam/security/CertificateAuthenticationHandler.class */
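/**
 * Validates presented certificates against a root (trust anchor) certificate that is
 * loaded from a configured file and re-read by a background watcher thread whenever
 * the file changes on disk or becomes unreadable.
 *
 * <p>Singleton; obtain it via {@link #getInstance()}. State shared between the
 * watcher thread and callers of {@link #validate(String, Certificate)} lives in
 * atomics, and {@code validate} works on a snapshot of the root certificate so a
 * concurrent reload cannot swap it out in the middle of a check.
 */
public final class CertificateAuthenticationHandler {
    /** Pause between two checks of the root certificate file on disk. */
    private static final long CHECK_INTERVAL_MILLIS = 10000L;
    /** X.509 factory; {@code null} if the platform cannot provide one (see static initializer). */
    private static final CertificateFactory certificateFactory;
    private static final CertificateAuthenticationHandler instance;
    /** Set exactly once by {@link #setRootCertificateFile(File)}; {@code null} until then. */
    private final AtomicReference<File> rootCertificateFile = new AtomicReference<>();
    /** {@code lastModified()} of the root file at the time of the last load attempt. */
    private final AtomicLong rootCertificateLastModified = new AtomicLong();
    /** Currently installed trust anchor; {@code null} while none is loaded. */
    private final AtomicReference<X509Certificate> rootCertificate = new AtomicReference<>();
    private final ContextLogger logger = new ContextLogger(CertificateAuthenticationHandler.class);
    private final Thread checkThread = new Thread(new Runnable() {
        @Override
        public void run() {
            watchRootCertificateFile();
        }
    }, "CertificateUserCheck");

    static {
        instance = new CertificateAuthenticationHandler();
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            // No X.509 provider: loading is refused later with a logged error instead of an NPE.
            factory = null;
        }
        certificateFactory = factory;
    }

    private CertificateAuthenticationHandler() {
    }

    /**
     * Returns the singleton handler.
     *
     * @return the shared instance
     */
    public static CertificateAuthenticationHandler getInstance() {
        return instance;
    }

    /**
     * Tells whether a root certificate file has been configured. Note that this does
     * not imply the certificate has been loaded successfully yet.
     *
     * @return {@code true} once {@link #setRootCertificateFile(File)} accepted a file
     */
    public boolean isInitialized() {
        return this.rootCertificateFile.get() != null;
    }

    /**
     * Configures the root certificate file and starts the watcher thread. Only the
     * first readable file is accepted; later calls are ignored. Unreadable or
     * {@code null} files are ignored as well.
     *
     * @param file the PEM/DER encoded root certificate file, may be {@code null}
     */
    public void setRootCertificateFile(File file) {
        if (file == null) {
            return;
        }
        if (!file.canRead()) {
            this.logger.warn("setRootCertificateFile", "Certificate authentication handler: Root certificate file ''{0}'' is not readable. IGNORING.", new Object[]{file.getAbsolutePath()});
            return;
        }
        // compareAndSet makes "first caller wins" atomic, so the thread is started at most once.
        if (this.rootCertificateFile.compareAndSet(null, file) && !this.checkThread.isAlive()) {
            this.checkThread.start();
        }
    }

    /**
     * Checks that {@code certificate} is trusted: it must be an X.509 certificate and
     * either equal the installed root certificate or be within its validity period and
     * carry a signature verifiable with the root's public key. As a fallback the
     * signature is also tried against the slave authentication certificate from
     * {@link CertificateUtils#getSlaveAuthenticationCertificateFile()}.
     *
     * @param str         identifier of the authenticating party, used in the exception
     * @param certificate the certificate presented by the party
     * @throws AuthenticationException if no root certificate is installed, the
     *                                 certificate is not X.509, is outside its validity
     *                                 period, or its signature cannot be verified
     */
    public void validate(String str, Certificate certificate) throws AuthenticationException {
        assert StringUtils.isNotBlank(str);
        // Snapshot: the watcher thread may reset the reference to null at any time.
        X509Certificate root = this.rootCertificate.get();
        if (root == null) {
            // Fail closed with the declared exception instead of an NPE / AssertionError.
            this.logger.error("validate", LogGroup.SECURITY, new SimpleMessage("Root certificate not installed; rejecting certificate authentication."), new Object[0]);
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_INVALID, str);
        }
        if (!(certificate instanceof X509Certificate)) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_INVALID, str);
        }
        X509Certificate presented = (X509Certificate) certificate;
        if (presented.equals(root)) {
            // The trust anchor itself is accepted without further checks.
            return;
        }
        try {
            // verify() only checks the signature; the validity period must be checked separately.
            presented.checkValidity();
            presented.verify(root.getPublicKey());
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            if (verifiedBySlaveCertificate(presented)) {
                return;
            }
            this.logger.error("validate", LogGroup.SECURITY, new SimpleMessage(e.getMessage()), new Object[0]);
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_INVALID, str);
        }
    }

    /**
     * Fallback verification of {@code presented} against the public key of the slave
     * authentication certificate, if that file is configured and readable.
     *
     * @param presented the certificate whose signature is checked
     * @return {@code true} if the signature verifies; {@code false} on any failure
     */
    private boolean verifiedBySlaveCertificate(X509Certificate presented) {
        File slaveFile = CertificateUtils.getSlaveAuthenticationCertificateFile();
        if (slaveFile == null || !slaveFile.canRead()) {
            return false;
        }
        try {
            presented.verify(loadCertificate(slaveFile).getPublicKey());
            return true;
        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            // Best effort: a failed fallback is reported, the caller decides what to do.
            this.logger.warn("validate", "Certificate authentication handler: Verification against slave certificate ''{0}'' failed: {1}", new Object[]{slaveFile.getAbsolutePath(), e.getMessage()});
            return false;
        }
    }

    /**
     * Body of the watcher thread: logs start/stop and polls the root certificate file
     * every {@link #CHECK_INTERVAL_MILLIS} until the thread is interrupted.
     */
    private void watchRootCertificateFile() {
        this.logger.info("checkThread", new SimpleMessage("Certificate authentication handler started."), new Object[0]);
        try {
            File configured = this.rootCertificateFile.get();
            if (configured == null) {
                this.logger.warn("checkThread", "Certificate authentication handler: Root certificate file not configured.", new Object[0]);
            } else {
                this.logger.info("checkThread", "Certificate authentication handler: Configure root certificate from file ''{0}''.", configured.getAbsolutePath());
            }
            while (!Thread.currentThread().isInterrupted()) {
                refreshRootCertificate();
                try {
                    Thread.sleep(CHECK_INTERVAL_MILLIS);
                } catch (InterruptedException e) {
                    // Restore the flag so the loop condition terminates the watcher.
                    Thread.currentThread().interrupt();
                }
            }
        } finally {
            this.logger.info("checkThread", new SimpleMessage("Certificate authentication handler stopped."), new Object[0]);
        }
    }

    /**
     * One poll of the root certificate file: drops the installed certificate when the
     * file became unreadable or changed, and (re)loads it when none is installed.
     */
    private void refreshRootCertificate() {
        File file = this.rootCertificateFile.get();
        if (file == null) {
            return;
        }
        if (!file.canRead()) {
            // Log only on the transition, not on every poll while the file stays missing.
            if (this.rootCertificate.getAndSet(null) != null) {
                this.logger.info("checkThread", "Certificate authentication handler: Root certificate file ''{0}'' does not exist anymore. REMOVING.'", file.getAbsolutePath());
            }
            return;
        }
        long modified = file.lastModified();
        if (this.rootCertificate.get() != null && this.rootCertificateLastModified.get() != modified) {
            this.rootCertificate.set(null);
            this.logger.info("checkThread", "Certificate authentication handler: Root certificate file ''{0}'' has changed on disk. UPDATING.'", file.getAbsolutePath());
        }
        if (this.rootCertificate.get() != null) {
            return;
        }
        this.rootCertificateLastModified.set(modified);
        try {
            this.rootCertificate.set(loadCertificate(file));
            this.logger.info("checkThread", "Certificate authentication handler: INSTALLED root certificate from certificate file ''{0}''.", file.getAbsolutePath());
        } catch (IOException | CertificateException e) {
            // A trust anchor that cannot be loaded must not fail silently; retried on the next poll.
            this.logger.warn("checkThread", "Certificate authentication handler: Could not load root certificate from file ''{0}'': {1}", new Object[]{file.getAbsolutePath(), e.getMessage()});
        }
    }

    /**
     * Reads a single X.509 certificate from {@code file}, closing the stream afterwards.
     *
     * @param file the certificate file
     * @return the parsed certificate
     * @throws IOException          if the file cannot be opened or read
     * @throws CertificateException if no X.509 factory is available or the content
     *                              is not a parseable X.509 certificate
     */
    private static X509Certificate loadCertificate(File file) throws IOException, CertificateException {
        if (certificateFactory == null) {
            throw new CertificateException("X.509 certificate factory is not available");
        }
        try (InputStream in = new FileInputStream(file)) {
            Certificate parsed = certificateFactory.generateCertificate(in);
            if (!(parsed instanceof X509Certificate)) {
                throw new CertificateException("Not an X.509 certificate: " + file.getAbsolutePath());
            }
            return (X509Certificate) parsed;
        }
    }
}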
