package org.jivesoftware.openfire.trustbundle.processor;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.net.URLConnection;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.directtruststandards.timplus.common.cert.Thumbprint;
import org.jivesoftware.openfire.trustbundle.BundleRefreshError;
import org.jivesoftware.openfire.trustbundle.TrustBundle;
import org.jivesoftware.openfire.trustbundle.TrustBundleAnchor;
import org.jivesoftware.openfire.trustbundle.TrustBundleManager;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/trustbundle/processor/DefaultBundleRefreshProcessor.class */
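/**
 * Refreshes a {@link TrustBundle} by downloading it from the bundle's URL, extracting the X.509
 * anchors it contains, and replacing the anchors held by {@link TrustBundleManager}.
 *
 * <p>When the property named by {@link #PROPERTY_ALLOW_DOWNLOAD_FROM_NONVERIRIDED} is
 * {@code true}, HTTPS downloads made by this processor accept any server certificate and any
 * host name. The relaxed settings are applied only to the connections this processor opens; they
 * are not installed as JVM-wide {@link HttpsURLConnection} defaults, so other HTTPS clients in
 * the same process keep normal certificate validation.
 */
public class DefaultBundleRefreshProcessor implements BundleRefreshProcessor {
    public static final String PROPERTY_ALLOW_DOWNLOAD_FROM_NONVERIRIDED = "xmpp.client.tls.trustBundle.allowDownloadFromNonVerifiedSite";
    protected static final int DEFAULT_URL_CONNECTION_TIMEOUT = 10000;
    protected static final int DEFAULT_URL_READ_TIMEOUT = 10000;
    private static final Logger Log = LoggerFactory.getLogger(DefaultBundleRefreshProcessor.class);

    /** Host name verifier used only when downloads from non-verified sites are allowed. */
    private static final HostnameVerifier ACCEPT_ANY_HOSTNAME = (hostname, session) -> true;

    /**
     * SSL context that accepts every server certificate, or {@code null} when downloads from
     * non-verified sites are not allowed (or the context could not be created).
     */
    private final SSLContext permissiveSslContext;

    /**
     * Creates the processor and, if the non-verified-site property is enabled, prepares the
     * relaxed TLS settings used for bundle downloads.
     */
    public DefaultBundleRefreshProcessor() {
        SSLContext context = null;
        if (Boolean.parseBoolean(JiveGlobals.getProperty(PROPERTY_ALLOW_DOWNLOAD_FROM_NONVERIRIDED, "false"))) {
            // Make the weakened posture visible: with validation off, the download channel gives
            // no assurance about who served the bundle.
            Log.warn("Property {} is enabled: trust bundle downloads will not validate the server certificate or host name.",
                    PROPERTY_ALLOW_DOWNLOAD_FROM_NONVERIRIDED);
            context = createPermissiveSslContext();
        }
        this.permissiveSslContext = context;
    }

    /**
     * Builds an SSL context whose trust manager accepts every certificate chain.
     *
     * @return the context, or {@code null} if it could not be created, in which case downloads
     *         fall back to the JVM's default validation
     */
    private static SSLContext createPermissiveSslContext() {
        TrustManager[] trustAll = {new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract requires a non-null array.
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
                // Intentionally accepts everything.
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                // Intentionally accepts everything.
            }
        }};
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, trustAll, new SecureRandom());
            return context;
        } catch (Exception e) {
            Log.error("Failed to set up relaxed TLS settings for trust bundle downloads; default certificate validation stays in effect.", e);
            return null;
        }
    }

    /**
     * Downloads the bundle and, if its thumbprint differs from the stored checksum, replaces the
     * bundle's anchors in the data store. The outcome is recorded on {@code trustBundle}.
     *
     * @param trustBundle the bundle to refresh
     */
    @Override // org.jivesoftware.openfire.trustbundle.processor.BundleRefreshProcessor
    public void refreshBundle(TrustBundle trustBundle) {
        Instant now = Instant.now();
        byte[] rawBundle = downloadBundleToByteArray(trustBundle, now);
        if (rawBundle == null) {
            // The download failure has already been recorded on the bundle.
            return;
        }
        try {
            String thumbprint = Thumbprint.toThumbprint(rawBundle).toString();
            boolean changed = trustBundle.getCheckSum() == null || !trustBundle.getCheckSum().equals(thumbprint);
            if (!changed) {
                recordOutcome(trustBundle, now, BundleRefreshError.SUCCESS);
                return;
            }
            Collection<X509Certificate> downloaded = convertRawBundleToAnchorCollection(rawBundle, trustBundle, now);
            if (downloaded == null) {
                return;
            }
            // De-duplicate the certificates before storing them.
            Collection<X509Certificate> unique = new HashSet<>(downloaded);
            try {
                Collection<TrustBundleAnchor> anchors = new ArrayList<>();
                for (X509Certificate certificate : unique) {
                    try {
                        TrustBundleAnchor anchor = new TrustBundleAnchor();
                        anchor.setAnchorData(certificate.getEncoded());
                        anchor.setTrustBundleId(trustBundle.getId());
                        anchors.add(anchor);
                    } catch (Exception e) {
                        Log.warn("Failed to convert downloaded anchor to byte array. ", e);
                    }
                }
                // NOTE(review): the delete and the adds are separate calls here; if an add fails
                // part-way the stored anchor set may be left incomplete. Confirm whether
                // TrustBundleManager offers a transactional replace.
                TrustBundleManager.getInstance().deleteAnchorsByBundleId(trustBundle.getId());
                for (TrustBundleAnchor anchor : anchors) {
                    TrustBundleManager.getInstance().addTrustBundleAnchor(anchor.asX509Certificate(), trustBundle.getId());
                }
                trustBundle.setLastRefreshAttempt(now);
                trustBundle.setLastRefreshError(BundleRefreshError.SUCCESS);
                trustBundle.setCheckSum(thumbprint);
                trustBundle.setLastSuccessfulRefresh(now);
                TrustBundleManager.getInstance().updateTrustBundleAttributes(trustBundle.getBundleName(), trustBundle, false);
            } catch (Exception e) {
                recordOutcome(trustBundle, now, BundleRefreshError.INVALID_BUNDLE_FORMAT);
                Log.error("Failed to write updated bundle anchors to data store ", e);
            }
        } catch (NoSuchAlgorithmException e) {
            recordOutcome(trustBundle, now, BundleRefreshError.INVALID_BUNDLE_FORMAT);
            Log.error("Failed to generate downloaded bundle thumbprint ", e);
        }
    }

    /**
     * Extracts the anchors from a downloaded bundle. The bytes are first parsed directly as X.509
     * certificates; if that yields nothing they are parsed as CMS signed data, the signature is
     * checked against the bundle's signing certificate when one is configured, and the signed
     * content is parsed as X.509 certificates.
     *
     * <p>NOTE(review): a bundle that parses directly as certificates is returned without any
     * signature check, even when a signing certificate is configured. If a configured signing
     * certificate is meant to make signatures mandatory, the unsigned path should be rejected in
     * that case; confirm the intended policy before changing it.
     *
     * @param bArr the raw downloaded bundle
     * @param trustBundle the bundle being refreshed; updated with the error on failure
     * @param instant the time of this refresh attempt
     * @return the certificates found, or {@code null} if the bundle could not be parsed or its
     *         signature did not match
     */
    protected Collection<X509Certificate> convertRawBundleToAnchorCollection(byte[] bArr, TrustBundle trustBundle, Instant instant) {
        Collection<X509Certificate> unsigned = parseAsUnsignedCertificates(bArr);
        if (unsigned != null) {
            return unsigned;
        }
        try {
            CMSSignedData signedData = new CMSSignedData(bArr);
            if (trustBundle.getSigningCertificateData() != null
                    && !isSignedBy(signedData, trustBundle.getSigningCertificateAsX509Certificate())) {
                recordOutcome(trustBundle, instant, BundleRefreshError.UNMATCHED_SIGNATURE);
                Log.warn("Downloaded bundle signature did not match configured signing certificate.");
                return null;
            }
            byte[] content = (byte[]) signedData.getSignedContent().getContent();
            return asX509Collection(CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(content)));
        } catch (Exception e) {
            recordOutcome(trustBundle, instant, BundleRefreshError.INVALID_BUNDLE_FORMAT);
            Log.warn("Failed to extract anchors from downloaded bundle at URL " + trustBundle.getBundleURL(), e);
            return null;
        }
    }

    /**
     * Parses the bytes directly as X.509 certificates.
     *
     * @return the certificates, or {@code null} if parsing failed or produced none
     */
    private static Collection<X509Certificate> parseAsUnsignedCertificates(byte[] raw) {
        try {
            Collection<? extends Certificate> parsed =
                    CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(raw));
            return (parsed == null || parsed.isEmpty()) ? null : asX509Collection(parsed);
        } catch (Exception e) {
            // Expected for signed bundles: the caller falls back to CMS parsing.
            Log.debug("Downloaded bundle is not a plain certificate container; trying CMS signed data.", e);
            return null;
        }
    }

    /** Returns {@code true} if at least one signer of {@code signedData} verifies against {@code signingCertificate}. */
    private static boolean isSignedBy(CMSSignedData signedData, X509Certificate signingCertificate) throws Exception {
        for (Object signer : signedData.getSignerInfos().getSigners()) {
            if (((SignerInformation) signer).verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(signingCertificate))) {
                return true;
            }
        }
        return false;
    }

    /** Views the certificates produced by the X.509 factory as {@link X509Certificate}s without copying. */
    @SuppressWarnings("unchecked")
    private static Collection<X509Certificate> asX509Collection(Collection<? extends Certificate> certificates) {
        return (Collection<X509Certificate>) certificates;
    }

    /**
     * Downloads the bundle from {@code trustBundle.getBundleURL()} into memory.
     *
     * <p>NOTE(review): the response is buffered without a size limit and the URL scheme is not
     * restricted here; consider capping the download size and limiting the scheme where bundle
     * URLs are validated.
     *
     * @param trustBundle the bundle to download; updated with the error on failure
     * @param instant the time of this refresh attempt
     * @return the downloaded bytes, or {@code null} if the download failed
     */
    protected byte[] downloadBundleToByteArray(TrustBundle trustBundle, Instant instant) {
        InputStream in = null;
        try {
            URLConnection connection = new URL(trustBundle.getBundleURL()).openConnection();
            relaxTlsValidationIfAllowed(connection);
            connection.setConnectTimeout(DEFAULT_URL_CONNECTION_TIMEOUT);
            connection.setReadTimeout(DEFAULT_URL_READ_TIMEOUT);
            in = connection.getInputStream();
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            byte[] chunk = new byte[2048];
            int read;
            while ((read = in.read(chunk)) > -1) {
                buffer.write(chunk, 0, read);
            }
            return buffer.toByteArray();
        } catch (SocketTimeoutException e) {
            recordOutcome(trustBundle, instant, BundleRefreshError.DOWNLOAD_TIMEOUT);
            Log.warn("Failed to download bundle from URL " + trustBundle.getBundleURL(), e);
            return null;
        } catch (Exception e) {
            recordOutcome(trustBundle, instant, BundleRefreshError.NOT_FOUND);
            Log.warn("Failed to download bundle from URL " + trustBundle.getBundleURL(), e);
            return null;
        } finally {
            IOUtils.closeQuietly(in);
        }
    }

    /**
     * Applies the accept-all TLS settings to {@code connection} when downloads from non-verified
     * sites are allowed and the connection is HTTPS; otherwise leaves it untouched.
     */
    private void relaxTlsValidationIfAllowed(URLConnection connection) {
        if (permissiveSslContext != null && connection instanceof HttpsURLConnection) {
            HttpsURLConnection https = (HttpsURLConnection) connection;
            https.setSSLSocketFactory(permissiveSslContext.getSocketFactory());
            https.setHostnameVerifier(ACCEPT_ANY_HOSTNAME);
        }
    }

    /** Records the attempt time and outcome on the bundle and persists them on a best-effort basis. */
    private void recordOutcome(TrustBundle trustBundle, Instant attempt, BundleRefreshError outcome) {
        trustBundle.setLastRefreshAttempt(attempt);
        trustBundle.setLastRefreshError(outcome);
        updateBundleAttributesQuitely(trustBundle.getBundleName(), trustBundle);
    }

    /**
     * Persists the bundle's attributes without propagating failures, so that a data-store error
     * while recording status does not mask the refresh outcome.
     *
     * @param str the bundle name
     * @param trustBundle the bundle whose attributes are written
     */
    protected void updateBundleAttributesQuitely(String str, TrustBundle trustBundle) {
        try {
            TrustBundleManager.getInstance().updateTrustBundleAttributes(str, trustBundle, false);
        } catch (Exception e) {
            // Best effort by design, but leave a trace so a failing data store is noticed.
            Log.warn("Failed to update attributes of trust bundle " + str, e);
        }
    }
}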
