package de.rwh.utils.crypto;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.temporal.ChronoUnit;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/rwh/utils/crypto/CertificateCheckerImpl.class */
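/**
 * Checks whether a certificate chains to a trust anchor of a given key store, logs the outcome
 * and schedules a one-off expiry warning for certificates that passed the check.
 *
 * <p><b>This class reports, it does not enforce.</b> Both public methods return {@code void}; a
 * certificate that fails the trust check only produces an error log line. Callers must not treat
 * a normal return as proof that the certificate is trusted, and the actual TLS configuration has
 * to reject untrusted peers on its own.
 *
 * <p>Only the single certificate handed in is validated (a chain of length one), so any
 * intermediate CA has to be present in the key store as a trusted entry for the check to pass.
 *
 * <p>NOTE(review): the trust manager comes from the JVM default {@link TrustManagerFactory}
 * algorithm initialised with the key store only; revocation (CRL/OCSP) is presumably not checked
 * unless it is enabled through JVM configuration - confirm for the target runtime.
 *
 * <p>Instances may be used from several threads: the only shared state is the executor, and date
 * formatting uses a fresh formatter per call.
 */
public class CertificateCheckerImpl implements CertificateChecker {
    private static final Logger logger = LoggerFactory.getLogger(CertificateCheckerImpl.class);
    private static final Logger certificateValidationWarningLogger = LoggerFactory.getLogger(CertificateChecker.CERTIFICATE_WARNING_LOGGER_NAME);

    /** Pattern used for the validity dates in log messages. */
    private static final String DATE_PATTERN = "yyyy-MM-dd'T'HH:mm:ssZ";

    /** How many days before {@code notAfter} the expiry warning is logged. */
    private static final long WARNING_LEAD_DAYS = 30L;

    private final ScheduledExecutorService executor;

    /**
     * Creates a checker that schedules its expiry warnings on the given executor.
     *
     * @param scheduledExecutorService executor running the delayed warning task, not {@code null}
     * @throws NullPointerException if the executor is {@code null}
     */
    public CertificateCheckerImpl(ScheduledExecutorService scheduledExecutorService) {
        Objects.requireNonNull(scheduledExecutorService, "executor");
        this.executor = scheduledExecutorService;
    }

    /**
     * Checks the certificate with {@link X509TrustManager#checkClientTrusted} against the trust
     * anchors of the key store, logs the result and schedules the expiry warning on success.
     *
     * @param keyStore key store holding the trusted CA certificates, not {@code null}
     * @param x509Certificate certificate to check, not {@code null}
     */
    @Override
    public void checkClientCertificateAndScheduleWarning(KeyStore keyStore, X509Certificate x509Certificate) {
        checkCertificateAndScheduleWarning(keyStore, x509Certificate, true);
    }

    /**
     * Checks the certificate with {@link X509TrustManager#checkServerTrusted} against the trust
     * anchors of the key store, logs the result and schedules the expiry warning on success.
     *
     * @param keyStore key store holding the trusted CA certificates, not {@code null}
     * @param x509Certificate certificate to check, not {@code null}
     */
    @Override
    public void checkServerCertificateAndScheduleWarning(KeyStore keyStore, X509Certificate x509Certificate) {
        checkCertificateAndScheduleWarning(keyStore, x509Certificate, false);
    }

    /**
     * Shared implementation of the client and server check.
     *
     * <p>A failed trust check is logged at error level and is not propagated. A failure to
     * schedule the expiry warning is logged separately, so that it is not reported as a trust
     * failure of a certificate that actually validated.
     *
     * @param clientCertificate {@code true} to validate as client certificate, {@code false} to
     *        validate as server certificate
     * @throws NullPointerException if the key store or the certificate is {@code null}
     * @throws RuntimeException if the trust manager or the trust anchors cannot be obtained
     */
    private void checkCertificateAndScheduleWarning(KeyStore keyStore, X509Certificate x509Certificate, boolean clientCertificate) {
        // Fail with a named argument instead of an anonymous NPE from deep inside the JDK.
        Objects.requireNonNull(keyStore, "keyStore");
        Objects.requireNonNull(x509Certificate, "x509Certificate");

        X509TrustManager trustManager = createTrustManager(keyStore);

        // Record which anchors the decision is based on; useful when reviewing a trust failure.
        for (X509Certificate caCertificate : getCaCertificate(keyStore)) {
            logger.info("Using CA certificate '{}'. {} to check certificate trust", getSubjectDn(caCertificate), validText(caCertificate));
        }

        X509Certificate[] chain = {x509Certificate};
        try {
            // NOTE(review): the second argument is the authType of the trust manager API; a key
            // algorithm constant is passed here - confirm its value suits both directions.
            if (clientCertificate) {
                trustManager.checkClientTrusted(chain, CertificateHelper.DEFAULT_KEY_ALGORITHM);
            } else {
                trustManager.checkServerTrusted(chain, CertificateHelper.DEFAULT_KEY_ALGORITHM);
            }
        } catch (Exception e) {
            // Deliberately broad and non-fatal: this method only reports the trust state.
            logger.error("Certificate ({}) '{}' not trusted: {}", validText(x509Certificate), getSubjectDn(x509Certificate), e.getMessage());
            return;
        }

        logger.info("Certificate '{}' trusted. {}.", getSubjectDn(x509Certificate), validText(x509Certificate));

        try {
            scheduleValidationError(x509Certificate);
        } catch (RuntimeException e) {
            // E.g. the executor was shut down; the certificate itself did validate.
            logger.error("Could not schedule expiry warning for certificate '{}': {}", getSubjectDn(x509Certificate), e.getMessage());
        }
    }

    /**
     * Builds the X.509 trust manager of the JVM default algorithm for the given key store.
     *
     * @throws IllegalStateException if the factory provides no {@link X509TrustManager}
     * @throws RuntimeException wrapping key store or algorithm lookup failures
     */
    private static X509TrustManager createTrustManager(KeyStore keyStore) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            // Do not assume position or type of the first entry; pick the X.509 manager explicitly.
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    return (X509TrustManager) candidate;
                }
            }
            throw new IllegalStateException("No X509TrustManager provided by algorithm " + factory.getAlgorithm());
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns the subject distinguished name of the certificate in RFC 1779 string form. */
    private String getSubjectDn(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal().getName("RFC1779");
    }

    /**
     * Returns the certificates of all trust anchors found in the key store.
     *
     * @throws RuntimeException if the key store is not initialised or holds no trusted entry
     */
    private List<X509Certificate> getCaCertificate(KeyStore keyStore) {
        try {
            return new PKIXParameters(keyStore).getTrustAnchors().stream()
                    .map(trustAnchor -> trustAnchor.getTrustedCert())
                    .collect(Collectors.toList());
        } catch (InvalidAlgorithmParameterException | KeyStoreException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Renders the validity period of the certificate for log messages.
     *
     * <p>A new {@link SimpleDateFormat} is created per call because the class is not thread-safe
     * and this method runs both on the calling thread and on the executor thread.
     */
    private String validText(X509Certificate x509Certificate) {
        SimpleDateFormat dateFormat = new SimpleDateFormat(DATE_PATTERN, Locale.GERMANY);
        return "Valid from '" + dateFormat.format(x509Certificate.getNotBefore()) + "' to '" + dateFormat.format(x509Certificate.getNotAfter()) + "'";
    }

    /**
     * Schedules a single warning on the dedicated warning logger, to be emitted
     * {@value #WARNING_LEAD_DAYS} days before the certificate expires, or immediately if that
     * point has already passed. The warning is not repeated afterwards.
     */
    private void scheduleValidationError(X509Certificate x509Certificate) {
        LocalDateTime notAfter = LocalDateTime.ofInstant(x509Certificate.getNotAfter().toInstant(), ZoneId.systemDefault());
        long delaySeconds = Math.max(0L, Duration.between(LocalDateTime.now(), notAfter.minusDays(WARNING_LEAD_DAYS)).getSeconds());
        this.executor.schedule(() -> {
            // Recomputed when the task runs, so the message reflects the real remaining time.
            long daysLeft = Math.max(0L, ChronoUnit.DAYS.between(LocalDateTime.now(), notAfter));
            certificateValidationWarningLogger.warn("Certificate '{}'. {}. Will expire in {} day{}!",
                    getSubjectDn(x509Certificate), validText(x509Certificate), Long.valueOf(daysLeft), daysLeft != 1 ? "s" : "");
        }, delaySeconds, TimeUnit.SECONDS);
    }
}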
