package org.xipki.ocsp.server.store;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.serializer.SerializerFeature;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateException;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.datasource.DataAccessException;
import org.xipki.datasource.DataSourceWrapper;
import org.xipki.ocsp.api.CertStatusInfo;
import org.xipki.ocsp.api.OcspStore;
import org.xipki.ocsp.api.OcspStoreException;
import org.xipki.ocsp.api.RequestIssuer;
import org.xipki.ocsp.server.IssuerFilter;
import org.xipki.ocsp.server.OcspServerConf;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.CrlReason;
import org.xipki.security.HashAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.Base64;
import org.xipki.util.CollectionUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;

/* loaded from: input_file:WEB-INF/lib/ocsp-server-5.3.9.jar:org/xipki/ocsp/server/store/DbCertStatusStore.class */
public class DbCertStatusStore extends OcspStore {
    protected DataSourceWrapper datasource;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) DbCertStatusStore.class);
    private static final long MS_PER_5MIN = 300000;
    private String sqlCsNoRit;
    private String sqlCs;
    private String sqlCsNoRitWithCertHash;
    private String sqlCsWithCertHash;
    private IssuerFilter issuerFilter;
    private HashAlgo certHashAlgo;
    private boolean initialized;
    private ScheduledThreadPoolExecutor scheduledThreadPoolExecutor;
    private final Object lock = new Object();
    private final AtomicBoolean storeUpdateInProcess = new AtomicBoolean(false);
    private final StoreUpdateService storeUpdateService = new StoreUpdateService();
    private IssuerStore issuerStore = new IssuerStore();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/ocsp-server-5.3.9.jar:org/xipki/ocsp/server/store/DbCertStatusStore$StoreUpdateService.class */
    public class StoreUpdateService implements Runnable {
        private StoreUpdateService() {
        }

        @Override // java.lang.Runnable
        public void run() {
            DbCertStatusStore.this.updateIssuerStore();
        }
    }

    protected List<Runnable> getScheduledServices() {
        return Arrays.asList(this.storeUpdateService);
    }

    protected IssuerStore getIssuerStore() {
        return this.issuerStore;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public synchronized void updateIssuerStore() {
        updateIssuerStore(false);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void updateIssuerStore(boolean z) {
        if (z || !this.storeUpdateInProcess.get()) {
            synchronized (this.lock) {
                if (z) {
                    while (this.storeUpdateInProcess.get()) {
                        try {
                            Thread.sleep(1000L);
                        } catch (InterruptedException e) {
                            LOG.warn("interrputed, continue waiting");
                        }
                    }
                }
                this.storeUpdateInProcess.set(true);
                try {
                    updateIssuers();
                    updateCrls();
                    this.initialized = true;
                    this.storeUpdateInProcess.set(false);
                } catch (Throwable th) {
                    this.initialized = true;
                    this.storeUpdateInProcess.set(false);
                    throw th;
                }
            }
        }
    }

    private void updateIssuers() {
        try {
            if (this.initialized) {
                PreparedStatement preparedStatement = preparedStatement("SELECT ID,REV_INFO,S1C FROM ISSUER");
                ResultSet resultSet = null;
                try {
                    HashMap hashMap = new HashMap();
                    resultSet = preparedStatement.executeQuery();
                    while (resultSet.next()) {
                        if (!this.issuerFilter.includeAll()) {
                            if (!this.issuerFilter.includeIssuerWithSha1Fp(resultSet.getString("S1C"))) {
                            }
                        }
                        int i = resultSet.getInt("ID");
                        Long l = null;
                        String string = resultSet.getString("REV_INFO");
                        if (string != null) {
                            l = Long.valueOf(CertRevocationInfo.fromEncoded(string).getRevocationTime().getTime());
                        }
                        hashMap.put(Integer.valueOf(i), new SimpleIssuerEntry(i, l));
                    }
                    Set keySet = hashMap.keySet();
                    Set ids = this.issuerStore != null ? this.issuerStore.getIds() : Collections.emptySet();
                    boolean z = ids.size() == keySet.size() && ids.containsAll(keySet) && keySet.containsAll(ids);
                    if (z) {
                        Iterator it = keySet.iterator();
                        while (true) {
                            if (!it.hasNext()) {
                                break;
                            }
                            Integer num = (Integer) it.next();
                            if (!((SimpleIssuerEntry) hashMap.get(num)).match(this.issuerStore.getIssuerForId(num.intValue()))) {
                                z = false;
                                break;
                            }
                        }
                    }
                    if (z) {
                        releaseDbResources(preparedStatement, resultSet);
                        return;
                    }
                    releaseDbResources(preparedStatement, resultSet);
                } catch (Throwable th) {
                    releaseDbResources(preparedStatement, resultSet);
                    throw th;
                }
            }
            PreparedStatement preparedStatement2 = preparedStatement("SELECT ID,NBEFORE,REV_INFO,S1C,CERT,CRL_ID FROM ISSUER");
            try {
                ResultSet executeQuery = preparedStatement2.executeQuery();
                LinkedList linkedList = new LinkedList();
                while (executeQuery.next()) {
                    if (this.issuerFilter.includeIssuerWithSha1Fp(executeQuery.getString("S1C"))) {
                        IssuerEntry issuerEntry = new IssuerEntry(executeQuery.getInt("ID"), X509Util.parseCert(StringUtil.toUtf8Bytes(executeQuery.getString("CERT"))));
                        RequestIssuer requestIssuer = new RequestIssuer(HashAlgo.SHA1, issuerEntry.getEncodedHash(HashAlgo.SHA1));
                        Iterator it2 = linkedList.iterator();
                        while (it2.hasNext()) {
                            if (((IssuerEntry) it2.next()).matchHash(requestIssuer)) {
                                throw new Exception("found at least two issuers with the same subject and key");
                            }
                        }
                        String string2 = executeQuery.getString("REV_INFO");
                        if (string2 != null) {
                            issuerEntry.setRevocationInfo(CertRevocationInfo.fromEncoded(string2).getRevocationTime());
                        }
                        issuerEntry.setCrlId(executeQuery.getInt("CRL_ID"));
                        linkedList.add(issuerEntry);
                    }
                }
                this.issuerStore.setIssuers(linkedList);
                LOG.info("Updated issuers of store {}", this.name);
                releaseDbResources(preparedStatement2, executeQuery);
            } catch (Throwable th2) {
                releaseDbResources(preparedStatement2, null);
                throw th2;
            }
        } catch (Throwable th3) {
            LogUtil.error(LOG, th3, "error while executing updateIssuers()");
        }
    }

    private void updateCrls() {
        try {
            PreparedStatement preparedStatement = preparedStatement("SELECT ID,INFO FROM CRL_INFO");
            ResultSet resultSet = null;
            try {
                HashMap hashMap = new HashMap();
                resultSet = preparedStatement.executeQuery();
                while (resultSet.next()) {
                    hashMap.put(Integer.valueOf(resultSet.getInt("ID")), new CrlInfo(resultSet.getString("INFO")));
                }
                this.issuerStore.setCrlInfos(hashMap);
                LOG.info("Updated CRL_INFOs of store {}", this.name);
                releaseDbResources(preparedStatement, resultSet);
            } catch (Throwable th) {
                releaseDbResources(preparedStatement, resultSet);
                throw th;
            }
        } catch (Throwable th2) {
            LogUtil.error(LOG, th2, "error while executing updateCrls()");
        }
    }

    @Override // org.xipki.ocsp.api.OcspStore
    protected CertStatusInfo getCertStatus0(Date date, RequestIssuer requestIssuer, BigInteger bigInteger, boolean z, boolean z2, boolean z3) throws OcspStoreException {
        String str;
        Date thisUpdate;
        Date nextUpdate;
        CertStatusInfo goodCertStatusInfo;
        if (bigInteger.signum() != 1) {
            return CertStatusInfo.getUnknownCertStatusInfo(new Date(), null);
        }
        if (!this.initialized) {
            throw new OcspStoreException("initialization of CertStore is still in process");
        }
        try {
            IssuerEntry issuerForFp = this.issuerStore.getIssuerForFp(requestIssuer);
            if (issuerForFp == null) {
                return null;
            }
            CrlInfo crlInfo = null;
            if (issuerForFp.getCrlId() != 0) {
                crlInfo = this.issuerStore.getCrlInfo(issuerForFp.getCrlId());
                if (isIgnoreExpiredCrls() && crlInfo.getNextUpdate().getTime() < date.getTime() + MS_PER_5MIN) {
                    return CertStatusInfo.getCrlExpiredStatusInfo();
                }
            }
            if (z) {
                str = z2 ? this.sqlCsWithCertHash : this.sqlCsNoRitWithCertHash;
            } else {
                str = z2 ? this.sqlCs : this.sqlCsNoRit;
            }
            ResultSet resultSet = null;
            boolean z4 = true;
            boolean z5 = false;
            String str2 = null;
            boolean z6 = false;
            int i = 0;
            long j = 0;
            long j2 = 0;
            int i2 = 0;
            PreparedStatement prepareStatement = this.datasource.prepareStatement(str);
            try {
                try {
                    prepareStatement.setInt(1, issuerForFp.getId());
                    prepareStatement.setString(2, bigInteger.toString(16));
                    resultSet = prepareStatement.executeQuery();
                    if (resultSet.next()) {
                        z4 = false;
                        i2 = resultSet.getInt("CRL_ID");
                        long time = date.getTime() / 1000;
                        if (0 == 0 && this.ignoreNotYetValidCert) {
                            long j3 = resultSet.getLong("NBEFORE");
                            if (j3 != 0 && time < j3) {
                                z5 = true;
                            }
                        }
                        if (!z5 && this.ignoreExpiredCert) {
                            long j4 = resultSet.getLong("NAFTER");
                            if (j4 != 0 && time > j4) {
                                z5 = true;
                            }
                        }
                        if (!z5) {
                            if (z) {
                                str2 = resultSet.getString("HASH");
                            }
                            z6 = resultSet.getBoolean("REV");
                            if (z6) {
                                i = resultSet.getInt("RR");
                                j = resultSet.getLong("RT");
                                if (z2) {
                                    j2 = resultSet.getLong("RIT");
                                }
                            }
                        }
                    }
                    releaseDbResources(prepareStatement, resultSet);
                    if (i2 == 0) {
                        i2 = issuerForFp.getCrlId();
                    }
                    if (crlInfo == null && i2 != 0) {
                        crlInfo = this.issuerStore.getCrlInfo(i2);
                    }
                    if (crlInfo == null) {
                        thisUpdate = new Date();
                        nextUpdate = null;
                    } else {
                        thisUpdate = crlInfo.getThisUpdate();
                        nextUpdate = crlInfo.getNextUpdate();
                        if (isIgnoreExpiredCrls() && crlInfo.getNextUpdate().getTime() < date.getTime() + MS_PER_5MIN) {
                            return CertStatusInfo.getCrlExpiredStatusInfo();
                        }
                    }
                    if (z4) {
                        goodCertStatusInfo = CertStatusInfo.getUnknownCertStatusInfo(thisUpdate, nextUpdate);
                    } else if (z5) {
                        goodCertStatusInfo = CertStatusInfo.getIgnoreCertStatusInfo(thisUpdate, nextUpdate);
                    } else {
                        byte[] decodeFast = str2 == null ? null : Base64.decodeFast(str2);
                        if (z6) {
                            goodCertStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(new CertRevocationInfo(i, new Date(j * 1000), (j2 == 0 || j2 == j) ? null : new Date(j2 * 1000)), this.certHashAlgo, decodeFast, thisUpdate, nextUpdate, null);
                        } else {
                            goodCertStatusInfo = CertStatusInfo.getGoodCertStatusInfo(this.certHashAlgo, decodeFast, thisUpdate, nextUpdate, null);
                        }
                    }
                    if (this.includeCrlId && crlInfo != null) {
                        goodCertStatusInfo.setCrlId(crlInfo.getCrlId());
                    }
                    if (this.includeArchiveCutoff && this.retentionInterval != 0) {
                        goodCertStatusInfo.setArchiveCutOff(this.retentionInterval < 0 ? issuerForFp.getNotBefore() : new Date(Math.max(issuerForFp.getNotBefore().getTime(), System.currentTimeMillis() - (86400000 * this.retentionInterval))));
                    }
                    if (!z3 || issuerForFp.getRevocationInfo() == null) {
                        return goodCertStatusInfo;
                    }
                    CertRevocationInfo revocationInfo = issuerForFp.getRevocationInfo();
                    CertStatusInfo.CertStatus certStatus = goodCertStatusInfo.getCertStatus();
                    boolean z7 = false;
                    if (certStatus == CertStatusInfo.CertStatus.GOOD) {
                        z7 = true;
                    } else if (certStatus == CertStatusInfo.CertStatus.UNKNOWN || certStatus == CertStatusInfo.CertStatus.IGNORE) {
                        if (this.unknownCertBehaviour == CertStatusInfo.UnknownCertBehaviour.good) {
                            z7 = true;
                        }
                    } else if (certStatus == CertStatusInfo.CertStatus.REVOKED && goodCertStatusInfo.getRevocationInfo().getRevocationTime().after(revocationInfo.getRevocationTime())) {
                        z7 = true;
                    }
                    if (z7) {
                        goodCertStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(revocationInfo.getReason() == CrlReason.CA_COMPROMISE ? revocationInfo : new CertRevocationInfo(CrlReason.CA_COMPROMISE, revocationInfo.getRevocationTime(), revocationInfo.getInvalidityTime()), goodCertStatusInfo.getCertHashAlgo(), goodCertStatusInfo.getCertHash(), goodCertStatusInfo.getThisUpdate(), goodCertStatusInfo.getNextUpdate(), goodCertStatusInfo.getCertprofile());
                    }
                    return goodCertStatusInfo;
                } catch (SQLException e) {
                    throw this.datasource.translate(str, e);
                }
            } catch (Throwable th) {
                releaseDbResources(prepareStatement, resultSet);
                throw th;
            }
        } catch (DataAccessException e2) {
            throw new OcspStoreException(e2.getMessage(), e2);
        }
    }

    private PreparedStatement preparedStatement(String str) throws DataAccessException {
        return this.datasource.prepareStatement(str);
    }

    @Override // org.xipki.ocsp.api.OcspStore
    public boolean isHealthy() {
        if (!isInitialized()) {
            return false;
        }
        try {
            PreparedStatement preparedStatement = preparedStatement("SELECT ID FROM ISSUER");
            ResultSet resultSet = null;
            try {
                resultSet = preparedStatement.executeQuery();
                releaseDbResources(preparedStatement, resultSet);
                return true;
            } catch (Throwable th) {
                releaseDbResources(preparedStatement, resultSet);
                throw th;
            }
        } catch (Exception e) {
            LogUtil.error(LOG, e);
            return false;
        }
    }

    private void releaseDbResources(Statement statement, ResultSet resultSet) {
        this.datasource.releaseResources(statement, resultSet);
    }

    @Override // org.xipki.ocsp.api.OcspStore
    public void init(Map<String, ? extends Object> map, DataSourceWrapper dataSourceWrapper) throws OcspStoreException {
        Object obj;
        OcspServerConf.CaCerts caCerts = null;
        if (map != null && (obj = map.get("caCerts")) != null) {
            caCerts = (OcspServerConf.CaCerts) JSON.parseObject(JSON.toJSONBytes(obj, new SerializerFeature[0]), OcspServerConf.CaCerts.class, new Feature[0]);
        }
        this.datasource = (DataSourceWrapper) Args.notNull(dataSourceWrapper, "datasource");
        this.sqlCs = dataSourceWrapper.buildSelectFirstSql(1, "NBEFORE,NAFTER,REV,RR,RT,RIT,CRL_ID FROM CERT WHERE IID=? AND SN=?");
        this.sqlCsNoRit = dataSourceWrapper.buildSelectFirstSql(1, "NBEFORE,NAFTER,REV,RR,RT,CRL_ID FROM CERT WHERE IID=? AND SN=?");
        this.sqlCsWithCertHash = dataSourceWrapper.buildSelectFirstSql(1, "NBEFORE,NAFTER,REV,RR,RT,RIT,HASH,CRL_ID FROM CERT WHERE IID=? AND SN=?");
        this.sqlCsNoRitWithCertHash = dataSourceWrapper.buildSelectFirstSql(1, "NBEFORE,NAFTER,REV,RR,RT,HASH,CRL_ID FROM CERT WHERE IID=? AND SN=?");
        try {
            this.certHashAlgo = getCertHashAlgo(dataSourceWrapper);
            Set<X509Cert> set = null;
            Set<X509Cert> set2 = null;
            if (caCerts != null) {
                try {
                    if (CollectionUtil.isNotEmpty(caCerts.getIncludes())) {
                        set = parseCerts(caCerts.getIncludes());
                    }
                    if (CollectionUtil.isNotEmpty(caCerts.getExcludes())) {
                        set2 = parseCerts(caCerts.getExcludes());
                    }
                } catch (CertificateException e) {
                    throw new OcspStoreException(e.getMessage(), e);
                }
            }
            this.issuerFilter = new IssuerFilter(set, set2);
            updateIssuerStore();
            if (this.scheduledThreadPoolExecutor != null) {
                this.scheduledThreadPoolExecutor.shutdownNow();
            }
            if (this.updateInterval != null) {
                List<Runnable> scheduledServices = getScheduledServices();
                int size = scheduledServices == null ? 0 : scheduledServices.size();
                if (size > 0) {
                    this.scheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(size);
                    Random random = new Random();
                    long approxMinutes = this.updateInterval.approxMinutes() * 60;
                    Iterator<Runnable> it = scheduledServices.iterator();
                    while (it.hasNext()) {
                        this.scheduledThreadPoolExecutor.scheduleAtFixedRate(it.next(), approxMinutes + random.nextInt(60), approxMinutes, TimeUnit.SECONDS);
                    }
                }
            }
        } catch (DataAccessException e2) {
            throw new OcspStoreException("Could not retrieve the certhash's algorithm from the database", e2);
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.scheduledThreadPoolExecutor != null) {
            this.scheduledThreadPoolExecutor.shutdown();
            this.scheduledThreadPoolExecutor = null;
        }
        if (this.datasource != null) {
            this.datasource.close();
        }
    }

    @Override // org.xipki.ocsp.api.OcspStore
    public boolean knowsIssuer(RequestIssuer requestIssuer) {
        return (this.issuerStore == null || null == this.issuerStore.getIssuerForFp(requestIssuer)) ? false : true;
    }

    @Override // org.xipki.ocsp.api.OcspStore
    public X509Cert getIssuerCert(RequestIssuer requestIssuer) {
        IssuerEntry issuerForFp;
        if (this.issuerStore == null || (issuerForFp = this.issuerStore.getIssuerForFp(requestIssuer)) == null) {
            return null;
        }
        return issuerForFp.getCert();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isInitialized() {
        return this.initialized;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Set<X509Cert> parseCerts(Collection<String> collection) throws OcspStoreException {
        HashSet hashSet = new HashSet(collection.size());
        for (String str : collection) {
            try {
                hashSet.add(X509Util.parseCert(new File(str)));
            } catch (IOException | CertificateException e) {
                throw new OcspStoreException("could not parse X.509 certificate from file " + str + ": " + e.getMessage(), e);
            }
        }
        return hashSet;
    }

    public static HashAlgo getCertHashAlgo(DataSourceWrapper dataSourceWrapper) throws DataAccessException {
        String str = (String) dataSourceWrapper.getFirstValue(null, "DBSCHEMA", "VALUE2", "NAME='CERTHASH_ALGO'", String.class);
        if (str == null) {
            throw new DataAccessException("Column with NAME='CERTHASH_ALGO' is not defined in table DBSCHEMA");
        }
        return HashAlgo.getNonNullInstance(str);
    }
}
