package org.nhindirect.stagent.cert.impl;

import com.google.inject.Inject;
import com.google.inject.internal.Nullable;
import java.io.ByteArrayInputStream;
import java.net.UnknownHostException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.io.IOUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jcs.JCS;
import org.apache.jcs.access.exception.CacheException;
import org.apache.jcs.engine.behavior.ICompositeCacheAttributes;
import org.apache.jcs.engine.behavior.IElementAttributes;
import org.nhindirect.stagent.NHINDException;
import org.nhindirect.stagent.cert.CacheableCertStore;
import org.nhindirect.stagent.cert.CertCacheFactory;
import org.nhindirect.stagent.cert.CertStoreCachePolicy;
import org.nhindirect.stagent.cert.CertificateStore;
import org.nhindirect.stagent.cert.impl.annotation.DNSCertStoreBootstrap;
import org.nhindirect.stagent.cert.impl.annotation.DNSCertStoreCachePolicy;
import org.nhindirect.stagent.cert.impl.annotation.DNSCertStoreServers;
import org.nhindirect.stagent.options.OptionsManager;
import org.nhindirect.stagent.options.OptionsParameter;
import org.xbill.DNS.CERTRecord;
import org.xbill.DNS.CNAMERecord;
import org.xbill.DNS.ExtendedResolver;
import org.xbill.DNS.Lookup;
import org.xbill.DNS.NSRecord;
import org.xbill.DNS.Name;
import org.xbill.DNS.Record;
import org.xbill.DNS.ResolverConfig;

/* loaded from: input_file:org/nhindirect/stagent/cert/impl/DNSCertificateStore.class */
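/**
 * Certificate store that resolves a subject's certificate through DNS CERT records (RFC 4398).
 * <p>
 * Lookup flow for a subject such as {@code user@example.com}: the configured resolvers are asked for a CERT
 * record at {@code user.example.com}; if nothing comes back, the zone's authoritative name servers are located
 * (CNAME target or the domain part, walking up one label at a time for NS records) and asked directly; if the
 * answer is still absent the domain-level name ({@code example.com}) is tried. Results are written into the
 * optional bootstrap/local delegate store and into a JCS cache region.
 * <p>
 * NOTE(review): no DNSSEC or other authenticity check on the DNS answers is visible in this class, and every
 * certificate parsed from a CERT record is added to the delegate store. Callers are expected to establish trust
 * in these certificates separately (chain/policy validation) — confirm that this happens upstream.
 * <p>
 * Instances are not synchronized beyond {@link #getCache()}; concurrent callers must coordinate externally.
 */
public class DNSCertificateStore extends CertificateStore implements CacheableCertStore {
    /** Name of the JCS cache region that holds DNS lookup results. */
    private static final String CACHE_NAME = "DNS_REMOTE_CERT_CACHE";
    /** Prefix an X.500-style subject may carry in front of the e-mail address. */
    private static final String EMAIL_ADDRESS_PREFIX = "EMAILADDRESS=";
    protected static final int DEFAULT_DNS_TIMEOUT = 3;
    protected static final int DEFAULT_DNS_RETRIES = 2;
    protected static final boolean DEFAULT_DNS_USE_TCP = true;
    protected static final int DEFAULT_DNS_MAX_CAHCE_ITEMS = 1000;
    protected static final int DEFAULT_DNS_TTL = 3600;

    // Numeric values matching dnsjava's DClass / Type / CERTRecord constants. They are spelled out here so the
    // class needs nothing beyond the dnsjava types it already imports.
    private static final int DCLASS_IN = 1;
    private static final int TYPE_NS = 2;
    private static final int TYPE_CNAME = 5;
    private static final int TYPE_CERT = 37;
    private static final int CERT_TYPE_PKIX = 1;
    private static final int CERT_TYPE_URI = 253;

    /** Optional local store; DNS results are mirrored into it and it is consulted when no cache exists. */
    protected CertificateStore localStoreDelegate;
    /** Resolver addresses used for the initial queries. */
    protected List<String> servers = new ArrayList<String>();
    protected JCS cache;
    protected CertStoreCachePolicy cachePolicy;
    protected int timeout;
    protected int retries;
    protected boolean useTCP;
    private static final Log LOGGER = LogFactory.getFactory().getInstance(DNSCertificateStore.class);

    /**
     * Cache policy that reads its limits from the {@link OptionsManager} at construction time, falling back to
     * the class defaults when the options are unset.
     */
    public static class DefaultDNSCachePolicy implements CertStoreCachePolicy {
        protected final int maxItems = OptionsParameter.getParamValueAsInteger(OptionsManager.getInstance().getParameter(OptionsParameter.DNS_CERT_RESOLVER_MAX_CACHE_SIZE), DNSCertificateStore.DEFAULT_DNS_MAX_CAHCE_ITEMS);
        protected final int subjectTTL = OptionsParameter.getParamValueAsInteger(OptionsManager.getInstance().getParameter(OptionsParameter.DNS_CERT_RESOLVER_CACHE_TTL), DNSCertificateStore.DEFAULT_DNS_TTL);

        /** @return the maximum number of entries the cache region may hold. */
        @Override // org.nhindirect.stagent.cert.CertStoreCachePolicy
        public int getMaxItems() {
            return this.maxItems;
        }

        /** @return lifetime of a cached subject entry, in seconds. */
        @Override // org.nhindirect.stagent.cert.CertStoreCachePolicy
        public int getSubjectTTL() {
            return this.subjectTTL;
        }
    }

    /** Creates a store that uses the system resolver configuration and no bootstrap store. */
    public DNSCertificateStore() {
        this((Collection<String>) null);
    }

    /**
     * Creates a store that queries the given resolvers and has no bootstrap store.
     *
     * @param collection resolver addresses; {@code null} or empty selects the system resolver configuration
     */
    public DNSCertificateStore(Collection<String> collection) {
        loadServerQuerySettings();
        setServers(collection);
        createCache();
    }

    /**
     * Injectable constructor.
     *
     * @param collection resolver addresses; {@code null} or empty selects the system resolver configuration
     * @param certificateStore optional bootstrap/local store; when present it is loaded into the cache
     * @param certStoreCachePolicy cache policy; {@code null} selects {@link DefaultDNSCachePolicy}
     */
    @Inject
    public DNSCertificateStore(@DNSCertStoreServers Collection<String> collection, @Nullable @DNSCertStoreBootstrap CertificateStore certificateStore, @DNSCertStoreCachePolicy CertStoreCachePolicy certStoreCachePolicy) {
        loadServerQuerySettings();
        setServers(collection);
        this.cachePolicy = certStoreCachePolicy;
        this.localStoreDelegate = certificateStore;
        createCache();
        if (this.localStoreDelegate != null) {
            loadBootStrap();
        }
    }

    /** Reads timeout, retry count and TCP preference from the options manager, using the class defaults. */
    private void loadServerQuerySettings() {
        OptionsManager options = OptionsManager.getInstance();
        this.timeout = OptionsParameter.getParamValueAsInteger(options.getParameter(OptionsParameter.DNS_CERT_RESOLVER_TIMEOUT), DEFAULT_DNS_TIMEOUT);
        this.retries = OptionsParameter.getParamValueAsInteger(options.getParameter(OptionsParameter.DNS_CERT_RESOLVER_RETRIES), DEFAULT_DNS_RETRIES);
        this.useTCP = OptionsParameter.getParamValueAsBoolean(options.getParameter(OptionsParameter.DNS_CERT_RESOLVER_USE_TCP), DEFAULT_DNS_USE_TCP);
    }

    /**
     * Returns the cache region, creating it lazily.
     *
     * @return the cache, or {@code null} if it could not be created
     */
    private synchronized JCS getCache() {
        if (this.cache == null) {
            createCache();
        }
        return this.cache;
    }

    /**
     * Creates the cache region with the current policy (defaulting the policy first if it is unset). A cache
     * failure is logged and leaves {@link #cache} {@code null}; the store then works without caching.
     */
    private void createCache() {
        if (this.cachePolicy == null) {
            this.cachePolicy = getDefaultPolicy();
        }
        try {
            this.cache = CertCacheFactory.getInstance().getCertCache(CACHE_NAME, this.cachePolicy);
        } catch (CacheException e) {
            LOGGER.warn("DNSCertificateStore - Could not create certificate cache DNS_REMOTE_CERT_CACHE", e);
        }
    }

    /** @return a freshly built {@link DefaultDNSCachePolicy}. */
    private CertStoreCachePolicy getDefaultPolicy() {
        return new DefaultDNSCachePolicy();
    }

    /**
     * Replaces the resolver list. The previous list is always discarded first, so repeated calls do not
     * accumulate duplicate system resolvers.
     *
     * @param collection resolver addresses; {@code null} or empty selects the system resolver configuration
     */
    public void setServers(Collection<String> collection) {
        this.servers.clear();
        if (collection != null && !collection.isEmpty()) {
            this.servers.addAll(collection);
        } else {
            String[] systemServers = ResolverConfig.getCurrentConfig().servers();
            if (systemServers != null) {
                this.servers.addAll(Arrays.asList(systemServers));
            }
        }
    }

    /** Delegates to the bootstrap store; {@code false} when there is none. */
    @Override // org.nhindirect.stagent.cert.CertificateStore, org.nhindirect.stagent.cert.X509Store
    public boolean contains(X509Certificate x509Certificate) {
        return this.localStoreDelegate != null && this.localStoreDelegate.contains(x509Certificate);
    }

    /** Adds to the bootstrap store; a no-op when there is none. */
    @Override // org.nhindirect.stagent.cert.CertificateStore, org.nhindirect.stagent.cert.X509Store
    public void add(X509Certificate x509Certificate) {
        if (this.localStoreDelegate != null) {
            this.localStoreDelegate.add(x509Certificate);
        }
    }

    /** Removes from the bootstrap store; a no-op when there is none. */
    @Override // org.nhindirect.stagent.cert.CertificateStore, org.nhindirect.stagent.cert.X509Store
    public void remove(X509Certificate x509Certificate) {
        if (this.localStoreDelegate != null) {
            this.localStoreDelegate.remove(x509Certificate);
        }
    }

    /**
     * Looks up certificates for a subject, consulting the cache first.
     * <p>
     * Only when no cache region exists is the bootstrap store used as a fallback after an empty DNS answer;
     * with a cache present the DNS answer (possibly empty) is returned as-is.
     *
     * @param subjectName e-mail address, optionally prefixed with {@code EMAILADDRESS=}
     * @return the certificates found; empty when none, or whatever the bootstrap store returned on fallback
     * @throws NHINDException if the DNS query fails
     */
    @Override // org.nhindirect.stagent.cert.CertificateStore, org.nhindirect.stagent.cert.X509Store
    public Collection<X509Certificate> getCertificates(String subjectName) {
        final int prefixAt = subjectName.indexOf(EMAIL_ADDRESS_PREFIX);
        final String subject = prefixAt > -1 ? subjectName.substring(prefixAt + EMAIL_ADDRESS_PREFIX.length()) : subjectName;

        Collection<X509Certificate> certs;
        JCS certCache = getCache();
        if (certCache != null) {
            @SuppressWarnings("unchecked") // the region only ever receives Collection<X509Certificate> values
            Collection<X509Certificate> cached = (Collection<X509Certificate>) certCache.get(subject);
            certs = cached;
            if (isEmpty(certs)) {
                certs = lookupDNS(subject);
            }
        } else {
            certs = lookupDNS(subject);
            if (certs.isEmpty() && this.localStoreDelegate != null) {
                certs = this.localStoreDelegate.getCertificates(subject);
            }
        }
        if (isEmpty(certs)) {
            LOGGER.info("getCertificates(String subjectName) - Could not find a DNS certificate for subject " + subjectName);
        }
        return certs;
    }

    /** Delegates to the bootstrap store; {@code null} when there is none (kept for caller compatibility). */
    @Override // org.nhindirect.stagent.cert.CertificateStore, org.nhindirect.stagent.cert.X509Store
    public Collection<X509Certificate> getAllCertificates() {
        if (this.localStoreDelegate == null) {
            return null;
        }
        return this.localStoreDelegate.getAllCertificates();
    }

    /**
     * Resolves certificates for {@code subject} through DNS CERT records.
     *
     * @param subject e-mail address or bare domain; '@' is mapped to '.' to form the query name
     * @return the X.509 certificates found (never {@code null}); also mirrored into the delegate store and cache
     * @throws NHINDException wrapping any failure while building names or querying
     */
    private Collection<X509Certificate> lookupDNS(String subject) {
        // "user@example.com" is published as the CERT owner name "user.example.com".
        final String lookupName = subject.replace('@', '.');
        final int at = subject.indexOf('@');
        final String domainPart = at > -1 ? subject.substring(at + 1) : subject;
        Collection<X509Certificate> found = new ArrayList<X509Certificate>();
        try {
            final Name queryName = new Name(lookupName);
            final Name domainName = new Name(domainPart);
            final String[] configured = configuredServers();

            Record[] certRecords = runLookup(queryName, TYPE_CERT, configured, this.retries, this.timeout);
            if (certRecords == null || certRecords.length == 0) {
                // The configured resolvers had nothing; ask the zone's authoritative servers directly.
                String[] authoritative = findAuthoritativeServers(queryName, domainName, configured);
                if (authoritative == null) {
                    return found;
                }
                certRecords = runLookup(queryName, TYPE_CERT, authoritative, DEFAULT_DNS_RETRIES, DEFAULT_DNS_TIMEOUT);
            }

            if (certRecords != null) {
                found = extractCertificates(certRecords, lookupName);
            } else if (domainPart.length() < subject.length()) {
                // No answer for the address itself; fall back to the domain-level record.
                found = lookupDNS(domainPart);
            }

            if (!isEmpty(found)) {
                storeInDelegate(found);
                cacheResult(subject, found);
            }
            return found;
        } catch (Exception e) {
            LOGGER.error("DNS certificate lookup failed for " + lookupName, e);
            throw new NHINDException(e);
        }
    }

    /** @return the configured resolver list as an array, as dnsjava's ExtendedResolver expects it. */
    private String[] configuredServers() {
        return this.servers.toArray(new String[this.servers.size()]);
    }

    /**
     * Runs one query against the given servers.
     *
     * @return the answer records, or {@code null}/empty when dnsjava reports none
     */
    private Record[] runLookup(Name name, int type, String[] queryServers, int queryRetries, int queryTimeout) {
        Lookup lookup = new Lookup(name, type);
        lookup.setResolver(createExResolver(queryServers, queryRetries, queryTimeout));
        return lookup.run();
    }

    /**
     * Finds name servers for the zone holding {@code queryName}: starts at its CNAME target (if any) or at
     * {@code domainName}, and strips one leading label at a time until an NS answer arrives or only the root
     * label is left.
     *
     * @return NS target host names, or {@code null} when no NS records were found
     */
    private String[] findAuthoritativeServers(Name queryName, Name domainName, String[] queryServers) {
        Record[] cnames = runLookup(queryName, TYPE_CNAME, queryServers, this.retries, this.timeout);
        Name zone = (cnames == null || cnames.length == 0) ? domainName : ((CNAMERecord) cnames[0]).getTarget();

        Record[] nsRecords = null;
        while (zone.labels() > 1) {
            nsRecords = runLookup(zone, TYPE_NS, queryServers, this.retries, this.timeout);
            if (nsRecords != null && nsRecords.length > 0) {
                break;
            }
            zone = new Name(zone, 1); // drop the leftmost label
        }
        if (nsRecords == null || nsRecords.length == 0) {
            return null;
        }
        String[] targets = new String[nsRecords.length];
        for (int i = 0; i < targets.length; i++) {
            targets[i] = ((NSRecord) nsRecords[i]).getTarget().toString();
        }
        return targets;
    }

    /**
     * Converts PKIX-typed CERT records to X.509 certificates; other CERT types are logged and skipped.
     *
     * @param records answer records, possibly containing non-CERT types
     * @param lookupName query name, for log context only
     * @return a new, possibly empty list
     */
    private Collection<X509Certificate> extractCertificates(Record[] records, String lookupName) {
        Collection<X509Certificate> certs = new ArrayList<X509Certificate>();
        for (Record record : records) {
            if (!(record instanceof CERTRecord)) {
                continue;
            }
            CERTRecord certRecord = (CERTRecord) record;
            switch (certRecord.getCertType()) {
                case CERT_TYPE_PKIX:
                    Certificate cert = convertPXIXRecordToCert(certRecord);
                    if (cert instanceof X509Certificate) {
                        certs.add((X509Certificate) cert);
                    }
                    break;
                case CERT_TYPE_URI: // URI-typed records are not dereferenced; treated like any unsupported type
                default:
                    LOGGER.warn("Unknown CERT type " + certRecord.getCertType() + " encountered for lookup name" + lookupName);
                    break;
            }
        }
        return certs;
    }

    /** Mirrors the certificates into the delegate store (update when present, add otherwise); no-op without one. */
    private void storeInDelegate(Collection<X509Certificate> certs) {
        if (this.localStoreDelegate == null) {
            return;
        }
        for (X509Certificate cert : certs) {
            if (this.localStoreDelegate.contains(cert)) {
                this.localStoreDelegate.update(cert);
            } else {
                this.localStoreDelegate.add(cert);
            }
        }
    }

    /**
     * Stores a lookup result under its subject key. Caching no longer depends on a delegate store being
     * configured; a cache failure is logged and otherwise ignored.
     */
    private void cacheResult(String subject, Collection<X509Certificate> certs) {
        JCS certCache = this.cache;
        if (certCache == null) {
            return;
        }
        try {
            certCache.put(subject, certs);
        } catch (CacheException e) {
            LOGGER.warn("DNSCertificateStore - Could not cache certificates for subject " + subject, e);
        }
    }

    /** @return {@code true} when the collection is {@code null} or has no elements. */
    private static boolean isEmpty(Collection<?> certs) {
        return certs == null || certs.isEmpty();
    }

    /**
     * Clears the cache region and, on request, every certificate in the bootstrap store. Does nothing when no
     * cache region exists (matching the original behaviour, the bootstrap store is then left untouched too).
     *
     * @param purgeBootStrap also remove all certificates from the bootstrap store
     */
    @Override // org.nhindirect.stagent.cert.CacheableCertStore
    public void flush(boolean purgeBootStrap) {
        if (this.cache == null) {
            return;
        }
        try {
            this.cache.clear();
        } catch (CacheException e) {
            LOGGER.warn("DNSCertificateStore - Could not clear certificate cache", e);
        }
        if (purgeBootStrap && this.localStoreDelegate != null) {
            this.localStoreDelegate.remove(this.localStoreDelegate.getAllCertificates());
        }
    }

    /**
     * Primes the cache from the bootstrap store.
     * <p>
     * NOTE(review): in the decompiled source the loop that should group the bootstrap certificates by subject
     * has an empty body, so no entries are ever put into the cache here. The structure is kept so the intent
     * is visible; the grouping logic must be restored from the original sources.
     *
     * @throws IllegalStateException if no bootstrap store has been set
     */
    @Override // org.nhindirect.stagent.cert.CacheableCertStore
    public void loadBootStrap() {
        if (this.localStoreDelegate == null) {
            throw new IllegalStateException("The boot strap store has not been set.");
        }
        JCS certCache = getCache();
        if (certCache == null) {
            return;
        }
        Map<String, Collection<X509Certificate>> bySubject = new HashMap<String, Collection<X509Certificate>>();
        for (X509Certificate ignored : this.localStoreDelegate.getAllCertificates()) {
            // body missing in the decompiled source — nothing is grouped
        }
        for (Map.Entry<String, Collection<X509Certificate>> entry : bySubject.entrySet()) {
            try {
                certCache.put(entry.getKey(), entry.getValue());
            } catch (CacheException e) {
                LOGGER.warn("DNSCertificateStore - Could not cache bootstrap certificates for subject " + entry.getKey(), e);
            }
        }
    }

    /**
     * Replaces the bootstrap store and loads it into the cache.
     *
     * @param certificateStore the new bootstrap store
     * @throws IllegalArgumentException if {@code certificateStore} is {@code null} (the original checked the
     *         field instead of the argument, which made it impossible to set a store on an instance without one)
     */
    @Override // org.nhindirect.stagent.cert.CacheableCertStore
    public void loadBootStrap(CertificateStore certificateStore) {
        setBootStrap(certificateStore);
        loadBootStrap();
    }

    /**
     * Replaces the bootstrap store without loading it.
     *
     * @param certificateStore the new bootstrap store
     * @throws IllegalArgumentException if {@code certificateStore} is {@code null}
     */
    @Override // org.nhindirect.stagent.cert.CacheableCertStore
    public void setBootStrap(CertificateStore certificateStore) {
        if (certificateStore == null) {
            throw new IllegalArgumentException("The boot strap store must not be null.");
        }
        this.localStoreDelegate = certificateStore;
    }

    /**
     * Installs a new cache policy and applies it to the cache region.
     *
     * @param certStoreCachePolicy the policy; must not be {@code null}
     * @throws IllegalArgumentException if the policy is {@code null} (previously this nulled the field and then
     *         failed with a NullPointerException while applying it)
     */
    @Override // org.nhindirect.stagent.cert.CacheableCertStore
    public void setCachePolicy(CertStoreCachePolicy certStoreCachePolicy) {
        if (certStoreCachePolicy == null) {
            throw new IllegalArgumentException("The cache policy must not be null.");
        }
        this.cachePolicy = certStoreCachePolicy;
        applyCachePolicy(certStoreCachePolicy);
    }

    /**
     * Pushes the policy's size and TTL into the JCS region and disables lateral/remote replication for it.
     * A cache failure is logged and otherwise ignored.
     */
    private void applyCachePolicy(CertStoreCachePolicy certStoreCachePolicy) {
        JCS certCache = getCache();
        if (certCache == null) {
            return;
        }
        try {
            ICompositeCacheAttributes cacheAttributes = certCache.getCacheAttributes();
            cacheAttributes.setMaxObjects(certStoreCachePolicy.getMaxItems());
            cacheAttributes.setUseLateral(false);
            cacheAttributes.setUseRemote(false);
            certCache.setCacheAttributes(cacheAttributes);

            IElementAttributes elementAttributes = certCache.getDefaultElementAttributes();
            elementAttributes.setMaxLifeSeconds(certStoreCachePolicy.getSubjectTTL());
            elementAttributes.setIsEternal(false);
            elementAttributes.setIsLateral(false);
            elementAttributes.setIsRemote(false);
            certCache.setDefaultElementAttributes(elementAttributes);
        } catch (CacheException e) {
            LOGGER.warn("DNSCertificateStore - Could not apply cache policy", e);
        }
    }

    /**
     * Builds a resolver over the given servers with this store's TCP preference.
     *
     * @param queryServers resolver host names or addresses
     * @param queryRetries retry count per server
     * @param queryTimeout timeout in seconds
     * @return the resolver, or {@code null} if a server name could not be resolved (callers then fail on use)
     */
    protected ExtendedResolver createExResolver(String[] queryServers, int queryRetries, int queryTimeout) {
        try {
            ExtendedResolver resolver = new ExtendedResolver(queryServers);
            resolver.setRetries(queryRetries);
            resolver.setTimeout(queryTimeout);
            resolver.setTCP(this.useTCP);
            return resolver;
        } catch (UnknownHostException e) {
            LOGGER.warn("DNSCertificateStore - Could not create resolver for servers " + Arrays.toString(queryServers), e);
            return null;
        }
    }

    /**
     * Parses the DER payload of a PKIX CERT record as an X.509 certificate.
     *
     * @param certRecord the record whose payload is parsed
     * @return the certificate, or {@code null} if the bytes do not parse as X.509 (logged at warn level)
     */
    protected Certificate convertPXIXRecordToCert(CERTRecord certRecord) {
        ByteArrayInputStream in = null;
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            in = new ByteArrayInputStream(certRecord.getCert());
            // The cast is deliberately inside the try: a non-X.509 result is reported like a parse failure.
            return (X509Certificate) factory.generateCertificate(in);
        } catch (Exception e) {
            LOGGER.warn("Failed to convert certificate from DNS byte data.", e);
            return null;
        } finally {
            IOUtils.closeQuietly(in);
        }
    }

    static {
        // Drop whatever dnsjava's process-wide IN cache already holds so that answers are governed by this
        // store's own cache policy rather than by previously cached lookups.
        Lookup.getDefaultCache(DCLASS_IN).clearCache();
    }
}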
