package software.netcore.unimus.licensing.offline.certificate;

import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/unimus-licensing-impl-3.10.1-STAGE.jar:software/netcore/unimus/licensing/offline/certificate/CertificateVerifierImpl.class */
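/**
 * Verifies an offline license certificate against trust anchors bundled on the classpath.
 *
 * <p>The chain checked by {@link #verify(String)} is:
 * <ol>
 *   <li>the bundled root certificate ({@code cert/CA_Root_X1.crt}), pinned by SHA-256 digest,
 *       serial number, and organization / common name;</li>
 *   <li>the bundled licensing authority certificate, whose signature must verify under the
 *       root's public key;</li>
 *   <li>the bundled CRL, whose signature must verify under the licensing authority key;</li>
 *   <li>the user-supplied certificate, whose signature must verify under the licensing
 *       authority key, which must not be listed in the CRL, and which must be inside its
 *       validity period.</li>
 * </ol>
 * Two clock sanity checks follow: the server time must not be before the application build
 * time nor before the licensing authority certificate's {@code notBefore}.
 *
 * <p>NOTE(review): only raw signatures are verified ({@code X509Certificate.verify}); there is
 * no {@code CertPathValidator} run, so issuer/subject chaining, basic constraints and key usage
 * are not evaluated here. The validity periods of the root and licensing authority certificates
 * and the CRL's {@code nextUpdate} are not checked either. Confirm this is intended for the
 * pinned, bundled chain.
 */
public class CertificateVerifierImpl implements CertificateVerifier {
    private static final Logger log = LoggerFactory.getLogger(CertificateVerifierImpl.class);

    // Trust anchors and pins are constants; they are declared final so that no code path in
    // this class can reassign them after class initialisation.
    private static final String X1_ROOT = "cert/CA_Root_X1.crt";
    private static final String L1_LICENSING_AUTHORITY = "cert/Licensing_Authority_L1.crt";
    private static final String L1_CRL = "cert/L1_CRL.pem";
    private static final BigInteger X1_ROOT_SERIAL = new BigInteger("115C28CB54A1EC49", 16);
    private static final String X1_ROOT_ISSUER_ORGANIZATION_NAME = "O=NetCore j.s.a.";
    private static final String X1_ROOT_ISSUER_COMMON_NAME = "CN=NetCore Root X1";
    // Expected SHA-256 digest of the DER-encoded root certificate. The array is never handed
    // out of this class, so its contents cannot be modified by callers.
    private static final byte[] X1_ROOT_HASH = {-58, -115, -42, -63, 112, -64, -65, -5, -35, 7, 93, 0, 127, 35, -4, 118, 17, 12, 16, 84, 24, -80, -25, 40, 80, -85, -69, -99, 30, 38, -49, -105};

    @NonNull
    private final ServerTimeProvider serverTimeProvider;

    @NonNull
    private final BuildTimeProvider buildTimeProvider;

    /**
     * Creates a verifier.
     *
     * @param serverTimeProvider source of the current server time, must not be null
     * @param buildTimeProvider source of the application build time, must not be null
     * @throws NullPointerException if either argument is null
     */
    public CertificateVerifierImpl(@NonNull ServerTimeProvider serverTimeProvider, @NonNull BuildTimeProvider buildTimeProvider) {
        if (serverTimeProvider == null) {
            throw new NullPointerException("serverTimeProvider is marked non-null but is null");
        }
        if (buildTimeProvider == null) {
            throw new NullPointerException("buildTimeProvider is marked non-null but is null");
        }
        this.serverTimeProvider = serverTimeProvider;
        this.buildTimeProvider = buildTimeProvider;
    }

    /**
     * Runs the full verification sequence for a user license certificate.
     *
     * @param str file system path of the user license certificate
     * @throws CertificateVerificationException if any verification step fails
     * @throws NullPointerException if {@code str} is null
     */
    @Override // software.netcore.unimus.licensing.offline.certificate.CertificateVerifier
    public void verify(@NonNull String str) throws CertificateVerificationException {
        if (str == null) {
            throw new NullPointerException("file is marked non-null but is null");
        }
        // NOTE(review): the path is logged exactly as supplied. If it can originate from an
        // untrusted source, make sure the log encoder neutralises control characters.
        log.debug("Verifying user license key '{}'", str);

        // 1. Pin the bundled root certificate before trusting its public key.
        X509Certificate rootCert = loadInternalCert(X1_ROOT);
        verifyCertHash(rootCert);
        verifyCertSerial(rootCert);
        verifyCertOrganizationName(rootCert);
        verifyCertCommonName(rootCert);

        // 2. Licensing authority must be signed by the pinned root.
        X509Certificate licensingAuthorityCert = loadInternalCert(L1_LICENSING_AUTHORITY);
        verifySigned(licensingAuthorityCert, rootCert.getPublicKey(), true);

        // 3. CRL must be signed by the licensing authority.
        X509CRL crl = loadCRL();
        verifySigned(crl, licensingAuthorityCert.getPublicKey());

        // 4. User certificate: signature, revocation, validity period.
        X509Certificate userCert = loadUserCert(str);
        verifySigned(userCert, licensingAuthorityCert.getPublicKey(), false);
        verifyRevocation(userCert, crl);
        verifyCertValidity(userCert);

        // 5. Clock sanity checks.
        verifyServerTimeIsAfterAppBuild();
        verifyServerTimeIsAfterL1NotBefore(licensingAuthorityCert);
    }

    /**
     * Checks that the SHA-256 digest of the encoded certificate equals the pinned root digest.
     * This is the strongest of the root checks: it binds the whole certificate, including its
     * public key.
     */
    private void verifyCertHash(X509Certificate cert) throws CertificateVerificationException {
        log.debug("Verifying license key hash");
        byte[] actualHash;
        try {
            actualHash = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            log.warn("License key hash verification failed", e);
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
        if (!Arrays.equals(actualHash, X1_ROOT_HASH)) {
            log.warn("License key hash verification failed, hash mismatch");
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
    }

    /** Checks that the certificate serial number equals the pinned root serial. */
    private void verifyCertSerial(X509Certificate cert) throws CertificateVerificationException {
        log.debug("Verifying license key serial number");
        if (!X1_ROOT_SERIAL.equals(cert.getSerialNumber())) {
            log.warn("License key serial number verification failed, serial number mismatch");
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
    }

    /**
     * Checks that both subject and issuer distinguished names contain the expected
     * organization component.
     *
     * <p>NOTE(review): this is a substring match on the DN string, so it also accepts a longer
     * value that merely starts with the expected text. It is defence in depth only; the
     * SHA-256 pin in {@link #verifyCertHash} is what actually identifies the root.
     */
    private void verifyCertOrganizationName(X509Certificate cert) throws CertificateVerificationException {
        log.debug("Verifying license key organization name");
        if (!cert.getSubjectX500Principal().getName().contains(X1_ROOT_ISSUER_ORGANIZATION_NAME)) {
            log.warn("License key subject organization name verification failed, organization name mismatch");
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
        if (!cert.getIssuerX500Principal().getName().contains(X1_ROOT_ISSUER_ORGANIZATION_NAME)) {
            log.warn("License key issuer organization name verification failed, organization name mismatch");
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
    }

    /**
     * Checks that both subject and issuer distinguished names contain the expected common
     * name component. Same substring-match caveat as {@link #verifyCertOrganizationName}.
     */
    private void verifyCertCommonName(X509Certificate cert) throws CertificateVerificationException {
        log.debug("Verifying license key common name");
        if (!cert.getSubjectX500Principal().getName().contains(X1_ROOT_ISSUER_COMMON_NAME)) {
            log.warn("License key subject common name verification failed, common name mismatch");
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
        if (!cert.getIssuerX500Principal().getName().contains(X1_ROOT_ISSUER_COMMON_NAME)) {
            log.warn("License key issuer common name verification failed, common name mismatch");
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
    }

    /** Verifies the CRL signature with the given public key. */
    private void verifySigned(X509CRL crl, PublicKey signerKey) throws CertificateVerificationException {
        log.debug("Verifying CRL signature");
        try {
            crl.verify(signerKey);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CRLException e) {
            log.warn("CRL signature verification failed", e);
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
    }

    /**
     * Verifies a certificate signature with the given public key.
     *
     * @param internal {@code true} for a bundled certificate (failure is reported as a generic
     *     operation failure), {@code false} for the user certificate (failure is reported as a
     *     signature verification failure)
     */
    private void verifySigned(X509Certificate cert, PublicKey signerKey, boolean internal) throws CertificateVerificationException {
        log.debug("Verifying license key signature, internal '{}'", internal);
        try {
            cert.verify(signerKey);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            log.warn("License key signature verification failed", e);
            if (internal) {
                throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
            }
            throw new CertificateVerificationException(ECommonErrorType.LIC_CERTIFICATE_SIGNATURE_VERIFICATION_FAILED);
        }
    }

    /**
     * Rejects the certificate if the CRL lists it as revoked.
     *
     * <p>NOTE(review): the CRL is a classpath resource, so the revocation data is as old as
     * the artifact that ships it; its {@code nextUpdate} is not evaluated here.
     */
    private void verifyRevocation(X509Certificate cert, CRL crl) throws CertificateVerificationException {
        log.debug("Verifying license key revocation");
        if (crl.isRevoked(cert)) {
            log.warn("License key is revoked");
            throw new CertificateVerificationException(ECommonErrorType.LIC_CERTIFICATE_REVOKED);
        }
    }

    /**
     * Checks the certificate's validity period.
     *
     * <p>NOTE(review): {@code checkValidity()} without arguments compares against the JVM's
     * current system time, while the other time checks in this class use
     * {@code serverTimeProvider}. If the two can differ, consider
     * {@code checkValidity(Date)} with the server time so that every time-based decision uses
     * one clock source. TODO confirm.
     */
    private void verifyCertValidity(X509Certificate cert) throws CertificateVerificationException {
        log.debug("Verifying license key validity");
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            log.warn("License key is not valid");
            throw new CertificateVerificationException(ECommonErrorType.LIC_CERTIFICATE_VALIDITY_VERIFICATION_FAILED);
        }
    }

    /** Rejects a server clock that reads earlier than the application build time. */
    private void verifyServerTimeIsAfterAppBuild() throws CertificateVerificationException {
        log.debug("Verifying server time against app build time");
        if (this.serverTimeProvider.getServerTime().isBefore(this.buildTimeProvider.getBuildTime())) {
            log.warn("Server time is before app build time");
            throw new CertificateVerificationException(ECommonErrorType.LIC_CERTIFICATE_SERVER_TIME_BEFORE_APP_BUILD_TIME);
        }
    }

    /** Rejects a server clock that reads earlier than the given certificate's {@code notBefore}. */
    private void verifyServerTimeIsAfterL1NotBefore(X509Certificate cert) throws CertificateVerificationException {
        log.debug("Verifying server time against license key notBefore");
        if (this.serverTimeProvider.getServerTime().isBefore(cert.getNotBefore().toInstant())) {
            // Message corrected: the original repeated the build-time wording here, which made
            // the two clock failures indistinguishable in the log.
            log.warn("Server time is before L1 licensing authority certificate notBefore");
            throw new CertificateVerificationException(ECommonErrorType.LIC_CERTIFICATE_SERVER_TIME_BEFORE_L1_NOT_BEFORE_TIME);
        }
    }

    /** Loads the bundled CRL from the classpath. */
    private X509CRL loadCRL() throws CertificateVerificationException {
        try (InputStream in = getClass().getClassLoader().getResourceAsStream(L1_CRL)) {
            if (in == null) {
                // Fail explicitly instead of relying on how the provider treats a null stream.
                throw new CRLException("Bundled CRL resource '" + L1_CRL + "' not found");
            }
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        } catch (IOException | CRLException | CertificateException e) {
            log.warn("Loading CRL failed", e);
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
    }

    /**
     * Loads a bundled certificate from the classpath.
     *
     * @param resourceName classpath resource name of the certificate
     */
    private X509Certificate loadInternalCert(String resourceName) throws CertificateVerificationException {
        log.debug("Loading internal license key file '{}'", resourceName);
        // try-with-resources closes the stream on the failure path as well; the previous form
        // only closed it after a successful parse.
        try (InputStream in = getClass().getClassLoader().getResourceAsStream(resourceName)) {
            if (in == null) {
                // Fail explicitly instead of relying on how the provider treats a null stream.
                throw new CertificateException("Bundled certificate resource '" + resourceName + "' not found");
            }
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (IOException | CertificateException e) {
            log.warn("Loading internal license key failed", e);
            throw new CertificateVerificationException(ECommonErrorType.LIC_GEN_OPERATION_FAILED);
        }
    }

    /**
     * Loads the user license certificate from the file system.
     *
     * <p>NOTE(review): the path is opened as given, with no restriction to a base directory.
     * Verify against the caller whether it can be influenced by an untrusted party.
     *
     * @param path file system path of the certificate
     */
    private X509Certificate loadUserCert(String path) throws CertificateVerificationException {
        log.debug("Loading user license key file '{}'", path);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (IOException | InvalidPathException | CertificateException e) {
            log.warn("Loading user license key failed", e);
            throw new CertificateVerificationException(ECommonErrorType.LIC_CERTIFICATE_LOADING_FAILED);
        }
    }

    /** Two verifiers are equal when both of their time providers are equal. */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof CertificateVerifierImpl)) {
            return false;
        }
        CertificateVerifierImpl other = (CertificateVerifierImpl) obj;
        if (!other.canEqual(this)) {
            return false;
        }
        boolean sameServerTime = this.serverTimeProvider == null
                ? other.serverTimeProvider == null
                : this.serverTimeProvider.equals(other.serverTimeProvider);
        if (!sameServerTime) {
            return false;
        }
        return this.buildTimeProvider == null
                ? other.buildTimeProvider == null
                : this.buildTimeProvider.equals(other.buildTimeProvider);
    }

    /** Lets subclasses opt out of equality with this type. */
    protected boolean canEqual(Object obj) {
        return obj instanceof CertificateVerifierImpl;
    }

    /** Hash consistent with {@link #equals(Object)}; the arithmetic is kept so values do not change. */
    @Override
    public int hashCode() {
        int result = 59 + (this.serverTimeProvider == null ? 43 : this.serverTimeProvider.hashCode());
        return (result * 59) + (this.buildTimeProvider == null ? 43 : this.buildTimeProvider.hashCode());
    }
}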
