package de.trustable.ca3s.challenge;

import de.trustable.ca3s.challenge.exception.ChallengeDNSException;
import de.trustable.ca3s.challenge.exception.ChallengeDNSIdentifierException;
import de.trustable.ca3s.challenge.exception.ChallengeUnknownHostException;
import de.trustable.ca3s.challenge.exception.ChallengeValidationFailedException;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.HttpResponse;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.conn.ConnectTimeoutException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.LaxRedirectStrategy;
import org.bouncycastle.asn1.ASN1OctetString;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xbill.DNS.Lookup;
import org.xbill.DNS.Name;
import org.xbill.DNS.NameTooLongException;
import org.xbill.DNS.Record;
import org.xbill.DNS.SimpleResolver;
import org.xbill.DNS.TXTRecord;
import org.xbill.DNS.TextParseException;
import org.xbill.DNS.Type;

/* loaded from: input_file:BOOT-INF/lib/acmeChallengeHandler-1.0.0.jar:de/trustable/ca3s/challenge/ChallengeValidator.class */
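public class ChallengeValidator {
    private static final Logger LOG = LoggerFactory.getLogger(ChallengeValidator.class);

    /** Label prepended to the identifier when looking up DNS-01 TXT records. */
    public static final String ACME_CHALLENGE_PREFIX_STRING = "_acme-challenge";
    public static final Name ACME_CHALLENGE_PREFIX = Name.fromConstantString(ACME_CHALLENGE_PREFIX_STRING);
    /** OID of the id-pe-acmeIdentifier certificate extension carrying the TLS-ALPN-01 response (RFC 8737). */
    public static final String ACME_VALIDATION_OID = "1.3.6.1.5.5.7.1.31";
    /** ALPN protocol name that has to be negotiated for TLS-ALPN-01 (RFC 8737). */
    public static final String ACME_TLS_1_PROTOCOL = "acme-tls/1";

    /** RFC 8737 puts the SHA-256 digest of the key authorization into the extension: exactly 32 octets. */
    private static final int ACME_VALIDATION_DIGEST_LENGTH = 32;
    /** Upper bound on the characters read from an HTTP-01 response body; the key authorization is far shorter. */
    private static final int MAX_HTTP_RESPONSE_CHARS = 1000;
    /** Log at most this many characters of the HTTP-01 response. */
    private static final int MAX_LOGGED_RESPONSE_CHARS = 100;
    /** GeneralName type tag of a dNSName entry as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int GENERAL_NAME_DNS = 2;
    /** RFC 8737 requires TLS 1.2 or higher for the TLS-ALPN-01 handshake; listed in preference order. */
    private static final String[] ALPN_TLS_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};
    private static final int[] DEFAULT_HTTP_PORTS = {80, 5544, 8800};
    private static final int[] DEFAULT_HTTPS_PORTS = {443, 8443};

    private final int[] ports;
    private final int[] httpsPorts;
    private final long timeoutMilliSec;
    private boolean dnsActive;
    private SimpleResolver dnsResolver;

    /**
     * Creates a validator for the ACME HTTP-01, DNS-01 and TLS-ALPN-01 challenge types.
     *
     * @param str   host name of the DNS resolver to use for DNS-01; null or empty disables DNS validation
     * @param i     port of the DNS resolver
     * @param j     connect / read timeout in milliseconds applied to HTTP-01 and TLS-ALPN-01 probes
     * @param iArr  HTTP ports probed for HTTP-01; null or empty selects {@code 80, 5544, 8800}
     * @param iArr2 TLS ports probed for TLS-ALPN-01; null or empty selects {@code 443, 8443}
     */
    public ChallengeValidator(String str, int i, long j, int[] iArr, int[] iArr2) {
        if (str == null || str.isEmpty()) {
            this.dnsActive = false;
            this.dnsResolver = null;
        } else {
            try {
                this.dnsResolver = new SimpleResolver(str);
                this.dnsResolver.setPort(i);
                LOG.info("Applying default DNS resolver {}", this.dnsResolver.getAddress());
                this.dnsActive = true;
            } catch (UnknownHostException e) {
                // DNS-01 is simply unavailable in this case; retrieveChallengeDNS reports it to the caller.
                this.dnsActive = false;
                this.dnsResolver = null;
                LOG.info("Intialization of DNS resolver at '" + str + "':" + i + " failed!", e);
            }
        }
        this.timeoutMilliSec = j;
        // Copy caller-supplied arrays so later mutation by the caller cannot change the probed ports.
        this.ports = (iArr == null || iArr.length == 0) ? DEFAULT_HTTP_PORTS.clone() : iArr.clone();
        this.httpsPorts = (iArr2 == null || iArr2.length == 0) ? DEFAULT_HTTPS_PORTS.clone() : iArr2.clone();
    }

    /**
     * Looks up the TXT records of {@code _acme-challenge.<identifier>} for a DNS-01 challenge.
     *
     * @param str the identifier (host name) being validated
     * @return the string values of all TXT records found; empty when the name exists but carries no TXT record
     * @throws ChallengeDNSIdentifierException if the identifier cannot be turned into a DNS name
     * @throws ChallengeDNSException           if no resolver is configured or the lookup itself fails
     */
    public Collection<String> retrieveChallengeDNS(String str) throws ChallengeDNSIdentifierException, ChallengeDNSException {
        if (!this.dnsActive || this.dnsResolver == null) {
            // Without a resolver the lookup below would dereference null; report it as a resolver problem instead.
            throw new ChallengeDNSException("Problem accessing DNS resolver: no resolver configured");
        }
        LOG.info("DNS TXT lookup for identifier '" + str + "'");
        Name challengeName;
        try {
            Name identifier = Name.fromString(str, Name.root);
            challengeName = Name.concatenate(ACME_CHALLENGE_PREFIX, identifier);
        } catch (NameTooLongException | TextParseException e) {
            throw new ChallengeDNSIdentifierException("problem while DNS lookup of identifier '" + str + "'");
        }
        Lookup lookup = new Lookup(challengeName, Type.TXT);
        lookup.setResolver(this.dnsResolver);
        // Always ask the resolver: a cached answer could hide a token that was published after the cache entry.
        lookup.setCache(null);
        LOG.info("DNS lookup: {} records of '{}' (via resolver '{}')", Type.string(Type.TXT), challengeName, this.dnsResolver.getAddress());
        Instant start = Instant.now();
        Record[] records = lookup.run();
        int result = lookup.getResult();
        LOG.info("lookupOperation result {}, error: {}", result, lookup.getErrorString());
        switch (result) {
            case Lookup.SUCCESSFUL:
                LOG.info("DNS lookup yields: {} (took {})", Arrays.toString(records), Duration.between(start, Instant.now()));
                return extractTokenFrom(records);
            case Lookup.UNRECOVERABLE:
                throw new ChallengeDNSException("Problem accessing DNS resolver: UNRECOVERABLE");
            case Lookup.TRY_AGAIN:
                throw new ChallengeDNSException("Problem accessing DNS resolver: TRY_AGAIN");
            case Lookup.HOST_NOT_FOUND:
                throw new ChallengeDNSException("Problem accessing DNS resolver: HOST_NOT_FOUND");
            case Lookup.TYPE_NOT_FOUND:
                // The name exists but has no TXT record: the token has not been published (yet).
                return Collections.emptyList();
            default:
                LOG.warn("Unexpected DNS lookup result: " + result);
                throw new ChallengeDNSException("Problem accessing DNS resolver: UNRECOVERABLE");
        }
    }

    /**
     * Fetches {@code http://<host>:<port>/.well-known/acme-challenge/<token>} for an HTTP-01 challenge, trying each
     * configured HTTP port in turn until one answers with status 200.
     *
     * @param str  the host name being validated
     * @param str2 the challenge token forming the last path segment
     * @return the trimmed response body of the first port that answered with status 200
     * @throws ChallengeUnknownHostException     if the host name cannot be resolved
     * @throws ChallengeValidationFailedException if no configured port returned a usable response
     */
    public String retrieveChallengeHttp(String str, String str2) throws ChallengeUnknownHostException, ChallengeValidationFailedException {
        String path = "/.well-known/acme-challenge/" + str2;
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectionRequestTimeout((int) this.timeoutMilliSec)
                .setConnectTimeout((int) this.timeoutMilliSec)
                .setSocketTimeout((int) this.timeoutMilliSec)
                .build();
        for (int port : this.ports) {
            // LaxRedirectStrategy follows redirects, as RFC 8555 section 8.3 allows; the redirect target is chosen by
            // the challenged host, so the network this validator runs in should not expose internal services to it.
            try (CloseableHttpClient client = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
                URL url = new URL("http", str, port, path);
                LOG.debug("Opening connection to  : " + url);
                HttpGet httpGet = new HttpGet(url.toString());
                httpGet.addHeader("User-Agent", "CA3S_ACME");
                httpGet.setConfig(requestConfig);
                try (CloseableHttpResponse response = client.execute(httpGet)) {
                    int statusCode = response.getStatusLine().getStatusCode();
                    LOG.debug("\nSending 'GET' request to URL : " + url);
                    LOG.debug("Response Code : " + statusCode);
                    if (statusCode != 200) {
                        LOG.info("read challenge responded with unexpected code : " + statusCode);
                        continue;
                    }
                    if (response.getEntity() == null) {
                        LOG.info("read challenge responded with status 200 but without a body on " + str + ":" + port);
                        continue;
                    }
                    return readChallengeResponse(response.getEntity().getContent());
                }
            } catch (SocketTimeoutException | ConnectTimeoutException e) {
                LOG.info("timeout connecting to " + str + ":" + port + "  checking HTTP-01 challenge!");
            } catch (UnknownHostException e) {
                // A name that does not resolve will not resolve on the next port either: give up at once.
                String message = "unable to resolve hostname: '" + str + "' checking HTTP-01 challenge.";
                LOG.info(message);
                throw new ChallengeUnknownHostException(message);
            } catch (IOException e) {
                LOG.info("problem reading HTTP-01 challenge response on " + str + ":" + port + " : " + e.getMessage());
                LOG.debug("exception occurred reading challenge response", e);
            }
        }
        throw new ChallengeValidationFailedException();
    }

    /**
     * Reads the challenge response from an already opened connection.
     *
     * @param httpURLConnection connection whose input stream holds the response body
     * @return the trimmed response body, see {@link #readChallengeResponse(InputStream)}
     * @throws IOException if the stream cannot be read
     */
    private String readChallengeResponse(HttpURLConnection httpURLConnection) throws IOException {
        return readChallengeResponse(httpURLConnection.getInputStream());
    }

    /**
     * Reads the response body as UTF-8 text, concatenating lines without separators and stopping once more than
     * {@link #MAX_HTTP_RESPONSE_CHARS} characters have been collected, so a hostile server cannot make us buffer
     * an unbounded body.
     *
     * @param inputStream the body; it is closed by this method
     * @return the collected text, trimmed
     * @throws IOException if the stream cannot be read
     */
    private String readChallengeResponse(InputStream inputStream) throws IOException {
        StringBuilder body = new StringBuilder();
        // The key authorization is plain ASCII, so UTF-8 decodes it unchanged regardless of the platform charset.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line);
                if (body.length() > MAX_HTTP_RESPONSE_CHARS) {
                    LOG.debug("limiting read of challenge response to 1000 characters.");
                    break;
                }
            }
        }
        String response = body.toString().trim();
        if (response.length() > MAX_LOGGED_RESPONSE_CHARS) {
            LOG.debug("read challenge response (truncated): " + response.substring(0, MAX_LOGGED_RESPONSE_CHARS) + " ...");
        } else {
            LOG.debug("read challenge response: " + response);
        }
        return response;
    }

    /**
     * Performs a TLS-ALPN-01 probe (RFC 8737) against each configured TLS port in turn and returns the digest
     * carried by the first certificate that passes validation.
     *
     * @param str the host name being validated
     * @return base64 of the 32-octet acmeIdentifier extension content
     * @throws GeneralSecurityException           if the TLS context cannot be initialised
     * @throws ChallengeUnknownHostException      if the host name cannot be resolved
     * @throws ChallengeValidationFailedException if no configured port presented a valid challenge certificate
     */
    public String retrieveChallengeALPN(String str) throws GeneralSecurityException, ChallengeUnknownHostException, ChallengeValidationFailedException {
        // RFC 8737 validation certificates are self-signed, so the handshake cannot be anchored to any trust store.
        // This manager therefore accepts any chain. It is confined to this probe, and the connection is used for
        // nothing but reading the presented certificate, which validateALPNCertificate checks explicitly.
        TrustManager[] trustManagerArr = {new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The interface contract requires a non-null array.
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
                // intentionally no check, see above
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                // intentionally no check, see above
            }
        }};
        for (int port : this.httpsPorts) {
            try {
                return validateALPNChallenge(str, trustManagerArr, port);
            } catch (UnknownHostException e) {
                String message = "unable to resolve hostname: '" + str + "'";
                LOG.info(message);
                throw new ChallengeUnknownHostException(message);
            } catch (SSLException e) {
                LOG.info("TLS handshake for alpn challenge with " + str + ":" + port + " failed : " + e.getMessage());
                LOG.debug("exception occurred during alpn handshake", e);
            } catch (IOException e) {
                LOG.info("problem reading alpn certificate on " + str + ":" + port + " : " + e.getMessage());
                LOG.debug("exception occurred reading challenge response", e);
            } catch (KeyManagementException | NoSuchAlgorithmException e) {
                throw new GeneralSecurityException(e);
            } catch (CertificateException e) {
                LOG.info("problem reading alpn challenge response in certificate provided by " + str + ":" + port + " : " + e.getMessage());
                LOG.debug("exception occurred reading alpn challenge response certificate", e);
            }
        }
        throw new ChallengeValidationFailedException();
    }

    /**
     * Connects to one port with SNI set to the host and {@code acme-tls/1} offered via ALPN, verifies that the
     * server actually negotiated that protocol, then validates the single presented certificate and extracts the
     * acmeIdentifier extension.
     *
     * @param str             the host name being validated
     * @param trustManagerArr trust managers for the probe context
     * @param i               TLS port to probe
     * @return base64 of the 32-octet extension content
     * @throws IOException              on connection or handshake failure, including a missing ALPN negotiation
     * @throws CertificateException     if the presented certificate does not satisfy RFC 8737
     * @throws NoSuchAlgorithmException if no TLS context is available
     * @throws KeyManagementException   if the context cannot be initialised
     */
    private String validateALPNChallenge(String str, TrustManager[] trustManagerArr, int i) throws IOException, CertificateException, NoSuchAlgorithmException, KeyManagementException {
        LOG.debug("Opening ALPN connection to {}:{} ", str, i);
        SSLContext sslContext;
        try {
            sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagerArr, new SecureRandom());
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            LOG.warn("algorithm initialization problem ", e);
            throw e;
        }
        Certificate[] peerCertificates;
        try (SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket(str, i)) {
            // Bound the handshake reads with the configured timeout so a stalled server cannot block the validator.
            socket.setSoTimeout((int) this.timeoutMilliSec);
            SSLParameters parameters = socket.getSSLParameters();
            parameters.setServerNames(Collections.singletonList(new SNIHostName(str)));
            parameters.setApplicationProtocols(new String[]{ACME_TLS_1_PROTOCOL});
            String[] protocols = tlsProtocolsFor(socket);
            if (protocols.length > 0) {
                parameters.setProtocols(protocols);
            }
            socket.setSSLParameters(parameters);
            socket.startHandshake();
            String negotiated = socket.getApplicationProtocol();
            LOG.debug("Application Protocol server side: \"" + negotiated + "\"");
            // RFC 8737 section 3: the server must have selected acme-tls/1; a certificate obtained from an ordinary
            // TLS endpoint that ignored ALPN must not count as a challenge response.
            if (!ACME_TLS_1_PROTOCOL.equals(negotiated)) {
                String message = "server " + str + ":" + i + " did not negotiate application protocol '" + ACME_TLS_1_PROTOCOL + "' (got '" + negotiated + "')";
                LOG.info(message);
                throw new SSLException(message);
            }
            peerCertificates = socket.getSession().getPeerCertificates();
        }
        if (peerCertificates.length == 0) {
            String message = "no certificate available after connection with " + str + ":" + i;
            LOG.info(message);
            throw new CertificateException(message);
        }
        if (peerCertificates.length > 1) {
            String message = "more than one (#" + peerCertificates.length + ") certificate returned " + str + ":" + i + ", expecting a single selfsigned certificate";
            LOG.info(message);
            throw new CertificateException(message);
        }
        // Re-parse through the X.509 factory so the extension accessors below operate on a standard certificate object.
        X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(peerCertificates[0].getEncoded()));
        validateALPNCertificate(str, i, certificate);
        byte[] extensionValue = certificate.getExtensionValue(ACME_VALIDATION_OID);
        if (extensionValue == null) {
            String message = "ACME validation extension missing in certificate provided by " + str + ":" + i;
            LOG.info(message);
            throw new CertificateException(message);
        }
        // getExtensionValue returns the DER OCTET STRING wrapping the extension; the acmeIdentifier payload is
        // itself an OCTET STRING, hence the two-level decoding.
        ASN1OctetString wrapper = asOctetString(extensionValue, str, i);
        ASN1OctetString digest = asOctetString(wrapper.getOctets(), str, i);
        byte[] octets = digest.getOctets();
        if (octets.length != ACME_VALIDATION_DIGEST_LENGTH) {
            String message = "actualContent has unexpected length of rfc8737OctetString : " + octets.length;
            LOG.info(message);
            throw new CertificateException(message);
        }
        String encoded = Base64.getEncoder().encodeToString(octets);
        LOG.debug("read challenge response: " + encoded);
        return encoded;
    }

    /**
     * Decodes DER bytes that must be an OCTET STRING.
     *
     * @throws IOException          if the bytes are not valid DER
     * @throws CertificateException if the decoded object is not an OCTET STRING
     */
    private static ASN1OctetString asOctetString(byte[] der, String host, int port) throws IOException, CertificateException {
        Object decoded = ASN1OctetString.fromByteArray(der);
        if (!(decoded instanceof ASN1OctetString)) {
            String message = "ACME validation extension in certificate provided by " + host + ":" + port + " is not an OCTET STRING";
            LOG.info(message);
            throw new CertificateException(message);
        }
        return (ASN1OctetString) decoded;
    }

    /** Returns the protocols of {@link #ALPN_TLS_PROTOCOLS} that the socket supports, in preference order. */
    private static String[] tlsProtocolsFor(SSLSocket socket) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> selected = new ArrayList<>();
        for (String protocol : ALPN_TLS_PROTOCOLS) {
            if (supported.contains(protocol)) {
                selected.add(protocol);
            }
        }
        return selected.toArray(new String[0]);
    }

    /**
     * Checks the RFC 8737 requirements on a challenge certificate: exactly one subjectAltName entry, of type dNSName,
     * equal (case-insensitively) to the validated host, and the acmeIdentifier extension present and critical.
     *
     * @param str             the host name being validated
     * @param i               port the certificate was obtained from, for messages only
     * @param x509Certificate the presented certificate
     * @throws CertificateException if any requirement is not met or the certificate cannot be parsed
     */
    private void validateALPNCertificate(String str, int i, X509Certificate x509Certificate) throws CertificateException {
        if (LOG.isDebugEnabled()) {
            try {
                LOG.debug("alpn certificate : {}", Base64.getEncoder().encodeToString(x509Certificate.getEncoded()));
            } catch (CertificateEncodingException e) {
                LOG.info("Encoding problem parsing ALPN certificate");
                throw e;
            }
        }
        // getSubjectAlternativeNames() re-parses the extension on every call; read it once.
        Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
        if (subjectAlternativeNames == null || subjectAlternativeNames.isEmpty()) {
            String message = "no SAN entry available in certificate provided by " + str + ":" + i;
            LOG.info(message);
            throw new CertificateException(message);
        }
        if (subjectAlternativeNames.size() > 1) {
            String message = "more than one SAN entry (#" + subjectAlternativeNames.size() + ") included in certificate provided by " + str + ":" + i;
            LOG.info(message);
            throw new CertificateException(message);
        }
        for (List<?> entry : subjectAlternativeNames) {
            int type = ((Integer) entry.get(0)).intValue();
            if (GENERAL_NAME_DNS != type) {
                String message = "unexpected SAN entry type (" + type + ") in alpn certificate provided by '" + str + ":" + i + "', 'DNS' (2) expected.";
                LOG.info(message);
                throw new CertificateException(message);
            }
            String sanValue = sanValueAsString(entry.get(1));
            if (!str.equalsIgnoreCase(sanValue)) {
                String message = "SAN entry value (" + sanValue + ") in alpn certificate provided by '" + str + ":" + i + "', does not match expected host '" + str + "'";
                LOG.info(message);
                throw new CertificateException(message);
            }
            LOG.debug("SAN entry '{}' machtes expected host '{}'", sanValue, str);
        }
        // getCriticalExtensionOIDs() returns null when the certificate has no critical extension at all.
        Collection<String> criticalOids = x509Certificate.getCriticalExtensionOIDs();
        if (criticalOids == null || !criticalOids.contains(ACME_VALIDATION_OID)) {
            String message = "ACME validation oid is NOT present and NOT marked as critical in certificate provided by '" + str + ":" + i + "'";
            LOG.info(message);
            throw new CertificateException(message);
        }
        LOG.debug("ACME validation oid is present and marked as critical!");
    }

    /**
     * Lower-cases a subjectAltName value, which the JDK reports as a String for dNSName entries and may report
     * as raw bytes for other encodings; anything else yields the empty string.
     */
    private static String sanValueAsString(Object value) {
        if (value instanceof String) {
            return ((String) value).toLowerCase(Locale.ROOT);
        }
        if (value instanceof byte[]) {
            // dNSName is an IA5String, so UTF-8 (a superset of ASCII) decodes it unchanged.
            return new String((byte[]) value, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT);
        }
        return "";
    }

    /**
     * Collects the string values of all TXT records in the lookup result.
     *
     * @param recordArr lookup result, may be null
     * @return the TXT strings in record order; empty for null or empty input
     */
    private List<String> extractTokenFrom(Record[] recordArr) {
        List<String> tokens = new ArrayList<>();
        if (recordArr == null) {
            return tokens;
        }
        for (Record record : recordArr) {
            LOG.debug("Found DNS entry solving '{}'", record);
            if (record instanceof TXTRecord) {
                tokens.addAll(((TXTRecord) record).getStrings());
            } else {
                // A TXT lookup should only yield TXT records; do not let anything else reach the token comparison.
                LOG.debug("ignoring non-TXT record {}", record);
            }
        }
        return tokens;
    }
}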
