package org.cesecore.certificates.ocsp.cache;

import java.math.BigInteger;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.log4j.Logger;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID;
import org.cesecore.certificates.ocsp.SHA1DigestCalculator;
import org.cesecore.certificates.ocsp.exception.OcspFailureException;
import org.cesecore.config.OcspConfiguration;
import org.cesecore.util.CertTools;

/* loaded from: input_file:org/cesecore/certificates/ocsp/cache/OcspSigningCache.class */
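/**
 * Process-wide cache of OCSP signing entries, keyed by an int derived from the issuer name hash and
 * issuer key hash of a {@link CertificateID} (see {@link #getCacheIdFromCertificateID}).
 *
 * <p>A full reload goes through a staging map: {@link #stagingStart()}, any number of
 * {@link #stagingAdd} calls, {@link #stagingCommit()}, and finally {@link #stagingRelease()}.
 * {@code stagingStart()} acquires the lock and only {@code stagingRelease()} releases it, so callers
 * must pair them (release in a {@code finally} block) or the lock stays held.
 *
 * <p>Thread-safety: the read methods never take the lock. The published map and the default entry
 * are therefore {@code volatile}, and a published map is replaced rather than modified in place.
 */
public enum OcspSigningCache {
    INSTANCE;

    private static final Logger log = Logger.getLogger(OcspSigningCache.class);

    // Published to lock-free readers; volatile so a reader sees a fully built map after a swap.
    private volatile Map<Integer, OcspSigningCacheEntry> cache = new HashMap<Integer, OcspSigningCacheEntry>();
    // Only touched by the thread running the staging sequence.
    private Map<Integer, OcspSigningCacheEntry> staging = new HashMap<Integer, OcspSigningCacheEntry>();
    // Read without the lock by getDefaultEntry(), hence volatile.
    private volatile OcspSigningCacheEntry defaultResponderCacheEntry = null;
    private final ReentrantLock lock = new ReentrantLock(false);
    // These two flags keep the "default responder found / not found" message from being
    // logged again on every commit while the outcome stays the same.
    private volatile boolean loggedDefaultResponder = false;
    private volatile boolean loggedNoDefaultResponder = false;

    /**
     * Looks up the signing entry for a certificate ID.
     *
     * <p>NOTE(review): the lookup key is a 32-bit fold of the two issuer hashes, not the hashes
     * themselves, so two different issuers can map to the same key. If {@code certificateID} comes
     * from an OCSP request (presumably client-supplied; confirm against the caller), a hit should
     * be treated as a candidate and the caller should confirm that the entry's own certificate ID
     * matches the requested issuer hashes before signing with it.
     *
     * @param certificateID the certificate ID whose issuer hashes select the entry
     * @return the cached entry, or {@code null} if no entry is stored under the derived key
     */
    public OcspSigningCacheEntry getEntry(CertificateID certificateID) {
        return this.cache.get(getCacheIdFromCertificateID(certificateID));
    }

    /**
     * @return the entry chosen as default responder by the last {@link #stagingCommit()}, or
     *         {@code null} if none matched
     */
    public OcspSigningCacheEntry getDefaultEntry() {
        return this.defaultResponderCacheEntry;
    }

    /**
     * @return a view of the values of the currently published map; it is not a copy, so callers
     *         must treat it as read-only
     */
    public Collection<OcspSigningCacheEntry> getEntries() {
        return this.cache.values();
    }

    /**
     * Begins a reload: acquires the lock and starts from an empty staging map. The lock is held
     * until {@link #stagingRelease()} is called.
     */
    public void stagingStart() {
        this.lock.lock();
        this.staging = new HashMap<Integer, OcspSigningCacheEntry>();
    }

    /**
     * Adds an entry to the staging map under the key derived from its certificate ID. An entry
     * already staged under the same key is replaced. Does not take the lock itself.
     *
     * @param ocspSigningCacheEntry the entry to stage
     */
    public void stagingAdd(OcspSigningCacheEntry ocspSigningCacheEntry) {
        this.staging.put(getCacheIdFromCertificateID(ocspSigningCacheEntry.getCertificateID()), ocspSigningCacheEntry);
    }

    /**
     * Publishes the staging map as the live cache and selects the default responder entry.
     *
     * <p>An entry without an OCSP signing certificate is the default if the subject DN of the
     * first certificate in its CA chain equals the configured default responder ID; an entry with
     * a signing certificate is the default if that certificate's issuer DN equals it. When several
     * entries match, the last one iterated wins. Does not take the lock itself.
     */
    public void stagingCommit() {
        OcspSigningCacheEntry defaultEntry = null;
        for (OcspSigningCacheEntry candidate : this.staging.values()) {
            if (candidate.getOcspSigningCertificate() == null) {
                if (CertTools.getSubjectDN(candidate.getCaCertificateChain().get(0)).equals(OcspConfiguration.getDefaultResponderId())) {
                    defaultEntry = candidate;
                    if (!this.loggedDefaultResponder) {
                        log.info("Setting CA with DN " + OcspConfiguration.getDefaultResponderId() + " as default OCSP responder.");
                        this.loggedDefaultResponder = true;
                    }
                }
            } else if (CertTools.getIssuerDN(candidate.getOcspSigningCertificate()).equals(OcspConfiguration.getDefaultResponderId())) {
                defaultEntry = candidate;
                if (!this.loggedDefaultResponder) {
                    log.info("Setting keybinding with ID" + candidate.getOcspKeyBinding().getId() + " and DN " + OcspConfiguration.getDefaultResponderId() + " as default OCSP responder.");
                    this.loggedDefaultResponder = true;
                }
            }
        }
        if (defaultEntry == null) {
            if (!this.loggedNoDefaultResponder) {
                log.info("The default OCSP responder with subject '" + OcspConfiguration.getDefaultResponderId() + "' was not found. OCSP requests for certificates issued by unknown CAs will return \"unauthorized\" as per RFC6960, Section 2.3");
                this.loggedNoDefaultResponder = true;
            }
            // Re-arm the "found" message so it is logged when a default responder reappears.
            this.loggedDefaultResponder = false;
        } else {
            this.loggedNoDefaultResponder = false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Committing the following to OCSP cache:");
            for (Map.Entry<Integer, OcspSigningCacheEntry> staged : this.staging.entrySet()) {
                final OcspSigningCacheEntry stagedEntry = staged.getValue();
                final X509Certificate firstInChain = stagedEntry.getFullCertificateChain().get(0);
                // The value printed as "KeyBindingId" is the map key, i.e. the derived cache id.
                log.debug(" KeyBindingId: " + staged.getKey() + ", SubjectDN '" + CertTools.getSubjectDN(firstInChain) + "', IssuerDN '" + CertTools.getIssuerDN(firstInChain) + "', SerialNumber " + firstInChain.getSerialNumber().toString() + CertTools.PERMANENTIDENTIFIER_SEP + firstInChain.getSerialNumber().toString(16));
                if (stagedEntry.getOcspKeyBinding() != null) {
                    log.debug("   keyPairAlias: " + stagedEntry.getOcspKeyBinding().getKeyPairAlias());
                }
            }
        }
        // Volatile writes: everything put into the staging map happens-before a reader's lookup.
        // The two fields are still published one after the other, not atomically as a pair.
        this.cache = this.staging;
        this.defaultResponderCacheEntry = defaultEntry;
    }

    /**
     * Ends a reload by releasing the lock taken in {@link #stagingStart()}. Must be called by the
     * thread that called {@code stagingStart()}.
     */
    public void stagingRelease() {
        this.lock.unlock();
    }

    /**
     * Adds one entry to the live cache unless an entry already exists under the same derived key.
     *
     * <p>The live map is replaced by an updated copy instead of being modified in place, because
     * {@link #getEntry} and {@link #getEntries} read it without holding the lock and a
     * {@link HashMap} must not be structurally modified while other threads read it.
     *
     * @param ocspSigningCacheEntry the entry to add
     */
    public void addSingleEntry(OcspSigningCacheEntry ocspSigningCacheEntry) {
        final int cacheId = getCacheIdFromCertificateID(ocspSigningCacheEntry.getCertificateID());
        this.lock.lock();
        try {
            final Map<Integer, OcspSigningCacheEntry> current = this.cache;
            if (!current.containsKey(cacheId)) {
                final Map<Integer, OcspSigningCacheEntry> updated = new HashMap<Integer, OcspSigningCacheEntry>(current);
                updated.put(cacheId, ocspSigningCacheEntry);
                this.cache = updated;
            }
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Derives the int cache key for a certificate ID: the {@code hashCode()} of the issuer name
     * hash XORed with the {@code hashCode()} of the issuer key hash, each read as a
     * {@link BigInteger}.
     *
     * <p>The result is a 32-bit, non-cryptographic value; distinct issuers can share a key. The
     * {@code BigInteger(byte[])} constructor throws {@link NumberFormatException} for a
     * zero-length array, so a certificate ID with an empty hash field is rejected with that
     * exception rather than mapped to a key.
     *
     * @param certificateID the certificate ID to derive the key from
     * @return the derived cache key
     */
    public static int getCacheIdFromCertificateID(CertificateID certificateID) {
        final BigInteger issuerNameHash = new BigInteger(certificateID.getIssuerNameHash());
        final BigInteger issuerKeyHash = new BigInteger(certificateID.getIssuerKeyHash());
        final int cacheId = issuerNameHash.hashCode() ^ issuerKeyHash.hashCode();
        if (log.isDebugEnabled()) {
            log.debug("Using getIssuerNameHash " + issuerNameHash.toString(16) + " and getIssuerKeyHash " + issuerKeyHash.toString(16) + " to produce id " + cacheId);
        }
        return cacheId;
    }

    /**
     * Builds a {@link CertificateID} from a certificate and its own serial number, using the
     * digest calculator returned by {@code SHA1DigestCalculator.buildSha1Instance()}.
     *
     * <p>NOTE(review): certificate IDs built here carry hashes from that one digest calculator, so
     * a request whose certificate ID uses a different hash algorithm would presumably not map to
     * the same cache key; confirm how callers handle such requests.
     *
     * @param x509Certificate the certificate to build the ID from
     * @return the certificate ID
     * @throws OcspFailureException if the certificate cannot be encoded or the ID cannot be built
     */
    public static CertificateID getCertificateIDFromCertificate(X509Certificate x509Certificate) {
        try {
            if (log.isTraceEnabled()) {
                log.trace("Building CertificateId from certificate with subjectDN '" + CertTools.getSubjectDN(x509Certificate) + "'.");
            }
            return new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), x509Certificate, x509Certificate.getSerialNumber());
        } catch (CertificateEncodingException e) {
            throw new OcspFailureException(e);
        } catch (OCSPException e2) {
            throw new OcspFailureException((Throwable) e2);
        }
    }
}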
