package org.apache.catalina.security;

import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Set;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.res.StringManager;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.18.jar:org/apache/catalina/security/TLSCertificateReloadListener.class */
/**
 * Server-level lifecycle listener that periodically looks for TLS certificates that are about to
 * expire and asks the owning connector to reload the affected TLS host configuration.
 *
 * <p>A reload is attempted only for a host configuration that reports at least one certificate
 * expiring within {@code daysBefore} days. A certificate replaced for any other reason (for
 * example after a key compromise) while the old one is still outside that window is not picked up
 * by this listener.
 *
 * <p>After a reload, every certificate that still expires within the window is logged at WARN
 * with the {@code tlsCertRenewalListener.notRenewed} message. That entry means the reload ran but
 * the certificate in use was not replaced, so it is the one to alert on.
 *
 * <p>NOTE(review): {@link SimpleDateFormat} and the {@code nextCheck} calendar are used without
 * synchronization. This assumes periodic events reach the listener from one thread at a time.
 * TODO confirm against the component that fires them.
 */
public class TLSCertificateReloadListener implements LifecycleListener {
    private static final Log log = LogFactory.getLog(TLSCertificateReloadListener.class);
    private static final StringManager sm = StringManager.getManager(TLSCertificateReloadListener.class);

    // Timestamp layout used when reporting the notAfter date of a certificate that was not renewed.
    private final SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssXXX");

    // Minimum time between two expiry checks, in seconds (default: one day).
    private int checkPeriod = 24 * 60 * 60;

    // A certificate expiring within this many days triggers a reload.
    private int daysBefore = 14;

    // Earliest moment at which the next expiry check may run; starts at construction time.
    private Calendar nextCheck = Calendar.getInstance();

    /**
     * Returns the minimum interval between expiry checks.
     *
     * @return the interval in seconds
     */
    public int getCheckPeriod() {
        return this.checkPeriod;
    }

    /**
     * Sets the minimum interval between expiry checks. The value is stored without validation:
     * with zero or a negative value {@code nextCheck} never moves forward, so the check then runs
     * on every periodic event.
     *
     * @param checkPeriod the interval in seconds
     */
    public void setCheckPeriod(int checkPeriod) {
        this.checkPeriod = checkPeriod;
    }

    /**
     * Returns how many days before expiry a certificate triggers a reload.
     *
     * @return the look-ahead window in days
     */
    public int getDaysBefore() {
        return this.daysBefore;
    }

    /**
     * Sets how many days before expiry a certificate triggers a reload. The value is stored
     * without validation: a negative value moves the threshold into the past, so only
     * certificates that have already expired would trigger a reload.
     *
     * @param daysBefore the look-ahead window in days
     */
    public void setDaysBefore(int daysBefore) {
        this.daysBefore = daysBefore;
    }

    /**
     * Runs the expiry check on periodic events whose source is a {@link Server}, and warns at
     * {@code before_init} time when the listener is attached to anything other than a Server.
     * All other events are ignored.
     *
     * @param event the lifecycle event delivered by the container
     */
    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        String type = event.getType();

        if (type.equals(Lifecycle.PERIODIC_EVENT)) {
            Object source = event.getSource();
            if (source instanceof Server) {
                checkCertificatesForRenewal((Server) source);
            }
            return;
        }

        // Misconfiguration hint: nested anywhere but under a Server, the periodic branch above
        // never runs the check, so no certificate would ever be examined.
        if (type.equals(Lifecycle.BEFORE_INIT_EVENT) && !(event.getLifecycle() instanceof Server)) {
            log.warn(sm.getString("listener.notServer", event.getLifecycle().getClass().getSimpleName()));
        }
    }

    /**
     * Walks every service, connector and TLS host configuration of the server and reloads those
     * holding a certificate that expires within the configured window. Does nothing until
     * {@code nextCheck} has passed.
     *
     * @param server the server whose connectors are inspected
     */
    private void checkCertificatesForRenewal(Server server) {
        Calendar expiryThreshold = Calendar.getInstance();
        if (expiryThreshold.compareTo(this.nextCheck) <= 0) {
            // Still inside the current check period.
            return;
        }

        // Schedule the following check relative to the previous deadline, then turn "now" into
        // the expiry threshold (now + daysBefore).
        this.nextCheck.add(Calendar.SECOND, getCheckPeriod());
        expiryThreshold.add(Calendar.DAY_OF_MONTH, getDaysBefore());

        for (Service service : server.findServices()) {
            for (Connector connector : service.findConnectors()) {
                for (SSLHostConfig hostConfig : connector.findSslHostConfigs()) {
                    if (hostConfig.certificatesExpiringBefore(expiryThreshold.getTime()).isEmpty()) {
                        continue;
                    }
                    reloadHostConfig(connector, hostConfig, expiryThreshold);
                }
            }
        }
    }

    /**
     * Asks the connector's protocol handler to replace one TLS host configuration and reports the
     * outcome. Only {@link IllegalArgumentException} is treated as a failed reload and logged at
     * ERROR; any other exception propagates to the caller.
     *
     * @param connector the connector that owns the host configuration
     * @param hostConfig the TLS host configuration to reload
     * @param expiryThreshold certificates expiring before this instant count as not renewed
     */
    private void reloadHostConfig(Connector connector, SSLHostConfig hostConfig, Calendar expiryThreshold) {
        try {
            connector.getProtocolHandler().addSslHostConfig(hostConfig, true);

            // Ask again after the reload: anything still listed was not replaced.
            Set<X509Certificate> stillExpiring = hostConfig.certificatesExpiringBefore(expiryThreshold.getTime());
            log.info(sm.getString("tlsCertRenewalListener.reloadSuccess", connector, hostConfig.getHostName()));

            for (X509Certificate certificate : stillExpiring) {
                log.warn(sm.getString("tlsCertRenewalListener.notRenewed", connector, hostConfig.getHostName(), certificate.getSubjectX500Principal().getName(), this.dateFormat.format(certificate.getNotAfter())));
            }
        } catch (IllegalArgumentException e) {
            log.error(sm.getString("tlsCertRenewalListener.reloadFailed", connector, hostConfig.getHostName()), e);
        }
    }
}
