package org.jsslutils.sslcontext.trustmanagers;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.jsslutils.sslcontext.X509TrustManagerWrapper;

/* loaded from: input_file:org/jsslutils/sslcontext/trustmanagers/GsiWrappingTrustManager.class */
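/**
 * {@link X509TrustManager} decorator that accepts client chains carrying proxy certificates
 * (certificates issued by the end-entity certificate, or by a previous proxy, rather than by a CA).
 *
 * <p>For client authentication the chain is split at the first non-CA certificate found when
 * scanning from the root end. That certificate and everything above it are handed to the wrapped
 * trust manager for ordinary path validation; every certificate below it is treated as a proxy and
 * checked here. Server chains and accepted issuers are delegated unchanged.
 */
public class GsiWrappingTrustManager implements X509TrustManager {
    private final X509TrustManager trustManager;

    /** {@link X509TrustManagerWrapper} that decorates a trust manager with proxy-chain checking. */
    public static class Wrapper implements X509TrustManagerWrapper {
        /**
         * Wraps the given trust manager.
         *
         * @param x509TrustManager trust manager that performs the standard path validation
         * @return a {@link GsiWrappingTrustManager} delegating to {@code x509TrustManager}
         */
        @Override
        public X509TrustManager wrapTrustManager(X509TrustManager x509TrustManager) {
            return new GsiWrappingTrustManager(x509TrustManager);
        }
    }

    /**
     * Creates a trust manager that delegates standard validation to {@code x509TrustManager}.
     *
     * @param x509TrustManager trust manager used for the non-proxy part of the chain
     */
    public GsiWrappingTrustManager(X509TrustManager x509TrustManager) {
        this.trustManager = x509TrustManager;
    }

    /**
     * Validates a client chain that may end (at the low indices) in proxy certificates.
     *
     * <p>Each proxy must be within its validity period, be signed by the key of the certificate
     * directly above it, name that certificate's subject as its issuer, and have a subject DN
     * that starts with {@code CN=} and is the issuer DN with further RDNs prepended. Once a
     * {@code CN=limited proxy} certificate has been seen, any further proxy below it is rejected.
     *
     * @param x509CertificateArr peer chain, leaf first
     * @param str authentication type, passed through to the wrapped trust manager
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if the chain has no end-entity certificate, the wrapped trust
     *     manager rejects the standard part, or a proxy certificate fails any check above
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        // The X509TrustManager contract reserves IllegalArgumentException for a missing chain;
        // without this guard an empty chain surfaced as ArrayIndexOutOfBoundsException.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be null or empty.");
        }

        // Walk down from the root end past every CA certificate (basicConstraints != -1);
        // the first non-CA certificate is the end-entity certificate.
        int eecIndex = x509CertificateArr.length - 1;
        while (eecIndex >= 0 && x509CertificateArr[eecIndex].getBasicConstraints() != -1) {
            eecIndex--;
        }
        if (eecIndex < 0) {
            // A chain made only of CA certificates previously fell through to index -1.
            throw new CertificateException("No end-entity certificate found in the chain.");
        }

        // Standard PKIX part: end-entity certificate plus its CA chain.
        X509Certificate[] standardChain = new X509Certificate[x509CertificateArr.length - eecIndex];
        System.arraycopy(x509CertificateArr, eecIndex, standardChain, 0, standardChain.length);
        this.trustManager.checkClientTrusted(standardChain, str);

        boolean limited = false;
        X509Certificate signer = x509CertificateArr[eecIndex];
        for (int i = eecIndex - 1; i >= 0; i--) {
            X509Certificate proxy = x509CertificateArr[i];
            X500Principal signerSubject = signer.getSubjectX500Principal();
            X500Principal proxyIssuer = proxy.getIssuerX500Principal();
            String name = proxy.getSubjectX500Principal().getName("RFC2253");
            String name2 = proxyIssuer.getName("RFC2253");

            proxy.checkValidity();
            try {
                proxy.verify(signer.getPublicKey());
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
                throw new CertificateException("Failed to verify certificate '" + name + "' issued by '" + name2
                        + "' with public key from '" + signerSubject.getName("RFC2253") + "'.", e);
            }

            // Name chaining: the signature check alone does not tie the issuer field to the
            // certificate whose key produced the signature, and the subject checks below are
            // made against that issuer field. Require it to be the signer's subject so the
            // proxy's name is anchored to the identity validated by the wrapped trust manager.
            if (!proxyIssuer.equals(signerSubject)) {
                throw new CertificateException("Proxy issuer DN '" + name2 + "' does not match subject DN '"
                        + signerSubject.getName("RFC2253") + "' of the signing certificate!");
            }
            if (limited) {
                throw new CertificateException("Previous proxy is limited!");
            }
            // Match on an RDN separator so the issuer DN cannot be satisfied by the tail of an
            // unrelated attribute value.
            // NOTE(review): this is still a string-level comparison of RFC 2253 names; comparing
            // parsed RDN sequences would be stricter — confirm whether that is wanted here.
            if (!name.endsWith("," + name2)) {
                throw new CertificateException("Proxy subject DN must end with issuer DN, got '" + name + "'!");
            }
            if (!name.startsWith("CN=")) {
                throw new CertificateException("Proxy must start with 'CN=', got '" + name + "'!");
            }
            if (name.startsWith("CN=limited proxy")) {
                limited = true;
            }
            signer = proxy;
        }
    }

    /**
     * Delegates server chain validation to the wrapped trust manager; no proxy handling is applied.
     *
     * @param x509CertificateArr peer chain
     * @param str key exchange algorithm, passed through unchanged
     * @throws CertificateException if the wrapped trust manager rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.trustManager.checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Returns the accepted issuers reported by the wrapped trust manager.
     *
     * @return the wrapped trust manager's accepted issuer certificates
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustManager.getAcceptedIssuers();
    }
}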
