package com.unboundid.util.ssl;

import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.RDN;
import com.unboundid.util.Debug;
import com.unboundid.util.ObjectPair;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.args.IPAddressArgumentValueValidator;
import com.unboundid.util.ssl.cert.BasicConstraintsExtension;
import com.unboundid.util.ssl.cert.CertException;
import com.unboundid.util.ssl.cert.ExtendedKeyUsageExtension;
import com.unboundid.util.ssl.cert.ExtendedKeyUsageID;
import com.unboundid.util.ssl.cert.KeyUsageExtension;
import com.unboundid.util.ssl.cert.SubjectAlternativeNameExtension;
import com.unboundid.util.ssl.cert.X509Certificate;
import com.unboundid.util.ssl.cert.X509CertificateExtension;
import java.net.InetAddress;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/unboundid/util/ssl/PromptTrustManagerProcessor.class */
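/**
 * Static helpers that inspect a presented certificate chain, collect
 * human-readable warnings about it, and decide whether the user has to be
 * prompted before the chain is accepted.
 *
 * <p>Everything found here is reported as a warning string; no check in this
 * class rejects a chain on its own, and nothing here anchors the chain to a
 * trusted root. The decision to trust is left to whoever consumes the result.
 */
final class PromptTrustManagerProcessor {
    /** Not instantiable: the class only exposes static methods. */
    private PromptTrustManagerProcessor() {
    }

    /**
     * Examines a certificate chain and reports whether a prompt is needed, along
     * with the warnings gathered while examining it.
     *
     * <p>Decompiler note: JADX reports that the access modifier of this method
     * was changed from package-private.
     *
     * @param str                cache key looked up in {@code map}
     * @param x509CertificateArr the presented chain; index 0 is the peer
     *                           certificate and each later entry is expected to
     *                           be the issuer of the one before it. Must hold at
     *                           least one certificate.
     * @param z                  {@code true} when the peer certificate is a
     *                           server certificate (selects the server label, the
     *                           server-auth EKU check and the address checks),
     *                           {@code false} for a client certificate
     * @param z2                 not read by this method as listed
     * @param map                previously recorded decisions, keyed like
     *                           {@code str}; must not be {@code null}
     * @param list               addresses the client expected to reach; when
     *                           {@code null} or empty no address check is made
     * @return a pair whose first element says whether to prompt and whose second
     *         element is the list of warnings (possibly empty)
     */
    public static ObjectPair<Boolean, List<String>> shouldPrompt(String str, X509Certificate[] x509CertificateArr, boolean z, boolean z2, Map<String, Boolean> map, List<String> list) {
        boolean outsideValidityWindow = false;
        List<String> warnings = new ArrayList<>(5);
        long now = System.currentTimeMillis();

        // 1. Validity window of every certificate in the chain.
        for (int i = 0; i < x509CertificateArr.length; i++) {
            X509Certificate cert = x509CertificateArr[i];
            if (cert.isWithinValidityWindow(now)) {
                continue;
            }
            outsideValidityWindow = true;
            String label;
            if (i != 0) {
                label = SSLMessages.WARN_PROMPT_PROCESSOR_LABEL_ISSUER.get();
            } else if (z) {
                label = SSLMessages.WARN_PROMPT_PROCESSOR_LABEL_SERVER.get();
            } else {
                label = SSLMessages.WARN_PROMPT_PROCESSOR_LABEL_CLIENT.get();
            }
            if (now > cert.getNotAfterTime()) {
                warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_CERT_EXPIRED.get(label, String.valueOf(cert.getSubjectDN()), formatDate(cert.getNotAfterDate()), StaticUtils.secondsToHumanReadableDuration(Math.round((now - cert.getNotAfterTime()) / 1000.0d))));
            } else {
                warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_CERT_NOT_YET_VALID.get(label, String.valueOf(cert.getSubjectDN()), formatDate(cert.getNotBeforeDate()), StaticUtils.secondsToHumanReadableDuration(Math.round((cert.getNotBeforeTime() - now) / 1000.0d))));
            }
        }

        // 2. Peer certificate extensions: the extended key usage must fit the
        //    role, and the subject alternative names are kept for step 4.
        //    A certificate without an EKU extension produces no warning here.
        X509Certificate peer = x509CertificateArr[0];
        SubjectAlternativeNameExtension subjectAltNames = null;
        for (X509CertificateExtension extension : peer.getExtensions()) {
            if (extension instanceof ExtendedKeyUsageExtension) {
                ExtendedKeyUsageExtension eku = (ExtendedKeyUsageExtension) extension;
                if (z) {
                    if (!eku.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID())) {
                        warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_EKU_MISSING_SERVER_AUTH.get(peer.getSubjectDN()));
                    }
                } else if (!eku.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID())) {
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_EKU_MISSING_CLIENT_AUTH.get(peer.getSubjectDN()));
                }
            } else if (extension instanceof SubjectAlternativeNameExtension) {
                subjectAltNames = (SubjectAlternativeNameExtension) extension;
            }
        }

        // 3. Chain structure. A signature that fails to verify is recorded as a
        //    warning (the exception message) rather than aborting the evaluation.
        if (x509CertificateArr.length != 1) {
            for (int i = 1; i < x509CertificateArr.length; i++) {
                X509Certificate issuer = x509CertificateArr[i];
                X509Certificate subject = x509CertificateArr[i - 1];
                if (issuer.isIssuerFor(subject)) {
                    try {
                        subject.verifySignature(issuer);
                    } catch (CertException e) {
                        Debug.debugException(e);
                        warnings.add(e.getMessage());
                    }
                } else {
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_CHAIN_ISSUER_MISMATCH.get(issuer.getSubjectDN(), subject.getSubjectDN()));
                }

                BasicConstraintsExtension basicConstraints = null;
                KeyUsageExtension keyUsage = null;
                for (X509CertificateExtension extension : issuer.getExtensions()) {
                    if (extension instanceof BasicConstraintsExtension) {
                        basicConstraints = (BasicConstraintsExtension) extension;
                    } else if (extension instanceof KeyUsageExtension) {
                        keyUsage = (KeyUsageExtension) extension;
                    }
                }

                if (basicConstraints == null) {
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_NO_BC_EXTENSION.get(issuer.getSubjectDN()));
                } else if (!basicConstraints.isCA()) {
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_BC_NOT_CA.get(issuer.getSubjectDN()));
                } else if (basicConstraints.getPathLengthConstraint() != null && basicConstraints.getPathLengthConstraint().intValue() < x509CertificateArr.length) {
                    // NOTE(review): the constraint is compared with the total chain
                    // length, not with the number of certificates that sit below
                    // this issuer. RFC 5280 defines pathLenConstraint in terms of
                    // the intermediates that follow the CA, so this can warn on a
                    // valid chain (for example a two-certificate chain whose
                    // issuer carries a constraint of 0). Behaviour kept as listed;
                    // confirm against the upstream source.
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_BC_PATH_LENGTH_EXCEEDED.get(issuer.getSubjectDN(), basicConstraints.getPathLengthConstraint(), Integer.valueOf(x509CertificateArr.length)));
                }

                // An issuer without a key usage extension is not flagged; only a
                // present extension lacking keyCertSign is.
                if (keyUsage != null && !keyUsage.isKeyCertSignBitSet()) {
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_KU_NO_KEY_CERT_SIGN.get(issuer.getSubjectDN()));
                }
            }

            X509Certificate last = x509CertificateArr[x509CertificateArr.length - 1];
            if (last.isSelfSigned()) {
                // Only the self-signature is checked; this method does not
                // compare the root with any trust store.
                try {
                    last.verifySignature(last);
                } catch (CertException e) {
                    Debug.debugException(e);
                    warnings.add(e.getMessage());
                }
            } else {
                warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_CHAIN_NOT_COMPLETE.get(last.getSubjectDN()));
            }
        } else if (peer.isSelfSigned()) {
            warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_CERT_IS_SELF_SIGNED.get());
            try {
                peer.verifySignature(peer);
            } catch (CertException e) {
                Debug.debugException(e);
                warnings.add(e.getMessage());
            }
        } else {
            warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_CHAIN_NOT_COMPLETE.get(peer.getSubjectDN()));
        }

        // 4. Address check, for server certificates only and only when the caller
        //    supplied expected addresses. Candidates are the subject CN values
        //    that look like a host name or IP address, then the SAN DNS names,
        //    then the SAN IP addresses; the first match ends the search.
        if (z && list != null && !list.isEmpty()) {
            boolean addressMatched = false;
            StringBuilder sb = new StringBuilder();
            for (RDN rdn : peer.getSubjectDN().getRDNs()) {
                String[] attributeNames = rdn.getAttributeNames();
                // Fix: the listing used while(true) with a bare `continue` for a CN
                // value that is not a host name or IP address. That jumped past
                // the index increment and re-tested the same value forever. A
                // for loop advances the index on every path.
                for (int j = 0; j < attributeNames.length; j++) {
                    String attributeName = attributeNames[j];
                    boolean isCommonName = attributeName.equalsIgnoreCase("cn") || attributeName.equalsIgnoreCase("commonName") || attributeName.equalsIgnoreCase("2.5.4.3");
                    if (!isCommonName) {
                        continue;
                    }
                    String value = rdn.getAttributeValues()[j];
                    String lowerValue = StaticUtils.toLowerCase(value);
                    if (!isHostnameOrIPAddress(lowerValue)) {
                        continue;
                    }
                    commaAppend(sb, value);
                    if (isAllowedHostnameOrIPAddress(lowerValue, list)) {
                        addressMatched = true;
                        break;
                    }
                }
                if (addressMatched) {
                    break;
                }
            }

            if (!addressMatched && subjectAltNames != null) {
                for (String dnsName : subjectAltNames.getDNSNames()) {
                    commaAppend(sb, dnsName);
                    if (isAllowedHostnameOrIPAddress(dnsName, list)) {
                        addressMatched = true;
                        break;
                    }
                }
                if (!addressMatched) {
                    for (InetAddress address : subjectAltNames.getIPAddresses()) {
                        commaAppend(sb, address.getHostAddress());
                        if (isAllowedIPAddress(address, list)) {
                            addressMatched = true;
                            break;
                        }
                    }
                }
            }

            // A certificate that offered no candidate at all produces no
            // address warning, because sb is then empty.
            if (!addressMatched && sb.length() != 0) {
                if (sb.indexOf(",") > 0) {
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_MULTIPLE_ADDRESSES_NOT_MATCHED.get(peer.getSubjectDN(), sb));
                } else {
                    warnings.add(SSLMessages.WARN_PROMPT_PROCESSOR_SINGLE_ADDRESS_NOT_MATCHED.get(peer.getSubjectDN(), sb));
                }
            }
        }

        // 5. Prompt decision. It depends only on the recorded entry for this key
        //    and on the validity window: no entry -> prompt; entry TRUE -> never
        //    prompt; entry FALSE -> prompt only if some certificate is currently
        //    outside its validity window.
        // NOTE(review): none of the other warnings (EKU, chain, signature,
        // address mismatch) influence the flag, so a recorded entry suppresses
        // the prompt even when such warnings were collected. Confirm that callers
        // intend this.
        Boolean recorded = map.get(str);
        if (recorded == null) {
            return new ObjectPair<>(Boolean.TRUE, warnings);
        }
        if (recorded.booleanValue()) {
            return new ObjectPair<>(Boolean.FALSE, warnings);
        }
        return new ObjectPair<>(Boolean.valueOf(outsideValidityWindow), warnings);
    }

    /**
     * Formats a date for use in a warning message, as a date part
     * ({@code EEEE, MMMM d, yyyy}) and a time part ({@code hh:mm:ss aa z})
     * combined through {@code WARN_PROMPT_PROCESSOR_DATE_TIME}.
     *
     * <p>Decompiler note: JADX reports that the access modifier of this method
     * was changed from package-private.
     *
     * @param date the date to format
     * @return the formatted message text
     */
    public static String formatDate(Date date) {
        // Fresh formatter instances per call: SimpleDateFormat is not thread-safe.
        String datePart = new SimpleDateFormat("EEEE, MMMM d, yyyy").format(date);
        String timePart = new SimpleDateFormat("hh:mm:ss aa z").format(date);
        return SSLMessages.WARN_PROMPT_PROCESSOR_DATE_TIME.get(datePart, timePart);
    }

    /**
     * Reports whether a string looks like a host name or an IP address. The
     * caller in this class passes an already lower-cased value.
     *
     * <p>A valid numeric IP address is accepted outright. Otherwise the value is
     * rejected when it is empty, starts with a digit or a period, has a digit or
     * a period directly after a period, ends with a period, or has a {@code *}
     * anywhere other than as the first character directly followed by a period.
     *
     * @param str the candidate value
     * @return {@code true} if the value is treated as a host name or IP address
     */
    static boolean isHostnameOrIPAddress(String str) {
        if (str.isEmpty()) {
            return false;
        }
        if (IPAddressArgumentValueValidator.isValidNumericIPAddress(str)) {
            return true;
        }
        boolean previousWasPeriod = false;
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            if (c >= 'a' && c <= 'z') {
                previousWasPeriod = false;
            } else if (c >= '0' && c <= '9') {
                if (i == 0 || previousWasPeriod) {
                    return false;
                }
                previousWasPeriod = false;
            } else if (c == '.') {
                if (i == 0 || previousWasPeriod) {
                    return false;
                }
                previousWasPeriod = true;
            } else if (c == '*') {
                if (i > 0 || str.length() == 1 || str.charAt(1) != '.') {
                    return false;
                }
                previousWasPeriod = false;
            }
            // NOTE(review): any other character (including '-', spaces and
            // upper-case letters) is skipped: it is neither rejected nor does it
            // reset previousWasPeriod. Kept as listed; confirm this is intended.
        }
        return !previousWasPeriod;
    }

    /**
     * Reports whether a name taken from the certificate matches one of the
     * expected addresses.
     *
     * <p>Numeric IP addresses are compared as resolved {@link InetAddress}
     * values. Every value is also compared as a case-insensitive string, and a
     * certificate name of the form {@code *.suffix} matches an expected address
     * whose text after its first period equals {@code suffix}.
     *
     * @param str  the name from the certificate
     * @param list the expected addresses
     * @return {@code true} on the first match, otherwise {@code false}
     */
    private static boolean isAllowedHostnameOrIPAddress(String str, List<String> list) {
        if (IPAddressArgumentValueValidator.isValidNumericIPAddress(str)) {
            // The try block wraps the whole loop, so one failing lookup ends the
            // numeric comparison and control falls through to the string
            // comparison below.
            try {
                InetAddress certificateAddress = LDAPConnectionOptions.DEFAULT_NAME_RESOLVER.getByName(str);
                for (String expected : list) {
                    if (IPAddressArgumentValueValidator.isValidNumericIPAddress(expected) && certificateAddress.equals(LDAPConnectionOptions.DEFAULT_NAME_RESOLVER.getByName(expected))) {
                        return true;
                    }
                }
            } catch (Exception e) {
                Debug.debugException(e);
            }
        }
        for (String expected : list) {
            if (str.equalsIgnoreCase(expected)) {
                return true;
            }
            // The wildcard stands for exactly the first label of the expected
            // address. The breadth of the suffix is not restricted here, so a
            // name such as "*.com" would match "example.com".
            if (str.startsWith("*.")) {
                int firstPeriod = expected.indexOf('.');
                if (firstPeriod > 0 && str.substring(2).equalsIgnoreCase(expected.substring(firstPeriod + 1))) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reports whether an IP address taken from the certificate equals one of the
     * expected addresses. Only expected entries that are valid numeric IP
     * addresses are considered; host names in the list are not resolved.
     *
     * @param inetAddress the address from the certificate
     * @param list        the expected addresses
     * @return {@code true} on the first match, otherwise {@code false}
     */
    private static boolean isAllowedIPAddress(InetAddress inetAddress, List<String> list) {
        for (String expected : list) {
            // The try block is per entry: a failing lookup skips that entry only.
            try {
                if (IPAddressArgumentValueValidator.isValidNumericIPAddress(expected) && inetAddress.equals(LDAPConnectionOptions.DEFAULT_NAME_RESOLVER.getByName(expected))) {
                    return true;
                }
            } catch (Exception e) {
                Debug.debugException(e);
            }
        }
        return false;
    }

    /**
     * Appends a value to the buffer, preceded by {@code ", "} when the buffer
     * already holds text.
     *
     * @param sb  the buffer to extend
     * @param str the value to append
     */
    private static void commaAppend(StringBuilder sb, String str) {
        if (sb.length() > 0) {
            sb.append(", ");
        }
        sb.append(str);
    }
}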
