package org.jivesoftware.openfire.keystore;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/keystore/OpenfireX509TrustManager.class */
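/**
 * An {@link X509TrustManager} that validates peer certificate chains against the certificate entries of a
 * {@link KeyStore}, using a PKIX certification path builder.
 *
 * <p>Two configuration switches relax the validation performed by {@link #checkChainTrusted}:
 * <ul>
 *   <li>{@code acceptSelfSigned}: a chain that consists of exactly one certificate whose subject equals its
 *       issuer is added to the trust anchors for that particular check, so any such certificate is accepted.
 *       This effectively disables authentication of the peer identity for self-signed chains.</li>
 *   <li>{@code checkValidity}: when {@code false}, issuers outside their validity period are not filtered
 *       out, and path validation is pinned to a point in time at which the chain is valid (when one can be
 *       found), so expired certificates are accepted as far as the PKIX implementation allows.</li>
 * </ul>
 *
 * <p>Revocation checking (CRL/OCSP) is disabled for every check. The set of trusted issuers is a snapshot of
 * the key store taken at construction time; later changes to the key store are not observed by this instance.
 * All fields are final and the issuer set is unmodifiable, so instances do not change after construction.
 */
public class OpenfireX509TrustManager implements X509TrustManager {
    private static final Logger Log = LoggerFactory.getLogger(OpenfireX509TrustManager.class);
    private static final Provider PROVIDER = new BouncyCastleProvider();

    static {
        // Registered once so that CertPathBuilder.getInstance("PKIX", "BC") can be resolved.
        Security.addProvider(PROVIDER);
    }

    /** When true, a chain of one self-signed certificate is accepted as its own trust anchor. */
    protected final boolean acceptSelfSigned;
    /** When false, certificate validity periods (expiry) are ignored as far as possible. */
    private final boolean checkValidity;
    /** Unmodifiable snapshot of the X.509 certificate entries of the key store given at construction. */
    protected final Set<X509Certificate> trustedIssuers;

    /**
     * Creates a trust manager whose trusted issuers are the certificate entries of a key store.
     *
     * <p>Only aliases for which {@link KeyStore#isCertificateEntry(String)} holds and whose certificate is an
     * {@link X509Certificate} become trusted issuers; key entries and non-X.509 certificates are ignored.
     *
     * @param keyStore         the loaded key store whose certificate entries are the trusted issuers
     * @param acceptSelfSigned whether a chain of one self-signed certificate is accepted
     * @param checkValidity    whether certificate validity periods are enforced
     * @throws KeyStoreException        if the key store has not been initialized (loaded)
     * @throws NoSuchAlgorithmException never thrown by this implementation; kept in the signature so that
     *                                  existing callers that catch it keep compiling
     */
    public OpenfireX509TrustManager(KeyStore keyStore, boolean acceptSelfSigned, boolean checkValidity) throws NoSuchAlgorithmException, KeyStoreException {
        this.acceptSelfSigned = acceptSelfSigned;
        this.checkValidity = checkValidity;

        final Set<X509Certificate> issuers = new HashSet<>();
        final Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            final String alias = aliases.nextElement();
            if (!keyStore.isCertificateEntry(alias)) {
                continue; // key entries are not trust anchors
            }
            final Certificate certificate = keyStore.getCertificate(alias);
            if (certificate instanceof X509Certificate) {
                issuers.add((X509Certificate) certificate);
            }
        }
        this.trustedIssuers = Collections.unmodifiableSet(issuers);

        Log.debug("Constructed trust manager. Number of trusted issuers: {}, accepts self-signed: {}, checks validity: {}", this.trustedIssuers.size(), acceptSelfSigned, checkValidity);
    }

    /**
     * {@inheritDoc}
     *
     * <p>The {@code authType} is not used: client and server chains are validated identically.
     *
     * @throws IllegalArgumentException if {@code chain} is null or empty
     * @throws CertificateException     if no path from the chain to a trust anchor can be built
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain);
    }

    /**
     * {@inheritDoc}
     *
     * <p>The {@code authType} is not used: client and server chains are validated identically.
     *
     * @throws IllegalArgumentException if {@code chain} is null or empty
     * @throws CertificateException     if no path from the chain to a trust anchor can be built
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain);
    }

    /**
     * Shared implementation of the client and server checks: identifies the end-entity certificate of the
     * chain, targets it with a selector and builds a PKIX path from it to one of the trust anchors.
     *
     * @param chain the certificate chain presented by the peer
     * @throws IllegalArgumentException if {@code chain} is null or empty (as required by the
     *                                  {@link X509TrustManager} contract)
     * @throws CertificateException     wrapping any path-building or parameter failure
     */
    private void checkTrusted(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Argument 'chain' cannot be null or an empty array.");
        }
        final X509Certificate endEntity = CertificateUtils.identifyEndEntityCertificate(Arrays.asList(chain));
        final X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(endEntity);
        try {
            checkChainTrusted(selector, chain);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>When validity checking is enabled, issuers outside their validity period are omitted. A new array is
     * returned on every call; the internal issuer set is never exposed.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        final Set<X509Certificate> issuers = this.checkValidity ? CertificateUtils.filterValid(this.trustedIssuers) : this.trustedIssuers;
        return issuers.toArray(new X509Certificate[0]);
    }

    /**
     * Builds a PKIX certification path from the certificate matched by {@code selector} to one of the trusted
     * issuers, using the certificates in {@code chain} as intermediates.
     *
     * <p>The trust anchors are the issuers captured at construction, plus, when {@code acceptSelfSigned} is set
     * and the chain has exactly one certificate whose subject equals its issuer, that certificate itself. When
     * {@code checkValidity} is set, anchors outside their validity period are dropped first; otherwise the
     * validation date is moved to a point in time at which the chain is valid, if one can be found. Revocation
     * checking is disabled. The Bouncy Castle "BC" PKIX builder is preferred, with a fallback to the default
     * provider. On failure the anchors and the chain are dumped at debug level before the exception is rethrown.
     *
     * @param selector identifies the target (end-entity) certificate of the path
     * @param chain    the certificates available for building the path; not null or empty
     * @return the certification path that was built
     * @throws IllegalArgumentException           if {@code selector} is null or {@code chain} is null or empty
     * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected; in particular when no
     *                                            trust anchors remain (for example every issuer was filtered
     *                                            out as invalid)
     * @throws NoSuchAlgorithmException           if no PKIX path builder is available
     * @throws CertPathBuilderException           if no path to a trust anchor can be built
     */
    protected CertPath checkChainTrusted(CertSelector selector, X509Certificate... chain) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, CertPathBuilderException {
        if (selector == null) {
            throw new IllegalArgumentException("Argument 'selector' cannot be null");
        }
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Argument 'chain' cannot be null or an empty array.");
        }
        Log.debug("Attempting to verify a chain of {} certificates.", chain.length);

        // Work on a copy: the self-signed exception below must not leak into the shared issuer set.
        final Set<X509Certificate> candidateIssuers = new HashSet<>(this.trustedIssuers);
        if (this.acceptSelfSigned && chain.length == 1) {
            Log.debug("Attempting to accept the self-signed certificate of this chain of length one, as instructed by configuration.");
            final X509Certificate only = chain[0];
            if (only.getSubjectX500Principal().equals(only.getIssuerX500Principal())) {
                Log.debug("Chain of one appears to be self-signed. Adding it to the set of trusted issuers.");
                candidateIssuers.add(only);
            } else {
                Log.debug("Chain of one is not self-signed. Not adding it to the set of trusted issuers.");
            }
        }

        final Set<X509Certificate> anchorCertificates = this.checkValidity ? CertificateUtils.filterValid(candidateIssuers) : candidateIssuers;
        final Set<TrustAnchor> trustAnchors = CertificateUtils.toTrustAnchors(anchorCertificates);
        final CertStore chainStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(chain)));
        // Throws InvalidAlgorithmParameterException when trustAnchors is empty.
        final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustAnchors, selector);

        if (!this.checkValidity) {
            Log.debug("Attempting to ignore any validity (expiry) issues, as instructed by configuration.");
            // PKIX always enforces validity periods; the closest approximation to ignoring them is to validate
            // at a date at which the chain is valid (as chosen by CertificateUtils; null when none exists).
            final Date validPointInTime = CertificateUtils.findValidPointInTime(chain);
            if (validPointInTime == null) {
                Log.warn("The existing implementation is unable to fully ignore certificate validity periods for this chain, even though it is configured to do so. Certificate checks might fail because of expiration for end entity: " + chain[0]);
            } else {
                parameters.setDate(validPointInTime);
            }
        }
        parameters.addCertStore(chainStore);
        // No CRL/OCSP lookups are performed: a revoked but otherwise valid certificate passes this check.
        parameters.setRevocationEnabled(false);
        Log.debug("Validating chain with {} certificates, using {} trust anchors.", chain.length, trustAnchors.size());

        final CertPathBuilder builder = newPkixBuilder();
        try {
            return builder.build(parameters).getCertPath();
        } catch (CertPathBuilderException e) {
            logPathBuildFailure(anchorCertificates, chain);
            throw e;
        }
    }

    /**
     * Obtains a PKIX path builder, preferring the Bouncy Castle provider registered in the static initializer
     * and falling back to whichever provider the JCA resolves by default.
     *
     * @throws NoSuchAlgorithmException if no provider offers a PKIX path builder at all
     */
    private static CertPathBuilder newPkixBuilder() throws NoSuchAlgorithmException {
        try {
            return CertPathBuilder.getInstance("PKIX", "BC");
        } catch (NoSuchProviderException e) {
            Log.warn("Unable to use the BC provider! Trying to use a fallback provider.", e);
            return CertPathBuilder.getInstance("PKIX");
        }
    }

    /**
     * Dumps the trust anchors and the chain (subject, issuer and validity period only; no key material) at
     * debug level to aid diagnosis of a failed path build.
     *
     * @param anchorCertificates the certificates used as trust anchors for the failed attempt
     * @param chain              the chain that could not be validated
     */
    private static void logPathBuildFailure(Set<X509Certificate> anchorCertificates, X509Certificate[] chain) {
        if (!Log.isDebugEnabled()) {
            return; // avoid building the strings below when they would be discarded anyway
        }
        Log.debug("** Accepted Issuers (trust anchors, \"root CA's\"):");
        for (X509Certificate anchor : anchorCertificates) {
            Log.debug("   - " + anchor.getSubjectX500Principal() + "/" + anchor.getIssuerX500Principal());
        }
        Log.debug("** Chain to be validated:");
        Log.debug("   length: " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            final X509Certificate cert = chain[i];
            Log.debug(" Certificate[{}] (valid from {} to {}):", i, cert.getNotBefore(), cert.getNotAfter());
            Log.debug("   subjectDN: " + cert.getSubjectX500Principal());
            Log.debug("   issuerDN: " + cert.getIssuerX500Principal());
            for (X509Certificate anchor : anchorCertificates) {
                // An anchor can only have issued this certificate if the anchor's subject is this certificate's issuer.
                if (anchor.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                    Log.debug("Found accepted issuer with same DN: " + anchor.getSubjectX500Principal());
                }
            }
        }
    }
}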
