package org.opends.admin.ads.util;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:org/opends/admin/ads/util/ApplicationTrustManager.class */
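/**
 * Trust manager used by the OpenDS administration tooling.
 *
 * <p>A chain is accepted when either (a) the SunJSSE {@code SunX509} delegate built from the
 * supplied key store trusts it <em>and</em> the expected host name (see {@link #setHost}) matches
 * the leaf certificate's subject, or (b) the exact chain and authentication type were registered
 * by the caller through {@link #acceptCertificate} (trust-on-first-use). On the explicit-acceptance
 * path no host-name check is performed.
 *
 * <p>When a chain is refused, the chain, the auth type and the {@link Cause} are recorded so the
 * caller can show them; {@link #resetLastRefusedItems} clears them.
 *
 * <p>NOTE(review): the last-refused fields and the accept lists are plain mutable state with no
 * synchronization, so an instance should not be shared between concurrent handshakes.
 * NOTE(review): the delegate is the legacy {@code SunX509} algorithm rather than {@code PKIX};
 * that choice is kept here as it is part of the observable behaviour.
 */
public class ApplicationTrustManager implements X509TrustManager {
    private static final Logger LOG = Logger.getLogger(ApplicationTrustManager.class.getName());

    /** Delegate built from the key store; stays null when the factory could not be initialised. */
    private X509TrustManager sunJSSEX509TrustManager;
    private String lastRefusedAuthType;
    private X509Certificate[] lastRefusedChain;
    private Cause lastRefusedCause = null;
    // Parallel lists: entry i of each describes one explicitly accepted chain.
    private ArrayList<X509Certificate[]> acceptedChains = new ArrayList<>();
    private ArrayList<String> acceptedAuthTypes = new ArrayList<>();
    private ArrayList<String> acceptedHosts = new ArrayList<>();
    /** Host name the leaf certificate's subject is compared against; null disables that check. */
    private String host;

    /** Why the last chain was refused. */
    public enum Cause {
        /** Neither the key-store delegate nor the explicit accept list trusts the chain. */
        NOT_TRUSTED,
        /** The chain is trusted but its leaf subject does not name the expected host. */
        HOST_NAME_MISMATCH
    }

    /**
     * Builds a trust manager whose delegate is initialised from {@code keyStore}.
     *
     * <p>Initialisation failures are logged and not rethrown: the instance then has no delegate
     * and accepts only chains registered with {@link #acceptCertificate} (fail-closed, but without
     * a host-name check on that path).
     *
     * @param keyStore trust store for the delegate; null makes the SunJSSE factory fall back to
     *                 its default trust store (presumably {@code cacerts} / {@code javax.net.ssl.trustStore})
     */
    public ApplicationTrustManager(KeyStore keyStore) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
            factory.init(keyStore);
            this.sunJSSEX509TrustManager = (X509TrustManager) factory.getTrustManagers()[0];
        } catch (KeyStoreException e) {
            LOG.log(Level.WARNING, "Error with the keystore", e);
        } catch (NoSuchAlgorithmException e) {
            LOG.log(Level.WARNING, "Error with the algorithm", e);
        } catch (NoSuchProviderException e) {
            LOG.log(Level.WARNING, "Error with the provider", e);
        }
    }

    /**
     * Checks a client chain; see {@link #checkTrusted} for the policy.
     *
     * @throws CertificateException (an {@code OpendsCertificateException} carrying the chain) when refused
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, false);
    }

    /**
     * Checks a server chain; see {@link #checkTrusted} for the policy.
     *
     * @throws CertificateException (an {@code OpendsCertificateException} carrying the chain) when refused
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, true);
    }

    /** Issuers trusted by the delegate, or none when the delegate could not be initialised. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (this.sunJSSEX509TrustManager == null) {
            return new X509Certificate[0];
        }
        return this.sunJSSEX509TrustManager.getAcceptedIssuers();
    }

    /**
     * Registers a chain that later checks accept without consulting the delegate or the host name.
     *
     * @param chain    the exact chain to accept (compared element by element)
     * @param authType the auth type it was presented with; must match on later checks
     * @param hostName host it was accepted for; recorded but currently not consulted by the checks
     */
    public void acceptCertificate(X509Certificate[] chain, String authType, String hostName) {
        this.acceptedChains.add(chain == null ? null : chain.clone());
        this.acceptedAuthTypes.add(authType);
        this.acceptedHosts.add(hostName);
    }

    /** Sets the host name the leaf certificate's subject must match; null disables the check. */
    public void setHost(String host) {
        this.host = host;
    }

    /** Clears the chain, auth type and cause recorded by the last refusal. */
    public void resetLastRefusedItems() {
        this.lastRefusedAuthType = null;
        this.lastRefusedChain = null;
        this.lastRefusedCause = null;
    }

    /**
     * Returns a new instance with the same accept lists, host and last-refused state.
     *
     * <p>The delegate is not shared: the copy is built with a null key store, so its delegate
     * presumably trusts the JSSE default trust store rather than the key store this instance was
     * built from. NOTE(review): confirm that is the intended trust boundary for copies.
     */
    public ApplicationTrustManager createCopy() {
        ApplicationTrustManager copy = new ApplicationTrustManager(null);
        copy.lastRefusedAuthType = this.lastRefusedAuthType;
        copy.lastRefusedChain = this.lastRefusedChain;
        copy.lastRefusedCause = this.lastRefusedCause;
        copy.acceptedChains.addAll(this.acceptedChains);
        copy.acceptedAuthTypes.addAll(this.acceptedAuthTypes);
        copy.acceptedHosts.addAll(this.acceptedHosts);
        copy.host = this.host;
        return copy;
    }

    /**
     * Shared policy for client and server checks.
     *
     * <p>Order: delegate check; on delegate failure (or no delegate) the explicit accept list; only
     * chains that passed the delegate are additionally subject to the host-name check. A host-name
     * failure is recorded as {@link Cause#HOST_NAME_MISMATCH}, every other failure as
     * {@link Cause#NOT_TRUSTED}. The host-name check deliberately sits outside the first
     * {@code try} so its exception is not re-caught and re-labelled {@code NOT_TRUSTED}.
     *
     * @throws IllegalArgumentException for a null/empty chain or auth type, per the
     *                                  {@link X509TrustManager} contract
     */
    private void checkTrusted(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        if (authType == null || authType.isEmpty()) {
            throw new IllegalArgumentException("null or zero-length authentication type");
        }
        boolean explicitlyAccepted;
        try {
            if (this.sunJSSEX509TrustManager == null) {
                // No usable delegate: the explicit accept list is the only way in.
                verifyAcceptedCertificates(chain, authType);
                explicitlyAccepted = true;
            } else {
                explicitlyAccepted = false;
                try {
                    if (server) {
                        this.sunJSSEX509TrustManager.checkServerTrusted(chain, authType);
                    } else {
                        this.sunJSSEX509TrustManager.checkClientTrusted(chain, authType);
                    }
                } catch (CertificateException notTrustedByDelegate) {
                    verifyAcceptedCertificates(chain, authType);
                    explicitlyAccepted = true;
                }
            }
        } catch (CertificateException e) {
            throw refuse(chain, authType, Cause.NOT_TRUSTED, e);
        }
        if (!explicitlyAccepted) {
            try {
                verifyHostName(chain, authType);
            } catch (CertificateException e) {
                throw refuse(chain, authType, Cause.HOST_NAME_MISMATCH, e);
            }
        }
    }

    /** Records the refusal and builds the exception the caller throws, with {@code cause} attached. */
    private OpendsCertificateException refuse(X509Certificate[] chain, String authType, Cause cause,
            CertificateException e) {
        this.lastRefusedChain = chain;
        this.lastRefusedAuthType = authType;
        this.lastRefusedCause = cause;
        OpendsCertificateException wrapped = new OpendsCertificateException(chain);
        wrapped.initCause(e);
        return wrapped;
    }

    /**
     * Passes when some registered entry has the same auth type and an element-wise equal chain.
     *
     * <p>NOTE(review): {@code acceptedHosts} is recorded by {@link #acceptCertificate} but not
     * consulted here, so a chain accepted for one host is accepted for every host, and the caller
     * skips {@link #verifyHostName} on this path. Matching {@code acceptedHosts.get(i)} against
     * {@code host} would bind the acceptance to the host it was granted for.
     *
     * @throws CertificateException when no entry matches
     */
    private void verifyAcceptedCertificates(X509Certificate[] chain, String authType) throws CertificateException {
        for (int i = 0; i < this.acceptedChains.size(); i++) {
            if (authType.equals(this.acceptedAuthTypes.get(i))
                    && Arrays.equals(this.acceptedChains.get(i), chain)) {
                return;
            }
        }
        throw new OpendsCertificateException("Certificate not in list of accepted certificates", chain);
    }

    /**
     * Compares {@code host} (case-insensitively) with the value of the RDN at index 0 of the leaf
     * certificate's subject DN; a no-op when no host is configured.
     *
     * <p>NOTE(review): this is weaker than RFC 6125 host-name matching. {@link LdapName} indexes
     * RDNs from the right-most one, the attribute type of that RDN is not checked (it is only the
     * CN for single-RDN subjects such as {@code CN=host}), and subjectAltName dNSName entries are
     * not consulted. Parse failures are logged and treated as a mismatch.
     *
     * @throws CertificateException when the configured host does not match
     */
    private void verifyHostName(X509Certificate[] chain, String authType) throws CertificateException {
        if (this.host == null) {
            return;
        }
        X509Certificate leaf = chain[0];
        boolean matches = false;
        try {
            String rdnValue = new LdapName(leaf.getSubjectX500Principal().getName())
                    .getRdn(0).getValue().toString();
            matches = this.host.equalsIgnoreCase(rdnValue);
        } catch (InvalidNameException | RuntimeException e) {
            // Unparseable or empty subject DN: fall through to the mismatch below.
            LOG.log(Level.WARNING, "Error parsing subject dn: " + leaf.getSubjectX500Principal(), e);
        }
        if (!matches) {
            throw new OpendsCertificateException("Hostname mismatch between host name " + this.host
                    + " and subject DN: " + leaf.getSubjectX500Principal(), chain);
        }
    }

    /** Auth type of the last refused chain, or null. */
    public String getLastRefusedAuthType() {
        return this.lastRefusedAuthType;
    }

    /** Reason the last chain was refused, or null. */
    public Cause getLastRefusedCause() {
        return this.lastRefusedCause;
    }

    /** The last refused chain, or null. */
    public X509Certificate[] getLastRefusedChain() {
        return this.lastRefusedChain;
    }
}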
