package org.openjsse.sun.security.ssl;

import java.net.Socket;
import java.security.AlgorithmConstraints;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.openjsse.javax.net.ssl.ExtendedSSLSession;
import org.openjsse.javax.net.ssl.SSLSocket;
import org.openjsse.sun.security.util.HostnameChecker;
import org.openjsse.sun.security.validator.Validator;
import sun.security.util.AnchorCertificates;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:jre/lib/ext/openjsse.jar:org/openjsse/sun/security/ssl/X509TrustManagerImpl.class */
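/**
 * OpenJSSE's X.509 trust manager: validates a peer's certificate chain with a
 * {@link Validator} and, when a handshake session is available, applies the
 * session's algorithm constraints, its stapled status responses and the
 * configured endpoint identification algorithm (HTTPS or LDAP host-name matching).
 *
 * <p>Which checks run depends on the overload the caller uses:
 * <ul>
 *   <li>The plain {@link X509TrustManager} overloads (no socket or engine) validate
 *       the chain with no algorithm constraints and perform <em>no</em> host-name
 *       verification.</li>
 *   <li>The {@link Socket} overload applies the full set of checks only when the
 *       socket is connected and is an OpenJSSE {@link SSLSocket}
 *       ({@code org.openjsse.javax.net.ssl.SSLSocket}); any other socket, including
 *       a plain {@code javax.net.ssl.SSLSocket}, takes the constraint-less,
 *       host-name-less path.</li>
 *   <li>The {@link SSLEngine} overload applies the full set of checks whenever an
 *       engine is supplied.</li>
 * </ul>
 * Host-name verification runs only if the socket's or engine's {@code SSLParameters}
 * carry a non-empty endpoint identification algorithm.
 *
 * <p>Thread-safety: the per-role validators are created lazily under double-checked
 * locking on {@code this}; every other field is final. The caller-supplied trust
 * collection is held by reference, not copied.
 *
 * <p>Decompiled output (JADX): the class, its constructors and several static helpers
 * were package-private in the original and were widened to {@code public} by the
 * decompiler.
 */
public final class X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager {
    /** Validator type handed to {@link Validator#getInstance}. */
    private final String validatorType;
    /** Trust anchors reported by {@link #getAcceptedIssuers()}; never null, held by reference. */
    private final Collection<X509Certificate> trustedCerts;
    /** PKIX parameters; null when the manager was built from a certificate collection. */
    private final PKIXBuilderParameters pkixParams;
    /** Lazily created "tls client" validator (checks client chains); see {@link #clientValidatorOrCreate()}. */
    private volatile Validator clientValidator;
    /** "tls server" validator (checks server chains); created eagerly by the PKIX constructor, else lazily. */
    private volatile Validator serverValidator;

    /**
     * Creates a trust manager backed by an explicit set of trusted certificates.
     *
     * @param validatorType validator type passed to {@link Validator#getInstance}
     * @param trustedCerts  trust anchors; null is treated as an empty set. The collection
     *                      is used as-is (no defensive copy).
     */
    public X509TrustManagerImpl(String validatorType, Collection<X509Certificate> trustedCerts) {
        this.validatorType = validatorType;
        this.pkixParams = null;
        this.trustedCerts = trustedCerts == null ? Collections.emptySet() : trustedCerts;
        logTrustedCerts(this.trustedCerts);
    }

    /**
     * Creates a trust manager backed by PKIX builder parameters. The "tls server"
     * validator is built immediately so that its trusted certificates can be exposed
     * through {@link #getAcceptedIssuers()}.
     *
     * @param validatorType validator type passed to {@link Validator#getInstance}
     * @param pkixParams    PKIX parameters supplied to the validator
     */
    public X509TrustManagerImpl(String validatorType, PKIXBuilderParameters pkixParams) {
        this.validatorType = validatorType;
        this.pkixParams = pkixParams;
        Validator serverSide = getValidator("tls server");
        this.trustedCerts = serverSide.getTrustedCertificates();
        this.serverValidator = serverSide;
        logTrustedCerts(this.trustedCerts);
    }

    /** Logs the trust anchors when "ssl,trustmanager" logging is enabled. */
    private static void logTrustedCerts(Collection<X509Certificate> certs) {
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
            SSLLogger.fine("adding as trusted certificates", certs.toArray(new X509Certificate[0]));
        }
    }

    /** {@inheritDoc} No socket context: no algorithm constraints and no host-name verification. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, (Socket) null, true); // cast selects the Socket overload
    }

    /** {@inheritDoc} No socket context: no algorithm constraints and no host-name verification. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, (Socket) null, false); // cast selects the Socket overload
    }

    /**
     * {@inheritDoc}
     *
     * @return a fresh array on every call, so callers cannot reach the internal collection
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustedCerts.toArray(new X509Certificate[0]);
    }

    /** {@inheritDoc} Full checks only for a connected OpenJSSE {@link SSLSocket}; see the class comment. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        checkTrusted(chain, authType, socket, true);
    }

    /** {@inheritDoc} Full checks only for a connected OpenJSSE {@link SSLSocket}; see the class comment. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        checkTrusted(chain, authType, socket, false);
    }

    /** {@inheritDoc} */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        checkTrusted(chain, authType, engine, true);
    }

    /** {@inheritDoc} */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        checkTrusted(chain, authType, engine, false);
    }

    /**
     * Checks the arguments common to every overload and returns the validator for the
     * requested role, creating it on first use.
     *
     * @param chain         the peer's certificate chain
     * @param authType      authentication type reported by the handshake
     * @param isClientCheck true when {@code chain} belongs to a client
     * @return the "tls client" or "tls server" validator
     * @throws IllegalArgumentException if the chain or the authentication type is null or empty
     */
    private Validator checkTrustedInit(X509Certificate[] chain, String authType, boolean isClientCheck) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        if (authType == null || authType.isEmpty()) {
            throw new IllegalArgumentException("null or zero-length authentication type");
        }
        return isClientCheck ? clientValidatorOrCreate() : serverValidatorOrCreate();
    }

    /** Returns the "tls client" validator, creating it once under double-checked locking. */
    private Validator clientValidatorOrCreate() {
        Validator v = this.clientValidator;
        if (v == null) {
            synchronized (this) {
                v = this.clientValidator;
                if (v == null) {
                    v = getValidator("tls client");
                    this.clientValidator = v;
                }
            }
        }
        return v;
    }

    /** Returns the "tls server" validator, creating it once under double-checked locking. */
    private Validator serverValidatorOrCreate() {
        Validator v = this.serverValidator;
        if (v == null) {
            synchronized (this) {
                v = this.serverValidator;
                if (v == null) {
                    v = getValidator("tls server");
                    this.serverValidator = v;
                }
            }
        }
        return v;
    }

    /**
     * Socket-based check. Only a connected OpenJSSE {@link SSLSocket} provides a
     * handshake session; any other socket (or null) takes the session-less path, which
     * validates with no algorithm constraints and skips host-name verification.
     *
     * @throws CertificateException if the socket has no handshake session, the chain
     *                              does not validate, or the identity check fails
     */
    private void checkTrusted(X509Certificate[] chain, String authType, Socket socket, boolean isClientCheck)
            throws CertificateException {
        Validator validator = checkTrustedInit(chain, authType, isClientCheck);
        X509Certificate[] trustedChain;
        if (socket != null && socket.isConnected() && socket instanceof SSLSocket) {
            SSLSocket sslSocket = (SSLSocket) socket;
            SSLSession session = requireHandshakeSession(sslSocket.getHandshakeSession());
            // Local signature algorithms are only known for extended sessions on TLS 1.2+.
            SSLAlgorithmConstraints constraints = usesTls12PlusSpec(session)
                    ? new SSLAlgorithmConstraints(sslSocket,
                            ((ExtendedSSLSession) session).getLocalSupportedSignatureAlgorithms(), false)
                    : new SSLAlgorithmConstraints(sslSocket, false);
            trustedChain = validateWithSession(validator, chain, session, constraints,
                    sslSocket.getSSLParameters().getEndpointIdentificationAlgorithm(), authType, isClientCheck);
        } else {
            trustedChain = validateWithoutSession(validator, chain, authType, isClientCheck);
        }
        logTrustAnchor(trustedChain);
    }

    /**
     * Engine-based check. A non-null engine always provides the handshake context; a
     * null engine takes the session-less path (no constraints, no host-name verification).
     *
     * @throws CertificateException if the engine has no handshake session, the chain
     *                              does not validate, or the identity check fails
     */
    private void checkTrusted(X509Certificate[] chain, String authType, SSLEngine engine, boolean isClientCheck)
            throws CertificateException {
        Validator validator = checkTrustedInit(chain, authType, isClientCheck);
        X509Certificate[] trustedChain;
        if (engine != null) {
            SSLSession session = requireHandshakeSession(engine.getHandshakeSession());
            // Local signature algorithms are only known for extended sessions on TLS 1.2+.
            SSLAlgorithmConstraints constraints = usesTls12PlusSpec(session)
                    ? new SSLAlgorithmConstraints(engine,
                            ((ExtendedSSLSession) session).getLocalSupportedSignatureAlgorithms(), false)
                    : new SSLAlgorithmConstraints(engine, false);
            trustedChain = validateWithSession(validator, chain, session, constraints,
                    engine.getSSLParameters().getEndpointIdentificationAlgorithm(), authType, isClientCheck);
        } else {
            trustedChain = validateWithoutSession(validator, chain, authType, isClientCheck);
        }
        logTrustAnchor(trustedChain);
    }

    /** Rejects a missing handshake session. */
    private static SSLSession requireHandshakeSession(SSLSession session) throws CertificateException {
        if (session == null) {
            throw new CertificateException("No handshake session");
        }
        return session;
    }

    /** True when the session is an {@link ExtendedSSLSession} whose protocol uses the TLS 1.2+ spec. */
    private static boolean usesTls12PlusSpec(SSLSession session) {
        return session instanceof ExtendedSSLSession && ProtocolVersion.useTLS12PlusSpec(session.getProtocol());
    }

    /**
     * Validation with handshake context: applies the session's constraints, forwards the
     * stapled status responses (server checks only) and, if an endpoint identification
     * algorithm is configured, verifies the peer's identity against the validated chain.
     *
     * @param identityAlg endpoint identification algorithm from the SSL parameters; null or
     *                    empty disables host-name verification entirely
     * @return the validated chain ending at the trust anchor
     */
    private static X509Certificate[] validateWithSession(Validator validator, X509Certificate[] chain,
            SSLSession session, SSLAlgorithmConstraints constraints, String identityAlg, String authType,
            boolean isClientCheck) throws CertificateException {
        // Status responses are only consulted for a server's chain, i.e. when we check the server.
        List<byte[]> statusResponses = Collections.emptyList();
        if (!isClientCheck && session instanceof ExtendedSSLSession) {
            statusResponses = ((ExtendedSSLSession) session).getStatusResponses();
        }
        // The authentication type is forwarded to the validator only for server chains.
        X509Certificate[] trustedChain =
                validate(validator, chain, statusResponses, constraints, isClientCheck ? null : authType);
        if (identityAlg != null && !identityAlg.isEmpty()) {
            checkIdentity(session, trustedChain, identityAlg, isClientCheck);
        }
        return trustedChain;
    }

    /**
     * Validation without handshake context: no constraints, no status responses and no
     * host-name verification.
     *
     * @return the validated chain ending at the trust anchor
     */
    private static X509Certificate[] validateWithoutSession(Validator validator, X509Certificate[] chain,
            String authType, boolean isClientCheck) throws CertificateException {
        return validate(validator, chain, Collections.emptyList(), null, isClientCheck ? null : authType);
    }

    /** Logs the trust anchor (last element of the validated chain) when "ssl,trustmanager" logging is on. */
    private static void logTrustAnchor(X509Certificate[] trustedChain) {
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
            SSLLogger.fine("Found trusted certificate", trustedChain[trustedChain.length - 1]);
        }
    }

    /**
     * Creates a validator for the given variant from either the PKIX parameters or the
     * trusted-certificate set, whichever this instance was constructed with.
     */
    private Validator getValidator(String variant) {
        if (this.pkixParams == null) {
            return Validator.getInstance(this.validatorType, variant, this.trustedCerts);
        }
        return Validator.getInstance(this.validatorType, variant, this.pkixParams);
    }

    /**
     * Runs the validator with the FIPS provider context established for the duration
     * of the call (released on every exit path). The validator's second argument is
     * passed as null, as in the original.
     *
     * @param authType authentication type, or null when checking a client chain
     * @return the validated chain ending at the trust anchor
     * @throws CertificateException if the chain does not validate
     */
    private static X509Certificate[] validate(Validator validator, X509Certificate[] chain,
            List<byte[]> statusResponses, AlgorithmConstraints constraints, String authType)
            throws CertificateException {
        Object fipsContext = JsseJce.beginFipsProvider();
        try {
            return validator.validate(chain, null, statusResponses, constraints, authType);
        } finally {
            JsseJce.endFipsProvider(fipsContext);
        }
    }

    /**
     * Extracts the ASCII host name from an SNI list, or null if no usable host_name
     * entry is present. The whole list is scanned, so a later host_name entry overrides
     * an earlier one; an entry whose encoding is not a valid host name is logged and
     * ignored, keeping any earlier match. (SSLParameters is believed to reject duplicate
     * name types, so in practice at most one entry qualifies — confirm if relying on it.)
     */
    private static String getHostNameInSNI(List<SNIServerName> sniNames) {
        SNIHostName hostName = null;
        for (SNIServerName sniName : sniNames) {
            if (sniName.getType() != StandardConstants.SNI_HOST_NAME) {
                continue;
            }
            if (sniName instanceof SNIHostName) {
                hostName = (SNIHostName) sniName;
                continue;
            }
            try {
                hostName = new SNIHostName(sniName.getEncoded());
            } catch (IllegalArgumentException e) {
                // Not a well-formed host name: log and ignore.
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
                    SSLLogger.fine("Illegal server name: " + sniName, new Object[0]);
                }
            }
        }
        return hostName == null ? null : hostName.getAsciiName();
    }

    /**
     * SNI names requested on a socket; empty unless the socket is a connected OpenJSSE
     * {@link SSLSocket} with an extended handshake session.
     */
    public static List<SNIServerName> getRequestedServerNames(Socket socket) {
        if (socket != null && socket.isConnected() && socket instanceof SSLSocket) {
            return getRequestedServerNames(((SSLSocket) socket).getHandshakeSession());
        }
        return Collections.emptyList();
    }

    /** SNI names requested on an engine; empty for a null engine or a non-extended session. */
    public static List<SNIServerName> getRequestedServerNames(SSLEngine engine) {
        if (engine == null) {
            return Collections.emptyList();
        }
        return getRequestedServerNames(engine.getHandshakeSession());
    }

    /** SNI names from an extended session; empty for null or non-extended sessions. */
    private static List<SNIServerName> getRequestedServerNames(SSLSession session) {
        if (session instanceof ExtendedSSLSession) { // instanceof is false for null
            return ((ExtendedSSLSession) session).getRequestedServerNames();
        }
        return Collections.emptyList();
    }

    /**
     * Verifies the peer's identity against the end-entity certificate
     * ({@code trustedChain[0]}). For a server check the SNI host_name sent in the
     * handshake is tried first; if that fails and the SNI name differs from the
     * session's peer host, the peer host is tried instead, otherwise the SNI failure
     * is propagated. Client checks always use the peer host.
     *
     * @param session       handshake session supplying the peer host and SNI names
     * @param trustedChain  validated chain; its last element is the trust anchor
     * @param algorithm     endpoint identification algorithm ("HTTPS", "LDAP" or "LDAPS")
     * @param isClientCheck true when the chain belongs to a client
     * @throws CertificateException if the certificate does not match the expected identity
     */
    public static void checkIdentity(SSLSession session, X509Certificate[] trustedChain, String algorithm,
            boolean isClientCheck) throws CertificateException {
        // Whether the anchor is one of the JDK's built-in CA anchors; HostnameChecker.match
        // receives this flag (presumably to tighten matching for publicly-rooted chains —
        // confirm in HostnameChecker).
        boolean chainsToPublicCA = AnchorCertificates.contains(trustedChain[trustedChain.length - 1]);
        String peerHost = session.getPeerHost();
        if (!isClientCheck) {
            String sniHostName = getHostNameInSNI(getRequestedServerNames(session));
            if (sniHostName != null) {
                try {
                    checkIdentity(sniHostName, trustedChain[0], algorithm, chainsToPublicCA);
                    return;
                } catch (CertificateException e) {
                    if (sniHostName.equalsIgnoreCase(peerHost)) {
                        throw e;
                    }
                    // SNI name and peer host differ: fall through and try the peer host.
                }
            }
        }
        checkIdentity(peerHost, trustedChain[0], algorithm, chainsToPublicCA);
    }

    /**
     * Verifies {@code hostname} against {@code cert} using {@code algorithm}, treating the
     * chain as not rooted in a public CA.
     *
     * @throws CertificateException if the name does not match or the algorithm is unknown
     */
    public static void checkIdentity(String hostname, X509Certificate cert, String algorithm)
            throws CertificateException {
        checkIdentity(hostname, cert, algorithm, false);
    }

    /**
     * Verifies {@code hostname} against {@code cert}. A null or empty algorithm means no
     * endpoint identification is configured and the check is skipped. IPv6 literals are
     * unbracketed before matching.
     *
     * @param chainsToPublicCA passed through to {@link HostnameChecker#match}
     * @throws CertificateException if the name does not match or the algorithm is unknown
     */
    private static void checkIdentity(String hostname, X509Certificate cert, String algorithm,
            boolean chainsToPublicCA) throws CertificateException {
        if (algorithm == null || algorithm.isEmpty()) {
            return;
        }
        String host = hostname;
        if (host != null && host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1); // strip IPv6 literal brackets
        }
        // Checker type codes as decompiled: 1 is used for HTTPS, 2 for LDAP/LDAPS.
        if (algorithm.equalsIgnoreCase("HTTPS")) {
            HostnameChecker.getInstance((byte) 1).match(host, cert, chainsToPublicCA);
        } else if (algorithm.equalsIgnoreCase("LDAP") || algorithm.equalsIgnoreCase("LDAPS")) {
            HostnameChecker.getInstance((byte) 2).match(host, cert, chainsToPublicCA);
        } else {
            throw new CertificateException("Unknown identification algorithm: " + algorithm);
        }
    }
}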
