package org.opends.admin.ads.util;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.DN;
import org.opends.server.util.Platform;

/* loaded from: input_file:WEB-INF/lib/opendj.jar:org/opends/admin/ads/util/ApplicationTrustManager.class */
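/**
 * Trust manager used by the OpenDJ admin tooling.
 *
 * <p>Trust decision, in order:
 * <ol>
 *   <li>Ask the delegate {@link X509TrustManager} built from the supplied key store.</li>
 *   <li>If the delegate refuses (or no delegate could be created), accept the chain only if it
 *       was previously registered through {@link #acceptCertificate} for the same auth type.
 *       In that case the host-name check below is <b>skipped</b>.</li>
 *   <li>Otherwise, if {@link #setHost} was called, compare the first AVA of the leaf's subject
 *       DN (normally the CN) against the host using {@link #hostMatch}; a mismatch is tolerated
 *       only for a chain registered via {@link #acceptCertificate} for a matching host.</li>
 * </ol>
 * Any refusal is reported as an {@code OpendsCertificateException}, and the refused chain,
 * auth type and {@link Cause} are remembered so a caller can prompt the user and retry.
 *
 * <p>NOTE(review): only the subject DN is consulted for host matching; subjectAltName entries
 * are never read (the code never calls {@code getSubjectAlternativeNames()}). This class keeps
 * mutable state and performs no synchronization.
 */
public class ApplicationTrustManager implements X509TrustManager {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** System properties letting an operator pin the TrustManagerFactory algorithm / provider. */
    private static final String ALGO_PROPERTY = "org.opends.admin.trustmanageralgo";
    private static final String PROVIDER_PROPERTY = "org.opends.admin.trustmanagerprovider";

    /** Delegate built from the key store; {@code null} when no factory could be initialised. */
    private X509TrustManager trustManager;
    private String lastRefusedAuthType;
    private X509Certificate[] lastRefusedChain;
    private Cause lastRefusedCause;
    private final KeyStore keystore;
    // Parallel lists: index i of each describes one chain explicitly accepted by the caller.
    private final List<X509Certificate[]> acceptedChains = new ArrayList<X509Certificate[]>();
    private final List<String> acceptedAuthTypes = new ArrayList<String>();
    private final List<String> acceptedHosts = new ArrayList<String>();
    /** Expected peer host name; {@code null} disables host-name verification entirely. */
    private String host;

    /** Why the last chain was refused. */
    public enum Cause {
        /** Neither the delegate trust manager nor the accepted-chain list trusted the chain. */
        NOT_TRUSTED,
        /** The chain is trusted but its subject does not match {@link #host}. */
        HOST_NAME_MISMATCH
    }

    /**
     * Builds the delegate trust manager from {@code keyStore}.
     *
     * <p>Algorithm/provider are tried in this order: operator-specified system properties
     * (defaulting to IbmX509/IBMJSSE2 on IBM JVMs), then SunX509 from SunJSSE, then SunX509
     * from any provider, then the JVM default algorithm. Failures are logged and the next
     * candidate is tried; if all fail, {@link #trustManager} stays {@code null} and only
     * explicitly accepted chains will be trusted.
     *
     * @param keyStore trust store handed to {@link TrustManagerFactory#init(KeyStore)}; may be
     *        {@code null} (JSSE then presumably uses its default trust store — confirm)
     */
    public ApplicationTrustManager(KeyStore keyStore) {
        this.keystore = keyStore;
        String userAlgo = System.getProperty(ALGO_PROPERTY);
        String userProvider = System.getProperty(PROVIDER_PROPERTY);
        if (userAlgo == null && Platform.isVendor("IBM")) {
            userAlgo = "IbmX509";
        }
        if (userProvider == null && Platform.isVendor("IBM")) {
            userProvider = "IBMJSSE2";
        }
        String[] providers = {userProvider, "SunJSSE", null, null};
        String[] algorithms = {userAlgo, "SunX509", "SunX509", TrustManagerFactory.getDefaultAlgorithm()};
        for (int i = 0; i < providers.length && this.trustManager == null; i++) {
            if (algorithms[i] != null) {
                this.trustManager = createTrustManager(algorithms[i], providers[i], keyStore);
            }
        }
    }

    /**
     * Creates a factory for one algorithm/provider candidate and returns its first
     * {@link X509TrustManager}, or {@code null} (after logging) if the candidate is unusable.
     * All three checked failures are handled here so the constructor can move on to the
     * next candidate.
     */
    private static X509TrustManager createTrustManager(String algorithm, String provider, KeyStore keyStore) {
        try {
            TrustManagerFactory factory = provider != null
                    ? TrustManagerFactory.getInstance(algorithm, provider)
                    : TrustManagerFactory.getInstance(algorithm);
            factory.init(keyStore);
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    return (X509TrustManager) candidate;
                }
            }
        } catch (NoSuchProviderException e) {
            logger.warn(LocalizableMessage.raw("Error with the provider: " + provider, e));
        } catch (NoSuchAlgorithmException e) {
            logger.warn(LocalizableMessage.raw("Error with the algorithm: " + algorithm, e));
        } catch (KeyStoreException e) {
            logger.warn(LocalizableMessage.raw("Error with the keystore", e));
        }
        return null;
    }

    /** {@inheritDoc} Same decision flow as {@link #checkServerTrusted}, for client chains. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, false);
    }

    /** {@inheritDoc} See the class comment for the decision flow. */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, true);
    }

    /**
     * Shared body of the two check methods.
     *
     * @param server {@code true} to consult the delegate's server check, {@code false} for client
     * @throws CertificateException always an {@code OpendsCertificateException}, via
     *         {@link #manageException}, when the chain is refused
     */
    private void checkTrusted(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
        boolean acceptedByCaller = false;
        try {
            if (this.trustManager == null) {
                verifyAcceptedCertificates(chain, authType);
                acceptedByCaller = true;
            } else {
                try {
                    if (server) {
                        this.trustManager.checkServerTrusted(chain, authType);
                    } else {
                        this.trustManager.checkClientTrusted(chain, authType);
                    }
                } catch (CertificateException notTrustedByDelegate) {
                    // Delegate refused: fall back to chains the caller explicitly accepted.
                    verifyAcceptedCertificates(chain, authType);
                    acceptedByCaller = true;
                }
            }
        } catch (CertificateException e) {
            manageException(chain, authType, e, Cause.NOT_TRUSTED);
        }
        if (acceptedByCaller) {
            // NOTE(review): an explicitly accepted chain bypasses the host-name check, so a chain
            // accepted for one host is also accepted when this.host names a different host.
            // verifyHostName already honours acceptedHosts; calling it here too would close that.
            return;
        }
        try {
            verifyHostName(chain);
        } catch (CertificateException e) {
            manageException(chain, authType, e, Cause.HOST_NAME_MISMATCH);
        }
    }

    /** Records the refused chain/auth type/cause and rethrows as {@code OpendsCertificateException}. */
    private void manageException(X509Certificate[] chain, String authType, CertificateException cause, Cause why)
            throws OpendsCertificateException {
        this.lastRefusedChain = chain;
        this.lastRefusedAuthType = authType;
        this.lastRefusedCause = why;
        throw new OpendsCertificateException(chain, cause);
    }

    /** Delegates to the underlying trust manager; empty when there is none. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        if (this.trustManager == null) {
            return new X509Certificate[0];
        }
        return this.trustManager.getAcceptedIssuers();
    }

    /**
     * Registers a chain the caller (typically the user, after a prompt) chose to trust.
     *
     * @param chain    the exact chain, compared element-wise later
     * @param authType auth type it was accepted for; must match on later checks
     * @param host     host it was accepted for; consulted only on a subject/host mismatch
     */
    public void acceptCertificate(X509Certificate[] chain, String authType, String host) {
        this.acceptedChains.add(chain);
        this.acceptedAuthTypes.add(authType);
        this.acceptedHosts.add(host);
    }

    /** Sets the expected peer host name; {@code null} turns host-name verification off. */
    public void setHost(String host) {
        this.host = host;
    }

    /** Clears the information recorded about the last refused chain. */
    public void resetLastRefusedItems() {
        this.lastRefusedAuthType = null;
        this.lastRefusedChain = null;
        this.lastRefusedCause = null;
    }

    /**
     * Returns a new instance over the same key store carrying the same accepted chains,
     * last-refused state and host. Chain arrays are shared, not cloned.
     */
    public ApplicationTrustManager createCopy() {
        ApplicationTrustManager copy = new ApplicationTrustManager(this.keystore);
        copy.lastRefusedAuthType = this.lastRefusedAuthType;
        copy.lastRefusedChain = this.lastRefusedChain;
        copy.lastRefusedCause = this.lastRefusedCause;
        copy.acceptedChains.addAll(this.acceptedChains);
        copy.acceptedAuthTypes.addAll(this.acceptedAuthTypes);
        copy.acceptedHosts.addAll(this.acceptedHosts);
        copy.host = this.host;
        return copy;
    }

    /**
     * Passes only if an identical chain was registered via {@link #acceptCertificate} with the
     * same auth type (element-wise {@link X509Certificate#equals}, same length).
     *
     * @throws CertificateException if no accepted entry matches
     */
    private void verifyAcceptedCertificates(X509Certificate[] chain, String authType) throws CertificateException {
        for (int i = 0; i < this.acceptedChains.size(); i++) {
            if (authType.equals(this.acceptedAuthTypes.get(i)) && Arrays.equals(chain, this.acceptedChains.get(i))) {
                return;
            }
        }
        throw new OpendsCertificateException("Certificate not in list of accepted certificates", chain);
    }

    /**
     * Compares the leaf certificate's subject against {@link #host}; no-op when no host is set.
     *
     * <p>Only the first AVA of the first RDN of the subject DN is compared (normally the CN);
     * subjectAltName is not consulted. On mismatch, the chain is still accepted if it was
     * registered via {@link #acceptCertificate} for a host matching {@link #host}. Any failure
     * while parsing the DN is logged and treated as a mismatch (fail closed).
     *
     * @throws CertificateException on mismatch, on an empty chain, or on a parse failure
     */
    private void verifyHostName(X509Certificate[] chain) throws CertificateException {
        if (this.host == null) {
            return;
        }
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Empty certificate chain; cannot verify host name " + this.host);
        }
        X500Principal subject = chain[0].getSubjectX500Principal();
        boolean matches = false;
        try {
            String leafName = DN.valueOf(subject.getName()).rdn().getFirstAVA().getAttributeValue().toString();
            matches = hostMatch(leafName, this.host);
            if (!matches) {
                logger.warn(LocalizableMessage.raw(
                        "Subject DN RDN value is: " + leafName + " and does not match host value: " + this.host));
                matches = acceptedForHost(chain);
            }
        } catch (Throwable t) {
            // Kept broad as in the original: a null accepted host makes hostMatch throw
            // IllegalArgumentException, and DN parsing failures end up here too. The result is a
            // refusal below, not an acceptance.
            logger.warn(LocalizableMessage.raw("Error parsing subject dn: " + subject, t));
        }
        if (!matches) {
            throw new OpendsCertificateException(
                    "Hostname mismatch between host name " + this.host + " and subject DN: " + subject, chain);
        }
    }

    /**
     * True if {@code chain} was accepted via {@link #acceptCertificate} for a host that matches
     * {@link #host}. Throws {@link IllegalArgumentException} if a stored host is {@code null}.
     */
    private boolean acceptedForHost(X509Certificate[] chain) {
        for (int i = 0; i < this.acceptedHosts.size(); i++) {
            if (hostMatch(this.acceptedHosts.get(i), this.host) && Arrays.equals(chain, this.acceptedChains.get(i))) {
                return true;
            }
        }
        return false;
    }

    /** Auth type of the last refused chain, or {@code null}. */
    public String getLastRefusedAuthType() {
        return this.lastRefusedAuthType;
    }

    /** Why the last chain was refused, or {@code null}. */
    public Cause getLastRefusedCause() {
        return this.lastRefusedCause;
    }

    /** Copy of the last refused chain, or {@code null}. */
    public X509Certificate[] getLastRefusedChain() {
        return this.lastRefusedChain == null ? null : this.lastRefusedChain.clone();
    }

    /**
     * Label-wise, case-insensitive host comparison. Both names are split on {@code '.'} and
     * must have the same number of labels; a label equal to {@code "*"} on <em>either</em> side
     * matches anything in that position. Because the wildcard is honoured on both sides, the
     * expected host should be a concrete name. Trailing empty labels are dropped by
     * {@link String#split}.
     *
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    private boolean hostMatch(String host1, String host2) {
        if (host1 == null) {
            throw new IllegalArgumentException("The host1 parameter cannot be null");
        }
        if (host2 == null) {
            throw new IllegalArgumentException("The host2 parameter cannot be null");
        }
        String[] labels1 = host1.split("\\.");
        String[] labels2 = host2.split("\\.");
        if (labels1.length != labels2.length) {
            return false;
        }
        for (int i = 0; i < labels1.length; i++) {
            boolean wildcard = "*".equals(labels1[i]) || "*".equals(labels2[i]);
            if (!wildcard && !labels1[i].equalsIgnoreCase(labels2[i])) {
                return false;
            }
        }
        return true;
    }

    /** The delegate trust manager, or {@code null} if none could be created. */
    public X509TrustManager getX509TrustManager() {
        return this.trustManager;
    }
}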
