package org.forgerock.opendj.ldap;

import com.forgerock.opendj.ldap.CoreMessages;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.ldap.schema.Schema;
import org.forgerock.util.Reject;

/* loaded from: input_file:org/forgerock/opendj/ldap/TrustManagers.class */
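/**
 * Factory methods for {@link X509TrustManager} implementations used when securing
 * LDAP connections.
 *
 * <p>The decorating trust managers returned by {@link #checkHostName} and
 * {@link #checkValidityDates} run their own check on the presented chain first and
 * only then delegate to the wrapped trust manager, so every check in the chain of
 * decorators must pass for a certificate chain to be accepted. The trust managers
 * returned by {@link #checkUsingTrustStore} and {@link #checkUsingPkcs11TrustStore}
 * are the platform's default ({@link TrustManagerFactory#getDefaultAlgorithm()})
 * trust managers backed by the given key store.
 */
public final class TrustManagers {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** OID of the X.509 subjectAltName extension (id-ce-subjectAltName). */
    private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";

    /** GeneralName type tag for dNSName, as returned by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int GENERAL_NAME_DNS = 2;

    /** GeneralName type tag for iPAddress, as returned by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int GENERAL_NAME_IP = 7;

    /**
     * Verifies that the end-entity certificate (first element of the chain) was issued
     * for the configured host name, then delegates to the wrapped trust manager.
     *
     * <p>Matching proceeds in this order:
     * <ol>
     * <li>if the configured host name is an IP literal, the SAN iPAddress entries are
     *     compared; otherwise the SAN dNSName entries are matched as patterns;</li>
     * <li>a critical SAN extension whose entries of the checked type do not match, or
     *     whose entries are all of other types, causes rejection;</li>
     * <li>otherwise the first {@code cn} value of the subject DN is matched as a pattern.</li>
     * </ol>
     *
     * <p>Pattern matching accepts a {@code *} label at <em>any</em> position, which is
     * more permissive than RFC 6125 section 6.4.3 (left-most label only); that policy
     * is retained here and documented on {@link #hostNameMatchesPattern}.
     */
    private static final class CheckHostName implements X509TrustManager {
        private final X509TrustManager trustManager;
        private final String hostName;

        private CheckHostName(final X509TrustManager trustManager, final String hostName) {
            this.trustManager = trustManager;
            this.hostName = hostName;
        }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            verifyHostName(chain);
            trustManager.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            verifyHostName(chain);
            trustManager.checkServerTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return trustManager.getAcceptedIssuers();
        }

        /**
         * Checks the end-entity certificate against the configured host name.
         *
         * @param chain
         *            the presented chain; the first element is the end-entity certificate
         * @throws CertificateException
         *             if neither the subject alternative names nor the subject CN match
         * @throws IllegalArgumentException
         *             if the chain is {@code null} or empty (the {@link X509TrustManager}
         *             contract treats this as a caller error, not a validation failure)
         */
        private void verifyHostName(final X509Certificate[] chain) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new IllegalArgumentException("null or zero-length certificate chain");
            }
            final X509Certificate endEntity = chain[0];
            final X500Principal subject = endEntity.getSubjectX500Principal();
            try {
                final List<String> dnsNames = new ArrayList<>();
                final List<String> ipAddresses = new ArrayList<>();
                final List<Object> otherNames = new ArrayList<>();
                getSanGeneralNames(endEntity, dnsNames, ipAddresses, otherNames);
                final boolean sanCritical = getSanCriticality(endEntity);

                // An IP literal host name is only ever compared against iPAddress SANs,
                // a DNS host name only against dNSName SANs.
                final InetAddress hostIp = toIpAddress(hostName);
                final boolean sanMatched = hostIp != null
                        ? verifyIpAddresses(hostIp, ipAddresses, subject, sanCritical)
                        : verifyDnsNamePatterns(hostName, dnsNames, subject, sanCritical);
                if (sanMatched) {
                    return;
                }
                // A critical SAN holding only entries we do not understand must not be
                // bypassed by falling back to the subject CN.
                if (!otherNames.isEmpty() && sanCritical) {
                    throw new CertificateException(
                            CoreMessages.ERR_CERT_NO_MATCH_ALLOTHERS.get(subject, hostName).toString());
                }
                // Legacy fallback: match the subject's first cn value. getLowestCommonName()
                // may return null, which hostNameMatchesPattern() reports as no match.
                final String commonName =
                        getLowestCommonName(DN.valueOf(subject.getName(), Schema.getCoreSchema()));
                if (!hostNameMatchesPattern(hostName, commonName)) {
                    throw new CertificateException(
                            CoreMessages.ERR_CERT_NO_MATCH_SUBJECT.get(subject, hostName).toString());
                }
            } catch (CertificateException e) {
                logger.warn(LocalizableMessage.raw("Certificate verification problem for: %s", subject), e);
                throw e;
            }
        }

        /**
         * Sorts the certificate's subject alternative names into dNSName values,
         * iPAddress values (as string literals) and everything else.
         *
         * <p>An undecodable SAN extension is treated as absent, as before, so matching
         * then falls back to the subject CN; the condition is logged so that the
         * fallback is visible in the logs rather than silent.
         *
         * @param cert
         *            the certificate to inspect
         * @param dnsNames
         *            receives dNSName entries
         * @param ipAddresses
         *            receives iPAddress entries
         * @param otherNames
         *            receives the values of all other GeneralName types
         */
        private void getSanGeneralNames(final X509Certificate cert, final List<String> dnsNames,
                final List<String> ipAddresses, final List<Object> otherNames) {
            final Collection<List<?>> altNames;
            try {
                altNames = cert.getSubjectAlternativeNames();
            } catch (CertificateParsingException e) {
                logger.warn(LocalizableMessage.raw(
                        "Unable to parse the subjectAltName extension of '%s'; falling back to the subject CN",
                        cert.getSubjectX500Principal()), e);
                return;
            }
            if (altNames == null) {
                return;
            }
            for (final List<?> generalName : altNames) {
                final int type = ((Integer) generalName.get(0)).intValue();
                final Object value = generalName.get(1);
                switch (type) {
                case GENERAL_NAME_DNS:
                    dnsNames.add((String) value);
                    break;
                case GENERAL_NAME_IP:
                    ipAddresses.add((String) value);
                    break;
                default:
                    otherNames.add(value);
                    break;
                }
            }
        }

        /**
         * Returns whether the certificate marks its subjectAltName extension as critical.
         *
         * @param cert
         *            the certificate to inspect
         * @return {@code true} if the SAN extension is present in the critical set
         */
        private boolean getSanCriticality(final X509Certificate cert) {
            final Set<String> criticalOids = cert.getCriticalExtensionOIDs();
            return criticalOids != null && criticalOids.contains(SUBJECT_ALT_NAME_OID);
        }

        /**
         * Parses a string as an IP literal.
         *
         * @param value
         *            the candidate address
         * @return the address, or {@code null} if the value is not a valid IP literal.
         *         The {@code InetAddressValidator} guard is what keeps
         *         {@link InetAddress#getByName} from performing a DNS lookup here.
         */
        private static InetAddress toIpAddress(final String value) {
            if (!InetAddressValidator.isValid(value)) {
                return null;
            }
            try {
                return InetAddress.getByName(value);
            } catch (UnknownHostException e) {
                return null;
            }
        }

        /**
         * Compares the host's IP address against the certificate's iPAddress SANs.
         *
         * @param hostIp
         *            the configured host name, parsed as an address
         * @param sanIpAddresses
         *            iPAddress SAN values; these come from
         *            {@link X509Certificate#getSubjectAlternativeNames()}, which yields
         *            literal addresses, so resolving them does not touch DNS
         * @param subject
         *            the subject, for the error message
         * @param sanCritical
         *            whether the SAN extension is critical
         * @return {@code true} on a match; {@code false} if there are no iPAddress SANs
         *         or none match and the extension is not critical
         * @throws CertificateException
         *             if the extension is critical and no iPAddress SAN matches
         */
        private boolean verifyIpAddresses(final InetAddress hostIp, final List<String> sanIpAddresses,
                final X500Principal subject, final boolean sanCritical) throws CertificateException {
            if (sanIpAddresses.isEmpty()) {
                return false;
            }
            for (final String sanIp : sanIpAddresses) {
                try {
                    if (InetAddress.getByName(sanIp).equals(hostIp)) {
                        return true;
                    }
                } catch (UnknownHostException e) {
                    // A malformed iPAddress entry cannot match anything; keep checking the rest.
                    logger.debug(LocalizableMessage.raw("Ignoring unparseable iPAddress SAN '%s' in '%s'",
                            sanIp, subject), e);
                }
            }
            if (sanCritical) {
                throw new CertificateException(CoreMessages.ERR_CERT_NO_MATCH_IP.get(subject, hostName).toString());
            }
            return false;
        }

        /**
         * Matches the host name against the certificate's dNSName SANs.
         *
         * @param host
         *            the configured host name
         * @param sanDnsNames
         *            dNSName SAN values, each treated as a pattern
         * @param subject
         *            the subject, for the error message
         * @param sanCritical
         *            whether the SAN extension is critical
         * @return {@code true} on a match; {@code false} if none match and the extension
         *         is not critical (including when there are no dNSName SANs at all)
         * @throws CertificateException
         *             if the extension is critical and no dNSName SAN matches
         */
        private boolean verifyDnsNamePatterns(final String host, final List<String> sanDnsNames,
                final X500Principal subject, final boolean sanCritical) throws CertificateException {
            for (final String pattern : sanDnsNames) {
                if (hostNameMatchesPattern(host, pattern)) {
                    return true;
                }
            }
            if (sanCritical) {
                throw new CertificateException(CoreMessages.ERR_CERT_NO_MATCH_DNS.get(subject, host).toString());
            }
            return false;
        }

        /**
         * Label-by-label, case-insensitive comparison of a host name with a pattern.
         *
         * <p>A pattern label that is exactly {@code "*"} matches any single label, at any
         * position; partial wildcards such as {@code f*.example.com} never match. Because
         * {@link String#split} drops trailing empty strings, a trailing dot on either side
         * is ignored. Both sides must have the same number of labels.
         *
         * @param name
         *            the host name to check
         * @param pattern
         *            the dNSName or CN pattern; {@code null} never matches
         * @return {@code true} if every label matches
         */
        private static boolean hostNameMatchesPattern(final String name, final String pattern) {
            if (name == null || pattern == null) {
                return false;
            }
            final String[] nameLabels = name.split("\\.");
            final String[] patternLabels = pattern.split("\\.");
            if (nameLabels.length != patternLabels.length) {
                return false;
            }
            for (int i = 0; i < nameLabels.length; i++) {
                final String patternLabel = patternLabels[i];
                if (!"*".equals(patternLabel) && !nameLabels[i].equalsIgnoreCase(patternLabel)) {
                    return false;
                }
            }
            return true;
        }

        /**
         * Returns the value of the first {@code cn} AVA found when iterating the DN.
         *
         * @param dn
         *            the subject DN
         * @return the cn value, or {@code null} if the DN has no cn attribute
         */
        private String getLowestCommonName(final DN dn) {
            // NOTE(review): the DN was parsed with the core schema but cn is looked up in the
            // default schema; this relies on AttributeType equality across schemas - confirm.
            final AttributeType cnType = Schema.getDefaultSchema().getAttributeType("cn");
            for (final RDN rdn : dn) {
                for (final AVA ava : rdn) {
                    if (ava.getAttributeType().equals(cnType)) {
                        return ava.getAttributeValue().toString();
                    }
                }
            }
            return null;
        }
    }

    /**
     * Rejects any chain in which at least one certificate is not valid at the current
     * time (expired or not yet valid), then delegates to the wrapped trust manager.
     */
    private static final class CheckValidityDates implements X509TrustManager {
        private final X509TrustManager trustManager;

        private CheckValidityDates(final X509TrustManager trustManager) {
            this.trustManager = trustManager;
        }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            verifyExpiration(chain);
            trustManager.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            verifyExpiration(chain);
            trustManager.checkServerTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return trustManager.getAcceptedIssuers();
        }

        /**
         * Checks every certificate in the chain against the current time.
         *
         * @param chain
         *            the presented chain; a {@code null} chain is left to the wrapped
         *            trust manager to reject
         * @throws CertificateExpiredException
         *             if a certificate's notAfter date has passed
         * @throws CertificateNotYetValidException
         *             if a certificate's notBefore date has not been reached
         */
        private void verifyExpiration(final X509Certificate[] chain) throws CertificateException {
            // One timestamp for the whole chain so all certificates are judged consistently.
            final Date now = new Date();
            for (final X509Certificate cert : chain) {
                try {
                    cert.checkValidity(now);
                } catch (CertificateExpiredException e) {
                    logger.warn(LocalizableMessage.raw(
                            "Refusing to trust security certificate '%s' because it expired on %s",
                            cert.getSubjectX500Principal().getName(), cert.getNotAfter()));
                    throw e;
                } catch (CertificateNotYetValidException e) {
                    logger.warn(LocalizableMessage.raw(
                            "Refusing to trust security  certificate '%s' because it is not valid until %s",
                            cert.getSubjectX500Principal().getName(), cert.getNotBefore()));
                    throw e;
                }
            }
        }
    }

    /**
     * Rejects every certificate chain and accepts no issuers: a fail-closed default for
     * contexts where no trust has been configured.
     */
    public static final class DistrustAll implements X509TrustManager {
        private static final DistrustAll INSTANCE = new DistrustAll();

        private DistrustAll() {
        }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            throw new CertificateException("All certificates are distrusted");
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            throw new CertificateException("All certificates are distrusted");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Accepts every certificate chain without inspecting it, so the peer is not
     * authenticated at all; the accepted-issuer list is empty.
     */
    private static final class TrustAll implements X509TrustManager {
        private static final TrustAll INSTANCE = new TrustAll();

        private TrustAll() {
        }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            // Intentionally empty: no validation is performed.
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            // Intentionally empty: no validation is performed.
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Wraps a trust manager so that the end-entity certificate must also have been
     * issued for {@code hostName} (via SAN iPAddress/dNSName, or failing that the
     * subject CN) before the wrapped trust manager is consulted.
     *
     * @param hostName
     *            the expected host name or IP literal
     * @param trustManager
     *            the trust manager to delegate to after the host name check
     * @return the decorating trust manager
     * @throws NullPointerException
     *             if either argument is {@code null}
     */
    public static X509TrustManager checkHostName(final String hostName, final X509TrustManager trustManager) {
        Reject.ifNull(trustManager, hostName);
        return new CheckHostName(trustManager, hostName);
    }

    /**
     * Creates a trust manager backed by the key store file at {@code file}, with no
     * password and the default key store type (see the three-argument overload).
     *
     * @param file
     *            path of the trust store file
     * @return the platform's default trust manager initialised from that store
     * @throws GeneralSecurityException
     *             if the store cannot be read or no X.509 trust manager is available
     * @throws IOException
     *             if the file cannot be read
     */
    public static X509TrustManager checkUsingTrustStore(final String file)
            throws GeneralSecurityException, IOException {
        return checkUsingTrustStore(file, null, null);
    }

    /**
     * Creates a trust manager backed by the key store file at {@code file}.
     *
     * @param file
     *            path of the trust store file
     * @param password
     *            the store password, or {@code null} if the store has none
     * @param format
     *            the key store type; when {@code null}, {@code "JKS"} is used if a FIPS
     *            provider is installed (see {@link #isFips()}) and
     *            {@link KeyStore#getDefaultType()} otherwise
     * @return the platform's default trust manager initialised from that store
     * @throws GeneralSecurityException
     *             if the store cannot be loaded or no X.509 trust manager is available
     * @throws IOException
     *             if the file cannot be read
     * @throws NullPointerException
     *             if {@code file} is {@code null}
     */
    public static X509TrustManager checkUsingTrustStore(final String file, final char[] password,
            final String format) throws GeneralSecurityException, IOException {
        Reject.ifNull(file);
        final String type;
        if (format != null) {
            type = format;
        } else if (isFips()) {
            type = "JKS";
        } else {
            type = KeyStore.getDefaultType();
        }
        final KeyStore keyStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(new File(file))) {
            keyStore.load(in, password);
        }
        return firstX509TrustManager(keyStore);
    }

    /**
     * Creates a trust manager backed by the installed PKCS#11 provider's key store.
     *
     * @return the platform's default trust manager initialised from the PKCS#11 store
     * @throws GeneralSecurityException
     *             if no PKCS#11 key store is available, it cannot be loaded, or no X.509
     *             trust manager is available
     * @throws IOException
     *             if loading the key store fails with an I/O error
     */
    public static X509TrustManager checkUsingPkcs11TrustStore() throws GeneralSecurityException, IOException {
        final KeyStore keyStore = KeyStore.getInstance("PKCS11");
        keyStore.load(null, null);
        return firstX509TrustManager(keyStore);
    }

    /**
     * Initialises the default {@link TrustManagerFactory} from the key store and
     * returns the first {@link X509TrustManager} it produces.
     *
     * @param keyStore
     *            the loaded trust store
     * @return the first X.509 trust manager
     * @throws GeneralSecurityException
     *             if the factory cannot be created or initialised
     * @throws NoSuchAlgorithmException
     *             if the factory produced no {@link X509TrustManager}
     */
    private static X509TrustManager firstX509TrustManager(final KeyStore keyStore)
            throws GeneralSecurityException {
        final String algorithm = TrustManagerFactory.getDefaultAlgorithm();
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
        factory.init(keyStore);
        for (final TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new NoSuchAlgorithmException("No X509TrustManager available for algorithm " + algorithm);
    }

    /**
     * Returns whether any installed security provider has "fips" in its name
     * (case-insensitively).
     *
     * @return {@code true} if a FIPS provider appears to be installed
     */
    public static boolean isFips() {
        for (final Provider provider : Security.getProviders()) {
            // Locale.ROOT: in a Turkish default locale "FIPS".toLowerCase() would yield a
            // dotless i and the match would silently fail.
            if (provider.getName().toLowerCase(Locale.ROOT).contains("fips")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Wraps a trust manager so that every certificate in the chain must be within its
     * validity period at the time of the check.
     *
     * @param trustManager
     *            the trust manager to delegate to after the validity check
     * @return the decorating trust manager
     * @throws NullPointerException
     *             if {@code trustManager} is {@code null}
     */
    public static X509TrustManager checkValidityDates(final X509TrustManager trustManager) {
        Reject.ifNull(trustManager);
        return new CheckValidityDates(trustManager);
    }

    /**
     * Returns a trust manager that rejects every certificate chain.
     *
     * @return the shared distrust-all instance
     */
    public static X509TrustManager distrustAll() {
        return DistrustAll.INSTANCE;
    }

    /**
     * Returns a trust manager that accepts every certificate chain without validation,
     * i.e. one that does not authenticate the peer.
     *
     * @return the shared trust-all instance
     */
    public static X509TrustManager trustAll() {
        return TrustAll.INSTANCE;
    }

    private TrustManagers() {
        // Static factory holder; not instantiable.
    }
}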
