package jptools.net.ssl.trustmanager;

import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import jptools.logger.Level;
import jptools.logger.LogInformation;
import jptools.logger.Logger;
import jptools.logger.StackTraceLogger;
import jptools.net.ssl.SSLConfig;
import jptools.parser.LDAPParser;
import jptools.parser.ParseException;
import jptools.resource.Configurator;
import jptools.security.cert.PKIUtil;
import jptools.util.ByteArray;

/* loaded from: input_file:jptools/net/ssl/trustmanager/AbstractJPToolsTrustManager.class */
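/**
 * Base {@link javax.net.ssl.X509TrustManager} that accepts a peer certificate chain only when
 * it is pinned in an explicitly configured trust store.
 *
 * <p>Trust model (strict, exact-match pinning -- NOT CA trust): every certificate of a presented
 * chain, the leaf and each intermediate, must be byte-identical to a certificate registered via
 * {@link SSLConfig#TRUSTED_CERTIFICATES} or {@link #addTrustedCertificate(X509Certificate)}.
 * In addition the chain signatures must verify (project {@code PKIUtil.verifyCertificateChain}),
 * every certificate must be inside its validity period and, when {@link SSLConfig#HOST_TO_VERIFY}
 * is configured, that host name must equal a dNSName subjectAltName or the subject CN of the leaf.
 * Revocation (CRL/OCSP), key usage and basic constraints are NOT checked here.
 *
 * <p>Security defaults: server chains are verified unless {@link SSLConfig#CHECK_SERVER_CERTIFICATE}
 * is explicitly {@code false}, and certificates presented by a server are NOT added to the trust
 * store unless {@link SSLConfig#TRUST_SERVER_CERTIFICATE} is explicitly {@code true} (or
 * {@link #trustServerCertificate(X509Certificate)} is overridden). Either opt-out disables peer
 * authentication (the presented chain is pinned before it is checked, or not checked at all) and
 * is logged as a warning on every handshake. A null or empty chain fails closed.
 *
 * <p>Thread-safety: the trust store is synchronized. {@link #getCheckResult()} and the static
 * "last chain" accessors are plain shared slots overwritten by every verification on any
 * instance; they are only meaningful if the caller serialises handshakes.
 */
public abstract class AbstractJPToolsTrustManager implements JPToolsTrustManager {
    /** Result codes reported by {@link #getCheckResult()} after a verification. */
    private static final int CERT_NOT_CHECKED = 0;
    private static final int CERT_CHECKFAILED = 1;
    private static final int CERT_INVALIDSIGNATURE = 2;
    private static final int CERT_CERTEXPIRED = 3;
    private static final int CERT_CAEXPIRED = 4;
    private static final int CERT_UNKNOWNCA = 5;
    private static final int CERT_INVALIDCOMMONNAME = 6;

    /** GeneralName tag of dNSName (RFC 5280) as returned by {@code getSubjectAlternativeNames()}. */
    private static final Integer SAN_DNS_NAME = Integer.valueOf(2);

    private LogInformation logInfo = null;
    private SSLConfig config = null;
    /**
     * Exact certificates that are trusted, leafs and CAs alike. Membership is by certificate
     * (encoded-bytes equality), so several trusted certificates sharing one issuer no longer
     * overwrite each other. Synchronized because the trust hook may add entries mid-handshake.
     */
    private final Set<X509Certificate> trustedCerts = Collections.synchronizedSet(new HashSet<X509Certificate>());
    /** Outcome of the most recent verification on this instance (shared by all connections). */
    private volatile int certCheckResult = CERT_NOT_CHECKED;
    /** Last chains seen by ANY instance; recorded before verification so a rejected chain is inspectable. */
    private static volatile X509Certificate[] lastClientCertificateChain;
    private static volatile X509Certificate[] lastServerCertificateChain;

    /**
     * Creates a trust manager with an empty trust store. Also clears the static "last chain"
     * slots (historical behaviour: this clears what other instances recorded as well).
     */
    public AbstractJPToolsTrustManager() {
        lastClientCertificateChain = null;
        lastServerCertificateChain = null;
    }

    @Override // jptools.net.ssl.trustmanager.JPToolsTrustManager
    public LogInformation getLogInformation() {
        return this.logInfo;
    }

    @Override // jptools.net.ssl.trustmanager.JPToolsTrustManager
    public void setLogInformation(LogInformation logInformation) {
        this.logInfo = logInformation;
    }

    @Override // jptools.net.ssl.trustmanager.JPToolsTrustManager
    public SSLConfig getSSLConfig() {
        return this.config;
    }

    /**
     * Installs the configuration and pins every certificate found in the
     * {@link SSLConfig#TRUSTED_CERTIFICATES} sub-configuration (each value is parsed through
     * {@code PKIUtil.formatPKCS7} / {@code getX509Certificates}; one value may yield several
     * certificates). Values that do not parse are logged and skipped, they do not abort setup.
     *
     * @param sSLConfig the SSL configuration (must not be null)
     */
    @Override // jptools.net.ssl.trustmanager.JPToolsTrustManager
    public void setSSLConfig(SSLConfig sSLConfig) {
        this.config = sSLConfig;
        Properties subConfig = Configurator.getSubConfig(sSLConfig.getProperties(), SSLConfig.TRUSTED_CERTIFICATES, true);
        if (subConfig == null || subConfig.isEmpty()) {
            return;
        }
        PKIUtil pkiUtil = new PKIUtil(getLogInformation());
        for (String key : subConfig.stringPropertyNames()) {
            String pem = subConfig.getProperty(key);
            if (pem == null || pem.isEmpty()) {
                continue;
            }
            try {
                for (X509Certificate cert : pkiUtil.getX509Certificates(pkiUtil.formatPKCS7(new ByteArray(pem)))) {
                    addTrustedCertificate(cert);
                }
            } catch (CertificateException e) {
                getLogger().error(getLogInformation(), "Could not create certificate from '" + pem + "'!", e);
            }
        }
    }

    /**
     * Pins {@code cert}: it is accepted as leaf or intermediate when presented byte-identical.
     * Trust is by exact certificate, not by issuer name. Null is ignored.
     *
     * @param cert certificate to trust
     */
    public void addTrustedCertificate(X509Certificate cert) {
        if (cert == null) {
            return;
        }
        Logger logger = getLogger();
        if (logger.isDebugEnabled()) {
            logger.debug(getLogInformation(), "Adding trust certificate: " + cert.getSubjectDN() + " (issuer: " + cert.getIssuerDN() + ")");
        }
        this.trustedCerts.add(cert);
    }

    /**
     * Client side of the {@link javax.net.ssl.X509TrustManager} contract: the presented chain is
     * always fully verified (there is no opt-out for client certificates).
     *
     * @param chain    client chain, leaf first
     * @param authType authentication type string from JSSE (logging only)
     * @throws CertificateException     if the chain is not trusted
     * @throws IllegalArgumentException if the chain is null or empty (per interface contract)
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireNonEmptyChain(chain, "client");
        lastClientCertificateChain = chain;
        // NOTE(review): verifyCertificateChain also applies the HOST_TO_VERIFY name check to this
        // client leaf if that property is set in a server-side configuration -- confirm intended.
        verifyCertificateChain(chain, authType);
    }

    public static X509Certificate[] getLastClientCertificateChain() {
        return lastClientCertificateChain;
    }

    /**
     * Server side of the {@link javax.net.ssl.X509TrustManager} contract.
     *
     * <p>Order matters: the configuration must exist before the trust hook reads it; the hook
     * ({@link #trustServerCertificate}) may pin presented certificates BEFORE verification, which
     * makes the subsequent verification pass for them -- that is the insecure, explicit opt-in
     * {@link SSLConfig#TRUST_SERVER_CERTIFICATE}. Verification itself runs unless
     * {@link SSLConfig#CHECK_SERVER_CERTIFICATE} is explicitly false. Both opt-outs are logged.
     *
     * @param chain    server chain, leaf first
     * @param authType key exchange algorithm string from JSSE (logging only)
     * @throws CertificateException     if verification is enabled and the chain is not trusted
     * @throws IllegalArgumentException if the chain is null or empty
     * @throws IllegalStateException    if no configuration was set
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireNonEmptyChain(chain, "server");
        lastServerCertificateChain = chain;
        if (this.config == null) {
            throw new IllegalStateException("No SSL configuration found!");
        }
        Logger logger = getLogger();
        if (logger.isDebugEnabled()) {
            PKIUtil pkiUtil = new PKIUtil(getLogInformation());
            for (int i = 0; i < chain.length; i++) {
                logger.debug(getLogInformation(), "Server certificate #" + (i + 1) + ": \n" + pkiUtil.formatPKCS7(chain[i]));
            }
        }
        boolean pinnedPresented = false;
        for (X509Certificate cert : chain) {
            if (trustServerCertificate(cert)) {
                addTrustedCertificate(cert);
                pinnedPresented = true;
            }
        }
        if (pinnedPresented) {
            logger.warn(getLogInformation(), "Presented server certificate(s) were added to the trust store before verification (TRUST_SERVER_CERTIFICATE); the peer is NOT authenticated!");
        }
        if (!this.config.getPropertyAsBoolean(SSLConfig.CHECK_SERVER_CERTIFICATE, "true")) {
            logger.warn(getLogInformation(), "Server certificate verification is disabled (CHECK_SERVER_CERTIFICATE=false); the peer is NOT authenticated!");
            return;
        }
        verifyCertificateChain(chain, authType);
    }

    public static X509Certificate[] getLastServerCertificateChain() {
        return lastServerCertificateChain;
    }

    /**
     * @return the result code of the most recent verification on this instance
     *         (0 = not checked, 1 = generic failure, 2 = bad signature, 3 = leaf expired/not yet
     *         valid, 4 = CA expired/not yet valid, 5 = not pinned, 6 = host name mismatch)
     */
    public int getCheckResult() {
        return this.certCheckResult;
    }

    /**
     * Full verification of a presented chain against this trust store; {@code chain[0]} is the
     * end-entity certificate, {@code chain[1..]} its issuers in order as delivered by JSSE.
     *
     * <p>Checks run in this order, the first failure wins and sets the result code: chain
     * signatures (project PKIUtil), host name (only when configured), leaf pinned and valid,
     * each intermediate pinned and valid. Revocation, key usage and basic constraints are not
     * checked.
     *
     * @param chain    peer chain, must be non-empty (an empty chain fails closed)
     * @param authType algorithm string from JSSE, used for logging only
     * @throws CertificateException if any check fails; {@link #getCheckResult()} tells which
     */
    public void verifyCertificateChain(X509Certificate[] chain, String authType) throws CertificateException {
        this.certCheckResult = CERT_NOT_CHECKED;
        if (chain == null || chain.length == 0) {
            throw fail(CERT_CHECKFAILED, "Empty certificate chain on Certificate Verification", null);
        }
        checkCertificateChain(chain);
        Logger logger = getLogger();
        logger.info(this.logInfo, "Check " + authType + " certificate(s)...");
        if (logger.isDebugEnabled()) {
            logger.increaseHierarchyLevel(this.logInfo);
            new PKIUtil(getLogInformation()).logCertificate(Level.DEBUG, this.logInfo, chain);
            logger.decreaseHierarchyLevel(this.logInfo);
        }
        X509Certificate leaf = chain[0];
        checkHostname(leaf);
        checkCertificate(leaf);
        for (int i = 1; i < chain.length; i++) {
            X509Certificate ca = chain[i];
            // Intermediates must be pinned too (exact match), then be inside their validity period.
            if (!this.trustedCerts.contains(ca)) {
                throw fail(CERT_UNKNOWNCA, "Unknown CA, Server Certificate Verification", null);
            }
            checkCACertificate(ca);
        }
        logger.info(this.logInfo, "Checked successful " + authType + " certificate(s).");
    }

    /**
     * Binds the leaf to the configured {@link SSLConfig#HOST_TO_VERIFY}: accepted if the host
     * name equals (case-insensitively) a dNSName subjectAltName or, failing that, the subject CN.
     * Exact match only, wildcard names are not supported. Skipped when no host name is configured.
     */
    private void checkHostname(X509Certificate leaf) throws CertificateException {
        String hostname = getHostname();
        if (hostname == null || hostname.isEmpty()) {
            // NOTE(review): without HOST_TO_VERIFY a pinned certificate is accepted for any host.
            return;
        }
        // Legacy getSubjectDN() string format is what LDAPParser is fed in the original code; kept.
        String subject = leaf.getSubjectDN().getName();
        if (subject == null) {
            throw fail(CERT_CHECKFAILED, "Fatal Error on Server Certificate Verification", null);
        }
        Collection<List<?>> sans;
        try {
            sans = leaf.getSubjectAlternativeNames(); // null when the extension is absent
        } catch (CertificateException e) {
            // Unparsable SAN extension: fail closed instead of silently falling back to the CN.
            throw fail(CERT_INVALIDCOMMONNAME, "Invalid subjectAltName extension on Server Certificate Verification", e);
        }
        if (sans != null) {
            for (List<?> san : sans) {
                if (san.size() >= 2 && SAN_DNS_NAME.equals(san.get(0)) && hostname.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return;
                }
            }
        }
        String cn;
        try {
            cn = new LDAPParser(subject).parse().get("CN");
        } catch (ParseException e) {
            throw fail(CERT_INVALIDCOMMONNAME, "Invalid common name (" + subject + ")", e);
        }
        if (!hostname.equalsIgnoreCase(cn)) {
            throw fail(CERT_INVALIDCOMMONNAME, "Common Name of Certificate different from Servername on Server Certificate Verification ([" + hostname + "] != [" + cn + "])", null);
        }
    }

    /**
     * Leaf check: the certificate itself must be pinned in the trust store (exact match; the
     * "Unknown CA" wording is historical) and inside its validity period.
     *
     * @param cert the end-entity certificate
     * @throws CertificateException if not pinned, expired or not yet valid
     */
    protected void checkCertificate(X509Certificate cert) throws CertificateException {
        if (!this.trustedCerts.contains(cert)) {
            Logger logger = getLogger();
            if (logger.isDebugEnabled()) {
                logger.debug(getLogInformation(), "Unknown CA, Server Certificate for '" + cert.getIssuerDN().getName() + "':\n" + new PKIUtil(getLogInformation()).formatPKCS7(cert));
            }
            throw fail(CERT_UNKNOWNCA, "Unknown CA, Server Certificate Verification", null);
        }
        checkValidity(cert, CERT_CERTEXPIRED, "Certificate");
    }

    /**
     * Intermediate/CA check: validity period only (pinning is enforced by the caller).
     *
     * @param cert a CA certificate of the presented chain
     * @throws CertificateException if expired or not yet valid
     */
    protected void checkCACertificate(X509Certificate cert) throws CertificateException {
        checkValidity(cert, CERT_CAEXPIRED, "CA Certificate");
    }

    /** Validity-period check shared by leaf and CA; the result code distinguishes the two. */
    private void checkValidity(X509Certificate cert, int expiredCode, String what) throws CertificateException {
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException e) {
            throw fail(expiredCode, what + " Expired on Server Certificate Verification", e);
        } catch (CertificateNotYetValidException e) {
            throw fail(expiredCode, what + " Not Yet Valid on Server Certificate Verification", e);
        } catch (RuntimeException e) {
            throw fail(CERT_CHECKFAILED, "Fatal Error on Server Certificate Verification", e);
        }
    }

    /**
     * Delegates signature/chain verification to the project's {@code PKIUtil} and maps its
     * exceptions onto result codes, preserving the cause.
     *
     * @param chain peer chain, leaf first
     * @throws CertificateException if the chain does not verify
     */
    protected void checkCertificateChain(X509Certificate[] chain) throws CertificateException {
        try {
            new PKIUtil(getLogInformation()).verifyCertificateChain(chain);
        } catch (SignatureException e) {
            throw fail(CERT_INVALIDSIGNATURE, "Invalid Signature Error on Server Certificate Verification", e);
        } catch (CertificateExpiredException e) {
            throw fail(CERT_CERTEXPIRED, "Certificate Expired on Server Certificate Verification", e);
        } catch (CertificateNotYetValidException e) {
            throw fail(CERT_CERTEXPIRED, "Certificate Not Yet Valid on Server Certificate Verification", e);
        } catch (Exception e) {
            throw fail(CERT_CHECKFAILED, "Fatal Error on Server Certificate Verification", e);
        }
    }

    /**
     * Records a failure: sets the result code, logs a warning with a stack trace, and builds the
     * exception for the caller to throw (the {@code throw fail(...)} idiom keeps flow analysis
     * obvious). The cause, when present, is attached so diagnostics are not lost.
     */
    private CertificateException fail(int code, String message, Throwable cause) {
        this.certCheckResult = code;
        StackTraceLogger.getInstance().log(3, message + ": ", Level.WARN, getLogInformation());
        return cause == null ? new CertificateException(message + "!") : new CertificateException(message + "!", cause);
    }

    /**
     * Enforces the X509TrustManager contract: a null or empty chain is an
     * {@link IllegalArgumentException}. (It used to be merely logged -- and, for servers, accepted.)
     */
    private void requireNonEmptyChain(X509Certificate[] chain, String peer) {
        if (chain == null || chain.length == 0) {
            getLogger().warn(getLogInformation(), "The received " + peer + " certificate was empty!");
            throw new IllegalArgumentException("The received " + peer + " certificate chain was null or empty!");
        }
    }

    /**
     * Trust hook consulted for every certificate a server presents. Returning true pins the
     * certificate before verification, i.e. accepts it without authentication (trust on
     * presentation). Default: {@link SSLConfig#TRUST_SERVER_CERTIFICATE}, which is off unless
     * explicitly set to true. Subclasses may override (e.g. an interactive confirmation).
     *
     * @param cert a presented server certificate
     * @return true to pin the presented certificate as-is
     */
    protected boolean trustServerCertificate(X509Certificate cert) {
        return getSSLConfig().getPropertyAsBoolean(SSLConfig.TRUST_SERVER_CERTIFICATE, "false");
    }

    protected abstract Logger getLogger();

    /** @return the configured {@link SSLConfig#HOST_TO_VERIFY}, or null when not set. */
    private String getHostname() {
        return getSSLConfig().getProperty(SSLConfig.HOST_TO_VERIFY);
    }
}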
