package org.apache.zookeeper.common;

import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.X509ExtendedTrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/zookeeper-3.9.1.jar:org/apache/zookeeper/common/ZKTrustManager.class */
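/**
 * Trust manager that wraps another {@link X509ExtendedTrustManager} and, after the delegate has
 * accepted a certificate chain, optionally checks that the peer's network identity matches the
 * leaf certificate.
 *
 * <p>Chain validation is always done by the delegate. The extra identity check is applied
 * only by the {@link Socket} and {@link SSLEngine} overloads, and only when the matching flag
 * (client or server) was enabled at construction time. The two-argument overloads have no
 * connection information, so they delegate and perform no host verification even when the
 * flags are enabled.
 *
 * <p>Every failure of the identity check is reported as a {@link CertificateException}, so a
 * missing peer address or an empty chain rejects the handshake instead of escaping as an
 * unchecked exception.
 */
public class ZKTrustManager extends X509ExtendedTrustManager {
    private static final Logger LOG = LoggerFactory.getLogger(ZKTrustManager.class);

    // Delegate that performs the actual certificate path validation.
    private final X509ExtendedTrustManager x509ExtendedTrustManager;
    // When true, checkServerTrusted(..., Socket/SSLEngine) also verifies the server's identity.
    private final boolean serverHostnameVerificationEnabled;
    // When true, checkClientTrusted(..., Socket/SSLEngine) also verifies the client's identity.
    private final boolean clientHostnameVerificationEnabled;
    // Matches a host address or host name against the names in a certificate.
    private final ZKHostnameVerifier hostnameVerifier;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a trust manager that uses a default {@link ZKHostnameVerifier}.
     *
     * @param x509ExtendedTrustManager delegate that validates certificate chains
     * @param serverHostnameVerificationEnabled whether to verify the identity of servers
     * @param clientHostnameVerificationEnabled whether to verify the identity of clients
     */
    public ZKTrustManager(
            X509ExtendedTrustManager x509ExtendedTrustManager,
            boolean serverHostnameVerificationEnabled,
            boolean clientHostnameVerificationEnabled) {
        this(
                x509ExtendedTrustManager,
                serverHostnameVerificationEnabled,
                clientHostnameVerificationEnabled,
                new ZKHostnameVerifier());
    }

    /**
     * Creates a trust manager with an explicit hostname verifier.
     *
     * @param x509ExtendedTrustManager delegate that validates certificate chains
     * @param serverHostnameVerificationEnabled whether to verify the identity of servers
     * @param clientHostnameVerificationEnabled whether to verify the identity of clients
     * @param hostnameVerifier verifier used to match a host against the leaf certificate
     */
    ZKTrustManager(
            X509ExtendedTrustManager x509ExtendedTrustManager,
            boolean serverHostnameVerificationEnabled,
            boolean clientHostnameVerificationEnabled,
            ZKHostnameVerifier hostnameVerifier) {
        this.x509ExtendedTrustManager = x509ExtendedTrustManager;
        this.serverHostnameVerificationEnabled = serverHostnameVerificationEnabled;
        this.clientHostnameVerificationEnabled = clientHostnameVerificationEnabled;
        this.hostnameVerifier = hostnameVerifier;
    }

    /** Returns the issuers accepted by the delegate trust manager. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return x509ExtendedTrustManager.getAcceptedIssuers();
    }

    /**
     * Validates a client chain through the delegate and, if client hostname verification is
     * enabled, checks the socket's remote address against the leaf certificate.
     *
     * @throws CertificateException if the delegate rejects the chain, the socket has no remote
     *     address, or the peer identity does not match the certificate
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        x509ExtendedTrustManager.checkClientTrusted(chain, authType, socket);
        if (clientHostnameVerificationEnabled) {
            InetAddress peer = peerAddressOf(socket);
            LOG.debug("Check client trusted socket.getInetAddress(): {}, {}", peer, socket);
            performHostVerification(peer, leafOf(chain));
        }
    }

    /**
     * Validates a server chain through the delegate and, if server hostname verification is
     * enabled, checks the socket's remote address against the leaf certificate.
     *
     * @throws CertificateException if the delegate rejects the chain, the socket has no remote
     *     address, or the peer identity does not match the certificate
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        x509ExtendedTrustManager.checkServerTrusted(chain, authType, socket);
        if (serverHostnameVerificationEnabled) {
            InetAddress peer = peerAddressOf(socket);
            LOG.debug("Check server trusted socket.getInetAddress(): {}, {}", peer, socket);
            performHostVerification(peer, leafOf(chain));
        }
    }

    /**
     * Validates a client chain through the delegate and, if client hostname verification is
     * enabled, resolves the engine's peer host and checks it against the leaf certificate.
     *
     * @throws CertificateException if the delegate rejects the chain, the engine carries no peer
     *     host, the peer host cannot be resolved, or the identity does not match
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        x509ExtendedTrustManager.checkClientTrusted(chain, authType, engine);
        if (clientHostnameVerificationEnabled) {
            InetAddress peer = peerAddressOf(engine);
            LOG.debug("Check client trusted engine.getPeerHost(): {}, {}", engine.getPeerHost(), engine);
            performHostVerification(peer, leafOf(chain));
        }
    }

    /**
     * Validates a server chain through the delegate and, if server hostname verification is
     * enabled, resolves the engine's peer host and checks it against the leaf certificate.
     *
     * @throws CertificateException if the delegate rejects the chain, the engine carries no peer
     *     host, the peer host cannot be resolved, or the identity does not match
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        x509ExtendedTrustManager.checkServerTrusted(chain, authType, engine);
        if (serverHostnameVerificationEnabled) {
            InetAddress peer = peerAddressOf(engine);
            LOG.debug("Check server trusted engine.getPeerHost(): {}, {}", engine.getPeerHost(), engine);
            performHostVerification(peer, leafOf(chain));
        }
    }

    /**
     * Validates a client chain through the delegate only. No connection is available here, so
     * no host verification is performed regardless of the configured flags.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        x509ExtendedTrustManager.checkClientTrusted(chain, authType);
    }

    /**
     * Validates a server chain through the delegate only. No connection is available here, so
     * no host verification is performed regardless of the configured flags.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        x509ExtendedTrustManager.checkServerTrusted(chain, authType);
    }

    /** Returns the socket's remote address, rejecting a null or unconnected socket. */
    private static InetAddress peerAddressOf(Socket socket) throws CertificateException {
        // Socket.getInetAddress() is null for an unconnected socket; without this guard the
        // identity check would end in a NullPointerException instead of a handshake rejection.
        InetAddress address = socket == null ? null : socket.getInetAddress();
        if (address == null) {
            throw new CertificateException("Failed to verify host: socket has no remote address");
        }
        return address;
    }

    /** Resolves the engine's peer host, rejecting an engine that carries none. */
    private static InetAddress peerAddressOf(SSLEngine engine) throws CertificateException {
        String peerHost = engine == null ? null : engine.getPeerHost();
        // InetAddress.getByName() maps a null or empty host to a loopback address, so a missing
        // peer host would be verified as the local machine rather than as the real peer.
        if (peerHost == null || peerHost.isEmpty()) {
            throw new CertificateException("Failed to verify host: SSLEngine has no peer host");
        }
        try {
            return InetAddress.getByName(peerHost);
        } catch (UnknownHostException e) {
            throw new CertificateException("Failed to verify host", e);
        }
    }

    /** Returns the first certificate of the chain, rejecting a null or empty chain. */
    private static X509Certificate leafOf(X509Certificate[] chain) throws CertificateException {
        // The delegate is expected to reject such chains already; this keeps the indexing safe
        // if a delegate implementation does not.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Failed to verify host: certificate chain is empty");
        }
        return chain[0];
    }

    /**
     * Verifies the peer against the certificate, first by literal IP address and then, if that
     * fails, by host name.
     *
     * <p>NOTE(review): the fallback uses {@link InetAddress#getHostName()}, which may perform a
     * reverse name lookup when the address was not created from a name. The name matched
     * against the certificate then comes from the resolver, not from the TLS handshake, so this
     * check is only as trustworthy as the name service. Certificates carrying IP address
     * entries avoid the fallback.
     *
     * @param inetAddress address of the peer; must not be null
     * @param certificate leaf certificate presented by the peer
     * @throws CertificateException if neither the address nor the host name matches
     */
    private void performHostVerification(InetAddress inetAddress, X509Certificate certificate)
            throws CertificateException {
        String hostAddress = inetAddress.getHostAddress();
        try {
            LOG.debug("Trying to verify host address first: {}", hostAddress);
            hostnameVerifier.verify(hostAddress, certificate);
        } catch (SSLException addressFailure) {
            String hostName = inetAddress.getHostName();
            LOG.debug("Failed to verify host address: {}, trying to verify host name: {}", hostAddress, hostName);
            try {
                hostnameVerifier.verify(hostName, certificate);
            } catch (SSLException nameFailure) {
                LOG.error("Failed to verify host address: {}", hostAddress, addressFailure);
                LOG.error("Failed to verify hostname: {}", hostName, nameFailure);
                CertificateException failure =
                        new CertificateException("Failed to verify both host address and host name", nameFailure);
                // Keep the first failure attached so callers that only see the exception still
                // learn why the address check was rejected.
                failure.addSuppressed(addressFailure);
                throw failure;
            }
        }
    }
}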
