package net.consensys.cava.net.tls;

import java.net.Socket;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import net.consensys.cava.bytes.Bytes;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;

/* loaded from: input_file:net/consensys/cava/net/tls/ClientFingerprintTrustManager.class */
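/**
 * Server-side trust manager that authenticates TLS clients by pinned certificate fingerprints.
 *
 * <p>The fingerprint of the first certificate in the presented chain (as computed by
 * {@code TLS.certificateFingerprint}) is looked up in a {@link FingerprintRepository} under the
 * common name (CN) of that certificate's subject.
 *
 * <p>Security properties to keep in mind when choosing a mode:
 *
 * <ul>
 *   <li>Only the first certificate of the chain is examined. This class does not build or verify
 *       a chain and does not check issuer, validity period or revocation; trust rests entirely on
 *       the contents of the fingerprint repository.
 *   <li>The lookup key is the CN read from the certificate the peer presents, so the name is
 *       self-asserted until a fingerprint has been pinned for it.
 *   <li>{@link #record(Path)} never rejects a certificate and therefore authenticates nothing; it
 *       only collects fingerprints.
 * </ul>
 *
 * <p>Server certificates are not handled: every {@code checkServerTrusted} overload throws
 * {@link UnsupportedOperationException}.
 */
final class ClientFingerprintTrustManager extends X509ExtendedTrustManager {
    private static final X509Certificate[] EMPTY_X509_CERTIFICATES = new X509Certificate[0];
    private final FingerprintRepository repository;
    // When true, a certificate whose CN has no entry in the repository is accepted and stored.
    private final boolean acceptNewFingerprints;
    // When true, a certificate whose CN is known under a different fingerprint is accepted and stored.
    private final boolean updateFingerprints;

    /**
     * Creates a manager that accepts every client certificate and passes its fingerprint to the
     * repository, whether the CN is new or already known under another fingerprint.
     *
     * <p>This mode performs no authentication.
     *
     * @param path location handed to the {@link FingerprintRepository}
     * @return a manager in record mode
     */
    public static ClientFingerprintTrustManager record(Path path) {
        return new ClientFingerprintTrustManager(path, true, true);
    }

    /**
     * Creates a trust-on-first-use style manager: a CN that has no entry yet is accepted and its
     * fingerprint stored; a known CN presenting a different fingerprint is rejected.
     *
     * @param path location handed to the {@link FingerprintRepository}
     * @return a manager that pins on first contact
     */
    public static ClientFingerprintTrustManager tofa(Path path) {
        return new ClientFingerprintTrustManager(path, true, false);
    }

    /**
     * Creates a manager that accepts only (CN, fingerprint) pairs already present in the
     * repository. In this mode nothing is ever added to the repository.
     *
     * @param path location handed to the {@link FingerprintRepository}
     * @return a manager in whitelist mode
     */
    public static ClientFingerprintTrustManager whitelist(Path path) {
        return new ClientFingerprintTrustManager(path, false, false);
    }

    private ClientFingerprintTrustManager(Path path, boolean acceptNewFingerprints, boolean updateFingerprints) {
        this.repository = new FingerprintRepository(path);
        this.acceptNewFingerprints = acceptNewFingerprints;
        this.updateFingerprints = updateFingerprints;
    }

    /**
     * Checks the client's first certificate against the fingerprint repository.
     *
     * @throws CertificateException if the certificate is rejected, cannot be encoded, or has no CN
     * @throws IllegalArgumentException if {@code chain} is null or empty
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        checkTrusted(leafOf(chain));
    }

    /** Not supported; this manager only validates clients. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) {
        throw new UnsupportedOperationException();
    }

    /**
     * Checks the client's first certificate against the fingerprint repository.
     *
     * @throws CertificateException if the certificate is rejected, cannot be encoded, or has no CN
     * @throws IllegalArgumentException if {@code chain} is null or empty
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        checkTrusted(leafOf(chain));
    }

    /** Not supported; this manager only validates clients. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
        throw new UnsupportedOperationException();
    }

    /** Not supported; only the Socket and SSLEngine overloads validate clients. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        throw new UnsupportedOperationException();
    }

    /** Not supported; this manager only validates clients. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        throw new UnsupportedOperationException();
    }

    /**
     * Returns the first certificate of the chain, rejecting a missing chain up front.
     *
     * <p>The X509TrustManager contract specifies IllegalArgumentException for a null or
     * zero-length chain; without this guard the caller would see an unchecked
     * NullPointerException or ArrayIndexOutOfBoundsException instead.
     */
    private static X509Certificate leafOf(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Client certificate chain is null or empty");
        }
        return chain[0];
    }

    /**
     * Extracts the subject common name that is used as the repository key.
     *
     * @throws CertificateException if the certificate cannot be encoded or its subject has no CN
     */
    private static String commonNameOf(X509Certificate certificate) throws CertificateException {
        JcaX509CertificateHolder holder = new JcaX509CertificateHolder(certificate);
        // A subject without a CN yields an empty array; fail the handshake with a checked
        // CertificateException rather than an ArrayIndexOutOfBoundsException.
        if (holder.getSubject().getRDNs(BCStyle.CN).length == 0) {
            throw new CertificateException("Client certificate subject has no common name");
        }
        // NOTE(review): for a multi-valued RDN getFirst() returns its first attribute, which may
        // not be the CN itself — confirm whether such subjects need handling.
        return IETFUtils.valueToString(holder.getSubject().getRDNs(BCStyle.CN)[0].getFirst().getValue());
    }

    /**
     * Applies the pinning policy selected at construction time to one client certificate.
     *
     * <p>The CN and subject DN placed in the exception messages come from the peer's certificate
     * and should be treated as untrusted text wherever those messages are logged or displayed.
     *
     * @throws CertificateException if the fingerprint is unknown or changed and the mode forbids it
     */
    private void checkTrusted(X509Certificate certificate) throws CertificateException {
        String commonName = commonNameOf(certificate);
        Bytes fingerprint = Bytes.wrap(TLS.certificateFingerprint(certificate));

        // Exact (CN, fingerprint) match: already pinned, nothing to record.
        if (this.repository.contains(commonName, fingerprint)) {
            return;
        }

        if (this.repository.contains(commonName)) {
            // Known CN, different fingerprint: only record mode lets the new fingerprint through.
            if (!this.updateFingerprints) {
                throw new CertificateException(String.format("Client identification has changed!! Certificate for %s (%s) has fingerprint %s", commonName, certificate.getSubjectDN(), fingerprint.toHexString().substring(2).toLowerCase()));
            }
        } else if (!this.acceptNewFingerprints) {
            // Unknown CN: rejected in whitelist mode.
            throw new CertificateException(String.format("Certificate for %s (%s) has unknown fingerprint %s", commonName, certificate.getSubjectDN(), fingerprint.toHexString().substring(2).toLowerCase()));
        }

        // Reached only in record mode, or in tofa mode for a CN seen for the first time.
        this.repository.addFingerprint(commonName, fingerprint);
    }

    /** Returns an empty array: this manager trusts by fingerprint, not by issuer. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return EMPTY_X509_CERTIFICATES;
    }
}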
