package org.snmp4j.transport.tls;

import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.snmp4j.TransportStateReference;
import org.snmp4j.event.CounterEvent;
import org.snmp4j.log.LogAdapter;
import org.snmp4j.log.LogFactory;
import org.snmp4j.mp.CounterSupport;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.smi.IpAddress;
import org.snmp4j.smi.OctetString;

/* loaded from: input_file:org/snmp4j/transport/tls/TLSTMExtendedTrustManager.class */
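/**
 * Trust manager of the SNMP TLS Transport Model (TLSTM).
 * <p>
 * It wraps a delegate {@link X509TrustManager} (normally the JRE's) and layers the TLSTM-specific
 * decisions on top of it:
 * <ul>
 *   <li>fingerprint pinning from the {@link TransportStateReference}'s certified identity — a
 *       matching fingerprint accepts the peer without consulting the delegate,</li>
 *   <li>application-level acceptance through the optional {@link TlsTmSecurityCallback},</li>
 *   <li>the {@code snmpTlstm*} error counters, incremented whenever a peer certificate is rejected.</li>
 * </ul>
 * Every {@code check*Trusted} overload follows the same sequence: a TLSTM pre-check that may accept the
 * peer outright, delegation to the wrapped trust manager, and (for server certificates) the callback
 * post-check. The three client overloads and the three server overloads are otherwise identical; the
 * socket/engine variants pass the connection through to the delegate only if it is an
 * {@link X509ExtendedTrustManager}.
 * <p>
 * This class never mutates its own fields after construction; it is as thread-safe as the delegate
 * and the callback it was constructed with.
 */
public class TLSTMExtendedTrustManager extends X509ExtendedTrustManager {
    private static final LogAdapter logger = LogFactory.getLogger((Class<?>) TLSTMExtendedTrustManager.class);

    /** GeneralName type tag of a dNSName entry, as used by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_TYPE_DNS_NAME = 2;

    /** Delegate trust manager that performs the actual certification path validation. */
    X509TrustManager trustManager;
    /** {@code true} when this side is the TLS client, i.e. it authenticates servers. */
    private final boolean useClientMode;
    /** Per-connection state: certified identity (fingerprints) and peer address. May be {@code null}. */
    private final TransportStateReference tmStateReference;
    /** Receiver of the {@code snmpTlstm*} counter increment events. */
    private final CounterSupport tlstmCounters;
    /** Optional application hook for issuer / client / server acceptance decisions. May be {@code null}. */
    private final TlsTmSecurityCallback<X509Certificate> securityCallback;

    /**
     * Creates a TLSTM trust manager around {@code x509TrustManager}.
     *
     * @param counterSupport          receives the {@code snmpTlstm*} error counter events
     * @param tlsTmSecurityCallback   optional application callback for acceptance decisions, may be {@code null}
     * @param x509TrustManager        delegate trust manager used for certification path validation
     * @param useClientMode           {@code true} if this trust manager runs on the TLS client side
     * @param transportStateReference per-connection state holding the certified identity and the peer address
     */
    public TLSTMExtendedTrustManager(CounterSupport counterSupport, TlsTmSecurityCallback<X509Certificate> tlsTmSecurityCallback, X509TrustManager x509TrustManager, boolean useClientMode, TransportStateReference transportStateReference) {
        this.tlstmCounters = counterSupport;
        this.securityCallback = tlsTmSecurityCallback;
        this.trustManager = x509TrustManager;
        this.useClientMode = useClientMode;
        this.tmStateReference = transportStateReference;
    }

    /**
     * Rejects a {@code null} or empty chain up front, as the {@link X509TrustManager} contract requires.
     * Without this, the first {@code chain[0]} access would surface as an unrelated runtime exception
     * (and could mask the real {@link CertificateException} inside the failure-reporting code).
     *
     * @throws IllegalArgumentException if {@code chain} is {@code null} or has no certificates
     */
    private static void requireChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
    }

    /** Bumps the session-open and invalid-client-certificate counters and logs the rejected end-entity certificate. */
    private void reportClientCertificateFailure(X509Certificate[] chain) {
        this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionOpenErrors));
        this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionInvalidClientCertificates));
        logger.warn("Client certificate validation failed for '" + chain[0] + "'");
    }

    /** Bumps the session-open and unknown-server-certificate counters and logs the rejected end-entity certificate. */
    private void reportServerCertificateFailure(X509Certificate[] chain) {
        this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionOpenErrors));
        this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionUnknownServerCertificate));
        logger.warn("Server certificate validation failed for '" + chain[0] + "'");
    }

    /**
     * Validates a client certificate chain: TLSTM pre-check first, then the delegate.
     *
     * @param chain    the peer's certificate chain, end-entity certificate first
     * @param authType the key exchange algorithm name as passed by JSSE
     * @throws CertificateException     if the delegate rejects the chain (counters are incremented first)
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireChain(chain);
        if (checkClientTrustedIntern(chain)) {
            return;
        }
        try {
            this.trustManager.checkClientTrusted(chain, authType);
        } catch (CertificateException e) {
            reportClientCertificateFailure(chain);
            throw e;
        }
    }

    /**
     * Validates a server certificate chain: TLSTM pre-check, then the delegate, then the callback post-check.
     *
     * @param chain    the peer's certificate chain, end-entity certificate first
     * @param authType the key exchange algorithm name as passed by JSSE
     * @throws CertificateException     if the delegate or the application callback rejects the chain
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireChain(chain);
        if (preCheckServerTrusted(chain)) {
            return;
        }
        try {
            this.trustManager.checkServerTrusted(chain, authType);
            postCheckServerTrusted(chain);
        } catch (CertificateException e) {
            reportServerCertificateFailure(chain);
            throw e;
        }
    }

    /**
     * Compares the configured fingerprint against every certificate in {@code chain}.
     * <p>
     * NOTE(review): the loop accepts a match on <em>any</em> certificate of the presented chain, and a
     * match short-circuits the delegate's path validation in the callers. A fingerprint that identifies a
     * CA certificate would therefore be satisfied by any chain that merely includes that CA certificate;
     * configured fingerprints should identify the peer's end-entity certificate.
     *
     * @param chain       the peer's certificate chain, may be {@code null}
     * @param fingerprint the expected fingerprint; {@code null} or empty disables fingerprint matching
     * @return {@code true} if some certificate in the chain has exactly this fingerprint
     */
    private boolean isMatchingFingerprint(X509Certificate[] chain, OctetString fingerprint) {
        if (fingerprint == null || fingerprint.length() <= 0 || chain == null) {
            return false;
        }
        for (X509Certificate cert : chain) {
            OctetString actual = TLSTMUtil.getFingerprint(cert);
            if (logger.isDebugEnabled()) {
                logger.debug("Comparing certificate fingerprint " + actual + " with " + fingerprint);
            }
            if (actual == null) {
                // Fingerprint computation failed (e.g. unsupported algorithm); this certificate simply cannot match.
                logger.error("Failed to determine fingerprint for certificate " + cert + " and algorithm " + cert.getSigAlgName());
                continue;
            }
            if (actual.equals(fingerprint)) {
                if (logger.isInfoEnabled()) {
                    logger.info("Peer is trusted by fingerprint '" + fingerprint + "' of certificate: '" + cert + "'");
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the delegate's accepted issuers, filtered through
     * {@link TlsTmSecurityCallback#isAcceptedIssuer} when a callback is configured.
     *
     * @return the accepted issuer certificates; passes a {@code null} delegate result through unchanged
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] issuers = this.trustManager.getAcceptedIssuers();
        if (issuers == null || this.securityCallback == null) {
            return issuers;
        }
        List<X509Certificate> accepted = new ArrayList<>(issuers.length);
        for (X509Certificate issuer : issuers) {
            if (this.securityCallback.isAcceptedIssuer(issuer)) {
                accepted.add(issuer);
            }
        }
        return accepted.toArray(new X509Certificate[0]);
    }

    /**
     * Socket variant of {@link #checkClientTrusted(X509Certificate[], String)}. The socket is forwarded
     * to the delegate only if it is an {@link X509ExtendedTrustManager}; a plain delegate never sees the
     * connection and so cannot apply connection-specific checks such as JSSE endpoint identification.
     *
     * @throws CertificateException     if the delegate rejects the chain
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        logger.debug("checkClientTrusted with socket");
        requireChain(chain);
        if (checkClientTrustedIntern(chain)) {
            return;
        }
        try {
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                logger.debug("extended checkClientTrusted with socket");
                ((X509ExtendedTrustManager) this.trustManager).checkClientTrusted(chain, authType, socket);
            } else {
                this.trustManager.checkClientTrusted(chain, authType);
            }
        } catch (CertificateException e) {
            reportClientCertificateFailure(chain);
            throw e;
        }
    }

    /**
     * Socket variant of {@link #checkServerTrusted(X509Certificate[], String)}; see
     * {@link #checkClientTrusted(X509Certificate[], String, Socket)} for how the socket is forwarded.
     *
     * @throws CertificateException     if the delegate or the application callback rejects the chain
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        // Log text corrected: this is the server-side check (the old message said "checkClientTrusted").
        logger.debug("checkServerTrusted with socket");
        requireChain(chain);
        if (preCheckServerTrusted(chain)) {
            return;
        }
        try {
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                logger.debug("extended checkServerTrusted with socket");
                ((X509ExtendedTrustManager) this.trustManager).checkServerTrusted(chain, authType, socket);
            } else {
                this.trustManager.checkServerTrusted(chain, authType);
            }
            postCheckServerTrusted(chain);
        } catch (CertificateException e) {
            reportServerCertificateFailure(chain);
            throw e;
        }
    }

    /**
     * Application post-check for server certificates, run only after the delegate accepted the chain and
     * only on the client side with a callback configured.
     *
     * @throws CertificateException if {@link TlsTmSecurityCallback#isServerCertificateAccepted} rejects the chain
     */
    private void postCheckServerTrusted(X509Certificate[] chain) throws CertificateException {
        if (!this.useClientMode || this.securityCallback == null) {
            return;
        }
        if (this.securityCallback.isServerCertificateAccepted(chain)) {
            return;
        }
        logger.info("Server is NOT trusted with certificate '" + Arrays.asList(chain) + "'");
        throw new CertificateException("Server's certificate is not trusted by this application (although it was trusted by the JRE): " + Arrays.asList(chain));
    }

    /**
     * TLSTM pre-check for server certificates, run before the delegate trust manager. The peer is accepted
     * ({@code true}) when either
     * <ol>
     *   <li>the configured server fingerprint matches a certificate of the chain, or</li>
     *   <li>the canonical host name of the peer address matches the dNSName of the end-entity certificate
     *       (or, if it has none, the whole RFC 2253 subject DN string returned by {@link X500Principal#getName()}).</li>
     * </ol>
     * NOTE(review): case 2 accepts the chain without any certification path validation by the delegate —
     * a name match alone is treated as proof of identity. RFC 6353 expects name-based server
     * authentication to be combined with path validation; only the fingerprint case is a pinning
     * decision. The host name compared against comes from a reverse lookup of the peer address
     * ({@code getCanonicalHostName()}), which this application does not control. Confirm this policy is
     * intended before relying on name matching without a configured fingerprint. A wildcard name
     * ({@code *.example}) is matched by dropping the first label of the host name; nothing limits the
     * wildcard to a particular label depth.
     *
     * @param chain the peer's certificate chain, end-entity certificate first (non-empty)
     * @return {@code true} to accept the peer without delegating, {@code false} to continue with the delegate
     */
    private boolean preCheckServerTrusted(X509Certificate[] chain) {
        if (this.tmStateReference == null) {
            // No connection state means neither a fingerprint nor a peer address to match against.
            return false;
        }
        if (this.tmStateReference.getCertifiedIdentity() != null
                && isMatchingFingerprint(chain, this.tmStateReference.getCertifiedIdentity().getServerFingerprint())) {
            return true;
        }
        Object nameEntry = null;
        try {
            nameEntry = TLSTMUtil.getSubjAltName(chain[0].getSubjectAlternativeNames(), SAN_TYPE_DNS_NAME);
        } catch (CertificateParsingException e) {
            logger.error("CertificateParsingException while verifying server certificate " + Arrays.asList(chain));
        }
        if (nameEntry == null) {
            // Fallback: the full subject DN string, so this only matches when the whole DN equals the host name.
            X500Principal subject = chain[0].getSubjectX500Principal();
            if (subject != null) {
                nameEntry = subject.getName();
            }
        }
        if (nameEntry == null) {
            return false;
        }
        Object address = this.tmStateReference.getAddress();
        if (!(address instanceof IpAddress) || ((IpAddress) address).getInetAddress() == null) {
            // Nothing to compare the name against; leave the decision to the delegate instead of failing here.
            logger.debug("No IP address available for peer " + address + ", skipping host name match");
            return false;
        }
        String dnsName = ((String) nameEntry).toLowerCase(Locale.ROOT);
        String hostName = ((IpAddress) address).getInetAddress().getCanonicalHostName();
        if (!dnsName.isEmpty()) {
            if (dnsName.charAt(0) == '*') {
                int firstDot = hostName.indexOf('.');
                if (firstDot < 0) {
                    // A single-label host name has no parent domain to match a wildcard against
                    // (the previous substring(-1) here threw StringIndexOutOfBoundsException).
                    logger.debug("Peer hostname " + hostName + " has no domain part to match wildcard " + dnsName);
                    return false;
                }
                hostName = hostName.substring(firstDot);
                dnsName = dnsName.substring(1);
            }
            if (hostName.equalsIgnoreCase(dnsName)) {
                if (logger.isInfoEnabled()) {
                    logger.info("Peer hostname " + hostName + " matches dNSName " + dnsName);
                }
                return true;
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Peer hostname " + hostName + " did not match dNSName " + dnsName);
        }
        return false;
    }

    /**
     * SSLEngine variant of {@link #checkClientTrusted(X509Certificate[], String)}; the engine is forwarded
     * to the delegate only if it is an {@link X509ExtendedTrustManager}.
     *
     * @throws CertificateException     if the delegate rejects the chain
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
        logger.debug("checkClientTrusted with sslEngine");
        requireChain(chain);
        if (checkClientTrustedIntern(chain)) {
            return;
        }
        try {
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                logger.debug("extended checkClientTrusted with sslEngine");
                ((X509ExtendedTrustManager) this.trustManager).checkClientTrusted(chain, authType, sslEngine);
            } else {
                this.trustManager.checkClientTrusted(chain, authType);
            }
        } catch (CertificateException e) {
            reportClientCertificateFailure(chain);
            throw e;
        }
    }

    /**
     * TLSTM pre-check for client certificates. Accepts the peer ({@code true}) when the configured client
     * fingerprint matches a certificate of the chain, or — on the server side only — when the application
     * callback accepts the end-entity certificate.
     * <p>
     * NOTE(review): a {@code true} here skips the delegate's path validation entirely, so a callback that
     * returns {@code true} carries the full authentication decision for that peer.
     *
     * @param chain the peer's certificate chain, end-entity certificate first (non-empty)
     * @return {@code true} to accept the peer without delegating, {@code false} to continue with the delegate
     */
    private boolean checkClientTrustedIntern(X509Certificate[] chain) {
        if (this.tmStateReference != null && this.tmStateReference.getCertifiedIdentity() != null
                && isMatchingFingerprint(chain, this.tmStateReference.getCertifiedIdentity().getClientFingerprint())) {
            return true;
        }
        if (!this.useClientMode && this.securityCallback != null
                && this.securityCallback.isClientCertificateAccepted(chain[0])) {
            if (logger.isInfoEnabled()) {
                logger.info("Client is trusted with certificate '" + chain[0] + "'");
            }
            return true;
        }
        return false;
    }

    /**
     * SSLEngine variant of {@link #checkServerTrusted(X509Certificate[], String)}; the engine is forwarded
     * to the delegate only if it is an {@link X509ExtendedTrustManager}.
     *
     * @throws CertificateException     if the delegate or the application callback rejects the chain
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
        logger.debug("checkServerTrusted with sslEngine");
        requireChain(chain);
        if (preCheckServerTrusted(chain)) {
            return;
        }
        try {
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                logger.debug("extended checkServerTrusted with sslEngine");
                ((X509ExtendedTrustManager) this.trustManager).checkServerTrusted(chain, authType, sslEngine);
            } else {
                this.trustManager.checkServerTrusted(chain, authType);
            }
            postCheckServerTrusted(chain);
        } catch (CertificateException e) {
            reportServerCertificateFailure(chain);
            throw e;
        }
    }
}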
