package com.ghc.ssl;

import com.ghc.identity.IdentityObject;
import com.ghc.identity.IdentityStoreResource;
import com.ghc.ssl.nls.GHMessages;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERUTF8String;

/* loaded from: input_file:com/ghc/ssl/SSLTrustManager.class */
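/**
 * {@link X509TrustManager} whose checks are switched on and off by three constructor flags.
 *
 * <ul>
 *   <li>{@code performAuthentication == false}: every chain is accepted without inspection.</li>
 *   <li>{@code verifyCerts}: each certificate must be signed by the next one in the presented
 *       chain and be within its validity period; for servers the configured host must also
 *       match the leaf's CN or a subject alternative name.</li>
 *   <li>{@code specifyTrusted}: the leaf must be present in the trust store, or some certificate
 *       of the chain must be signed by a certificate held in the trust store.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The delegate trust manager is only used by {@link #getAcceptedIssuers()}; it is never
 *       asked to validate a chain.</li>
 *   <li>With {@code verifyCerts} alone the chain is checked for internal consistency only and is
 *       not tied to any trust anchor. With {@code specifyTrusted} alone the leaf is not proven to
 *       chain to the anchored certificate. Enable both for a meaningful check.</li>
 *   <li>Basic constraints, key usage and revocation are not evaluated anywhere in this class.</li>
 *   <li>The listener list is a plain {@link ArrayList}; no synchronisation is performed here.</li>
 * </ul>
 */
public class SSLTrustManager implements X509TrustManager {
    private static final String SIGNATURE_NOT_VERIFIED =
            "A remote certificate matching the provided root certificate was found. However the signature could not be verified. ";

    private final List<HandshakeFailedListener> m_listeners = new ArrayList<>();
    private final IdentityStoreResource m_trustStore;
    private final X509TrustManager m_trustManager;
    private final boolean m_specifyTrusted;
    private final boolean m_verifyCerts;
    private final boolean m_performAuthentication;
    private final String m_host;

    /**
     * @param trustManager          delegate consulted only for {@link #getAcceptedIssuers()}; may be null
     * @param trustStore            store that supplies the trusted certificates; may be null
     * @param host                  host name the server certificate is matched against
     * @param specifyTrusted        require the chain to be anchored in {@code trustStore}
     * @param verifyCerts           verify chain signatures, validity dates and (servers) the host name
     * @param performAuthentication master switch; when false no check is performed at all
     */
    public SSLTrustManager(X509TrustManager trustManager, IdentityStoreResource trustStore, String host,
            boolean specifyTrusted, boolean verifyCerts, boolean performAuthentication) {
        this.m_trustStore = trustStore;
        this.m_trustManager = trustManager;
        this.m_specifyTrusted = specifyTrusted;
        this.m_verifyCerts = verifyCerts;
        this.m_performAuthentication = performAuthentication;
        this.m_host = host;
    }

    /** Registers a listener unless it is already registered. */
    public void addHandshakeFailedListener(HandshakeFailedListener handshakeFailedListener) {
        if (!this.m_listeners.contains(handshakeFailedListener)) {
            this.m_listeners.add(handshakeFailedListener);
        }
    }

    /** Unregisters a listener; unknown listeners are ignored. */
    public void removeHandshakeFailedListener(HandshakeFailedListener handshakeFailedListener) {
        this.m_listeners.remove(handshakeFailedListener);
    }

    /**
     * Runs the chain checks enabled by the constructor flags. Listeners are notified before a
     * {@link CertificateException} leaves this method.
     *
     * @param x509CertificateArr peer chain, leaf first
     * @throws CertificateException     if an enabled check fails
     * @throws IllegalArgumentException if authentication is enabled and the chain is null or empty
     */
    public void checkTrusted(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (!this.m_performAuthentication) {
            return;
        }
        // An empty chain previously slipped through the verifyCerts loops untouched and only
        // failed (with an index error) when specifyTrusted was set. Reject it up front, as the
        // X509TrustManager contract prescribes.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be null or empty");
        }
        try {
            if (this.m_verifyCerts) {
                verifyChainLinkage(x509CertificateArr);
            }
            if (this.m_specifyTrusted) {
                verifyAnchoredInTrustStore(x509CertificateArr);
            }
        } catch (CertificateException e) {
            X_fireHandshakeFailed();
            // Same exception type and message as before, but keep the cause for diagnostics.
            throw new CertificateException(e.getMessage(), e);
        }
    }

    /**
     * Checks that every certificate is issued and signed by its successor in the presented chain
     * and that all certificates are currently valid. Does not consult any trust anchor.
     */
    private static void verifyChainLinkage(X509Certificate[] chain) throws CertificateException {
        for (int i = 1; i < chain.length; i++) {
            X509Certificate issued = chain[i - 1];
            X509Certificate issuer = chain[i];
            if (!issuer.getSubjectDN().equals(issued.getIssuerDN())) {
                throw new CertificateException("Subject/Issuer verification failed");
            }
            try {
                issued.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                throw new CertificateException(e);
            }
        }
        for (X509Certificate certificate : chain) {
            certificate.checkValidity();
        }
    }

    /**
     * Accepts the chain when its leaf equals a trust-store certificate, or when any certificate
     * of the chain names a trust-store certificate as issuer and its signature verifies with
     * that certificate's public key.
     */
    private void verifyAnchoredInTrustStore(X509Certificate[] chain) throws CertificateException {
        List<X509Certificate> trusted = X_getTrustedCertificates();
        if (trusted.isEmpty()) {
            throw new CertificateException("Specified trusted certificates but no trusted certificates were found in the keystore");
        }
        for (X509Certificate anchor : trusted) {
            if (anchor.equals(chain[0])) {
                return;
            }
        }
        String verifyFailure = null;
        // Walk from the far end of the chain towards the leaf.
        for (int i = chain.length - 1; i >= 0; i--) {
            X509Certificate candidate = chain[i];
            Principal issuer = candidate.getIssuerDN();
            for (X509Certificate anchor : trusted) {
                if (!issuer.equals(anchor.getSubjectDN())) {
                    continue;
                }
                try {
                    candidate.verify(anchor.getPublicKey());
                    return;
                } catch (NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
                    // Remember the reason and keep looking; another anchor may share the subject.
                    verifyFailure = SIGNATURE_NOT_VERIFIED + e.getMessage();
                }
            }
        }
        if (verifyFailure == null) {
            throw new CertificateException("The remote certificate issuer was not found within the trust store");
        }
        throw new CertificateException(verifyFailure);
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (this.m_trustManager == null) {
            return new X509Certificate[0];
        }
        return this.m_trustManager.getAcceptedIssuers();
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkTrusted(x509CertificateArr);
    }

    /**
     * Runs {@link #checkTrusted} and, when authentication and certificate verification are both
     * enabled, matches the configured host against the leaf certificate.
     *
     * <p>Listeners are notified only for failures raised by {@link #checkTrusted}; a host name
     * mismatch is reported through the exception alone.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkTrusted(x509CertificateArr);
        if (!this.m_performAuthentication || !this.m_verifyCerts) {
            return;
        }
        if (this.m_host == null) {
            throw new CertificateException(GHMessages.SSLTrustManager_nullHostError);
        }
        X509Certificate leaf = x509CertificateArr[0];
        Collection<List<?>> alternativeNames = leaf.getSubjectAlternativeNames();
        if (alternativeNames == null) {
            checkCN(leaf);
            return;
        }
        // NOTE(review): the CN is tried first and the SAN list only on CN failure, so a CN match
        // is accepted even when SAN entries exist. RFC 6125 gives SAN entries precedence.
        try {
            checkCN(leaf);
        } catch (CertificateException ignored) {
            checkAlternativeNames(alternativeNames);
        }
    }

    /**
     * Extracts the text after the first {@code CN=} (or {@code cn=}) of the subject DN, cut at
     * the next comma, and matches it against the host.
     *
     * <p>NOTE(review): this is plain substring parsing of the DN string. A {@code CN=} sequence
     * inside another attribute's value, or an escaped comma inside the CN, is not handled;
     * consider parsing the DN structurally.
     */
    private void checkCN(X509Certificate x509Certificate) throws CertificateException {
        String name = x509Certificate.getSubjectDN().getName();
        int cnStart = name.indexOf("CN=");
        if (cnStart == -1) {
            cnStart = name.indexOf("cn=");
        }
        if (cnStart != -1) {
            name = name.substring(cnStart + 3);
        }
        int comma = name.indexOf(',');
        if (comma != -1) {
            name = name.substring(0, comma);
        }
        if (!checkSubject(name)) {
            throw new CertificateException(MessageFormat.format(GHMessages.SSLTrustManager_principalMatchFail, name, this.m_host));
        }
    }

    /**
     * Succeeds as soon as one subject alternative name matches the host; otherwise fails with a
     * message listing the names that were tried.
     *
     * <p>NOTE(review): the entry type (element 0 of each entry) is not inspected, so values of
     * every SAN type are compared with the host, not only dNSName / iPAddress entries.
     */
    private void checkAlternativeNames(Collection<List<?>> collection) throws CertificateException {
        List<String> rejected = new ArrayList<>(collection.size());
        for (List<?> entry : collection) {
            Object value = entry.get(1);
            String candidate = null;
            if (value instanceof String) {
                candidate = (String) value;
            } else if (value instanceof byte[]) {
                try {
                    candidate = convertASN1Name((byte[]) value);
                } catch (IOException e) {
                    // An undecodable entry is logged and skipped; the remaining entries still count.
                    Logger.getLogger(getClass().getName()).log(Level.SEVERE, "Failed to process ASN1 name", (Throwable) e);
                }
            }
            if (candidate == null) {
                continue;
            }
            if (checkSubject(candidate)) {
                return;
            }
            rejected.add(candidate);
        }
        throw new CertificateException(MessageFormat.format(GHMessages.SSLTrustManager_hostNameMatchFail, rejected, this.m_host));
    }

    /**
     * Decodes an octet string that wraps a UTF8String.
     *
     * @return the decoded text, or null when the bytes do not have that shape
     */
    private String convertASN1Name(byte[] bArr) throws IOException {
        DERObject outer = toDERObject(bArr);
        if (!(outer instanceof DEROctetString)) {
            return null;
        }
        DERObject inner = toDERObject(((DEROctetString) outer).getOctets());
        if (inner instanceof DERUTF8String) {
            return DERUTF8String.getInstance(inner).getString();
        }
        return null;
    }

    /** Reads the first ASN.1 object from the given bytes; the stream is always closed. */
    private DERObject toDERObject(byte[] bArr) throws IOException {
        try (ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(bArr))) {
            return asn1Stream.readObject();
        }
    }

    /**
     * Matches a certificate name against the configured host. {@code *} in the certificate name
     * is a wildcard; every other character is compared literally.
     *
     * <p>The name comes from the peer's certificate, so it must never reach the regex engine
     * unquoted. The previous {@code replaceAll("\\.", "\\.")} left dots unescaped (the
     * replacement string collapses to a bare dot), which let {@code .} match any character and
     * let other metacharacters in the name act as regex syntax.
     *
     * <p>NOTE(review): the wildcard still spans label separators and may appear anywhere in the
     * name, and the comparison is case-sensitive; RFC 6125 is stricter on the first two points.
     */
    private boolean checkSubject(String str) {
        if (this.m_host == null) {
            return false;
        }
        StringBuilder regex = new StringBuilder();
        boolean lastWasWildcard = false;
        int literalStart = 0;
        for (int i = 0; i <= str.length(); i++) {
            boolean atEnd = i == str.length();
            if (!atEnd && str.charAt(i) != '*') {
                continue;
            }
            if (i > literalStart) {
                regex.append(Pattern.quote(str.substring(literalStart, i)));
                lastWasWildcard = false;
            }
            // Collapse runs of '*' so a crafted name cannot stack quantifiers.
            if (!atEnd && !lastWasWildcard) {
                regex.append(".*");
                lastWasWildcard = true;
            }
            literalStart = i + 1;
        }
        return Pattern.matches(regex.toString(), this.m_host);
    }

    /**
     * Collects the X.509 certificates of all trust-store entries whose type is
     * {@code TRUSTED_CERTIFICATE_ENTRY} or {@code KEY_ENTRY}. Returns an empty list when no
     * trust store is configured.
     *
     * <p>NOTE(review): key entries are accepted as trust anchors alongside trusted-certificate
     * entries; confirm that is intended for the stores used here.
     */
    private List<X509Certificate> X_getTrustedCertificates() throws CertificateException {
        List<X509Certificate> trusted = new ArrayList<>();
        if (this.m_trustStore == null) {
            return trusted;
        }
        try {
            Enumeration<String> aliases = this.m_trustStore.getKeyStore().aliases();
            while (aliases.hasMoreElements()) {
                IdentityObject identityObject = this.m_trustStore.getIdentityObject(aliases.nextElement());
                if (identityObject == null) {
                    continue;
                }
                boolean usable = identityObject.entryType().equals(KeyIdObject.TRUSTED_CERTIFICATE_ENTRY)
                        || identityObject.entryType().equals(KeyIdObject.KEY_ENTRY);
                if (!usable) {
                    continue;
                }
                // Skip null or non-X.509 entries instead of letting them fail later in the
                // comparison loops.
                Object certificate = identityObject.getCertificate();
                if (certificate instanceof X509Certificate) {
                    trusted.add((X509Certificate) certificate);
                }
            }
        } catch (KeyStoreException e) {
            throw new CertificateException(e);
        }
        return trusted;
    }

    /** Notifies every registered listener that the handshake was rejected. */
    private void X_fireHandshakeFailed() {
        // Index-based on purpose: the size is re-read on every step, as in the original loop.
        for (int i = 0; i < this.m_listeners.size(); i++) {
            this.m_listeners.get(i).onHandshakeFailed();
        }
    }
}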
