package org.snmp4j.transport.tls;

import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.snmp4j.TransportStateReference;
import org.snmp4j.event.CounterEvent;
import org.snmp4j.log.LogAdapter;
import org.snmp4j.log.LogFactory;
import org.snmp4j.mp.CounterSupport;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.smi.IpAddress;
import org.snmp4j.smi.OctetString;

/* JADX WARN: Classes with same name are omitted:
  input_file:org/snmp4j/transport/tls/TlsTrustManager.class
 */
/* loaded from: input_file:commons-updater.jar:org/snmp4j/transport/tls/TlsTrustManager.class */
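/**
 * {@link X509TrustManager} decorator that layers fingerprint pinning and an
 * application callback on top of a delegate trust manager, and maintains the
 * TLSTM session error counters.
 *
 * <p>Decision order for a presented chain:
 * <ol>
 *   <li>If the transport state reference carries a certified identity whose
 *       pinned fingerprint equals the fingerprint of a presented certificate,
 *       the peer is accepted.</li>
 *   <li>Client chains only: when this instance is not in client mode and the
 *       security callback accepts the leaf certificate, the peer is accepted.</li>
 *   <li>Otherwise the delegate trust manager validates the chain. For server
 *       chains in client mode, the security callback may additionally veto a
 *       chain that the delegate accepted.</li>
 * </ol>
 *
 * <p><b>Security:</b> a match between the peer's host name and the
 * certificate's dNSName is logged but never accepted as proof of identity.
 * The name inside a certificate is chosen by whoever created the certificate,
 * and the host name compared against it comes from a reverse DNS lookup, so
 * neither value authenticates the peer without chain validation.
 */
public class TlsTrustManager implements X509TrustManager {
    /** GeneralName type of a dNSName entry in the subjectAltName extension. */
    private static final int SUBJ_ALT_NAME_DNS = 2;

    private final LogAdapter LOGGER = LogFactory.getLogger(TlsTrustManager.class);
    // Left package-private and non-final: other classes in this package may read or replace it.
    X509TrustManager trustManager;
    private final boolean useClientMode;
    private final TransportStateReference tmStateReference;
    private final CounterSupport tlstmCounters;
    private final TlsTmSecurityCallback<X509Certificate> securityCallback;

    /**
     * Creates the decorator.
     *
     * @param x509TrustManager the delegate that performs chain validation
     * @param z {@code true} if this side acts as the TLS client
     * @param transportStateReference supplies the certified identity (pinned fingerprints)
     *     and the peer address; may be {@code null}
     * @param counterSupport receives the session error counter events
     * @param tlsTmSecurityCallback optional application callback; may be {@code null}
     */
    public TlsTrustManager(X509TrustManager x509TrustManager, boolean z, TransportStateReference transportStateReference, CounterSupport counterSupport, TlsTmSecurityCallback<X509Certificate> tlsTmSecurityCallback) {
        this.trustManager = x509TrustManager;
        this.useClientMode = z;
        this.tmStateReference = transportStateReference;
        this.tlstmCounters = counterSupport;
        this.securityCallback = tlsTmSecurityCallback;
    }

    /**
     * Validates a client certificate chain.
     *
     * @param x509CertificateArr the peer's certificate chain, leaf first
     * @param str the authentication type, passed through to the delegate
     * @throws CertificateException if neither the pinned fingerprint, the callback nor the
     *     delegate trust manager accepts the chain
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireNonEmptyChain(x509CertificateArr);
        if (isMatchingFingerprint(x509CertificateArr, pinnedClientFingerprint())) {
            return;
        }
        // The callback decision replaces chain validation: the application vouches for the
        // leaf certificate itself, so the delegate is not consulted on this path.
        TlsTmSecurityCallback<X509Certificate> callback = this.securityCallback;
        if (!this.useClientMode && callback != null && callback.isClientCertificateAccepted(x509CertificateArr[0])) {
            if (this.LOGGER.isInfoEnabled()) {
                this.LOGGER.info("Client is trusted with certificate '" + x509CertificateArr[0] + "'");
            }
            return;
        }
        try {
            this.trustManager.checkClientTrusted(x509CertificateArr, str);
        } catch (CertificateException e) {
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionOpenErrors));
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionInvalidClientCertificates));
            this.LOGGER.warn("Client certificate validation failed for '" + x509CertificateArr[0] + "'");
            throw e;
        }
    }

    /**
     * Validates a server certificate chain.
     *
     * <p>Unless a pinned fingerprint matches, the delegate trust manager always validates
     * the chain. A host name match is reported in the log only; it does not short-circuit
     * validation and does not bypass the security callback.
     *
     * @param x509CertificateArr the peer's certificate chain, leaf first
     * @param str the authentication type, passed through to the delegate
     * @throws CertificateException if the delegate rejects the chain, or if this instance is
     *     in client mode and the security callback rejects it
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireNonEmptyChain(x509CertificateArr);
        if (isMatchingFingerprint(x509CertificateArr, pinnedServerFingerprint())) {
            return;
        }
        // Diagnostic only: see the class comment for why a name match is not a trust decision.
        logPeerHostnameComparison(x509CertificateArr[0]);
        try {
            this.trustManager.checkServerTrusted(x509CertificateArr, str);
            TlsTmSecurityCallback<X509Certificate> callback = this.securityCallback;
            if (this.useClientMode && callback != null && !callback.isServerCertificateAccepted(x509CertificateArr)) {
                this.LOGGER.info("Server is NOT trusted with certificate '" + Arrays.asList(x509CertificateArr) + "'");
                throw new CertificateException("Server's certificate is not trusted by this application (although it was trusted by the JRE): " + Arrays.asList(x509CertificateArr));
            }
        } catch (CertificateException e) {
            // Covers both a delegate rejection and the callback veto thrown above.
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionOpenErrors));
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionUnknownServerCertificate));
            this.LOGGER.warn("Server certificate validation failed for '" + x509CertificateArr[0] + "'");
            throw e;
        }
    }

    /** Rejects a {@code null} or empty chain, as the {@link X509TrustManager} contract specifies. */
    private static void requireNonEmptyChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be null or empty");
        }
    }

    /** Returns the pinned client fingerprint, or {@code null} if no certified identity is set. */
    private OctetString pinnedClientFingerprint() {
        if (this.tmStateReference == null || this.tmStateReference.getCertifiedIdentity() == null) {
            return null;
        }
        return this.tmStateReference.getCertifiedIdentity().getClientFingerprint();
    }

    /** Returns the pinned server fingerprint, or {@code null} if no certified identity is set. */
    private OctetString pinnedServerFingerprint() {
        if (this.tmStateReference == null || this.tmStateReference.getCertifiedIdentity() == null) {
            return null;
        }
        return this.tmStateReference.getCertifiedIdentity().getServerFingerprint();
    }

    /**
     * Returns the name used for the host name comparison: the dNSName subjectAltName entry
     * if present, else the subject distinguished name, else {@code null}.
     */
    private String certificateName(X509Certificate leaf) {
        Object entry = null;
        try {
            entry = TLSTMUtil.getSubjAltName(leaf.getSubjectAlternativeNames(), SUBJ_ALT_NAME_DNS);
        } catch (CertificateParsingException e) {
            this.LOGGER.error("CertificateParsingException while verifying server certificate " + Arrays.asList(leaf));
        }
        if (entry == null) {
            X500Principal subject = leaf.getSubjectX500Principal();
            if (subject != null) {
                entry = subject.getName();
            }
        }
        return entry instanceof String ? (String) entry : null;
    }

    /**
     * Logs whether the peer's canonical host name equals the name in the leaf certificate.
     * The result is informational and has no influence on the trust decision.
     */
    private void logPeerHostnameComparison(X509Certificate leaf) {
        String certName = certificateName(leaf);
        if (certName == null || this.tmStateReference == null) {
            return;
        }
        // getCanonicalHostName() may trigger a reverse DNS lookup; skip it when nothing would be logged.
        if (!this.LOGGER.isInfoEnabled() && !this.LOGGER.isDebugEnabled()) {
            return;
        }
        Object address = this.tmStateReference.getAddress();
        if (!(address instanceof IpAddress)) {
            return;
        }
        java.net.InetAddress inetAddress = ((IpAddress) address).getInetAddress();
        if (inetAddress == null) {
            return;
        }
        String hostName = inetAddress.getCanonicalHostName();
        String expected = certName.toLowerCase(java.util.Locale.ROOT);
        boolean matches = false;
        if (expected.length() > 0) {
            if (expected.charAt(0) == '*') {
                // A leading wildcard stands for the first label only; a host name without
                // a dot has no remaining labels to compare and therefore cannot match.
                int firstDot = hostName.indexOf('.');
                if (firstDot >= 0) {
                    hostName = hostName.substring(firstDot);
                    expected = expected.substring(1);
                    matches = hostName.equalsIgnoreCase(expected);
                }
            } else {
                matches = hostName.equalsIgnoreCase(expected);
            }
        }
        if (matches) {
            if (this.LOGGER.isInfoEnabled()) {
                this.LOGGER.info("Peer hostname " + hostName + " matches dNSName " + expected);
            }
        } else if (this.LOGGER.isDebugEnabled()) {
            this.LOGGER.debug("Peer hostname " + hostName + " did not match dNSName " + expected);
        }
    }

    /**
     * Tests whether any certificate of the chain has the given fingerprint.
     *
     * @param x509CertificateArr the presented chain
     * @param octetString the pinned fingerprint; {@code null} or empty never matches
     * @return {@code true} on the first certificate whose fingerprint equals the pinned one
     */
    private boolean isMatchingFingerprint(X509Certificate[] x509CertificateArr, OctetString octetString) {
        if (octetString == null || octetString.length() <= 0) {
            return false;
        }
        // NOTE(review): every element of the presented chain is compared, and the callers
        // accept a match without path validation. Only the leaf is bound to the handshake
        // key, so confirm that pinning a non-leaf fingerprint is meant to skip validation
        // of the rest of the chain.
        for (X509Certificate x509Certificate : x509CertificateArr) {
            if (x509Certificate == null) {
                continue;
            }
            OctetString fingerprint = TLSTMUtil.getFingerprint(x509Certificate);
            if (this.LOGGER.isDebugEnabled()) {
                this.LOGGER.debug("Comparing certificate fingerprint " + fingerprint + " with " + octetString);
            }
            if (fingerprint == null) {
                this.LOGGER.error("Failed to determine fingerprint for certificate " + x509Certificate + " and algorithm " + x509Certificate.getSigAlgName());
            } else if (fingerprint.equals(octetString)) {
                if (this.LOGGER.isInfoEnabled()) {
                    this.LOGGER.info("Peer is trusted by fingerprint '" + octetString + "' of certificate: '" + x509Certificate + "'");
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the delegate's accepted issuers, filtered through the security callback when
     * one is configured.
     *
     * @return the delegate's issuers that the callback accepts; the delegate's own result
     *     (possibly {@code null}) when there is no callback
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        TlsTmSecurityCallback<X509Certificate> callback = this.securityCallback;
        X509Certificate[] acceptedIssuers = this.trustManager.getAcceptedIssuers();
        if (acceptedIssuers == null || callback == null) {
            return acceptedIssuers;
        }
        ArrayList<X509Certificate> filtered = new ArrayList<X509Certificate>(acceptedIssuers.length);
        for (X509Certificate issuer : acceptedIssuers) {
            if (callback.isAcceptedIssuer(issuer)) {
                filtered.add(issuer);
            }
        }
        return filtered.toArray(new X509Certificate[filtered.size()]);
    }
}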
