package org.jivesoftware.sparkimpl.certificates;

import java.awt.HeadlessException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.naming.InvalidNameException;
import javax.net.ssl.X509TrustManager;
import org.jivesoftware.spark.util.log.Log;

/* loaded from: input_file:org/jivesoftware/sparkimpl/certificates/SparkExceptionsTrustManager.class */
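/**
 * Trust manager backed by the user's "exceptions" key stores.
 *
 * <p>Trust decisions are deliberately more permissive than a default PKIX trust manager:
 * <ul>
 *   <li>a chain whose end-entity certificate is present in {@code exceptionsStore} is accepted
 *       without any path validation;</li>
 *   <li>every other chain is PKIX-validated against {@code allStore} (which here includes the
 *       content of both exception stores) with revocation checking disabled;</li>
 *   <li>{@code EXPIRED} and {@code NOT_YET_VALID} validation failures are logged and ignored.</li>
 * </ul>
 * Anything else (including self-signed chains, which this class refuses to process) fails with a
 * {@link CertificateException}. Client certificates are never validated by this class.
 */
public class SparkExceptionsTrustManager extends GeneralTrustManager implements X509TrustManager {
    // End-entity certificates the user explicitly accepted; a chain whose leaf is found here
    // bypasses path validation entirely.
    KeyStore exceptionsStore;
    // CA certificates the user explicitly accepted; merged into allStore as extra trust anchors.
    KeyStore cacertsExceptionsStore;

    /** Creates the trust manager and immediately loads the exception stores. */
    public SparkExceptionsTrustManager() {
        loadKeyStores();
    }

    /**
     * Not supported: this trust manager only validates server chains.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        throw new UnsupportedOperationException("This implementation cannot be used to validate client-provided certificate chains.");
    }

    /**
     * Accepts the chain when its end-entity certificate is in the exceptions store, otherwise
     * runs the relaxed PKIX validation of {@link #validatePath(X509Certificate[])}.
     *
     * @param chain    the server's certificate chain, in either subject-to-issuer or issuer-to-subject order
     * @param authType the key exchange algorithm; not used by this implementation
     * @throws CertificateException if the chain is missing or empty, or cannot be validated
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // isFirstCertExempted() indexes chain[0] and chain[length - 1]; without this guard a missing
        // or empty chain would escape as an unchecked exception instead of a validation failure.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Cannot build certificate chain: no certificates were provided.");
        }
        try {
            if (!isFirstCertExempted(chain)) {
                validatePath(chain);
            }
        } catch (IllegalArgumentException | InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | CertPathValidatorException e) {
            Log.warning("Cannot build certificate chain", e);
            // Keep the original failure as the cause so callers can diagnose why validation failed.
            throw new CertificateException("Cannot build certificate chain", e);
        }
    }

    /**
     * PKIX-validates the chain against {@code allStore}, tolerating expired and not-yet-valid
     * certificates and skipping revocation checks.
     *
     * @param chain the server's certificate chain; must not be self-signed
     * @throws IllegalArgumentException   if the chain is self-signed
     * @throws CertificateException       if no path can be built, or the validator yields no trusted certificate
     * @throws CertPathValidatorException on any validation failure other than expiry / not-yet-valid
     */
    private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertificateException, IllegalArgumentException {
        if (SparkTrustManager.isSelfSigned(chain)) {
            throw new IllegalArgumentException("Method cannot be used with self-signed certificate.");
        }
        // Root CA certificates are not part of the path to validate; trust anchors come from allStore.
        List<X509Certificate> pathCerts = Arrays.stream(chain)
                .filter(cert -> !SparkTrustManager.isRootCACertificate(cert))
                .collect(Collectors.toList());
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(pathCerts);
        if (certPath.getCertificates().isEmpty()) {
            throw new CertificateException("Unable to build a certificate path from the provided chain.");
        }

        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate((X509Certificate) certPath.getCertificates().get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(this.allStore, targetSelector);
        // Revocation checking is intentionally off for user-excepted certificates.
        params.setRevocationEnabled(false);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, params);
            if (result.getTrustAnchor().getTrustedCert() == null) {
                throw new CertificateException("certificate path failed: Trusted CA is NULL");
            }
        } catch (CertPathValidatorException e) {
            CertPathValidatorException.Reason reason = e.getReason();
            if (reason == CertPathValidatorException.BasicReason.EXPIRED) {
                Log.debug("Chain validation detected expiry, but this 'exception' trust manager allows this Not failing validation.");
            } else if (reason == CertPathValidatorException.BasicReason.NOT_YET_VALID) {
                Log.debug("Chain validation detected not-yet-valid, but this 'exception' trust manager allows this Not failing validation.");
            } else {
                throw e;
            }
        }
    }

    /**
     * Reports whether the chain's end-entity certificate is stored in {@code exceptionsStore}.
     *
     * @param chain a non-empty certificate chain
     * @return {@code true} if the leaf certificate (first or last element, depending on chain order) has an alias in the exceptions store
     * @throws KeyStoreException if the exceptions store cannot be queried
     */
    private boolean isFirstCertExempted(X509Certificate[] chain) throws KeyStoreException {
        X509Certificate leaf = isOrderFromSubjectToIssuer(chain) ? chain[0] : chain[chain.length - 1];
        return this.exceptionsStore.getCertificateAlias(leaf) != null;
    }

    /**
     * Opens both exception stores and merges their content into {@code allStore}.
     * A failure to merge one store is logged and does not prevent the other from being merged.
     */
    @Override
    protected void loadKeyStores() {
        this.exceptionsStore = this.certControll.openKeyStore(CertificateController.EXCEPTIONS);
        this.cacertsExceptionsStore = this.certControll.openKeyStore(CertificateController.CACERTS_EXCEPTIONS);
        loadAllStore();
        try {
            addKeyStoreContentToAllStore(this.exceptionsStore);
        } catch (HeadlessException | KeyStoreException | InvalidNameException e) {
            Log.error("Cannot add exceptionStore content to allStore", e);
        }
        try {
            addKeyStoreContentToAllStore(this.cacertsExceptionsStore);
        } catch (HeadlessException | KeyStoreException | InvalidNameException e) {
            Log.error("Cannot add cacertsExceptionsStore to allStore", e);
        }
    }
}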
