package org.jivesoftware.sparkimpl.certificates;

import java.awt.HeadlessException;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.naming.InvalidNameException;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang3.ArrayUtils;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.jivesoftware.spark.util.log.Log;

/* loaded from: input_file:org/jivesoftware/sparkimpl/certificates/SparkTrustManager.class */
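/**
 * Server-side {@link X509TrustManager} used by Spark for TLS connections.
 *
 * <p>A presented chain is accepted in one of three ways:
 * <ol>
 *   <li>it is matched by the user-maintained exception list ({@link SparkExceptionsTrustManager});</li>
 *   <li>it is a single self-signed certificate that the user chose to accept and that is present
 *       among {@link #getAcceptedIssuers()} (optionally cross-checked against the CRLs it names);</li>
 *   <li>it builds a PKIX path to a trust anchor in the inherited {@code allStore}, with
 *       revocation checking configured from the local preferences.</li>
 * </ol>
 *
 * <p>The {@code localPref}, {@code certControll} and {@code allStore} members, as well as
 * {@code loadAllStore()}, {@code addKeyStoreContentToAllStore()} and {@code getAcceptedIssuers()},
 * are inherited from {@link GeneralTrustManager}; their exact contracts are not visible here.
 *
 * <p>Not thread-safe: {@link #loadCRL(X509Certificate[])} appends to a shared collection.
 */
public class SparkTrustManager extends GeneralTrustManager implements X509TrustManager {
    /** Bound on connect and read time when fetching a CRL named by a peer certificate (chosen value). */
    private static final int CRL_DOWNLOAD_TIMEOUT_MS = 10_000;
    private static final String X509 = "X.509";
    private static final String PKIX = "PKIX";
    /** Message the PKIX validator uses when OCSP is requested but the certificate names no responder. */
    private static final String NO_OCSP_RESPONDER_MESSAGE = "Certificate does not specify OCSP responder";

    /**
     * Chain of the most recent path-validation failure, or {@code null} after the last successful
     * check. Shared across all instances; volatile so readers on another thread see the latest value.
     */
    static volatile X509Certificate[] lastFailedChain;

    /** Built from {@link #crlCollection} by {@link #loadCRL}; retained for parity with the original, not read here. */
    private CertStore crlStore;
    private KeyStore trustStore;
    private KeyStore displayedCaCerts;
    /**
     * CRLs downloaded so far. Entries accumulate across calls to {@link #loadCRL}; nothing in this
     * class clears the collection.
     */
    private final Collection<X509CRL> crlCollection = new ArrayList<>();
    private final X509TrustManager exceptionsTrustManager = new SparkExceptionsTrustManager();
    private final boolean checkCRL = this.localPref.isCheckCRL();
    private final boolean checkOCSP = this.localPref.isCheckOCSP();
    private final boolean acceptExpired = this.localPref.isAcceptExpired();
    private final boolean acceptNotValidYet = this.localPref.isAcceptNotValidYet();
    private final boolean acceptRevoked = this.localPref.isAcceptRevoked();
    private final boolean acceptSelfSigned = this.localPref.isAcceptSelfSigned();
    private final boolean allowSoftFail = this.localPref.isAllowSoftFail();

    /** Creates a manager and populates the trust stores via {@link #loadKeyStores()}. */
    public SparkTrustManager() {
        loadKeyStores();
    }

    /**
     * Convenience factory for {@code SSLContext.init}.
     *
     * @return a one-element array holding a fresh {@code SparkTrustManager}
     */
    public static X509TrustManager[] getTrustManagerList() {
        return new X509TrustManager[]{new SparkTrustManager()};
    }

    /**
     * Not supported: this manager only validates server chains.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
        throw new UnsupportedOperationException("This implementation cannot be used to validate client-provided certificate chains.");
    }

    /**
     * @return the chain of the last failed path validation, or {@code null} if the most recent
     *         check succeeded; see {@link #lastFailedChain}
     */
    public static X509Certificate[] getLastFailedChain() {
        return lastFailedChain;
    }

    /**
     * Delegates to the inherited certificate controller to store the chain.
     *
     * @param x509CertificateArr chain to add
     */
    public void addChain(X509Certificate[] x509CertificateArr) {
        this.certControll.addChain(x509CertificateArr);
    }

    /**
     * Validates a server chain as described in the class documentation.
     *
     * @param x509CertificateArr peer chain, leaf first; must be non-null and non-empty
     * @param str authentication type, passed through to the exception trust manager
     * @throws IllegalArgumentException if the chain is null or empty (per the {@link X509TrustManager} contract)
     * @throws CertificateException if the chain is not trusted
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be null or empty.");
        }
        try {
            doTheChecks(x509CertificateArr, str);
            lastFailedChain = null;
        } catch (CertPathValidatorException e) {
            // Only path-validation failures are recorded; a CertificateException from doTheChecks
            // (e.g. rejected self-signed, expired) leaves the previous value in place.
            lastFailedChain = x509CertificateArr;
            throw new CertificateException(e);
        }
    }

    /**
     * Runs the trust decision: exception list first, then date validity, then either PKIX path
     * validation (multi-certificate chains) or the self-signed acceptance rules.
     *
     * @throws CertificateException when the chain is rejected by a non-path rule
     * @throws CertPathValidatorException when path validation fails or a self-signed certificate is
     *         not in the trust store
     */
    private void doTheChecks(X509Certificate[] chain, String authType) throws CertificateException, CertPathValidatorException {
        try {
            this.exceptionsTrustManager.checkServerTrusted(chain, authType);
            return; // explicitly accepted by the user's exception list
        } catch (CertificateException ignored) {
            // not on the exception list: fall through to full validation
        }

        checkDateValidity(chain);

        if (!isSelfSigned(chain)) {
            try {
                validatePath(chain);
            } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | CertPathValidatorException e) {
                Log.error("Validating path failed", e);
                throw new CertPathValidatorException("Certificate path validation failed", e);
            }
            return;
        }

        // Single self-signed certificate.
        if (!this.acceptSelfSigned) {
            throw new CertificateException("Self Signed certificate");
        }
        if (!Arrays.asList(getAcceptedIssuers()).contains(chain[0])) {
            throw new CertPathValidatorException("Certificate not in the TrustStore");
        }
        checkSelfSignedAgainstCrls(chain);
    }

    /**
     * Best-effort revocation check for an accepted self-signed certificate using the CRLs it names.
     * A CRL that cannot be loaded is logged and ignored (this happens regardless of
     * {@code allowSoftFail}); a CRL that lists the certificate rejects it.
     *
     * @throws CertificateException if a loaded CRL marks the certificate as revoked
     */
    private void checkSelfSignedAgainstCrls(X509Certificate[] chain) throws CertificateException {
        try {
            loadCRL(chain);
        } catch (IOException | InvalidAlgorithmParameterException | NoSuchAlgorithmException | CRLException e) {
            Log.warning("Couldn't load CRL", e);
            return;
        }
        for (X509CRL crl : this.crlCollection) {
            if (crl.isRevoked(chain[0])) {
                throw new CertificateException("Certificate is revoked");
            }
        }
    }

    /**
     * @param x509CertificateArr chain to inspect
     * @return {@code true} if the chain holds exactly one certificate whose issuer name equals its
     *         subject name; {@code false} for null, empty or longer chains
     */
    public static boolean isSelfSigned(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length != 1) {
            return false;
        }
        X509Certificate only = x509CertificateArr[0];
        return only.getIssuerX500Principal().getName().equals(only.getSubjectX500Principal().getName());
    }

    /**
     * @param x509Certificate certificate to inspect
     * @return {@code true} if issuer equals subject and the certificate carries a CA basic constraint
     *         ({@code getBasicConstraints() != -1})
     */
    public static boolean isRootCACertificate(X509Certificate x509Certificate) {
        boolean issuedBySelf = x509Certificate.getIssuerX500Principal().getName().equals(x509Certificate.getSubjectX500Principal().getName());
        return issuedBySelf && x509Certificate.getBasicConstraints() > -1;
    }

    /**
     * Name-only check: does any certificate in the chain name one of the accepted issuers as its issuer?
     * Signatures are not verified here.
     *
     * @param x509CertificateArr chain to inspect
     * @return {@code true} if some certificate's issuer name matches an accepted issuer's subject name
     */
    public boolean containsTrustAnchorFor(X509Certificate[] x509CertificateArr) {
        Set<String> anchorSubjects = Arrays.stream(getAcceptedIssuers())
                .map(anchor -> anchor.getSubjectX500Principal().getName())
                .collect(Collectors.toSet());
        return Arrays.stream(x509CertificateArr)
                .anyMatch(cert -> anchorSubjects.contains(cert.getIssuerX500Principal().getName()));
    }

    /**
     * PKIX-validates a non-self-signed chain against {@code allStore}.
     *
     * <p>Root CA certificates sent by the peer are dropped from the path so that the trust anchor
     * must come from the local store. Expired / not-yet-valid results are tolerated when the
     * corresponding preference is set. After a successful validation the path-length constraints
     * are re-checked by {@link #checkBasicConstraints}.
     *
     * @throws IllegalArgumentException if the chain is self-signed
     * @throws CertificateException if no path can be built, the anchor has no certificate, the
     *         basic-constraints check fails, or the certificate is revoked
     * @throws CertPathValidatorException for any other validation failure
     */
    private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertificateException {
        if (isSelfSigned(chain)) {
            throw new IllegalArgumentException("Method cannot be used with self-signed certificate.");
        }
        List<X509Certificate> pathCerts = Arrays.stream(chain)
                .filter(cert -> !isRootCACertificate(cert))
                .collect(Collectors.toList());
        if (pathCerts.isEmpty()) {
            throw new CertificateException("Unable to build a certificate path from the provided chain.");
        }
        CertPath certPath = CertificateFactory.getInstance(X509).generateCertPath(pathCerts);

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(pathCerts.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(this.allStore, target);
        // Built-in revocation checking is off; an explicit checker is added below when configured.
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance(PKIX);
        configureRevocationChecking(validator, params);

        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, params);
            X509Certificate anchorCert = result.getTrustAnchor().getTrustedCert();
            if (anchorCert == null) {
                throw new CertificateException("certificate path failed: Trusted CA is NULL");
            }
            checkBasicConstraints(certPath, anchorCert);
        } catch (CertPathValidatorException e) {
            handleValidationFailure(e, certPath);
        } catch (CertificateRevokedException e) {
            // Reachable only for a CertificateException raised inside the try block above; the PKIX
            // validator itself reports revocation as CertPathValidatorException (BasicReason.REVOKED).
            Log.warning("Certificate was revoked", e);
            blacklistLocallyRevoked(certPath);
            throw new CertificateException("Certificate was revoked");
        }
    }

    /**
     * Attaches a {@link PKIXRevocationChecker} reflecting the CRL/OCSP preferences, or none when
     * revoked certificates are accepted or neither mechanism is enabled.
     *
     * <ul>
     *   <li>CRL and OCSP: provider default (OCSP preferred, CRL fallback).</li>
     *   <li>CRL only: {@code PREFER_CRLS} + {@code NO_FALLBACK}.</li>
     *   <li>OCSP only: {@code NO_FALLBACK} (previously this combination added no checker at all,
     *       silently disabling revocation checking).</li>
     * </ul>
     * {@code SOFT_FAIL} is added whenever the preference allows it.
     */
    private void configureRevocationChecking(CertPathValidator validator, PKIXBuilderParameters params) {
        if (this.acceptRevoked || (!this.checkCRL && !this.checkOCSP)) {
            return;
        }
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (this.allowSoftFail) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        if (this.checkCRL && !this.checkOCSP) {
            options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        } else if (this.checkOCSP && !this.checkCRL) {
            options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        checker.setOptions(options);
        params.addCertPathChecker(checker);
    }

    /**
     * Decides whether a validator failure is tolerated by the preferences; rethrows it otherwise.
     *
     * <p>The "no OCSP responder" case is accepted unconditionally, independent of {@code allowSoftFail},
     * as in the original logic.
     */
    private void handleValidationFailure(CertPathValidatorException e, CertPath certPath) throws CertPathValidatorException {
        CertPathValidatorException.Reason reason = e.getReason();
        if (reason == CertPathValidatorException.BasicReason.EXPIRED && this.acceptExpired) {
            Log.debug("Chain validation detected expiry, but Spark is configured to allow this. Not failing validation.");
            return;
        }
        if (reason == CertPathValidatorException.BasicReason.NOT_YET_VALID && this.acceptNotValidYet) {
            Log.debug("Chain validation detected not-yet-valid, but Spark is configured to allow this. Not failing validation.");
            return;
        }
        // getMessage() may be null; compare with the constant on the left to avoid an NPE.
        if (reason == CertPathValidatorException.BasicReason.UNSPECIFIED && NO_OCSP_RESPONDER_MESSAGE.equals(e.getMessage())) {
            Log.debug("Certificate does not specify OCSP responder");
            return;
        }
        if (reason == CertPathValidatorException.BasicReason.REVOKED) {
            blacklistLocallyRevoked(certPath);
        }
        throw e;
    }

    /**
     * Moves every certificate of the path that one of the locally loaded CRLs marks as revoked to
     * the blacklist. Failures to blacklist are logged; they never mask the revocation itself.
     */
    private void blacklistLocallyRevoked(CertPath certPath) {
        for (Certificate pathCert : certPath.getCertificates()) {
            X509Certificate cert = (X509Certificate) pathCert;
            boolean revokedLocally = this.crlCollection.stream().anyMatch(crl -> crl.isRevoked(cert));
            if (!revokedLocally) {
                continue;
            }
            try {
                addToBlackList(cert);
            } catch (HeadlessException | InvalidNameException | KeyStoreException e) {
                Log.error("Couldn't move to the blacklist", e);
            }
        }
    }

    /**
     * Checks every certificate's validity period, tolerating expiry / not-yet-valid when configured.
     *
     * @throws CertificateException if a certificate is outside its validity period and the
     *         corresponding preference does not allow it
     */
    private void checkDateValidity(X509Certificate[] chain) throws CertificateException {
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity();
            } catch (CertificateExpiredException expired) {
                Log.warning("Certificate is expired " + cert.getSubjectX500Principal().getName(), expired);
                if (!this.acceptExpired) {
                    throw new CertificateException("Certificate is expired");
                }
            } catch (CertificateNotYetValidException notYet) {
                Log.warning("Certificate is not valid yet " + cert.getSubjectX500Principal().getName(), notYet);
                if (!this.acceptNotValidYet) {
                    throw new CertificateException("Certificate is not valid yet");
                }
            }
        }
    }

    /**
     * Re-checks the BasicConstraints extension along the validated path: certificate {@code i}
     * (leaf is 0) must be a CA with a pathLenConstraint of at least {@code i - 1}, and the trust
     * anchor must allow {@code size - 1} intermediates.
     *
     * @throws CertificateException on the first certificate that fails the check
     */
    private void checkBasicConstraints(CertPath certPath, X509Certificate trustAnchor) throws CertificateException {
        List<? extends Certificate> certs = certPath.getCertificates();
        for (int i = 1; i < certs.size(); i++) {
            int allowed = ((X509Certificate) certs.get(i)).getBasicConstraints();
            int needed = i - 1;
            if (needed > allowed) {
                throw new CertificateException("Certificate number " + i + " in the chain failed the BasicConstraints check: " + describeBasicConstraintsFailure(allowed, needed));
            }
        }
        int anchorAllowed = trustAnchor.getBasicConstraints();
        int anchorNeeded = certs.size() - 1;
        if (anchorNeeded > anchorAllowed) {
            throw new CertificateException("Trust anchor of the chain failed the BasicConstraints check: " + describeBasicConstraintsFailure(anchorAllowed, anchorNeeded));
        }
    }

    /** Formats the reason part of a BasicConstraints failure message ({@code -1} means "not a CA"). */
    private static String describeBasicConstraintsFailure(int allowed, int needed) {
        return allowed == -1
                ? "CA flag not set"
                : "pathLenConstraint to small (was: " + allowed + " needed:" + needed + ")";
    }

    /**
     * Loads the trusted and displayed-CA key stores through the controller and merges both into
     * {@code allStore}. Merge failures are logged, not propagated.
     */
    @Override
    protected void loadKeyStores() {
        this.certControll.loadKeyStores();
        this.trustStore = this.certControll.openKeyStore(CertificateController.TRUSTED);
        this.displayedCaCerts = this.certControll.openCacertsKeyStore();
        loadAllStore();
        try {
            addKeyStoreContentToAllStore(this.trustStore);
        } catch (HeadlessException | KeyStoreException | InvalidNameException e) {
            Log.error("Cannot add trustStore content to allStore", e);
        }
        try {
            addKeyStoreContentToAllStore(this.displayedCaCerts);
        } catch (HeadlessException | KeyStoreException | InvalidNameException e) {
            Log.error("Cannot add displayedCaCerts to the allStore", e);
        }
    }

    /**
     * Downloads the CRLs named by the URI distribution points of every certificate in the chain
     * and appends them to {@link #crlCollection}. Distribution points that are not full names, and
     * names that are not URIs, are skipped. The URLs come from the (untrusted) peer certificate;
     * see {@link #downloadCRL(URL)} for the restrictions applied.
     *
     * @param x509CertificateArr chain whose CRL distribution points are followed
     * @return the shared, cumulative CRL collection
     * @throws IOException if a download fails or a URL is malformed / uses an unsupported scheme
     * @throws CRLException if a downloaded document is not a parseable CRL
     */
    public Collection<X509CRL> loadCRL(X509Certificate[] x509CertificateArr) throws IOException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, CRLException {
        for (X509Certificate cert : x509CertificateArr) {
            byte[] extensionValue = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
            if (extensionValue == null) {
                Log.warning("Certificate " + cert.getSubjectX500Principal().getName() + " have no CRLs");
                continue;
            }
            CRLDistPoint distPoints = CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
            for (DistributionPoint point : distPoints.getDistributionPoints()) {
                DistributionPointName pointName = point.getDistributionPoint();
                if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
                    continue;
                }
                for (GeneralName name : GeneralNames.getInstance(pointName.getName()).getNames()) {
                    if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                        continue; // e.g. directoryName entries cannot be fetched as URLs
                    }
                    try {
                        this.crlCollection.add(downloadCRL(new URL(name.getName().toString())));
                    } catch (CRLException | CertificateException e) {
                        throw new CRLException("Couldn't download CRL", e);
                    }
                }
            }
        }
        this.crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(this.crlCollection));
        return this.crlCollection;
    }

    /** Delegates to the inherited certificate controller. */
    private void addToBlackList(X509Certificate x509Certificate) throws KeyStoreException, HeadlessException, InvalidNameException {
        this.certControll.addCertificateToBlackList(x509Certificate);
    }

    /**
     * Fetches and parses one CRL. Because the URL originates from a peer-supplied certificate,
     * only {@code http} and {@code https} are followed and both connect and read are bounded by
     * {@link #CRL_DOWNLOAD_TIMEOUT_MS}, so a hostile distribution point cannot make the TLS
     * handshake read local resources or hang indefinitely.
     *
     * @throws IOException on network failure, timeout, or an unsupported URL scheme
     * @throws CRLException if the response is not a parseable X.509 CRL
     */
    private X509CRL downloadCRL(URL url) throws IOException, CertificateException, CRLException {
        String scheme = url.getProtocol();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new IOException("Unsupported CRL distribution point scheme: " + scheme);
        }
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(CRL_DOWNLOAD_TIMEOUT_MS);
        connection.setReadTimeout(CRL_DOWNLOAD_TIMEOUT_MS);
        try (InputStream in = connection.getInputStream()) {
            return (X509CRL) CertificateFactory.getInstance(X509).generateCRL(in);
        }
    }
}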
