package com.unboundid.util.ssl;

import com.unboundid.util.Debug;
import com.unboundid.util.NotMutable;
import com.unboundid.util.NotNull;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;
import com.unboundid.util.Validator;
import com.unboundid.util.ssl.cert.CertException;
import com.unboundid.util.ssl.cert.X509Certificate;
import com.unboundid.util.ssl.cert.X509PEMFileReader;
import java.io.File;
import java.io.IOException;
import java.io.Serializable;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.net.ssl.X509TrustManager;

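/**
 * An {@link X509TrustManager} whose trust anchors are the X.509 certificates read from one or
 * more PEM files (or directories of PEM files) supplied at construction time.
 *
 * <p>The set of trusted certificates is loaded once in the constructor and then exposed only
 * through an unmodifiable map, so later changes to the files on disk are not picked up by an
 * existing instance.
 *
 * <p>Checks performed by this class itself, as visible in this file: each presented certificate
 * must be within its validity window, each certificate after the first must satisfy
 * {@code isIssuerFor} for the one before it, and at least one presented certificate must be in
 * the trusted set or the last one must have an issuer in the trusted set. Nothing here performs
 * hostname verification or revocation checking; callers that need those must add them elsewhere.
 */
@ThreadSafety(level = ThreadSafetyLevel.COMPLETELY_THREADSAFE)
@NotMutable
/* loaded from: input_file:BOOT-INF/lib/unboundid-ldapsdk-6.0.6.jar:com/unboundid/util/ssl/PEMFileTrustManager.class */
public final class PEMFileTrustManager implements X509TrustManager, Serializable {
    private static final long serialVersionUID = 1973401278035832777L;

    // Trusted certificates keyed by the SDK representation, mapped to the equivalent JCA
    // certificate object. Wrapped with Collections.unmodifiableMap in the constructor.
    @NotNull
    private final Map<X509Certificate, java.security.cert.X509Certificate> trustedCertificates;

    /**
     * Creates a trust manager from the given PEM files or directories.
     *
     * @param fileArr the PEM files (or directories containing PEM files) to load
     * @throws KeyStoreException if any file is missing, unreadable, empty, or cannot be parsed
     */
    public PEMFileTrustManager(@NotNull File... fileArr) throws KeyStoreException {
        this((List<File>) StaticUtils.toList(fileArr));
    }

    /**
     * Creates a trust manager from the given PEM files or directories.
     *
     * @param list the PEM files (or directories containing PEM files) to load; must be neither
     *             {@code null} nor empty
     * @throws KeyStoreException if any file is missing, unreadable, empty, or cannot be parsed
     */
    public PEMFileTrustManager(@NotNull List<File> list) throws KeyStoreException {
        Validator.ensureNotNullWithMessage(list, "PEMFileTrustManager.pemFiles must not be null.");
        Validator.ensureFalse(list.isEmpty(), "PEMFileTrustManager.pemFiles must not be empty.");

        final Map<X509Certificate, java.security.cert.X509Certificate> loaded = new HashMap<>();
        for (final File pemFile : list) {
            readTrustedCertificates(pemFile, loaded);
        }
        this.trustedCertificates = Collections.unmodifiableMap(loaded);
    }

    /**
     * Reads every certificate from the given file, or recursively from every entry of the given
     * directory, and adds it to {@code certMap}.
     *
     * <p>Every entry found under a directory is treated as a source of trust anchors, so the
     * directory and its contents should be writable only by whoever administers trust for the
     * application.
     *
     * @param file    the PEM file or directory to read
     * @param certMap the map that collects the certificates that were read
     * @throws KeyStoreException if the path does not exist, a file contains no certificate, or a
     *                           read or parse error occurs
     */
    private static void readTrustedCertificates(@NotNull File file, @NotNull Map<X509Certificate, java.security.cert.X509Certificate> certMap) throws KeyStoreException {
        if (!file.exists()) {
            throw new KeyStoreException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_NO_SUCH_FILE.get(file.getAbsolutePath()));
        }

        try {
            if (file.isDirectory()) {
                // File.listFiles() returns null when the directory cannot be listed; the
                // resulting NullPointerException is converted to a KeyStoreException by the
                // generic handler at the end of this method.
                for (final File child : file.listFiles()) {
                    readTrustedCertificates(child, certMap);
                }
            } else {
                // try-with-resources guarantees the reader is closed on every path, including
                // the "file contains no certificate" failure below.
                try (X509PEMFileReader reader = new X509PEMFileReader(file)) {
                    boolean readAny = false;
                    while (true) {
                        final X509Certificate cert = reader.readCertificate();
                        if (cert == null) {
                            break;
                        }
                        readAny = true;
                        certMap.put(cert, (java.security.cert.X509Certificate) cert.toCertificate());
                    }
                    if (!readAny) {
                        throw new KeyStoreException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_EMPTY_FILE.get(file.getAbsolutePath()));
                    }
                }
            }
        } catch (CertException e) {
            Debug.debugException(e);
            throw new KeyStoreException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_ERROR_PARSING_CERT.get(file.getAbsolutePath(), e.getMessage()), e);
        } catch (IOException e) {
            Debug.debugException(e);
            throw new KeyStoreException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_ERROR_READING_FILE.get(file.getAbsolutePath(), StaticUtils.getExceptionMessage(e)), e);
        } catch (KeyStoreException e) {
            // Already in the form callers expect (raised by a recursive call or the empty-file
            // check); log and propagate unchanged.
            Debug.debugException(e);
            throw e;
        } catch (Exception e) {
            Debug.debugException(e);
            throw new KeyStoreException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_ERROR_PROCESSING_FILE.get(file.getAbsolutePath(), StaticUtils.getExceptionMessage(e)), e);
        }
    }

    /**
     * Checks whether the presented client certificate chain is trusted.
     *
     * @param x509CertificateArr the certificate chain presented by the client
     * @param str                the authentication type; not used by this implementation
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(@NotNull java.security.cert.X509Certificate[] x509CertificateArr, @NotNull String str) throws CertificateException {
        try {
            checkTrusted(x509CertificateArr);
        } catch (CertificateException e) {
            Debug.debugException(e);
            throw new CertificateException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_CLIENT_NOT_TRUSTED.get(e.getMessage()), e);
        }
    }

    /**
     * Checks whether the presented server certificate chain is trusted.
     *
     * @param x509CertificateArr the certificate chain presented by the server
     * @param str                the authentication type; not used by this implementation
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(@NotNull java.security.cert.X509Certificate[] x509CertificateArr, @NotNull String str) throws CertificateException {
        try {
            checkTrusted(x509CertificateArr);
        } catch (CertificateException e) {
            Debug.debugException(e);
            throw new CertificateException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_SERVER_NOT_TRUSTED.get(e.getMessage()), e);
        }
    }

    /**
     * Validates a presented chain against the trusted certificates.
     *
     * <p>The chain is accepted when every certificate is within its validity window, every
     * certificate after the first is reported by {@code isIssuerFor} as the issuer of the one
     * before it, and either some certificate in the chain is a key of the trusted map or the last
     * certificate is not self-signed and has an issuer among the trusted certificates.
     *
     * @param chain the presented chain, in the order supplied by the TLS implementation
     * @throws CertificateException if the chain is empty, malformed, out of its validity window,
     *                              not linked together, or not anchored in the trusted set
     */
    private void checkTrusted(@NotNull java.security.cert.X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_EMPTY_CHAIN.get());
        }

        boolean anchored = false;
        X509Certificate firstCert = null;
        X509Certificate previousCert = null;
        for (final java.security.cert.X509Certificate presented : chain) {
            try {
                // Re-parse from the DER encoding so the SDK's own certificate type is used for
                // all comparisons against the trusted map.
                final X509Certificate current = new X509Certificate(presented.getEncoded());
                if (firstCert == null) {
                    firstCert = current;
                }
                if (!current.isWithinValidityWindow()) {
                    throw new CertificateException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_CERT_NOT_VALID.get(String.valueOf(current.getSubjectDN()), StaticUtils.encodeRFC3339Time(current.getNotBeforeDate()), StaticUtils.encodeRFC3339Time(current.getNotAfterDate())));
                }
                // NOTE(review): this method calls no signature-verification API itself. Whether
                // isIssuerFor checks the signature or only names/key identifiers is not visible
                // in this file -- confirm, since name matching alone does not prove issuance.
                if (previousCert != null && !current.isIssuerFor(previousCert)) {
                    throw new CertificateException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_CERT_NOT_ISSUER.get(String.valueOf(current.getSubjectDN()), String.valueOf(previousCert.getSubjectDN())));
                }
                anchored |= this.trustedCertificates.containsKey(current);
                previousCert = current;
            } catch (CertException e) {
                Debug.debugException(e);
                throw new CertificateException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_CANNOT_PARSE_CERT_FROM_CHAIN.get(presented.getSubjectX500Principal().getName("RFC2253"), StaticUtils.getExceptionMessage(e)), e);
            }
        }

        // No certificate in the chain was itself trusted: fall back to looking for a trusted
        // issuer of the last certificate in the chain.
        // NOTE(review): the trusted issuer found here is not checked against its validity
        // window, whereas getAcceptedIssuers() filters expired entries -- confirm this is
        // intended before relying on expiry of a PEM entry to revoke trust.
        if (!anchored && !previousCert.isSelfSigned()) {
            for (final X509Certificate trusted : this.trustedCertificates.keySet()) {
                if (trusted.isIssuerFor(previousCert)) {
                    anchored = true;
                    break;
                }
            }
        }

        if (!anchored) {
            throw new CertificateException(SSLMessages.ERR_PEM_FILE_TRUST_MANAGER_NOT_TRUSTED.get(String.valueOf(firstCert.getSubjectDN())));
        }
    }

    /**
     * Returns the trusted certificates that are within their validity window at the time of the
     * call.
     *
     * @return the currently valid trusted certificates; possibly empty, never {@code null}
     */
    @Override // javax.net.ssl.X509TrustManager
    @NotNull
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        final long now = System.currentTimeMillis();
        final List<java.security.cert.X509Certificate> issuers = new ArrayList<>(this.trustedCertificates.size());
        for (final Map.Entry<X509Certificate, java.security.cert.X509Certificate> entry : this.trustedCertificates.entrySet()) {
            if (entry.getKey().isWithinValidityWindow(now)) {
                issuers.add(entry.getValue());
            }
        }
        return issuers.toArray(new java.security.cert.X509Certificate[0]);
    }
}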
