package eu.emi.security.authn.x509.impl;

import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker;
import eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:eu/emi/security/authn/x509/impl/SocketFactoryCreator.class */
/**
 * Static helpers that build JSSE objects ({@link SSLContext}, socket factories, trust manager)
 * from this library's credential and certificate chain validator abstractions.
 *
 * <p>Security notes for callers:
 * <ul>
 * <li>Peer trust decisions are delegated to an {@code SSLTrustManager} wrapping the supplied
 * validator. Nothing in this class switches on hostname verification for sockets produced by
 * the returned factories; a client that needs it must call
 * {@link #connectWithHostnameChecking(SSLSocket, HostnameMismatchCallback)} itself.
 * NOTE(review): whether {@code SSLTrustManager} performs any endpoint check is not visible
 * here - confirm.</li>
 * <li>The context is requested under the generic name {@code "TLS"}, so the protocol versions
 * and cipher suites actually enabled are the JDK/provider defaults, not chosen here.</li>
 * </ul>
 */
public class SocketFactoryCreator {
    static {
        // Executed once when the class is initialized, before any factory method runs.
        // NOTE(review): presumably installs the security provider the library depends on -
        // confirm in CertificateUtils.
        CertificateUtils.configureSecProvider();
    }

    /**
     * Wraps a certificate chain validator in a JSSE trust manager.
     *
     * @param x509CertChainValidator validator the trust manager is constructed with; it is
     *        passed through unchecked
     * @return a new {@code SSLTrustManager} built around the validator
     */
    public static X509TrustManager getSSLTrustManager(X509CertChainValidator x509CertChainValidator) {
        return new SSLTrustManager(x509CertChainValidator);
    }

    /**
     * Creates and initializes a {@code "TLS"} {@link SSLContext}.
     *
     * @param x509Credential local credential whose key manager is installed; when {@code null}
     *        a {@code null} key manager array is handed to {@link SSLContext#init}, which by
     *        that method's contract falls back to the installed providers' default key
     *        manager rather than guaranteeing "no local credential"
     * @param x509CertChainValidator validator wrapped in the single trust manager of the context
     * @param secureRandom randomness source passed to {@link SSLContext#init}; {@code null}
     *        selects the JSSE default
     * @return the initialized context
     * @throws RuntimeException if the JDK has no {@code "TLS"} context implementation or the
     *         context cannot be initialized; the original exception is kept as the cause
     */
    public static SSLContext getSSLContext(X509Credential x509Credential, X509CertChainValidator x509CertChainValidator, SecureRandom secureRandom) {
        KeyManager[] keyManagers = null;
        if (x509Credential != null) {
            keyManagers = new KeyManager[]{x509Credential.getKeyManager()};
        }
        // The validator-backed trust manager is the only one installed, so every peer chain
        // accepted by sockets of this context is accepted by that trust manager.
        TrustManager[] trustManagers = {new SSLTrustManager(x509CertChainValidator)};
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagers, trustManagers, secureRandom);
            return context;
        } catch (NoSuchAlgorithmException missingProtocol) {
            throw new RuntimeException("The TLS protocol is unsupported by the JDK, a serious installation problem?", missingProtocol);
        } catch (KeyManagementException initFailure) {
            throw new RuntimeException("Shouldn't happen - SSLContext can't be initiated?", initFailure);
        }
    }

    /**
     * Builds a server socket factory from a context created by
     * {@link #getSSLContext(X509Credential, X509CertChainValidator, SecureRandom)}.
     *
     * @param x509Credential server credential, see {@code getSSLContext}
     * @param x509CertChainValidator validator applied to peer chains
     * @param secureRandom randomness source for the context
     * @return the server socket factory of the new context
     */
    public static SSLServerSocketFactory getServerSocketFactory(X509Credential x509Credential, X509CertChainValidator x509CertChainValidator, SecureRandom secureRandom) {
        SSLContext context = getSSLContext(x509Credential, x509CertChainValidator, secureRandom);
        return context.getServerSocketFactory();
    }

    /**
     * Same as the three-argument variant, with a freshly constructed {@link SecureRandom}.
     *
     * @param x509Credential server credential, see {@code getSSLContext}
     * @param x509CertChainValidator validator applied to peer chains
     * @return the server socket factory of the new context
     */
    public static SSLServerSocketFactory getServerSocketFactory(X509Credential x509Credential, X509CertChainValidator x509CertChainValidator) {
        SecureRandom freshRandom = new SecureRandom();
        return getServerSocketFactory(x509Credential, x509CertChainValidator, freshRandom);
    }

    /**
     * Builds a client socket factory from a context created by
     * {@link #getSSLContext(X509Credential, X509CertChainValidator, SecureRandom)}.
     *
     * <p>No hostname check is configured here; see
     * {@link #connectWithHostnameChecking(SSLSocket, HostnameMismatchCallback)}.
     *
     * @param x509Credential client credential, see {@code getSSLContext}
     * @param x509CertChainValidator validator applied to the server's chain
     * @param secureRandom randomness source for the context
     * @return the socket factory of the new context
     */
    public static SSLSocketFactory getSocketFactory(X509Credential x509Credential, X509CertChainValidator x509CertChainValidator, SecureRandom secureRandom) {
        SSLContext context = getSSLContext(x509Credential, x509CertChainValidator, secureRandom);
        return context.getSocketFactory();
    }

    /**
     * Same as the three-argument variant, with a freshly constructed {@link SecureRandom}.
     *
     * @param x509Credential client credential, see {@code getSSLContext}
     * @param x509CertChainValidator validator applied to the server's chain
     * @return the socket factory of the new context
     */
    public static SSLSocketFactory getSocketFactory(X509Credential x509Credential, X509CertChainValidator x509CertChainValidator) {
        SecureRandom freshRandom = new SecureRandom();
        return getSocketFactory(x509Credential, x509CertChainValidator, freshRandom);
    }

    /**
     * Compares the peer's host name with its leaf certificate and reports a mismatch to the
     * callback.
     *
     * <p>Points a caller should be aware of:
     * <ul>
     * <li>{@link SSLSocket#getSession()} is used to reach the peer certificates, which makes
     * the socket complete its handshake if it has not done so yet.</li>
     * <li>The name that is checked comes from {@code getInetAddress().getHostName()}. For a
     * socket opened with a literal IP address that call resolves the name through a reverse
     * lookup, so the checked name is then whatever the resolver returns rather than a name
     * the application chose. Opening the socket by host name avoids depending on that.</li>
     * <li>On a mismatch this method only invokes the callback. It neither closes the socket
     * nor throws by itself; if the callback returns normally, so does this method.</li>
     * <li>The callback runs inside the same {@code try} as the check, so any exception it
     * throws reaches the caller wrapped in an {@link IllegalStateException}.</li>
     * </ul>
     *
     * @param sSLSocket socket whose peer is to be checked
     * @param hostnameMismatchCallback invoked with the socket, the peer's leaf certificate and
     *        the host name when they do not match
     * @throws SSLPeerUnverifiedException propagated from the session when the peer's
     *         certificates are not available
     * @throws IllegalStateException if the peer certificate array is null or empty, or if the
     *         check or the callback throws
     * @throws ClassCastException if the peer's first certificate is not an X.509 certificate
     */
    public static void connectWithHostnameChecking(SSLSocket sSLSocket, HostnameMismatchCallback hostnameMismatchCallback) throws SSLPeerUnverifiedException {
        HostnameToCertificateChecker checker = new HostnameToCertificateChecker();
        Certificate[] peerChain = sSLSocket.getSession().getPeerCertificates();
        if (peerChain == null || peerChain.length == 0) {
            throw new IllegalStateException("JDK BUG? Got null or empty peer certificate array");
        }
        // Only the first entry of the peer array is examined.
        Certificate leaf = peerChain[0];
        if (!(leaf instanceof X509Certificate)) {
            throw new ClassCastException("Peer certificate should be an X.509 certificate, but is " + leaf.getClass().getName());
        }
        X509Certificate peerCertificate = (X509Certificate) leaf;
        String peerHostName = sSLSocket.getInetAddress().getHostName();
        try {
            if (checker.checkMatching(peerHostName, peerCertificate)) {
                return;
            }
            // The reaction to a mismatch is entirely the callback's decision.
            hostnameMismatchCallback.nameMismatch(sSLSocket, peerCertificate, peerHostName);
        } catch (Exception failure) {
            throw new IllegalStateException("Can't check peer's address against its certificate", failure);
        }
    }
}
