package eu.emi.security.authn.x509.helpers.ssl;

import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.impl.HostnameMismatchCallback2;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedTrustManager;

/* loaded from: input_file:eu/emi/security/authn/x509/helpers/ssl/SSLTrustManagerWithHostnameChecking.class */
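/**
 * Trust manager that delegates certificate chain validation to an
 * {@link X509CertChainValidator} and, for the {@link Socket} and {@link SSLEngine}
 * overloads, additionally checks that the peer's end-entity certificate matches the
 * peer's host name.
 * <p>
 * The legacy two-argument {@code checkClientTrusted}/{@code checkServerTrusted}
 * overloads perform chain validation only: the peer address is not available there,
 * so no host name check can be made. Callers needing host name verification must go
 * through the {@code Socket}/{@code SSLEngine} overloads (the JSSE default for
 * {@code X509ExtendedTrustManager}).
 * <p>
 * What happens on a host name mismatch is decided by the configured
 * {@link HostnameMismatchCallback2}; when none is given a
 * {@link DisabledNameMismatchCallback} is used.
 */
public class SSLTrustManagerWithHostnameChecking extends X509ExtendedTrustManager {
    /** Validates the presented chain and supplies the accepted issuers. */
    protected final X509CertChainValidator validator;
    /** Decides whether a host name matches a certificate. */
    private final HostnameToCertificateChecker hostnameChecker = new HostnameToCertificateChecker();
    /** Notified when the peer's host name does not match its certificate. */
    private final HostnameMismatchCallback2 hostnameMismatchCallback;

    /**
     * Creates a trust manager backed by the given validator.
     *
     * @param x509CertChainValidator validator used for chain validation; must not be {@code null}
     * @param hostnameMismatchCallback2 callback invoked on a host name mismatch; {@code null}
     *        selects a {@link DisabledNameMismatchCallback}
     * @throws NullPointerException if {@code x509CertChainValidator} is {@code null}
     */
    public SSLTrustManagerWithHostnameChecking(X509CertChainValidator x509CertChainValidator,
            HostnameMismatchCallback2 hostnameMismatchCallback2) {
        this.validator = Objects.requireNonNull(x509CertChainValidator, "x509CertChainValidator");
        this.hostnameMismatchCallback = hostnameMismatchCallback2 == null
                ? new DisabledNameMismatchCallback()
                : hostnameMismatchCallback2;
    }

    /**
     * Validates the client's chain. No host name check is performed in this overload.
     *
     * @throws CertificateException if the chain is absent or rejected by the validator
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkIfTrusted(x509CertificateArr);
    }

    /**
     * Validates the server's chain. No host name check is performed in this overload.
     *
     * @throws CertificateException if the chain is absent or rejected by the validator
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkIfTrusted(x509CertificateArr);
    }

    /** Returns the issuers trusted by the underlying validator. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.validator.getTrustedIssuers();
    }

    /**
     * Runs the chain through the validator and rejects it unless the result is valid.
     *
     * @param x509CertificateArr the peer's chain, end-entity certificate first
     * @throws CertificateException if the chain is {@code null} or empty, or the validator
     *         reports it as invalid; the message carries the end-entity subject DN and the
     *         validation status
     */
    protected void checkIfTrusted(X509Certificate[] x509CertificateArr) throws CertificateException {
        // A trust manager must never accept an absent chain, whatever the validator would do with it;
        // this also guarantees that chain[0] exists for the host name check that follows.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("The peer presented no certificate chain");
        }
        ValidationResult validate = this.validator.validate(x509CertificateArr);
        if (validate.isValid()) {
            return;
        }
        String subject = x509CertificateArr[0].getSubjectX500Principal().getName();
        throw new CertificateException("The peer's certificate with subject's DN " + subject
                + " was rejected. The peer's certificate status is: " + validate);
    }

    /**
     * Validates the client's chain and, when the socket is an {@link SSLSocket}, checks
     * the end-entity certificate against the peer's host name.
     *
     * @throws CertificateException if the chain is rejected, or the mismatch callback rejects the host name
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        checkIfTrusted(x509CertificateArr);
        // instanceof is false for null, so no separate null check is needed
        if (socket instanceof SSLSocket) {
            verifyHostname(x509CertificateArr, (SSLSocket) socket);
        }
    }

    /**
     * Validates the server's chain and, when the socket is an {@link SSLSocket}, checks
     * the end-entity certificate against the peer's host name.
     *
     * @throws CertificateException if the chain is rejected, or the mismatch callback rejects the host name
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        checkIfTrusted(x509CertificateArr);
        if (socket instanceof SSLSocket) {
            verifyHostname(x509CertificateArr, (SSLSocket) socket);
        }
    }

    /**
     * Validates the client's chain and, when an engine is given, checks the end-entity
     * certificate against the engine's peer host.
     *
     * @throws CertificateException if the chain is rejected, or the mismatch callback rejects the host name
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        checkIfTrusted(x509CertificateArr);
        if (sSLEngine != null) {
            verifyHostname(x509CertificateArr, sSLEngine);
        }
    }

    /**
     * Validates the server's chain and, when an engine is given, checks the end-entity
     * certificate against the engine's peer host.
     *
     * @throws CertificateException if the chain is rejected, or the mismatch callback rejects the host name
     */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        checkIfTrusted(x509CertificateArr);
        if (sSLEngine != null) {
            verifyHostname(x509CertificateArr, sSLEngine);
        }
    }

    /**
     * Checks the end-entity certificate against the engine's peer host.
     * NOTE(review): {@link SSLEngine#getPeerHost()} is {@code null} when the engine was
     * created without a peer host; what {@code hostnameChecker} does with a {@code null}
     * name is not visible here — confirm it does not report a match.
     */
    private void verifyHostname(X509Certificate[] x509CertificateArr, SSLEngine sSLEngine) throws CertificateException {
        verifyHostname(x509CertificateArr[0], sSLEngine.getPeerHost());
    }

    /** Checks the end-entity certificate against the socket's peer host name. */
    private void verifyHostname(X509Certificate[] x509CertificateArr, SSLSocket sSLSocket) throws CertificateException {
        verifyHostname(x509CertificateArr[0], peerHostOf(sSLSocket));
    }

    /**
     * Determines the host name to verify for a socket-based connection.
     * <p>
     * Prefers the name the application used to open the connection (the handshake
     * session's peer host): that is the name the certificate is expected to be issued
     * for, and it does not depend on a reverse-DNS answer from the resolver. Falls back
     * to the reverse-DNS name of the peer address when the session carries no peer host
     * (socket opened by IP address, or the server side of a connection) or when the
     * {@link SSLSocket} implementation does not support {@code getHandshakeSession()}.
     *
     * @param sSLSocket the connected socket
     * @return the host name to check the peer certificate against
     */
    private static String peerHostOf(SSLSocket sSLSocket) {
        try {
            SSLSession session = sSLSocket.getHandshakeSession();
            if (session != null && session.getPeerHost() != null) {
                return session.getPeerHost();
            }
        } catch (UnsupportedOperationException ignored) {
            // SSLSocket's base class throws this when the implementation predates the method;
            // fall through to the address-based name.
        }
        return sSLSocket.getInetAddress().getHostName();
    }

    /**
     * Matches the certificate against the host name and, on mismatch, lets the callback
     * decide the outcome.
     *
     * @throws CertificateException if the mismatch callback rejects the peer
     * @throws IllegalStateException if the check itself cannot be carried out
     */
    private void verifyHostname(X509Certificate x509Certificate, String str) throws CertificateException {
        try {
            if (this.hostnameChecker.checkMatching(str, x509Certificate)) {
                return;
            }
            this.hostnameMismatchCallback.nameMismatch(x509Certificate, str);
        } catch (Exception e) {
            // A rejection raised by the callback must reach the SSL layer as a CertificateException
            // (which the handshake turns into a proper alert), not disguised as an IllegalStateException.
            if (e instanceof CertificateException) {
                throw (CertificateException) e;
            }
            throw new IllegalStateException("Can't check peer's address against its certificate", e);
        }
    }
}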
