package com.unboundid.ldap.sdk.unboundidds;

import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.util.Base64;
import com.unboundid.util.CryptoHelper;
import com.unboundid.util.Debug;
import com.unboundid.util.NotNull;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;
import com.unboundid.util.ssl.cert.X509PEMFileReader;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.Serializable;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.X509TrustManager;

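/**
 * An {@link X509TrustManager} whose trust decision is based on membership in a
 * set of certificates read from a configuration file (the server's "topology
 * registry").  A presented chain is trusted when its peer certificate
 * ({@code chain[0]}) is in that set, or -- unless
 * {@link #requirePeerCertificateInTopologyRegistry()} is {@code true} -- when
 * any issuer certificate presented in the chain is in the set.  Validity
 * windows of the peer and of the presented issuer certificates are checked
 * against the current time unless the corresponding ignore flag is set.
 *
 * <p>NOTE(review): this class performs no signature or path verification of
 * the chain and {@link #getAcceptedIssuers()} returns an empty array; trust
 * is purely set membership plus validity windows.  Whether chain validation
 * is performed elsewhere in the SDK cannot be determined from this listing.</p>
 *
 * <p>The registry contents are cached for {@link #getCacheDurationMillis()}
 * milliseconds.  A chain that the cached set does not trust always triggers a
 * fresh read of the configuration file, so newly registered certificates are
 * honoured before the cache expires (and every rejected peer costs a file
 * read).  The cache lives in atomic references, so instances may be shared
 * between threads.</p>
 */
@ThreadSafety(level = ThreadSafetyLevel.COMPLETELY_THREADSAFE)
/* loaded from: input_file:BOOT-INF/lib/unboundid-ldapsdk-6.0.11.jar:com/unboundid/ldap/sdk/unboundidds/TopologyRegistryTrustManager.class */
public final class TopologyRegistryTrustManager implements X509TrustManager, Serializable {

    // Object class and attribute type names for the inter-server and listener
    // certificates.  They are not referenced by any method recovered in this
    // listing; presumably readTopologyRegistryCertificates() (not decompiled)
    // uses them to locate the relevant attributes -- verify against the SDK
    // sources.
    @NotNull
    private static final String INTER_SERVER_CERT_OC = "ds-cfg-server-instance";

    @NotNull
    private static final String INTER_SERVER_CERT_AT = "ds-cfg-inter-server-certificate";

    @NotNull
    private static final String LISTENER_CERT_OC = "ds-cfg-server-instance-listener";

    @NotNull
    private static final String LISTENER_CERT_AT = "ds-cfg-listener-certificate";

    // Shared empty array returned by getAcceptedIssuers().
    @NotNull
    static final X509Certificate[] NO_CERTIFICATES = new X509Certificate[0];
    private static final long serialVersionUID = -1535917071172094611L;

    // Format name passed to X500Principal.getName() when a subject DN is
    // rendered into an error message.
    @NotNull
    private static final String DN_FORMAT = "RFC2253";

    // Wall-clock time (millis) at which cachedCertificates is considered stale.
    @NotNull
    private final AtomicLong cacheExpirationTime;

    // Most recently read registry contents; empty until the first read.
    @NotNull
    private final AtomicReference<Set<X509Certificate>> cachedCertificates;
    private final boolean ignoreIssuerCertificateValidityWindow;
    private final boolean ignorePeerCertificateValidityWindow;
    private final boolean requirePeerCertificateInTopologyRegistry;

    // Configuration file from which the registry certificates are read.
    @NotNull
    private final File configurationFile;
    private final long cacheDurationMillis;

    /**
     * Creates a trust manager that reads the given configuration file and
     * caches its contents for the given number of milliseconds, using the
     * defaults of {@code TopologyRegistryTrustManagerProperties} for all other
     * settings.
     *
     * @param file  the configuration file holding the topology registry.
     * @param j     the cache duration in milliseconds.
     */
    public TopologyRegistryTrustManager(@NotNull File file, long j) {
        this(getDefaultProperties(file, j));
    }

    /**
     * Builds a properties object for the two-argument constructor.
     *
     * @param file  the configuration file holding the topology registry.
     * @param j     the cache duration in milliseconds.
     *
     * @return  properties for {@code file} with the cache duration applied.
     */
    @NotNull
    private static TopologyRegistryTrustManagerProperties getDefaultProperties(@NotNull File file, long j) {
        TopologyRegistryTrustManagerProperties properties = new TopologyRegistryTrustManagerProperties(file);
        properties.setCacheDuration(j, TimeUnit.MILLISECONDS);
        return properties;
    }

    /**
     * Creates a trust manager from the given properties.  The cache starts
     * empty and expired, so the first trust check reads the registry.
     *
     * @param topologyRegistryTrustManagerProperties  the settings to use.
     */
    public TopologyRegistryTrustManager(@NotNull TopologyRegistryTrustManagerProperties topologyRegistryTrustManagerProperties) {
        this.configurationFile = topologyRegistryTrustManagerProperties.getConfigurationFile();
        this.cacheDurationMillis = topologyRegistryTrustManagerProperties.getCacheDurationMillis();
        this.requirePeerCertificateInTopologyRegistry = topologyRegistryTrustManagerProperties.requirePeerCertificateInTopologyRegistry();
        this.ignorePeerCertificateValidityWindow = topologyRegistryTrustManagerProperties.ignorePeerCertificateValidityWindow();
        this.ignoreIssuerCertificateValidityWindow = topologyRegistryTrustManagerProperties.ignoreIssuerCertificateValidityWindow();
        this.cacheExpirationTime = new AtomicLong(0L);
        this.cachedCertificates = new AtomicReference<>(Collections.emptySet());
    }

    /**
     * @return  the configuration file holding the topology registry.
     */
    @NotNull
    public File getConfigurationFile() {
        return this.configurationFile;
    }

    /**
     * @return  how long (in milliseconds) a read of the registry is cached;
     *          values of zero or less disable caching.
     */
    public long getCacheDurationMillis() {
        return this.cacheDurationMillis;
    }

    /**
     * @return  {@code true} if only the peer certificate itself may establish
     *          trust, {@code false} if a registered issuer certificate
     *          presented in the chain is also sufficient.
     */
    public boolean requirePeerCertificateInTopologyRegistry() {
        return this.requirePeerCertificateInTopologyRegistry;
    }

    /**
     * @return  {@code true} if the peer certificate's validity window is not
     *          checked.
     */
    public boolean ignorePeerCertificateValidityWindow() {
        return this.ignorePeerCertificateValidityWindow;
    }

    /**
     * @return  {@code true} if the validity windows of the issuer certificates
     *          presented in the chain are not checked.
     */
    public boolean ignoreIssuerCertificateValidityWindow() {
        return this.ignoreIssuerCertificateValidityWindow;
    }

    /**
     * {@inheritDoc}  Client and server chains are checked identically; the
     * authentication type is ignored.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(@NotNull X509Certificate[] x509CertificateArr, @NotNull String str) throws CertificateException {
        checkTrusted(x509CertificateArr);
    }

    /**
     * {@inheritDoc}  Client and server chains are checked identically; the
     * authentication type is ignored.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(@NotNull X509Certificate[] x509CertificateArr, @NotNull String str) throws CertificateException {
        checkTrusted(x509CertificateArr);
    }

    /**
     * Renders a certificate's subject DN for use in error messages.
     *
     * @param cert  the certificate whose subject is wanted.
     *
     * @return  the subject DN in RFC 2253 form.
     */
    @NotNull
    private static String subjectName(@NotNull X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(DN_FORMAT);
    }

    /**
     * Performs the trust check shared by the client and server entry points.
     *
     * <p>Order of checks: the chain must be non-empty; the peer certificate
     * and then each presented issuer certificate must be within its validity
     * window (unless ignored); then the chain must be trusted by the cached
     * registry set or, failing that, by a freshly read one.</p>
     *
     * @param chain  the certificate chain presented by the peer, peer first.
     *
     * @throws  CertificateException  if the chain is empty, a checked
     *                                certificate is outside its validity
     *                                window, no registered certificate is
     *                                found in the chain, or the registry
     *                                cannot be read.
     */
    private void checkTrusted(@NotNull X509Certificate[] chain) throws CertificateException {
        // Defensive despite @NotNull: a null or empty chain is rejected rather
        // than dereferenced.
        if (chain == null || chain.length == 0) {
            throw new CertificateException(UnboundIDDSMessages.ERR_TR_TM_NO_CHAIN.get());
        }

        long currentTime = System.currentTimeMillis();
        X509Certificate peerCert = chain[0];

        if (!this.ignorePeerCertificateValidityWindow) {
            if (currentTime < peerCert.getNotBefore().getTime()) {
                throw new CertificateException(UnboundIDDSMessages.ERR_TR_TM_PEER_NOT_YET_VALID.get(subjectName(peerCert), String.valueOf(peerCert.getNotBefore())));
            }
            if (currentTime > peerCert.getNotAfter().getTime()) {
                throw new CertificateException(UnboundIDDSMessages.ERR_TR_TM_PEER_EXPIRED.get(subjectName(peerCert), String.valueOf(peerCert.getNotAfter())));
            }
        }

        if (!this.ignoreIssuerCertificateValidityWindow) {
            for (int i = 1; i < chain.length; i++) {
                X509Certificate issuerCert = chain[i];
                // The messages identify the issuer, so the date reported is the
                // issuer's own boundary rather than the peer's.
                if (currentTime < issuerCert.getNotBefore().getTime()) {
                    throw new CertificateException(UnboundIDDSMessages.ERR_TR_TM_ISSUER_NOT_YET_VALID.get(subjectName(peerCert), subjectName(issuerCert), String.valueOf(issuerCert.getNotBefore())));
                }
                if (currentTime > issuerCert.getNotAfter().getTime()) {
                    throw new CertificateException(UnboundIDDSMessages.ERR_TR_TM_ISSUER_EXPIRED.get(subjectName(peerCert), subjectName(issuerCert), String.valueOf(issuerCert.getNotAfter())));
                }
            }
        }

        // Fast path: a populated, unexpired cache that trusts the chain.
        Set<X509Certificate> cached = this.cachedCertificates.get();
        if (!cached.isEmpty() && this.cacheExpirationTime.get() >= currentTime && mayTrustChainBasedOnCertificateSet(chain, cached)) {
            return;
        }

        // Slow path: re-read the registry.  Any miss re-reads, so a certificate
        // registered after the last read is honoured immediately.
        Set<X509Certificate> fresh = readTopologyRegistryCertificates();
        if (this.cacheDurationMillis > 0) {
            // The two updates are not atomic as a pair; a reader that sees the
            // new set with the old expiry merely performs one extra read.
            this.cachedCertificates.set(fresh);
            this.cacheExpirationTime.set(currentTime + this.cacheDurationMillis);
        }
        if (mayTrustChainBasedOnCertificateSet(chain, fresh)) {
            return;
        }

        // Choose the message that matches what was actually looked up.
        if (!this.requirePeerCertificateInTopologyRegistry && chain.length != 1) {
            throw new CertificateException(UnboundIDDSMessages.ERR_TP_TM_PEER_OR_ISSUERS_NOT_FOUND.get(subjectName(peerCert)));
        }
        throw new CertificateException(UnboundIDDSMessages.ERR_TP_TM_PEER_NOT_FOUND.get(subjectName(peerCert)));
    }

    /**
     * Indicates whether the chain is trusted by the given registry set: the
     * peer certificate is in the set, or (when the peer is not required to be
     * registered) any certificate after it in the chain is.  Membership is
     * decided by {@link Set#contains}, i.e. certificate equality; nothing is
     * verified about how the chain elements relate to each other.
     *
     * @param chain  the presented chain, peer first.
     * @param set    the registered certificates.
     *
     * @return  {@code true} if the chain may be trusted based on {@code set}.
     */
    private boolean mayTrustChainBasedOnCertificateSet(@NotNull X509Certificate[] chain, @NotNull Set<X509Certificate> set) {
        if (set.contains(chain[0])) {
            return true;
        }
        if (this.requirePeerCertificateInTopologyRegistry) {
            return false;
        }
        for (int i = 1; i < chain.length; i++) {
            if (set.contains(chain[i])) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the certificates registered in the topology registry.
     *
     * <p>The decompiler could not reconstruct this method, so this listing
     * holds only a stub that throws {@link UnsupportedOperationException}.
     * Fragments it did recover show the result being wrapped with
     * {@code Collections.unmodifiableSet} and a resource being closed with
     * {@code addSuppressed} on failure, consistent with a try-with-resources
     * block.  Presumably the real body reads {@link #configurationFile} and
     * hands the certificate attributes to {@link #parseCertificates}; confirm
     * against the SDK sources before relying on that.</p>
     *
     * @return  the set of registered certificates.
     *
     * @throws  CertificateException  declared by the original method; the
     *                                conditions are not recoverable here.
     */
    @NotNull
    private Set<X509Certificate> readTopologyRegistryCertificates() throws CertificateException {
        // Decompiler stub (282 instructions not recovered); not the real body.
        throw new UnsupportedOperationException("Method not decompiled: com.unboundid.ldap.sdk.unboundidds.TopologyRegistryTrustManager.readTopologyRegistryCertificates():java.util.Set");
    }

    /**
     * Parses PEM-encoded certificates from the values of the given attribute
     * and adds them to {@code set}.  A value may hold several PEM blocks; the
     * lines between a BEGIN header and END footer are accumulated as the
     * base64 body and decoded at the footer.  The buffer is cleared at the
     * start of every value and at every BEGIN header, so text preceding a
     * header, or leftovers from a value that lacked a footer or failed to
     * decode, cannot be prepended to the next certificate's data.
     *
     * <p>A value that cannot be decoded is skipped after
     * {@code Debug.debugException}; the remaining values are still loaded.
     * Note that this means a malformed registry entry silently shrinks the
     * trusted set.</p>
     *
     * @param set        the set to which parsed certificates are added.
     * @param attribute  the attribute whose values hold PEM certificates.
     */
    private void parseCertificates(@NotNull Set<X509Certificate> set, @NotNull Attribute attribute) {
        StringBuilder pemBody = new StringBuilder();
        for (String value : attribute.getValues()) {
            // Never let data from a previous value leak into this one.
            pemBody.setLength(0);
            try {
                for (String line : StaticUtils.stringToLines(value)) {
                    if (line.equalsIgnoreCase(X509PEMFileReader.BEGIN_CERTIFICATE_HEADER)) {
                        // Discard any preamble text that preceded the header.
                        pemBody.setLength(0);
                    } else if (line.equalsIgnoreCase(X509PEMFileReader.END_CERTIFICATE_FOOTER)) {
                        byte[] der = Base64.decode(pemBody.toString());
                        pemBody.setLength(0);
                        set.add((X509Certificate) CryptoHelper.getCertificateFactory("X.509").generateCertificate(new ByteArrayInputStream(der)));
                    } else {
                        pemBody.append(line);
                    }
                }
            } catch (Exception e) {
                // Best-effort by design: one bad value must not abort the load.
                Debug.debugException(e);
            }
        }
    }

    /**
     * {@inheritDoc}  Always returns an empty array, so this trust manager
     * advertises no accepted issuers to peers.
     */
    @Override // javax.net.ssl.X509TrustManager
    @NotNull
    public X509Certificate[] getAcceptedIssuers() {
        return NO_CERTIFICATES;
    }

    /**
     * @return  a string representation of this trust manager's settings.
     */
    @Override
    @NotNull
    public String toString() {
        StringBuilder buffer = new StringBuilder();
        toString(buffer);
        return buffer.toString();
    }

    /**
     * Appends a string representation of this trust manager's settings to the
     * given buffer.  The cache state is intentionally not included.
     *
     * @param sb  the buffer to append to.
     */
    public void toString(@NotNull StringBuilder sb) {
        sb.append("TopologyRegistryTrustManager(configurationFile='");
        sb.append(this.configurationFile.getAbsolutePath());
        sb.append("', cacheDurationMillis=");
        sb.append(this.cacheDurationMillis);
        sb.append(", requirePeerCertificateInTopologyRegistry=");
        sb.append(this.requirePeerCertificateInTopologyRegistry);
        sb.append(", ignorePeerCertificateValidityWindow=");
        sb.append(this.ignorePeerCertificateValidityWindow);
        sb.append(", ignoreIssuerCertificateValidityWindow=");
        sb.append(this.ignoreIssuerCertificateValidityWindow);
        sb.append(')');
    }
}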
