package sviolet.slate.common.x.net.loadbalance.classic;

import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.internal.Util;
import okhttp3.internal.platform.Platform;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sviolet.thistle.util.conversion.Base64Utils;
import sviolet.thistle.util.crypto.CertificateUtils;
import sviolet.thistle.util.judge.CheckUtils;
import sviolet.thistle.util.net.SimpleHostnameVerifier;

/* loaded from: input_file:sviolet/slate/common/x/net/loadbalance/classic/SslUtils.class */
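/**
 * Static helpers that configure TLS trust (trust manager / socket factory) and
 * hostname verification on a {@code MultiHostOkHttpClient}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>"Custom issuers" are accepted <em>in addition to</em> the platform trust
 *       store (see {@link CustomIssuersX509TrustManager}); this is not issuer pinning.</li>
 *   <li>Three sentinel values ({@code UNSAFE-TRUST-ALL-ISSUERS},
 *       {@code UNSAFE-TRUST-ALL-CN}, {@code UNSAFE-TRUST-ALL-DN}) switch off the
 *       corresponding check entirely. Each one is logged at WARN when configured so
 *       that its use is visible in logs.</li>
 *   <li>{@link #setVerifyServerCnByCustomHostname} and {@link #setVerifyServerDnByCustomDn}
 *       both write the client's hostname verifier through the same setter, so the
 *       later call replaces the earlier one.</li>
 * </ul>
 */
public class SslUtils {
    private static final Logger logger = LoggerFactory.getLogger(SslUtils.class);

    /** Sentinel for {@link #setCustomServerIssuerEncoded}: accept any certificate chain. */
    private static final String UNSAFE_TRUST_ALL_ISSUERS = "UNSAFE-TRUST-ALL-ISSUERS";

    /** Sentinel for {@link #setVerifyServerCnByCustomHostname}: accept any certificate CN. */
    private static final String UNSAFE_TRUST_ALL_CN = "UNSAFE-TRUST-ALL-CN";

    /** Sentinel for {@link #setVerifyServerDnByCustomDn}: accept any subject DN. */
    private static final String UNSAFE_TRUST_ALL_DN = "UNSAFE-TRUST-ALL-DN";

    /**
     * Trust manager that accepts a chain when EITHER a trust manager built from the
     * supplied key store OR the platform trust manager accepts it.
     *
     * <p>The custom trust manager is consulted first; the platform one is a fallback.
     * The custom issuers therefore widen the set of trusted roots. A deployment that
     * needs to trust only its own CA cannot get that from this class.
     */
    public static class CustomIssuersX509TrustManager implements X509TrustManager {
        private final X509TrustManager systemTrustManager;
        private final X509TrustManager customTrustManager;
        private final X509Certificate[] acceptedIssuers;
        private final String[] customIssuersEncoded;

        /**
         * Builds a trust manager from the given issuer certificates.
         *
         * @param x509CertificateArr custom issuer certificates; must not be null
         * @return a trust manager trusting these issuers plus the platform trust store
         * @throws IllegalArgumentException if the array is null
         * @throws CertificateException if the key store or trust manager cannot be built
         */
        public static X509TrustManager newInstance(X509Certificate[] x509CertificateArr) throws CertificateException {
            if (x509CertificateArr == null) {
                throw new IllegalArgumentException("customIssuers is null");
            }
            try {
                // In-memory key store; each certificate is stored under its array index as alias.
                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null, null);
                for (int i = 0; i < x509CertificateArr.length; i++) {
                    keyStore.setCertificateEntry(String.valueOf(i), x509CertificateArr[i]);
                }
                return new CustomIssuersX509TrustManager(keyStore);
            } catch (Exception e) {
                throw new CertificateException("Error while converting X509Certificates to KeyStore", e);
            }
        }

        /**
         * Builds a trust manager from an existing key store of issuer certificates.
         *
         * @param keyStore key store holding the custom issuers; must not be null
         * @return a trust manager trusting these issuers plus the platform trust store
         * @throws IllegalArgumentException if the key store is null
         * @throws CertificateException if the trust manager cannot be built
         */
        public static X509TrustManager newInstance(KeyStore keyStore) throws CertificateException {
            return new CustomIssuersX509TrustManager(keyStore);
        }

        private CustomIssuersX509TrustManager(KeyStore keyStore) throws CertificateException {
            if (keyStore == null) {
                throw new IllegalArgumentException("customKeyStore is null");
            }
            this.systemTrustManager = Util.platformTrustManager();

            X509TrustManager custom;
            X509Certificate[] merged;
            String[] encoded;
            try {
                TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                factory.init(keyStore);
                TrustManager[] trustManagers = factory.getTrustManagers();
                if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                    throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
                }
                custom = (X509TrustManager) trustManagers[0];

                // Advertised issuers: custom issuers first, then the platform ones.
                X509Certificate[] systemIssuers = this.systemTrustManager.getAcceptedIssuers();
                X509Certificate[] customIssuers = custom.getAcceptedIssuers();
                merged = new X509Certificate[systemIssuers.length + customIssuers.length];
                System.arraycopy(customIssuers, 0, merged, 0, customIssuers.length);
                System.arraycopy(systemIssuers, 0, merged, customIssuers.length, systemIssuers.length);

                // Base64 of each custom issuer, kept only for toString() diagnostics.
                encoded = new String[customIssuers.length];
                for (int i = 0; i < customIssuers.length; i++) {
                    encoded[i] = Base64Utils.encodeToString(CertificateUtils.parseCertificateToEncoded(customIssuers[i]));
                }
            } catch (Exception e) {
                throw new CertificateException("Error while building TrustManager by X509Certificates (KeyStore)", e);
            }
            this.customTrustManager = custom;
            this.acceptedIssuers = merged;
            this.customIssuersEncoded = encoded;
        }

        /**
         * Accepts the client chain if the custom or, failing that, the platform trust
         * manager accepts it. If both reject, the custom manager's exception is thrown
         * with the platform manager's exception attached as suppressed.
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            try {
                this.customTrustManager.checkClientTrusted(x509CertificateArr, str);
            } catch (CertificateException customFailure) {
                try {
                    this.systemTrustManager.checkClientTrusted(x509CertificateArr, str);
                } catch (CertificateException systemFailure) {
                    customFailure.addSuppressed(systemFailure);
                    throw customFailure;
                }
            }
        }

        /**
         * Accepts the server chain if the custom or, failing that, the platform trust
         * manager accepts it. If both reject, the custom manager's exception is thrown
         * with the platform manager's exception attached as suppressed.
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            try {
                this.customTrustManager.checkServerTrusted(x509CertificateArr, str);
            } catch (CertificateException customFailure) {
                try {
                    this.systemTrustManager.checkServerTrusted(x509CertificateArr, str);
                } catch (CertificateException systemFailure) {
                    customFailure.addSuppressed(systemFailure);
                    throw customFailure;
                }
            }
        }

        /**
         * Returns the custom issuers followed by the platform issuers.
         *
         * @return a copy of the merged issuer array, so callers cannot alter the
         *         array held by this trust manager
         */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return this.acceptedIssuers.clone();
        }

        /** Diagnostic form listing the Base64-encoded custom issuer certificates. */
        @Override
        public String toString() {
            return "CustomIssuersX509TrustManager{" + Arrays.toString(this.customIssuersEncoded) + '}';
        }
    }

    /**
     * Installs the given trust manager (and a matching SSLSocketFactory) on the client.
     *
     * <p>A null client is ignored. A null trust manager sets both the socket factory
     * and the trust manager on the client to null; what the client falls back to in
     * that case is decided by {@code MultiHostOkHttpClient} and is not visible here.
     *
     * @param multiHostOkHttpClient client to configure; null is a no-op
     * @param x509TrustManager trust manager to install, or null to clear the custom one
     * @throws RuntimeException if the SSLContext cannot be initialised
     */
    public static void setX509TrustManager(MultiHostOkHttpClient multiHostOkHttpClient, X509TrustManager x509TrustManager) {
        if (multiHostOkHttpClient == null) {
            return;
        }
        if (x509TrustManager == null) {
            multiHostOkHttpClient.setSSLSocketFactory(null);
            multiHostOkHttpClient.setX509TrustManager(null);
            return;
        }
        try {
            // No key managers (no client certificate) and the default SecureRandom.
            SSLContext sslContext = Platform.get().getSSLContext();
            sslContext.init(null, new TrustManager[]{x509TrustManager}, null);
            multiHostOkHttpClient.setSSLSocketFactory(sslContext.getSocketFactory());
            multiHostOkHttpClient.setX509TrustManager(x509TrustManager);
        } catch (KeyManagementException e) {
            throw new RuntimeException("Error while initializing SSLSocketFactory and setting X509TrustManager to MultiHostOkHttpClient", e);
        }
    }

    /**
     * Trusts the given issuer certificates in addition to the platform trust store.
     *
     * @param multiHostOkHttpClient client to configure; null is a no-op
     * @param x509CertificateArr custom issuers, or null to clear the custom trust manager
     * @throws CertificateException if the trust manager cannot be built
     */
    public static void setCustomServerIssuers(MultiHostOkHttpClient multiHostOkHttpClient, X509Certificate[] x509CertificateArr) throws CertificateException {
        X509TrustManager trustManager = null;
        if (x509CertificateArr != null) {
            trustManager = CustomIssuersX509TrustManager.newInstance(x509CertificateArr);
        }
        setX509TrustManager(multiHostOkHttpClient, trustManager);
    }

    /**
     * Single-certificate form of {@link #setCustomServerIssuers}.
     *
     * @param multiHostOkHttpClient client to configure; null is a no-op
     * @param x509Certificate custom issuer, or null to clear the custom trust manager
     * @throws CertificateException if the trust manager cannot be built
     */
    public static void setCustomServerIssuer(MultiHostOkHttpClient multiHostOkHttpClient, X509Certificate x509Certificate) throws CertificateException {
        X509Certificate[] issuers = null;
        if (x509Certificate != null) {
            issuers = new X509Certificate[]{x509Certificate};
        }
        setCustomServerIssuers(multiHostOkHttpClient, issuers);
    }

    /**
     * Parses Base64-encoded X.509 certificates and trusts them as custom issuers.
     *
     * @param multiHostOkHttpClient client to configure; null is a no-op
     * @param strArr Base64-encoded certificates; null or empty clears the custom trust manager
     * @throws CertificateException if the trust manager cannot be built
     * @throws RuntimeException if any entry cannot be decoded or parsed; the message
     *         contains the offending encoded value
     */
    public static void setCustomServerIssuersEncoded(MultiHostOkHttpClient multiHostOkHttpClient, String[] strArr) throws CertificateException {
        if (strArr == null || strArr.length <= 0) {
            setCustomServerIssuers(multiHostOkHttpClient, null);
            return;
        }
        X509Certificate[] issuers = new X509Certificate[strArr.length];
        for (int i = 0; i < issuers.length; i++) {
            try {
                issuers[i] = CertificateUtils.parseX509ToCertificate(Base64Utils.decode(strArr[i]));
            } catch (Throwable th) {
                throw new RuntimeException("Error while parsing custom issuer certificate from X509 encoded: " + strArr[i], th);
            }
        }
        setCustomServerIssuers(multiHostOkHttpClient, issuers);
    }

    /**
     * Single-value form of {@link #setCustomServerIssuersEncoded}, with one special case.
     *
     * <p>SECURITY: the literal value {@code UNSAFE-TRUST-ALL-ISSUERS} installs a trust
     * manager whose check methods are empty, so every certificate chain is accepted and
     * the server is not authenticated by its certificate. The value is a plain
     * configuration string, so any party able to set this property can turn chain
     * validation off; a WARN line is logged each time this mode is configured.
     *
     * @param multiHostOkHttpClient client to configure; null is a no-op
     * @param str Base64-encoded issuer certificate, the sentinel above, or
     *            null/blank to clear the custom trust manager
     * @throws CertificateException if the trust manager cannot be built
     */
    public static void setCustomServerIssuerEncoded(MultiHostOkHttpClient multiHostOkHttpClient, String str) throws CertificateException {
        if (!UNSAFE_TRUST_ALL_ISSUERS.equals(str)) {
            setCustomServerIssuersEncoded(multiHostOkHttpClient, !CheckUtils.isEmptyOrBlank(str) ? new String[]{str} : null);
            return;
        }
        logger.warn("MultiHostOkHttpClient trust all issuers! UNSAFE !!!");
        setX509TrustManager(multiHostOkHttpClient, new X509TrustManager() {
            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str2) throws CertificateException {
                // Intentionally empty: never rejects a chain.
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str2) throws CertificateException {
                // Intentionally empty: never rejects a chain.
            }

            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        });
    }

    /**
     * Verifies the server certificate against a fixed hostname instead of the
     * hostname the connection was made to.
     *
     * <p>The matching itself is done by {@code SimpleHostnameVerifier}; this override
     * only substitutes the configured hostname for the connection hostname.
     *
     * <p>SECURITY: the literal value {@code UNSAFE-TRUST-ALL-CN} makes every hostname
     * comparison succeed. A WARN line is logged when this mode is configured. This
     * method and {@link #setVerifyServerDnByCustomDn} use the same setter on the
     * client, so whichever is called last is the one in effect.
     *
     * @param multiHostOkHttpClient client to configure; null is a no-op, consistent
     *        with {@link #setX509TrustManager}
     * @param str hostname the certificate must match, the sentinel above, or
     *            null/blank to clear the custom verifier
     */
    public static void setVerifyServerCnByCustomHostname(MultiHostOkHttpClient multiHostOkHttpClient, final String str) {
        if (multiHostOkHttpClient == null) {
            return;
        }
        if (CheckUtils.isEmptyOrBlank(str)) {
            multiHostOkHttpClient.setHostnameVerifier(null);
            return;
        }
        if (UNSAFE_TRUST_ALL_CN.equals(str)) {
            // The issuer bypass is logged at WARN; do the same for the CN bypass.
            logger.warn("MultiHostOkHttpClient trust all CN! UNSAFE !!!");
        }
        multiHostOkHttpClient.setHostnameVerifier(new SimpleHostnameVerifier() {
            public boolean verify(String connectionHost, SSLSession session) {
                boolean matched = super.verify(connectionHost, session);
                if (!matched) {
                    logger.error("The certificate CN of the server does not match the specified hostname '{}'", str);
                }
                return matched;
            }

            protected boolean isHostnameMatch(String connectionHost, String certificateName) {
                if (UNSAFE_TRUST_ALL_CN.equals(str)) {
                    return true;
                }
                // Compare against the configured hostname, not the connection hostname.
                return super.isHostnameMatch(str, certificateName);
            }

            @Override
            public String toString() {
                return "MultiHostOkHttpClient$SimpleHostnameVerifier{customHostname='" + str + "'}";
            }
        });
    }

    /**
     * Verifies the server by the subject DN of its leaf certificate.
     *
     * <p>The verifier compares {@code getSubjectX500Principal().getName()} of the first
     * peer certificate with the configured string using {@code String.equals}: the
     * match is exact and case-sensitive on the string form returned by the JDK. The
     * hostname of the connection is not checked in this mode. Any error while reading
     * the peer certificate makes verification fail (fail closed).
     *
     * <p>SECURITY: the literal value {@code UNSAFE-TRUST-ALL-DN} accepts every peer
     * without looking at its certificate. A WARN line is logged when this mode is
     * configured. The DN written to the error log comes from the peer certificate and
     * should be treated as untrusted text by log consumers. This method and
     * {@link #setVerifyServerCnByCustomHostname} use the same setter on the client, so
     * whichever is called last is the one in effect.
     *
     * @param multiHostOkHttpClient client to configure; null is a no-op, consistent
     *        with {@link #setX509TrustManager}
     * @param str expected subject DN, the sentinel above, or null/blank to clear the
     *            custom verifier
     */
    public static void setVerifyServerDnByCustomDn(MultiHostOkHttpClient multiHostOkHttpClient, final String str) {
        if (multiHostOkHttpClient == null) {
            return;
        }
        if (CheckUtils.isEmptyOrBlank(str)) {
            multiHostOkHttpClient.setHostnameVerifier(null);
            return;
        }
        if (UNSAFE_TRUST_ALL_DN.equals(str)) {
            // The issuer bypass is logged at WARN; do the same for the DN bypass.
            logger.warn("MultiHostOkHttpClient trust all DN! UNSAFE !!!");
        }
        multiHostOkHttpClient.setHostnameVerifier(new HostnameVerifier() {
            @Override // javax.net.ssl.HostnameVerifier
            public boolean verify(String connectionHost, SSLSession session) {
                if (UNSAFE_TRUST_ALL_DN.equals(str)) {
                    return true;
                }
                try {
                    Certificate[] peerCertificates = session.getPeerCertificates();
                    if (peerCertificates == null || peerCertificates.length <= 0) {
                        logger.error("Server certificate not received, can not verify it's DN");
                        return false;
                    }
                    // Index 0 is the peer's own (leaf) certificate.
                    String subjectDn = ((X509Certificate) peerCertificates[0]).getSubjectX500Principal().getName();
                    boolean matched = str.equals(subjectDn);
                    if (!matched) {
                        logger.error("The certificate's DN '{}' of the server does not match the specified DN '{}'", subjectDn, str);
                    }
                    return matched;
                } catch (Throwable th) {
                    // Fail closed: any failure to obtain or read the certificate rejects the peer.
                    logger.error("Error while verifying server certificate's DN", th);
                    return false;
                }
            }

            @Override
            public String toString() {
                return "MultiHostOkHttpClient$HostnameVerifier{customDn='" + str + "'}";
            }
        });
    }
}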
