package com.networknt.client.ssl;

import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/networknt/client/ssl/ClientX509ExtendedTrustManager.class */
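/**
 * Client-side trust manager that wraps a delegate {@link X509TrustManager} and layers the
 * endpoint-identity checks selected by {@link TLSConfig} on top of the delegate's chain
 * validation.
 *
 * <p>Each connection-aware check runs the same sequence:
 * <ol>
 *   <li>{@code EndpointIdentificationAlgorithm.setup(...)} is called with the socket or engine
 *       and the configured algorithm;</li>
 *   <li>the certificate chain is validated by the delegate. A delegate that is itself an
 *       {@link X509ExtendedTrustManager} receives the socket/engine; for any other delegate
 *       this class runs its own peer-host check ({@code HTTPS} algorithm only);</li>
 *   <li>on the server-trust path only, the leaf certificate is matched against the configured
 *       trusted-name set when the algorithm is {@code APIS}.</li>
 * </ol>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Every failure, including unexpected runtime errors, is caught as {@link Throwable} and
 *       passed to {@code SSLUtils.handleTrustValidationErrors}. The check methods fail closed
 *       only if that helper always throws; its body is not part of this class, so confirm it
 *       never returns normally.</li>
 *   <li>With an extended delegate, host-name verification is left to the delegate; presumably
 *       it is driven by what {@code EndpointIdentificationAlgorithm.setup} configures on the
 *       socket or engine - verify against that helper.</li>
 *   <li>When the algorithm is neither {@code HTTPS} nor {@code APIS}, this class itself
 *       performs no name check.</li>
 * </ul>
 */
public class ClientX509ExtendedTrustManager extends X509ExtendedTrustManager implements X509TrustManager {
    /** Delegate that performs the actual certificate-chain validation. */
    private final X509TrustManager trustManager;
    /** Identity-check mode read from the TLS configuration at construction time. */
    private final EndpointIdentificationAlgorithm identityAlg;
    /** Private copy of the configured trusted names, consulted by the {@code APIS} check. */
    private final Set<String> trustedNameSet = new HashSet<>();

    /**
     * Creates a wrapper around {@code x509TrustManager}.
     *
     * @param x509TrustManager delegate used for chain validation; must not be null
     * @param tLSConfig source of the identification algorithm and the trusted-name set; must not
     *     be null
     * @throws NullPointerException if either argument is null (or if the configuration returns a
     *     null trusted-name set)
     */
    public ClientX509ExtendedTrustManager(X509TrustManager x509TrustManager, TLSConfig tLSConfig) {
        this.trustManager = Objects.requireNonNull(x509TrustManager, "x509TrustManager");
        // Fail with a named NPE instead of an anonymous one on the first dereference below.
        Objects.requireNonNull(tLSConfig, "tLSConfig");
        this.identityAlg = tLSConfig.getEndpointIdentificationAlgorithm();
        // Copy the names so that later changes to the configuration's set do not alter the
        // names this instance trusts.
        this.trustedNameSet.addAll(tLSConfig.getTrustedNameSet());
    }

    /**
     * Returns the accepted issuers of the delegate trust manager.
     *
     * @return whatever the delegate reports
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustManager.getAcceptedIssuers();
    }

    /**
     * Validates a client chain when no connection context is available.
     *
     * <p>Forwards to the socket-based overload with a null socket; the peer-host check in this
     * class is skipped for a null socket.
     *
     * @param x509CertificateArr peer certificate chain, leaf first
     * @param str authentication type
     * @throws CertificateException if validation fails
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkClientTrusted(x509CertificateArr, str, (Socket) null);
    }

    /**
     * Validates a server chain when no connection context is available.
     *
     * <p>Forwards to the socket-based overload with a null socket. The peer-host check in this
     * class is skipped for a null socket, but the {@code APIS} trusted-name check still runs.
     *
     * @param x509CertificateArr peer certificate chain, leaf first
     * @param str authentication type
     * @throws CertificateException if validation fails
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkServerTrusted(x509CertificateArr, str, (Socket) null);
    }

    /**
     * Validates a client chain for a socket-based connection.
     *
     * @param x509CertificateArr peer certificate chain, leaf first
     * @param str authentication type
     * @param socket connection being established; may be null
     * @throws CertificateException if validation fails
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        try {
            EndpointIdentificationAlgorithm.setup(socket, this.identityAlg);
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                ((X509ExtendedTrustManager) this.trustManager).checkClientTrusted(x509CertificateArr, str, socket);
            } else {
                // A plain delegate validates the chain only, so the host check is done here.
                this.trustManager.checkClientTrusted(x509CertificateArr, str);
                checkIdentity(socket, x509CertificateArr[0]);
            }
        } catch (Throwable th) {
            // NOTE(review): must always throw, otherwise the failure above is ignored - confirm.
            SSLUtils.handleTrustValidationErrors(th);
        }
    }

    /**
     * Validates a server chain for a socket-based connection, then applies the {@code APIS}
     * trusted-name check to the leaf certificate.
     *
     * @param x509CertificateArr peer certificate chain, leaf first
     * @param str authentication type
     * @param socket connection being established; may be null
     * @throws CertificateException if validation fails
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        try {
            EndpointIdentificationAlgorithm.setup(socket, this.identityAlg);
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                ((X509ExtendedTrustManager) this.trustManager).checkServerTrusted(x509CertificateArr, str, socket);
            } else {
                // A plain delegate validates the chain only, so the host check is done here.
                this.trustManager.checkServerTrusted(x509CertificateArr, str);
                checkIdentity(socket, x509CertificateArr[0]);
            }
            // Runs only after the delegate has accepted the chain.
            doCustomServerIdentityCheck(x509CertificateArr[0]);
        } catch (Throwable th) {
            // NOTE(review): must always throw, otherwise the failure above is ignored - confirm.
            SSLUtils.handleTrustValidationErrors(th);
        }
    }

    /**
     * Validates a client chain for an engine-based connection.
     *
     * @param x509CertificateArr peer certificate chain, leaf first
     * @param str authentication type
     * @param sSLEngine engine driving the handshake; may be null
     * @throws CertificateException if validation fails
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        try {
            EndpointIdentificationAlgorithm.setup(sSLEngine, this.identityAlg);
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                ((X509ExtendedTrustManager) this.trustManager).checkClientTrusted(x509CertificateArr, str, sSLEngine);
            } else {
                // A plain delegate validates the chain only, so the host check is done here.
                this.trustManager.checkClientTrusted(x509CertificateArr, str);
                checkIdentity(sSLEngine, x509CertificateArr[0]);
            }
        } catch (Throwable th) {
            // NOTE(review): must always throw, otherwise the failure above is ignored - confirm.
            SSLUtils.handleTrustValidationErrors(th);
        }
    }

    /**
     * Validates a server chain for an engine-based connection, then applies the {@code APIS}
     * trusted-name check to the leaf certificate.
     *
     * @param x509CertificateArr peer certificate chain, leaf first
     * @param str authentication type
     * @param sSLEngine engine driving the handshake; may be null
     * @throws CertificateException if validation fails
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        try {
            EndpointIdentificationAlgorithm.setup(sSLEngine, this.identityAlg);
            if (this.trustManager instanceof X509ExtendedTrustManager) {
                ((X509ExtendedTrustManager) this.trustManager).checkServerTrusted(x509CertificateArr, str, sSLEngine);
            } else {
                // A plain delegate validates the chain only, so the host check is done here.
                this.trustManager.checkServerTrusted(x509CertificateArr, str);
                checkIdentity(sSLEngine, x509CertificateArr[0]);
            }
            // Runs only after the delegate has accepted the chain.
            doCustomServerIdentityCheck(x509CertificateArr[0]);
        } catch (Throwable th) {
            // NOTE(review): must always throw, otherwise the failure above is ignored - confirm.
            SSLUtils.handleTrustValidationErrors(th);
        }
    }

    /**
     * Matches the server's leaf certificate against the configured trusted names.
     *
     * <p>Does nothing unless the configured algorithm is {@code APIS}.
     *
     * @param x509Certificate leaf certificate presented by the server
     * @throws CertificateException if {@code APINameChecker} rejects the certificate
     */
    private void doCustomServerIdentityCheck(X509Certificate x509Certificate) throws CertificateException {
        if (EndpointIdentificationAlgorithm.APIS == this.identityAlg) {
            APINameChecker.verifyAndThrow(this.trustedNameSet, x509Certificate);
        }
    }

    /**
     * Runs the peer-host check against the engine's handshake session.
     *
     * <p>A null engine skips the check entirely.
     *
     * @param sSLEngine engine driving the handshake; may be null
     * @param x509Certificate leaf certificate of the peer
     * @throws CertificateException if there is no handshake session or the name check fails
     */
    private void checkIdentity(SSLEngine sSLEngine, X509Certificate x509Certificate) throws CertificateException {
        if (sSLEngine != null) {
            checkIdentity(sSLEngine.getHandshakeSession(), x509Certificate);
        }
    }

    /**
     * Runs the peer-host check against the socket's handshake session.
     *
     * <p>The check is skipped when the socket is null, not connected, or not an
     * {@link SSLSocket}; in those cases no host name is verified by this method.
     *
     * @param socket connection being established; may be null
     * @param x509Certificate leaf certificate of the peer
     * @throws CertificateException if there is no handshake session or the name check fails
     */
    private void checkIdentity(Socket socket, X509Certificate x509Certificate) throws CertificateException {
        if (socket != null && socket.isConnected() && (socket instanceof SSLSocket)) {
            checkIdentity(((SSLSocket) socket).getHandshakeSession(), x509Certificate);
        }
    }

    /**
     * Verifies the certificate against the session's peer host when the algorithm is
     * {@code HTTPS}.
     *
     * @param sSLSession handshake session of the connection
     * @param x509Certificate leaf certificate of the peer
     * @throws CertificateException if {@code sSLSession} is null or the name check fails
     */
    private void checkIdentity(SSLSession sSLSession, X509Certificate x509Certificate) throws CertificateException {
        if (sSLSession == null) {
            throw new CertificateException("No handshake session");
        }
        if (EndpointIdentificationAlgorithm.HTTPS == this.identityAlg) {
            APINameChecker.verifyAndThrow(sSLSession.getPeerHost(), x509Certificate);
        }
    }

    /**
     * Wraps every {@link X509TrustManager} in the given array with this class.
     *
     * @param trustManagerArr trust managers to decorate; may be null or empty
     * @param tLSConfig configuration handed to each wrapper
     * @return the input array itself when it is null or empty; otherwise a new array of the same
     *     length in which each {@link X509TrustManager} is wrapped and every other element is
     *     carried over unchanged
     */
    public static TrustManager[] decorate(TrustManager[] trustManagerArr, TLSConfig tLSConfig) {
        if (trustManagerArr == null || trustManagerArr.length == 0) {
            return trustManagerArr;
        }
        TrustManager[] decorated = new TrustManager[trustManagerArr.length];
        for (int i = 0; i < trustManagerArr.length; i++) {
            TrustManager candidate = trustManagerArr[i];
            decorated[i] = (candidate instanceof X509TrustManager)
                    ? new ClientX509ExtendedTrustManager((X509TrustManager) candidate, tLSConfig)
                    : candidate;
        }
        return decorated;
    }
}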
