package pl.edu.icm.unity.oauth.client;

import eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.util.httpclient.ServerHostnameCheckingMode;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;

/* loaded from: input_file:pl/edu/icm/unity/oauth/client/CanlHostnameVerifierJDK.class */
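/**
 * {@link HostnameVerifier} that compares the host name of a TLS connection with the
 * peer's X.509 certificate, using CANL's {@link HostnameToCertificateChecker}.
 *
 * <p>The reaction to a mismatch is controlled by the {@link ServerHostnameCheckingMode}
 * given at construction time:
 * <ul>
 *   <li>{@code NONE} - every connection is accepted and the certificate is not inspected;</li>
 *   <li>{@code WARN} - a mismatch is logged at WARN level and the connection is accepted;</li>
 *   <li>{@code FAIL} - a mismatch rejects the connection.</li>
 * </ul>
 *
 * <p>Security note: {@code NONE} and {@code WARN} both let the connection proceed to a
 * server whose certificate does not match the requested host name, so in those modes
 * this verifier does not protect against a man-in-the-middle presenting some other
 * trusted certificate. Only {@code FAIL} enforces the binding between host name and
 * certificate.
 */
public class CanlHostnameVerifierJDK implements HostnameVerifier {
    private static final Logger log = Log.getLogger("unicore.security", CanlHostnameVerifierJDK.class);

    /** Policy applied on a host name mismatch; never reassigned after construction. */
    private final ServerHostnameCheckingMode mode;

    /**
     * @param serverHostnameCheckingMode policy to apply; a {@code null} value is treated
     *        like {@code FAIL} when a mismatch is found, so a missing setting cannot
     *        silently relax verification
     */
    public CanlHostnameVerifierJDK(ServerHostnameCheckingMode serverHostnameCheckingMode) {
        this.mode = serverHostnameCheckingMode;
    }

    /**
     * Decides whether the connection to {@code str} may proceed.
     *
     * @param str host name the client is connecting to
     * @param sSLSession session whose first peer certificate is checked
     * @return {@code true} if the mode is {@code NONE}, if the certificate matches the
     *         host name, or if it does not match and the mode is {@code WARN};
     *         {@code false} otherwise, including when the peer is unverified or the
     *         matching code throws
     * @throws IllegalStateException if the session reports a null or empty certificate chain
     * @throws ClassCastException if the first peer certificate is not an X.509 certificate
     */
    @Override
    public boolean verify(String str, SSLSession sSLSession) {
        if (this.mode == ServerHostnameCheckingMode.NONE) {
            return true;
        }

        final Certificate[] chain;
        try {
            chain = sSLSession.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // Fail closed, but leave a trace: a silent rejection is very hard to diagnose.
            log.warn("Rejecting connection to '" + str + "': the peer has not been verified", e);
            return false;
        }

        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("JDK BUG? Got null or empty peer certificate array");
        }
        if (!(chain[0] instanceof X509Certificate)) {
            throw new ClassCastException("Peer certificate should be an X.509 certificate, but is " + chain[0].getClass().getName());
        }
        X509Certificate peerCertificate = (X509Certificate) chain[0];

        try {
            if (new HostnameToCertificateChecker().checkMatching(str, peerCertificate)) {
                return true;
            }
            return handleMismatch(str, peerCertificate);
        } catch (Exception e) {
            // Any failure while matching is treated as a mismatch (fail closed); the cause
            // is logged so a broken certificate can be told apart from a plain mismatch.
            log.warn("Rejecting connection to '" + str + "': hostname verification failed with an error", e);
            return false;
        }
    }

    /**
     * Applies the configured policy after the certificate was found not to match.
     *
     * @param hostname host name the client asked for
     * @param peerCertificate certificate presented by the server
     * @return {@code true} only when the mode is {@code WARN}
     */
    private boolean handleMismatch(String hostname, X509Certificate peerCertificate) {
        // Accept only on an explicit WARN. Testing "!= FAIL" instead would also accept a
        // mismatch when the mode is null, i.e. fail open on a missing configuration value.
        if (this.mode != ServerHostnameCheckingMode.WARN) {
            return false;
        }
        log.warn("The server hostname is not matching its certificate subject. This might mean that somebody is trying to perform a man-in-the-middle attack by pretending to be the server you are trying to connect to. However it is also possible that the server uses a certificate which was not associated with its address. The server DNS name is: '" + hostname + "' and its certificate subject is: '" + X500NameUtils.getReadableForm(peerCertificate.getSubjectX500Principal()) + "'.");
        return true;
    }
}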
