package com.unboundid.util.ssl;

import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.util.Debug;
import com.unboundid.util.NotMutable;
import com.unboundid.util.ObjectPair;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;
import com.unboundid.util.ssl.cert.AuthorityKeyIdentifierExtension;
import com.unboundid.util.ssl.cert.SubjectKeyIdentifierExtension;
import com.unboundid.util.ssl.cert.X509CertificateExtension;
import java.io.File;
import java.io.FileInputStream;
import java.io.Serializable;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.X509TrustManager;

@ThreadSafety(level = ThreadSafetyLevel.COMPLETELY_THREADSAFE)
@NotMutable
/* loaded from: input_file:WEB-INF/lib/unboundid-ldapsdk-4.0.14.jar:com/unboundid/util/ssl/JVMDefaultTrustManager.class */
public final class JVMDefaultTrustManager implements X509TrustManager, Serializable {
    // Name of the system property that getInstance() passes to the constructor to locate the JVM installation.
    private static final String PROPERTY_JAVA_HOME = "java.home";
    private static final long serialVersionUID = -8587938729712485943L;
    // Non-null when the trust store could not be located or read. getKeyStore(), getCACertsFile(),
    // getTrustedIssuerCertificates() and checkTrusted() rethrow it, so a failed initialization rejects every chain
    // (fail closed) rather than trusting nothing-or-everything by accident.
    private final CertificateException certificateException;
    // The trust store file that was actually loaded; null when initialization failed before a file was chosen.
    private final File caCertsFile;
    // NOTE(review): java.security.KeyStore does not implement Serializable although this class does, so default
    // serialization of a successfully initialized instance presumably fails - confirm before relying on it.
    private final KeyStore keystore;
    // Trusted certificates indexed by their raw signature bytes (see the constructor). The key is the signature
    // value only, so a lookup hit does not by itself prove that two certificates are identical.
    private final Map<ASN1OctetString, X509Certificate> trustedCertsBySignature;
    // Trusted certificates indexed by the value of their subject key identifier extension; used by
    // checkIncompleteChain() to find an issuer that the peer did not send.
    private final Map<ASN1OctetString, com.unboundid.util.ssl.cert.X509Certificate> trustedCertsByKeyID;
    // Lazily populated singleton returned by getInstance().
    private static final AtomicReference<JVMDefaultTrustManager> INSTANCE = new AtomicReference<>();
    // File name suffixes tried after the bare "cacerts" name.
    // NOTE(review): the array is package-visible and arrays are mutable, so same-package code could change the
    // set of file names that are accepted as a trust store.
    static final String[] FILE_EXTENSIONS = {".jks", ".p12", ".pkcs12", ".pfx"};
    // Shared empty result for getAcceptedIssuers() when initialization failed.
    private static final X509Certificate[] NO_CERTIFICATES = new X509Certificate[0];

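    /**
     * Builds a trust manager from the trust store found under the directory named by a system property.
     *
     * <p>The constructor never throws a {@link CertificateException}. Any failure to locate or read the trust
     * store is remembered in {@code certificateException} and rethrown later by the accessors and by
     * {@code checkTrusted}, so an instance that failed to initialize rejects every chain.
     *
     * <p>The decompiled form assigned the blank final fields in both a {@code try} block and its {@code catch}
     * block, which javac rejects, and used raw map types. State is now collected in locals and every final field
     * is assigned exactly once at the end.
     *
     * @param str name of the system property whose value is the JVM installation directory
     */
    JVMDefaultTrustManager(String str) {
        CertificateException failure = null;
        File storeFile = null;
        KeyStore store = null;
        Map<ASN1OctetString, X509Certificate> bySignature = Collections.emptyMap();
        Map<ASN1OctetString, com.unboundid.util.ssl.cert.X509Certificate> byKeyID = Collections.emptyMap();

        String javaHome = StaticUtils.getSystemProperty(str);
        if (javaHome == null) {
            failure = new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_NO_JAVA_HOME.get(str));
        } else {
            File javaHomeDir = new File(javaHome);
            if (!javaHomeDir.exists() || !javaHomeDir.isDirectory()) {
                failure = new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_INVALID_JAVA_HOME.get(str, javaHome));
            } else {
                try {
                    ObjectPair<KeyStore, File> located = getJVMDefaultKeyStore(javaHomeDir);
                    store = located.getFirst();
                    storeFile = located.getSecond();
                } catch (CertificateException e) {
                    Debug.debugException(e);
                    failure = e;
                }
            }
        }

        if (failure == null) {
            Map<ASN1OctetString, X509Certificate> signatureIndex = new LinkedHashMap<>(StaticUtils.computeMapCapacity(50));
            Map<ASN1OctetString, com.unboundid.util.ssl.cert.X509Certificate> keyIdIndex = new LinkedHashMap<>(StaticUtils.computeMapCapacity(50));
            try {
                Enumeration<String> aliases = store.aliases();
                while (aliases.hasMoreElements()) {
                    try {
                        X509Certificate trusted = (X509Certificate) store.getCertificate(aliases.nextElement());
                        if (trusted != null) {
                            signatureIndex.put(new ASN1OctetString(trusted.getSignature()), trusted);
                            try {
                                // Re-parse with the SDK's own certificate type to read the subject key identifier.
                                com.unboundid.util.ssl.cert.X509Certificate parsed = new com.unboundid.util.ssl.cert.X509Certificate(trusted.getEncoded());
                                for (X509CertificateExtension extension : parsed.getExtensions()) {
                                    if (extension instanceof SubjectKeyIdentifierExtension) {
                                        keyIdIndex.put(new ASN1OctetString(((SubjectKeyIdentifierExtension) extension).getKeyIdentifier().getValue()), parsed);
                                    }
                                }
                            } catch (Exception e) {
                                // The entry stays in the signature index; it is only missing from the key ID index.
                                Debug.debugException(e);
                            }
                        }
                    } catch (Exception e) {
                        // A single unreadable or non-X.509 entry is skipped; the remaining entries are still loaded.
                        Debug.debugException(e);
                    }
                }
                bySignature = Collections.unmodifiableMap(signatureIndex);
                byKeyID = Collections.unmodifiableMap(keyIdIndex);
            } catch (Exception e) {
                // Enumerating the store failed as a whole: keep the store and file references, but trust nothing.
                Debug.debugException(e);
                failure = new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_ERROR_ITERATING_THROUGH_CACERTS.get(storeFile.getAbsolutePath(), StaticUtils.getExceptionMessage(e)), e);
            }
        }

        this.certificateException = failure;
        this.caCertsFile = storeFile;
        this.keystore = store;
        this.trustedCertsBySignature = bySignature;
        this.trustedCertsByKeyID = byKeyID;
    }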

    /**
     * Returns the shared instance, creating it from the {@code java.home} system property on first use.
     *
     * <p>Two threads may both construct an instance when they race on the first call; the compare-and-set keeps
     * exactly one and every caller receives that one.
     *
     * @return the singleton trust manager
     */
    public static JVMDefaultTrustManager getInstance() {
        JVMDefaultTrustManager current = INSTANCE.get();
        if (current == null) {
            JVMDefaultTrustManager candidate = new JVMDefaultTrustManager(PROPERTY_JAVA_HOME);
            if (INSTANCE.compareAndSet(null, candidate)) {
                current = candidate;
            } else {
                // Another thread published its instance first; use that one and drop ours.
                current = INSTANCE.get();
            }
        }
        return current;
    }

    /**
     * Returns the key store that backs this trust manager.
     *
     * @return the loaded trust store
     * @throws CertificateException the failure recorded by the constructor, if initialization did not succeed
     */
    KeyStore getKeyStore() throws CertificateException {
        final CertificateException initFailure = this.certificateException;
        if (initFailure == null) {
            return this.keystore;
        }
        throw initFailure;
    }

    /**
     * Returns the file the trust store was loaded from.
     *
     * @return the trust store file that was selected during construction
     * @throws CertificateException the failure recorded by the constructor, if initialization did not succeed
     */
    public File getCACertsFile() throws CertificateException {
        final CertificateException initFailure = this.certificateException;
        if (initFailure == null) {
            return this.caCertsFile;
        }
        throw initFailure;
    }

    /**
     * Returns the certificates read from the trust store.
     *
     * @return the values of the signature-indexed map, which the constructor wraps as unmodifiable
     * @throws CertificateException the failure recorded by the constructor, if initialization did not succeed
     */
    public Collection<X509Certificate> getTrustedIssuerCertificates() throws CertificateException {
        final CertificateException initFailure = this.certificateException;
        if (initFailure == null) {
            return this.trustedCertsBySignature.values();
        }
        throw initFailure;
    }

    /**
     * Validates a chain presented by a TLS client.
     *
     * <p>The authentication type is ignored; client and server chains go through the same {@code checkTrusted}
     * policy. Only the chain is examined here, so any binding between the certificate and the peer's identity
     * has to be enforced by the caller.
     *
     * @param x509CertificateArr chain presented by the peer
     * @param str authentication type (unused)
     * @throws CertificateException if the chain is rejected
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.checkTrusted(x509CertificateArr);
    }

    /**
     * Validates a chain presented by a TLS server.
     *
     * <p>The authentication type is ignored. This method looks only at the chain; it does not compare the
     * certificate with the host name the client connected to, so host name verification must be performed
     * separately by the code that opens the connection.
     *
     * @param x509CertificateArr chain presented by the peer
     * @param str authentication type (unused)
     * @throws CertificateException if the chain is rejected
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.checkTrusted(x509CertificateArr);
    }

    /**
     * Returns the trusted certificates as an array.
     *
     * @return a new array holding every certificate in the signature index, or the shared empty array when
     *         initialization failed (this method cannot throw, so the failure is reported as "no issuers")
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (this.certificateException == null) {
            Collection<X509Certificate> issuers = this.trustedCertsBySignature.values();
            return issuers.toArray(new X509Certificate[this.trustedCertsBySignature.size()]);
        }
        return NO_CERTIFICATES;
    }

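    /**
     * Locates and loads the JVM's default trust store below the given installation directory.
     *
     * <p>The well-known locations {@code lib/security/cacerts} and {@code jre/lib/security/cacerts} are tried
     * first, bare and then with each suffix in {@code FILE_EXTENSIONS}. A load error on one of these candidates
     * propagates immediately. If none of them exists, the whole directory tree is searched by file name.
     *
     * <p>Raw collection types and the casts they required have been replaced with generics, and the message
     * builder no longer indexes into an empty buffer.
     *
     * <p>NOTE(review): the fallback search accepts the first file with a matching name anywhere under the
     * directory, so the set of trusted issuers depends on who can write below that directory.
     *
     * @param file the JVM installation directory
     * @return the loaded key store paired with the file it came from
     * @throws CertificateException if a candidate could not be loaded or no trust store was found
     */
    private static ObjectPair<KeyStore, File> getJVMDefaultKeyStore(File file) throws CertificateException {
        File libCacerts = StaticUtils.constructPath(file, "lib", "security", "cacerts");
        File jreLibCacerts = StaticUtils.constructPath(file, "jre", "lib", "security", "cacerts");
        Collection<File> candidates = new ArrayList<>((2 * FILE_EXTENSIONS.length) + 2);
        candidates.add(libCacerts);
        candidates.add(jreLibCacerts);
        for (String extension : FILE_EXTENSIONS) {
            candidates.add(new File(libCacerts.getAbsolutePath() + extension));
            candidates.add(new File(jreLibCacerts.getAbsolutePath() + extension));
        }
        for (File candidate : candidates) {
            // loadKeyStore returns null for a path that does not exist, which simply moves on to the next one.
            KeyStore loaded = loadKeyStore(candidate);
            if (loaded != null) {
                return new ObjectPair<>(loaded, candidate);
            }
        }

        Map<File, CertificateException> loadErrors = new LinkedHashMap<>(StaticUtils.computeMapCapacity(1));
        ObjectPair<KeyStore, File> found = searchForKeyStore(file, loadErrors);
        if (found != null) {
            return found;
        }
        if (loadErrors.isEmpty()) {
            throw new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_CACERTS_NOT_FOUND_NO_EXCEPTION.get());
        }

        // Report every file that looked like a trust store but failed to load.
        StringBuilder message = new StringBuilder();
        message.append(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_CACERTS_NOT_FOUND_WITH_EXCEPTION.get());
        for (Map.Entry<File, CertificateException> entry : loadErrors.entrySet()) {
            if (message.length() > 0 && message.charAt(message.length() - 1) != '.') {
                message.append('.');
            }
            message.append("  ");
            message.append(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_LOAD_ERROR.get(entry.getKey().getAbsolutePath(), StaticUtils.getExceptionMessage(entry.getValue())));
        }
        throw new CertificateException(message.toString());
    }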

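    /**
     * Recursively searches a directory tree for a file named {@code cacerts}, optionally followed by one of the
     * suffixes in {@code FILE_EXTENSIONS}, and returns the first one that loads as a key store.
     *
     * <p>Reconstructed from the decompiler's instruction dump; the decompiled body only threw
     * {@link UnsupportedOperationException}. File names are compared after lower-casing. A file whose name
     * matches but which fails to load is recorded in the supplied map and the search continues with the next
     * directory entry.
     *
     * <p>One deliberate difference from the dump: a {@code null} result from {@code listFiles()} (which it
     * returns for an unreadable directory or an I/O error) is treated as "nothing found here" instead of
     * causing a {@link NullPointerException}.
     *
     * @param directory the directory to search
     * @param exceptions receives the load failure for each matching file that could not be read
     * @return the loaded key store paired with its file, or {@code null} if no match loaded successfully
     */
    private static ObjectPair<KeyStore, File> searchForKeyStore(File directory, Map<File, CertificateException> exceptions) {
        File[] entries = directory.listFiles();
        if (entries == null) {
            return null;
        }
        for (File entry : entries) {
            if (entry.isDirectory()) {
                ObjectPair<KeyStore, File> nested = searchForKeyStore(entry, exceptions);
                if (nested != null) {
                    return nested;
                }
                continue;
            }

            String lowerName = StaticUtils.toLowerCase(entry.getName());
            if (lowerName.equals("cacerts")) {
                try {
                    return new ObjectPair<>(loadKeyStore(entry), entry);
                } catch (CertificateException e) {
                    Debug.debugException(e);
                    exceptions.put(entry, e);
                }
                continue;
            }

            for (String extension : FILE_EXTENSIONS) {
                if (lowerName.equals("cacerts" + extension)) {
                    try {
                        return new ObjectPair<>(loadKeyStore(entry), entry);
                    } catch (CertificateException e) {
                        Debug.debugException(e);
                        exceptions.put(entry, e);
                        // The dump jumps straight to the next directory entry after a failed load.
                        break;
                    }
                }
            }
        }
        return null;
    }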

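    /**
     * Loads the given file as a key store, trying the JKS format and then PKCS12.
     *
     * <p>The decompiled body was a mangled try-with-resources (an unreachable {@code break} after a
     * {@code throw}, a dead {@code if (0 != 0)} branch and an {@code addSuppressed} call on a null reference);
     * it is restored to the try-with-resources form here.
     *
     * <p>The store is loaded with a {@code null} password. {@link KeyStore#load} performs no integrity check in
     * that case, so the contents of the file are accepted as they are and protection of the trust store rests
     * on file-system permissions alone.
     *
     * @param file the candidate trust store file
     * @return the loaded key store, or {@code null} if the path does not exist or is not a regular file
     * @throws CertificateException the first load failure if any load was attempted, otherwise the first
     *         failure to instantiate a key store type
     */
    private static KeyStore loadKeyStore(File file) throws CertificateException {
        if (!file.exists() || !file.isFile()) {
            return null;
        }
        CertificateException instantiateFailure = null;
        CertificateException loadFailure = null;
        for (String keyStoreType : new String[]{"JKS", "PKCS12"}) {
            final KeyStore keyStore;
            try {
                keyStore = KeyStore.getInstance(keyStoreType);
            } catch (Exception e) {
                Debug.debugException(e);
                if (instantiateFailure == null) {
                    instantiateFailure = new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_CANNOT_INSTANTIATE_KEYSTORE.get(keyStoreType, StaticUtils.getExceptionMessage(e)), e);
                }
                continue;
            }

            try (FileInputStream input = new FileInputStream(file)) {
                keyStore.load(input, null);
                return keyStore;
            } catch (Exception e) {
                // Wrong format for this type (or an I/O error); remember the first such failure and try the next type.
                Debug.debugException(e);
                if (loadFailure == null) {
                    loadFailure = new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_CANNOT_ERROR_LOADING_KEYSTORE.get(file.getAbsolutePath(), StaticUtils.getExceptionMessage(e)), e);
                }
            }
        }
        // A load failure says more about the file than a missing key store type does, so it takes precedence.
        if (loadFailure != null) {
            throw loadFailure;
        }
        throw instantiateFailure;
    }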

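    /**
     * Decides whether a peer-supplied certificate chain is trusted.
     *
     * <p>Every certificate must be inside its validity window. The chain is then accepted when it contains a
     * certificate from the trust store, or when its last certificate was issued by one
     * ({@code checkIncompleteChain}).
     *
     * <p>Hardening over the decompiled original, which accepted a chain as soon as any element had the same
     * signature bytes as a trusted certificate and never checked how the elements relate to each other:
     * <ul>
     *   <li>a signature-index hit counts only if the presented certificate is equal to the trusted one, since
     *       equal signature bytes do not establish that the rest of the certificate is the same;</li>
     *   <li>each certificate below the trust anchor must carry a valid signature from the next one in the
     *       chain, and each intermediate issuer must be marked as a CA.</li>
     * </ul>
     * Without these checks, a chain would be trusted merely for containing a copy of a public root certificate.
     *
     * <p>NOTE(review): this is still not full RFC 5280 path validation (no revocation, key usage, path length
     * or name constraint processing). Delegating to the JVM's PKIX trust manager is the more complete option.
     *
     * @param x509CertificateArr chain presented by the peer, leaf first
     * @throws CertificateException if initialization failed, the chain is empty, a certificate is outside its
     *         validity window, the chain is not correctly linked, or no trusted issuer is found
     */
    void checkTrusted(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (this.certificateException != null) {
            throw this.certificateException;
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_NO_CERTS_IN_CHAIN.get());
        }

        int anchorIndex = -1;
        Date now = new Date();
        for (int i = 0; i < x509CertificateArr.length; i++) {
            X509Certificate presented = x509CertificateArr[i];
            Date notBefore = presented.getNotBefore();
            if (now.before(notBefore)) {
                throw new CertificateNotYetValidException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_CERT_NOT_YET_VALID.get(chainToString(x509CertificateArr), String.valueOf(presented.getSubjectDN()), String.valueOf(notBefore)));
            }
            Date notAfter = presented.getNotAfter();
            if (now.after(notAfter)) {
                throw new CertificateExpiredException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANAGER_CERT_EXPIRED.get(chainToString(x509CertificateArr), String.valueOf(presented.getSubjectDN()), String.valueOf(notAfter)));
            }
            if (anchorIndex < 0) {
                X509Certificate trusted = this.trustedCertsBySignature.get(new ASN1OctetString(presented.getSignature()));
                // Certificate.equals compares the full encoding, not just the signature value used as map key.
                if (trusted != null && trusted.equals(presented)) {
                    anchorIndex = i;
                }
            }
        }

        verifyChainLinks(x509CertificateArr, anchorIndex);

        if (anchorIndex < 0 && !checkIncompleteChain(x509CertificateArr)) {
            throw new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANGER_NO_TRUSTED_ISSUER_FOUND.get(chainToString(x509CertificateArr)));
        }
    }

    /**
     * Verifies that each certificate below the trust anchor is signed by the certificate that follows it.
     *
     * @param chain chain presented by the peer, leaf first
     * @param anchorIndex index of the element found in the trust store, or a negative value if none was found,
     *        in which case the whole chain is verified and every issuer in it is treated as an intermediate
     * @throws CertificateException if an intermediate issuer is not a CA or a signature does not verify
     */
    private static void verifyChainLinks(X509Certificate[] chain, int anchorIndex) throws CertificateException {
        int lastIssuerIndex = anchorIndex >= 0 ? anchorIndex : chain.length - 1;
        for (int i = 0; i < lastIssuerIndex; i++) {
            X509Certificate issuer = chain[i + 1];
            // The anchor is trusted by configuration and may be an old root without a basic constraints
            // extension; every other issuer must declare itself a CA.
            boolean isIntermediate = (i + 1) != anchorIndex;
            if (isIntermediate && issuer.getBasicConstraints() < 0) {
                throw new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANGER_NO_TRUSTED_ISSUER_FOUND.get(chainToString(chain)));
            }
            try {
                chain[i].verify(issuer.getPublicKey());
            } catch (Exception e) {
                Debug.debugException(e);
                throw new CertificateException(SSLMessages.ERR_JVM_DEFAULT_TRUST_MANGER_NO_TRUSTED_ISSUER_FOUND.get(chainToString(chain)), e);
            }
        }
    }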

    /**
     * Handles a chain whose issuer was not sent by the peer: looks up the issuer of the last presented
     * certificate in the trust store by authority key identifier and checks that certificate's signature
     * against it.
     *
     * <p>Only the last element of the chain is examined here. A self-signed last certificate is rejected,
     * because it names no further issuer to look up. Any exception while parsing or verifying is logged and
     * treated as "not trusted".
     *
     * @param x509CertificateArr non-empty chain presented by the peer
     * @return {@code true} if a trusted, currently valid issuer was found and the signature check completed
     */
    private boolean checkIncompleteChain(X509Certificate[] x509CertificateArr) {
        try {
            X509Certificate lastPresented = x509CertificateArr[x509CertificateArr.length - 1];
            com.unboundid.util.ssl.cert.X509Certificate parsedLast = new com.unboundid.util.ssl.cert.X509Certificate(lastPresented.getEncoded());
            if (!parsedLast.isSelfSigned()) {
                for (X509CertificateExtension extension : parsedLast.getExtensions()) {
                    if (!(extension instanceof AuthorityKeyIdentifierExtension)) {
                        continue;
                    }
                    ASN1OctetString issuerKeyId = new ASN1OctetString(((AuthorityKeyIdentifierExtension) extension).getKeyIdentifier().getValue());
                    com.unboundid.util.ssl.cert.X509Certificate issuer = this.trustedCertsByKeyID.get(issuerKeyId);
                    if (issuer == null || !issuer.isWithinValidityWindow()) {
                        continue;
                    }
                    // NOTE(review): the result relies on verifySignature throwing when the signature does not
                    // match (the exception is turned into false below) - confirm against its contract, because
                    // a status-returning implementation would make this return unconditional.
                    parsedLast.verifySignature(issuer);
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            Debug.debugException(e);
            return false;
        }
    }

    /**
     * Formats the subject DNs of a chain for use in error messages.
     *
     * <p>Each DN is wrapped in single quotes. Two entries are joined with {@code " and "}; three or more are
     * comma-separated with {@code "and "} before the last one. An empty chain yields an empty string.
     *
     * @param x509CertificateArr the chain to describe
     * @return the quoted, human-readable list of subject DNs
     */
    static String chainToString(X509Certificate[] x509CertificateArr) {
        final int count = x509CertificateArr.length;
        StringBuilder text = new StringBuilder();
        for (int index = 0; index < count; index++) {
            if (index > 0) {
                if (count == 2) {
                    text.append(" and ");
                } else {
                    text.append(", ");
                    if (index == count - 1) {
                        text.append("and ");
                    }
                }
            }
            text.append('\'').append(x509CertificateArr[index].getSubjectDN()).append('\'');
        }
        return text.toString();
    }
}
