package org.apache.servicecomb.foundation.ssl;

import java.io.File;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.Socket;
import java.net.SocketException;
import java.security.cert.CRL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedTrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/foundation-ssl-2.7.9.jar:org/apache/servicecomb/foundation/ssl/TrustManagerExt.class */
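/**
 * Trust manager that runs three custom peer-certificate checks (CN against host, CN whitelist,
 * CRL) and then delegates chain validation to a wrapped {@link X509ExtendedTrustManager}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When {@code option.isAuthPeer()} is {@code false}, every {@code check*Trusted} method
 *       returns without inspecting the chain, so any peer certificate is accepted.</li>
 *   <li>The custom checks run <em>before</em> the delegate validates the chain. They therefore
 *       read (and, on failure, log) fields of a certificate that has not yet been verified.</li>
 *   <li>The CN check compares by exact string equality against the values returned by
 *       {@code CertificateUtil.getCN}; whether SAN entries are included cannot be told from
 *       this class.</li>
 *   <li>The CRL check is skipped entirely when the configured CRL file does not exist.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. {@code checkCNWhite} was not recovered and is a stub that
 * throws {@link UnsupportedOperationException}, so the listing documents the class but is not a
 * drop-in replacement for the original bytecode.
 */
public class TrustManagerExt extends X509ExtendedTrustManager {
    private static final Logger LOG = LoggerFactory.getLogger(TrustManagerExt.class);

    // Not referenced by any recovered method; presumably a bound used by the undecompiled
    // checkCNWhite. TODO confirm against the original class file.
    private static final int WHITE_SIZE = 1024;

    /** Delegate that performs the standard chain validation. */
    private final X509ExtendedTrustManager trustManager;

    /** Switches read here: isAuthPeer(), isCheckCNHost(), getCrl(). */
    private final SSLOption option;

    /** Supplies the fallback host (getHost()) and resolves the CRL path (getFullPath()). */
    private final SSLCustom custom;

    /**
     * @param trustManager delegate used for standard chain validation
     * @param option       SSL switches that enable or disable the individual checks
     * @param custom       deployment-specific host and path resolution
     */
    public TrustManagerExt(X509ExtendedTrustManager trustManager, SSLOption option, SSLCustom custom) {
        this.trustManager = trustManager;
        this.option = option;
        this.custom = custom;
    }

    /**
     * Validates a client chain when no socket or engine is available.
     *
     * <p>No peer address is known on this path, so the CN check falls back to
     * {@code custom.getHost()}.
     *
     * @throws CertificateException if a custom check or the delegate rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (!this.option.isAuthPeer()) {
            // Peer authentication is switched off: the chain is accepted without any check.
            return;
        }
        checkTrustedCustom(chain, null);
        this.trustManager.checkClientTrusted(chain, authType);
    }

    /**
     * Validates a server chain when no socket or engine is available.
     *
     * <p>No peer address is known on this path, so the CN check falls back to
     * {@code custom.getHost()}.
     *
     * @throws CertificateException if a custom check or the delegate rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (!this.option.isAuthPeer()) {
            // Peer authentication is switched off: the chain is accepted without any check.
            return;
        }
        checkTrustedCustom(chain, null);
        this.trustManager.checkServerTrusted(chain, authType);
    }

    /** Returns the delegate's accepted issuers unchanged. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustManager.getAcceptedIssuers();
    }

    /**
     * Validates a client chain for a socket-based connection, using the socket's remote address
     * for the CN check.
     *
     * @throws CertificateException if a custom check or the delegate rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        if (!this.option.isAuthPeer()) {
            return;
        }
        checkTrustedCustom(chain, peerAddress(socket));
        this.trustManager.checkClientTrusted(chain, authType, socket);
    }

    /**
     * Validates a client chain for an engine-based connection, using the handshake session's
     * peer host for the CN check.
     *
     * @throws CertificateException if a custom check or the delegate rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        if (!this.option.isAuthPeer()) {
            return;
        }
        checkTrustedCustom(chain, peerHost(engine));
        this.trustManager.checkClientTrusted(chain, authType, engine);
    }

    /**
     * Validates a server chain for a socket-based connection, using the socket's remote address
     * for the CN check.
     *
     * @throws CertificateException if a custom check or the delegate rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        if (!this.option.isAuthPeer()) {
            return;
        }
        checkTrustedCustom(chain, peerAddress(socket));
        this.trustManager.checkServerTrusted(chain, authType, socket);
    }

    /**
     * Validates a server chain for an engine-based connection, using the handshake session's
     * peer host for the CN check.
     *
     * @throws CertificateException if a custom check or the delegate rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        if (!this.option.isAuthPeer()) {
            return;
        }
        checkTrustedCustom(chain, peerHost(engine));
        this.trustManager.checkServerTrusted(chain, authType, engine);
    }

    /**
     * Returns the textual remote address of a connected {@link SSLSocket}, or {@code null} when
     * the socket is absent, not connected, not an SSL socket, or has no remote address.
     */
    private static String peerAddress(Socket socket) {
        if (socket == null || !socket.isConnected() || !(socket instanceof SSLSocket)) {
            return null;
        }
        InetAddress remote = socket.getInetAddress();
        return remote == null ? null : remote.getHostAddress();
    }

    /**
     * Returns the peer host recorded in the engine's handshake session, or {@code null} when no
     * engine was supplied.
     *
     * <p>{@code SSLSession.getPeerHost()} is documented by the JDK as an unauthenticated hint; it
     * may be a host name rather than an address, in which case an IP-valued CN will not match.
     */
    private static String peerHost(SSLEngine engine) {
        if (engine == null) {
            return null;
        }
        return engine.getHandshakeSession().getPeerHost();
    }

    /**
     * Runs the custom checks in order: CN against host, CN whitelist, CRL.
     *
     * @param chain peer certificate chain, not yet validated by the delegate
     * @param ip    peer address or host, or {@code null} to use the configured host
     */
    private void checkTrustedCustom(X509Certificate[] chain, String ip) throws CertificateException {
        // NOTE(review): these checks run on an unvalidated chain; running the delegate first would
        // keep unauthenticated peers from triggering the interface enumeration, CRL file read and
        // error logging below. The order is left as the original has it.
        checkCNHost(chain, ip);
        checkCNWhite(chain);
        checkCRL(chain);
    }

    /**
     * Requires one of the owner certificate's CN values to equal the peer host, when
     * {@code option.isCheckCNHost()} is enabled.
     *
     * <p>If the host to compare is the literal {@code 127.0.0.1}, a CN equal to the textual
     * address of <em>any</em> local network interface is accepted instead. Other loopback
     * spellings (for example IPv6) do not take this path.
     *
     * @param chain peer certificate chain
     * @param ip    peer address or host; {@code null} selects {@code custom.getHost()}
     * @throws CertificateException if no CN matches, or local interfaces cannot be enumerated
     */
    private void checkCNHost(X509Certificate[] chain, String ip) throws CertificateException {
        if (!this.option.isCheckCNHost()) {
            return;
        }
        Set<String> cns = CertificateUtil.getCN(CertificateUtil.findOwner(chain));
        String host = ip == null ? this.custom.getHost() : ip;

        boolean matched;
        if ("127.0.0.1".equals(host)) {
            matched = matchesLocalAddress(cns);
        } else {
            matched = cnValid(cns, host);
        }
        if (matched) {
            return;
        }

        // Report the host that was actually compared (the configured host when ip was null),
        // not the raw argument. The CN values come from the peer's certificate and are
        // attacker-controlled text: the log sink should neutralise control characters.
        String message = "CN does not match IP: e=" + cns + ",t=" + host;
        LOG.error(message);
        throw new CertificateException(message);
    }

    /**
     * Returns whether any CN equals the textual address of any local network interface.
     *
     * @throws CertificateException if the interfaces cannot be enumerated; the underlying
     *                              {@link SocketException} is kept as the cause
     */
    private boolean matchesLocalAddress(Set<String> cns) throws CertificateException {
        try {
            Enumeration<NetworkInterface> interfaces = NetworkInterface.getNetworkInterfaces();
            if (interfaces == null) {
                return false;
            }
            while (interfaces.hasMoreElements()) {
                Enumeration<InetAddress> addresses = interfaces.nextElement().getInetAddresses();
                while (addresses.hasMoreElements()) {
                    if (cnValid(cns, addresses.nextElement().getHostAddress())) {
                        return true;
                    }
                }
            }
            return false;
        } catch (SocketException e) {
            // Keep the cause so the failure can be diagnosed from the handshake error.
            throw new CertificateException("Get local adrress fail.", e);
        }
    }

    /**
     * Returns whether {@code candidate} equals one of the CN values.
     *
     * <p>The comparison is exact and case-sensitive: no wildcard or DNS-name normalisation.
     */
    private boolean cnValid(Set<String> cns, String candidate) {
        for (String cn : cns) {
            if (cn.equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * CN whitelist check. NOT RECOVERED by the decompiler.
     *
     * <p>JADX reported: "Code decompiled incorrectly" (removed duplicated region for block
     * B:60:0x0104, method dump skipped, instruction count 296). The original logic must be read
     * from the bytecode; nothing about it can be stated from this listing. As listed, every call
     * that reaches this method throws {@link UnsupportedOperationException}.
     */
    private void checkCNWhite(X509Certificate[] chain) throws CertificateException {
        throw new UnsupportedOperationException("Method not decompiled: org.apache.servicecomb.foundation.ssl.TrustManagerExt.checkCNWhite(java.security.cert.X509Certificate[]):void");
    }

    /**
     * Rejects the chain if the owner certificate is revoked by any CRL loaded from the
     * configured CRL file.
     *
     * <p>Fails open: when the file resolved from {@code option.getCrl()} does not exist, no
     * revocation check is performed and nothing is logged. Only the certificate returned by
     * {@code CertificateUtil.findOwner} is tested; other certificates in the chain are not.
     *
     * @throws CertificateException if the owner certificate is revoked
     */
    private void checkCRL(X509Certificate[] chain) throws CertificateException {
        String crlPath = this.custom.getFullPath(this.option.getCrl());
        if (!new File(crlPath).exists()) {
            // NOTE(review): a missing or removed CRL file silently disables revocation checking.
            return;
        }
        // The CRL file is re-read on every call, i.e. once per handshake check.
        CRL[] crls = KeyStoreUtil.createCRL(crlPath);
        X509Certificate owner = CertificateUtil.findOwner(chain);
        for (CRL crl : crls) {
            if (crl.isRevoked(owner)) {
                LOG.error("certificate revoked");
                throw new CertificateException("certificate revoked");
            }
        }
    }

    // Empty no-op with no caller among the recovered methods; kept because the undecompiled
    // checkCNWhite may reference it. TODO confirm against the original class file.
    private static void ignore() {
    }
}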
