package weblogic.security.SSL.jsseadapter;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Level;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import weblogic.kernel.Kernel;
import weblogic.security.SSL.jsseadapter.JaLogger;
import weblogic.security.pki.revocation.common.RevocationCertPathChecker;
import weblogic.security.pki.revocation.wls.WlsCertRevocContext;

/* loaded from: input_file:weblogic/security/SSL/jsseadapter/JaTrustManager.class */
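/**
 * {@link X509TrustManager} that wraps the JDK PKIX trust manager for a fixed set of trusted CA
 * certificates and layers two WebLogic-specific policy checks on top of it: rejection of
 * version 1 CA certificates and strict (critical) Basic Constraints on version 3 CA
 * certificates. Both policies are switched on and off by {@code JaSSLSupport} flags.
 * <p>
 * Validation order for a peer chain: the delegate trust manager runs first and only a chain it
 * accepts reaches {@link #checkCertPath}, which rebuilds the PKIX path from the presented
 * certificates against this instance's anchors and applies the extra checks. Host name
 * verification is not performed by this class.
 * <p>
 * The CA array is copied on the way in ({@link #copyCerts}) and on the way out
 * ({@link #getAcceptedIssuers}), so callers cannot mutate the trusted set after construction.
 */
class JaTrustManager implements X509TrustManager {
    /** Private copy of the configured trusted CA certificates; may contain nulls from the caller. */
    private final X509Certificate[] trustedCAs;
    /** Read-only trust anchors built from the same certificates; null entries are dropped. */
    private final Set<TrustAnchor> trustAnchors;
    /** The JDK PKIX trust manager that performs the baseline chain validation. */
    private final X509TrustManager xTm;
    /** OID of the X.509 Basic Constraints extension (id-ce-basicConstraints). */
    private static final String ID_CE_BASIC_CONSTRAINTS = "2.5.29.19";
    /** {@link X509Certificate#getVersion()} value of an X.509 v1 certificate. */
    private static final int CERT_X509_V1 = 1;
    /** {@link X509Certificate#getVersion()} value of an X.509 v3 certificate. */
    private static final int CERT_X509_V3 = 3;

    /**
     * Builds the trust manager for the given trusted CAs.
     * <p>
     * On a server ({@code Kernel.isServer()}) the PKIX factory is initialized through
     * {@link PKIXBuilderParameters} so that WebLogic's {@code RevocationCertPathChecker} can be
     * attached; the JDK's built-in revocation checking is disabled in favor of that checker.
     * Elsewhere the CAs are loaded into an in-memory keystore and the factory is initialized from
     * it; no revocation checker is configured on that path.
     *
     * @param x509CertificateArr trusted CA certificates; {@code null}, empty, and null entries are
     *        tolerated (null entries are logged and skipped when building anchors)
     * @throws IllegalStateException if no {@link X509TrustManager} could be obtained. A factory
     *         initialization failure is logged at WARNING and then surfaces here as well, because
     *         {@link TrustManagerFactory#getTrustManagers()} throws IllegalStateException on an
     *         uninitialized factory (fail closed).
     */
    public JaTrustManager(X509Certificate[] x509CertificateArr) {
        this.trustedCAs = copyCerts(x509CertificateArr);
        this.trustAnchors = Collections.unmodifiableSet(createTrustAnchors(x509CertificateArr));
        TrustManagerFactory factory = null;
        try {
            factory = TrustManagerFactory.getInstance("PKIX");
            if (Kernel.isServer()) {
                PKIXBuilderParameters serverParams = new PKIXBuilderParameters(this.trustAnchors, new X509CertSelector());
                // JDK revocation is off because the WebLogic checker added below replaces it.
                serverParams.setRevocationEnabled(false);
                serverParams.addCertPathChecker(RevocationCertPathChecker.getInstance(new WlsCertRevocContext(toUnmodifiableSet(this.trustedCAs))));
                factory.init(new CertPathTrustManagerParameters(serverParams));
            } else {
                KeyStore anchorStore = KeyStore.getInstance(KeyStore.getDefaultType());
                anchorStore.load(null, null);
                loadCerts(anchorStore, this.trustedCAs);
                factory.init(anchorStore);
            }
        } catch (Exception e) {
            // Boundary catch: the JCA/JSSE calls above throw several checked types and the
            // revocation helper's exceptions are not visible here. The failure is recorded and
            // rejection follows below when no delegate can be obtained.
            if (JaLogger.isLoggable(Level.WARNING)) {
                JaLogger.log(Level.WARNING, JaLogger.Component.TRUSTSTORE_MANAGER, e, "Error initializing trust manager factory: {0}.", e.getMessage());
            }
        }
        X509TrustManager delegate = null;
        if (factory != null) {
            // Pick the first X509TrustManager the factory offers. If init() failed above the JDK
            // factory throws IllegalStateException from getTrustManagers(), which is the intended
            // fail-closed outcome.
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    delegate = (X509TrustManager) candidate;
                    break;
                }
            }
        }
        if (delegate == null) {
            if (JaLogger.isLoggable(Level.WARNING)) {
                JaLogger.log(Level.WARNING, JaLogger.Component.TRUSTSTORE_MANAGER, "Unable to determine TrustManager.", new Object[0]);
            }
            throw new IllegalStateException("Unable to determine TrustManager.");
        }
        this.xTm = delegate;
    }

    /**
     * Delegates client-chain validation to the PKIX trust manager and then applies the
     * WebLogic policy checks of {@link #checkCertPath}.
     *
     * @throws CertificateException if either stage rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.xTm.checkClientTrusted(x509CertificateArr, str);
        checkCertPath(x509CertificateArr);
    }

    /**
     * Delegates server-chain validation to the PKIX trust manager and then applies the
     * WebLogic policy checks of {@link #checkCertPath}.
     *
     * @throws CertificateException if either stage rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.xTm.checkServerTrusted(x509CertificateArr, str);
        checkCertPath(x509CertificateArr);
    }

    /**
     * Returns a fresh copy of the trusted CAs, or an empty array when the
     * {@code weblogic.security.SSL.sendEmptyCAList} system property is {@code true}. The property
     * is read on every call. NOTE(review): presumably the empty-list mode exists to keep the CA
     * names out of the TLS CertificateRequest sent to clients; confirm against the server-side
     * caller before relying on that.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (Boolean.getBoolean("weblogic.security.SSL.sendEmptyCAList")) {
            return new X509Certificate[0];
        }
        return copyCerts(this.trustedCAs);
    }

    /**
     * Applies the WebLogic-specific policy checks to a chain the delegate has already accepted.
     * <p>
     * The PKIX path is rebuilt from {@code x509CertificateArr} against this instance's anchors.
     * When enabled by {@code JaSSLSupport}, the path is then rejected if it contains a version 1
     * CA certificate, or a version 3 CA certificate whose Basic Constraints extension is not
     * marked critical. The end-entity certificate (element 0) is exempt from both checks.
     *
     * @param x509CertificateArr the peer's chain, end-entity first
     * @throws CertificateException if the chain is {@code null}/empty or fails a policy check
     * @throws IllegalStateException if the PKIX path cannot be built at all (see
     *         {@link #buildPKIXCertPath})
     */
    void checkCertPath(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (null == x509CertificateArr || x509CertificateArr.length == 0) {
            if (JaLogger.isLoggable(Level.FINEST)) {
                JaLogger.log(Level.FINEST, JaLogger.Component.TRUSTSTORE_MANAGER, "Empty peer certificate chain.", new Object[0]);
            }
            // Reject with the declared exception type. Previously an empty chain fell through into
            // the path builder, where the chain[0] access failed and surfaced as an
            // IllegalStateException instead of a CertificateException.
            throw new CertificateException("Empty peer certificate chain.");
        }
        PKIXCertPathBuilderResult builtPath = buildPKIXCertPath(x509CertificateArr);
        if (!hasCertPath(builtPath)) {
            // Nothing to inspect beyond what the delegate already validated.
            if (JaLogger.isLoggable(Level.FINEST)) {
                JaLogger.log(Level.FINEST, JaLogger.Component.TRUSTSTORE_MANAGER, "Additional cert path checks encountered empty cert path.", new Object[0]);
            }
            return;
        }
        if (JaSSLSupport.isNoV1CAs() && hasV1CAs(builtPath)) {
            if (JaLogger.isLoggable(Level.WARNING)) {
                JaLogger.log(Level.WARNING, JaLogger.Component.TRUSTSTORE_MANAGER, "The certificate path has a version 1 CA certificate. Version 1 CA certificates are disallowed.", new Object[0]);
            }
            throw new CertificateException("The certificate path has a version 1 CA certificate. Version 1 CA certificates are disallowed.");
        }
        if (JaSSLSupport.isX509BasicConstraintsStrict() && !isBasicConstraintsExtensionMarkedCritical(builtPath)) {
            if (JaLogger.isLoggable(Level.WARNING)) {
                JaLogger.log(Level.WARNING, JaLogger.Component.TRUSTSTORE_MANAGER, "The Basic Constraints extension of at least one of the version 3 CA certificates in the chain is not marked critical.  This is being rejected due to the strict enforcement of Basic Constraints.", new Object[0]);
            }
            throw new CertificateException("The Basic Constraints extension of at least one of the version 3 CA certificates in the chain is not marked critical.  This is being rejected due to the strict enforcement of Basic Constraints.");
        }
    }

    /**
     * Adds each non-null certificate to {@code keyStore} as a trusted-certificate entry, using the
     * certificate's {@code toString()} as the alias. Null entries are logged and skipped; a
     * {@link KeyStoreException} for one entry is logged and the remaining entries are still added.
     * <p>
     * The original decompiled form had the try/catch wrapped around the null-logging branch
     * rather than around {@code setCertificateEntry}, so the checked exception was unhandled and
     * the catch block would have dereferenced a null certificate; this is the intended shape.
     * NOTE(review): keystore aliases are matched case-insensitively by common providers, so two
     * certificates whose text differs only by case would collide — unlikely for distinct
     * certificates, but not guarded against here.
     *
     * @param keyStore an already-loaded keystore to populate
     * @param certificateArr certificates to add; must not be {@code null} (elements may be)
     */
    private static void loadCerts(KeyStore keyStore, Certificate[] certificateArr) {
        for (Certificate certificate : certificateArr) {
            if (null == certificate) {
                if (JaLogger.isLoggable(Level.FINEST)) {
                    JaLogger.log(Level.FINEST, JaLogger.Component.TRUSTSTORE_MANAGER, "Null trusted certificate encountered.", new Object[0]);
                }
                continue;
            }
            try {
                keyStore.setCertificateEntry(certificate.toString(), certificate);
            } catch (KeyStoreException e) {
                if (JaLogger.isLoggable(Level.WARNING)) {
                    JaLogger.log(Level.WARNING, JaLogger.Component.TRUSTSTORE_MANAGER, e, "Unable to add certificate to keystore: cert={0}, message={1}.", certificate.toString(), e.getMessage());
                }
            }
        }
    }

    /**
     * Checks that every version 3 CA certificate on the built path — the intermediates in the
     * {@code CertPath} plus the trust anchor, which the {@code CertPath} does not include — carries
     * Basic Constraints as a critical extension.
     * <p>
     * The first certificate in the {@code CertPath} is the end entity (selected by subject in
     * {@link #buildPKIXCertPath}) and is skipped. Certificates of other versions and non-X.509
     * entries are logged and skipped rather than rejected; version 1 CAs are the concern of
     * {@link #hasV1CAs}.
     *
     * @param pKIXCertPathBuilderResult a non-null builder result with a certificate-backed anchor
     * @return {@code false} as soon as one v3 CA certificate lacks a critical Basic Constraints
     *         extension, otherwise {@code true}
     */
    boolean isBasicConstraintsExtensionMarkedCritical(PKIXCertPathBuilderResult pKIXCertPathBuilderResult) {
        boolean atEndEntity = true;
        for (Certificate pathCert : pKIXCertPathBuilderResult.getCertPath().getCertificates()) {
            if (atEndEntity) {
                // The leaf is not a CA; only issuers are subject to this check.
                atEndEntity = false;
                continue;
            }
            if (!(pathCert instanceof X509Certificate)) {
                if (JaLogger.isLoggable(Level.FINEST)) {
                    JaLogger.log(Level.FINEST, JaLogger.Component.TRUSTSTORE_MANAGER, "Critical Basic Constraint Extensions check skipping non-X509Certificate instance: {0}", pathCert);
                }
                continue;
            }
            X509Certificate issuer = (X509Certificate) pathCert;
            if (issuer.getVersion() != CERT_X509_V3) {
                if (JaLogger.isLoggable(Level.FINER)) {
                    JaLogger.log(Level.FINER, JaLogger.Component.TRUSTSTORE_MANAGER, "Checking for Critical Basic Constraint Extensions, skipping non-v3 cert: Version={0}, SubjectDN={1}.", Integer.valueOf(issuer.getVersion()), issuer.getSubjectDN().toString());
                }
                continue;
            }
            if (!isElementFound(issuer.getCriticalExtensionOIDs(), ID_CE_BASIC_CONSTRAINTS)) {
                if (JaLogger.isLoggable(Level.FINE)) {
                    JaLogger.log(Level.FINE, JaLogger.Component.TRUSTSTORE_MANAGER, "Found v3 cert without critical BasicConstraints extension: {0}", issuer.getSubjectDN().toString());
                }
                return false;
            }
        }
        X509Certificate anchorCert = pKIXCertPathBuilderResult.getTrustAnchor().getTrustedCert();
        if (anchorCert.getVersion() != CERT_X509_V3) {
            if (JaLogger.isLoggable(Level.FINER)) {
                JaLogger.log(Level.FINER, JaLogger.Component.TRUSTSTORE_MANAGER, "Checking for Critical Basic Constraint Extensions, skipping non-v3 anchor cert: Version={0}, SubjectDN={1}.", Integer.valueOf(anchorCert.getVersion()), anchorCert.getSubjectDN().toString());
            }
            return true;
        }
        if (isElementFound(anchorCert.getCriticalExtensionOIDs(), ID_CE_BASIC_CONSTRAINTS)) {
            return true;
        }
        if (JaLogger.isLoggable(Level.FINE)) {
            JaLogger.log(Level.FINE, JaLogger.Component.TRUSTSTORE_MANAGER, "Found v3 anchor cert without critical BasicConstraints extension: {0}", anchorCert.getSubjectDN().toString());
        }
        return false;
    }

    /**
     * Reports whether any CA certificate on the built path — an intermediate in the
     * {@code CertPath} or the trust anchor — is an X.509 version 1 certificate. The first
     * {@code CertPath} element (the end entity) is skipped; non-X.509 entries are logged and
     * skipped.
     *
     * @param pKIXCertPathBuilderResult a non-null builder result with a certificate-backed anchor
     * @return {@code true} at the first version 1 CA certificate found
     */
    boolean hasV1CAs(PKIXCertPathBuilderResult pKIXCertPathBuilderResult) {
        boolean atEndEntity = true;
        for (Certificate pathCert : pKIXCertPathBuilderResult.getCertPath().getCertificates()) {
            if (atEndEntity) {
                atEndEntity = false;
                continue;
            }
            if (!(pathCert instanceof X509Certificate)) {
                if (JaLogger.isLoggable(Level.FINEST)) {
                    JaLogger.log(Level.FINEST, JaLogger.Component.TRUSTSTORE_MANAGER, "V1 CA certificate check skipping non-X509Certificate instance: {0}", pathCert);
                }
                continue;
            }
            X509Certificate issuer = (X509Certificate) pathCert;
            if (issuer.getVersion() == CERT_X509_V1) {
                if (JaLogger.isLoggable(Level.FINE)) {
                    JaLogger.log(Level.FINE, JaLogger.Component.TRUSTSTORE_MANAGER, "Found version 1 certificate: {0}", issuer.getSubjectDN().toString());
                }
                return true;
            }
        }
        X509Certificate anchorCert = pKIXCertPathBuilderResult.getTrustAnchor().getTrustedCert();
        if (anchorCert.getVersion() != CERT_X509_V1) {
            return false;
        }
        if (JaLogger.isLoggable(Level.FINE)) {
            JaLogger.log(Level.FINE, JaLogger.Component.TRUSTSTORE_MANAGER, "Found version 1 anchor certificate: {0}", anchorCert.getSubjectDN().toString());
        }
        return true;
    }

    /**
     * Case-insensitive membership test, used for OID strings.
     *
     * @param set candidate strings; {@code null} or empty yields {@code false}
     * @param str the value to look for; {@code null} yields {@code false}
     * @return {@code true} if some element equals {@code str} ignoring case
     */
    public static boolean isElementFound(Set<String> set, String str) {
        if (set == null || str == null || set.isEmpty()) {
            return false;
        }
        for (String element : set) {
            if (str.equalsIgnoreCase(element)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Wraps each non-null certificate in a {@link TrustAnchor} with no name constraints.
     * A {@code null} or empty input logs a WARNING and yields an empty set; null elements are
     * logged at FINEST and skipped.
     *
     * @return a new, mutable set (the constructor wraps it read-only)
     */
    static Set<TrustAnchor> createTrustAnchors(X509Certificate[] x509CertificateArr) {
        HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        if (null == x509CertificateArr || x509CertificateArr.length == 0) {
            if (JaLogger.isLoggable(Level.WARNING)) {
                JaLogger.log(Level.WARNING, JaLogger.Component.TRUSTSTORE_MANAGER, "No trusted CAs available to populate trust anchors.", new Object[0]);
            }
            return anchors;
        }
        for (X509Certificate caCert : x509CertificateArr) {
            if (null == caCert) {
                if (JaLogger.isLoggable(Level.FINEST)) {
                    JaLogger.log(Level.FINEST, JaLogger.Component.TRUSTSTORE_MANAGER, "Null certificate encountered while populating trust anchors.", new Object[0]);
                }
                continue;
            }
            anchors.add(new TrustAnchor(caCert, null));
        }
        return anchors;
    }

    /**
     * Builds a PKIX path from the presented chain to one of this instance's trust anchors. The
     * target is selected by the subject of {@code x509CertificateArr[0]}, and the presented
     * certificates are offered through a collection {@code CertStore} so intermediates can be
     * located. Revocation is disabled on this builder — presumably because the path is only
     * used for the structural checks in {@link #checkCertPath} and revocation is the delegate's
     * job (server side via the WebLogic checker); confirm before relying on it.
     *
     * @param x509CertificateArr non-empty chain, end-entity first
     * @return the builder result (never {@code null})
     * @throws IllegalStateException wrapping any failure, including a chain that cannot be linked
     *         to an anchor; note that this is not a {@link CertificateException} even though the
     *         signature declares one
     */
    PKIXCertPathBuilderResult buildPKIXCertPath(X509Certificate[] x509CertificateArr) throws CertificateException {
        try {
            X509CertSelector target = new X509CertSelector();
            target.setSubject(x509CertificateArr[0].getSubjectX500Principal());
            PKIXBuilderParameters params = new PKIXBuilderParameters(this.trustAnchors, target);
            CertStore presented = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(x509CertificateArr)));
            params.addCertStore(presented);
            params.setRevocationEnabled(false);
            return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        } catch (Exception e) {
            if (JaLogger.isLoggable(Level.WARNING)) {
                JaLogger.log(Level.WARNING, JaLogger.Component.TRUSTSTORE_MANAGER, e, "Error using PKIX CertPathBuilder.", new Object[0]);
            }
            throw new IllegalStateException("Error using PKIX CertPathBuilder.", e);
        }
    }

    /**
     * Reports whether the builder result has anything to inspect: either a non-empty
     * {@code CertPath}, or (when the path is empty, e.g. the peer certificate is itself an anchor)
     * a trust anchor backed by a certificate.
     *
     * @throws IllegalArgumentException if {@code pKIXCertPathBuilderResult} is {@code null}
     */
    boolean hasCertPath(PKIXCertPathBuilderResult pKIXCertPathBuilderResult) {
        if (null == pKIXCertPathBuilderResult) {
            throw new IllegalArgumentException("Expected non-null PKIXCertPathBuilderResult.");
        }
        java.security.cert.CertPath path = pKIXCertPathBuilderResult.getCertPath();
        boolean pathHasCerts = path != null && path.getCertificates() != null && !path.getCertificates().isEmpty();
        if (pathHasCerts) {
            return true;
        }
        TrustAnchor anchor = pKIXCertPathBuilderResult.getTrustAnchor();
        return anchor != null && anchor.getTrustedCert() != null;
    }

    /**
     * Returns a shallow copy of the array so callers cannot alter the trusted set through the
     * original reference. {@code null} or empty input yields a new empty array.
     */
    X509Certificate[] copyCerts(X509Certificate[] x509CertificateArr) {
        if (null == x509CertificateArr || x509CertificateArr.length == 0) {
            if (JaLogger.isLoggable(Level.FINEST)) {
                JaLogger.log(Level.FINEST, JaLogger.Component.TRUSTSTORE_MANAGER, "No certs to copy.", new Object[0]);
            }
            return new X509Certificate[0];
        }
        return Arrays.copyOf(x509CertificateArr, x509CertificateArr.length);
    }

    /**
     * Wraps the array's elements (null entries included, as a single {@code null} member) in a
     * read-only set for the revocation context. A {@code null} array is treated as empty.
     */
    private Set<X509Certificate> toUnmodifiableSet(X509Certificate[] x509CertificateArr) {
        X509Certificate[] source = (x509CertificateArr == null) ? new X509Certificate[0] : x509CertificateArr;
        return Collections.unmodifiableSet(new HashSet<X509Certificate>(Arrays.asList(source)));
    }
}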
