package org.snmp4j.transport.tls;

import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.snmp4j.CertifiedIdentity;
import org.snmp4j.TransportStateReference;
import org.snmp4j.event.CounterEvent;
import org.snmp4j.log.LogAdapter;
import org.snmp4j.log.LogFactory;
import org.snmp4j.mp.CounterSupport;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.smi.OctetString;

/* loaded from: classes2.dex */
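/**
 * {@link X509TrustManager} decorator used for the TLS transport model.
 *
 * <p>It layers three checks around a delegate trust manager: certificate
 * fingerprint pinning taken from the {@link CertifiedIdentity} of the transport
 * state reference, an optional application {@link TlsTmSecurityCallback}, and
 * updates of the TLSTM session counters on every rejection.
 *
 * <p>Trust decisions by branch, as implemented below:
 * <ul>
 *   <li>A fingerprint match accepts the peer immediately; neither the delegate
 *       trust manager nor the callback is consulted.</li>
 *   <li>In server mode with a callback, the callback alone decides about client
 *       certificates; the delegate trust manager is not consulted.</li>
 *   <li>For server certificates, an identity/name match with an empty pinned
 *       fingerprint accepts the peer before the delegate runs (see the review
 *       note in {@link #checkServerTrusted}).</li>
 * </ul>
 */
public class TlsTrustManager implements X509TrustManager {
    private static final LogAdapter LOGGER = LogFactory.getLogger((Class<?>) TlsTrustManager.class);

    /** subjectAltName GeneralName type tag for dNSName entries. */
    private static final int SUBJECT_ALT_NAME_DNS = 2;

    private final TlsTmSecurityCallback<X509Certificate> securityCallback;
    private final CounterSupport tlstmCounters;
    private final TransportStateReference tmStateReference;
    // Package-private in the original; left non-final because other classes in
    // this package may assign it.
    X509TrustManager trustManager;
    private final boolean useClientMode;

    /**
     * Creates a trust manager that wraps {@code x509TrustManager}.
     *
     * @param x509TrustManager delegate that performs the regular trust check
     * @param z5 {@code true} when this end acts as the TLS client
     * @param transportStateReference state reference whose target may carry pinned fingerprints
     * @param counterSupport sink for TLSTM counter events
     * @param tlsTmSecurityCallback default callback, used when the target does not supply its own;
     *     may be {@code null}
     */
    public TlsTrustManager(X509TrustManager x509TrustManager, boolean z5, TransportStateReference transportStateReference, CounterSupport counterSupport, TlsTmSecurityCallback<X509Certificate> tlsTmSecurityCallback) {
        this.trustManager = x509TrustManager;
        this.useClientMode = z5;
        this.tmStateReference = transportStateReference;
        this.tlstmCounters = counterSupport;
        this.securityCallback = tlsTmSecurityCallback;
    }

    /**
     * Returns the delegate's accepted issuers, filtered through the callback.
     *
     * @param x509TrustManager delegate providing the candidate issuers
     * @param tlsTmSecurityCallback filter; when {@code null} the delegate's array is returned as is
     * @return the issuers the callback accepted, or the delegate's result (possibly {@code null})
     *     when there is nothing to filter
     */
    public static X509Certificate[] getAcceptedIssuers(X509TrustManager x509TrustManager, TlsTmSecurityCallback<X509Certificate> tlsTmSecurityCallback) {
        X509Certificate[] candidates = x509TrustManager.getAcceptedIssuers();
        if (candidates == null || tlsTmSecurityCallback == null) {
            return candidates;
        }
        // Typed list instead of the raw ArrayList, so the array conversion needs no cast.
        ArrayList<X509Certificate> accepted = new ArrayList<X509Certificate>(candidates.length);
        for (X509Certificate issuer : candidates) {
            try {
                if (tlsTmSecurityCallback.isAcceptedIssuer(issuer)) {
                    accepted.add(issuer);
                }
            } catch (CertificateException e5) {
                // A callback failure for one issuer drops that issuer only (fail closed).
                LOGGER.debug("Security callback " + tlsTmSecurityCallback + " rejected " + issuer + ": " + e5.getMessage());
            }
        }
        return accepted.toArray(new X509Certificate[0]);
    }

    /**
     * Enforces the {@link X509TrustManager} contract that a {@code null} or empty
     * chain is an {@link IllegalArgumentException}, instead of failing later with
     * an index or null-pointer error while building a log message.
     */
    private static void requireNonEmptyChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be null or empty");
        }
    }

    /** Delegates the fingerprint comparison to {@code TLSTMUtil}. */
    private boolean isMatchingFingerprint(X509Certificate[] x509CertificateArr, OctetString octetString, boolean z5) {
        return TLSTMUtil.isMatchingFingerprint(x509CertificateArr, octetString, z5, this.tlstmCounters, LOGGER, this);
    }

    /**
     * Validates a client certificate chain.
     *
     * @param x509CertificateArr peer chain, leaf certificate first
     * @param str authentication type, passed through to the delegate
     * @throws CertificateException if the chain is rejected
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireNonEmptyChain(x509CertificateArr);
        if (TransportStateReference.hasCertifiedIdentity(this.tmStateReference)) {
            OctetString clientFingerprint = ((CertifiedIdentity) this.tmStateReference.getTarget()).getClientFingerprint();
            if (isMatchingFingerprint(x509CertificateArr, clientFingerprint, false)) {
                // Pinned fingerprint matched: accepted without consulting the delegate.
                return;
            }
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionInvalidClientCertificates));
            // Guard the message: the configured fingerprint may be absent.
            String expected = clientFingerprint == null ? "null" : clientFingerprint.toHexString();
            throw new CertificateException("Client certificate validation by fingerprint failed for '" + x509CertificateArr[0] + "' (does not match " + expected + ")");
        }
        TlsTmSecurityCallback<X509Certificate> callback = getSecurityCallback();
        try {
            if (this.useClientMode || callback == null) {
                this.trustManager.checkClientTrusted(x509CertificateArr, str);
                return;
            }
            if (!callback.isClientCertificateAccepted(x509CertificateArr[0])) {
                // The invalid-certificate counter is incremented once, in the catch
                // block below; incrementing it here as well counted each rejection twice.
                // NOTE(review): the message says "by fingerprint" although the callback
                // made the decision; text kept as is for log compatibility.
                throw new CertificateException("Client certificate validation by fingerprint failed for '" + x509CertificateArr[0] + "'");
            }
            if (LOGGER.isInfoEnabled()) {
                LOGGER.info("Client is trusted with certificate '" + x509CertificateArr[0] + "'");
            }
        } catch (CertificateException e5) {
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionOpenErrors));
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionInvalidClientCertificates));
            LOGGER.warn("Client certificate validation failed for '" + x509CertificateArr[0] + "':" + e5.getMessage());
            throw e5;
        }
    }

    /**
     * Validates a server certificate chain.
     *
     * @param x509CertificateArr peer chain, leaf certificate first
     * @param str authentication type, passed through to the delegate
     * @throws CertificateException if the chain is rejected
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireNonEmptyChain(x509CertificateArr);
        OctetString serverFingerprint = null;
        if (TransportStateReference.hasCertifiedIdentity(this.tmStateReference)) {
            serverFingerprint = ((CertifiedIdentity) this.tmStateReference.getTarget()).getServerFingerprint();
            if (isMatchingFingerprint(x509CertificateArr, serverFingerprint, true)) {
                // Pinned fingerprint matched: accepted without consulting the delegate.
                return;
            }
        }
        Object peerName = null;
        try {
            peerName = TLSTMUtil.getSubjAltName(x509CertificateArr[0].getSubjectAlternativeNames(), SUBJECT_ALT_NAME_DNS);
        } catch (CertificateParsingException unused) {
            // Counted and logged, but not fatal here: validation continues below.
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionInvalidServerCertificates));
            LOGGER.warn("CertificateParsingException while verifying server certificate " + Arrays.asList(x509CertificateArr));
        }
        if (peerName == null) {
            // No dNSName entry: fall back to the subject distinguished name.
            X500Principal subject = x509CertificateArr[0].getSubjectX500Principal();
            if (subject != null) {
                peerName = subject.getName();
            }
        }
        // Identity matching applies only when a fingerprint is configured but empty.
        if (peerName != null && serverFingerprint != null && serverFingerprint.length() == 0 && TransportStateReference.hasCertifiedIdentity(this.tmStateReference) && ((CertifiedIdentity) this.tmStateReference.getTarget()).getIdentity() != null) {
            String certName = ((String) peerName).toLowerCase();
            String expectedIdentity = ((CertifiedIdentity) this.tmStateReference.getTarget()).getIdentity().toString();
            if (expectedIdentity.length() > 0) {
                if (expectedIdentity.charAt(0) == '*') {
                    // Wildcard identity: compare only the part after the first label.
                    int firstDot = certName.indexOf('.');
                    if (firstDot > 0) {
                        certName = certName.substring(firstDot);
                    }
                    expectedIdentity = expectedIdentity.substring(1);
                }
                if (expectedIdentity.equalsIgnoreCase(certName)) {
                    if (LOGGER.isInfoEnabled()) {
                        LOGGER.info("Peer hostname " + expectedIdentity + " matches dNSName " + certName);
                    }
                    // NOTE(review): this return happens before the delegate trust manager
                    // runs, so the certificate path is not validated on this branch. A name
                    // inside a certificate authenticates the peer only when the chain is
                    // anchored in a trusted issuer. Confirm the shortcut is intended;
                    // otherwise call trustManager.checkServerTrusted() before accepting.
                    return;
                }
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Peer hostname " + expectedIdentity + " did not match dNSName " + certName);
            }
        }
        try {
            this.trustManager.checkServerTrusted(x509CertificateArr, str);
            TlsTmSecurityCallback<X509Certificate> callback = getSecurityCallback();
            // The callback can only veto a chain the delegate already trusts, and is
            // consulted in client mode only.
            if (!this.useClientMode || callback == null || callback.isServerCertificateAccepted(x509CertificateArr)) {
                return;
            }
            LOGGER.info("Server is NOT trusted with certificate '" + Arrays.asList(x509CertificateArr) + "'");
            throw new CertificateException("Server's certificate is not trusted by this application (although it was trusted by the JRE): " + Arrays.asList(x509CertificateArr));
        } catch (CertificateException e5) {
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionOpenErrors));
            this.tlstmCounters.fireIncrementCounter(new CounterEvent(this, SnmpConstants.snmpTlstmSessionInvalidServerCertificates));
            LOGGER.warn("Server certificate validation failed for '" + x509CertificateArr[0] + "'");
            throw e5;
        }
    }

    /** Returns the delegate's accepted issuers, filtered by the effective security callback. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return getAcceptedIssuers(this.trustManager, getSecurityCallback());
    }

    /**
     * Returns the effective security callback: the one supplied by a
     * {@code TlsX509CertifiedTarget} on the transport state reference when it has
     * one, otherwise the callback passed to the constructor.
     *
     * @return the effective callback, possibly {@code null}
     */
    public TlsTmSecurityCallback<X509Certificate> getSecurityCallback() {
        if (TransportStateReference.hasCertifiedIdentity(this.tmStateReference)) {
            Object target = this.tmStateReference.getTarget();
            if (target instanceof TlsX509CertifiedTarget) {
                // Read once, so the value that was null-checked is the value returned.
                TlsTmSecurityCallback<X509Certificate> targetCallback = ((TlsX509CertifiedTarget) target).getTlsTmSecurityCallback();
                if (targetCallback != null) {
                    return targetCallback;
                }
            }
        }
        return this.securityCallback;
    }
}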
