package cfca.sadk.tls.sun.security.ssl;

import cfca.sadk.tls.java.security.CFCAAlgorithmConstraints;
import cfca.sadk.tls.javax.net.ssl.CFCAExtendedSSLSession;
import cfca.sadk.tls.javax.net.ssl.CFCASSLEngine;
import cfca.sadk.tls.javax.net.ssl.CFCASSLSocket;
import cfca.sadk.tls.javax.net.ssl.CFCAX509ExtendedTrustManager;
import cfca.sadk.tls.sun.security.provider.certpath.CFCAAlgorithmChecker;
import cfca.sadk.tls.sun.security.ssl.sec.SSLAlgorithmConstraints;
import cfca.sadk.tls.sun.security.util.CFCASSLHelper;
import java.net.Socket;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

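/* JADX INFO: Access modifiers changed from: package-private */
/* compiled from: SSLContextImpl.java */
/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/AbstractTrustManagerWrapper.class */
/**
 * Adapts a plain {@link X509TrustManager} to the {@link CFCAX509ExtendedTrustManager} API.
 *
 * <p>Every check first delegates to the wrapped manager. The socket- and engine-aware overloads
 * then add two checks of their own: endpoint identification (only when an endpoint
 * identification algorithm is configured on the connection) and algorithm constraints on the
 * certificate chain.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The two-argument {@code checkClientTrusted}/{@code checkServerTrusted} methods perform
 *       no endpoint identification and no algorithm-constraint check; the wrapped manager's
 *       verdict is final there.</li>
 *   <li>The additional checks are skipped entirely when no handshake context is available
 *       (null engine; null, unconnected or non-{@link CFCASSLSocket} socket).</li>
 *   <li>The peer identity is not checked when the endpoint identification algorithm is null or
 *       empty, so callers that need host name verification must configure it.</li>
 * </ul>
 */
public final class AbstractTrustManagerWrapper extends CFCAX509ExtendedTrustManager implements X509TrustManager {
    /** The wrapped trust manager whose decision is consulted before any additional check. */
    private final X509TrustManager tm;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Wraps the given trust manager.
     *
     * @param x509TrustManager the manager to delegate to; it is not validated here, so a null
     *     value only fails later, on first use
     */
    public AbstractTrustManagerWrapper(X509TrustManager x509TrustManager) {
        this.tm = x509TrustManager;
    }

    /**
     * Delegates to the wrapped manager without any additional check.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type, forwarded unchanged
     * @throws CertificateException if the wrapped manager rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.tm.checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Delegates to the wrapped manager without any additional check.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type, forwarded unchanged
     * @throws CertificateException if the wrapped manager rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.tm.checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Returns the accepted issuers reported by the wrapped manager.
     *
     * @return whatever the wrapped manager returns, unmodified
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.tm.getAcceptedIssuers();
    }

    /**
     * Checks a client chain with the wrapped manager, then applies the socket-based checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type, forwarded unchanged
     * @param socket the socket of the connection being established; may be null
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.javax.net.ssl.CFCAX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.tm.checkClientTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, socket, true);
    }

    /**
     * Checks a server chain with the wrapped manager, then applies the socket-based checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type, forwarded unchanged
     * @param socket the socket of the connection being established; may be null
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.javax.net.ssl.CFCAX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.tm.checkServerTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, socket, false);
    }

    /**
     * Checks a client chain with the wrapped manager, then applies the engine-based checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type, forwarded unchanged
     * @param cFCASSLEngine the engine of the connection being established; may be null
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.javax.net.ssl.CFCAX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, CFCASSLEngine cFCASSLEngine) throws CertificateException {
        this.tm.checkClientTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, cFCASSLEngine, true);
    }

    /**
     * Checks a server chain with the wrapped manager, then applies the engine-based checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type, forwarded unchanged
     * @param cFCASSLEngine the engine of the connection being established; may be null
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.javax.net.ssl.CFCAX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, CFCASSLEngine cFCASSLEngine) throws CertificateException {
        this.tm.checkServerTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, cFCASSLEngine, false);
    }

    /**
     * Applies endpoint identification and algorithm constraints for a socket-based connection.
     *
     * @param chain the peer certificate chain, already accepted by the wrapped manager
     * @param authType the authentication type; not used by the additional checks
     * @param socket the connection's socket
     * @param isClient true when called for a client chain; not used by the additional checks
     * @throws CertificateException if there is no handshake session or a check fails
     */
    private void checkAdditionalTrust(X509Certificate[] chain, String authType, Socket socket, boolean isClient) throws CertificateException {
        // Without a connected CFCASSLSocket there is no handshake context to check against;
        // the additional checks are skipped and the wrapped manager's verdict stands.
        if (socket == null || !socket.isConnected() || !(socket instanceof CFCASSLSocket)) {
            return;
        }
        CFCASSLSocket sslSocket = (CFCASSLSocket) socket;
        SSLSession session = sslSocket.getHandshakeSession();
        if (session == null) {
            throw new CertificateException("No handshake session");
        }
        checkEndpointIdentity(chain, sslSocket.getCFCASSLParameters().getEndpointIdentificationAlgorithm(), session);

        // The locally supported signature algorithms are only taken into account for a
        // standard TLS 1.2 handshake whose session exposes them.
        final SSLAlgorithmConstraints constraints;
        if (ProtocolVersion.valueOf(session.getProtocol()).isStandardTLS12() && session instanceof CFCAExtendedSSLSession) {
            constraints = new SSLAlgorithmConstraints(sslSocket, ((CFCAExtendedSSLSession) session).getLocalSupportedSignatureAlgorithms(), true);
        } else {
            constraints = new SSLAlgorithmConstraints(sslSocket, true);
        }
        checkAlgorithmConstraints(chain, constraints);
    }

    /**
     * Applies endpoint identification and algorithm constraints for an engine-based connection.
     *
     * @param chain the peer certificate chain, already accepted by the wrapped manager
     * @param authType the authentication type; not used by the additional checks
     * @param cFCASSLEngine the connection's engine
     * @param isClient true when called for a client chain; not used by the additional checks
     * @throws CertificateException if there is no handshake session or a check fails
     */
    private void checkAdditionalTrust(X509Certificate[] chain, String authType, CFCASSLEngine cFCASSLEngine, boolean isClient) throws CertificateException {
        // A null engine means no handshake context; the additional checks are skipped.
        if (cFCASSLEngine == null) {
            return;
        }
        SSLSession session = cFCASSLEngine.getHandshakeSession();
        if (session == null) {
            throw new CertificateException("No handshake session");
        }
        checkEndpointIdentity(chain, cFCASSLEngine.getCFCASSLParameters().getEndpointIdentificationAlgorithm(), session);

        // The locally supported signature algorithms are only taken into account for a
        // standard TLS 1.2 handshake whose session exposes them.
        final SSLAlgorithmConstraints constraints;
        if (ProtocolVersion.valueOf(session.getProtocol()).isStandardTLS12() && session instanceof CFCAExtendedSSLSession) {
            constraints = new SSLAlgorithmConstraints(cFCASSLEngine, ((CFCAExtendedSSLSession) session).getLocalSupportedSignatureAlgorithms(), true);
        } else {
            constraints = new SSLAlgorithmConstraints(cFCASSLEngine, true);
        }
        checkAlgorithmConstraints(chain, constraints);
    }

    /**
     * Verifies the first certificate of the chain against the peer host of the handshake
     * session, but only when an endpoint identification algorithm is configured.
     *
     * @param chain the peer certificate chain
     * @param algorithm the configured endpoint identification algorithm; null or empty disables
     *     the check
     * @param session the handshake session supplying the peer host
     * @throws CertificateException if the identity check fails
     * @throws IllegalArgumentException if the check is enabled and the chain is null or empty
     */
    private static void checkEndpointIdentity(X509Certificate[] chain, String algorithm, SSLSession session) throws CertificateException {
        if (algorithm == null || algorithm.length() == 0) {
            // Not configured: the peer identity is NOT bound to the host name here.
            return;
        }
        requireNonEmptyChain(chain);
        CFCASSLHelper.checkIdentity(chain[0], algorithm, session.getPeerHost());
    }

    /**
     * Runs the algorithm checker over the chain, from the certificate nearest the trust anchor
     * down to the first certificate.
     *
     * <p>The last certificate is exempt when the wrapped manager lists it among its accepted
     * issuers, so the exemption is only as narrow as that list.
     *
     * @param chain the peer certificate chain
     * @param constraints the constraints to enforce
     * @throws CertificateException if a certificate violates the constraints; the underlying
     *     {@link CertPathValidatorException} is attached as the cause
     * @throws IllegalArgumentException if the chain is null or empty
     */
    private void checkAlgorithmConstraints(X509Certificate[] chain, CFCAAlgorithmConstraints constraints) throws CertificateException {
        // The wrapped manager may be permissive; fail with a clear error rather than an
        // index or null-pointer failure when it let a null or empty chain through.
        requireNonEmptyChain(chain);
        try {
            int lastToCheck = chain.length - 1;
            HashSet<X509Certificate> trustedIssuers = new HashSet<X509Certificate>();
            X509Certificate[] acceptedIssuers = this.tm.getAcceptedIssuers();
            if (acceptedIssuers != null && acceptedIssuers.length > 0) {
                Collections.addAll(trustedIssuers, acceptedIssuers);
            }
            // A chain ending in a certificate the wrapped manager already trusts does not need
            // that certificate checked against the constraints.
            if (trustedIssuers.contains(chain[lastToCheck])) {
                lastToCheck--;
            }
            if (lastToCheck >= 0) {
                CFCAAlgorithmChecker checker = new CFCAAlgorithmChecker(constraints);
                checker.init(false);
                for (int i = lastToCheck; i >= 0; i--) {
                    checker.check(chain[i], Collections.emptySet());
                }
            }
        } catch (CertPathValidatorException e) {
            // Keep the cause so the failing certificate/algorithm can be diagnosed from logs.
            throw new CertificateException("Certificates does not conform to algorithm constraints", e);
        }
    }

    /**
     * Rejects a null or zero-length certificate chain before it is indexed.
     *
     * @param chain the chain to validate
     * @throws IllegalArgumentException if the chain is null or empty
     */
    private static void requireNonEmptyChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
    }
}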
