package cfca.sadk.tls.sun.security.ssl.manager;

import cfca.sadk.tls.javax.net.ssl.GMSSLEngine;
import cfca.sadk.tls.javax.net.ssl.GMSSLSocket;
import cfca.sadk.tls.javax.net.ssl.GMSSLTransfer;
import cfca.sadk.tls.sun.security.ssl.Debugger;
import cfca.sadk.tls.sun.security.ssl.sec.SSLAlgorithmConstraints;
import cfca.sadk.tls.sun.security.util.GMSSLHelper;
import cfca.sadk.tls.sun.security.validator.TLSValidator;
import cfca.sadk.tls.sun.security.validator.TLSValidatorVariant;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/manager/GMX509TrustManager.class */
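/**
 * X.509 trust manager for the CFCA GM/TLS stack.
 *
 * <p>Trust anchors come either from a {@link KeyStore} or from caller-supplied
 * {@link PKIXBuilderParameters}. One {@link TLSValidator} per direction (client / server)
 * is created lazily and reused.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Peer identity checking and algorithm constraints are applied only when a
 *       {@link GMSSLTransfer} (a connected {@link GMSSLSocket} or a {@link GMSSLEngine}) is
 *       supplied. The two-argument {@code checkClientTrusted}/{@code checkServerTrusted}
 *       overloads therefore perform chain validation only.</li>
 *   <li>A chain found in {@code LRUTrustCerts.INSTANCE} is accepted without being passed to
 *       the validator again.</li>
 * </ul>
 */
final class GMX509TrustManager extends GMX509ExtendedTrustManager implements X509TrustManager {
    // Trust anchors reported by getAcceptedIssuers(); showTrustedCerts() treats null as possible.
    private final Collection<X509Certificate> trustedCerts;
    // Non-null only when the instance was built from PKIX parameters.
    private final PKIXBuilderParameters pkixParams;
    // Lazily created validators; volatile so the double-checked initialisation below is safe.
    private volatile TLSValidator clientValidator;
    private volatile TLSValidator serverValidator;

    /**
     * Builds a trust manager whose anchors are the trusted certificates of {@code keyStore}.
     * (JADX reports the original access modifier as package-private.)
     *
     * @param keyStore source of the trusted certificates
     * @throws KeyStoreException if the trusted certificates cannot be read from the key store
     */
    public GMX509TrustManager(KeyStore keyStore) throws KeyStoreException {
        this.pkixParams = null;
        this.trustedCerts = GMSSLHelper.getTrustedCerts(keyStore);
        showTrustedCerts();
    }

    /**
     * Builds a trust manager from PKIX builder parameters. The server-side validator is created
     * eagerly because the anchor set is read back from it.
     * (JADX reports the original access modifier as package-private.)
     *
     * @param pKIXBuilderParameters PKIX parameters carrying the trust anchors; must not be null
     * @throws NullPointerException if {@code pKIXBuilderParameters} is null
     */
    public GMX509TrustManager(PKIXBuilderParameters pKIXBuilderParameters) {
        if (pKIXBuilderParameters == null) {
            // Without this guard getValidator() would fall back to the still-unassigned
            // (null) trustedCerts collection and build a validator over it.
            throw new NullPointerException("pKIXBuilderParameters");
        }
        this.pkixParams = pKIXBuilderParameters;
        TLSValidator validator = getValidator(TLSValidatorVariant.TLS_SERVER);
        // Fix: read the anchors from the validator just created. The previous code dereferenced
        // this.serverValidator before assigning it, which always threw NullPointerException.
        this.trustedCerts = validator.getTrustedCertificates();
        this.serverValidator = validator;
        showTrustedCerts();
    }

    /**
     * Validates a client chain with no transport context: no peer identity check and no
     * algorithm constraints are applied on this path.
     *
     * @throws IllegalArgumentException if the chain or authentication type is null or empty
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkTrusted(x509CertificateArr, str, (Socket) null, true);
    }

    /**
     * Validates a server chain with no transport context: no peer identity check and no
     * algorithm constraints are applied on this path.
     *
     * @throws IllegalArgumentException if the chain or authentication type is null or empty
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkTrusted(x509CertificateArr, str, (Socket) null, false);
    }

    /**
     * Returns a fresh array of the trust anchors.
     *
     * @return the accepted issuers; never null, empty when no anchors were loaded
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (this.trustedCerts == null) {
            // showTrustedCerts() already allows for a null anchor collection; the
            // X509TrustManager contract requires a non-null array here.
            return new X509Certificate[0];
        }
        return this.trustedCerts.toArray(new X509Certificate[0]);
    }

    /** Validates a client chain in the context of {@code socket} (see the socket-based checkTrusted). */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        checkTrusted(x509CertificateArr, str, socket, true);
    }

    /** Validates a server chain in the context of {@code socket} (see the socket-based checkTrusted). */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        checkTrusted(x509CertificateArr, str, socket, false);
    }

    /** Validates a client chain in the context of a GM SSL engine. */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, GMSSLEngine gMSSLEngine) throws CertificateException {
        checkTrusted(x509CertificateArr, str, (GMSSLTransfer) gMSSLEngine, true);
    }

    /** Validates a server chain in the context of a GM SSL engine. */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, GMSSLEngine gMSSLEngine) throws CertificateException {
        checkTrusted(x509CertificateArr, str, (GMSSLTransfer) gMSSLEngine, false);
    }

    /**
     * Narrows {@code socket} to a {@link GMSSLSocket} when it is one and is connected, then
     * delegates. Any other socket (null, unconnected, or a different type) is passed on as a
     * null transport, which skips the identity check and algorithm constraints.
     */
    private void checkTrusted(X509Certificate[] chain, String authType, Socket socket, boolean isClient) throws CertificateException {
        GMSSLSocket gmSocket = null;
        if (socket != null && socket.isConnected() && (socket instanceof GMSSLSocket)) {
            gmSocket = (GMSSLSocket) socket;
        }
        checkTrusted(chain, authType, (GMSSLTransfer) gmSocket, isClient);
    }

    /**
     * Core trust decision.
     *
     * @param chain    peer certificate chain, leaf first (element 0 is used for the identity check)
     * @param authType authentication type passed through to the validator
     * @param transfer socket or engine carrying the handshake, or null when there is none
     * @param isClient true when checking a client chain, false for a server chain
     * @throws IllegalArgumentException if the chain or authentication type is null or empty
     * @throws CertificateException if there is no handshake session, the identity check fails,
     *         or the chain does not validate
     */
    private void checkTrusted(X509Certificate[] chain, String authType, GMSSLTransfer transfer, boolean isClient) throws CertificateException {
        // Fix: reject bad arguments before chain[0] is dereferenced and before the cache is
        // consulted. Previously a null/empty chain surfaced as NullPointerException or
        // ArrayIndexOutOfBoundsException, and a cache hit skipped the authType check.
        requireChainAndAuthType(chain, authType);

        SSLAlgorithmConstraints constraints = null;
        if (transfer != null) {
            SSLSession handshakeSession = transfer.getHandshakeSession();
            if (handshakeSession == null) {
                throw new CertificateException("No handshake session");
            }
            String identityAlgorithm = transfer.getCFCASSLParameters().getEndpointIdentificationAlgorithm();
            if (identityAlgorithm == null || identityAlgorithm.length() == 0) {
                // NOTE(review): what GMSSLHelper.checkIdentity does for the literal "TCP" is not
                // visible here. Confirm whether it compares the peer name at all; connections
                // that never set an endpoint identification algorithm depend on this branch.
                GMSSLHelper.checkIdentity(handshakeSession, chain[0], "TCP", isClient);
            } else {
                GMSSLHelper.checkIdentity(handshakeSession, chain[0], identityAlgorithm, isClient);
            }
            constraints = new SSLAlgorithmConstraints(transfer, false);
        }

        // A cache hit returns before GMSSLHelper.validate(): the chain is not re-validated and
        // the algorithm constraints built above are not applied to it.
        // NOTE(review): LRUTrustCerts.INSTANCE appears to be shared rather than owned by this
        // trust manager. Confirm its key also distinguishes the anchor set / PKIX parameters,
        // and that entries cannot outlive certificate expiry or revocation; otherwise a chain
        // accepted under one configuration would be accepted under another.
        if (LRUTrustCerts.INSTANCE.findTrustedChain(chain, isClient) != null) {
            Debugger.handshaker.debug("Found trusted certificate form cache");
            return;
        }

        TLSValidator validator = checkTrustedInit(chain, authType, isClient);
        X509Certificate[] trustedChain = GMSSLHelper.validate(validator, chain, constraints, authType, isClient);
        LRUTrustCerts.INSTANCE.putTrustedChain(trustedChain, isClient);

        if (Debugger.handshaker.isDebugEnabled()) {
            StringBuilder sb = new StringBuilder(2048);
            sb.append("\nFound trusted certificate:");
            if (trustedChain == null || trustedChain.length < 1) {
                sb.append("NONE");
            } else {
                // Last element of the validated chain.
                sb.append(trustedChain[trustedChain.length - 1]);
            }
            Debugger.handshaker.debug(sb.toString());
        }
    }

    /**
     * Checks the arguments and returns the validator for the requested direction.
     *
     * @throws IllegalArgumentException if the chain or authentication type is null or empty
     */
    private TLSValidator checkTrustedInit(X509Certificate[] chain, String authType, boolean isClient) {
        requireChainAndAuthType(chain, authType);
        return isClient ? getSingletonClientValidator() : getSingletonServerValidator();
    }

    /** Argument checks shared by checkTrusted and checkTrustedInit. */
    private static void requireChainAndAuthType(X509Certificate[] chain, String authType) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        if (authType == null || authType.length() == 0) {
            throw new IllegalArgumentException("null or zero-length authentication type");
        }
    }

    /** Returns the client-side validator, creating it once with double-checked locking. */
    private TLSValidator getSingletonClientValidator() {
        TLSValidator validator = this.clientValidator;
        if (validator == null) {
            synchronized (this) {
                validator = this.clientValidator;
                if (validator == null) {
                    validator = getValidator(TLSValidatorVariant.TLS_CLIENT);
                    this.clientValidator = validator;
                }
            }
        }
        return validator;
    }

    /** Returns the server-side validator, creating it once with double-checked locking. */
    private TLSValidator getSingletonServerValidator() {
        TLSValidator validator = this.serverValidator;
        if (validator == null) {
            synchronized (this) {
                validator = this.serverValidator;
                if (validator == null) {
                    validator = getValidator(TLSValidatorVariant.TLS_SERVER);
                    this.serverValidator = validator;
                }
            }
        }
        return validator;
    }

    /**
     * Writes the trust anchors (subject, issuer, key algorithm, serial, validity) to the
     * handshake debug log. Does nothing unless debug logging is enabled.
     */
    private void showTrustedCerts() {
        if (!Debugger.handshaker.isDebugEnabled()) {
            return;
        }
        StringBuilder sb = new StringBuilder();
        if (this.trustedCerts == null) {
            sb.append("\nnone trusted cert:");
        } else {
            for (X509Certificate cert : this.trustedCerts) {
                sb.append("\nadding as trusted cert:");
                sb.append("\n  Subject: ").append(cert.getSubjectX500Principal());
                sb.append("\n  Issuer:  ").append(cert.getIssuerX500Principal());
                sb.append("\n  Algorithm: ").append(cert.getPublicKey().getAlgorithm())
                        .append("; Serial number: 0x").append(cert.getSerialNumber().toString(16));
                sb.append("\n  Valid from ").append(cert.getNotBefore())
                        .append(" until ").append(cert.getNotAfter());
                sb.append('\n');
            }
        }
        Debugger.handshaker.debug(sb.toString());
    }

    /**
     * Creates a validator for {@code variant} from the PKIX parameters when present,
     * otherwise from the trusted-certificate collection.
     */
    private TLSValidator getValidator(TLSValidatorVariant variant) {
        if (this.pkixParams != null) {
            return TLSValidator.getInstance(variant, this.pkixParams);
        }
        return TLSValidator.getInstance(variant, this.trustedCerts);
    }
}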
