package cfca.sadk.tls.sun.security.ssl;

import cfca.sadk.tls.javax.net.ssl.GMSSLEngine;
import cfca.sadk.tls.javax.net.ssl.GMSSLSocket;
import cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager;
import cfca.sadk.tls.sun.security.ssl.sec.SSLAlgorithmConstraints;
import cfca.sadk.tls.sun.security.util.GMSSLHelper;
import cfca.sadk.tls.sun.security.validator.GMAlgorithmChecker;
import cfca.sadk.tls.sun.security.validator.GMAlgorithmConstraints;
import java.net.Socket;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

/* compiled from: SSLContextImpl.java */
/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/AbstractTrustManagerWrapper.class */
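/**
 * Adapts a plain {@link X509TrustManager} to {@link GMX509ExtendedTrustManager}.
 *
 * <p>Every overload first delegates the trust decision to the wrapped manager. The
 * socket- and engine-aware overloads then run two further checks on the peer chain:
 * endpoint identification and certificate algorithm constraints.
 *
 * <p>Security-relevant limits of those further checks, as implemented here:
 * <ul>
 *   <li>The two-argument overloads perform no additional checks at all.</li>
 *   <li>The socket overloads skip the additional checks when the socket is {@code null},
 *       not connected, or not a {@link GMSSLSocket}; the engine overloads skip them when
 *       the engine is {@code null}. In those cases only the wrapped manager's verdict
 *       applies.</li>
 *   <li>Endpoint identification runs only when the connection's parameters carry a
 *       non-empty endpoint identification algorithm; it is not enabled by this class.</li>
 *   <li>A wrapped manager that accepts everything therefore still yields a connection
 *       whose chain was never validated; the additional checks do not replace path
 *       validation.</li>
 * </ul>
 */
final class AbstractTrustManagerWrapper extends GMX509ExtendedTrustManager implements X509TrustManager {
    /** The caller-supplied trust manager that makes the actual trust decision. */
    private final X509TrustManager tm;

    /**
     * Wraps the given trust manager.
     *
     * @param x509TrustManager the manager to delegate to; not checked for {@code null} here
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AbstractTrustManagerWrapper(X509TrustManager x509TrustManager) {
        this.tm = x509TrustManager;
    }

    /**
     * Delegates to the wrapped manager; no endpoint or algorithm checks are added.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type
     * @throws CertificateException if the wrapped manager rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.tm.checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Delegates to the wrapped manager; no endpoint or algorithm checks are added.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type
     * @throws CertificateException if the wrapped manager rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.tm.checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Returns the wrapped manager's accepted issuers unchanged.
     *
     * @return whatever the wrapped manager returns, possibly {@code null}
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.tm.getAcceptedIssuers();
    }

    /**
     * Delegates to the wrapped manager, then runs the socket-based additional checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type
     * @param socket the connection's socket; additional checks need a connected {@link GMSSLSocket}
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.tm.checkClientTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, socket, true);
    }

    /**
     * Delegates to the wrapped manager, then runs the socket-based additional checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type
     * @param socket the connection's socket; additional checks need a connected {@link GMSSLSocket}
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.tm.checkServerTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, socket, false);
    }

    /**
     * Delegates to the wrapped manager, then runs the engine-based additional checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type
     * @param gMSSLEngine the connection's engine; additional checks are skipped when {@code null}
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, GMSSLEngine gMSSLEngine) throws CertificateException {
        this.tm.checkClientTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, gMSSLEngine, true);
    }

    /**
     * Delegates to the wrapped manager, then runs the engine-based additional checks.
     *
     * @param x509CertificateArr the peer certificate chain
     * @param str the authentication type
     * @param gMSSLEngine the connection's engine; additional checks are skipped when {@code null}
     * @throws CertificateException if the wrapped manager or an additional check rejects the chain
     */
    @Override // cfca.sadk.tls.sun.security.ssl.manager.GMX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, GMSSLEngine gMSSLEngine) throws CertificateException {
        this.tm.checkServerTrusted(x509CertificateArr, str);
        checkAdditionalTrust(x509CertificateArr, str, gMSSLEngine, false);
    }

    /**
     * Runs endpoint identification and algorithm-constraint checks for a socket connection.
     *
     * <p>Returns without checking anything unless {@code socket} is a connected
     * {@link GMSSLSocket}. {@code authType} and {@code isClient} are accepted but not used.
     *
     * @throws CertificateException if there is no handshake session or a check fails
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    private void checkAdditionalTrust(X509Certificate[] chain, String authType, Socket socket, boolean isClient) throws CertificateException {
        if (socket == null || !socket.isConnected() || !(socket instanceof GMSSLSocket)) {
            // Nothing to inspect: only the wrapped manager's decision applies.
            return;
        }
        GMSSLSocket gmSocket = (GMSSLSocket) socket;
        SSLSession session = gmSocket.getHandshakeSession();
        if (session == null) {
            throw new CertificateException("No handshake session");
        }
        requireNonEmptyChain(chain);
        checkEndpointIdentity(chain, gmSocket.getCFCASSLParameters().getEndpointIdentificationAlgorithm(), session);
        // Constraints are built only when the session protocol reports isChinaTLS11();
        // otherwise the checker receives null.
        // NOTE(review): how GMAlgorithmChecker treats null constraints is not visible here - confirm.
        SSLAlgorithmConstraints constraints = null;
        if (ProtocolVersion.valueOf(session.getProtocol()).isChinaTLS11()) {
            constraints = new SSLAlgorithmConstraints(gmSocket, true);
        }
        checkAlgorithmConstraints(chain, constraints);
    }

    /**
     * Runs endpoint identification and algorithm-constraint checks for an engine connection.
     *
     * <p>Returns without checking anything when {@code engine} is {@code null}.
     * {@code authType} and {@code isClient} are accepted but not used.
     *
     * @throws CertificateException if there is no handshake session or a check fails
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    private void checkAdditionalTrust(X509Certificate[] chain, String authType, GMSSLEngine engine, boolean isClient) throws CertificateException {
        if (engine == null) {
            // Nothing to inspect: only the wrapped manager's decision applies.
            return;
        }
        SSLSession session = engine.getHandshakeSession();
        if (session == null) {
            throw new CertificateException("No handshake session");
        }
        requireNonEmptyChain(chain);
        checkEndpointIdentity(chain, engine.getCFCASSLParameters().getEndpointIdentificationAlgorithm(), session);
        // Constraints are built only when the session protocol reports isChinaTLS11();
        // otherwise the checker receives null.
        // NOTE(review): how GMAlgorithmChecker treats null constraints is not visible here - confirm.
        SSLAlgorithmConstraints constraints = null;
        if (ProtocolVersion.valueOf(session.getProtocol()).isChinaTLS11()) {
            constraints = new SSLAlgorithmConstraints(engine, true);
        }
        checkAlgorithmConstraints(chain, constraints);
    }

    /**
     * Rejects a missing or empty chain with a descriptive exception.
     *
     * <p>The wrapped manager is not guaranteed to reject such a chain, and the checks
     * that follow index into it; without this guard they fail with an unexplained
     * {@code NullPointerException} or {@code ArrayIndexOutOfBoundsException}.
     */
    private static void requireNonEmptyChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
    }

    /**
     * Verifies the leaf certificate against the session's peer host, but only when an
     * endpoint identification algorithm is configured.
     */
    private static void checkEndpointIdentity(X509Certificate[] chain, String identityAlg, SSLSession session) throws CertificateException {
        if (identityAlg != null && identityAlg.length() != 0) {
            GMSSLHelper.checkIdentity(chain[0], identityAlg, session.getPeerHost());
        }
    }

    /**
     * Checks each certificate of the chain against the given algorithm constraints.
     *
     * <p>If the last element of the chain is one of the wrapped manager's accepted
     * issuers it is left out of the check; the remaining certificates are checked from
     * the end of the chain down to the leaf at index 0.
     *
     * @param chain the peer certificate chain
     * @param constraints the constraints handed to {@link GMAlgorithmChecker}; may be {@code null}
     * @throws CertificateException if a certificate fails the check; the underlying
     *         {@link CertPathValidatorException} is attached as the cause
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     */
    private void checkAlgorithmConstraints(X509Certificate[] chain, GMAlgorithmConstraints constraints) throws CertificateException {
        requireNonEmptyChain(chain);
        try {
            int last = chain.length - 1;
            HashSet<X509Certificate> anchors = new HashSet<X509Certificate>();
            X509Certificate[] acceptedIssuers = this.tm.getAcceptedIssuers();
            if (acceptedIssuers != null && acceptedIssuers.length > 0) {
                Collections.addAll(anchors, acceptedIssuers);
            }
            if (anchors.contains(chain[last])) {
                // The chain ends in an accepted issuer: exempt it from the algorithm check.
                last--;
            }
            if (last >= 0) {
                GMAlgorithmChecker checker = new GMAlgorithmChecker(constraints);
                checker.init(false);
                for (int i = last; i >= 0; i--) {
                    checker.check(chain[i], Collections.emptySet());
                }
            }
        } catch (CertPathValidatorException e) {
            // Keep the cause so the failing certificate and algorithm can be diagnosed.
            throw new CertificateException("Certificates does not conform to algorithm constraints", e);
        }
    }
}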
