package com.oracle.apm.deepdive.common.ssl;

import com.oracle.apm.agent.repackaged.oracle.security.pki.OraclePKIProvider;
import com.oracle.apm.deepdive.common.logging.ILogger;
import com.oracle.apm.deepdive.common.logging.Level;
import com.oracle.apm.deepdive.common.logging.Logger;
import com.oracle.apm.deepdive.common.util.StringUtil;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/oracle/apm/deepdive/common/ssl/SSLTrustManager.class */
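/**
 * {@link X509TrustManager} used by the agent for its outbound TLS connections.
 *
 * <p>A server chain is accepted when, in this order:
 * <ol>
 *   <li>its leaf certificate equals one of the provisioned {@code .cer} files, or its signature
 *       verifies against the public key of one of them (see {@link #isRemoteCertificateValid});</li>
 *   <li>trust-all mode is enabled, in which case every chain is accepted unchecked;</li>
 *   <li>one of the configured delegate trust managers accepts it: {@code default} (a
 *       {@link TrustManagerFactory} over the JDK default trust store) and/or {@code oraclepki}
 *       (the repackaged Oracle PKI provider, seeded with the provisioned certificates).</li>
 * </ol>
 * An accepted leaf is appended to the provisioned set, so later handshakes that present the same
 * certificate short-circuit at step 1. Anything else, including a null or empty chain, is rejected
 * with a {@link CertificateException}. Client certificates are delegated to the {@code default}
 * manager only.
 *
 * <p>Notes for maintainers: the provisioned certificates act both as pinned leaves and as signers
 * (step 1 trusts any certificate whose signature verifies with a provisioned public key, without
 * building a chain), and the trust-all switch disables validation entirely. Trust is remembered per
 * accepted certificate, never globally: an earlier success does not suppress validation of a
 * different chain presented later.
 *
 * <p>One instance may be reached by several handshakes at once when installed in a shared
 * {@code SSLContext}; the learned certificate set is therefore a volatile, copy-on-write array.
 */
public class SSLTrustManager implements X509TrustManager {
    private static final String TRUST_MANAGER_NAME_DEFAULT = "default";
    private static final String TRUST_MANAGER_NAME_ORACLEPKI = "oraclepki";
    private static final String COMMA_REGEX = ",";
    /** Only files with this (case-sensitive) suffix are loaded from the certificate directory. */
    private static final String CERTIFICATE_FILE_SUFFIX = ".cer";
    /** Directory searched when no certificate directory is configured. */
    private static final String CERTIFICATE_DIR_DEFAULT = ".";
    /** Alias prefix for provisioned certificates placed in the OraclePKI key store. */
    private static final String ORACLEPKI_ALIAS_PREFIX = "trustedApmAgentCert";
    /** TrustManagerFactory algorithm offered by the OraclePKI provider. */
    private static final String ORACLEPKI_TMF_ALGORITHM = "OracleX509";

    private final ILogger logger = Logger.getLogger((Class<?>) SSLTrustManager.class);
    private final String sslManagerNameProperty;
    private final boolean sslTrustAllCertificate;
    private final String sslCertificateDirProperty;
    /** Trust manager names parsed from {@link #sslManagerNameProperty}; empty when that property is null. */
    private final Set<String> enabledTrustManagerNames;
    /**
     * Provisioned certificates plus every server leaf accepted so far. The array is replaced, never
     * mutated in place, so a reader always sees a consistent snapshot; volatile publishes each
     * replacement to other handshake threads.
     */
    private volatile X509Certificate[] certificates;
    /** JDK trust manager; null unless {@code default} is configured and initialised successfully. */
    private final X509TrustManager defaultTrustManager;
    /** OraclePKI trust manager; null unless {@code oraclepki} is configured and initialised successfully. */
    private final X509TrustManager oraclepkiTrustManager;

    /**
     * Creates the trust manager and eagerly loads the provisioned certificates and delegate trust
     * managers. Initialisation happens here, after the configuration fields are assigned, because
     * the loaders read those fields (a field initializer would run before the assignments).
     *
     * @param z    trust-all switch; when {@code true} every server chain is accepted
     * @param str  comma-separated trust manager names ({@code default}, {@code oraclepki});
     *             {@code null} enables none, so only pinned or trust-all acceptance remains
     * @param str2 directory holding {@code .cer} files; {@code null} means the current directory
     */
    public SSLTrustManager(boolean z, String str, String str2) {
        this.sslManagerNameProperty = str;
        this.sslTrustAllCertificate = z;
        this.sslCertificateDirProperty = str2 == null ? CERTIFICATE_DIR_DEFAULT : str2;
        this.enabledTrustManagerNames = parseTrustManagerNames(str);
        // Order matters: the OraclePKI key store is seeded from the certificates loaded here.
        this.certificates = readCertificates();
        this.defaultTrustManager = initializeDefaultTrustManager();
        this.oraclepkiTrustManager = initializeOraclePKITrustManager();
    }

    /**
     * Returns the JDK default trust manager, or {@code null} when {@code default} is not configured
     * or could not be initialised.
     */
    public X509TrustManager getDefaultTrustManager() {
        return this.defaultTrustManager;
    }

    /**
     * Splits the trust manager property on commas, trimming entries and dropping empty ones.
     *
     * @param property raw property value, may be {@code null}
     * @return the configured names; empty when the property is null or blank
     */
    private static Set<String> parseTrustManagerNames(String property) {
        Set<String> names = new HashSet<>();
        if (property == null) {
            return names;
        }
        for (String name : property.split(COMMA_REGEX)) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty()) {
                names.add(trimmed);
            }
        }
        return names;
    }

    /**
     * Loads every readable {@code .cer} file directly inside the certificate directory (not
     * recursive). Duplicate certificates collapse into one entry.
     *
     * @return the distinct certificates found; empty when the directory is missing or holds none
     */
    private X509Certificate[] readCertificates() {
        File dir = new File(this.sslCertificateDirProperty);
        if (!dir.exists()) {
            this.logger.info(String.format("Config directory [%s] does not exist", dir.getAbsolutePath()));
            return new X509Certificate[0];
        }
        // listFiles() returns null when the path is not a directory; treated like an empty one.
        File[] certificateFiles = dir.listFiles((parent, name) -> name.endsWith(CERTIFICATE_FILE_SUFFIX));
        if (certificateFiles == null || certificateFiles.length == 0) {
            this.logger.info(String.format("No certificate is found in config directory [%s]", dir.getAbsolutePath()));
            return new X509Certificate[0];
        }
        Set<X509Certificate> loaded = new HashSet<>();
        for (File certificateFile : certificateFiles) {
            X509Certificate certificate = readCertificate(certificateFile);
            if (certificate != null) {
                loaded.add(certificate);
            }
        }
        return loaded.toArray(new X509Certificate[0]);
    }

    /**
     * Parses one X.509 certificate file. Failures are logged and yield {@code null} so that a single
     * bad file does not prevent the remaining files from being loaded.
     *
     * @param file certificate file, may be {@code null}
     * @return the parsed certificate, or {@code null} when the file is missing, unreadable or malformed
     */
    private X509Certificate readCertificate(File file) {
        if (file == null) {
            this.logger.log(Level.WARNING, "Certificate file path is null");
            return null;
        }
        if (!file.exists()) {
            this.logger.log(Level.WARNING, String.format("Certificate file [%s] not exists", file.getAbsolutePath()));
            return null;
        }
        if (!file.canRead()) {
            this.logger.log(Level.WARNING, String.format("Certificate file [%s] is not readable", file.getAbsolutePath()));
            return null;
        }
        try (FileInputStream in = new FileInputStream(file)) {
            X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            this.logger.log(Level.INFO, String.format("Certificate file read [%s]", file.getAbsolutePath()));
            return certificate;
        } catch (Exception e) {
            // Best effort by design: skip this file, keep loading the others.
            this.logger.log(Level.WARNING, String.format("Failed to read certificate [%s]", file.getAbsolutePath()), e);
            return null;
        }
    }

    /**
     * Builds the JDK trust manager over the platform default trust store (a null KeyStore passed to
     * {@code init} selects it).
     *
     * @return the first {@link X509TrustManager} the factory yields, or {@code null} when
     *         {@code default} is not configured or initialisation fails
     */
    private X509TrustManager initializeDefaultTrustManager() {
        if (!this.enabledTrustManagerNames.contains(TRUST_MANAGER_NAME_DEFAULT)) {
            return null;
        }
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init((KeyStore) null);
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    this.logger.info(String.format("Trust manager %s initialized", TRUST_MANAGER_NAME_DEFAULT));
                    return (X509TrustManager) candidate;
                }
            }
            return null;
        } catch (Exception e) {
            this.logger.severe(String.format("Cannot initialize %s trust manager", TRUST_MANAGER_NAME_DEFAULT), e);
            return null;
        }
    }

    /**
     * Builds the OraclePKI trust manager from an in-memory PKCS12 key store that holds the
     * provisioned certificates as trusted entries.
     *
     * @return the first {@link X509TrustManager} the factory yields, or {@code null} when
     *         {@code oraclepki} is not configured, the JVM is older than Java 7, or initialisation fails
     */
    private X509TrustManager initializeOraclePKITrustManager() {
        if (!this.enabledTrustManagerNames.contains(TRUST_MANAGER_NAME_ORACLEPKI)) {
            return null;
        }
        // Presence of this class is used as a Java 7+ probe.
        Class<?> java7Marker = null;
        try {
            java7Marker = Class.forName("java.security.cert.CertificateRevokedException");
        } catch (Exception e) {
            this.logger.debug("Error occurred", e);
        }
        if (java7Marker == null) {
            this.logger.info(String.format("%s trust manager is not enabled. Required Java 7 or above", TRUST_MANAGER_NAME_ORACLEPKI));
            return null;
        }
        try {
            OraclePKIProvider provider = new OraclePKIProvider();
            TrustManagerFactory factory = TrustManagerFactory.getInstance(ORACLEPKI_TMF_ALGORITHM, provider);
            KeyStore keyStore = KeyStore.getInstance("PKCS12", provider);
            keyStore.load(null, new char[0]);
            int index = 0;
            for (X509Certificate certificate : this.certificates) {
                keyStore.setCertificateEntry(ORACLEPKI_ALIAS_PREFIX + index, certificate);
                index++;
            }
            factory.init(keyStore);
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    this.logger.info(String.format("Trust manager %s initialized", TRUST_MANAGER_NAME_ORACLEPKI));
                    return (X509TrustManager) candidate;
                }
            }
            return null;
        } catch (Exception | LinkageError e) {
            // LinkageError covers the provider class itself failing to load; other Errors propagate.
            this.logger.severe(String.format("Cannot initialize %s trust manager", TRUST_MANAGER_NAME_ORACLEPKI), e);
            return null;
        }
    }

    /**
     * Validates a server chain as described in the class comment. On success the leaf certificate
     * is remembered so the same server is accepted at step 1 next time.
     *
     * @param chain    certificate chain presented by the server, leaf first
     * @param authType key exchange algorithm, passed through to the delegate trust managers
     * @throws CertificateException when the chain is null or empty, or no configured check trusts it
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            // Fail closed: a peer that presents no certificate cannot be trusted.
            this.logger.warning("No remote certificate available");
            throw new CertificateException("No remote certificate available");
        }
        X509Certificate remoteCertificate = chain[0];
        this.logger.info("Starting certificate trust checks");
        if (isRemoteCertificateValid(remoteCertificate)) {
            return;
        }
        this.logger.info("Remote certificate not equal or equivalent to local certificate. Continue to check remote certificate.");
        boolean trusted;
        if (this.sslTrustAllCertificate) {
            this.logger.info("Trusting remote certificate - trust all");
            trusted = true;
        } else {
            trusted = isFoundTrust(chain, authType);
        }
        if (!trusted) {
            this.logger.warning(String.format("Certificate trust check failed trustManager=%s, trustAll=%s", this.sslManagerNameProperty, this.sslTrustAllCertificate));
            this.logger.warning(String.format("Dumping certificates: %s", getAllCertLogString(remoteCertificate, this.certificates)));
            throw new CertificateException("No certificate trusted. See APM Agent log for more information");
        }
        rememberTrustedCertificate(remoteCertificate);
    }

    /**
     * Appends an accepted leaf to the known certificate set. Synchronised so that two concurrent
     * handshakes cannot lose each other's append; readers go through the volatile field.
     *
     * @param certificate leaf certificate that passed validation
     */
    private synchronized void rememberTrustedCertificate(X509Certificate certificate) {
        X509Certificate[] current = this.certificates;
        X509Certificate[] extended = Arrays.copyOf(current, current.length + 1);
        extended[current.length] = certificate;
        this.certificates = extended;
    }

    /**
     * Asks the configured delegate trust managers, {@code default} first, to validate the chain.
     *
     * @param chain    server chain, leaf first
     * @param authType key exchange algorithm
     * @return {@code true} as soon as one delegate accepts; {@code false} when every configured
     *         delegate rejects or none is configured
     * @throws CertificateException when a configured delegate is unavailable (failed to initialise)
     */
    private boolean isFoundTrust(X509Certificate[] chain, String authType) throws CertificateException {
        Exception defaultFailure = null;
        Exception oraclepkiFailure = null;
        if (this.enabledTrustManagerNames.contains(TRUST_MANAGER_NAME_DEFAULT)) {
            if (this.defaultTrustManager == null) {
                throw new CertificateException("No [default] trust manager to validate remote certificate.");
            }
            try {
                this.defaultTrustManager.checkServerTrusted(chain, authType);
                this.logger.info("Trusting remote certificate - [default] trust manager");
                return true;
            } catch (Exception e) {
                defaultFailure = e;
            }
        }
        if (this.enabledTrustManagerNames.contains(TRUST_MANAGER_NAME_ORACLEPKI)) {
            if (this.oraclepkiTrustManager == null) {
                throw new CertificateException("No [oraclepki] trust manager to validate remote certificate.");
            }
            try {
                this.oraclepkiTrustManager.checkServerTrusted(chain, authType);
                this.logger.info("Trusting remote certificate - [oraclepki] trust manager");
                return true;
            } catch (Exception e) {
                oraclepkiFailure = e;
            }
        }
        logTrustFailures(defaultFailure, oraclepkiFailure);
        return false;
    }

    /**
     * Logs which delegate rejected the chain, with the rejection cause so the reason (expiry,
     * unknown issuer, ...) is visible in the agent log.
     *
     * @param defaultFailure   exception from the {@code default} manager, or {@code null}
     * @param oraclepkiFailure exception from the {@code oraclepki} manager, or {@code null}
     */
    private void logTrustFailures(Exception defaultFailure, Exception oraclepkiFailure) {
        if (defaultFailure != null) {
            this.logger.log(Level.WARNING, "Remote certificate not trusted by [default] trust manager", defaultFailure);
        }
        if (oraclepkiFailure != null) {
            this.logger.log(Level.WARNING, "Remote certificate not trusted by [oraclepki] trust manager", oraclepkiFailure);
        }
    }

    /**
     * Pinning check against the known certificate set.
     *
     * <p>A remote certificate equal to a known one is accepted as-is (no validity-period check on
     * that path). Otherwise it is accepted when it is within its validity period and its signature
     * verifies with a known certificate's public key; no further chain building is done.
     *
     * @param remoteCertificate leaf certificate presented by the server
     * @return {@code true} when the certificate is pinned or signed by a pinned key
     */
    private boolean isRemoteCertificateValid(X509Certificate remoteCertificate) {
        for (X509Certificate known : this.certificates) {
            if (remoteCertificate.equals(known)) {
                this.logger.info("Trusting remote certificate - equal to local certificate");
                return true;
            }
            try {
                remoteCertificate.checkValidity();
                remoteCertificate.verify(known.getPublicKey());
                this.logger.info("Trusting remote certificate - equivalent to local certificate");
                return true;
            } catch (Exception e) {
                // Expected for every known certificate that did not sign this one; try the next.
                this.logger.debug("Error occurred", e);
            }
        }
        return false;
    }

    /**
     * Renders the remote certificate and the known certificates for the failure log.
     *
     * @param remoteCertificate certificate presented by the server
     * @param knownCertificates provisioned and learned certificates
     * @return multi-line dump with one PEM-like section per certificate
     */
    private String getAllCertLogString(X509Certificate remoteCertificate, X509Certificate[] knownCertificates) {
        StringBuilder sb = new StringBuilder(4096);
        printCert(remoteCertificate, "REMOTE", sb);
        for (X509Certificate known : knownCertificates) {
            printCert(known, "PROVISIONED", sb);
        }
        return sb.toString();
    }

    /**
     * Appends one certificate's identifying fields and its base64 DER encoding to the builder.
     *
     * @param certificate certificate to render
     * @param label       section label, e.g. REMOTE or PROVISIONED
     * @param sb          target builder
     */
    private void printCert(X509Certificate certificate, String label, StringBuilder sb) {
        sb.append("\n-----BEGIN [").append(label).append("] CERTIFICATE-----");
        sb.append("\n  [SubjectDN    = ").append(certificate.getSubjectX500Principal()).append("]");
        sb.append("\n  [IssuerDN     = ").append(certificate.getIssuerX500Principal()).append("]");
        sb.append("\n  [NotBefore    = ").append(certificate.getNotBefore()).append("]");
        sb.append("\n  [NotAfter     = ").append(certificate.getNotAfter()).append("]");
        sb.append("\n  [SerialNumber = ").append(certificate.getSerialNumber().toString(16)).append("]");
        try {
            sb.append("\n").append(StringUtil.toBase64String(certificate.getEncoded()));
        } catch (Exception e) {
            sb.append("\n").append(e.getMessage());
        }
        sb.append("\n-----END [").append(label).append("] CERTIFICATE-----");
    }

    /**
     * Returns the {@code default} manager's accepted issuers followed by the known certificates
     * (a fresh array; the internal set is never exposed).
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] known = this.certificates;
        X509Certificate[] issuers = this.defaultTrustManager == null
                ? new X509Certificate[0]
                : this.defaultTrustManager.getAcceptedIssuers();
        if (known.length == 0) {
            return issuers;
        }
        X509Certificate[] combined = Arrays.copyOf(issuers, issuers.length + known.length);
        System.arraycopy(known, 0, combined, issuers.length, known.length);
        return combined;
    }

    /**
     * Delegates client certificate validation to the {@code default} manager.
     *
     * @throws CertificateException when no {@code default} manager is available or it rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (this.defaultTrustManager == null) {
            throw new CertificateException("The defaultX509TrustManager is null. Cannot validate client certificate");
        }
        this.defaultTrustManager.checkClientTrusted(chain, authType);
    }
}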
