package com.oracle.apm.agent.ssl;

import com.oracle.apm.agent.config.DirectoryLocation;
import com.oracle.apm.agent.config.PropertyNames;
import com.oracle.apm.agent.config.property.PropertyConfig;
import com.oracle.apm.agent.config.property.PropertyValue;
import com.oracle.apm.agent.config.property.PropertyValueChangeListener;
import com.oracle.apm.agent.core.ComponentInitializationException;
import com.oracle.apm.agent.core.ComponentStatus;
import com.oracle.apm.agent.core.IAgentCommon;
import com.oracle.apm.agent.core.IComponentLifecycle;
import com.oracle.apm.agent.repackaged.oracle.security.pki.OraclePKIProvider;
import com.oracle.apm.agent.status.StatusFormatUtil;
import com.oracle.apm.agent.utility.Base64;
import com.oracle.apm.agent.utility.logging.ILogger;
import com.oracle.apm.agent.utility.logging.Level;
import com.oracle.apm.agent.utility.logging.Logger;
import java.io.File;
import java.io.FileInputStream;
import java.io.FilenameFilter;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/oracle/apm/agent/ssl/SSLTrustManager.class */
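/**
 * Trust manager used by the agent for its outbound TLS connections.
 *
 * <p>A remote server certificate is accepted when, in this order:
 * <ol>
 *   <li>it is byte-equal to a certificate provisioned in the certificate directory, or it is
 *       currently valid and was signed by the key of such a provisioned certificate;</li>
 *   <li>the trust-all property is enabled (it is enabled by default, see the constructor);</li>
 *   <li>one of the trust managers named in the trust-manager property ("default", the JDK
 *       default trust store, or "oraclepki", an Oracle PKI provider fed with the provisioned
 *       certificates) accepts the full chain.</li>
 * </ol>
 * A certificate accepted through steps 2 or 3 is appended to the provisioned set ("pinned"),
 * so later handshakes presenting the same certificate succeed through step 1.
 *
 * <p>Certificates and trust managers are rebuilt whenever one of the three SSL properties
 * changes. Reloads and trust checks are not synchronized against each other; a handshake
 * racing a reload sees an empty certificate set and falls through to steps 2 and 3.
 *
 * <p>Note: this listing is decompiler output; the methods marked "Access modifiers changed
 * from: private" were private in the original and are kept public only for compatibility.
 */
public class SSLTrustManager implements X509TrustManager, IComponentLifecycle<SSLTrustManager> {
    private static final ILogger logger = Logger.getLogger("SSL");
    private static final String TRUST_MANAGER_NAME_default = "default";
    private static final String TRUST_MANAGER_NAME_oraclepki = "oraclepki";
    /** File-name suffix of certificates picked up from the certificate directory. */
    private static final String CERTIFICATE_FILE_SUFFIX = ".cer";
    /** Alias prefix used when loading provisioned certificates into the oraclepki key store. */
    private static final String KEYSTORE_ALIAS_PREFIX = "trustedApmAgentCert";

    private final PropertyConfig propertyConfig;
    private final PropertyValue<String> sslCertificateDirProperty;
    private final PropertyValue<Boolean> sslTrustAllProperty;
    private final PropertyValue<String> sslManagerNameProperty;
    private final String name = getClass().getSimpleName();
    // Never assigned or read in this listing; retained so the class shape stays unchanged.
    private final IAgentCommon agentCommon = null;

    private X509TrustManager defaultTrustManager;
    private X509TrustManager oraclepkiTrustManager;
    private ComponentStatus status = ComponentStatus.Created;
    // Provisioned certificates plus any certificate pinned by checkServerTrusted. Never null.
    private X509Certificate[] certificates = new X509Certificate[0];
    // Set once any remote certificate has been trusted; reset on reload. It no longer
    // short-circuits checkServerTrusted: every handshake is validated, so a different
    // certificate presented later cannot ride on an earlier successful check.
    private boolean trustEstablished = false;

    /**
     * Reads the SSL properties from {@code propertyConfig} and registers a listener that
     * rebuilds the trust material whenever one of them changes.
     *
     * @param propertyConfig source of the trust-all, trust-manager-name and certificate-dir properties
     */
    public SSLTrustManager(PropertyConfig propertyConfig) {
        this.propertyConfig = propertyConfig;
        // Default is trust-all ON: without explicit configuration any server certificate is
        // accepted. The decompiler rendered this default as "(String) true"; the boolean
        // overload is assumed here — TODO confirm against PropertyConfig.getProperty.
        this.sslTrustAllProperty = this.propertyConfig.getProperty(PropertyNames.PROP_NAME_SSL_TRUST_ALL, Boolean.TRUE);
        this.sslManagerNameProperty = this.propertyConfig.getProperty(PropertyNames.PROP_NAME_SSL_TRUST_MANAGER, PropertyNames.PROP_VALUE_SSL_TRUST_MANAGER);
        String configDir = DirectoryLocation.getConfigDir();
        this.sslCertificateDirProperty = this.propertyConfig.getProperty(PropertyNames.PROP_NAME_SSL_CERTIFICATE_DIR, configDir != null ? configDir : ".");

        PropertyValueChangeListener reloadListener = new PropertyValueChangeListener() {
            @Override // com.oracle.apm.agent.config.property.PropertyValueChangeListener
            public void notifyValueChange() {
                reloadTrustMaterial();
            }
        };
        this.sslTrustAllProperty.setValueChangeListener(reloadListener);
        this.sslManagerNameProperty.setValueChangeListener(reloadListener);
        this.sslCertificateDirProperty.setValueChangeListener(reloadListener);
    }

    /**
     * Re-reads the provisioned certificates and rebuilds the configured trust managers.
     * Runs on initialization and on every SSL property change. A failure leaves an empty
     * certificate set and no trust managers (rather than nulls), so later trust checks fail
     * closed with a {@link CertificateException} instead of a NullPointerException.
     */
    private void reloadTrustMaterial() {
        if (ComponentStatus.Initialized.equals(this.status)) {
            logger.log(Level.INFO, String.format("Resetting [%s] due to configuration change", getName()));
        }
        this.certificates = new X509Certificate[0];
        this.defaultTrustManager = null;
        this.oraclepkiTrustManager = null;
        try {
            // Order matters: the oraclepki key store is built from this.certificates.
            this.certificates = readCertificates();
            this.defaultTrustManager = initializeDefaultTrustManager();
            this.oraclepkiTrustManager = initializeOraclepkiTrustManager();
        } catch (Exception e) {
            this.certificates = new X509Certificate[0];
            this.defaultTrustManager = null;
            this.oraclepkiTrustManager = null;
            logger.log(Level.WARNING, "Failed to read certificate or initialize trust manager", e);
        }
        if (this.defaultTrustManager == null && this.oraclepkiTrustManager == null) {
            logger.log(Level.WARNING, "No trust manager initialized");
        }
        this.trustEstablished = false;
    }

    /** Returns the component name (the simple class name). */
    @Override // com.oracle.apm.agent.core.IComponentLifecycle
    public String getName() {
        return this.name;
    }

    /**
     * Returns the JDK default trust manager, or {@code null} when "default" is not configured
     * or its initialization failed.
     */
    public X509TrustManager getDefaultTrustManager() {
        return this.defaultTrustManager;
    }

    /**
     * Initializes the component by forcing a first load of certificates and trust managers.
     *
     * @param objArr unused
     * @return this instance
     * @throws ComponentInitializationException if the initial load throws; the status is then Failed
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // com.oracle.apm.agent.core.IComponentLifecycle
    public SSLTrustManager initialize(Object... objArr) throws ComponentInitializationException {
        this.status = this.status.changeStatus(ComponentStatus.Initializing);
        logger.info(String.format("Initializing [%s] with name [%s]", getClass().getSimpleName(), getName()));
        try {
            // Triggers the change listener, which performs the actual load.
            this.sslCertificateDirProperty.forceChangeNotify();
            this.status = this.status.changeStatus(ComponentStatus.Initialized);
            return this;
        } catch (Exception e) {
            this.status = ComponentStatus.Failed;
            throw new ComponentInitializationException(String.format("Failed to initialize [%s]", getClass().getSimpleName()), e);
        }
    }

    /** Splits the configured trust-manager name property on commas; empty when unset. */
    private List<String> configuredManagerNames() {
        String configured = this.sslManagerNameProperty.get();
        if (configured == null) {
            return Collections.emptyList();
        }
        return Arrays.asList(configured.split(StatusFormatUtil.COMMA));
    }

    /**
     * Builds the JDK default trust manager (platform trust store) when "default" is configured.
     *
     * @return the X509 trust manager, or {@code null} if not configured, none available, or on error
     */
    /* JADX INFO: Access modifiers changed from: private */
    public X509TrustManager initializeDefaultTrustManager() {
        if (!configuredManagerNames().contains(TRUST_MANAGER_NAME_default)) {
            return null;
        }
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            // A null key store selects the JDK's default trust store.
            factory.init((KeyStore) null);
            X509TrustManager found = firstX509TrustManager(factory.getTrustManagers());
            if (found != null) {
                logger.log(Level.INFO, String.format("Trust manager [%s] initialized", TRUST_MANAGER_NAME_default));
            }
            return found;
        } catch (Exception e) {
            logger.log(Level.WARNING, String.format("Cannot initialize [%s] trust manager", TRUST_MANAGER_NAME_default), e);
            return null;
        }
    }

    /**
     * Builds the Oracle PKI trust manager when "oraclepki" is configured. Its key store holds
     * the currently loaded provisioned certificates, so this must run after readCertificates().
     *
     * @return the X509 trust manager, or {@code null} if not configured, unsupported, or on error
     */
    /* JADX INFO: Access modifiers changed from: private */
    public X509TrustManager initializeOraclepkiTrustManager() {
        if (!configuredManagerNames().contains(TRUST_MANAGER_NAME_oraclepki)) {
            return null;
        }
        // CertificateRevokedException exists from Java 7; used as a runtime version probe.
        boolean java7OrLater;
        try {
            Class.forName("java.security.cert.CertificateRevokedException");
            java7OrLater = true;
        } catch (ClassNotFoundException ignored) {
            java7OrLater = false;
        }
        if (!java7OrLater) {
            logger.log(Level.INFO, String.format("[%s] trust manager is not enabled. Requires Java 7 or above", TRUST_MANAGER_NAME_oraclepki));
            return null;
        }
        try {
            OraclePKIProvider provider = new OraclePKIProvider();
            TrustManagerFactory factory = TrustManagerFactory.getInstance("OracleX509", provider);
            KeyStore keyStore = KeyStore.getInstance("PKCS12", provider);
            keyStore.load(null, new char[0]);
            for (int index = 0; index < this.certificates.length; index++) {
                keyStore.setCertificateEntry(KEYSTORE_ALIAS_PREFIX + index, this.certificates[index]);
            }
            factory.init(keyStore);
            X509TrustManager found = firstX509TrustManager(factory.getTrustManagers());
            if (found != null) {
                logger.log(Level.INFO, String.format("Trust manager [%s] initialized", TRUST_MANAGER_NAME_oraclepki));
            }
            return found;
        } catch (ThreadDeath death) {
            throw death;
        } catch (Throwable th) {
            // Throwable, not Exception: the repackaged provider may fail with a LinkageError.
            logger.log(Level.WARNING, String.format("Cannot initialize [%s] trust manager", TRUST_MANAGER_NAME_oraclepki), th);
            return null;
        }
    }

    /** Returns the first {@link X509TrustManager} in {@code managers}, or {@code null}. */
    private static X509TrustManager firstX509TrustManager(TrustManager[] managers) {
        if (managers == null) {
            return null;
        }
        for (TrustManager manager : managers) {
            if (manager instanceof X509TrustManager) {
                return (X509TrustManager) manager;
            }
        }
        return null;
    }

    @Override // com.oracle.apm.agent.core.IComponentLifecycle
    public void shutdown() {
        // componentCleaner is not declared in this listing (decompiler output); left as-is.
        componentCleaner.clean(this, this.propertyConfig);
    }

    @Override // com.oracle.apm.agent.core.IComponentLifecycle
    public ComponentStatus getStatus() {
        return this.status;
    }

    /**
     * Loads every readable {@code .cer} file from the configured certificate directory.
     *
     * @return the distinct certificates found; empty (never null) when the directory is missing,
     *         is not a directory, or holds no readable certificate
     */
    /* JADX INFO: Access modifiers changed from: private */
    public X509Certificate[] readCertificates() {
        String dirName = this.sslCertificateDirProperty.get();
        File dir = new File(dirName == null ? "." : dirName);
        // isDirectory() alone covers both "missing" and "exists but is a file"; the latter
        // would make listFiles() return null below.
        if (!dir.isDirectory()) {
            logger.log(Level.INFO, String.format("Agent config directory [%s] does not exist or is not a directory", dir.getAbsolutePath()));
            return new X509Certificate[0];
        }
        File[] candidates = dir.listFiles(new FilenameFilter() { // from class: com.oracle.apm.agent.ssl.SSLTrustManager.2
            @Override // java.io.FilenameFilter
            public boolean accept(File parent, String fileName) {
                return fileName.endsWith(CERTIFICATE_FILE_SUFFIX);
            }
        });
        if (candidates == null || candidates.length == 0) {
            logger.log(Level.INFO, String.format("No certificate is found in Agent config directory [%s]", dir.getAbsolutePath()));
            return new X509Certificate[0];
        }
        Set<X509Certificate> found = new HashSet<X509Certificate>();
        for (File candidate : candidates) {
            X509Certificate cert = readCertificate(candidate);
            if (cert != null) {
                found.add(cert);
            }
        }
        return found.toArray(new X509Certificate[found.size()]);
    }

    /**
     * Parses one X.509 certificate from {@code file}; only the first certificate in the file
     * is read. Problems are logged and yield {@code null} rather than an exception.
     */
    private X509Certificate readCertificate(File file) {
        if (file == null) {
            logger.log(Level.WARNING, "Certificate file path is null");
            return null;
        }
        if (!file.exists()) {
            logger.log(Level.WARNING, String.format("Certificate file [%s] does not exist", file.getAbsolutePath()));
            return null;
        }
        if (!file.canRead()) {
            logger.log(Level.WARNING, String.format("Certificate file [%s] is not readable", file.getAbsolutePath()));
            return null;
        }
        FileInputStream in = null;
        try {
            in = new FileInputStream(file);
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            logger.log(Level.INFO, String.format("Certificate file read [%s]", file.getAbsolutePath()));
            return cert;
        } catch (Exception e) {
            logger.log(Level.WARNING, String.format("Failed to read certificate [%s]", file.getAbsolutePath()), e);
            return null;
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // the certificate has already been parsed (or the failure logged); nothing to do
                }
            }
        }
    }

    /**
     * Validates the server certificate chain as described on the class.
     *
     * @param chain    the peer's certificate chain, leaf first
     * @param authType the key exchange algorithm (passed through to delegate trust managers)
     * @throws CertificateException if the chain is empty, a configured trust manager is missing,
     *                              or no rule accepts the certificate
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            // Fail closed; previously this only logged and then indexed chain[0].
            throw new CertificateException("No remote certificate available");
        }
        X509Certificate remote = chain[0];
        logger.log(Level.INFO, "Starting certificate trust checks");
        if (matchesProvisionedCertificate(remote)) {
            this.trustEstablished = true;
            return;
        }
        logger.log(Level.INFO, "Remote certificate not equal or equivalent to local certificate. Continue to check remote certificate.");
        boolean trusted;
        if (Boolean.TRUE.equals(this.sslTrustAllProperty.get())) {
            logger.log(Level.INFO, "Trusting remote certificate - trust all");
            trusted = true;
        } else {
            trusted = checkWithConfiguredManagers(chain, authType);
        }
        if (!trusted) {
            logger.log(Level.WARNING, String.format("Certificate trust check failed [trustManager=%s][trustAll=%s]",
                    this.sslManagerNameProperty.get(), this.sslTrustAllProperty.get()));
            logger.log(Level.WARNING, "Dumping certificates:" + getAllCertLogString(remote, this.certificates));
            throw new CertificateException("No certificate trusted. See APM Agent log for more information");
        }
        pinCertificate(remote);
        this.trustEstablished = true;
    }

    /**
     * Returns true when {@code remote} equals a loaded certificate, or is currently valid and
     * verifies under a loaded certificate's public key. Note that the equality path does not
     * check validity: a byte-identical but expired certificate is still accepted.
     */
    private boolean matchesProvisionedCertificate(X509Certificate remote) {
        for (X509Certificate local : this.certificates) {
            if (remote.equals(local)) {
                logger.log(Level.INFO, "Trusting remote certificate - equal to local certificate");
                return true;
            }
            try {
                remote.checkValidity();
                remote.verify(local.getPublicKey());
                logger.log(Level.INFO, "Trusting remote certificate - equivalent to local certificate");
                return true;
            } catch (Exception notSignedByLocal) {
                // expected for every loaded certificate that did not sign the remote one
            }
        }
        return false;
    }

    /**
     * Delegates to the configured trust managers in order ("default", then "oraclepki").
     *
     * @return true as soon as one manager accepts the chain
     * @throws CertificateException if a configured manager was not initialized
     */
    private boolean checkWithConfiguredManagers(X509Certificate[] chain, String authType) throws CertificateException {
        List<String> managerNames = configuredManagerNames();
        Exception defaultFailure = null;
        Exception oraclepkiFailure = null;
        boolean trusted = false;
        if (managerNames.contains(TRUST_MANAGER_NAME_default)) {
            if (this.defaultTrustManager == null) {
                throw new CertificateException("No [default] trust manager to validate remote certificate.");
            }
            try {
                this.defaultTrustManager.checkServerTrusted(chain, authType);
                trusted = true;
                logger.log(Level.INFO, "Trusting remote certificate - [default] trust manager");
            } catch (Exception e) {
                defaultFailure = e;
            }
        }
        if (!trusted && managerNames.contains(TRUST_MANAGER_NAME_oraclepki)) {
            if (this.oraclepkiTrustManager == null) {
                throw new CertificateException("No [oraclepki] trust manager to validate remote certificate.");
            }
            try {
                this.oraclepkiTrustManager.checkServerTrusted(chain, authType);
                trusted = true;
                logger.log(Level.INFO, "Trusting remote certificate - [oraclepki] trust manager");
            } catch (Exception e) {
                oraclepkiFailure = e;
            }
        }
        if (!trusted) {
            // Log the cause too: the reason a chain was rejected is what an operator needs.
            if (defaultFailure != null) {
                logger.log(Level.WARNING, "Remote certificate not trusted by [default] trust manager", defaultFailure);
            }
            if (oraclepkiFailure != null) {
                logger.log(Level.WARNING, "Remote certificate not trusted by [oraclepki] trust manager", oraclepkiFailure);
            }
        }
        return trusted;
    }

    /** Appends {@code remote} to the loaded certificates so the same peer matches directly next time. */
    private void pinCertificate(X509Certificate remote) {
        X509Certificate[] extended = Arrays.copyOf(this.certificates, this.certificates.length + 1);
        extended[this.certificates.length] = remote;
        this.certificates = extended;
    }

    /** Renders the remote certificate followed by every loaded certificate for the failure log. */
    private String getAllCertLogString(X509Certificate remote, X509Certificate[] loaded) {
        StringBuilder sb = new StringBuilder(4096);
        printCert(remote, "REMOTE", sb);
        for (X509Certificate local : loaded) {
            // Previously printed the remote certificate again on every iteration.
            printCert(local, "PROVISIONED", sb);
        }
        return sb.toString();
    }

    /** Appends a human-readable summary plus the Base64 DER of {@code cert} to {@code sb}. */
    private void printCert(X509Certificate cert, String label, StringBuilder sb) {
        sb.append("\n-----BEGIN [").append(label).append("] CERTIFICATE-----");
        sb.append("\n  [SubjectDN    = ").append(cert.getSubjectX500Principal()).append("]");
        sb.append("\n  [IssuerDN     = ").append(cert.getIssuerX500Principal()).append("]");
        sb.append("\n  [NotBefore    = ").append(cert.getNotBefore()).append("]");
        sb.append("\n  [NotAfter     = ").append(cert.getNotAfter()).append("]");
        sb.append("\n  [SerialNumber = ").append(cert.getSerialNumber().toString(16)).append("]");
        try {
            sb.append("\n").append(Base64.toBase64String(cert.getEncoded()));
        } catch (Exception e) {
            sb.append("\n").append(e.getMessage());
        }
        sb.append("\n-----END [").append(label).append("] CERTIFICATE-----");
    }

    /**
     * Returns the default trust manager's accepted issuers (if any) followed by the loaded
     * certificates.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] issuers = this.defaultTrustManager == null
                ? new X509Certificate[0]
                : this.defaultTrustManager.getAcceptedIssuers();
        if (this.certificates.length == 0) {
            return issuers;
        }
        X509Certificate[] combined = Arrays.copyOf(issuers, issuers.length + this.certificates.length);
        System.arraycopy(this.certificates, 0, combined, issuers.length, this.certificates.length);
        return combined;
    }

    /**
     * Client certificates are validated by the default trust manager only.
     *
     * @throws CertificateException if no default trust manager is available or it rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (this.defaultTrustManager == null) {
            throw new CertificateException("The defaultX509TrustManager is null. Cannot validate client certificate");
        }
        this.defaultTrustManager.checkClientTrusted(chain, authType);
    }
}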
