package divconq.api.internal;

import divconq.util.KeyUtil;
import divconq.xml.XElement;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:divconq/api/internal/ApiTrustManager.class */
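/**
 * Trust manager that decides trust by leaf-certificate thumbprint (pinning), not by building a
 * chain to a CA.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only {@code chain[0]} is inspected. The rest of the chain and the {@code authType}
 *       argument are ignored, and no hostname or revocation check is done here.</li>
 *   <li>Client certificates must always be inside their validity period and match a configured
 *       thumbprint.</li>
 *   <li>Server certificates are checked only as far as the {@code Validate} attribute asks.
 *       With the defaults ({@code validatessl == false}, {@code limittrust == false}),
 *       {@link #checkServerTrusted} accepts any certificate whose thumbprint can be computed,
 *       including expired ones. The connection is then encrypted but the server is not
 *       authenticated. Deployments that need server authentication must configure
 *       {@code Validate} to contain both {@code "SSL"} and {@code "Trust"} and list at least one
 *       thumbprint.</li>
 * </ul>
 *
 * <p>NOTE(review): the digest algorithm and output format of {@code KeyUtil.getCertThumbprint}
 * are not visible here. Configured pins are stored lower-cased with colons removed, so a match
 * requires that helper to return the same form. Confirm this, and confirm that the digest is
 * collision-resistant (SHA-256 or better).
 */
public class ApiTrustManager implements X509TrustManager {
    // Normalised (lower-case, colon-free) thumbprints of certificates that are trusted.
    protected CopyOnWriteArraySet<String> trustedCerts = new CopyOnWriteArraySet<>();
    // When true, server certificates must be within their notBefore/notAfter window.
    protected boolean validatessl = false;
    // When true, server certificates must match an entry in trustedCerts.
    protected boolean limittrust = false;

    /**
     * Loads pinned thumbprints and validation switches from configuration.
     *
     * <p>Reads the {@code Thumbprint} attribute of {@code xElement} itself and of every
     * {@code Trust} child, then sets the switches from the {@code Validate} attribute
     * (default {@code "Disabled"}): a value containing {@code "SSL"} enables validity-period
     * checks for servers, and a value containing {@code "Trust"} enables thumbprint pinning for
     * servers. Thumbprints are added to the existing set; calling this again does not clear
     * entries loaded earlier.
     *
     * @param xElement configuration element; {@code null} leaves the manager unchanged
     */
    public void init(XElement xElement) {
        if (xElement == null) {
            return;
        }
        if (xElement.hasAttribute("Thumbprint")) {
            this.trustedCerts.add(normalizeThumbprint(xElement.getAttribute("Thumbprint")));
        }
        for (XElement trust : xElement.selectAll("Trust")) {
            if (trust.hasAttribute("Thumbprint")) {
                this.trustedCerts.add(normalizeThumbprint(trust.getAttribute("Thumbprint")));
            }
        }
        // Read the attribute once so both switches are derived from the same value.
        String validate = xElement.getAttribute("Validate", "Disabled");
        this.validatessl = validate.contains("SSL");
        this.limittrust = validate.contains("Trust");
    }

    /**
     * Returns an empty array: trust is decided per leaf thumbprint, not per issuing CA.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /**
     * Accepts a client only if its leaf certificate is currently valid and its thumbprint is
     * pinned in {@code trustedCerts}. Unlike the server path, neither check can be switched off.
     *
     * @param x509CertificateArr peer chain; only element 0 is examined
     * @param str key-exchange/auth type supplied by the TLS stack (unused)
     * @throws CertificateException if the chain is missing, the leaf is expired or not yet
     *     valid, the thumbprint cannot be computed, or the thumbprint is not pinned
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        X509Certificate leaf = requireLeaf(x509CertificateArr, "MISSING CLIENT CERTIFICATE");
        leaf.checkValidity();
        String certThumbprint = KeyUtil.getCertThumbprint(leaf);
        // NOTE(review): principal is taken from the peer-supplied certificate and written to
        // stderr and into exception text as-is; escape control characters if this output feeds
        // a log pipeline.
        String principal = leaf.getSubjectDN().toString();
        if (certThumbprint == null) {
            throw new CertificateException("BAD CLIENT CERTIFICATE - CANNOT COMPUTE THUMBPRINT: " + principal);
        }
        if (!this.trustedCerts.contains(certThumbprint)) {
            System.err.println("UNTRUSTED CLIENT CERTIFICATE: " + principal + " - thumbprint: " + certThumbprint);
            throw new CertificateException("UNTRUSTED CLIENT CERTIFICATE: " + principal);
        }
        System.err.println("TRUSTED CLIENT CERTIFICATE: " + principal + " - thumbprint: " + certThumbprint);
    }

    /**
     * Checks a server's leaf certificate according to the configured switches.
     *
     * <p>The validity period is checked only when {@code validatessl} is set, and the thumbprint
     * is compared with {@code trustedCerts} only when {@code limittrust} is set. With both
     * switches off (the default), every certificate with a computable thumbprint is accepted,
     * which leaves the connection without server authentication.
     *
     * @param x509CertificateArr peer chain; only element 0 is examined
     * @param str key-exchange/auth type supplied by the TLS stack (unused)
     * @throws CertificateException if the chain is missing, an enabled check fails, or the
     *     thumbprint cannot be computed
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        X509Certificate leaf = requireLeaf(x509CertificateArr, "MISSING SERVER CERTIFICATE");
        if (this.validatessl) {
            leaf.checkValidity();
        }
        String principal = leaf.getSubjectDN().toString();
        String certThumbprint = KeyUtil.getCertThumbprint(leaf);
        if (certThumbprint == null) {
            throw new CertificateException("BAD SERVER CERTIFICATE - CANNOT COMPUTE THUMBPRINT: " + principal);
        }
        // Pinning is enforced only when limittrust is on; otherwise this branch is skipped for
        // every certificate.
        if (this.limittrust && !this.trustedCerts.contains(certThumbprint)) {
            System.err.println("UNTRUSTED SERVER CERTIFICATE: " + principal + " - thumbprint: " + certThumbprint);
            throw new CertificateException("UNTRUSTED SERVER CERTIFICATE: " + principal);
        }
        System.err.println("TRUSTED SERVER CERTIFICATE: " + principal + " - thumbprint: " + certThumbprint);
    }

    /**
     * Returns the leaf certificate, rejecting a null chain, an empty chain, or a null first
     * element with a CertificateException instead of letting a NullPointerException escape
     * into the TLS handshake.
     */
    private static X509Certificate requireLeaf(X509Certificate[] chain, String missingMessage)
            throws CertificateException {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            throw new CertificateException(missingMessage);
        }
        return chain[0];
    }

    /**
     * Canonical form for configured thumbprints: lower-case, colon separators removed.
     * Locale.ROOT keeps the result independent of the JVM's default locale.
     */
    private static String normalizeThumbprint(String thumbprint) {
        return thumbprint.toLowerCase(java.util.Locale.ROOT).replace(":", "");
    }
}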
