package eu.peppol.outbound.ssl;

import eu.peppol.outbound.util.Log;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:eu/peppol/outbound/ssl/AccessPointX509TrustManager.class */
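/**
 * Trust manager for outbound access point connections that optionally pins the peer
 * certificate's subject common name (CN) to a configured set of names.
 *
 * <p><strong>Security review notes</strong> (behaviour kept as-is for compatibility):
 * <ul>
 *   <li>{@link #checkServerTrusted} asks the JVM default trust manager to validate the
 *       chain, but a {@link CertificateException} from that validation is only logged as
 *       a warning. Chain validation is therefore advisory, not enforced.</li>
 *   <li>{@link #checkClientTrusted} performs no chain validation at all; it only runs the
 *       common name check.</li>
 *   <li>When the common name set is {@code null}, the common name check is skipped, so in
 *       that configuration every non-empty chain is accepted.</li>
 *   <li>The root certificate is only reported through {@link #getAcceptedIssuers}; it is
 *       never used to verify the presented chain.</li>
 * </ul>
 * NOTE(review): a CN match alone does not authenticate a peer, because the subject of an
 * unvalidated certificate is chosen by whoever created it. Deployments that rely on this
 * class for authentication should fail closed on chain validation errors and validate
 * against the configured root; confirm with the callers before tightening.
 */
public class AccessPointX509TrustManager implements X509TrustManager {
    // Allowed subject common names; null disables the common name check entirely.
    private final Set<String> commonNames;
    // Reported as the accepted issuer; not consulted during validation.
    private final X509Certificate rootCertificate;
    // JVM default X.509 trust manager, or null when it could not be located.
    private final X509TrustManager defaultTrustManager;

    /**
     * Creates the trust manager and looks up the JVM default X.509 trust manager.
     *
     * @param set allowed subject common names, or {@code null} to skip the name check
     * @param x509Certificate root certificate reported by {@link #getAcceptedIssuers};
     *        may be {@code null}
     */
    public AccessPointX509TrustManager(Set<String> set, X509Certificate x509Certificate) {
        this.rootCertificate = x509Certificate;
        this.commonNames = set;
        this.defaultTrustManager = locateAndSaveDefaultTrustManager();
    }

    /**
     * Locates the first {@link X509TrustManager} provided by the default
     * {@link TrustManagerFactory}, initialised with the JVM default trust store.
     *
     * @return the default X.509 trust manager, or {@code null} if none is available or
     *         the factory could not be created or initialised
     */
    private X509TrustManager locateAndSaveDefaultTrustManager() {
        String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(defaultAlgorithm);
            // A null key store makes the factory fall back to the JVM default trust store.
            trustManagerFactory.init((KeyStore) null);
            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                if (trustManager instanceof X509TrustManager) {
                    return (X509TrustManager) trustManager;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            Log.error("Unable to initialize the trust manager");
            return null;
        } catch (NoSuchAlgorithmException e2) {
            Log.error("Unable to obtain instances of the TrustManagerFactory for algorithm " + defaultAlgorithm);
            return null;
        }
    }

    /**
     * Checks a client certificate chain using only the common name check.
     *
     * @param x509CertificateArr peer certificate chain, leaf certificate first
     * @param str authentication type (unused)
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if a common name set is configured and the leaf
     *         certificate's subject CN is not in it
     */
    @Override // javax.net.ssl.X509TrustManager
    public final void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireChain(x509CertificateArr);
        Log.debug("Checking client certificates");
        checkPrincipal(x509CertificateArr);
    }

    /**
     * Checks a server certificate chain: runs the default trust manager (advisory only)
     * and then the common name check.
     *
     * @param x509CertificateArr peer certificate chain, leaf certificate first
     * @param str authentication type, passed to the default trust manager
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if a common name set is configured and the leaf
     *         certificate's subject CN is not in it
     */
    @Override // javax.net.ssl.X509TrustManager
    public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireChain(x509CertificateArr);
        for (X509Certificate x509Certificate : x509CertificateArr) {
            Log.debug("Inspecting peer certificate " + x509Certificate.getSubjectX500Principal() + ", issued by " + x509Certificate.getIssuerX500Principal());
        }
        try {
            if (this.defaultTrustManager != null) {
                this.defaultTrustManager.checkServerTrusted(x509CertificateArr, str);
            } else {
                Log.warn("No default trust manager established upon creation of " + getClass().getSimpleName());
            }
        } catch (CertificateException e) {
            // SECURITY NOTE(review): a failed chain validation (untrusted issuer, expired
            // certificate, ...) is logged and then ignored, so the connection proceeds.
            // Existing behaviour is preserved here; rethrowing would make this fail closed.
            Log.warn("Server SSL sertificate " + x509CertificateArr[0] + " is not trusted: " + e + "\nThis cause might be a missing root certificate in your local truststore");
        }
        checkPrincipal(x509CertificateArr);
        Log.debug("Void SSL server certificate check performed.");
    }

    /**
     * Returns the configured root certificate as the only accepted issuer.
     *
     * @return a one-element array with the root certificate, or an empty array when no
     *         root certificate was configured (never an array holding {@code null})
     */
    @Override // javax.net.ssl.X509TrustManager
    public final X509Certificate[] getAcceptedIssuers() {
        Log.debug("Returning trusted root certificates");
        if (this.rootCertificate == null) {
            return new X509Certificate[0];
        }
        return new X509Certificate[]{this.rootCertificate};
    }

    /**
     * Rejects a missing or empty chain, as the {@link X509TrustManager} contract requires,
     * instead of failing later with an index error or silently accepting an empty chain.
     */
    private static void requireChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be null or empty");
        }
    }

    /**
     * Verifies that the leaf certificate's subject carries a CN attribute whose value is
     * in the configured set. Does nothing when no set is configured.
     *
     * <p>The subject is parsed as a distinguished name rather than split on commas, so
     * that only a real CN attribute can match: text such as {@code CN=} embedded in the
     * value of another attribute, or a value containing an escaped comma, is not
     * misread as a common name.
     *
     * @param x509CertificateArr peer certificate chain, leaf certificate first
     * @throws CertificateException if the subject cannot be parsed or no CN matches
     */
    private void checkPrincipal(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (this.commonNames == null) {
            // No pinning configured: nothing is checked here.
            return;
        }
        final LdapName subject;
        try {
            subject = new LdapName(x509CertificateArr[0].getSubjectX500Principal().getName("RFC2253"));
        } catch (InvalidNameException e) {
            Log.error("No accepted issuer: " + x509CertificateArr[0].getSubjectX500Principal());
            throw new CertificateException("Remote principal is not trusted", e);
        }
        for (Rdn rdn : subject.getRdns()) {
            // For a multi-valued RDN only the first type/value pair is inspected.
            if (!"CN".equalsIgnoreCase(rdn.getType())) {
                continue;
            }
            Object value = rdn.getValue();
            if (value instanceof String && this.commonNames.contains(value)) {
                // The logged value is the subject CN of the peer certificate.
                Log.info("Accepted issuer: " + value);
                return;
            }
        }
        Log.error("No accepted issuer: " + x509CertificateArr[0].getSubjectX500Principal());
        throw new CertificateException("Remote principal is not trusted");
    }
}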
