package weblogic.security.utils;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.impl.SSLSocketImpl;
import javax.security.cert.CertificateEncodingException;
import javax.security.cert.X509Certificate;
import weblogic.logging.Loggable;
import weblogic.security.KeyManagementException;
import weblogic.security.MessageDigestUtils;
import weblogic.security.SSL.TrustManager;
import weblogic.security.SSL.TrustManagerJSSE;
import weblogic.security.SecurityLogger;
import weblogic.security.X509;

/* loaded from: input_file:weblogic.jar:weblogic/security/utils/SSLTrustValidator.class */
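/**
 * Trust decision callback for SSL handshakes.
 *
 * <p>The caller hands in the peer chain and a bit set of validation errors it has already
 * computed; this class may clear bits (configured root CA fingerprint match, user trust
 * manager acceptance), add bits (missing required chain, override not allowed) and logs
 * every remaining error before returning the final bit set. A result of {@code 0} means
 * the peer is trusted.
 *
 * <p>Not thread-safe: the setters mutate plain fields without synchronization, so
 * configuration is expected to be completed before the validator is shared.
 */
public class SSLTrustValidator implements SSLTruster {
    // Validation-status bits. The names follow the messages logValidationError emits
    // for each bit; the code that produces the initial status is not in this file.
    private static final int ERR_CERT_INVALID = 1;
    private static final int ERR_CERT_EXPIRED = 2;
    private static final int ERR_CHAIN_INCOMPLETE = 4;
    private static final int ERR_CHAIN_UNTRUSTED = 16;
    // Added to a non-zero result when user trust managers may not override it (see setAllowOverride).
    private static final int ERR_OVERRIDE_NOT_ALLOWED = 64;
    // Bits cleared when the chain's last certificate matches a configured root CA fingerprint.
    // Historically written as "&= -21", which is exactly ~(4 | 16).
    private static final int ROOT_CA_CLEARED_BITS = ERR_CHAIN_INCOMPLETE | ERR_CHAIN_UNTRUSTED;
    // Level at which this class traces its decisions through SSLSetup.debug.
    private static final int DEBUG = 3;

    private boolean peerCertsRequired = false;
    private boolean overrideAllowed = true;
    private TrustManager userTrustManager = null;
    private TrustManagerJSSE userTrustManagerJSSE = null;
    private byte[][] rootCAFingerPrints = null;

    /**
     * Installs a legacy trust manager that is consulted with the chain in weblogic
     * {@link X509} form; a {@code true} answer clears all error bits.
     *
     * @param trustManager the trust manager, or {@code null} to disable
     */
    public void setUserTrustManager(TrustManager trustManager) {
        this.userTrustManager = trustManager;
    }

    /**
     * Installs a JSSE-style trust manager that is consulted with the original chain;
     * its verdict replaces the accumulated error bits outright (0 or untrusted).
     *
     * @param trustManagerJSSE the trust manager, or {@code null} to disable
     */
    public void setUserTrustManagerJSSE(TrustManagerJSSE trustManagerJSSE) {
        this.userTrustManagerJSSE = trustManagerJSSE;
    }

    /**
     * Configures fingerprints that the last certificate of an untrusted chain is compared
     * against. The array is stored by reference, not copied.
     *
     * @param bArr fingerprints as produced by {@link X509#getFingerprint()}, or {@code null}
     */
    public void setRootCAFingerPrints(byte[][] bArr) {
        this.rootCAFingerPrints = bArr;
    }

    /**
     * Controls how an absent peer chain is treated: an error ({@code true}) or a
     * clean result ({@code false}, the default).
     *
     * @param z whether a peer certificate chain is mandatory
     */
    public void setPeerCertsRequired(boolean z) {
        this.peerCertsRequired = z;
    }

    /**
     * Controls whether a failed validation may still be overridden downstream; when
     * {@code false} the override-not-allowed bit is added to every non-zero result.
     *
     * @param z {@code true} (the default) to permit overrides
     */
    public void setAllowOverride(boolean z) {
        this.overrideAllowed = z;
    }

    /**
     * Combines the caller-supplied validation status with the configured root CA
     * fingerprints and user trust managers and returns the final status.
     *
     * @param x509CertificateArr the peer's certificate chain; may be {@code null} or empty
     * @param i validation-error bits computed by the caller ({@code 0} means no error)
     * @param sSLSocket the socket being validated; it is cast to {@link SSLSocketImpl} when
     *        failure details are recorded, so another {@link SSLSocket} subtype would raise
     *        {@link ClassCastException}
     * @return the resulting error bits; {@code 0} means the peer is trusted
     */
    @Override // weblogic.security.utils.SSLTruster
    public int validationCallback(X509Certificate[] x509CertificateArr, int i, SSLSocket sSLSocket) {
        int status = i;
        SSLSetup.debug(DEBUG, "validationCallback: validateErr = " + status);

        boolean chainPresent = x509CertificateArr != null && x509CertificateArr.length > 0;
        // The legacy X509 form is only needed by the fingerprint check and the legacy TrustManager.
        boolean legacyFormNeeded = (this.rootCAFingerPrints != null && (status & ERR_CHAIN_UNTRUSTED) != 0)
                || this.userTrustManager != null;
        X509[] legacyChain = null;
        if (chainPresent && legacyFormNeeded) {
            legacyChain = toLegacyChain(x509CertificateArr, sSLSocket);
        }

        if (SSLSetup.getDebugLevel() >= DEBUG && x509CertificateArr != null) {
            for (int n = 0; n < x509CertificateArr.length; n++) {
                SSLSetup.debug(DEBUG, "  cert[" + n + "] = " + x509CertificateArr[n]);
            }
        }

        // Legacy root CA check: only attempted when the chain was reported untrusted and
        // could be converted. The last chain element is compared; whether that is the root
        // depends on the ordering SSLCertUtility.toX509 produces, which is not visible here.
        if ((status & ERR_CHAIN_UNTRUSTED) != 0 && this.rootCAFingerPrints != null
                && legacyChain != null && legacyChain.length > 0) {
            byte[] lastFingerprint = legacyChain[legacyChain.length - 1].getFingerprint();
            if (matchesConfiguredRoot(lastFingerprint)) {
                status &= ~ROOT_CA_CLEARED_BITS;
                SSLSetup.debug(DEBUG, "Untrusted cert now trusted by legacy check");
            }
        }

        if (!chainPresent) {
            if (this.peerCertsRequired) {
                SSLSetup.debug(DEBUG, "Required peer certificates not supplied by peer");
                status |= ERR_CHAIN_INCOMPLETE;
            } else {
                SSLSetup.debug(DEBUG, "Peer certificates are not required and were not supplied by peer");
                // Nothing to validate, so any caller-reported bits are discarded.
                status = 0;
            }
        }

        if (this.userTrustManager != null) {
            // legacyChain may be null here (no chain, or conversion failed); the callback sees that as-is.
            if (this.userTrustManager.certificateCallback(legacyChain, status)) {
                status = 0;
            }
            SSLSetup.debug(DEBUG, "weblogic user specified trustmanager validation status " + status);
        }
        if (this.userTrustManagerJSSE != null) {
            // The JSSE trust manager's verdict replaces the accumulated bits rather than adjusting them.
            status = this.userTrustManagerJSSE.certificateCallback(x509CertificateArr, status)
                    ? 0 : ERR_CHAIN_UNTRUSTED;
            SSLSetup.debug(DEBUG, "weblogic user specified trustmanagerJSSE validation status " + status);
        }

        if (status != 0) {
            logValidationError(status, (SSLSocketImpl) sSLSocket);
            if (!this.overrideAllowed) {
                SSLSetup.debug(DEBUG, "User defined JSSE trustmanagers not allowed to override");
                status |= ERR_OVERRIDE_NOT_ALLOWED;
            }
        }
        SSLSetup.debug(DEBUG, "SSLTrustValidator returns: " + status);
        return status;
    }

    /**
     * Converts a JSSE chain to the legacy weblogic {@link X509} form.
     *
     * <p>On failure the rejection is logged (when rejection logging is enabled), the message
     * is attached to the socket as failure details, and {@code null} is returned. The
     * conversion exception itself is kept in the debug trace instead of being dropped.
     *
     * @param chain non-empty peer chain
     * @param socket the socket being validated; cast to {@link SSLSocketImpl} for peer name lookup
     * @return the converted chain, or {@code null} if conversion failed or yielded {@code null}
     */
    private static X509[] toLegacyChain(X509Certificate[] chain, SSLSocket socket) {
        X509[] converted = null;
        Exception failure = null;
        try {
            converted = SSLCertUtility.toX509(chain);
        } catch (IOException e) {
            failure = e;
        } catch (CertificateEncodingException e) {
            failure = e;
        } catch (KeyManagementException e) {
            failure = e;
        }
        if (converted != null) {
            return converted;
        }
        if (SSLSetup.logSSLRejections()) {
            SSLSocketImpl impl = (SSLSocketImpl) socket;
            Loggable loggable = SecurityLogger.logTrustValidationCertExceptionErrorLoggable(SSLSetup.getPeerName(impl));
            loggable.log();
            if (impl != null) {
                impl.setFailureDetails(loggable.getMessage());
            }
        }
        String detail = failure != null ? ": " + failure : "";
        SSLSetup.debug(DEBUG, "Problem converting back to legacy certificate format" + detail);
        return null;
    }

    /**
     * Reports whether {@code fingerprint} equals any configured root CA fingerprint.
     * Comparison is delegated to {@link MessageDigestUtils#isEqual}; whether that
     * comparison is constant-time is not visible from this file.
     *
     * @param fingerprint fingerprint of the chain's last certificate
     * @return {@code true} on the first match
     */
    private boolean matchesConfiguredRoot(byte[] fingerprint) {
        for (byte[] known : this.rootCAFingerPrints) {
            if (MessageDigestUtils.isEqual(fingerprint, known)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Logs one security-log entry per error bit (when rejection logging is enabled),
     * records the joined messages as the socket's failure details, and writes a
     * per-bit debug trace.
     *
     * @param status non-zero validation-error bits
     * @param sSLSocketImpl the socket to annotate; may be {@code null}
     */
    private static void logValidationError(int status, SSLSocketImpl sSLSocketImpl) {
        if (SSLSetup.logSSLRejections()) {
            String peerName = SSLSetup.getPeerName(sSLSocketImpl);
            List<Loggable> entries = new ArrayList<Loggable>(4);
            if ((status & ERR_CERT_INVALID) != 0) {
                entries.add(SecurityLogger.logHandshakeCertInvalidErrorLoggable(peerName));
            }
            if ((status & ERR_CERT_EXPIRED) != 0) {
                entries.add(SecurityLogger.logHandshakeCertExpiredErrorLoggable(peerName));
            }
            if ((status & ERR_CHAIN_INCOMPLETE) != 0) {
                // Fat (standalone) clients get a differently worded message.
                entries.add(SSLSetup.isFatClient()
                        ? SecurityLogger.logFatClientHandshakeCertIncompleteErrorLoggable(peerName)
                        : SecurityLogger.logHandshakeCertIncompleteErrorLoggable(peerName));
            }
            if ((status & ERR_CHAIN_UNTRUSTED) != 0) {
                entries.add(SSLSetup.isFatClient()
                        ? SecurityLogger.logFatClientHandshakeCertUntrustedErrorLoggable(peerName)
                        : SecurityLogger.logHandshakeCertUntrustedErrorLoggable(peerName));
            }
            if (!entries.isEmpty()) {
                StringBuilder details = new StringBuilder();
                for (int n = 0; n < entries.size(); n++) {
                    Loggable entry = entries.get(n);
                    entry.log();
                    if (n > 0) {
                        details.append(", ");
                    }
                    details.append(entry.getMessage());
                }
                if (sSLSocketImpl != null) {
                    sSLSocketImpl.setFailureDetails(details.toString());
                }
            }
        }
        if (SSLSetup.getDebugLevel() >= DEBUG) {
            debugStatusBits(status);
        }
    }

    /**
     * Writes the numeric status and one line per set error bit to the debug trace.
     *
     * @param status validation-error bits
     */
    private static void debugStatusBits(int status) {
        SSLSetup.debug(DEBUG, "Validation error = " + status);
        if ((status & ERR_CERT_INVALID) != 0) {
            SSLSetup.debug(DEBUG, "Certificate chain is invalid");
        }
        if ((status & ERR_CERT_EXPIRED) != 0) {
            SSLSetup.debug(DEBUG, "Expired certificate");
        }
        if ((status & ERR_CHAIN_INCOMPLETE) != 0) {
            SSLSetup.debug(DEBUG, "Certificate chain is incomplete");
        }
        if ((status & ERR_CHAIN_UNTRUSTED) != 0) {
            SSLSetup.debug(DEBUG, "Certificate chain is untrusted");
        }
    }
}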
