package com.dmdirc;

import com.dmdirc.config.ConfigManager;
import com.dmdirc.config.IdentityManager;
import com.dmdirc.logger.ErrorLevel;
import com.dmdirc.logger.Logger;
import com.dmdirc.ui.core.dialogs.sslcertificate.CertificateAction;
import com.dmdirc.ui.core.dialogs.sslcertificate.SSLCertificateDialogModel;
import java.io.Closeable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Semaphore;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509TrustManager;
import net.miginfocom.Base64;

/* loaded from: input_file:com/dmdirc/CertificateManager.class */
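/**
 * Trust manager used for outbound SSL/TLS connections to an IRC server.
 *
 * <p>Server certificates are checked against three user-configurable criteria
 * ({@code ssl.checkhost}, {@code ssl.checkdate}, {@code ssl.checkissuer}). Any
 * failure is presented to the user through the SSL certificate dialog, whose
 * answer arrives asynchronously via {@link #setAction(CertificateAction)}; the
 * handshake thread blocks on {@link #actionSem} until then. A permanent
 * "ignore" is persisted under {@code ssl.trusted} and is recorded against the
 * end-entity (leaf) certificate only.
 *
 * <p>Client-certificate verification ({@link #checkClientTrusted}) is not
 * supported; this class only ever acts on the client side of a connection.
 */
public class CertificateManager implements X509TrustManager {

    /**
     * Prefix of {@code ssl.trusted} entries written by this version: a
     * lower-case hex SHA-256 digest of the certificate's DER encoding.
     * Entries without the prefix are legacy Base64 signature bytes.
     */
    private static final String FINGERPRINT_PREFIX = "sha256:";

    /** Password for the JRE {@code cacerts} store ({@code ssl.cacertpass}); may be null. */
    private final String cacertpass;
    /** Host name the connection was made to; what the certificate must be issued for. */
    private final String serverName;
    /** Configuration this manager reads its options and trust exceptions from. */
    private final ConfigManager config;
    private boolean checkDate;
    private boolean checkIssuer;
    private boolean checkHost;
    /** User's answer to the certificate dialog; written by the UI thread, read after {@link #actionSem} is acquired. */
    private volatile CertificateAction action;
    /** Trust anchors loaded from the JRE {@code cacerts} store. */
    private Set<X509Certificate> globalTrustedCAs = new HashSet<X509Certificate>();
    /** Released once by {@link #setAction} to wake the blocked handshake thread. */
    private final Semaphore actionSem = new Semaphore(0);

    /** Raised when no CN or subject-alternative name of the leaf certificate matches the server name. */
    public static class CertificateDoesntMatchHostException extends CertificateException {
        private static final long serialVersionUID = 1;

        public CertificateDoesntMatchHostException(String str) {
            super(str);
        }
    }

    /** Raised when no verified signature path from the presented chain to a trust anchor exists. */
    public static class CertificateNotTrustedException extends CertificateException {
        private static final long serialVersionUID = 1;

        public CertificateNotTrustedException(String str) {
            super(str);
        }
    }

    /** Outcome of {@link CertificateManager#isTrusted(X509Certificate)} for a single certificate. */
    public enum TrustResult {
        /** The certificate is a trust anchor or is directly signed by one. */
        TRUSTED_CA(true),
        /** The certificate matches a stored {@code ssl.trusted} exception. */
        TRUSTED_MANUALLY(true),
        /** Evaluation threw; treated as untrusted (fail closed). */
        UNTRUSTED_EXCEPTION(false),
        /** No trust relationship found. */
        UNTRUSTED_GENERAL(false);

        private final boolean trusted;

        TrustResult(boolean z) {
            this.trusted = z;
        }

        /** @return true for the two trusted outcomes, false otherwise */
        public boolean isTrusted() {
            return this.trusted;
        }
    }

    /**
     * Creates a manager for one connection.
     *
     * @param str           host name that was connected to
     * @param configManager configuration providing the {@code ssl.*} options
     */
    public CertificateManager(String str, ConfigManager configManager) {
        this.serverName = str;
        this.config = configManager;
        this.cacertpass = configManager.getOption("ssl", "cacertpass");
        this.checkDate = configManager.getOptionBool("ssl", "checkdate");
        this.checkIssuer = configManager.getOptionBool("ssl", "checkissuer");
        this.checkHost = configManager.getOptionBool("ssl", "checkhost");
        loadTrustedCAs();
    }

    /**
     * Loads the trust anchors from the running JRE's {@code lib/security/cacerts}
     * store into {@link #globalTrustedCAs}. Failures are logged, not thrown; the
     * manager then simply has no CA trust and every chain will be reported as
     * "issuer not trusted" when {@code ssl.checkissuer} is on.
     */
    protected void loadTrustedCAs() {
        final String path = System.getProperty("java.home")
                + "/lib/security/cacerts".replace('/', File.separatorChar);
        // A null password makes KeyStore.load() skip only the integrity check, which
        // is the right fallback when no ssl.cacertpass is configured (previously NPE'd).
        final char[] password = cacertpass == null ? null : cacertpass.toCharArray();
        FileInputStream in = null;
        try {
            in = new FileInputStream(path);
            final KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            store.load(in, password);
            for (TrustAnchor anchor : new PKIXParameters(store).getTrustAnchors()) {
                if (anchor.getTrustedCert() != null) {
                    globalTrustedCAs.add(anchor.getTrustedCert());
                }
            }
        } catch (IOException e) {
            Logger.appError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", e);
        } catch (GeneralSecurityException e) {
            // KeyStoreException, NoSuchAlgorithmException, CertificateException,
            // InvalidAlgorithmParameterException all derive from this type.
            Logger.appError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", e);
        } finally {
            closeQuietly(in);
            if (password != null) {
                Arrays.fill(password, '\0');
            }
        }
    }

    /**
     * Builds key managers for client-certificate authentication from the PKCS#12
     * file named by {@code ssl.clientcert.file}, unlocked with
     * {@code ssl.clientcert.pass} when present.
     *
     * @return the key managers, or null when no client certificate is configured
     *         or the file cannot be loaded (the error is logged)
     */
    public KeyManager[] getKeyManager() {
        if (!config.hasOptionString("ssl", "clientcert.file")) {
            return null;
        }
        final char[] password = config.hasOptionString("ssl", "clientcert.pass")
                ? config.getOption("ssl", "clientcert.pass").toCharArray() : null;
        FileInputStream in = null;
        try {
            in = new FileInputStream(config.getOption("ssl", "clientcert.file"));
            final KeyStore store = KeyStore.getInstance("pkcs12");
            store.load(in, password);
            final KeyManagerFactory factory =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(store, password);
            return factory.getKeyManagers();
        } catch (IOException e) {
            Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", e);
            return null;
        } catch (GeneralSecurityException e) {
            // KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException,
            // CertificateException all derive from this type.
            Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", e);
            return null;
        } finally {
            closeQuietly(in);
            if (password != null) {
                Arrays.fill(password, '\0');
            }
        }
    }

    /** Client authentication is never performed by this manager. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Not supported.");
    }

    /**
     * Determines how a single certificate is trusted, in isolation from any chain.
     *
     * @param x509Certificate the certificate to evaluate
     * @return {@link TrustResult#TRUSTED_MANUALLY} if it matches a stored exception,
     *         {@link TrustResult#TRUSTED_CA} if it is a trust anchor or is signed by
     *         one, {@link TrustResult#UNTRUSTED_EXCEPTION} if evaluation failed,
     *         otherwise {@link TrustResult#UNTRUSTED_GENERAL}
     */
    public TrustResult isTrusted(X509Certificate x509Certificate) {
        try {
            if (isManuallyTrusted(x509Certificate)) {
                return TrustResult.TRUSTED_MANUALLY;
            }
            if (globalTrustedCAs.contains(x509Certificate)
                    || findTrustedIssuer(x509Certificate) != null) {
                return TrustResult.TRUSTED_CA;
            }
            return TrustResult.UNTRUSTED_GENERAL;
        } catch (Exception e) {
            // Fail closed: anything unexpected counts as untrusted.
            return TrustResult.UNTRUSTED_EXCEPTION;
        }
    }

    /**
     * Checks whether the certificate was issued to {@link #serverName}: by a
     * subject CN, or by a DNS (type 2) or IP address (type 7) subject alternative
     * name. DNS comparisons are case-insensitive and honour a single left-most
     * {@code *.} wildcard label (RFC 6125 §6.4.3); IP entries must match exactly.
     *
     * <p>The CN is still consulted even when SAN entries exist (RFC 6125
     * recommends ignoring it in that case); tightening that would reject
     * certificates the client accepts today, so it is left as is.
     *
     * @param x509Certificate the certificate to check (normally the chain's leaf)
     * @return true if any name matches; false otherwise or if the SAN extension is unparsable
     */
    public boolean isValidHost(X509Certificate x509Certificate) {
        final Map<String, String> subject = getDNFieldsFromCert(x509Certificate);
        if (subject.containsKey("CN") && hostMatches(subject.get("CN"))) {
            return true;
        }
        try {
            final Collection<List<?>> altNames = x509Certificate.getSubjectAlternativeNames();
            if (altNames == null) {
                return false;
            }
            for (List<?> entry : altNames) {
                final int type = ((Integer) entry.get(0)).intValue();
                final Object value = entry.get(1);
                if (!(value instanceof String)) {
                    continue; // otherName/directoryName entries are byte[]/String per type; ignore non-text
                }
                if (type == 2 && hostMatches((String) value)) {
                    return true;
                }
                if (type == 7 && value.equals(serverName)) {
                    return true;
                }
            }
            return false;
        } catch (CertificateParsingException e) {
            return false;
        }
    }

    /**
     * Validates the server's certificate chain. Problems are collected (not
     * short-circuited) so the dialog can show all of them at once; the user's
     * answer then decides whether the handshake proceeds.
     *
     * @param x509CertificateArr the chain as presented by the peer, leaf first
     * @param str                the key exchange algorithm (unused)
     * @throws IllegalArgumentException if the chain is null or empty (X509TrustManager contract)
     * @throws CertificateException     if the user chose to disconnect, no answer was
     *                                  obtained, or a fingerprint could not be computed
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Certificate chain is null or empty");
        }
        final X509Certificate leaf = x509CertificateArr[0];
        final List<CertificateException> problems = new ArrayList<CertificateException>();

        if (checkHost && !isValidHost(leaf)) {
            problems.add(new CertificateDoesntMatchHostException(
                    "Certificate was not issued to " + serverName));
        }
        if (checkDate) {
            for (X509Certificate cert : x509CertificateArr) {
                try {
                    cert.checkValidity();
                } catch (CertificateException e) {
                    problems.add(e);
                }
            }
        }
        // Trust must follow a verified signature path from the leaf to an anchor.
        // Merely finding an anchor somewhere in the presented array is not enough:
        // a peer can append any public CA certificate to its chain.
        if (checkIssuer && !isChainTrusted(x509CertificateArr)) {
            problems.add(new CertificateNotTrustedException("Issuer is not trusted"));
        }
        // A stored exception is recorded against the leaf only (see IGNORE_PERMANENTY
        // below), so only the leaf may claim it. Honouring any chain member would let a
        // peer bypass every check by appending a previously accepted certificate.
        if (problems.isEmpty() || isManuallyTrusted(leaf)) {
            return;
        }

        Main.getUI().showSSLCertificateDialog(
                new SSLCertificateDialogModel(x509CertificateArr, problems, this));
        try {
            actionSem.acquire();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new CertificateException("Thread aborted, ");
        }

        // No answer (null) is treated like DISCONNECT: fail closed.
        if (action == null || action == CertificateAction.DISCONNECT) {
            throw new CertificateException("Not trusted");
        }
        if (action == CertificateAction.IGNORE_PERMANENTY) {
            final List<String> trusted = new ArrayList<String>();
            if (config.hasOptionString("ssl", "trusted")) {
                final List<String> existing = config.getOptionList("ssl", "trusted");
                if (existing != null) {
                    trusted.addAll(existing);
                }
            }
            trusted.add(fingerprint(leaf));
            IdentityManager.getConfigIdentity().setOption("ssl", "trusted", trusted);
        }
        // IGNORE_TEMPORARILY (and any other action): accept for this connection only.
    }

    /**
     * Delivers the user's decision from the certificate dialog and wakes the
     * handshake thread blocked in {@link #checkServerTrusted}.
     *
     * @param certificateAction the chosen action
     */
    public void setAction(CertificateAction certificateAction) {
        this.action = certificateAction;
        this.actionSem.release();
    }

    /** @return the host name this manager validates certificates against */
    public String getServerName() {
        return this.serverName;
    }

    /**
     * Splits the certificate's subject DN into a type-to-value map (e.g. "CN",
     * "O"). Repeated attribute types keep the last value seen. If the DN cannot
     * be parsed the map is empty.
     *
     * @param x509Certificate the certificate whose subject is read
     * @return RDN type to string value; never null
     */
    public static Map<String, String> getDNFieldsFromCert(X509Certificate x509Certificate) {
        final Map<String, String> fields = new HashMap<String, String>();
        try {
            final LdapName dn = new LdapName(x509Certificate.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                fields.put(rdn.getType(), rdn.getValue().toString());
            }
        } catch (InvalidNameException ignored) {
            // Unparsable subject: callers treat an empty map as "no CN".
        }
        return fields;
    }

    /** @return a snapshot of the loaded trust anchors */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return globalTrustedCAs.toArray(new X509Certificate[globalTrustedCAs.size()]);
    }

    // ---------------------------------------------------------------- helpers

    /**
     * Walks the chain leaf-first, requiring each certificate to be signed by the
     * next one (which must be a CA permitted to issue at that depth) until a
     * certificate that is a trust anchor, or is signed by one, is reached.
     * Validity dates are deliberately not checked here; {@code ssl.checkdate}
     * governs that separately.
     */
    private boolean isChainTrusted(final X509Certificate[] chain) {
        for (int i = 0; i < chain.length; i++) {
            final X509Certificate cert = chain[i];
            if (globalTrustedCAs.contains(cert) || findTrustedIssuer(cert) != null) {
                return true;
            }
            if (i + 1 >= chain.length) {
                return false;
            }
            final X509Certificate issuer = chain[i + 1];
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())
                    || !canIssueAtDepth(issuer, i)) {
                return false;
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                return false;
            }
        }
        return false;
    }

    /**
     * True if {@code issuer} is a CA certificate whose basic constraints allow
     * {@code intermediatesBelow} intermediate CAs beneath it and whose key usage
     * (when present) permits certificate signing. Trust anchors never reach this
     * check; they are matched by identity in {@link #isChainTrusted}.
     */
    private static boolean canIssueAtDepth(final X509Certificate issuer, final int intermediatesBelow) {
        final int pathLen = issuer.getBasicConstraints(); // -1: not a CA; MAX_VALUE: unlimited
        if (pathLen < 0 || pathLen < intermediatesBelow) {
            return false;
        }
        final boolean[] keyUsage = issuer.getKeyUsage();
        return keyUsage == null || keyUsage.length <= 5 || keyUsage[5]; // bit 5 = keyCertSign
    }

    /**
     * Finds a trust anchor whose subject is {@code cert}'s issuer and whose key
     * verifies {@code cert}'s signature.
     *
     * @return the anchor, or null if none signs the certificate
     */
    private X509Certificate findTrustedIssuer(final X509Certificate cert) {
        for (X509Certificate anchor : globalTrustedCAs) {
            if (!cert.getIssuerX500Principal().equals(anchor.getSubjectX500Principal())) {
                continue;
            }
            try {
                cert.verify(anchor.getPublicKey());
                return anchor;
            } catch (GeneralSecurityException e) {
                // Same name, different key (e.g. a re-keyed root): keep looking.
            }
        }
        return null;
    }

    /**
     * True if {@code cert} matches an {@code ssl.trusted} entry. Entries written
     * by this version are SHA-256 fingerprints of the DER encoding; entries
     * written earlier are the raw Base64 signature bytes and are still honoured
     * so existing configurations keep working.
     *
     * <p>NOTE(review): the legacy form identifies a certificate only by bytes that
     * nothing here verifies; consider migrating old entries to the fingerprint form.
     */
    private boolean isManuallyTrusted(final X509Certificate cert) throws CertificateException {
        if (!config.hasOptionString("ssl", "trusted")) {
            return false;
        }
        final List<String> exceptions = config.getOptionList("ssl", "trusted");
        if (exceptions == null) {
            return false;
        }
        return exceptions.contains(fingerprint(cert))
                || exceptions.contains(Base64.encodeToString(cert.getSignature(), false));
    }

    /** @return {@link #FINGERPRINT_PREFIX} followed by the hex SHA-256 of the DER-encoded certificate */
    private static String fingerprint(final X509Certificate cert) throws CertificateException {
        try {
            final byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            final StringBuilder hex = new StringBuilder(FINGERPRINT_PREFIX);
            for (byte b : digest) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 is not available", e);
        }
    }

    /**
     * Case-insensitive DNS-name comparison against {@link #serverName}, with
     * RFC 6125 §6.4.3 wildcard support: exactly one {@code *}, forming the whole
     * left-most label, matching exactly one label of the host; never against an
     * IP literal and never when the remaining suffix is a single label.
     */
    private boolean hostMatches(final String presented) {
        if (presented == null || serverName == null) {
            return false;
        }
        final String host = serverName.toLowerCase(Locale.ROOT);
        final String pattern = presented.toLowerCase(Locale.ROOT);
        if (pattern.equals(host)) {
            return true;
        }
        if (!pattern.startsWith("*.") || pattern.indexOf('*', 1) >= 0 || looksLikeIpLiteral(host)) {
            return false;
        }
        final String suffix = pattern.substring(1); // ".example.org"
        final int firstDot = host.indexOf('.');
        return firstDot > 0
                && suffix.indexOf('.', 1) > 0
                && host.substring(firstDot).equals(suffix);
    }

    /** True for anything containing ':' (IPv6) or made only of digits and dots (IPv4). */
    private static boolean looksLikeIpLiteral(final String host) {
        if (host.indexOf(':') >= 0) {
            return true;
        }
        for (int i = 0; i < host.length(); i++) {
            final char c = host.charAt(i);
            if (c != '.' && (c < '0' || c > '9')) {
                return false;
            }
        }
        return true;
    }

    /** Closes {@code c} if non-null, ignoring close errors (nothing useful can be done with them here). */
    private static void closeQuietly(final Closeable c) {
        if (c == null) {
            return;
        }
        try {
            c.close();
        } catch (IOException ignored) {
            // best effort
        }
    }
}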
