package com.sshtools.jaul.toolbox.cli;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.List;
import java.util.ResourceBundle;
import java.util.concurrent.Semaphore;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sshtools/jaul/toolbox/cli/PromptingCertManager.class */
public abstract class PromptingCertManager implements X509TrustManager, HostnameVerifier {
    static Logger log = LoggerFactory.getLogger(PromptingCertManager.class);
    private SSLContext sslContext;
    private SSLParameters sslParameters;
    private final ResourceBundle bundle;
    private final boolean strictSSL;

    /* loaded from: input_file:com/sshtools/jaul/toolbox/cli/PromptingCertManager$PromptType.class */
    public enum PromptType {
        NONE,
        INFORMATION,
        WARNING,
        CONFIRMATION,
        ERROR
    }

    public PromptingCertManager(ResourceBundle resourceBundle) {
        this(resourceBundle, "true".equals(System.getProperty("vnsee-agent.strictSSL", "true")));
    }

    public PromptingCertManager(ResourceBundle resourceBundle, boolean z) {
        this.bundle = resourceBundle;
        this.strictSSL = z;
        installCertificateVerifier();
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new UnsupportedOperationException();
    }

    protected boolean isStrictSSL() {
        return this.strictSSL;
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (isStrictSSL()) {
            ArrayList arrayList = new ArrayList();
            for (X509Certificate x509Certificate : x509CertificateArr) {
                try {
                    if (log.isDebugEnabled()) {
                        log.debug(String.format("Validating: %s", x509Certificate));
                    }
                    arrayList.add(x509Certificate.getSubjectDN().toString());
                    x509Certificate.checkValidity();
                } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                    String hash = hash(x509Certificate.getPublicKey().getEncoded());
                    if (isAccepted(hash)) {
                        log.debug(String.format("Accepting server certificate, it has previously been accepted.", new Object[0]));
                        return;
                    }
                    String string = this.bundle.getString(e instanceof CertificateExpiredException ? "certificate.certificateExpired.title" : "certificate.certificateNotYetValid.title");
                    String string2 = this.bundle.getString(e instanceof CertificateExpiredException ? "certificate.certificateExpired.content" : "certificate.certificateNotYetValid.content");
                    if (isToolkitThread()) {
                        if (promptForCertificate(PromptType.WARNING, string, string2, hash, x509Certificate.getSubjectDN().toString(), e.getMessage())) {
                            accept(hash);
                        } else {
                            reject(hash);
                        }
                        throw e;
                    }
                    AtomicBoolean atomicBoolean = new AtomicBoolean();
                    Semaphore semaphore = new Semaphore(1);
                    try {
                        semaphore.acquire();
                        runOnToolkitThread(() -> {
                            atomicBoolean.set(promptForCertificate(PromptType.WARNING, string, string2, hash, x509Certificate.getSubjectDN().toString(), e.getMessage()));
                            semaphore.release();
                        });
                        semaphore.acquire();
                        semaphore.release();
                        if (atomicBoolean.get()) {
                            accept(hash);
                            return;
                        }
                        return;
                    } catch (InterruptedException e2) {
                        throw e;
                    }
                }
            }
        }
    }

    public abstract boolean isAccepted(String str);

    public abstract void accept(String str);

    public abstract void reject(String str);

    private void installCertificateVerifier() {
        if (!isStrictSSL()) {
            log.warn("NOT FOR PRODUCTION USE. All SSL certificates will be trusted regardless of status. This should only be used for testing.");
        }
        Security.insertProviderAt(new ClientTrustProvider(this), 1);
        Security.setProperty("ssl.TrustManagerFactory.algorithm", ClientTrustProvider.TRUST_PROVIDER_ALG);
        try {
            this.sslContext = SSLContext.getInstance("SSL");
            this.sslContext.init(null, new TrustManager[]{this}, new SecureRandom());
            this.sslParameters = this.sslContext.getDefaultSSLParameters();
            this.sslParameters.setEndpointIdentificationAlgorithm(null);
            HttpsURLConnection.setDefaultSSLSocketFactory(this.sslContext.getSocketFactory());
            SSLContext.setDefault(this.sslContext);
            HttpsURLConnection.setDefaultHostnameVerifier(this);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Could not initialise SSL.", e);
        }
    }

    public SSLContext getSSLContext() {
        return this.sslContext;
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    @Override // javax.net.ssl.HostnameVerifier
    public synchronized boolean verify(String str, SSLSession sSLSession) {
        log.debug(String.format("Verify hostname %s: %s", str, sSLSession));
        if (!isStrictSSL()) {
            return true;
        }
        try {
            String hash = hash(((X509Certificate) sSLSession.getPeerCertificates()[0]).getPublicKey().getEncoded());
            try {
                if (isAccepted(hash)) {
                    log.debug(String.format("Accepting certificate for hostname %s, it has previously been accepted: %s", str, sSLSession));
                    return true;
                }
                verifyHostname(sSLSession);
                return true;
            } catch (SSLPeerUnverifiedException e) {
                if (isToolkitThread()) {
                    boolean promptForCertificate = promptForCertificate(PromptType.WARNING, this.bundle.getString("certificate.invalidCertificate.title"), this.bundle.getString("certificate.invalidCertificate.content"), hash, str, e.getMessage());
                    if (promptForCertificate) {
                        accept(hash);
                    } else {
                        reject(hash);
                    }
                    return promptForCertificate;
                }
                AtomicBoolean atomicBoolean = new AtomicBoolean();
                Semaphore semaphore = new Semaphore(1);
                try {
                    semaphore.acquire();
                    runOnToolkitThread(() -> {
                        atomicBoolean.set(promptForCertificate(PromptType.WARNING, this.bundle.getString("certificate.invalidCertificate.title"), this.bundle.getString("certificate.invalidCertificate.content"), hash, str, e.getMessage()));
                        semaphore.release();
                    });
                    semaphore.acquire();
                    semaphore.release();
                    boolean z = atomicBoolean.get();
                    if (z) {
                        accept(hash);
                    }
                    return z;
                } catch (InterruptedException e2) {
                    return false;
                }
            }
        } catch (SSLPeerUnverifiedException e3) {
            throw new IllegalStateException("Failed to extract certificate.", e3);
        }
    }

    protected void verifyHostname(SSLSession sSLSession) throws SSLPeerUnverifiedException {
        String commonName;
        try {
            String peerHost = sSLSession.getPeerHost();
            X509Certificate x509Certificate = (X509Certificate) sSLSession.getPeerCertificates()[0];
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (isIpv4Address(peerHost)) {
                for (List<?> list : subjectAlternativeNames) {
                    if (list.size() == 2 && ((Integer) list.get(0)).intValue() == 7 && peerHost.equalsIgnoreCase((String) list.get(1))) {
                        return;
                    }
                }
                throw new SSLPeerUnverifiedException(MessageFormat.format(this.bundle.getString("certificate.verify.error.noIpv4HostnameMatch"), peerHost));
            }
            boolean z = false;
            for (List<?> list2 : subjectAlternativeNames) {
                if (list2.size() == 2 && ((Integer) list2.get(0)).intValue() == 2) {
                    z = true;
                    if (matchHostname(peerHost, (String) list2.get(1))) {
                        return;
                    }
                }
            }
            if (z || (commonName = getCommonName(x509Certificate)) == null || !matchHostname(peerHost, commonName)) {
                throw new SSLPeerUnverifiedException(MessageFormat.format(this.bundle.getString("certificate.verify.error.noSanHostnameMatch"), peerHost));
            }
        } catch (CertificateParsingException e) {
            throw new SSLPeerUnverifiedException(MessageFormat.format(this.bundle.getString("certificate.verify.error.failedToParse"), e.getMessage()));
        }
    }

    public boolean matchHostname(String str, String str2) {
        if (str.equalsIgnoreCase(str2)) {
            return true;
        }
        String[] split = str2.split(".");
        String[] split2 = str2.split(".");
        if (split.length != split2.length) {
            return false;
        }
        for (int i = 1; i < split.length; i++) {
            if (!split2[i].equalsIgnoreCase(split[i])) {
                return false;
            }
        }
        return split.length > 0 && "*".equals(split[0]);
    }

    public String getCommonName(X509Certificate x509Certificate) {
        try {
            String str = null;
            for (Rdn rdn : new LdapName(x509Certificate.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    str = rdn.getValue().toString();
                }
            }
            return str;
        } catch (InvalidNameException e) {
            return null;
        }
    }

    public boolean isIpv4Address(String str) {
        String[] split = str.split("\\.");
        if (split.length != 4) {
            return false;
        }
        for (String str2 : split) {
            try {
                int parseInt = Integer.parseInt(str2);
                if (parseInt < 0 || parseInt > 255) {
                    return false;
                }
            } catch (NumberFormatException e) {
                return false;
            }
        }
        return true;
    }

    protected abstract boolean isToolkitThread();

    protected abstract void runOnToolkitThread(Runnable runnable);

    public abstract boolean promptForCertificate(PromptType promptType, String str, String str2, String str3, String str4, String str5);

    public abstract void save(String str);

    public SSLParameters getSSLParameters() {
        return this.sslParameters;
    }

    static String hash(byte[] bArr) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
            messageDigest.update(bArr);
            return Base64.getEncoder().encodeToString(messageDigest.digest());
        } catch (Exception e) {
            throw new IllegalStateException("Failed to hash.", e);
        }
    }
}
