package be.iminds.ilabt.jfed.util;

import be.iminds.ilabt.jfed.lowlevel.connection.JFedConnection;
import be.iminds.ilabt.jfed.util.SshServerProxyHelper;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Socket;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.conn.HttpRoutedConnection;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.protocol.HttpContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:be/iminds/ilabt/jfed/util/SSLCertificateDownloader.class */
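/**
 * Opens a TLS connection to the host of a URL, records the certificate chain the server
 * presents, and summarises it in an {@link SSLCertificateJFedInfo}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The chain is recorded <em>before</em> it is validated against the jFed trust store, and a
 *       failed handshake is only logged. A returned certificate is therefore "what the peer
 *       presented", not "what was validated".</li>
 *   <li>No endpoint identification is configured on the socket; the only hostname check is the
 *       string comparison between the leaf certificate's CN and the URL host.</li>
 *   <li>{@link SSLCertificateJFedInfo#isTrusted()} reflects that CN comparison only.</li>
 * </ul>
 */
public class SSLCertificateDownloader {
    private static final Logger LOG = LoggerFactory.getLogger(SSLCertificateDownloader.class);

    /**
     * Extracts a CN value from the textual subject DN. The leading {@code .*} is greedy, so when
     * the text contains several {@code CN=} occurrences the last one is captured.
     */
    private static final Pattern CN_PATTERN = Pattern.compile(".*CN=([^ ,]*)[ ,]*.*");
    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    /** GeneralName type tag that {@link X509Certificate#getSubjectAlternativeNames()} uses for URI entries. */
    private static final int SAN_TYPE_URI = 6;

    /**
     * HTTP response interceptor that copies the X.509 peer certificates of a secure connection
     * into its fields. Non-secure connections and connections without peer certificates are ignored.
     */
    private static class CertificateInterceptor implements HttpResponseInterceptor {
        private List<X509Certificate> certificateList;
        private X509Certificate[] certificateArr;

        private CertificateInterceptor() {
        }

        @Override // org.apache.http.HttpResponseInterceptor
        public void process(HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
            HttpRoutedConnection httpRoutedConnection = (HttpRoutedConnection) httpContext.getAttribute("http.connection");
            Certificate[] peerCertificates = httpRoutedConnection.getSSLSession() != null ? httpRoutedConnection.getSSLSession().getPeerCertificates() : null;
            LOG.debug("processing HttpResponse. secure=" + httpRoutedConnection.isSecure() + " certs:" + (peerCertificates == null ? null : Arrays.asList(peerCertificates)));
            if (!httpRoutedConnection.isSecure() || peerCertificates == null) {
                return;
            }
            List<X509Certificate> x509Certificates = new ArrayList<>(peerCertificates.length);
            for (Certificate certificate : peerCertificates) {
                if (certificate instanceof X509Certificate) {
                    x509Certificates.add((X509Certificate) certificate);
                } else {
                    LOG.warn("Not an X509 cert in chain: " + certificate);
                }
            }
            this.certificateList = x509Certificates;
            this.certificateArr = x509Certificates.toArray(new X509Certificate[0]);
        }
    }

    /**
     * Result of a certificate download: the presented certificate and chain, values derived from
     * them, and whether the attempt ended in a connection error.
     *
     * <p>The {@code Boolean} getters return {@code null} when the value was never determined.
     */
    public static class SSLCertificateJFedInfo {
        private X509Certificate cert;
        private X509Certificate[] certchain;
        private String urn;
        private String urnAuthPart;
        private String subject;
        private Boolean selfSigned;
        private Boolean subjectMatchesHostname;
        private final URL url;
        private final String hostname;
        private final boolean connectionError;
        private final Exception connectionException;
        private boolean trusted;

        private SSLCertificateJFedInfo(X509Certificate x509Certificate, String str, String str2, String str3, boolean z, URL url, String str4) {
            this.cert = x509Certificate;
            this.urn = str;
            this.urnAuthPart = str2;
            this.subject = str3;
            this.selfSigned = Boolean.valueOf(z);
            this.url = url;
            this.hostname = str4;
            this.connectionError = false;
            this.connectionException = null;
            this.trusted = false;
        }

        /**
         * Creates an info object for an already known certificate; all derived values stay unset.
         *
         * @param x509Certificate the certificate to wrap
         * @param url the URL the certificate belongs to
         * @param str the hostname the certificate belongs to
         */
        public SSLCertificateJFedInfo(X509Certificate x509Certificate, URL url, String str) {
            this.cert = x509Certificate;
            this.urn = null;
            this.urnAuthPart = null;
            this.subject = null;
            this.selfSigned = null;
            this.subjectMatchesHostname = null;
            this.url = url;
            this.hostname = str;
            this.connectionError = false;
            this.connectionException = null;
            this.trusted = false;
        }

        /** Creates an empty, non-error info object that the downloader fills in afterwards. */
        private SSLCertificateJFedInfo(URL url, String str) {
            this.cert = null;
            this.urn = null;
            this.urnAuthPart = null;
            this.subject = null;
            this.selfSigned = null;
            this.subjectMatchesHostname = null;
            this.url = url;
            this.hostname = str;
            this.connectionError = false;
            this.connectionException = null;
            this.trusted = false;
        }

        /** Creates an info object that records a failed attempt and the exception that caused it. */
        private SSLCertificateJFedInfo(URL url, String str, Exception exc) {
            this.cert = null;
            this.urn = null;
            this.urnAuthPart = null;
            this.subject = null;
            this.selfSigned = null;
            this.subjectMatchesHostname = null;
            this.url = url;
            this.hostname = str;
            this.connectionError = true;
            this.connectionException = exc;
            this.trusted = false;
        }

        /** @return the first certificate of the presented chain, or {@code null} if none was obtained */
        public X509Certificate getCert() {
            return this.cert;
        }

        /** @return the last URI subject alternative name in the chain that parsed as a GENI URN, or {@code null} */
        public String getUrn() {
            return this.urn;
        }

        /** @return the encoded top-level authority of {@link #getUrn()}, or {@code null} */
        public String getUrnAuthPart() {
            return this.urnAuthPart;
        }

        /** @return the CN extracted from the certificate subject, or {@code null} if none was found */
        public String getSubject() {
            return this.subject;
        }

        /** @return whether any certificate in the chain looked self-signed, or {@code null} if unknown */
        public Boolean isSelfSigned() {
            return this.selfSigned;
        }

        /** @return whether the extracted CN equals the URL host exactly, or {@code null} if unknown */
        public Boolean getSubjectMatchesHostname() {
            return this.subjectMatchesHostname;
        }

        /** @return the presented chain (the internal array, not a copy), or {@code null} */
        public X509Certificate[] getChain() {
            return this.certchain;
        }

        /** @return the last certificate of the chain, or {@code null} when there is no chain */
        public X509Certificate getChainRoot() {
            if (this.certchain == null || this.certchain.length == 0) {
                return null;
            }
            return this.certchain[this.certchain.length - 1];
        }

        public URL getUrl() {
            return this.url;
        }

        public String getHostname() {
            return this.hostname;
        }

        /** @return {@code true} when the download attempt failed; see {@link #getConnectionException()} */
        public boolean isConnectionError() {
            return this.connectionError;
        }

        public Exception getConnectionException() {
            return this.connectionException;
        }

        @Override
        public String toString() {
            return "SSLCertificateJFedInfo{cert=" + (this.cert == null ? "none" : "present") + ", certchain has " + (this.certchain == null ? null : Integer.valueOf(this.certchain.length)) + " elements, urn='" + this.urn + "', urnAuthPart='" + this.urnAuthPart + "', subject='" + this.subject + "', selfSigned=" + this.selfSigned + ", subjectMatchesHostname=" + this.subjectMatchesHostname + ", url=" + this.url + ", hostname=" + this.hostname + ", trusted=" + this.trusted + "}";
        }

        /**
         * @return {@code true} only when the downloader found the certificate CN equal to the URL
         *     host. This is not the outcome of certificate-chain validation.
         */
        public boolean isTrusted() {
            return this.trusted;
        }
    }

    /**
     * Trust manager that remembers the server chain it was asked about and then delegates the
     * decision to the wrapped trust manager.
     */
    public static class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;

        /** Last chain passed to {@link #checkServerTrusted}; set even when the delegate rejects it. */
        public X509Certificate[] chain;

        public SavingTrustManager(X509TrustManager x509TrustManager) {
            this.tm = x509TrustManager;
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            throw new UnsupportedOperationException();
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            // Record first: the chain must be available to the caller even if validation fails.
            this.chain = x509CertificateArr;
            this.tm.checkServerTrusted(x509CertificateArr, str);
        }
    }

    /** Formats each byte as two lowercase hex digits followed by a space. */
    private static String toHexString(byte[] bArr) {
        StringBuilder sb = new StringBuilder(bArr.length * 3);
        for (byte b : bArr) {
            int i = b & 255;
            sb.append(HEXDIGITS[i >> 4]);
            sb.append(HEXDIGITS[i & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    /** Closes a socket and logs, rather than propagates, any error raised while closing. */
    private static void closeQuietly(Socket socket) {
        try {
            socket.close();
        } catch (IOException e) {
            LOG.debug("Ignoring error while closing socket", e);
        }
    }

    /**
     * Copies the GENI URN found in the certificate's URI subject alternative names into
     * {@code info}. URI entries that do not parse as a URN are logged and skipped.
     */
    private static void readAuthorityUrn(X509Certificate certificate, SSLCertificateJFedInfo info) {
        Collection<List<?>> subjectAlternativeNames;
        try {
            subjectAlternativeNames = certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            // Best effort: a certificate with an unreadable SAN extension simply contributes no URN.
            LOG.debug("Could not parse subject alternative names of " + certificate.getSubjectX500Principal(), e);
            return;
        }
        if (subjectAlternativeNames == null) {
            return;
        }
        for (List<?> alternativeName : subjectAlternativeNames) {
            if (((Integer) alternativeName.get(0)).intValue() != SAN_TYPE_URI) {
                continue;
            }
            String uri = (String) alternativeName.get(1);
            GeniUrn parsed = GeniUrn.parse(uri);
            if (parsed == null) {
                LOG.warn("Warning: certificate alternative name URI is not a valid authority urn: \"" + uri + "\"  (will be ignored)");
            } else {
                info.urnAuthPart = parsed.getEncodedTopLevelAuthority();
                info.urn = uri;
            }
        }
    }

    /** Returns whether the certificate's signature verifies against its own public key. */
    private static boolean isSignedByOwnKey(X509Certificate certificate) {
        try {
            certificate.verify(certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            return false;
        }
    }

    /**
     * Downloads the server certificate of {@code url} over a direct connection.
     *
     * @return the first certificate of the presented chain, or {@code null} if none was obtained
     */
    public static X509Certificate getCertificate(URL url) {
        return getCertificate(url, null);
    }

    /**
     * Downloads the server certificate of {@code url}, optionally through an SSH proxy.
     *
     * @return the first certificate of the presented chain, or {@code null} if none was obtained
     */
    public static X509Certificate getCertificate(URL url, JFedConnection.SshProxyInfo sshProxyInfo) {
        return getCertificateInfo(url, sshProxyInfo).getCert();
    }

    /** Same as {@link #getCertificateInfo(URL, JFedConnection.SshProxyInfo)} without a proxy. */
    public static SSLCertificateJFedInfo getCertificateInfo(URL url) {
        return getCertificateInfo(url, null);
    }

    /**
     * Connects to the host of {@code url} (port 443 when the URL has none), performs a TLS
     * handshake and describes the certificate chain the server presented.
     *
     * <p>A handshake that fails with an {@link SSLException} is logged and the chain recorded so
     * far is still reported, so the result can describe a certificate the jFed trust store
     * rejected. Every other failure, including a server that presented no chain at all, yields
     * an info object with {@link SSLCertificateJFedInfo#isConnectionError()} set.
     *
     * @param url the HTTPS endpoint to inspect
     * @param sshProxyInfo SSH proxy to tunnel through, or {@code null} for a direct connection
     * @return the collected information; never {@code null}
     */
    public static SSLCertificateJFedInfo getCertificateInfo(URL url, JFedConnection.SshProxyInfo sshProxyInfo) {
        try {
            KeyStore trustStore = new JFedTrustStore().getTrustStore();
            SSLContext sslContext = SSLContext.getInstance("TLS");
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            SavingTrustManager savingTrustManager = new SavingTrustManager((X509TrustManager) trustManagerFactory.getTrustManagers()[0]);
            sslContext.init(null, new TrustManager[]{savingTrustManager}, null);
            SSLSocketFactory socketFactory = sslContext.getSocketFactory();
            String host = url.getHost();
            int port = url.getPort() < 0 ? 443 : url.getPort();

            SSLSocket sslSocket;
            if (sshProxyInfo == null) {
                sslSocket = (SSLSocket) socketFactory.createSocket(host, port);
            } else {
                LOG.info("Tunneling SSL socket over SSH proxy");
                // NOTE(review): NoopHostnameVerifier is handed to the proxy factory, so presumably no
                // hostname verification happens inside it - confirm in SshServerProxyHelper.
                Socket tunnel = new SshServerProxyHelper.SslOverSshProxySocketFactory(sslContext, NoopHostnameVerifier.INSTANCE, sshProxyInfo, host, Integer.valueOf(port)).createSocket(null);
                try {
                    tunnel.connect(new InetSocketAddress(host, port), 5000);
                    // autoClose=true: closing the TLS socket also closes the tunnel socket.
                    sslSocket = (SSLSocket) socketFactory.createSocket(tunnel, host, port, true);
                } catch (IOException | RuntimeException e) {
                    // The TLS socket never took ownership of the tunnel, so release it here.
                    closeQuietly(tunnel);
                    throw e;
                }
            }

            SSLException handshakeFailure = null;
            try {
                sslSocket.setSoTimeout(10000);
                sslSocket.startHandshake();
                LOG.info("SSL connection setup success");
            } catch (SSLException e) {
                // Includes rejection of the chain by the trust store; the chain is still inspected below.
                handshakeFailure = e;
                LOG.info("SSL connection setup failed", e);
            } finally {
                // Close on every path; previously a failed handshake left the socket open.
                closeQuietly(sslSocket);
            }

            X509Certificate[] chain = savingTrustManager.chain;
            LOG.debug("Got peer certificates from spy:" + (chain == null ? null : Collections.singletonList(Arrays.asList(chain))));
            if (chain == null || chain.length == 0) {
                // The handshake ended before the trust manager saw a chain. Report the real cause
                // instead of letting a NullPointerException stand in for it.
                LOG.error("Could not obtain server certificate chain");
                Exception cause = handshakeFailure != null ? handshakeFailure : new SSLException("Server presented no certificate chain");
                return new SSLCertificateJFedInfo(url, host, cause);
            }

            SSLCertificateJFedInfo info = new SSLCertificateJFedInfo(url, host);
            boolean selfSigned = false;
            // Every certificate of the chain is examined, not only the leaf: the URN may come from
            // any of them and one self-signed element marks the whole result as self-signed.
            for (X509Certificate certificate : chain) {
                readAuthorityUrn(certificate, info);
                if (Objects.equals(certificate.getIssuerDN(), certificate.getSubjectDN())) {
                    LOG.debug("Certificate has same issues and subject -> it's self signed!");
                    selfSigned = true;
                }
                if (isSignedByOwnKey(certificate)) {
                    LOG.debug("Certificate has signed itself -> it's self signed!");
                    selfSigned = true;
                }
            }

            info.cert = chain[0];
            info.certchain = chain;
            Matcher matcher = CN_PATTERN.matcher(info.cert.getSubjectX500Principal().toString());
            info.subject = matcher.matches() ? matcher.group(1) : null;
            // Exact, case-sensitive comparison of the CN with the URL host; dNSName subject
            // alternative names and wildcard certificates are not considered.
            info.subjectMatchesHostname = Boolean.valueOf(Objects.equals(info.subject, host));
            // NOTE(review): "trusted" is derived from the CN comparison alone. It is true for a chain
            // the trust store rejected (handshakeFailure != null) as long as the peer chose a CN
            // equal to the host, so it must not be read as proof of the server's identity.
            // TODO confirm how callers use isTrusted() before tying it to the handshake result.
            info.trusted = info.subjectMatchesHostname.booleanValue();
            info.selfSigned = Boolean.valueOf(selfSigned);
            return info;
        } catch (Exception e) {
            LOG.info("Failed to fetch SSL certificate: " + e.getMessage(), e);
            return new SSLCertificateJFedInfo(url, url.getHost(), e);
        }
    }

    /** Manual smoke test: prints the certificate information of a fixed test URL. */
    public static void main(String[] strArr) throws MalformedURLException {
        System.out.println("returned cert: " + getCertificateInfo(new URL("https://www.wall3.test.ibbt.be/")));
    }
}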
