package com.ibm.ws.st.core.internal.security;

import com.ibm.ws.st.core.internal.Activator;
import com.ibm.ws.st.core.internal.Trace;
import com.ibm.ws.st.core.internal.security.LibertyX509CertPathValidatorResult;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.net.ssl.X509TrustManager;
import org.eclipse.core.runtime.FileLocator;
import org.eclipse.core.runtime.Path;
import org.eclipse.core.runtime.Platform;
import org.osgi.framework.Bundle;

/* loaded from: input_file:com/ibm/ws/st/core/internal/security/LibertyX509TrustManager.class */
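/**
 * Trust manager that decides whether a server's X.509 chain is trusted.
 *
 * <p>Decision order in {@link #checkServerTrusted}:
 * <ol>
 *   <li>PKIX validation against the keystore resource bundled with the plug-in
 *       ({@value #TRUSTED_KEYSTORE}), unless that resource is absent or skipped via the
 *       {@value #IGNORE_PREDEFINED_KEYSTORE_PROPERTY} system property;</li>
 *   <li>a lookup of the failing certificate in {@code LibertyX509CertRegistry};</li>
 *   <li>the {@code LibertyX509CertPathValidatorRegistry} validators, whose last result may
 *       also cause the certificate to be remembered for the session or the workspace.</li>
 * </ol>
 * If none of these accepts the chain, a {@link CertificateException} is thrown. This class
 * only acts on the client side of a TLS connection; client certificate checks are refused.
 */
public class LibertyX509TrustManager implements X509TrustManager {
    private static final String CERTIFICATE_TYPE = "X.509";
    private static final String ALGORITHM_TYPE = "PKIX";
    private static final String TRUSTED_KEYSTORE = "libertycerts";
    /** System property; when {@code true} the bundled keystore is looked up under a different name and so skipped. */
    private static final String IGNORE_PREDEFINED_KEYSTORE_PROPERTY = "Liberty.Security.IgnorePredefined.KeyStore";
    /** Trace level used by every trace call in this class. */
    private static final byte TRACE_LEVEL = 9;

    /**
     * Returns the issuers this trust manager accepts for client authentication.
     *
     * @return an empty array; the {@link X509TrustManager} contract requires a non-null
     *         (possibly empty) array, and JSSE callers may iterate the result.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /**
     * Refuses every client chain: this trust manager is only meant to validate the server side
     * of a connection opened by the tools, so there is no policy for client certificates.
     *
     * @param chain    the peer certificate chain (ignored)
     * @param authType the authentication type (ignored)
     * @throws CertificateException always
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("Client certificate authentication is not supported by "
                + getClass().getName());
    }

    /**
     * Validates a server certificate chain as described in the class comment.
     *
     * @param chain    the server's certificate chain, leaf first
     * @param authType the key exchange algorithm name, used only for tracing
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     * @throws CertificateException     if the chain cannot be parsed into a {@link CertPath}, or
     *                                  no step of the decision chain accepted it
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            // Required by the X509TrustManager contract; also avoids the NPE Arrays.asList(null) would raise below.
            throw new IllegalArgumentException("Server certificate chain is null or empty");
        }
        if (Trace.ENABLED) {
            Trace.trace(TRACE_LEVEL, "certs=[" + Arrays.toString(chain) + "] authType=[" + authType + "]");
        }
        CertificateFactory certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
        if (Trace.ENABLED) {
            Trace.trace(TRACE_LEVEL, "certificateFactory=[" + certificateFactory + "]");
        }
        CertPath presentedPath = certificateFactory.generateCertPath(Arrays.asList(chain));
        if (Trace.ENABLED) {
            Trace.trace(TRACE_LEVEL, "certPath=[" + presentedPath + "]");
        }

        boolean trusted = false;
        // First failure seen; becomes the cause of the CertificateException if nothing accepts the chain.
        Throwable failure = null;
        // The path/index/certificate the later steps look at ("nasty" in the trace output).
        CertPath failedPath = null;
        Certificate failedCert = null;
        int failedIndex = -1;

        URL keyStoreUrl = findPredefinedKeyStore();
        if (keyStoreUrl != null) {
            try {
                validateAgainstKeyStore(presentedPath, keyStoreUrl);
                trusted = true;
            } catch (IOException e) {
                Trace.logError("Failed to open keystore input stream, or load the keystore from it.", e);
                failure = e;
            } catch (InvalidAlgorithmParameterException e) {
                Trace.logError("Failed to construct or use PKIXParameters.", e);
                failure = e;
            } catch (KeyStoreException e) {
                Trace.logError("KeyStore.getInstance() or new PKIXParameters(...) failed.", e);
                failure = e;
            } catch (NoSuchAlgorithmException e) {
                Trace.logError("CertPathValidator.getInstance() or KeyStore.load(...) failed.", e);
                failure = e;
            } catch (CertPathValidatorException e) {
                if (Trace.ENABLED) {
                    Trace.trace(TRACE_LEVEL, "Server certificate validation failed.", e);
                }
                failure = e;
                failedPath = e.getCertPath();
                if (failedPath != null) {
                    List<? extends Certificate> certificates = failedPath.getCertificates();
                    int size = certificates.size();
                    if (size > 0) {
                        // A negative index means the validator did not blame a specific certificate; use the last one.
                        failedIndex = e.getIndex();
                        failedCert = failedIndex >= 0 ? certificates.get(failedIndex) : certificates.get(size - 1);
                    }
                    if (Trace.ENABLED) {
                        Trace.trace(TRACE_LEVEL, "nastyCertPath=[" + failedPath + "] size=[" + size + "] nastyIndex=["
                                + failedIndex + "] nastyCert=[" + failedCert + "]");
                    }
                }
            } catch (CertificateException e) {
                // Thrown by KeyStore.load(...) when the resource is not a loadable keystore.
                if (Trace.ENABLED) {
                    Trace.trace(TRACE_LEVEL, "No predefined KeyStore was found.", e);
                }
                failure = e;
            }
        }

        if (!trusted) {
            if (failedPath == null) {
                // No validator-reported path: fall back to the presented chain and blame its last certificate.
                failedPath = presentedPath;
                List<? extends Certificate> certificates = presentedPath.getCertificates();
                failedIndex = certificates.size() - 1;
                if (failedIndex >= 0) {
                    failedCert = certificates.get(failedIndex);
                }
                if (Trace.ENABLED) {
                    Trace.trace(TRACE_LEVEL, "nastyCertPath=[" + failedPath + "] nastyIndex=[" + failedIndex
                            + "] nastyCert=[" + failedCert + "]");
                }
            }
            try {
                trusted = LibertyX509CertRegistry.instance().isTrusted(failedCert);
            } catch (KeyStoreException e) {
                Trace.logError("An unexpected error occurred while checking the registry.", e);
            }
        }

        if (!trusted && failedPath != null) {
            trusted = consultValidators(failedPath, failedIndex, failure);
        }

        if (Trace.ENABLED) {
            Trace.trace(TRACE_LEVEL, "valid=[" + trusted + "]");
        }
        if (trusted) {
            return;
        }
        // Fail closed. Previously a chain with no recorded failure (for example: bundled keystore absent,
        // registry lookup negative, every validator abstained) returned normally here and was silently trusted.
        if (failure != null) {
            throw new CertificateException("Server certificate chain is not trusted", failure);
        }
        throw new CertificateException("Server certificate chain is not trusted");
    }

    /**
     * Locates the keystore resource bundled with the plug-in.
     *
     * @return the resource URL, or {@code null} if the plug-in bundle or the resource is not found
     *         (which is the expected outcome when the ignore property is set)
     */
    private static URL findPredefinedKeyStore() {
        String resourceName = TRUSTED_KEYSTORE;
        if (Boolean.getBoolean(IGNORE_PREDEFINED_KEYSTORE_PROPERTY)) {
            // Changing the looked-up name is how the bundled store gets skipped — presumably no such resource exists.
            resourceName = resourceName + "_ignore";
        }
        Bundle bundle = Platform.getBundle(Activator.PLUGIN_ID);
        return bundle == null ? null : FileLocator.find(bundle, new Path(resourceName), (Map) null);
    }

    /**
     * Runs PKIX validation of {@code certPath} against the trust anchors in the keystore at {@code keyStoreUrl}.
     *
     * @param certPath    the chain to validate
     * @param keyStoreUrl location of the keystore (default {@link KeyStore} type, password from the registry)
     * @throws IOException                        if the keystore cannot be opened or read
     * @throws NoSuchAlgorithmException           if the PKIX validator or the keystore integrity algorithm is missing
     * @throws KeyStoreException                  if the keystore type is unavailable or it is not initialised
     * @throws CertificateException               if a certificate in the keystore cannot be loaded
     * @throws InvalidAlgorithmParameterException if the keystore holds no usable trust anchors
     * @throws CertPathValidatorException         if the chain does not validate
     */
    private static void validateAgainstKeyStore(CertPath certPath, URL keyStoreUrl)
            throws IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException,
            InvalidAlgorithmParameterException, CertPathValidatorException {
        CertPathValidator certPathValidator = CertPathValidator.getInstance(ALGORITHM_TYPE);
        if (Trace.ENABLED) {
            Trace.trace(TRACE_LEVEL, "certPathValidator=[" + certPathValidator + "]");
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Trace.ENABLED) {
            Trace.trace(TRACE_LEVEL, "keystore=[" + keyStore + "]");
        }
        char[] password = LibertyX509CertRegistry.getPassword().toCharArray();
        try (InputStream in = keyStoreUrl.openStream()) {
            // try-with-resources closes the stream on every path; the original left it open.
            keyStore.load(in, password);
        } finally {
            // Do not leave the keystore password lying around in the heap longer than needed.
            Arrays.fill(password, '\0');
        }
        PKIXParameters parameters = new PKIXParameters(keyStore);
        // Revocation (CRL/OCSP) checking is disabled, as it was originally.
        // NOTE(review): confirm this is intended for the bundled anchors rather than an offline-only convenience.
        parameters.setRevocationEnabled(false);
        if (Trace.ENABLED) {
            Trace.trace(TRACE_LEVEL, "parameters=[" + parameters + "]");
        }
        certPathValidator.validate(certPath, parameters);
    }

    /**
     * Asks the registered validators about a chain that neither the bundled keystore nor the
     * certificate registry accepted, and records an accepting decision in the registry.
     *
     * @param certPath the chain under review
     * @param index    index of the blamed certificate in {@code certPath}, or -1
     * @param failure  the failure recorded so far, or {@code null}
     * @return {@code true} if the last validator result is neither ABSTAINED nor REJECTED
     */
    private static boolean consultValidators(CertPath certPath, int index, Throwable failure) {
        LibertyX509CertPathValidatorResult[] results =
                LibertyX509CertPathValidatorRegistry.instance().validate(certPath, index, null, failure);
        if (results.length == 0) {
            return false;
        }
        // Only the last result decides, as in the original implementation.
        LibertyX509CertPathValidatorResult last = results[results.length - 1];
        LibertyX509CertPathValidatorResult.Status status = last.getStatus();
        if (status == LibertyX509CertPathValidatorResult.Status.ABSTAINED
                || status == LibertyX509CertPathValidatorResult.Status.REJECTED) {
            return false;
        }
        try {
            if (status == LibertyX509CertPathValidatorResult.Status.VALID_FOR_SESSION) {
                LibertyX509CertRegistry.instance().trustCertificateTransiently(last.getCertificate());
            } else if (status == LibertyX509CertPathValidatorResult.Status.VALID_FOR_WORKSPACE) {
                LibertyX509CertRegistry.instance().trustCertificatePersistently(last.getCertificate());
            }
        } catch (KeyStoreException e) {
            // The chain is still accepted for this connection; only remembering it failed.
            Trace.logError("Saving the trusted certificate to the KeyStore failed", e);
        }
        return true;
    }
}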
