package com.unboundid.util.ssl;

import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.ldap.matchingrules.CaseIgnoreStringMatchingRule;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RDN;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.Debug;
import com.unboundid.util.NotMutable;
import com.unboundid.util.NotNull;
import com.unboundid.util.Nullable;
import com.unboundid.util.ObjectPair;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;
import com.unboundid.util.args.IPAddressArgumentValueValidator;
import java.net.InetAddress;
import java.net.URI;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.opensaml.security.x509.X500DNHandler;
import org.opensaml.security.x509.X509Support;

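/**
 * Checks that the certificate presented by a TLS peer names the host the
 * client intended to reach. It can be used both as an {@link SSLSocketVerifier}
 * and as a JSSE {@link HostnameVerifier}.
 *
 * <p>Matching order, as implemented in
 * {@link #certificateIncludesHostname}: a numeric loopback address is accepted
 * without looking at the certificate; then the subjectAltName entries of type
 * dNSName, uniformResourceIdentifier and iPAddress are compared; finally the
 * CN attributes of the subject DN are compared, unless alternative names were
 * seen and CN checking in that case has been turned off.
 *
 * <p>Security-relevant defaults worth reviewing when this class is deployed:
 * <ul>
 *   <li>The CN fallback stays enabled when subjectAltName values are present
 *       unless the system property named by
 *       {@link #PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT} is set to
 *       {@code false} or the two-argument constructor is used. RFC 6125 only
 *       permits the CN as a last resort when no usable alternative name is
 *       present, so strict deployments should disable it.</li>
 *   <li>Wildcard handling is opt-in through the constructor; see
 *       {@code hostnameMatches} for exactly what a wildcard is allowed to
 *       cover.</li>
 * </ul>
 *
 * <p>The class holds only two final booleans and is declared thread-safe and
 * immutable by its annotations.
 */
@ThreadSafety(level = ThreadSafetyLevel.COMPLETELY_THREADSAFE)
@NotMutable
/* loaded from: input_file:BOOT-INF/lib/unboundid-ldapsdk-6.0.10.jar:com/unboundid/util/ssl/HostNameSSLSocketVerifier.class */
public final class HostNameSSLSocketVerifier extends SSLSocketVerifier implements HostnameVerifier {

    /**
     * Name of the system property that supplies the default for the
     * "check CN even when subjectAltName is present" behaviour. Only the
     * value {@code false} (case-insensitive) turns the CN check off.
     */
    @NotNull
    public static final String PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT = HostNameSSLSocketVerifier.class.getName() + ".checkCNWhenSubjectAltNameIsPresent";

    // Resolved once in the static initializer at the bottom of the class.
    static final boolean DEFAULT_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT;

    // Whether a '*' in a certificate name may match part of the host name.
    private final boolean allowWildcards;

    // Whether subject CN values are still consulted when the certificate
    // carried dNSName, URI or iPAddress alternative names that did not match.
    private final boolean checkCNWhenSubjectAltNameIsPresent;

    /**
     * Creates a verifier that takes the CN-fallback setting from
     * {@link #DEFAULT_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT}.
     *
     * @param z whether wildcard certificate names are accepted
     */
    public HostNameSSLSocketVerifier(boolean z) {
        this(z, DEFAULT_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT);
    }

    /**
     * Creates a verifier with both policy switches given explicitly.
     *
     * @param z  whether wildcard certificate names are accepted
     * @param z2 whether subject CN values are checked even though the
     *           certificate contains subjectAltName values
     */
    public HostNameSSLSocketVerifier(boolean z, boolean z2) {
        this.allowWildcards = z;
        this.checkCNWhenSubjectAltNameIsPresent = z2;
    }

    /**
     * Verifies the session of an established socket against the expected host.
     *
     * @param str       host name or address the client connected to
     * @param i         port the client connected to (used in messages only)
     * @param sSLSocket socket whose session is inspected
     * @throws LDAPException with {@code CONNECT_ERROR} if the peer certificate
     *                       does not identify {@code str}
     */
    @Override // com.unboundid.util.ssl.SSLSocketVerifier
    public void verifySSLSocket(@NotNull String str, int i, @NotNull SSLSocket sSLSocket) throws LDAPException {
        verifySSLSession(str, i, sSLSocket.getSession());
    }

    /**
     * Shared implementation behind {@link #verifySSLSocket} and
     * {@link #verify}. Only the first certificate of the peer chain (the
     * end-entity certificate) is examined; chain trust is not evaluated here.
     *
     * @throws LDAPException with {@code CONNECT_ERROR} when there is no
     *                       session, no peer certificate, a non-X.509 peer
     *                       certificate, no matching name, or any unexpected
     *                       failure while inspecting the session
     */
    private void verifySSLSession(@NotNull String host, int port, @NotNull SSLSession session) throws LDAPException {
        try {
            if (session == null) {
                throw new LDAPException(ResultCode.CONNECT_ERROR, SSLMessages.ERR_HOST_NAME_SSL_SOCKET_VERIFIER_NO_SESSION.get(host, Integer.valueOf(port)));
            }

            final Certificate[] chain = session.getPeerCertificates();
            if (chain == null || chain.length == 0) {
                throw new LDAPException(ResultCode.CONNECT_ERROR, SSLMessages.ERR_HOST_NAME_SSL_SOCKET_VERIFIER_NO_PEER_CERTS.get(host, Integer.valueOf(port)));
            }

            final Certificate peerCertificate = chain[0];
            if (!(peerCertificate instanceof X509Certificate)) {
                throw new LDAPException(ResultCode.CONNECT_ERROR, SSLMessages.ERR_HOST_NAME_SSL_SOCKET_VERIFIER_PEER_NOT_X509.get(host, Integer.valueOf(port), peerCertificate.getType()));
            }

            // Collects the names found in the certificate so that a rejection
            // message tells the operator what the peer actually presented.
            final StringBuilder certificateInfo = new StringBuilder();
            final boolean matched = certificateIncludesHostname(host, (X509Certificate) peerCertificate, this.allowWildcards, this.checkCNWhenSubjectAltNameIsPresent, certificateInfo);
            if (!matched) {
                throw new LDAPException(ResultCode.CONNECT_ERROR, SSLMessages.ERR_HOST_NAME_SSL_SOCKET_VERIFIER_HOSTNAME_NOT_FOUND.get(host, certificateInfo.toString()));
            }
        } catch (LDAPException e) {
            Debug.debugException(e);
            throw e;
        } catch (Exception e2) {
            // Anything unexpected (for example an unverified peer) is reported
            // as a connect error, i.e. the check fails closed.
            Debug.debugException(e2);
            throw new LDAPException(ResultCode.CONNECT_ERROR, SSLMessages.ERR_HOST_NAME_SSL_SOCKET_VERIFIER_EXCEPTION.get(host, Integer.valueOf(port), StaticUtils.getExceptionMessage(e2)), e2);
        }
    }

    /**
     * Decides whether a certificate identifies the given host.
     *
     * @param str             host name or numeric address the client used
     * @param x509Certificate certificate presented by the peer
     * @param z               whether wildcard certificate names are accepted
     * @param z2              whether subject CN values are still checked when
     *                        the certificate has dNSName, URI or iPAddress
     *                        alternative names
     * @param sb              receives the subject and alternative names that
     *                        were examined, for use in diagnostics
     * @return {@code true} if a name in the certificate matches {@code str},
     *         or if {@code str} is a numeric loopback address
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean certificateIncludesHostname(@NotNull String str, @NotNull X509Certificate x509Certificate, boolean z, boolean z2, @NotNull StringBuilder sb) {
        InetAddress expectedAddress = null;
        if (IPAddressArgumentValueValidator.isValidNumericIPAddress(str)) {
            try {
                expectedAddress = LDAPConnectionOptions.DEFAULT_NAME_RESOLVER.getByName(str);
                // Security note: a numeric loopback target is accepted before
                // the certificate is looked at, so the certificate contents
                // are never compared for connections to a loopback address.
                if (expectedAddress.isLoopbackAddress()) {
                    return true;
                }
            } catch (Exception e) {
                // Resolution failed: continue without an address, which makes
                // every IP-based comparison below a non-match.
                Debug.debugException(e);
            }
        }

        // NOTE(review): the two org.opensaml constants used in this method
        // look like inlined string constants that the decompiler attributed
        // to an unrelated library; presumably "RFC2253" and the CN OID.
        // Confirm before relying on that dependency.
        final String subjectDN = x509Certificate.getSubjectX500Principal().getName(X500DNHandler.FORMAT_RFC2253);
        sb.append("subject='");
        sb.append(subjectDN);
        sb.append('\'');

        boolean sawRelevantAltName = false;
        try {
            final Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames != null) {
                for (List<?> altName : subjectAlternativeNames) {
                    // Element 0 is the GeneralName type tag, element 1 its value.
                    switch (((Integer) altName.get(0)).intValue()) {
                        case 2: // dNSName
                            String dnsName = (String) altName.get(1);
                            sb.append(" dnsName='");
                            sb.append(dnsName);
                            sb.append('\'');
                            if (hostnameMatches(str, dnsName, z)) {
                                return true;
                            }
                            sawRelevantAltName = true;
                            break;
                        case 6: // uniformResourceIdentifier
                            String uriValue = (String) altName.get(1);
                            sb.append(" uniformResourceIdentifier='");
                            sb.append(uriValue);
                            sb.append('\'');
                            String uriHost = getHostFromURI(uriValue);
                            if (uriHost != null) {
                                if (IPAddressArgumentValueValidator.isValidNumericIPAddress(uriHost)) {
                                    if (expectedAddress != null && ipAddressMatches(expectedAddress, uriHost)) {
                                        return true;
                                    }
                                } else if (hostnameMatches(str, uriHost, z)) {
                                    return true;
                                }
                            }
                            sawRelevantAltName = true;
                            break;
                        case 7: // iPAddress
                            String ipValue = (String) altName.get(1);
                            sb.append(" ipAddress='");
                            sb.append(ipValue);
                            sb.append('\'');
                            if (expectedAddress != null && ipAddressMatches(expectedAddress, ipValue)) {
                                return true;
                            }
                            sawRelevantAltName = true;
                            // The decompiled listing repeated this break; the
                            // second one was unreachable and has been dropped.
                            break;
                    }
                }
            }
        } catch (Exception e2) {
            // NOTE(review): a failure while reading the alternative names is
            // only logged. If it happens before any relevant entry was seen,
            // the CN fallback below still runs even when z2 is false.
            Debug.debugException(e2);
        }

        // Alternative names were present but none matched, and the caller
        // does not want the subject CN consulted in that situation.
        if (sawRelevantAltName && !z2) {
            return false;
        }

        try {
            for (RDN rdn : new DN(subjectDN).getRDNs()) {
                final String[] attributeNames = rdn.getAttributeNames();
                final String[] attributeValues = rdn.getAttributeValues();
                for (int idx = 0; idx < attributeNames.length; idx++) {
                    final String attributeName = StaticUtils.toLowerCase(attributeNames[idx]);
                    final boolean isCommonName = attributeName.equals("cn") || attributeName.equals("commonname") || attributeName.equals(X509Support.CN_OID);
                    if (isCommonName) {
                        final String commonName = attributeValues[idx];
                        if (!IPAddressArgumentValueValidator.isValidNumericIPAddress(commonName)) {
                            if (hostnameMatches(str, commonName, z)) {
                                return true;
                            }
                        } else if (expectedAddress != null && ipAddressMatches(expectedAddress, commonName)) {
                            return true;
                        }
                    }
                }
            }
            return false;
        } catch (Exception e3) {
            // An unparsable subject DN cannot match: fail closed.
            Debug.debugException(e3);
            return false;
        }
    }

    /**
     * Compares the expected host with one name taken from the certificate.
     *
     * <p>Without a {@code '*'} the comparison is a case-insensitive equality
     * test. With a {@code '*'} the name is rejected unless wildcards are
     * allowed, everything after the first label must be equal, and the
     * wildcard is interpreted inside the first label only.
     *
     * <p>Security note: when both names have no dot the remainder of each is
     * the empty string, so a certificate name consisting only of {@code "*"}
     * matches any single-label host while wildcards are enabled.
     */
    private static boolean hostnameMatches(@NotNull String expectedHost, @NotNull String certificateName, boolean wildcardsAllowed) {
        if (!certificateName.contains("*")) {
            return expectedHost.equalsIgnoreCase(certificateName);
        }
        if (!wildcardsAllowed) {
            return false;
        }

        final ObjectPair<String, String> hostParts = getFirstComponentAndRemainder(expectedHost);
        final ObjectPair<String, String> patternParts = getFirstComponentAndRemainder(certificateName);

        // A '*' beyond the first label ends up in the remainder and is
        // compared literally, so it cannot match a real host name.
        if (!hostParts.getSecond().equalsIgnoreCase(patternParts.getSecond())) {
            return false;
        }

        final String patternLabel = patternParts.getFirst();
        if (patternLabel.equals("*")) {
            return true;
        }

        try {
            // A partial wildcard such as "ab*cd" is evaluated by turning the
            // label into an LDAP substring filter. The certificate-supplied
            // label is concatenated unescaped; a label that does not parse,
            // or that parses to anything other than a substring filter, is
            // treated as a non-match.
            final Filter labelFilter = Filter.create("(hostname=" + patternLabel + ')');
            if (labelFilter.getFilterType() != Filter.FILTER_TYPE_SUBSTRING) {
                return false;
            }
            return CaseIgnoreStringMatchingRule.getInstance().matchesSubstring(new ASN1OctetString(hostParts.getFirst()), labelFilter.getRawSubInitialValue(), labelFilter.getRawSubAnyValues(), labelFilter.getRawSubFinalValue());
        } catch (Exception e) {
            Debug.debugException(e);
            return false;
        }
    }

    /**
     * Splits a name at its first dot.
     *
     * @return the text before the first {@code '.'} and the rest of the name
     *         starting with that dot; the rest is empty if there is no dot
     */
    @NotNull
    private static ObjectPair<String, String> getFirstComponentAndRemainder(@NotNull String name) {
        final int firstDot = name.indexOf('.');
        if (firstDot < 0) {
            return new ObjectPair<>(name, "");
        }
        return new ObjectPair<>(name.substring(0, firstDot), name.substring(firstDot));
    }

    /**
     * Tells whether the textual address from the certificate resolves to the
     * expected address. Any resolution failure counts as a non-match.
     */
    private static boolean ipAddressMatches(@NotNull InetAddress expectedAddress, @NotNull String certificateAddress) {
        try {
            return expectedAddress.equals(LDAPConnectionOptions.DEFAULT_NAME_RESOLVER.getByName(certificateAddress));
        } catch (Exception e) {
            Debug.debugException(e);
            return false;
        }
    }

    /**
     * Extracts the host portion of a URI taken from a subjectAltName entry.
     *
     * <p>{@link URI#getHost()} is used when it yields a value. Otherwise, and
     * only for values containing {@code '*'}, the host is cut out by hand:
     * the scheme and an optional {@code "://"} are stripped, then everything
     * from the first {@code '/'} and from the first {@code ':'} is dropped.
     *
     * @return the host, or {@code null} if none could be determined
     */
    @Nullable
    private static String getHostFromURI(@NotNull String uriString) {
        try {
            final URI uri = new URI(uriString);
            final String parsedHost = uri.getHost();
            if (parsedHost != null) {
                return parsedHost;
            }

            // Manual extraction is reserved for wildcard hosts.
            if (!uriString.contains("*")) {
                return null;
            }
            final String scheme = uri.getScheme();
            if (scheme == null || scheme.isEmpty()) {
                return null;
            }
            // Locale.ROOT keeps the result independent of the JVM's default
            // locale. The scheme itself is compared as parsed, so a value
            // whose scheme contains upper-case letters yields no host here.
            if (!uriString.toLowerCase(java.util.Locale.ROOT).startsWith(scheme)) {
                return null;
            }

            String candidate = uriString.substring(scheme.length());
            if (candidate.startsWith("://")) {
                candidate = candidate.substring(3);
            }
            final int pathStart = candidate.indexOf('/');
            if (pathStart >= 0) {
                candidate = candidate.substring(0, pathStart);
            }
            final int portStart = candidate.indexOf(':');
            if (portStart >= 0) {
                candidate = candidate.substring(0, portStart);
            }
            return candidate.isEmpty() ? null : candidate;
        } catch (Exception e) {
            Debug.debugException(e);
            return null;
        }
    }

    /**
     * {@link HostnameVerifier} entry point.
     *
     * @param str        host name the client connected to
     * @param sSLSession session to inspect; its peer port is used in messages
     * @return {@code true} if the peer certificate identifies {@code str},
     *         {@code false} if verification raised an {@link LDAPException}
     */
    @Override // javax.net.ssl.HostnameVerifier
    public boolean verify(@NotNull String str, @NotNull SSLSession sSLSession) {
        try {
            verifySSLSession(str, sSLSession.getPeerPort(), sSLSession);
            return true;
        } catch (LDAPException e) {
            Debug.debugException(e);
            return false;
        }
    }

    static {
        // The CN fallback is on unless the property is exactly "false"
        // (case-insensitive); any other value, or no value, leaves it on.
        final String configured = StaticUtils.getSystemProperty(PROPERTY_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT);
        boolean checkCN = true;
        if (configured != null && configured.equalsIgnoreCase("false")) {
            checkCN = false;
        }
        DEFAULT_CHECK_CN_WHEN_SUBJECT_ALT_NAME_IS_PRESENT = checkCN;
    }
}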
