package com.avaya.jtapi.tsapi.tsapiInterface.oio;

import java.net.InetSocketAddress;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.log4j.Logger;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:ecsjtapia.jar:com/avaya/jtapi/tsapi/tsapiInterface/oio/TLSServerCertificateValidator.class */
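/**
 * Validates the certificate chain a TLS server presented on an {@link SSLSocket}.
 *
 * <p>Three independent checks are offered, and {@link #validateAll()} runs them in order:
 * the leaf certificate's validity period, the server name carried in the leaf certificate
 * (subjectAltName dNSName entries, or the subject CN when there are none), and the chain
 * itself via the first {@link X509TrustManager} found in the supplied trust managers.
 *
 * <p>Name matching is an exact, case-insensitive string comparison; wildcard names
 * (for example {@code *.example.com}) and iPAddress subjectAltName entries are not matched.
 */
public class TLSServerCertificateValidator {
    private static final Logger log = Logger.getLogger(TLSServerCertificateValidator.class);

    /** Socket whose remote address supplies the host name the certificate is compared with. */
    private final SSLSocket socket;

    /** Peer chain as presented; element 0 is the server (leaf) certificate. */
    private final X509Certificate[] certificates;

    /** The leaf certificate, {@code certificates[0]}. */
    private final X509Certificate certificate;

    /** First X509 trust manager found in the array passed to the constructor. */
    private final X509TrustManager trustManager;

    /**
     * Captures the peer chain and the trust manager needed for later validation.
     *
     * @param sSLSocket the connected socket; must not be {@code null}
     * @param sSLSession the session the peer certificates are read from; must not be {@code null}
     * @param trustManagerArr candidate trust managers; the first {@link X509TrustManager} is used
     * @throws NullPointerException if the socket or the session is {@code null}
     * @throws CertificateException if the peer is unverified, the chain is empty, any chain
     *     element is not an X.509 certificate, or no X509 trust manager is supplied
     */
    public TLSServerCertificateValidator(SSLSocket sSLSocket, SSLSession sSLSession, TrustManager[] trustManagerArr) throws CertificateException {
        if (sSLSocket == null) {
            throw new NullPointerException("Socket is null");
        }
        if (sSLSession == null) {
            throw new NullPointerException("Session is null");
        }
        this.socket = sSLSocket;
        this.certificates = toX509Chain(sSLSession);
        this.certificate = this.certificates[0];
        this.trustManager = findX509TrustManager(trustManagerArr);
    }

    /** Copies the peer chain into an X509Certificate array, rejecting an empty or non-X.509 chain. */
    private static X509Certificate[] toX509Chain(SSLSession session) throws CertificateException {
        Certificate[] peerCertificates;
        try {
            peerCertificates = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new CertificateException(e);
        }
        if (peerCertificates == null || peerCertificates.length == 0) {
            throw new CertificateException("Cannot authenticate server; the server's certificate chain is empty.");
        }
        // Copy element by element instead of casting the array: getPeerCertificates() is
        // declared to return Certificate[], and casting an array whose runtime type is
        // Certificate[] fails with ClassCastException rather than a CertificateException.
        X509Certificate[] chain = new X509Certificate[peerCertificates.length];
        for (int i = 0; i < peerCertificates.length; i++) {
            if (!(peerCertificates[i] instanceof X509Certificate)) {
                throw new CertificateException("Cannot authenticate server; the server certificate is not an X509 certificate.");
            }
            chain[i] = (X509Certificate) peerCertificates[i];
        }
        return chain;
    }

    /** Returns the first X509TrustManager in the array, or fails when there is none. */
    private static X509TrustManager findX509TrustManager(TrustManager[] trustManagers) throws CertificateException {
        if (trustManagers != null) {
            for (TrustManager candidate : trustManagers) {
                if (candidate instanceof X509TrustManager) {
                    return (X509TrustManager) candidate;
                }
            }
        }
        throw new CertificateException("Cannot authenticate server; no X509 trust managers found.");
    }

    /**
     * Runs the date, name and chain checks in that order; the first failure aborts.
     *
     * @throws CertificateException if any check fails
     */
    public void validateAll() throws CertificateException {
        validateDateWindow();
        validateCommonName();
        validateServerCertificateChain();
    }

    /**
     * Checks that the leaf certificate is currently within its validity period.
     *
     * @throws CertificateException if the certificate is expired or not yet valid
     */
    public void validateDateWindow() throws CertificateException {
        this.certificate.checkValidity();
    }

    /**
     * Checks that the leaf certificate names the host this socket is connected to.
     *
     * <p>Every non-empty dNSName subjectAltName entry is a candidate. The subject CN is used
     * only when the certificate carries no such entry.
     *
     * @throws CertificateException if no candidate name matches the peer's host name
     */
    public void validateCommonName() throws CertificateException {
        List<String> candidates = new ArrayList<String>();
        Collection<List<?>> subjectAlternativeNames = this.certificate.getSubjectAlternativeNames();
        if (subjectAlternativeNames == null) {
            log.info("The peer's certificate is not X509v3.  Parsing the CN out of the certificate.");
        } else {
            log.info("The peer's certificate is X509v3.  Examining subjectAltNames for dNSName.");
            candidates.addAll(getDnsNamesFromX509v3(subjectAlternativeNames));
            if (candidates.isEmpty()) {
                log.info("Didn't find dNSName in subjectAltNames.  Falling back to parsing the CN out of the certificate.");
            }
        }
        if (candidates.isEmpty()) {
            candidates.add(getNameFromX509(this.certificate));
        }
        compareToResolvedName(candidates);
    }

    /**
     * Extracts the subject common name by parsing the distinguished name structurally.
     *
     * <p>The DN is parsed with {@link LdapName} rather than split on whitespace: a
     * whitespace split truncates a CN that contains a space and treats any token that
     * merely begins with {@code CN=} inside another attribute's value as the common name.
     *
     * @return the CN value, or an empty string when the subject has no usable CN
     */
    private String getNameFromX509(X509Certificate x509Certificate) {
        String name = x509Certificate.getSubjectX500Principal().getName("RFC2253");
        log.info("X500Principal name = \"" + name + "\"");
        try {
            // getRdns() numbers RDNs from the right-hand end of the string, so the first CN
            // found here is the right-most one - the same CN the previous token scan
            // selected when a subject carried more than one.
            for (Rdn rdn : new LdapName(name).getRdns()) {
                Attribute commonName = rdn.toAttributes().get("CN");
                if (commonName != null && commonName.get() instanceof String) {
                    return (String) commonName.get();
                }
            }
        } catch (NamingException e) {
            // Fail closed: an unparseable subject yields no name, so the comparison rejects it.
            log.warn("Unable to parse the certificate subject; treating the common name as absent.");
        }
        return "";
    }

    /**
     * Collects every non-empty dNSName (GeneralName type 2) from the subjectAltName entries.
     *
     * @return the dNSName values in certificate order; empty when there are none
     */
    private List<String> getDnsNamesFromX509v3(Collection<List<?>> collection) {
        List<String> dnsNames = new ArrayList<String>();
        for (List<?> entry : collection) {
            if (entry == null || entry.size() < 2) {
                continue;
            }
            Object type = entry.get(0);
            Object value = entry.get(1);
            if (type instanceof Integer && ((Integer) type).intValue() == 2
                    && value instanceof String && !"".equals(value)) {
                dnsNames.add((String) value);
            }
        }
        return dnsNames;
    }

    /**
     * Compares the candidate certificate names with the host name of the socket's peer.
     *
     * @param names names taken from the certificate; a match on any one of them succeeds
     * @throws CertificateException if the peer address is unavailable or unresolved, or no
     *     name equals the peer's host name (ignoring case)
     */
    private void compareToResolvedName(List<String> names) throws CertificateException {
        if (!(this.socket.getRemoteSocketAddress() instanceof InetSocketAddress)) {
            // Covers both an unconnected socket (null) and a non-IP socket address.
            throw new CertificateException("Unable to validate peer certificate: the socket has no remote internet address.");
        }
        InetSocketAddress inetSocketAddress = (InetSocketAddress) this.socket.getRemoteSocketAddress();
        StringBuilder joined = new StringBuilder();
        for (String name : names) {
            if (joined.length() > 0) {
                joined.append(", ");
            }
            joined.append(name);
        }
        String presented = joined.toString();
        log.info("Verifying that the certificate's common name \"" + presented + "\" matches the peer's hostname.");
        if (inetSocketAddress.isUnresolved()) {
            throw new CertificateException("Unable to validate peer certificate: " + inetSocketAddress + " could not be resolved to a host name.");
        }
        // NOTE(review): getHostName() may perform a reverse name lookup when the address was
        // created from a literal IP, in which case the reference name comes from DNS and not
        // from the caller. Comparing against the host name the caller asked to connect to
        // (or getHostString()) would remove that dependency; not changed here because
        // deployments that connect by IP address may rely on the current behaviour.
        String hostName = inetSocketAddress.getHostName();
        for (String name : names) {
            if (hostName.equalsIgnoreCase(name)) {
                return;
            }
        }
        throw new CertificateException("The Common Name (CN) in the server's certificate (" + presented + ") does not match the server's resolved host name (" + hostName + ").");
    }

    /**
     * Asks the trust manager to validate the whole peer chain for server authentication.
     *
     * @throws CertificateException if the trust manager does not trust the chain
     */
    public void validateServerCertificateChain() throws CertificateException {
        // NOTE(review): authType is fixed to "RSA" regardless of the negotiated cipher suite;
        // some trust managers use it to decide which key-usage bits to require, so servers
        // using other key-exchange or key types may be judged against the wrong rule - confirm.
        this.trustManager.checkServerTrusted(this.certificates, "RSA");
    }
}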
