package org.wildfly.security.ssl;

import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.server.MechanismConfigurationSelector;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.credential.X509CertificateChainCredential;
import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;
import org.wildfly.security.x500.util.X500PrincipalUtil;

/* JADX INFO: Access modifiers changed from: package-private */
/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-ssl-1.17.1.Final.jar:org/wildfly/security/ssl/SecurityDomainTrustManager.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.15.5.Final.jar:org/wildfly/security/ssl/SecurityDomainTrustManager.class */
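/**
 * Trust manager that layers an Elytron {@link SecurityDomain} identity check on top of a
 * regular PKI trust manager.
 *
 * <p>Every client-trust check first runs the wrapped {@code delegate} (chain validation against
 * the configured trust store); only when that passes is the leaf certificate's subject looked up
 * as a principal in the security domain, its certificate compared against the stored credential
 * or verified as evidence, and the resulting identity authorized. Server-trust checks and
 * {@link #getAcceptedIssuers()} are pure delegation.
 *
 * <p>{@code authenticationOptional} only softens the <em>domain</em> step: a missing identity,
 * mismatching certificate or failed authorization is then traced and ignored instead of rejected.
 * The delegate's PKI validation is never skipped.
 *
 * <p>On success the authorized identity is attached to the handshake {@link SSLSession} under
 * {@code SSLUtils.SSL_SESSION_IDENTITY_KEY}; the two-argument {@code checkClientTrusted} has no
 * session available, so nothing is stored in that case.
 */
public class SecurityDomainTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;
    private final SecurityDomain securityDomain;
    private final boolean authenticationOptional;
    private final MechanismConfigurationSelector mechanismConfigurationSelector;

    /**
     * Creates a trust manager wrapping an already extended delegate.
     *
     * @param delegate the PKI trust manager consulted before any domain lookup
     * @param securityDomain the domain in which the client's subject principal is resolved
     * @param authenticationOptional whether domain-side failures are traced and ignored rather than rejected
     * @param mechanismConfigurationSelector selector passed to the domain when opening an authentication context
     */
    SecurityDomainTrustManager(X509ExtendedTrustManager delegate, SecurityDomain securityDomain, boolean authenticationOptional, MechanismConfigurationSelector mechanismConfigurationSelector) {
        this.delegate = delegate;
        this.securityDomain = securityDomain;
        this.authenticationOptional = authenticationOptional;
        this.mechanismConfigurationSelector = mechanismConfigurationSelector;
    }

    /**
     * Creates a trust manager from a plain {@link X509TrustManager}, wrapping it in a
     * {@code WrappingX509ExtendedTrustManager} when it does not already implement the
     * extended (socket/engine aware) interface.
     *
     * @param trustManager the PKI trust manager consulted before any domain lookup
     * @param securityDomain the domain in which the client's subject principal is resolved
     * @param authenticationOptional whether domain-side failures are traced and ignored rather than rejected
     * @param mechanismConfigurationSelector selector passed to the domain when opening an authentication context
     */
    public SecurityDomainTrustManager(X509TrustManager trustManager, SecurityDomain securityDomain, boolean authenticationOptional, MechanismConfigurationSelector mechanismConfigurationSelector) {
        this(trustManager instanceof X509ExtendedTrustManager
                        ? (X509ExtendedTrustManager) trustManager
                        : new WrappingX509ExtendedTrustManager(trustManager),
                securityDomain, authenticationOptional, mechanismConfigurationSelector);
    }

    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        // PKI validation first; the domain check below can only narrow what the delegate accepted.
        delegate.checkClientTrusted(chain, authType, socket);
        // JSSE passes the SSLSocket under negotiation; its handshake session is where the identity is attached.
        doClientTrustCheck(chain, authType, ((SSLSocket) socket).getHandshakeSession());
    }

    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkClientTrusted(chain, authType, engine);
        doClientTrustCheck(chain, authType, engine.getHandshakeSession());
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        // no session is available on this overload, so the authorized identity cannot be stored
        doClientTrustCheck(chain, authType, null);
    }

    /**
     * Resolves the leaf certificate's subject in the security domain and authorizes it.
     *
     * <p>Runs after the delegate has validated the chain. The identity is located by the subject
     * of {@code chain[0]}; if the domain can supply an {@link X509CertificateChainCredential} the
     * leaf certificate must equal the stored one, otherwise, if evidence verification is
     * supported, the whole chain is verified as {@link X509PeerCertificateChainEvidence}. If
     * neither is supported the check proceeds straight to authorization.
     *
     * @param chain the validated client chain, leaf first; must be non-empty
     * @param authType the key exchange algorithm name passed by JSSE
     * @param handshakeSession the session to attach the authorized identity to, or {@code null}
     * @throws CertificateException if the chain is empty, the subject cannot be converted to an
     *         {@link X500Principal}, a domain-side check fails while authentication is mandatory,
     *         or the realm is unavailable
     */
    private void doClientTrustCheck(X509Certificate[] chain, String authType, SSLSession handshakeSession) throws CertificateException {
        Assert.checkNotNullParam("chain", chain);
        Assert.checkNotNullParam("authType", authType);
        if (chain.length == 0) {
            throw ElytronMessages.log.emptyChainNotTrusted();
        }
        // the end-entity certificate's subject is the principal looked up in the domain
        X500Principal principal = X500PrincipalUtil.asX500Principal(chain[0].getSubjectX500Principal());
        if (principal == null) {
            throw ElytronMessages.log.notTrusted(null);
        }
        // try-with-resources closes the context on every exit, including the notTrusted throws
        // (the previous hand-written close() calls only ran on the early-return paths).
        try (ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
            context.setAuthenticationPrincipal(principal);
            if (!context.exists()) {
                failOrIgnore("Credential validation failed: no identity found for principal [%s], ignoring as authentication is optional", principal);
                return;
            }
            if (context.getCredentialAcquireSupport(X509CertificateChainCredential.class).mayBeSupported()) {
                X509CertificateChainCredential credential = context.getCredential(X509CertificateChainCredential.class);
                if (credential == null) {
                    failOrIgnore("Credential validation failed: no trusted certificate found for principal [%s], ignoring as authentication is optional", principal);
                    return;
                }
                // only the leaf certificate is compared against the stored credential
                if (!credential.getFirstCertificate().equals(chain[0])) {
                    failOrIgnore("Credential validation failed: certificate does not match for principal [%s], ignoring as authentication is optional", principal);
                    return;
                }
            } else if (context.getEvidenceVerifySupport(X509PeerCertificateChainEvidence.class).mayBeSupported()
                    && !context.verifyEvidence(new X509PeerCertificateChainEvidence(chain))) {
                failOrIgnore("Credential validation failed: no trusted certificate found for principal [%s], ignoring as authentication is optional", principal);
                return;
            }
            if (!context.authorize()) {
                failOrIgnore("Credential validation failed: identity is not authorized principal [%s], ignoring as authentication is optional", principal);
                return;
            }
            ElytronMessages.log.tracef("Authentication succeed for principal [%s]", principal);
            context.succeed();
            if (handshakeSession != null) {
                handshakeSession.putValue(SSLUtils.SSL_SESSION_IDENTITY_KEY, context.getAuthorizedIdentity());
            }
        } catch (RealmUnavailableException e) {
            throw ElytronMessages.log.notTrustedRealmProblem(e, principal);
        }
    }

    /**
     * Rejects the client when authentication is mandatory; otherwise traces the reason and lets
     * the caller return without storing an identity.
     *
     * @param traceFormat message logged at trace level when the failure is ignored; {@code %s} is the principal
     * @param principal the subject principal the check was performed for
     * @throws CertificateException when {@code authenticationOptional} is {@code false}
     */
    private void failOrIgnore(String traceFormat, X500Principal principal) throws CertificateException {
        if (!authenticationOptional) {
            throw ElytronMessages.log.notTrusted(principal);
        }
        ElytronMessages.log.tracef(traceFormat, principal);
    }

    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        // server certificates are not mapped to domain identities; pure PKI delegation
        delegate.checkServerTrusted(chain, authType, socket);
    }

    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, engine);
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}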
