package com.zimbra.common.net;

import com.zimbra.common.localconfig.LC;
import com.zimbra.common.util.ZimbraLog;
import java.io.Closeable;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/zimbra/common/net/CustomTrustManager.class */
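public class CustomTrustManager implements X509TrustManager {
    /** Platform/default trust manager; consulted first for every client and server chain. */
    private final X509TrustManager defaultTrustManager;
    /**
     * Trust manager built over {@link #keyStore}; rebuilt by {@link #resetKeyStoreTrustManager()}
     * whenever the store changes. Read and written only under {@code this}.
     */
    private X509TrustManager keyStoreTrustManager;
    /** Local store of explicitly accepted server certificates (file: LC.mailboxd_keystore). */
    private final KeyStore keyStore;
    /**
     * Certificates that failed validation and may later be accepted through
     * {@link #acceptCertificates(String)}, keyed by {@code "<hostname>:<serial-hex>"}.
     * Only touched from synchronized methods.
     */
    private final Map<String, X509Certificate> pendingCerts;

    /**
     * Creates a trust manager that consults {@code defaultTrustManager} first and, only when that
     * rejects a server chain, falls back to the certificates explicitly accepted into the local
     * keystore.
     *
     * @param defaultTrustManager trust manager consulted first; a null value is tolerated here but
     *        every check then fails with a {@link CertificateException}
     * @throws GeneralSecurityException if the keystore cannot be initialised or no X.509 trust
     *         manager exists for the default {@link TrustManagerFactory} algorithm
     */
    protected CustomTrustManager(X509TrustManager defaultTrustManager) throws GeneralSecurityException {
        this.pendingCerts = new HashMap<String, X509Certificate>();
        this.defaultTrustManager = defaultTrustManager;
        try {
            this.keyStore = loadKeyStore();
            resetKeyStoreTrustManager();
        } catch (GeneralSecurityException e) {
            // log at the point of failure; the caller still sees the exception
            ZimbraLog.security.error("trust manager init error", e);
            throw e;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a trust manager backed by the project's {@code DefaultTrustManager}.
     *
     * @throws GeneralSecurityException see {@link #CustomTrustManager(X509TrustManager)}
     */
    public CustomTrustManager() throws GeneralSecurityException {
        this(new DefaultTrustManager());
    }

    /**
     * Client chains are validated by the default trust manager only; the local keystore is never
     * consulted for client authentication.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        getDefaultTrustManager().checkClientTrusted(chain, authType);
    }

    /**
     * Validates a server chain: first with the default trust manager, then — only if that fails —
     * against the locally accepted certificates in {@link #keyStore}.
     *
     * <p>When both fail, the thrown {@link CertificateException} carries a serialized
     * {@code SSLCertInfo} as its message (see {@link #handleCertificateCheckFailure}), and, if
     * {@code LC.ssl_allow_accept_untrusted_certs} is set, the leaf certificate is parked in
     * {@link #pendingCerts} so it can later be accepted by alias.
     *
     * <p>Note that the keystore stage trusts any certificate in the store irrespective of the
     * hostname recorded in its alias; {@link #isCertificateAcceptedForHostname} is the only
     * hostname-aware check in this class and is not called from here.
     *
     * @param chain server certificate chain, leaf first
     * @param authType key exchange algorithm, passed through to the delegates
     * @throws IllegalArgumentException if {@code chain} is null or empty (X509TrustManager contract)
     * @throws CertificateException if neither trust source accepts the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            // required by the X509TrustManager contract; also guards the chain[0] access below
            throw new IllegalArgumentException("null or empty certificate chain");
        }
        if (ZimbraLog.security.isDebugEnabled()) {
            ZimbraLog.security.debug("Server certificate chain:");
            for (int i = 0; i < chain.length; i++) {
                ZimbraLog.security.debug("X509Certificate[" + i + "]=" + chain[i]);
            }
        }
        try {
            getDefaultTrustManager().checkServerTrusted(chain, authType);
        } catch (CertificateException defaultRejection) {
            // the default verdict is discarded; the keystore stage decides
            checkServerTrustedByKeyStore(chain, authType);
        }
    }

    /**
     * Second-stage server check against the locally accepted certificates.
     * An empty keystore is treated like a rejection so the failure is reported the same way.
     * Reads {@link #keyStore} without holding {@code this}; mutations happen in synchronized methods.
     *
     * @throws CertificateException with the serialized cert info as message when the chain is rejected,
     *         or wrapping a {@link KeyStoreException} if the store cannot be queried
     */
    private void checkServerTrustedByKeyStore(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            if (this.keyStore.size() == 0) {
                throw new CertificateException("key store empty");
            }
            getKeyStoreTrustManager().checkServerTrusted(chain, authType);
        } catch (KeyStoreException e) {
            throw new CertificateException(e);
        } catch (CertificateException rejection) {
            String hostname = CustomSSLSocket.getCertificateHostname();
            if (hostname == null) {
                // NOTE(review): assumes getCertificateCN never returns null; a null here would NPE below
                hostname = SSLCertInfo.getCertificateCN(chain[0]);
            }
            throw new CertificateException(handleCertificateCheckFailure(hostname, chain[0], false));
        }
    }

    /**
     * Records a rejected server certificate and builds the message that describes it.
     *
     * <p>The alias is {@code hostname.toLowerCase() + ":" + serial (upper-case hex)}. The
     * certificate is cached as pending only when {@code LC.ssl_allow_accept_untrusted_certs} is
     * true; otherwise nothing is stored and the returned info only reports the failure.
     *
     * @param hostname host the certificate was presented for (must not be null)
     * @param cert the rejected leaf certificate
     * @param flag passed through unchanged as the last {@code SSLCertInfo} constructor argument;
     *        its meaning is defined by that class
     * @return the serialized {@code SSLCertInfo}, or {@code ""} if serialization fails
     */
    public String handleCertificateCheckFailure(String hostname, X509Certificate cert, boolean flag) {
        // Locale.ROOT keeps the alias stable regardless of the JVM's default locale
        String host = hostname.toLowerCase(Locale.ROOT);
        String alias = host + ":" + cert.getSerialNumber().toString(16).toUpperCase(Locale.ROOT);
        boolean allowAccept = LC.ssl_allow_accept_untrusted_certs.booleanValue();
        if (allowAccept) {
            cachePendingCertificate(alias, cert);
        }
        try {
            return new SSLCertInfo(alias, host, cert, allowAccept, flag).serialize();
        } catch (Exception e) {
            // best effort: the caller still throws its CertificateException, only the detail is lost
            ZimbraLog.security.warn("failed to serialize certificate info", e);
            return "";
        }
    }

    /**
     * Returns the issuers trusted by the keystore-backed trust manager only; issuers known to the
     * default trust manager are not included. Empty if the keystore trust manager is unavailable.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        try {
            return getKeyStoreTrustManager().getAcceptedIssuers();
        } catch (GeneralSecurityException e) {
            return new X509Certificate[0];
        }
    }

    /** Parks a rejected certificate under {@code alias} until it is accepted or the process exits. */
    private synchronized void cachePendingCertificate(String alias, X509Certificate cert) {
        this.pendingCerts.put(alias, cert);
    }

    /**
     * Promotes the pending certificate stored under {@code alias} into the keystore, persists the
     * store to disk and rebuilds the keystore trust manager. Unknown aliases are logged and ignored.
     *
     * @param alias the {@code "<hostname>:<serial-hex>"} key produced by
     *        {@link #handleCertificateCheckFailure}
     * @throws SecurityException if {@code NetConfig} does not allow accepting untrusted certificates
     * @throws GeneralSecurityException if persisting the store or rebuilding the trust manager fails
     */
    public synchronized void acceptCertificates(String alias) throws GeneralSecurityException {
        if (!NetConfig.getInstance().isAllowAcceptUntrustedCerts()) {
            throw new SecurityException("accepting untrusted certificates not allowed: " + alias);
        }
        X509Certificate pending = this.pendingCerts.get(alias);
        if (pending == null) {
            ZimbraLog.security.warn("Alias %s not found in cache; no certificates accepted.", alias);
            return;
        }
        try {
            this.keyStore.setCertificateEntry(alias, pending);
            saveKeyStore();
            resetKeyStoreTrustManager();
            this.pendingCerts.remove(alias);
        } catch (KeyStoreException e) {
            // keep the cause in the log; the entry stays pending so the caller may retry
            ZimbraLog.security.warn("failed to accept certificates of " + alias, e);
        }
    }

    /**
     * Tells whether {@code cert} has been accepted for {@code hostname}, i.e. whether the keystore
     * holds an equal certificate under an alias starting with {@code hostname.toLowerCase() + ":"}.
     *
     * @return true if such an entry exists; false otherwise or if the keystore cannot be read
     */
    public synchronized boolean isCertificateAcceptedForHostname(String hostname, X509Certificate cert) {
        String aliasPrefix = hostname.toLowerCase(Locale.ROOT) + ":";
        try {
            Enumeration<String> aliases = this.keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!alias.startsWith(aliasPrefix)) {
                    continue;
                }
                // instanceof rather than a cast: a non-X.509 entry must not abort the scan
                Certificate stored = this.keyStore.getCertificate(alias);
                if (stored instanceof X509Certificate && stored.equals(cert)) {
                    return true;
                }
            }
            return false;
        } catch (KeyStoreException e) {
            ZimbraLog.security.warn(e);
            return false;
        }
    }

    /** @throws CertificateException if the instance was constructed with a null default trust manager */
    private X509TrustManager getDefaultTrustManager() throws CertificateException {
        if (this.defaultTrustManager == null) {
            throw new CertificateException("no default trust manager");
        }
        return this.defaultTrustManager;
    }

    /** @throws CertificateException if no keystore trust manager has been installed yet */
    private synchronized X509TrustManager getKeyStoreTrustManager() throws CertificateException {
        if (this.keyStoreTrustManager == null) {
            throw new CertificateException("no key store trust manager");
        }
        return this.keyStoreTrustManager;
    }

    private synchronized void setKeyStoreTrustManager(X509TrustManager trustManager) {
        this.keyStoreTrustManager = trustManager;
    }

    /**
     * Rebuilds the keystore trust manager from the current contents of {@link #keyStore} using the
     * default {@link TrustManagerFactory} algorithm; installs the first {@link X509TrustManager}
     * the factory yields.
     *
     * @throws KeyStoreException if the factory yields no X.509 trust manager
     * @throws GeneralSecurityException if the factory cannot be created or initialised
     */
    private synchronized void resetKeyStoreTrustManager() throws GeneralSecurityException {
        String algorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
        factory.init(this.keyStore);
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                setKeyStoreTrustManager((X509TrustManager) candidate);
                return;
            }
        }
        throw new KeyStoreException(algorithm + " trust manager not supported");
    }

    /**
     * Loads the accepted-certificates keystore: first {@code LC.mailboxd_keystore}, then
     * {@code LC.mailboxd_keystore_base} as a fallback, and finally a fresh empty in-memory store
     * if neither file is usable. A missing or unreadable file is logged, never fatal.
     *
     * @throws GeneralSecurityException for provider/algorithm errors from {@link KeyStore#load}, or
     *         wrapping the {@link IOException} if even the empty store cannot be initialised
     */
    private static KeyStore loadKeyStore() throws GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        boolean loaded = loadKeyStoreFile(keyStore, LC.mailboxd_keystore.value(),
                LC.mailboxd_keystore_password.value(), false);
        if (!loaded) {
            loaded = loadKeyStoreFile(keyStore, LC.mailboxd_keystore_base.value(),
                    LC.mailboxd_keystore_base_password.value(), true);
        }
        if (!loaded) {
            // a failed load may have left the instance partially initialised, so start from a new one
            keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try {
                keyStore.load(null, new char[0]);
            } catch (IOException e) {
                throw new KeyStoreException(e);
            }
        }
        return keyStore;
    }

    /**
     * Loads {@code keyStore} from the file at {@code path}.
     *
     * @param backup selects the log wording: false for the primary store, true for the base/backup store
     * @return true if the file was read and loaded; false (after logging) if it is missing,
     *         unreadable, or its certificates cannot be loaded
     * @throws GeneralSecurityException for algorithm/provider errors raised by {@link KeyStore#load}
     */
    private static boolean loadKeyStoreFile(KeyStore keyStore, String path, String password, boolean backup)
            throws GeneralSecurityException {
        FileInputStream in;
        try {
            in = new FileInputStream(path);
        } catch (FileNotFoundException e) {
            if (backup) {
                ZimbraLog.security.warn("backup keystore not found");
            } else {
                ZimbraLog.security.info("keystore not present");
            }
            return false;
        }
        try {
            keyStore.load(in, password.toCharArray());
            return true;
        } catch (IOException e) {
            // also raised for a wrong keystore password
            ZimbraLog.security.warn(backup ? "failed to read backup keystore file" : "failed to read keystore file", e);
            return false;
        } catch (CertificateException e) {
            ZimbraLog.security.warn(backup ? "failed to load backup certificates" : "failed to load certificates", e);
            return false;
        } finally {
            closeQuietly(in, backup ? "backup keystore file can't be closed after reading"
                    : "keystore file can't be closed after reading");
        }
    }

    /** Closes {@code closeable}, logging rather than propagating an {@link IOException}. */
    private static void closeQuietly(Closeable closeable, String failureMessage) {
        try {
            closeable.close();
        } catch (IOException e) {
            ZimbraLog.security.warn(failureMessage, e);
        }
    }

    /**
     * Writes {@link #keyStore} to {@code LC.mailboxd_keystore} with {@code LC.mailboxd_keystore_password}.
     * The file is rewritten in place, so an interrupted write can leave it truncated; the next
     * {@link #loadKeyStore()} then falls back to the base store or an empty one.
     *
     * @throws KeyStoreException wrapping any {@link IOException} from opening, writing or closing the file
     * @throws GeneralSecurityException for other errors raised by {@link KeyStore#store}
     */
    private synchronized void saveKeyStore() throws GeneralSecurityException {
        FileOutputStream out;
        try {
            out = new FileOutputStream(LC.mailboxd_keystore.value());
        } catch (FileNotFoundException e) {
            throw new KeyStoreException(e);
        }
        boolean stored = false;
        try {
            this.keyStore.store(out, LC.mailboxd_keystore_password.value().toCharArray());
            stored = true;
        } catch (IOException e) {
            throw new KeyStoreException(e);
        } finally {
            try {
                out.close();
            } catch (IOException e) {
                if (stored) {
                    // the data was written but may not be flushed; report it
                    throw new KeyStoreException(e);
                }
                // a store failure is already propagating; do not mask it with the close error
                ZimbraLog.security.warn("keystore file can't be closed after writing", e);
            }
        }
    }
}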
