package com.sun.jndi.ldap.ext;

import com.sun.jndi.ldap.Connection;
import daikon.dcomp.DCRuntime;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.kerberos.KerberosPrincipal;
import net.fortuna.ical4j.model.property.RequestStatus;
import sun.security.util.HostnameChecker;

/* loaded from: input_file:dcomp-rt/com/sun/jndi/ldap/ext/StartTlsResponseImpl.class */
/**
 * Decompiled (JADX) view of the JNDI LDAP StartTLS response handler. It layers an
 * {@link SSLSocket} over the socket of an existing LDAP {@link Connection}, runs the TLS
 * handshake, and checks the server identity against an expected hostname.
 *
 * <p>Every method appears twice. The first copy (no {@code DCompMarker} parameter) holds the
 * plain logic. The second copy takes an extra {@code DCompMarker} argument and is interleaved
 * with {@code DCRuntime} calls; this looks like Daikon DynComp instrumentation (the class was
 * loaded from a {@code dcomp-rt} archive). The instrumented copies contain JADX
 * type-inference failures ({@code ??}) and are not valid Java as printed, so review the
 * plain copies for behaviour.
 *
 * <p>Security-relevant behaviour visible in this listing:
 * <ul>
 *   <li>{@code negotiate} accepts the session when the built-in check in {@code verify}
 *       passes, or, when that check fails, when the caller-installed
 *       {@link HostnameVerifier} returns {@code true}. A verifier that accepts every name
 *       therefore overrides a failed hostname check.</li>
 *   <li>{@code verify} returns {@code true} without any identity check when the peer is
 *       unverified and the negotiated cipher suite name contains {@code "_anon_"}. Passing
 *       anonymous suites to {@code setEnabledCipherSuites} yields an unauthenticated
 *       channel.</li>
 *   <li>On a failed first negotiation, {@code close()} is a no-op because {@code isClosed}
 *       is still {@code true}; see the note inside {@code negotiate}.</li>
 * </ul>
 */
public final class StartTlsResponseImpl extends StartTlsResponse {
    // Compile-time false; no code in this listing reads it.
    private static final boolean debug = false;
    // Not referenced anywhere in this listing; presumably the subjectAltName dNSName tag - TODO confirm.
    private static final int DNSNAME_TYPE = 2;
    // Name the server identity is checked against; assigned in setConnection.
    private transient String hostname;
    // LDAP connection whose streams are swapped to and from the TLS socket.
    private transient Connection ldapConnection;
    // Streams the connection had when setConnection was called; close() puts them back.
    private transient InputStream originalInputStream;
    private transient OutputStream originalOutputStream;
    // TLS socket layered over ldapConnection.sock; created in startHandshake.
    private transient SSLSocket sslSocket;
    // Cached result of SSLSocketFactory.getDefault().
    private transient SSLSocketFactory defaultFactory;
    // Factory that produced the current sslSocket; a different factory forces a new socket.
    private transient SSLSocketFactory currentFactory;
    // Caller-supplied cipher suite names, applied before each handshake when non-null.
    private transient String[] suites;
    // Caller-supplied fallback verifier, consulted only after the built-in check fails.
    private transient HostnameVerifier verifier;
    // True until a negotiate() call succeeds, and again after close() or a handshake failure.
    private transient boolean isClosed;
    private static final long serialVersionUID = -1126624615143411328L;

    /**
     * Creates a response with no connection attached and {@code isClosed} set to true.
     * {@code setConnection} must be called before {@code negotiate}.
     */
    public StartTlsResponseImpl() {
        this.hostname = null;
        this.ldapConnection = null;
        this.originalInputStream = null;
        this.originalOutputStream = null;
        this.sslSocket = null;
        this.defaultFactory = null;
        this.currentFactory = null;
        this.suites = null;
        this.verifier = null;
        this.isClosed = true;
    }

    /**
     * Stores the cipher suite names to enable on the TLS socket before the handshake.
     * The array is stored by reference, not copied, and is not validated here. Including a
     * suite whose name contains {@code "_anon_"} makes {@code verify} skip server
     * authentication when that suite is negotiated.
     *
     * @param strArr suite names, or null to leave the socket's enabled suites untouched
     */
    @Override // javax.naming.ldap.StartTlsResponse
    public void setEnabledCipherSuites(String[] strArr) {
        this.suites = strArr;
    }

    /**
     * Installs a fallback hostname verifier. {@code negotiate} calls it only when the
     * built-in check did not succeed, and a {@code true} result accepts the session.
     *
     * @param hostnameVerifier fallback verifier, or null for none
     */
    @Override // javax.naming.ldap.StartTlsResponse
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        this.verifier = hostnameVerifier;
    }

    /**
     * Negotiates TLS using the default socket factory.
     *
     * @return the established session
     * @throws IOException as for {@link #negotiate(SSLSocketFactory)}
     */
    @Override // javax.naming.ldap.StartTlsResponse
    public SSLSession negotiate() throws IOException {
        return negotiate((SSLSocketFactory) null);
    }

    /**
     * Runs the TLS handshake over the LDAP connection and verifies the server identity.
     *
     * <p>Acceptance order: the built-in {@code verify} check first; if it throws, the
     * exception is remembered and the caller-installed verifier (if any) is asked. Only when
     * both fail is the session invalidated and the exception thrown.
     *
     * @param sSLSocketFactory factory for the TLS socket, or null to use the default factory
     * @return the established and accepted session
     * @throws IOException if this response is closed after a TLS socket was already created,
     *     or if the handshake fails
     * @throws SSLPeerUnverifiedException (an IOException) if neither check accepts the peer
     */
    @Override // javax.naming.ldap.StartTlsResponse
    public SSLSession negotiate(SSLSocketFactory sSLSocketFactory) throws IOException {
        // isClosed alone is not enough: a fresh instance is "closed" but has no socket yet.
        if (this.isClosed && this.sslSocket != null) {
            throw new IOException("TLS connection is closed.");
        }
        if (sSLSocketFactory == null) {
            sSLSocketFactory = getDefaultFactory();
        }
        // startHandshake has already pointed the LDAP connection at the TLS streams by the
        // time it returns, i.e. before any identity check below has run.
        SSLSession session = startHandshake(sSLSocketFactory).getSession();
        SSLPeerUnverifiedException sSLPeerUnverifiedException = null;
        try {
            if (verify(this.hostname, session)) {
                this.isClosed = false;
                return session;
            }
        } catch (SSLPeerUnverifiedException e) {
            // Keep the built-in failure so it can be rethrown if the fallback also rejects.
            sSLPeerUnverifiedException = e;
        }
        // Fallback: a permissive verifier here overrides the failed built-in check.
        if (this.verifier != null && this.verifier.verify(this.hostname, session)) {
            this.isClosed = false;
            return session;
        }
        // NOTE(review): on a first negotiate() isClosed is still true at this point, so
        // close() returns at its guard without restoring the original streams or closing
        // sslSocket; only session.invalidate() takes effect. Confirm how callers treat the
        // connection after this exception.
        close();
        session.invalidate();
        if (sSLPeerUnverifiedException == null) {
            sSLPeerUnverifiedException = new SSLPeerUnverifiedException("hostname of the server '" + this.hostname + "' does not match the hostname in the server's certificate.");
        }
        throw sSLPeerUnverifiedException;
    }

    /**
     * Tears down TLS: restores the connection's original streams and closes the TLS socket.
     * Does nothing when {@code isClosed} is already true.
     *
     * @throws IOException if closing the TLS socket fails; in that case {@code isClosed}
     *     is left false
     */
    @Override // javax.naming.ldap.StartTlsResponse
    public void close() throws IOException {
        if (this.isClosed) {
            return;
        }
        // Streams are restored before the socket is closed.
        this.ldapConnection.replaceStreams(this.originalInputStream, this.originalOutputStream);
        // The socket was created with autoClose=false (see startHandshake).
        this.sslSocket.close();
        this.isClosed = true;
    }

    /**
     * Attaches the LDAP connection and records its current streams for later restoration.
     *
     * @param connection the LDAP connection to upgrade; dereferenced without a null check
     * @param str name to verify the server identity against, or null to use
     *     {@code connection.host}
     */
    public void setConnection(Connection connection, String str) {
        this.ldapConnection = connection;
        // A caller-supplied name takes precedence over the host the connection was opened to.
        this.hostname = str != null ? str : connection.host;
        this.originalInputStream = connection.inStream;
        this.originalOutputStream = connection.outStream;
    }

    /**
     * Returns the default TLS socket factory, caching it after the first lookup.
     *
     * @return the cached or freshly obtained default factory
     * @throws IOException declared but not thrown by any statement visible here
     */
    private SSLSocketFactory getDefaultFactory() throws IOException {
        if (this.defaultFactory != null) {
            return this.defaultFactory;
        }
        SSLSocketFactory sSLSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        this.defaultFactory = sSLSocketFactory;
        return sSLSocketFactory;
    }

    /**
     * Creates the TLS socket over the existing LDAP socket (when the factory changed), applies
     * the configured cipher suites, performs the handshake and switches the LDAP connection to
     * the TLS streams.
     *
     * @param sSLSocketFactory factory used to wrap the LDAP socket
     * @return the TLS socket after a successful handshake
     * @throws IllegalStateException if {@code setConnection} has not been called
     * @throws IOException if the handshake or stream retrieval fails; the TLS socket is closed
     *     and {@code isClosed} set to true first
     */
    private SSLSocket startHandshake(SSLSocketFactory sSLSocketFactory) throws IOException {
        if (this.ldapConnection == null) {
            throw new IllegalStateException("LDAP connection has not been set. TLS requires an existing LDAP connection.");
        }
        // Identity comparison: the same factory instance reuses the existing TLS socket.
        if (sSLSocketFactory != this.currentFactory) {
            // Last argument is autoClose=false, so closing the TLS socket leaves the
            // underlying LDAP socket open. The host passed here is ldapConnection.host,
            // which can differ from this.hostname used for verification.
            this.sslSocket = (SSLSocket) sSLSocketFactory.createSocket(this.ldapConnection.sock, this.ldapConnection.host, this.ldapConnection.port, false);
            this.currentFactory = sSLSocketFactory;
        }
        if (this.suites != null) {
            this.sslSocket.setEnabledCipherSuites(this.suites);
        }
        try {
            this.sslSocket.startHandshake();
            // Streams are swapped here, before negotiate() has verified the peer.
            this.ldapConnection.replaceStreams(this.sslSocket.getInputStream(), this.sslSocket.getOutputStream());
            return this.sslSocket;
        } catch (IOException e) {
            this.sslSocket.close();
            this.isClosed = true;
            throw e;
        }
    }

    /**
     * Built-in server identity check. Never returns false: it returns true or throws.
     *
     * <p>A Kerberos peer principal is matched against the name directly; otherwise the first
     * peer certificate must be an X.509 certificate and is matched by {@code HostnameChecker}.
     * If the peer is unverified and the negotiated cipher suite name contains
     * {@code "_anon_"}, the check is skipped and true is returned.
     *
     * @param str expected server name; surrounding square brackets are stripped first
     * @param sSLSession session produced by the handshake
     * @return true when the identity matches, or when an anonymous suite is in use
     * @throws SSLPeerUnverifiedException if the identity does not match or the peer is
     *     unverified on a non-anonymous suite
     */
    private boolean verify(String str, SSLSession sSLSession) throws SSLPeerUnverifiedException {
        // Presumably unwraps a bracketed IPv6 literal such as a URL host - TODO confirm.
        if (str != null && str.startsWith("[") && str.endsWith("]")) {
            str = str.substring(1, str.length() - 1);
        }
        try {
            // NOTE(review): 2 is presumably HostnameChecker.TYPE_LDAP - confirm against the JDK in use.
            HostnameChecker hostnameChecker = HostnameChecker.getInstance((byte) 2);
            Principal peerPrincipal = getPeerPrincipal(sSLSession);
            if (peerPrincipal instanceof KerberosPrincipal) {
                if (HostnameChecker.match(str, (KerberosPrincipal) peerPrincipal)) {
                    return true;
                }
                throw new SSLPeerUnverifiedException("hostname of the kerberos principal:" + ((Object) peerPrincipal) + " does not match the hostname:" + str);
            }
            Certificate[] peerCertificates = sSLSession.getPeerCertificates();
            // Only the first certificate in the array is examined.
            if (!(peerCertificates[0] instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("Received a non X509Certificate from the server");
            }
            // A mismatch surfaces as CertificateException, handled below.
            hostnameChecker.match(str, (X509Certificate) peerCertificates[0]);
            return true;
        } catch (CertificateException e) {
            throw ((SSLPeerUnverifiedException) new SSLPeerUnverifiedException("hostname of the server '" + str + "' does not match the hostname in the server's certificate.").initCause(e));
        } catch (SSLPeerUnverifiedException e2) {
            // Any SSLPeerUnverifiedException raised inside the try body lands here, including
            // the two constructed above. With an "_anon_" suite it is swallowed and the peer
            // is accepted with no identity check at all.
            String cipherSuite = sSLSession.getCipherSuite();
            if (cipherSuite == null || cipherSuite.indexOf("_anon_") == -1) {
                throw e2;
            }
            return true;
        }
    }

    /**
     * Returns the session's peer principal, or null when the session implementation raises
     * {@code AbstractMethodError} (presumably an implementation that predates the method).
     *
     * @param sSLSession session to query
     * @return the peer principal, or null as described
     * @throws SSLPeerUnverifiedException propagated from the session when the peer is unverified
     */
    private static Principal getPeerPrincipal(SSLSession sSLSession) throws SSLPeerUnverifiedException {
        Principal principal;
        try {
            principal = sSLSession.getPeerPrincipal();
        } catch (AbstractMethodError e) {
            principal = null;
        }
        return principal;
    }

    // Instrumented twin of the no-arg constructor: same field initialisation plus DCRuntime
    // tag bookkeeping around the isClosed write.
    /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
    /* JADX WARN: Multi-variable type inference failed */
    public StartTlsResponseImpl(DCompMarker dCompMarker) {
        super(null);
        DCRuntime.create_tag_frame("2");
        this.hostname = null;
        this.ldapConnection = null;
        this.originalInputStream = null;
        this.originalOutputStream = null;
        this.sslSocket = null;
        this.defaultFactory = null;
        this.currentFactory = null;
        this.suites = null;
        this.verifier = null;
        DCRuntime.push_const();
        isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$set_tag();
        this.isClosed = true;
        DCRuntime.normal_exit();
    }

    // Instrumented twin of setEnabledCipherSuites(String[]).
    /* JADX WARN: Multi-variable type inference failed */
    @Override // javax.naming.ldap.StartTlsResponse
    public void setEnabledCipherSuites(String[] strArr, DCompMarker dCompMarker) {
        DCRuntime.create_tag_frame("3");
        this.suites = strArr;
        DCRuntime.normal_exit();
    }

    // Instrumented twin of setHostnameVerifier(HostnameVerifier).
    /* JADX WARN: Multi-variable type inference failed */
    @Override // javax.naming.ldap.StartTlsResponse
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier, DCompMarker dCompMarker) {
        DCRuntime.create_tag_frame("3");
        this.verifier = hostnameVerifier;
        DCRuntime.normal_exit();
    }

    // Instrumented twin of negotiate(). The '??' below marks a type JADX could not infer;
    // the line is not compilable as printed.
    /* JADX WARN: Type inference failed for: r0v4, types: [java.lang.Throwable, javax.net.ssl.SSLSession] */
    @Override // javax.naming.ldap.StartTlsResponse
    public SSLSession negotiate(DCompMarker dCompMarker) throws IOException {
        DCRuntime.create_tag_frame("2");
        ?? negotiate = negotiate(null, null);
        DCRuntime.normal_exit();
        return negotiate;
    }

    // Instrumented twin of negotiate(SSLSocketFactory). Same acceptance order: built-in
    // verify first, then the caller-installed verifier, then close/invalidate and throw.
    // NOTE(review): as decompiled, 'verify' is read after the try/catch even on the path where
    // the catch ran and never assigned it; treat the plain copy as the reference control flow.
    /* JADX WARN: Not initialized variable reg: 0, insn: 0x00ea: THROW (r0 I:java.lang.Throwable), block:B:34:0x00ea */
    @Override // javax.naming.ldap.StartTlsResponse
    public SSLSession negotiate(SSLSocketFactory sSLSocketFactory, DCompMarker dCompMarker) throws IOException {
        boolean verify;
        DCRuntime.create_tag_frame("6");
        isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$get_tag();
        boolean z = this.isClosed;
        DCRuntime.discard_tag(1);
        if (z && this.sslSocket != null) {
            IOException iOException = new IOException("TLS connection is closed.", (DCompMarker) null);
            DCRuntime.throw_op();
            throw iOException;
        }
        if (sSLSocketFactory == null) {
            sSLSocketFactory = getDefaultFactory(null);
        }
        SSLSession session = startHandshake(sSLSocketFactory, null).getSession(null);
        SSLPeerUnverifiedException sSLPeerUnverifiedException = null;
        try {
            verify = verify(this.hostname, session, null);
            DCRuntime.discard_tag(1);
        } catch (SSLPeerUnverifiedException e) {
            sSLPeerUnverifiedException = e;
        }
        if (verify) {
            DCRuntime.push_const();
            isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$set_tag();
            this.isClosed = false;
            DCRuntime.normal_exit();
            return session;
        }
        // Fallback verifier: a true result accepts the session despite the failed check.
        if (this.verifier != null) {
            boolean verify2 = this.verifier.verify(this.hostname, session, null);
            DCRuntime.discard_tag(1);
            if (verify2) {
                DCRuntime.push_const();
                isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$set_tag();
                this.isClosed = false;
                DCRuntime.normal_exit();
                return session;
            }
        }
        // As in the plain copy, close() returns at its guard when isClosed is still true.
        close(null);
        session.invalidate(null);
        if (sSLPeerUnverifiedException == null) {
            sSLPeerUnverifiedException = new SSLPeerUnverifiedException(new StringBuilder((DCompMarker) null).append("hostname of the server '", (DCompMarker) null).append(this.hostname, (DCompMarker) null).append("' does not match the hostname in the ", (DCompMarker) null).append("server's certificate.", (DCompMarker) null).toString(), null);
        }
        SSLPeerUnverifiedException sSLPeerUnverifiedException2 = sSLPeerUnverifiedException;
        DCRuntime.throw_op();
        throw sSLPeerUnverifiedException2;
    }

    // Instrumented twin of close(): no-op when isClosed is true, otherwise restores the
    // original streams, closes the TLS socket and marks the response closed.
    /* JADX WARN: Not initialized variable reg: 0, insn: 0x0047: THROW (r0 I:java.lang.Throwable), block:B:10:0x0047 */
    @Override // javax.naming.ldap.StartTlsResponse
    public void close(DCompMarker dCompMarker) throws IOException {
        DCRuntime.create_tag_frame("2");
        isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$get_tag();
        boolean z = this.isClosed;
        DCRuntime.discard_tag(1);
        if (z) {
            DCRuntime.normal_exit();
            return;
        }
        this.ldapConnection.replaceStreams(this.originalInputStream, this.originalOutputStream, null);
        this.sslSocket.close(null);
        DCRuntime.push_const();
        isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$set_tag();
        this.isClosed = true;
        DCRuntime.normal_exit();
    }

    // Instrumented twin of setConnection(Connection, String).
    // NOTE(review): RequestStatus.SCHEDULING_ERROR is an ical4j constant unrelated to LDAP;
    // most likely JADX substituted it for an equal string literal passed to create_tag_frame
    // (other frames in this class use literals such as "2" and "3").
    /* JADX WARN: Multi-variable type inference failed */
    public void setConnection(Connection connection, String str, DCompMarker dCompMarker) {
        DCRuntime.create_tag_frame(RequestStatus.SCHEDULING_ERROR);
        this.ldapConnection = connection;
        this.hostname = str != null ? str : connection.host;
        this.originalInputStream = connection.inStream;
        this.originalOutputStream = connection.outStream;
        DCRuntime.normal_exit();
    }

    // Instrumented twin of getDefaultFactory(): returns the cached factory or looks it up once.
    /* JADX WARN: Not initialized variable reg: 0, insn: 0x0029: THROW (r0 I:java.lang.Throwable), block:B:10:0x0029 */
    private SSLSocketFactory getDefaultFactory(DCompMarker dCompMarker) throws IOException {
        DCRuntime.create_tag_frame("2");
        if (this.defaultFactory != null) {
            SSLSocketFactory sSLSocketFactory = this.defaultFactory;
            DCRuntime.normal_exit();
            return sSLSocketFactory;
        }
        SSLSocketFactory sSLSocketFactory2 = (SSLSocketFactory) SSLSocketFactory.getDefault(null);
        this.defaultFactory = sSLSocketFactory2;
        DCRuntime.normal_exit();
        return sSLSocketFactory2;
    }

    // Instrumented twin of startHandshake(SSLSocketFactory). The 'r0' variable typed '??' is
    // a decompiler register artifact reused for unrelated values; it carries no logic.
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v19, types: [com.sun.jndi.ldap.Connection] */
    /* JADX WARN: Type inference failed for: r0v27 */
    /* JADX WARN: Type inference failed for: r0v28 */
    /* JADX WARN: Type inference failed for: r0v9 */
    private SSLSocket startHandshake(SSLSocketFactory sSLSocketFactory, DCompMarker dCompMarker) throws IOException {
        DCRuntime.create_tag_frame(RequestStatus.SCHEDULING_ERROR);
        if (this.ldapConnection == null) {
            IllegalStateException illegalStateException = new IllegalStateException("LDAP connection has not been set. TLS requires an existing LDAP connection.", (DCompMarker) null);
            DCRuntime.throw_op();
            throw illegalStateException;
        }
        // DCRuntime.object_eq stands in for the reference comparison of the plain copy.
        if (!DCRuntime.object_eq(sSLSocketFactory, this.currentFactory)) {
            Socket socket = this.ldapConnection.sock;
            String str = this.ldapConnection.host;
            Connection connection = this.ldapConnection;
            connection.port_com_sun_jndi_ldap_Connection__$get_tag();
            int i = connection.port;
            DCRuntime.push_const();
            // autoClose=false, as in the plain copy.
            this.sslSocket = (SSLSocket) sSLSocketFactory.createSocket(socket, str, i, false, null);
            this.currentFactory = sSLSocketFactory;
        }
        String[] strArr = this.suites;
        ?? r0 = strArr;
        if (strArr != null) {
            SSLSocket sSLSocket = this.sslSocket;
            sSLSocket.setEnabledCipherSuites(this.suites, null);
            r0 = sSLSocket;
        }
        try {
            this.sslSocket.startHandshake(null);
            r0 = this.ldapConnection;
            // Streams are swapped to TLS before the caller verifies the peer.
            r0.replaceStreams(this.sslSocket.getInputStream(null), this.sslSocket.getOutputStream(null), null);
            SSLSocket sSLSocket2 = this.sslSocket;
            DCRuntime.normal_exit();
            return sSLSocket2;
        } catch (IOException e) {
            this.sslSocket.close(null);
            DCRuntime.push_const();
            isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$set_tag();
            this.isClosed = true;
            DCRuntime.throw_op();
            throw e;
        }
    }

    // Instrumented twin of verify(String, SSLSession). Same three outcomes: Kerberos principal
    // match, X.509 hostname match, or acceptance without any check when the peer is
    // unverified and the cipher suite name contains "_anon_".
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v43 */
    /* JADX WARN: Type inference failed for: r0v44 */
    /* JADX WARN: Type inference failed for: r0v45 */
    /* JADX WARN: Type inference failed for: r0v46 */
    /* JADX WARN: Type inference failed for: r0v5, types: [java.lang.Throwable] */
    private boolean verify(String str, SSLSession sSLSession, DCompMarker dCompMarker) throws SSLPeerUnverifiedException {
        DCRuntime.create_tag_frame("8");
        String str2 = str;
        ?? r0 = str2;
        // Nested form of: str != null && startsWith("[") && endsWith("]") -> strip brackets.
        if (str2 != null) {
            boolean startsWith = str.startsWith("[", (DCompMarker) null);
            DCRuntime.discard_tag(1);
            r0 = startsWith;
            if (startsWith) {
                boolean endsWith = str.endsWith("]", null);
                DCRuntime.discard_tag(1);
                r0 = endsWith;
                if (endsWith) {
                    DCRuntime.push_const();
                    int length = str.length(null);
                    DCRuntime.push_const();
                    DCRuntime.binary_tag_op();
                    String substring = str.substring(1, length - 1, null);
                    str = substring;
                    r0 = substring;
                }
            }
        }
        try {
            DCRuntime.push_const();
            HostnameChecker hostnameChecker = HostnameChecker.getInstance((byte) 2, null);
            Principal peerPrincipal = getPeerPrincipal(sSLSession, null);
            DCRuntime.push_const();
            boolean z = peerPrincipal instanceof KerberosPrincipal;
            DCRuntime.discard_tag(1);
            if (z) {
                boolean match = HostnameChecker.match(str, (KerberosPrincipal) peerPrincipal, (DCompMarker) null);
                DCRuntime.discard_tag(1);
                if (!match) {
                    SSLPeerUnverifiedException sSLPeerUnverifiedException = new SSLPeerUnverifiedException(new StringBuilder((DCompMarker) null).append("hostname of the kerberos principal:", (DCompMarker) null).append((Object) peerPrincipal, (DCompMarker) null).append(" does not match the hostname:", (DCompMarker) null).append(str, (DCompMarker) null).toString(), null);
                    DCRuntime.throw_op();
                    throw sSLPeerUnverifiedException;
                }
            } else {
                Certificate[] peerCertificates = sSLSession.getPeerCertificates(null);
                DCRuntime.push_const();
                DCRuntime.ref_array_load(peerCertificates, 0);
                // Only the first certificate in the array is examined.
                Certificate certificate = peerCertificates[0];
                DCRuntime.push_const();
                boolean z2 = certificate instanceof X509Certificate;
                DCRuntime.discard_tag(1);
                if (!z2) {
                    SSLPeerUnverifiedException sSLPeerUnverifiedException2 = new SSLPeerUnverifiedException("Received a non X509Certificate from the server", null);
                    DCRuntime.throw_op();
                    throw sSLPeerUnverifiedException2;
                }
                DCRuntime.push_const();
                DCRuntime.ref_array_load(peerCertificates, 0);
                hostnameChecker.match(str, (X509Certificate) peerCertificates[0], (DCompMarker) null);
            }
            DCRuntime.push_const();
            DCRuntime.normal_exit_primitive();
            return true;
        } catch (CertificateException e) {
            SSLPeerUnverifiedException sSLPeerUnverifiedException3 = (SSLPeerUnverifiedException) new SSLPeerUnverifiedException(new StringBuilder((DCompMarker) null).append("hostname of the server '", (DCompMarker) null).append(str, (DCompMarker) null).append("' does not match the hostname in the ", (DCompMarker) null).append("server's certificate.", (DCompMarker) null).toString(), null).initCause(e, null);
            DCRuntime.throw_op();
            throw sSLPeerUnverifiedException3;
        } catch (SSLPeerUnverifiedException e2) {
            // Anonymous-suite exemption: the failure is swallowed and the peer accepted.
            String cipherSuite = sSLSession.getCipherSuite(null);
            if (cipherSuite != null) {
                int indexOf = cipherSuite.indexOf("_anon_", (DCompMarker) null);
                DCRuntime.push_const();
                DCRuntime.cmp_op();
                if (indexOf != -1) {
                    DCRuntime.push_const();
                    DCRuntime.normal_exit_primitive();
                    return true;
                }
            }
            DCRuntime.throw_op();
            throw e2;
        }
    }

    // Instrumented twin of getPeerPrincipal(SSLSession): AbstractMethodError maps to null.
    /* JADX WARN: Type inference failed for: r0v4, types: [java.lang.Throwable, java.security.Principal] */
    private static Principal getPeerPrincipal(SSLSession sSLSession, DCompMarker dCompMarker) throws SSLPeerUnverifiedException {
        Principal principal;
        DCRuntime.create_tag_frame(RequestStatus.SCHEDULING_ERROR);
        try {
            principal = sSLSession.getPeerPrincipal(null);
        } catch (AbstractMethodError e) {
            principal = null;
        }
        ?? r0 = principal;
        DCRuntime.normal_exit();
        return r0;
    }

    // Instrumentation helper: pushes the tag of field index 0 of this object (used before
    // each read of isClosed in the instrumented methods).
    public final void isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$get_tag() {
        DCRuntime.push_field_tag(this, 0);
    }

    // Instrumentation helper: pops a tag into field index 0 of this object (used before
    // each write of isClosed in the instrumented methods).
    private final void isClosed_com_sun_jndi_ldap_ext_StartTlsResponseImpl__$set_tag() {
        DCRuntime.pop_field_tag(this, 0);
    }
}
