package net.java.sip.communicator.impl.certificate;

import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Formatter;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.swing.SwingUtilities;
import net.java.sip.communicator.plugin.desktoputil.AuthenticationWindow;
import net.java.sip.communicator.service.certificate.CertificateConfigEntry;
import net.java.sip.communicator.service.certificate.CertificateMatcher;
import net.java.sip.communicator.service.certificate.CertificateService;
import net.java.sip.communicator.service.certificate.KeyStoreType;
import net.java.sip.communicator.service.credentialsstorage.CredentialsStorageService;
import net.java.sip.communicator.service.httputil.HttpUtils;
import net.java.sip.communicator.util.Logger;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.jitsi.service.configuration.ConfigurationService;
import org.jitsi.service.resources.ResourceManagementService;
import org.jitsi.util.OSUtils;

/* loaded from: input_file:net/java/sip/communicator/impl/certificate/CertificateServiceImpl.class */
public class CertificateServiceImpl implements CertificateService, PropertyChangeListener {
    /**
     * Common prefix of the configuration keys that hold trusted certificate thumbprints. The methods of this
     * class use the same text inlined, as "...certservice.param." and "...certservice.server." keys.
     */
    private static final String PNAME_CERT_TRUST_PREFIX = "net.java.sip.communicator.impl.certservice";
    /**
     * Digest used to compute the certificate thumbprints that are stored as trust decisions.
     * NOTE(review): SHA-1 is no longer collision resistant. Switching the algorithm would invalidate every
     * thumbprint already persisted, so a change needs a migration path; confirm before touching.
     */
    private static final String THUMBPRINT_HASH_ALGORITHM = "SHA1";
    private static final Logger logger = Logger.getLogger(CertificateServiceImpl.class);
    /** Dialog instance held in a static field, so it is shared by all instances; starts out unset. */
    private static VerifyCertificateDialog sCertificateDialog = null;
    /**
     * Key store types offered by this service, filled by the instance initializer below: PKCS11 (skipped when
     * OSUtils.IS_WINDOWS64 is set), PKCS12, and the JVM default key store type.
     * The second constructor argument lists the file extensions associated with the type.
     * NOTE(review): the boolean third argument presumably says whether the store takes a password; confirm
     * against KeyStoreType.
     */
    private final List<KeyStoreType> supportedTypes = new LinkedList<KeyStoreType>() { // from class: net.java.sip.communicator.impl.certificate.CertificateServiceImpl.1
        private static final long serialVersionUID = 0;

        {
            if (!OSUtils.IS_WINDOWS64) {
                add(new KeyStoreType("PKCS11", new String[]{".dll", ".so"}, false));
            }
            add(new KeyStoreType("PKCS12", new String[]{".p12", ".pfx"}, true));
            add(new KeyStoreType(KeyStore.getDefaultType(), new String[]{".ks", ".jks"}, true));
        }
    };
    private final ResourceManagementService R = CertificateVerificationActivator.getResources();
    private final ConfigurationService config = CertificateVerificationActivator.getConfigurationService();
    private final CredentialsStorageService credService = CertificateVerificationActivator.getCredService();
    /**
     * Thumbprints trusted for the current session only, keyed by the same configuration key that would be used
     * for a persistent trust entry. Held in memory; nothing here writes it to the configuration.
     * NOTE(review): a plain HashMap with no visible synchronization; confirm whether trust checks can run on
     * several handshake threads at once.
     */
    private Map<String, List<String>> sessionAllowedCertificates = new HashMap();
    /** Issuer certificates looked up by the URI they were fetched from (see the AIA handling in the trust manager). */
    private Map<URI, AiaCacheEntry> aiaCache = new HashMap();
    /** Optional additional trust manager; the trust check consults it only when it is non-null. Starts out unset. */
    private X509TrustManager mCustomTrustManager = null;
    /** Optional additional key store; starts out unset. */
    private KeyStore mCustomKeyStore = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/java/sip/communicator/impl/certificate/CertificateServiceImpl$AiaCacheEntry.class */
    /**
     * One entry of the AIA certificate cache: a certificate together with the date that decides whether the
     * entry may still be used.
     */
    public static class AiaCacheEntry {
        /**
         * Date compared with the current time on lookup; the lookup goes back to the network when this date is
         * not after "now".
         */
        Date cacheDate;
        /** The cached certificate. */
        X509Certificate cert;

        /**
         * Creates a cache entry.
         *
         * @param date date stored in {@link #cacheDate}
         * @param x509Certificate certificate stored in {@link #cert}
         */
        AiaCacheEntry(Date date, X509Certificate x509Certificate) {
            cert = x509Certificate;
            cacheDate = date;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:net/java/sip/communicator/impl/certificate/CertificateServiceImpl$BrowserLikeHostnameMatcher.class */
    /**
     * Matcher that accepts a certificate when at least one of the expected names passes Apache HttpClient's
     * browser-compatible hostname verifier.
     * NOTE(review): that verifier is the lenient one in HttpClient (a wildcard may cover more than one
     * sub-domain level); confirm this is the intended strictness for the callers of this matcher.
     */
    public class BrowserLikeHostnameMatcher implements CertificateMatcher {
        protected BrowserLikeHostnameMatcher() {
        }

        /**
         * Tries every expected name in iteration order and stops at the first one the verifier accepts.
         *
         * @param iterable names the certificate is expected to be valid for
         * @param x509Certificate certificate presented by the peer
         * @throws CertificateException if no name is accepted, including when {@code iterable} is empty
         */
        @Override // net.java.sip.communicator.service.certificate.CertificateMatcher
        public void verify(Iterable<String> iterable, X509Certificate x509Certificate) throws CertificateException {
            for (String candidate : iterable) {
                try {
                    SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER.verify(candidate, x509Certificate);
                    // One accepted name is sufficient.
                    return;
                } catch (SSLException ignored) {
                    // Deliberately ignored: this name did not match, the remaining names still get their turn.
                }
            }
            throw new CertificateException("None of <" + iterable + "> matched the cert with CN=" + x509Certificate.getSubjectDN());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:net/java/sip/communicator/impl/certificate/CertificateServiceImpl$EMailAddressMatcher.class */
    /**
     * Matcher that accepts a certificate when one of the expected identities equals, ignoring case, one of the
     * subject alternative names returned by {@code getSubjectAltNames(cert, 6)}.
     * NOTE(review): in the X.509 GeneralName numbering 6 is uniformResourceIdentifier and 1 is rfc822Name.
     * Confirm how getSubjectAltNames interprets its second argument and whether URI entries are what this
     * matcher is meant to compare against.
     */
    public class EMailAddressMatcher implements CertificateMatcher {
        protected EMailAddressMatcher() {
        }

        /**
         * Compares every expected identity with every returned alternative name.
         *
         * @param iterable identities the certificate is expected to carry
         * @param x509Certificate certificate presented by the peer
         * @throws CertificateException if no identity equals any alternative name
         */
        @Override // net.java.sip.communicator.service.certificate.CertificateMatcher
        public void verify(Iterable<String> iterable, X509Certificate x509Certificate) throws CertificateException {
            Iterable<String> subjectAltNames = CertificateServiceImpl.getSubjectAltNames(x509Certificate, 6);
            boolean matched = false;
            // The outer loop is not cut short after a match; every expected identity is still visited.
            for (String expected : iterable) {
                for (String altName : subjectAltNames) {
                    if (expected.equalsIgnoreCase(altName)) {
                        matched = true;
                        break;
                    }
                }
            }
            if (matched) {
                return;
            }
            throw new CertificateException("The peer provided certificate with Subject <" + x509Certificate.getSubjectDN() + "> contains no SAN for <" + iterable + ">");
        }
    }

    /**
     * Returns the list of session-only trusted thumbprints stored under the given key, creating and
     * registering an empty list first when the key has none yet.
     *
     * @param str configuration key the thumbprints belong to
     * @return the live list kept in {@code sessionAllowedCertificates}; additions are visible to later lookups
     */
    private List<String> getSessionCertEntry(String str) {
        return this.sessionAllowedCertificates.computeIfAbsent(str, key -> new LinkedList<>());
    }

    /**
     * Applies the configured trust store, subscribes to changes of the trust store type property and pushes
     * the revocation settings into the JVM.
     *
     * <p>The three settings written at the end are process-wide (two system properties and one security
     * property), so they affect every TLS user in the JVM, not only this service. Each one falls back to
     * "false" when the configuration has no value, which leaves CRL distribution point checks, revocation
     * checking and OCSP switched off unless they are configured explicitly.
     */
    public CertificateServiceImpl() {
        setTrustStore();
        this.config.global().addPropertyChangeListener(CertificateService.PNAME_TRUSTSTORE_TYPE, this);

        final String crlDistributionPoints = this.config.global().getString(CertificateService.PNAME_REVOCATION_CHECK_ENABLED, "false");
        System.setProperty("com.sun.security.enableCRLDP", crlDistributionPoints);

        final String revocationCheck = this.config.global().getString(CertificateService.PNAME_REVOCATION_CHECK_ENABLED, "false");
        System.setProperty("com.sun.net.ssl.checkRevocation", revocationCheck);

        final String ocsp = this.config.global().getString(CertificateService.PNAME_OCSP_ENABLED, "false");
        Security.setProperty("ocsp.enable", ocsp);
    }

    /**
     * Re-applies the trust store settings whenever a property this instance listens to changes. The event
     * itself is not inspected.
     *
     * @param propertyChangeEvent the change notification (unused)
     */
    @Override // java.beans.PropertyChangeListener
    public void propertyChange(PropertyChangeEvent propertyChangeEvent) {
        this.setTrustStore();
    }

    /**
     * Copies the configured trust store file and password into the standard {@code javax.net.ssl.*} system
     * properties, clearing each property whose configured value is absent.
     *
     * <p>{@code javax.net.ssl.trustStoreType} is always removed here and never set. The password ends up in a
     * system property, where any code in the JVM that may read system properties can see it.
     */
    private void setTrustStore() {
        final String trustStoreFile = (String) this.config.global().getProperty(CertificateService.PNAME_TRUSTSTORE_FILE);
        final String trustStorePassword = this.credService.global().loadPassword(CertificateService.PNAME_TRUSTSTORE_PASSWORD);

        System.getProperties().remove("javax.net.ssl.trustStoreType");

        if (trustStoreFile == null) {
            System.getProperties().remove("javax.net.ssl.trustStore");
        } else {
            System.setProperty("javax.net.ssl.trustStore", trustStoreFile);
        }

        if (trustStorePassword == null) {
            System.getProperties().remove("javax.net.ssl.trustStorePassword");
        } else {
            System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        }
    }

    /**
     * Returns the key store types this service offers.
     *
     * @return the internal list itself, not a copy; changes made by a caller are seen by this service
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public List<KeyStoreType> getSupportedKeyStoreTypes() {
        return supportedTypes;
    }

    /**
     * Rebuilds the list of client certificate configurations from the configuration service.
     *
     * <p>A property under the client-auth base counts as a configuration root when its value is the id that
     * its own name ends with. For each root the alias, display name, key store path, save-password flag and
     * key store type are read from the sub-properties. The key store password is loaded from the credentials
     * storage only when the save-password flag is set. When the stored type name equals none of the supported
     * types, the entry's key store type is left unset.
     *
     * @return a new list with one entry per stored configuration, possibly empty
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public List<CertificateConfigEntry> getClientAuthCertificateConfigs() {
        List<CertificateConfigEntry> entries = new LinkedList<>();
        for (String propertyName : this.config.global().getPropertyNamesByPrefix(CertificateService.PNAME_CLIENTAUTH_CERTCONFIG_BASE, false)) {
            String id = this.config.global().getString(propertyName);
            if (id == null || !propertyName.endsWith(id)) {
                // Not a configuration root (for example one of the ".alias" style sub-properties).
                continue;
            }
            String base = "net.java.sip.communicator.service.cert.clientauth." + id;
            CertificateConfigEntry entry = new CertificateConfigEntry();
            entry.setId(id);
            entry.setAlias(this.config.global().getString(base + ".alias"));
            entry.setDisplayName(this.config.global().getString(base + ".displayName"));
            entry.setKeyStore(this.config.global().getString(base + ".keyStore"));
            entry.setSavePassword(this.config.global().getBoolean(base + ".savePassword", false));
            if (entry.isSavePassword()) {
                entry.setKeyStorePassword(this.credService.global().loadPassword(base));
            }
            String typeName = this.config.global().getString(base + ".keyStoreType");
            for (KeyStoreType candidate : getSupportedKeyStoreTypes()) {
                if (candidate.getName().equals(typeName)) {
                    entry.setKeyStoreType(candidate);
                    break;
                }
            }
            entries.add(entry);
        }
        return entries;
    }

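    /**
     * Persists a client certificate configuration, assigning it a generated id first when it has none.
     *
     * <p>The key store password is written to the credentials storage only when the entry asks for it to be
     * saved; otherwise any password stored earlier under the same key is removed.
     *
     * @param certificateConfigEntry the configuration to store; its id is set as a side effect when it was null
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public void setClientAuthCertificateConfig(CertificateConfigEntry certificateConfigEntry) {
        if (certificateConfigEntry.getId() == null) {
            // nextInt(bound) is never negative. Math.abs(nextInt()) returns a negative number for
            // Integer.MIN_VALUE, which would have produced an id such as "conf-2147483648".
            certificateConfigEntry.setId("conf" + new SecureRandom().nextInt(Integer.MAX_VALUE));
        }
        String base = "net.java.sip.communicator.service.cert.clientauth." + certificateConfigEntry.getId();
        // The root property holds the id itself; that is how the root is recognised when the list is read back.
        this.config.global().setProperty(base, certificateConfigEntry.getId());
        this.config.global().setProperty(base + ".alias", certificateConfigEntry.getAlias());
        this.config.global().setProperty(base + ".displayName", certificateConfigEntry.getDisplayName());
        this.config.global().setProperty(base + ".keyStore", certificateConfigEntry.getKeyStore());
        this.config.global().setProperty(base + ".savePassword", Boolean.valueOf(certificateConfigEntry.isSavePassword()));
        if (certificateConfigEntry.isSavePassword()) {
            this.credService.global().storePassword(base, certificateConfigEntry.getKeyStorePassword());
        } else {
            this.credService.global().removePassword(base);
        }
        // The KeyStoreType object is handed over as the property value, not its name.
        this.config.global().setProperty(base + ".keyStoreType", certificateConfigEntry.getKeyStoreType());
    }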

    /**
     * Deletes a client certificate configuration: first every property returned for the configuration's
     * prefix, then the root property itself.
     * NOTE(review): the credentials storage is not called here. Confirm that a password saved for this
     * configuration is covered by the property removal and does not stay behind.
     *
     * @param str id of the configuration to remove
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public void removeClientAuthCertificateConfig(String str) {
        final String root = "net.java.sip.communicator.service.cert.clientauth." + str;
        for (Object propertyName : this.config.global().getPropertyNamesByPrefix(root, true)) {
            this.config.global().removeProperty((String) propertyName);
        }
        this.config.global().removeProperty(root);
    }

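    /**
     * Records a trust decision for a certificate under the given identity.
     *
     * <p>The certificate is identified by its thumbprint. TRUST_ALWAYS adds the thumbprint to the
     * comma-separated list persisted in the configuration; TRUST_THIS_SESSION_ONLY adds it to the in-memory
     * session list. Any other value except DO_NOT_TRUST is ignored.
     *
     * @param certificate certificate to trust
     * @param str identity (appended to the "...certservice.param." key) the decision applies to
     * @param i one of the CertificateService trust mode constants
     * @throws CertificateException if the thumbprint cannot be computed
     * @throws IllegalArgumentException if {@code i} is DO_NOT_TRUST
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public void addCertificateToTrust(Certificate certificate, String str, int i) throws CertificateException {
        String propertyName = "net.java.sip.communicator.impl.certservice.param." + str;
        String thumbprint = getThumbprint(certificate, THUMBPRINT_HASH_ALGORITHM);
        switch (i) {
            case CertificateService.DO_NOT_TRUST /* 0 */:
                throw new IllegalArgumentException("Cannot add a certificate to trust when no trust is requested.");
            case CertificateService.TRUST_ALWAYS /* 1 */:
                String existing = this.config.global().getString(propertyName);
                String updated = thumbprint;
                if (existing != null) {
                    // Keep the thumbprints already trusted for this identity. The previous code appended the
                    // new thumbprint to itself here, which replaced the stored list with "<new>,<new>".
                    updated = updated + "," + existing;
                }
                this.config.global().setProperty(propertyName, updated);
                return;
            case CertificateService.TRUST_THIS_SESSION_ONLY /* 2 */:
                getSessionCertEntry(propertyName).add(thumbprint);
                return;
            default:
                return;
        }
    }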

    /**
     * Builds an SSL context whose trust manager is created without any expected identity. The trust manager
     * built by this class skips its name matchers when the identity list is null or empty, so a context
     * obtained this way does not bind the peer certificate to a host name.
     *
     * @return the initialised context
     * @throws GeneralSecurityException if the trust manager or the context cannot be created
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public SSLContext getSSLContext() throws GeneralSecurityException {
        final X509TrustManager trustManager = getTrustManager((Iterable<String>) null);
        return getSSLContext(trustManager);
    }

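    /**
     * Builds an SSL context from the key store named by the standard {@code javax.net.ssl.keyStore*} system
     * properties and the given trust manager. Without a {@code javax.net.ssl.keyStore} property an empty key
     * store is used.
     *
     * @param x509TrustManager trust manager the context will use
     * @return the initialised context
     * @throws GeneralSecurityException wrapping any failure while loading the store or creating the context
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public SSLContext getSSLContext(X509TrustManager x509TrustManager) throws GeneralSecurityException {
        try {
            KeyStore keyStore = KeyStore.getInstance(System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
            String keyStorePath = System.getProperty("javax.net.ssl.keyStore");
            if (keyStorePath != null) {
                // try-with-resources: the stream used to stay open after the store had been read.
                // NOTE(review): the store is loaded with a null password, and KeyStore.load performs no
                // integrity check in that case; the password is only used for the key manager below.
                // Confirm this is intended.
                try (InputStream in = new FileInputStream(keyStorePath)) {
                    keyStore.load(in, null);
                }
            } else {
                keyStore.load(null, null);
            }
            keyManagerFactory.init(keyStore, keyStorePassword == null ? null : keyStorePassword.toCharArray());
            return getSSLContext(keyManagerFactory.getKeyManagers(), x509TrustManager);
        } catch (Exception e) {
            throw new GeneralSecurityException("Cannot init SSLContext", e);
        }
    }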

    /**
     * Creates a key store builder for a client certificate configuration.
     *
     * <p>For a PKCS11 entry the SunPKCS11 provider is first instantiated reflectively with a two-line
     * configuration naming the configured file as the native library, and registered with the JVM. A failure
     * there is only logged; the builder is returned regardless. The library path comes straight from the
     * stored configuration, so whoever can write that configuration chooses the native library the process
     * loads.
     *
     * <p>The password is supplied lazily through a callback: the saved password when the entry is flagged to
     * save it, otherwise the result of an authentication window.
     * NOTE(review): the saved password is dereferenced without a null check; confirm it cannot be null when
     * the save-password flag is set.
     *
     * @param certificateConfigEntry configuration naming the key store file and type
     * @return a builder that opens the store on demand
     */
    private KeyStore.Builder loadKeyStore(final CertificateConfigEntry certificateConfigEntry) {
        final File storeFile = new File(certificateConfigEntry.getKeyStore());
        final KeyStoreType storeType = certificateConfigEntry.getKeyStoreType();

        if ("PKCS11".equals(storeType.getName())) {
            try {
                String providerConfig = "name=" + storeFile.getName() + "\nlibrary=" + storeFile.getAbsoluteFile();
                Provider pkcs11Provider = (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                        .getConstructor(InputStream.class)
                        .newInstance(new ByteArrayInputStream(providerConfig.getBytes()));
                Security.insertProviderAt(pkcs11Provider, 0);
            } catch (Exception e) {
                logger.error("Tried to access the PKCS11 provider on an unsupported platform or the load failed", e);
            }
        }

        CallbackHandler passwordHandler = new CallbackHandler() { // from class: net.java.sip.communicator.impl.certificate.CertificateServiceImpl.2
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (!(callback instanceof PasswordCallback)) {
                        throw new UnsupportedCallbackException(callback);
                    }
                    PasswordCallback request = (PasswordCallback) callback;
                    if (certificateConfigEntry.isSavePassword()) {
                        // Saved password: answer this callback and leave; later callbacks are not processed.
                        request.setPassword(certificateConfigEntry.getKeyStorePassword().toCharArray());
                        return;
                    }
                    AuthenticationWindow.AuthenticationWindowResult prompt = AuthenticationWindow.getAuthenticationResult(storeFile.getName(), (char[]) null, storeType.getName(), false, false);
                    if (prompt.isCanceled()) {
                        throw new IOException("User cancel");
                    }
                    request.setPassword(prompt.getPassword());
                }
            }
        };
        return KeyStore.Builder.newInstance(storeType.getName(), null, storeFile, new KeyStore.CallbackHandlerProtection(passwordHandler));
    }

    /**
     * Builds an SSL context that authenticates with the client certificate configuration of the given id.
     * A null id falls back to the context built from the system key store properties.
     *
     * @param str id of the client certificate configuration, or null
     * @param x509TrustManager trust manager the context will use
     * @return the initialised context
     * @throws GeneralSecurityException wrapping any failure, including an unknown id (the "not found"
     *         exception raised below is caught by the same handler and becomes the cause)
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public SSLContext getSSLContext(String str, X509TrustManager x509TrustManager) throws GeneralSecurityException {
        try {
            if (str == null) {
                return getSSLContext(x509TrustManager);
            }
            CertificateConfigEntry selected = null;
            for (CertificateConfigEntry candidate : getClientAuthCertificateConfigs()) {
                if (candidate.getId().equals(str)) {
                    selected = candidate;
                    break;
                }
            }
            if (selected == null) {
                throw new GeneralSecurityException("Client certificate config with id <" + str + "> not found.");
            }
            KeyManagerFactory factory = KeyManagerFactory.getInstance("NewSunX509");
            KeyStoreBuilderParameters builderParameters = new KeyStoreBuilderParameters(loadKeyStore(selected));
            factory.init(builderParameters);
            return getSSLContext(factory.getKeyManagers(), x509TrustManager);
        } catch (Exception e) {
            throw new GeneralSecurityException("Cannot init SSLContext", e);
        }
    }

    /**
     * Creates a "TLS" context initialised with the given key managers and a single trust manager. No
     * SecureRandom is passed, so the context picks its own source of randomness.
     *
     * @param keyManagerArr key managers for client authentication
     * @param x509TrustManager the only trust manager installed in the context
     * @return the initialised context
     * @throws GeneralSecurityException wrapping any failure while creating or initialising the context
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public SSLContext getSSLContext(KeyManager[] keyManagerArr, X509TrustManager x509TrustManager) throws GeneralSecurityException {
        try {
            final TrustManager[] trustManagers = {x509TrustManager};
            final SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagerArr, trustManagers, null);
            return context;
        } catch (Exception e) {
            throw new GeneralSecurityException("Cannot init SSLContext", e);
        }
    }

    /**
     * Creates a trust manager with an empty identity list and the default matchers. With an empty list the
     * trust manager built by this class does not run its name matchers.
     *
     * @return the trust manager
     * @throws GeneralSecurityException if no default X509 trust manager is available
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public X509TrustManager getTrustManager() throws GeneralSecurityException {
        final List<String> noIdentities = new ArrayList<>();
        return getTrustManager(noIdentities, new EMailAddressMatcher(), new BrowserLikeHostnameMatcher());
    }

    /**
     * Creates a trust manager for the given identities with the default matchers: the e-mail matcher for
     * client certificates and the browser-like hostname matcher for server certificates.
     *
     * @param iterable identities the peer certificate is expected to match; null or empty skips the matchers
     * @return the trust manager
     * @throws GeneralSecurityException if no default X509 trust manager is available
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public X509TrustManager getTrustManager(Iterable<String> iterable) throws GeneralSecurityException {
        final CertificateMatcher clientMatcher = new EMailAddressMatcher();
        final CertificateMatcher serverMatcher = new BrowserLikeHostnameMatcher();
        return getTrustManager(iterable, clientMatcher, serverMatcher);
    }

    /**
     * Creates a trust manager for a single identity with the default matchers.
     *
     * @param str identity the peer certificate is expected to match; it is wrapped in a one-element list
     *        as is, so a null value yields a list holding null rather than an empty list
     * @return the trust manager
     * @throws GeneralSecurityException if no default X509 trust manager is available
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public X509TrustManager getTrustManager(String str) throws GeneralSecurityException {
        final List<String> singleIdentity = Arrays.asList(str);
        return getTrustManager(singleIdentity, new EMailAddressMatcher(), new BrowserLikeHostnameMatcher());
    }

    /**
     * Creates a trust manager for a single identity with caller-supplied matchers.
     *
     * @param str identity the peer certificate is expected to match; wrapped in a one-element list as is
     * @param certificateMatcher matcher applied when a client certificate is checked
     * @param certificateMatcher2 matcher applied when a server certificate is checked
     * @return the trust manager
     * @throws GeneralSecurityException if no default X509 trust manager is available
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public X509TrustManager getTrustManager(String str, CertificateMatcher certificateMatcher, CertificateMatcher certificateMatcher2) throws GeneralSecurityException {
        final List<String> singleIdentity = Arrays.asList(str);
        return getTrustManager(singleIdentity, certificateMatcher, certificateMatcher2);
    }

    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public X509TrustManager getTrustManager(final Iterable<String> iterable, final CertificateMatcher certificateMatcher, final CertificateMatcher certificateMatcher2) throws GeneralSecurityException {
        X509TrustManager x509TrustManager = null;
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        int length = trustManagers.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            TrustManager trustManager = trustManagers[i];
            if (trustManager instanceof X509TrustManager) {
                x509TrustManager = (X509TrustManager) trustManager;
                break;
            }
            i++;
        }
        if (x509TrustManager == null) {
            throw new GeneralSecurityException("No default X509 trust manager found");
        }
        final X509TrustManager x509TrustManager2 = x509TrustManager;
        return new X509TrustManager() { // from class: net.java.sip.communicator.impl.certificate.CertificateServiceImpl.3
            private boolean serverCheck;

            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return x509TrustManager2.getAcceptedIssuers();
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                this.serverCheck = true;
                checkCertTrusted(x509CertificateArr, str);
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                this.serverCheck = false;
                checkCertTrusted(x509CertificateArr, str);
            }

            private void checkCertTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                String i18NString;
                try {
                    boolean parseBoolean = Boolean.parseBoolean(CertificateVerificationActivator.getResources().getSettingsString(CertificateService.PNAME_ALWAYS_TRUST));
                    if (CertificateServiceImpl.this.config.user() != null) {
                        parseBoolean = CertificateServiceImpl.this.config.user().getBoolean(CertificateService.PNAME_ALWAYS_TRUST, parseBoolean);
                    }
                    if (parseBoolean) {
                        return;
                    }
                    boolean z = false;
                    try {
                        try {
                            x509CertificateArr = tryBuildChain(x509CertificateArr);
                        } catch (CertificateException e) {
                            try {
                                if (CertificateServiceImpl.this.mCustomTrustManager != null) {
                                    if (this.serverCheck) {
                                        CertificateServiceImpl.this.mCustomTrustManager.checkServerTrusted(x509CertificateArr, str);
                                    } else {
                                        CertificateServiceImpl.this.mCustomTrustManager.checkClientTrusted(x509CertificateArr, str);
                                    }
                                }
                            } catch (CertificateException e2) {
                                z = true;
                                CertificateServiceImpl.logger.warn("Failed to check certificate using default trust manager: ", e);
                                CertificateServiceImpl.logger.warn("Failed to check certificate using our own trust manager: ", e2);
                            }
                        }
                    } catch (Exception e3) {
                        CertificateServiceImpl.logger.info(e3);
                    }
                    CertificateServiceImpl.logger.debug("Checking server certificate authType: " + str + " tm: " + x509TrustManager2);
                    if (this.serverCheck) {
                        x509TrustManager2.checkServerTrusted(x509CertificateArr, str);
                    } else {
                        x509TrustManager2.checkClientTrusted(x509CertificateArr, str);
                    }
                    if (!z) {
                        if (iterable == null || !iterable.iterator().hasNext()) {
                            return;
                        }
                        try {
                            if (this.serverCheck) {
                                certificateMatcher2.verify(iterable, x509CertificateArr[0]);
                            } else {
                                certificateMatcher.verify(iterable, x509CertificateArr[0]);
                            }
                        } catch (CertificateException e4) {
                            z = true;
                            CertificateServiceImpl.logger.warn("Failed to verify certificate: ", e4);
                        }
                    }
                    if (z) {
                        String thumbprint = CertificateServiceImpl.getThumbprint(x509CertificateArr[0], CertificateServiceImpl.THUMBPRINT_HASH_ALGORITHM);
                        LinkedList<String> linkedList = new LinkedList();
                        LinkedList linkedList2 = new LinkedList();
                        String settingsString = CertificateServiceImpl.this.R.getSettingsString("service.gui.APPLICATION_NAME");
                        if (iterable == null || !iterable.iterator().hasNext()) {
                            String str2 = "net.java.sip.communicator.impl.certservice.server." + thumbprint;
                            linkedList.add(str2);
                            i18NString = CertificateServiceImpl.this.R.getI18NString("service.gui.CERT_DIALOG_DESCRIPTION_TXT_NOHOST", new String[]{settingsString});
                            String string = CertificateServiceImpl.this.config.global().getString(str2);
                            if (string != null) {
                                for (String str3 : string.split(",")) {
                                    linkedList2.add(str3);
                                }
                            }
                            List<String> list = CertificateServiceImpl.this.sessionAllowedCertificates.get(str2);
                            if (list != null) {
                                linkedList2.addAll(list);
                            }
                        } else {
                            i18NString = this.serverCheck ? CertificateServiceImpl.this.R.getI18NString("service.gui.CERT_DIALOG_DESCRIPTION_TXT", new String[]{settingsString, iterable.toString()}) : CertificateServiceImpl.this.R.getI18NString("service.gui.CERT_DIALOG_PEER_DESCRIPTION_TXT", new String[]{settingsString, iterable.toString()});
                            Iterator it = iterable.iterator();
                            while (it.hasNext()) {
                                String str4 = "net.java.sip.communicator.impl.certservice.param." + ((String) it.next());
                                linkedList.add(str4);
                                String string2 = CertificateServiceImpl.this.config.global().getString(str4);
                                if (string2 != null) {
                                    for (String str5 : string2.split(",")) {
                                        linkedList2.add(str5);
                                    }
                                }
                                List<String> list2 = CertificateServiceImpl.this.sessionAllowedCertificates.get(str4);
                                if (list2 != null) {
                                    linkedList2.addAll(list2);
                                }
                            }
                        }
                        if (!linkedList2.contains(thumbprint)) {
                            CertificateServiceImpl.logger.debug("Certificate not stored: stored: " + linkedList2 + " thumbprint: " + thumbprint);
                            switch (CertificateServiceImpl.this.verify(x509CertificateArr, i18NString)) {
                                case CertificateService.DO_NOT_TRUST /* 0 */:
                                    throw new CertificateException("The peer provided certificate with Subject <" + x509CertificateArr[0].getSubjectDN() + "> is not trusted");
                                case CertificateService.TRUST_ALWAYS /* 1 */:
                                    for (String str6 : linkedList) {
                                        String string3 = CertificateServiceImpl.this.config.global().getString(str6);
                                        String str7 = thumbprint;
                                        if (string3 != null) {
                                            str7 = str7 + "," + string3;
                                        }
                                        CertificateServiceImpl.this.config.global().setProperty(str6, str7);
                                    }
                                    break;
                                case CertificateService.TRUST_THIS_SESSION_ONLY /* 2 */:
                                    Iterator it2 = linkedList.iterator();
                                    while (it2.hasNext()) {
                                        CertificateServiceImpl.this.getSessionCertEntry((String) it2.next()).add(thumbprint);
                                    }
                                    break;
                            }
                        }
                    }
                } catch (Exception e5) {
                    CertificateServiceImpl.logger.error("Error checking certificate: " + e5);
                    throw e5;
                }
            }

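            /**
             * Tries to extend a chain that consists of a single, non-self-signed
             * certificate by fetching issuer certificates from the caIssuers URLs in
             * the Authority Information Access (AIA) extension.
             *
             * <p>At most 10 parents are appended. Lookup results, including failed
             * downloads, are kept in {@code aiaCache} for 600000 ms (10 minutes).
             * A self-signed parent is never appended.
             *
             * <p>Security notes for maintainers:
             * <ul>
             * <li>The URL is read from the certificate being examined, so the
             * download goes to whatever host that certificate names. Only the
             * scheme (http/https) is restricted here; any host filtering, timeout
             * or response size limit would have to live in
             * {@code HttpUtils.openURLConnection} - NOTE(review): confirm.</li>
             * <li>This method does not check that a downloaded certificate actually
             * signed its child. The returned array is only a candidate chain and
             * presumably gets validated by the caller - NOTE(review): confirm.</li>
             * </ul>
             *
             * @param x509CertificateArr the chain as received
             * @return the input array unchanged when it has more than one element or
             *         its only certificate is self-signed; otherwise the result of
             *         {@code toArray} on the extended list (the same array instance
             *         if no parent was found)
             * @throws IOException if the AIA extension value cannot be parsed
             * @throws URISyntaxException if a caIssuers location is not a valid URI
             * @throws CertificateException if no X.509 certificate factory is available
             */
            private X509Certificate[] tryBuildChain(X509Certificate[] x509CertificateArr) throws IOException, URISyntaxException, CertificateException {
                if (x509CertificateArr.length != 1 || x509CertificateArr[0].getIssuerDN().equals(x509CertificateArr[0].getSubjectDN())) {
                    return x509CertificateArr;
                }
                List<X509Certificate> chain = new ArrayList<>(x509CertificateArr.length + 4);
                chain.addAll(Arrays.asList(x509CertificateArr));
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                X509Certificate current = x509CertificateArr[x509CertificateArr.length - 1];
                // Hard cap on the number of hops so a long or looping AIA trail cannot keep us fetching.
                for (int depth = 0; depth < 10; depth++) {
                    byte[] extensionValue = current.getExtensionValue(Extension.authorityInfoAccess.getId());
                    if (extensionValue == null) {
                        break;
                    }
                    AccessDescription[] accessDescriptions = AuthorityInformationAccess.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue)).getAccessDescriptions();
                    X509Certificate parent = null;
                    // An enhanced for loop is used on purpose: the previous index-based loop
                    // skipped its increment on "continue" and could spin forever on a
                    // location whose download had failed.
                    for (AccessDescription accessDescription : accessDescriptions) {
                        if (!accessDescription.getAccessMethod().equals(AccessDescription.id_ad_caIssuers)) {
                            continue;
                        }
                        GeneralName accessLocation = accessDescription.getAccessLocation();
                        // Tag 6 is the uniformResourceIdentifier choice of GeneralName.
                        if (accessLocation.getTagNo() != 6 || !(accessLocation.getName() instanceof DERIA5String)) {
                            continue;
                        }
                        URI uri = new URI(((DERIA5String) accessLocation.getName()).getString());
                        String scheme = uri.getScheme();
                        // A relative URI has no scheme; skip it instead of failing with a NullPointerException.
                        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
                            continue;
                        }
                        X509Certificate candidate = null;
                        AiaCacheEntry aiaCacheEntry = CertificateServiceImpl.this.aiaCache.get(uri);
                        if (aiaCacheEntry != null && aiaCacheEntry.cacheDate.after(new Date())) {
                            candidate = aiaCacheEntry.cert;
                        } else {
                            CertificateServiceImpl.logger.debug("Downloading parent certificate for <" + current.getSubjectDN() + "> from <" + uri + ">");
                            try {
                                candidate = (X509Certificate) certificateFactory.generateCertificate(HttpUtils.openURLConnection(uri.toString()).getContent());
                            } catch (Exception e) {
                                // Best effort: a failed fetch is cached as "no certificate" below
                                // so the same URL is not retried until the entry expires.
                                CertificateServiceImpl.logger.debug("Could not download from <" + uri + ">");
                            }
                            CertificateServiceImpl.this.aiaCache.put(uri, new AiaCacheEntry(new Date(new Date().getTime() + 600000), candidate));
                        }
                        if (candidate == null) {
                            continue;
                        }
                        if (candidate.getIssuerDN().equals(candidate.getSubjectDN())) {
                            // Root certificates are never taken from the network.
                            CertificateServiceImpl.logger.debug("Parent is self-signed, ignoring");
                            continue;
                        }
                        parent = candidate;
                        break;
                    }
                    if (parent == null) {
                        break;
                    }
                    chain.add(parent);
                    current = parent;
                }
                return chain.toArray(x509CertificateArr);
            }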
        };
    }

    /**
     * Renders a certificate chain as multi-line text for logging.
     *
     * <p>Each certificate becomes one <code>{...}</code> entry holding its serial
     * number, issuer, subject and subject alternative names. A {@code null}
     * element is rendered as {@code null}; a certificate whose alternative names
     * cannot be parsed is rendered as {@code ParseError}.
     *
     * <p>The values are copied from the certificates without escaping, so the
     * result should be treated as untrusted text wherever it is displayed or
     * parsed. NOTE(review): the chain is likely peer-supplied - confirm.
     *
     * @param x509CertificateArr the chain to describe
     * @return the textual description
     */
    private String chainToString(X509Certificate[] x509CertificateArr) {
        StringBuilder out = new StringBuilder("X509 Chain: [");
        for (X509Certificate cert : x509CertificateArr) {
            StringBuilder entry = new StringBuilder();
            if (cert == null) {
                entry.append("null");
            } else {
                try {
                    entry.append("SN=").append(cert.getSerialNumber());
                    entry.append("\nIssuer=").append(cert.getIssuerX500Principal());
                    entry.append("\nSubject=").append(cert.getSubjectX500Principal());
                    Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
                    if (altNames != null) {
                        for (List<?> altName : altNames) {
                            // Element 0 is the name type, element 1 the value.
                            entry.append("\n").append(altName.get(0)).append("=").append(altName.get(1));
                        }
                    }
                } catch (CertificateParsingException e) {
                    // Log what was collected so far, then replace the entry with a marker.
                    logger.info("Failed to parse certificate: " + entry, e);
                    entry = new StringBuilder("ParseError");
                }
            }
            out.append("{").append(entry).append("\n").append("}\n");
        }
        return out.append("]").toString();
    }

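    /**
     * Asks the user whether a certificate chain should be trusted.
     *
     * <p>The decision fails closed: when user interaction is disabled through
     * {@code CertificateService.PNAME_NO_USER_INTERACTION}, when the dialog
     * cannot be shown, or when the user declines, the result is 0.
     *
     * <p>NOTE(review): if {@code sCertificateDialog} is already set, that
     * existing dialog is shown and its answer is returned; the chain and message
     * passed to this call are not handed to it. Confirm that the field is
     * cleared once a dialog closes, otherwise an answer given for one chain
     * could be applied to another.
     *
     * @param x509CertificateArr the chain the user is asked about
     * @param str the message shown with the chain
     * @return 0 for do not trust, 1 for always trust, 2 for trust during this
     *         session only (the value of
     *         {@code CertificateService.TRUST_THIS_SESSION_ONLY})
     */
    protected int verify(X509Certificate[] x509CertificateArr, String str) {
        logger.warn("Asking user to verify certificate.  chain: " + chainToString(x509CertificateArr) + " with message: " + str);
        if (this.config.user() != null && this.config.user().getBoolean(CertificateService.PNAME_NO_USER_INTERACTION, false)) {
            // Nobody can be asked, so the certificate is not trusted.
            return 0;
        }
        final VerifyCertificateDialog verifyCertificateDialog = sCertificateDialog == null ? new VerifyCertificateDialog(x509CertificateArr, null, str) : sCertificateDialog;
        sCertificateDialog = verifyCertificateDialog;
        try {
            // Blocks the calling thread until the dialog has been shown on the Swing event thread.
            SwingUtilities.invokeAndWait(new Runnable() { // from class: net.java.sip.communicator.impl.certificate.CertificateServiceImpl.4
                @Override // java.lang.Runnable
                public void run() {
                    verifyCertificateDialog.setVisible(true);
                }
            });
            if (!verifyCertificateDialog.isTrusted) {
                logger.warn("User said do not trust");
                logger.user("Do not trust selected");
                return 0;
            }
            if (verifyCertificateDialog.alwaysTrustCheckBox.isSelected()) {
                logger.user("Always trust selected");
                return 1;
            }
            logger.user("Trust only for this session selected");
            return 2;
        } catch (Exception e) {
            if (e instanceof InterruptedException) {
                // Keep the interrupt visible to the caller instead of swallowing it.
                Thread.currentThread().interrupt();
            }
            logger.error("Cannot show certificate verification dialog", e);
            return 0;
        }
    }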

    /**
     * Computes the thumbprint of a certificate: the digest of its encoded form,
     * written as lowercase hexadecimal.
     *
     * <p>NOTE(review): the digest algorithm is chosen by the caller. If
     * thumbprints are used to recognise previously trusted certificates, a
     * collision-resistant algorithm should be used - confirm what callers pass.
     *
     * @param certificate the certificate to fingerprint
     * @param str the {@link MessageDigest} algorithm name
     * @return two hexadecimal digits per digest byte
     * @throws CertificateException if the certificate cannot be encoded or the
     *         algorithm is not available
     */
    private static String getThumbprint(Certificate certificate, String str) throws CertificateException {
        final MessageDigest hasher;
        try {
            hasher = MessageDigest.getInstance(str);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        byte[] digest = hasher.digest(certificate.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            // High nibble first, then low nibble; forDigit yields lowercase letters.
            hex.append(Character.forDigit((b >> 4) & 0xf, 16));
            hex.append(Character.forDigit(b & 0xf, 16));
        }
        return hex.toString();
    }

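    /**
     * Returns the subject alternative names of one type from a certificate.
     *
     * <p>Only entries whose value is a {@link String} are returned; entries with
     * any other value type are skipped. The result is empty when the certificate
     * has no subject alternative name extension or when the extension cannot be
     * parsed, so a caller matching names against this result finds nothing to
     * match in those cases.
     *
     * @param x509Certificate the certificate to read
     * @param i the name type to select, compared with the first element of each
     *          entry
     * @return the matching names in certificate order, never {@code null}
     */
    private static Iterable<String> getSubjectAltNames(X509Certificate x509Certificate, int i) {
        Collection<List<?>> altNames;
        try {
            altNames = x509Certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException ignored) {
            // An unparsable extension is treated like an absent one.
            return Collections.emptyList();
        }
        if (altNames == null) {
            // getSubjectAlternativeNames() returns null when the extension is absent.
            return Collections.emptyList();
        }
        Integer wantedType = Integer.valueOf(i);
        List<String> matches = new ArrayList<>();
        for (List<?> entry : altNames) {
            if (entry.size() < 2 || !wantedType.equals(entry.get(0))) {
                continue;
            }
            Object value = entry.get(1);
            if (value instanceof String) {
                matches.add((String) value);
            }
        }
        return matches;
    }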

    /**
     * Rebuilds {@code mCustomTrustManager} from {@code mCustomKeyStore}.
     *
     * <p>A trust manager factory of the default algorithm is initialised with
     * the custom key store, and the first {@link X509TrustManager} it offers is
     * wrapped in a delegate that logs before every client or server check.
     *
     * <p>NOTE(review): with the default JSSE provider, initialising the factory
     * with a {@code null} key store selects the platform's default trust store.
     * Confirm that a {@code null} {@code mCustomKeyStore} is intended to mean
     * "trust the platform CAs" here.
     *
     * @throws GeneralSecurityException if the factory cannot be created or
     *         initialised, or if it offers no X.509 trust manager
     */
    private void setCustomTrustManager() throws GeneralSecurityException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(this.mCustomKeyStore);
        X509TrustManager located = null;
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                located = (X509TrustManager) candidate;
                break;
            }
        }
        if (located == null) {
            throw new GeneralSecurityException("No default X509 trust manager found");
        }
        final X509TrustManager delegate = located;
        this.mCustomTrustManager = new X509TrustManager() { // from class: net.java.sip.communicator.impl.certificate.CertificateServiceImpl.5
            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                // The delegate decides; a rejection surfaces as CertificateException.
                CertificateServiceImpl.logger.info("Could not verify certificate chain. Checking custom certificates.");
                delegate.checkClientTrusted(x509CertificateArr, str);
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                // The delegate decides; a rejection surfaces as CertificateException.
                CertificateServiceImpl.logger.info("Could not verify certificate chain. Checking custom certificates.");
                delegate.checkServerTrusted(x509CertificateArr, str);
            }
        };
    }

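    /**
     * Replaces the custom key store and rebuilds the custom trust manager from it.
     *
     * <p>If the trust manager cannot be rebuilt, the previous key store is put
     * back, so the stored key store and the active trust manager never disagree
     * about which certificates are trusted.
     *
     * @param keyStore the key store holding the custom trusted certificates
     * @throws GeneralSecurityException if no trust manager can be built from
     *         {@code keyStore}
     */
    @Override // net.java.sip.communicator.service.certificate.CertificateService
    public void setCustomKeyStore(KeyStore keyStore) throws GeneralSecurityException {
        KeyStore previous = this.mCustomKeyStore;
        this.mCustomKeyStore = keyStore;
        try {
            setCustomTrustManager();
        } catch (GeneralSecurityException | RuntimeException e) {
            // mCustomTrustManager was not replaced, so restore the key store it was built from.
            this.mCustomKeyStore = previous;
            throw e;
        }
    }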
}
