package tigase.io;

import java.io.IOException;
import java.nio.ByteOrder;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import tigase.annotations.TigaseDeprecated;
import tigase.eventbus.EventBus;
import tigase.eventbus.EventBusFactory;
import tigase.eventbus.HandleEvent;
import tigase.io.CertificateContainer;
import tigase.io.SSLContextContainerAbstract;
import tigase.kernel.beans.Bean;
import tigase.kernel.beans.Initializable;
import tigase.kernel.beans.Inject;
import tigase.kernel.beans.UnregisterAware;
import tigase.kernel.beans.config.ConfigField;
import tigase.kernel.core.Kernel;
import tigase.server.Command;
import tigase.server.ConnectionManager;
import tigase.server.DataForm;
import tigase.server.Packet;
import tigase.vhosts.AbstractVHostItemExtension;
import tigase.vhosts.VHostItem;
import tigase.vhosts.VHostItemExtensionBackwardCompatible;
import tigase.vhosts.VHostItemExtensionManager;
import tigase.vhosts.VHostItemExtensionProvider;
import tigase.vhosts.VHostItemImpl;
import tigase.vhosts.VHostManagerIfc;
import tigase.xml.Element;

@Bean(name = "sslContextContainer", parent = ConnectionManager.class, active = true)
/* loaded from: input_file:tigase/io/SSLContextContainer.class */
public class SSLContextContainer extends SSLContextContainerAbstract implements Initializable {
    // JVM system property written by initialize(); the value comes from ephemeralDHKeySize.
    private static final String EPHEMERAL_DH_KEYSIZE_KEY = "jdk.tls.ephemeralDHKeySize";
    // Default for ephemeralDHKeySize (assigned in the constructor).
    private static final int EPHEMERAL_DH_KEYSIZE_VALUE = 4096;
    // JVM system property written by initialize(); the value comes from maxHandshakeMessageSize.
    private static final String MAX_TLS_HANDSHAKE_MESSAGE_SIZE_KEY = "jdk.tls.maxHandshakeMessageSize";
    // Default for maxHandshakeMessageSize: 2^16 = 65536.
    private static final int MAX_TLS_HANDSHAKE_MESSAGE_SIZE_VALUE = (int) Math.pow(2.0d, 16.0d);
    // Fixed suite list that getEnabledCiphers() returns as-is when tlsJdkNssBugWorkaround is set.
    // The names show export-grade, single-DES, 3DES and RC4 suites, and this list is NOT passed
    // through the hardened-mode filters below, so enabling the workaround bypasses them.
    private static final String[] TLS_WORKAROUND_CIPHERS = {"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_RSA_WITH_AES_128_CBC_SHA"};
    // Regular expressions (full-match, see subtractItemsFromCollection) removed from the cipher
    // list in "secure" mode: names ending in _MD5 or _SHA1, names containing RC4_, and names
    // starting with TLS_RSA_WITH_AES.
    // NOTE(review): the suite names listed in TLS_WORKAROUND_CIPHERS end in "_SHA", which the
    // "_SHA1$" alternative does not match - confirm whether SHA-1 MAC suites are meant to be
    // removed by this pattern.
    private static final String[] HARDENED_SECURE_FORBIDDEN_CIPHERS = {"^.*(_(MD5|SHA1)$|RC4_.*$)", "^(TLS_RSA_WITH_AES.*$)"};
    // Additional pattern removed in "strict" mode: every suite whose name contains _AES_128_.
    private static final String[] HARDENED_STRICT_FORBIDDEN_CIPHERS = {"^.*_AES_128_.*$"};
    // Protocol names removed in "secure" mode. They are applied as full-match regular
    // expressions, so "SSL" removes only an entry named exactly "SSL" (not "SSLv2Hello").
    private static final String[] HARDENED_SECURE_FORBIDDEN_PROTOCOLS = {"SSL", "SSLv2", "SSLv3"};
    // Protocol names removed, on top of the "secure" set, in "strict" mode.
    private static final String[] HARDENED_STRICT_FORBIDDEN_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1"};
    private static final Logger log = Logger.getLogger(SSLContextContainer.class.getName());

    // Event bus this container registers on in start() and unregisters from in stop().
    @Inject
    protected EventBus eventBus;
    // Cache of SSL context holders keyed by certificate alias / domain (see getSSLContext()).
    protected Map<String, SSLContextContainerAbstract.SSLHolder> sslContexts;

    // Optional; used by getHardenedMode() to look up a per-vhost hardened-mode override.
    @Inject(nullAllowed = true)
    protected VHostManagerIfc vHostManager;
    // Cipher suites per hardened mode, filled by initialize(); keys are produced by getKey().
    Map<String, String[]> enabledCiphersMap;
    // Protocols per hardened mode and client/server role, filled by initialize().
    Map<String, String[]> enabledProtocolsMap;

    // When true, initialize() removes "TLSv1.3" from every protocol list.
    @ConfigField(desc = "Disable TLS 1.3", alias = "tls-disable-tls13")
    @TigaseDeprecated(since = "8.1.0", removeIn = "9.0.0", note = "(temporarily) disable TLS 1.3 due to compatibility issues")
    @Deprecated
    private boolean disableTLS13;

    // Regular expressions for cipher suites to remove from every mode.
    // NOTE(review): desc reads "Enabled ..." although the alias configures the DISABLED list.
    @ConfigField(desc = "Enabled TLS/SSL ciphers", alias = "tls-disabled-ciphers")
    private String[] disabledCiphers;

    // Regular expressions for protocols to remove from every mode.
    // NOTE(review): desc reads "Enabled ..." although the alias configures the DISABLED list.
    @ConfigField(desc = "Enabled TLS/SSL protocols", alias = "tls-disabled-protocols")
    private String[] disabledProtocols;

    // Deprecated explicit allow-list. When non-empty, getEnabledCiphers() returns it verbatim,
    // which takes precedence over the hardened-mode lists and over the disabled-ciphers setting.
    @ConfigField(desc = "Enabled TLS/SSL ciphers", alias = "tls-enabled-ciphers")
    @TigaseDeprecated(since = "8.1.0", removeIn = "9.0.0", note = "Control list of ciphers with `tls-disabled-ciphers`")
    @Deprecated
    private String[] enabledCiphers;

    // Deprecated explicit allow-list. When non-empty, getEnabledProtocols() returns it verbatim,
    // which takes precedence over the hardened-mode lists and over the disabled-protocols setting.
    @ConfigField(desc = "Enabled TLS/SSL protocols", alias = "tls-enabled-protocols")
    @TigaseDeprecated(since = "8.1.0", removeIn = "9.0.0", note = "Control list of protocols with `tls-disabled-protocols`")
    @Deprecated
    private String[] enabledProtocols;

    // Published as the jdk.tls.ephemeralDHKeySize system property by initialize().
    @ConfigField(desc = "Sets ephemeral DH Key Size", alias = "ephemeral-key-size")
    private int ephemeralDHKeySize;

    // Published as the jdk.tls.maxHandshakeMessageSize system property by initialize().
    @ConfigField(desc = "Sets max Handshake Message Size", alias = "max-handshake-message-size")
    private int maxHandshakeMessageSize;

    // Container-wide hardened mode; a per-vhost extension may override it (see getHardenedMode()).
    @ConfigField(desc = "TLS/SSL hardened mode", alias = HardenedModeVHostItemExtension.ID)
    private HARDENED_MODE hardenedMode;

    // Optional root container; getSSLContext() and getTrustStore() fall back to it.
    @Inject(bean = "rootSslContextContainer", type = Root.class, nullAllowed = true)
    private SSLContextContainerIfc parent;

    // When true, getEnabledCiphers() returns TLS_WORKAROUND_CIPHERS instead of the
    // hardened-mode list. Defaults to false (set in the constructor).
    @ConfigField(desc = "TLS/SSL", alias = "tls-jdk-nss-bug-workaround-active")
    private boolean tlsJdkNssBugWorkaround;

    /* loaded from: input_file:tigase/io/SSLContextContainer$HARDENED_MODE.class */
    /**
     * TLS hardening levels selectable per container or per virtual host.
     *
     * <p>As built by {@code SSLContextContainer.initialize()}: {@code relaxed} is the JVM's
     * enabled set minus the configured disabled entries, {@code secure} additionally removes
     * the "secure" forbidden protocols/ciphers, and {@code strict} additionally removes the
     * "strict" ones. {@code global} means "use the container-wide setting".
     */
    public enum HARDENED_MODE {
        global,
        relaxed,
        secure,
        strict;

        /**
         * @return the mode used when nothing else is configured ({@code secure})
         */
        public static HARDENED_MODE getDefault() {
            return secure;
        }

        /**
         * @return the names of all modes, in declaration order
         */
        static String[] stringValues() {
            return Arrays.stream(values()).map(Enum::name).toArray(String[]::new);
        }
    }

    /* loaded from: input_file:tigase/io/SSLContextContainer$HardenedModeVHostItemExtension.class */
    /**
     * Virtual-host extension carrying the TLS hardened mode for a single domain.
     *
     * <p>The mode defaults to {@link HARDENED_MODE#secure}. A value of
     * {@link HARDENED_MODE#global} defers to the defaults (see {@link #mergeWithDefaults}).
     */
    public static class HardenedModeVHostItemExtension extends AbstractVHostItemExtension<HardenedModeVHostItemExtension> implements VHostItemExtensionBackwardCompatible<HardenedModeVHostItemExtension> {
        public static final String ID = "hardened-mode";
        private HARDENED_MODE mode = HARDENED_MODE.secure;

        /**
         * Converts a configuration string into a hardened mode.
         *
         * <p>An exact enum name is used directly. Otherwise the trimmed, lower-cased value is
         * compared with the two legacy constants from {@code SSLContextContainerIfc}; any other
         * text silently yields {@code secure} rather than an error. A {@code null} argument
         * (or any other non-{@link IllegalArgumentException} failure of {@code valueOf})
         * yields {@code global}.
         *
         * @param str the configured value; may be {@code null}
         * @return the parsed mode, never {@code null}
         */
        public static HARDENED_MODE parseHardenedModeFromString(String str) {
            try {
                return HARDENED_MODE.valueOf(str);
            } catch (IllegalArgumentException notAnEnumName) {
                // str is non-null here: valueOf(null) raises NullPointerException instead.
                final String normalized = str.trim().toLowerCase();
                if (SSLContextContainerIfc.ALLOW_SELF_SIGNED_CERTS_VAL.equals(normalized)) {
                    return HARDENED_MODE.secure;
                }
                if (SSLContextContainerIfc.ALLOW_INVALID_CERTS_VAL.equals(normalized)) {
                    return HARDENED_MODE.relaxed;
                }
                // Unrecognised text keeps the default.
                return HARDENED_MODE.secure;
            } catch (Exception other) {
                return HARDENED_MODE.global;
            }
        }

        /** @return the extension identifier, {@value #ID} */
        @Override // tigase.vhosts.VHostItemExtensionIfc
        public String getId() {
            return ID;
        }

        /**
         * Reads the mode from the attribute named after {@link #getId()} on the given element.
         *
         * @param element the stored extension element
         */
        @Override // tigase.vhosts.VHostItemExtensionIfc
        public void initFromElement(Element element) {
            final String stored = element.getAttributeStaticStr(getId());
            this.mode = parseHardenedModeFromString(stored);
        }

        /**
         * Reads the mode from an ad-hoc command field; a missing field selects {@code global}.
         *
         * @param str    name of the command field to read
         * @param packet the command packet
         */
        @Override // tigase.vhosts.VHostItemExtensionIfc
        public void initFromCommand(String str, Packet packet) throws IllegalArgumentException {
            final String submitted = Command.getFieldValue(packet, str);
            if (submitted == null) {
                this.mode = HARDENED_MODE.global;
            } else {
                this.mode = parseHardenedModeFromString(submitted);
            }
        }

        /** @return the hardened mode held by this extension */
        public HARDENED_MODE getMode() {
            return this.mode;
        }

        /** @return a short human-readable description of the current mode */
        @Override // tigase.vhosts.VHostItemExtensionIfc
        public String toDebugString() {
            return "hardened-mode: " + this.mode;
        }

        /**
         * Serialises the mode to an element.
         *
         * @return the element, or {@code null} when the mode is unset or equals the default,
         *         so that nothing is stored in that case
         */
        @Override // tigase.vhosts.VHostItemExtensionIfc
        public Element toElement() {
            final boolean nothingToStore = this.mode == null || this.mode == HARDENED_MODE.getDefault();
            if (nothingToStore) {
                return null;
            }
            final Element result = new Element(getId());
            result.setAttribute(getId(), String.valueOf(this.mode));
            return result;
        }

        /**
         * Adds a single-choice list field with all mode names to the command form in the packet.
         *
         * @param str    unused by this implementation
         * @param packet the command packet whose {@code command} child receives the field
         * @param z      unused by this implementation
         */
        @Override // tigase.vhosts.VHostItemExtensionIfc
        public void addCommandFields(String str, Packet packet, boolean z) {
            final Element commandElement = packet.getElemChild("command", "http://jabber.org/protocol/commands");
            final String currentValue = String.valueOf(getMode());
            final String[] optionLabels = HARDENED_MODE.stringValues();
            final String[] optionValues = HARDENED_MODE.stringValues();
            DataForm.addFieldValue(commandElement, getId(), currentValue, getId(), optionLabels, optionValues, DataForm.FieldType.ListSingle.value());
        }

        /**
         * Takes the mode from a legacy data map, removing the entry from the map.
         * The stored value is cast to {@link HARDENED_MODE} without a type check.
         *
         * @param map legacy vhost data, keyed by extension id
         */
        @Override // tigase.vhosts.VHostItemExtensionBackwardCompatible
        public void initFromData(Map<String, Object> map) {
            final HARDENED_MODE legacyMode = (HARDENED_MODE) map.remove(getId());
            if (legacyMode == null) {
                return;
            }
            this.mode = legacyMode;
        }

        /**
         * @param hardenedModeVHostItemExtension the default extension
         * @return the defaults when this extension is set to {@code global}, otherwise this
         */
        @Override // tigase.vhosts.VHostItemExtension
        public HardenedModeVHostItemExtension mergeWithDefaults(HardenedModeVHostItemExtension hardenedModeVHostItemExtension) {
            if (this.mode == HARDENED_MODE.global) {
                return hardenedModeVHostItemExtension;
            }
            return this;
        }
    }

    /**
     * Registers {@link HardenedModeVHostItemExtension} with the vhost extension manager under
     * the id {@code hardened-mode}.
     */
    @Bean(name = HardenedModeVHostItemExtension.ID, parent = VHostItemExtensionManager.class, active = true)
    public static class HardenedModeVHostItemExtensionProvider implements VHostItemExtensionProvider<HardenedModeVHostItemExtension> {

        /** @return the id of the provided extension */
        @Override // tigase.vhosts.VHostItemExtensionProvider
        public String getId() {
            final String extensionId = HardenedModeVHostItemExtension.ID;
            return extensionId;
        }

        /** @return the class of the provided extension */
        @Override // tigase.vhosts.VHostItemExtensionProvider
        public Class<HardenedModeVHostItemExtension> getExtensionClazz() {
            final Class<HardenedModeVHostItemExtension> extensionClass = HardenedModeVHostItemExtension.class;
            return extensionClass;
        }
    }

    /**
     * Kernel-level container that per-connection-manager containers use as their parent.
     *
     * <p>Its {@link #initialize()} only registers on the event bus and does not run the
     * superclass initialisation, so this instance does not populate the per-mode cipher and
     * protocol maps itself.
     */
    @Bean(name = "rootSslContextContainer", parent = Kernel.class, active = true, exportable = true)
    public static class Root extends SSLContextContainer implements Initializable, UnregisterAware {

        /** Unregisters from the event bus before the bean is removed. */
        @Override // tigase.kernel.beans.UnregisterAware
        public void beforeUnregister() {
            this.stop();
        }

        /** Registers on the event bus; no cipher/protocol lists are computed here. */
        @Override // tigase.io.SSLContextContainer, tigase.kernel.beans.Initializable
        public void initialize() {
            this.start();
        }

        /**
         * Logs the request and ignores it: the root container never gets a parent.
         *
         * @param sSLContextContainerIfc the container that was offered as parent
         */
        @Override // tigase.io.SSLContextContainer
        public void setParent(SSLContextContainerIfc sSLContextContainerIfc) {
            final String message = "setting root = " + sSLContextContainerIfc;
            SSLContextContainer.log.log(Level.FINE, message);
        }
    }

    /**
     * Builds the key used in the per-mode cipher and protocol maps.
     *
     * @param hardened_mode the hardened mode
     * @param z             {@code true} for the client-mode variant
     * @return the mode name, with the suffix {@code _client} appended for client mode
     */
    private static String getKey(HARDENED_MODE hardened_mode, boolean z) {
        final String modeName = String.valueOf(hardened_mode);
        if (z) {
            return modeName + "_client";
        }
        return modeName;
    }

    /**
     * Renders the supported items as a comma-separated list, prefixing each one with
     * {@code (+)} when it is also in the enabled list and {@code (-)} otherwise.
     *
     * @param strArr  the enabled items; {@code null} is treated as "none enabled"
     * @param strArr2 the supported items; {@code null} yields an empty string
     * @return the annotated list, used for configuration logging
     */
    private static String markEnabled(String[] strArr, String[] strArr2) {
        if (strArr2 == null) {
            return "";
        }
        final List<String> enabled = strArr == null ? new ArrayList<>() : Arrays.asList(strArr);
        final StringBuilder rendered = new StringBuilder();
        for (String supported : strArr2) {
            if (rendered.length() > 0) {
                rendered.append(",");
            }
            rendered.append(enabled.contains(supported) ? "(+)" : "(-)").append(supported);
        }
        return rendered.toString();
    }

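    /**
     * Returns the items that match none of the given regular expressions.
     *
     * <p>Each entry of {@code strArr2} is compiled as a regular expression and must match an
     * item in full ({@code Matcher.matches()}) for that item to be removed. A plain name such
     * as {@code SSL} therefore removes only an item named exactly {@code SSL}, not
     * {@code SSLv3}; use a pattern such as {@code SSL.*} to remove a whole family.
     *
     * <p>The patterns are compiled once per call rather than once per item, and a
     * {@code null} or empty pattern array means "remove nothing".
     *
     * @param strArr  the items to filter; must not be {@code null}
     * @param strArr2 regular expressions naming the items to remove; may be {@code null}
     * @return a new array with the remaining items, in their original order
     * @throws java.util.regex.PatternSyntaxException if an entry is not a valid expression
     */
    private static String[] subtractItemsFromCollection(String[] strArr, String[] strArr2) {
        if (strArr2 == null || strArr2.length == 0) {
            return strArr.clone();
        }
        final Pattern[] forbidden = Arrays.stream(strArr2).map(Pattern::compile).toArray(Pattern[]::new);
        return Arrays.stream(strArr)
                .filter(item -> Arrays.stream(forbidden).noneMatch(pattern -> pattern.matcher(item).matches()))
                .toArray(String[]::new);
    }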

    /** Creates a container without a certificate container and without a parent. */
    public SSLContextContainer() {
        this(null, null);
    }

    /**
     * Creates a container without a parent.
     *
     * @param certificateContainerIfc the certificate source handed to the superclass
     */
    public SSLContextContainer(CertificateContainerIfc certificateContainerIfc) {
        this(certificateContainerIfc, null);
    }

    /**
     * Creates a container and sets the defaults: hardened mode {@code secure}, ephemeral DH
     * key size 4096, maximum handshake message size 2^16, TLS 1.3 enabled and the JDK/NSS
     * workaround off.
     *
     * @param certificateContainerIfc the certificate source handed to the superclass
     * @param sSLContextContainerIfc  the parent container, or {@code null}
     */
    public SSLContextContainer(CertificateContainerIfc certificateContainerIfc, SSLContextContainerIfc sSLContextContainerIfc) {
        super(certificateContainerIfc);
        // Collaborators and caches.
        this.eventBus = EventBusFactory.getInstance();
        this.vHostManager = null;
        this.parent = sSLContextContainerIfc;
        this.sslContexts = new ConcurrentSkipListMap<>();
        this.enabledCiphersMap = new ConcurrentHashMap<>(3);
        this.enabledProtocolsMap = new ConcurrentHashMap<>(6);
        // Configuration defaults.
        this.hardenedMode = HARDENED_MODE.secure;
        this.ephemeralDHKeySize = EPHEMERAL_DH_KEYSIZE_VALUE;
        this.maxHandshakeMessageSize = MAX_TLS_HANDSHAKE_MESSAGE_SIZE_VALUE;
        this.disableTLS13 = false;
        this.tlsJdkNssBugWorkaround = false;
    }

    /**
     * Wraps an existing I/O interface in a TLS layer configured with the SSL context, cipher
     * suites and protocols selected for the given host.
     *
     * <p>NOTE(review): {@link #getSSLContext} returns {@code null} when no context could be
     * built and the per-mode lookups may also return {@code null}; how {@code JcaTLSWrapper}
     * treats such arguments is not visible here - confirm.
     *
     * @param str                     protocol name passed to {@link #getSSLContext}
     * @param str2                    local host name; selects certificate and hardened mode
     * @param str3                    passed through to the TLS wrapper
     * @param i                       passed through to the TLS wrapper
     * @param z                       {@code true} for client mode
     * @param z2                      passed through to the TLS wrapper
     * @param z3                      passed through to the TLS wrapper
     * @param byteOrder               byte order for the TLS I/O layer
     * @param trustManagerArr         trust managers, or {@code null} for the defaults
     * @param tLSEventHandler         handler notified by the TLS wrapper
     * @param iOInterface             the underlying I/O interface
     * @param certificateContainerIfc unused by this implementation
     * @return the TLS-enabled I/O interface
     * @throws IOException declared by the interface
     */
    @Override // tigase.io.SSLContextContainerIfc
    public IOInterface createIoInterface(String str, String str2, String str3, int i, boolean z, boolean z2, boolean z3, ByteOrder byteOrder, TrustManager[] trustManagerArr, TLSEventHandler tLSEventHandler, IOInterface iOInterface, CertificateContainerIfc certificateContainerIfc) throws IOException {
        final SSLContext sslContext = getSSLContext(str, str2, z, trustManagerArr);
        final String[] cipherSuites = getEnabledCiphers(str2);
        final String[] protocols = getEnabledProtocols(str2, z);
        final JcaTLSWrapper tlsWrapper = new JcaTLSWrapper(sslContext, tLSEventHandler, str3, i, z, z2, z3, cipherSuites, protocols);
        return new TLSIO(iOInterface, tlsWrapper, byteOrder);
    }

    /**
     * Selects the cipher suites for a domain.
     *
     * <p>Precedence: the deprecated explicit allow-list, then the fixed JDK/NSS workaround
     * list, then the list computed for the domain's hardened mode. The first two bypass the
     * hardened-mode filtering entirely. The arrays are returned without copying.
     *
     * @param str the domain used to look up the hardened mode; may be {@code null}
     * @return the cipher suites, or {@code null} when no list exists for the resolved mode
     */
    @Override // tigase.io.SSLContextContainerIfc
    public String[] getEnabledCiphers(String str) {
        final boolean hasExplicitList = this.enabledCiphers != null && this.enabledCiphers.length != 0;
        if (hasExplicitList) {
            return this.enabledCiphers;
        }
        if (!this.tlsJdkNssBugWorkaround) {
            final String modeKey = getKey(getHardenedMode(str), false);
            return this.enabledCiphersMap.get(modeKey);
        }
        return TLS_WORKAROUND_CIPHERS;
    }

    /**
     * Sets the deprecated explicit cipher allow-list and logs it at CONFIG level.
     *
     * @param strArr the cipher suites to use verbatim; {@code null} or empty restores the
     *               hardened-mode selection
     */
    public void setEnabledCiphers(String[] strArr) {
        if (log.isLoggable(Level.CONFIG)) {
            final String shown = strArr == null ? "default" : Arrays.toString(strArr);
            log.config("Enabled ciphers: " + shown);
        }
        this.enabledCiphers = strArr;
    }

    /**
     * Selects the TLS protocol versions for a domain.
     *
     * <p>The deprecated explicit allow-list, when non-empty, is returned verbatim and bypasses
     * the hardened-mode filtering. The arrays are returned without copying.
     *
     * @param str the domain used to look up the hardened mode; may be {@code null}
     * @param z   {@code true} for client mode
     * @return the protocols, or {@code null} when no list exists for the resolved mode
     */
    @Override // tigase.io.SSLContextContainerIfc
    public String[] getEnabledProtocols(String str, boolean z) {
        final boolean hasExplicitList = this.enabledProtocols != null && this.enabledProtocols.length != 0;
        if (!hasExplicitList) {
            final String modeKey = getKey(getHardenedMode(str), z);
            return this.enabledProtocolsMap.get(modeKey);
        }
        return this.enabledProtocols;
    }

    /**
     * Sets the deprecated explicit protocol allow-list and logs it at CONFIG level.
     *
     * @param strArr the protocols to use verbatim; {@code null} or empty restores the
     *               hardened-mode selection
     */
    public void setEnabledProtocols(String[] strArr) {
        if (log.isLoggable(Level.CONFIG)) {
            final String shown = strArr == null ? "default" : Arrays.toString(strArr);
            log.config("Enabled protocols: " + shown);
        }
        this.enabledProtocols = strArr;
    }

    /**
     * Sets the ephemeral Diffie-Hellman key size. The value is not range-checked here and is
     * only published (as a JVM system property) when {@link #initialize()} runs.
     *
     * @param i the key size in bits
     */
    public void setEphemeralDHKeySize(int i) {
        final int keySizeBits = i;
        this.ephemeralDHKeySize = keySizeBits;
    }

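    /**
     * Returns the SSL context for a domain, creating and caching it when needed.
     *
     * <p>When no trust managers are supplied the call is delegated to the parent container if
     * there is one; otherwise the default trust managers are used. A cached holder is reused
     * only if {@link #validateDomainCertificate} accepts it and it is valid for the given
     * trust managers. Client-mode holders are returned without being cached.
     *
     * <p>The whole lookup runs inside one {@code try} block: certificate validation and
     * holder creation can throw, and a failure anywhere must end in the logged
     * "can not initialize" path with a {@code null} result instead of escaping from a method
     * that declares no checked exceptions or continuing with a half-initialised state.
     *
     * @param str             protocol name for the context
     * @param str2            domain name; {@code null} selects the default certificate alias
     * @param z               {@code true} for client mode
     * @param trustManagerArr trust managers, or {@code null} for the parent/default ones
     * @return the SSL context, or {@code null} when it could not be initialised
     */
    @Override // tigase.io.SSLContextContainerIfc
    public SSLContext getSSLContext(String str, String str2, boolean z, TrustManager[] trustManagerArr) {
        SSLContextContainerAbstract.SSLHolder sSLHolder = null;
        String str3 = str2;
        try {
            if (trustManagerArr == null) {
                if (this.parent != null) {
                    return this.parent.getSSLContext(str, str2, z, trustManagerArr);
                }
                trustManagerArr = getTrustManagers();
            }
            if (str3 == null) {
                str3 = getDefCertAlias();
            }
            sSLHolder = (SSLContextContainerAbstract.SSLHolder) find(this.sslContexts, str3);
            if (!validateDomainCertificate(sSLHolder, str3)) {
                sSLHolder = null;
            }
            if (sSLHolder == null || !sSLHolder.isValid(trustManagerArr)) {
                sSLHolder = createContextHolder(str, str2, str3, z, trustManagerArr);
                if (z) {
                    if (log.isLoggable(Level.FINEST)) {
                        log.log(Level.FINEST, "Using SSLHolder: " + sSLHolder);
                    }
                    return sSLHolder.getSSLContext();
                }
                // A freshly created holder may still carry an invalid self-signed certificate;
                // validation regenerates it, after which the holder is built once more.
                if (!validateDomainCertificate(sSLHolder, str3)) {
                    sSLHolder = createContextHolder(str, str2, str3, z, trustManagerArr);
                }
                this.sslContexts.put(str3, sSLHolder);
            }
        } catch (Exception e) {
            log.log(Level.SEVERE, "Can not initialize SSLContext for domain: " + str3 + ", protocol: " + str, (Throwable) e);
            sSLHolder = null;
        }
        if (log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Using SSLHolder: " + sSLHolder);
        }
        return sSLHolder != null ? sSLHolder.getSSLContext() : null;
    }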

    /**
     * @return this container's trust store, or the parent's when this container has none;
     *         {@code null} if neither provides one
     */
    @Override // tigase.io.SSLContextContainerAbstract, tigase.io.SSLContextContainerIfc
    public KeyStore getTrustStore() {
        final KeyStore own = super.getTrustStore();
        if (own != null || this.parent == null) {
            return own;
        }
        return this.parent.getTrustStore();
    }

    /**
     * Sets the container-wide hardened mode. Per-mode lists exist only for {@code relaxed},
     * {@code secure} and {@code strict} (see {@link #initialize()}).
     *
     * @param hardened_mode the mode to use when a vhost does not override it
     */
    public void setHardenedMode(HARDENED_MODE hardened_mode) {
        final HARDENED_MODE selected = hardened_mode;
        this.hardenedMode = selected;
    }

    /**
     * Sets the parent container used as fallback for SSL contexts and the trust store.
     *
     * @param sSLContextContainerIfc the parent container; may be {@code null}
     */
    public void setParent(SSLContextContainerIfc sSLContextContainerIfc) {
        final String message = "setting root = " + sSLContextContainerIfc;
        log.log(Level.FINE, message);
        this.parent = sSLContextContainerIfc;
    }

    /**
     * Turns the JDK/NSS workaround on or off and logs the choice at CONFIG level.
     *
     * <p>While the workaround is on, {@link #getEnabledCiphers} returns the fixed workaround
     * suite list instead of the hardened-mode list.
     *
     * @param z {@code true} to enable the workaround
     */
    public void setTlsJdkNssBugWorkaround(boolean z) {
        if (log.isLoggable(Level.CONFIG)) {
            final String state = z ? VHostItemImpl.ENABLED_ATT : "disabled";
            log.config("Workaround for TLS/SSL bug is " + state);
        }
        this.tlsJdkNssBugWorkaround = z;
    }

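    /**
     * Publishes the JSSE tuning properties and computes the protocol and cipher-suite lists
     * for each hardened mode.
     *
     * <p>Starting from what the JVM's default server-mode engine enables, the configured
     * disabled protocols/ciphers are removed to form the {@code relaxed} lists; the
     * {@code secure} and {@code strict} lists remove the respective forbidden patterns on top.
     * Client-mode protocol lists additionally drop {@code SSLv2Hello}.
     *
     * <p>The configured disabled ciphers are applied whenever {@code disabledCiphers} is set.
     * The guard previously tested {@code disabledProtocols}, so a cipher deny-list configured
     * on its own was silently ignored, and a protocol deny-list configured on its own passed
     * a {@code null} cipher pattern array to the filter.
     *
     * <p>Both system properties are JVM-wide, so the values set here affect every JSSE user
     * in the process.
     */
    @Override // tigase.kernel.beans.Initializable
    public void initialize() {
        System.setProperty(EPHEMERAL_DH_KEYSIZE_KEY, String.valueOf(this.ephemeralDHKeySize));
        System.setProperty(MAX_TLS_HANDSHAKE_MESSAGE_SIZE_KEY, String.valueOf(this.maxHandshakeMessageSize));
        try {
            final SSLEngine engine = SSLContext.getDefault().createSSLEngine();
            engine.setUseClientMode(false);
            log.config("Supported protocols: " + markEnabled(engine.getEnabledProtocols(), engine.getSupportedProtocols()));
            log.config("Supported ciphers: " + markEnabled(engine.getEnabledCipherSuites(), engine.getSupportedCipherSuites()));

            // Removed from every client-mode protocol list.
            final String[] clientForbidden = {"SSLv2Hello"};

            // --- protocols ---
            String[] relaxedProtocols = this.disableTLS13
                    ? subtractItemsFromCollection(engine.getEnabledProtocols(), new String[]{"TLSv1.3"})
                    : engine.getEnabledProtocols();
            if (this.disabledProtocols != null && this.disabledProtocols.length > 0) {
                relaxedProtocols = subtractItemsFromCollection(relaxedProtocols, this.disabledProtocols);
            }
            log.config("RELAXED protocols: " + Arrays.toString(relaxedProtocols));
            this.enabledProtocolsMap.put(getKey(HARDENED_MODE.relaxed, false), relaxedProtocols);
            this.enabledProtocolsMap.put(getKey(HARDENED_MODE.relaxed, true), subtractItemsFromCollection(relaxedProtocols, clientForbidden));

            final String[] secureProtocols = subtractItemsFromCollection(relaxedProtocols, HARDENED_SECURE_FORBIDDEN_PROTOCOLS);
            log.config("SECURE protocols: " + Arrays.toString(secureProtocols));
            this.enabledProtocolsMap.put(getKey(HARDENED_MODE.secure, false), secureProtocols);
            this.enabledProtocolsMap.put(getKey(HARDENED_MODE.secure, true), subtractItemsFromCollection(secureProtocols, clientForbidden));

            final String[] strictProtocols = subtractItemsFromCollection(secureProtocols, HARDENED_STRICT_FORBIDDEN_PROTOCOLS);
            log.config("STRICT protocols: " + Arrays.toString(strictProtocols));
            this.enabledProtocolsMap.put(getKey(HARDENED_MODE.strict, false), strictProtocols);
            this.enabledProtocolsMap.put(getKey(HARDENED_MODE.strict, true), subtractItemsFromCollection(strictProtocols, clientForbidden));

            // --- cipher suites ---
            String[] relaxedCiphers = engine.getEnabledCipherSuites();
            // Guard on the cipher deny-list itself, not on the protocol deny-list.
            if (this.disabledCiphers != null && this.disabledCiphers.length > 0) {
                relaxedCiphers = subtractItemsFromCollection(relaxedCiphers, this.disabledCiphers);
            }
            log.config("RELAXED ciphers: " + Arrays.toString(relaxedCiphers));
            this.enabledCiphersMap.put(getKey(HARDENED_MODE.relaxed, false), relaxedCiphers);

            final String[] secureCiphers = subtractItemsFromCollection(relaxedCiphers, HARDENED_SECURE_FORBIDDEN_CIPHERS);
            log.config("SECURE ciphers: " + Arrays.toString(secureCiphers));
            this.enabledCiphersMap.put(getKey(HARDENED_MODE.secure, false), secureCiphers);

            final String[] strictCiphers = subtractItemsFromCollection(secureCiphers, HARDENED_STRICT_FORBIDDEN_CIPHERS);
            log.config("STRICT ciphers: " + Arrays.toString(strictCiphers));
            this.enabledCiphersMap.put(getKey(HARDENED_MODE.strict, false), strictCiphers);
        } catch (NoSuchAlgorithmException e) {
            // Without a default SSLContext the per-mode maps stay empty.
            log.log(Level.WARNING, "Can't determine supported protocols", (Throwable) e);
        }
    }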

    /** Registers this container's event handlers on the event bus. */
    @Override // tigase.server.Lifecycle
    public void start() {
        final EventBus bus = this.eventBus;
        bus.registerAll(this);
    }

    /** Removes this container's event handlers from the event bus. */
    @Override // tigase.server.Lifecycle
    public void stop() {
        final EventBus bus = this.eventBus;
        bus.unregisterAll(this);
    }

    /**
     * Resolves the hardened mode for a domain.
     *
     * <p>The vhost's extension, when present, overrides the container-wide mode; a vhost mode
     * of {@code global} falls back to the container-wide mode. If the container-wide mode is
     * itself {@code global} the result is {@code global}, for which {@link #initialize()}
     * stores no cipher or protocol list. The result is logged at INFO level on every call.
     *
     * @param str the domain name; may be {@code null}
     * @return the mode to apply
     */
    private HARDENED_MODE getHardenedMode(String str) {
        HARDENED_MODE selected = this.hardenedMode;
        if (str != null && this.vHostManager != null) {
            final VHostItem vHostItem = this.vHostManager.getVHostItem(str);
            if (vHostItem != null) {
                final HardenedModeVHostItemExtension extension = (HardenedModeVHostItemExtension) vHostItem.getExtension(HardenedModeVHostItemExtension.class);
                if (extension != null) {
                    selected = extension.getMode();
                }
            }
        }
        if (HARDENED_MODE.global.equals(selected)) {
            selected = this.hardenedMode;
        }
        log.log(Level.INFO, "Using hardened-mode: {0} for domain: {1}", new Object[]{String.valueOf(selected), str});
        return selected;
    }

    /**
     * Drops the cached context for a domain and asks the superclass to create a certificate
     * for it.
     *
     * @param sSLHolder unused by this implementation
     * @param str       the domain / certificate alias
     * @throws Exception if certificate creation fails
     */
    private void invalidateContextHolder(SSLContextContainerAbstract.SSLHolder sSLHolder, String str) throws Exception {
        final String alias = str;
        this.sslContexts.remove(alias);
        createCertificate(alias);
    }

    /**
     * Event handler: evicts cached contexts for the changed certificate's alias and for the
     * domains listed in the event, so the next lookup rebuilds them.
     *
     * @param certificateChanged the certificate-change event
     */
    @HandleEvent
    private void onCertificateChange(CertificateContainer.CertificateChanged certificateChanged) {
        final String changedAlias = certificateChanged.getAlias();
        this.sslContexts.remove(changedAlias);
        removeMatchedDomains(this.sslContexts, certificateChanged.getDomains());
    }

    /**
     * Checks the validity period of a holder's domain certificate, but only when the
     * certificate's issuer DN equals its subject DN.
     *
     * <p>A missing holder, a missing certificate, or a certificate whose issuer and subject
     * names differ is reported as valid without any date check. The comparison is on names
     * only; no signature is verified here. When the date check fails, the cached context is
     * invalidated via {@link #invalidateContextHolder}.
     *
     * @param sSLHolder the holder to inspect; may be {@code null}
     * @param str       the domain / certificate alias, used for logging and invalidation
     * @return {@code false} only when a certificate with identical issuer and subject names
     *         failed {@code checkValidity()}
     * @throws Exception if invalidating the holder fails
     */
    private boolean validateDomainCertificate(SSLContextContainerAbstract.SSLHolder sSLHolder, String str) throws Exception {
        final boolean issuerEqualsSubject = sSLHolder != null
                && sSLHolder.domainCertificate != null
                && sSLHolder.domainCertificate.getIssuerDN().equals(sSLHolder.domainCertificate.getSubjectDN());
        if (!issuerEqualsSubject) {
            return true;
        }
        try {
            sSLHolder.domainCertificate.checkValidity();
        } catch (CertificateException e) {
            if (log.isLoggable(Level.INFO)) {
                final Object[] details = new String[]{str, String.valueOf(e), String.valueOf(sSLHolder.domainCertificate)};
                log.log(Level.INFO, "Certificate for domain: {0} is not valid, exception: {1}, certificate: {2}", details);
            }
            invalidateContextHolder(sSLHolder, str);
            return false;
        }
        return true;
    }
}
