package tigase.server.xmppclient;

import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import tigase.cert.CertificateEntry;
import tigase.cert.CertificateUtil;
import tigase.kernel.beans.Bean;
import tigase.kernel.beans.config.ConfigField;
import tigase.server.Command;
import tigase.server.DataForm;
import tigase.server.Packet;
import tigase.vhosts.AbstractVHostItemExtension;
import tigase.vhosts.VHostItem;
import tigase.vhosts.VHostItemExtensionBackwardCompatible;
import tigase.vhosts.VHostItemExtensionManager;
import tigase.vhosts.VHostItemExtensionProvider;
import tigase.xml.Element;
import tigase.xmpp.XMPPIOService;

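/**
 * Builds the {@link TrustManager} sets used for client-certificate handling on
 * c2s connections, either from the globally configured CA file
 * ({@code clientCertCA}) or from a per-VHost override carried by
 * {@link ClientTrustVHostItemExtension}.
 *
 * <p>Trust model as actually implemented by this class:
 * <ul>
 *   <li>Every CA certificate loaded through {@link #loadTrustedCert(String)} is
 *       added to ONE shared {@link KeyStore}, and every returned
 *       {@code TrustManager[]} is initialised from that shared store. A "custom"
 *       per-VHost trust manager therefore trusts the union of all CAs loaded so
 *       far (the global one plus those of any VHost resolved earlier), not only
 *       the CA configured for that VHost.</li>
 *   <li>{@link #getManager(XMPPIOService)} hands out {@link #emptyTrustManager},
 *       whose {@code checkClientTrusted} accepts ANY chain. Where that manager is
 *       the one installed on the socket, the TLS handshake never rejects a client
 *       certificate; validation then has to happen elsewhere (presumably in the
 *       SASL layer — confirm against the callers before relying on it).</li>
 *   <li>Certificates are stored under their subject DN as alias, so two distinct
 *       CA certificates with the same subject overwrite each other.</li>
 *   <li>Clearing {@code clientCertCA} does not remove already loaded CAs from the
 *       shared store or from {@link #acceptedIssuers}; {@link #isActive()} stays
 *       {@code true} once anything has been loaded.</li>
 * </ul>
 *
 * <p>Thread-safety: {@link #trustManagers} is concurrent, but {@link #keystore},
 * {@link #tmf} and {@link #acceptedIssuers} are mutated without synchronisation
 * in {@link #loadTrustedCert(String)}. NOTE(review): kept as in the original —
 * confirm whether first-time lookups for different VHosts can run concurrently.
 */
@Bean(name = "client-trust-manager-factory", parent = ClientConnectionManager.class, active = true)
public class ClientTrustManagerFactory {
    /** Legacy VHost data key for the CA path (see {@link ClientTrustVHostItemExtension#initFromData}). */
    public static final String CA_CERT_PATH = "clientCertCA";
    /** Legacy VHost data key for the "certificate required" flag. */
    public static final String CERT_REQUIRED_KEY = "clientCertRequired";
    private static final char[] EMPTY_PASS = new char[0];
    private static final Logger log = Logger.getLogger(ClientTrustManagerFactory.class.getName());
    /** Single in-memory store shared by every trust manager this factory creates. */
    private final KeyStore keystore;

    @ConfigField(desc = "CA for client certificate", alias = CA_CERT_PATH)
    private String clientCertCA;
    /** Trust managers built from {@code clientCertCA}; {@code null} when no global CA is set. */
    protected TrustManager[] defaultTrustManagers;
    private TrustManagerFactory tmf;
    /** Every X.509 certificate ever loaded, in load order (never cleared). */
    private final ArrayList<X509Certificate> acceptedIssuers = new ArrayList<>();
    /** Per-VHost cache, populated only for VHosts that carry their own CA path. */
    private final ConcurrentHashMap<VHostItem, TrustManager[]> trustManagers = new ConcurrentHashMap<>();

    @ConfigField(desc = "Is client certificate required")
    private boolean clientCertRequired = false;

    /**
     * Accept-all trust manager: both check methods are no-ops and no issuers are
     * advertised. Installing it makes the TLS layer request a client certificate
     * without verifying it; see the class comment for the implications.
     */
    protected final TrustManager[] emptyTrustManager = {new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Intentionally empty: no validation at the TLS layer.
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Intentionally empty: no validation at the TLS layer.
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }};

    /**
     * Per-VHost override of the client-certificate settings: an optional CA file
     * path and an optional "certificate required" flag. Either value being
     * {@code null} means "use the factory-wide default"; the merge with those
     * defaults happens in {@link ClientTrustManagerFactory}, not here (see
     * {@link #mergeWithDefaults}).
     */
    public static class ClientTrustVHostItemExtension extends AbstractVHostItemExtension<ClientTrustVHostItemExtension> implements VHostItemExtensionBackwardCompatible<ClientTrustVHostItemExtension> {
        protected static final String ID = "client-trust-extension";
        /** XML attribute / command-field suffix carrying the CA path. */
        public static final String CA_CERT_PATH = "ca-cert-path";
        /** XML attribute / command-field suffix carrying the required flag. */
        public static final String CERT_REQUIRED = "cert-required";
        private String caCertPath;
        private Boolean certRequired = null;

        @Override
        public String getId() {
            return ID;
        }

        /** @return the VHost-specific CA file path, or {@code null} when not overridden */
        public String getCaCertPath() {
            return this.caCertPath;
        }

        /** @return the VHost-specific required flag, or {@code null} when not overridden */
        public Boolean isCertRequired() {
            return this.certRequired;
        }

        @Override
        public void initFromElement(Element element) {
            this.caCertPath = element.getAttributeStaticStr(CA_CERT_PATH);
            // Absent attribute -> null (inherit); any other value goes through Boolean.parseBoolean.
            this.certRequired = Optional.ofNullable(element.getAttributeStaticStr(CERT_REQUIRED))
                    .map(Boolean::parseBoolean)
                    .orElse(null);
        }

        @Override
        public void initFromCommand(String prefix, Packet packet) throws IllegalArgumentException {
            // Empty form fields are treated the same as absent ones.
            this.caCertPath = Optional.ofNullable(Command.getFieldValue(packet, prefix + "-ca-cert-path"))
                    .filter(value -> !value.isEmpty())
                    .orElse(null);
            this.certRequired = Optional.ofNullable(Command.getFieldValue(packet, prefix + "-cert-required"))
                    .filter(value -> !value.isEmpty())
                    .map(Boolean::parseBoolean)
                    .orElse(null);
        }

        @Override
        public String toDebugString() {
            return "caCertPath: " + this.caCertPath + ", certRequired: " + this.certRequired;
        }

        /** @return the serialized extension, or {@code null} when nothing is overridden */
        @Override
        public Element toElement() {
            boolean noPath = this.caCertPath == null || this.caCertPath.isEmpty();
            if (noPath && this.certRequired == null) {
                return null;
            }
            Element element = new Element(getId());
            if (this.caCertPath != null) {
                element.addAttribute(CA_CERT_PATH, this.caCertPath);
            }
            if (this.certRequired != null) {
                element.addAttribute(CERT_REQUIRED, String.valueOf(this.certRequired));
            }
            return element;
        }

        @Override
        public void addCommandFields(String prefix, Packet packet, boolean forDefault) {
            Element command = packet.getElemChild("command", "http://jabber.org/protocol/commands");
            DataForm.addFieldValue(command, prefix + "-ca-cert-path", this.caCertPath, "text-single", "Client Certificate CA");
            addBooleanFieldWithDefaultToCommand(command, prefix + "-cert-required", "Client Certificate Required", this.certRequired, forDefault);
        }

        /** Reads (and removes) the legacy flat-map keys used before this extension existed. */
        @Override
        public void initFromData(Map<String, Object> data) {
            this.caCertPath = (String) data.remove(ClientTrustManagerFactory.CA_CERT_PATH);
            this.certRequired = (Boolean) data.remove(ClientTrustManagerFactory.CERT_REQUIRED_KEY);
        }

        /**
         * Returns {@code this} unchanged: defaults are not folded in here but
         * applied by the factory when a value is {@code null}.
         */
        @Override
        public ClientTrustVHostItemExtension mergeWithDefaults(ClientTrustVHostItemExtension defaults) {
            return this;
        }
    }

    /** Registers {@link ClientTrustVHostItemExtension} with the VHost extension manager. */
    @Bean(name = "client-trust-extension", parent = VHostItemExtensionManager.class, active = true)
    public static class ClientTrustVHostItemExtensionProvider implements VHostItemExtensionProvider<ClientTrustVHostItemExtension> {
        @Override
        public String getId() {
            // Must match the extension's own id so lookups by class and by id agree.
            return ClientTrustVHostItemExtension.ID;
        }

        @Override
        public Class<ClientTrustVHostItemExtension> getExtensionClazz() {
            return ClientTrustVHostItemExtension.class;
        }
    }

    /**
     * Creates an empty in-memory keystore and the default {@link TrustManagerFactory}.
     *
     * @throws RuntimeException wrapping any keystore/factory failure; both are
     *         JDK-provided, so this indicates a broken runtime rather than bad
     *         configuration (the original wrapped the algorithm error twice).
     */
    public ClientTrustManagerFactory() {
        try {
            this.keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            // Empty store; CA certificates are added lazily by loadTrustedCert().
            this.keystore.load(null, EMPTY_PASS);
            this.tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Config setter for {@code clientCertCA}: (re)builds the global default trust
     * managers. A {@code null} path only clears the default; CAs loaded earlier
     * stay in the shared keystore.
     *
     * @throws RuntimeException if the file cannot be read or parsed
     */
    public void setClientCertCA(String str) {
        this.clientCertCA = str;
        this.defaultTrustManagers = str != null ? loadTrustedCert(str) : null;
    }

    /**
     * Returns the trust managers to use for the given VHost: the cached VHost-specific
     * set when the VHost carries its own CA path, otherwise the global default.
     *
     * @param vHostItem the VHost, or {@code null} for "no VHost" (falls back to the default;
     *                  the original computed a {@code "null"} log key but then threw NPE in
     *                  {@code ConcurrentHashMap.get(null)})
     * @return trust managers, or {@code null} when neither a VHost CA nor a global CA is set
     * @throws RuntimeException if the VHost's CA file cannot be loaded
     */
    public TrustManager[] getManager(VHostItem vHostItem) {
        if (vHostItem == null) {
            return this.defaultTrustManagers;
        }
        String key = vHostItem.getKey();
        TrustManager[] cached = this.trustManagers.get(vHostItem);
        if (cached != null) {
            if (log.isLoggable(Level.FINEST)) {
                log.finest("Found TrustManager for VHost " + key);
            }
            return cached;
        }
        if (log.isLoggable(Level.FINEST)) {
            log.finest("Creating new TrustManager for VHost " + key);
        }
        ClientTrustVHostItemExtension ext = (ClientTrustVHostItemExtension) vHostItem.getExtension(ClientTrustVHostItemExtension.class);
        String caCertPath = ext != null ? ext.getCaCertPath() : null;
        if (log.isLoggable(Level.FINEST)) {
            log.finest("CA cert path=" + caCertPath + " for VHost " + key);
        }
        if (caCertPath == null) {
            // No override: hand out the global default and do not cache it, so a
            // later setClientCertCA() is picked up by subsequent calls.
            return this.defaultTrustManagers;
        }
        TrustManager[] custom = loadTrustedCert(caCertPath);
        if (custom == null) {
            // Defensive only: loadTrustedCert either returns managers or throws.
            return this.defaultTrustManagers;
        }
        if (log.isLoggable(Level.FINEST)) {
            log.finest("Using custom TrustManager for VHost " + key);
        }
        this.trustManagers.put(vHostItem, custom);
        return custom;
    }

    /**
     * Trust managers for a connection before its VHost is known. Returns the
     * accept-all {@link #emptyTrustManager} when any CA has been loaded, otherwise
     * {@code null}; the service argument is not consulted.
     */
    public TrustManager[] getManager(XMPPIOService<Object> xMPPIOService) {
        return isActive() ? this.emptyTrustManager : null;
    }

    /** @return {@code true} once at least one CA certificate has been loaded (never reverts) */
    public boolean isActive() {
        return !this.acceptedIssuers.isEmpty();
    }

    /**
     * Whether the TLS layer should demand a client certificate for this VHost:
     * the VHost override when set, else the global {@code clientCertRequired}.
     */
    public boolean isTlsNeedClientAuthEnabled(VHostItem vHostItem) {
        ClientTrustVHostItemExtension ext = (ClientTrustVHostItemExtension) vHostItem.getExtension(ClientTrustVHostItemExtension.class);
        Boolean override = ext != null ? ext.isCertRequired() : null;
        return override != null ? override : this.clientCertRequired;
    }

    /** Whether the TLS layer should at least request a client certificate for this VHost. */
    public boolean isTlsWantClientAuthEnabled(VHostItem vHostItem) {
        TrustManager[] manager = getManager(vHostItem);
        return manager != null && manager.length > 0;
    }

    /** @return a snapshot of every certificate loaded so far, in load order */
    protected X509Certificate[] getAcceptedIssuers() {
        return this.acceptedIssuers.toArray(new X509Certificate[0]);
    }

    /**
     * Loads the certificate chain from {@code str}, adds every X.509 certificate in
     * it to the shared keystore (alias = subject DN, so same-subject certs overwrite
     * each other) and to {@link #acceptedIssuers}, then re-initialises the factory.
     *
     * <p>Because the keystore is shared, the returned managers trust everything
     * loaded by any earlier call as well, not just the certificates in {@code str}.
     *
     * @param str path of the certificate file
     * @return trust managers initialised from the (cumulative) keystore; never {@code null}
     * @throws RuntimeException wrapping any load/keystore/init failure (also logged)
     */
    protected TrustManager[] loadTrustedCert(String str) {
        try {
            CertificateEntry entry = CertificateUtil.loadCertificate(str);
            Certificate[] chain = entry.getCertChain();
            if (log.isLoggable(Level.FINEST)) {
                log.finest("Loaded certificate from file " + str + " : " + String.valueOf(entry));
            }
            if (chain != null) {
                if (log.isLoggable(Level.FINEST)) {
                    log.finest("Loaded cert chain: " + Arrays.toString(chain));
                }
                for (Certificate certificate : chain) {
                    if (!(certificate instanceof X509Certificate)) {
                        continue; // non-X.509 entries are silently skipped
                    }
                    X509Certificate x509 = (X509Certificate) certificate;
                    String alias = x509.getSubjectX500Principal().getName();
                    if (log.isLoggable(Level.FINEST)) {
                        log.finest("Adding certificate to keystore: alias=" + alias + "; cert=" + String.valueOf(x509));
                    }
                    this.keystore.setCertificateEntry(alias, x509);
                    this.acceptedIssuers.add(x509);
                }
            }
            // Re-init on the cumulative store; this is what makes per-VHost managers share CAs.
            this.tmf.init(this.keystore);
            return this.tmf.getTrustManagers();
        } catch (Exception e) {
            log.log(Level.WARNING, "Can''t create TrustManager with certificate from file.", e);
            throw new RuntimeException(e);
        }
    }
}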
