package org.astrogrid.security.rfc3820.tomcat;

import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.astrogrid.security.rfc3820.CertificateChainValidator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:org/astrogrid/security/rfc3820/tomcat/RFC3820TrustManager.class */
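/**
 * JSSE trust manager that authenticates TLS <em>clients</em> by handing their
 * certificate chain to a {@link CertificateChainValidator} built from a fixed
 * set of trust anchors.
 *
 * <p>Server authentication is deliberately unsupported:
 * {@link #checkServerTrusted} always rejects, so this class must not be
 * installed on the client side of a connection.
 *
 * <p>Every failure path throws {@link CertificateException}; no input leads to
 * silent acceptance in this class. The strength of the check itself depends
 * entirely on {@code CertificateChainValidator.validate}, which is not visible
 * here.
 */
public class RFC3820TrustManager implements X509TrustManager {
    /** OID of the proxyCertInfo extension defined by RFC 3820. */
    private static final String RFC3820_PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14";

    /**
     * Second extension OID treated as marking a proxy certificate.
     * NOTE(review): this looks like the pre-RFC (Globus) proxyCertInfo OID; confirm.
     */
    private static final String LEGACY_PROXY_CERT_INFO_OID = "1.3.6.1.4.1.3536.1.222";

    // Keyed on this class; the original used RFC3820Implementation.class, which
    // attributed authentication log lines to a different class.
    static Log log = LogFactory.getLog(RFC3820TrustManager.class);

    private CertificateChainValidator validator;

    /** Private copy of the trust anchors; never null. */
    private final X509Certificate[] anchors;

    /**
     * Creates a trust manager for the given trust anchors.
     *
     * <p>Registers the BouncyCastle JCE provider under the name "BC" if no
     * provider of that name is installed yet.
     *
     * @param x509CertificateArr the trust anchors passed to the chain validator
     * @throws RuntimeException wrapping the {@link GeneralSecurityException}
     *         raised if the validator cannot be constructed
     */
    public RFC3820TrustManager(X509Certificate[] x509CertificateArr) {
        // The original never assigned this field, so getAcceptedIssuers() returned
        // null, which the X509TrustManager contract forbids. Keep a private copy so
        // later changes to the caller's array cannot alter what is advertised.
        this.anchors = (x509CertificateArr == null)
                ? new X509Certificate[0]
                : x509CertificateArr.clone();
        try {
            if (Security.getProvider("BC") == null) {
                Security.addProvider(new BouncyCastleProvider());
            }
            this.validator = new CertificateChainValidator(x509CertificateArr);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Validates a client's certificate chain.
     *
     * @param x509CertificateArr the chain presented by the peer
     * @param str the key-exchange algorithm name; not used by this implementation
     * @throws CertificateException if the chain is null, empty, or rejected by the
     *         validator; the validator's exception is attached as the cause
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        // Fail closed up front rather than relying on how the validator treats a
        // missing chain.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            String message = "This party's certificate-chain is not trusted: no certificates were presented.";
            log.warn(message);
            throw new CertificateException(message);
        }
        try {
            this.validator.validate(x509CertificateArr);
            // NOTE(review): the subject name originates in the peer's certificate;
            // if the log sink is line-oriented, consider neutralising control
            // characters before writing it.
            log.info(getIdentity(x509CertificateArr) + " is authenticated by TLS.");
        } catch (Exception e) {
            // Any failure, including unexpected runtime errors, is treated as a
            // rejection so that a validator bug cannot turn into acceptance.
            String message = "This party's certificate-chain is not trusted: " + e;
            // Logged at WARN so rejected handshakes stand apart from successful ones.
            log.warn(message);
            // Preserve the cause so the original stack trace is not lost.
            throw new CertificateException(message, e);
        }
    }

    /**
     * Always rejects: this trust manager authenticates clients only.
     *
     * @throws CertificateException unconditionally
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("This trust manager cannot authenticate services.");
    }

    /**
     * Returns the trust anchors supplied at construction.
     *
     * @return a fresh, non-null copy of the anchors (possibly empty)
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        // Hand out a copy so callers cannot modify the internal array.
        return this.anchors.clone();
    }

    /**
     * Finds the subject name of the first certificate in the chain that carries
     * neither of the two proxy-certificate extensions.
     *
     * @param x509CertificateArr the chain to inspect
     * @return the subject distinguished name, or {@code null} if every
     *         certificate in the chain carries a proxy extension
     */
    private String getIdentity(X509Certificate[] x509CertificateArr) {
        for (X509Certificate certificate : x509CertificateArr) {
            boolean isProxy = certificate.getExtensionValue(RFC3820_PROXY_CERT_INFO_OID) != null
                    || certificate.getExtensionValue(LEGACY_PROXY_CERT_INFO_OID) != null;
            if (!isProxy) {
                return certificate.getSubjectX500Principal().getName();
            }
        }
        return null;
    }
}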
