package org.eclipse.scout.rt.server.commons;

import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.eclipse.scout.rt.platform.ApplicationScoped;
import org.eclipse.scout.rt.platform.BEANS;
import org.eclipse.scout.rt.platform.config.CONFIG;
import org.eclipse.scout.rt.platform.config.ConfigPropertyProvider;
import org.eclipse.scout.rt.platform.exception.ProcessingException;
import org.eclipse.scout.rt.platform.security.SecurityUtility;
import org.eclipse.scout.rt.platform.util.CollectionUtility;
import org.eclipse.scout.rt.server.commons.ServerCommonsConfigProperties;
import org.eclipse.scout.rt.shared.services.common.file.IRemoteFileService;
import org.eclipse.scout.rt.shared.services.common.file.RemoteFile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

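/**
 * Creates and installs X.509 trust managers that accept additional ("pinned") certificates on top of
 * whatever the JVM's default {@link TrustManagerFactory} trusts.
 * <p>
 * Pinned certificates are collected from two places: every {@code *.der} file returned by
 * {@link IRemoteFileService} for the folder {@code /certificates}, and every resource listed in
 * {@link ServerCommonsConfigProperties.TrustedCertificatesProperty}. Anything loaded from either
 * location becomes a trust anchor, so write access to both must be restricted accordingly.
 * A certificate that cannot be read is logged and skipped; the resulting trust manager then simply
 * has fewer pins than configured.
 * <p>
 * This class does not look at host names; endpoint identification is left to the TLS layer or caller.
 */
@ApplicationScoped
/* loaded from: input_file:org/eclipse/scout/rt/server/commons/GlobalTrustManager.class */
public class GlobalTrustManager {
    private static final Logger LOG = LoggerFactory.getLogger(GlobalTrustManager.class);
    // Remote-file folder that is scanned for DER-encoded certificates to trust.
    private static final String PATH_CERTS = "/certificates";

    /**
     * Trust manager that first tries the pinned certificates and otherwise defers to the trust
     * managers produced by the JVM's {@link TrustManagerFactory}.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/eclipse/scout/rt/server/commons/GlobalTrustManager$P_GlobalTrustManager.class */
    public static class P_GlobalTrustManager implements X509TrustManager {
        private static final String CERTIFICATE_NOT_TRUSTED = "certificate not trusted.";
        private final TrustManager[] m_installedTrustManagers;
        private final List<X509Certificate> m_trustedCerts;

        /**
         * @param list pinned certificates; copied, so later changes to the argument have no effect
         * @param str  {@link TrustManagerFactory} algorithm used to obtain the default trust managers
         * @throws NoSuchAlgorithmException if no provider supports the algorithm
         * @throws KeyStoreException        if the factory cannot be initialised
         */
        protected P_GlobalTrustManager(List<X509Certificate> list, String str) throws NoSuchAlgorithmException, KeyStoreException {
            this.m_trustedCerts = new ArrayList<>(list);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(str);
            // A null key store makes the factory fall back to the JVM's default trust store.
            trustManagerFactory.init((KeyStore) null);
            TrustManager[] installed = trustManagerFactory.getTrustManagers();
            this.m_installedTrustManagers = installed != null ? installed : new TrustManager[0];
        }

        /**
         * Validates a client chain with the installed trust managers only; pinned certificates are
         * not consulted for client authentication.
         *
         * @throws CertificateException if a delegate rejects the chain, or if no
         *                              {@link X509TrustManager} is installed to validate it
         */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            checkWithInstalledTrustManagers(x509CertificateArr, str, false);
        }

        /**
         * Accepts the server chain if its end-entity certificate chains to a pinned certificate;
         * otherwise defers to the installed trust managers.
         * <p>
         * The pinned path checks signatures and validity periods only. It does not evaluate basic
         * constraints, key usage or revocation status.
         *
         * @throws CertificateException if the chain is neither pinned nor accepted by the installed
         *                              trust managers, or if no {@link X509TrustManager} is installed
         */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            if (chainsToPinnedCertificate(x509CertificateArr)) {
                return;
            }
            checkWithInstalledTrustManagers(x509CertificateArr, str, true);
        }

        /**
         * @return the pinned certificates followed by the accepted issuers of every installed
         *         {@link X509TrustManager}
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> issuers = new ArrayList<>(this.m_trustedCerts);
            for (TrustManager trustManager : this.m_installedTrustManagers) {
                if (trustManager instanceof X509TrustManager) {
                    X509Certificate[] acceptedIssuers = ((X509TrustManager) trustManager).getAcceptedIssuers();
                    if (acceptedIssuers != null && acceptedIssuers.length > 0) {
                        issuers.addAll(Arrays.asList(acceptedIssuers));
                    }
                }
            }
            return issuers.toArray(new X509Certificate[0]);
        }

        /**
         * Runs the chain through every installed {@link X509TrustManager}; each one must accept it.
         * Fails closed when there is no such trust manager: an empty delegate list used to let the
         * loop finish without any check and thereby accept every chain.
         */
        private void checkWithInstalledTrustManagers(X509Certificate[] chain, String authType, boolean serverChain) throws CertificateException {
            boolean validated = false;
            for (TrustManager trustManager : this.m_installedTrustManagers) {
                if (!(trustManager instanceof X509TrustManager)) {
                    continue;
                }
                X509TrustManager delegate = (X509TrustManager) trustManager;
                try {
                    if (serverChain) {
                        delegate.checkServerTrusted(chain, authType);
                    } else {
                        delegate.checkClientTrusted(chain, authType);
                    }
                    validated = true;
                } catch (CertificateException e) {
                    GlobalTrustManager.LOG.error(CERTIFICATE_NOT_TRUSTED, e);
                    throw e;
                }
            }
            if (!validated) {
                CertificateException e = new CertificateException("no X509TrustManager available to validate the certificate chain.");
                GlobalTrustManager.LOG.error(CERTIFICATE_NOT_TRUSTED, e);
                throw e;
            }
        }

        /**
         * Returns true only if the end-entity certificate (index 0) is linked, through certificates
         * of the presented chain, to a certificate signed with a pinned key, and every certificate on
         * that path is within its validity period.
         * <p>
         * Previously any single chain element signed by a pinned key was enough, even when the
         * end-entity certificate was unrelated to it or expired. Issuers are searched in the whole
         * chain, so an unordered chain is still handled.
         */
        private boolean chainsToPinnedCertificate(X509Certificate[] chain) {
            if (chain == null || chain.length == 0 || chain[0] == null || !isCurrentlyValid(chain[0])) {
                return false;
            }
            boolean[] linked = new boolean[chain.length];
            List<X509Certificate> path = new ArrayList<>(chain.length);
            linked[0] = true;
            path.add(chain[0]);
            // Work list: 'path' grows while issuers of already linked certificates are found.
            for (int next = 0; next < path.size(); next++) {
                X509Certificate subject = path.get(next);
                if (isSignedByPinnedCertificate(subject)) {
                    return true;
                }
                for (int i = 1; i < chain.length; i++) {
                    X509Certificate candidate = chain[i];
                    if (!linked[i] && candidate != null && isCurrentlyValid(candidate) && isSignedBy(subject, candidate)) {
                        linked[i] = true;
                        path.add(candidate);
                    }
                }
            }
            return false;
        }

        /** Returns true if the certificate's signature verifies under the key of any pinned certificate. */
        private boolean isSignedByPinnedCertificate(X509Certificate certificate) {
            for (X509Certificate pinned : this.m_trustedCerts) {
                if (pinned != null && isSignedBy(certificate, pinned)) {
                    return true;
                }
            }
            return false;
        }

        /** Returns true if {@code certificate} carries a valid signature made with {@code issuer}'s key. */
        private static boolean isSignedBy(X509Certificate certificate, X509Certificate issuer) {
            try {
                certificate.verify(issuer.getPublicKey());
                return true;
            } catch (GeneralSecurityException ignored) {
                // A mismatch is the normal outcome while searching for the issuer.
                return false;
            }
        }

        /** Returns true if the current time lies within the certificate's validity period. */
        private static boolean isCurrentlyValid(X509Certificate certificate) {
            try {
                certificate.checkValidity();
                return true;
            } catch (CertificateException ignored) {
                // Expired or not yet valid: the certificate must not contribute to a pinned path.
                return false;
            }
        }
    }

    /**
     * Installs the global trust manager for protocol {@code "TLS"} with the default
     * {@link TrustManagerFactory} algorithm.
     */
    public void installGlobalTrustManager() {
        installGlobalTrustManager("TLS", TrustManagerFactory.getDefaultAlgorithm());
    }

    /**
     * Creates a trust manager from all trusted certificates and makes an {@link SSLContext} using it
     * the JVM-wide default via {@link SSLContext#setDefault(SSLContext)}.
     *
     * @param str  protocol passed to {@link SSLContext#getInstance(String)}
     * @param str2 {@link TrustManagerFactory} algorithm for the default trust managers
     * @throws ProcessingException if the trust manager or the context cannot be set up
     */
    public void installGlobalTrustManager(String str, String str2) {
        try {
            X509TrustManager globalTrustManager = createGlobalTrustManager(str2, getAllTrustedCertificates());
            SSLContext sslContext = SSLContext.getInstance(str);
            // No key managers: the context only changes which peers are trusted.
            sslContext.init(null, new TrustManager[]{globalTrustManager}, SecurityUtility.createSecureRandom());
            SSLContext.setDefault(sslContext);
        } catch (Exception e) {
            throw new ProcessingException("could not install global trust manager.", new Object[]{e});
        }
    }

    /**
     * Creates a trust manager with the default {@link TrustManagerFactory} algorithm without
     * installing it.
     */
    public X509TrustManager createTrustManager() {
        return createTrustManager(TrustManagerFactory.getDefaultAlgorithm());
    }

    /**
     * Creates a trust manager from all trusted certificates without installing it.
     *
     * @param str {@link TrustManagerFactory} algorithm for the default trust managers
     * @throws ProcessingException if the trust manager cannot be created
     */
    public X509TrustManager createTrustManager(String str) {
        try {
            return createGlobalTrustManager(str, getAllTrustedCertificates());
        } catch (Exception e) {
            throw new ProcessingException("could not create trust manager.", new Object[]{e});
        }
    }

    /**
     * @return certificates from the remote-file folder followed by the configured certificates
     */
    protected List<X509Certificate> getAllTrustedCertificates() {
        List<X509Certificate> certificates = new ArrayList<>();
        certificates.addAll(getTrustedCertificatesInRemoteFiles());
        certificates.addAll(getConfiguredTrustedCertificates());
        return certificates;
    }

    /**
     * Loads the certificates listed in {@link ServerCommonsConfigProperties.TrustedCertificatesProperty}.
     * An entry that cannot be resolved or parsed is logged and skipped.
     *
     * @return the certificates that could be read; empty if none are configured
     */
    protected List<X509Certificate> getConfiguredTrustedCertificates() {
        @SuppressWarnings({"unchecked", "rawtypes"})
        List<String> list = (List) CONFIG.getPropertyValue(ServerCommonsConfigProperties.TrustedCertificatesProperty.class);
        if (CollectionUtility.isEmpty(list)) {
            return Collections.emptyList();
        }
        List<X509Certificate> certificates = new ArrayList<>(list.size());
        for (String str : list) {
            try {
                URL resourceUrl = ConfigPropertyProvider.getResourceUrl(str);
                if (resourceUrl == null) {
                    LOG.warn("Configured trusted certificate '{}' could not be found.", str);
                    continue;
                }
                LOG.info("Trusted certificate '{}' found.", str);
                // try-with-resources replaces the decompiler's manual close/rethrow scaffolding.
                try (InputStream openStream = resourceUrl.openStream()) {
                    certificates.add(readX509Cert(openStream));
                }
                LOG.info("Trusted certificate '{}' successfully installed.", str);
            } catch (Exception e) {
                LOG.error("Failed to install trusted certificate '{}'.", str, e);
            }
        }
        return certificates;
    }

    /**
     * Loads every file ending in {@code .der} (case-insensitive) from the remote-file folder
     * {@code /certificates}.
     *
     * @return the certificates that could be read; empty if the folder is empty or not accessible
     */
    protected List<X509Certificate> getTrustedCertificatesInRemoteFiles() {
        try {
            RemoteFile[] remoteFiles = ((IRemoteFileService) BEANS.get(IRemoteFileService.class)).getRemoteFiles(PATH_CERTS, (file, str) -> {
                return str.toLowerCase().endsWith(".der");
            }, (RemoteFile[]) null);
            if (remoteFiles != null && remoteFiles.length >= 1) {
                return remoteFilesToCertificates(remoteFiles);
            }
            LOG.info("No certificates to trust in folder '{}' could be found.", PATH_CERTS);
            return Collections.emptyList();
        } catch (RuntimeException e) {
            LOG.error("Could not access folder '{}' to import trusted certificates.", PATH_CERTS, e);
            return Collections.emptyList();
        }
    }

    /**
     * Parses each remote file as an X.509 certificate. A file that cannot be read or parsed is
     * logged and skipped.
     *
     * @param remoteFileArr files to parse
     * @return the certificates that could be read, in input order
     */
    protected List<X509Certificate> remoteFilesToCertificates(RemoteFile[] remoteFileArr) {
        List<X509Certificate> certificates = new ArrayList<>(remoteFileArr.length);
        for (RemoteFile remoteFile : remoteFileArr) {
            try {
                LOG.info("Trusted certificate '{}' found.", remoteFile.getName());
                // try-with-resources replaces the decompiler's manual close/rethrow scaffolding.
                try (InputStream decompressedInputStream = remoteFile.getDecompressedInputStream()) {
                    certificates.add(readX509Cert(decompressedInputStream));
                }
                LOG.info("Trusted certificate '{}' successfully installed.", remoteFile.getName());
            } catch (Exception e) {
                // Logged at error level, like the configured-certificate path, so that a trust
                // anchor that failed to load is visible to monitoring.
                LOG.error("Failed to install trusted certificate '{}'.", remoteFile.getName(), e);
            }
        }
        return certificates;
    }

    /**
     * Factory hook for the trust manager instance.
     *
     * @param str  {@link TrustManagerFactory} algorithm for the default trust managers
     * @param list pinned certificates
     */
    protected X509TrustManager createGlobalTrustManager(String str, List<X509Certificate> list) throws NoSuchAlgorithmException, KeyStoreException {
        return new P_GlobalTrustManager(list, str);
    }

    /**
     * Reads one X.509 certificate from the stream. The stream is not closed here.
     *
     * @throws CertificateException if the data cannot be parsed as a certificate
     */
    protected X509Certificate readX509Cert(InputStream inputStream) throws CertificateException {
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
    }
}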
