package io.pivotal.springcloud.ssl;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.UUID;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:io/pivotal/springcloud/ssl/SslCertificateTruster.class */
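/**
 * Probes a TLS endpoint, collects the certificate chain it presents and, when the JVM's default
 * trust manager rejects that chain, writes a new trust store containing the default accepted
 * issuers plus the collected chain and points the {@code javax.net.ssl.trustStore*} system
 * properties at it.
 *
 * <p><b>Security note.</b> {@link #trustCertificate(String, int, int)} is trust-on-first-use: the
 * chain is accepted purely because the endpoint presented it at call time, with no fingerprint or
 * issuer check. Every certificate in the presented chain is added as a trust anchor, and the
 * resulting store is configured JVM-wide through system properties. Callers that need stronger
 * guarantees should verify the chain returned by {@link #getUntrustedCertificate(String, int, int)}
 * against an out-of-band fingerprint before passing it to
 * {@link #appendToTruststore(X509Certificate[])}.
 */
public class SslCertificateTruster {
    public static final String JAVAX_NET_SSL_TRUST_STORE_PASSWORD = "javax.net.ssl.trustStorePassword";
    public static final String JAVAX_NET_SSL_TRUST_STORE = "javax.net.ssl.trustStore";

    /** Single worker thread on which the probing handshake runs, so the caller can apply a timeout. */
    private final ExecutorService executor = Executors.newFixedThreadPool(1, new ThreadFactory() {
        @Override
        public Thread newThread(Runnable runnable) {
            return new Thread(runnable, "SSLCertificateTruster:downloader");
        }
    });

    /** Shared instance that the static entry points delegate to. */
    static final SslCertificateTruster instance = new SslCertificateTruster();

    /**
     * Trust manager that records the first chain it is asked to validate and remembers the
     * delegate's verdict instead of failing the handshake.
     *
     * <p>Neither check method ever throws {@link CertificateException}, so a handshake using this
     * manager completes against any certificate. It must only be used for the certificate probe in
     * this class, never on a connection that carries application data.
     */
    public static class CertificateCollectingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        // Chain seen during the handshake; null until one of the check methods has run.
        private X509Certificate[] collected;
        // Delegate's verdict on the collected chain; null until one of the check methods has run.
        private Boolean trusted;

        CertificateCollectingTrustManager(X509TrustManager x509TrustManager) {
            this.delegate = x509TrustManager;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return this.delegate.getAcceptedIssuers();
        }

        /**
         * Records the client chain and the delegate's verdict on it.
         *
         * @throws IllegalStateException if a chain has already been collected by this instance
         */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            if (this.collected != null) {
                throw new IllegalStateException("A certificate chain has already been collected.");
            }
            this.collected = x509CertificateArr;
            try {
                this.delegate.checkClientTrusted(x509CertificateArr, str);
                this.trusted = Boolean.TRUE;
            } catch (CertificateException rejected) {
                // Deliberately not rethrown: the rejection is the information being collected.
                this.trusted = Boolean.FALSE;
            }
        }

        /**
         * Records the server chain and the delegate's verdict on it.
         *
         * @throws IllegalStateException if a chain has already been collected by this instance
         */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            if (this.collected != null) {
                throw new IllegalStateException("A certificate chain has already been collected.");
            }
            this.collected = x509CertificateArr;
            try {
                this.delegate.checkServerTrusted(x509CertificateArr, str);
                this.trusted = Boolean.TRUE;
            } catch (CertificateException rejected) {
                // Deliberately not rethrown: the rejection is the information being collected.
                this.trusted = Boolean.FALSE;
            }
        }

        /**
         * @return whether the delegate accepted the collected chain
         * @throws IllegalStateException if no chain has been checked yet
         */
        public boolean isTrusted() {
            if (this.trusted == null) {
                throw new IllegalStateException("No certificates have been collected yet");
            }
            return this.trusted.booleanValue();
        }

        /** @return the chain recorded during the handshake, or {@code null} if none was seen */
        public X509Certificate[] getCollectedCertificateChain() {
            return this.collected;
        }
    }

    private SslCertificateTruster() {
    }

    /**
     * Static entry point for {@link #getUntrustedCertificateInternal(String, int, int)}.
     *
     * @param str host to connect to
     * @param i   port to connect to
     * @param i2  time to wait for the handshake, in milliseconds
     * @return the presented chain when the default trust manager rejects it, {@code null} when it
     *         is already trusted
     */
    public static X509Certificate[] getUntrustedCertificate(String str, int i, int i2) throws Exception {
        return instance.getUntrustedCertificateInternal(str, i, i2);
    }

    /**
     * Performs a TLS handshake with the endpoint on the worker thread and reports the chain it
     * presented if the default trust manager does not accept it.
     *
     * @param str host to connect to
     * @param i   port to connect to
     * @param i2  time to wait for the handshake, in milliseconds
     * @return the presented chain when it is not trusted, {@code null} when it is trusted
     * @throws CertificateException if no chain was collected (for example the connection failed)
     * @throws TimeoutException     if the handshake did not finish within {@code i2} milliseconds
     */
    X509Certificate[] getUntrustedCertificateInternal(final String str, final int i, int i2) throws Exception {
        final String host = str;
        final int port = i;
        SSLContext probeContext = SSLContext.getInstance("TLS");
        CertificateCollectingTrustManager collector =
                new CertificateCollectingTrustManager(getDefaultTrustManager());
        probeContext.init(null, new TrustManager[]{collector}, null);
        final SSLSocketFactory socketFactory = probeContext.getSocketFactory();

        Future<?> handshake = this.executor.submit(new Runnable() {
            @Override
            public void run() {
                // try-with-resources closes the socket even when the handshake fails; previously
                // a failed handshake left the socket open.
                try (SSLSocket socket = (SSLSocket) socketFactory.createSocket(host, port)) {
                    socket.startHandshake();
                } catch (Exception e) {
                    System.err.println("Error downloading certificate " + host + ":" + port + "," + e);
                }
            }
        });

        try {
            handshake.get(i2, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // NOTE(review): cancel(true) only interrupts the worker; no connect or read timeout is
            // set on the socket, so a stalled connection may presumably keep the single worker
            // thread busy and delay later probes. Confirm and consider a socket-level timeout.
            handshake.cancel(true);
            throw e;
        }

        X509Certificate[] chain = collector.getCollectedCertificateChain();
        if (chain == null) {
            throw new CertificateException("Could not obtain server certificate chain");
        }
        return collector.isTrusted() ? null : chain;
    }

    /**
     * Static entry point for {@link #trustCertificateInternal(String, int, int)}.
     *
     * @param str host to connect to
     * @param i   port to connect to
     * @param i2  time to wait for the handshake, in milliseconds
     */
    public static void trustCertificate(String str, int i, int i2) throws Exception {
        instance.trustCertificateInternal(str, i, i2);
    }

    /**
     * Fetches the endpoint's chain and, if it is not already trusted, appends it to the trust
     * store.
     *
     * <p>The chain is trusted without any further verification; see the class-level security
     * note.
     *
     * @param str host to connect to
     * @param i   port to connect to
     * @param i2  time to wait for the handshake, in milliseconds
     */
    public void trustCertificateInternal(String str, int i, int i2) throws Exception {
        X509Certificate[] untrustedChain = getUntrustedCertificate(str, i, i2);
        if (untrustedChain != null) {
            appendToTruststore(untrustedChain);
        }
    }

    /**
     * Static entry point for {@link #appendToTruststoreInternal(X509Certificate[])}.
     *
     * @param x509CertificateArr certificates to add as trusted entries
     */
    public static void appendToTruststore(X509Certificate[] x509CertificateArr) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException, FileNotFoundException {
        instance.appendToTruststoreInternal(x509CertificateArr);
    }

    /**
     * Writes a temporary trust store holding the default accepted issuers followed by the given
     * certificates, then sets {@link #JAVAX_NET_SSL_TRUST_STORE} and
     * {@link #JAVAX_NET_SSL_TRUST_STORE_PASSWORD} to refer to it.
     *
     * @param x509CertificateArr certificates to add as trusted entries; every element becomes a
     *                           trust anchor, not only the leaf
     */
    void appendToTruststoreInternal(X509Certificate[] x509CertificateArr) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException, FileNotFoundException {
        X509Certificate[] defaultIssuers = getDefaultTrustManager().getAcceptedIssuers();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null);

        // Aliases are a running counter so default and appended entries never collide.
        int alias = 0;
        for (X509Certificate issuer : defaultIssuers) {
            trustStore.setCertificateEntry(String.valueOf(alias++), issuer);
        }
        for (X509Certificate added : x509CertificateArr) {
            trustStore.setCertificateEntry(String.valueOf(alias++), added);
        }

        String password = UUID.randomUUID().toString();
        // NOTE(review): the file is created in the default temp directory with platform-default
        // permissions. It holds trust anchors, so write access by another local user would let
        // them change what this JVM trusts; confirm the temp directory is private to the process.
        File storeFile = File.createTempFile("truststore", null);
        storeFile.deleteOnExit();
        // Close the stream explicitly so the store is fully flushed before the JVM is pointed at
        // it; the stream was previously never closed.
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            trustStore.store(out, password.toCharArray());
        }

        // NOTE(review): these properties are JVM-wide. JSSE presumably reads them when a default
        // trust manager or SSLContext is created, so contexts built earlier may not pick up the
        // new store; confirm the call order in the application.
        System.setProperty(JAVAX_NET_SSL_TRUST_STORE, storeFile.getAbsolutePath());
        System.setProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD, password);
    }

    /**
     * Returns the X.509 trust manager that the platform builds for its default trust store.
     *
     * @throws IllegalStateException if the default factory supplies no {@link X509TrustManager}
     */
    private static X509TrustManager getDefaultTrustManager() throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init((KeyStore) null);
        // Search for the X.509 manager instead of blindly casting element 0, which would fail
        // with an unhelpful exception if the provider returned another manager type first.
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new IllegalStateException("No X509TrustManager available from the default TrustManagerFactory");
    }
}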
