package net.jini.jeri.ssl;

import com.sun.jini.logging.Levels;
import java.lang.ref.Reference;
import java.lang.ref.SoftReference;
import java.net.Socket;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import net.jini.jeri.ssl.SubjectCredentials;
import net.jini.security.AuthenticationPermission;

/* loaded from: input_file:net/jini/jeri/ssl/ServerAuthManager.class */
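class ServerAuthManager extends AuthManager {
    /** Logger for server-side authentication events; bound to the inherited serverLogger in the static initializer. */
    private static final Logger logger;
    /** Session context consulted to confirm a session is still known before its cached credential is trusted. */
    private final SSLSessionContext sslSessionContext;
    /**
     * One-time snapshot of the subject's private credentials, taken only when the subject is
     * read-only; null for a mutable subject and when no subject was supplied.
     */
    private final X500PrivateCredential[] readOnlyPrivateCredentials;
    /**
     * Cache keyed by key algorithm. A value is either the X500PrivateCredential chosen for that
     * key type, or a String holding the reason the last choice failed so the failure is reported
     * consistently on later checks. Every access is guarded by synchronizing on the map itself.
     */
    private final Map<String, Object> credentialCache;
    /** Session the last full credential check was performed for; held softly so the cache never pins a session. */
    private Reference<SSLSession> sessionCache;
    /** Time (ms since the epoch) until which the last full credential check for sessionCache need not be repeated. */
    private long credentialsValidUntil;
    /** Assertion switch preserved from the compiled class (true when assertions are not enabled for this class). */
    static final boolean $assertionsDisabled;
    /** Cached class literal preserved from the compiled class; see {@link #ownClass()}. */
    static Class class$net$jini$jeri$ssl$ServerAuthManager;

    /**
     * Creates a server-side authentication manager.
     * <p>
     * Note: the decompiler widened this constructor and the two methods below from
     * package-private to public; the original access was package-private.
     *
     * @param subject the subject whose credentials are used to authenticate the server; may be null
     * @param set the permitted principals, passed through to the superclass
     * @param sSLSessionContext the server session context used to validate sessions
     * @throws NoSuchAlgorithmException propagated from the superclass constructor
     */
    public ServerAuthManager(Subject subject, Set set, SSLSessionContext sSLSessionContext) throws NoSuchAlgorithmException {
        super(subject, set, null);
        this.credentialCache = new HashMap<String, Object>(2);
        this.sessionCache = new SoftReference<SSLSession>(null);
        this.credentialsValidUntil = 0L;
        this.sslSessionContext = sSLSessionContext;
        // A read-only subject cannot change, so its private credentials are read once under
        // doPrivileged; a mutable subject is consulted on every lookup instead.
        this.readOnlyPrivateCredentials = (!this.subjectIsReadOnly || subject == null) ? null : (X500PrivateCredential[]) AccessController.doPrivileged(new SubjectCredentials.GetAllPrivateCredentialsAction(subject));
    }

    /**
     * Returns the certificate of the private credential cached for the session's key algorithm.
     *
     * @param sSLSession the session whose server certificate is wanted
     * @return the certificate, or null when the session is no longer known to the session
     *         context, nothing is cached for its key type, a failure reason is cached instead,
     *         or the cached credential has been destroyed
     */
    public X509Certificate getServerCertificate(SSLSession sSLSession) {
        synchronized (this.credentialCache) {
            // Only trust the cache for sessions the context still knows about.
            if (this.sslSessionContext.getSession(sSLSession.getId()) != null) {
                Object cached = this.credentialCache.get(getKeyAlgorithm(sSLSession.getCipherSuite()));
                if (cached instanceof X500PrivateCredential) {
                    X500PrivateCredential credential = (X500PrivateCredential) cached;
                    if (!credential.isDestroyed()) {
                        return credential.getCertificate();
                    }
                }
            }
            return null;
        }
    }

    /**
     * Verifies that the credential cached for the session's key algorithm is still usable to
     * accept a connection from the given peer subject.
     * <p>
     * For a read-only subject, a successful check is remembered together with the session and
     * the time until which the certificates remain valid, so repeated checks of the same
     * session are skipped until that time passes.
     *
     * @param sSLSession the session being checked
     * @param subject the authenticated peer subject, or null for an anonymous peer
     * @throws SecurityException if the session is no longer valid, nothing is cached for its key
     *         type, a failure reason is cached, the credential is destroyed, or the full check fails
     * @throws GeneralSecurityException declared for callers; not thrown by the visible code
     */
    public void checkCredentials(SSLSession sSLSession, Subject subject) throws GeneralSecurityException {
        synchronized (this.credentialCache) {
            if (this.sslSessionContext.getSession(sSLSession.getId()) == null) {
                throw new SecurityException("Session not valid");
            }
            Object cached = this.credentialCache.get(getKeyAlgorithm(sSLSession.getCipherSuite()));
            if (cached == null) {
                throw new SecurityException("No credential cached for key type");
            }
            // chooseServerAlias caches the failure reason as a String so the same error is
            // reported until the credential is re-chosen.
            if (cached instanceof String) {
                throw new SecurityException((String) cached);
            }
            X500PrivateCredential credential = (X500PrivateCredential) cached;
            if (credential.isDestroyed()) {
                throw new SecurityException("Private credentials are destroyed");
            }
            // Fast path: the previous full check covered this exact session and is still within
            // the certificates' validity window. Only safe for a read-only subject, whose
            // credentials cannot have changed in between.
            if (this.subjectIsReadOnly && sSLSession.equals(this.sessionCache.get()) && System.currentTimeMillis() < this.credentialsValidUntil) {
                return;
            }
            this.credentialsValidUntil = checkCredentials(credential, subject, "accept");
            this.sessionCache = new SoftReference<SSLSession>(sSLSession);
        }
    }

    /**
     * Performs the full credential check: the local subject must hold the principal, certificate
     * chain and private credential matching the cached credential, the chains (local and, if
     * present, the peer's) must still be valid, and the caller must have the authentication
     * permission for the given action.
     *
     * @param x500PrivateCredential the cached credential being verified
     * @param subject the peer subject, or null
     * @param str the AuthenticationPermission action ("accept" or "listen")
     * @return the time (ms since the epoch) until which the checked certificates remain valid
     * @throws SecurityException describing the first failed condition
     */
    private long checkCredentials(X500PrivateCredential x500PrivateCredential, Subject subject, String str) {
        Subject localSubject = getSubject();
        if (localSubject == null) {
            throw new SecurityException("Missing subject");
        }
        X509Certificate certificate = x500PrivateCredential.getCertificate();
        if (SubjectCredentials.getPrincipal(localSubject, certificate) == null) {
            throw new SecurityException("Missing principal");
        }
        CertPath certificateChain = SubjectCredentials.getCertificateChain(localSubject, certificate);
        if (certificateChain == null) {
            throw new SecurityException("Missing public credentials");
        }
        long validUntil = certificatesValidUntil(certificateChain);
        if (subject != null) {
            if (!$assertionsDisabled && !subject.isReadOnly()) {
                throw new AssertionError();
            }
            // NOTE(review): assumes the (read-only) peer subject carries exactly one public
            // credential and that it is a CertPath — confirm against the caller that builds it.
            validUntil = Math.min(validUntil, certificatesValidUntil((CertPath) subject.getPublicCredentials().iterator().next()));
        }
        if (System.currentTimeMillis() > validUntil) {
            throw new SecurityException("Certificates no longer valid");
        }
        // getPrivateCredential also enforces AuthenticationPermission for the action.
        X500PrivateCredential current = getPrivateCredential(certificate, getPeerPrincipalName(subject), str);
        if (current == null) {
            throw new SecurityException("Missing private credentials");
        }
        if (equalPrivateCredentials(x500PrivateCredential, current)) {
            return validUntil;
        }
        throw new SecurityException("Wrong private credential");
    }

    /**
     * Returns the name of the peer's principal.
     *
     * @param subject the peer subject, or null
     * @return the principal name, or null when there is no peer subject
     * @throws AssertionError when assertions are enabled and the subject is not read-only
     */
    private String getPeerPrincipalName(Subject subject) {
        if (subject == null) {
            return null;
        }
        if (!$assertionsDisabled && !subject.isReadOnly()) {
            throw new AssertionError();
        }
        // NOTE(review): assumes the read-only peer subject has at least one principal and the
        // first is the one of interest — confirm against the caller.
        return subject.getPrincipals().iterator().next().getName();
    }

    /** Returns the logger used for this manager's messages. */
    @Override // net.jini.jeri.ssl.AuthManager
    Logger getLogger() {
        return logger;
    }

    /**
     * Looks up the private credential for a certificate for the "listen" action with no peer.
     *
     * @param x509Certificate the certificate to look up
     * @return the matching credential, or null
     */
    @Override // net.jini.jeri.ssl.AuthManager
    X500PrivateCredential getPrivateCredential(X509Certificate x509Certificate) {
        return getPrivateCredential(x509Certificate, (String) null, "listen");
    }

    /**
     * Looks up the private credential whose certificate equals the given one, after checking
     * that the caller holds the corresponding AuthenticationPermission.
     *
     * @param x509Certificate the certificate to look up
     * @param str the peer principal name, or null
     * @param str2 the permission action
     * @return the matching credential, or null when there is no subject or no match
     * @throws SecurityException if a security manager denies the permission
     */
    private X500PrivateCredential getPrivateCredential(X509Certificate x509Certificate, String str, String str2) {
        Subject subject = getSubject();
        if (subject == null) {
            return null;
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(getAuthPermission(x509Certificate, str, str2));
        }
        if (!this.subjectIsReadOnly) {
            return (X500PrivateCredential) AccessController.doPrivileged(new SubjectCredentials.GetPrivateCredentialAction(subject, x509Certificate));
        }
        // Read-only subject: scan the snapshot from the end, returning the last matching entry.
        for (int i = this.readOnlyPrivateCredentials.length - 1; i >= 0; i--) {
            X500PrivateCredential candidate = this.readOnlyPrivateCredentials[i];
            if (x509Certificate.equals(candidate.getCertificate())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Builds the AuthenticationPermission for authenticating as the certificate's subject to the
     * named peer (or any peer when the name is null) with the given action.
     */
    private AuthenticationPermission getAuthPermission(X509Certificate x509Certificate, String str, String str2) {
        return new AuthenticationPermission(Collections.singleton(x509Certificate.getSubjectX500Principal()), str == null ? null : Collections.singleton(new X500Principal(str)), str2);
    }

    /** Server-side manager: never offers client aliases. */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getClientAliases(String str, Principal[] principalArr) {
        return null;
    }

    /**
     * Returns the server aliases for a key type and issuers, logging the result at FINE.
     *
     * @param str the key algorithm
     * @param principalArr the acceptable issuers, or null
     * @return the aliases from the superclass, possibly null
     */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getServerAliases(String str, Principal[] principalArr) {
        String[] aliases = getAliases(str, principalArr);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "get server aliases for key type {0}\nand issuers {1}\nreturns {2}", new Object[]{str, toString(principalArr), toString(aliases)});
        }
        return aliases;
    }

    /** Server-side manager: never chooses a client alias. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        return null;
    }

    /**
     * Chooses the server alias for a key type, reusing the cached credential when it still
     * passes the "listen" check and choosing afresh otherwise.
     * <p>
     * When a cached credential fails the check it is evicted and every session in the context
     * that negotiated the same key algorithm is invalidated, so no session keeps using a
     * credential that is no longer acceptable. A failure to choose a new credential is cached as
     * its message so that checkCredentials reports the same reason.
     *
     * @param str the key algorithm
     * @param principalArr the acceptable issuers, or null
     * @param socket unused
     * @return the certificate name of the chosen credential, or null
     */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        X500PrivateCredential credential = null;
        synchronized (this.credentialCache) {
            Object cached = this.credentialCache.get(str);
            if (cached instanceof X500PrivateCredential) {
                credential = (X500PrivateCredential) cached;
                try {
                    checkCredentials(credential, null, "listen");
                } catch (SecurityException e) {
                    if (logger.isLoggable(Levels.HANDLED)) {
                        logThrow(logger, Levels.HANDLED, ownClass(), "chooseServerAlias", "choose server alias for key type {0}\nand issuers {1}\ncaught exception", new Object[]{str, toString(principalArr)}, e);
                    }
                    credential = null;
                    this.credentialCache.remove(str);
                    invalidateSessionsForKeyType(str);
                }
            }
            if (credential == null) {
                Exception failure = null;
                try {
                    credential = chooseCredential(str, principalArr);
                    if (credential != null) {
                        this.credentialCache.put(str, credential);
                    }
                } catch (SecurityException e2) {
                    failure = e2;
                } catch (GeneralSecurityException e3) {
                    failure = e3;
                }
                if (failure != null) {
                    // Cache a non-null reason: a null message would otherwise be stored as a
                    // null entry and later reported as "No credential cached for key type".
                    String reason = failure.getMessage();
                    this.credentialCache.put(str, reason != null ? reason : failure.toString());
                    return null;
                }
            }
            String certificateName = credential == null ? null : SubjectCredentials.getCertificateName(credential.getCertificate());
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "choose server alias for key type {0}\nissuers {1}\nreturns {2}", new Object[]{str, toString(principalArr), certificateName});
            }
            return certificateName;
        }
    }

    /** Invalidates every session in the context whose cipher suite uses the given key algorithm. */
    private void invalidateSessionsForKeyType(String keyType) {
        Enumeration<byte[]> ids = this.sslSessionContext.getIds();
        while (ids.hasMoreElements()) {
            SSLSession session = this.sslSessionContext.getSession(ids.nextElement());
            if (session != null && keyType.equals(getKeyAlgorithm(session.getCipherSuite()))) {
                session.invalidate();
            }
        }
    }

    /** Returns this class's Class object, using the decompiler-preserved cache field. */
    private static Class ownClass() {
        if (class$net$jini$jeri$ssl$ServerAuthManager == null) {
            class$net$jini$jeri$ssl$ServerAuthManager = class$("net.jini.jeri.ssl.ServerAuthManager");
        }
        return class$net$jini$jeri$ssl$ServerAuthManager;
    }

    /**
     * Loads a class by name, converting a missing class into a NoClassDefFoundError.
     *
     * @param str the fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError with the ClassNotFoundException as its cause
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause is typed as Throwable; the cast keeps the thrown type unchecked.
            throw (NoClassDefFoundError) new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        $assertionsDisabled = !ownClass().desiredAssertionStatus();
        logger = serverLogger;
    }
}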
