package com.sun.jndi.ldap.ext;

import com.sun.jndi.ldap.Connection;
import com.sun.jndi.ldap.LdapName;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/* loaded from: input_file:WEB-INF/lib/lucee.jar:bundles/sun.jndi.ldapsec-1.2.4.jar:com/sun/jndi/ldap/ext/StartTlsResponseImpl.class */
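/**
 * Implementation of the LDAP StartTLS extended response.
 *
 * <p>Once the StartTLS extended operation has been accepted, {@link #negotiate()}
 * layers an {@link SSLSocket} over the socket of the existing LDAP connection,
 * runs the TLS handshake, swaps the connection's streams for the TLS streams and
 * checks that the server certificate matches the host the connection was opened
 * to. {@link #close()} removes the layer again and restores the original
 * plaintext streams.
 *
 * <p>Instances are not synchronized; negotiation and closing are expected to
 * happen on the thread that owns the LDAP connection.
 */
public final class StartTlsResponseImpl extends StartTlsResponse {

    /* Carried over from the original class; nothing in this class reads it. */
    private static final boolean DEBUG = false;

    /** GeneralName type of a dNSName subject-alternative-name entry. */
    private static final int DNSNAME_TYPE = 2;

    /** Connection whose socket is upgraded to TLS; supplied via {@link #setConnection}. */
    private transient Connection ldapConnection = null;
    /** Plaintext streams captured in {@link #setConnection}, put back by {@link #close()}. */
    private transient InputStream originalInputStream = null;
    private transient OutputStream originalOutputStream = null;
    /** TLS socket layered over the connection socket; null before the first negotiation. */
    private transient SSLSocket sslSocket = null;
    /** Lazily created {@code SSLSocketFactory.getDefault()}. */
    private transient SSLSocketFactory defaultFactory = null;
    /** Factory that created {@link #sslSocket}; a different instance forces a new socket. */
    private transient SSLSocketFactory currentFactory = null;
    /** Cipher suites enabled before the handshake, or null to keep the socket defaults. */
    private transient String[] suites = null;
    /** Application-supplied verifier, consulted only when the built-in check fails. */
    private transient HostnameVerifier verifier = null;
    /** True until a negotiation succeeds, and again after the TLS layer is torn down. */
    private transient boolean isClosed = true;

    /**
     * Sets the cipher suites to enable on the TLS socket before each handshake.
     *
     * @param cipherSuites suite names, or null to leave the socket's defaults untouched
     */
    @Override
    public void setEnabledCipherSuites(String[] cipherSuites) {
        this.suites = cipherSuites;
    }

    /**
     * Sets a fallback hostname verifier used when the built-in certificate check
     * does not accept the server.
     *
     * @param hostnameVerifier the verifier, or null to rely on the built-in check only
     */
    @Override
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        this.verifier = hostnameVerifier;
    }

    /**
     * Negotiates TLS with the default {@link SSLSocketFactory}.
     *
     * @return the established session
     * @throws IOException if the handshake fails, the response is already closed,
     *                     or the server identity cannot be verified
     */
    @Override
    public SSLSession negotiate() throws IOException {
        return negotiate(null);
    }

    /**
     * Negotiates TLS over the LDAP connection and verifies the server identity.
     *
     * @param factory factory used to create the TLS socket, or null for the default
     * @return the established session
     * @throws IOException                if the handshake fails or a previous TLS layer
     *                                    on this response has been closed
     * @throws SSLPeerUnverifiedException if neither the built-in check nor the
     *                                    configured {@link HostnameVerifier} accepts the
     *                                    server certificate
     * @throws IllegalStateException      if no connection has been set
     */
    @Override
    public SSLSession negotiate(SSLSocketFactory factory) throws IOException {
        if (this.isClosed && this.sslSocket != null) {
            throw new IOException("TLS connection is closed.");
        }
        SSLSocketFactory effectiveFactory = factory == null ? getDefaultFactory() : factory;
        SSLSession session = startHandshake(effectiveFactory).getSession();
        String host = this.ldapConnection.host;
        // Built-in check first; the application verifier is only a fallback.
        if (verify(host, session)
                || (this.verifier != null && this.verifier.verify(host, session))) {
            this.isClosed = false;
            return session;
        }
        // Tear down unconditionally: close() is a no-op while isClosed is still true
        // (the very first negotiation), which would leave the unverified TLS streams
        // installed on the connection with the TLS socket open.
        tearDown();
        session.invalidate();
        throw new SSLPeerUnverifiedException("hostname of the server '" + host
                + "' does not match the hostname in the server's certificate.");
    }

    /**
     * Closes the TLS layer and restores the connection's original plaintext streams.
     * Does nothing if no TLS layer is currently established.
     *
     * @throws IOException if closing the TLS socket fails
     */
    @Override
    public void close() throws IOException {
        if (this.isClosed) {
            return;
        }
        tearDown();
    }

    /**
     * Binds this response to the LDAP connection whose socket will be upgraded and
     * remembers its current streams so they can be restored later.
     *
     * @param connection the underlying LDAP connection
     */
    public void setConnection(Connection connection) {
        this.ldapConnection = connection;
        this.originalInputStream = connection.inStream;
        this.originalOutputStream = connection.outStream;
    }

    /**
     * Puts the plaintext streams back on the connection, closes the TLS socket and
     * marks this response closed. Callers must ensure a TLS socket exists.
     */
    private void tearDown() throws IOException {
        this.ldapConnection.replaceStreams(this.originalInputStream, this.originalOutputStream);
        this.sslSocket.close();
        this.isClosed = true;
    }

    /** Returns the cached default factory, creating it on first use. */
    private SSLSocketFactory getDefaultFactory() throws IOException {
        if (this.defaultFactory == null) {
            this.defaultFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        }
        return this.defaultFactory;
    }

    /**
     * Creates (or reuses) the TLS socket, runs the handshake and installs the TLS
     * streams on the connection.
     *
     * @param factory factory used to create the socket
     * @return the TLS socket after a successful handshake
     * @throws IllegalStateException if no connection has been set
     * @throws IOException           if the handshake fails; the TLS socket is then closed
     *                               and this response is marked closed
     */
    private SSLSocket startHandshake(SSLSocketFactory factory) throws IOException {
        if (this.ldapConnection == null) {
            throw new IllegalStateException(
                    "LDAP connection has not been set. TLS requires an existing LDAP connection.");
        }
        // Identity comparison is intentional: the socket is reused across
        // negotiations unless the caller hands in a different factory instance.
        if (factory != this.currentFactory) {
            // autoClose=false so that closing the TLS socket leaves the LDAP socket
            // underneath open, letting close() hand the connection back to plaintext.
            this.sslSocket = (SSLSocket) factory.createSocket(
                    this.ldapConnection.sock, this.ldapConnection.host, this.ldapConnection.port, false);
            this.currentFactory = factory;
        }
        if (this.suites != null) {
            this.sslSocket.setEnabledCipherSuites(this.suites);
        }
        try {
            this.sslSocket.startHandshake();
            this.ldapConnection.replaceStreams(
                    this.sslSocket.getInputStream(), this.sslSocket.getOutputStream());
            return this.sslSocket;
        } catch (IOException e) {
            // The TLS socket is unusable after a failed handshake: drop it and mark
            // the response closed so a later negotiate() on it is rejected.
            this.sslSocket.close();
            this.isClosed = true;
            throw e;
        }
    }

    /**
     * Built-in check of the server certificate against the connection hostname.
     *
     * <p>dNSName subject-alternative-name entries are matched first (see
     * {@link #matchNames}). Only when the certificate carries no dNSName entry at
     * all is the last RDN of the subject DN compared with {@code cn=<hostname>};
     * once dNSName entries exist and none matches, the CN is not used as a fallback.
     *
     * @param hostname the host the LDAP connection was opened to
     * @param session  the negotiated session
     * @return true if the certificate is accepted for {@code hostname}
     */
    private boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] peerCerts = session.getPeerCertificates();
            if (!(peerCerts[0] instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("");
            }
            X509Certificate leaf = (X509Certificate) peerCerts[0];
            Collection<List<?>> altNames = leaf.getSubjectAlternativeNames();
            boolean noDnsNames = true;
            if (altNames != null) {
                for (List<?> altName : altNames) {
                    if (((Integer) altName.get(0)).intValue() != DNSNAME_TYPE) {
                        continue;
                    }
                    noDnsNames = false;
                    if (matchNames(hostname, (String) altName.get(1))) {
                        return true;
                    }
                }
            }
            if (!noDnsNames) {
                return false;
            }
            LdapName subject = new LdapName(leaf.getSubjectDN().getName());
            int rdnCount = subject.size();
            if (rdnCount <= 0) {
                return false;
            }
            return subject.get(rdnCount - 1).equalsIgnoreCase("cn=" + hostname);
        } catch (SSLPeerUnverifiedException e) {
            // No peer certificate was presented. Anonymous ("_anon_") suites are
            // accepted on this path, so the server is not authenticated at all when
            // such a suite is negotiated; deployments that require authentication
            // must keep those suites out of setEnabledCipherSuites.
            String cipherSuite = session.getCipherSuite();
            return cipherSuite != null && cipherSuite.indexOf("_anon_") != -1;
        } catch (Exception e) {
            // Any other problem (malformed SAN entry, unparsable DN, empty chain) is
            // treated as a failed verification rather than propagated; kept broad on
            // purpose so a bad certificate never escapes as a runtime exception.
            return false;
        }
    }

    /**
     * Matches a hostname against one dNSName entry, case-insensitively.
     *
     * <p>A leading {@code *.} wildcard stands for exactly one label: only the part of
     * {@code hostname} from its first dot onwards is compared with the rest of the
     * entry. Note that this accepts wildcards on any domain depth, including a
     * top-level one such as {@code *.com}.
     *
     * @param hostname the expected host; null or a name without a dot never matches a wildcard
     * @param altName  the certificate's dNSName value, or null
     * @return true if {@code altName} covers {@code hostname}
     */
    private static boolean matchNames(String hostname, String altName) {
        if (altName == null || hostname == null) {
            return false;
        }
        if (altName.startsWith("*.")) {
            // A hostname with no domain part cannot be covered by a wildcard entry;
            // previously indexOf() == -1 fed substring(-1) and threw.
            int firstDot = hostname.indexOf('.');
            if (firstDot < 0) {
                return false;
            }
            return altName.substring(1).equalsIgnoreCase(hostname.substring(firstDot));
        }
        return altName.equalsIgnoreCase(hostname);
    }
}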
