package oracle.net.nt;

import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Level;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import oracle.jdbc.SecurityInformation;
import oracle.jdbc.diagnostics.Diagnosable;
import oracle.jdbc.diagnostics.SecurityLabel;
import oracle.net.ns.NetException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:oracle/net/nt/DNVerifier.class */
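/**
 * Verifies that the TLS server certificate presented by the database belongs to
 * the server the driver intended to reach ("server DN match").
 *
 * <p>The checks, in order of precedence:
 * <ol>
 *   <li>when {@code sslServerCertDN} is configured, the certificate subject must be
 *       structurally equal to it ({@link LdapName} comparison);</li>
 *   <li>otherwise the connect host (current and original form) must match a dNSName or
 *       iPAddress subjectAltName entry, or the subject CN, allowing one wildcard in
 *       the leftmost label;</li>
 *   <li>when weak DN matching is allowed and a service name is configured, the service
 *       name may match instead of the host name.</li>
 * </ol>
 * A failed check raises {@link NetException}. When DN matching is disabled the
 * certificate is not inspected at all and {@code NOT_VERIFIED} is reported.
 */
public class DNVerifier implements Diagnosable {
    private static final String CLASS_NAME = DNVerifier.class.getName();
    /** GeneralName tag of dNSName entries in the subjectAltName extension. */
    private static final int SSL_CERT_SAN_TYPE_DNS_NAME = 2;
    /** GeneralName tag of iPAddress entries in the subjectAltName extension. */
    private static final int SSL_CERT_SAN_TYPE_IP_ADDR = 7;
    /** Text used in error messages when the certificate has no subjectAltName extension. */
    private static final String NO_SANS_TEXT = "null";
    private final ConnOption connOption;
    private final boolean isDNmatchEnabled;
    private final Diagnosable diagnosable;
    // Not read or written by any method of this class as shown here; kept unchanged.
    private SecurityInformation.DNMatchStatus dnMatchStatus = SecurityInformation.DNMatchStatus.NOT_VERIFIED;

    /**
     * @param connOption  connection options; {@code getOriginalConnOption()} supplies the
     *                    user-configured host, service name and DN-match settings
     * @param z           whether server DN matching is enabled at all
     * @param diagnosable parent diagnostic sink that {@link #getDiagnosable()} delegates to
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public DNVerifier(ConnOption connOption, boolean z, Diagnosable diagnosable) {
        this.connOption = connOption;
        this.isDNmatchEnabled = z;
        this.diagnosable = diagnosable;
    }

    /**
     * Entry point: verifies the certificate when DN matching is enabled, otherwise logs
     * that the check is skipped and reports {@code NOT_VERIFIED}.
     *
     * @throws IOException  on a malformed certificate subject or SAN extension
     * @throws NetException (an {@code IOException}) when the certificate does not match
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SecurityInformation.DNMatchStatus verify(X509Certificate x509Certificate) throws IOException {
        if (!this.isDNmatchEnabled) {
            debug(Level.INFO, SecurityLabel.UNKNOWN, CLASS_NAME, "verify", "Server DN verification is disabled and connection is not secure.Enable DN verification through Connection Property 'oracle.net.ssl_server_dn_match' or through URL parameter 'SSL_SERVER_DN_MATCH'", null, null);
            return SecurityInformation.DNMatchStatus.NOT_VERIFIED;
        }
        return verifyServerCertificate(x509Certificate);
    }

    @Override // oracle.jdbc.diagnostics.Diagnosable
    public Diagnosable getDiagnosable() {
        return this.diagnosable;
    }

    /**
     * Whether the user opted in to matching the service name instead of the host name
     * ({@code sslAllowWeakDNMatch} set to on/true/yes, case-insensitively).
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isWeakDNMatchAllowed() {
        String flag = this.connOption.getOriginalConnOption().sslAllowWeakDNMatch;
        return flag != null
                && (flag.equalsIgnoreCase("on") || flag.equalsIgnoreCase("true") || flag.equalsIgnoreCase("yes"));
    }

    /**
     * Runs the configured-DN check when {@code sslServerCertDN} is set, else the
     * host/service-name check.
     *
     * @return which rule the certificate satisfied
     * @throws NetException when the certificate matches neither
     * @throws IOException  on a malformed subject or SAN extension
     */
    public SecurityInformation.DNMatchStatus verifyServerCertificate(X509Certificate x509Certificate) throws NetException, IOException {
        String configuredDN = this.connOption.getOriginalConnOption().sslServerCertDN;
        if (configuredDN != null) {
            return verifyConfiguredDN(x509Certificate, configuredDN);
        }
        return verifyHostOrServiceName(x509Certificate);
    }

    /** Full structural comparison of the subject DN against the configured DN. */
    private SecurityInformation.DNMatchStatus verifyConfiguredDN(X509Certificate x509Certificate, String expectedDN) throws NetException, IOException {
        String subject = subjectName(x509Certificate);
        if (doFullDNMatch(subject, expectedDN)) {
            return SecurityInformation.DNMatchStatus.VERIFIED_MATCHING_CONFIG;
        }
        throw new NetException(NetException.MISMATCH_SERVER_CERT_DN, null, false, expectedDN, subject);
    }

    /**
     * Matches the connect host (current and original form) against the certificate's
     * SAN entries and CN; falls back to the service name when weak matching is allowed.
     */
    private SecurityInformation.DNMatchStatus verifyHostOrServiceName(X509Certificate x509Certificate) throws NetException, IOException {
        ConnOption original = this.connOption.getOriginalConnOption();
        String host = this.connOption.host;
        String originalHost = original.host;
        if (matchCNAndSANs(x509Certificate, host) || matchCNAndSANs(x509Certificate, originalHost)) {
            return SecurityInformation.DNMatchStatus.VERIFIED_MATCHING_HOSTNAME;
        }
        // Error messages list both host forms unless they are identical.
        String hostsTried = Objects.equals(originalHost, host) ? host : originalHost + ", " + host;
        String serviceName = original.service_name;
        if (!isWeakDNMatchAllowed() || serviceName == null) {
            throw new NetException(NetException.MISMATCH_SERVER_CERT_DN_HOSTNAME, null, false,
                    hostsTried, getCNValue(x509Certificate), describeSubjectAlts(x509Certificate));
        }
        // Weak match: the configured service name may stand in for the host name.
        if (matchSANs(x509Certificate, serviceName) || matchCN(x509Certificate, serviceName)) {
            return SecurityInformation.DNMatchStatus.VERIFIED_MATCHING_SERVICENAME;
        }
        throw new NetException(NetException.MISMATCH_SERVER_CERT_DN_SERVICE_NAME, null, false,
                hostsTried, serviceName, getCNValue(x509Certificate), describeSubjectAlts(x509Certificate));
    }

    /** SAN list rendered for error messages; {@value #NO_SANS_TEXT} when the extension is absent. */
    private String describeSubjectAlts(X509Certificate x509Certificate) throws IOException {
        return Optional.ofNullable(getDNSSubjectAlts(x509Certificate))
                .map(Arrays::toString)
                .orElse(NO_SANS_TEXT);
    }

    /**
     * Subject DN of the certificate as a string.
     *
     * <p>{@code getSubjectDN()} is deprecated in favour of
     * {@code getSubjectX500Principal().getName()}, but the two can render some attribute
     * types differently (keyword vs. dotted OID with a hex value). The configured
     * {@code sslServerCertDN} is compared against this rendering, so it is kept as-is
     * rather than risk breaking existing configurations.
     */
    @SuppressWarnings("deprecation")
    private static String subjectName(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectDN().getName();
    }

    /**
     * Structural DN equality via {@link LdapName}: attribute types are compared
     * case-insensitively and values are normalised, so formatting differences do not
     * matter.
     *
     * @return {@code false} when either DN is {@code null}
     * @throws IOException when either string is not a valid DN
     */
    private boolean doFullDNMatch(String actualDN, String expectedDN) throws IOException {
        if (actualDN == null || expectedDN == null) {
            return false;
        }
        try {
            return new LdapName(actualDN).equals(new LdapName(expectedDN));
        } catch (InvalidNameException e) {
            throw new IOException(e);
        }
    }

    /** SAN entries first, then the CN; {@code false} for a {@code null} name. */
    private boolean matchCNAndSANs(X509Certificate x509Certificate, String name) throws IOException {
        if (name == null) {
            return false;
        }
        return matchSANs(x509Certificate, name) || matchCN(x509Certificate, name);
    }

    /** Whether the subject CN matches {@code name}; {@code false} when the subject has no CN. */
    private boolean matchCN(X509Certificate x509Certificate, String name) throws IOException {
        return compare(getCNValue(x509Certificate), name);
    }

    /** Whether any dNSName/iPAddress SAN entry matches {@code name}. */
    private boolean matchSANs(X509Certificate x509Certificate, String name) throws IOException {
        String[] alts = getDNSSubjectAlts(x509Certificate);
        if (alts == null) {
            return false;
        }
        for (String alt : alts) {
            if (compare(alt, name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * dNSName and iPAddress values from the subjectAltName extension, in certificate
     * order. Other name forms (rfc822Name, URI, ...) are not usable for host matching
     * and are skipped.
     *
     * @return the names, possibly empty, or {@code null} when the certificate has no
     *         subjectAltName extension at all
     * @throws IOException when the extension cannot be parsed
     */
    private String[] getDNSSubjectAlts(X509Certificate x509Certificate) throws IOException {
        Collection<List<?>> subjectAlternativeNames;
        try {
            subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new IOException(e);
        }
        if (subjectAlternativeNames == null) {
            return null;
        }
        List<String> names = new LinkedList<>();
        for (List<?> entry : subjectAlternativeNames) {
            int type = (Integer) entry.get(0);
            if (type == SSL_CERT_SAN_TYPE_DNS_NAME || type == SSL_CERT_SAN_TYPE_IP_ADDR) {
                // For these two GeneralName types the JDK represents the value as a String.
                names.add((String) entry.get(1));
            }
        }
        return names.toArray(new String[0]);
    }

    /**
     * CN attribute of the certificate subject, or {@code null} if there is none.
     *
     * @throws IOException when the subject is not a parseable DN
     */
    private String getCNValue(X509Certificate x509Certificate) throws IOException {
        try {
            return getCNValue(new LdapName(subjectName(x509Certificate)));
        } catch (InvalidNameException e) {
            throw new IOException(e);
        }
    }

    /**
     * First CN found in {@link LdapName#getRdns()} order, or {@code null}.
     *
     * <p>{@code getRdns()} lists RDNs least-significant first, so for a subject with more
     * than one CN the rightmost one in string order is the one returned.
     */
    private String getCNValue(LdapName ldapName) {
        for (Rdn rdn : ldapName.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                // CN is a DirectoryString in practice; a binary-encoded value would fail this cast.
                return (String) rdn.getValue();
            }
        }
        return null;
    }

    /**
     * Matches one certificate name against a host (or service) name.
     *
     * <p>An exact, case-insensitive match succeeds. Otherwise both names must have at
     * least two labels, everything after the first dot must be identical, and the
     * leftmost label of the certificate name is treated as a wildcard pattern for the
     * leftmost label of the host name -- so a wildcard never spans a dot.
     *
     * <p>NOTE(review): the SAN type is not visible here, so a wildcard in an iPAddress
     * entry is matched like any other label; RFC 6125 advises against wildcard matching
     * of IP addresses.
     *
     * @return {@code false} when either argument is {@code null}, e.g. a subject without a
     *         CN (previously a NullPointerException)
     */
    private boolean compare(String certName, String hostName) {
        if (certName == null || hostName == null) {
            return false;
        }
        // Locale.ROOT: default-locale lowercasing maps 'I' differently under Turkish
        // locales, which would make otherwise identical names fail to match.
        String pattern = certName.toLowerCase(Locale.ROOT);
        String host = hostName.toLowerCase(Locale.ROOT);
        if (pattern.equals(host)) {
            return true;
        }
        int patternDot = pattern.indexOf('.');
        int hostDot = host.indexOf('.');
        if (patternDot <= 0 || hostDot <= 0) {
            return false; // wildcard matching needs a non-empty leftmost label on both sides
        }
        if (!pattern.substring(patternDot).equals(host.substring(hostDot))) {
            return false; // the domain part (from the first dot on) must be identical
        }
        return wildcardCompare(pattern.substring(0, patternDot), host.substring(0, hostDot));
    }

    /**
     * Matches a single label of the certificate name, which may contain one {@code *},
     * against the corresponding host label. Both arguments are already lower-cased.
     *
     * <p>A bare {@code *} matches any non-empty label. Otherwise the text before the star
     * must be a prefix and the text after it a suffix of the host label; there is no check
     * that the host label is long enough for the prefix and suffix not to overlap, and a
     * second {@code *} is treated as a literal character.
     *
     * @return {@code false} for a label without any {@code *} (the exact comparison has
     *         already failed by the time this is called)
     */
    private boolean wildcardCompare(String label, String hostLabel) {
        if (label.equals("*")) {
            return !hostLabel.isEmpty();
        }
        int star = label.indexOf('*');
        if (star < 0) {
            return false;
        }
        String prefix = label.substring(0, star);
        String suffix = label.substring(star + 1);
        return hostLabel.startsWith(prefix) && hostLabel.endsWith(suffix);
    }
}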
