package snowblossom.lib.tls;

import com.google.protobuf.ByteString;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509ExtendedTrustManager;
import org.bouncycastle.asn1.ASN1StreamParser;
import org.bouncycastle.asn1.DEROctetStringParser;
import snowblossom.lib.AddressSpecHash;
import snowblossom.lib.AddressUtil;
import snowblossom.lib.Globals;
import snowblossom.lib.KeyUtil;
import snowblossom.lib.NetworkParams;
import snowblossom.proto.AddressSpec;
import snowblossom.proto.SignedMessage;
import snowblossom.proto.SignedMessagePayload;

/* loaded from: input_file:snowblossom/lib/tls/SnowTrustManagerFactorySpi.class */
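/**
 * {@link TrustManagerFactorySpi} that trusts a Snowblossom TLS server by the signed claim
 * embedded in its certificate instead of by a CA chain.
 *
 * <p>Trust model as implemented here: the server must present exactly one certificate that
 * carries a {@link SignedMessage} in the private extension OID {@code 2.5.29.134}. The
 * message's signature is validated by {@code MsgSigUtil}, the TLS public key the payload
 * asserts must equal the certificate's public key, and, if this factory was built with an
 * expected {@link AddressSpecHash}, the claimed address must equal it. When no expected hash
 * is given, any server with a valid, self-consistent claim is accepted and its address is
 * logged. Client certificates are not authenticated at all; see
 * {@link SnowTrustManager#checkClientTrusted(X509Certificate[], String)}.
 *
 * <p>Not checked in this class: the certificate validity period, the {@code authType}, and
 * hostname/endpoint identification. NOTE(review): whether these are intentionally covered by
 * the signed claim (e.g. a timestamp verified inside MsgSigUtil) cannot be confirmed from
 * this file.
 *
 * <p>Keystore- and parameter-based initialisation is deliberately unsupported because trust
 * is derived from the claim, not from configured anchors.
 */
public class SnowTrustManagerFactorySpi extends TrustManagerFactorySpi {
    private static final Logger logger = Logger.getLogger("snowblossom.tls");
    // Address the server is required to claim; null disables the address check (see class doc).
    private final AddressSpecHash expected_server_spec_hash;
    // Provider the default TrustManagerFactory came from; stored for the factory wrapper, not used for trust decisions.
    private final Provider provider;
    // Network parameters passed to MsgSigUtil when validating the claim's signature.
    private final NetworkParams params;

    /**
     * Trust manager that performs the claim-based server check described on the enclosing class.
     *
     * <p>Non-static on purpose: it reads {@code expected_server_spec_hash} and {@code params}
     * from the enclosing factory instance.
     */
    public class SnowTrustManager extends X509ExtendedTrustManager {

        /**
         * No CA anchors are used, so there are no accepted issuers.
         *
         * @return an empty array (never {@code null}, per the {@code X509TrustManager} contract)
         */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        /**
         * Accepts every client certificate; only a trace log entry is written.
         *
         * <p>Client identity is therefore not established by TLS in this trust manager. Any
         * client authentication must happen at a higher layer.
         *
         * @param chain    client certificate chain, ignored
         * @param authType key exchange algorithm, ignored
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            SnowTrustManagerFactorySpi.logger.log(Level.FINER, "Evaluating client cert");
        }

        /**
         * Verifies the server certificate against the signed Snowblossom claim it embeds.
         *
         * <p>Steps, in order: exactly one certificate in the chain; extension {@code 2.5.29.134}
         * present; the {@link SignedMessage} inside it has a valid signature for {@code params};
         * if an expected address hash is configured, the claim's address hash equals it; the
         * RSA public key named in the claim equals the certificate's public key.
         *
         * @param chain    server certificate chain; must contain exactly one certificate
         * @param authType key exchange algorithm, not consulted
         * @throws CertificateException if any of the checks above fails, including a
         *         {@code null} or wrong-length chain, a malformed extension or claim, or a
         *         failure inside {@code MsgSigUtil}/{@code KeyUtil} (wrapped as the cause)
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            SnowTrustManagerFactorySpi.logger.log(Level.FINER, "Evaluating server cert");
            // A null chain would otherwise escape as a NullPointerException; report it as a certificate failure.
            if (chain == null || chain.length != 1) {
                throw new CertificateException("Unexpected cert chain length");
            }
            X509Certificate cert = chain[0];
            byte[] extensionValue = cert.getExtensionValue("2.5.29.134");
            if (extensionValue == null) {
                throw new CertificateException("Missing snowblossom claim data in oid 2.5.29.134");
            }
            try {
                // getExtensionValue() yields the DER OCTET STRING wrapper; unwrap it to reach the protobuf bytes.
                SignedMessage signedMessage = SignedMessage.parseFrom(
                    ((DEROctetStringParser) new ASN1StreamParser(extensionValue).readObject()).getOctetStream());
                // Verify the signature before trusting anything in the payload.
                MsgSigUtil.validateSignedMessage(signedMessage, SnowTrustManagerFactorySpi.this.params);
                SignedMessagePayload payload = SignedMessagePayload.parseFrom(signedMessage.getPayload());
                AddressSpec claim = payload.getClaim();
                ByteString tlsPublicKey = payload.getTlsPublicKey();
                AddressSpecHash claimedHash = AddressUtil.getHashForSpec(claim);
                if (SnowTrustManagerFactorySpi.this.expected_server_spec_hash != null) {
                    if (!claimedHash.equals(SnowTrustManagerFactorySpi.this.expected_server_spec_hash)) {
                        throw new CertificateException("Server did not claim the expected address");
                    }
                    SnowTrustManagerFactorySpi.logger.log(Level.FINER, "Server matched expected spec hash");
                }
                // Bind the signed claim to this TLS session: the key the claim vouches for must be the
                // key actually in the certificate. The claim's key is decoded as RSA; how decodeKey
                // treats non-RSA input is not visible here, but any exception it throws rejects the cert.
                ByteString claimedKey = ByteString.copyFrom(KeyUtil.decodeKey(tlsPublicKey, "RSA").getEncoded());
                ByteString certKey = ByteString.copyFrom(cert.getPublicKey().getEncoded());
                if (!claimedKey.equals(certKey)) {
                    throw new CertificateException("Public key mismatch");
                }
                SnowTrustManagerFactorySpi.logger.log(Level.FINER, "Certificate checks out");
                SnowTrustManagerFactorySpi.logger.info("Connected to TLS server with key: " + AddressUtil.getAddressString(Globals.NODE_ADDRESS_STRING, claimedHash));
            } catch (CertificateException e) {
                // Already carries a specific message; rethrow as-is instead of wrapping it a second time.
                throw e;
            } catch (Exception e) {
                throw new CertificateException(e);
            }
        }

        /** Socket-aware variant; delegates to the two-argument check, the socket is not consulted. */
        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            checkClientTrusted(chain, authType);
        }

        /** Engine-aware variant; delegates to the two-argument check, the engine is not consulted. */
        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            checkClientTrusted(chain, authType);
        }

        /** Socket-aware variant; delegates to the two-argument check, so no endpoint identification is done. */
        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            checkServerTrusted(chain, authType);
        }

        /** Engine-aware variant; delegates to the two-argument check, so no endpoint identification is done. */
        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            checkServerTrusted(chain, authType);
        }
    }

    /**
     * Creates the SPI.
     *
     * @param addressSpecHash address the server must claim, or {@code null} to accept any
     *                        server whose claim validates
     * @param provider        security provider recorded alongside this SPI
     * @param networkParams   network parameters used when validating the claim's signature
     * @throws Exception declared for compatibility; this constructor only stores its arguments
     */
    public SnowTrustManagerFactorySpi(AddressSpecHash addressSpecHash, Provider provider, NetworkParams networkParams) throws Exception {
        this.expected_server_spec_hash = addressSpecHash;
        this.provider = provider;
        this.params = networkParams;
    }

    /**
     * Builds a {@link TrustManagerFactory} backed by this SPI.
     *
     * <p>The default algorithm name and provider are borrowed from the platform's default
     * factory so the wrapper looks like a regular factory to callers; the trust logic itself is
     * entirely {@link SnowTrustManager}.
     *
     * @param addressSpecHash address the server must claim, or {@code null} for no address check
     * @param networkParams   network parameters used when validating the claim's signature
     * @return a factory whose trust managers perform the claim-based check
     * @throws Exception if the default factory cannot be obtained or the SPI cannot be built
     */
    public static TrustManagerFactory getFactory(AddressSpecHash addressSpecHash, NetworkParams networkParams) throws Exception {
        String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        Provider provider = TrustManagerFactory.getInstance(defaultAlgorithm).getProvider();
        return new SnowTrustManagerFactory(new SnowTrustManagerFactorySpi(addressSpecHash, provider, networkParams), provider, defaultAlgorithm);
    }

    /**
     * Returns a single fresh {@link SnowTrustManager} bound to this factory's configuration.
     *
     * @return a one-element array holding the trust manager
     */
    @Override // javax.net.ssl.TrustManagerFactorySpi
    public TrustManager[] engineGetTrustManagers() {
        return new TrustManager[]{new SnowTrustManager()};
    }

    /**
     * Unsupported: trust is derived from the certificate's signed claim, never from a keystore.
     *
     * @param keyStore ignored
     * @throws UnsupportedOperationException always
     */
    @Override // javax.net.ssl.TrustManagerFactorySpi
    public void engineInit(KeyStore keyStore) {
        throw new UnsupportedOperationException("Keystores are for jerks");
    }

    /**
     * Unsupported: this factory takes its configuration from its constructor only.
     *
     * @param managerFactoryParameters ignored
     * @throws UnsupportedOperationException always
     */
    @Override // javax.net.ssl.TrustManagerFactorySpi
    public void engineInit(ManagerFactoryParameters managerFactoryParameters) {
        throw new UnsupportedOperationException("Don't need instructions to know how to rock");
    }
}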
