package com.sleepycat.je.rep.utilint.net;

import com.sleepycat.je.rep.ReplicationSSLConfig;
import com.sleepycat.je.rep.net.InstanceContext;
import com.sleepycat.je.rep.net.InstanceLogger;
import com.sleepycat.je.rep.net.InstanceParams;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:WEB-INF/lib/je-7.5.11.jar:com/sleepycat/je/rep/utilint/net/SSLMirrorMatcher.class */
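class SSLMirrorMatcher {
    /** Subject principal of our own certificate; a peer matches only if it presents the same one. */
    private final Principal ourPrincipal;
    private final InstanceLogger logger;

    /**
     * Creates a matcher bound to the local certificate selected by the configured key alias.
     *
     * @param instanceParams  supplies the instance context (replication SSL config, key store, logger factory)
     * @param useClientAlias  true to select the certificate under the client key alias, false for the
     *                        server key alias
     * @throws IllegalArgumentException if the key store cannot be read, holds no usable X.509
     *         certificate for the selected alias, or no local principal can be determined
     */
    public SSLMirrorMatcher(InstanceParams instanceParams, boolean useClientAlias) throws IllegalArgumentException {
        // The logger must be assigned before determinePrincipal() runs: that method logs on
        // several of its paths and would dereference a null logger if set afterwards.
        this.logger = instanceParams.getContext().getLoggerFactory().getLogger(getClass());
        this.ourPrincipal = determinePrincipal(instanceParams.getContext(), useClientAlias);
        if (this.ourPrincipal == null) {
            throw new IllegalArgumentException("Unable to determine a local principal for comparison with peer principals");
        }
    }

    /**
     * Checks whether the peer's authenticated certificate has the same subject principal as ours.
     *
     * @param sSLSession the established session to inspect
     * @return true only if the peer's principal is an {@link X500Principal} equal to our own;
     *         false if the peer is unverified, presented no X.500 principal, or the principals differ
     */
    public boolean peerMatches(SSLSession sSLSession) {
        if (this.ourPrincipal == null) {
            return false;   // defensive only; the constructor rejects a null principal
        }
        Principal peerPrincipal;
        try {
            peerPrincipal = sSLSession.getPeerPrincipal();
        } catch (SSLPeerUnverifiedException e) {
            // The peer did not authenticate itself in this session; that is a mismatch, not an error.
            this.logger.log(Level.INFO, "Unable to attempt peer validation - peer is unverified: " + e);
            return false;
        }
        // instanceof is false for null, so a missing principal is rejected here as well.
        if (!(peerPrincipal instanceof X500Principal)) {
            this.logger.log(Level.INFO, "Unable to attempt peer validation - peer Principal is: " + peerPrincipal);
            return false;
        }
        return this.ourPrincipal.equals(peerPrincipal);
    }

    /**
     * Resolves the subject principal of the local X.509 certificate.
     *
     * <p>The alias comes from the replication SSL config; when none is configured the first alias
     * reported by the key store is used instead.
     *
     * @param instanceContext supplies the replication SSL config and the key store
     * @param useClientAlias  true to use the client key alias, false for the server key alias
     * @return the certificate's subject principal, or null if the key store is empty
     * @throws IllegalArgumentException if the key store cannot be accessed, has no certificate
     *         for the alias, or the certificate is not an {@link X509Certificate}
     */
    private Principal determinePrincipal(InstanceContext instanceContext, boolean useClientAlias) throws IllegalArgumentException {
        ReplicationSSLConfig sslConfig = (ReplicationSSLConfig) instanceContext.getRepNetConfig();
        String alias = useClientAlias ? sslConfig.getSSLClientKeyAlias() : sslConfig.getSSLServerKeyAlias();
        KeyStore keyStore = SSLChannelFactory.readKeyStore(instanceContext);
        if (alias == null || alias.isEmpty()) {
            alias = firstAlias(keyStore);
            if (alias == null) {
                return null;
            }
        }
        try {
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                this.logger.log(Level.INFO, "No certificate for alias " + alias + " found in KeyStore");
                throw new IllegalArgumentException("Unable to find a certificate in the keystore");
            }
            if (certificate instanceof X509Certificate) {
                return ((X509Certificate) certificate).getSubjectX500Principal();
            }
            this.logger.log(Level.INFO, "The certificate for alias " + alias + " is not an X509Certificate.");
            throw new IllegalArgumentException("Unable to find a valid certificate in the keystore");
        } catch (KeyStoreException e) {
            throw new IllegalArgumentException("Error accessing certificate with alias " + alias + " from the keystore", e);
        }
    }

    /**
     * Picks the fallback alias when none is configured: the first alias the key store reports.
     *
     * <p>NOTE(review): {@code KeyStore.aliases()} has no defined order, and the chosen entry is not
     * checked to be a private-key entry, so with several entries the selected certificate may not be
     * the one the SSL channel actually uses. An explicit alias should be configured in that case.
     *
     * @param keyStore the loaded key store
     * @return the first alias, or null if the store is empty
     * @throws IllegalArgumentException if the store's aliases cannot be read
     */
    private String firstAlias(KeyStore keyStore) throws IllegalArgumentException {
        try {
            int entries = keyStore.size();
            if (entries < 1) {
                this.logger.log(Level.INFO, "KeyStore is empty");
                return null;
            }
            if (entries > 1) {
                this.logger.log(Level.INFO, "KeyStore has multiple entries but no alias was specified.  Using the first one available.");
            }
            return keyStore.aliases().nextElement();
        } catch (KeyStoreException e) {
            throw new IllegalArgumentException("Error accessing aliases from the keystore", e);
        }
    }
}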
