package com.tigervnc.rfb;

import com.lowagie.text.pdf.PdfObject;
import com.lowagie.text.xml.xmp.XmpWriter;
import com.tigervnc.network.SSLEngineManager;
import com.tigervnc.rdr.FdInStream;
import com.tigervnc.rdr.FdOutStream;
import com.tigervnc.rdr.SystemException;
import com.tigervnc.rdr.TLSInStream;
import com.tigervnc.rdr.TLSOutStream;
import com.tigervnc.rdr.WarningException;
import com.tigervnc.rfb.Configuration;
import com.tigervnc.vncviewer.CConn;
import com.tigervnc.vncviewer.FileUtils;
import com.tigervnc.vncviewer.UserPreferences;
import java.awt.Component;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.Writer;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.StandardOpenOption;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.swing.Icon;
import javax.swing.JOptionPane;
import javax.xml.bind.DatatypeConverter;

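/**
 * Client side of the two VeNCrypt TLS sub-types this viewer speaks: TLSNone
 * ({@code anon == true}: anonymous Diffie-Hellman, so the server is encrypted
 * to but never authenticated) and X509None ({@code anon == false}: the server
 * certificate is PKIX-validated against the JRE's default trust anchors, the
 * user's CA file {@link #x509ca}, previously accepted certificates, and, when
 * present, the CRL file {@link #x509crl}).
 * <p>
 * An unknown issuer or a hostname mismatch is referred to the user through a
 * Swing dialog; a certificate the user accepts is appended to
 * {@value #SAVED_CERTS_FILE} under the VNC home directory and is treated as a
 * trust anchor on later connections (trust-on-first-use).
 */
public class CSecurityTLS extends CSecurity {
    /** VeNCrypt sub-type codes reported by {@link #getType()}. */
    private static final int SEC_TYPE_TLS_NONE = 257;
    private static final int SEC_TYPE_X509_NONE = 260;
    /** RFB SecurityResult codes after which the server also sends a reason string. */
    private static final int SEC_RESULT_FAILED = 1;
    private static final int SEC_RESULT_TOO_MANY = 2;
    /** GeneralName tags as returned by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_DNS_NAME = 2;
    private static final int SAN_IP_ADDRESS = 7;
    /** File (under the VNC home directory) that accumulates user-accepted certificates. */
    private static final String SAVED_CERTS_FILE = "x509_savedcerts.pem";
    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----\n";
    private static final String PEM_END = "-----END CERTIFICATE-----\n";

    protected CConnection client;
    private SSLContext ctx;
    private SSLEngine engine;
    private SSLEngineManager manager;
    private final boolean anon;
    private final String cafile;
    private final String crlfile;
    private FdInStream is;
    private FdOutStream os;
    /** Path of the CA bundle used in X509 mode; "" means none beyond the JRE defaults. */
    public static StringParameter x509ca = new StringParameter("x509ca", "X509 CA certificate", "", Configuration.ConfigurationObject.ConfViewer);
    /** Path of the CRL file used in X509 mode; "" (or an unreadable file) turns revocation checking off. */
    public static StringParameter x509crl = new StringParameter("x509crl", "X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer);
    static LogWriter vlog = new LogWriter("CSecurityTLS");

    /**
     * PKIX trust manager whose anchor set is the JRE's default anchors plus the
     * certificates found in {@value #SAVED_CERTS_FILE} and in {@link #x509ca}.
     * Server checks additionally verify the hostname and, when the issuer is
     * unknown, ask the user whether to accept (and persist) the certificate.
     */
    public class MyX509TrustManager implements X509TrustManager {
        X509TrustManager tm;

        /**
         * Builds the trust store and the delegate PKIX manager.
         *
         * @throws GeneralSecurityException from the JCA/JSSE factories; any other
         *     failure (unreadable file, malformed PEM) is rethrown as the rfb
         *     {@code Exception} of this package
         */
        MyX509TrustManager() throws GeneralSecurityException {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            try {
                keyStore.load(null, null);
                // Start from whatever the JRE already trusts (its default trust manager).
                TrustManagerFactory defaultFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                defaultFactory.init((KeyStore) null);
                for (TrustManager trustManager : defaultFactory.getTrustManagers()) {
                    if (trustManager instanceof X509TrustManager) {
                        for (X509Certificate cert : ((X509TrustManager) trustManager).getAcceptedIssuers()) {
                            addTrustAnchor(keyStore, cert);
                        }
                    }
                }
                // Certificates the user accepted earlier, then the configured CA bundle.
                loadTrustAnchors(keyStore, certFactory, savedCertsFile());
                loadTrustAnchors(keyStore, certFactory, new File(CSecurityTLS.this.cafile));

                PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, new X509CertSelector());
                File crl = new File(CSecurityTLS.this.crlfile);
                if (crl.exists() && crl.canRead()) {
                    // Revocation is only checked when a CRL file is actually available.
                    try (InputStream crlStream = new FileInputStream(crl)) {
                        params.addCertStore(CertStore.getInstance("Collection",
                                new CollectionCertStoreParameters(certFactory.generateCRLs(crlStream))));
                    }
                    params.setRevocationEnabled(true);
                } else {
                    params.setRevocationEnabled(false);
                }
                TrustManagerFactory pkixFactory = TrustManagerFactory.getInstance("PKIX");
                pkixFactory.init(new CertPathTrustManagerParameters(params));
                this.tm = (X509TrustManager) pkixFactory.getTrustManagers()[0];
            } catch (java.lang.Exception e) {
                // Same-package rfb Exception, as the rest of this class uses.
                throw new Exception(e.getMessage());
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.tm.checkClientTrusted(chain, authType);
        }

        /**
         * Verifies the hostname against the leaf certificate, then the chain via
         * PKIX. A chain that fails only because its issuer is unknown is offered to
         * the user; accepting saves it so the next connection validates silently.
         *
         * @throws CertificateException for an empty chain or any validation failure
         *     that is not the unknown-issuer case (the latter is reported as
         *     SystemException, as before); declining the dialog raises WarningException
         */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("Empty server certificate chain");
            }
            // Outside the catch below so a user decline (WarningException) or a name
            // problem (SystemException) keeps its own type instead of being rewrapped.
            verifyHostname(chain[0]);
            try {
                this.tm.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                if (!(e.getCause() instanceof CertPathBuilderException)) {
                    throw new SystemException(e.getMessage());
                }
                if (!confirmUnknownIssuer(chain[0])) {
                    throw new WarningException("Peer certificate verification failed.");
                }
                saveCertificates(chain);
            }
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return this.tm.getAcceptedIssuers();
        }

        /** Dialog describing an unknown-issuer certificate; true when the user accepts it. */
        private boolean confirmUnknownIssuer(X509Certificate cert) throws CertificateException {
            String message = "This certificate has been signed by an unknown authority\n\n"
                    + "  Subject: " + cert.getSubjectX500Principal().getName() + "\n"
                    + "  Issuer: " + cert.getIssuerX500Principal().getName() + "\n"
                    + "  Serial Number: " + cert.getSerialNumber() + "\n"
                    + "  Version: " + cert.getVersion() + "\n"
                    // getSigAlgName() is the signature algorithm; the public key's
                    // algorithm (shown here before) is a different thing.
                    + "  Signature Algorithm: " + cert.getSigAlgName() + "\n"
                    + "  Not Valid Before: " + cert.getNotBefore() + "\n"
                    + "  Not Valid After: " + cert.getNotAfter() + "\n"
                    + "  SHA1 Fingerprint: " + fingerprint(cert, "SHA-1") + "\n"
                    + "  SHA256 Fingerprint: " + fingerprint(cert, "SHA-256") + "\n\n"
                    + "Do you want to save it and continue?";
            return askYesNo(message, "Certificate Issuer Unknown");
        }

        /**
         * Appends every certificate of the chain that is not already in
         * {@value #SAVED_CERTS_FILE} to that file, in PEM. Best effort: failures are
         * logged, never thrown, so the connection the user just accepted proceeds.
         */
        private void saveCertificates(X509Certificate[] chain) {
            File vncDir = new File(FileUtils.getVncHomeDir());
            File certFile = new File(vncDir, SAVED_CERTS_FILE);
            try {
                if (!vncDir.exists() && !vncDir.mkdir()) {
                    CSecurityTLS.vlog.error("Certificate save failed: cannot create " + vncDir);
                    return;
                }
                // An existing file is the normal case from the second accepted
                // certificate on; its contents decide what still needs writing.
                Collection<? extends Certificate> alreadySaved;
                if (certFile.exists()) {
                    alreadySaved = CertificateFactory.getInstance("X.509").generateCertificates(pemStream(certFile));
                } else {
                    alreadySaved = Collections.<Certificate>emptyList();
                }
                // NOTE(review): the file is created with default permissions; its
                // contents become trust anchors, so it should not be writable by
                // other local users.
                Base64.Encoder pem = Base64.getMimeEncoder(64, new byte[] { '\n' });
                try (Writer out = Files.newBufferedWriter(certFile.toPath(), StandardCharsets.US_ASCII,
                        StandardOpenOption.CREATE, StandardOpenOption.APPEND)) {
                    for (X509Certificate cert : chain) {
                        if (alreadySaved.contains(cert)) {
                            continue;
                        }
                        out.write(PEM_BEGIN);
                        out.write(pem.encodeToString(cert.getEncoded()));
                        out.write("\n");
                        out.write(PEM_END);
                    }
                }
            } catch (IOException | GeneralSecurityException e) {
                CSecurityTLS.vlog.error("Certificate save failed: " + e.getMessage());
            }
        }

        /**
         * Checks that the leaf certificate names the peer we connected to: any
         * dNSName or iPAddress subjectAltName, or, only when the certificate has no
         * SAN extension at all, a CN of the subject. On mismatch the user is asked
         * whether to continue; declining raises WarningException.
         *
         * @throws CertificateParsingException declared for source compatibility;
         *     parse and name errors are actually reported as SystemException
         */
        private void verifyHostname(X509Certificate cert) throws CertificateParsingException {
            try {
                CConn conn = (CConn) CSecurityTLS.this.client;
                String peerName = conn.getSocket().getPeerName();
                Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
                if (altNames == null) {
                    // Legacy fallback: no SAN extension, so the subject CN is consulted.
                    for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                        Object value = rdn.getValue();
                        if (rdn.getType().equalsIgnoreCase("CN") && value instanceof String
                                && peerName.equalsIgnoreCase((String) value)) {
                            return;
                        }
                    }
                } else {
                    for (List<?> entry : altNames) {
                        int tag = ((Integer) entry.get(0)).intValue();
                        Object name = entry.get(1);
                        if (!(name instanceof String)) {
                            continue; // otherName and friends come back as byte[]; not comparable here
                        }
                        if (tag == SAN_DNS_NAME && peerName.equalsIgnoreCase((String) name)) {
                            return;
                        }
                        if (tag == SAN_IP_ADDRESS) {
                            String peerAddress = conn.getSocket().getPeerAddress();
                            if (peerAddress.equalsIgnoreCase((String) name)) {
                                return;
                            }
                        }
                    }
                }
                if (!askYesNo("Hostname verification failed. Do you want to continue?", "Hostname Verification Failure")) {
                    throw new WarningException("Hostname verification failed.");
                }
            } catch (InvalidNameException e) {
                throw new SystemException(e.getMessage());
            } catch (CertificateParsingException e) {
                throw new SystemException(e.getMessage());
            }
        }
    }

    /** The file that collects user-accepted certificates. */
    private static File savedCertsFile() {
        return new File(FileUtils.getVncHomeDir(), SAVED_CERTS_FILE);
    }

    /**
     * Adds a trusted certificate under an alias made of subject DN and serial
     * number, so two distinct certificates with the same subject (e.g. a re-keyed
     * CA) do not silently overwrite each other.
     */
    private static void addTrustAnchor(KeyStore keyStore, X509Certificate cert) throws GeneralSecurityException {
        String alias = cert.getSubjectX500Principal().getName() + "#" + cert.getSerialNumber().toString(16);
        keyStore.setCertificateEntry(alias, cert);
    }

    /** Adds every certificate of a readable PEM file as a trust anchor; a missing file is ignored. */
    private static void loadTrustAnchors(KeyStore keyStore, CertificateFactory certFactory, File pemFile)
            throws IOException, GeneralSecurityException {
        if (!pemFile.exists() || !pemFile.canRead()) {
            return;
        }
        for (Certificate cert : certFactory.generateCertificates(pemStream(pemFile))) {
            addTrustAnchor(keyStore, (X509Certificate) cert);
        }
    }

    /**
     * Reads a PEM file into memory with whitespace-only lines removed and returns
     * it as a stream. Bytes pass through unchanged (ISO-8859-1 round-trips every
     * byte); the blank lines are dropped presumably because blank lines between
     * PEM blocks upset {@link CertificateFactory#generateCertificates} on some JREs.
     */
    private static InputStream pemStream(File file) throws IOException {
        StringBuilder text = new StringBuilder();
        try (BufferedReader in = Files.newBufferedReader(file.toPath(), StandardCharsets.ISO_8859_1)) {
            String line;
            while ((line = in.readLine()) != null) {
                if (!line.trim().isEmpty()) {
                    text.append(line).append('\n');
                }
            }
        }
        return new ByteArrayInputStream(text.toString().getBytes(StandardCharsets.ISO_8859_1));
    }

    /**
     * Hex digest of the certificate's DER encoding, formatted as "AB CD EF ...".
     *
     * @throws CertificateException if the certificate cannot be encoded or the
     *     digest algorithm is unavailable (wrapped so callers see one type)
     */
    private static String fingerprint(X509Certificate cert, String algorithm) throws CertificateException {
        byte[] digest;
        try {
            digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("Cannot compute " + algorithm + " fingerprint", e);
        }
        StringBuilder hex = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                hex.append(' ');
            }
            hex.append(String.format("%02X", digest[i] & 0xff));
        }
        return hex.toString();
    }

    /** Modal YES/NO warning dialog; true when the user chose YES. */
    private static boolean askYesNo(String message, String title) {
        Object[] options = { "YES", "NO" };
        int choice = JOptionPane.showOptionDialog((Component) null, message, title,
                JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, (Icon) null, options, options[0]);
        return choice == JOptionPane.YES_OPTION;
    }

    /** Elements of {@code names} that start with {@code prefix}, in their original order. */
    private static String[] withPrefix(String[] names, String prefix) {
        List<String> kept = new ArrayList<String>();
        for (String name : names) {
            if (name.startsWith(prefix)) {
                kept.add(name);
            }
        }
        return kept.toArray(new String[0]);
    }

    /**
     * Cipher suites to enable, in preference order, chosen from the engine's
     * supported list.
     * <p>
     * Anonymous mode (TLSNone) needs the {@code *_anon_*} key exchanges and
     * nothing else; ECDH variants are listed before DH. X509 mode offers every
     * supported suite except the anonymous ones: a peer selecting an anonymous
     * suite would never present a certificate, bypassing the trust manager and
     * the hostname check. NULL-cipher suites are never offered by either mode.
     */
    private static String[] cipherSuitesFor(String[] supported, boolean anonymous) {
        List<String> enabled = new ArrayList<String>();
        if (anonymous) {
            for (String prefix : new String[] { "TLS_ECDH_anon", "TLS_DH_anon" }) {
                for (String suite : supported) {
                    if (suite.startsWith(prefix) && !suite.contains("_WITH_NULL_")) {
                        enabled.add(suite);
                    }
                }
            }
        } else {
            for (String suite : supported) {
                if (!suite.contains("_anon_") && !suite.contains("_WITH_NULL_")) {
                    enabled.add(suite);
                }
            }
        }
        return enabled.toArray(new String[0]);
    }

    /** Creates the SSLContext once; processMsg() calls this on every invocation. */
    private void initGlobal() {
        if (this.ctx != null) {
            return;
        }
        try {
            this.ctx = SSLContext.getInstance("TLS");
        } catch (NoSuchAlgorithmException e) {
            throw new Exception(e.toString());
        }
    }

    /**
     * @param anon true for TLSNone (anonymous DH), false for X509None
     */
    public CSecurityTLS(boolean anon) {
        this.anon = anon;
        setDefaults();
        this.cafile = x509ca.getData();
        this.crlfile = x509crl.getData();
    }

    /** The user-preference CA path, or x509_ca.pem under the VNC home directory. */
    public static String getDefaultCA() {
        String configured = UserPreferences.get("viewer", "x509ca");
        return configured != null ? configured : FileUtils.getVncHomeDir() + "x509_ca.pem";
    }

    /** The user-preference CRL path, or x509_crl.pem under the VNC home directory. */
    public static String getDefaultCRL() {
        String configured = UserPreferences.get("viewer", "x509crl");
        return configured != null ? configured : FileUtils.getVncHomeDir() + "x509_crl.pem";
    }

    /** Makes the default CA/CRL paths the parameter defaults, but only if those files exist. */
    public static void setDefaults() {
        String defaultCa = getDefaultCA();
        if (new File(defaultCa).exists()) {
            x509ca.setDefaultStr(defaultCa);
        }
        String defaultCrl = getDefaultCRL();
        if (new File(defaultCrl).exists()) {
            x509crl.setDefaultStr(defaultCrl);
        }
    }

    /**
     * Drives the security handshake. Before the TLS handshake the server sends one
     * byte: 0 means it refused, followed by a SecurityResult code (and a reason for
     * the two codes that carry one); anything else means go ahead.
     *
     * @return false while the server's byte has not arrived yet (presumably what
     *     checkNoWait(1) reports), true once the TLS streams are installed
     */
    @Override
    public boolean processMsg(CConnection cc) {
        this.is = (FdInStream) cc.getInStream();
        this.os = (FdOutStream) cc.getOutStream();
        this.client = cc;
        initGlobal();
        if (this.manager == null) {
            if (!this.is.checkNoWait(1)) {
                return false;
            }
            if (this.is.readU8() == 0) {
                int result = this.is.readU32();
                String reason = (result == SEC_RESULT_FAILED || result == SEC_RESULT_TOO_MANY)
                        ? this.is.readString()
                        : "Authentication failure (protocol error)";
                throw new AuthFailureException(reason);
            }
            setParam();
        }
        try {
            this.manager = new SSLEngineManager(this.engine, this.is, this.os);
            this.manager.doHandshake();
            cc.setStreams(new TLSInStream(this.is, this.manager), new TLSOutStream(this.os, this.manager));
            return true;
        } catch (java.lang.Exception e) {
            throw new SystemException(e.toString());
        }
    }

    /** Initialises the context and builds the client-mode engine with protocols and suites filtered for the mode. */
    private void setParam() {
        try {
            // TLSNone: no trust manager at all; X509None: our PKIX-backed manager.
            TrustManager[] trust = this.anon ? null : new TrustManager[] { new MyX509TrustManager() };
            this.ctx.init(null, trust, null);
        } catch (GeneralSecurityException e) {
            throw new AuthFailureException(e.toString());
        }
        this.engine = this.ctx.createSSLEngine(this.client.getServerName(), this.client.getServerPort());
        this.engine.setUseClientMode(true);
        // Only TLS* protocol names are enabled (never SSLv3/SSLv2Hello); the JDK's
        // own disabled-algorithm policy presumably still applies on top.
        this.engine.setEnabledProtocols(withPrefix(this.engine.getSupportedProtocols(), "TLS"));
        this.engine.setEnabledCipherSuites(cipherSuitesFor(this.engine.getSupportedCipherSuites(), this.anon));
    }

    @Override
    public final int getType() {
        return this.anon ? SEC_TYPE_TLS_NONE : SEC_TYPE_X509_NONE;
    }

    @Override
    public final String description() {
        return this.anon ? "TLS Encryption without VncAuth" : "X509 Encryption without VncAuth";
    }
}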
