package org.apache.cxf.transport.https;

import java.net.HttpURLConnection;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.HttpsURLConnection;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;

/* JADX WARN: Classes with same name are omitted:
  input_file:resources/fedora.war:WEB-INF/lib/cxf-rt-transports-http-2.6.2.jar:org/apache/cxf/transport/https/CertConstraintsInterceptor.class
 */
/* loaded from: input_file:resources/fedorahome.zip:client/cxf-bundle-2.6.2.jar:org/apache/cxf/transport/https/CertConstraintsInterceptor.class */
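/**
 * Enforces the {@link CertConstraints} configured for a message exchange against
 * the TLS peer certificate.
 *
 * <p>The interceptor does nothing when no {@code CertConstraints} contextual
 * property is present. Certificate pinning/constraint checking is therefore
 * opt-in: a missing or misnamed property silently disables the check.
 *
 * <p>On the requestor (client) side it refuses non-HTTPS connections and installs
 * an {@code HttpsMessageTrustDecider} wrapping any decider already on the message;
 * the server certificate check itself is delegated to that decider (not shown in
 * this class). On the receiving (server) side it checks the first peer certificate
 * reported by {@link TLSSessionInfo} against the constraints.
 *
 * <p>Every rejection is surfaced as a {@link Fault} wrapping an
 * {@link UntrustedURLConnectionIOException}, so the interceptor fails closed.
 */
public final class CertConstraintsInterceptor extends AbstractPhaseInterceptor<Message> {
    /** Shared instance; the constructor is private, so this is the only one. */
    public static final CertConstraintsInterceptor INSTANCE = new CertConstraintsInterceptor();
    static final Logger LOG = LogUtils.getL7dLogger(CertConstraintsInterceptor.class);

    private CertConstraintsInterceptor() {
        super(Phase.PRE_STREAM);
    }

    /**
     * Applies the configured certificate constraints to the given message.
     *
     * @param message the message being processed
     * @throws Fault if constraints are configured and TLS is not in use, no client
     *     certificate was presented, or the client certificate does not satisfy
     *     the constraints
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(Message message) throws Fault {
        CertConstraints certConstraints =
            (CertConstraints) message.getContextualProperty(CertConstraints.class.getName());
        if (certConstraints == null) {
            // No constraints configured for this exchange: nothing to enforce.
            return;
        }
        try {
            if (isRequestor(message)) {
                // Client side: constraints only make sense over TLS, so refuse a
                // plain HTTP connection (a null connection is refused as well).
                HttpURLConnection connection = (HttpURLConnection) message.get("http.connection");
                if (!(connection instanceof HttpsURLConnection)) {
                    throw new UntrustedURLConnectionIOException("TLS is not in use");
                }
                // Chain to whatever decider was already registered (may be null).
                MessageTrustDecider existing = message.get(MessageTrustDecider.class);
                MessageTrustDecider decider = new HttpsMessageTrustDecider(certConstraints, existing);
                message.put(MessageTrustDecider.class, decider);
                return;
            }

            // Server side: a request that did not arrive over TLS carries no
            // TLSSessionInfo. Reject it explicitly instead of failing with a
            // NullPointerException further down.
            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
            if (tlsInfo == null) {
                throw new UntrustedURLConnectionIOException("TLS is not in use");
            }
            Certificate[] peerCertificates = tlsInfo.getPeerCertificates();
            if (peerCertificates == null || peerCertificates.length == 0) {
                throw new UntrustedURLConnectionIOException("No client certificates were found");
            }
            // Only the first certificate in the array is matched against the
            // constraints. NOTE(review): chain validation is presumably done by
            // the TLS layer before this point - confirm for the deployment.
            // The element is type-checked individually because the array may be
            // a plain Certificate[]; a non-X.509 certificate cannot satisfy the
            // constraints and is rejected rather than raising ClassCastException.
            Certificate leaf = peerCertificates[0];
            if (!(leaf instanceof X509Certificate)
                    || !certConstraints.matches((X509Certificate) leaf)) {
                throw new UntrustedURLConnectionIOException(
                    "The client certificate does not match the defined cert constraints");
            }
        } catch (UntrustedURLConnectionIOException e) {
            throw new Fault(e);
        }
    }
}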
