// // Decompiled by Procyon v0.6.0 // package io.netty.handler.codec.quic; import java.security.cert.CertPathValidatorException; import java.security.cert.CertificateRevokedException; import java.security.cert.X509Certificate; import java.security.cert.CertificateNotYetValidException; import java.security.cert.CertificateExpiredException; import io.netty.handler.ssl.OpenSslCertificateException; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509ExtendedTrustManager; import org.jetbrains.annotations.Nullable; import javax.net.ssl.X509TrustManager; final class BoringSSLCertificateVerifyCallback { private static final boolean TRY_USING_EXTENDED_TRUST_MANAGER; private final QuicheQuicSslEngineMap engineMap; private final X509TrustManager manager; BoringSSLCertificateVerifyCallback(final QuicheQuicSslEngineMap engineMap, @Nullable final X509TrustManager manager) { this.engineMap = engineMap; this.manager = manager; } int verify(final long ssl, final byte[][] x509, final String authAlgorithm) { final QuicheQuicSslEngine engine = this.engineMap.get(ssl); if (engine == null) { return BoringSSL.X509_V_ERR_UNSPECIFIED; } if (this.manager == null) { this.engineMap.remove(ssl); return BoringSSL.X509_V_ERR_UNSPECIFIED; } final X509Certificate[] peerCerts = BoringSSL.certificates(x509); try { if (engine.getUseClientMode()) { if (BoringSSLCertificateVerifyCallback.TRY_USING_EXTENDED_TRUST_MANAGER && this.manager instanceof X509ExtendedTrustManager) { ((X509ExtendedTrustManager)this.manager).checkServerTrusted(peerCerts, authAlgorithm, engine); } else { this.manager.checkServerTrusted(peerCerts, authAlgorithm); } } else if (BoringSSLCertificateVerifyCallback.TRY_USING_EXTENDED_TRUST_MANAGER && this.manager instanceof X509ExtendedTrustManager) { ((X509ExtendedTrustManager)this.manager).checkClientTrusted(peerCerts, authAlgorithm, engine); } else { this.manager.checkClientTrusted(peerCerts, authAlgorithm); } return BoringSSL.X509_V_OK; } catch (final Throwable cause) { this.engineMap.remove(ssl); if (cause instanceof OpenSslCertificateException) { return ((OpenSslCertificateException)cause).errorCode(); } if (cause instanceof CertificateExpiredException) { return BoringSSL.X509_V_ERR_CERT_HAS_EXPIRED; } if (cause instanceof CertificateNotYetValidException) { return BoringSSL.X509_V_ERR_CERT_NOT_YET_VALID; } return translateToError(cause); } } private static int translateToError(final Throwable cause) { if (cause instanceof CertificateRevokedException) { return BoringSSL.X509_V_ERR_CERT_REVOKED; } for (Throwable wrapped = cause.getCause(); wrapped != null; wrapped = wrapped.getCause()) { if (wrapped instanceof CertPathValidatorException) { final CertPathValidatorException ex = (CertPathValidatorException)wrapped; final CertPathValidatorException.Reason reason = ex.getReason(); if (reason == CertPathValidatorException.BasicReason.EXPIRED) { return BoringSSL.X509_V_ERR_CERT_HAS_EXPIRED; } if (reason == CertPathValidatorException.BasicReason.NOT_YET_VALID) { return BoringSSL.X509_V_ERR_CERT_NOT_YET_VALID; } if (reason == CertPathValidatorException.BasicReason.REVOKED) { return BoringSSL.X509_V_ERR_CERT_REVOKED; } } } return BoringSSL.X509_V_ERR_UNSPECIFIED; } static { boolean tryUsingExtendedTrustManager; try { Class.forName(X509ExtendedTrustManager.class.getName()); tryUsingExtendedTrustManager = true; } catch (final Throwable cause) { tryUsingExtendedTrustManager = false; } TRY_USING_EXTENDED_TRUST_MANAGER = tryUsingExtendedTrustManager; } }