package org.apache.cxf.transport.https;

import java.security.cert.X509Certificate;
import org.apache.cxf.message.Message;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.URLConnectionInfo;
import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-transports-http-3.0.1.e3.jar:org/apache/cxf/transport/https/HttpsMessageTrustDecider.class */
final class HttpsMessageTrustDecider extends MessageTrustDecider {
    private final CertConstraints certConstraints;
    private final MessageTrustDecider orig;

    /* JADX INFO: Access modifiers changed from: package-private */
    public HttpsMessageTrustDecider(CertConstraints certConstraints, MessageTrustDecider messageTrustDecider) {
        this.certConstraints = certConstraints;
        this.orig = messageTrustDecider;
    }

    @Override // org.apache.cxf.transport.http.MessageTrustDecider
    public void establishTrust(String str, URLConnectionInfo uRLConnectionInfo, Message message) throws UntrustedURLConnectionIOException {
        if (this.orig != null) {
            this.orig.establishTrust(str, uRLConnectionInfo, message);
        }
        HttpsURLConnectionInfo httpsURLConnectionInfo = (HttpsURLConnectionInfo) uRLConnectionInfo;
        if (httpsURLConnectionInfo.getServerCertificates() == null || httpsURLConnectionInfo.getServerCertificates().length == 0) {
            throw new UntrustedURLConnectionIOException("No server certificates were found");
        }
        if (!this.certConstraints.matches(((X509Certificate[]) httpsURLConnectionInfo.getServerCertificates())[0])) {
            throw new UntrustedURLConnectionIOException("The server certificate(s) do not match the defined cert constraints");
        }
    }
}
