package io.confluent.kafka.client.plugins.ssl;

import java.security.cert.CertificateException;
import java.util.Map;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutes;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutesStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/client/plugins/ssl/NetworkLinkTrustManager.class */
public class NetworkLinkTrustManager extends ConfluentTrustManager {
    private static final Logger log = LoggerFactory.getLogger(NetworkLinkTrustManager.class);
    private final String brokerSessionUuid;

    public NetworkLinkTrustManager(Map<String, ?> map, X509ExtendedTrustManager x509ExtendedTrustManager) {
        super(map, x509ExtendedTrustManager);
        this.brokerSessionUuid = getBrokerSessionUuid(map);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // io.confluent.kafka.client.plugins.ssl.ConfluentTrustManager
    public boolean verifySubjectAltName(String str) throws CertificateException {
        return super.verifySubjectAltName(str) && getNetworkRoutes().allowsDNSDomainSuffix(str);
    }

    private TrafficNetworkIdRoutes getNetworkRoutes() throws CertificateException {
        TrafficNetworkIdRoutes routes = TrafficNetworkIdRoutesStore.getRoutes(this.brokerSessionUuid);
        if (routes != null) {
            return routes;
        }
        log.trace("The certificate verification failed due to: {}", "Traffic network routes are not available");
        throw new CertificateException("Traffic network routes are not available");
    }

    private static String getBrokerSessionUuid(Map<String, ?> map) {
        Object obj = map.get("broker.session.uuid");
        if (obj == null) {
            throw new ConfigException("broker.session.uuid is not set");
        }
        return obj.toString();
    }
}
