package io.confluent.security.mtls;

import io.confluent.security.authentication.AdmissionController;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/mtls/CertificateMetadata.class */
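/**
 * Extracts identity attributes from an X.509 certificate into a flat string map.
 *
 * <p>The map is exposed through {@link #getCelVars()}; the name suggests it feeds CEL
 * expression evaluation, but the consumer is not visible in this file.
 *
 * <p><b>Security notes for callers.</b>
 * <ul>
 *   <li>This class performs no trust decisions: nothing here checks the chain, the validity
 *       period, key usage or revocation. Only pass certificates that have already been
 *       validated by the TLS layer or an explicit path validation step.</li>
 *   <li>Extraction is best effort. When the subject DN cannot be parsed or the fingerprint
 *       cannot be computed, the corresponding keys are simply absent and the matching getter
 *       returns {@code null}. Policy code must treat {@code null} and {@code ""} as "no match",
 *       never as a wildcard.</li>
 *   <li>The SHA-1 fingerprint is an identifier only. SHA-1 is not collision resistant, so
 *       rules that pin on this value alone deserve review.</li>
 * </ul>
 */
public class CertificateMetadata {
    private static final Logger LOG = LoggerFactory.getLogger(CertificateMetadata.class);
    private static final String RFC2253 = "RFC2253";
    /** Upper-case hex alphabet used for locale-independent byte-to-hex conversion. */
    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();
    private final X509Certificate certificate;
    private final Map<String, String> celVars = new HashMap<>();

    /**
     * GeneralName tags of the subjectAltName extension, keyed by the integer tag that
     * {@link X509Certificate#getSubjectAlternativeNames()} reports as the first list element.
     *
     * <p>Declared {@code public} in this decompiled listing; the decompiler reports that the
     * original access level was package-private.
     */
    public enum SANType {
        OTHERNAME(0),
        EMAIL(1),
        DNS(2),
        X400(3),
        DIR(4),
        EDIPARTY(5),
        URI(6),
        IP(7),
        RID(8);

        /** Reverse index from tag number to constant, filled once in the static initializer. */
        private static final Map<Integer, SANType> LOOKUP = new HashMap<>();

        static {
            for (SANType type : values()) {
                LOOKUP.put(type.getValue(), type);
            }
        }

        private final int value;

        SANType(int i) {
            this.value = i;
        }

        /** @return the integer tag of this name type */
        int getValue() {
            return this.value;
        }

        /**
         * Resolves a tag number to its constant.
         *
         * @param i tag number as reported by the certificate API
         * @return the matching constant
         * @throws IllegalArgumentException if {@code i} is not one of the tags 0..8
         */
        static SANType fromValue(int i) {
            SANType type = LOOKUP.get(i);
            if (type == null) {
                throw new IllegalArgumentException("Invalid value: " + i);
            }
            return type;
        }
    }

    /**
     * Wraps the certificate and eagerly extracts its attributes.
     *
     * @param x509Certificate certificate to describe; must not be {@code null} and is expected
     *     to have been validated by the caller
     * @throws NullPointerException if {@code x509Certificate} is {@code null}
     * @throws IllegalArgumentException if a subjectAltName entry carries an unknown tag
     *     (propagated from {@link SANType#fromValue(int)})
     */
    public CertificateMetadata(X509Certificate x509Certificate) {
        // Fail before any attribute is extracted instead of part-way through generateCelVars().
        if (x509Certificate == null) {
            throw new NullPointerException("x509Certificate");
        }
        this.certificate = x509Certificate;
        generateCelVars();
    }

    /**
     * Returns the extracted attributes.
     *
     * <p>NOTE(review): this is the live internal map, not a copy or an unmodifiable view, so a
     * caller can add or overwrite identity attributes after construction and every later getter
     * will reflect that. Confirm whether any caller relies on mutation; if none does, returning
     * an unmodifiable view would close that gap.
     *
     * @return the backing attribute map
     */
    public Map<String, String> getCelVars() {
        return this.celVars;
    }

    /** @return the issuer distinguished name of the wrapped certificate in RFC 2253 form */
    public String getIssuerDn() {
        return this.certificate.getIssuerX500Principal().getName(RFC2253);
    }

    /** @return the subject DN in RFC 2253 form, or {@code null} if the key is absent */
    public String getDn() {
        return this.celVars.get(CertMetadataIdentifier.DN.getValue());
    }

    /**
     * @return the joined subjectAltName string; {@code ""} when the certificate has no SAN or
     *     the extension could not be parsed
     */
    public String getSan() {
        return this.celVars.get(CertMetadataIdentifier.SAN.getValue());
    }

    /** @return the value stored under the CN key, or {@code null} if none was extracted */
    public String getCn() {
        return this.celVars.get(CertMetadataIdentifier.CN.getValue());
    }

    /** @return the certificate serial number as upper-case hex */
    public String getSnid() {
        return this.celVars.get(CertMetadataIdentifier.SNID.getValue());
    }

    /**
     * @return the SHA-1 fingerprint of the encoded certificate as upper-case hex, or
     *     {@code null} if it could not be computed
     */
    public String getSha1() {
        return this.celVars.get(CertMetadataIdentifier.SHA1.getValue());
    }

    /** Populates {@link #celVars} from the wrapped certificate. */
    private void generateCelVars() {
        this.celVars.putAll(generateSubjectDnVars(this.certificate));
        this.celVars.put(CertMetadataIdentifier.SAN.getValue(), generateSubjectAlternativeName(this.certificate));
        this.celVars.put(CertMetadataIdentifier.SNID.getValue(), getSerialNumber(this.certificate));
        try {
            this.celVars.put(CertMetadataIdentifier.SHA1.getValue(), calculateSha1Fingerprint(this.certificate));
        } catch (Exception e) {
            // Best effort: the SHA1 key stays absent and getSha1() returns null.
            LOG.error("Failed to calculate SHA-1 fingerprint", e);
        }
    }

    /**
     * @param x509crl CRL to inspect
     * @return the CRL issuer's distinguished name in RFC 2253 form
     */
    public static String getIssuerDn(X509CRL x509crl) {
        return x509crl.getIssuerX500Principal().getName(RFC2253);
    }

    /**
     * Formats a CRL entry's serial number the same way as the certificate serial number, so the
     * two strings can be compared directly.
     *
     * <p>Serial numbers are only unique per issuer; a revocation lookup should compare the
     * issuer DN as well as this value.
     *
     * @param x509CRLEntry revoked-certificate entry
     * @return the serial number as upper-case hex
     */
    public static String getSerialNumber(X509CRLEntry x509CRLEntry) {
        return toHexStringUpperCase(x509CRLEntry.getSerialNumber());
    }

    /**
     * Builds the DN-derived attributes: the full subject DN plus one entry per recognised RDN
     * type.
     *
     * <p>Points a policy author should know:
     * <ul>
     *   <li>{@code LdapName.getRdns()} lists RDNs starting from the right-most one, and
     *       {@code putIfAbsent} keeps the first seen, so when a type repeats (for example two
     *       CN components) the right-most occurrence in the RFC 2253 string is the one stored.</li>
     *   <li>Values are passed through {@code Rdn.escapeValue}, so the stored string carries
     *       RFC 2253 escaping rather than the raw attribute value.</li>
     *   <li>Only {@code Rdn.getType()} is consulted; for a multi-valued RDN that presumably
     *       covers a single type/value pair and the others are ignored - verify.</li>
     *   <li>If the DN cannot be parsed, only the DN key is returned.</li>
     * </ul>
     *
     * @param x509Certificate certificate whose subject is read
     * @return a new mutable map of the extracted attributes
     */
    static Map<String, String> generateSubjectDnVars(X509Certificate x509Certificate) {
        Map<String, String> vars = new HashMap<>();
        String subjectDn = x509Certificate.getSubjectX500Principal().getName(RFC2253);
        vars.put(CertMetadataIdentifier.DN.getValue(), subjectDn);
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                String type = rdn.getType().toUpperCase(Locale.ENGLISH);
                String escapedValue = Rdn.escapeValue(rdn.getValue());
                if (CertMetadataIdentifier.IDENTIFIERS.contains(type)) {
                    vars.putIfAbsent(type, escapedValue);
                }
            }
        } catch (InvalidNameException e) {
            LOG.error("Failed to parse DN: {}", subjectDn, e);
        }
        return vars;
    }

    /**
     * Renders the subjectAltName extension as {@code TYPE:value} entries joined with
     * {@code AdmissionController.OAUTH_POOL_DELIMITER}.
     *
     * <p>Only entries whose value is a {@code String} are rendered; entries with any other
     * value type are silently left out. A parse failure yields {@code ""}, which is
     * indistinguishable from a certificate without a SAN.
     *
     * <p>NOTE(review): values are joined without escaping. The delimiter's value is not visible
     * in this file; if a SAN value can contain it, one entry can read as several once joined.
     * Rules over this string should match whole entries, not substrings.
     *
     * @param x509Certificate certificate whose SAN extension is read
     * @return the joined entries, or {@code ""} when there are none or parsing failed
     * @throws IllegalArgumentException if an entry carries a tag outside 0..8
     */
    static String generateSubjectAlternativeName(X509Certificate x509Certificate) {
        try {
            Collection<List<?>> altNames = x509Certificate.getSubjectAlternativeNames();
            if (altNames == null || altNames.isEmpty()) {
                return "";
            }
            List<String> rendered = new ArrayList<>();
            for (List<?> entry : altNames) {
                // Each entry is expected to be [Integer tag, value]; shorter lists are skipped.
                Integer tag = entry.size() >= 2 ? (Integer) entry.get(0) : null;
                if (tag != null && (entry.get(1) instanceof String)) {
                    rendered.add(String.format("%s:%s", SANType.fromValue(tag), entry.get(1)));
                }
            }
            return String.join(AdmissionController.OAUTH_POOL_DELIMITER, rendered);
        } catch (CertificateParsingException e) {
            LOG.warn("Failed to parse SAN", e);
            return "";
        }
    }

    /**
     * @param x509Certificate certificate to read
     * @return the serial number as upper-case hex
     */
    static String getSerialNumber(X509Certificate x509Certificate) {
        return toHexStringUpperCase(x509Certificate.getSerialNumber());
    }

    /**
     * Computes the SHA-1 digest of the certificate's encoded form.
     *
     * <p>Suitable as a lookup key or for display. Because SHA-1 collisions are practical, it
     * should not be the only attribute an authorization rule relies on.
     *
     * @param x509Certificate certificate to fingerprint
     * @return the digest as 40 upper-case hex characters
     * @throws NoSuchAlgorithmException if the runtime has no SHA-1 provider
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    static String calculateSha1Fingerprint(X509Certificate x509Certificate) throws NoSuchAlgorithmException, CertificateEncodingException {
        return toHexStringUpperCase(MessageDigest.getInstance("SHA-1").digest(x509Certificate.getEncoded()));
    }

    /**
     * Encodes bytes as two upper-case hex characters each, with no separators.
     *
     * @param bArr bytes to encode
     * @return the hex string, twice as long as the input
     */
    private static String toHexStringUpperCase(byte[] bArr) {
        StringBuilder sb = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            // Table lookup avoids a String.format call per byte.
            sb.append(HEX_DIGITS[(b >> 4) & 0x0F]).append(HEX_DIGITS[b & 0x0F]);
        }
        return sb.toString();
    }

    /**
     * Renders an integer in upper-case base 16.
     *
     * <p>The result has no fixed width: leading zeros are not emitted and a negative value is
     * prefixed with {@code -}. Serial numbers supplied from elsewhere must be normalised the
     * same way before being compared with this output.
     *
     * @param bigInteger value to render
     * @return the upper-case hex representation
     */
    private static String toHexStringUpperCase(BigInteger bigInteger) {
        return bigInteger.toString(16).toUpperCase(Locale.ENGLISH);
    }
}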
