package io.confluent.kafka.server.plugins.ssl;

import com.fasterxml.jackson.core.JsonProcessingException;
import io.confluent.kafka.common.utils.ConfluentUtils;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedTrustManager;
import kafka.server.ssl.CertificateId;
import kafka.server.ssl.CertificateIdsJsonConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/server/plugins/ssl/ConfluentTrustManager.class */
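/**
 * Trust manager that layers a Confluent-specific check on top of a delegate
 * {@link X509ExtendedTrustManager}.
 *
 * <p>A chain is accepted only if (1) it contains a certificate whose dNSName subject
 * alternative name matches the configured CCloud host pattern and whose id is not on the
 * configured revocation list, and (2) the delegate trust manager also accepts it. The
 * Confluent check runs first; a failure in either step rejects the chain with a
 * {@link CertificateException}.
 *
 * <p>Only dNSName SAN entries are consulted; the subject CN and other SAN types are ignored.
 * The revocation list is parsed once at construction, so a malformed list fails fast
 * instead of being discovered during a handshake.
 */
public class ConfluentTrustManager extends X509ExtendedTrustManager {
    private static final Logger log = LoggerFactory.getLogger(ConfluentTrustManager.class);
    /** GeneralName tag for dNSName entries returned by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int DNS = 2;
    /** A SAN entry is a (type, value) pair; anything shorter is malformed and skipped. */
    private static final int SAN_ENTRY_MIN_SIZE = 2;
    /** Config key whose value is the JSON list of revoked certificate ids. */
    private static final String REVOKED_CERTIFICATE_IDS_CONFIG = "confluent.security.revoked.certificate.ids";

    /** Delegate performing standard path validation after the Confluent check has passed. */
    private final X509ExtendedTrustManager defaultTrustManager;
    /** Broker configs; consulted live on every SAN check (the map is not copied). */
    private final Map<String, ?> configs;
    /** Ids (issuer + serial number) of certificates that must never be trusted. */
    private final Set<CertificateId> revokedCertificateIds;

    /**
     * Creates a trust manager wrapping {@code x509ExtendedTrustManager}.
     *
     * @param map broker configs; must contain the revoked-id JSON under
     *     {@code confluent.security.revoked.certificate.ids} and whatever
     *     {@code ConfluentUtils.hasCCloudHostPattern} reads
     * @param x509ExtendedTrustManager delegate consulted after the Confluent check
     * @throws IllegalStateException if the revoked-id JSON cannot be parsed
     * @throws NullPointerException if {@code x509ExtendedTrustManager} or {@code map} is null
     */
    public ConfluentTrustManager(Map<String, ?> map, X509ExtendedTrustManager x509ExtendedTrustManager) {
        // Fail at construction rather than on the first handshake if the delegate is missing.
        this.defaultTrustManager = Objects.requireNonNull(x509ExtendedTrustManager, "x509ExtendedTrustManager");
        this.configs = map;
        this.revokedCertificateIds = revokedCertificateIds(map);
    }

    /**
     * {@inheritDoc}
     *
     * <p>For an {@link SSLSocket} the Confluent check only runs when client auth is wanted or
     * needed; a plain {@link Socket} carries no such flag, so the check always runs. The
     * delegate is consulted in every case.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        boolean runConfluentCheck = !(socket instanceof SSLSocket)
                || ((SSLSocket) socket).getNeedClientAuth()
                || ((SSLSocket) socket).getWantClientAuth();
        if (runConfluentCheck) {
            verifyClientCerts(x509CertificateArr);
        }
        this.defaultTrustManager.checkClientTrusted(x509CertificateArr, str, socket);
    }

    /** {@inheritDoc} Runs the Confluent server-cert check, then the delegate. */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        verifyServerCerts(x509CertificateArr);
        this.defaultTrustManager.checkServerTrusted(x509CertificateArr, str, socket);
    }

    /**
     * {@inheritDoc}
     *
     * <p>The Confluent check only runs when the engine wants or needs client auth; the
     * delegate is consulted in every case.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        if (sSLEngine.getNeedClientAuth() || sSLEngine.getWantClientAuth()) {
            verifyClientCerts(x509CertificateArr);
        }
        this.defaultTrustManager.checkClientTrusted(x509CertificateArr, str, sSLEngine);
    }

    /** {@inheritDoc} Runs the Confluent server-cert check, then the delegate. */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        verifyServerCerts(x509CertificateArr);
        this.defaultTrustManager.checkServerTrusted(x509CertificateArr, str, sSLEngine);
    }

    /** {@inheritDoc} Runs the Confluent client-cert check unconditionally, then the delegate. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        verifyClientCerts(x509CertificateArr);
        this.defaultTrustManager.checkClientTrusted(x509CertificateArr, str);
    }

    /** {@inheritDoc} Runs the Confluent server-cert check, then the delegate. */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        verifyServerCerts(x509CertificateArr);
        this.defaultTrustManager.checkServerTrusted(x509CertificateArr, str);
    }

    /** Returns the delegate's accepted issuers; this class adds no issuers of its own. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.defaultTrustManager.getAcceptedIssuers();
    }

    /**
     * Applies the Confluent check to a client chain.
     *
     * @return {@code true} when the chain passes (the method never returns {@code false})
     * @throws CertificateException if no certificate in the chain is a non-revoked Confluent cert
     */
    boolean verifyClientCerts(X509Certificate[] x509CertificateArr) throws CertificateException {
        return verifyCerts(x509CertificateArr, true);
    }

    /**
     * Applies the Confluent check to a server chain.
     *
     * @return {@code true} when the chain passes (the method never returns {@code false})
     * @throws CertificateException if no certificate in the chain is a non-revoked Confluent cert
     */
    boolean verifyServerCerts(X509Certificate[] x509CertificateArr) throws CertificateException {
        return verifyCerts(x509CertificateArr, false);
    }

    /**
     * Reports whether any dNSName SAN of {@code x509Certificate} matches the configured
     * CCloud host pattern. A certificate with no dNSName SANs is never a Confluent cert.
     *
     * @throws CertificateException propagated from {@link #verifySubjectAltName(String)}
     */
    boolean isConfluentCert(X509Certificate x509Certificate) throws CertificateException {
        List<String> subjectAltNames = getSubjectAltNames(x509Certificate);
        if (subjectAltNames.isEmpty()) {
            return false;
        }
        log.trace("Verifying the cert subjectAlts:{}", subjectAltNames);
        for (String subjectAltName : subjectAltNames) {
            if (verifySubjectAltName(subjectAltName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Matches a single dNSName SAN against the CCloud host pattern derived from the configs.
     * Public so that subclasses can override the matching rule (the decompiler reports the
     * original modifier as {@code protected}).
     *
     * @param str a dNSName SAN value
     * @throws CertificateException propagated from {@code ConfluentUtils}
     */
    public boolean verifySubjectAltName(String str) throws CertificateException {
        return ConfluentUtils.hasCCloudHostPattern(this.configs, str);
    }

    /**
     * Accepts the chain if any member is a non-revoked Confluent cert; otherwise throws.
     *
     * <p>The whole chain is scanned, not just the leaf at index 0. NOTE(review): a revoked
     * leaf would still pass if another chain member carried a matching, non-revoked SAN —
     * confirm that this is the intended semantics.
     *
     * @param x509CertificateArr the peer chain; {@code null} or empty is rejected
     * @param isClient selects the wording of the failure message
     * @return {@code true} on success (never {@code false})
     * @throws CertificateException if no acceptable certificate is found
     */
    private boolean verifyCerts(X509Certificate[] x509CertificateArr, boolean isClient) throws CertificateException {
        if (x509CertificateArr != null) {
            for (X509Certificate cert : x509CertificateArr) {
                if (isConfluentCert(cert) && !isRevoked(cert)) {
                    return true;
                }
            }
        }
        // Fail closed: an absent or unmatched chain is a verification failure, not a pass.
        String message = MessageFormat.format("A trusted {0} certificate not found", isClient ? "client" : "server");
        log.trace("The certificate verification failed due to: {}", message);
        throw new CertificateException(message);
    }

    /**
     * Collects the dNSName (type 2) subject alternative names of a certificate.
     *
     * <p>Entries of other SAN types, malformed entries, and non-String values are skipped.
     * A parse failure is logged at trace level and treated as "no SANs", which makes the
     * certificate fail {@link #isConfluentCert(X509Certificate)} rather than pass it.
     *
     * @return the dNSName values in certificate order; empty if none or on parse failure
     */
    List<String> getSubjectAltNames(X509Certificate x509Certificate) {
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames == null) {
                return Collections.emptyList();
            }
            List<String> dnsNames = new ArrayList<>();
            for (List<?> entry : subjectAlternativeNames) {
                if (entry.size() < SAN_ENTRY_MIN_SIZE) {
                    continue;
                }
                Object type = entry.get(0);
                Object value = entry.get(1);
                // Guard the casts so an unexpected element type is skipped instead of throwing.
                if (type instanceof Integer && ((Integer) type).intValue() == DNS && value instanceof String) {
                    dnsNames.add((String) value);
                }
            }
            return dnsNames;
        } catch (CertificateParsingException e) {
            log.trace("Ignoring certificate parsing exception", e);
            return Collections.emptyList();
        }
    }

    /**
     * Reports whether the certificate's id is on the configured revocation list.
     * The id is built by {@code CertificateId(X509Certificate)} — presumably issuer plus
     * serial number, matching the JSON form; verify against that class.
     */
    private boolean isRevoked(X509Certificate x509Certificate) {
        return this.revokedCertificateIds.contains(new CertificateId(x509Certificate));
    }

    /**
     * Parses the revoked certificate ids from the configs into a set of
     * {@code (issuer, serialNumber)} ids.
     *
     * <p>Behaviour when the config key is absent depends on
     * {@code CertificateIdsJsonConfig.fromJson(null)}, which is not visible here.
     *
     * @param map broker configs
     * @throws IllegalStateException wrapping the parse error if the JSON is malformed
     */
    final Set<CertificateId> revokedCertificateIds(Map<String, ?> map) {
        try {
            CertificateIdsJsonConfig[] parsed =
                    CertificateIdsJsonConfig.fromJson((String) map.get(REVOKED_CERTIFICATE_IDS_CONFIG));
            Set<CertificateId> revoked = new HashSet<>();
            for (CertificateIdsJsonConfig entry : parsed) {
                for (String serialNumber : entry.serialNumbers()) {
                    revoked.add(new CertificateId(entry.issuer(), serialNumber));
                }
            }
            return revoked;
        } catch (JsonProcessingException e) {
            throw new IllegalStateException("Failed to parse revoked certificate ids", e);
        }
    }
}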
