package io.grpc.s2a.internal.handshaker;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.protobuf.ByteString;
import io.grpc.s2a.internal.handshaker.SessionReq;
import io.grpc.s2a.internal.handshaker.ValidatePeerCertificateChainReq;
import io.grpc.s2a.internal.handshaker.ValidatePeerCertificateChainResp;
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.annotation.concurrent.NotThreadSafe;
import javax.net.ssl.X509TrustManager;

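/**
 * An {@link X509TrustManager} that delegates peer certificate-chain validation to S2A.
 *
 * <p>No trust anchors are held locally. Each check serializes the presented chain to DER, sends it
 * to S2A through the {@link S2AStub} in a {@code ValidatePeerCertificateChainReq}, and accepts the
 * peer only when S2A answers with {@code ValidationResult.SUCCESS}. Every other outcome (non-zero
 * status, missing validation response, non-success result, transport failure, interruption)
 * surfaces as a {@link CertificateException}, so the check fails closed.
 *
 * <p>Security notes for reviewers:
 *
 * <ul>
 *   <li>The {@code authType} argument of both check methods is ignored.
 *   <li>The configured hostname is sent to S2A only when validating a server peer; this class does
 *       no hostname matching of its own.
 *   <li>The request's verification mode is always {@code VerificationMode.UNSPECIFIED}; what policy
 *       S2A applies for that value is not visible here and should be confirmed against S2A.
 *   <li>A null or empty chain is rejected with an unchecked exception from {@link Preconditions}
 *       rather than a {@link CertificateException}.
 * </ul>
 */
@NotThreadSafe
/* loaded from: input_file:io/grpc/s2a/internal/handshaker/S2ATrustManager.class */
final class S2ATrustManager implements X509TrustManager {
    /** Local identity attached to each validation request when present. */
    private final Optional<S2AIdentity> localIdentity;

    /** Channel used to send session requests to S2A and read its responses. */
    private final S2AStub stub;

    /** Hostname reported to S2A as the expected server name for server-peer validation. */
    private final String hostname;

    /**
     * Creates a trust manager for the client side of a connection.
     *
     * <p>Only the stub and the hostname are null-checked here. A null {@code optional} is accepted
     * by this factory and would only fail later, inside a certificate check.
     *
     * @param s2AStub stub used to talk to S2A; must not be null
     * @param str hostname sent to S2A when a server certificate chain is validated; must not be null
     * @param optional local identity to attach to validation requests, if any
     * @return a new trust manager bound to the given stub, hostname and identity
     * @throws NullPointerException if {@code s2AStub} or {@code str} is null
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static S2ATrustManager createForClient(S2AStub s2AStub, String str, Optional<S2AIdentity> optional) {
        Preconditions.checkNotNull(s2AStub);
        Preconditions.checkNotNull(str);
        return new S2ATrustManager(s2AStub, str, optional);
    }

    private S2ATrustManager(S2AStub stub, String hostname, Optional<S2AIdentity> localIdentity) {
        this.stub = stub;
        this.hostname = hostname;
        this.localIdentity = localIdentity;
    }

    /**
     * Validates a client certificate chain by asking S2A.
     *
     * @param x509CertificateArr the chain presented by the client; must be non-null and non-empty
     * @param str the authentication type; ignored
     * @throws CertificateException if S2A rejects the chain or cannot be reached
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkPeerTrusted(x509CertificateArr, true);
    }

    /**
     * Validates a server certificate chain by asking S2A, passing the configured hostname along.
     *
     * @param x509CertificateArr the chain presented by the server; must be non-null and non-empty
     * @param str the authentication type; ignored
     * @throws CertificateException if S2A rejects the chain or cannot be reached
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkPeerTrusted(x509CertificateArr, false);
    }

    /**
     * Returns the locally known issuers, of which there are none because validation is remote.
     *
     * <p>The {@link X509TrustManager} contract requires a non-null (possibly empty) array, and TLS
     * stacks may iterate the result without a null check, so an empty array is returned instead of
     * {@code null}.
     *
     * @return an empty array
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /**
     * Sends the peer's chain to S2A and throws unless S2A reports a successful validation.
     *
     * @param chain the certificate chain presented by the peer
     * @param isClientPeer {@code true} to validate the chain as a client peer, {@code false} to
     *     validate it as a server peer together with the configured hostname
     * @throws NullPointerException if {@code chain} is null
     * @throws IllegalArgumentException if {@code chain} is empty
     * @throws CertificateException if a certificate cannot be encoded, the request cannot be sent,
     *     the thread is interrupted, or S2A does not report success
     */
    private void checkPeerTrusted(X509Certificate[] chain, boolean isClientPeer) throws CertificateException {
        Preconditions.checkNotNull(chain);
        Preconditions.checkArgument(chain.length > 0, "Certificate chain has zero certificates.");

        ValidatePeerCertificateChainReq.Builder validationReq = ValidatePeerCertificateChainReq.newBuilder().setMode(ValidatePeerCertificateChainReq.VerificationMode.UNSPECIFIED);
        if (isClientPeer) {
            validationReq.setClientPeer(ValidatePeerCertificateChainReq.ClientPeer.newBuilder().addAllCertificateChain(certificateChainToDerChain(chain)));
        } else {
            // Only the server-peer variant carries a hostname for S2A to check the chain against.
            validationReq.setServerPeer(ValidatePeerCertificateChainReq.ServerPeer.newBuilder().addAllCertificateChain(certificateChainToDerChain(chain)).setServerHostname(this.hostname));
        }

        SessionReq.Builder sessionReq = SessionReq.newBuilder().setValidatePeerCertificateChainReq(validationReq);
        if (this.localIdentity.isPresent()) {
            sessionReq.setLocalIdentity(this.localIdentity.get().getIdentity());
        }

        try {
            // NOTE(review): m650build() is the decompiler-assigned name as it appears in this
            // listing; presumably the protobuf builder's build() - confirm before recompiling.
            SessionResp resp = this.stub.send(sessionReq.m650build());

            // A status is only consulted when present; any non-zero code is a failure.
            if (resp.hasStatus() && resp.getStatus().getCode() != 0) {
                throw new CertificateException(String.format("Error occurred in response from S2A, error code: %d, error message: %s.", resp.getStatus().getCode(), resp.getStatus().getDetails()));
            }
            // Absence of a validation result is never treated as acceptance.
            if (!resp.hasValidatePeerCertificateChainResp()) {
                throw new CertificateException("No valid response received from S2A.");
            }
            ValidatePeerCertificateChainResp validationResp = resp.getValidatePeerCertificateChainResp();
            // SUCCESS is the only accepted result; every other enum value rejects the peer.
            if (validationResp.getValidationResult() != ValidatePeerCertificateChainResp.ValidationResult.SUCCESS) {
                throw new CertificateException(validationResp.getValidationDetails());
            }
        } catch (IOException e) {
            throw new CertificateException("Failed to send request to S2A.", e);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up the stack can observe it.
            Thread.currentThread().interrupt();
            throw new CertificateException("Failed to send request to S2A.", e);
        }
    }

    /**
     * Encodes each certificate of the chain to DER, preserving the chain's order.
     *
     * @param chain the certificates to encode
     * @return the DER encodings, one {@link ByteString} per certificate
     * @throws CertificateEncodingException if any certificate cannot be encoded
     */
    private static ImmutableList<ByteString> certificateChainToDerChain(X509Certificate[] chain) throws CertificateEncodingException {
        ImmutableList.Builder<ByteString> derChain = ImmutableList.builder();
        for (X509Certificate certificate : chain) {
            derChain.add(ByteString.copyFrom(certificate.getEncoded()));
        }
        return derChain.build();
    }
}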
