package org.elasticsearch.xpack.core.ssl;

import java.io.IOException;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.ssl.DerParser;
import org.elasticsearch.core.Strings;

/* loaded from: input_file:org/elasticsearch/xpack/core/ssl/RestrictedTrustManager.class */
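/**
 * Trust manager that wraps another {@link X509ExtendedTrustManager} and, after that delegate has
 * accepted a certificate chain, additionally requires the end-entity certificate to carry a name
 * matching one of the configured {@link CertificateTrustRestrictions}.
 *
 * <p>Security-relevant properties visible in this implementation:
 * <ul>
 *   <li>The delegate is always consulted first, so ordinary chain validation is never bypassed;
 *       this class can only make trust narrower, never wider.</li>
 *   <li>Only the first certificate in the chain (the leaf) is checked against the name restrictions.</li>
 *   <li>Names are taken exclusively from Subject Alternative Name entries of type {@code otherName}
 *       whose type-id is the X.500 commonName OID. The CN inside the subject DN, and dNSName /
 *       rfc822Name / iPAddress SANs, are not considered.</li>
 *   <li>If no trusted-name pattern is configured, every certificate is rejected (fail-closed).</li>
 * </ul>
 */
public final class RestrictedTrustManager extends X509ExtendedTrustManager {
    private static final Logger logger = LogManager.getLogger(RestrictedTrustManager.class);
    /** OID of the X.500 {@code commonName} attribute; the only {@code otherName} type-id understood here. */
    private static final String CN_OID = "2.5.4.3";
    /** GeneralName tag number for {@code otherName} as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_CODE_OTHERNAME = 0;
    private final X509ExtendedTrustManager delegate;
    private final CertificateTrustRestrictions trustRestrictions;

    /**
     * @param x509ExtendedTrustManager     trust manager that performs the actual chain validation; must not be null
     * @param certificateTrustRestrictions name patterns the leaf certificate must satisfy; must not be null
     * @throws NullPointerException if either argument is null
     */
    public RestrictedTrustManager(X509ExtendedTrustManager x509ExtendedTrustManager, CertificateTrustRestrictions certificateTrustRestrictions) {
        // Fail fast: a null delegate or restriction set would otherwise only surface as an NPE during the first handshake.
        this.delegate = Objects.requireNonNull(x509ExtendedTrustManager, "delegate trust manager must not be null");
        this.trustRestrictions = Objects.requireNonNull(certificateTrustRestrictions, "trust restrictions must not be null");
        logger.debug("Configured with trust restrictions: [{}]", certificateTrustRestrictions);
    }

    /** Delegate validation first, then the name restriction on the leaf certificate. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.delegate.checkClientTrusted(x509CertificateArr, str, socket);
        verifyTrust(x509CertificateArr);
    }

    /** Delegate validation first, then the name restriction on the leaf certificate. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.delegate.checkServerTrusted(x509CertificateArr, str, socket);
        verifyTrust(x509CertificateArr);
    }

    /** Delegate validation first, then the name restriction on the leaf certificate. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        this.delegate.checkClientTrusted(x509CertificateArr, str, sSLEngine);
        verifyTrust(x509CertificateArr);
    }

    /** Delegate validation first, then the name restriction on the leaf certificate. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        this.delegate.checkServerTrusted(x509CertificateArr, str, sSLEngine);
        verifyTrust(x509CertificateArr);
    }

    /** Delegate validation first, then the name restriction on the leaf certificate. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.checkClientTrusted(x509CertificateArr, str);
        verifyTrust(x509CertificateArr);
    }

    /** Delegate validation first, then the name restriction on the leaf certificate. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.checkServerTrusted(x509CertificateArr, str);
        verifyTrust(x509CertificateArr);
    }

    /** The accepted issuers are those of the delegate; the name restriction does not change the issuer set. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.delegate.getAcceptedIssuers();
    }

    /**
     * Applies the name restriction to the leaf certificate of an already-validated chain.
     *
     * @param x509CertificateArr the chain the delegate has just accepted; element 0 is the end-entity certificate
     * @throws CertificateException if the chain is empty or the leaf carries no name matching a trusted pattern
     */
    private void verifyTrust(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("No certificate presented");
        }
        // Only the end-entity certificate is subject to the restriction; intermediates and roots are
        // the delegate's business and have already been validated when this method runs.
        X509Certificate leaf = x509CertificateArr[0];
        Set<String> commonNames = readCommonNames(leaf);
        if (verifyCertificateNames(commonNames)) {
            logger.debug(() -> {
                return Strings.format("Trusting certificate [%s] [%s] with common-names [%s]", new Object[]{leaf.getSubjectX500Principal(), leaf.getSerialNumber().toString(16), commonNames});
            });
        } else {
            logger.info("Rejecting certificate [{}] [{}] with common-names [{}]", leaf.getSubjectX500Principal(), leaf.getSerialNumber().toString(16), commonNames);
            throw new CertificateException("Certificate for " + leaf.getSubjectX500Principal() + " with common-names " + commonNames + " does not match the trusted names " + this.trustRestrictions.getTrustedNames());
        }
    }

    /**
     * Returns {@code true} if at least one of the given names satisfies at least one trusted pattern.
     * With no patterns configured (or no names extracted) this returns {@code false}, i.e. the
     * certificate is rejected.
     */
    private boolean verifyCertificateNames(Set<String> set) {
        for (Predicate<String> pattern : this.trustRestrictions.getTrustedNames()) {
            Optional<String> match = set.stream().filter(pattern).findFirst();
            if (match.isPresent()) {
                logger.debug("Name [{}] matches trusted pattern [{}]", match.get(), pattern);
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts the commonName values carried in {@code otherName} SAN entries of the certificate.
     * Entries of other GeneralName types, otherNames with a different type-id, and otherNames that
     * cannot be decoded are all skipped, so a malformed entry can only reduce the set of names.
     *
     * @throws CertificateParsingException if the SAN extension itself cannot be parsed
     */
    private static Set<String> readCommonNames(X509Certificate x509Certificate) throws CertificateParsingException {
        return getSubjectAlternativeNames(x509Certificate).stream()
            .filter(entry -> ((Integer) entry.get(0)).intValue() == SAN_CODE_OTHERNAME)
            .map(entry -> entry.get(1))
            // The JDK returns otherName values as the DER-encoded byte[]; anything else cannot be decoded here
            // and is dropped rather than allowed to abort the handshake with a ClassCastException.
            .filter(value -> value instanceof byte[])
            .map(value -> decodeDerValue((byte[]) value, x509Certificate))
            .filter(Objects::nonNull)
            .collect(Collectors.toSet());
    }

    /**
     * Decodes one DER-encoded {@code otherName} and returns its commonName string, or {@code null}
     * if the type-id is not {@link #CN_OID} or the value cannot be read.
     *
     * @param bArr            DER encoding of the otherName SEQUENCE (type-id OID followed by an explicitly tagged value)
     * @param x509Certificate the owning certificate, used only for log context
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static String decodeDerValue(byte[] bArr, X509Certificate x509Certificate) {
        try {
            DerParser.Asn1Object otherName = new DerParser(bArr).readAsn1Object();
            DerParser otherNameParser = otherName.getParser();
            String typeId = otherNameParser.readAsn1Object().getOid();
            if (!CN_OID.equals(typeId)) {
                logger.debug("Certificate [{}] has 'otherName' [{}] with unsupported object-id [{}]", x509Certificate.getSubjectX500Principal(), otherName, typeId);
                return null;
            }
            // Step into the explicitly tagged value; if what we find is itself constructed (e.g. a SEQUENCE
            // around the string) descend one more level to reach the primitive string object.
            DerParser.Asn1Object value = otherNameParser.readAsn1Object().getParser().readAsn1Object();
            if (value.isConstructed()) {
                value = value.getParser().readAsn1Object();
            }
            logger.trace("Read innermost ASN.1 Object with type code [{}]", Integer.valueOf(value.getType()));
            String commonName = value.getString();
            logger.trace("Read cn [{}] from ASN1Sequence [{}]", commonName, otherName);
            return commonName;
        } catch (IOException e) {
            // Keep the cause in the log so a rejected peer can be diagnosed; the entry is skipped, which is
            // fail-closed because it contributes no name that could match a trusted pattern.
            logger.warn("Failed to read 'otherName' from certificate [{}]", x509Certificate.getSubjectX500Principal(), e);
            return null;
        }
    }

    /** Returns the certificate's SAN entries, or an empty collection when the extension is absent. */
    private static Collection<List<?>> getSubjectAlternativeNames(X509Certificate x509Certificate) throws CertificateParsingException {
        Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
        logger.trace("Certificate [{}] has subject alternative names [{}]", x509Certificate.getSubjectX500Principal(), subjectAlternativeNames);
        return subjectAlternativeNames == null ? Collections.emptyList() : subjectAlternativeNames;
    }
}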
