package com.yahoo.security.tls;

import com.yahoo.security.SealedSharedKey;
import com.yahoo.security.TrustManagerUtils;
import com.yahoo.security.X509CertificateUtils;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedTrustManager;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/yahoo/security/tls/PeerAuthorizerTrustManager.class */
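/**
 * {@link X509ExtendedTrustManager} that combines standard certificate-chain validation
 * with peer authorization.
 *
 * <p>Every {@code check*Trusted} call first delegates to the wrapped default trust
 * manager; only a chain the default trust manager accepts reaches the
 * {@code PeerAuthorizer}. The resulting {@code ConnectionAuthContext} is stored on the
 * handshake {@link SSLSession} under {@link #AUTH_CONTEXT_PROPERTY} whenever a session
 * is available, so later stages of the connection can read the outcome.
 *
 * <p>The {@code AuthorizationMode} decides how the authorization result is treated:
 * with {@code DISABLE} the authorizer is bypassed and a context with all capabilities
 * is stored; with {@code ENFORCE} a failed authorization throws
 * {@code PeerAuthorizationFailedException}; with any other mode a failure is only
 * logged at WARNING level and the handshake proceeds.
 *
 * <p>When validating a server certificate (this side acts as the TLS client), the
 * handshake's endpoint identification algorithm is forced to match the configured
 * {@code HostnameVerification} before the default trust manager runs.
 */
public class PeerAuthorizerTrustManager extends X509ExtendedTrustManager {
    /** Session value name under which the peer's {@code ConnectionAuthContext} is stored. */
    static final String AUTH_CONTEXT_PROPERTY = "vespa.tls.auth.ctx";
    /** Endpoint identification algorithm name that enables standard HTTPS hostname verification. */
    private static final String HTTPS_ENDPOINT_IDENTIFICATION = "HTTPS";
    private static final Logger log = Logger.getLogger(PeerAuthorizerTrustManager.class.getName());
    private final PeerAuthorizer authorizer;
    private final X509ExtendedTrustManager defaultTrustManager;
    private final AuthorizationMode mode;
    private final HostnameVerification hostnameVerification;

    /**
     * Creates a trust manager that validates chains with {@code defaultTrustManager} and
     * authorizes the peer against {@code authorizedPeers}.
     *
     * @param authorizedPeers the peer policy handed to the {@code PeerAuthorizer}
     * @param authorizationMode how authorization failures are treated (see class docs)
     * @param hostnameVerification endpoint identification setting applied to client-side handshakes
     * @param defaultTrustManager the trust manager performing the actual chain validation
     * @throws NullPointerException if mode, hostname verification or trust manager is null
     */
    public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode authorizationMode,
                                      HostnameVerification hostnameVerification, X509ExtendedTrustManager defaultTrustManager) {
        this.authorizer = new PeerAuthorizer(authorizedPeers);
        // These three are dereferenced on every handshake; fail at construction rather than mid-handshake.
        this.mode = Objects.requireNonNull(authorizationMode, "authorizationMode");
        this.hostnameVerification = Objects.requireNonNull(hostnameVerification, "hostnameVerification");
        this.defaultTrustManager = Objects.requireNonNull(defaultTrustManager, "defaultTrustManager");
    }

    /**
     * Convenience constructor building the default trust manager from {@code keyStore}.
     *
     * @param keyStore trust store used to create the default X.509 trust manager
     */
    public PeerAuthorizerTrustManager(AuthorizedPeers authorizedPeers, AuthorizationMode authorizationMode,
                                      HostnameVerification hostnameVerification, KeyStore keyStore) {
        this(authorizedPeers, authorizationMode, hostnameVerification, TrustManagerUtils.createDefaultX509TrustManager(keyStore));
    }

    /** Validates a client chain with the default trust manager, then authorizes the peer (no session available). */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this.defaultTrustManager.checkClientTrusted(chain, authType);
        authorizePeer(chain, authType, true, null);
    }

    /** Validates a server chain with the default trust manager, then authorizes the peer (no session available). */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this.defaultTrustManager.checkServerTrusted(chain, authType);
        authorizePeer(chain, authType, false, null);
    }

    /** Socket variant of {@link #checkClientTrusted(X509Certificate[], String)}; stores the context on the handshake session. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        this.defaultTrustManager.checkClientTrusted(chain, authType, socket);
        authorizePeer(chain, authType, true, handshakeSession(socket));
    }

    /**
     * Socket variant of {@link #checkServerTrusted(X509Certificate[], String)}. The hostname
     * verification override is applied before delegating so the default trust manager
     * performs endpoint identification according to the configured setting.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        overrideHostnameVerificationForClient(socket);
        this.defaultTrustManager.checkServerTrusted(chain, authType, socket);
        authorizePeer(chain, authType, false, handshakeSession(socket));
    }

    /** Engine variant of {@link #checkClientTrusted(X509Certificate[], String)}; stores the context on the handshake session. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        this.defaultTrustManager.checkClientTrusted(chain, authType, engine);
        authorizePeer(chain, authType, true, engine.getHandshakeSession());
    }

    /** Engine variant of {@link #checkServerTrusted(X509Certificate[], String, Socket)}. */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        overrideHostnameVerificationForClient(engine);
        this.defaultTrustManager.checkServerTrusted(chain, authType, engine);
        authorizePeer(chain, authType, false, engine.getHandshakeSession());
    }

    /** Delegates to the default trust manager; peer authorization does not change the accepted issuers. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.defaultTrustManager.getAcceptedIssuers();
    }

    /**
     * Returns the handshake session of {@code socket}, or {@code null} if it is not an
     * {@link SSLSocket}. Mirrors the tolerance of
     * {@link #overrideHostnameVerificationForClient(Socket)} instead of casting unconditionally.
     */
    private static SSLSession handshakeSession(Socket socket) {
        if (socket instanceof SSLSocket) {
            return ((SSLSocket) socket).getHandshakeSession();
        }
        return null;
    }

    /**
     * Authorizes an already chain-validated peer and records the result.
     *
     * @param chain the peer's certificate chain, leaf certificate first; must be non-empty
     * @param authType authentication type reported by the TLS stack; used for logging only
     * @param isVerifyingClient whether the peer is a TLS client; used for logging only
     * @param session handshake session to store the {@code ConnectionAuthContext} on, or
     *                {@code null} if the caller has none (the result is then only logged)
     * @throws PeerAuthorizationFailedException if the peer is not authorized and the mode is {@code ENFORCE}
     * @throws IllegalArgumentException if {@code chain} is null or empty, matching the
     *                                  {@code X509TrustManager} contract for the public methods
     */
    private void authorizePeer(X509Certificate[] chain, String authType, boolean isVerifyingClient, SSLSession session)
            throws PeerAuthorizationFailedException {
        // Guard explicitly: the delegate trust manager is injected and may not reject an empty chain itself,
        // and chain[0] below would otherwise fail only when FINE logging happens to be enabled.
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        List<X509Certificate> certificates = List.of(chain);
        log.fine(() -> "Verifying certificate: " + createInfoString(chain[0], authType, isVerifyingClient));
        ConnectionAuthContext authContext = this.mode == AuthorizationMode.DISABLE
                ? ConnectionAuthContext.defaultAllCapabilities(certificates)
                : this.authorizer.authorizePeer(certificates);
        if (session != null) {
            session.putValue(AUTH_CONTEXT_PROPERTY, authContext);
        } else {
            log.log(Level.FINE, () -> "Warning: unable to provide ConnectionAuthContext as no SSLSession is available");
        }
        if (authContext.authorized()) {
            log.fine(() -> String.format("Verification result: %s", authContext));
            return;
        }
        String failure = "Authorization failed: " + createInfoString(chain[0], authType, isVerifyingClient);
        log.warning(failure);
        // Only ENFORCE is fatal; every other non-DISABLE mode just leaves the warning above in the log.
        if (this.mode == AuthorizationMode.ENFORCE) {
            throw new PeerAuthorizationFailedException(failure, certificates);
        }
    }

    /** Builds the log/exception description of a certificate check: subject DN, SANs, auth type, direction and mode. */
    private String createInfoString(X509Certificate certificate, String authType, boolean isVerifyingClient) {
        return String.format("DN='%s', SANs=%s, authType='%s', isVerifyingClient='%b', mode=%s",
                certificate.getSubjectX500Principal(),
                X509CertificateUtils.getSubjectAlternativeNames(certificate),
                authType,
                isVerifyingClient,
                this.mode);
    }

    /** Applies the configured hostname verification to {@code engine} if its parameters differ from it. */
    private void overrideHostnameVerificationForClient(SSLEngine engine) {
        SSLParameters parameters = engine.getSSLParameters();
        if (overrideHostnameVerificationForClient(parameters)) {
            // Write the modified copy back so the handshake actually uses it.
            engine.setSSLParameters(parameters);
        }
    }

    /** Applies the configured hostname verification to {@code socket} if it is an {@link SSLSocket}; plain sockets are ignored. */
    private void overrideHostnameVerificationForClient(Socket socket) {
        if (!(socket instanceof SSLSocket)) {
            return;
        }
        SSLSocket sslSocket = (SSLSocket) socket;
        SSLParameters parameters = sslSocket.getSSLParameters();
        if (overrideHostnameVerificationForClient(parameters)) {
            sslSocket.setSSLParameters(parameters);
        }
    }

    /**
     * Aligns the endpoint identification algorithm in {@code parameters} with the configured
     * {@code HostnameVerification}. With {@code DISABLED} the server's identity is no longer
     * checked against its hostname by the default trust manager and rests on the peer
     * authorization step alone.
     *
     * @return {@code true} if {@code parameters} was changed and must be applied to the engine/socket
     * @throws IllegalStateException if the configured verification type is not one of the known values
     */
    private boolean overrideHostnameVerificationForClient(SSLParameters parameters) {
        String current = parameters.getEndpointIdentificationAlgorithm();
        switch (this.hostnameVerification) {
            case ENABLED:
                if (HTTPS_ENDPOINT_IDENTIFICATION.equals(current)) {
                    return false;
                }
                parameters.setEndpointIdentificationAlgorithm(HTTPS_ENDPOINT_IDENTIFICATION);
                return true;
            case DISABLED:
                // Both null and "" count as "off" here; "" is what is written when switching off.
                if (current == null || current.isEmpty()) {
                    return false;
                }
                parameters.setEndpointIdentificationAlgorithm("");
                return true;
            default:
                throw new IllegalStateException("Unknown host verification type: " + this.hostnameVerification);
        }
    }
}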
