package io.grpc.xds.internal.security.trust;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.re2j.Pattern;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.RegexMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.annotation.Nullable;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/grpc/xds/internal/security/trust/XdsX509TrustManager.class */
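/**
 * Trust manager that layers xDS {@code match_subject_alt_names} checks on top of a delegate
 * {@link X509ExtendedTrustManager}.
 *
 * <p>Every {@code check*Trusted} call first runs the delegate's chain/path validation and only
 * then matches the leaf certificate's Subject Alternative Names against the matchers from the
 * {@link CertificateValidationContext}. For server-side checks the JDK's built-in endpoint
 * identification is explicitly cleared, so the SAN matchers are the <em>only</em> hostname
 * check performed here. When no validation context is configured, or its matcher list is empty,
 * no SAN check takes place at all.
 *
 * <p>Only the leaf certificate (index 0 of the chain) is subject to SAN matching; DNS, URI and
 * IP-address SAN entries are all compared as plain strings.
 */
public final class XdsX509TrustManager extends X509ExtendedTrustManager implements X509TrustManager {
    // GeneralName tag numbers found in the first element of each entry returned by
    // X509Certificate#getSubjectAlternativeNames().
    private static final int ALT_DNS_NAME = 2;
    private static final int ALT_URI_NAME = 6;
    private static final int ALT_IPA_NAME = 7;
    // Performs chain/path validation; SAN matching is layered on top of it.
    private final X509ExtendedTrustManager delegate;
    // Source of the SAN matchers; null disables SAN matching entirely.
    private final CertificateValidationContext certContext;

    /**
     * Creates a trust manager wrapping {@code x509ExtendedTrustManager}.
     *
     * <p>Decompiler note: upstream this constructor is package-private.
     *
     * @param certificateValidationContext xDS validation context supplying the SAN matchers;
     *     {@code null} means no SAN matching is performed
     * @param x509ExtendedTrustManager delegate performing chain validation; must not be null
     * @throws NullPointerException if {@code x509ExtendedTrustManager} is null
     */
    public XdsX509TrustManager(@Nullable CertificateValidationContext certificateValidationContext, X509ExtendedTrustManager x509ExtendedTrustManager) {
        this.delegate = Preconditions.checkNotNull(x509ExtendedTrustManager, "delegate");
        this.certContext = certificateValidationContext;
    }

    /**
     * Matches a single SAN string against one {@link StringMatcher}.
     *
     * @return {@code true} on a match; {@code false} for a null/empty SAN value
     * @throws IllegalArgumentException for an unrecognised match-pattern case
     */
    private static boolean verifyDnsNameInPattern(String sanName, StringMatcher matcher) {
        if (Strings.isNullOrEmpty(sanName)) {
            return false;
        }
        boolean ignoreCase = matcher.getIgnoreCase();
        switch (matcher.getMatchPatternCase()) {
            case EXACT:
                return verifyDnsNameExact(sanName, matcher.getExact(), ignoreCase);
            case PREFIX:
                return verifyDnsNamePrefix(sanName, matcher.getPrefix(), ignoreCase);
            case SUFFIX:
                return verifyDnsNameSuffix(sanName, matcher.getSuffix(), ignoreCase);
            case CONTAINS:
                return verifyDnsNameContains(sanName, matcher.getContains(), ignoreCase);
            case SAFE_REGEX:
                return verifyDnsNameSafeRegex(sanName, matcher.getSafeRegex());
            default:
                // Fail closed on anything this version does not understand.
                throw new IllegalArgumentException("Unknown match-pattern-case " + matcher.getMatchPatternCase());
        }
    }

    /**
     * Full-match of {@code sanName} against a re2j regex. The RE2 engine bounds matching time
     * linearly in the input, so a peer-controlled SAN string cannot cause catastrophic
     * backtracking. The pattern is compiled on every call.
     */
    private static boolean verifyDnsNameSafeRegex(String sanName, RegexMatcher regexMatcher) {
        return Pattern.compile(regexMatcher.getRegex()).matches(sanName);
    }

    /** Prefix match; an empty pattern never matches (fail closed). */
    private static boolean verifyDnsNamePrefix(String sanName, String prefix, boolean ignoreCase) {
        if (Strings.isNullOrEmpty(prefix)) {
            return false;
        }
        if (ignoreCase) {
            // Locale.ROOT keeps the comparison independent of the JVM default locale.
            return sanName.toLowerCase(Locale.ROOT).startsWith(prefix.toLowerCase(Locale.ROOT));
        }
        return sanName.startsWith(prefix);
    }

    /** Suffix match; an empty pattern never matches (fail closed). */
    private static boolean verifyDnsNameSuffix(String sanName, String suffix, boolean ignoreCase) {
        if (Strings.isNullOrEmpty(suffix)) {
            return false;
        }
        if (ignoreCase) {
            return sanName.toLowerCase(Locale.ROOT).endsWith(suffix.toLowerCase(Locale.ROOT));
        }
        return sanName.endsWith(suffix);
    }

    /** Substring match; an empty pattern never matches (fail closed). */
    private static boolean verifyDnsNameContains(String sanName, String needle, boolean ignoreCase) {
        if (Strings.isNullOrEmpty(needle)) {
            return false;
        }
        if (ignoreCase) {
            return sanName.toLowerCase(Locale.ROOT).contains(needle.toLowerCase(Locale.ROOT));
        }
        return sanName.contains(needle);
    }

    /** Whole-string match; an empty pattern never matches (fail closed). */
    private static boolean verifyDnsNameExact(String sanName, String expected, boolean ignoreCase) {
        if (Strings.isNullOrEmpty(expected)) {
            return false;
        }
        return ignoreCase ? expected.equalsIgnoreCase(sanName) : expected.equals(sanName);
    }

    /** Returns {@code true} if {@code sanName} satisfies at least one matcher in {@code matchers}. */
    private static boolean verifyDnsNameInSanList(String sanName, List<StringMatcher> matchers) {
        for (StringMatcher matcher : matchers) {
            if (verifyDnsNameInPattern(sanName, matcher)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks one SAN entry ({@code [type, value]} as produced by
     * {@link X509Certificate#getSubjectAlternativeNames()}) against the matchers.
     *
     * <p>Only DNS, URI and IP-address entries are considered; every other SAN type is ignored
     * (returns {@code false}) rather than rejected.
     *
     * @throws CertificateParsingException if the entry is malformed
     */
    private static boolean verifyOneSanInList(List<?> sanEntry, List<StringMatcher> matchers) throws CertificateParsingException {
        if (sanEntry == null || sanEntry.size() < 2) {
            throw new CertificateParsingException("Invalid SAN entry");
        }
        Integer altNameType = (Integer) sanEntry.get(0);
        if (altNameType == null) {
            throw new CertificateParsingException("Invalid SAN entry: null altNameType");
        }
        switch (altNameType.intValue()) {
            case ALT_DNS_NAME:
            case ALT_URI_NAME:
            case ALT_IPA_NAME:
                // For these three types the JDK exposes the value as a String.
                return verifyDnsNameInSanList((String) sanEntry.get(1), matchers);
            default:
                return false;
        }
    }

    /**
     * Requires that at least one SAN of the leaf certificate matches one of {@code matchers}.
     *
     * @throws CertificateException if the certificate has no SAN extension or no SAN matches
     */
    private static void verifySubjectAltNameInLeaf(X509Certificate leaf, List<StringMatcher> matchers) throws CertificateException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        // A certificate without any SAN cannot satisfy a non-empty matcher list.
        if (sans == null || sans.isEmpty()) {
            throw new CertificateException("Peer certificate SAN check failed");
        }
        for (List<?> sanEntry : sans) {
            if (verifyOneSanInList(sanEntry, matchers)) {
                return;
            }
        }
        throw new CertificateException("Peer certificate SAN check failed");
    }

    /**
     * Applies the configured SAN matchers to the leaf certificate of {@code x509CertificateArr}.
     *
     * <p>This is a no-op when no validation context is configured or its
     * {@code match_subject_alt_names} list is empty; in that case the peer identity is not
     * checked by this class at all.
     *
     * @throws CertificateException if the chain is empty or the leaf's SANs match nothing
     */
    @VisibleForTesting
    void verifySubjectAltNameInChain(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (this.certContext == null) {
            return;
        }
        List<StringMatcher> matchers = this.certContext.getMatchSubjectAltNamesList();
        if (matchers.isEmpty()) {
            return;
        }
        if (x509CertificateArr == null || x509CertificateArr.length < 1) {
            throw new CertificateException("Peer certificate(s) missing");
        }
        // Only the leaf is matched; intermediates are validated by the delegate alone.
        verifySubjectAltNameInLeaf(x509CertificateArr[0], matchers);
    }

    /** Delegate chain validation first, then SAN matching on the leaf. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.delegate.checkClientTrusted(x509CertificateArr, str, socket);
        verifySubjectAltNameInChain(x509CertificateArr);
    }

    /** Delegate chain validation first, then SAN matching on the leaf. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        this.delegate.checkClientTrusted(x509CertificateArr, str, sSLEngine);
        verifySubjectAltNameInChain(x509CertificateArr);
    }

    /** Delegate chain validation first, then SAN matching on the leaf. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.checkClientTrusted(x509CertificateArr, str);
        verifySubjectAltNameInChain(x509CertificateArr);
    }

    /**
     * Server check over a socket. If the socket is an {@link SSLSocket}, the JDK endpoint
     * identification algorithm is cleared before delegating, so hostname verification is
     * performed exclusively by {@link #verifySubjectAltNameInChain} (and not at all when no
     * matchers are configured).
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        if (socket instanceof SSLSocket) {
            SSLSocket sslSocket = (SSLSocket) socket;
            SSLParameters sslParameters = sslSocket.getSSLParameters();
            if (sslParameters != null) {
                sslParameters.setEndpointIdentificationAlgorithm("");
                sslSocket.setSSLParameters(sslParameters);
            }
        }
        this.delegate.checkServerTrusted(x509CertificateArr, str, socket);
        verifySubjectAltNameInChain(x509CertificateArr);
    }

    /**
     * Server check over an engine. The JDK endpoint identification algorithm is cleared before
     * delegating, so hostname verification is performed exclusively by
     * {@link #verifySubjectAltNameInChain} (and not at all when no matchers are configured).
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        SSLParameters sslParameters = sSLEngine.getSSLParameters();
        if (sslParameters != null) {
            sslParameters.setEndpointIdentificationAlgorithm("");
            sSLEngine.setSSLParameters(sslParameters);
        }
        this.delegate.checkServerTrusted(x509CertificateArr, str, sSLEngine);
        verifySubjectAltNameInChain(x509CertificateArr);
    }

    /** Delegate chain validation first, then SAN matching on the leaf. */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.checkServerTrusted(x509CertificateArr, str);
        verifySubjectAltNameInChain(x509CertificateArr);
    }

    /** Accepted issuers are entirely determined by the delegate. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.delegate.getAcceptedIssuers();
    }
}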
