package org.apache.kafka.common.security.ssl;

import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.apache.kafka.common.KafkaException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:kafka-clients-3.9.0.jar:org/apache/kafka/common/security/ssl/CommonNameLoggingTrustManagerFactoryWrapper.class */
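/**
 * Wraps a {@link TrustManagerFactory} so that every {@link X509TrustManager} it hands out is
 * decorated with {@link CommonNameLoggingTrustManager}: client-certificate rejections whose only
 * defect is an expired end certificate are logged (subject DN and notAfter) and rejected chains
 * are remembered in a bounded LRU so repeated attempts with the same chain skip path validation.
 * Trust managers of other types are passed through unchanged; server-side checks are untouched.
 */
class CommonNameLoggingTrustManagerFactoryWrapper {
    private static final Logger log = LoggerFactory.getLogger(CommonNameLoggingTrustManagerFactoryWrapper.class);

    /** Number of rejected client chains each wrapped trust manager remembers (see {@link #getTrustManagers()}). */
    static final int DEFAULT_NR_OF_REMEMBERED_BAD_CERTS = 2000;

    private final TrustManagerFactory origTmf;

    /**
     * {@link X509TrustManager} that delegates every trust decision to the wrapped manager and adds
     * two things on the client-certificate path only:
     * <ul>
     *   <li>When the wrapped manager rejects a chain, the chain is re-checked once with the end
     *       certificate's expiry masked ({@link NeverExpiringX509Certificate}). If that second check
     *       passes and the end certificate's notBefore is already in the past, the rejection was due
     *       to expiry alone and the subject DN plus notAfter are logged at INFO. The second check is
     *       used for logging only: the ORIGINAL exception is always the one rethrown, so the masked
     *       certificate can never turn a rejection into an acceptance.</li>
     *   <li>Rejected chains are remembered by the SHA-256 digest of their DER encoding in an
     *       insertion-ordered LRU bounded to {@code nrOfRememberedBadCerts} entries, so a client that
     *       keeps reconnecting with the same bad chain is refused from the cache without a second
     *       path validation. Chains that are not yet valid are not cached (they become valid later).
     *       A cached rejection lives until evicted; presumably a truststore reload yields a fresh
     *       trust manager and therefore a fresh cache - confirm against the factory's callers.</li>
     * </ul>
     * NOTE(review): the cache is a plain {@link LinkedHashMap} with no synchronization. If one
     * instance is shared by handshakes running on several threads (as an SSLContext normally does),
     * concurrent {@link #checkClientTrusted} calls race on it - confirm how callers share it.
     */
    static class CommonNameLoggingTrustManager implements X509TrustManager {
        private final X509TrustManager origTm;
        final int nrOfRememberedBadCerts;
        /** Digest of a rejected chain -> message of the exception it was rejected with. LRU by insertion order. */
        private final LinkedHashMap<ByteBuffer, String> previouslyRejectedClientCertChains;

        /**
         * @param originalTrustManager  the trust manager that makes every actual decision
         * @param maxRememberedBadCerts upper bound on remembered rejected chains; the eldest entry is
         *                              evicted once the map grows beyond it
         */
        public CommonNameLoggingTrustManager(X509TrustManager originalTrustManager, final int maxRememberedBadCerts) {
            this.origTm = originalTrustManager;
            this.nrOfRememberedBadCerts = maxRememberedBadCerts;
            // Explicit type arguments: diamond on an anonymous class needs Java 9+.
            this.previouslyRejectedClientCertChains = new LinkedHashMap<ByteBuffer, String>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<ByteBuffer, String> eldest) {
                    return size() > maxRememberedBadCerts;
                }
            };
        }

        /** @return the wrapped trust manager that performs the real validation */
        public X509TrustManager getOriginalTrustManager() {
            return this.origTm;
        }

        /**
         * Validates a client chain exactly as the wrapped trust manager would, adding the expiry
         * logging and rejection caching described on the class.
         *
         * @param chain    the peer's chain as presented (any order)
         * @param authType key exchange algorithm, passed through unchanged
         * @throws CertificateException the wrapped manager's own exception; for a cached rejection a
         *         plain CertificateException carrying the remembered message (the original exception's
         *         concrete subclass is not preserved)
         */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            ByteBuffer chainDigest = calcDigestForCertificateChain(chain);
            if (chainDigest != null) {
                String previousMessage = this.previouslyRejectedClientCertChains.get(chainDigest);
                if (previousMessage != null) {
                    // Seen and rejected before: refresh its LRU position and refuse without re-validating.
                    addRejectedClientCertChains(chainDigest, previousMessage, true);
                    throw new CertificateException(previousMessage);
                }
            }
            try {
                this.origTm.checkClientTrusted(chain, authType);
            } catch (CertificateException origException) {
                logIfExpiredAndRemember(chain, authType, chainDigest, origException);
                // Always the original decision - the masked re-check above never replaces it.
                throw origException;
            }
        }

        /**
         * Diagnoses a rejection: re-runs the wrapped manager with the end certificate's expiry masked.
         * Passing that second check means the validity period was the only problem; if notBefore is
         * already in the past the certificate is expired (rather than not yet valid) and is logged and
         * remembered. A chain that still fails with expiry masked is remembered without logging.
         * Nothing here changes the outcome for the caller.
         */
        private void logIfExpiredAndRemember(X509Certificate[] chain, String authType, ByteBuffer chainDigest,
                                             CertificateException origException) {
            try {
                X509Certificate[] wrappedChain = sortChainAnWrapEndCertificate(chain);
                this.origTm.checkClientTrusted(wrappedChain, authType);
                X509Certificate endCert = wrappedChain[0];
                if (endCert.getNotBefore().before(new Date())) {
                    // Logs the full subject DN (not just the CN attribute), same text as String concatenation.
                    log.info("Certificate with common name \"{}\" expired on {}",
                            endCert.getSubjectX500Principal(), endCert.getNotAfter());
                    addRejectedClientCertChains(chainDigest, origException.getMessage(), false);
                }
                // Not-yet-valid chains fall through uncached: they may become valid later.
            } catch (CertificateException ignored) {
                // Rejected even with expiry masked, or the chain could not be ordered: the failure is
                // unrelated to the validity period. Remember it; the original exception is what matters.
                addRejectedClientCertChains(chainDigest, origException.getMessage(), false);
            }
        }

        /**
         * SHA-256 over the concatenated DER encodings of the chain in presented order. DER is
         * self-delimiting, so no separator is needed between certificates.
         *
         * @param chain the chain to fingerprint
         * @return the digest wrapped in a ByteBuffer (usable as a map key), or {@code null} when there is
         *         nothing to digest (null chain, which the wrapped manager rejects itself) or SHA-256 is
         *         unavailable - every JDK must provide SHA-256, so that branch is effectively unreachable
         * @throws CertificateEncodingException if a certificate cannot be encoded
         */
        public static ByteBuffer calcDigestForCertificateChain(X509Certificate[] chain) throws CertificateEncodingException {
            if (chain == null) {
                return null;
            }
            try {
                MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
                for (X509Certificate cert : chain) {
                    sha256.update(cert.getEncoded());
                }
                return ByteBuffer.wrap(sha256.digest());
            } catch (NoSuchAlgorithmException e) {
                return null;
            }
        }

        /**
         * Records a rejected chain in the LRU. A {@code null} digest means the chain could not be
         * fingerprinted; such chains are never looked up either, so caching them would only occupy a
         * slot under a null key. {@code moveToEnd} re-inserts an existing entry so it becomes the
         * most recently used.
         */
        private void addRejectedClientCertChains(ByteBuffer chainDigest, String message, boolean moveToEnd) {
            if (chainDigest == null) {
                return;
            }
            if (moveToEnd) {
                this.previouslyRejectedClientCertChains.remove(chainDigest);
            }
            this.previouslyRejectedClientCertChains.put(chainDigest, message);
        }

        /** Server certificates are not subject to the logging or caching; pure pass-through. */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.origTm.checkServerTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return this.origTm.getAcceptedIssuers();
        }

        /**
         * Orders a chain end-entity first, each element followed by its issuer, and wraps the end
         * certificate in {@link NeverExpiringX509Certificate} so a later validation ignores its expiry.
         * The end certificate is the one whose subject issued nothing else in the chain. The result is
         * only meant for the diagnostic re-check in {@link #checkClientTrusted}; it must never be used
         * to grant trust.
         *
         * @param chain the chain as presented, in any order
         * @return a new array of the same length, ordered leaf -> root, leaf wrapped
         * @throws CertificateException if the chain is null or empty, contains a self-signed certificate
         *         that is not a CA (basicConstraints absent), does not have exactly one end certificate
         *         (also raised for zero, e.g. a chain that is only a self-signed certificate), or
         *         contains a certificate that is not the issuer of the previous element
         */
        public static X509Certificate[] sortChainAnWrapEndCertificate(X509Certificate[] chain) throws CertificateException {
            if (chain == null || chain.length < 1) {
                throw new CertificateException("Certificate chain is null or empty");
            }
            Map<X500Principal, X509Certificate> certBySubject = new HashMap<>();
            Map<X500Principal, X509Certificate> certByIssuer = new HashMap<>();
            for (X509Certificate cert : chain) {
                X500Principal subject = cert.getSubjectX500Principal();
                X500Principal issuer = cert.getIssuerX500Principal();
                // getBasicConstraints() < 0 means the extension is absent / not a CA.
                if (issuer.equals(subject) && cert.getBasicConstraints() < 0) {
                    throw new CertificateException("Self-signed certificate in chain that is not a CA!");
                }
                certByIssuer.put(issuer, cert);
                certBySubject.put(subject, cert);
            }
            // A certificate that issued nothing else in the chain is a leaf; exactly one is expected.
            Set<X509Certificate> endCerts = new HashSet<>();
            for (X509Certificate cert : chain) {
                if (!certByIssuer.containsKey(cert.getSubjectX500Principal())) {
                    endCerts.add(cert);
                }
            }
            if (endCerts.size() != 1) {
                throw new CertificateException("Multiple end certificates in chain");
            }
            X509Certificate endCert = endCerts.iterator().next();
            X509Certificate[] sorted = new X509Certificate[chain.length];
            sorted[0] = new NeverExpiringX509Certificate(endCert);
            for (int i = 1; i < chain.length; i++) {
                X500Principal issuer = sorted[i - 1].getIssuerX500Principal();
                if (!certBySubject.containsKey(issuer)) {
                    throw new CertificateException("Certificate chain contains certificates not belonging to the chain");
                }
                sorted[i] = certBySubject.get(issuer);
            }
            return sorted;
        }
    }

    /**
     * {@link X509Certificate} view that delegates everything to the wrapped certificate except the
     * validity checks: {@link #checkValidity(Date)} always passes, and {@link #checkValidity()} passes
     * when the certificate is already expired (otherwise it delegates, so a not-yet-valid certificate
     * still throws). Exists solely so {@link CommonNameLoggingTrustManager} can tell "expired" apart
     * from other failures; validating one of these for real would accept an expired certificate.
     */
    public static class NeverExpiringX509Certificate extends X509Certificate {
        private final X509Certificate origCertificate;

        /** @throws KafkaException if {@code certificate} is null */
        public NeverExpiringX509Certificate(X509Certificate certificate) {
            if (certificate == null) {
                throw new KafkaException("No X509 certificate provided in constructor NeverExpiringX509Certificate");
            }
            this.origCertificate = certificate;
        }

        @Override
        public Set<String> getCriticalExtensionOIDs() {
            return this.origCertificate.getCriticalExtensionOIDs();
        }

        @Override
        public byte[] getExtensionValue(String oid) {
            return this.origCertificate.getExtensionValue(oid);
        }

        @Override
        public Set<String> getNonCriticalExtensionOIDs() {
            return this.origCertificate.getNonCriticalExtensionOIDs();
        }

        @Override
        public boolean hasUnsupportedCriticalExtension() {
            return this.origCertificate.hasUnsupportedCriticalExtension();
        }

        /** Passes silently once notAfter is in the past; before that the real check applies. */
        @Override
        public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException {
            if (this.origCertificate.getNotAfter().before(new Date())) {
                return;
            }
            this.origCertificate.checkValidity();
        }

        /** Always passes, whatever {@code date} is. */
        @Override
        public void checkValidity(Date date) {
        }

        @Override
        public int getBasicConstraints() {
            return this.origCertificate.getBasicConstraints();
        }

        @Override
        public Principal getIssuerDN() {
            return this.origCertificate.getIssuerDN();
        }

        @Override
        public boolean[] getIssuerUniqueID() {
            return this.origCertificate.getIssuerUniqueID();
        }

        @Override
        public boolean[] getKeyUsage() {
            return this.origCertificate.getKeyUsage();
        }

        @Override
        public Date getNotAfter() {
            return this.origCertificate.getNotAfter();
        }

        @Override
        public Date getNotBefore() {
            return this.origCertificate.getNotBefore();
        }

        @Override
        public BigInteger getSerialNumber() {
            return this.origCertificate.getSerialNumber();
        }

        @Override
        public String getSigAlgName() {
            return this.origCertificate.getSigAlgName();
        }

        @Override
        public String getSigAlgOID() {
            return this.origCertificate.getSigAlgOID();
        }

        @Override
        public byte[] getSigAlgParams() {
            return this.origCertificate.getSigAlgParams();
        }

        @Override
        public byte[] getSignature() {
            return this.origCertificate.getSignature();
        }

        @Override
        public Principal getSubjectDN() {
            return this.origCertificate.getSubjectDN();
        }

        @Override
        public boolean[] getSubjectUniqueID() {
            return this.origCertificate.getSubjectUniqueID();
        }

        @Override
        public byte[] getTBSCertificate() throws CertificateEncodingException {
            return this.origCertificate.getTBSCertificate();
        }

        @Override
        public int getVersion() {
            return this.origCertificate.getVersion();
        }

        /** Delegated, so the X500Principal accessors inherited from X509Certificate see the real DER. */
        @Override
        public byte[] getEncoded() throws CertificateEncodingException {
            return this.origCertificate.getEncoded();
        }

        @Override
        public PublicKey getPublicKey() {
            return this.origCertificate.getPublicKey();
        }

        @Override
        public String toString() {
            return this.origCertificate.toString();
        }

        @Override
        public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
            this.origCertificate.verify(key);
        }

        @Override
        public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
            this.origCertificate.verify(key, sigProvider);
        }
    }

    /**
     * @param algorithm trust manager algorithm handed to {@link TrustManagerFactory#getInstance(String)}
     * @throws NoSuchAlgorithmException if no provider supports it
     */
    protected CommonNameLoggingTrustManagerFactoryWrapper(String algorithm) throws NoSuchAlgorithmException {
        this.origTmf = TrustManagerFactory.getInstance(algorithm);
    }

    /** Mirrors {@link TrustManagerFactory#getInstance(String)} for the wrapper. */
    public static CommonNameLoggingTrustManagerFactoryWrapper getInstance(String algorithm) throws NoSuchAlgorithmException {
        return new CommonNameLoggingTrustManagerFactoryWrapper(algorithm);
    }

    public TrustManagerFactory getOriginalTrustManagerFactory() {
        return this.origTmf;
    }

    public String getAlgorithm() {
        return this.origTmf.getAlgorithm();
    }

    /** Initializes the wrapped factory from the trust store. */
    public void init(KeyStore keyStore) throws KeyStoreException {
        this.origTmf.init(keyStore);
    }

    /**
     * Returns the wrapped factory's trust managers, each {@link X509TrustManager} wrapped in a
     * {@link CommonNameLoggingTrustManager} remembering up to {@link #DEFAULT_NR_OF_REMEMBERED_BAD_CERTS}
     * rejected chains; any other trust manager type is returned as-is.
     */
    public TrustManager[] getTrustManagers() {
        TrustManager[] original = this.origTmf.getTrustManagers();
        TrustManager[] wrapped = new TrustManager[original.length];
        for (int i = 0; i < original.length; i++) {
            TrustManager tm = original[i];
            wrapped[i] = tm instanceof X509TrustManager
                    ? new CommonNameLoggingTrustManager((X509TrustManager) tm, DEFAULT_NR_OF_REMEMBERED_BAD_CERTS)
                    : tm;
        }
        return wrapped;
    }
}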
