package io.spiffe.provider;

import io.spiffe.bundle.BundleSource;
import io.spiffe.bundle.x509bundle.X509Bundle;
import io.spiffe.exception.BundleNotFoundException;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.svid.x509svid.X509SvidValidator;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.function.Supplier;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import lombok.NonNull;

/* loaded from: input_file:io/spiffe/provider/SpiffeTrustManager.class */
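/**
 * {@link X509ExtendedTrustManager} that validates peer certificate chains against a SPIFFE
 * X.509 bundle source instead of the JVM default trust store.
 *
 * <p>Every overload of {@code checkClientTrusted} / {@code checkServerTrusted} funnels into
 * {@link #validatePeerChain(X509Certificate...)}, which applies two checks that must both pass:
 * <ol>
 *   <li>unless the manager was built with the single-argument constructor, the SPIFFE ID of the
 *       first certificate in the chain must be contained in the set returned by the
 *       accepted-IDs supplier;</li>
 *   <li>the whole chain must verify against the bundle obtained from the bundle source.</li>
 * </ol>
 *
 * <p>The {@link Socket} and {@link SSLEngine} overloads delegate to the two-argument forms without
 * consulting the socket or engine, so no endpoint identification (hostname verification) is
 * performed by this class; peer identity is established solely through the SPIFFE ID check.
 * The {@code authType} argument is not used by any overload.
 */
public final class SpiffeTrustManager extends X509ExtendedTrustManager {
    // Source of the X.509 bundles (trust roots) that the peer chain must verify against.
    private final BundleSource<X509Bundle> x509BundleSource;
    // Consulted at check time, so the accepted set may change between handshakes.
    private final Supplier<Set<SpiffeId>> acceptedSpiffeIdsSupplier;
    // When true the SPIFFE ID check is skipped entirely: any peer whose chain verifies
    // against the bundle source is trusted, regardless of its SPIFFE ID.
    private final boolean acceptAnySpiffeId;

    /**
     * Creates a trust manager that accepts only peers whose SPIFFE ID is in the supplied set.
     *
     * @param bundleSource source of X.509 bundles used to verify the peer chain
     * @param supplier     supplier of the SPIFFE IDs accepted for the peer; evaluated on every check
     * @throws NullPointerException if either argument is {@code null}
     */
    public SpiffeTrustManager(@NonNull BundleSource<X509Bundle> bundleSource, @NonNull Supplier<Set<SpiffeId>> supplier) {
        this.x509BundleSource = Objects.requireNonNull(bundleSource, "x509BundleSource is marked non-null but is null");
        this.acceptedSpiffeIdsSupplier = Objects.requireNonNull(supplier, "acceptedSpiffeIdsSupplier is marked non-null but is null");
        this.acceptAnySpiffeId = false;
    }

    /**
     * Creates a trust manager that accepts any SPIFFE ID, as long as the peer chain verifies
     * against the bundle source. Use this only where the SPIFFE ID is authorized elsewhere.
     *
     * @param bundleSource source of X.509 bundles used to verify the peer chain
     * @throws NullPointerException if {@code bundleSource} is {@code null}
     */
    public SpiffeTrustManager(@NonNull BundleSource<X509Bundle> bundleSource) {
        this.x509BundleSource = Objects.requireNonNull(bundleSource, "x509BundleSource is marked non-null but is null");
        // Never read while acceptAnySpiffeId is true; kept non-null so the field is always usable.
        this.acceptedSpiffeIdsSupplier = Collections::emptySet;
        this.acceptAnySpiffeId = true;
    }

    /**
     * Validates a client's certificate chain.
     *
     * @param x509CertificateArr peer chain, first element treated as the peer's own certificate
     * @param str                authentication type; unused
     * @throws NullPointerException     if the chain is {@code null}
     * @throws IllegalArgumentException if the chain is empty
     * @throws CertificateException     if the SPIFFE ID is not accepted or the chain does not verify
     */
    @Override
    public void checkClientTrusted(@NonNull X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        Objects.requireNonNull(x509CertificateArr, "chain is marked non-null but is null");
        validatePeerChain(x509CertificateArr);
    }

    /**
     * Validates a server's certificate chain. Same rules as
     * {@link #checkClientTrusted(X509Certificate[], String)}: SPIFFE handshakes are symmetric.
     *
     * @param x509CertificateArr peer chain, first element treated as the peer's own certificate
     * @param str                authentication type; unused
     * @throws NullPointerException     if the chain is {@code null}
     * @throws IllegalArgumentException if the chain is empty
     * @throws CertificateException     if the SPIFFE ID is not accepted or the chain does not verify
     */
    @Override
    public void checkServerTrusted(@NonNull X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        Objects.requireNonNull(x509CertificateArr, "chain is marked non-null but is null");
        validatePeerChain(x509CertificateArr);
    }

    /**
     * Returns an empty array: trust anchors are resolved from the bundle source at check time,
     * so none are advertised statically here.
     *
     * @return an empty, freshly allocated array
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /**
     * Socket-aware overload; the socket is not consulted (no endpoint identification).
     *
     * @see #checkClientTrusted(X509Certificate[], String)
     */
    @Override
    public void checkClientTrusted(@NonNull X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        Objects.requireNonNull(x509CertificateArr, "chain is marked non-null but is null");
        checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Socket-aware overload; the socket is not consulted (no endpoint identification).
     *
     * @see #checkServerTrusted(X509Certificate[], String)
     */
    @Override
    public void checkServerTrusted(@NonNull X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        Objects.requireNonNull(x509CertificateArr, "chain is marked non-null but is null");
        checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Engine-aware overload; the engine is not consulted (no endpoint identification).
     *
     * @see #checkClientTrusted(X509Certificate[], String)
     */
    @Override
    public void checkClientTrusted(@NonNull X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        Objects.requireNonNull(x509CertificateArr, "chain is marked non-null but is null");
        checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Engine-aware overload; the engine is not consulted (no endpoint identification).
     *
     * @see #checkServerTrusted(X509Certificate[], String)
     */
    @Override
    public void checkServerTrusted(@NonNull X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        Objects.requireNonNull(x509CertificateArr, "chain is marked non-null but is null");
        checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Applies the SPIFFE ID check (unless any ID is accepted) and then the chain verification.
     * Both must succeed; the order does not weaken the result, it only decides which failure
     * is reported first.
     *
     * @param x509CertificateArr peer chain; element 0 is the certificate whose SPIFFE ID is checked
     * @throws IllegalArgumentException if the chain is {@code null} or empty (the
     *                                  {@code X509TrustManager} contract for a zero-length chain)
     * @throws CertificateException     if the SPIFFE ID is not accepted, the chain does not verify,
     *                                  or the bundle source has no bundle for the chain
     */
    private void validatePeerChain(X509Certificate... x509CertificateArr) throws CertificateException {
        // Without this guard an empty chain surfaced as ArrayIndexOutOfBoundsException from
        // the chain[0] access below instead of a well-defined rejection.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("certificate chain is null or empty");
        }
        if (!this.acceptAnySpiffeId) {
            X509SvidValidator.verifySpiffeId(x509CertificateArr[0], this.acceptedSpiffeIdsSupplier);
        }
        try {
            X509SvidValidator.verifyChain(Arrays.asList(x509CertificateArr), this.x509BundleSource);
        } catch (BundleNotFoundException e) {
            // A missing bundle is a trust failure from the handshake's point of view;
            // the cause is preserved for diagnostics.
            throw new CertificateException(e.getMessage(), e);
        }
    }
}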
