package org.kaazing.gateway.transport.ssl.cert;

import java.net.URI;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import org.apache.mina.core.session.IoSession;
import org.kaazing.gateway.resource.address.Comparators;
import org.kaazing.gateway.resource.address.ResourceAddress;
import org.kaazing.gateway.resource.address.ssl.SslResourceAddress;
import org.kaazing.gateway.transport.BridgeSession;
import org.kaazing.gateway.transport.ssl.bridge.filter.SslCertificateSelectionFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/kaazing/gateway/transport/ssl/cert/VirtualHostKeySelector.class */
public class VirtualHostKeySelector extends AbstractKeySelector {
    private static final Logger LOGGER;
    private Map<String, Collection<String>> hostnameToCertAliases = new HashMap();
    private Map<ResourceAddress, Collection<String>> transportAddressToCertAliases = new TreeMap(Comparators.compareResourceOriginPathAlternatesAndProtocolStack());
    private Map<ResourceAddress, List<ResourceAddress>> transportAddressToResourceAddresses = new TreeMap(Comparators.compareResourceOriginAndProtocolStack());
    private Map<String, String> aliasToCertCN = new HashMap();
    static final /* synthetic */ boolean $assertionsDisabled;

    @Override // org.kaazing.gateway.transport.ssl.cert.AbstractKeySelector
    public ResourceAddress getAvailableCertAliasesKey(boolean z) {
        IoSession currentSession = SslCertificateSelectionFilter.getCurrentSession(z);
        if (currentSession == null) {
            return null;
        }
        return z ? (ResourceAddress) BridgeSession.REMOTE_ADDRESS.get(currentSession) : (ResourceAddress) BridgeSession.LOCAL_ADDRESS.get(currentSession);
    }

    @Override // org.kaazing.gateway.transport.ssl.cert.AbstractKeySelector
    public Collection<String> getAvailableCertAliases(boolean z) {
        return this.transportAddressToCertAliases.get(getAvailableCertAliasesKey(z));
    }

    private String getCertCN(X509Certificate x509Certificate) throws CertificateParsingException {
        for (String str : x509Certificate.getSubjectX500Principal().getName().split(",")) {
            if (str.startsWith("CN=")) {
                return str.substring(3).toLowerCase();
            }
        }
        throw new CertificateParsingException("Certificate CN not found");
    }

    private Collection<String> getCertServerNames(X509Certificate x509Certificate) throws CertificateParsingException {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        String certCN = getCertCN(x509Certificate);
        linkedHashSet.add(certCN);
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames != null) {
                for (List<?> list : subjectAlternativeNames) {
                    if (list.size() >= 2) {
                        Object obj = list.get(0);
                        if ((obj instanceof Integer) && ((Integer) obj).intValue() == 2) {
                            Object obj2 = list.get(1);
                            if (obj2 instanceof String) {
                                linkedHashSet.add(((String) obj2).toLowerCase());
                            }
                        }
                    }
                }
            }
        } catch (CertificateParsingException e) {
            LOGGER.warn("Certificate alternative names ignored for certificate " + (certCN != null ? " " + certCN : ""), e);
        }
        return linkedHashSet;
    }

    @Override // org.kaazing.gateway.transport.ssl.cert.AbstractKeySelector
    public void init(KeyStore keyStore, char[] cArr) throws KeyStoreException {
        if (keyStore == null) {
            return;
        }
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String nextElement = aliases.nextElement();
            if (keyStore.entryInstanceOf(nextElement, KeyStore.PrivateKeyEntry.class)) {
                Certificate certificate = keyStore.getCertificate(nextElement);
                if (certificate instanceof X509Certificate) {
                    try {
                        X509Certificate x509Certificate = (X509Certificate) certificate;
                        this.aliasToCertCN.put(nextElement, getCertCN(x509Certificate));
                        try {
                            x509Certificate.checkValidity();
                        } catch (CertificateExpiredException e) {
                            LOGGER.warn("The certificate associated with alias " + nextElement + " in the keystore is expired.");
                        } catch (CertificateNotYetValidException e2) {
                            LOGGER.warn("The certificate associated with alias " + nextElement + " in the keystore is not yet valid.");
                        }
                        if (x509Certificate.getPublicKey().getAlgorithm().equals("DSA")) {
                            LOGGER.warn(String.format("The certificate associated with alias %s is a DSA certificate.  DSA certificates require Diffie-Hellman ciphersuites, which do not provide authentication.  Search 'ssl.ciphers' in the documentation for details.", nextElement));
                        }
                        for (String str : getCertServerNames(x509Certificate)) {
                            Collection<String> collection = this.hostnameToCertAliases.get(str);
                            if (collection == null) {
                                collection = new HashSet();
                                this.hostnameToCertAliases.put(str, collection);
                            }
                            if (collection.add(nextElement)) {
                                LOGGER.debug("Found certificate for " + str + " (alias: " + nextElement + ")");
                            }
                        }
                    } catch (CertificateParsingException e3) {
                        LOGGER.warn("The certificate associated with alias " + nextElement + " was ignored due to a parsing exceptions", e3);
                    }
                }
            }
        }
    }

    @Override // org.kaazing.gateway.transport.ssl.cert.AbstractKeySelector
    public void bind(ResourceAddress resourceAddress) throws Exception {
        Collection<String> collection;
        String host = resourceAddress.getResource().getHost();
        ResourceAddress transport = resourceAddress.getTransport();
        if (!$assertionsDisabled && transport == null) {
            throw new AssertionError();
        }
        URI resource = transport.getResource();
        if (host == null) {
            throw new CertificateNotFoundException("Unable to determine server name or address");
        }
        Collection<String> collection2 = this.hostnameToCertAliases.get(host);
        if (collection2 == null) {
            collection2 = new HashSet();
        }
        if (host.contains(".") && (collection = this.hostnameToCertAliases.get(host.replaceFirst("[^.]+", "*"))) != null) {
            collection2.addAll(collection);
        }
        if (collection2.isEmpty()) {
            String str = "Keystore does not have a certificate entry for " + host;
            LOGGER.error(str);
            throw new CertificateNotFoundException(str);
        }
        Collection<String> collection3 = this.transportAddressToCertAliases.get(transport);
        if (collection3 == null) {
            this.transportAddressToCertAliases.put(transport, new HashSet(collection2));
        } else {
            if (!collection2.containsAll(collection3)) {
                HashSet<String> hashSet = new HashSet(collection2);
                hashSet.removeAll(collection3);
                for (String str2 : hashSet) {
                    LOGGER.warn(String.format("A certificate for %s (alias %s) cannot be used on transport %s, because it does not match all possible hostnames bound to that port", this.aliasToCertCN.get(str2), str2, resource));
                }
            }
            if (!collection3.containsAll(collection2)) {
                HashSet<String> hashSet2 = new HashSet(collection3);
                hashSet2.removeAll(collection2);
                for (String str3 : hashSet2) {
                    LOGGER.warn(String.format("A certificate for %s (alias %s) cannot be used on transport %s, because it does not match all possible hostnames bound to that port", this.aliasToCertCN.get(str3), str3, resource));
                }
                collection3.retainAll(collection2);
                if (collection3.isEmpty()) {
                    String format = String.format("keystore does not have any certificate entries matching all possible hostnames bound to %s", resource);
                    LOGGER.error(format);
                    throw new CertificateNotAvailableException(format);
                }
            }
        }
        List<ResourceAddress> list = this.transportAddressToResourceAddresses.get(transport);
        if (list == null) {
            LinkedList linkedList = new LinkedList();
            linkedList.add(resourceAddress);
            this.transportAddressToResourceAddresses.put(transport, linkedList);
            return;
        }
        ResourceAddress resourceAddress2 = list.get(0);
        boolean booleanValue = ((Boolean) resourceAddress2.getOption(SslResourceAddress.WANT_CLIENT_AUTH)).booleanValue();
        boolean booleanValue2 = ((Boolean) resourceAddress2.getOption(SslResourceAddress.NEED_CLIENT_AUTH)).booleanValue();
        boolean booleanValue3 = ((Boolean) resourceAddress.getOption(SslResourceAddress.WANT_CLIENT_AUTH)).booleanValue();
        boolean booleanValue4 = ((Boolean) resourceAddress.getOption(SslResourceAddress.NEED_CLIENT_AUTH)).booleanValue();
        if (booleanValue != booleanValue3 || booleanValue2 != booleanValue4) {
            String format2 = String.format("<ssl.verify-client> value for <accept>%s</accept> does not match <ssl.verify-client> value for <accept>%s</accept> on same transport %s", resourceAddress.getResource(), resourceAddress2.getResource(), resource);
            LOGGER.error(format2);
            throw new CertificateException(format2);
        }
        String[] strArr = (String[]) resourceAddress2.getOption(SslResourceAddress.CIPHERS);
        String[] strArr2 = (String[]) resourceAddress.getOption(SslResourceAddress.CIPHERS);
        Arrays.sort(strArr2);
        Arrays.sort(strArr);
        if (!Arrays.equals(strArr, strArr2)) {
            String format3 = String.format("<ssl.ciphers>%s</ssl.ciphers> value for %s does not match <ssl.ciphers>%s</ssl.ciphers> also configured for %s on same transport %s", Arrays.asList(strArr2), resourceAddress.getResource(), Arrays.asList(strArr), resourceAddress2.getResource(), resource);
            LOGGER.error(format3);
            throw new CertificateException(format3);
        }
        String[] strArr3 = (String[]) resourceAddress2.getOption(SslResourceAddress.PROTOCOLS);
        String[] strArr4 = (String[]) resourceAddress.getOption(SslResourceAddress.PROTOCOLS);
        if (strArr4 != null) {
            Arrays.sort(strArr4);
        }
        if (strArr3 != null) {
            Arrays.sort(strArr3);
        }
        if (Arrays.equals(strArr3, strArr4)) {
            list.add(resourceAddress);
            return;
        }
        URI resource2 = resourceAddress2.getResource();
        URI resource3 = resourceAddress.getResource();
        Object[] objArr = new Object[5];
        objArr[0] = strArr4 == null ? null : Arrays.asList(strArr4);
        objArr[1] = resource3;
        objArr[2] = strArr3 == null ? null : Arrays.asList(strArr3);
        objArr[3] = resource2;
        objArr[4] = resource;
        String format4 = String.format("<ssl.protocols>%s</ssl.protocols> value for %s does not match <ssl.protocols>%s</ssl.protocols> also configured for %s on same transport %s", objArr);
        LOGGER.error(format4);
        throw new CertificateException(format4);
    }

    @Override // org.kaazing.gateway.transport.ssl.cert.AbstractKeySelector
    public void unbind(ResourceAddress resourceAddress) {
        if (this.transportAddressToResourceAddresses.get(resourceAddress.getTransport()) != null) {
            this.transportAddressToResourceAddresses.remove(resourceAddress.getTransport());
        }
    }

    static {
        $assertionsDisabled = !VirtualHostKeySelector.class.desiredAssertionStatus();
        LOGGER = LoggerFactory.getLogger(VirtualHostKeySelector.class);
    }
}
