package com.hubspot.horizon.ning.internal;

import com.hubspot.horizon.SSLConfig;
import com.hubspot.horizon.shaded.org.jboss.netty.handler.codec.http.websocketx.WebSocketServerHandshaker;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

/* loaded from: input_file:com/hubspot/horizon/ning/internal/NingHostnameVerifier.class */
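/**
 * {@link HostnameVerifier} that checks the host name of a TLS connection against the
 * leaf certificate presented by the peer.
 *
 * <p>The host name is compared, case-insensitively, with the first Common Name of the
 * certificate subject and with every subjectAltName entry of the relevant kind
 * (iPAddress entries when the host is an IP literal, dNSName entries otherwise).
 * A leading-label wildcard such as {@code *.example.com} is honoured for names with at
 * least three labels, except under two-letter country TLDs combined with a generic
 * second-level label ({@code *.co.uk} and similar).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>When {@code acceptAllSSL} is set, no check is made at all and every peer is
 *       accepted for every host name. That removes protection against an on-path
 *       attacker and should be limited to test environments.</li>
 *   <li>NOTE(review): the subject CN is consulted even when dNSName subjectAltNames are
 *       present. RFC 6125 recommends ignoring the CN in that case; tightening this is a
 *       behaviour change and is left for a deliberate decision.</li>
 *   <li>NOTE(review): a wildcard matches by suffix, so {@code *.example.com} also
 *       accepts {@code a.b.example.com}. RFC 6125 limits a wildcard to a single
 *       label; confirm whether the looser behaviour is still required.</li>
 * </ul>
 */
public class NingHostnameVerifier implements HostnameVerifier {
    /** subjectAltName GeneralName tag for dNSName entries. */
    private static final int SAN_TYPE_DNS = 2;
    /** subjectAltName GeneralName tag for iPAddress entries. */
    private static final int SAN_TYPE_IP = 7;
    /** Wildcard character allowed at the end of the left-most label of a certificate name. */
    private static final String WILDCARD = "*";

    private final boolean acceptAllSSL;
    // Second-level labels that, under a two-letter TLD, behave like public suffixes;
    // sorted in the static initializer so that Arrays.binarySearch is valid.
    private static final String[] BAD_COUNTRY_2LDS = {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info", "lg", "ne", "net", "or", "org"};
    private static final Pattern IPV4_PATTERN = Pattern.compile("^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$");
    private static final Pattern IPV6_STD_PATTERN = Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$");
    private static final Pattern IPV6_HEX_COMPRESSED_PATTERN = Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$");

    static {
        Arrays.sort(BAD_COUNTRY_2LDS);
    }

    /**
     * Creates a verifier configured from the given SSL settings.
     *
     * @param sSLConfig configuration whose {@code isAcceptAllSSL()} flag decides whether
     *     verification is skipped entirely
     */
    public NingHostnameVerifier(SSLConfig sSLConfig) {
        this.acceptAllSSL = sSLConfig.isAcceptAllSSL();
    }

    /**
     * Decides whether the peer of {@code sSLSession} may be treated as {@code str}.
     *
     * @param str host name the client intended to reach
     * @param sSLSession session whose first peer certificate is inspected
     * @return {@code true} when verification is disabled or the certificate matches;
     *     {@code false} when the host name is {@code null}, the peer is unverified, the
     *     leaf certificate is not an X.509 certificate, or no name matches
     */
    @Override // javax.net.ssl.HostnameVerifier
    public boolean verify(String str, SSLSession sSLSession) {
        if (this.acceptAllSSL) {
            // Verification disabled by configuration: every peer is accepted.
            return true;
        }
        if (str == null) {
            // Nothing to compare against; refuse rather than fail with a NullPointerException.
            return false;
        }
        try {
            // getPeerCertificates() throws SSLPeerUnverifiedException (an SSLException)
            // when the peer presented no certificate, which is mapped to "no match" below.
            Certificate[] chain = sSLSession.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            verify(str, (X509Certificate) chain[0]);
            return true;
        } catch (SSLException e) {
            return false;
        }
    }

    /**
     * Compares {@code hostname} with the candidate names of {@code cert}.
     *
     * @throws SSLException if the certificate carries no usable name or none matches
     */
    private void verify(String hostname, X509Certificate cert) throws SSLException {
        List<String> commonNames = getCNs(cert);
        List<String> subjectAlts = getSubjectAlts(cert, hostname);
        List<String> candidates = new ArrayList<String>();
        if (!commonNames.isEmpty()) {
            // Only the first CN is considered.
            candidates.add(commonNames.get(0));
        }
        candidates.addAll(subjectAlts);
        if (candidates.isEmpty()) {
            throw new SSLException("Certificate for <" + hostname + "> doesn't contain CN or DNS subjectAlt");
        }
        StringBuilder tried = new StringBuilder();
        String host = hostname.trim().toLowerCase(Locale.US);
        boolean matched = false;
        Iterator<String> it = candidates.iterator();
        while (it.hasNext()) {
            String name = it.next().toLowerCase(Locale.US);
            tried.append(" <");
            tried.append(name);
            tried.append('>');
            if (it.hasNext()) {
                tried.append(" OR");
            }
            String[] labels = name.split("\\.");
            // Wildcards are honoured only in the left-most label, only for names with at
            // least three labels, never for *.co.uk-style names, and never when the
            // requested host is an IP literal.
            boolean wildcardAllowed = labels.length >= 3
                    && labels[0].endsWith(WILDCARD)
                    && acceptableCountryWildcard(name)
                    && !isIPAddress(hostname);
            if (wildcardAllowed) {
                String firstLabel = labels[0];
                if (firstLabel.length() > 1) {
                    // Partial wildcard such as "www*.example.com": the host must start with
                    // the literal prefix and end with the rest of the certificate name.
                    String prefix = firstLabel.substring(0, firstLabel.length() - 1);
                    matched = host.startsWith(prefix) && host.substring(prefix.length()).endsWith(name.substring(firstLabel.length()));
                } else {
                    // Plain "*.example.com": suffix match on ".example.com".
                    matched = host.endsWith(name.substring(1));
                }
            } else {
                matched = host.equals(name);
            }
            if (matched) {
                break;
            }
        }
        if (!matched) {
            throw new SSLException("hostname in certificate didn't match: <" + hostname + "> !=" + tried);
        }
    }

    /**
     * Returns {@code false} for names of the form {@code x.<generic 2LD>.<two-letter TLD>},
     * for which a wildcard would cover an entire public suffix.
     */
    private static boolean acceptableCountryWildcard(String name) {
        String[] labels = name.split("\\.");
        boolean publicSuffixLike = labels.length == 3
                && labels[2].length() == 2
                && Arrays.binarySearch(BAD_COUNTRY_2LDS, labels[1]) >= 0;
        return !publicSuffixLike;
    }

    /**
     * Extracts the Common Name values of the certificate subject, left-most RDN first.
     *
     * <p>The distinguished name is parsed structurally instead of splitting its string
     * form on {@code ,} and {@code +}: with plain tokenizing, a quoted or escaped value of
     * another attribute that merely contains the text {@code CN=} would be mistaken for
     * a Common Name. If the subject cannot be parsed, no CN is returned, so matching
     * falls back to subjectAltName entries only.
     */
    private static List<String> getCNs(X509Certificate cert) {
        List<String> commonNames = new ArrayList<String>();
        try {
            // getName() yields the RFC 2253 form, which LdapName parses with escaping rules.
            LdapName subject = new LdapName(cert.getSubjectX500Principal().getName());
            List<Rdn> rdns = subject.getRdns();
            // getRdns() is ordered right-to-left; walk it backwards to keep string order.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Attribute cn = rdns.get(i).toAttributes().get("cn");
                if (cn == null) {
                    continue;
                }
                Object value = cn.get();
                // Non-string (hex-encoded) values and empty values are not usable host names.
                if (value instanceof String && !((String) value).isEmpty()) {
                    commonNames.add((String) value);
                }
            }
        } catch (NamingException e) {
            // Unparsable subject: discard anything collected so far and report no CN.
            commonNames.clear();
        }
        return commonNames;
    }

    /**
     * Collects subjectAltName values of the kind that matches {@code hostname}: iPAddress
     * entries when it is an IP literal, dNSName entries otherwise.
     *
     * @return the matching entries; empty when the certificate has no subjectAltName
     *     extension or the extension cannot be decoded
     */
    private static List<String> getSubjectAlts(X509Certificate cert, @Nullable String hostname) {
        int wantedType = isIPAddress(hostname) ? SAN_TYPE_IP : SAN_TYPE_DNS;
        List<String> names = new ArrayList<String>();
        Collection<List<?>> entries;
        try {
            entries = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            // Treated as "no alternative names": nothing is added, so this cannot cause a match.
            return names;
        }
        if (entries == null) {
            // getSubjectAlternativeNames() returns null when the extension is absent.
            return names;
        }
        for (List<?> entry : entries) {
            if (((Integer) entry.get(0)).intValue() == wantedType) {
                Object value = entry.get(1);
                if (value instanceof String) {
                    names.add((String) value);
                }
            }
        }
        return names;
    }

    /** Returns whether {@code value} is a textual IPv4 or IPv6 address; {@code null} is not. */
    private static boolean isIPAddress(@Nullable String value) {
        return value != null && (isIPv4Address(value) || isIPv6Address(value));
    }

    private static boolean isIPv4Address(String value) {
        return IPV4_PATTERN.matcher(value).matches();
    }

    private static boolean isIPv6Address(String value) {
        return isIPv6StdAddress(value) || isIPv6HexCompressedAddress(value);
    }

    private static boolean isIPv6StdAddress(String value) {
        return IPV6_STD_PATTERN.matcher(value).matches();
    }

    /** Matches the {@code ::}-compressed IPv6 form, rejecting inputs with more than seven colons. */
    private static boolean isIPv6HexCompressedAddress(String value) {
        int colons = 0;
        for (int i = 0; i < value.length(); i++) {
            if (value.charAt(i) == ':') {
                colons++;
            }
        }
        return colons <= 7 && IPV6_HEX_COMPRESSED_PATTERN.matcher(value).matches();
    }
}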
