package org.graylog2.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import com.google.inject.assistedinject.Assisted;
import com.google.inject.assistedinject.AssistedInject;
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.est.jcajce.JsseDefaultHostnameAuthorizer;

/* loaded from: input_file:org/graylog2/security/DefaultX509TrustManager.class */
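/**
 * Trust manager that delegates chain validation to the platform's default {@link X509TrustManager}
 * and additionally requires the peer's end-entity certificate to match one of the configured
 * host names.
 *
 * <p>Both the server-side and the client-side checks perform the hostname match; an empty or
 * {@code null} host list therefore rejects every peer. The host match is evaluated against the
 * first element of the presented chain only, i.e. the certificate that identifies the peer itself.
 *
 * <p>Instances are immutable after construction.
 */
public class DefaultX509TrustManager extends X509ExtendedTrustManager {
    // Host names the peer's end-entity certificate must match (immutable snapshot of the caller's list).
    private final List<String> hosts;
    // Platform trust manager that performs the actual chain/path validation.
    private final X509TrustManager defaultTrustManager;
    // Performs the SAN/CN-vs-hostname comparison; constructed with no known suffixes.
    private final JsseDefaultHostnameAuthorizer authorizer;

    /**
     * Assisted-injection entry point for a single host name, validating against the default trust store.
     *
     * @param str the host name the peer certificate must match
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     * @throws KeyStoreException if the trust manager factory cannot be initialized
     */
    @AssistedInject
    public DefaultX509TrustManager(@Assisted String str) throws NoSuchAlgorithmException, KeyStoreException {
        this(str, (KeyStore) null);
    }

    /**
     * Assisted-injection entry point for several host names, validating against the default trust store.
     *
     * @param list the host names the peer certificate may match
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     * @throws KeyStoreException if the trust manager factory cannot be initialized
     */
    @AssistedInject
    public DefaultX509TrustManager(@Assisted List<String> list) throws NoSuchAlgorithmException, KeyStoreException {
        this(list, (KeyStore) null);
    }

    /**
     * Creates a trust manager for one host name backed by an explicit trust store.
     *
     * @param str the host name the peer certificate must match
     * @param keyStore the trust store to validate chains against, or {@code null} for the provider default
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     * @throws KeyStoreException if the trust manager factory cannot be initialized
     */
    @VisibleForTesting
    public DefaultX509TrustManager(String str, KeyStore keyStore) throws NoSuchAlgorithmException, KeyStoreException {
        this((List<String>) ImmutableList.of(str), keyStore);
    }

    /**
     * Creates a trust manager for several host names backed by an explicit trust store.
     *
     * @param list the host names the peer certificate may match; copied, must not contain {@code null}
     * @param keyStore the trust store to validate chains against, or {@code null} for the provider default
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     * @throws KeyStoreException if the trust manager factory cannot be initialized
     * @throws IllegalStateException if the factory yields no {@link X509TrustManager}
     */
    @VisibleForTesting
    public DefaultX509TrustManager(List<String> list, KeyStore keyStore) throws NoSuchAlgorithmException, KeyStoreException {
        this.authorizer = new JsseDefaultHostnameAuthorizer(Collections.emptySet());
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore lets the JSSE provider fall back to its default trust store.
        factory.init(keyStore);
        this.defaultTrustManager = Arrays.stream(factory.getTrustManagers())
                .filter(X509TrustManager.class::isInstance)
                .map(X509TrustManager.class::cast)
                .findFirst()
                .orElseThrow(() -> new IllegalStateException("Unable to initialize default X509 trust manager."));
        // Snapshot so later mutation of the caller's list cannot change which hosts are accepted.
        this.hosts = List.copyOf(list);
    }

    /** {@inheritDoc} Delegates to the platform trust manager. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.defaultTrustManager.getAcceptedIssuers();
    }

    /**
     * Validates the server chain with the platform trust manager, then requires the end-entity
     * certificate to match a configured host name.
     *
     * @throws CertificateException if chain validation fails or no configured host matches
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.defaultTrustManager.checkServerTrusted(x509CertificateArr, str);
        validateHostnames(x509CertificateArr);
    }

    /** {@inheritDoc} The socket is ignored; see {@link #checkServerTrusted(X509Certificate[], String)}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        checkServerTrusted(x509CertificateArr, str);
    }

    /** {@inheritDoc} The engine is ignored; see {@link #checkServerTrusted(X509Certificate[], String)}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        checkServerTrusted(x509CertificateArr, str);
    }

    /** {@inheritDoc} The engine is ignored; see {@link #checkClientTrusted(X509Certificate[], String)}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        checkClientTrusted(x509CertificateArr, str);
    }

    /** {@inheritDoc} The socket is ignored; see {@link #checkClientTrusted(X509Certificate[], String)}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Validates the client chain with the platform trust manager, then applies the same
     * hostname match as the server check to the client's end-entity certificate.
     *
     * @throws CertificateException if chain validation fails or no configured host matches
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.defaultTrustManager.checkClientTrusted(x509CertificateArr, str);
        validateHostnames(x509CertificateArr);
    }

    /**
     * Requires the end-entity certificate (first element of the chain) to match a configured host.
     *
     * <p>Only the leaf is consulted: a CA certificate further up the chain whose subject or SAN
     * happens to match a configured host must not satisfy the check on the leaf's behalf.
     *
     * @param chain the peer chain, end-entity certificate first
     * @throws CertificateException if the chain is missing or empty, or the leaf matches no host
     */
    private void validateHostnames(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Presented certificate does not match configured hostname!");
        }
        if (!certificateMatchesHostname(chain[0])) {
            throw new CertificateException("Presented certificate does not match configured hostname!");
        }
    }

    /**
     * Returns whether the certificate matches any configured host name.
     *
     * <p>An {@link IOException} raised by the authorizer while inspecting the certificate is
     * treated as a mismatch, so a malformed name extension fails closed rather than open.
     */
    private boolean certificateMatchesHostname(X509Certificate x509Certificate) {
        return this.hosts.stream().anyMatch(host -> {
            try {
                return this.authorizer.verify(host, x509Certificate);
            } catch (IOException ignored) {
                return false;
            }
        });
    }
}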
