package org.apache.qpid.server.transport.network.security.ssl;

import java.io.IOException;
import java.net.Socket;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/transport/network/security/ssl/QpidBestFitX509KeyManager.class */
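/**
 * Key manager that picks the server certificate which best fits the host name a TLS client
 * asked for via SNI, and otherwise defers to a delegate created from the configured key store.
 *
 * <p>Selection rules implemented by {@link #chooseEngineServerAlias}:
 * <ol>
 *   <li>No SNI names on the engine: use the configured default alias, or the delegate's choice
 *       when no default alias is configured.</li>
 *   <li>Otherwise consider every private-key entry whose key algorithm equals the requested key
 *       type and whose leaf certificate matches the SNI host name (per
 *       {@code SSLUtil.checkHostname}).</li>
 *   <li>Prefer a certificate that is inside its validity period; among several, prefer one that
 *       is at least six hours away from both ends of that period.</li>
 *   <li>If only certificates outside their validity period match, one of those is still
 *       returned.</li>
 * </ol>
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The SNI host name is supplied by the remote peer before authentication. It is only used
 *       here to match against locally configured certificates and is deliberately never
 *       logged.</li>
 *   <li>Rule 4 means an expired or not-yet-valid certificate can be presented. Peers that
 *       validate certificates will reject it; a warning is logged so that the condition is
 *       visible in monitoring.</li>
 *   <li>When a default alias is configured, client alias selection returns it without consulting
 *       the requested key types or issuers.</li>
 * </ul>
 */
public class QpidBestFitX509KeyManager extends X509ExtendedKeyManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(QpidBestFitX509KeyManager.class);
    /** Six hours in milliseconds: safety margin from either end of a certificate's validity period. */
    private static final long SIX_HOURS = 6L * 60L * 60L * 1000L;
    private final X509ExtendedKeyManager _delegate;
    private final String _defaultAlias;
    /** Aliases of all private-key entries in the key store, in key store enumeration order. */
    private final List<String> _aliases;

    /**
     * Loads the key store and builds the delegate key manager.
     *
     * @param defaultAlias alias returned when no SNI-based choice can be made; may be {@code null},
     *        in which case the delegate chooses
     * @param keyStoreUrl location handed to {@code SSLUtil.getInitializedKeyStore}
     * @param keyStoreType third argument handed to {@code SSLUtil.getInitializedKeyStore}
     *        (presumably the key store type; confirm against {@code SSLUtil})
     * @param keyStorePassword password used both to load the store and to initialise the
     *        {@link KeyManagerFactory}; must not be {@code null}
     * @param keyManagerFactoryAlgorithm algorithm name passed to
     *        {@link KeyManagerFactory#getInstance(String)}
     * @throws GeneralSecurityException if the store or the key manager factory cannot be initialised
     * @throws IOException declared by the key store loading helper
     */
    public QpidBestFitX509KeyManager(String defaultAlias, URL keyStoreUrl, String keyStoreType, String keyStorePassword, String keyManagerFactoryAlgorithm) throws GeneralSecurityException, IOException {
        final KeyStore keyStore = SSLUtil.getInitializedKeyStore(keyStoreUrl, keyStorePassword, keyStoreType);
        final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(keyManagerFactoryAlgorithm);
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());

        // Only entries that carry a private key can be used to authenticate this endpoint.
        final List<String> privateKeyAliases = new ArrayList<>();
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                privateKeyAliases.add(alias);
            }
        }
        this._aliases = Collections.unmodifiableList(privateKeyAliases);
        // The first key manager of the factory is used as the delegate; the cast fails with a
        // ClassCastException if the provider does not return an X509ExtendedKeyManager.
        this._delegate = (X509ExtendedKeyManager) keyManagerFactory.getKeyManagers()[0];
        this._defaultAlias = defaultAlias;
    }

    /** Returns the configured default alias if there is one, otherwise the delegate's choice. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        if (this._defaultAlias != null) {
            return this._defaultAlias;
        }
        return this._delegate.chooseClientAlias(keyTypes, issuers, socket);
    }

    /** Socket-based server alias selection is left entirely to the delegate (no SNI matching). */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return this._delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override // javax.net.ssl.X509KeyManager
    public X509Certificate[] getCertificateChain(String alias) {
        return this._delegate.getCertificateChain(alias);
    }

    @Override // javax.net.ssl.X509KeyManager
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return this._delegate.getClientAliases(keyType, issuers);
    }

    @Override // javax.net.ssl.X509KeyManager
    public PrivateKey getPrivateKey(String alias) {
        return this._delegate.getPrivateKey(alias);
    }

    @Override // javax.net.ssl.X509KeyManager
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return this._delegate.getServerAliases(keyType, issuers);
    }

    /** Returns the configured default alias if there is one, otherwise the delegate's choice. */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        if (this._defaultAlias != null) {
            return this._defaultAlias;
        }
        return this._delegate.chooseEngineClientAlias(keyTypes, issuers, engine);
    }

    /**
     * Chooses the server alias whose certificate best fits the SNI host name(s) on the engine.
     *
     * <p>Aliases for which the delegate returns no private key or no certificate chain are
     * skipped rather than failing the handshake with a runtime exception.
     *
     * @param keyType key algorithm requested for the handshake
     * @param issuers acceptable issuers; only used for the default/delegate fallback
     * @param engine engine whose {@code SSLParameters} carry the requested server names
     * @return the selected alias; may be {@code null} if the delegate fallback finds none
     */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        final Date now = new Date();
        // Take one snapshot of the parameters and use it for both the emptiness check and the loop.
        final List<SNIServerName> serverNames = engine.getSSLParameters().getServerNames();
        if (serverNames == null || serverNames.isEmpty()) {
            return getDefaultServerAlias(keyType, issuers, engine);
        }

        final List<String> validAliases = new ArrayList<>();
        final List<String> outOfValidityAliases = new ArrayList<>();
        for (SNIServerName serverName : serverNames) {
            if (!(serverName instanceof SNIHostName)) {
                continue;
            }
            final String requestedHost = ((SNIHostName) serverName).getAsciiName();
            for (String alias : this._aliases) {
                final PrivateKey key = getPrivateKey(alias);
                if (key == null || !keyType.equalsIgnoreCase(key.getAlgorithm())) {
                    continue;
                }
                final X509Certificate[] chain = getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    continue;
                }
                final X509Certificate leaf = chain[0];
                if (!SSLUtil.checkHostname(requestedHost, leaf)) {
                    continue;
                }
                if (now.after(leaf.getNotBefore()) && now.before(leaf.getNotAfter())) {
                    validAliases.add(alias);
                } else {
                    outOfValidityAliases.add(alias);
                }
            }
        }

        if (validAliases.isEmpty()) {
            if (outOfValidityAliases.isEmpty()) {
                return getDefaultServerAlias(keyType, issuers, engine);
            }
            // Every host-name match is expired or not yet valid: one is still presented.
            // Only the locally configured alias is logged, never the peer-supplied host name.
            final String fallback = outOfValidityAliases.get(0);
            LOGGER.warn("No certificate inside its validity period matches the requested server name;"
                        + " presenting alias '{}' whose certificate is expired or not yet valid", fallback);
            return fallback;
        }

        if (validAliases.size() > 1) {
            // Prefer a certificate that is comfortably inside its validity period, so that a
            // certificate about to expire or only just issued is not chosen over a safer one.
            final long nowMillis = now.getTime();
            for (String alias : validAliases) {
                final X509Certificate leaf = getCertificateChain(alias)[0];
                final long sinceNotBefore = nowMillis - leaf.getNotBefore().getTime();
                final long untilNotAfter = leaf.getNotAfter().getTime() - nowMillis;
                if (sinceNotBefore > SIX_HOURS && untilNotAfter > SIX_HOURS) {
                    return alias;
                }
            }
        }
        return validAliases.get(0);
    }

    /** Fallback when SNI gives no usable match: the configured default alias, else the delegate's choice. */
    private String getDefaultServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        if (this._defaultAlias != null) {
            return this._defaultAlias;
        }
        return this._delegate.chooseEngineServerAlias(keyType, issuers, engine);
    }
}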
