package org.ldaptive.ssl;

import java.nio.ByteBuffer;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import org.ldaptive.LdapUtils;
import org.ldaptive.asn1.DN;
import org.ldaptive.asn1.RDN;
import org.ldaptive.io.StringValueTranscoder;
import org.opensaml.security.x509.X509Support;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/ldaptive-1.3.3.jar:org/ldaptive/ssl/DefaultHostnameVerifier.class */
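/**
 * Hostname verifier that checks the name a client connected to against the names in the peer's
 * X.509 certificate.
 *
 * <p>IP address hostnames are compared with the certificate's IP address subject alternative
 * names. Every other hostname is compared with the DNS subject alternative names and, only when
 * the certificate yields none, with the last CN of the subject DN.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The only check on a wildcard name is that it starts with {@code "*."} and contains at
 *       least two dots; no further restriction is placed on the suffix.</li>
 *   <li>A failure to parse the subject alternative names is logged and then treated like an
 *       absent extension, so DNS verification falls back to the CN in that case.</li>
 * </ul>
 */
public class DefaultHostnameVerifier implements HostnameVerifier, CertificateHostnameVerifier {
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    // Adapter used for the SSLSession based entry point.
    // NOTE(review): presumably extracts the peer certificate from the session and calls
    // verify(String, X509Certificate) on this object; confirm against HostnameVerifierAdapter.
    private final HostnameVerifier verifier = new HostnameVerifierAdapter(this);

    /**
     * Subject alternative name types.
     *
     * <p>The declaration order is significant: {@code ordinal()} is compared with the integer
     * type tag that {@link X509Certificate#getSubjectAlternativeNames()} returns as the first
     * element of each entry, so constants must not be reordered or inserted.
     *
     * <p>The decompiler reports that this type was declared private in the original class.
     */
    public enum SubjectAltNameType {
        OTHER_NAME,
        RFC822_NAME,
        DNS_NAME,
        X400_ADDRESS,
        DIRECTORY_NAME,
        EDI_PARTY_NAME,
        UNIFORM_RESOURCE_IDENTIFIER,
        IP_ADDRESS,
        REGISTERED_ID
    }

    /**
     * Verifies a hostname for a TLS session by delegating to the adapter held by this class.
     *
     * @param str hostname the client connected to
     * @param sSLSession session whose peer is being verified
     * @return whether the adapter accepted the hostname
     */
    @Override
    public boolean verify(String str, SSLSession sSLSession) {
        return verifier.verify(str, sSLSession);
    }

    /**
     * Verifies a hostname against a certificate, choosing IP or DNS matching based on
     * {@code LdapUtils.isIPAddress}.
     *
     * @param str hostname or IP address the client connected to
     * @param x509Certificate certificate presented by the peer
     * @return whether the certificate contains a matching name
     */
    @Override
    public boolean verify(String str, X509Certificate x509Certificate) {
        logger.debug("verifying hostname={} against cert={}", str, x509Certificate.getSubjectX500Principal());
        if (LdapUtils.isIPAddress(str)) {
            return verifyIP(str, x509Certificate);
        }
        return verifyDNS(str, x509Certificate);
    }

    /**
     * Matches an IP address against the certificate's IP address subject alternative names.
     *
     * <p>The comparison is a case-insensitive string comparison, so an address written in a
     * different textual form than the one in the certificate is not matched. The subject CN is
     * never consulted for IP addresses.
     *
     * @param str IP address the client connected to
     * @param x509Certificate certificate presented by the peer
     * @return whether an IP address subject alternative name equals {@code str}
     */
    protected boolean verifyIP(String str, X509Certificate x509Certificate) {
        String[] subjectAltNames = getSubjectAltNames(x509Certificate, SubjectAltNameType.IP_ADDRESS);
        logger.debug("verifyIP using subjectAltNames={}", Arrays.toString(subjectAltNames));
        for (String name : subjectAltNames) {
            if (str.equalsIgnoreCase(name)) {
                logger.debug("verifyIP found hostname match: {}", name);
                return true;
            }
        }
        return false;
    }

    /**
     * Matches a hostname against the certificate's DNS subject alternative names, falling back
     * to the subject CN only when no DNS subject alternative name was read.
     *
     * <p>When DNS subject alternative names are present, the CN is ignored even if none of them
     * matches. In the fallback only the last CN found in the subject DN is compared.
     *
     * <p>NOTE(review): the fallback is also taken when reading the subject alternative names
     * failed with a parsing error, because that error produces an empty name list. Deployments
     * that want strict behaviour may prefer to reject such certificates.
     *
     * @param str hostname the client connected to
     * @param x509Certificate certificate presented by the peer
     * @return whether a DNS subject alternative name, or the fallback CN, matches {@code str}
     */
    protected boolean verifyDNS(String str, X509Certificate x509Certificate) {
        String[] subjectAltNames = getSubjectAltNames(x509Certificate, SubjectAltNameType.DNS_NAME);
        logger.debug("verifyDNS using subjectAltNames={}", Arrays.toString(subjectAltNames));
        if (subjectAltNames.length > 0) {
            for (String name : subjectAltNames) {
                if (isMatch(str, name)) {
                    logger.debug("verifyDNS found hostname match: {}", name);
                    return true;
                }
            }
            return false;
        }

        String[] cns = getCNs(x509Certificate);
        logger.debug("verifyDNS using CN={}", Arrays.toString(cns));
        if (cns.length > 0) {
            String lastCn = cns[cns.length - 1];
            if (isMatch(str, lastCn)) {
                logger.debug("verifyDNS found hostname match: {}", lastCn);
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the subject alternative names of the requested type.
     *
     * <p>Entries whose value is not a {@code String} are skipped rather than cast, so a name
     * type that the JDK reports in another form cannot raise a {@code ClassCastException} here.
     *
     * @param certificate certificate to read
     * @param type name type to select
     * @return matching names, empty when there are none or the extension could not be parsed
     */
    private String[] getSubjectAltNames(X509Certificate certificate, SubjectAltNameType type) {
        List<String> names = new ArrayList<>();
        try {
            Collection<List<?>> entries = certificate.getSubjectAlternativeNames();
            if (entries != null) {
                for (List<?> entry : entries) {
                    // entry is [Integer type tag, value]
                    if (((Integer) entry.get(0)).intValue() == type.ordinal()) {
                        Object value = entry.get(1);
                        if (value instanceof String) {
                            names.add((String) value);
                        }
                    }
                }
            }
        } catch (CertificateParsingException e) {
            // Callers cannot tell this apart from a certificate without the extension.
            logger.warn("Error reading subject alt names from certificate", e);
        }
        return names.toArray(new String[0]);
    }

    /**
     * Returns the CN values of the certificate's subject DN, in the order the RDNs are decoded.
     *
     * @param certificate certificate to read
     * @return CN values, empty when the subject has no encoding or no CN
     */
    private String[] getCNs(X509Certificate certificate) {
        List<String> cns = new ArrayList<>();
        byte[] encoded = certificate.getSubjectX500Principal().getEncoded();
        if (encoded != null && encoded.length > 0) {
            for (RDN rdn : DN.decode(ByteBuffer.wrap(encoded)).getRDNs()) {
                String cn = (String) rdn.getAttributeValue(X509Support.CN_OID, new StringValueTranscoder());
                if (cn != null) {
                    cns.add(cn);
                }
            }
        }
        return cns.toArray(new String[0]);
    }

    /**
     * Compares a hostname with a single certificate name, ignoring case.
     *
     * <p>A certificate name is treated as a wildcard when it starts with {@code "*."} and has at
     * least two dots. The wildcard stands for exactly one non-empty left-most label: everything
     * from the first dot onwards must be equal in both names. Any other certificate name must
     * equal the hostname as a whole.
     *
     * @param hostname hostname the client connected to
     * @param certName name taken from the certificate
     * @return whether the names match
     */
    private boolean isMatch(String hostname, String certName) {
        boolean wildcard = certName.startsWith("*.") && certName.indexOf('.') < certName.lastIndexOf('.');
        logger.trace("matching for hostname={}, certName={}, isWildcard={}", hostname, certName, Boolean.valueOf(wildcard));

        boolean match;
        if (wildcard) {
            String certSuffix = certName.substring(certName.indexOf('.'));
            int firstDot = hostname.indexOf('.');
            String hostSuffix = hostname.substring(firstDot >= 0 ? firstDot : hostname.length());
            // firstDot > 0 rejects a hostname with an empty left-most label (".example.com"),
            // which would otherwise satisfy the suffix comparison.
            match = firstDot > 0 && certSuffix.equalsIgnoreCase(hostSuffix);
            logger.trace("match={} for {} == {}", Boolean.valueOf(match), certSuffix, hostSuffix);
        } else {
            match = certName.equalsIgnoreCase(hostname);
            logger.trace("match={} for {} == {}", Boolean.valueOf(match), certName, hostname);
        }
        return match;
    }
}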
