package org.elasticsearch.common.ssl;

import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.net.ssl.SSLSession;
import org.apache.jena.atlas.json.io.JSWriter;
import org.elasticsearch.core.Nullable;

/* loaded from: input_file:ingrid-iplug-sns-6.2.0/lib/elasticsearch-ssl-config-7.17.9.jar:org/elasticsearch/common/ssl/SslDiagnostics.class */
/**
 * Builds human-readable explanations of why a TLS peer's certificate chain could not be trusted.
 *
 * <p>Everything here is diagnostic only. The checks are a lookup by distinguished name, certificate
 * or public-key equality, and a single signature verification. The code in this class does not
 * inspect validity dates, basic constraints, key usage, name constraints or revocation, so labels
 * such as "trusted" or "{trusted issuer}" in the generated text must not be read as the outcome of
 * certificate path validation.
 *
 * <p>The generated messages embed values taken verbatim from the certificate presented by the peer
 * (subject and issuer names, subject alternative names) as well as the peer host reported by the
 * session. These values are supplied by a peer that has just failed trust validation; no escaping
 * is applied in this class, so any neutralisation of unexpected characters has to happen where the
 * message is logged or displayed.
 *
 * <p>This source is decompiler output: local names are synthetic and several members carry
 * compiler-generated artifacts ({@code $assertionsDisabled}, {@code access$NNN}).
 */
public class SslDiagnostics {
    /**
     * Decompiler rendering of the compiler-generated assertion switch: {@code true} when assertions
     * are disabled for this class.
     */
    static final /* synthetic */ boolean $assertionsDisabled;

    static {
        $assertionsDisabled = !SslDiagnostics.class.desiredAssertionStatus();
    }

    /**
     * Result of looking up a certificate in the configured trust material by subject name.
     *
     * <p>Decompiler note: JADX reports that the access modifier of this class was changed from
     * private.
     */
    public static class CertificateTrust {
        // Certificates registered under the same subject name; null when the name is unknown.
        private final List<X509Certificate> trustedCertificates;
        // True when at least one registered certificate is identical or shares the public key.
        private final boolean match;
        // True when the registered certificate is the very certificate that was looked up.
        private final boolean identicalCertificate;

        private CertificateTrust(List<X509Certificate> certificates, boolean matches, boolean identical) {
            this.trustedCertificates = certificates;
            this.match = matches;
            this.identicalCertificate = identical;
        }

        /** No trusted certificate is registered under the subject name. */
        private static CertificateTrust noMatchingIssuer() {
            return new CertificateTrust(null, false, false);
        }

        /** The looked-up certificate itself is present in the trust material. */
        public static CertificateTrust sameCertificate(X509Certificate x509Certificate) {
            List<X509Certificate> single = Collections.singletonList(x509Certificate);
            return new CertificateTrust(single, true, true);
        }

        /** Different certificate(s) with the same subject name and an equal public key. */
        public static CertificateTrust samePublicKey(List<X509Certificate> list) {
            return new CertificateTrust(list, true, false);
        }

        /** Certificates exist under the subject name but none matches by identity or key. */
        public static CertificateTrust nonMatchingCertificates(List<X509Certificate> list) {
            return new CertificateTrust(list, false, false);
        }

        /** @return {@code true} when at least one certificate was found for the subject name */
        boolean hasCertificates() {
            return this.trustedCertificates != null && !this.trustedCertificates.isEmpty();
        }

        /** @return {@code true} when certificates were found and one of them matched */
        boolean isTrusted() {
            if (!hasCertificates()) {
                return false;
            }
            return this.match;
        }

        /** @return {@code true} when the match was the identical certificate, not just its key */
        boolean isSameCertificate() {
            if (!isTrusted()) {
                return false;
            }
            return this.identicalCertificate;
        }

        /** Compiler-generated bridge to {@link #noMatchingIssuer()}; kept as emitted by the decompiler. */
        static /* synthetic */ CertificateTrust access$200() {
            return noMatchingIssuer();
        }
    }

    /**
     * Result of looking up the issuer of a certificate in the configured trust material.
     *
     * <p>Decompiler note: JADX reports that the access modifier of this class was changed from
     * private.
     */
    public static class IssuerTrust {
        // Certificates registered under the issuer name; null when the name is unknown.
        private final List<X509Certificate> issuerCerts;
        // True when the listed certificates passed the signature check in checkIssuer.
        private final boolean verified;

        private IssuerTrust(List<X509Certificate> certificates, boolean signatureVerified) {
            this.issuerCerts = certificates;
            this.verified = signatureVerified;
        }

        /** No trusted certificate is registered under the issuer name. */
        private static IssuerTrust noMatchingCertificate() {
            return new IssuerTrust(null, false);
        }

        /** Issuer certificates whose public key verified the certificate's signature. */
        public static IssuerTrust verifiedCertificates(List<X509Certificate> list) {
            return new IssuerTrust(list, true);
        }

        /** Issuer certificates found by name, none of which verified the signature. */
        public static IssuerTrust unverifiedCertificates(List<X509Certificate> list) {
            return new IssuerTrust(list, false);
        }

        /** @return {@code true} when issuer certificates were found and the signature verified */
        boolean isVerified() {
            if (this.issuerCerts == null) {
                return false;
            }
            return this.verified;
        }

        /** @return {@code true} when any certificate is registered under the issuer name */
        boolean foundCertificateForDn() {
            return this.issuerCerts != null;
        }

        /** Compiler-generated bridge to {@link #noMatchingCertificate()}; kept as emitted by the decompiler. */
        static /* synthetic */ IssuerTrust access$600() {
            return noMatchingCertificate();
        }
    }

    /** Role of the remote party whose certificate chain is being described. */
    public enum PeerType {
        CLIENT,
        SERVER
    }

    /**
     * Lists the DNS and IP subject alternative names of a certificate as {@code "DNS:<name>"} and
     * {@code "IP:<address>"} strings.
     *
     * <p>Entries of any other type, and entries that are not an (Integer, String) pair, are
     * skipped. A certificate whose alternative names cannot be parsed yields an empty list, which
     * is indistinguishable here from a certificate without any; callers that need to tell the two
     * apart must query the certificate themselves.
     *
     * @param x509Certificate the certificate to inspect
     * @return the matching names in certificate order, possibly empty
     */
    public static List<String> describeValidHostnames(X509Certificate x509Certificate) {
        final Collection<List<?>> sanEntries;
        try {
            sanEntries = x509Certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            return Collections.emptyList();
        }
        if (sanEntries == null || sanEntries.isEmpty()) {
            return Collections.emptyList();
        }
        List<String> names = new ArrayList<>(sanEntries.size());
        for (List<?> entry : sanEntries) {
            if (entry == null || entry.size() != 2) {
                continue;
            }
            Object type = entry.get(0);
            Object value = entry.get(1);
            if (!(type instanceof Integer) || !(value instanceof String)) {
                continue;
            }
            switch ((Integer) type) {
                case 2: // GeneralName dNSName
                    names.add("DNS:" + (String) value);
                    break;
                case 7: // GeneralName iPAddress
                    names.add("IP:" + (String) value);
                    break;
                default:
                    break;
            }
        }
        return names;
    }

    /**
     * Produces a one-line explanation of a trust failure for the given certificate chain.
     *
     * <p>The text reports the peer host, the leaf certificate's subject name and fingerprint, its
     * DNS/IP subject alternative names (server peers only), and how the leaf and every further
     * chain element relate to the trusted issuers. The certificate-derived parts are copied from
     * the peer's chain without escaping; see the class comment.
     *
     * @param x509CertificateArr the chain presented by the peer, leaf first; may be null or empty
     * @param peerType whether the remote party is the client or the server
     * @param sSLSession session used to report the peer host; may be null
     * @param str description of the local SSL context, inserted into the message
     * @param map trusted certificates keyed by subject name, or null to omit trust details
     * @return the diagnostic message
     */
    public static String getTrustDiagnosticFailure(X509Certificate[] x509CertificateArr, PeerType peerType, SSLSession sSLSession, String str, @Nullable Map<String, List<X509Certificate>> map) {
        final String peerLabel = peerType.name().toLowerCase(Locale.ROOT);
        final String peerHost = Optional.ofNullable(sSLSession).map(SSLSession::getPeerHost).orElse("<unknown host>");
        final StringBuilder message = new StringBuilder("failed to establish trust with ");
        message.append(peerLabel).append(" at [").append(peerHost).append("]; ");

        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            message.append("the ").append(peerLabel).append(" did not provide a certificate");
            return message.toString();
        }

        final int chainLength = x509CertificateArr.length;
        final X509Certificate leaf = x509CertificateArr[0];
        message.append("the ").append(peerLabel);
        message.append(" provided a certificate with subject name [");
        message.append(leaf.getSubjectX500Principal().getName());
        message.append("] and ").append(fingerprintDescription(leaf));

        // Hostname verification only applies to servers, so SANs are reported for them alone.
        if (peerType == PeerType.SERVER) {
            try {
                final Collection<List<?>> rawSans = leaf.getSubjectAlternativeNames();
                if (rawSans == null || rawSans.isEmpty()) {
                    message.append("; the certificate does not have any subject alternative names");
                } else {
                    final List<String> hostnames = describeValidHostnames(leaf);
                    if (hostnames.isEmpty()) {
                        message.append("; the certificate does not have any DNS/IP subject alternative names");
                    } else {
                        message.append("; the certificate has subject alternative names [");
                        message.append(String.join(",", hostnames)).append("]");
                    }
                }
            } catch (CertificateParsingException e) {
                message.append("; the certificate's subject alternative names cannot be parsed");
            }
        }

        if (isSelfIssued(leaf)) {
            message.append("; the certificate is ").append(describeSelfIssuedCertificate(leaf, str, map));
        } else {
            final String leafIssuer = leaf.getIssuerX500Principal().getName();
            message.append("; the certificate is issued by [").append(leafIssuer).append("]");
            if (chainLength == 1) {
                message.append(" but the ").append(peerLabel);
                message.append(" did not provide a copy of the issuing certificate in the certificate chain");
                message.append(describeIssuerTrust(str, map, leaf, leafIssuer));
            }
        }

        if (chainLength > 1) {
            message.append("; the certificate is ");
            for (int position = 1; position < chainLength; position++) {
                final X509Certificate signer = x509CertificateArr[position];
                message.append("signed by (subject [");
                message.append(signer.getSubjectX500Principal().getName());
                message.append("] ").append(fingerprintDescription(signer));
                // The label reflects a name/key lookup in the trust map, not a validated path.
                if (map != null && resolveCertificateTrust(map, signer).isTrusted()) {
                    message.append(" {trusted issuer}");
                }
                message.append(") ");
            }
            final X509Certificate chainEnd = x509CertificateArr[chainLength - 1];
            if (isSelfIssued(chainEnd)) {
                message.append("which is ").append(describeSelfIssuedCertificate(chainEnd, str, map));
            } else {
                final String endIssuer = chainEnd.getIssuerX500Principal().getName();
                message.append("which is issued by [").append(endIssuer);
                message.append("] (but that issuer certificate was not provided in the chain)");
                message.append(describeIssuerTrust(str, map, chainEnd, endIssuer));
            }
        }
        return message.toString();
    }

    /**
     * Describes whether the issuer of a certificate is known to the local SSL context.
     *
     * <p>The wording "but the signatures do not match" is used whenever {@link #checkIssuer}
     * returns false for every candidate; because that helper swallows every exception, the same
     * wording also appears when verification failed for another reason.
     *
     * @param contextName description of the local SSL context
     * @param trustedIssuers trusted certificates keyed by subject name, or null for no detail
     * @param certificate the certificate whose issuer is looked up
     * @param issuerName the issuer name already extracted by the caller
     * @return text starting with "; ", or an empty string when no trust map is available
     */
    private static CharSequence describeIssuerTrust(String contextName, @Nullable Map<String, List<X509Certificate>> trustedIssuers, X509Certificate certificate, String issuerName) {
        if (trustedIssuers == null) {
            return "";
        }
        // NOTE(review): SslConfigurationKeys.CERTIFICATE and JSWriter.ArraySep below look like
        // decompiler substitutions for string literals; confirm against the upstream source.
        final StringBuilder text = new StringBuilder();
        final IssuerTrust trust = checkIssuerTrust(trustedIssuers, certificate);
        if (trust.isVerified()) {
            final boolean single = trust.issuerCerts.size() == 1;
            text.append("; the issuing ").append(single ? SslConfigurationKeys.CERTIFICATE : "certificates");
            text.append(" with ").append(fingerprintDescription(trust.issuerCerts)).append(" ");
            text.append(single ? "is" : "are");
            text.append(" trusted in this ssl context ([").append(contextName).append("])");
            return text;
        }
        if (trust.foundCertificateForDn()) {
            final int found = trust.issuerCerts.size();
            text.append("; this ssl context ([").append(contextName).append("]) trusts [");
            text.append(found).append("] ");
            text.append(found == 1 ? SslConfigurationKeys.CERTIFICATE : "certificates");
            text.append(" with subject name [").append(issuerName).append("] and ");
            text.append(fingerprintDescription(trust.issuerCerts));
            text.append(" but the signatures do not match");
            return text;
        }
        text.append("; this ssl context ([").append(contextName).append("]) is not configured to trust that issuer");
        if (trustedIssuers.isEmpty()) {
            text.append(" or any other issuer");
        } else if (trustedIssuers.size() == 1) {
            final String onlyIssuer = trustedIssuers.keySet().iterator().next();
            text.append(", it only trusts the issuer [").append(onlyIssuer).append("] with ");
            text.append(fingerprintDescription(trustedIssuers.get(onlyIssuer)));
        } else {
            text.append(" but trusts [").append(trustedIssuers.size()).append("] other issuers");
            // Names are listed only for small trust stores to keep the message readable.
            if (trustedIssuers.size() < 10) {
                final String sortedNames = trustedIssuers.keySet().stream().sorted().collect(Collectors.joining(JSWriter.ArraySep));
                text.append(" ([").append(sortedNames).append("])");
            }
        }
        return text;
    }

    /**
     * Describes a certificate whose issuer and subject names are equal, including whether a
     * certificate with that subject is present in the local trust material.
     *
     * @param certificate the self-issued certificate
     * @param contextName description of the local SSL context
     * @param trustedIssuers trusted certificates keyed by subject name, or null for no detail
     * @return text starting with "self-issued"
     */
    private static CharSequence describeSelfIssuedCertificate(X509Certificate certificate, String contextName, @Nullable Map<String, List<X509Certificate>> trustedIssuers) {
        if (trustedIssuers == null) {
            return "self-issued";
        }
        final StringBuilder text = new StringBuilder();
        final CertificateTrust trust = resolveCertificateTrust(trustedIssuers, certificate);
        final boolean trusted = trust.isTrusted();
        text.append("self-issued; the [").append(certificate.getIssuerX500Principal().getName());
        text.append("] certificate ").append(trusted ? "is" : "is not");
        text.append(" trusted in this ssl context ([").append(contextName).append("])");

        if (trusted) {
            if (trust.isSameCertificate()) {
                return text;
            }
            // Trusted only through an equal public key on a different certificate.
            if (trust.trustedCertificates.size() == 1) {
                text.append(" because we trust a certificate with ");
                text.append(fingerprintDescription(trust.trustedCertificates.get(0)));
            } else {
                text.append(" because we trust [").append(trust.trustedCertificates.size());
                text.append("] certificates with ").append(fingerprintDescription(trust.trustedCertificates));
            }
            text.append(" for the same public key");
            return text;
        }

        if (trust.hasCertificates()) {
            // Same subject name is trusted, but with a different certificate and key.
            if (trust.trustedCertificates.size() == 1) {
                final X509Certificate other = trust.trustedCertificates.get(0);
                text.append("; this ssl context does trust a certificate with subject [");
                text.append(other.getSubjectX500Principal().getName());
                text.append("] but the trusted certificate has ").append(fingerprintDescription(other));
            } else {
                text.append("; this ssl context does trust [").append(trust.trustedCertificates.size());
                text.append("] certificates with subject [").append(certificate.getSubjectX500Principal().getName());
                text.append("] but those certificates have ").append(fingerprintDescription(trust.trustedCertificates));
            }
        }
        return text;
    }

    /**
     * Looks up a certificate in the trust map by subject name, then by identity, then by public key.
     *
     * @param trustedIssuers trusted certificates keyed by subject name; must not be null
     * @param certificate the certificate to look up
     * @return how the certificate relates to the entries registered under its subject name
     */
    private static CertificateTrust resolveCertificateTrust(Map<String, List<X509Certificate>> trustedIssuers, X509Certificate certificate) {
        // Decompiled form of an assert statement; only active when assertions are enabled.
        if (!$assertionsDisabled && trustedIssuers == null) {
            throw new AssertionError("Do not call `resolveCertificateTrust` with null issuers");
        }
        final String subjectName = certificate.getSubjectX500Principal().getName();
        final List<X509Certificate> sameSubject = trustedIssuers.get(subjectName);
        if (sameSubject == null || sameSubject.isEmpty()) {
            return CertificateTrust.noMatchingIssuer();
        }
        final int position = sameSubject.indexOf(certificate);
        if (position != -1) {
            return CertificateTrust.sameCertificate(sameSubject.get(position));
        }
        final List<X509Certificate> sameKey = sameSubject.stream()
            .filter(candidate -> candidate.getPublicKey().equals(certificate.getPublicKey()))
            .collect(Collectors.toList());
        if (sameKey.isEmpty()) {
            return CertificateTrust.nonMatchingCertificates(sameSubject);
        }
        return CertificateTrust.samePublicKey(sameKey);
    }

    /**
     * Looks up the issuer of a certificate in the trust map and checks which of the certificates
     * registered under that name verify the certificate's signature.
     *
     * @param map trusted certificates keyed by subject name; dereferenced without a null check
     * @param x509Certificate the certificate whose issuer is looked up
     * @return the issuer certificates found, flagged as verified or unverified
     */
    public static IssuerTrust checkIssuerTrust(Map<String, List<X509Certificate>> map, X509Certificate x509Certificate) {
        final String issuerName = x509Certificate.getIssuerX500Principal().getName();
        final List<X509Certificate> candidates = map.get(issuerName);
        if (candidates == null || candidates.isEmpty()) {
            return IssuerTrust.noMatchingCertificate();
        }
        final List<X509Certificate> signers = candidates.stream()
            .filter(candidate -> checkIssuer(x509Certificate, candidate))
            .collect(Collectors.toList());
        if (signers.isEmpty()) {
            return IssuerTrust.unverifiedCertificates(candidates);
        }
        return IssuerTrust.verifiedCertificates(signers);
    }

    /** Joins the fingerprint descriptions of several certificates into one string. */
    private static String fingerprintDescription(List<X509Certificate> certificates) {
        return certificates.stream()
            .map(certificate -> fingerprintDescription(certificate))
            .collect(Collectors.joining(JSWriter.ArraySep));
    }

    /**
     * Describes one certificate by its fingerprint, or by the encoding error when the fingerprint
     * cannot be calculated.
     */
    private static String fingerprintDescription(X509Certificate certificate) {
        final String fingerprint;
        try {
            fingerprint = SslUtil.calculateFingerprint(certificate);
        } catch (CertificateEncodingException e) {
            return "invalid encoding [" + e + "]";
        }
        return "fingerprint [" + fingerprint + "]";
    }

    /**
     * Reports whether the first certificate's signature verifies under the second certificate's
     * public key.
     *
     * <p>Every exception is mapped to {@code false}, so a failure caused by something other than a
     * bad signature cannot be told apart from a mismatch. Only the signature is checked; nothing
     * else about the candidate issuer is examined.
     *
     * <p>Decompiler note: JADX reports that the access modifier was changed from private.
     *
     * @param x509Certificate the certificate whose signature is checked
     * @param x509Certificate2 the candidate issuer
     * @return {@code true} when verification completed without an exception
     */
    public static boolean checkIssuer(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        try {
            x509Certificate.verify(x509Certificate2.getPublicKey());
        } catch (Exception e) {
            // Deliberately best-effort: this feeds a diagnostic message, not a trust decision.
            return false;
        }
        return true;
    }

    /**
     * Reports whether the issuer and subject names of a certificate are equal. This is a name
     * comparison only; the signature is not verified here.
     */
    private static boolean isSelfIssued(X509Certificate certificate) {
        final Object issuer = certificate.getIssuerX500Principal();
        final Object subject = certificate.getSubjectX500Principal();
        return issuer.equals(subject);
    }
}
