package org.apache.hadoop.hdds.security.x509.certificate.authority.profile;

import com.google.common.base.Preconditions;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.BitSet;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.BiPredicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.function.Predicates;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/profile/DefaultProfile.class */
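/**
 * Default certificate profile used by the HDDS certificate authority.
 *
 * <p>The profile pins which X.509 extensions a certificate may carry and how
 * each is validated: {@code keyUsage} must be a subset of the usages returned
 * by {@link #getKeyUsage()}; every {@code subjectAlternativeName} entry must be
 * a dNSName, iPAddress or otherName that passes
 * {@link #validateGeneralName(int, String)}; {@code extendedKeyUsage} may only
 * list serverAuth / clientAuth. {@code authorityKeyIdentifier} and
 * {@code logoType} are accepted without inspection, and any other extension is
 * rejected by {@link #validateExtension(Extension)}. The profile is not a CA
 * profile and accepts any subject RDN.
 *
 * <p>Validators are looked up through {@link #getExtensionsMap()} so a subclass
 * that overrides it changes both the supported set and the applied checks.
 */
public class DefaultProfile implements PKIProfile {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultProfile.class);

    // Per-extension validators. Each receives the extension plus the profile
    // performing the validation so subclass policy hooks are honoured.
    private static final BiPredicate<Extension, PKIProfile> VALIDATE_KEY_USAGE =
            DefaultProfile::validateKeyUsage;
    private static final BiPredicate<Extension, PKIProfile> VALIDATE_SAN =
            DefaultProfile::validateSubjectAlternativeName;
    private static final BiPredicate<Extension, PKIProfile> VALIDATE_EXTENDED_KEY_USAGE =
            DefaultProfile::validateExtendedKeyUsage;
    // Accepted unconditionally: their content is not inspected by this profile.
    private static final BiPredicate<Extension, PKIProfile> VALIDATE_AUTHORITY_KEY_IDENTIFIER =
            Predicates.yesBi();
    private static final BiPredicate<Extension, PKIProfile> VALIDATE_LOGO_TYPE =
            Predicates.yesBi();

    /** GeneralName tags accepted in a SAN: dNSName (2), iPAddress (7), otherName (0). */
    private static final int[] GENERAL_NAMES = {
        GeneralName.dNSName, GeneralName.iPAddress, GeneralName.otherName};

    /** Extended key usages a certificate may request under this profile. */
    private static final KeyPurposeId[] EXTENDED_KEY_USAGE = {
        KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth};

    /** Supported extension OIDs mapped to the validator applied to each of them. */
    protected static final Map<ASN1ObjectIdentifier, BiPredicate<Extension, PKIProfile>>
            EXTENSIONS_MAP = Stream.of(
                    entry(Extension.keyUsage, VALIDATE_KEY_USAGE),
                    entry(Extension.subjectAlternativeName, VALIDATE_SAN),
                    entry(Extension.authorityKeyIdentifier, VALIDATE_AUTHORITY_KEY_IDENTIFIER),
                    entry(Extension.extendedKeyUsage, VALIDATE_EXTENDED_KEY_USAGE),
                    entry(Extension.logoType, VALIDATE_LOGO_TYPE))
            .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));

    private final Set<KeyPurposeId> extendKeyPurposeSet;
    private final Set<Integer> generalNameSet = new HashSet<>();

    /** Builds the profile with the fixed GeneralName and extended-key-usage allow lists. */
    public DefaultProfile() {
        for (int tag : GENERAL_NAMES) {
            generalNameSet.add(tag);
        }
        extendKeyPurposeSet = new HashSet<>(Arrays.asList(EXTENDED_KEY_USAGE));
    }

    /** Typed helper for building {@link #EXTENSIONS_MAP} entries. */
    private static Map.Entry<ASN1ObjectIdentifier, BiPredicate<Extension, PKIProfile>> entry(
            ASN1ObjectIdentifier oid, BiPredicate<Extension, PKIProfile> validator) {
        return new AbstractMap.SimpleEntry<>(oid, validator);
    }

    /**
     * Checks that every key-usage bit asserted by the certificate is also
     * permitted by the profile, i.e. requested is a subset of
     * {@link PKIProfile#getKeyUsage()}.
     *
     * @param extension the keyUsage extension under validation
     * @param profile   the profile supplying the allowed usages
     * @return {@code true} when no requested bit lies outside the allowed set
     */
    private static boolean validateKeyUsage(Extension extension, PKIProfile profile) {
        KeyUsage allowed = profile.getKeyUsage();
        KeyUsage requested = KeyUsage.getInstance(extension.getParsedValue());
        BitSet allowedBits = BitSet.valueOf(allowed.getBytes());
        BitSet requestedBits = BitSet.valueOf(requested.getBytes());
        // (allowed AND requested) == requested  <=>  requested ⊆ allowed.
        allowedBits.and(requestedBits);
        return allowedBits.equals(requestedBits);
    }

    /**
     * Validates a subjectAlternativeName extension: it must not be critical
     * and each contained name must be accepted by
     * {@link PKIProfile#validateGeneralName(int, String)}. An empty name list
     * is accepted.
     *
     * @param extension the SAN extension under validation
     * @param profile   the profile whose GeneralName policy is applied
     * @return {@code true} when every name passes the profile's check
     */
    private static boolean validateSubjectAlternativeName(Extension extension,
            PKIProfile profile) {
        GeneralNames names = GeneralNames.getInstance(extension.getParsedValue());
        if (extension.isCritical()) {
            LOG.error("SAN extension marked as critical in the Extension. {}", names.toString());
            return false;
        }
        for (GeneralName name : names.getNames()) {
            // Each name is handed over in its BouncyCastle string rendering; for
            // iPAddress that is the octet string form the profile knows how to decode.
            String value = name.getName().toString();
            try {
                if (!profile.validateGeneralName(name.getTagNo(), value)) {
                    return false;
                }
            } catch (UnknownHostException e) {
                LOG.error("IP address validation failed." + value, e);
                return false;
            }
        }
        return true;
    }

    /**
     * Validates an extendedKeyUsage extension: it must not be critical and
     * every listed purpose must be accepted by
     * {@link PKIProfile#validateExtendedKeyUsage(KeyPurposeId)}.
     *
     * @param extension the extendedKeyUsage extension under validation
     * @param profile   the profile whose purpose allow list is applied
     * @return {@code true} when all purposes are allowed
     */
    private static boolean validateExtendedKeyUsage(Extension extension, PKIProfile profile) {
        if (extension.isCritical()) {
            LOG.error("Extended Key usage marked as critical.");
            return false;
        }
        ExtendedKeyUsage usages = ExtendedKeyUsage.getInstance(extension.getParsedValue());
        for (KeyPurposeId purpose : usages.getUsages()) {
            if (!profile.validateExtendedKeyUsage(purpose)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns a copy of the accepted GeneralName tags, in declaration order
     * (dNSName, iPAddress, otherName). Callers may modify the returned array.
     */
    @Override
    public int[] getGeneralNames() {
        return Arrays.copyOf(GENERAL_NAMES, GENERAL_NAMES.length);
    }

    /**
     * @param tag a GeneralName tag number
     * @return whether the tag is one of {@link #getGeneralNames()}
     */
    @Override
    public boolean isSupportedGeneralName(int tag) {
        return generalNameSet.contains(tag);
    }

    /**
     * Validates a single SAN entry by tag type.
     *
     * <ul>
     *   <li>otherName: accepted without inspecting the payload.</li>
     *   <li>dNSName: must be a valid domain per commons-validator's DomainValidator.</li>
     *   <li>iPAddress: see {@link #isValidIpAddress(String)}.</li>
     * </ul>
     *
     * @param type  GeneralName tag number
     * @param value the name in its string rendering
     * @return {@code true} when the tag is supported and the value passes its check
     */
    @Override
    public boolean validateGeneralName(int type, String value) {
        if (!isSupportedGeneralName(type)) {
            return false;
        }
        switch (type) {
        case GeneralName.otherName:
            return true;
        case GeneralName.dNSName:
            return DomainValidator.getInstance().isValid(value);
        case GeneralName.iPAddress:
            return isValidIpAddress(value);
        default:
            // Unreachable while GENERAL_NAMES and this switch agree; kept as a guard.
            LOG.error("Unexpected type in General Name (int value) : {}", type);
            return false;
        }
    }

    /**
     * Validates the iPAddress form of a SAN entry. The value is the
     * BouncyCastle octet-string rendering {@code "#<hex>"}; the leading marker
     * is dropped and the remaining hex must decode to an address accepted by
     * {@link InetAddress#getByAddress(byte[])} (4 or 16 bytes).
     *
     * @param value the rendered octet string, may be {@code null}
     * @return {@code true} for a well-formed IPv4/IPv6 address, {@code false}
     *         for {@code null}, an empty or bare marker, odd/invalid hex, or a
     *         wrong address length
     */
    private static boolean isValidIpAddress(String value) {
        // Nothing after the marker (or no marker at all): reject instead of
        // letting substring()/decodeHex() throw.
        if (value == null || value.length() < 2) {
            return false;
        }
        try {
            InetAddress address = InetAddress.getByAddress(Hex.decodeHex(value.substring(1)));
            LOG.debug("Host Name/IP Address : {}", address);
            return true;
        } catch (UnknownHostException | DecoderException e) {
            return false;
        }
    }

    /**
     * @param keyPurposeId an extended key usage OID
     * @return whether it is in the profile's allow list (serverAuth, clientAuth)
     */
    @Override
    public boolean validateExtendedKeyUsage(KeyPurposeId keyPurposeId) {
        return extendKeyPurposeSet.contains(keyPurposeId);
    }

    /** Returns the OIDs of all extensions this profile knows how to validate. */
    @Override
    public ASN1ObjectIdentifier[] getSupportedExtensions() {
        Set<ASN1ObjectIdentifier> oids = getExtensionsMap().keySet();
        return oids.toArray(new ASN1ObjectIdentifier[0]);
    }

    /**
     * @param extension the extension to check
     * @return whether a validator is registered for the extension's OID
     */
    @Override
    public boolean isSupportedExtension(Extension extension) {
        return getExtensionsMap().containsKey(extension.getExtnId());
    }

    /**
     * Runs the registered validator for the extension.
     *
     * @param extension the extension to validate, must not be {@code null}
     * @return {@code false} for an unsupported extension or a failed check
     * @throws NullPointerException if {@code extension} is {@code null}
     */
    @Override
    public boolean validateExtension(Extension extension) {
        Preconditions.checkNotNull(extension, "Extension cannot be null");
        if (!isSupportedExtension(extension)) {
            LOG.error("Unsupported Extension found: {} ", extension.getExtnId().getId());
            return false;
        }
        // Resolve through getExtensionsMap() so an override in a subclass is
        // applied consistently with isSupportedExtension(); the fallback only
        // matters if the map changes between the two lookups.
        BiPredicate<Extension, PKIProfile> validator = getExtensionsMap()
                .getOrDefault(extension.getExtnId(), (ext, profile) -> false);
        return validator.test(extension, this);
    }

    /**
     * Key usages permitted by this profile: digitalSignature, keyEncipherment,
     * dataEncipherment and keyAgreement (bit mask 0xB8 / 184). Certificate
     * signing and CRL signing are deliberately excluded since this is not a
     * CA profile.
     */
    @Override
    public KeyUsage getKeyUsage() {
        return new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment
                | KeyUsage.dataEncipherment | KeyUsage.keyAgreement);
    }

    /** The default profile mandates no subject RDNs. */
    @Override
    public RDN[] getRDNs() {
        return new RDN[0];
    }

    /** Any RDN is considered valid by the default profile. */
    @Override
    public boolean isValidRDN(RDN rdn) {
        return true;
    }

    /** Any RDN passes validation under the default profile. */
    @Override
    public boolean validateRDN(RDN rdn) {
        return true;
    }

    /** This profile never issues CA certificates. */
    @Override
    public boolean isCA() {
        return false;
    }

    /** The extension OID to validator map; subclasses may override to change policy. */
    @Override
    public Map<ASN1ObjectIdentifier, BiPredicate<Extension, PKIProfile>> getExtensionsMap() {
        return EXTENSIONS_MAP;
    }
}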
