package de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13;

import java.net.InetAddress;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLPeerUnverifiedException;
import kotlin.Lazy;
import kotlin.LazyKt;
import kotlin.Metadata;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.JvmOverloads;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlin.text.Regex;
import kotlin.text.StringsKt;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* compiled from: TLSSessionVerificationHelper.kt */
@Metadata(mv = {1, 7, 1}, k = 1, xi = 48, d1 = {"��B\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\b\n\u0002\u0010\u000b\n��\n\u0002\u0010 \n\u0002\u0010\u000e\n\u0002\b\u0004\n\u0002\u0010\u0002\n��\n\u0002\u0010\b\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\bÆ\u0002\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J$\u0010\u000f\u001a\u00020\u00102\f\u0010\u0011\u001a\b\u0012\u0004\u0012\u00020\u00130\u00122\f\u0010\u0014\u001a\b\u0012\u0004\u0012\u00020\u00130\u0012H\u0002J\u0010\u0010\u0015\u001a\u00020\u00102\u0006\u0010\u0016\u001a\u00020\u0013H\u0002J2\u0010\u0017\u001a\u00020\u00182\u0006\u0010\u0016\u001a\u00020\u00132\u0006\u0010\u0019\u001a\u00020\u001a2\u0006\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u001d\u001a\u00020\u00102\b\b\u0002\u0010\u001e\u001a\u00020\u0010H\u0007R\u0016\u0010\u0003\u001a\n \u0005*\u0004\u0018\u00010\u00040\u0004X\u0082\u0004¢\u0006\u0002\n��R#\u0010\u0006\u001a\n \u0005*\u0004\u0018\u00010\u00070\u00078BX\u0082\u0084\u0002¢\u0006\f\n\u0004\b\n\u0010\u000b\u001a\u0004\b\b\u0010\tR#\u0010\f\u001a\n \u0005*\u0004\u0018\u00010\u00070\u00078BX\u0082\u0084\u0002¢\u0006\f\n\u0004\b\u000e\u0010\u000b\u001a\u0004\b\r\u0010\t¨\u0006\u001f"}, d2 = {"Lde/fhg/aisec/ids/idscp2/defaultdrivers/securechannel/tls13/TLSSessionVerificationHelper;", "", "()V", "LOG", "Lorg/slf4j/Logger;", "kotlin.jvm.PlatformType", "ipv4Pattern", "Ljava/util/regex/Pattern;", "getIpv4Pattern", "()Ljava/util/regex/Pattern;", "ipv4Pattern$delegate", "Lkotlin/Lazy;", "ipv6Pattern", "getIpv6Pattern", "ipv6Pattern$delegate", "checkHostname", "", "dnsNameLabels", "", "", "hostNameLabels", "isIpAddress", "host", "verifyTlsSession", "", "port", "", "peerCert", "Ljava/security/cert/X509Certificate;", "hostnameVerificationEnabled", "peerIsServer", "idscp2-core"})
/* loaded from: input_file:de/fhg/aisec/ids/idscp2/defaultdrivers/securechannel/tls13/TLSSessionVerificationHelper.class */
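/**
 * Post-handshake checks on a TLS peer certificate: optional hostname/IP verification against the
 * certificate's Subject Alternative Names (SANs) and a validity-period check.
 *
 * <p>This class is decompiler output of a Kotlin {@code object}; {@link #INSTANCE} is its singleton
 * and {@code verifyTlsSession$default} is the bridge Kotlin callers use for the defaulted
 * {@code peerIsServer} argument.
 */
public final class TLSSessionVerificationHelper {

    @NotNull
    public static final TLSSessionVerificationHelper INSTANCE = new TLSSessionVerificationHelper();
    private static final Logger LOG = LoggerFactory.getLogger(TLSSessionVerificationHelper.class);

    /** SAN type tag under which {@link X509Certificate#getSubjectAlternativeNames()} reports a dNSName. */
    private static final int SAN_TYPE_DNS_NAME = 2;

    /** SAN type tag under which {@link X509Certificate#getSubjectAlternativeNames()} reports an iPAddress. */
    private static final int SAN_TYPE_IP_ADDRESS = 7;

    /** Look-ahead applied to the validity check: the certificate must still be valid one day from now. */
    private static final long ONE_DAY_MILLIS = 86400000L;

    private static final String HOSTNAME_MISMATCH =
            "Hostname verification failed. Peer certificate does not belong to peer host";

    // The decompiler had renamed invoke() to m30invoke()/m32invoke(), which leaves Function0.invoke()
    // unimplemented; the original method name is restored so the initializers are valid.
    @NotNull
    private static final Lazy<Pattern> ipv4Pattern$delegate = LazyKt.lazy(new Function0<Pattern>() {
        @Override
        public Pattern invoke() {
            return Pattern.compile("(([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.){3}([01]?\\d\\d?|2[0-4]\\d|25[0-5])", Pattern.CASE_INSENSITIVE);
        }
    });

    @NotNull
    private static final Lazy<Pattern> ipv6Pattern$delegate = LazyKt.lazy(new Function0<Pattern>() {
        @Override
        public Pattern invoke() {
            // Deliberately loose: accepts any run of up to eight colon-separated hex groups.
            return Pattern.compile("(([0-9a-f]{0,4}:){1,7}[0-9a-f]{0,4})", Pattern.CASE_INSENSITIVE);
        }
    });

    private TLSSessionVerificationHelper() {
    }

    private Pattern getIpv4Pattern() {
        return ipv4Pattern$delegate.getValue();
    }

    private Pattern getIpv6Pattern() {
        return ipv6Pattern$delegate.getValue();
    }

    /**
     * Verifies the peer certificate of an established TLS session.
     *
     * <p>When {@code hostnameVerificationEnabled} is set, {@code host} must be covered by the
     * certificate's SANs (see {@link #verifyPeerIdentity}). Regardless of that flag, the certificate
     * must be within its validity period now and still be valid 24 hours from now.
     *
     * @param host peer host name or IP literal the connection was made to
     * @param port peer port, used for trace logging only
     * @param peerCert the peer's end-entity certificate
     * @param hostnameVerificationEnabled whether to match {@code host} against the SANs
     * @param peerIsServer only selects the log level of the "verification disabled" message
     * @throws SSLPeerUnverifiedException if the identity check fails, the SANs cannot be parsed, or
     *     the certificate is expired, not yet valid, or expires within the next day
     */
    @JvmOverloads
    public final void verifyTlsSession(@NotNull String host, int port, @NotNull X509Certificate peerCert, boolean hostnameVerificationEnabled, boolean peerIsServer) throws SSLPeerUnverifiedException {
        Intrinsics.checkNotNullParameter(host, "host");
        Intrinsics.checkNotNullParameter(peerCert, "peerCert");
        if (LOG.isTraceEnabled()) {
            LOG.trace("Connected to {}:{}", host, Integer.valueOf(port));
        }
        try {
            if (hostnameVerificationEnabled) {
                verifyPeerIdentity(host, peerCert);
            } else if (peerIsServer) {
                LOG.warn("DANGER: TLS server hostname verification is disabled. This is strongly discouraged except for testing purposes!");
            } else {
                LOG.info("Client hostname verification is disabled. This may reduce connection security, please consider enabling it when applicable.");
            }
            Date oneDayAhead = new Date();
            oneDayAhead.setTime(oneDayAhead.getTime() + ONE_DAY_MILLIS);
            peerCert.checkValidity();
            peerCert.checkValidity(oneDayAhead);
        } catch (CertificateExpiredException | CertificateNotYetValidException | CertificateParsingException e) {
            // SSLPeerUnverifiedException has no (message, cause) constructor; attach the cause
            // explicitly so the original stack trace is not lost.
            SSLPeerUnverifiedException failure = new SSLPeerUnverifiedException("TLS Session Verification failed " + e);
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Kotlin default-argument bridge for {@link #verifyTlsSession(String, int, X509Certificate, boolean, boolean)}.
     * Bit 16 of {@code i2} marks the fifth argument ({@code peerIsServer}) as omitted, in which case
     * it defaults to {@code true}.
     */
    public static /* synthetic */ void verifyTlsSession$default(TLSSessionVerificationHelper tLSSessionVerificationHelper, String str, int i, X509Certificate x509Certificate, boolean z, boolean z2, int i2, Object obj) throws SSLPeerUnverifiedException {
        if ((i2 & 16) != 0) {
            z2 = true;
        }
        tLSSessionVerificationHelper.verifyTlsSession(str, i, x509Certificate, z, z2);
    }

    /**
     * Checks that {@code host} is covered by the dNSName / iPAddress SANs of {@code peerCert}.
     * Only SANs are consulted; a certificate without any SAN extension is rejected.
     */
    private void verifyPeerIdentity(String host, X509Certificate peerCert) throws SSLPeerUnverifiedException, CertificateParsingException {
        Collection<List<?>> subjectAltNames = peerCert.getSubjectAlternativeNames();
        if (subjectAltNames == null) {
            throw new SSLPeerUnverifiedException("No Subject alternative names for hostname verification provided");
        }
        List<String> acceptedDnsNames = new ArrayList<>();
        List<String> acceptedIpAddresses = new ArrayList<>();
        for (List<?> san : subjectAltNames) {
            if (san.size() != 2) {
                continue;
            }
            Integer type = (Integer) san.get(0);
            Object value = san.get(1);
            if (type != null && type.intValue() == SAN_TYPE_DNS_NAME) {
                addSanValue(acceptedDnsNames, value);
            } else if (type != null && type.intValue() == SAN_TYPE_IP_ADDRESS) {
                addSanValue(acceptedIpAddresses, value);
            } else if (LOG.isTraceEnabled()) {
                // Previously emitted for every entry, including the handled dNSName/iPAddress ones.
                LOG.trace("Unhandled SAN type \"{}\" with value \"{}\"", san.get(0), value);
            }
        }
        if (isIpAddress(host)) {
            verifyIpHost(host, acceptedIpAddresses, acceptedDnsNames);
        } else {
            verifyDnsHost(host, acceptedDnsNames);
        }
    }

    /** Appends a SAN value given as {@code String} or UTF-8 {@code byte[]}; other value types are ignored. */
    private static void addSanValue(List<String> target, Object value) {
        if (value instanceof String) {
            target.add((String) value);
        } else if (value instanceof byte[]) {
            target.add(new String((byte[]) value, Charsets.UTF_8));
        }
    }

    /** Accepts {@code host} if any dNSName SAN (trailing dots stripped) matches it label by label. */
    private void verifyDnsHost(String host, List<String> acceptedDnsNames) throws SSLPeerUnverifiedException {
        List<String> hostLabels = StringsKt.split$default(host, new String[]{"."}, false, 0, 6, (Object) null);
        for (String dnsName : acceptedDnsNames) {
            List<String> sanLabels = StringsKt.split$default(StringsKt.trimEnd(dnsName, new char[]{'.'}), new String[]{"."}, false, 0, 6, (Object) null);
            if (checkHostname(sanLabels, hostLabels)) {
                return;
            }
        }
        throw new SSLPeerUnverifiedException(HOSTNAME_MISMATCH);
    }

    /**
     * Accepts an IP-literal {@code host} if it equals an iPAddress SAN or, failing that, one of the
     * addresses the dNSName SANs currently resolve to.
     */
    private void verifyIpHost(String host, List<String> acceptedIpAddresses, List<String> acceptedDnsNames) throws SSLPeerUnverifiedException {
        // NOTE(review): both comparisons are textual, so an IP literal written in a different but
        // equivalent form (e.g. a compressed IPv6 address) will presumably not match - confirm.
        if (acceptedIpAddresses.contains(host)) {
            return;
        }
        // NOTE(review): this fallback trusts the local resolver. The certificate itself does not bind
        // the IP address here; the result is only as trustworthy as the name resolution. Deployments
        // that connect by IP are better served by certificates carrying iPAddress SANs.
        List<String> resolvedIps = new ArrayList<>();
        for (String dnsName : acceptedDnsNames) {
            try {
                for (InetAddress address : InetAddress.getAllByName(dnsName)) {
                    resolvedIps.add(address.getHostAddress());
                }
            } catch (Exception e) {
                // Best effort: a SAN that does not resolve (e.g. a wildcard name) contributes nothing.
                // Narrowed from Throwable so JVM errors are no longer swallowed.
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Could not resolve SAN DNS name \"{}\": {}", dnsName, e.toString());
                }
            }
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("Resolved IPs: {}", CollectionsKt.joinToString$default(CollectionsKt.toSet(resolvedIps), (CharSequence) null, (CharSequence) null, (CharSequence) null, 0, (CharSequence) null, (Function1) null, 63, (Object) null));
        }
        if (!resolvedIps.contains(host)) {
            throw new SSLPeerUnverifiedException(HOSTNAME_MISMATCH);
        }
    }

    /** Returns whether {@code host} looks like an IPv4 or IPv6 literal (whole-string regex match). */
    private boolean isIpAddress(String host) {
        return getIpv4Pattern().matcher(host).matches() || getIpv6Pattern().matcher(host).matches();
    }

    /**
     * Matches a dNSName SAN against the host name, both already split into labels.
     *
     * <p>The label counts must be equal and every label except the leftmost must be identical.
     * In the leftmost SAN label each {@code *} matches any run of characters; all other characters
     * are matched literally. They are quoted before the pattern is compiled, so a SAN label that
     * contains regex metacharacters can neither change the match nor raise
     * {@link java.util.regex.PatternSyntaxException}.
     *
     * <p>NOTE(review): the comparison is case-sensitive although DNS names are not, and a wildcard
     * is accepted at any position and for any parent domain - confirm this matches the policy.
     */
    private boolean checkHostname(List<String> dnsNameLabels, List<String> hostNameLabels) {
        if (dnsNameLabels.size() != hostNameLabels.size()) {
            return false;
        }
        int labelCount = dnsNameLabels.size();
        for (int i = 1; i < labelCount; i++) {
            if (!Intrinsics.areEqual(dnsNameLabels.get(i), hostNameLabels.get(i))) {
                return false;
            }
        }
        String sanLabel = dnsNameLabels.get(0);
        StringBuilder regex = new StringBuilder();
        int from = 0;
        int star = sanLabel.indexOf('*', from);
        while (star >= 0) {
            regex.append(Pattern.quote(sanLabel.substring(from, star))).append(".*");
            from = star + 1;
            star = sanLabel.indexOf('*', from);
        }
        regex.append(Pattern.quote(sanLabel.substring(from)));
        return Pattern.compile(regex.toString()).matcher(hostNameLabels.get(0)).matches();
    }

    /**
     * Overload with {@code peerIsServer} omitted; it defaults to {@code true}.
     *
     * @see #verifyTlsSession(String, int, X509Certificate, boolean, boolean)
     */
    @JvmOverloads
    public final void verifyTlsSession(@NotNull String host, int port, @NotNull X509Certificate peerCert, boolean hostnameVerificationEnabled) throws SSLPeerUnverifiedException {
        Intrinsics.checkNotNullParameter(host, "host");
        Intrinsics.checkNotNullParameter(peerCert, "peerCert");
        verifyTlsSession$default(this, host, port, peerCert, hostnameVerificationEnabled, false, 16, null);
    }
}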
