package com.yahoo.vespa.hosted.controller.api.integration.certificates;

import com.yahoo.config.provision.zone.ZoneId;
import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.security.SubjectAlternativeName;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Instant;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;

/* loaded from: input_file:com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.class */
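/**
 * Validates an endpoint certificate held in the secret store before it is used.
 *
 * <p>The checks performed are: the secret exists and is non-null, the PEM contains a chain of at
 * least two certificates, every certificate in the chain is within its validity window at the
 * injected clock's current time, and the leaf certificate (first in the chain) carries every
 * required DNS subject alternative name. Note that the chain's signatures and trust anchor are
 * not verified here — only validity periods and SANs are checked.
 */
public class EndpointCertificateValidatorImpl implements EndpointCertificateValidator {

    // Logger name deliberately follows the interface, matching the original wiring.
    private static final Logger log = Logger.getLogger(EndpointCertificateValidator.class.getName());

    private final SecretStore secretStore;
    private final Clock clock;

    /**
     * @param secretStore source of the PEM-encoded certificate chain
     * @param clock       clock used to evaluate certificate validity windows (injectable for tests)
     */
    public EndpointCertificateValidatorImpl(SecretStore secretStore, Clock clock) {
        this.secretStore = secretStore;
        this.clock = clock;
    }

    /**
     * Validates the certificate described by {@code endpointCertificateMetadata}.
     *
     * @param endpointCertificateMetadata names the secret (and version) holding the PEM chain
     * @param str                         identifier of the application, used only in log and error messages
     * @param zoneId                      zone the certificate is validated for, used in the SAN error message
     * @param list                        DNS names that must all appear as DNS SANs on the leaf certificate
     * @throws EndpointCertificateException with type {@code CERT_NOT_AVAILABLE} when the secret store has no
     *                                      such secret, and {@code VERIFICATION_FAILURE} for any other problem;
     *                                      every failure is logged at WARNING except the not-available case
     */
    @Override // com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateValidator
    public void validate(EndpointCertificateMetadata endpointCertificateMetadata, String str, ZoneId zoneId, List<String> list) {
        try {
            String pem = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
            if (pem == null) {
                throw verificationFailure("Secret store returned null for certificate");
            }
            List<X509Certificate> chain = X509CertificateUtils.certificateListFromPem(pem);
            if (chain.isEmpty()) {
                throw verificationFailure("Empty certificate list");
            }
            if (chain.size() < 2) {
                throw verificationFailure("Only a single certificate found in chain - intermediate certificates likely missing");
            }
            verifyValidityPeriods(chain, clock.instant());
            verifyRequiredDnsNames(chain.get(0), list, zoneId);
        } catch (SecretNotFoundException e) {
            // Not logged here — presumably a certificate that is not yet provisioned is an expected state
            // rather than a validation failure. The cause is kept so callers can see where it came from.
            throw new EndpointCertificateException(EndpointCertificateException.Type.CERT_NOT_AVAILABLE, "Certificate not found in secret store", e);
        } catch (EndpointCertificateException e) {
            log.log(Level.WARNING, "Certificate validation failure for " + str, e);
            throw e;
        } catch (Exception e) {
            log.log(Level.WARNING, "Certificate validation failure for " + str, e);
            throw new EndpointCertificateException(EndpointCertificateException.Type.VERIFICATION_FAILURE, "Certificate validation failure for app " + str, e);
        }
    }

    /** Rejects the chain if any certificate in it is not within its validity window at {@code now}. */
    private static void verifyValidityPeriods(List<X509Certificate> chain, Instant now) {
        for (X509Certificate certificate : chain) {
            if (now.isBefore(certificate.getNotBefore().toInstant())) {
                throw verificationFailure("Certificate is not yet valid");
            }
            if (now.isAfter(certificate.getNotAfter().toInstant())) {
                throw verificationFailure("Certificate has expired");
            }
        }
    }

    /**
     * Rejects the leaf certificate unless its DNS subject alternative names cover every name in
     * {@code requiredNames}. Only DNS-type SANs are considered; other SAN types are ignored.
     */
    private static void verifyRequiredDnsNames(X509Certificate leaf, List<String> requiredNames, ZoneId zoneId) {
        Set<String> dnsNames = X509CertificateUtils.getSubjectAlternativeNames(leaf).stream()
                .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME))
                .map(SubjectAlternativeName::getValue)
                .collect(Collectors.toSet());
        if (!dnsNames.containsAll(requiredNames)) {
            throw verificationFailure("Certificate is missing required SANs for zone " + zoneId.value());
        }
    }

    /** Builds the {@code VERIFICATION_FAILURE} exception used for every content check above. */
    private static EndpointCertificateException verificationFailure(String message) {
        return new EndpointCertificateException(EndpointCertificateException.Type.VERIFICATION_FAILURE, message);
    }
}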
