package io.r2dbc.mssql.client.ssl;

import java.net.IDN;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.function.Predicate;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.util.annotation.Nullable;

/* loaded from: input_file:io/r2dbc/mssql/client/ssl/ExpectedHostnameX509TrustManager.class */
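/**
 * {@link X509TrustManager} decorator that adds server-name verification on top of a delegate
 * trust manager.
 *
 * <p>Chain trust (issuer, validity, signature) is left entirely to the delegate. This class only
 * adds a check that the leaf certificate names the host the client intended to reach, which the
 * {@link X509TrustManager} contract does not include. Without that check, any certificate issued
 * by a trusted CA for any host would be accepted.
 *
 * <p>Client-certificate checks and accepted issuers are forwarded to the delegate unchanged.
 */
final class ExpectedHostnameX509TrustManager implements X509TrustManager {
    // NOTE(review): the logger category is TdsSslHandler, not this class, so these messages are
    // enabled and filtered under that name. Left as is; confirm whether it is intentional.
    private static final Logger logger = LoggerFactory.getLogger(TdsSslHandler.class);
    private final X509TrustManager defaultTrustManager;
    private final String expectedHostName;
    private final Predicate<String> matcher;

    /**
     * Creates a trust manager that verifies certificates against {@code expectedHostName}.
     *
     * @param defaultTrustManager delegate that performs the certificate chain validation
     * @param expectedHostName    host name the server certificate must match; also used to build
     *                            the matching predicate via {@code HostNamePredicate.of}
     */
    public ExpectedHostnameX509TrustManager(X509TrustManager defaultTrustManager, String expectedHostName) {
        this.defaultTrustManager = defaultTrustManager;
        this.expectedHostName = expectedHostName;
        this.matcher = HostNamePredicate.of(expectedHostName);
    }

    /**
     * Forwards client-certificate validation to the delegate. No name check is applied here.
     *
     * @throws CertificateException if the delegate rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (logger.isDebugEnabled()) {
            logger.debug("Forwarding ClientTrusted");
        }
        this.defaultTrustManager.checkClientTrusted(chain, authType);
    }

    /**
     * Validates the server chain with the delegate, then verifies that the leaf certificate
     * ({@code chain[0]}) matches the expected host name.
     *
     * @param chain    peer certificate chain, leaf first
     * @param authType key exchange algorithm, passed through to the delegate
     * @throws CertificateException if the delegate rejects the chain, if no leaf certificate is
     *                              available, or if no name in the leaf matches the expected host
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (logger.isDebugEnabled()) {
            logger.debug("Forwarding ServerTrusted");
        }
        // Chain trust must be established first; the name check below means nothing for a
        // certificate whose issuer has not been verified.
        this.defaultTrustManager.checkServerTrusted(chain, authType);

        // Fail closed with a checked exception if a permissive delegate accepted a null or empty
        // chain; otherwise the index below would raise an unchecked exception during the handshake.
        if (chain == null || chain.length == 0 || chain[0] == null) {
            throw new CertificateException("Server certificate chain is empty; cannot validate server name");
        }

        if (logger.isDebugEnabled()) {
            logger.debug("ServerTrusted succeeded proceeding with server name validation");
        }
        validateServerNameInCertificate(chain[0]);
    }

    /** Returns the delegate's accepted issuers unchanged. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.defaultTrustManager.getAcceptedIssuers();
    }

    /**
     * Accepts the certificate if its subject host name, or failing that any subject alternative
     * name, matches the expected host.
     *
     * <p>NOTE(review): the subject name is tried before the subject alternative names, and it can
     * satisfy the check even when SAN entries are present. RFC 6125 says the common name must not
     * be consulted when the certificate carries DNS SAN entries. Whether
     * {@code X509CertificateUtil.getSubjectAlternativeNames} restricts itself to dNSName entries
     * is not visible here. Confirm before tightening.
     *
     * @throws CertificateException if no name in the certificate matches
     */
    private void validateServerNameInCertificate(X509Certificate certificate) throws CertificateException {
        String hostName = X509CertificateUtil.getHostName(certificate);
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("Expecting server name: [%s]", this.expectedHostName));
            logger.debug(String.format("Name in certificate: [%s]", hostName));
        }

        boolean matched = validateServerName(hostName);
        if (!matched) {
            // SANs are only read when the subject name did not match.
            Iterator<String> alternativeNames = X509CertificateUtil.getSubjectAlternativeNames(certificate).iterator();
            while (!matched && alternativeNames.hasNext()) {
                matched = validateServerName(alternativeNames.next());
            }
        }

        if (!matched) {
            // The message reports the subject host name only, not the SAN entries that were tried.
            throw new CertificateException(String.format("Cannot validate certificate: %s", hostName));
        }
    }

    /**
     * Tests a single certificate name against the expected-host predicate.
     *
     * <p>NOTE(review): Punycode is decoded only when the whole name starts with {@code xn--}. A
     * name whose first label is plain ASCII but which has a later {@code xn--} label reaches the
     * matcher undecoded. Which form {@code HostNamePredicate} expects is not visible here, so
     * confirm the two sides are compared in the same form.
     *
     * @param nameInCertificate name taken from the certificate; {@code null} never matches
     * @return {@code true} if the predicate accepts the (possibly decoded) name
     */
    private boolean validateServerName(@Nullable String nameInCertificate) {
        if (nameInCertificate == null) {
            return false;
        }
        String candidate = nameInCertificate.startsWith("xn--") ? IDN.toUnicode(nameInCertificate) : nameInCertificate;
        boolean matches = this.matcher.test(candidate);
        if (matches) {
            logSuccessMessage(candidate);
        } else {
            logFailMessage(candidate);
        }
        return matches;
    }

    /** Logs, at debug level, that a certificate name did not match the expected host. */
    private void logFailMessage(String nameInCertificate) {
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("The name in certificate [%s] does not match with the server name [%s].", nameInCertificate, this.expectedHostName));
        }
    }

    /** Logs, at debug level, that a certificate name matched the expected host. */
    private void logSuccessMessage(String nameInCertificate) {
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("The name in certificate [%s] validated against server name [%s].", nameInCertificate, this.expectedHostName));
        }
    }
}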
