package io.asyncer.r2dbc.mysql.client;

import io.asyncer.r2dbc.mysql.util.AddressUtils;
import io.asyncer.r2dbc.mysql.util.AssertUtils;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import reactor.util.Logger;
import reactor.util.Loggers;

/* loaded from: input_file:io/asyncer/r2dbc/mysql/client/DefaultHostnameVerifier.class */
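/**
 * A {@link HostnameVerifier} that checks the requested host against the identities presented by
 * the peer's leaf certificate.
 * <p>
 * The Subject Alternative Names (SAN) of type dNSName and iPAddress are used when at least one
 * usable entry exists; otherwise the subject Common Name (CN) is used. Every failure path returns
 * {@code false}, so an unverifiable peer is rejected rather than accepted.
 * <p>
 * NOTE(review): the CN fallback is taken whenever {@link #extractSans} yields no entries. That
 * includes certificates whose SAN extension exists but failed to parse or held only other name
 * types, and it is applied to IP-literal hosts as well as DNS names. CN-based identity checking is
 * deprecated by RFC 6125; confirm whether this fallback is still wanted.
 * <p>
 * Host names, SAN values and CN values are written to the log as received; the latter two come
 * from the peer certificate.
 */
final class DefaultHostnameVerifier implements HostnameVerifier {
    static final DefaultHostnameVerifier INSTANCE = new DefaultHostnameVerifier();
    private static final Logger logger = Loggers.getLogger(DefaultHostnameVerifier.class);
    // Evaluated once at class initialisation; a later change of the log level is not picked up.
    private static final boolean LOG_DEBUG = logger.isDebugEnabled();
    private static final String COMMON_NAME = "CN";

    // Host kinds returned by determineHostType.
    private static final int DNS = 0;
    private static final int IP_V4 = 1;
    private static final int IP_V6 = 2;

    // GeneralName tags (RFC 5280) as reported by X509Certificate.getSubjectAlternativeNames().
    private static final int SAN_DNS_NAME = 2;
    private static final int SAN_IP_ADDRESS = 7;

    private DefaultHostnameVerifier() {
    }

    /**
     * Verifies that {@code str} is an identity of the peer of {@code sSLSession}.
     *
     * @param str        the host the client intended to reach, must not be null
     * @param sSLSession the established TLS session, must not be null
     * @return {@code true} only if the first peer certificate is an {@link X509Certificate} whose
     *         SAN entries (or, without usable SAN entries, whose CN) match the host
     */
    @Override
    public boolean verify(String str, SSLSession sSLSession) {
        AssertUtils.requireNonNull(str, "host must not be null");
        AssertUtils.requireNonNull(sSLSession, "session must not be null");

        Certificate[] chain;
        try {
            chain = sSLSession.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            logger.error("Load peer certificates failed", e);
            return false;
        }

        if (chain.length == 0) {
            return false;
        }

        // Only the leaf certificate carries the server identity.
        Certificate leaf = chain[0];
        if (!(leaf instanceof X509Certificate)) {
            logger.warn("Certificate for '{}' must be X509Certificate (not javax) instead of {}", str, leaf.getClass());
            return false;
        }

        X509Certificate cert = (X509Certificate) leaf;
        List<San> sans = extractSans(cert);
        if (sans.isEmpty()) {
            return matchCn(str, cert);
        }

        switch (determineHostType(str)) {
            case IP_V4:
                return matchIpv4(str, sans);
            case IP_V6:
                return matchIpv6(str, sans);
            default:
                return matchDns(str, sans);
        }
    }

    /**
     * Matches an IPv4 host against the iPAddress SAN entries by exact string comparison.
     */
    private static boolean matchIpv4(String host, List<San> sans) {
        for (San san : sans) {
            if (SAN_IP_ADDRESS == san.getType() && host.equals(san.getValue())) {
                if (LOG_DEBUG) {
                    logger.debug("Certificate for '{}' matched IPv4 '{}' of the Subject Alternative Names", host, san.getValue());
                }
                return true;
            }
        }
        logger.warn("Certificate for '{}' does not match any Subject Alternative Names: {}", host, sans);
        return false;
    }

    /**
     * Matches an IPv6 host against the iPAddress SAN entries after normalising both sides, so
     * that different textual spellings of the same address compare equal.
     */
    private static boolean matchIpv6(String host, List<San> sans) {
        String normalisedHost = normaliseIpv6(host);
        for (San san : sans) {
            if (SAN_IP_ADDRESS == san.getType() && normalisedHost.equals(normaliseIpv6(san.getValue()))) {
                if (LOG_DEBUG) {
                    logger.debug("Certificate for '{}' matched IPv6 '{}' of the Subject Alternative Names", host, san.getValue());
                }
                return true;
            }
        }
        logger.warn("Certificate for '{}' does not match any Subject Alternative Names: {}", host, sans);
        return false;
    }

    /**
     * Matches a DNS host against the dNSName SAN entries. An empty host, a host with a leading
     * dot, or one ending in two dots is rejected before any comparison.
     */
    private static boolean matchDns(String host, List<San> sans) {
        if (host.isEmpty() || host.charAt(0) == '.' || host.endsWith("..")) {
            logger.warn("Certificate for '{}' cannot match because it is invalid", host);
            return false;
        }
        for (San san : sans) {
            if (SAN_DNS_NAME == san.getType() && matchHost(host, san.getValue())) {
                if (LOG_DEBUG) {
                    logger.debug("Certificate for '{}' matched DNS '{}' of the Subject Alternative Names", host, san.getValue());
                }
                return true;
            }
        }
        logger.warn("Certificate for '{}' does not match any Subject Alternative Names: {}", host, sans);
        return false;
    }

    /**
     * Matches the host against the subject Common Name of the certificate.
     * <p>
     * The first CN found in {@link LdapName#getRdns()} order is used; element 0 of that list is
     * the right-most RDN of the RFC 2253 string. NOTE(review): for a subject with several CN
     * attributes this is not necessarily the most specific one; confirm the intended choice.
     */
    private static boolean matchCn(String host, X509Certificate cert) {
        String commonName = null;
        try {
            LdapName subject = new LdapName(cert.getSubjectX500Principal().getName("RFC2253"));
            for (Rdn rdn : subject.getRdns()) {
                if (COMMON_NAME.equalsIgnoreCase(rdn.getType())) {
                    commonName = rdn.getValue().toString();
                    break;
                }
            }
        } catch (InvalidNameException e) {
            logger.error("LDAP name parse failed", e);
            return false;
        }

        if (commonName == null) {
            logger.warn("Certificate for '{}' does not contain the Common Name", host);
            return false;
        }

        boolean invalidHost = host.isEmpty() || host.charAt(0) == '.' || host.endsWith("..");
        if (invalidHost || !matchHost(host, commonName)) {
            logger.warn("Certificate for '{}' does not match the Common Name: {}", host, commonName);
            return false;
        }

        if (LOG_DEBUG) {
            logger.debug("Certificate for '{}' matched by Common Name '{}'", host, commonName);
        }
        return true;
    }

    /**
     * Compares a host with a certificate name that may contain one {@code '*'} wildcard.
     * <p>
     * Without a wildcard the comparison is a case-insensitive equality check. With a wildcard,
     * the text before and after the first {@code '*'} must match the host's prefix and suffix,
     * the wildcard must cover at least one character, and the covered part must not contain a
     * dot, so a wildcard never spans more than one label.
     * <p>
     * NOTE(review): the wildcard is accepted at any position (not only as the whole left-most
     * label) and the suffix is not checked against registry-controlled domains, so a name such
     * as {@code *.com} is honoured if a certificate carries it.
     */
    private static boolean matchHost(String host, String pattern) {
        if (pattern.isEmpty() || pattern.charAt(0) == '.' || pattern.endsWith("..")) {
            return false;
        }

        int asterisk = pattern.indexOf('*');
        if (asterisk < 0) {
            return host.equalsIgnoreCase(pattern);
        }

        int patternLength = pattern.length();
        if (patternLength == 1) {
            // A bare "*" would match every identity.
            logger.warn("Certificate cannot signature as {} for match all identities", pattern);
            return false;
        }

        int suffixLength = patternLength - asterisk - 1;
        int wildcardEnd = host.length() - suffixLength;
        if (wildcardEnd <= asterisk) {
            // The host is too short for the wildcard to cover at least one character.
            return false;
        }

        String lowerHost = host.toLowerCase(Locale.ROOT);
        String lowerPattern = pattern.toLowerCase(Locale.ROOT);

        if (asterisk > 0 && !lowerHost.startsWith(lowerPattern.substring(0, asterisk))) {
            return false;
        }
        if (suffixLength > 0 && !lowerHost.endsWith(lowerPattern.substring(asterisk + 1))) {
            return false;
        }

        return !host.substring(asterisk, wildcardEnd).contains(".");
    }

    /**
     * Collects the dNSName and iPAddress SAN entries whose value is a {@link String}.
     * <p>
     * Entries of other types, entries with an unparsable type, and entries whose value is not a
     * string are logged and skipped. A parsing failure of the extension yields an empty list,
     * which makes {@link #verify} fall back to the Common Name.
     */
    private static List<San> extractSans(X509Certificate cert) {
        Collection<List<?>> pairs;
        try {
            pairs = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            logger.warn("Load Subject Alternative Names from Certificate failed", e);
            return Collections.emptyList();
        }

        if (pairs == null || pairs.isEmpty()) {
            return Collections.emptyList();
        }

        List<San> sans = new ArrayList<>();
        for (List<?> pair : pairs) {
            if (pair == null || pair.size() < 2) {
                continue;
            }

            Object rawType = pair.get(0);
            if (rawType == null) {
                continue;
            }

            int type;
            if (rawType instanceof Integer) {
                type = (Integer) rawType;
            } else {
                try {
                    type = Integer.parseInt(rawType.toString());
                } catch (NumberFormatException e) {
                    logger.info("Unknown SAN type {}", rawType);
                    // Skip the entry: without this the type would be used unassigned.
                    continue;
                }
            }

            if (SAN_DNS_NAME != type && SAN_IP_ADDRESS != type) {
                logger.warn("Certificate contains an unknown type of Subject Alternative Names: {}", type);
                continue;
            }

            Object value = pair.get(1);
            if (value instanceof String) {
                sans.add(new San((String) value, type));
            } else if (value instanceof byte[]) {
                logger.warn("Certificate contains an ASN.1 DER encoded form but DER is unsupported now");
            } else if (logger.isWarnEnabled()) {
                // A null value is reported as null instead of failing on getClass().
                logger.warn("Certificate contains an unknown value of Subject Alternative Names: {}",
                    value == null ? null : value.getClass());
            }
        }
        return sans;
    }

    /**
     * Returns the canonical textual form of an address, or the input unchanged when
     * {@link InetAddress#getByName(String)} rejects it.
     */
    private static String normaliseIpv6(String address) {
        try {
            return InetAddress.getByName(address).getHostAddress();
        } catch (UnknownHostException e) {
            return address;
        }
    }

    /**
     * Classifies the host as {@link #IP_V4}, {@link #IP_V6} or {@link #DNS}. An IPv6 literal may
     * be wrapped in square brackets. An empty host is classified as {@link #DNS}, so that it is
     * rejected by {@link #matchDns} instead of failing on {@code charAt(0)}.
     */
    private static int determineHostType(String host) {
        if (host.isEmpty()) {
            return DNS;
        }
        if (AddressUtils.isIpv4(host)) {
            return IP_V4;
        }

        int last = host.length() - 1;
        boolean bracketed = host.charAt(0) == '[' && host.charAt(last) == ']';
        String candidate = bracketed ? host.substring(1, last) : host;
        return AddressUtils.isIpv6(candidate) ? IP_V6 : DNS;
    }
}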
