package play.api.libs.ws.ssl;

import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.joda.time.DateTime;
import org.joda.time.Interval;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.Option;
import scala.Predef$;
import scala.StringContext;
import scala.collection.JavaConverters$;
import scala.collection.TraversableLike;
import scala.collection.immutable.Map;
import scala.collection.immutable.Set;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.runtime.ObjectRef;

/* compiled from: AlgorithmChecker.scala */
@ScalaSignature(bytes = "\u0006\u0001\u00055c\u0001B\u0001\u0003\u00015\u0011\u0001#\u00117h_JLG\u000f[7DQ\u0016\u001c7.\u001a:\u000b\u0005\r!\u0011aA:tY*\u0011QAB\u0001\u0003oNT!a\u0002\u0005\u0002\t1L'm\u001d\u0006\u0003\u0013)\t1!\u00199j\u0015\u0005Y\u0011\u0001\u00029mCf\u001c\u0001a\u0005\u0002\u0001\u001dA\u0011qBF\u0007\u0002!)\u0011\u0011CE\u0001\u0005G\u0016\u0014HO\u0003\u0002\u0014)\u0005A1/Z2ve&$\u0018PC\u0001\u0016\u0003\u0011Q\u0017M^1\n\u0005]\u0001\"a\u0005)L\u0013b\u001bUM\u001d;QCRD7\t[3dW\u0016\u0014\b\u0002C\r\u0001\u0005\u000b\u0007I\u0011\u0001\u000e\u0002)MLwM\\1ukJ,7i\u001c8tiJ\f\u0017N\u001c;t+\u0005Y\u0002c\u0001\u000f#K9\u0011Q\u0004I\u0007\u0002=)\tq$A\u0003tG\u0006d\u0017-\u0003\u0002\"=\u00051\u0001K]3eK\u001aL!a\t\u0013\u0003\u0007M+GO\u0003\u0002\"=A\u0011aeJ\u0007\u0002\u0005%\u0011\u0001F\u0001\u0002\u0014\u00032<wN]5uQ6\u001cuN\\:ue\u0006Lg\u000e\u001e\u0005\tU\u0001\u0011\t\u0011)A\u00057\u0005)2/[4oCR,(/Z\"p]N$(/Y5oiN\u0004\u0003\u0002\u0003\u0017\u0001\u0005\u000b\u0007I\u0011\u0001\u000e\u0002\u001d-,\u0017pQ8ogR\u0014\u0018-\u001b8ug\"Aa\u0006\u0001B\u0001B\u0003%1$A\blKf\u001cuN\\:ue\u0006Lg\u000e^:!\u0011\u0015\u0001\u0004\u0001\"\u00012\u0003\u0019a\u0014N\\5u}Q\u0019!g\r\u001b\u0011\u0005\u0019\u0002\u0001\"B\r0\u0001\u0004Y\u0002\"\u0002\u00170\u0001\u0004Y\u0002b\u0002\u001c\u0001\u0005\u0004%IaN\u0001\u0007Y><w-\u001a:\u0016\u0003a\u0002\"!\u000f 
\u000e\u0003iR!a\u000f\u001f\u0002\u000bMdg\r\u000e6\u000b\u0003u\n1a\u001c:h\u0013\ty$H\u0001\u0004M_\u001e<WM\u001d\u0005\u0007\u0003\u0002\u0001\u000b\u0011\u0002\u001d\u0002\u000f1|wmZ3sA!91\t\u0001b\u0001\n\u0013!\u0015aF:jO:\fG/\u001e:f\u0007>t7\u000f\u001e:bS:$8/T1q+\u0005)\u0005\u0003\u0002\u000fG\u0011\u0016J!a\u0012\u0013\u0003\u00075\u000b\u0007\u000f\u0005\u0002\u001d\u0013&\u0011!\n\n\u0002\u0007'R\u0014\u0018N\\4\t\r1\u0003\u0001\u0015!\u0003F\u0003a\u0019\u0018n\u001a8biV\u0014XmQ8ogR\u0014\u0018-\u001b8ug6\u000b\u0007\u000f\t\u0005\b\u001d\u0002\u0011\r\u0011\"\u0003E\u0003EYW-_\"p]N$(/Y5oiNl\u0015\r\u001d\u0005\u0007!\u0002\u0001\u000b\u0011B#\u0002%-,\u0017pQ8ogR\u0014\u0018-\u001b8ug6\u000b\u0007\u000f\t\u0005\u0006%\u0002!\taU\u0001\u001bSN4uN]<be\u0012\u001c\u0005.Z2lS:<7+\u001e9q_J$X\r\u001a\u000b\u0002)B\u0011Q$V\u0005\u0003-z\u0011qAQ8pY\u0016\fg\u000eC\u0003Y\u0001\u0011\u0005\u0011,\u0001\fhKR\u001cV\u000f\u001d9peR,G-\u0012=uK:\u001c\u0018n\u001c8t)\u0005Q\u0006cA._\u00116\tAL\u0003\u0002^)\u0005!Q\u000f^5m\u0013\t\u0019C\fC\u0003a\u0001\u0011\u0005\u0011-\u0001\u0003j]&$HC\u00012f!\ti2-\u0003\u0002e=\t!QK\\5u\u0011\u00151w\f1\u0001U\u0003\u001d1wN]<be\u0012DQ\u0001\u001b\u0001\u0005\u0002%\fqCZ5oINKwM\\1ukJ,7i\u001c8tiJ\f\u0017N\u001c;\u0015\u0005)l\u0007cA\u000flK%\u0011AN\b\u0002\u0007\u001fB$\u0018n\u001c8\t\u000b9<\u0007\u0019\u0001%\u0002\u0013\u0005dwm\u001c:ji\"l\u0007\"\u00029\u0001\t\u0003\t\u0018!\u00054j]\u0012\\U-_\"p]N$(/Y5oiR\u0011!N\u001d\u0005\u0006]>\u0004\r\u0001\u0013\u0005\u0006i\u0002!\t!^\u0001\u0019G\",7m[*jO:\fG/\u001e:f\u00032<wN]5uQ6\u001cHC\u00012w\u0011\u001598\u000f1\u0001y\u0003!AX\u0007M\u001dDKJ$\bCA\bz\u0013\tQ\bCA\bYkAJ4)\u001a:uS\u001aL7-\u0019;f\u0011\u0015a\b\u0001\"\u0001~\u0003I\u0019\u0007.Z2l\u0017\u0016L\u0018\t\\4pe&$\b.\\:\u0015\u0005\tt\b\"B<|\u0001\u0004A\bbBA\u0001\u0001\u0011\u0005\u00111A\u0001\u0006G\",7m\u001b\u000b\u0006E\u0006\u0015\u0011Q\u0002\u0005\u0007#}\u0004\r!a\u0002\u0011\u0007
=\tI!C\u0002\u0002\fA\u00111bQ3si&4\u0017nY1uK\"9\u0011qB@A\u0002\u0005E\u0011AE;oe\u0016\u001cx\u000e\u001c<fI\u000e\u0013\u0018\u000e^#yiN\u0004BaWA\n\u0011&\u0019\u0011Q\u0003/\u0003\u0015\r{G\u000e\\3di&|g\u000eC\u0004\u0002\u001a\u0001!\t!a\u0007\u00029M,hn]3u'\"\u000b\u0015gU5h]\u0006$XO]3BY\u001e|'/\u001b;i[R\u0019!-!\b\t\r]\f9\u00021\u0001y\u0011\u001d\t\t\u0003\u0001C\u0001\u0003G\tA\"\u001b8g_>s7+\u001e8tKR$RAYA\u0013\u0003OAaa^A\u0010\u0001\u0004A\b\u0002CA\u0015\u0003?\u0001\r!a\u000b\u0002\u001d\u0015D\b/\u001b:bi&|g\u000eR1uKB!\u0011QFA\u001c\u001b\t\tyC\u0003\u0003\u00022\u0005M\u0012\u0001\u0002;j[\u0016T1!!\u000e=\u0003\u0011Qw\u000eZ1\n\t\u0005e\u0012q\u0006\u0002\t\t\u0006$X\rV5nK\"9\u0011Q\b\u0001\u0005\u0002\u0005}\u0012\u0001D<be:|enU;og\u0016$H#\u00022\u0002B\u0005\r\u0003BB<\u0002<\u0001\u0007\u0001\u0010\u0003\u0005\u0002*\u0005m\u0002\u0019AA\u0016\u0011\u001d\t9\u0005\u0001C\u0001\u0003\u0013\nQbZ3u\u0007>lWn\u001c8OC6,Gc\u0001%\u0002L!1\u0011#!\u0012A\u0002a\u0004")
/* loaded from: input_file:play/api/libs/ws/ssl/AlgorithmChecker.class */
/*
 * PKIX certificate-path checker that inspects each X.509 certificate's signature algorithm and
 * public-key algorithm/size against two sets of AlgorithmConstraint values, and logs advisory
 * messages about SHA-1 signed certificates.
 *
 * This is decompiled output of a Scala class: Set, Map and Option below are the Scala types
 * imported at the top of the file, and the per-algorithm decisions live in closure classes
 * (AlgorithmChecker$$anonfun$...) that are not part of this listing. What those closures accept or
 * reject cannot be read from here.
 *
 * NOTE(review): subject names and other certificate fields are copied into log messages; on a
 * client these come from the remote peer's certificate, so treat them as untrusted text in
 * whatever consumes the logs.
 */
public class AlgorithmChecker extends PKIXCertPathChecker {
    // Constraints passed to the constructor; applied to signature and key algorithms respectively.
    private final Set<AlgorithmConstraint> signatureConstraints;
    private final Set<AlgorithmConstraint> keyConstraints;
    // Mangled Scala name; the logger is named after the runtime class (getClass()).
    private final Logger play$api$libs$ws$ssl$AlgorithmChecker$$logger = LoggerFactory.getLogger(getClass());
    // String-keyed lookups derived from the two sets in the constructor.
    // presumably keyed by algorithm name -- the key function is in a closure not shown here.
    private final Map<String, AlgorithmConstraint> signatureConstraintsMap;
    private final Map<String, AlgorithmConstraint> keyConstraintsMap;

    /** Returns the signature-algorithm constraints given to the constructor. */
    public Set<AlgorithmConstraint> signatureConstraints() {
        return this.signatureConstraints;
    }

    /** Returns the key-algorithm constraints given to the constructor. */
    public Set<AlgorithmConstraint> keyConstraints() {
        return this.keyConstraints;
    }

    /**
     * Returns the logger. Public with a mangled name; presumably so the generated closure classes
     * can reach it (they receive {@code this} as an argument).
     */
    public Logger play$api$libs$ws$ssl$AlgorithmChecker$$logger() {
        return this.play$api$libs$ws$ssl$AlgorithmChecker$$logger;
    }

    /** Returns the String-keyed view of the signature constraints. */
    private Map<String, AlgorithmConstraint> signatureConstraintsMap() {
        return this.signatureConstraintsMap;
    }

    /** Returns the String-keyed view of the key constraints. */
    private Map<String, AlgorithmConstraint> keyConstraintsMap() {
        return this.keyConstraintsMap;
    }

    /** Always {@code false}; {@link #init(boolean)} rejects forward checking to match. */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Returns an empty set: this checker claims no certificate extensions, and
     * {@link #check(Certificate, Collection)} never touches the unresolved-critical-extension
     * collection it is handed.
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public java.util.Set<String> getSupportedExtensions() {
        return Collections.emptySet();
    }

    /**
     * Logs the requested direction at debug level and refuses forward checking.
     *
     * @param z {@code true} when the validator asks for forward checking
     * @throws CertPathValidatorException when {@code z} is {@code true}; the decompiled signature
     *     carries no {@code throws} clause because the Scala original does not declare one
     */
    @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
    public void init(boolean z) {
        play$api$libs$ws$ssl$AlgorithmChecker$$logger().debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"init: forward = ", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{BoxesRunTime.boxToBoolean(z)})));
        if (z) {
            throw new CertPathValidatorException("Forward checking not supported");
        }
    }

    /**
     * Looks up a signature constraint by exact map key.
     *
     * @param str key to look up
     * @return the matching constraint, or an empty Option when the map has no such key
     */
    public Option<AlgorithmConstraint> findSignatureConstraint(String str) {
        return signatureConstraintsMap().get(str);
    }

    /**
     * Looks up a key constraint by exact map key.
     *
     * @param str key to look up
     * @return the matching constraint, or an empty Option when the map has no such key
     */
    public Option<AlgorithmConstraint> findKeyConstraint(String str) {
        return keyConstraintsMap().get(str);
    }

    /**
     * Splits the certificate's signature algorithm name into parts and hands each part to a
     * closure together with the certificate.
     *
     * NOTE(review): the closure body is not in this listing; presumably it consults
     * findSignatureConstraint and fails validation on a match -- confirm against the original
     * Scala source before relying on it.
     *
     * @param x509Certificate certificate whose signature algorithm is examined
     */
    public void checkSignatureAlgorithms(X509Certificate x509Certificate) {
        String sigAlgName = x509Certificate.getSigAlgName();
        Set<String> decomposes = Algorithms$.MODULE$.decomposes(sigAlgName);
        // The debug message prints sigAlgName twice under the same label.
        play$api$libs$ws$ssl$AlgorithmChecker$$logger().debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"checkSignatureAlgorithms: sigAlgName = ", ", sigAlgName = ", ", sigAlgorithms = ", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{sigAlgName, sigAlgName, decomposes})));
        decomposes.foreach(new AlgorithmChecker$$anonfun$checkSignatureAlgorithms$1(this, x509Certificate));
    }

    /**
     * Reads the certificate's public key, determines its size, splits the key algorithm name into
     * parts and hands each part to a closure together with the certificate and the key size.
     *
     * NOTE(review): two things are decided outside this listing -- what happens when
     * Algorithms.keySize yields no value (AlgorithmChecker$$anonfun$3 supplies the fallback), and
     * how each algorithm part is judged against the key constraints. Verify both; a permissive
     * fallback size would weaken the key-length check.
     *
     * @param x509Certificate certificate whose public key is examined
     */
    public void checkKeyAlgorithms(X509Certificate x509Certificate) {
        PublicKey publicKey = x509Certificate.getPublicKey();
        String algorithm = publicKey.getAlgorithm();
        int unboxToInt = BoxesRunTime.unboxToInt(Algorithms$.MODULE$.keySize(publicKey).getOrElse(new AlgorithmChecker$$anonfun$3(this, publicKey)));
        Set<String> decomposes = Algorithms$.MODULE$.decomposes(algorithm);
        play$api$libs$ws$ssl$AlgorithmChecker$$logger().debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"checkKeyAlgorithms: keyAlgorithmName = ", ", keySize = ", ", keyAlgorithms = ", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{algorithm, BoxesRunTime.boxToInteger(unboxToInt), decomposes})));
        decomposes.foreach(new AlgorithmChecker$$anonfun$checkKeyAlgorithms$1(this, x509Certificate, unboxToInt));
    }

    /**
     * Entry point called by the path validator for one certificate: logs its identity, runs the
     * SHA-1 advisory, then the signature-algorithm and key-algorithm checks, in that order.
     *
     * @param certificate certificate to examine; must be an X509Certificate
     * @param collection unresolved critical extensions; not read or modified here
     * @throws UnsupportedOperationException when {@code certificate} is not an X509Certificate.
     *     This is unchecked, so callers that only handle CertPathValidatorException will not
     *     catch it.
     */
    @Override // java.security.cert.PKIXCertPathChecker
    public void check(Certificate certificate, Collection<String> collection) {
        if (!(certificate instanceof X509Certificate)) {
            throw new UnsupportedOperationException("check only works with x509 certificates!");
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;
        // The message is assembled before debug() is called, so its arguments are evaluated even
        // when debug logging is off; getSubjectAlternativeNames() can throw on an undecodable
        // extension, which would surface here, ahead of the algorithm checks.
        play$api$libs$ws$ssl$AlgorithmChecker$$logger().debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"check: checking certificate commonName = ", ", subjAltName = ", ", certName = ", ", expirationDate = ", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{getCommonName(x509Certificate), x509Certificate.getSubjectAlternativeNames(), x509Certificate.getSubjectX500Principal().getName(), new DateTime(x509Certificate.getNotAfter().getTime())})));
        sunsetSHA1SignatureAlgorithm(x509Certificate);
        checkSignatureAlgorithms(x509Certificate);
        checkKeyAlgorithms(x509Certificate);
        // Unused local: the Scala Unit value, left behind by the decompiler.
        BoxedUnit boxedUnit = BoxedUnit.UNIT;
    }

    /**
     * Logs an advisory when a SHA-1 signed certificate expires in the sunset period. This method
     * only logs; nothing in it rejects the certificate, so whether SHA-1 is actually refused
     * depends on the signature constraints applied by checkSignatureAlgorithms.
     *
     * Expiry (notAfter) handling, using dates built in the JVM's default time zone:
     * from 2016-06-01 00:00 up to but excluding 2016-12-31 00:00 an info message is logged; at or
     * after 2017-01-01 00:00 a warning is logged. An expiry during 2016-12-31 itself, or before
     * 2016-06-01, produces no message because a Joda Interval excludes its end instant.
     *
     * @param x509Certificate certificate whose signature algorithm and expiry are examined
     */
    public void sunsetSHA1SignatureAlgorithm(X509Certificate x509Certificate) {
        Set<String> decomposes = Algorithms$.MODULE$.decomposes(x509Certificate.getSigAlgName());
        // Both spellings are tested against the decomposed algorithm-name parts.
        if (decomposes.contains("SHA1") || decomposes.contains("SHA-1")) {
            Interval interval = new Interval(new DateTime(2016, 6, 1, 0, 0, 0, 0), new DateTime(2016, 12, 31, 0, 0, 0, 0));
            DateTime dateTime = new DateTime(x509Certificate.getNotAfter().getTime());
            if (interval.contains(dateTime)) {
                infoOnSunset(x509Certificate, dateTime);
            }
            DateTime dateTime2 = new DateTime(2017, 1, 1, 0, 0, 0, 0);
            if (dateTime2.isEqual(dateTime) || dateTime2.isBefore(dateTime)) {
                warnOnSunset(x509Certificate, dateTime);
            }
        }
    }

    /**
     * Logs at info level that a SHA-1 certificate is about to expire.
     *
     * @param x509Certificate certificate whose subject name is logged
     * @param dateTime the certificate's expiry, as computed by the caller
     */
    public void infoOnSunset(X509Certificate x509Certificate, DateTime dateTime) {
        play$api$libs$ws$ssl$AlgorithmChecker$$logger().info(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"Certificate ", " uses SHA-1 and expires ", ": this certificate expires soon, but SHA-1 is being sunsetted."})).s(Predef$.MODULE$.genericWrapArray(new Object[]{x509Certificate.getSubjectX500Principal().getName(), dateTime})));
    }

    /**
     * Logs at warn level that a SHA-1 certificate should be replaced.
     *
     * @param x509Certificate certificate whose subject name is logged
     * @param dateTime the certificate's expiry, as computed by the caller
     */
    public void warnOnSunset(X509Certificate x509Certificate, DateTime dateTime) {
        play$api$libs$ws$ssl$AlgorithmChecker$$logger().warn(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"Certificate ", " uses SHA-1 and expires ", ": SHA-1 cannot be considered secure and this certificate should be replaced."})).s(Predef$.MODULE$.genericWrapArray(new Object[]{x509Certificate.getSubjectX500Principal().getName(), dateTime})));
    }

    /**
     * Extracts a name from the certificate's subject DN by parsing it as an LdapName and passing
     * its RDNs through a filter closure and a collecting closure (neither shown here; presumably
     * they select the CN attribute).
     *
     * Within this class the result is used only in the debug message of check().
     *
     * @param x509Certificate certificate whose subject is parsed
     * @return the value stored by the collecting closure; {@code null} when nothing was stored or
     *     when the subject DN cannot be parsed
     */
    public String getCommonName(X509Certificate x509Certificate) {
        try {
            LdapName ldapName = new LdapName(x509Certificate.getSubjectX500Principal().getName());
            // Mutable holder the collecting closure writes into; starts out null.
            ObjectRef create = ObjectRef.create((Object) null);
            ((TraversableLike) JavaConverters$.MODULE$.asScalaBufferConverter(ldapName.getRdns()).asScala()).withFilter(new AlgorithmChecker$$anonfun$getCommonName$1(this)).foreach(new AlgorithmChecker$$anonfun$getCommonName$2(this, create));
            return (String) create.elem;
        } catch (InvalidNameException e) {
            // A malformed subject DN is reported as "no name" rather than as an error.
            return null;
        }
    }

    /**
     * Stores the two constraint sets and builds the String-keyed lookup maps from them.
     *
     * @param set constraints for signature algorithms
     * @param set2 constraints for key algorithms
     */
    public AlgorithmChecker(Set<AlgorithmConstraint> set, Set<AlgorithmConstraint> set2) {
        this.signatureConstraints = set;
        this.keyConstraints = set2;
        // Each closure turns a constraint into a map entry; if two constraints produce the same
        // key, toMap keeps only one of them.
        this.signatureConstraintsMap = set.iterator().map(new AlgorithmChecker$$anonfun$1(this)).toMap(Predef$.MODULE$.$conforms());
        this.keyConstraintsMap = set2.iterator().map(new AlgorithmChecker$$anonfun$2(this)).toMap(Predef$.MODULE$.$conforms());
    }
}
