package com.homihq.db2rest.jdbc.config.driver;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/pg-dialect-1.6.0.jar:com/homihq/db2rest/jdbc/config/driver/EnvVarSSLSocketFactory.class */
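/**
 * {@link SSLSocketFactory} whose only trust anchor is the certificate supplied in the
 * {@code PG_CERT_CONTENT} environment variable.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The trust store is created empty and receives exactly one entry, so the platform's
 *       default CA bundle is not consulted for connections made through this factory.</li>
 *   <li>Every socket handed out has its endpoint identification algorithm set to
 *       {@code "HTTPS"}, which asks JSSE to match the server certificate against the host name
 *       during the handshake.</li>
 *   <li>Each certificate of the presented server chain is re-checked for validity period,
 *       non-empty subject and sane basic constraints after the delegate trust manager has
 *       accepted the chain.</li>
 * </ul>
 *
 * <p>The environment variable may hold Base64 text or the certificate text itself (for example
 * PEM); see {@link #decodeCertificateBytes(String)}.
 */
public class EnvVarSSLSocketFactory extends SSLSocketFactory {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(EnvVarSSLSocketFactory.class);

    /** Name of the environment variable that carries the trusted certificate. */
    private static final String CERT_ENV_VAR = "PG_CERT_CONTENT";

    /** Factory of the SSL context that trusts only {@link #cert}. */
    private final SSLSocketFactory factory;

    /** The certificate parsed from the environment variable. */
    private final X509Certificate cert;

    /**
     * Builds the factory from the certificate in {@code PG_CERT_CONTENT}.
     *
     * @throws IllegalStateException if the variable is unset or blank
     * @throws CertificateException if the content cannot be parsed or fails validation
     * @throws Exception for key store or SSL context initialisation failures
     */
    public EnvVarSSLSocketFactory() throws Exception {
        String raw = System.getenv(CERT_ENV_VAR);
        if (raw == null || raw.trim().isEmpty()) {
            throw new IllegalStateException("PG_CERT_CONTENT environment variable is not set");
        }
        this.cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(decodeCertificateBytes(raw)));
        validateCertificate(this.cert);

        // Empty key store plus a single entry: nothing else is trusted.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("postgresql", this.cert);

        TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(
                null,
                createTrustManagersWithHostnameVerification(trustManagerFactory.getTrustManagers()),
                null);
        this.factory = sslContext.getSocketFactory();
    }

    /**
     * Turns the environment value into the bytes handed to the certificate parser.
     *
     * <p>Whitespace is removed before the Base64 attempt so that line-wrapped or
     * newline-terminated Base64 is decoded instead of being passed on as raw text. PEM text
     * contains {@code '-'}, which the basic decoder rejects, so it still takes the raw-bytes
     * path unchanged.
     *
     * @param value non-blank content of the environment variable
     * @return decoded bytes, or the UTF-8 bytes of {@code value} when it is not Base64
     */
    private static byte[] decodeCertificateBytes(String value) {
        try {
            return Base64.getDecoder().decode(value.replaceAll("\\s", ""));
        } catch (IllegalArgumentException notBase64) {
            return value.getBytes(StandardCharsets.UTF_8);
        }
    }

    /**
     * Rejects certificates that are outside their validity period, have no subject name, or
     * report a malformed basic-constraints value.
     *
     * @param x509Certificate certificate to check
     * @throws CertificateException describing the first failed check
     */
    private static void validateCertificate(X509Certificate x509Certificate) throws CertificateException {
        try {
            x509Certificate.checkValidity(new Date());
        } catch (CertificateExpiredException e) {
            throw new CertificateException("Certificate has expired", e);
        } catch (CertificateNotYetValidException e) {
            throw new CertificateException("Certificate is not yet valid", e);
        }
        if (x509Certificate.getSubjectX500Principal() == null
                || x509Certificate.getSubjectX500Principal().getName().isEmpty()) {
            throw new CertificateException("Certificate has invalid subject");
        }
        // getBasicConstraints() yields -1 for a non-CA certificate and a value >= 0 for a CA,
        // so only a value below -1 is malformed. The previous message for this case repeated
        // the subject error, which would have pointed an operator at the wrong field.
        if (x509Certificate.getBasicConstraints() < -1) {
            throw new CertificateException("Certificate has invalid basic constraints");
        }
        log.debug("Certificate validated successfully:");
        log.debug("Subject: {}", x509Certificate.getSubjectX500Principal().getName());
        log.debug("Issuer: {}", x509Certificate.getIssuerX500Principal().getName());
        log.debug("Valid from: {}", x509Certificate.getNotBefore());
        log.debug("Valid until: {}", x509Certificate.getNotAfter());
    }

    /**
     * Wraps every {@link X509TrustManager} so that the server chain is additionally passed
     * through {@link #validateCertificate(X509Certificate)}; other managers are kept as they are.
     *
     * <p>Despite the name, this method performs no host name check itself. Host name matching
     * is requested separately on each socket via the endpoint identification algorithm.
     *
     * @param trustManagerArr managers produced by the trust manager factory
     * @return array of the same length with X.509 managers wrapped
     */
    private TrustManager[] createTrustManagersWithHostnameVerification(final TrustManager[] trustManagerArr) {
        TrustManager[] wrapped = new TrustManager[trustManagerArr.length];
        for (int i = 0; i < trustManagerArr.length; i++) {
            TrustManager manager = trustManagerArr[i];
            wrapped[i] = manager instanceof X509TrustManager
                    ? new ValidatingTrustManager((X509TrustManager) manager)
                    : manager;
        }
        return wrapped;
    }

    /** Delegating trust manager that re-validates each certificate of an accepted server chain. */
    private static final class ValidatingTrustManager implements X509TrustManager {

        private final X509TrustManager delegate;

        ValidatingTrustManager(X509TrustManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Path validation first; the extra checks only run on a chain the delegate accepted.
            this.delegate.checkServerTrusted(chain, authType);
            for (X509Certificate certificate : chain) {
                validateCertificate(certificate);
            }
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return this.delegate.getAcceptedIssuers();
        }
    }

    /**
     * Sets the endpoint identification algorithm to {@code "HTTPS"} on a socket created by the
     * underlying factory, so the handshake also verifies the server's host name.
     *
     * @param socket socket returned by {@link #factory}; must be an {@link SSLSocket}
     * @return the same socket, configured
     */
    private static Socket requireHostnameVerification(Socket socket) {
        SSLSocket sslSocket = (SSLSocket) socket;
        SSLParameters parameters = sslSocket.getSSLParameters();
        parameters.setEndpointIdentificationAlgorithm("HTTPS");
        sslSocket.setSSLParameters(parameters);
        return sslSocket;
    }

    @Override
    public Socket createSocket(Socket socket, String str, int i, boolean z) throws IOException {
        return requireHostnameVerification(this.factory.createSocket(socket, str, i, z));
    }

    @Override
    public Socket createSocket(String str, int i) throws IOException {
        return requireHostnameVerification(this.factory.createSocket(str, i));
    }

    @Override
    public Socket createSocket(String str, int i, InetAddress inetAddress, int i2) throws IOException {
        return requireHostnameVerification(this.factory.createSocket(str, i, inetAddress, i2));
    }

    @Override
    public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
        return requireHostnameVerification(this.factory.createSocket(inetAddress, i));
    }

    @Override
    public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress2, int i2) throws IOException {
        return requireHostnameVerification(this.factory.createSocket(inetAddress, i, inetAddress2, i2));
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return this.factory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return this.factory.getSupportedCipherSuites();
    }
}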
