package com.yahoo.vespa.model.application.validation;

import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.vespa.model.application.validation.Validation;
import com.yahoo.vespa.model.container.http.Client;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.function.BiConsumer;
import java.util.logging.Level;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.TBSCertificate;

/* loaded from: input_file:com/yahoo/vespa/model/application/validation/CloudClientsValidator.class */
/**
 * Validates the X.509 certificates attached to the clients of every container cluster.
 *
 * <p>The check only runs when the deploy state reports a hosted deployment. It is purely
 * structural and looks at the certificate's extension sequence. Nothing in this class checks
 * the validity period, key type or size, signature algorithm, or issuer of a certificate;
 * those properties must be enforced elsewhere if they matter for the deployment.
 */
public class CloudClientsValidator implements Validator {

    /**
     * Runs {@link #validateCertificate} on each certificate of each client of each container
     * cluster in the model.
     *
     * @param context validation context supplying the deploy state, the model and the
     *                {@code illegal} reporting callback
     */
    @Override
    public void validate(Validation.Context context) {
        // Non-hosted deployments are not inspected at all.
        if (!context.deployState().isHosted()) {
            return;
        }
        context.model().getContainerClusters().forEach((clusterName, cluster) -> {
            for (Client client : cluster.getClients()) {
                client.certificates().forEach(certificate ->
                        validateCertificate(
                                clusterName, client.id(), certificate, context::illegal, context.deployState()));
            }
        });
    }

    /**
     * Inspects the extension sequence of a single client certificate.
     *
     * <ul>
     *   <li>No extensions field at all: accepted silently.</li>
     *   <li>An extensions field holding zero entries: logged at {@code INFO} through the deploy
     *       logger; it is not passed to {@code biConsumer}.</li>
     *   <li>The certificate cannot be encoded: reported through {@code biConsumer} together
     *       with the causing exception.</li>
     * </ul>
     *
     * <p>NOTE(review): only {@link CertificateEncodingException} is handled. If
     * {@code TBSCertificate.getInstance} rejects the structure with an unchecked exception,
     * it propagates to the caller instead of being reported per client. Confirm whether that
     * is intended.
     *
     * @param str             cluster name, used in the message
     * @param str2            client id, used in the message
     * @param x509Certificate certificate to inspect
     * @param biConsumer      receives the message and cause when the certificate cannot be encoded
     * @param deployState     supplies the deploy logger used for the empty-extensions notice
     */
    static void validateCertificate(String str, String str2, X509Certificate x509Certificate, BiConsumer<String, Throwable> biConsumer, DeployState deployState) {
        Extensions extensions;
        try {
            // getTBSCertificate() is the only call here that declares CertificateEncodingException.
            extensions = TBSCertificate.getInstance(x509Certificate.getTBSCertificate()).getExtensions();
        } catch (CertificateEncodingException e) {
            biConsumer.accept(errorMessage(str, str2, e.getMessage()), e);
            return;
        }

        // Absent extensions are fine; only a present-but-empty sequence is called out.
        if (extensions == null || extensions.getExtensionOIDs().length != 0) {
            return;
        }

        String detail = "The certificate's ASN.1 structure contains an empty sequence of extensions, "
                + "which is a violation of the ASN.1 specification. "
                + "Please update the application package with a new certificate, "
                + "e.g by generating a new one using the Vespa CLI `$ vespa auth cert`. ";
        // Informational only: the malformed certificate is logged, not rejected.
        deployState.getDeployLogger().log(Level.INFO, errorMessage(str, str2, detail));
    }

    /**
     * Builds the user-facing message for an invalid client certificate.
     *
     * @param str  cluster name
     * @param str2 client id
     * @param str3 description of the problem; may be {@code null} when it comes from an
     *             exception without a message, in which case it renders as "null"
     * @return the formatted message
     */
    private static String errorMessage(String str, String str2, String str3) {
        return String.format(
                "Client **%s** defined for cluster **%s** contains an invalid certificate: %s", str2, str, str3);
    }
}
