package com.netflix.spinnaker.kork.tomcat.x509;

import com.netflix.spectator.api.Id;
import com.netflix.spectator.api.Registry;
import java.security.cert.CRLReason;
import java.security.cert.CertificateException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/netflix/spinnaker/kork/tomcat/x509/BlocklistingX509TrustManager.class */
/**
 * {@link X509TrustManager} decorator that screens client certificate chains against a
 * {@link Blocklist} before handing them to the wrapped trust manager.
 *
 * <p>Only {@link #checkClientTrusted} consults the blocklist; server-side checks and the
 * accepted-issuer list are forwarded to the delegate unchanged. Each screened client check
 * increments the {@code ssl.blocklist.checkClientTrusted} counter with a {@code rejected} tag.
 */
public class BlocklistingX509TrustManager implements X509TrustManager {
    /**
     * Process-wide switch for the blocklist check. While it reads {@code false},
     * {@link #checkClientTrusted} skips both the blocklist lookup and the metric and goes
     * straight to the delegate.
     *
     * <p>NOTE(review): the field is public, static and non-final, so any code that can see this
     * class can flip the flag or replace the reference. Because a disabled check emits no
     * counter, a change here is not visible in the {@code rejected} metric; treat writes to it
     * as security-relevant and audit them.
     */
    public static AtomicBoolean BLOCKLIST_ENABLED = new AtomicBoolean(true);

    private final X509TrustManager delegate;
    private final Blocklist blocklist;
    private final Registry registry;
    // Base metric id; the "rejected" tag is attached per call.
    private final Id checkClientTrusted;

    /**
     * Wraps {@code x509TrustManager} with a blocklist check.
     *
     * @param x509TrustManager trust manager that performs the actual chain validation
     * @param blocklist source of truth for blocklisted certificates
     * @param registry metrics registry used to create and increment the counter
     * @throws NullPointerException if any argument is {@code null}
     */
    public BlocklistingX509TrustManager(X509TrustManager x509TrustManager, Blocklist blocklist, Registry registry) {
        this.delegate = Objects.requireNonNull(x509TrustManager);
        this.blocklist = Objects.requireNonNull(blocklist);
        this.registry = Objects.requireNonNull(registry);
        this.checkClientTrusted = registry.createId("ssl.blocklist.checkClientTrusted");
    }

    /**
     * Rejects the chain if any certificate in it is blocklisted, otherwise defers to the delegate.
     *
     * <p>When the check is enabled, every certificate of a non-null chain is passed to
     * {@link Blocklist#isBlocklisted}; the first hit raises a {@link CertificateRevokedException}
     * stamped with the current time, {@link CRLReason#UNSPECIFIED}, the certificate's issuer and
     * no extensions. The counter is incremented exactly once per screened call: tagged
     * {@code rejected=true} for a blocklist hit, {@code rejected=false} otherwise (including when
     * the lookup itself throws). The delegate is not reached if the screening throws.
     *
     * @param x509CertificateArr peer certificate chain; a {@code null} chain is not screened and is
     *     left for the delegate to handle
     * @param str authentication type, passed through to the delegate
     * @throws CertificateException if a certificate is blocklisted or the delegate rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (!BLOCKLIST_ENABLED.get()) {
            // Check disabled: no lookup, no metric.
            this.delegate.checkClientTrusted(x509CertificateArr, str);
            return;
        }

        boolean rejected = false;
        try {
            if (x509CertificateArr != null) {
                for (int i = 0; i < x509CertificateArr.length; i++) {
                    X509Certificate candidate = x509CertificateArr[i];
                    if (this.blocklist.isBlocklisted(candidate)) {
                        rejected = true;
                        throw new CertificateRevokedException(new Date(), CRLReason.UNSPECIFIED, candidate.getIssuerX500Principal(), Collections.emptyMap());
                    }
                }
            }
        } finally {
            // Runs on both the clean path and the throwing path, so every screened call is counted.
            this.registry.counter(this.checkClientTrusted.withTag("rejected", Boolean.toString(rejected))).increment();
        }

        this.delegate.checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Forwards server chain validation to the delegate. The blocklist is not consulted here.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str key exchange algorithm / authentication type, passed through to the delegate
     * @throws CertificateException if the delegate rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.checkServerTrusted(x509CertificateArr, str);
    }

    /**
     * Returns the delegate's accepted issuers unchanged.
     *
     * @return whatever the wrapped trust manager reports
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.delegate.getAcceptedIssuers();
    }
}
