package org.apache.nifi.security.cert;

import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;

/* loaded from: input_file:org/apache/nifi/security/cert/StandardPeerIdentityProvider.class */
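/**
 * Derives peer identities from the DNS-name subject alternative names of an X.509 certificate.
 *
 * <p>Security note: the only check made on the certificate here is
 * {@link X509Certificate#checkValidity()}, which compares the current time with the certificate's
 * validity period. This class does not build or verify a certification path, check signatures,
 * or consult revocation status. The returned names are therefore only as trustworthy as the
 * validation already applied to the supplied chain; callers are presumably expected to pass
 * certificates from a completed TLS handshake with a trust manager in place (TODO confirm against
 * callers).
 *
 * <p>Only {@link GeneralNameType#DNS_NAME} entries are returned. The subject distinguished name
 * and other subject alternative name types are not used.
 */
public class StandardPeerIdentityProvider implements PeerIdentityProvider {
    private final CertificateAttributeReader certificateAttributeReader = new StandardCertificateAttributeReader();

    /**
     * Returns the DNS-name subject alternative names of the first certificate in the array.
     *
     * <p>Only element {@code 0} is inspected; the remaining elements are ignored. NOTE(review):
     * this assumes the array is ordered with the peer's own certificate first, as
     * {@code SSLSession.getPeerCertificates()} documents; confirm for other callers.
     *
     * @param certificateArr peer certificates, peer's own certificate expected first
     * @return DNS names from the first certificate, in the order the attribute reader supplies them
     * @throws SSLPeerUnverifiedException if the array is null or empty, the first element is not
     *     an {@link X509Certificate}, or that certificate is outside its validity period
     */
    @Override
    public Set<String> getIdentities(Certificate[] certificateArr) throws SSLPeerUnverifiedException {
        if (certificateArr == null || certificateArr.length == 0) {
            throw new SSLPeerUnverifiedException("Peer certificates not found");
        }
        // instanceof is false for null, so a null first element is rejected here as well.
        if (!(certificateArr[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("X.509 Peer certificate not found");
        }
        final X509Certificate peerCertificate = (X509Certificate) certificateArr[0];
        try {
            // Validity-period check only; trust in the issuer must be established by the caller.
            peerCertificate.checkValidity();
        } catch (CertificateException e) {
            final SSLPeerUnverifiedException unverified = new SSLPeerUnverifiedException(
                    String.format("X.509 Peer certificate not valid: %s", e.getMessage()));
            // SSLPeerUnverifiedException has no cause-accepting constructor; attach the original
            // exception so the expired / not-yet-valid distinction survives in stack traces.
            unverified.initCause(e);
            throw unverified;
        }
        return getIdentities(peerCertificate);
    }

    /**
     * Collects the DNS-name subject alternative names of the certificate.
     *
     * @param x509Certificate certificate to read
     * @return DNS names in encounter order; empty when the reader yields no DNS-name entries
     */
    private Set<String> getIdentities(X509Certificate x509Certificate) {
        // LinkedHashSet removes duplicates while keeping the order in which names were read.
        final Set<String> dnsNames = new LinkedHashSet<>();
        for (SubjectAlternativeName subjectAlternativeName
                : this.certificateAttributeReader.getSubjectAlternativeNames(x509Certificate)) {
            if (GeneralNameType.DNS_NAME == subjectAlternativeName.getGeneralNameType()) {
                dnsNames.add(subjectAlternativeName.getName());
            }
        }
        return dnsNames;
    }
}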
