package org.apache.cassandra.auth;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.temporal.ChronoUnit;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.cassandra.config.DurationSpec;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.utils.FBUtilities;

/* loaded from: input_file:org/apache/cassandra/auth/MutualTlsCertificateValidityPeriodValidator.class */
public class MutualTlsCertificateValidityPeriodValidator {

    @Nonnull
    private final int maxCertificateValidityPeriodMinutes;

    public MutualTlsCertificateValidityPeriodValidator(@Nullable DurationSpec.IntMinutesBound intMinutesBound) {
        this.maxCertificateValidityPeriodMinutes = intMinutesBound != null ? intMinutesBound.toMinutes() : Integer.MAX_VALUE;
    }

    public int validate(Certificate[] certificateArr) throws AuthenticationException {
        X509Certificate[] castCertsToX509 = MutualTlsUtil.castCertsToX509(certificateArr);
        if (castCertsToX509 == null || castCertsToX509.length == 0) {
            return -1;
        }
        int between = (int) ChronoUnit.MINUTES.between(FBUtilities.now(), castCertsToX509[0].getNotAfter().toInstant());
        int certificateValidityPeriodInMinutes = certificateValidityPeriodInMinutes(castCertsToX509[0]);
        if (certificateValidityPeriodInMinutes > this.maxCertificateValidityPeriodMinutes) {
            throw new AuthenticationException(String.format("The validity period of the provided certificate (%s) exceeds the maximum allowed validity period of %s", MutualTlsUtil.toHumanReadableCertificateExpiration(certificateValidityPeriodInMinutes), MutualTlsUtil.toHumanReadableCertificateExpiration(this.maxCertificateValidityPeriodMinutes)));
        }
        return between;
    }

    int certificateValidityPeriodInMinutes(X509Certificate x509Certificate) {
        return (int) ChronoUnit.MINUTES.between(x509Certificate.getNotBefore().toInstant(), x509Certificate.getNotAfter().toInstant());
    }
}
