package org.apache.cassandra.auth;

import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.List;
import org.apache.cassandra.exceptions.AuthenticationException;

/* loaded from: input_file:org/apache/cassandra/auth/SpiffeCertificateValidator.class */
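/**
 * {@link MutualTlsCertificateValidator} that derives the client identity from the SPIFFE ID
 * carried as a URI entry in the Subject Alternative Name extension of the first certificate
 * in the presented chain.
 *
 * <p>This class performs no trust decision of its own; see {@link #isValidCertificate}.
 */
public class SpiffeCertificateValidator implements MutualTlsCertificateValidator {
    /** GeneralName tag for {@code uniformResourceIdentifier} as reported by getSubjectAlternativeNames(). */
    private static final int SAN_TYPE_URI = 6;

    /** Scheme prefix a URI SAN must carry to be treated as a SPIFFE ID. */
    private static final String SPIFFE_SCHEME_PREFIX = "spiffe://";

    /**
     * Accepts every chain unconditionally.
     *
     * <p>No expiry, trust-anchor or trust-domain check is done here.
     * NOTE(review): presumably chain validation is left to the TLS handshake and the configured
     * truststore before this validator is consulted; confirm against the caller, because this
     * method alone authorizes nothing.
     *
     * @param certificateArr the client certificate chain (ignored)
     * @return always {@code true}
     */
    @Override
    public boolean isValidCertificate(Certificate[] certificateArr) {
        return true;
    }

    /**
     * Returns the SPIFFE ID found in the first certificate of the chain.
     *
     * @param certificateArr the client certificate chain
     * @return the first URI SAN value that starts with {@code spiffe://}
     * @throws AuthenticationException if no SPIFFE ID can be extracted; the underlying
     *         {@link CertificateException} is kept as the cause
     */
    @Override
    public String identity(Certificate[] certificateArr) throws AuthenticationException {
        try {
            return getSANSpiffe(certificateArr);
        } catch (CertificateException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Scans the Subject Alternative Names of the first certificate for a SPIFFE URI.
     *
     * <p>SAN values are either a {@code String} or a DER-encoded {@code byte[]} (for example
     * {@code otherName} entries), so each entry's type and value are checked before casting.
     * An unconditional cast would let a certificate with a non-String SAN escape as a
     * {@code ClassCastException} instead of a clean authentication failure.
     *
     * <p>NOTE(review): the first matching URI wins and only the scheme prefix is checked. The
     * X.509-SVID specification requires exactly one URI SAN, and neither the trust domain nor the
     * path is validated here; confirm that callers restrict which identities are accepted.
     *
     * @param certificateArr the client certificate chain
     * @return the first URI SAN value that starts with {@code spiffe://}
     * @throws CertificateException if the chain is null or empty, cannot be handled as X.509, or
     *         holds no SPIFFE URI SAN
     */
    private static String getSANSpiffe(Certificate[] certificateArr) throws CertificateException {
        // Fail closed with a checked exception instead of an index or null dereference error.
        if (certificateArr == null || certificateArr.length == 0) {
            throw new CertificateException("Unable to extract Spiffe from the certificate");
        }
        Collection<List<?>> subjectAlternativeNames = MutualTlsUtil.castCertsToX509(certificateArr)[0].getSubjectAlternativeNames();
        if (subjectAlternativeNames != null) {
            for (List<?> entry : subjectAlternativeNames) {
                if (entry == null || entry.size() < 2) {
                    continue;
                }
                Object type = entry.get(0);
                Object value = entry.get(1);
                // Check the tag first; only then is a String value expected for this entry.
                if (!(type instanceof Integer) || ((Integer) type).intValue() != SAN_TYPE_URI) {
                    continue;
                }
                if (value instanceof String && ((String) value).startsWith(SPIFFE_SCHEME_PREFIX)) {
                    return (String) value;
                }
            }
        }
        throw new CertificateException("Unable to extract Spiffe from the certificate");
    }
}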
