package net.hasor.neta.handler.ssl;

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import net.hasor.cobble.ArrayUtils;
import net.hasor.cobble.io.IOUtils;
import net.hasor.cobble.logging.Logger;
import net.hasor.neta.bytebuf.ByteBuf;
import net.hasor.neta.bytebuf.ByteBufInputStream;

/* loaded from: input_file:net/hasor/neta/handler/ssl/SslUtils.class */
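/**
 * Package-private helpers for preparing JSSE key and trust material (PEM certificates, PEM private
 * keys, key stores) and for publishing the default cipher-suite lists used by the SSL handler.
 *
 * <p>The public {@code String[]} constants are plain arrays and therefore mutable by any caller;
 * treat them as read-only and copy them before modifying.
 */
class SslUtils {
    /** Default cipher suites for TLS 1.2 and earlier, followed by {@link #DEFAULT_TLSV13_CIPHER_SUITES}. */
    public static final String[] DEFAULT_CIPHER_SUITES;
    /** TLS 1.3 suites when the default JDK provider supports TLS 1.3, otherwise an empty array. */
    public static final String[] DEFAULT_TLSV13_CIPHER_SUITES;
    // The logger must be initialised before the two TLSV1_3_* probes below, because they log on failure.
    private static final Logger logger = Logger.getLogger(SslUtils.class);
    public static final String[] TLSV13_CIPHER_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"};
    private static final boolean TLSV1_3_JDK_SUPPORTED = isTLSv13SupportedByJDK0(null);
    private static final boolean TLSV1_3_JDK_DEFAULT_ENABLED = isTLSv13EnabledByJDK0(null);
    /** Read-ahead limit (1 MiB) that keeps the stream rewindable while the BouncyCastle reader is tried. */
    private static final int PRIVATE_KEY_MARK_LIMIT = 1048576;
    /** Key algorithms tried, in this order, when decoding a PKCS#8 private key. */
    private static final String[] PRIVATE_KEY_ALGORITHMS = {"RSA", "DSA", "EC"};

    SslUtils() {
    }

    /**
     * Creates a throw-away {@code TLS} context that is only used to query protocol support.
     *
     * <p>It is initialised with no key managers and an empty trust-manager array, so it must not be
     * handed out for real connections.
     *
     * @param provider security provider to use, or {@code null} for the JDK default
     * @return an initialised context
     * @throws GeneralSecurityException if the context cannot be created or initialised
     */
    private static SSLContext newInitContext(Provider provider) throws GeneralSecurityException {
        SSLContext probe = provider == null ? SSLContext.getInstance("TLS") : SSLContext.getInstance("TLS", provider);
        probe.init(null, new TrustManager[0], null);
        return probe;
    }

    /**
     * Reports whether the provider lists TLSv1.3 among its supported protocols.
     *
     * <p>Runs from a static field initialiser, so every failure is swallowed and reported as
     * {@code false}; letting it escape would make the class fail to load.
     *
     * @param provider security provider to probe, or {@code null} for the JDK default
     * @return {@code true} if TLSv1.3 is supported, {@code false} if not or if detection failed
     */
    private static boolean isTLSv13SupportedByJDK0(Provider provider) {
        try {
            return ArrayUtils.contains(newInitContext(provider).getSupportedSSLParameters().getProtocols(), SslProtocol.TLS_v1_3);
        } catch (Throwable th) {
            // Only reported when debug logging is on; the probe result is "no" either way.
            if (logger.isDebugEnabled()) {
                logger.error("Unable to detect if JDK SSLEngine with provider " + provider + " supports TLSv1.3, assuming no", th);
            }
            return false;
        }
    }

    /**
     * Reports whether the provider enables TLSv1.3 in its default SSL parameters.
     *
     * <p>Runs from a static field initialiser, so every failure is swallowed and reported as
     * {@code false}.
     *
     * @param provider security provider to probe, or {@code null} for the JDK default
     * @return {@code true} if TLSv1.3 is enabled by default, {@code false} if not or if detection failed
     */
    private static boolean isTLSv13EnabledByJDK0(Provider provider) {
        try {
            return ArrayUtils.contains(newInitContext(provider).getDefaultSSLParameters().getProtocols(), SslProtocol.TLS_v1_3);
        } catch (Throwable th) {
            // Only reported when debug logging is on; the probe result is "no" either way.
            if (logger.isDebugEnabled()) {
                logger.error("Unable to detect if JDK SSLEngine with provider " + provider + " enables TLSv1.3 by default, assuming no", th);
            }
            return false;
        }
    }

    /**
     * Initialises a {@link KeyManagerFactory} from a key store.
     *
     * @param keyStore          key store holding the private key entry
     * @param cArr              password protecting the key entries; not cleared by this method
     * @param keyManagerFactory factory to initialise, or {@code null} to create one with the default algorithm
     * @return the initialised factory
     * @throws GeneralSecurityException if the factory cannot be created or initialised
     */
    public static KeyManagerFactory buildKeyManagerFactory(KeyStore keyStore, char[] cArr, KeyManagerFactory keyManagerFactory) throws GeneralSecurityException, IOException {
        KeyManagerFactory factory = keyManagerFactory != null
                ? keyManagerFactory
                : KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        factory.init(keyStore, cArr);
        return factory;
    }

    /**
     * Initialises a {@link TrustManagerFactory} from a key store of trusted certificates.
     *
     * @param keyStore            trust store to use
     * @param trustManagerFactory factory to initialise, or {@code null} to create one with the default algorithm
     * @return the initialised factory
     * @throws GeneralSecurityException if the factory cannot be created or initialised
     */
    public static TrustManagerFactory buildTrustManagerFactory(KeyStore keyStore, TrustManagerFactory trustManagerFactory) throws GeneralSecurityException, IOException {
        TrustManagerFactory factory = trustManagerFactory != null
                ? trustManagerFactory
                : TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(keyStore);
        return factory;
    }

    /**
     * Resets {@code keyStore} to an empty store and fills it with a certificate chain and its private key.
     *
     * <p>Each certificate is stored under the alias {@code CRT_<n>} (1-based) and the key under the
     * alias {@code key}, protected by {@code cArr}.
     *
     * @param keyStore           store to (re)initialise; any previous content is discarded by {@code load(null, null)}
     * @param x509CertificateArr certificate chain for the key, must not be {@code null}
     * @param privateKey         private key, must not be {@code null}
     * @param cArr               password protecting the key entry
     * @throws NullPointerException     if the chain or the key is {@code null}
     * @throws GeneralSecurityException if an entry cannot be stored
     * @throws IOException              if the store cannot be initialised
     */
    public static void loadKeyStore(KeyStore keyStore, X509Certificate[] x509CertificateArr, PrivateKey privateKey, char[] cArr) throws GeneralSecurityException, IOException {
        Objects.requireNonNull(x509CertificateArr, "required certChain");
        Objects.requireNonNull(privateKey, "required key");
        keyStore.load(null, null);
        for (int idx = 0; idx < x509CertificateArr.length; idx++) {
            keyStore.setCertificateEntry("CRT_" + (idx + 1), x509CertificateArr[idx]);
        }
        keyStore.setKeyEntry("key", privateKey, cArr, x509CertificateArr);
    }

    /**
     * Loads {@code keyStore} from a serialized key store stream.
     *
     * @param keyStore    store to load into
     * @param inputStream serialized key store data; not closed by this method
     * @param cArr        password used to check integrity / unlock the store
     * @throws GeneralSecurityException if the store content cannot be verified or decoded
     * @throws IOException              if the stream cannot be read or the password is wrong
     */
    public static void loadKeyStore(KeyStore keyStore, InputStream inputStream, char[] cArr) throws GeneralSecurityException, IOException {
        keyStore.load(inputStream, cArr);
    }

    /**
     * Parses every PEM certificate found in the stream into an {@link X509Certificate}.
     *
     * <p>The decoded buffers are freed exactly once, after all certificates have been parsed (or
     * parsing failed). Freeing them inside the loop would release buffers that later iterations
     * still have to read, which breaks chains with more than one certificate.
     *
     * @param inputStream PEM data, or {@code null}
     * @return the certificates in stream order, or {@code null} when {@code inputStream} is {@code null}
     * @throws CertificateException if the PEM data or any certificate cannot be decoded
     */
    public static X509Certificate[] toX509Certificates(InputStream inputStream) throws CertificateException {
        if (inputStream == null) {
            return null;
        }
        ByteBuf[] pemBlocks = SslPemReader.readCertificates(inputStream);
        try {
            CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
            X509Certificate[] chain = new X509Certificate[pemBlocks.length];
            for (int i = 0; i < pemBlocks.length; i++) {
                ByteBufInputStream certStream = new ByteBufInputStream(pemBlocks[i]);
                try {
                    chain[i] = (X509Certificate) x509Factory.generateCertificate(certStream);
                } finally {
                    // Close on the failure path too, not only after a successful parse.
                    IOUtils.closeQuietly(certStream);
                }
            }
            return chain;
        } finally {
            for (ByteBuf pemBlock : pemBlocks) {
                pemBlock.free();
            }
        }
    }

    /**
     * Reads a PEM private key, optionally password-protected, from the stream.
     *
     * <p>When the BouncyCastle-based reader is available it is tried first; if it returns
     * {@code null} the stream is rewound and the built-in PKCS#8 path is used, trying RSA, DSA and
     * EC in that order. The rewind relies on a 1 MiB mark limit, so {@code reset()} can fail with an
     * {@link IOException} if the first reader consumed more than that.
     *
     * <p>The temporary copies of the encoded key and of the password made here are zeroed before
     * returning. The caller's {@code String} password cannot be cleared.
     *
     * @param inputStream PEM data, or {@code null}
     * @param str         key password, or {@code null} for an unencrypted key
     * @return the private key, or {@code null} when {@code inputStream} is {@code null}
     * @throws InvalidKeySpecException  if the key is neither RSA, DSA nor EC
     * @throws GeneralSecurityException if the key cannot be decrypted or decoded
     * @throws IOException              if the stream cannot be read or rewound
     */
    public static PrivateKey toPrivateKey(InputStream inputStream, String str) throws GeneralSecurityException, IOException {
        if (inputStream == null) {
            return null;
        }
        if (SslPemReaderByBouncyCastle.isAvailable()) {
            if (!inputStream.markSupported()) {
                inputStream = new BufferedInputStream(inputStream);
            }
            inputStream.mark(PRIVATE_KEY_MARK_LIMIT);
            PrivateKey parsedByBc = SslPemReaderByBouncyCastle.getPrivateKey(inputStream, str);
            if (parsedByBc != null) {
                return parsedByBc;
            }
            inputStream.reset();
        }

        ByteBuf pemKey = SslPemReader.readPrivateKey(inputStream);
        byte[] encodedKey;
        try {
            encodedKey = new byte[pemKey.readableBytes()];
            pemKey.readBytes(encodedKey);
        } finally {
            // Release the buffer even if copying the key bytes fails.
            pemKey.free();
        }

        char[] password = str == null ? null : str.toCharArray();
        try {
            PKCS8EncodedKeySpec keySpec = generateKeySpec(password, encodedKey);
            InvalidKeySpecException lastFailure = null;
            for (String algorithm : PRIVATE_KEY_ALGORITHMS) {
                try {
                    return KeyFactory.getInstance(algorithm).generatePrivate(keySpec);
                } catch (InvalidKeySpecException e) {
                    lastFailure = e;
                }
            }
            throw new InvalidKeySpecException("Neither RSA, DSA nor EC worked", lastFailure);
        } finally {
            // The key specs work on their own copies, so the local secrets can be wiped here.
            java.util.Arrays.fill(encodedKey, (byte) 0);
            if (password != null) {
                java.util.Arrays.fill(password, '\0');
            }
        }
    }

    /**
     * Builds the PKCS#8 key spec for an encoded key, decrypting it first when a password is given.
     *
     * @param cArr key password, or {@code null} if {@code bArr} is an unencrypted PKCS#8 structure
     * @param bArr encoded key: plain PKCS#8, or an {@code EncryptedPrivateKeyInfo} when a password is given
     * @return the (decrypted) key spec
     * @throws GeneralSecurityException if the encryption algorithm is unavailable or decryption fails
     * @throws IOException              if the encrypted structure cannot be parsed
     */
    private static PKCS8EncodedKeySpec generateKeySpec(char[] cArr, byte[] bArr) throws GeneralSecurityException, IOException {
        if (cArr == null) {
            return new PKCS8EncodedKeySpec(bArr);
        }
        EncryptedPrivateKeyInfo encryptedInfo = new EncryptedPrivateKeyInfo(bArr);
        String pbeAlgorithm = encryptedInfo.getAlgName();
        PBEKeySpec passwordSpec = new PBEKeySpec(cArr);
        try {
            SecretKey pbeKey = SecretKeyFactory.getInstance(pbeAlgorithm).generateSecret(passwordSpec);
            Cipher cipher = Cipher.getInstance(pbeAlgorithm);
            cipher.init(Cipher.DECRYPT_MODE, pbeKey, encryptedInfo.getAlgParameters());
            return encryptedInfo.getKeySpec(cipher);
        } finally {
            // PBEKeySpec holds its own copy of the password; wipe it once the key is derived.
            passwordSpec.clearPassword();
        }
    }

    static {
        // Publish a copy so that a caller writing into DEFAULT_TLSV13_CIPHER_SUITES cannot also
        // rewrite TLSV13_CIPHER_SUITES through a shared array.
        DEFAULT_TLSV13_CIPHER_SUITES = TLSV1_3_JDK_SUPPORTED ? TLSV13_CIPHER_SUITES.clone() : ArrayUtils.EMPTY_STRING_ARRAY;

        // Insertion order is the preference order, hence LinkedHashSet.
        LinkedHashSet<String> suites = new LinkedHashSet<>();
        suites.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
        suites.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
        suites.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        suites.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        // NOTE(review): the suites below are kept for compatibility. The *_CBC_SHA entries use CBC
        // mode with HMAC-SHA1, and the TLS_RSA_* entries use static RSA key exchange, which gives no
        // forward secrecy. Deployments that do not need legacy clients should configure a narrower list.
        suites.add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
        suites.add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
        suites.add("TLS_RSA_WITH_AES_128_GCM_SHA256");
        suites.add("TLS_RSA_WITH_AES_128_CBC_SHA");
        suites.add("TLS_RSA_WITH_AES_256_CBC_SHA");
        Collections.addAll(suites, DEFAULT_TLSV13_CIPHER_SUITES);
        DEFAULT_CIPHER_SUITES = suites.toArray(new String[0]);
    }
}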
