package com.predic8.membrane.core.transport.ssl;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.Lists;
import com.oracle.util.ssl.SSLCapabilities;
import com.oracle.util.ssl.SSLExplorer;
import com.predic8.membrane.core.config.security.Certificate;
import com.predic8.membrane.core.config.security.SSLParser;
import com.predic8.membrane.core.resolver.ResolverMap;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;

/* loaded from: input_file:lib/service-proxy-core-4.2.3.jar:com/predic8/membrane/core/transport/ssl/GeneratingSSLContext.class */
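/**
 * {@link SSLContext} that behaves like a small online CA: for every SNI host name seen on an
 * accepted connection it generates a fresh RSA key pair plus a leaf certificate signed by the
 * key configured under {@code //ssl/keyGenerator}, and caches the resulting per-hostname context.
 *
 * <p>Only the server side is implemented. The client-side {@code createSocket} variants as well
 * as {@link #wrap} and {@link #getSocketFactory} throw {@link IllegalStateException}.
 */
public class GeneratingSSLContext extends SSLContext {
    private static final Logger log = LoggerFactory.getLogger(GeneratingSSLContext.class.getName());

    /** Alias of the CA key entry in the throw-away key store used to validate the configured material. */
    private static final String CA_KEY_ALIAS = "inlinePemKeyAndCertificate";
    /** Alias of the generated leaf key in each per-hostname key store. */
    private static final String LEAF_KEY_ALIAS = "alias";
    /** Signature algorithm of generated leaf certificates. */
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    /** Modulus size of the per-hostname RSA key pairs. */
    private static final int LEAF_KEY_BITS = 2048;
    /** Maximum number of per-hostname contexts kept in memory. */
    private static final long CACHE_MAX_SIZE = 100L;
    /**
     * Cached contexts are regenerated after this long, so a leaf certificate is never handed out
     * past its own notAfter ({@link #NOT_AFTER_OFFSET_MILLIS} is considerably longer than this).
     */
    private static final long CACHE_TTL_DAYS = 1L;
    /** Entropy of generated serial numbers; RFC 5280 requires serials to be unique per issuer. */
    private static final int SERIAL_BITS = 128;
    /**
     * Validity window of generated leaf certificates, relative to signing time. The literals are
     * kept from the compiled class, where {@code int} arithmetic had already overflowed:
     * notBefore = now - ~24 days, notAfter = now + ~13.7 days. 1187194880 equals
     * 1000*60*60*24*365*30 truncated to 32 bits, so a 30-year lifetime was presumably intended —
     * TODO confirm before widening the window.
     */
    private static final long NOT_BEFORE_OFFSET_MILLIS = 2078457856L;
    private static final long NOT_AFTER_OFFSET_MILLIS = 1187194880L;
    /** How long an accepted connection may take to deliver its ClientHello. */
    private static final int HANDSHAKE_READ_TIMEOUT_MILLIS = 30000;
    /** TLS record header: content type (1 byte), protocol version (2), fragment length (2). */
    private static final int TLS_RECORD_HEADER_LENGTH = 5;
    /**
     * TLS alert record sent to clients that present no SNI extension: content type alert (21),
     * version 3.1, fragment length 2, alert level fatal (2), description unrecognized_name (112).
     */
    private static final byte[] UNRECOGNIZED_NAME_ALERT = {21, 3, 1, 0, 2, 2, 112};
    /**
     * Host names we are willing to mint certificates for: ASCII letters, digits, '.', '-' and '_',
     * at most 253 characters. The SNI value is supplied by the remote client and ends up in a log
     * line and in a DN string ({@code "CN=" + host}); excluding ',', '=', '+', '"', '\\' and control
     * characters keeps it from smuggling extra RDNs or log lines.
     */
    private static final Pattern SAFE_HOSTNAME = Pattern.compile("[A-Za-z0-9._-]{1,253}");
    private static final SecureRandom SERIAL_RNG = new SecureRandom();

    private final PrivateKey caPrivate;
    private final SSLParser sslParser;
    private final X509Certificate caPublic;
    /** Per-hostname contexts, lazily produced by {@link #getSSLContextForHostname(String)}. */
    LoadingCache<String, SSLContext> cache;

    /**
     * Loads the CA key and certificate chain referenced by {@code sSLParser.getKeyGenerator().getKey()}.
     *
     * @param sSLParser   the {@code <ssl>} configuration carrying the {@code <keyGenerator>} element
     * @param resolverMap resolves the PEM locations of the configured key and certificates
     * @param str         base location the certificate and key references are resolved against
     * @throws RuntimeException if no certificate is configured, the key is not an RSA CRT key, or the
     *                          material cannot be parsed or loaded; the underlying exception is the cause
     */
    public GeneratingSSLContext(SSLParser sSLParser, ResolverMap resolverMap, String str) {
        this.sslParser = sSLParser;
        try {
            List<java.security.cert.Certificate> chain = new ArrayList<>();
            for (Certificate certificateRef : sSLParser.getKeyGenerator().getKey().getCertificates()) {
                chain.add(PEMSupport.getInstance().parseCertificate(certificateRef.get(resolverMap, str)));
            }
            if (chain.isEmpty()) {
                throw new RuntimeException("At least one //ssl/keyGenerator/certificate is required.");
            }
            checkChainValidity(chain);

            Key key = toPrivateKey(PEMSupport.getInstance().parseKey(
                    sSLParser.getKeyGenerator().getKey().getPrivate().get(resolverMap, str)));
            if (!(key instanceof RSAPrivateCrtKey) || !(chain.get(0).getPublicKey() instanceof RSAPublicKey)) {
                throw new RuntimeException("Key is a " + key.getClass().getName() + ", which is not yet supported.");
            }
            RSAPrivateCrtKey caKey = (RSAPrivateCrtKey) key;
            RSAPublicKey caPub = (RSAPublicKey) chain.get(0).getPublicKey();
            // A key/certificate mismatch yields signatures no client can verify; it is reported as a
            // warning rather than a failure so that start-up is not blocked by it.
            if (!caKey.getModulus().equals(caPub.getModulus())
                    || !caKey.getPublicExponent().equals(caPub.getPublicExponent())) {
                log.warn("Certificate does not fit to key.");
            }
            this.caPrivate = caKey;
            this.caPublic = (X509Certificate) chain.get(0);

            // Push key and chain through a throw-away JKS store and a KeyManagerFactory purely as a
            // fail-fast check that the configured material is usable; nothing from this is kept.
            // NOTE(review): the entry is protected with an empty password while init() receives the
            // configured password — a non-empty configured password may fail here; confirm.
            KeyStore probe = KeyStore.getInstance("JKS");
            probe.load(null, "".toCharArray());
            probe.setKeyEntry(CA_KEY_ALIAS, key, "".toCharArray(),
                    chain.toArray(new java.security.cert.Certificate[chain.size()]));
            String configuredPassword = sSLParser.getKeyGenerator().getKey().getPassword();
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
                    .init(probe, (configuredPassword != null ? configuredPassword : "").toCharArray());

            this.cache = CacheBuilder.newBuilder()
                    .maximumSize(CACHE_MAX_SIZE)
                    .expireAfterWrite(CACHE_TTL_DAYS, TimeUnit.DAYS)
                    .build(new CacheLoader<String, SSLContext>() {
                        @Override
                        public SSLContext load(String hostname) throws Exception {
                            log.info("Generating certificate for " + hostname);
                            return getSSLContextForHostname(hostname);
                        }
                    });
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Normalises the result of {@code PEMSupport.parseKey}, which yields either a bare {@link Key}
     * or a {@link KeyPair}, to the private key.
     *
     * @throws ClassCastException if {@code parsed} is neither
     */
    private static Key toPrivateKey(Object parsed) {
        if (parsed instanceof Key) {
            return (Key) parsed;
        }
        return ((KeyPair) parsed).getPrivate();
    }

    /**
     * Opens a plain (non-TLS) listening socket; the handshake is started per connection in
     * {@link #wrapAcceptedSocket(Socket)} once the SNI host name is known.
     *
     * @param i           port to listen on
     * @param i2          ignored; the backlog is fixed at 50
     * @param inetAddress local address to bind, or {@code null} for any
     */
    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public ServerSocket createServerSocket(int i, int i2, InetAddress inetAddress) throws IOException {
        return new ServerSocket(i, 50, inetAddress);
    }

    /**
     * Peeks at the first TLS record of a freshly accepted connection, picks (or generates) the context
     * for its SNI host name and hands the bytes already consumed plus the socket to that context's
     * {@link SSLContext#wrap(Socket, byte[], int)}.
     *
     * <p>Connections that carry no SNI receive a fatal {@code unrecognized_name} alert and are closed.
     *
     * @param socket the accepted plain socket; its read timeout is set to {@link #HANDSHAKE_READ_TIMEOUT_MILLIS}
     * @return the TLS-wrapped socket
     * @throws IOException      if the stream ends before the first record is complete, or wrapping fails
     * @throws RuntimeException if the client sent no SNI (the socket is closed first), or if the context
     *                          for the host name could not be generated (cause attached)
     */
    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket wrapAcceptedSocket(Socket socket) throws IOException {
        InputStream in = socket.getInputStream();
        socket.setSoTimeout(HANDSHAKE_READ_TIMEOUT_MILLIS);
        // The record header tells us how long the whole first record is; read that, then the rest.
        byte[] record = new byte[255];
        int filled = readFully(in, record, 0, TLS_RECORD_HEADER_LENGTH);
        int required = SSLExplorer.getRequiredSize(record, 0, filled);
        if (record.length < required) {
            record = Arrays.copyOf(record, required);
        }
        filled = readFully(in, record, filled, required);
        // NOTE(review): if a read above fails, the socket is left open for the caller to close.

        String hostname = firstServerName(SSLExplorer.explore(record, 0, required));
        if (hostname != null) {
            SSLContext perHost;
            try {
                perHost = cache.get(hostname);
            } catch (ExecutionException e) {
                throw new RuntimeException(e);
            }
            return perHost.wrap(socket, record, filled);
        }
        try {
            socket.getOutputStream().write(UNRECOGNIZED_NAME_ALERT);
            throw new RuntimeException("non-SNI connection not supported.");
        } finally {
            socket.close();
        }
    }

    /**
     * Reads from {@code in} into {@code buf[from..to)} until that range is full.
     *
     * @return {@code to} (or {@code from} if it is already at or past {@code to})
     * @throws IOException if the stream ends first
     */
    private static int readFully(InputStream in, byte[] buf, int from, int to) throws IOException {
        int pos = from;
        while (pos < to) {
            int n = in.read(buf, pos, to - pos);
            if (n < 0) {
                throw new IOException("unexpected end of stream!");
            }
            pos += n;
        }
        return pos;
    }

    /**
     * Extracts the first SNI server name from an explored ClientHello.
     *
     * @param capabilities result of {@code SSLExplorer.explore}, may be {@code null}
     * @return the first announced server name decoded as UTF-8, or {@code null} if the hello could
     *         not be parsed or announces no server name
     */
    private static String firstServerName(SSLCapabilities capabilities) {
        if (capabilities == null) {
            return null;
        }
        List<SNIServerName> names = capabilities.getServerNames();
        if (names == null || names.isEmpty()) {
            return null;
        }
        return new String(names.get(0).getEncoded(), StandardCharsets.UTF_8);
    }

    /**
     * Generates a {@value #LEAF_KEY_BITS}-bit RSA key pair and a leaf certificate for {@code str},
     * signed by the CA loaded in the constructor, and wraps them in a {@link StaticSSLContext}.
     *
     * <p>This is expensive; callers normally go through {@link #cache}. The served chain consists of
     * the leaf only — the CA certificate itself is not sent, so clients must trust it directly.
     *
     * @param str host name the certificate's {@code CN} is set to
     * @return a context serving the freshly generated certificate
     * @throws IllegalArgumentException if {@code str} is {@code null} or does not match {@link #SAFE_HOSTNAME}
     * @throws RuntimeException         if key generation, signing or key store setup fails (cause attached)
     */
    public SSLContext getSSLContextForHostname(String str) {
        if (str == null || !SAFE_HOSTNAME.matcher(str).matches()) {
            // The rejected value is deliberately not echoed: it may contain control characters.
            throw new IllegalArgumentException(
                    "Refusing to generate a certificate: host name is missing, longer than 253 characters or contains characters outside [A-Za-z0-9._-].");
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(LEAF_KEY_BITS);
            KeyPair leaf = generator.generateKeyPair();
            // Round-tripping through X500Name normalises the DN string before sign() parses it again.
            String subject = new X500Name("CN=" + str).toString();
            X509Certificate[] leafChain = {sign(subject, this.caPublic, this.caPrivate, leaf.getPublic())};

            KeyStore store = KeyStore.getInstance("JKS");
            store.load(null, null);
            store.setKeyEntry(LEAF_KEY_ALIAS, leaf.getPrivate(), new char[0], leafChain);
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(store, new char[0]);
            javax.net.ssl.SSLContext jsse = javax.net.ssl.SSLContext.getInstance("TLS");
            jsse.init(factory.getKeyManagers(), null, null);
            return new StaticSSLContext(this.sslParser, jsse);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Issues an end-entity certificate for {@code publicKey} with subject {@code str}, signed with
     * {@value #SIGNATURE_ALGORITHM} by {@code privateKey}; the issuer name is taken from
     * {@code x509Certificate}'s subject.
     *
     * <p>The certificate gets a random {@value #SERIAL_BITS}-bit serial number and the validity window
     * described at {@link #NOT_BEFORE_OFFSET_MILLIS}. No extensions are added — NOTE(review): there
     * is no subjectAltName, so clients that insist on one will reject the certificate; confirm this is acceptable.
     *
     * @param str             subject DN in string form, e.g. {@code "CN=host"}
     * @param x509Certificate issuer certificate; only its subject name is used
     * @param privateKey      RSA private key of the issuer
     * @param publicKey       key to certify
     * @return the signed certificate, re-parsed through the BouncyCastle {@code X.509} factory
     * @throws NoSuchProviderException  if the BouncyCastle provider is not registered
     * @throws OperatorCreationException if the content signer cannot be built from {@code privateKey}
     * @throws CertificateException     if the produced DER does not parse back into a certificate
     * @throws IOException              if key or certificate encoding fails
     */
    public static X509Certificate sign(String str, X509Certificate x509Certificate, PrivateKey privateKey, PublicKey publicKey) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException, OperatorCreationException, CertificateException {
        AlgorithmIdentifier signatureAlg = new DefaultSignatureAlgorithmIdentifierFinder().find(SIGNATURE_ALGORITHM);
        AlgorithmIdentifier digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlg);
        AsymmetricKeyParameter signingKey = PrivateKeyFactory.createKey(privateKey.getEncoded());
        long now = System.currentTimeMillis();
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                new JcaX509CertificateHolder(x509Certificate).getSubject(),
                newSerialNumber(),
                new Date(now - NOT_BEFORE_OFFSET_MILLIS),
                new Date(now + NOT_AFTER_OFFSET_MILLIS),
                new X500Name(str),
                SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
        byte[] der = builder
                .build(new BcRSAContentSignerBuilder(signatureAlg, digestAlg).build(signingKey))
                .toASN1Structure()
                .getEncoded();
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME);
        try (ByteArrayInputStream derIn = new ByteArrayInputStream(der)) {
            return (X509Certificate) certificateFactory.generateCertificate(derIn);
        }
    }

    /** A fresh positive serial number with {@value #SERIAL_BITS} bits of entropy; never zero, fits in 20 octets. */
    private static BigInteger newSerialNumber() {
        return new BigInteger(SERIAL_BITS, SERIAL_RNG).add(BigInteger.ONE);
    }

    /** Client-side connections are not supported by this context. */
    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket createSocket(Socket socket, String str, int i, int i2, @Nullable String str2) throws IOException {
        throw new IllegalStateException("not implemented");
    }

    /** Client-side connections are not supported by this context. */
    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket createSocket(String str, int i, int i2, @Nullable String str2) throws IOException {
        throw new IllegalStateException("not implemented");
    }

    /** Client-side connections are not supported by this context. */
    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket createSocket(String str, int i, InetAddress inetAddress, int i2, int i3, @Nullable String str2) throws IOException {
        throw new IllegalStateException("not implemented");
    }

    /** @return {@code null}: certificates are generated on the fly, there is no backing location */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public String getLocation() {
        return null;
    }

    /** @return a mutable list holding only {@code "*"}: this context can answer for any SNI host name */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public List<String> getDnsNames() {
        return Lists.newArrayList("*");
    }

    /** Wrapping is delegated to the per-hostname {@link StaticSSLContext}; this context never wraps itself. */
    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public Socket wrap(Socket socket, byte[] bArr, int i) throws IOException {
        throw new IllegalStateException("not implemented");
    }

    /** There is no single socket factory; each host name has its own context. */
    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    SSLSocketFactory getSocketFactory() {
        throw new IllegalStateException("not implemented");
    }
}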
