package com.predic8.membrane.core.transport.ssl;

import com.google.common.base.Objects;
import com.google.common.collect.Sets;
import com.predic8.membrane.core.config.security.SSLParser;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.InvalidParameterException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.propertyeditors.StringArrayPropertyEditor;

/* loaded from: input_file:lib/service-proxy-core-4.5.1.jar:com/predic8/membrane/core/transport/ssl/SSLContext.class */
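/**
 * Base class for the TLS configuration applied to sockets handled by Membrane.
 *
 * <p>{@link #init} translates the parsed {@code <ssl>} element into cipher-suite,
 * protocol and client-authentication settings; {@link #wrap} applies them to an
 * accepted plain socket. Subclasses supply the JSSE socket factory and the
 * certificate metadata (location, DNS names).
 */
public abstract class SSLContext implements SSLProvider {
    private static final Logger log = LoggerFactory.getLogger(SSLContext.class.getName());

    /** Cipher suites enabled on wrapped sockets, in preference order; set by {@link #init}. */
    protected String[] ciphers;
    /**
     * Protocols enabled explicitly by configuration, or {@code null} to use the JSSE defaults
     * minus SSLv3/SSLv2Hello. An explicit list is passed through unfiltered.
     */
    protected String[] protocols;
    /** Ask the client for a certificate but continue without one ({@code clientAuth="want"}). */
    protected boolean wantClientAuth;
    /** Require a client certificate; the handshake fails without one ({@code clientAuth="need"}). */
    protected boolean needClientAuth;
    /**
     * Handed to {@link SSLParameters#setEndpointIdentificationAlgorithm}. When {@code null}
     * JSSE performs no hostname verification of the peer certificate.
     */
    protected String endpointIdentificationAlgorithm;
    private boolean showSSLExceptions = true;

    /**
     * Scores a JSSE cipher-suite name for the default preference ordering; higher is preferred.
     * Forward secrecy (DHE/ECDHE key exchange) counts 100, AES-256 5 (AES-128 and non-AES 0),
     * SHA-384 4, SHA-256 2, GCM mode 1. The score is derived purely from substrings of the name.
     *
     * <p>Note: TLS 1.3 suite names such as {@code TLS_AES_128_GCM_SHA256} carry no key-exchange
     * token, so if the runtime offers them they receive no forward-secrecy bonus here.
     */
    // Decompiler note: originally a private nested class.
    public static class CipherInfo {
        public final String cipher;
        public final int points;

        public CipherInfo(String cipher) {
            this.cipher = cipher;
            int score = (supportsPFS(cipher) ? 100 : 0)
                    + getAESStrength(cipher) * 5
                    + getSHAStrength(cipher) * 2;
            this.points = supportsAESGCM(cipher) ? score + 1 : score;
        }

        private static boolean supportsAESGCM(String suite) {
            return suite.contains("_GCM_");
        }

        /** AES-256 scores above AES-128; any other cipher scores like AES-128. */
        private static int getAESStrength(String suite) {
            return suite.contains("_AES_256_") ? 1 : 0;
        }

        private static int getSHAStrength(String suite) {
            if (suite.endsWith("_SHA384")) {
                return 2;
            }
            return suite.endsWith("_SHA256") ? 1 : 0;
        }

        /** Ephemeral (EC)DH key exchange with RSA/DSS/ECDSA authentication provides forward secrecy. */
        private static boolean supportsPFS(String suite) {
            return suite.contains("_DHE_RSA_")
                    || suite.contains("_DHE_DSS_")
                    || suite.contains("_ECDHE_RSA_")
                    || suite.contains("_ECDHE_ECDSA_");
        }
    }

    /**
     * Applies the parsed {@code <ssl>} configuration to this provider.
     *
     * <p>Explicitly configured suites are validated against the factory's supported list and
     * merely warned about if they use RC4 or 3DES; when no suites are configured, RC4/3DES are
     * dropped from the JSSE defaults and the rest is ordered by {@link CipherInfo} score.
     *
     * @param parser  the parsed {@code ssl} element (ciphers, protocols, clientAuth, ...)
     * @param context the JSSE context whose socket factory defines supported/default suites
     * @throws InvalidParameterException if a configured cipher is not supported by {@code context}
     * @throws IllegalArgumentException if {@code clientAuth} is neither "want", "need" nor unset
     */
    public void init(SSLParser parser, javax.net.ssl.SSLContext context) {
        this.showSSLExceptions = parser.isShowSSLExceptions();
        SSLSocketFactory factory = context.getSocketFactory();
        if (parser.getCiphers() != null) {
            this.ciphers = validateConfiguredCiphers(splitList(parser.getCiphers()),
                    factory.getSupportedCipherSuites());
        } else {
            this.ciphers = selectDefaultCiphers(factory.getDefaultCipherSuites());
        }
        this.protocols = parser.getProtocols() != null ? splitList(parser.getProtocols()) : null;
        configureClientAuth(parser.getClientAuth());
        this.endpointIdentificationAlgorithm = parser.getEndpointIdentificationAlgorithm();
    }

    /** Splits a comma-separated configuration value and trims each entry. */
    private static String[] splitList(String value) {
        String[] parts = value.split(StringArrayPropertyEditor.DEFAULT_SEPARATOR);
        for (int i = 0; i < parts.length; i++) {
            parts[i] = parts[i].trim();
        }
        return parts;
    }

    /** Rejects suites the factory does not support and warns about deprecated ciphers. */
    private static String[] validateConfiguredCiphers(String[] configured, String[] supported) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        for (String suite : configured) {
            if (!supportedSet.contains(suite)) {
                throw new InvalidParameterException("Unknown cipher " + suite);
            }
            warnIfDeprecated(suite);
        }
        return configured;
    }

    /** Explicitly configured RC4/3DES suites are kept, but logged as deprecated. */
    private static void warnIfDeprecated(String suite) {
        if (suite.contains("_RC4_")) {
            log.warn("Cipher " + suite + " uses RC4, which is deprecated.");
        }
        if (suite.contains("_3DES_")) {
            log.warn("Cipher " + suite + " uses 3DES, which is deprecated.");
        }
    }

    /** Drops RC4/3DES from the JSSE default suites and orders the remainder by score. */
    private static String[] selectDefaultCiphers(String[] jsseDefaults) {
        List<String> chosen = new ArrayList<>(jsseDefaults.length);
        for (String suite : jsseDefaults) {
            if (!suite.contains("_RC4_") && !suite.contains("_3DES_")) {
                chosen.add(suite);
            }
        }
        sortCiphers(chosen);
        return chosen.toArray(new String[0]);
    }

    /** Maps the {@code clientAuth} attribute onto the want/need flags. */
    private void configureClientAuth(String clientAuth) {
        if (clientAuth == null) {
            this.needClientAuth = false;
            this.wantClientAuth = false;
            return;
        }
        switch (clientAuth) {
            case "need":
                this.needClientAuth = true;
                this.wantClientAuth = true;
                break;
            case "want":
                this.needClientAuth = false;
                this.wantClientAuth = true;
                break;
            default:
                throw new IllegalArgumentException("Invalid value '" + clientAuth
                        + "' in clientAuth: expected 'want', 'need' or not set.");
        }
    }

    /** Human-readable origin of the key material, used in log and error messages. */
    abstract String getLocation();

    /** DNS names of the first key's certificate, or {@code null} if they could not be extracted. */
    abstract List<String> getDnsNames();

    /**
     * Layers a server-mode TLS socket over an already-connected plain socket.
     *
     * @param socket         the connected plain socket
     * @param consumed       bytes already read from {@code socket}; the first {@code consumedLength}
     *                       are replayed to the TLS engine before it reads from the socket
     * @param consumedLength number of valid bytes in {@code consumed}
     * @return the TLS socket with ciphers, protocols and client-auth settings applied
     * @throws IOException if the socket factory cannot create the layered socket
     */
    public Socket wrap(Socket socket, byte[] consumed, int consumedLength) throws IOException {
        SSLSocket ssl = (SSLSocket) getSocketFactory()
                .createSocket(socket, new ByteArrayInputStream(consumed, 0, consumedLength), true);
        applyCiphers(ssl);
        if (getProtocols() != null) {
            ssl.setEnabledProtocols(getProtocols());
        } else {
            ssl.setEnabledProtocols(withoutLegacySsl(ssl.getEnabledProtocols()));
        }
        ssl.setWantClientAuth(isWantClientAuth());
        ssl.setNeedClientAuth(isNeedClientAuth());
        return ssl;
    }

    /**
     * Removes SSLv3 and the SSLv2Hello pseudo-protocol from the JSSE-enabled list, preserving
     * order. TLSv1/TLSv1.1 are left exactly as the JVM enables them.
     */
    private static String[] withoutLegacySsl(String[] enabled) {
        List<String> kept = new ArrayList<>(enabled.length);
        for (String protocol : enabled) {
            if (!protocol.equals("SSLv3") && !protocol.equals("SSLv2Hello")) {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[0]);
    }

    /**
     * Installs the configured cipher list, server-side ordering and endpoint identification
     * algorithm on {@code ssl}. Does nothing until {@link #init} has set {@link #ciphers}; the
     * endpoint identification algorithm is only applied together with the cipher list.
     */
    public void applyCiphers(SSLSocket ssl) {
        if (this.ciphers == null) {
            return;
        }
        SSLParameters params = ssl.getSSLParameters();
        applyCipherOrdering(params);
        params.setCipherSuites(this.ciphers);
        params.setEndpointIdentificationAlgorithm(this.endpointIdentificationAlgorithm);
        ssl.setSSLParameters(params);
    }

    /** Honour our cipher order over the client's preference (JSSE defaults to the client's). */
    // Decompiler note: originally protected.
    public void applyCipherOrdering(SSLParameters params) {
        params.setUseCipherSuitesOrder(true);
    }

    String[] getCiphers() {
        return this.ciphers;
    }

    String[] getProtocols() {
        return this.protocols;
    }

    boolean isNeedClientAuth() {
        return this.needClientAuth;
    }

    boolean isWantClientAuth() {
        return this.wantClientAuth;
    }

    /**
     * Orders suites in place by descending {@link CipherInfo#points}. The sort is stable, so
     * suites with equal scores keep the JSSE default order.
     */
    private static void sortCiphers(List<String> suites) {
        List<CipherInfo> scored = new ArrayList<>(suites.size());
        for (String suite : suites) {
            scored.add(new CipherInfo(suite));
        }
        scored.sort(Comparator.comparingInt((CipherInfo info) -> info.points).reversed());
        for (int i = 0; i < suites.size(); i++) {
            suites.set(i, scored.get(i).cipher);
        }
    }

    /**
     * Builds a space-separated hostname pattern from the certificate's DNS names.
     *
     * @return the joined DNS names, or {@code "*"} (with a warning) when the list is empty;
     *         presumably {@code "*"} matches any hostname in the caller's dispatch — verify there
     * @throws IllegalStateException if the DNS names could not be extracted at all
     */
    public String constructHostNamePattern() {
        List<String> dnsNames = getDnsNames();
        if (dnsNames == null) {
            throw new IllegalStateException(
                    "Could not extract DNS names from the first key's certificate in " + getLocation());
        }
        if (dnsNames.isEmpty()) {
            log.warn("Could not retrieve DNS hostname for certificate, using '*': " + getLocation());
            return "*";
        }
        return String.join(" ", dnsNames);
    }

    abstract SSLSocketFactory getSocketFactory();

    /**
     * Warns when the chain is not linked by name, i.e. the issuer of {@code chain[i]} is not the
     * subject of {@code chain[i+1]}. This is a configuration sanity check only: no signatures,
     * validity periods or trust anchors are verified, and a broken chain is logged, not rejected.
     *
     * @param chain leaf-first certificate list; entries must be X.509 certificates
     */
    // Decompiler note: originally protected.
    public void checkChainValidity(List<Certificate> chain) {
        if (isNameChained(chain)) {
            return;
        }
        StringBuilder sb = new StringBuilder("Certificate chain is not valid:\n");
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = (X509Certificate) chain.get(i);
            sb.append("Cert ").append(String.format("%2d", i))
                    .append(": Subject: ").append(cert.getSubjectX500Principal()).append('\n');
            sb.append("         Issuer: ").append(cert.getIssuerX500Principal()).append('\n');
        }
        log.warn(sb.toString());
    }

    /** True when every certificate's issuer equals the next certificate's subject (empty/single chains pass). */
    private static boolean isNameChained(List<Certificate> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = (X509Certificate) chain.get(i);
            X509Certificate issuer = (X509Certificate) chain.get(i + 1);
            // X500Principal.equals compares canonical DNs, which is more robust than string equality.
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return false;
            }
        }
        return true;
    }

    /** Whether TLS handshake/IO exceptions should be logged; defaults to {@code true} until {@link #init}. */
    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public boolean showSSLExceptions() {
        return this.showSSLExceptions;
    }
}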
