package com.predic8.membrane.core.transport.ssl;

import com.google.common.base.Objects;
import com.predic8.membrane.core.config.security.Certificate;
import com.predic8.membrane.core.config.security.SSLParser;
import com.predic8.membrane.core.config.security.Store;
import com.predic8.membrane.core.resolver.ResolverMap;
import com.predic8.membrane.core.transport.TrustManagerWrapper;
import com.predic8.membrane.core.transport.http2.Http2TlsSupport;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidParameterException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nullable;
import javax.crypto.Cipher;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.validation.constraints.NotNull;
import org.jose4j.keys.AesKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;

/* loaded from: input_file:WEB-INF/lib/service-proxy-core-4.8.4.jar:com/predic8/membrane/core/transport/ssl/StaticSSLContext.class */
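/**
 * {@link SSLContext} backed by one statically configured {@link javax.net.ssl.SSLContext}.
 *
 * <p>Key material comes either from a {@code <keystore>} or from an inline PEM {@code <key>};
 * trust anchors come either from a {@code <truststore>} or from inline PEM {@code <trust>}
 * certificates. Each pair is mutually exclusive and rejected at construction time.
 * Sockets created here never enable {@code SSLv3} or {@code SSLv2Hello} unless the
 * configuration lists protocols explicitly.</p>
 *
 * <p>Fixes relative to the previous revision of this class:</p>
 * <ul>
 *   <li>{@code <trust>} together with {@code <truststore>} is now actually rejected (the old
 *       check compared a variable that was always {@code null}, so {@code <trust>} silently
 *       replaced the truststore).</li>
 *   <li>The {@code checkRevocation} options are now applied to the
 *       {@link PKIXRevocationChecker}; before, they were parsed and discarded.</li>
 *   <li>{@code clientAuth="want"} now requests a client certificate: per the
 *       {@link SSLServerSocket#setNeedClientAuth(boolean)} contract, calling it with
 *       {@code false} after {@code setWantClientAuth(true)} resets the socket to
 *       "no client auth".</li>
 *   <li>The keystore {@link InputStream} is closed; the SNI name is UTF-8 encoded instead of
 *       using the platform charset; {@code equals} no longer throws on foreign
 *       {@link SSLContext} subclasses and is paired with {@code hashCode}.</li>
 * </ul>
 */
public class StaticSSLContext extends SSLContext {
    /** SHA-256 fingerprint (colon-separated lowercase hex) of the certificate shipped in the distribution's default keystore. */
    private static final String DEFAULT_CERTIFICATE_SHA256 = "c7:e3:fd:97:2f:d3:b9:4f:38:87:9c:45:32:70:b3:d8:c1:9f:d1:64:39:fc:48:5f:f4:a1:6a:95:b5:ca:08:f7";
    /** Alias under which the shipped default certificate is stored. */
    private static final String DEFAULT_CERTIFICATE_ALIAS = "membrane";
    /** Keystore type assumed when {@code <keystore>}/{@code <truststore>} do not name one. */
    private static final String DEFAULT_KEYSTORE_TYPE = "JKS";
    /** Key password assumed when {@code <keystore>} sets no {@code keyPassword} (the JDK's well-known default). */
    private static final String DEFAULT_KEY_PASSWORD = "changeit";
    /** GeneralName tag of a dNSName entry in the subjectAlternativeName extension (RFC 5280). */
    private static final int SAN_TYPE_DNS_NAME = 2;
    /** Alias used for the key entry built from inline PEM material. */
    private static final String INLINE_KEY_ALIAS = "inlinePemKeyAndCertificate";

    private static boolean limitedStrength;
    private static boolean default_certificate_warned = false;
    private static final Logger log = LoggerFactory.getLogger(StaticSSLContext.class.getName());

    private final SSLParser sslParser;
    /** DNS names taken from the SAN extension of the server certificate; {@code null} if no key entry was found. */
    private List<String> dnsNames;
    private javax.net.ssl.SSLContext sslc;

    /**
     * Builds the context from the {@code <ssl>} configuration.
     *
     * @param sslParser    the parsed {@code <ssl>} element
     * @param resolverMap  used to load keystore files and PEM blobs
     * @param baseLocation location that relative paths in the configuration are resolved against
     * @throws RuntimeException wrapping any configuration or crypto error (the original exception is the cause)
     */
    public StaticSSLContext(SSLParser sslParser, ResolverMap resolverMap, String baseLocation) {
        this.sslParser = sslParser;
        try {
            // KeyManagerFactory algorithm; a configured value wins over the JDK default (SunX509 on OpenJDK).
            String keyManagerAlgorithm = sslParser.getAlgorithm() != null
                    ? sslParser.getAlgorithm()
                    : KeyManagerFactory.getDefaultAlgorithm();
            String keyStoreType = DEFAULT_KEYSTORE_TYPE;
            KeyManagerFactory kmf = null;

            if (sslParser.getKeyStore() != null) {
                if (sslParser.getKeyStore().getKeyAlias() != null) {
                    throw new InvalidParameterException("keyAlias is not yet supported.");
                }
                if (sslParser.getKeyStore().getType() != null) {
                    keyStoreType = sslParser.getKeyStore().getType();
                }
                char[] keyPassword = sslParser.getKeyStore().getKeyPassword() != null
                        ? sslParser.getKeyStore().getKeyPassword().toCharArray()
                        : DEFAULT_KEY_PASSWORD.toCharArray();
                KeyStore ks = openKeyStore(sslParser.getKeyStore(), keyStoreType, keyPassword, resolverMap, baseLocation);
                kmf = KeyManagerFactory.getInstance(keyManagerAlgorithm);
                kmf.init(ks, keyPassword);
                // The first key entry is taken as "the" server certificate for SNI matching.
                Enumeration<String> aliases = ks.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    if (ks.isKeyEntry(alias)) {
                        this.dnsNames = getDNSNames(ks.getCertificate(alias));
                        break;
                    }
                }
            }

            if (sslParser.getKey() != null) {
                if (kmf != null) {
                    throw new InvalidParameterException("<key> may not be used together with <keystore>.");
                }
                KeyStore ks = KeyStore.getInstance(keyStoreType);
                ks.load(null, "".toCharArray());
                List<java.security.cert.Certificate> chain = new ArrayList<>();
                for (Certificate cert : sslParser.getKey().getCertificates()) {
                    chain.add(PEMSupport.getInstance().parseCertificate(cert.get(resolverMap, baseLocation)));
                }
                if (chain.isEmpty()) {
                    throw new RuntimeException("At least one //ssl/key/certificate is required.");
                }
                // chain.get(0) is the leaf: it provides the SAN names and must match the private key.
                this.dnsNames = getDNSNames(chain.get(0));
                checkChainValidity(chain);
                Object parsed = PEMSupport.getInstance().parseKey(sslParser.getKey().getPrivate().get(resolverMap, baseLocation));
                Key privateKey = parsed instanceof Key ? (Key) parsed : ((KeyPair) parsed).getPrivate();
                warnIfKeyDoesNotMatch(privateKey, chain.get(0));
                ks.setKeyEntry(INLINE_KEY_ALIAS, privateKey, "".toCharArray(),
                        chain.toArray(new java.security.cert.Certificate[0]));
                // NOTE(review): the inline path ignores the configured KeyManagerFactory algorithm
                // and the entry is stored with an empty password while the factory is initialised
                // with <key password=...> — both kept as found; confirm intent before changing.
                kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(ks, (sslParser.getKey().getPassword() != null ? sslParser.getKey().getPassword() : "").toCharArray());
            }

            TrustManagerFactory tmf = null;
            KeyStore trustStore = null;
            String trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
            String checkRevocation = null;

            if (sslParser.getTrustStore() != null) {
                if (sslParser.getTrustStore().getAlgorithm() != null) {
                    trustAlgorithm = sslParser.getTrustStore().getAlgorithm();
                }
                trustStore = openKeyStore(sslParser.getTrustStore(), keyStoreType, null, resolverMap, baseLocation);
                checkRevocation = sslParser.getTrustStore().getCheckRevocation();
            }

            if (sslParser.getTrust() != null) {
                // Previously compared the not-yet-assigned TrustManagerFactory and never fired.
                if (trustStore != null) {
                    throw new InvalidParameterException("<trust> may not be used together with <truststore>.");
                }
                if (sslParser.getTrust().getAlgorithm() != null) {
                    trustAlgorithm = sslParser.getTrust().getAlgorithm();
                }
                trustStore = KeyStore.getInstance(keyStoreType);
                trustStore.load(null, "".toCharArray());
                List<Certificate> trusted = sslParser.getTrust().getCertificateList();
                for (int i = 0; i < trusted.size(); i++) {
                    trustStore.setCertificateEntry("inlinePemCertificate" + i,
                            PEMSupport.getInstance().parseCertificate(trusted.get(i).get(resolverMap, baseLocation)));
                }
                checkRevocation = sslParser.getTrust().getCheckRevocation();
            }

            if (trustStore != null) {
                tmf = TrustManagerFactory.getInstance(trustAlgorithm);
                if (checkRevocation != null) {
                    tmf.init(new CertPathTrustManagerParameters(
                            revocationCheckingParameters(trustStore, trustAlgorithm, checkRevocation)));
                } else {
                    tmf.init(trustStore);
                }
            }

            // null trust managers mean the JDK default trust store is used by SSLContext.init().
            TrustManager[] trustManagers = tmf != null ? tmf.getTrustManagers() : null;
            if (sslParser.isIgnoreTimestampCheckFailure()) {
                trustManagers = new TrustManager[]{new TrustManagerWrapper(trustManagers, true)};
            }

            String protocol = sslParser.getProtocol() != null ? sslParser.getProtocol() : "TLS";
            this.sslc = javax.net.ssl.SSLContext.getInstance(protocol);
            this.sslc.init(kmf != null ? kmf.getKeyManagers() : null, trustManagers, null);
            init(sslParser, this.sslc);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Wraps an already initialised {@link javax.net.ssl.SSLContext}.
     *
     * @param sslParser  the parsed {@code <ssl>} element (used for ciphers, protocols, client auth, HTTP/2)
     * @param sslContext the context to delegate socket creation to
     */
    public StaticSSLContext(SSLParser sslParser, javax.net.ssl.SSLContext sslContext) {
        this.sslParser = sslParser;
        this.sslc = sslContext;
        init(sslParser, sslContext);
    }

    /**
     * Builds PKIX parameters whose revocation checker carries the configured options.
     *
     * @param trustStore trust anchors
     * @param algorithm  {@link CertPathBuilder} algorithm (the TrustManagerFactory algorithm is reused, "PKIX" by default)
     * @param optionList comma-separated {@link PKIXRevocationChecker.Option} names, e.g. {@code SOFT_FAIL,PREFER_CRLS}
     * @throws GeneralSecurityException if the algorithm is unknown or the trust store has no trusted entry
     * @throws IllegalArgumentException if an option name is not a {@link PKIXRevocationChecker.Option}
     */
    private static PKIXBuilderParameters revocationCheckingParameters(KeyStore trustStore, String algorithm, String optionList)
            throws GeneralSecurityException {
        CertPathBuilder builder = CertPathBuilder.getInstance(algorithm);
        PKIXRevocationChecker checker = (PKIXRevocationChecker) builder.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        for (String option : optionList.split(",")) {
            options.add(PKIXRevocationChecker.Option.valueOf(option.trim()));
        }
        // Previously the options were collected but never handed to the checker.
        checker.setOptions(options);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(checker);
        return params;
    }

    /**
     * Logs a warning when an RSA private key does not belong to the leaf certificate's public key.
     * Only RSA CRT keys expose the public components needed for the comparison; other key types are skipped.
     */
    private static void warnIfKeyDoesNotMatch(Key privateKey, java.security.cert.Certificate leaf) {
        if (!(privateKey instanceof RSAPrivateCrtKey) || !(leaf.getPublicKey() instanceof RSAPublicKey)) {
            return;
        }
        RSAPrivateCrtKey priv = (RSAPrivateCrtKey) privateKey;
        RSAPublicKey pub = (RSAPublicKey) leaf.getPublicKey();
        boolean matches = priv.getModulus().equals(pub.getModulus())
                && priv.getPublicExponent().equals(pub.getPublicExponent());
        if (!matches) {
            log.warn("Certificate does not fit to key.");
        }
    }

    /**
     * Returns the dNSName entries of the certificate's subjectAlternativeName extension.
     *
     * @return the names, possibly empty; empty for non-X.509 certificates or when the extension is absent
     * @throws CertificateParsingException if the extension cannot be decoded
     */
    private static List<String> getDNSNames(java.security.cert.Certificate certificate) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        if (!(certificate instanceof X509Certificate)) {
            return names;
        }
        Collection<List<?>> sans = ((X509Certificate) certificate).getSubjectAlternativeNames();
        if (sans == null) {
            return names;
        }
        for (List<?> san : sans) {
            Object type = san.get(0);
            if (type instanceof Integer && ((Integer) type).intValue() == SAN_TYPE_DNS_NAME) {
                names.add(san.get(1).toString());
            }
        }
        return names;
    }

    /** Two contexts are equal when built from equal {@link SSLParser} configurations. */
    @Override
    public boolean equals(Object obj) {
        if (!(obj instanceof StaticSSLContext)) {
            return false; // previously cast any SSLContext and could throw ClassCastException
        }
        return Objects.equal(this.sslParser, ((StaticSSLContext) obj).sslParser);
    }

    /** Consistent with {@link #equals(Object)}: derived from the configuration only. */
    @Override
    public int hashCode() {
        return java.util.Objects.hashCode(this.sslParser);
    }

    /**
     * Loads a keystore described by a {@code <keystore>} or {@code <truststore>} element.
     *
     * @param store           the element
     * @param defaultType     keystore type used when the element names none
     * @param defaultPassword store password used when the element sets none; {@code null} means "must be configured"
     * @param resolverMap     resolves {@code store.getLocation()} to a stream
     * @param baseLocation    base for relative locations
     * @throws InvalidParameterException if no password is available from either source
     * @throws IOException              if the store cannot be read
     * @throws GeneralSecurityException if the type/provider is unknown or the store fails to load
     */
    private KeyStore openKeyStore(Store store, String defaultType, char[] defaultPassword, ResolverMap resolverMap, String baseLocation)
            throws IOException, GeneralSecurityException {
        String type = store.getType() != null ? store.getType() : defaultType;
        char[] password = store.getPassword() != null ? store.getPassword().toCharArray() : defaultPassword;
        if (password == null) {
            throw new InvalidParameterException("Password for key store is not set.");
        }
        KeyStore ks = store.getProvider() != null
                ? KeyStore.getInstance(type, store.getProvider())
                : KeyStore.getInstance(type);
        // The resolved stream was previously never closed.
        try (InputStream in = resolverMap.resolve(ResolverMap.combine(baseLocation, store.getLocation()))) {
            ks.load(in, password);
        }
        warnIfDefaultCertificate(ks);
        return ks;
    }

    /**
     * Warns once per JVM when the keystore still contains the certificate shipped with the distribution,
     * identified by alias and SHA-256 fingerprint. Its private key is public knowledge, so serving it is unsafe.
     */
    private static void warnIfDefaultCertificate(KeyStore ks) throws KeyStoreException, CertificateException, NoSuchAlgorithmException {
        if (default_certificate_warned) {
            return;
        }
        java.security.cert.Certificate cert = ks.getCertificate(DEFAULT_CERTIFICATE_ALIAS);
        if (cert == null) {
            return;
        }
        if (DEFAULT_CERTIFICATE_SHA256.equals(sha256Fingerprint(cert.getEncoded()))) {
            log.warn("Using Membrane with the default certificate. This is highly discouraged! Please run the generate-ssl-keys script in the conf directory.");
            default_certificate_warned = true;
        }
    }

    /** SHA-256 of {@code data} as colon-separated lowercase hex, e.g. {@code c7:e3:...}. */
    private static String sha256Fingerprint(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02x", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /**
     * Applies the configured cipher suites (and cipher ordering) to a server socket; no-op when none are configured.
     */
    public void applyCiphers(SSLServerSocket sslServerSocket) {
        if (this.ciphers == null) {
            return;
        }
        SSLParameters params = sslServerSocket.getSSLParameters();
        applyCipherOrdering(params);
        params.setCipherSuites(this.ciphers);
        sslServerSocket.setSSLParameters(params);
    }

    /**
     * Returns the protocols to enable: the configured list if present, otherwise the socket's
     * current list minus {@code SSLv3} and {@code SSLv2Hello}.
     */
    private String[] protocolsToEnable(String[] currentlyEnabled) {
        if (this.protocols != null) {
            return this.protocols;
        }
        List<String> kept = new ArrayList<>(currentlyEnabled.length);
        for (String p : currentlyEnabled) {
            if (!"SSLv3".equals(p) && !"SSLv2Hello".equals(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    /**
     * Creates a listening TLS socket.
     *
     * @param port        port to bind
     * @param backlog     listen backlog
     * @param bindAddress local address to bind, or {@code null} for all
     */
    @Override
    public ServerSocket createServerSocket(int port, int backlog, InetAddress bindAddress) throws IOException {
        SSLServerSocket sss = (SSLServerSocket) this.sslc.getServerSocketFactory().createServerSocket(port, backlog, bindAddress);
        applyCiphers(sss);
        sss.setEnabledProtocols(protocolsToEnable(sss.getEnabledProtocols()));
        // setNeedClientAuth(false) resets the socket to "no client auth" (JDK contract), so it must not
        // follow setWantClientAuth(true); pick exactly one of the two calls.
        if (this.needClientAuth) {
            sss.setNeedClientAuth(true);
        } else {
            sss.setWantClientAuth(this.wantClientAuth);
        }
        if (this.sslParser.isUseExperimentalHttp2()) {
            Http2TlsSupport.offerHttp2(sss);
        }
        return sss;
    }

    /** Accepted sockets are already TLS sockets; nothing to wrap. */
    @Override
    public Socket wrapAcceptedSocket(Socket socket) throws IOException {
        return socket;
    }

    /** Applies protocol and cipher configuration to a client-side socket. */
    private void prepare(SSLSocket sslSocket) {
        sslSocket.setEnabledProtocols(protocolsToEnable(sslSocket.getEnabledProtocols()));
        applyCiphers(sslSocket);
    }

    /** Creates an unconnected client TLS socket. */
    @Override
    public Socket createSocket() throws IOException {
        SSLSocket s = (SSLSocket) this.sslc.getSocketFactory().createSocket();
        prepare(s);
        return s;
    }

    /**
     * Layers TLS over an already connected socket.
     *
     * @param socket         the connected plain socket (closed together with the TLS socket)
     * @param host           target host, also the default SNI name
     * @param port           target port
     * @param connectTimeout unused here; kept for interface compatibility
     * @param sniServerName  SNI name to send; {@code null} sends {@code host}, {@code ""} sends no SNI
     */
    @Override
    public Socket createSocket(Socket socket, String host, int port, int connectTimeout, @Nullable String sniServerName) throws IOException {
        SSLSocket s = (SSLSocket) this.sslc.getSocketFactory().createSocket(socket, host, port, true);
        applySNI(s, sniServerName, host);
        prepare(s);
        return s;
    }

    /** Connects a plain socket with the given timeout, then layers TLS over it. */
    @Override
    public Socket createSocket(String host, int port, int connectTimeout, @Nullable String sniServerName) throws IOException {
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, port), connectTimeout);
        return createSocket(plain, host, port, connectTimeout, sniServerName);
    }

    /** Like {@link #createSocket(String, int, int, String)} but binds the local endpoint first. */
    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort, int connectTimeout, @Nullable String sniServerName) throws IOException {
        Socket plain = new Socket();
        plain.bind(new InetSocketAddress(localAddress, localPort));
        plain.connect(new InetSocketAddress(host, port), connectTimeout);
        return createSocket(plain, host, port, connectTimeout, sniServerName);
    }

    /**
     * Sets the SNI server_name extension.
     *
     * @param sslSocket     the socket to configure
     * @param sniServerName explicit name; {@code null} falls back to {@code host}; the empty string disables SNI
     * @param host          connection target used as fallback
     */
    private void applySNI(@NotNull SSLSocket sslSocket, @Nullable String sniServerName, @NotNull String host) {
        if (sniServerName != null && sniServerName.isEmpty()) {
            return;
        }
        String name = sniServerName != null ? sniServerName : host;
        // SNIHostName(byte[]) expects UTF-8; the platform default charset is not guaranteed to be that.
        List<SNIServerName> serverNames = new ArrayList<>(1);
        serverNames.add(new SNIHostName(name.getBytes(StandardCharsets.UTF_8)));
        SSLParameters params = sslSocket.getSSLParameters();
        params.setServerNames(serverNames);
        sslSocket.setSSLParameters(params);
    }

    @Override
    SSLSocketFactory getSocketFactory() {
        return this.sslc.getSocketFactory();
    }

    /** SAN dNSNames of the server certificate, or {@code null} when none was determined. */
    @Override
    List<String> getDnsNames() {
        return this.dnsNames;
    }

    /** Keystore location, or the Spring {@code NULL_ELEMENT} literal when no {@code <keystore>} is configured. */
    @Override
    String getLocation() {
        return this.sslParser.getKeyStore() != null ? this.sslParser.getKeyStore().getLocation() : BeanDefinitionParserDelegate.NULL_ELEMENT;
    }

    static {
        // "matched" sizes ephemeral DH keys to the server's authentication key instead of the weak legacy size.
        String dhKeySize = System.getProperty("jdk.tls.ephemeralDHKeySize");
        if (dhKeySize == null || "legacy".equals(dhKeySize)) {
            System.setProperty("jdk.tls.ephemeralDHKeySize", "matched");
        }
        try {
            limitedStrength = Cipher.getMaxAllowedKeyLength(AesKey.ALGORITHM) <= 128;
            if (limitedStrength) {
                log.warn("Your Java Virtual Machine does not have unlimited strength cryptography. If it is legal in your country, we strongly advise installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.");
            }
        } catch (NoSuchAlgorithmException ignored) {
            // Cannot determine the policy limit; the warning is advisory only.
        }
        // Enables the server-side status_request (OCSP stapling) extension where the JDK supports it.
        if (System.getProperty("jdk.tls.server.enableStatusRequestExtension") == null) {
            System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
        }
    }
}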
