package com.predic8.membrane.core.transport.ssl;

import com.google.common.base.Objects;
import com.google.common.collect.Sets;
import com.predic8.membrane.core.config.security.SSLParser;
import com.predic8.membrane.core.transport.http2.Http2TlsSupport;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.Socket;
import java.security.InvalidParameterException;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECFieldFp;
import java.security.spec.EllipticCurve;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.math.ec.ECPoint;
import org.bouncycastle.math.ec.FixedPointCombMultiplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.5.0.jar:com/predic8/membrane/core/transport/ssl/SSLContext.class */
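/**
 * Common base of Membrane's TLS contexts.
 *
 * <p>Holds the cipher-suite, protocol, client-authentication and endpoint-identification
 * settings parsed from an {@link SSLParser} and applies them to sockets. Subclasses supply
 * the {@link SSLSocketFactory}, the key/certificate material and its metadata.
 *
 * <p>Decompiled from service-proxy-core-5.5.0; JADX reports that {@link CipherInfo},
 * {@link #applyCipherOrdering}, {@link #checkChainValidity} and {@link #checkKeyMatchesCert}
 * were originally {@code private}/{@code protected}. They are kept {@code public} here so that
 * callers compiled against the decompiled form keep working.
 */
public abstract class SSLContext implements SSLProvider {
    private static final Logger log = LoggerFactory.getLogger(SSLContext.class.getName());

    /**
     * Reflective handles for {@code SSLParameters.getApplicationProtocols()} and
     * {@code setApplicationProtocols(String[])} (ALPN). Both stay {@code null} on JDKs that
     * do not provide them, in which case {@link #getApplicationProtocols(Socket)} returns null.
     */
    protected static Method getApplicationProtocols;
    protected static Method setApplicationProtocols;

    static {
        try {
            getApplicationProtocols = SSLParameters.class.getDeclaredMethod("getApplicationProtocols");
            setApplicationProtocols = SSLParameters.class.getDeclaredMethod("setApplicationProtocols", String[].class);
        } catch (NoSuchMethodException ignored) {
            // Older JDKs have no ALPN accessors on SSLParameters; both handles remain null
            // and ALPN information is simply not reported.
        }
    }

    /** Enabled cipher suites (JSSE names); set by {@link #init}, never null afterwards. */
    protected String[] ciphers;
    /** Explicitly configured protocols, or null to use the socket's defaults minus SSLv3/SSLv2Hello. */
    protected String[] protocols;
    protected boolean wantClientAuth;
    protected boolean needClientAuth;
    /** Passed to {@link SSLParameters#setEndpointIdentificationAlgorithm}; may be null. */
    protected String endpointIdentificationAlgorithm;
    private boolean showSSLExceptions = true;
    private boolean useAsDefault;
    private boolean useHttp2;

    /**
     * Heuristic ranking of a cipher suite derived solely from its JSSE name; higher
     * {@link #points} means the suite is preferred when Membrane orders the JDK default
     * suites itself (see {@link #sortCiphers}). No cryptographic evaluation takes place.
     */
    public static class CipherInfo {
        public final String cipher;
        public final int points;

        /**
         * Scores {@code str}: forward secrecy +100, AES key size +5 per level, SHA-2 digest
         * +2 per level, ChaCha20-Poly1305 +25, AES-GCM +15, and +150 for anything that is
         * not a CBC suite.
         *
         * @param str a JSSE cipher suite name such as {@code TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
         */
        public CipherInfo(String str) {
            this.cipher = str;
            int score = (supportsPFS(str) ? 100 : 0)
                    + getAESStrength(str) * 5
                    + getSHAStrength(str) * 2
                    + getChaChaPoly1305Strength(str) * 25;
            if (supportsAESGCM(str)) {
                score += 15;
            }
            if (!supportsAESCBC(str)) {
                score += 150;
            }
            this.points = score;
        }

        private static boolean supportsAESGCM(String str) {
            return str.contains("_GCM_");
        }

        private static boolean supportsAESCBC(String str) {
            return str.contains("_CBC_");
        }

        private static int getChaChaPoly1305Strength(String str) {
            return str.contains("_CHACHA20_POLY1305_") ? 1 : 0;
        }

        /** 2 for a (hypothetical) AES-512 name, 1 for AES-256, 0 for AES-128 or no AES at all. */
        private static int getAESStrength(String str) {
            if (str.contains("_AES_512_")) {
                return 2;
            }
            if (str.contains("_AES_256_")) {
                return 1;
            }
            return 0;
        }

        /** 2 for SHA-384, 1 for SHA-256, 0 otherwise (SHA-1 or no digest suffix). */
        private static int getSHAStrength(String str) {
            if (str.endsWith("_SHA384")) {
                return 2;
            }
            return str.endsWith("_SHA256") ? 1 : 0;
        }

        /** True for the (EC)DHE key exchanges, i.e. suites that provide forward secrecy. */
        private static boolean supportsPFS(String str) {
            return str.contains("_DHE_RSA_")
                    || str.contains("_DHE_DSS_")
                    || str.contains("_ECDHE_RSA_")
                    || str.contains("_ECDHE_ECDSA_");
        }
    }

    /**
     * Reads the TLS settings from {@code sSLParser} and validates them against what
     * {@code sSLContext} supports.
     *
     * <p>When no ciphers are configured, the factory's default suites are taken, RC4 and 3DES
     * suites are dropped, and the rest is ordered by {@link CipherInfo} score. Configured
     * cipher and protocol lists are comma-separated; entries are trimmed.
     *
     * @throws InvalidParameterException if a configured cipher is not supported by the context
     * @throws RuntimeException if {@code clientAuth} is neither {@code want}, {@code need} nor unset
     */
    public void init(SSLParser sSLParser, javax.net.ssl.SSLContext sSLContext) {
        this.showSSLExceptions = sSLParser.isShowSSLExceptions();
        this.useAsDefault = sSLParser.isUseAsDefault();

        SSLSocketFactory factory = sSLContext.getSocketFactory();
        if (sSLParser.getCiphers() != null) {
            this.ciphers = splitCommaList(sSLParser.getCiphers());
            Set<String> supported = Sets.newHashSet(factory.getSupportedCipherSuites());
            for (String cipher : this.ciphers) {
                if (!supported.contains(cipher)) {
                    throw new InvalidParameterException("Unknown cipher " + cipher);
                }
                // Explicitly configured weak suites are honoured but logged.
                if (cipher.contains("_RC4_")) {
                    log.warn("Cipher {} uses RC4, which is deprecated.", cipher);
                }
                if (cipher.contains("_3DES_")) {
                    log.warn("Cipher {} uses 3DES, which is deprecated.", cipher);
                }
            }
        } else {
            String[] defaultSuites = factory.getDefaultCipherSuites();
            List<String> selected = new ArrayList<>(defaultSuites.length);
            for (String cipher : defaultSuites) {
                if (!cipher.contains("_RC4_") && !cipher.contains("_3DES_")) {
                    selected.add(cipher);
                }
            }
            sortCiphers(selected);
            this.ciphers = selected.toArray(new String[0]);
        }

        this.protocols = sSLParser.getProtocols() != null ? splitCommaList(sSLParser.getProtocols()) : null;

        String clientAuth = sSLParser.getClientAuth();
        if (clientAuth == null) {
            this.needClientAuth = false;
            this.wantClientAuth = false;
        } else {
            switch (clientAuth) {
                case "need":
                    this.needClientAuth = true;
                    this.wantClientAuth = true;
                    break;
                case "want":
                    this.needClientAuth = false;
                    this.wantClientAuth = true;
                    break;
                default:
                    throw new RuntimeException("Invalid value '" + clientAuth + "' in clientAuth: expected 'want', 'need' or not set.");
            }
        }

        this.endpointIdentificationAlgorithm = sSLParser.getEndpointIdentificationAlgorithm();
        this.useHttp2 = sSLParser.isUseExperimentalHttp2();
    }

    /** Splits a comma-separated configuration value and trims each entry. */
    private static String[] splitCommaList(String commaSeparated) {
        String[] parts = commaSeparated.split(",");
        for (int i = 0; i < parts.length; i++) {
            parts[i] = parts[i].trim();
        }
        return parts;
    }

    /** Human-readable origin of the key material, used in error messages. */
    abstract String getLocation();

    /** DNS names of the first certificate, or null if they could not be extracted. */
    abstract List<String> getDnsNames();

    /**
     * Layers TLS over an already accepted socket whose first {@code i} bytes were already read
     * into {@code bArr} (they are replayed to the TLS engine).
     *
     * <p>Without an explicit protocol list, the socket's enabled protocols minus SSLv3 and
     * SSLv2Hello are used; TLS 1.0/1.1 are not filtered here and rely on the JDK's
     * {@code jdk.tls.disabledAlgorithms} setting.
     *
     * @throws IOException if the socket factory cannot create the TLS socket
     */
    public Socket wrap(Socket socket, byte[] bArr, int i) throws IOException {
        SSLSocket sslSocket = (SSLSocket) getSocketFactory()
                .createSocket(socket, new ByteArrayInputStream(bArr, 0, i), true);
        applyCiphers(sslSocket);

        String[] configuredProtocols = getProtocols();
        if (configuredProtocols != null) {
            sslSocket.setEnabledProtocols(configuredProtocols);
        } else {
            List<String> enabled = new ArrayList<>();
            for (String protocol : sslSocket.getEnabledProtocols()) {
                if (!protocol.equals("SSLv3") && !protocol.equals("SSLv2Hello")) {
                    enabled.add(protocol);
                }
            }
            sslSocket.setEnabledProtocols(enabled.toArray(new String[0]));
        }

        sslSocket.setWantClientAuth(isWantClientAuth());
        sslSocket.setNeedClientAuth(isNeedClientAuth());
        if (this.useHttp2) {
            Http2TlsSupport.offerHttp2(sslSocket);
        }
        return sslSocket;
    }

    /**
     * Applies the configured cipher suites (with server-side ordering) and the endpoint
     * identification algorithm to {@code sSLSocket}. Does nothing if neither was configured.
     */
    public void applyCiphers(SSLSocket sSLSocket) {
        if (this.ciphers == null && this.endpointIdentificationAlgorithm == null) {
            return; // nothing configured (e.g. init() never called): keep the factory defaults
        }
        SSLParameters params = sSLSocket.getSSLParameters();
        if (this.ciphers != null) {
            applyCipherOrdering(params);
            params.setCipherSuites(this.ciphers);
        }
        // Hostname verification is applied independently of the cipher list so that it
        // cannot be lost just because no ciphers were configured.
        params.setEndpointIdentificationAlgorithm(this.endpointIdentificationAlgorithm);
        sSLSocket.setSSLParameters(params);
    }

    /** Makes the local cipher preference order win over the peer's. */
    public void applyCipherOrdering(SSLParameters sSLParameters) {
        sSLParameters.setUseCipherSuitesOrder(true);
    }

    String[] getCiphers() {
        return this.ciphers;
    }

    String[] getProtocols() {
        return this.protocols;
    }

    boolean isNeedClientAuth() {
        return this.needClientAuth;
    }

    boolean isWantClientAuth() {
        return this.wantClientAuth;
    }

    /** Reorders {@code cipherNames} in place, strongest {@link CipherInfo} score first. */
    private void sortCiphers(List<String> cipherNames) {
        List<CipherInfo> ranked = new ArrayList<>(cipherNames.size());
        for (String name : cipherNames) {
            ranked.add(new CipherInfo(name));
        }
        // List.sort is stable, so equally scored suites keep the JDK's relative order.
        ranked.sort((a, b) -> Integer.compare(b.points, a.points));
        for (int i = 0; i < cipherNames.size(); i++) {
            cipherNames.set(i, ranked.get(i).cipher);
        }
    }

    /**
     * Builds the space-separated host-name pattern from the certificate's DNS names.
     *
     * @return the DNS names joined by a single space, or {@code "*"} (with a warning) if there are none
     * @throws RuntimeException if the DNS names could not be extracted at all
     */
    public String constructHostNamePattern() {
        List<String> dnsNames = getDnsNames();
        if (dnsNames == null) {
            throw new RuntimeException("Could not extract DNS names from the first key's certificate in " + getLocation());
        }
        if (dnsNames.isEmpty()) {
            log.warn("Could not retrieve DNS hostname for certificate, using '*': " + getLocation());
            return "*";
        }
        return String.join(" ", dnsNames);
    }

    abstract SSLSocketFactory getSocketFactory();

    /**
     * Warns (does not fail) if consecutive certificates in {@code list} are not linked, i.e. the
     * issuer of cert {@code i} is not the subject of cert {@code i+1}. A list of one certificate
     * is always considered valid. Entries must be {@link X509Certificate}s.
     */
    public void checkChainValidity(List<Certificate> list) {
        if (isChainLinked(list)) {
            return;
        }
        StringBuilder sb = new StringBuilder();
        sb.append("Certificate chain is not valid:\n");
        for (int i = 0; i < list.size(); i++) {
            X509Certificate cert = (X509Certificate) list.get(i);
            sb.append("Cert " + String.format("%2d", i) + ": Subject: " + cert.getSubjectX500Principal().toString() + "\n");
            sb.append("         Issuer: " + cert.getIssuerX500Principal().toString() + "\n");
        }
        log.warn(sb.toString());
    }

    /** True if each certificate's issuer equals the next certificate's subject (string comparison). */
    private static boolean isChainLinked(List<Certificate> list) {
        for (int i = 0; i < list.size() - 1; i++) {
            String issuer = ((X509Certificate) list.get(i)).getIssuerX500Principal().toString();
            String nextSubject = ((X509Certificate) list.get(i + 1)).getSubjectX500Principal().toString();
            if (!Objects.equal(issuer, nextSubject)) {
                return false;
            }
        }
        return true;
    }

    @Override
    public boolean showSSLExceptions() {
        return this.showSSLExceptions;
    }

    public boolean isUseAsDefault() {
        return this.useAsDefault;
    }

    /**
     * Returns the ALPN protocols of {@code socket}, or null if it is not an {@link SSLSocket}
     * or the JDK offers no ALPN accessors.
     *
     * @throws RuntimeException wrapping a reflection failure
     */
    @Override
    public String[] getApplicationProtocols(Socket socket) {
        if (!(socket instanceof SSLSocket) || setApplicationProtocols == null || getApplicationProtocols == null) {
            return null;
        }
        try {
            return (String[]) getApplicationProtocols.invoke(((SSLSocket) socket).getSSLParameters());
        } catch (IllegalAccessException | InvocationTargetException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Verifies that the private {@code key} belongs to the first certificate in {@code list}.
     *
     * <p>RSA keys are compared by modulus (and public exponent for CRT keys); EC keys by curve
     * parameters and by recomputing the public point from the private scalar. Other key types
     * are not checked here.
     *
     * @throws RuntimeException if the list is empty, the key and certificate algorithms differ,
     *         or the key does not match the certificate
     */
    public void checkKeyMatchesCert(Key key, List<Certificate> list) {
        if (list == null || list.isEmpty()) {
            throw new RuntimeException("No certificate found to check the private key against: " + getLocation());
        }
        PublicKey certKey = list.get(0).getPublicKey();
        if (key instanceof RSAPrivateKey) {
            if (!(certKey instanceof RSAPublicKey)) {
                throw new RuntimeException("Certificate does not fit to key (RSA key, "
                        + certKey.getAlgorithm() + " certificate): " + getLocation());
            }
            checkRsaKeyMatches((RSAPrivateKey) key, (RSAPublicKey) certKey);
        } else if (key instanceof ECPrivateKey) {
            if (!(certKey instanceof ECPublicKey)) {
                throw new RuntimeException("Certificate does not fit to key (EC key, "
                        + certKey.getAlgorithm() + " certificate): " + getLocation());
            }
            checkEcKeyMatches((ECPrivateKey) key, (ECPublicKey) certKey);
        }
    }

    /** RSA: modulus must match; for CRT keys the public exponent must match too. */
    private void checkRsaKeyMatches(RSAPrivateKey privateKey, RSAPublicKey publicKey) {
        boolean mismatch = !privateKey.getModulus().equals(publicKey.getModulus());
        if (privateKey instanceof RSAPrivateCrtKey) {
            mismatch = mismatch
                    || !((RSAPrivateCrtKey) privateKey).getPublicExponent().equals(publicKey.getPublicExponent());
        }
        if (mismatch) {
            throw new RuntimeException("Certificate does not fit to key: " + getLocation());
        }
    }

    /** EC: compares the curve parameters, then checks that s*G equals the certificate's public point. */
    private void checkEcKeyMatches(ECPrivateKey privateKey, ECPublicKey publicKey) {
        EllipticCurve pubCurve = publicKey.getParams().getCurve();
        EllipticCurve privCurve = privateKey.getParams().getCurve();
        if (pubCurve.getField() instanceof ECFieldFp) {
            if (!(privCurve.getField() instanceof ECFieldFp)) {
                throw new RuntimeException("Elliptic curve differs between private key and public key (ECFieldFp vs ECFieldF2m).");
            }
            if (!((ECFieldFp) pubCurve.getField()).getP().equals(((ECFieldFp) privCurve.getField()).getP())) {
                throw new RuntimeException("Elliptic curve differs between private key and public key (p).");
            }
        }
        if (!pubCurve.getA().equals(privCurve.getA())) {
            throw new RuntimeException("Elliptic curve differs between private key and public key (a).");
        }
        if (!pubCurve.getB().equals(privCurve.getB())) {
            throw new RuntimeException("Elliptic curve differs between private key and public key (b).");
        }
        if (!publicKey.getParams().getGenerator().equals(privateKey.getParams().getGenerator())) {
            throw new RuntimeException("Elliptic curve differs between private key and public key (generator).");
        }
        if (!publicKey.getParams().getOrder().equals(privateKey.getParams().getOrder())) {
            throw new RuntimeException("Elliptic curve differs between private key and public key (order).");
        }
        if (publicKey.getParams().getCofactor() != privateKey.getParams().getCofactor()) {
            throw new RuntimeException("Elliptic curve differs between private key and public key (cofactor).");
        }
        if (!(publicKey instanceof BCECPublicKey)) {
            // The scalar multiplication below needs BouncyCastle's curve representation; a public
            // key from another provider used to fail with a ClassCastException here.
            log.warn("Cannot verify that the EC private key matches the certificate (public key class "
                    + publicKey.getClass().getName() + " is not a BouncyCastle key): " + getLocation());
            return;
        }
        ECPoint derived = new FixedPointCombMultiplier()
                .multiply(((BCECPublicKey) publicKey).getParameters().getG(), privateKey.getS())
                .normalize();
        if (!derived.getAffineXCoord().toBigInteger().equals(publicKey.getW().getAffineX())
                || !derived.getAffineYCoord().toBigInteger().equals(publicKey.getW().getAffineY())) {
            throw new RuntimeException("Elliptic curve private key does not match public key.");
        }
    }

    /**
     * @return the latest {@code notBefore} of all certificates in {@code list}, in epoch millis
     * @throws IllegalArgumentException if {@code list} is empty
     */
    public static long getValidFrom(List<Certificate> list) {
        return list.stream()
                .mapToLong(certificate -> ((X509Certificate) certificate).getNotBefore().getTime())
                .max()
                .orElseThrow(() -> new IllegalArgumentException("Certificate list is empty"));
    }

    /**
     * @return the earliest {@code notAfter} of all certificates in {@code list}, in epoch millis
     * @throws IllegalArgumentException if {@code list} is empty
     */
    public static long getMinimumValidity(List<Certificate> list) {
        return list.stream()
                .mapToLong(certificate -> ((X509Certificate) certificate).getNotAfter().getTime())
                .min()
                .orElseThrow(() -> new IllegalArgumentException("Certificate list is empty"));
    }

    /** No resources are held by the base class; subclasses override if they have any. */
    @Override
    public void stop() {
    }

    public abstract boolean hasKeyAndCertificate();

    public abstract long getValidFrom();

    public abstract long getValidUntil();

    public abstract String getPrometheusContextTypeName();
}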
