package com.floragunn.dlic.util;

import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.searchguard.support.PemKeyReader;
import com.google.common.collect.ImmutableList;
import java.net.Socket;
import java.nio.file.Path;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.common.settings.Settings;

/* loaded from: input_file:com/floragunn/dlic/util/SettingsBasedSSLConfigurator.class */
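/**
 * Builds the TLS configuration ({@link SSLConfig}) for an outbound client (for example an LDAP
 * connection) from a prefixed slice of OpenSearch {@link Settings}.
 *
 * <p>All client-specific keys are read as {@code <settingsKeyPrefix><key>}, e.g.
 * {@code <prefix>enable_ssl}. Trust and key material come from one of two places:
 * <ul>
 *   <li>PEM settings ({@code pemtrustedcas_*}, {@code pemcert_*}, {@code pemkey_*}) whenever a
 *       {@code pemtrustedcas_filepath} or {@code pemtrustedcas_content} is configured, or</li>
 *   <li>the node's transport key/trust stores ({@code searchguard.ssl.transport.*}), narrowed by
 *       {@code ca_alias} / {@code cert_alias}, otherwise.</li>
 * </ul>
 *
 * <p>Security-relevant defaults: hostname verification is on unless {@code verify_hostnames} is
 * {@code false}; {@code trust_all} disables BOTH certificate-chain validation and hostname
 * verification (see {@link OverlyTrustfulTrustManager}) and is only appropriate for test setups.
 *
 * <p>Not thread-safe: {@link #buildSSLContext()} and {@link #buildSSLConfig()} write the
 * {@code effective*} fields of this instance as a side effect.
 */
public class SettingsBasedSSLConfigurator {
    public static final String CERT_ALIAS = "cert_alias";
    public static final String CA_ALIAS = "ca_alias";
    public static final String ENABLE_SSL = "enable_ssl";
    public static final String ENABLE_START_TLS = "enable_start_tls";
    public static final String ENABLE_SSL_CLIENT_AUTH = "enable_ssl_client_auth";
    public static final String PEMKEY_FILEPATH = "pemkey_filepath";
    public static final String PEMKEY_CONTENT = "pemkey_content";
    public static final String PEMKEY_PASSWORD = "pemkey_password";
    public static final String PEMCERT_FILEPATH = "pemcert_filepath";
    public static final String PEMCERT_CONTENT = "pemcert_content";
    public static final String PEMTRUSTEDCAS_CONTENT = "pemtrustedcas_content";
    public static final String PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath";
    public static final String VERIFY_HOSTNAMES = "verify_hostnames";
    public static final String TRUST_ALL = "trust_all";

    private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);

    /**
     * Protocols offered when {@code enabled_ssl_protocols} is not configured for the client.
     * NOTE(review): TLSv1.1 is deprecated by RFC 8996 and recent JDKs typically disable it via
     * {@code jdk.tls.disabledAlgorithms}; it is kept in the fallback only for backward
     * compatibility. Operators should configure the protocol list explicitly (TLSv1.2/TLSv1.3).
     */
    private static final List<String> DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1");

    // Node-wide transport store settings, used when no PEM trust material is configured.
    // These keys are NOT prefixed with settingsKeyPrefix.
    private static final String TRANSPORT_TRUSTSTORE_FILEPATH = "searchguard.ssl.transport.truststore_filepath";
    private static final String TRANSPORT_TRUSTSTORE_PASSWORD = "searchguard.ssl.transport.truststore_password";
    private static final String TRANSPORT_TRUSTSTORE_TYPE = "searchguard.ssl.transport.truststore_type";
    private static final String TRANSPORT_KEYSTORE_FILEPATH = "searchguard.ssl.transport.keystore_filepath";
    private static final String TRANSPORT_KEYSTORE_PASSWORD = "searchguard.ssl.transport.keystore_password";
    private static final String TRANSPORT_KEYSTORE_TYPE = "searchguard.ssl.transport.keystore_type";

    /** JDK default store password, assumed when no store password is configured. */
    private static final String DEFAULT_STORE_PASSWORD = "changeit";

    /** Alias under which PEM material is placed in the in-memory stores built by initFromPem(). */
    private static final String PEM_STORE_ALIAS = "al";

    private final Settings settings;
    /** Either empty or guaranteed to end with "." (see normalizeSettingsKeyPrefix). */
    private final String settingsKeyPrefix;
    private final Path configPath;
    /** Only used in diagnostics / log messages. */
    private final String clientName;

    private SSLContextBuilder sslContextBuilder;
    private boolean enabled;
    private boolean enableSslClientAuth;

    // Populated by initFromPem() / initFromKeyStore() and handed to SSLConfig.
    private KeyStore effectiveTruststore;
    private KeyStore effectiveKeystore;
    private char[] effectiveKeyPassword;
    private String effectiveKeyAlias;
    private List<String> effectiveTruststoreAliases;

    /**
     * {@link SSLContextBuilder} used for {@code trust_all}: any trust material that was loaded is
     * ignored and every peer certificate is accepted. Key managers (client-cert auth) are kept.
     */
    private static class OverlyTrustfulSSLContextBuilder extends SSLContextBuilder {
        private OverlyTrustfulSSLContextBuilder() {
        }

        protected void initSSLContext(SSLContext sslContext, Collection<KeyManager> keyManagers,
                Collection<TrustManager> trustManagers, SecureRandom secureRandom) throws KeyManagementException {
            // The configured trust managers are deliberately replaced wholesale; only the key
            // managers survive so that client certificate authentication still works.
            KeyManager[] keyManagerArray = keyManagers.isEmpty()
                    ? null
                    : keyManagers.toArray(new KeyManager[keyManagers.size()]);
            sslContext.init(keyManagerArray, new TrustManager[] { new OverlyTrustfulTrustManager() }, secureRandom);
        }
    }

    /**
     * Trust manager that accepts every certificate without any validation. This makes the
     * connection trivially interceptable (no protection against MITM); it exists only to back
     * the {@code trust_all} setting.
     */
    private static class OverlyTrustfulTrustManager implements X509TrustManager {
        private OverlyTrustfulTrustManager() {
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // intentionally empty: trust_all
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // intentionally empty: trust_all
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Immutable result of the configuration: a ready {@link SSLContext} plus the protocol, cipher
     * and hostname-verification policy that should be applied to sockets created from it, and the
     * raw material (stores, aliases, key password) for callers that build their own connection.
     */
    public static class SSLConfig {
        private final SSLContext sslContext;
        private final String[] supportedProtocols;
        private final String[] supportedCipherSuites;
        private final HostnameVerifier hostnameVerifier;
        private final boolean startTlsEnabled;
        private final boolean hostnameVerificationEnabled;
        private final boolean trustAll;
        private final KeyStore effectiveTruststore;
        private final List<String> effectiveTruststoreAliases;
        private final KeyStore effectiveKeystore;
        private final char[] effectiveKeyPassword;
        private final String effectiveKeyAlias;
        private final boolean clientCertAuth;

        /**
         * @param sslContext                  initialized context (trust/key material already loaded)
         * @param supportedProtocols          protocols to enable on sockets, or null for the JDK default
         * @param supportedCipherSuites       cipher suites to enable on sockets, or null for the JDK default
         * @param hostnameVerifier            verifier to apply (a no-op one when verification is off)
         * @param hostnameVerificationEnabled whether the peer hostname is checked against the certificate
         * @param trustAll                    whether chain validation has been disabled (trust_all)
         * @param startTlsEnabled             whether the client should upgrade a plain connection via STARTTLS
         * @param effectiveTruststore         trust store backing the context, may be null
         * @param effectiveTruststoreAliases  ca_alias entries to restrict the trust store to, may be null
         * @param effectiveKeystore           key store holding the client certificate, may be null
         * @param effectiveKeyPassword        password of the key entry, may be null
         * @param effectiveKeyAlias           alias of the client key entry, may be null
         * @param clientCertAuth              whether client certificate authentication is enabled
         */
        public SSLConfig(SSLContext sslContext, String[] supportedProtocols, String[] supportedCipherSuites,
                HostnameVerifier hostnameVerifier, boolean hostnameVerificationEnabled, boolean trustAll,
                boolean startTlsEnabled, KeyStore effectiveTruststore, List<String> effectiveTruststoreAliases,
                KeyStore effectiveKeystore, char[] effectiveKeyPassword, String effectiveKeyAlias,
                boolean clientCertAuth) {
            this.sslContext = sslContext;
            this.supportedProtocols = supportedProtocols;
            this.supportedCipherSuites = supportedCipherSuites;
            this.hostnameVerifier = hostnameVerifier;
            this.hostnameVerificationEnabled = hostnameVerificationEnabled;
            this.trustAll = trustAll;
            this.startTlsEnabled = startTlsEnabled;
            this.effectiveTruststore = effectiveTruststore;
            this.effectiveTruststoreAliases = effectiveTruststoreAliases;
            this.effectiveKeystore = effectiveKeystore;
            this.effectiveKeyPassword = effectiveKeyPassword;
            this.effectiveKeyAlias = effectiveKeyAlias;
            this.clientCertAuth = clientCertAuth;
            if (SettingsBasedSSLConfigurator.log.isDebugEnabled()) {
                // toString() deliberately omits the key password.
                SettingsBasedSSLConfigurator.log.debug("Created SSLConfig: " + this);
            }
        }

        /**
         * The bare context. Sockets created directly from it do NOT get the protocol / cipher
         * restrictions or the hostname verifier; prefer the restricted factories below.
         */
        public SSLContext getUnrestrictedSslContext() {
            return this.sslContext;
        }

        /** Socket factory that applies the configured protocol and cipher-suite restrictions. */
        public RestrictingSSLSocketFactory getRestrictedSSLSocketFactory() {
            return new RestrictingSSLSocketFactory(this.sslContext.getSocketFactory(), getSupportedProtocols(),
                    getSupportedCipherSuites());
        }

        public String[] getSupportedProtocols() {
            return this.supportedProtocols;
        }

        public String[] getSupportedCipherSuites() {
            return this.supportedCipherSuites;
        }

        public HostnameVerifier getHostnameVerifier() {
            return this.hostnameVerifier;
        }

        /** Async HttpClient strategy with protocols, ciphers and hostname verifier applied. */
        public SSLIOSessionStrategy toSSLIOSessionStrategy() {
            return new SSLIOSessionStrategy(this.sslContext, this.supportedProtocols, this.supportedCipherSuites,
                    this.hostnameVerifier);
        }

        /** Blocking HttpClient socket factory with protocols, ciphers and hostname verifier applied. */
        public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
            return new SSLConnectionSocketFactory(this.sslContext, this.supportedProtocols, this.supportedCipherSuites,
                    this.hostnameVerifier);
        }

        public boolean isStartTlsEnabled() {
            return this.startTlsEnabled;
        }

        public boolean isHostnameVerificationEnabled() {
            return this.hostnameVerificationEnabled;
        }

        public KeyStore getEffectiveTruststore() {
            return this.effectiveTruststore;
        }

        public KeyStore getEffectiveKeystore() {
            return this.effectiveKeystore;
        }

        /** The key password as stored; callers must not log or persist it. */
        public char[] getEffectiveKeyPassword() {
            return this.effectiveKeyPassword;
        }

        /**
         * Key password as a String, or null. Note that a String cannot be wiped from memory; use
         * {@link #getEffectiveKeyPassword()} where the consuming API accepts a char[].
         */
        public String getEffectiveKeyPasswordString() {
            return this.effectiveKeyPassword == null ? null : new String(this.effectiveKeyPassword);
        }

        public String getEffectiveKeyAlias() {
            return this.effectiveKeyAlias;
        }

        public List<String> getEffectiveTruststoreAliases() {
            return this.effectiveTruststoreAliases;
        }

        /** ca_alias entries as an array, or null when none were configured. */
        public String[] getEffectiveTruststoreAliasesArray() {
            if (this.effectiveTruststoreAliases == null) {
                return null;
            }
            return this.effectiveTruststoreAliases.toArray(new String[this.effectiveTruststoreAliases.size()]);
        }

        /** The single key alias wrapped in an array, or null when no alias is set. */
        public String[] getEffectiveKeyAliasesArray() {
            return this.effectiveKeyAlias == null ? null : new String[] { this.effectiveKeyAlias };
        }

        /** Diagnostic representation; intentionally excludes the key password. */
        public String toString() {
            return "SSLConfig [sslContext=" + this.sslContext + ", supportedProtocols=" + Arrays.toString(this.supportedProtocols) + ", supportedCipherSuites=" + Arrays.toString(this.supportedCipherSuites) + ", hostnameVerifier=" + this.hostnameVerifier + ", startTlsEnabled=" + this.startTlsEnabled + ", hostnameVerificationEnabled=" + this.hostnameVerificationEnabled + ", trustAll=" + this.trustAll + ", effectiveTruststore=" + this.effectiveTruststore + ", effectiveTruststoreAliases=" + this.effectiveTruststoreAliases + ", effectiveKeystore=" + this.effectiveKeystore + ", effectiveKeyAlias=" + this.effectiveKeyAlias + ", clientCertAuth=" + this.clientCertAuth + "]";
        }

        public boolean isTrustAllEnabled() {
            return this.trustAll;
        }

        public boolean isClientCertAuthenticationEnabled() {
            return this.clientCertAuth;
        }
    }

    /** Raised for any configuration or material-loading problem; the cause carries the detail. */
    public static class SSLConfigException extends Exception {
        private static final long serialVersionUID = 5827273100470174111L;

        public SSLConfigException() {
        }

        public SSLConfigException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
            super(message, cause, enableSuppression, writableStackTrace);
        }

        public SSLConfigException(String message, Throwable cause) {
            super(message, cause);
        }

        public SSLConfigException(String message) {
            super(message);
        }

        public SSLConfigException(Throwable cause) {
            super(cause);
        }
    }

    /**
     * @param settings          node settings to read from
     * @param configPath        directory relative file paths are resolved against (passed to PemKeyReader)
     * @param settingsKeyPrefix prefix of the client's keys; a trailing "." is added if missing
     * @param clientName        name used in diagnostics; defaults to the normalized prefix
     */
    public SettingsBasedSSLConfigurator(Settings settings, Path configPath, String settingsKeyPrefix, String clientName) {
        this.settings = settings;
        this.configPath = configPath;
        this.settingsKeyPrefix = normalizeSettingsKeyPrefix(settingsKeyPrefix);
        this.clientName = clientName != null ? clientName : this.settingsKeyPrefix;
    }

    public SettingsBasedSSLConfigurator(Settings settings, Path configPath, String settingsKeyPrefix) {
        this(settings, configPath, settingsKeyPrefix, null);
    }

    /**
     * Builds the {@link SSLContext} from the settings, or returns null when neither
     * {@code enable_ssl} nor {@code enable_start_tls} is set.
     *
     * @throws SSLConfigException when trust/key material cannot be loaded or the context cannot be initialized
     */
    SSLContext buildSSLContext() throws SSLConfigException {
        try {
            // With trust_all the builder swaps in a trust manager that validates nothing.
            this.sslContextBuilder = isTrustAllEnabled() ? new OverlyTrustfulSSLContextBuilder() : SSLContexts.custom();
            configureWithSettings();
            return this.enabled ? this.sslContextBuilder.build() : null;
        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException e) {
            throw new SSLConfigException("Error while initializing SSL configuration for " + this.clientName, e);
        }
    }

    /**
     * Builds the full {@link SSLConfig}, or returns null when TLS is not enabled for this client.
     *
     * @throws SSLConfigException see {@link #buildSSLContext()}
     */
    public SSLConfig buildSSLConfig() throws SSLConfigException {
        SSLContext sslContext = buildSSLContext();
        if (sslContext == null) {
            return null;
        }
        return new SSLConfig(sslContext, getSupportedProtocols(), getSupportedCipherSuites(), getHostnameVerifier(),
                isHostnameVerificationEnabled(), isTrustAllEnabled(), isStartTlsEnabled(), this.effectiveTruststore,
                this.effectiveTruststoreAliases, this.effectiveKeystore, this.effectiveKeyPassword,
                this.effectiveKeyAlias, isClientCertAuthenticationEnabled());
    }

    /** verify_hostnames (default true), forced off by trust_all. */
    private boolean isHostnameVerificationEnabled() {
        return getSettingAsBoolean(VERIFY_HOSTNAMES, true).booleanValue() && !isTrustAllEnabled();
    }

    private HostnameVerifier getHostnameVerifier() {
        return isHostnameVerificationEnabled() ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;
    }

    /** Configured protocol list, falling back to DEFAULT_TLS_PROTOCOLS. */
    private String[] getSupportedProtocols() {
        return getSettingAsArray(ConfigConstants.LDAPS_ENABLED_SSL_PROTOCOLS, DEFAULT_TLS_PROTOCOLS);
    }

    /** Configured cipher suites, or null to leave the JDK defaults in place. */
    private String[] getSupportedCipherSuites() {
        return getSettingAsArray(ConfigConstants.LDAPS_ENABLED_SSL_CIPHERS, null);
    }

    private boolean isStartTlsEnabled() {
        return getSettingAsBoolean(ENABLE_START_TLS, false).booleanValue();
    }

    private boolean isTrustAllEnabled() {
        return getSettingAsBoolean(TRUST_ALL, false).booleanValue();
    }

    private boolean isClientCertAuthenticationEnabled() {
        return getSettingAsBoolean(ENABLE_SSL_CLIENT_AUTH, false).booleanValue();
    }

    /**
     * Reads the settings, loads trust/key material into the effective* fields and feeds it into
     * {@code sslContextBuilder}. Does nothing when TLS is disabled for this client.
     *
     * @throws SSLConfigException when material cannot be loaded or the client key is unrecoverable
     */
    private void configureWithSettings() throws SSLConfigException, NoSuchAlgorithmException, KeyStoreException {
        this.enabled = getSettingAsBoolean(ENABLE_SSL, false).booleanValue() || isStartTlsEnabled();
        if (!this.enabled) {
            return;
        }
        if (isTrustAllEnabled()) {
            // Make the insecure mode visible in the logs so it does not silently reach production.
            log.warn("{}{} is enabled for {}: certificate chain validation and hostname verification are disabled",
                    this.settingsKeyPrefix, TRUST_ALL, this.clientName);
        }
        this.enableSslClientAuth = isClientCertAuthenticationEnabled();

        // Any pemtrustedcas_* setting selects the PEM path; otherwise the transport stores are used.
        if (getSetting(PEMTRUSTEDCAS_FILEPATH) == null && getSetting(PEMTRUSTEDCAS_CONTENT) == null) {
            initFromKeyStore();
        } else {
            initFromPem();
        }

        if (this.effectiveTruststore != null) {
            this.sslContextBuilder.loadTrustMaterial(this.effectiveTruststore, (TrustStrategy) null);
        }
        if (!this.enableSslClientAuth || this.effectiveKeystore == null) {
            return;
        }
        try {
            this.sslContextBuilder.loadKeyMaterial(this.effectiveKeystore, this.effectiveKeyPassword, new PrivateKeyStrategy() {
                @Override
                public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                    boolean aliasConfigured = effectiveKeyAlias != null && !effectiveKeyAlias.isEmpty();
                    if (aliases != null && !aliases.isEmpty() && !aliasConfigured) {
                        // No cert_alias given: fall back to whichever key entry comes first. With
                        // several entries this choice is arbitrary, so ask for an explicit alias.
                        if (aliases.size() > 1) {
                            log.warn("Key store for {} contains {} key entries but no {}{} is configured; using an arbitrary one",
                                    clientName, aliases.size(), settingsKeyPrefix, CERT_ALIAS);
                        }
                        return aliases.keySet().iterator().next();
                    }
                    return effectiveKeyAlias;
                }
            });
        } catch (UnrecoverableKeyException e) {
            // Previously wrapped in a RuntimeException; surface it through the declared checked type
            // so callers handling SSLConfigException see a wrong key password as a config error.
            throw new SSLConfigException("Error loading client key material for " + this.clientName
                    + " (wrong key password or unusable key entry?)", e);
        }
    }

    /**
     * Loads trusted CAs, the client certificate chain and the client key from the PEM settings and
     * wraps them in in-memory key/trust stores (alias {@value #PEM_STORE_ALIAS}, random password).
     * Content settings take precedence over file-path settings.
     *
     * @throws SSLConfigException naming the setting that failed to load
     */
    private void initFromPem() throws SSLConfigException {
        X509Certificate[] trustedCas = loadPemCertificates(PEMTRUSTEDCAS_CONTENT, PEMTRUSTEDCAS_FILEPATH,
                !isTrustAllEnabled());
        X509Certificate[] clientCertChain = loadPemCertificates(PEMCERT_CONTENT, PEMCERT_FILEPATH,
                this.enableSslClientAuth);
        PrivateKey clientKey = loadPemKey();
        try {
            // The password only protects the in-memory store; it is never persisted.
            this.effectiveKeyPassword = PemKeyReader.randomChars(12);
            this.effectiveKeyAlias = PEM_STORE_ALIAS;
            this.effectiveTruststore = PemKeyReader.toTruststore(this.effectiveKeyAlias, trustedCas);
            this.effectiveKeystore = PemKeyReader.toKeystore(this.effectiveKeyAlias, this.effectiveKeyPassword,
                    clientCertChain, clientKey);
        } catch (Exception e) {
            throw new SSLConfigException("Error initializing SSLConfig for " + this.clientName, e);
        }
    }

    /**
     * Loads certificates from {@code <prefix><contentKey>} if present, else from the file named by
     * {@code <prefix><filePathKey>}. Each failure is reported against the setting that caused it.
     *
     * @param mandatory passed through to PemKeyReader.resolve (presumably "file must exist" — confirm there)
     */
    private X509Certificate[] loadPemCertificates(String contentKey, String filePathKey, boolean mandatory)
            throws SSLConfigException {
        String fullContentKey = this.settingsKeyPrefix + contentKey;
        String fullFilePathKey = this.settingsKeyPrefix + filePathKey;
        X509Certificate[] certificates;
        try {
            certificates = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream(fullContentKey, this.settings));
        } catch (Exception e) {
            throw new SSLConfigException("Error loading PEM from " + fullContentKey + " for " + this.clientName, e);
        }
        if (certificates != null) {
            return certificates;
        }
        String filePath;
        try {
            filePath = PemKeyReader.resolve(fullFilePathKey, this.settings, this.configPath, mandatory);
        } catch (Exception e) {
            throw new SSLConfigException("Error resolving " + fullFilePathKey + " for " + this.clientName, e);
        }
        try {
            return PemKeyReader.loadCertificatesFromFile(filePath);
        } catch (Exception e) {
            throw new SSLConfigException("Error loading PEM from " + filePath + " (" + fullFilePathKey + ") for "
                    + this.clientName, e);
        }
    }

    /**
     * Loads the client private key from {@code pemkey_content} if present, else from
     * {@code pemkey_filepath}, decrypting it with {@code pemkey_password} when set.
     */
    private PrivateKey loadPemKey() throws SSLConfigException {
        String fullContentKey = this.settingsKeyPrefix + PEMKEY_CONTENT;
        String fullFilePathKey = this.settingsKeyPrefix + PEMKEY_FILEPATH;
        PrivateKey key;
        try {
            key = PemKeyReader.loadKeyFromStream(getSetting(PEMKEY_PASSWORD),
                    PemKeyReader.resolveStream(fullContentKey, this.settings));
        } catch (Exception e) {
            throw new SSLConfigException("Error loading PEM from " + fullContentKey + " for " + this.clientName, e);
        }
        if (key != null) {
            return key;
        }
        String filePath;
        try {
            filePath = PemKeyReader.resolve(fullFilePathKey, this.settings, this.configPath, this.enableSslClientAuth);
        } catch (Exception e) {
            throw new SSLConfigException("Error resolving " + fullFilePathKey + " for " + this.clientName, e);
        }
        try {
            return PemKeyReader.loadKeyFromFile(getSetting(PEMKEY_PASSWORD), filePath);
        } catch (Exception e) {
            throw new SSLConfigException("Error loading PEM from " + filePath + " (" + fullFilePathKey + ") for "
                    + this.clientName, e);
        }
    }

    /**
     * Uses the node's transport trust/key stores. {@code ca_alias} and {@code cert_alias} select
     * the entries; {@code cert_alias} is required when client certificate authentication is on.
     *
     * @throws SSLConfigException when a store cannot be loaded or a required alias is missing
     */
    private void initFromKeyStore() throws SSLConfigException {
        KeyStore truststore;
        try {
            truststore = PemKeyReader.loadKeyStore(
                    PemKeyReader.resolve(TRANSPORT_TRUSTSTORE_FILEPATH, this.settings, this.configPath, !isTrustAllEnabled()),
                    this.settings.get(TRANSPORT_TRUSTSTORE_PASSWORD, DEFAULT_STORE_PASSWORD),
                    this.settings.get(TRANSPORT_TRUSTSTORE_TYPE));
        } catch (Exception e) {
            throw new SSLConfigException("Error loading trust store from " + this.settings.get(TRANSPORT_TRUSTSTORE_FILEPATH), e);
        }
        this.effectiveTruststoreAliases = getSettingAsList(CA_ALIAS, null);

        KeyStore keystore;
        try {
            keystore = PemKeyReader.loadKeyStore(
                    PemKeyReader.resolve(TRANSPORT_KEYSTORE_FILEPATH, this.settings, this.configPath, this.enableSslClientAuth),
                    this.settings.get(TRANSPORT_KEYSTORE_PASSWORD, DEFAULT_STORE_PASSWORD),
                    this.settings.get(TRANSPORT_KEYSTORE_TYPE));
        } catch (Exception e) {
            throw new SSLConfigException("Error loading key store from " + this.settings.get(TRANSPORT_KEYSTORE_FILEPATH), e);
        }

        // The store password doubles as the key entry password (an empty one means "no password").
        String keystorePassword = this.settings.get(TRANSPORT_KEYSTORE_PASSWORD, DEFAULT_STORE_PASSWORD);
        this.effectiveKeyPassword = (keystorePassword == null || keystorePassword.isEmpty()) ? null : keystorePassword.toCharArray();
        this.effectiveKeyAlias = getSetting(CERT_ALIAS);
        if (this.enableSslClientAuth && this.effectiveKeyAlias == null) {
            throw new SSLConfigException(this.settingsKeyPrefix + CERT_ALIAS + " not given but " + this.settingsKeyPrefix
                    + ENABLE_SSL_CLIENT_AUTH + " is enabled for " + this.clientName);
        }
        this.effectiveTruststore = truststore;
        this.effectiveKeystore = keystore;
    }

    /** Reads a prefixed setting, null when absent. */
    private String getSetting(String key) {
        return this.settings.get(this.settingsKeyPrefix + key);
    }

    private Boolean getSettingAsBoolean(String key, Boolean defaultValue) {
        return this.settings.getAsBoolean(this.settingsKeyPrefix + key, defaultValue);
    }

    private List<String> getSettingAsList(String key, List<String> defaultValue) {
        return this.settings.getAsList(this.settingsKeyPrefix + key, defaultValue);
    }

    /** Like getSettingAsList but as an array; null propagates when the list is null. */
    private String[] getSettingAsArray(String key, List<String> defaultValue) {
        List<String> values = getSettingAsList(key, defaultValue);
        return values == null ? null : values.toArray(new String[values.size()]);
    }

    /** Empty stays empty; anything else is guaranteed to end with ".". */
    private static String normalizeSettingsKeyPrefix(String prefix) {
        if (prefix == null || prefix.isEmpty()) {
            return "";
        }
        return prefix.endsWith(".") ? prefix : prefix + ".";
    }
}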
