package com.floragunn.searchguard.ssl.util.config;

import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

/* loaded from: input_file:com/floragunn/searchguard/ssl/util/config/GenericSSLConfig.class */
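/**
 * Client-side TLS configuration assembled through {@link Builder}: an {@link SSLContext} plus the
 * protocol and cipher restrictions and the {@link HostnameVerifier} that the Apache HttpClient
 * factories derived from it will apply.
 *
 * <p>Two builder settings weaken the resulting configuration and are documented on their setters:
 * {@link Builder#verifyHostnames(boolean)} defaults to {@code false} (no hostname verification), and
 * {@link Builder#trustAll(boolean)} replaces certificate validation with
 * {@link OverlyTrustfulTrustManager}, which accepts every certificate chain.
 *
 * <p>Instances are populated by the builder; the implicit public constructor yields an object whose
 * context-dependent accessors fail with a {@link NullPointerException}.
 */
public class GenericSSLConfig {
    /**
     * Protocols enabled when {@link Builder#useProtocols(String...)} is not called. TLSv1.1 is kept
     * for compatibility with older peers (it is deprecated by RFC 8996).
     */
    private static final List<String> DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1");
    private String[] enabledProtocols;
    private String[] enabledCiphers;
    private HostnameVerifier hostnameVerifier;
    private boolean hostnameVerificationEnabled;
    private boolean trustAll;
    private SSLContext sslContext;

    /**
     * Fluent builder for {@link GenericSSLConfig}. Every setter returns {@code this}; {@link #build()}
     * may be called repeatedly and re-initializes the SSL context each time on the same result object.
     */
    public static class Builder {
        private GenericSSLConfig result = new GenericSSLConfig();
        private ClientAuthCredentials clientAuthCredentials;
        private TrustStore trustStore;
        private String clientName;

        /**
         * Sets the name that identifies this client in error messages.
         *
         * @param clientName free-form client name used in {@link GenericSSLConfigException} messages
         */
        public Builder clientName(String clientName) {
            this.clientName = clientName;
            return this;
        }

        /**
         * Enables or disables hostname verification. Defaults to {@code false}, which installs
         * {@link NoopHostnameVerifier}; {@code true} installs {@link DefaultHostnameVerifier}.
         *
         * @param verifyHostnames whether the peer's certificate must match the requested hostname
         */
        public Builder verifyHostnames(boolean verifyHostnames) {
            this.result.hostnameVerificationEnabled = verifyHostnames;
            return this;
        }

        /**
         * Enables or disables unconditional trust. With {@code true} the built context uses
         * {@link OverlyTrustfulTrustManager} and any trust store supplied via
         * {@link #useTrustStore(TrustStore)} is loaded but not consulted.
         *
         * @param trustAll whether every peer certificate chain is accepted without validation
         */
        public Builder trustAll(boolean trustAll) {
            this.result.trustAll = trustAll;
            return this;
        }

        /**
         * Restricts the cipher suites enabled on sockets created from this configuration.
         *
         * @param ciphers cipher suite names; {@code null} leaves the JSSE defaults in place
         */
        public Builder useCiphers(String... ciphers) {
            // defensive copy: the array is later handed to socket factories, so a caller mutating
            // its own array afterwards must not silently change this configuration
            this.result.enabledCiphers = copyOrNull(ciphers);
            return this;
        }

        /**
         * Restricts the protocols enabled on sockets created from this configuration.
         *
         * @param protocols protocol names; {@code null} selects {@link #DEFAULT_TLS_PROTOCOLS}
         */
        public Builder useProtocols(String... protocols) {
            this.result.enabledProtocols = copyOrNull(protocols);
            return this;
        }

        /**
         * Supplies the key store and key used for TLS client authentication.
         *
         * @param clientAuthCredentials credentials, or {@code null} for no client certificate
         */
        public Builder useClientAuth(ClientAuthCredentials clientAuthCredentials) {
            this.clientAuthCredentials = clientAuthCredentials;
            return this;
        }

        /**
         * Supplies the trust store used to validate peer certificates.
         *
         * @param trustStore trust store, or {@code null} to rely on the JSSE default trust material
         */
        public Builder useTrustStore(TrustStore trustStore) {
            this.trustStore = trustStore;
            return this;
        }

        /**
         * Finalizes the configuration: picks the hostname verifier, applies the default protocol
         * list when none was set, and initializes the SSL context.
         *
         * @return the populated configuration (the same object on every call)
         * @throws GenericSSLConfigException if the SSL context cannot be initialized
         */
        public GenericSSLConfig build() throws GenericSSLConfigException {
            this.result.hostnameVerifier = this.result.hostnameVerificationEnabled
                    ? new DefaultHostnameVerifier()
                    : NoopHostnameVerifier.INSTANCE;
            if (this.result.enabledProtocols == null) {
                this.result.enabledProtocols = DEFAULT_TLS_PROTOCOLS.toArray(new String[0]);
            }
            this.result.sslContext = buildSSLContext();
            return this.result;
        }

        /**
         * Builds the configuration and converts it for the async HttpClient.
         *
         * @throws GenericSSLConfigException if the SSL context cannot be initialized
         */
        public SSLIOSessionStrategy toSSLIOSessionStrategy() throws GenericSSLConfigException {
            return build().toSSLIOSessionStrategy();
        }

        /**
         * Builds the configuration and converts it for the blocking HttpClient.
         *
         * @throws GenericSSLConfigException if the SSL context cannot be initialized
         */
        public SSLConnectionSocketFactory toSSLConnectionSocketFactory() throws GenericSSLConfigException {
            return build().toSSLConnectionSocketFactory();
        }

        /**
         * Creates the {@link SSLContext} from the configured trust store and client credentials.
         *
         * @return an initialized context
         * @throws GenericSSLConfigException wrapping any key-store or context initialization error
         */
        SSLContext buildSSLContext() throws GenericSSLConfigException {
            try {
                // trustAll swaps in a builder whose initSSLContext ignores the loaded trust material
                SSLContextBuilder contextBuilder = this.result.trustAll
                        ? new OverlyTrustfulSSLContextBuilder()
                        : SSLContexts.custom();
                if (this.trustStore != null) {
                    contextBuilder.loadTrustMaterial(this.trustStore.getKeyStore(), (TrustStrategy) null);
                }
                if (this.clientAuthCredentials != null) {
                    contextBuilder.loadKeyMaterial(
                            this.clientAuthCredentials.getKeyStore(),
                            this.clientAuthCredentials.getKeyPassword(),
                            new PrivateKeySelector(this.clientAuthCredentials.getKeyAlias()));
                }
                return contextBuilder.build();
            } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
                throw new GenericSSLConfigException("Error while initializing SSL configuration for " + this.clientName, e);
            }
        }

        /** Returns a copy of {@code values}, or {@code null} when {@code values} is {@code null}. */
        private static String[] copyOrNull(String[] values) {
            return values == null ? null : values.clone();
        }
    }

    /**
     * {@link SSLContextBuilder} variant used for {@link Builder#trustAll(boolean)}: the context is
     * initialized with {@link OverlyTrustfulTrustManager} regardless of the trust managers the
     * builder collected.
     */
    public static class OverlyTrustfulSSLContextBuilder extends SSLContextBuilder {
        private OverlyTrustfulSSLContextBuilder() {
        }

        @Override
        protected void initSSLContext(SSLContext sslContext, Collection<KeyManager> keyManagers,
                Collection<TrustManager> trustManagers, SecureRandom secureRandom) throws KeyManagementException {
            // trustManagers is deliberately not consulted; the key managers are passed through
            KeyManager[] keyManagerArray = keyManagers.isEmpty() ? null : keyManagers.toArray(new KeyManager[0]);
            sslContext.init(keyManagerArray, new TrustManager[] { new OverlyTrustfulTrustManager() }, secureRandom);
        }
    }

    /**
     * Trust manager that accepts every client and server certificate chain without performing any
     * validation; it is installed only when {@link Builder#trustAll(boolean)} is {@code true}.
     */
    private static class OverlyTrustfulTrustManager implements X509TrustManager {
        private OverlyTrustfulTrustManager() {
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // accepts unconditionally
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // accepts unconditionally
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * {@link PrivateKeyStrategy} that selects the client key by a configured alias, falling back to
     * the first alias offered by the key store when no alias was configured.
     */
    public static class PrivateKeySelector implements PrivateKeyStrategy {
        private final String effectiveKeyAlias;

        /**
         * @param keyAlias alias of the client key to use; {@code null} or empty means "first available"
         */
        PrivateKeySelector(String keyAlias) {
            this.effectiveKeyAlias = keyAlias;
        }

        /**
         * Chooses the key alias to use for client authentication.
         *
         * <p>A configured alias is returned unchanged, even when it is not a key of {@code aliases}.
         * When no alias is configured, the first offered alias is returned. When nothing is offered,
         * the configured alias (possibly {@code null}) is returned.
         *
         * @param aliases aliases offered by the key store, may be {@code null} or empty
         * @param socket the socket being set up (unused)
         */
        @Override
        public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
            if (aliases == null || aliases.isEmpty()) {
                return this.effectiveKeyAlias;
            }
            if (this.effectiveKeyAlias == null || this.effectiveKeyAlias.isEmpty()) {
                return aliases.keySet().iterator().next();
            }
            return this.effectiveKeyAlias;
        }
    }

    /**
     * {@link SSLSocketFactory} wrapper that narrows the enabled protocols and cipher suites of every
     * {@link SSLSocket} the delegate creates. A {@code null} restriction leaves the delegate's
     * settings untouched.
     */
    private static class RestrictingSSLSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final String[] enabledProtocols;
        private final String[] enabledCipherSuites;

        /**
         * @param delegate factory that actually creates the sockets
         * @param enabledProtocols protocols to enable on created sockets, or {@code null} for no change
         * @param enabledCipherSuites cipher suites to enable on created sockets, or {@code null} for no change
         */
        public RestrictingSSLSocketFactory(SSLSocketFactory delegate, String[] enabledProtocols,
                String[] enabledCipherSuites) {
            this.delegate = delegate;
            this.enabledProtocols = enabledProtocols;
            this.enabledCipherSuites = enabledCipherSuites;
        }

        @Override
        public String[] getDefaultCipherSuites() {
            return this.enabledCipherSuites == null ? this.delegate.getDefaultCipherSuites() : this.enabledCipherSuites;
        }

        /** Reports the restricted list as "supported" so that only enabled suites are advertised. */
        @Override
        public String[] getSupportedCipherSuites() {
            return this.enabledCipherSuites == null ? this.delegate.getSupportedCipherSuites() : this.enabledCipherSuites;
        }

        @Override
        public Socket createSocket() throws IOException {
            return enforce(this.delegate.createSocket());
        }

        @Override
        public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
            return enforce(this.delegate.createSocket(socket, host, port, autoClose));
        }

        @Override
        public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
            return enforce(this.delegate.createSocket(host, port));
        }

        @Override
        public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
                throws IOException, UnknownHostException {
            return enforce(this.delegate.createSocket(host, port, localAddress, localPort));
        }

        @Override
        public Socket createSocket(InetAddress address, int port) throws IOException {
            return enforce(this.delegate.createSocket(address, port));
        }

        @Override
        public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
                throws IOException {
            return enforce(this.delegate.createSocket(address, port, localAddress, localPort));
        }

        /**
         * Applies the configured protocol and cipher restrictions to {@code socket} if it is an
         * {@link SSLSocket}; other sockets (and {@code null}) are returned unchanged.
         */
        private Socket enforce(Socket socket) {
            // instanceof is false for null, so no separate null check is needed
            if (socket instanceof SSLSocket) {
                SSLSocket sslSocket = (SSLSocket) socket;
                if (this.enabledProtocols != null) {
                    sslSocket.setEnabledProtocols(this.enabledProtocols);
                }
                if (this.enabledCipherSuites != null) {
                    sslSocket.setEnabledCipherSuites(this.enabledCipherSuites);
                }
            }
            return socket;
        }
    }

    /**
     * Returns the SSL context as built, without the protocol or cipher restrictions applied.
     */
    public SSLContext getUnrestrictedSslContext() {
        return this.sslContext;
    }

    /**
     * Returns a socket factory that applies the configured protocol and cipher restrictions.
     *
     * @throws NullPointerException if this instance was not produced by {@link Builder#build()}
     */
    public RestrictingSSLSocketFactory getRestrictedSSLSocketFactory() {
        return new RestrictingSSLSocketFactory(this.sslContext.getSocketFactory(), this.enabledProtocols, this.enabledCiphers);
    }

    /** Converts this configuration for the async Apache HttpClient. */
    public SSLIOSessionStrategy toSSLIOSessionStrategy() {
        return new SSLIOSessionStrategy(this.sslContext, this.enabledProtocols, this.enabledCiphers, this.hostnameVerifier);
    }

    /** Converts this configuration for the blocking Apache HttpClient. */
    public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
        return new SSLConnectionSocketFactory(this.sslContext, this.enabledProtocols, this.enabledCiphers, this.hostnameVerifier);
    }
}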
