package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLCertificateHelper;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import com.floragunn.searchguard.support.PemKeyReader;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.util.encoders.Hex;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:com/floragunn/searchguard/ssl/DefaultSearchGuardKeyStore.class */
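/**
 * Default {@link SearchGuardKeyStore}: loads the node's key and trust material for the transport
 * and HTTP layers (from JKS/PKCS12 keystores or from PEM files), builds the Netty
 * {@link SslContext}s and hands out {@link SSLEngine}s restricted to the configured cipher suites
 * and protocols.
 *
 * <p>This listing was recovered with a decompiler. {@link #initHttpSSLConfig()} was not recovered
 * at all (its body is the decompiler's {@link UnsupportedOperationException} stub), so with HTTP
 * SSL enabled the constructor cannot complete until that method is restored from the original
 * sources. Local names are the decompiler's, not the author's.
 *
 * <p>Thread-safety: the SSL contexts and certificate arrays are plain, non-volatile fields written
 * by the init methods and read by the engine factories; nothing in this class serialises a
 * re-initialisation against concurrent engine creation — presumably the caller does (TODO confirm).
 */
public class DefaultSearchGuardKeyStore implements SearchGuardKeyStore {
    private static final String DEFAULT_STORE_TYPE = "JKS";
    private final Settings settings;
    // Providers are null when the corresponding layer has SSL disabled.
    public final SslProvider sslHTTPProvider;
    public final SslProvider sslTransportServerProvider;
    public final SslProvider sslTransportClientProvider;
    private final boolean httpSSLEnabled;
    private final boolean transportSSLEnabled;
    // Intersection of the configured secure ciphers/protocols with what the running JVM supports
    // (computed once in initEnabledSSLCiphers()).
    private List<String> enabledHttpCiphersJDKProvider;
    private List<String> enabledTransportCiphersJDKProvider;
    private List<String> enabledHttpProtocolsJDKProvider;
    private List<String> enabledTransportProtocolsJDKProvider;
    private SslContext httpSslContext;
    private SslContext transportServerSslContext;
    private SslContext transportClientSslContext;
    private X509Certificate[] currentTransportCerts;
    private X509Certificate[] currentHttpCerts;
    private X509Certificate[] currentTransportTrustedCerts;
    private X509Certificate[] currentHttpTrustedCerts;
    // null when no Environment could be built; paths are then used as given.
    private final Environment env;
    private final Logger log = LogManager.getLogger(getClass());
    // SHA-256 hex digests of the demo key/trust material shipped with the demo installer. A node
    // configured with any of these files is refused unless allow_unsafe_democertificates is set.
    private final List<String> demoCertHashes = new ArrayList<>(13);

    /**
     * Logs whether the JVM limits AES to fewer than 256 bits (unlimited-strength policy missing).
     */
    private void printJCEWarnings() {
        try {
            int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
            if (maxAllowedKeyLength < 256) {
                this.log.info("AES-256 not supported, max key length for AES is " + maxAllowedKeyLength + " bit. (This is not an issue, it just limits possible encryption strength. To enable AES 256, install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files')");
            }
        } catch (NoSuchAlgorithmException e) {
            this.log.error("AES encryption not supported (SG 1). " + e);
        }
    }

    /**
     * Reads the SSL settings, determines the JVM-supported ciphers and protocols, loads the
     * configured key material and fails fast if an enabled layer would be left without a usable
     * cipher suite or protocol.
     *
     * @param settings node settings (searchguard.ssl.*)
     * @param path     path handed to {@link Environment}, whose config directory is used to
     *                 resolve relative key/trust store paths
     * @throws ElasticsearchSecurityException if an enabled layer has no cipher suite or protocol
     *                                        left, or its key material cannot be loaded
     * @throws ElasticsearchException         if required path settings are missing or unreadable
     */
    public DefaultSearchGuardKeyStore(Settings settings, Path path) {
        initDemoCertHashes();
        this.settings = settings;
        this.env = newEnvironmentOrNull(settings, path);
        this.httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, false).booleanValue();
        this.transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true).booleanValue();
        // Netty chooses OpenSSL when available and JDK otherwise. The decompiled constructor also
        // carried an unreachable "else if (enabled) -> SslProvider.JDK" branch for each layer,
        // most likely the remnant of an OpenSSL-availability condition lost in decompilation.
        this.sslHTTPProvider = this.httpSSLEnabled ? SslContext.defaultServerProvider() : null;
        if (this.transportSSLEnabled) {
            this.sslTransportClientProvider = SslContext.defaultClientProvider();
            this.sslTransportServerProvider = SslContext.defaultServerProvider();
        } else {
            this.sslTransportServerProvider = null;
            this.sslTransportClientProvider = null;
        }
        initEnabledSSLCiphers();
        initSSLConfig();
        printJCEWarnings();
        this.log.info("TLS Transport Client Provider : {}", this.sslTransportClientProvider);
        this.log.info("TLS Transport Server Provider : {}", this.sslTransportServerProvider);
        this.log.info("TLS HTTP Provider             : {}", this.sslHTTPProvider);
        this.log.debug("sslTransportClientProvider:{} with ciphers {}", this.sslTransportClientProvider, getEnabledSSLCiphers(this.sslTransportClientProvider, false));
        this.log.debug("sslTransportServerProvider:{} with ciphers {}", this.sslTransportServerProvider, getEnabledSSLCiphers(this.sslTransportServerProvider, false));
        this.log.debug("sslHTTPProvider:{} with ciphers {}", this.sslHTTPProvider, getEnabledSSLCiphers(this.sslHTTPProvider, true));
        this.log.info("Enabled TLS protocols for transport layer : {}", Arrays.toString(getEnabledSSLProtocols(this.sslTransportServerProvider, false)));
        this.log.info("Enabled TLS protocols for HTTP layer      : {}", Arrays.toString(getEnabledSSLProtocols(this.sslHTTPProvider, true)));
        this.log.debug("sslTransportClientProvider:{} with protocols {}", this.sslTransportClientProvider, getEnabledSSLProtocols(this.sslTransportClientProvider, false));
        this.log.debug("sslTransportServerProvider:{} with protocols {}", this.sslTransportServerProvider, getEnabledSSLProtocols(this.sslTransportServerProvider, false));
        this.log.debug("sslHTTPProvider:{} with protocols {}", this.sslHTTPProvider, getEnabledSSLProtocols(this.sslHTTPProvider, true));
        if (this.transportSSLEnabled && (getEnabledSSLCiphers(this.sslTransportClientProvider, false).isEmpty() || getEnabledSSLCiphers(this.sslTransportServerProvider, false).isEmpty())) {
            throw new ElasticsearchSecurityException("no valid cipher suites for transport protocol", new Object[0]);
        }
        if (this.httpSSLEnabled && getEnabledSSLCiphers(this.sslHTTPProvider, true).isEmpty()) {
            throw new ElasticsearchSecurityException("no valid cipher suites for https", new Object[0]);
        }
        // The decompiled code re-tested the cipher lists here although the messages (and the
        // engine factories, which call setEnabledProtocols) are about protocols; an empty protocol
        // list would otherwise only surface as a handshake failure at runtime.
        if (this.transportSSLEnabled && getEnabledSSLProtocols(this.sslTransportServerProvider, false).length == 0) {
            throw new ElasticsearchSecurityException("no ssl protocols for transport protocol", new Object[0]);
        }
        if (this.transportSSLEnabled && getEnabledSSLProtocols(this.sslTransportClientProvider, false).length == 0) {
            throw new ElasticsearchSecurityException("no ssl protocols for transport protocol", new Object[0]);
        }
        if (this.httpSSLEnabled && getEnabledSSLProtocols(this.sslHTTPProvider, true).length == 0) {
            throw new ElasticsearchSecurityException("no ssl protocols for https", new Object[0]);
        }
    }

    /**
     * Builds the {@link Environment}, or returns null when that fails with
     * {@link IllegalStateException} (reported later as "No config directory").
     */
    private static Environment newEnvironmentOrNull(Settings settings, Path path) {
        try {
            return new Environment(settings, path);
        } catch (IllegalStateException e) {
            return null;
        }
    }

    /** Fills {@link #demoCertHashes}; the values are the digests {@link #sha256(Path)} produces. */
    private void initDemoCertHashes() {
        this.demoCertHashes.add("54a92508de7a39d06242a0ffbf59414d7eb478633c719e6af03938daf6de8a1a");
        this.demoCertHashes.add("742e4659c79d7cad89ea86aab70aea490f23bbfc7e72abd5f0a5d3fb4c84d212");
        this.demoCertHashes.add("db1264612891406639ecd25c894f256b7c5a6b7e1d9054cbe37b77acd2ddd913");
        this.demoCertHashes.add("2a5398e20fcb851ec30aa141f37233ee91a802683415be2945c3c312c65c97cf");
        this.demoCertHashes.add("33129547ce617f784c04e965104b2c671cce9e794d1c64c7efe58c77026246ae");
        this.demoCertHashes.add("c4af0297cc75546e1905bdfe3934a950161eee11173d979ce929f086fdf9794d");
        this.demoCertHashes.add("7a355f42c90e7543a267fbe3976c02f619036f5a34ce712995a22b342d83c3ce");
        this.demoCertHashes.add("a9b5eca1399ec8518081c0d4a21a34eec4589087ce64c04fb01a488f9ad8edc9");
        this.demoCertHashes.add("d14aefe70a592d7a29e14f3ff89c3d0070c99e87d21776aa07d333ee877e758f");
        this.demoCertHashes.add("54a70016e0837a2b0c5658d1032d7ca32e432c62c55f01a2bf5adcb69a0a7ba9");
        this.demoCertHashes.add("bdc141ab2272c779d0f242b79063152c49e1b06a2af05e0fd90d505f2b44d5f5");
        this.demoCertHashes.add("3e839e2b059036a99ee4f742814995f2fb0ced7e9d68a47851f43a3c630b5324");
        this.demoCertHashes.add("9b13661c073d864c28ad7b13eda67dcb6cbc2f04d116adc7c817c20b4c7ed361");
    }

    /**
     * Reads a file-path setting and, when an {@link Environment} is available, resolves it
     * against the config directory.
     *
     * @param settingKey    the settings key holding the path
     * @param mustBeReadable when true the result must name an existing, readable, non-directory
     *                       file (see {@link #checkPath(String, String)}); a missing setting then
     *                       fails as "Empty file path"
     * @return the absolute path, or null when the setting is absent or empty
     * @throws ElasticsearchException if {@code mustBeReadable} and the path does not qualify
     */
    private String resolve(String settingKey, boolean mustBeReadable) {
        final String configured = this.settings.get(settingKey, (String) null);
        String resolved = configured;
        this.log.debug("Value for {} is {}", settingKey, configured);
        if (this.env != null && configured != null && configured.length() > 0) {
            resolved = this.env.configDir().resolve(configured).toAbsolutePath().toString();
            this.log.debug("Resolved {} to {} against {}", configured, resolved, this.env.configDir().toAbsolutePath().toString());
        }
        if (mustBeReadable) {
            checkPath(resolved, settingKey);
        }
        if ("".equals(resolved)) {
            resolved = null;
        }
        return resolved;
    }

    /** Initialises whichever layers have SSL enabled. */
    private void initSSLConfig() {
        if (this.env == null) {
            this.log.info("No config directory, key- and truststore files are resolved absolutely");
        } else {
            this.log.info("Config directory is {}/, from there the key- and truststore files are resolved relatively", this.env.configDir().toAbsolutePath());
        }
        if (this.transportSSLEnabled) {
            initTransportSSLConfig();
        }
        if (this.httpSSLEnabled) {
            initHttpSSLConfig();
        }
    }

    /**
     * (Re)builds the transport-layer server and client {@link SslContext}s, from a
     * keystore/truststore pair when a keystore path is set, else from PEM files.
     *
     * @throws ElasticsearchException         if neither a keystore nor a PEM certificate path is
     *                                        configured, or a required file is missing
     * @throws ElasticsearchSecurityException wrapping any failure while loading the material or
     *                                        building the contexts
     */
    @Override
    public void initTransportSSLConfig() {
        final String keystorePath = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, (String) null);
        final String pemCertPath = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, (String) null);
        if (keystorePath != null) {
            initTransportSSLConfigFromKeystore();
        } else if (pemCertPath != null) {
            initTransportSSLConfigFromPem();
        } else {
            throw new ElasticsearchException("searchguard.ssl.transport.keystore_filepath or searchguard.ssl.transport.pemkey_filepath must be set if transport ssl is reqested.", new Object[0]);
        }
    }

    /**
     * Transport layer from PEM files: node certificate chain, private key and trusted CAs. All
     * three paths go through {@link #resolve(String, boolean)} with the readability check, so
     * the trusted-CA file is effectively mandatory here.
     */
    private void initTransportSSLConfigFromPem() {
        final String certPath = resolve(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, true);
        final String keyPath = resolve(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, true);
        final String trustedCasPath = resolve(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true);
        validateIfDemoCertsAreNotUsedWhenNotAllowed(certPath, keyPath, trustedCasPath);
        try {
            final X509Certificate[] certs = PemKeyReader.loadCertificatesFromFile(certPath);
            final X509Certificate[] trustedCerts = trustedCasPath != null ? PemKeyReader.loadCertificatesFromFile(trustedCasPath) : null;
            final PrivateKey key = PemKeyReader.loadKeyFromFile(this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_PASSWORD), keyPath);
            installTransportContexts(key, certs, trustedCerts);
        } catch (Exception e) {
            logExplanation(e);
            throw new ElasticsearchSecurityException("Error while initializing transport SSL layer from PEM: " + e.toString(), e, new Object[0]);
        }
    }

    /**
     * Transport layer from a keystore (node key + chain) and a truststore (root certificates).
     * NOTE(review): unlike the PEM branch, this branch does not run the demo-certificate check
     * although the hash matcher also accepts .jks/.pfx/.p12 files — confirm whether intended.
     */
    private void initTransportSSLConfigFromKeystore() {
        final String keystorePath = resolve(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, true);
        final String keystoreType = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
        final String keystorePassword = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
        final String keyPassword = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, keystorePassword);
        final String keystoreAlias = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, (String) null);
        // resolve(..., true) already rejects an unset truststore path ("Empty file path"), so the
        // explicit message below is only reachable if that check is relaxed; kept for clarity.
        final String truststorePath = resolve(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, true);
        if (this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, (String) null) == null) {
            throw new ElasticsearchException("searchguard.ssl.transport.truststore_filepath must be set if transport ssl is requested.", new Object[0]);
        }
        final String truststoreType = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
        final String truststorePassword = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
        final String truststoreAlias = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_ALIAS, (String) null);
        try {
            final KeyStore keyStore = loadStore(keystoreType, keystorePath, keystorePassword);
            final X509Certificate[] certs = SSLCertificateHelper.exportServerCertChain(keyStore, keystoreAlias);
            final PrivateKey key = SSLCertificateHelper.exportDecryptedKey(keyStore, keystoreAlias, toPassword(keyPassword));
            if (key == null) {
                throw new ElasticsearchException("No key found in " + keystorePath + " with alias " + keystoreAlias, new Object[0]);
            }
            if (certs == null || certs.length == 0) {
                throw new ElasticsearchException("No certificates found in " + keystorePath + " with alias " + keystoreAlias, new Object[0]);
            }
            final KeyStore trustStore = loadStore(truststoreType, truststorePath, truststorePassword);
            final X509Certificate[] trustedCerts = SSLCertificateHelper.exportRootCertificates(trustStore, truststoreAlias);
            if (trustedCerts == null || trustedCerts.length == 0) {
                throw new ElasticsearchException("No truststore configured for server", new Object[0]);
            }
            installTransportContexts(key, certs, trustedCerts);
        } catch (Exception e) {
            logExplanation(e);
            throw new ElasticsearchSecurityException("Error while initializing transport SSL layer: " + e.toString(), e, new Object[0]);
        }
    }

    /**
     * Logs certificate changes, builds the transport server context (mutual TLS:
     * {@link ClientAuth#REQUIRE}) and client context, and only then publishes the new
     * certificate arrays.
     */
    private void installTransportContexts(PrivateKey key, X509Certificate[] certs, X509Certificate[] trustedCerts) throws Exception {
        onNewCerts("Transport", this.currentTransportCerts, certs, this.currentTransportTrustedCerts, trustedCerts);
        this.transportServerSslContext = buildSSLServerContext(key, certs, trustedCerts, getEnabledSSLCiphers(this.sslTransportServerProvider, false), this.sslTransportServerProvider, ClientAuth.REQUIRE);
        this.transportClientSslContext = buildSSLClientContext(key, certs, trustedCerts, getEnabledSSLCiphers(this.sslTransportClientProvider, false), this.sslTransportClientProvider);
        setCurrentTransportSSLCerts(certs);
        setCurrentTransportTrustedCerts(trustedCerts);
    }

    /**
     * Loads a keystore of the given type from disk; the file stream is closed afterwards (the
     * decompiled version left it open).
     *
     * @param type     JCA keystore type, e.g. {@value #DEFAULT_STORE_TYPE}
     * @param filePath absolute path of the store file
     * @param password store password; null or empty means "no password"
     */
    private static KeyStore loadStore(String type, String filePath, String password) throws GeneralSecurityException, IOException {
        final KeyStore store = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(new File(filePath))) {
            store.load(in, toPassword(password));
        }
        return store;
    }

    /** Empty or absent passwords are handed to the JCA APIs as null. */
    private static char[] toPassword(String password) {
        return (password == null || password.isEmpty()) ? null : password.toCharArray();
    }

    /**
     * (Re)builds the HTTP-layer {@link SslContext}.
     *
     * <p>The decompiler could not recover this method's body (890 instructions); the statement
     * below is the decompiler's placeholder, not application logic. Until the body is restored
     * from the original sources, enabling HTTP SSL makes the constructor fail here.
     */
    @Override
    public void initHttpSSLConfig() {
        throw new UnsupportedOperationException("Method not decompiled: com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initHttpSSLConfig():void");
    }

    /** Array-based adapter for {@link #validateNewCerts}; null arrays stay null. */
    private void onNewCerts(String layer, X509Certificate[] oldCerts, X509Certificate[] newCerts, X509Certificate[] oldTrustedCerts, X509Certificate[] newTrustedCerts) {
        validateNewCerts(layer, asListOrNull(oldCerts), asListOrNull(newCerts), asListOrNull(oldTrustedCerts), asListOrNull(newTrustedCerts));
    }

    private static List<X509Certificate> asListOrNull(X509Certificate[] certs) {
        return certs != null ? Arrays.asList(certs) : null;
    }

    /**
     * Logs a warning when a layer's node or root certificates differ from the previously
     * installed ones. Despite its name it only logs; it never rejects a change. Nothing is
     * logged on first initialisation (old lists are null).
     */
    private void validateNewCerts(String layer, List<? extends Certificate> oldCerts, List<? extends Certificate> newCerts, List<? extends Certificate> oldTrustedCerts, List<? extends Certificate> newTrustedCerts) {
        if (oldTrustedCerts != null && !oldTrustedCerts.equals(newTrustedCerts)) {
            this.log.warn("================================\n" + layer + " ROOT certificates updated:\n================================\nOld:\n" + oldTrustedCerts + "\n================================\nNew:\n" + newTrustedCerts + "\n================================");
        }
        if (oldCerts == null || oldCerts.equals(newCerts)) {
            return;
        }
        this.log.warn("================================\n" + layer + " NODE certificates updated:\n================================\nOld:\n" + oldCerts + "\n================================\nNew:\n" + newCerts + "\n================================");
    }

    /**
     * Refuses to start with the demo installer's key material unless
     * {@code searchguard.allow_unsafe_democertificates} is true.
     *
     * <p>The match is computed into a local list: the decompiled version called
     * {@code retainAll} on {@link #demoCertHashes} itself, so the first call (transport) emptied
     * the reference list and a later call for another layer could no longer detect anything.
     *
     * @param filePaths files to digest; read under {@link AccessController#doPrivileged}
     * @throws ElasticsearchException if a file cannot be digested or a demo hash matches
     */
    private void validateIfDemoCertsAreNotUsedWhenNotAllowed(final String... filePaths) {
        if (this.settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_ALLOW_UNSAFE_DEMOCERTIFICATES, false).booleanValue()) {
            return;
        }
        final List<String> hashes = AccessController.doPrivileged((PrivilegedAction<List<String>>) () -> {
            try (Stream<String> files = Stream.of(filePaths)) {
                return files.distinct().map(file -> Paths.get(file)).map(this::sha256).collect(Collectors.toList());
            } catch (Exception e) {
                this.log.error(e);
                return null;
            }
        });
        if (hashes == null) {
            throw new ElasticsearchException("Unable to load demo certificates from files {}", new Object[]{Arrays.asList(filePaths)});
        }
        final List<String> found = new ArrayList<>(this.demoCertHashes);
        found.retainAll(hashes);
        if (found.isEmpty()) {
            return;
        }
        this.log.error("Demo certificates found but searchguard.allow_unsafe_democertificates is set to false.See http://docs.search-guard.com/latest/demo-installer-generated-artefacts#allow-demo-certificates-and-auto-initialization");
        throw new ElasticsearchException("Demo certificates found " + found, new Object[0]);
    }

    /**
     * Hex SHA-256 of a regular, readable .pem/.jks/.pfx/.p12 file (symlinks not followed);
     * "" for anything else so that non-matching inputs never equal a demo hash.
     *
     * @throws ElasticsearchSecurityException if the file cannot be read or digested
     */
    private String sha256(Path path) {
        if (!Files.isRegularFile(path, LinkOption.NOFOLLOW_LINKS)) {
            return "";
        }
        if (!Files.isReadable(path)) {
            this.log.debug("Unreadable file " + path + " found");
            return "";
        }
        if (!FileSystems.getDefault().getPathMatcher("regex:(?i).*\\.(pem|jks|pfx|p12)").matches(path)) {
            this.log.debug("Not a .pem, .jks, .pfx or .p12 file, skipping");
            return "";
        }
        try {
            // "SHA256" is a provider alias for the standard name "SHA-256"; keep it as the demo
            // hashes were computed with this digest.
            final String hexString = Hex.toHexString(MessageDigest.getInstance("SHA256").digest(Files.readAllBytes(path)));
            this.log.debug(hexString + " :: " + path);
            return hexString;
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("Unable to digest file " + path, e, new Object[0]);
        }
    }

    /**
     * New server engine for the HTTP layer, limited to the enabled protocols.
     * NOTE(review): {@link #httpSslContext} is only set by {@link #initHttpSSLConfig()}; calling
     * this with HTTP SSL disabled would dereference null — confirm callers guard on it.
     */
    @Override
    public SSLEngine createHTTPSSLEngine() throws SSLException {
        return restrictProtocols(this.httpSslContext.newEngine(PooledByteBufAllocator.DEFAULT), this.sslHTTPProvider, true);
    }

    /** New server engine for the transport layer, limited to the enabled protocols. */
    @Override
    public SSLEngine createServerTransportSSLEngine() throws SSLException {
        return restrictProtocols(this.transportServerSslContext.newEngine(PooledByteBufAllocator.DEFAULT), this.sslTransportServerProvider, false);
    }

    /**
     * New client engine for the transport layer.
     *
     * <p>Endpoint identification (the "HTTPS" hostname-verification algorithm) is only enabled
     * when a peer host is given; an engine created without one performs no hostname check.
     *
     * @param peerHost peer hostname, or null for an engine without peer information
     * @param peerPort peer port; ignored when {@code peerHost} is null
     */
    @Override
    public SSLEngine createClientTransportSSLEngine(String peerHost, int peerPort) throws SSLException {
        if (peerHost == null) {
            return restrictProtocols(this.transportClientSslContext.newEngine(PooledByteBufAllocator.DEFAULT), this.sslTransportClientProvider, false);
        }
        final SSLEngine engine = this.transportClientSslContext.newEngine(PooledByteBufAllocator.DEFAULT, peerHost, peerPort);
        final SSLParameters parameters = new SSLParameters();
        parameters.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(parameters);
        return restrictProtocols(engine, this.sslTransportClientProvider, false);
    }

    /** Applies the enabled protocol list for the given layer to a freshly created engine. */
    private SSLEngine restrictProtocols(SSLEngine engine, SslProvider provider, boolean http) {
        engine.setEnabledProtocols(getEnabledSSLProtocols(provider, http));
        return engine;
    }

    @Override
    public String getHTTPProviderName() {
        return this.sslHTTPProvider == null ? null : this.sslHTTPProvider.toString();
    }

    @Override
    public String getTransportServerProviderName() {
        return this.sslTransportServerProvider == null ? null : this.sslTransportServerProvider.toString();
    }

    @Override
    public String getTransportClientProviderName() {
        return this.sslTransportClientProvider == null ? null : this.sslTransportClientProvider.toString();
    }

    // Used by initHttpSSLConfig(), whose body was not recovered by the decompiler.
    private void setCurrentHttpSSLCerts(X509Certificate[] certs) {
        this.currentHttpCerts = certs;
    }

    @Override
    public X509Certificate[] getHttpCerts() {
        return this.currentHttpCerts;
    }

    @Override
    public X509Certificate[] getTransportCerts() {
        return this.currentTransportCerts;
    }

    private void setCurrentTransportSSLCerts(X509Certificate[] certs) {
        this.currentTransportCerts = certs;
    }

    // Used by initHttpSSLConfig(), whose body was not recovered by the decompiler.
    private void setCurrentHttpTrustedCerts(X509Certificate[] certs) {
        this.currentHttpTrustedCerts = certs;
    }

    private void setCurrentTransportTrustedCerts(X509Certificate[] certs) {
        this.currentTransportTrustedCerts = certs;
    }

    /**
     * Enabled cipher suites for a layer; empty when the layer's provider is null (SSL disabled).
     * The returned list is the internal one, not a copy.
     */
    private List<String> getEnabledSSLCiphers(SslProvider sslProvider, boolean http) {
        if (sslProvider == null) {
            return Collections.emptyList();
        }
        return http ? this.enabledHttpCiphersJDKProvider : this.enabledTransportCiphersJDKProvider;
    }

    /** Enabled protocols for a layer as a fresh array; empty when the layer's provider is null. */
    private String[] getEnabledSSLProtocols(SslProvider sslProvider, boolean http) {
        if (sslProvider == null) {
            return new String[0];
        }
        final List<String> protocols = http ? this.enabledHttpProtocolsJDKProvider : this.enabledTransportProtocolsJDKProvider;
        return protocols.toArray(new String[0]);
    }

    /**
     * Intersects the configured secure ciphers and protocols with what a default JDK
     * {@link SSLContext} engine reports as enabled, warning about configured entries the JVM
     * does not support.
     *
     * @throws ElasticsearchException if the JVM's cipher or protocol list cannot be determined
     */
    private void initEnabledSSLCiphers() {
        final List<String> secureHttpCiphers = SSLConfigConstants.getSecureSSLCiphers(this.settings, true);
        final List<String> secureTransportCiphers = SSLConfigConstants.getSecureSSLCiphers(this.settings, false);
        final List<String> secureHttpProtocols = Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(this.settings, true));
        final List<String> secureTransportProtocols = Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(this.settings, false));
        SSLEngine engine = null;
        List<String> jvmCiphers = null;
        List<String> jvmProtocols = null;
        try {
            final SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, null, null);
            engine = context.createSSLEngine();
            jvmCiphers = Arrays.asList(engine.getEnabledCipherSuites());
            jvmProtocols = Arrays.asList(engine.getEnabledProtocols());
            this.log.debug("JVM supports the following {} protocols {}", Integer.valueOf(jvmProtocols.size()), jvmProtocols);
            this.log.debug("JVM supports the following {} ciphers {}", Integer.valueOf(jvmCiphers.size()), jvmCiphers);
            if (jvmProtocols.contains("TLSv1.3")) {
                this.log.info("JVM supports TLSv1.3");
            }
        } catch (Throwable th) {
            // Reported below as a fatal "Unable to determine ..." once the engine is released.
            this.log.error("Unable to determine supported ciphers due to " + th, th);
        } finally {
            closeEngineQuietly(engine);
        }
        if (jvmCiphers == null || jvmCiphers.isEmpty() || jvmProtocols == null || jvmProtocols.isEmpty()) {
            throw new ElasticsearchException("Unable to determine supported ciphers or protocols", new Object[0]);
        }
        this.enabledHttpCiphersJDKProvider = retainSupported(jvmCiphers, secureHttpCiphers, "The following https TLS ciphers are configured but not supported by the JVM: {}");
        this.enabledTransportCiphersJDKProvider = retainSupported(jvmCiphers, secureTransportCiphers, "The following transport TLS ciphers are configured but not supported by the JVM: {}");
        this.enabledHttpProtocolsJDKProvider = retainSupported(jvmProtocols, secureHttpProtocols, "The following https TLS protocols are configured but not supported by the JVM: {}");
        this.enabledTransportProtocolsJDKProvider = retainSupported(jvmProtocols, secureTransportProtocols, "The following transport TLS protocols are configured but not supported by the JVM: {}");
    }

    /**
     * Returns the JVM-supported entries that are also configured (in JVM order) and warns with
     * {@code unsupportedWarning} about configured entries the JVM lacks.
     */
    private List<String> retainSupported(List<String> jvmSupported, List<String> configured, String unsupportedWarning) {
        final List<String> enabled = new ArrayList<>(jvmSupported);
        enabled.retainAll(configured);
        final List<String> unsupported = new ArrayList<>(configured);
        unsupported.removeAll(jvmSupported);
        if (!unsupported.isEmpty()) {
            this.log.warn(unsupportedWarning, unsupported);
        }
        return enabled;
    }

    /** Closes both directions of a probe engine; a failing inbound close is only logged. */
    private void closeEngineQuietly(SSLEngine engine) {
        if (engine == null) {
            return;
        }
        try {
            engine.closeInbound();
        } catch (SSLException e) {
            this.log.debug("Unable to close inbound ssl engine", e);
        }
        engine.closeOutbound();
    }

    /**
     * Server context with the given key/chain, the enabled ciphers, ALPN disabled and session
     * caching/resumption off. Trusted certificates are only installed when present, otherwise
     * the provider's default trust is used.
     *
     * @param clientAuth client-certificate policy (the transport layer passes
     *                   {@link ClientAuth#REQUIRE}); must not be null
     */
    private SslContext buildSSLServerContext(PrivateKey key, X509Certificate[] certs, X509Certificate[] trustedCerts, Iterable<String> ciphers, SslProvider sslProvider, ClientAuth clientAuth) throws SSLException {
        final SslContextBuilder builder = SslContextBuilder.forServer(key, certs)
                .ciphers(ciphers)
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .clientAuth((ClientAuth) Objects.requireNonNull(clientAuth))
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(sslProvider);
        if (trustedCerts != null && trustedCerts.length > 0) {
            builder.trustManager(trustedCerts);
        }
        return buildSSLContext0(builder);
    }

    /**
     * Client context presenting the given key/chain and trusting exactly {@code trustedCerts};
     * same cipher, ALPN and session settings as the server context.
     */
    private SslContext buildSSLClientContext(PrivateKey key, X509Certificate[] certs, X509Certificate[] trustedCerts, Iterable<String> ciphers, SslProvider sslProvider) throws SSLException {
        final SslContextBuilder builder = SslContextBuilder.forClient()
                .ciphers(ciphers)
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(sslProvider)
                .trustManager(trustedCerts)
                .keyManager(key, certs);
        return buildSSLContext0(builder);
    }

    /**
     * Builds the context under {@link AccessController#doPrivileged} after checking
     * {@link SpecialPermission} when a security manager is installed.
     *
     * @throws SSLException the builder's own {@link SSLException}, or a new one wrapping any other
     *                      cause (the decompiled version cast the cause unconditionally and would
     *                      have failed with {@link ClassCastException} on e.g. an
     *                      {@link IllegalArgumentException} from the builder)
     */
    private SslContext buildSSLContext0(final SslContextBuilder sslContextBuilder) throws SSLException {
        final SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<SslContext>) sslContextBuilder::build);
        } catch (PrivilegedActionException e) {
            final Throwable cause = e.getCause();
            if (cause instanceof SSLException) {
                throw (SSLException) cause;
            }
            throw new SSLException("Unable to build SSL context", cause);
        }
    }

    /** Adds a human-readable hint for the two most common PEM/keystore mix-ups. */
    private void logExplanation(Exception exc) {
        if (ExceptionUtils.findMsg(exc, "not contain valid private key") != null) {
            this.log.error("Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.");
        }
        if (ExceptionUtils.findMsg(exc, "not contain valid certificates") != null) {
            this.log.error("Your keystore or PEM does not contain a certificate. Maybe you confused keys and certificates.");
        }
    }

    /**
     * Rejects a path that is empty, a directory (symlinks not followed) or not readable.
     *
     * @param path       the resolved path
     * @param settingKey the settings key it came from, for the error message
     * @throws ElasticsearchException if the path does not qualify
     */
    private static void checkPath(String path, String settingKey) {
        if (path == null || path.length() == 0) {
            throw new ElasticsearchException("Empty file path for " + settingKey, new Object[0]);
        }
        if (Files.isDirectory(Paths.get(path, new String[0]), LinkOption.NOFOLLOW_LINKS)) {
            throw new ElasticsearchException("Is a directory: " + path + " Expected a file for " + settingKey, new Object[0]);
        }
        if (!Files.isReadable(Paths.get(path, new String[0]))) {
            throw new ElasticsearchException("Unable to read " + path + " (" + Paths.get(path, new String[0]) + "). Please make sure this files exists and is readable regarding to permissions. Property: " + settingKey, new Object[0]);
        }
    }
}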
