package com.floragunn.searchguard.ssl.util;

import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import io.netty.handler.ssl.SslHandler;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.http.netty4.Netty4HttpChannel;
import org.elasticsearch.rest.RestRequest;

/* loaded from: input_file:com/floragunn/searchguard/ssl/util/SSLRequestHelper.class */
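/**
 * Helpers for reading TLS session facts off an incoming REST request and for running
 * the optional CRL/OCSP revocation check on a presented client certificate chain.
 *
 * <p>Revocation checking is fail-closed: if {@link #validate} cannot complete (missing
 * file, unreadable truststore, parse error) the peer is rejected rather than accepted.
 */
public class SSLRequestHelper {
    private static final Logger log = LogManager.getLogger(SSLRequestHelper.class);

    /**
     * Immutable snapshot of the TLS session a request arrived on.
     *
     * <p>Certificate arrays are copied on the way in and on the way out, so neither the
     * caller nor a consumer can mutate the stored chain.
     */
    public static class SSLInfo {
        private final X509Certificate[] x509Certs;
        private final X509Certificate[] localCertificates;
        private final String principal;
        private final String protocol;
        private final String cipher;

        /**
         * Creates a snapshot without the local (server-side) chain.
         *
         * @param x509Certs  peer chain, end-entity first; {@code null} when the client did not authenticate
         * @param principal  principal derived from {@code x509Certs[0]}; may be {@code null}
         * @param protocol   negotiated protocol name as reported by the session
         * @param cipher     negotiated cipher suite as reported by the session
         */
        public SSLInfo(X509Certificate[] x509Certs, String principal, String protocol, String cipher) {
            this(x509Certs, principal, protocol, cipher, null);
        }

        /**
         * Creates a snapshot including the local (server-side) chain.
         *
         * @param x509Certs          peer chain, end-entity first; {@code null} when the client did not authenticate
         * @param principal          principal derived from {@code x509Certs[0]}; may be {@code null}
         * @param protocol           negotiated protocol name as reported by the session
         * @param cipher             negotiated cipher suite as reported by the session
         * @param localCertificates  chain this node presented; may be {@code null}
         */
        public SSLInfo(X509Certificate[] x509Certs, String principal, String protocol, String cipher, X509Certificate[] localCertificates) {
            // Defensive copies: the getters already clone, so the stored arrays must be private too.
            this.x509Certs = x509Certs == null ? null : x509Certs.clone();
            this.principal = principal;
            this.protocol = protocol;
            this.cipher = cipher;
            this.localCertificates = localCertificates == null ? null : localCertificates.clone();
        }

        /** @return a copy of the peer chain, or {@code null} when none was presented */
        public X509Certificate[] getX509Certs() {
            return this.x509Certs == null ? null : this.x509Certs.clone();
        }

        /** @return a copy of the chain this node presented, or {@code null} */
        public X509Certificate[] getLocalCertificates() {
            return this.localCertificates == null ? null : this.localCertificates.clone();
        }

        /** @return the extracted principal, or {@code null} when the client did not authenticate */
        public String getPrincipal() {
            return this.principal;
        }

        /** @return the negotiated protocol name */
        public String getProtocol() {
            return this.protocol;
        }

        /** @return the negotiated cipher suite */
        public String getCipher() {
            return this.cipher;
        }

        @Override
        public String toString() {
            return "SSLInfo [x509Certs=" + Arrays.toString(this.x509Certs) + ", principal=" + this.principal + ", protocol=" + this.protocol + ", cipher=" + this.cipher + "]";
        }
    }

    /**
     * Extracts TLS session details from the Netty channel behind a REST request.
     *
     * <p>When the engine needs or wants client authentication, the peer chain is copied,
     * run through {@link #validate} under {@code doPrivileged} (the CRL check reads files
     * from the config directory), and the principal is extracted from the end-entity
     * certificate.
     *
     * @param settings            node settings; consulted for the CRL-validation options
     * @param path                node config path used to resolve CRL and truststore files
     * @param restRequest         the incoming request; may be {@code null}
     * @param principalExtractor  maps the end-entity certificate to a principal string; may be {@code null}
     * @return the session info, or {@code null} when the request did not arrive over the
     *         Netty HTTP transport with the {@code ssl_http} handler installed
     * @throws SSLPeerUnverifiedException when client authentication is required but the
     *         peer is unverified, or when a presented chain failed revocation validation
     *         (the latter is thrown even when client authentication is merely wanted)
     * @throws ElasticsearchException when client authentication is required and the peer
     *         presented no X.509 chain
     */
    public static SSLInfo getSSLInfo(final Settings settings, final Path path, RestRequest restRequest, PrincipalExtractor principalExtractor) throws SSLPeerUnverifiedException {
        if (restRequest == null || restRequest.getHttpChannel() == null || !(restRequest.getHttpChannel() instanceof Netty4HttpChannel)) {
            return null;
        }
        final SslHandler sslHandler = (SslHandler) ((Netty4HttpChannel) restRequest.getHttpChannel()).getNettyChannel().pipeline().get("ssl_http");
        if (sslHandler == null) {
            return null;
        }

        final SSLEngine engine = sslHandler.engine();
        final SSLSession session = engine.getSession();
        final String protocol = session.getProtocol();
        final String cipher = session.getCipherSuite();

        X509Certificate[] peerChain = null;
        String principal = null;
        // Remembers a revocation failure so the optional-auth path below cannot swallow it.
        boolean validationFailure = false;

        if (engine.getNeedClientAuth() || engine.getWantClientAuth()) {
            try {
                final Certificate[] certs = session.getPeerCertificates();
                if (certs != null && certs.length > 0 && certs[0] instanceof X509Certificate) {
                    peerChain = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
                    final X509Certificate[] chainToValidate = peerChain;

                    final SecurityManager sm = System.getSecurityManager();
                    if (sm != null) {
                        // Escalating via doPrivileged requires the plugin to hold SpecialPermission.
                        sm.checkPermission(new SpecialPermission());
                    }
                    validationFailure = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
                        @Override
                        public Boolean run() {
                            return !validate(chainToValidate, settings, path);
                        }
                    });
                    if (validationFailure) {
                        throw new SSLPeerUnverifiedException("Unable to validate certificate (CRL)");
                    }
                    principal = principalExtractor == null ? null : principalExtractor.extractPrincipal(peerChain[0], PrincipalExtractor.Type.HTTP);
                } else if (engine.getNeedClientAuth()) {
                    throw new ElasticsearchException("No client certificates found but such are needed (SG 9).");
                }
            } catch (final SSLPeerUnverifiedException e) {
                // With wantClientAuth only, an absent or unverified peer is acceptable; a chain
                // that was presented and failed revocation checks is not.
                if (engine.getNeedClientAuth() || validationFailure) {
                    throw e;
                }
            }
        }

        final Certificate[] local = session.getLocalCertificates();
        final X509Certificate[] localChain = local == null ? null : Arrays.copyOf(local, local.length, X509Certificate[].class);
        return new SSLInfo(peerChain, principal, protocol, cipher, localChain);
    }

    /**
     * Reports whether any header in the thread context has a name that, once trimmed and
     * lower-cased, starts with {@code prefix}.
     *
     * @param threadContext  the current thread context; {@code null} yields {@code false}
     * @param prefix         the forbidden name prefix; callers are expected to pass it in lower case
     * @return {@code true} if at least one header name matches
     */
    public static boolean containsBadHeader(final ThreadContext threadContext, final String prefix) {
        if (threadContext == null) {
            return false;
        }
        for (final Map.Entry<String, String> header : threadContext.getHeaders().entrySet()) {
            if (header == null || header.getKey() == null) {
                continue;
            }
            // Locale.ROOT keeps the comparison independent of the JVM's default locale.
            if (header.getKey().trim().toLowerCase(Locale.ROOT).startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs CRL/OCSP revocation checks on a client chain when
     * {@code SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_VALIDATE} is enabled.
     *
     * <p>Trust anchors come from the configured truststore or, failing that, the PEM
     * trusted-CA file. An optional CRL file is loaded from the config directory; CRL
     * distribution points and OCSP are enabled unless disabled in settings.
     *
     * @param x509Certs   the peer chain to check, end-entity first
     * @param settings    node settings holding the CRL options
     * @param configPath  node config path used to resolve relative file names
     * @return {@code true} when validation is disabled or the chain passed; {@code false}
     *         when the chain was rejected or the check could not be performed at all
     *         (fail closed — the caller treats {@code false} as an unverified peer)
     */
    public static boolean validate(final X509Certificate[] x509Certs, final Settings settings, final Path configPath) {
        final boolean validateCrl = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_VALIDATE, false);
        if (log.isTraceEnabled()) {
            log.trace("validateCrl: " + validateCrl);
        }
        if (!validateCrl) {
            return true;
        }

        final Environment env = new Environment(settings, configPath);
        try {
            final Collection<? extends CRL> crls = loadCrls(settings, env);
            final CertificateValidator validator = createValidator(settings, env, crls);

            validator.setEnableCRLDP(!settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_DISABLE_CRLDP, false));
            validator.setEnableOCSP(!settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_DISABLE_OCSP, false));
            validator.setCheckOnlyEndEntities(settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true));
            validator.setPreferCrl(settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false));

            Long validationDate = settings.getAsLong(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_VALIDATION_DATE, (Long) null);
            if (validationDate != null && validationDate < 0) {
                // A negative value is treated as "not configured": validate against the current time.
                validationDate = null;
            }
            validator.setDate(validationDate == null ? null : new Date(validationDate));

            validator.validate(x509Certs);
            return true;
        } catch (final Exception e) {
            // Boundary catch: any failure to build or run the validator rejects the peer.
            if (log.isDebugEnabled()) {
                log.debug("Unable to validate CRL: " + ExceptionsHelper.stackTrace(e));
            }
            log.warn("Unable to validate CRL: " + ExceptionUtils.getRootCause(e));
            return false;
        }
    }

    /**
     * Loads the CRLs from the configured CRL file.
     *
     * @return the parsed CRLs, or {@code null} when no CRL file is configured
     */
    private static Collection<? extends CRL> loadCrls(final Settings settings, final Environment env) throws IOException, GeneralSecurityException {
        final String crlFile = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_FILE);
        if (crlFile == null) {
            if (log.isTraceEnabled()) {
                log.trace("no crl file configured");
            }
            return null;
        }
        try (FileInputStream crlIn = new FileInputStream(env.configFile().resolve(crlFile).toAbsolutePath().toFile())) {
            final Collection<? extends CRL> crls = CertificateFactory.getInstance("X.509").generateCRLs(crlIn);
            if (log.isTraceEnabled()) {
                log.trace("crls from file: " + crls.size());
            }
            return crls;
        }
    }

    /**
     * Builds the validator from the configured truststore, or from the PEM trusted-CA file
     * when no truststore path is set.
     */
    private static CertificateValidator createValidator(final Settings settings, final Environment env, final Collection<? extends CRL> crls) throws IOException, GeneralSecurityException {
        final String truststorePath = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH);
        if (truststorePath != null) {
            final String truststoreType = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_TYPE, "JKS");
            final String truststorePassword = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
            final KeyStore truststore = KeyStore.getInstance(truststoreType);
            try (FileInputStream tsIn = new FileInputStream(env.configFile().resolve(truststorePath).toAbsolutePath().toFile())) {
                // An empty or absent password is passed as null so KeyStore.load skips the integrity check.
                truststore.load(tsIn, truststorePassword == null || truststorePassword.isEmpty() ? null : truststorePassword.toCharArray());
            }
            return new CertificateValidator(truststore, crls);
        }

        final String pemCasPath = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "");
        try (FileInputStream pemIn = new FileInputStream(env.configFile().resolve(pemCasPath).toAbsolutePath().toFile())) {
            final X509Certificate[] trustedCas = CertificateFactory.getInstance("X.509").generateCertificates(pemIn).toArray(new X509Certificate[0]);
            return new CertificateValidator(trustedCas, crls);
        }
    }
}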
