package jenkins.slaves;

import hudson.Extension;
import hudson.ExtensionList;
import hudson.model.Computer;
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import jenkins.AgentProtocol;
import jenkins.model.identity.InstanceIdentityProvider;
import org.jenkinsci.Symbol;
import org.jenkinsci.remoting.engine.JnlpConnectionState;
import org.jenkinsci.remoting.engine.JnlpProtocol4Handler;
import org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager;

@Extension
@Symbol({"jnlp4"})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.384-rc33258.881f7b_6ed2b_3.jar:jenkins/slaves/JnlpSlaveAgentProtocol4.class */
public class JnlpSlaveAgentProtocol4 extends AgentProtocol {
    private static final Logger LOGGER = Logger.getLogger(JnlpSlaveAgentProtocol4.class.getName());
    private KeyStore keyStore;
    private JnlpProtocol4Handler handler;

    private synchronized void init() throws Exception {
        if (this.handler != null) {
            LOGGER.fine("already initialized");
            return;
        }
        LOGGER.fine("initializing");
        X509Certificate certificate = InstanceIdentityProvider.RSA.getCertificate();
        if (certificate == null) {
            throw new KeyStoreException("JENKINS-41987: no X509Certificate found; perhaps instance-identity plugin is not installed");
        }
        RSAPrivateKey privateKey = InstanceIdentityProvider.RSA.getPrivateKey();
        if (privateKey == null) {
            throw new KeyStoreException("JENKINS-41987: no RSAPrivateKey found; perhaps instance-identity plugin is not installed");
        }
        this.keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] constructPassword = constructPassword();
        try {
            this.keyStore.load(null, constructPassword);
            this.keyStore.setKeyEntry("jenkins", privateKey, constructPassword, new X509Certificate[]{certificate});
            try {
                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyManagerFactory.init(this.keyStore, constructPassword);
                TrustManager[] trustManagerArr = {new PublicKeyMatchingX509ExtendedTrustManager(false, true, new PublicKey[0])};
                try {
                    SSLContext sSLContext = SSLContext.getInstance("TLS");
                    sSLContext.init(keyManagerFactory.getKeyManagers(), trustManagerArr, null);
                    this.handler = new JnlpProtocol4Handler(JnlpAgentReceiver.DATABASE, Computer.threadPoolForRemoting, ((IOHubProvider) ExtensionList.lookupSingleton(IOHubProvider.class)).getHub(), sSLContext, false, true);
                } catch (NoSuchAlgorithmException e) {
                    throw new IllegalStateException("Java runtime specification requires support for TLS algorithm", e);
                }
            } catch (NoSuchAlgorithmException e2) {
                throw new IllegalStateException("Specification says the default algorithm should exist", e2);
            } catch (UnrecoverableKeyException e3) {
                throw new IllegalStateException("The key was just inserted with this exact password", e3);
            }
        } catch (IOException e4) {
            throw new IllegalStateException("Specification says this should not happen as we are not doing I/O", e4);
        } catch (NoSuchAlgorithmException | CertificateException e5) {
            throw new IllegalStateException("Specification says this should not happen as we are not loading keys", e5);
        }
    }

    private char[] constructPassword() {
        return "password".toCharArray();
    }

    @Override // jenkins.AgentProtocol
    public boolean isOptIn() {
        return false;
    }

    @Override // jenkins.AgentProtocol
    public String getDisplayName() {
        return Messages.JnlpSlaveAgentProtocol4_displayName();
    }

    @Override // jenkins.AgentProtocol
    public String getName() {
        return "JNLP4-connect";
    }

    @Override // jenkins.AgentProtocol
    public void handle(Socket socket) throws IOException, InterruptedException {
        try {
            init();
            try {
                X509Certificate x509Certificate = (X509Certificate) this.keyStore.getCertificate("jenkins");
                if (x509Certificate == null || x509Certificate.getNotAfter().getTime() < System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1L)) {
                    LOGGER.log(Level.INFO, "Updating {0} TLS certificate to retain validity", getName());
                    X509Certificate certificate = InstanceIdentityProvider.RSA.getCertificate();
                    this.keyStore.setKeyEntry("jenkins", InstanceIdentityProvider.RSA.getPrivateKey(), constructPassword(), new X509Certificate[]{certificate});
                }
            } catch (KeyStoreException e) {
                LOGGER.log(Level.FINEST, "Ignored", (Throwable) e);
            }
            this.handler.handle(socket, Map.of(JnlpConnectionState.COOKIE_KEY, JnlpAgentReceiver.generateCookie()), ExtensionList.lookup(JnlpAgentReceiver.class));
        } catch (IOException e2) {
            throw e2;
        } catch (Exception e3) {
            throw new IOException(e3);
        }
    }
}
