package org.apache.qpid.proton.engine.impl.ssl;

import java.io.Closeable;
import java.io.FileReader;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.SslPeerDetails;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PasswordFinder;

/* loaded from: input_file:WEB-INF/lib/proton-j-impl-0.5.jar:org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.class */
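/**
 * Builds {@link SSLEngine} instances (wrapped as {@link ProtonSslEngine}) from an
 * {@link SslDomain}, reading PEM-encoded certificates and private keys with BouncyCastle.
 *
 * <p>The {@link SSLContext} is created lazily from the <em>first</em> domain seen and then
 * cached in this factory until {@link #resetCache()} is called. A later call with a different
 * domain (other CA file, key, or peer-authentication mode) silently reuses the cached context,
 * so the trust manager in use may not match the domain passed to that call. Use one factory per
 * domain configuration, or reset the cache between configurations.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@link SslDomain.VerifyMode#ANONYMOUS_PEER} installs a trust manager that accepts any
 *       certificate chain and additionally enables anonymous Diffie-Hellman cipher suites. That
 *       mode provides no peer authentication at all and is open to an active man-in-the-middle;
 *       it is only appropriate where authentication is deliberately not wanted.</li>
 *   <li>No endpoint identification (hostname verification) is configured on the engines created
 *       here; the peer host/port handed to {@link SSLContext#createSSLEngine(String, int)} only
 *       act as hints for SSL session reuse. NOTE(review): confirm whether any name-verifying mode
 *       of {@code SslDomain.VerifyMode} is expected to be enforced by this class.</li>
 *   <li>Only the first PEM object of the trusted-CA file is installed as a trust anchor.</li>
 * </ul>
 *
 * <p>Not thread-safe: the lazy context cache is unsynchronised.
 */
public class SslEngineFacadeFactory {
    private static final Logger _logger = Logger.getLogger(SslEngineFacadeFactory.class.getName());

    /** Protocol name passed to {@link SSLContext#getInstance(String)}; the JRE selects the versions. */
    private static final String TLS_PROTOCOL = "TLS";

    /** Passphrase of the in-memory keystore built by {@link #createKeyStoreFrom}; never written to disk. */
    private static final String KEYSTORE_PASSPHRASE = "unused-passphrase";

    /** Alias of the trusted-CA certificate entry in the in-memory keystore. */
    private static final String CA_CERT_ALIAS = "cacert";

    /** Alias of the local private-key/certificate entry in the in-memory keystore. */
    private static final String PRIVATE_KEY_ALIAS = "clientPrivateKey";

    /**
     * Anonymous (unauthenticated) Diffie-Hellman suites enabled for ANONYMOUS_PEER mode, in
     * preference order. Single-DES and export-grade DES40 suites are deliberately not listed:
     * their 56-/40-bit keys are brute-forceable, so they give no useful confidentiality even
     * against a passive observer. 3DES is kept for peers that lack the AES suite.
     */
    private static final List<String> ANONYMOUS_CIPHER_SUITES;

    /** Lazily created and cached context; see the class comment for the caching caveat. */
    private SSLContext _sslContext;

    /**
     * Trust manager that accepts every certificate chain without any check. It is only used for
     * {@link SslDomain.VerifyMode#ANONYMOUS_PEER}, where the peer's identity is deliberately not
     * verified; the resulting connection is vulnerable to an active man-in-the-middle.
     */
    private static final class AlwaysTrustingTrustManager implements X509TrustManager {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract requires a non-null array. Returning null (as an
            // earlier version did) can NPE in callers that iterate over the result.
            return new X509Certificate[0];
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Intentionally empty: anonymous mode trusts any server certificate.
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Intentionally empty: anonymous mode trusts any client certificate.
        }
    }

    /**
     * Creates a Proton SSL engine for the given domain and (optional) peer details.
     *
     * @param sslDomain      SSL configuration: mode, certificate/key files, peer-authentication mode
     * @param sslPeerDetails peer host and port used as SSL session-reuse hints, or {@code null}
     * @return a facade over a freshly created and initialised {@link SSLEngine}
     * @throws IllegalStateException if the context or keystore cannot be built from the domain
     */
    public ProtonSslEngine createProtonSslEngine(SslDomain sslDomain, SslPeerDetails sslPeerDetails) {
        SSLEngine engine = createAndInitialiseSslEngine(sslDomain, sslPeerDetails);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Created SSL engine: " + engineToString(engine));
        }
        return new DefaultSslEngineFacade(engine);
    }

    /** Discards the cached {@link SSLContext}; the next engine creation rebuilds it from its domain. */
    public void resetCache() {
        _sslContext = null;
    }

    /**
     * Creates an engine from the (cached) context and applies the per-engine settings that depend
     * on the domain's mode and peer-authentication setting.
     */
    private SSLEngine createAndInitialiseSslEngine(SslDomain sslDomain, SslPeerDetails sslPeerDetails) {
        SslDomain.Mode mode = sslDomain.getMode();
        SSLEngine engine = createSslEngine(getOrCreateSslContext(sslDomain), sslPeerDetails);

        if (sslDomain.getPeerAuthentication() == SslDomain.VerifyMode.ANONYMOUS_PEER) {
            // The peer-authentication mode of *this* domain decides the cipher suites, while the
            // trust manager comes from the cached context (possibly built from another domain).
            addAnonymousCipherSuites(engine);
        } else if (mode == SslDomain.Mode.SERVER) {
            // A server demands a client certificate; the context's trust manager validates it.
            engine.setNeedClientAuth(true);
        }

        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, mode + " Enabled cipher suites " + Arrays.asList(engine.getEnabledCipherSuites()));
        }
        engine.setUseClientMode(mode == SslDomain.Mode.CLIENT);
        return engine;
    }

    /**
     * Creates an engine, passing the peer host/port when known. The JSSE uses these values as
     * session-cache hints only; they do not by themselves enable hostname verification.
     */
    private SSLEngine createSslEngine(SSLContext sslContext, SslPeerDetails sslPeerDetails) {
        if (sslPeerDetails == null) {
            return sslContext.createSSLEngine();
        }
        return sslContext.createSSLEngine(sslPeerDetails.getHostname(), sslPeerDetails.getPort());
    }

    /**
     * Returns the cached context, building it from {@code sslDomain} on first use.
     *
     * <p>Trust anchors are taken from the same in-memory keystore that holds the local key, i.e.
     * from the {@value #CA_CERT_ALIAS} entry when a trusted-CA file was configured. NOTE(review):
     * when no trusted-CA file is given and the mode is not anonymous, peer validation relies on
     * what the JRE's default trust manager derives from a keystore with no certificate entry —
     * confirm that peers are then rejected rather than accepted.
     *
     * @throws IllegalStateException wrapping any {@link GeneralSecurityException} raised while
     *                               building the key/trust managers or initialising the context
     */
    private SSLContext getOrCreateSslContext(SslDomain sslDomain) {
        if (_sslContext == null) {
            if (_logger.isLoggable(Level.FINE)) {
                // NOTE(review): this logs the domain's toString(); make sure it does not include
                // the private-key password.
                _logger.fine("lazily creating new SSLContext using domain " + sslDomain);
            }
            char[] keystorePassphrase = KEYSTORE_PASSPHRASE.toCharArray();
            try {
                SSLContext sslContext = SSLContext.getInstance(TLS_PROTOCOL);
                KeyStore keyStore = createKeyStoreFrom(sslDomain, keystorePassphrase);

                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyManagerFactory.init(keyStore, keystorePassphrase);

                TrustManager[] trustManagers;
                if (sslDomain.getPeerAuthentication() == SslDomain.VerifyMode.ANONYMOUS_PEER) {
                    trustManagers = new TrustManager[] { new AlwaysTrustingTrustManager() };
                } else {
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    trustManagerFactory.init(keyStore);
                    trustManagers = trustManagerFactory.getTrustManagers();
                }

                // A null SecureRandom lets the JRE pick its default source of randomness.
                sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
                _sslContext = sslContext;
            } catch (GeneralSecurityException e) {
                // Covers KeyManagementException, KeyStoreException, NoSuchAlgorithmException and
                // UnrecoverableKeyException, which are the only checked exceptions thrown above.
                throw new IllegalStateException("Unexpected exception creating SSLContext", e);
            }
        }
        return _sslContext;
    }

    /**
     * Builds a fresh in-memory keystore holding the trusted-CA certificate (if configured) and the
     * local private key with its certificate (if both files are configured).
     *
     * @param sslDomain          source of the PEM file names and the private-key password
     * @param keystorePassphrase passphrase protecting the key entry inside the in-memory store
     * @throws IllegalStateException wrapping any I/O or security exception, or if a PEM file does
     *                               not contain an object of the expected type
     */
    private KeyStore createKeyStoreFrom(SslDomain sslDomain, char[] keystorePassphrase) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null); // fresh, empty, in-memory store

            String trustedCaDb = sslDomain.getTrustedCaDb();
            if (trustedCaDb != null) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "_sslParams.getTrustedCaDb() : " + trustedCaDb);
                }
                // Only the first PEM object of the file is read: a bundle with several CA
                // certificates installs just its first certificate as a trust anchor.
                Certificate caCertificate = (Certificate) readPemObject(trustedCaDb, null, Certificate.class);
                keyStore.setCertificateEntry(CA_CERT_ALIAS, caCertificate);
            }

            String certificateFile = sslDomain.getCertificateFile();
            String privateKeyFile = sslDomain.getPrivateKeyFile();
            if (certificateFile != null && privateKeyFile != null) {
                Certificate certificate = (Certificate) readPemObject(certificateFile, null, Certificate.class);
                PrivateKey privateKey = readPrivateKey(privateKeyFile, sslDomain.getPrivateKeyPassword());
                keyStore.setKeyEntry(PRIVATE_KEY_ALIAS, privateKey, keystorePassphrase, new Certificate[] { certificate });
            }
            return keyStore;
        } catch (IOException e) {
            throw new IllegalStateException("Unexpected exception creating keystore", e);
        } catch (GeneralSecurityException e) {
            // Covers KeyStoreException, NoSuchAlgorithmException and CertificateException.
            throw new IllegalStateException("Unexpected exception creating keystore", e);
        }
    }

    /**
     * Reads a PEM private key, accepting either a bare private key or a key pair.
     *
     * @param privateKeyFile path of the PEM file
     * @param password       password for an encrypted key, or {@code null}
     * @throws IllegalStateException if the file yields neither a {@link PrivateKey} nor a {@link KeyPair}
     */
    private PrivateKey readPrivateKey(String privateKeyFile, String password) {
        Object keyObject = readPemObject(privateKeyFile, password, PrivateKey.class, KeyPair.class);
        if (keyObject instanceof PrivateKey) {
            return (PrivateKey) keyObject;
        }
        if (keyObject instanceof KeyPair) {
            return ((KeyPair) keyObject).getPrivate();
        }
        throw new IllegalStateException("Unexpected key type " + keyObject);
    }

    /** Appends the supported anonymous suites to the engine's currently enabled suites. */
    private void addAnonymousCipherSuites(SSLEngine engine) {
        List<String> enabledSuites = buildEnabledSuitesIncludingAnonymous(
                ANONYMOUS_CIPHER_SUITES,
                Arrays.asList(engine.getSupportedCipherSuites()),
                Arrays.asList(engine.getEnabledCipherSuites()));
        engine.setEnabledCipherSuites(enabledSuites.toArray(new String[enabledSuites.size()]));
    }

    /**
     * Returns {@code currentlyEnabledSuites} followed by every requested anonymous suite that the
     * engine supports.
     *
     * @throws IllegalStateException if the engine supports none of the anonymous suites
     */
    private List<String> buildEnabledSuitesIncludingAnonymous(List<String> anonymousSuites,
            List<String> supportedSuites, List<String> currentlyEnabledSuites) {
        List<String> result = new ArrayList<String>(currentlyEnabledSuites);
        int added = 0;
        for (String suite : anonymousSuites) {
            if (supportedSuites.contains(suite)) {
                result.add(suite);
                added++;
            }
        }
        if (added == 0) {
            throw new IllegalStateException("None of " + anonymousSuites + " anonymous cipher suites are within the supported list " + supportedSuites);
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("There are now " + result.size() + " cipher suites enabled (previously " + currentlyEnabledSuites.size() + "), including " + added + " out of the " + anonymousSuites.size() + " requested anonymous ones.");
        }
        return result;
    }

    /** Human-readable summary of an engine's authentication-relevant settings, for FINE logging. */
    private String engineToString(SSLEngine engine) {
        return "[ " + engine + ", needClientAuth=" + engine.getNeedClientAuth()
                + ", useClientMode=" + engine.getUseClientMode()
                + ", peerHost=" + engine.getPeerHost()
                + ", peerPort=" + engine.getPeerPort() + " ]";
    }

    /**
     * Reads the first PEM object from {@code pemFile} and checks it is an instance of one of
     * {@code expectedTypes}.
     *
     * <p>The file is read through a {@link FileReader}, i.e. in the platform default charset;
     * PEM is ASCII, so this only matters for exotic platform encodings.
     *
     * @param pemFile       path of the PEM file
     * @param password      password for an encrypted object, or {@code null}
     * @param expectedTypes at least one type the object must implement
     * @throws IllegalStateException if the file holds no PEM object, the object has an unexpected
     *                               type, or BouncyCastle fails to parse it
     * @throws RuntimeException      on any other I/O failure
     */
    private Object readPemObject(String pemFile, String password, Class<?>... expectedTypes) {
        PasswordFinder passwordFinder = password != null ? getPasswordFinderFor(password) : null;
        FileReader fileReader = null;
        PEMReader pemReader = null;
        try {
            fileReader = new FileReader(pemFile);
            pemReader = new PEMReader(fileReader, passwordFinder);
            Object pemObject = pemReader.readObject();
            if (pemObject == null) {
                // readObject() yields null at end of input; the old code NPE'd here while
                // building its error message.
                throw new IllegalStateException("File " + pemFile + " does not contain a PEM object whilst expecting an implementation of one of the following  : " + Arrays.asList(expectedTypes));
            }
            if (!checkPemObjectIsOfAllowedTypes(pemObject, expectedTypes)) {
                throw new IllegalStateException("File " + pemFile + " does not provide a object of the required type. Read an object of class " + pemObject.getClass().getName() + " whilst expecting an implementation of one of the following  : " + Arrays.asList(expectedTypes));
            }
            return pemObject;
        } catch (PEMException e) {
            // PEMException extends IOException, so it must be caught before the generic handler.
            _logger.log(Level.SEVERE, "Unable to read PEM object. Perhaps you need the unlimited strength libraries in <java-home>/jre/lib/security/ ?", e);
            throw new IllegalStateException("Unable to read PEM object from file " + pemFile, e);
        } catch (IOException e) {
            throw new RuntimeException("Unable to read PEM object from file " + pemFile, e);
        } finally {
            closeQuietly(pemReader, "Couldn't close PEM reader");
            closeQuietly(fileReader, "Couldn't close PEM file reader");
        }
    }

    /** Closes {@code closeable} if non-null, logging (not propagating) any failure. */
    private void closeQuietly(Closeable closeable, String failureMessage) {
        if (closeable == null) {
            return;
        }
        try {
            closeable.close();
        } catch (IOException e) {
            _logger.log(Level.SEVERE, failureMessage, e);
        }
    }

    /**
     * Returns whether {@code candidate} is an instance of any of {@code expectedTypes}.
     *
     * @throws IllegalArgumentException if no expected types are given
     */
    private boolean checkPemObjectIsOfAllowedTypes(Object candidate, Class<?>... expectedTypes) {
        if (expectedTypes.length == 0) {
            throw new IllegalArgumentException("Must be at least one expectedKeyTypes");
        }
        for (Class<?> expectedType : expectedTypes) {
            if (expectedType.isInstance(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adapts a password string to BouncyCastle's {@link PasswordFinder}. The password is held as
     * a {@link String} because that is how the domain supplies it, so it cannot be zeroed.
     */
    private PasswordFinder getPasswordFinderFor(final String password) {
        return new PasswordFinder() {
            @Override
            public char[] getPassword() {
                return password.toCharArray();
            }
        };
    }

    static {
        // Registers BouncyCastle JVM-wide so PEMReader can decode the key and certificate
        // encodings. This is a process-global side effect of loading this class.
        Security.addProvider(new BouncyCastleProvider());
        ANONYMOUS_CIPHER_SUITES = Arrays.asList(
                "TLS_DH_anon_WITH_AES_128_CBC_SHA",
                "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
    }
}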
