package shaded.org.apache.hc.client5.http.ssl;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import shaded.org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory;
import shaded.org.apache.hc.core5.annotation.Contract;
import shaded.org.apache.hc.core5.annotation.ThreadingBehavior;
import shaded.org.apache.hc.core5.http.HttpHost;
import shaded.org.apache.hc.core5.http.protocol.HttpContext;
import shaded.org.apache.hc.core5.http.ssl.TLS;
import shaded.org.apache.hc.core5.http.ssl.TlsCiphers;
import shaded.org.apache.hc.core5.io.Closer;
import shaded.org.apache.hc.core5.ssl.SSLContexts;
import shaded.org.apache.hc.core5.ssl.SSLInitializationException;
import shaded.org.apache.hc.core5.util.Args;
import shaded.org.apache.hc.core5.util.Asserts;
import shaded.org.apache.hc.core5.util.TimeValue;
import shaded.org.slf4j.Logger;
import shaded.org.slf4j.LoggerFactory;

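/**
 * Connection socket factory that layers TLS over a plain socket, restricts the
 * enabled protocols and cipher suites, runs the handshake, and then verifies the
 * negotiated session against the target host name.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When no explicit protocol or cipher-suite list is configured, the socket's
 *       own enabled set is passed through {@code TLS.excludeWeak} /
 *       {@code TlsCiphers.excludeWeak} before the handshake.</li>
 *   <li>When an explicit list <em>is</em> configured it is applied verbatim; no weak
 *       protocol or cipher filtering is performed on it, so the caller owns that
 *       policy decision.</li>
 *   <li>A {@code null} {@link HostnameVerifier} never disables verification; the
 *       default verifier from {@code HttpsSupport} is substituted.</li>
 *   <li>Host name / session verification always runs after the handshake and closes
 *       the socket when it fails with an {@link IOException}.</li>
 * </ul>
 *
 * <p>Instances hold only immutable configuration (the protocol and cipher arrays are
 * copied on construction), in line with the {@code STATELESS} threading contract.
 */
@Contract(threading = ThreadingBehavior.STATELESS)
/* loaded from: input_file:shaded/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.class */
public class SSLConnectionSocketFactory implements LayeredConnectionSocketFactory {
    // Key-exchange families treated as weak: NULL, anonymous (EC)DH and all *_EXPORT variants.
    private static final String WEAK_KEY_EXCHANGES = "^(TLS|SSL)_(NULL|ECDH_anon|DH_anon|DH_anon_EXPORT|DHE_RSA_EXPORT|DHE_DSS_EXPORT|DSS_EXPORT|DH_DSS_EXPORT|DH_RSA_EXPORT|RSA_EXPORT|KRB5_EXPORT)_(.*)";
    // Bulk ciphers treated as weak: NULL, single DES, 3DES, RC4 and 40-bit RC2.
    private static final String WEAK_CIPHERS = "^(TLS|SSL)_(.*)_WITH_(NULL|DES_CBC|DES40_CBC|DES_CBC_40|3DES_EDE_CBC|RC4_128|RC4_40|RC2_CBC_40)_(.*)";
    // Matching is case-insensitive so differently-cased suite names cannot slip past the filter.
    private static final List<Pattern> WEAK_CIPHER_SUITE_PATTERNS = Collections.unmodifiableList(Arrays.asList(
            Pattern.compile(WEAK_KEY_EXCHANGES, Pattern.CASE_INSENSITIVE),
            Pattern.compile(WEAK_CIPHERS, Pattern.CASE_INSENSITIVE)));
    private static final Logger LOG = LoggerFactory.getLogger(SSLConnectionSocketFactory.class);
    private final SSLSocketFactory socketFactory;
    private final HostnameVerifier hostnameVerifier;
    // null means "not configured": the socket defaults are filtered instead (see createLayeredSocket).
    private final String[] supportedProtocols;
    // null means "not configured": the socket defaults are filtered instead (see createLayeredSocket).
    private final String[] supportedCipherSuites;
    private final TlsSessionValidator tlsSessionValidator;

    /**
     * Creates a factory backed by {@code SSLContexts.createDefault()} and the default
     * hostname verifier.
     *
     * @return a new factory instance
     * @throws SSLInitializationException declared by the original signature; raised by
     *         the context creation if it fails
     */
    public static SSLConnectionSocketFactory getSocketFactory() throws SSLInitializationException {
        return new SSLConnectionSocketFactory(SSLContexts.createDefault(), HttpsSupport.getDefaultHostnameVerifier());
    }

    /**
     * Creates a factory backed by the JVM-wide default {@link SSLSocketFactory}, using
     * the protocol and cipher-suite lists reported by {@code HttpsSupport}.
     *
     * <p>NOTE(review): if {@code HttpsSupport} returns non-null lists they are applied
     * verbatim (no weak-suite filtering); confirm where those values come from before
     * relying on this factory for a hardened configuration.
     *
     * @return a new factory instance
     * @throws SSLInitializationException declared by the original signature
     */
    public static SSLConnectionSocketFactory getSystemSocketFactory() throws SSLInitializationException {
        return new SSLConnectionSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault(), HttpsSupport.getSystemProtocols(), HttpsSupport.getSystemCipherSuits(), HttpsSupport.getDefaultHostnameVerifier());
    }

    /**
     * Tells whether a cipher-suite name matches one of the weak key-exchange or weak
     * bulk-cipher patterns declared in this class.
     *
     * <p>This helper is not invoked anywhere in this class; the default filtering in
     * {@link #createLayeredSocket} goes through {@code TlsCiphers.excludeWeak}.
     *
     * @param str cipher-suite name, e.g. {@code TLS_RSA_WITH_RC4_128_SHA}; must not be null
     * @return {@code true} if the whole name matches any weak pattern
     */
    static boolean isWeakCipherSuite(String str) {
        for (Pattern pattern : WEAK_CIPHER_SUITE_PATTERNS) {
            if (pattern.matcher(str).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * @param sSLContext TLS context supplying the socket factory; must not be null
     */
    public SSLConnectionSocketFactory(SSLContext sSLContext) {
        this(sSLContext, HttpsSupport.getDefaultHostnameVerifier());
    }

    /**
     * @param sSLContext TLS context supplying the socket factory; must not be null
     * @param hostnameVerifier verifier to use, or {@code null} for the default verifier
     */
    public SSLConnectionSocketFactory(SSLContext sSLContext, HostnameVerifier hostnameVerifier) {
        this(((SSLContext) Args.notNull(sSLContext, "SSL context")).getSocketFactory(), (String[]) null, (String[]) null, hostnameVerifier);
    }

    /**
     * @param sSLContext TLS context supplying the socket factory; must not be null
     * @param strArr protocols to enable verbatim, or {@code null} to filter the socket defaults
     * @param strArr2 cipher suites to enable verbatim, or {@code null} to filter the socket defaults
     * @param hostnameVerifier verifier to use, or {@code null} for the default verifier
     */
    public SSLConnectionSocketFactory(SSLContext sSLContext, String[] strArr, String[] strArr2, HostnameVerifier hostnameVerifier) {
        this(((SSLContext) Args.notNull(sSLContext, "SSL context")).getSocketFactory(), strArr, strArr2, hostnameVerifier);
    }

    /**
     * @param sSLSocketFactory factory used to layer TLS over connected sockets; must not be null
     * @param hostnameVerifier verifier to use, or {@code null} for the default verifier
     */
    public SSLConnectionSocketFactory(SSLSocketFactory sSLSocketFactory, HostnameVerifier hostnameVerifier) {
        this(sSLSocketFactory, (String[]) null, (String[]) null, hostnameVerifier);
    }

    /**
     * Primary constructor; every other constructor delegates here.
     *
     * @param sSLSocketFactory factory used to layer TLS over connected sockets; must not be null
     * @param strArr protocols to enable verbatim, or {@code null} to filter the socket defaults
     * @param strArr2 cipher suites to enable verbatim, or {@code null} to filter the socket defaults
     * @param hostnameVerifier verifier to use, or {@code null} for the default verifier
     */
    public SSLConnectionSocketFactory(SSLSocketFactory sSLSocketFactory, String[] strArr, String[] strArr2, HostnameVerifier hostnameVerifier) {
        this.socketFactory = (SSLSocketFactory) Args.notNull(sSLSocketFactory, "SSL socket factory");
        // Copy the arrays: a caller mutating its array after construction must not be able
        // to change the TLS policy of an already-built (and possibly shared) factory.
        this.supportedProtocols = strArr != null ? strArr.clone() : null;
        this.supportedCipherSuites = strArr2 != null ? strArr2.clone() : null;
        // A null verifier falls back to the default one; it never switches verification off.
        this.hostnameVerifier = hostnameVerifier != null ? hostnameVerifier : HttpsSupport.getDefaultHostnameVerifier();
        this.tlsSessionValidator = new TlsSessionValidator(LOG);
    }

    /**
     * Extension hook called by {@link #createLayeredSocket} after protocols and cipher
     * suites have been set and before the handshake starts. The default does nothing.
     *
     * <p>Because it runs last, an override can replace the protocol / cipher selection
     * made by this class, including loosening it; overrides should be reviewed with
     * that in mind.
     *
     * @param sSLSocket the not-yet-handshaken TLS socket
     * @throws IOException if the override fails to configure the socket
     */
    protected void prepareSocket(SSLSocket sSLSocket) throws IOException {
    }

    /**
     * Creates an unconnected plain socket from the default {@link SocketFactory}.
     *
     * @param httpContext unused by this implementation
     * @return a new unconnected socket
     * @throws IOException if the socket cannot be created
     */
    @Override // shaded.org.apache.hc.client5.http.socket.ConnectionSocketFactory
    public Socket createSocket(HttpContext httpContext) throws IOException {
        return SocketFactory.getDefault().createSocket();
    }

    /**
     * Connects the socket to the remote address and returns a TLS socket whose session
     * has been verified against {@code httpHost}'s host name.
     *
     * <p>If the connected socket is not an {@link SSLSocket}, TLS is layered on top via
     * {@link #createLayeredSocket}. If the caller supplied an {@link SSLSocket}, only the
     * handshake and host name verification are performed here: the protocol / cipher
     * restrictions and {@link #prepareSocket} are not applied to it, so such a socket
     * must be configured by whoever created it.
     *
     * <p>On any {@link IOException} (bind, connect, handshake or verification) the socket
     * is closed, including a socket passed in by the caller.
     *
     * @param timeValue connect timeout; {@code null} results in a timeout of 0, which
     *        {@link Socket#connect(java.net.SocketAddress, int)} treats as infinite
     * @param socket socket to connect, or {@code null} to create one
     * @param httpHost target host; its host name is the identity that gets verified
     * @param inetSocketAddress remote address to connect to; must not be null
     * @param inetSocketAddress2 local address to bind to, or {@code null}
     * @param httpContext passed through to socket creation
     * @return the connected, handshaken and verified socket
     * @throws IOException on bind, connect, handshake or verification failure
     */
    @Override // shaded.org.apache.hc.client5.http.socket.ConnectionSocketFactory
    public Socket connectSocket(final TimeValue timeValue, Socket socket, HttpHost httpHost, final InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, HttpContext httpContext) throws IOException {
        Args.notNull(httpHost, "HTTP host");
        Args.notNull(inetSocketAddress, "Remote address");
        final Socket sock = socket != null ? socket : createSocket(httpContext);
        try {
            // Bind inside the try so a failed bind does not leak the socket.
            if (inetSocketAddress2 != null) {
                sock.bind(inetSocketAddress2);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Connecting socket to {} with timeout {}", inetSocketAddress, timeValue);
            }
            try {
                AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: shaded.org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.1
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws IOException {
                        sock.connect(inetSocketAddress, timeValue != null ? timeValue.toMillisecondsIntBound() : 0);
                        return null;
                    }
                });
            } catch (PrivilegedActionException e) {
                // run() declares only IOException, so that is the only checked cause expected here.
                Asserts.check(e.getCause() instanceof IOException, "method contract violation only checked exceptions are wrapped: " + e.getCause());
                throw ((IOException) e.getCause());
            }
            if (!(sock instanceof SSLSocket)) {
                // Verification uses the logical host name, not the resolved address.
                return createLayeredSocket(sock, httpHost.getHostName(), inetSocketAddress.getPort(), httpContext);
            }
            SSLSocket sSLSocket = (SSLSocket) sock;
            LOG.debug("Starting handshake");
            sSLSocket.startHandshake();
            verifyHostname(sSLSocket, httpHost.getHostName());
            return sock;
        } catch (IOException e2) {
            Closer.closeQuietly(sock);
            throw e2;
        }
    }

    /**
     * Wraps an already-connected socket in TLS, applies the protocol / cipher policy,
     * performs the handshake and verifies the session against {@code str}.
     *
     * <p>The TLS socket is created with {@code autoClose = true}, so closing the returned
     * socket also closes the underlying one.
     *
     * @param socket connected plain socket to layer TLS over
     * @param str target host name; passed to the socket factory and used for verification
     * @param i target port
     * @param httpContext unused by this implementation
     * @return the handshaken and verified TLS socket
     * @throws IOException on handshake or verification failure
     */
    @Override // shaded.org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory
    public Socket createLayeredSocket(Socket socket, String str, int i, HttpContext httpContext) throws IOException {
        SSLSocket sSLSocket = (SSLSocket) this.socketFactory.createSocket(socket, str, i, true);
        if (this.supportedProtocols != null) {
            // Explicit configuration is applied as given; no weak-protocol filtering.
            sSLSocket.setEnabledProtocols(this.supportedProtocols);
        } else {
            sSLSocket.setEnabledProtocols(TLS.excludeWeak(sSLSocket.getEnabledProtocols()));
        }
        if (this.supportedCipherSuites != null) {
            // Explicit configuration is applied as given; no weak-cipher filtering.
            sSLSocket.setEnabledCipherSuites(this.supportedCipherSuites);
        } else {
            sSLSocket.setEnabledCipherSuites(TlsCiphers.excludeWeak(sSLSocket.getEnabledCipherSuites()));
        }
        if (LOG.isDebugEnabled()) {
            // The Object cast makes the array a single log argument instead of varargs.
            LOG.debug("Enabled protocols: {}", (Object) sSLSocket.getEnabledProtocols());
            LOG.debug("Enabled cipher suites: {}", (Object) sSLSocket.getEnabledCipherSuites());
        }
        prepareSocket(sSLSocket);
        LOG.debug("Starting handshake");
        sSLSocket.startHandshake();
        verifyHostname(sSLSocket, str);
        return sSLSocket;
    }

    /**
     * Obtains the TLS session of a socket and verifies it for the given host name,
     * closing the socket if that fails with an {@link IOException}.
     *
     * @param sSLSocket the TLS socket
     * @param str host name the session must be valid for
     * @throws IOException if no session is available or verification fails
     */
    private void verifyHostname(SSLSocket sSLSocket, String str) throws IOException {
        try {
            SSLSession session = sSLSocket.getSession();
            if (session == null) {
                // Touch the input stream, then retry; fall back to an explicit handshake.
                sSLSocket.getInputStream().available();
                session = sSLSocket.getSession();
                if (session == null) {
                    sSLSocket.startHandshake();
                    session = sSLSocket.getSession();
                }
            }
            if (session == null) {
                // Fail closed: without a session there is nothing to verify against.
                throw new SSLHandshakeException("SSL session not available");
            }
            verifySession(str, session);
        } catch (IOException e) {
            Closer.closeQuietly(sSLSocket);
            throw e;
        }
    }

    /**
     * Verifies the negotiated session for the given host name by delegating to the
     * {@code TlsSessionValidator} with the configured {@link HostnameVerifier}.
     *
     * <p>This is the only verification step in the class. An override replaces it
     * entirely and must signal rejection by throwing {@link SSLException}; returning
     * normally accepts the connection.
     *
     * @param str host name the session must be valid for
     * @param sSLSession the negotiated session
     * @throws SSLException if the session is not acceptable for the host name
     */
    protected void verifySession(String str, SSLSession sSLSession) throws SSLException {
        this.tlsSessionValidator.verifySession(str, sSLSession, this.hostnameVerifier);
    }
}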
