package com.ghc.ssl;

import com.ghc.config.Config;
import com.ghc.identity.CertificateSettings;
import com.ghc.identity.IdentityProvider;
import com.ghc.identity.IdentityResource;
import com.ghc.identity.IdentityStoreResource;
import com.ghc.identity.IdentityType;
import com.ghc.lang.Providers;
import com.ghc.lang.ThrowingProvider;
import com.ghc.security.nls.GHMessages;
import com.ghc.ssl.analyze.AnalyzeEndpoint;
import com.ghc.utils.StringUtils;
import com.ghc.utils.net.TestConnectionDiagnosticTool;
import com.google.common.base.Splitter;
import com.ibm.greenhat.logging.Level;
import com.ibm.greenhat.logging.Logger;
import com.ibm.greenhat.logging.LoggerFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/ghc/ssl/SSLUtils.class */
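/**
 * Static helpers for the HTTPS transport: building {@link SSLContext}s from identity stores,
 * scoping an identity to a URL for the duration of a call, filtering JCA providers, importing a
 * server's certificate chain into a trust store, and running connection diagnostics.
 *
 * <p>{@link #removeUnwantedProviders()}, {@link #reAddUnwantedProviders(Map)} and
 * {@link #runUsingIdentityForUrl(URL, IdentityProvider, ThrowingProvider)} change process-wide
 * state (the {@link Security} provider list and the {@link SSLSocketFactoryRegistry}). Nothing
 * here is synchronized, so concurrent callers can observe each other's changes.
 */
public final class SSLUtils {
    private static final Logger log = LoggerFactory.getLogger(SSLUtils.class.getName());

    /** System property controlling whether {@link #UNWANTED_PROVIDERS} are removed; defaults to {@code true}. */
    private static final String IGNORE_ENTRUST_PROPERTY = "gh.ssl.ignore.entrust";

    /** JCA provider names removed for the duration of {@link #runUsingIdentityForUrl}. */
    private static final Set<String> UNWANTED_PROVIDERS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("Entrust", "IAIK")));

    /**
     * Protocol names tried in order by {@link #getSSLContext(Iterable)} when the caller supplies none.
     * NOTE(review): "SSL_TLSv2" is not a standard JSSE protocol name; in practice the lookup falls
     * through to "TLS". Kept as-is because the list is part of the observable behaviour.
     */
    private static final Iterable<String> DEFAULT_PROTOCOLS =
            Collections.unmodifiableList(Arrays.asList("SSL_TLSv2", "TLS", "TLSv1"));

    /** Port used by {@link #addServerCertificatesToIdStore} when the URL carries none. */
    private static final int DEFAULT_HTTPS_PORT = 443;

    /** Read timeout (ms) applied to the probing handshake in {@link #addServerCertificatesToIdStore}. */
    private static final int HANDSHAKE_TIMEOUT_MS = 10000;

    /**
     * Trust manager that remembers the chain the peer presented before delegating the trust decision.
     * Only {@link #checkServerTrusted} is supported: it is used for a single client-side probing
     * handshake, so the client-side and accepted-issuer queries are deliberately unsupported.
     */
    private static final class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        /** Chain passed to the most recent {@link #checkServerTrusted} call; {@code null} until then. */
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            // Record before delegating so the chain is available even when the delegate rejects it.
            this.chain = certs;
            this.delegate.checkServerTrusted(certs, authType);
        }
    }

    private SSLUtils() {
    }

    /** @return {@code true} when the URI's scheme is the HTTPS protocol handled by {@link SSLURLStreamHandlerService}. */
    public static boolean isHTTPS(URI uri) {
        return SSLURLStreamHandlerService.PROTOCOL.equals(uri.getScheme());
    }

    /** @return {@code true} when the URL's protocol is the HTTPS protocol handled by {@link SSLURLStreamHandlerService}. */
    public static boolean isHTTPS(URL url) {
        return SSLURLStreamHandlerService.PROTOCOL.equals(url.getProtocol());
    }

    /**
     * Runs {@code runnable} with the identity selected in {@code identityProvider} registered as the
     * SSL configuration for {@code url}; see the {@link ThrowingProvider} overload for details.
     */
    public static final void runUsingIdentityForUrl(URL url, IdentityProvider identityProvider, Runnable runnable) {
        // Raw cast preserved from the original; Providers.onceBefore's generic signature is not visible here.
        runUsingIdentityForUrl(url, identityProvider, (ThrowingProvider) Providers.onceBefore((Object) null, runnable));
    }

    /**
     * Runs {@code throwingProvider} while (a) the {@link #UNWANTED_PROVIDERS} are removed from the JCA
     * provider list and (b) a socket factory built from the selected certificate identity (if there is
     * one) is registered for {@code url}. Both changes are process-wide and are undone in
     * {@code finally}, in the reverse order of application.
     *
     * @param url              URL whose socket factory registration is scoped to this call
     * @param identityProvider source of the selected identity; may be {@code null} (no factory registered)
     * @param throwingProvider the work to run
     * @return the value produced by {@code throwingProvider}
     * @throws Exception whatever {@code throwingProvider} throws
     */
    public static final <T, X extends Exception> T runUsingIdentityForUrl(URL url, IdentityProvider identityProvider, ThrowingProvider<T, X> throwingProvider) throws Exception {
        Map<Provider, Integer> removedProviders = removeUnwantedProviders();
        try {
            X_addSSLConfiguration(url, identityProvider);
            return (T) throwingProvider.get();
        } finally {
            reAddUnwantedProviders(removedProviders);
            X_clearSSLConfiguration(url);
        }
    }

    /**
     * Same as {@link #createSecureContext(Iterable, String, boolean, IdentityStoreResource, String, boolean,
     * IdentityStoreResource, boolean, boolean)} with the default protocol list.
     */
    public static SSLContext createSecureContext(String host, boolean keyManagerFlag, IdentityStoreResource keyStoreResource, String keyName, boolean trustFlagA, IdentityStoreResource trustStoreResource, boolean trustFlagB, boolean trustFlagC) {
        return createSecureContext(null, host, keyManagerFlag, keyStoreResource, keyName, trustFlagA, trustStoreResource, trustFlagB, trustFlagC);
    }

    /**
     * Returns the caller's protocol list, or the built-in default when it is {@code null} or empty.
     *
     * @param protocols candidate protocol names, possibly {@code null} or empty
     * @return {@code protocols} itself when it has at least one element, otherwise an unmodifiable default list
     */
    public static Iterable<String> getProtocols(Iterable<String> protocols) {
        if (protocols == null || !protocols.iterator().hasNext()) {
            return DEFAULT_PROTOCOLS;
        }
        return protocols;
    }

    /**
     * Returns an uninitialised {@link SSLContext} for the first protocol name in
     * {@link #getProtocols(Iterable)} that the runtime supports. Names are trimmed before lookup.
     *
     * @param protocols candidate protocol names; {@code null}/empty selects the default list
     * @throws NoSuchAlgorithmException the failure for the last candidate tried, or a "no protocols"
     *                                  error if the loop never ran
     */
    public static SSLContext getSSLContext(Iterable<String> protocols) throws NoSuchAlgorithmException {
        NoSuchAlgorithmException lastFailure = new NoSuchAlgorithmException(GHMessages.SSLUtils_noProtocols);
        for (String protocol : getProtocols(protocols)) {
            try {
                return SSLContext.getInstance(protocol.trim());
            } catch (NoSuchAlgorithmException e) {
                lastFailure = e;
            }
        }
        throw lastFailure;
    }

    /**
     * Builds an initialised {@link SSLContext} whose key manager is an {@link SSLKeyManager} over
     * {@code keyStoreResource}/{@code keyName} and whose trust managers are {@link SSLTrustManager}s.
     * When {@code trustStoreResource} is given, each {@link X509TrustManager} from the default factory
     * is wrapped; otherwise a single {@link SSLTrustManager} with no delegate is used.
     *
     * <p>NOTE(review): the four boolean flags are forwarded unchanged to {@code SSLKeyManager} (first)
     * and {@code SSLTrustManager} (remaining three); presumably they correspond to the
     * {@link SSLConstants} switches written by {@link #addUsageConfiguration} — confirm against those classes.
     *
     * @param protocols          candidate protocol names; {@code null}/empty selects the default list
     * @param host               host name handed to the trust manager (callers pass {@code url.getHost()})
     * @param keyManagerFlag     forwarded to {@code SSLKeyManager}
     * @param keyStoreResource   identity store holding the client key
     * @param keyName            selected key within {@code keyStoreResource}; may be {@code null}
     * @param trustFlagA         forwarded to {@code SSLTrustManager}
     * @param trustStoreResource identity store holding trusted certificates; may be {@code null}
     * @param trustFlagB         forwarded to {@code SSLTrustManager}
     * @param trustFlagC         forwarded to {@code SSLTrustManager}
     * @throws SSLConfigurationException if no protocol is available or the context cannot be initialised
     */
    public static SSLContext createSecureContext(Iterable<String> protocols, String host, boolean keyManagerFlag, IdentityStoreResource keyStoreResource, String keyName, boolean trustFlagA, IdentityStoreResource trustStoreResource, boolean trustFlagB, boolean trustFlagC) {
        try {
            SSLContext context = getSSLContext(protocols);
            KeyManager[] keyManagers = {new SSLKeyManager(keyStoreResource, keyName, keyManagerFlag)};
            TrustManager[] trustManagers;
            if (trustStoreResource != null) {
                trustManagers = X_getTrustManagers(trustStoreResource);
                for (int i = 0; i < trustManagers.length; i++) {
                    if (trustManagers[i] instanceof X509TrustManager) {
                        trustManagers[i] = new SSLTrustManager((X509TrustManager) trustManagers[i], trustStoreResource, host, trustFlagA, trustFlagB, trustFlagC);
                    }
                }
            } else {
                trustManagers = new TrustManager[]{new SSLTrustManager(null, null, host, trustFlagA, trustFlagB, trustFlagC)};
            }
            context.init(keyManagers, trustManagers, null);
            return context;
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new SSLConfigurationException(GHMessages.SSLUtils_invalidSSL, e);
        }
    }

    /**
     * Writes the five SSL usage switches into {@code config} under their {@link SSLConstants} keys.
     *
     * @param config                     target configuration
     * @param useSsl                     stored under {@link SSLConstants#USE_SSL}
     * @param specifyProvidedCertificate stored under {@link SSLConstants#SPECIFY_PROVIDED_CERTIFICATE}
     * @param specifyTrustedCertificate  stored under {@link SSLConstants#SPECIFY_TRUSTED_CERTIFICATE}
     * @param performAuthentication      stored under {@link SSLConstants#PERFORM_AUTHENTICATION}
     * @param verifyCerts                stored under {@link SSLConstants#VERIFY_CERTS}
     */
    public static void addUsageConfiguration(Config config, boolean useSsl, boolean specifyProvidedCertificate, boolean specifyTrustedCertificate, boolean performAuthentication, boolean verifyCerts) {
        config.set(SSLConstants.USE_SSL, useSsl);
        config.set(SSLConstants.SPECIFY_PROVIDED_CERTIFICATE, specifyProvidedCertificate);
        config.set(SSLConstants.SPECIFY_TRUSTED_CERTIFICATE, specifyTrustedCertificate);
        config.set(SSLConstants.PERFORM_AUTHENTICATION, performAuthentication);
        config.set(SSLConstants.VERIFY_CERTS, verifyCerts);
    }

    /** Writes the selected key and store id of {@code certificateSettings} into {@code config}. */
    public static void addProvidedConfiguration(CertificateSettings certificateSettings, Config config) {
        config.set(SSLConstants.PROVIDED_KEY_SELECTED, certificateSettings.getKey());
        config.set(SSLConstants.PROVIDED_IDENTITY_STORE, certificateSettings.getStoreID());
    }

    /**
     * Probes the HTTPS endpoint at {@code url} and, if the handshake is rejected by the trust store
     * held in {@code file}, appends the certificate chain the server presented to that store and
     * writes it back. Nothing is changed when the handshake already succeeds.
     *
     * <p>The imported chain is exactly what the remote end presented during the rejected handshake;
     * no further validation is performed here, so the store trusts that chain from then on and its
     * contents should be reviewed before being relied upon.
     *
     * <p>Does nothing when {@code url} is {@code null} or not HTTPS, {@code file} is not a regular
     * file, or {@code password} is blank. Every other failure is logged rather than thrown.
     *
     * @param url      HTTPS endpoint to probe; {@value #DEFAULT_HTTPS_PORT} is used when the URL has no port
     * @param file     keystore file (default keystore type) to read and update in place
     * @param password keystore password
     */
    public static void addServerCertificatesToIdStore(URL url, File file, String password) {
        if (url == null || !isHTTPS(url) || file == null || !file.isFile() || StringUtils.isBlankOrNull(password)) {
            return;
        }
        try {
            char[] passwordChars = password.toCharArray();
            KeyStore keyStore = X_loadKeyStore(file, passwordChars);

            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            SavingTrustManager savingTrustManager = new SavingTrustManager((X509TrustManager) trustManagerFactory.getTrustManagers()[0]);
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new TrustManager[]{savingTrustManager}, null);

            int port = url.getPort() == -1 ? DEFAULT_HTTPS_PORT : url.getPort();
            // try-with-resources so the socket is closed on every path, including the rejected-handshake one.
            try (SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(url.getHost(), port)) {
                socket.setSoTimeout(HANDSHAKE_TIMEOUT_MS);
                try {
                    socket.startHandshake();
                    return; // the store already trusts this server; nothing to import
                } catch (SSLException rejected) {
                    // Expected for an untrusted server: the chain was recorded before the delegate rejected it.
                    // Other IOExceptions (timeouts, refused connections) fall through to the outer catch.
                }
            }

            X509Certificate[] chain = savingTrustManager.chain;
            if (chain == null) {
                log.log(Level.ERROR, "Could not obtain server certificate chain");
                return;
            }
            for (X509Certificate certificate : chain) {
                // Aliases must be unique per entry; host plus a random UUID avoids clobbering earlier imports.
                keyStore.setCertificateEntry(url.getHost() + "-" + UUID.randomUUID(), certificate);
            }
            X_storeKeyStore(keyStore, file, passwordChars);
        } catch (Exception e) {
            log.log(Level.ERROR, e, "Error when import server certificates from site '" + url + "' to id store - " + file.getAbsolutePath(), new Object[0]);
        }
    }

    /** Loads a keystore of the default type from {@code file}, closing the stream on every path. */
    private static KeyStore X_loadKeyStore(File file, char[] password) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(file)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /** Writes {@code keyStore} back to {@code file}, closing the stream on every path. */
    private static void X_storeKeyStore(KeyStore keyStore, File file, char[] password) throws GeneralSecurityException, IOException {
        try (FileOutputStream out = new FileOutputStream(file)) {
            keyStore.store(out, password);
        }
    }

    /**
     * Trust managers from the default {@link TrustManagerFactory} initialised with the resource's keystore.
     *
     * @throws SSLConfigurationException if the factory cannot be created or initialised (the original
     *                                   swallowed the failure and then dereferenced a null/uninitialised factory)
     */
    private static TrustManager[] X_getTrustManagers(IdentityStoreResource identityStoreResource) {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(identityStoreResource.getKeyStore());
            return trustManagerFactory.getTrustManagers();
        } catch (Exception e) {
            // getKeyStore()'s checked exceptions are not visible here, hence the broad catch; the cause is kept.
            throw new SSLConfigurationException(GHMessages.SSLUtils_invalidSSL, e);
        }
    }

    /**
     * Registers a socket factory for {@code url} built from the selected certificate identity.
     * No-op when there is no selected certificate identity or its store cannot be found.
     */
    private static void X_addSSLConfiguration(URL url, IdentityProvider identityProvider) {
        IdentityStoreResource sslStore = X_getSSLStore(identityProvider);
        if (sslStore == null) {
            return;
        }
        SSLContext context = createSecureContext(url.getHost(), true, sslStore, X_getSSLKey(identityProvider), false, null, false, false);
        SSLSocketFactoryRegistry.getInstance().addSSLFactory(url, context.getSocketFactory());
    }

    /** Removes whatever socket factory {@link #X_addSSLConfiguration} registered for {@code url}. */
    private static void X_clearSSLConfiguration(URL url) {
        SSLSocketFactoryRegistry.getInstance().removeSSLFactory(url);
    }

    /**
     * The selected identity of {@code identityProvider} when it is of type
     * {@link IdentityType#CERTIFICATE}; {@code null} when the provider is {@code null},
     * nothing is selected, or the selection is of another type.
     */
    private static IdentityResource X_getSelectedCertificateIdentity(IdentityProvider identityProvider) {
        if (identityProvider == null) {
            return null;
        }
        IdentityResource selected = identityProvider.getSelectedIdentity();
        if (selected == null || selected.getType() != IdentityType.CERTIFICATE) {
            return null;
        }
        return selected;
    }

    /** Key name of the selected certificate identity, or {@code null} when there is none. */
    private static String X_getSSLKey(IdentityProvider identityProvider) {
        IdentityResource selected = X_getSelectedCertificateIdentity(identityProvider);
        return selected == null ? null : selected.getCertificateSettings().getKey();
    }

    /** Store of the selected certificate identity, or {@code null} when there is none. */
    private static IdentityStoreResource X_getSSLStore(IdentityProvider identityProvider) {
        IdentityResource selected = X_getSelectedCertificateIdentity(identityProvider);
        return selected == null ? null : identityProvider.getStore(selected.getCertificateSettings().getStoreID());
    }

    /**
     * Removes the {@link #UNWANTED_PROVIDERS} from the JVM's security provider list, unless the
     * {@value #IGNORE_ENTRUST_PROPERTY} system property is set to something other than {@code true}.
     * This mutates process-wide state; pass the result to {@link #reAddUnwantedProviders(Map)} to restore it.
     *
     * @return the removed providers mapped to their former zero-based index, in removal order
     *         (an empty map when the property disables removal or nothing matched)
     */
    public static Map<Provider, Integer> removeUnwantedProviders() {
        if (!Boolean.parseBoolean(System.getProperty(IGNORE_ENTRUST_PROPERTY, Boolean.toString(true)))) {
            return Collections.emptyMap();
        }
        Map<Provider, Integer> removed = new LinkedHashMap<>();
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            if (UNWANTED_PROVIDERS.contains(installed[i].getName())) {
                removed.put(installed[i], i);
            }
        }
        // Remove after scanning so the recorded indices reflect the untouched list.
        for (Provider provider : removed.keySet()) {
            Security.removeProvider(provider.getName());
        }
        return removed;
    }

    /**
     * Re-inserts providers previously removed by {@link #removeUnwantedProviders()} at their former
     * positions. {@code null} is accepted and ignored.
     *
     * @param removed map of provider to former zero-based index
     */
    public static void reAddUnwantedProviders(Map<Provider, Integer> removed) {
        if (removed == null) {
            return;
        }
        for (Map.Entry<Provider, Integer> entry : removed.entrySet()) {
            // Security.insertProviderAt positions are 1-based, the recorded indices are 0-based.
            Security.insertProviderAt(entry.getKey(), entry.getValue() + 1);
        }
    }

    /**
     * Splits a protocol list on {@code separator}, trimming entries and dropping empty ones.
     *
     * @return an empty list for a blank input, otherwise the lazily-split entries
     */
    public static Iterable<String> splitProtocolList(String protocolList, char separator) {
        if (org.apache.commons.lang.StringUtils.isBlank(protocolList)) {
            return Collections.emptyList();
        }
        return Splitter.on(separator).omitEmptyStrings().trimResults().split(protocolList);
    }

    /**
     * Appends connectivity diagnostics followed by an endpoint analysis for {@code host}:{@code port} to {@code sb}.
     *
     * @throws NumberFormatException if {@code port} is not an integer
     */
    public static void carryOutDiagnostics(String host, String port, SslSettings sslSettings, StringBuilder sb) {
        TestConnectionDiagnosticTool.carryOutDiagnostics(host, port, sb);
        new AnalyzeEndpoint(host, Integer.parseInt(port), sslSettings).report(sb);
    }

    /**
     * Splits {@code hostAndPort} with {@link TestConnectionDiagnosticTool#formatHostname} and, when that
     * yields exactly a host and a port, delegates to the two-argument overload.
     */
    public static void carryOutDiagnostics(String hostAndPort, SslSettings sslSettings, StringBuilder sb) {
        // The original invoked formatHostname twice and discarded the first result; a single call is kept.
        // TODO confirm formatHostname has no side effect on sb that callers expected to see twice.
        String[] parts = TestConnectionDiagnosticTool.formatHostname(hostAndPort, sb);
        if (parts != null && parts.length == 2) {
            carryOutDiagnostics(parts[0], parts[1], sslSettings, sb);
        }
    }
}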
