package net.shibboleth.utilities.java.support.httpclient;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.apache.http.HttpHost;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.Args;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

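/**
 * A {@link LayeredConnectionSocketFactory} for Apache HttpClient that layers TLS over a plain socket and
 * applies protocol, cipher suite and hostname-verification policy to the resulting connection.
 *
 * <p>For each connection the policy is resolved in this order:</p>
 * <ol>
 *   <li>a per-request value stored in the {@link HttpContext}: a list of names under
 *       {@link #CONTEXT_KEY_TLS_PROTOCOLS} or {@link #CONTEXT_KEY_TLS_CIPHER_SUITES}, or a verifier under
 *       {@link #CONTEXT_KEY_HOSTNAME_VERIFIER};</li>
 *   <li>the values supplied to the constructor;</li>
 *   <li>the defaults: every protocol the socket supports whose name does not start with {@value #SSL}
 *       (which drops the {@code SSL*} entries), the socket factory's own default cipher suites, and
 *       {@link #STRICT_HOSTNAME_VERIFIER}.</li>
 * </ol>
 *
 * <p>Because context attributes take precedence over the factory-level settings, whatever populates the
 * {@link HttpContext} can weaken the policy for a single request (storing {@link #ALLOW_ALL_HOSTNAME_VERIFIER},
 * for instance, disables hostname verification for that request). Treat those attributes as deployment
 * configuration rather than as values derived from request data.</p>
 *
 * <p>All state is fixed at construction, so instances are safe for concurrent use.</p>
 *
 * <p>Recovered from {@code BOOT-INF/lib/java-support-7.4.0.jar}.</p>
 */
@ThreadSafe
public class TLSSocketFactory implements LayeredConnectionSocketFactory {

    /** Context attribute holding a {@code List<String>} of TLS protocol names to enable for a request. */
    public static final String CONTEXT_KEY_TLS_PROTOCOLS = "javasupport.TLSProtocols";

    /** Context attribute holding a {@code List<String>} of cipher suite names to enable for a request. */
    public static final String CONTEXT_KEY_TLS_CIPHER_SUITES = "javasupport.TLSCipherSuites";

    /** Context attribute holding an {@link X509HostnameVerifier} to use for a request. */
    public static final String CONTEXT_KEY_HOSTNAME_VERIFIER = "javasupport.HostnameVerifier";

    /** Protocol name prefix for TLS. */
    public static final String TLS = "TLS";

    /** Protocol name prefix for SSL; protocols starting with this are excluded by default. */
    public static final String SSL = "SSL";

    /** Protocol name for SSLv2. */
    public static final String SSLV2 = "SSLv2";

    /** Verifier that accepts any hostname; using it disables hostname verification. */
    public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER = new AllowAllHostnameVerifier();

    /** Verifier with browser-like wildcard handling. */
    public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER = new BrowserCompatHostnameVerifier();

    /** Verifier with strict wildcard handling; the default when none is supplied. */
    public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER = new StrictHostnameVerifier();

    /** Class logger. */
    private final Logger log;

    /** Factory used to layer TLS over an already-connected plain socket. */
    private final SSLSocketFactory socketFactory;

    /** Verifier applied after the handshake unless the context supplies another one. */
    private final X509HostnameVerifier hostnameVerifier;

    /** Protocols to enable when the context supplies none, or null to derive them from the socket. */
    private final String[] supportedProtocols;

    /** Cipher suites to enable when the context supplies none, or null to keep the factory defaults. */
    private final String[] supportedCipherSuites;

    /**
     * Constructor using the context's socket factory, default protocols/cipher suites and the strict verifier.
     *
     * @param sslContext the SSL context to obtain the socket factory from
     */
    public TLSSocketFactory(@Nonnull final SSLContext sslContext) {
        this(sslContext, STRICT_HOSTNAME_VERIFIER);
    }

    /**
     * Constructor using the context's socket factory and default protocols/cipher suites.
     *
     * @param sslContext the SSL context to obtain the socket factory from
     * @param verifier the hostname verifier, or null for {@link #STRICT_HOSTNAME_VERIFIER}
     */
    public TLSSocketFactory(@Nonnull final SSLContext sslContext, @Nullable final X509HostnameVerifier verifier) {
        this(Args.notNull(sslContext, "SSL context").getSocketFactory(), null, null, verifier);
    }

    /**
     * Constructor using the context's socket factory.
     *
     * @param sslContext the SSL context to obtain the socket factory from
     * @param protocols protocols to enable, or null for the defaults
     * @param cipherSuites cipher suites to enable, or null for the defaults
     * @param verifier the hostname verifier, or null for {@link #STRICT_HOSTNAME_VERIFIER}
     */
    public TLSSocketFactory(@Nonnull final SSLContext sslContext, @Nullable final String[] protocols,
            @Nullable final String[] cipherSuites, @Nullable final X509HostnameVerifier verifier) {
        this(Args.notNull(sslContext, "SSL context").getSocketFactory(), protocols, cipherSuites, verifier);
    }

    /**
     * Constructor using default protocols/cipher suites.
     *
     * @param sslSocketFactory the factory used to layer TLS over plain sockets
     * @param verifier the hostname verifier, or null for {@link #STRICT_HOSTNAME_VERIFIER}
     */
    public TLSSocketFactory(@Nonnull final SSLSocketFactory sslSocketFactory,
            @Nullable final X509HostnameVerifier verifier) {
        this(sslSocketFactory, null, null, verifier);
    }

    /**
     * Primary constructor.
     *
     * @param sslSocketFactory the factory used to layer TLS over plain sockets
     * @param protocols protocols to enable, or null for the defaults
     * @param cipherSuites cipher suites to enable, or null for the defaults
     * @param verifier the hostname verifier, or null for {@link #STRICT_HOSTNAME_VERIFIER}
     * @throws IllegalArgumentException if {@code sslSocketFactory} is null
     */
    public TLSSocketFactory(@Nonnull final SSLSocketFactory sslSocketFactory, @Nullable final String[] protocols,
            @Nullable final String[] cipherSuites, @Nullable final X509HostnameVerifier verifier) {
        log = LoggerFactory.getLogger(TLSSocketFactory.class);
        socketFactory = Args.notNull(sslSocketFactory, "SSL socket factory");
        // Copy so that a caller mutating its arrays afterwards cannot alter the policy applied here.
        supportedProtocols = protocols != null ? protocols.clone() : null;
        supportedCipherSuites = cipherSuites != null ? cipherSuites.clone() : null;
        hostnameVerifier = verifier != null ? verifier : STRICT_HOSTNAME_VERIFIER;
    }

    /**
     * Get the socket factory used to layer TLS over plain sockets.
     *
     * @return the socket factory
     */
    @Nonnull
    protected SSLSocketFactory getSocketfactory() {
        return socketFactory;
    }

    /**
     * Get the factory-level hostname verifier.
     *
     * @return the verifier (never null)
     */
    @Nonnull
    protected X509HostnameVerifier getHostnameVerifier() {
        return hostnameVerifier;
    }

    /**
     * Get the factory-level protocols to enable.
     *
     * @return the protocols, or null if they are derived from the socket; callers must not modify the array
     */
    @Nullable
    protected String[] getSupportedProtocols() {
        return supportedProtocols;
    }

    /**
     * Get the factory-level cipher suites to enable.
     *
     * @return the cipher suites, or null if the factory defaults are kept; callers must not modify the array
     */
    @Nullable
    protected String[] getSupportedCipherSuites() {
        return supportedCipherSuites;
    }

    /**
     * Hook for subclasses to adjust a layered socket after protocols and cipher suites are set and before the
     * handshake starts. The default implementation does nothing.
     *
     * @param sslSocket the socket about to be handshaken
     * @param context the request context, possibly null
     * @throws IOException if the socket cannot be prepared
     */
    protected void prepareSocket(@Nonnull final SSLSocket sslSocket, @Nullable final HttpContext context)
            throws IOException {
    }

    /**
     * {@inheritDoc}
     *
     * <p>Returns an unconnected plain socket from the JVM default {@link SocketFactory}; TLS is layered on
     * in {@link #createLayeredSocket(Socket, String, int, HttpContext)}.</p>
     */
    @Override
    @Nonnull
    public Socket createSocket(@Nullable final HttpContext context) throws IOException {
        log.trace("In createSocket");
        return SocketFactory.getDefault().createSocket();
    }

    /**
     * {@inheritDoc}
     *
     * <p>Binds, applies the timeout, connects, then layers TLS. If the caller supplied an {@link SSLSocket}
     * it is handshaken and hostname-verified as-is: the protocol/cipher suite restrictions and
     * {@link #prepareSocket} are not applied on that path. The socket is closed before rethrowing if
     * setting the timeout or connecting fails.</p>
     */
    @Override
    public Socket connectSocket(final int connectTimeout, @Nullable final Socket socket,
            @Nonnull final HttpHost host, @Nonnull final InetSocketAddress remoteAddress,
            @Nullable final InetSocketAddress localAddress, @Nullable final HttpContext context)
            throws IOException {
        log.trace("In connectSocket");
        Args.notNull(host, "HTTP host");
        Args.notNull(remoteAddress, "Remote address");
        final Socket sock = socket != null ? socket : createSocket(context);
        if (localAddress != null) {
            sock.bind(localAddress);
        }
        if (connectTimeout > 0) {
            try {
                // Only impose a read timeout if the caller has not already set one.
                if (sock.getSoTimeout() == 0) {
                    sock.setSoTimeout(connectTimeout);
                }
            } catch (final IOException e) {
                closeQuietly(sock);
                throw e;
            }
        }
        try {
            sock.connect(remoteAddress, connectTimeout);
        } catch (final IOException e) {
            // Do not leak the bound socket on a failed connect.
            closeQuietly(sock);
            throw e;
        }
        if (sock instanceof SSLSocket) {
            final SSLSocket sslSocket = (SSLSocket) sock;
            sslSocket.startHandshake();
            verifyHostname(sslSocket, host.getHostName(), context);
            return sock;
        }
        return createLayeredSocket(sock, host.getHostName(), remoteAddress.getPort(), context);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Wraps the connected socket in TLS, enables the configured protocols and cipher suites, runs
     * {@link #prepareSocket}, performs the handshake and verifies the hostname against the peer certificate.</p>
     */
    @Override
    public Socket createLayeredSocket(@Nonnull final Socket socket, @NotEmpty @Nonnull final String target,
            final int port, @Nullable final HttpContext context) throws IOException {
        log.trace("In createLayeredSocket");
        // autoClose=true: closing the TLS socket also closes the underlying plain socket.
        final SSLSocket sslSocket = (SSLSocket) getSocketfactory().createSocket(socket, target, port, true);
        configureProtocols(sslSocket, context);
        configureCipherSuites(sslSocket, context);
        prepareSocket(sslSocket, context);
        sslSocket.startHandshake();
        logSocketInfo(sslSocket);
        verifyHostname(sslSocket, target, context);
        return sslSocket;
    }

    /**
     * Enable protocols from the context, else from the constructor, else every supported non-SSL protocol.
     *
     * @param sslSocket the socket to configure
     * @param context the request context, possibly null
     */
    private void configureProtocols(@Nonnull final SSLSocket sslSocket, @Nullable final HttpContext context) {
        final String[] fromContext = getListAttribute(context, CONTEXT_KEY_TLS_PROTOCOLS);
        final String[] fromFactory = getSupportedProtocols();
        if (fromContext != null) {
            sslSocket.setEnabledProtocols(fromContext);
        } else if (fromFactory != null) {
            sslSocket.setEnabledProtocols(fromFactory);
        } else {
            sslSocket.setEnabledProtocols(nonSslProtocols(sslSocket));
        }
    }

    /**
     * Enable cipher suites from the context, else from the constructor; otherwise leave the factory defaults.
     *
     * @param sslSocket the socket to configure
     * @param context the request context, possibly null
     */
    private void configureCipherSuites(@Nonnull final SSLSocket sslSocket, @Nullable final HttpContext context) {
        final String[] fromContext = getListAttribute(context, CONTEXT_KEY_TLS_CIPHER_SUITES);
        final String[] fromFactory = getSupportedCipherSuites();
        if (fromContext != null) {
            sslSocket.setEnabledCipherSuites(fromContext);
        } else if (fromFactory != null) {
            sslSocket.setEnabledCipherSuites(fromFactory);
        }
    }

    /**
     * Filter the socket's supported protocols down to those whose name does not start with {@value #SSL}.
     *
     * @param sslSocket the socket to inspect
     * @return the remaining protocol names, in the socket's order
     */
    @Nonnull
    private static String[] nonSslProtocols(@Nonnull final SSLSocket sslSocket) {
        final String[] supported = sslSocket.getSupportedProtocols();
        final List<String> kept = new ArrayList<String>(supported.length);
        for (final String protocol : supported) {
            if (!protocol.startsWith(SSL)) {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    /**
     * Close a socket, ignoring any failure; used only while an earlier exception is being propagated.
     *
     * @param sock the socket to close
     */
    private static void closeQuietly(@Nonnull final Socket sock) {
        try {
            sock.close();
        } catch (final IOException ignored) {
            // The original failure is the one the caller needs to see.
        }
    }

    /**
     * Log negotiated session details at debug level and certificate details at trace level.
     *
     * @param sslSocket the handshaken socket
     */
    private void logSocketInfo(@Nonnull final SSLSocket sslSocket) {
        final SSLSession session = sslSocket.getSession();
        if (log.isDebugEnabled()) {
            // The (Object) casts keep the arrays from being expanded as varargs.
            log.debug("Connected to: {}", sslSocket.getRemoteSocketAddress());
            log.debug("Supported protocols: {}", (Object) sslSocket.getSupportedProtocols());
            log.debug("Enabled protocols:   {}", (Object) sslSocket.getEnabledProtocols());
            log.debug("Selected protocol:   {}", session.getProtocol());
            log.debug("Supported cipher suites: {}", (Object) sslSocket.getSupportedCipherSuites());
            log.debug("Enabled cipher suites:   {}", (Object) sslSocket.getEnabledCipherSuites());
            log.debug("Selected cipher suite:   {}", session.getCipherSuite());
        }
        if (log.isTraceEnabled()) {
            try {
                log.trace("Peer principal: {}", session.getPeerPrincipal());
                log.trace("Peer certificates: {}", (Object) session.getPeerCertificates());
                log.trace("Local principal: {}", session.getLocalPrincipal());
                log.trace("Local certificates: {}", (Object) session.getLocalCertificates());
            } catch (final SSLPeerUnverifiedException e) {
                log.warn("SSL exception enumerating peer certificates", (Throwable) e);
            }
        }
    }

    /**
     * Read a list-valued attribute from the context and normalize it into a string array.
     *
     * @param context the request context, possibly null
     * @param attributeName the attribute to read
     * @return the normalized, non-empty values, or null if the context is null or the list is empty
     * @throws ClassCastException if the attribute is present but is not a {@link List}
     */
    @Nullable
    protected String[] getListAttribute(@Nullable final HttpContext context, @Nonnull final String attributeName) {
        if (context == null) {
            return null;
        }
        @SuppressWarnings("unchecked")
        final List<String> raw = (List<String>) context.getAttribute(attributeName);
        final List<String> normalized = new ArrayList<String>(StringSupport.normalizeStringCollection(raw));
        if (normalized.isEmpty()) {
            return null;
        }
        return normalized.toArray(new String[normalized.size()]);
    }

    /**
     * Verify the hostname against the socket's peer certificate, using the verifier stored in the context
     * under {@link #CONTEXT_KEY_HOSTNAME_VERIFIER} if present and otherwise the factory default.
     *
     * <p>On failure the socket is closed before the exception is propagated, so a connection whose peer
     * identity was not confirmed is never handed back open.</p>
     *
     * @param sslSocket the handshaken socket
     * @param hostname the expected host name
     * @param context the request context, possibly null
     * @throws IOException if verification fails
     */
    protected void verifyHostname(@Nonnull final SSLSocket sslSocket, @Nonnull final String hostname,
            @Nullable final HttpContext context) throws IOException {
        X509HostnameVerifier verifier = null;
        if (context != null) {
            // A per-request verifier overrides the factory default.
            verifier = (X509HostnameVerifier) context.getAttribute(CONTEXT_KEY_HOSTNAME_VERIFIER);
        }
        if (verifier == null) {
            verifier = getHostnameVerifier();
        }
        try {
            verifier.verify(hostname, sslSocket);
        } catch (final IOException e) {
            try {
                sslSocket.close();
            } catch (final Exception ignored) {
                // Best effort; the verification failure is what must reach the caller.
            }
            throw e;
        }
    }
}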
