package org.apache.synapse.transport.http.conn;

import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Locale;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import org.apache.http.conn.ssl.AbstractVerifier;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.nio.reactor.IOSession;
import org.apache.http.nio.reactor.ssl.SSLSetupHandler;
import org.apache.synapse.commons.snmp.SNMPConstants;
import org.apache.synapse.transport.certificatevalidation.CertificateVerificationException;
import org.apache.synapse.transport.certificatevalidation.RevocationVerificationManager;

/* loaded from: input_file:WEB-INF/lib/synapse-nhttp-transport-4.0.0-wso2v69.jar:org/apache/synapse/transport/http/conn/ClientSSLSetupHandler.class */
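/**
 * Client-side {@link SSLSetupHandler} for outbound TLS connections.
 *
 * <p>It does three things: optionally restricts the protocols and cipher suites enabled on the
 * {@link SSLEngine}, checks the peer certificate against the expected host name with a
 * configurable {@link X509HostnameVerifier}, and, when a {@link RevocationVerificationManager}
 * is supplied, checks the revocation status of the peer certificate chain.
 *
 * <p>Nothing in this class validates the certificate chain against a trust store; that decision
 * is made outside this class. The host name check here is what binds an accepted certificate to
 * the host the client meant to reach, so the choice of verifier directly determines whether a
 * certificate issued for a different name is accepted.
 */
public class ClientSSLSetupHandler implements SSLSetupHandler {
    /**
     * Names that {@link #isLocalhost(String)} treats as the local machine. The array is sorted in
     * the static initializer because the lookup uses {@link Arrays#binarySearch(Object[], Object)}.
     *
     * <p>NOTE(review): the reference to {@code SNMPConstants.SNMP_DEFAULT_HOST} looks like a
     * decompiler substitution for an inlined string literal (presumably the IPv4 loopback
     * address). Confirm its value: if that constant ever changes, the set of hosts exempted from
     * verification by {@link #DEFAULT_AND_LOCALHOST} changes with it.
     */
    private static final String[] LOCALHOSTS = {"::1", SNMPConstants.SNMP_DEFAULT_HOST, "localhost", "localhost.localdomain"};

    // Protocols to enable on the engine; null leaves the engine's own defaults untouched.
    private String[] httpsProtocols;

    // Cipher suites to enable on the engine; null leaves the engine's own defaults untouched.
    private String[] preferredCiphers;

    /** Verifier that delegates to {@link AbstractVerifier} with the strict flag set to {@code false}. */
    public static final X509HostnameVerifier DEFAULT;

    /**
     * Same as {@link #DEFAULT}, except that hosts recognised by {@link #isLocalhost(String)} are
     * accepted without looking at the certificate names at all.
     */
    public static final X509HostnameVerifier DEFAULT_AND_LOCALHOST;

    /** Verifier that delegates to {@link AbstractVerifier} with the strict flag set to {@code true}. */
    public static final X509HostnameVerifier STRICT;

    /**
     * Verifier whose check is empty: every host name is accepted for every certificate.
     *
     * <p>With this verifier a certificate issued for any name is accepted for any endpoint, so
     * the connection is no longer authenticated against the intended host. It is suitable only
     * where that loss is acceptable (for example isolated test setups) and should be easy to
     * find in configuration reviews.
     */
    public static final X509HostnameVerifier ALLOW_ALL;

    private final X509HostnameVerifier hostnameVerifier;

    // May be null, in which case verify() performs no revocation check.
    private final RevocationVerificationManager verificationManager;

    /**
     * Tells whether a host string names the local machine.
     *
     * <p>The input is trimmed and lower-cased before the lookup. Lower-casing uses
     * {@link Locale#ROOT} so the result does not depend on the JVM's default locale (a
     * locale-sensitive conversion maps {@code I} differently under some locales, which would make
     * an upper-case {@code LOCALHOST.LOCALDOMAIN} miss the table).
     *
     * @param str host name or address literal; {@code null} is treated as the empty string
     * @return {@code true} if the normalised value is one of {@link #LOCALHOSTS}
     */
    static boolean isLocalhost(String str) {
        String candidate = str != null ? str.trim().toLowerCase(Locale.ROOT) : "";
        if (candidate.startsWith("::1")) {
            // Drop an IPv6 zone suffix ("::1%<zone>") so only the address part is compared.
            int zoneSeparator = candidate.lastIndexOf('%');
            if (zoneSeparator >= 0) {
                candidate = candidate.substring(0, zoneSeparator);
            }
        }
        return Arrays.binarySearch(LOCALHOSTS, candidate) >= 0;
    }

    /**
     * Creates a handler.
     *
     * @param x509HostnameVerifier verifier for the peer host name; {@code null} selects
     *     {@link #DEFAULT}
     * @param revocationVerificationManager revocation checker for the peer chain; {@code null}
     *     disables the revocation check in {@link #verify(IOSession, SSLSession)}
     */
    public ClientSSLSetupHandler(X509HostnameVerifier x509HostnameVerifier, RevocationVerificationManager revocationVerificationManager) {
        this.hostnameVerifier = x509HostnameVerifier != null ? x509HostnameVerifier : DEFAULT;
        this.verificationManager = revocationVerificationManager;
    }

    /**
     * Applies the configured protocol and cipher-suite restrictions to the engine.
     *
     * <p>The method name, including its spelling, is fixed by the {@link SSLSetupHandler}
     * interface. A restriction that was never set is skipped, which leaves the engine with
     * whatever it already had enabled.
     *
     * @param sSLEngine engine about to be used for the handshake
     */
    @Override // org.apache.http.nio.reactor.ssl.SSLSetupHandler
    public void initalize(SSLEngine sSLEngine) {
        if (this.httpsProtocols != null) {
            sSLEngine.setEnabledProtocols(this.httpsProtocols);
        }
        if (this.preferredCiphers != null) {
            sSLEngine.setEnabledCipherSuites(this.preferredCiphers);
        }
    }

    /**
     * Verifies the peer of an established TLS session.
     *
     * <p>The expected host name is taken from the session's endpoint URL attribute when that is
     * set and non-empty; otherwise it is derived from the session's remote socket address. The
     * name is then checked with the configured host name verifier and, if a revocation manager
     * was supplied, the peer certificate chain is checked for revocation.
     *
     * @param iOSession I/O session carrying the remote address and the endpoint URL attribute
     * @param sSLSession negotiated TLS session
     * @throws SSLException if host name verification fails or the revocation check reports a
     *     {@link CertificateVerificationException}
     * @throws IllegalArgumentException if the endpoint URL attribute is not a valid URI
     */
    @Override // org.apache.http.nio.reactor.ssl.SSLSetupHandler
    public void verify(IOSession iOSession, SSLSession sSLSession) throws SSLException {
        SocketAddress remoteAddress = iOSession.getRemoteAddress();
        String endpointUrl = (String) iOSession.getAttribute(SynapseHTTPRequestFactory.ENDPOINT_URL);

        String hostName;
        if (endpointUrl == null || endpointUrl.isEmpty()) {
            // NOTE(review): InetSocketAddress.getHostName() can fall back to a reverse name lookup
            // when the address was built from an IP literal, so on this path the name being
            // verified may come from DNS rather than from configuration. Callers that care about
            // the binding should make sure the endpoint URL attribute is set.
            // NOTE(review): remoteAddress is dereferenced without a null check; confirm the
            // session always has a remote address at this point.
            if (remoteAddress instanceof InetSocketAddress) {
                hostName = ((InetSocketAddress) remoteAddress).getHostName();
            } else {
                hostName = remoteAddress.toString();
            }
        } else {
            try {
                // NOTE(review): URI.getHost() returns null for URIs without a host component; that
                // null is handed to the verifier unchanged. Confirm each verifier rejects it.
                hostName = new URI(endpointUrl).getHost();
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("Invalid endpointURI: " + endpointUrl, e);
            }
        }

        if (!this.hostnameVerifier.verify(hostName, sSLSession)) {
            throw new SSLException("Host name verification failed for host : " + hostName);
        }

        if (this.verificationManager == null) {
            // No revocation manager configured: the chain's revocation status is not checked.
            return;
        }
        try {
            // getPeerCertificateChain() is the legacy javax.security.cert accessor; it is kept
            // because it is what the revocation manager is called with here.
            this.verificationManager.verifyRevocationStatus(sSLSession.getPeerCertificateChain());
        } catch (CertificateVerificationException e) {
            throw new SSLException("Certificate Chain Validation failed for host : " + hostName, e);
        }
    }

    /**
     * Sets the protocols that {@link #initalize(SSLEngine)} enables on the engine.
     *
     * @param strArr protocol names, stored by reference (not copied); {@code null} means the
     *     engine is left unchanged
     */
    public void setHttpsProtocols(String[] strArr) {
        this.httpsProtocols = strArr;
    }

    /**
     * Sets the cipher suites that {@link #initalize(SSLEngine)} enables on the engine.
     *
     * @param strArr cipher suite names, stored by reference (not copied); {@code null} means the
     *     engine is left unchanged
     */
    public void setPreferredCiphers(String[] strArr) {
        this.preferredCiphers = strArr;
    }

    static {
        // isLocalhost() relies on binary search, which requires a sorted array.
        Arrays.sort(LOCALHOSTS);

        DEFAULT = new AbstractVerifier() { // from class: org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.1
            @Override // org.apache.http.conn.ssl.X509HostnameVerifier
            public void verify(String str, String[] strArr, String[] strArr2) throws SSLException {
                // Last argument is AbstractVerifier's strict flag; false is the lenient mode.
                verify(str, strArr, strArr2, false);
            }
        };

        DEFAULT_AND_LOCALHOST = new AbstractVerifier() { // from class: org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.2
            @Override // org.apache.http.conn.ssl.X509HostnameVerifier
            public void verify(String str, String[] strArr, String[] strArr2) throws SSLException {
                // Local hosts are accepted without comparing against the certificate names.
                if (!ClientSSLSetupHandler.isLocalhost(str)) {
                    verify(str, strArr, strArr2, false);
                }
            }
        };

        STRICT = new AbstractVerifier() { // from class: org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.3
            @Override // org.apache.http.conn.ssl.X509HostnameVerifier
            public void verify(String str, String[] strArr, String[] strArr2) throws SSLException {
                verify(str, strArr, strArr2, true);
            }
        };

        ALLOW_ALL = new AbstractVerifier() { // from class: org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.4
            @Override // org.apache.http.conn.ssl.X509HostnameVerifier
            public void verify(String str, String[] strArr, String[] strArr2) throws SSLException {
                // Intentionally empty: never throws, so no host name is ever rejected.
            }
        };
    }
}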
