package org.apache.hc.client5.http.ssl;

import java.net.SocketAddress;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
import org.apache.hc.core5.http2.ssl.H2TlsSupport;
import org.apache.hc.core5.net.NamedEndpoint;
import org.apache.hc.core5.reactor.ssl.SSLBufferManagement;
import org.apache.hc.core5.reactor.ssl.SSLSessionInitializer;
import org.apache.hc.core5.reactor.ssl.SSLSessionVerifier;
import org.apache.hc.core5.reactor.ssl.TlsDetails;
import org.apache.hc.core5.reactor.ssl.TransportSecurityLayer;
import org.apache.hc.core5.ssl.SSLContexts;
import org.apache.hc.core5.util.Args;
import org.apache.hc.core5.util.TextUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hc/client5/http/ssl/H2TlsStrategy.class */
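/**
 * Client-side {@link TlsStrategy} that starts TLS on a transport layer using a
 * configured {@link SSLContext} and verifies the peer's host name once the
 * session has been established.
 *
 * <p>Protocol versions and cipher suites, when supplied, are handed to the
 * {@link SSLEngine} exactly as given; this class does not filter out legacy
 * protocol versions or weak suites. The session initializer is wrapped by
 * {@code H2TlsSupport.enforceRequirements}, whose effect is not visible in
 * this file.
 */
public class H2TlsStrategy implements TlsStrategy {
    private final Logger log;
    private final SSLContext sslContext;
    private final String[] supportedProtocols;
    private final String[] supportedCipherSuites;
    private final SSLBufferManagement sslBufferManagement;
    private final HostnameVerifier hostnameVerifier;

    /**
     * Splits a comma-separated list into its elements.
     *
     * @param str the raw list, for example the value of a system property
     * @return the elements, or {@code null} when the input is blank
     */
    private static String[] split(String str) {
        if (TextUtils.isBlank(str)) {
            return null;
        }
        // Trim first: the separator pattern only absorbs spaces next to a comma, so
        // leading or trailing spaces would otherwise stay attached to the first or
        // last element and produce a name the engine does not recognise.
        return str.trim().split(" *, *");
    }

    /**
     * Reads a system property inside a privileged action.
     *
     * @param str the property name
     * @return the property value as returned by {@link System#getProperty(String)}
     */
    private static String getProperty(final String str) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                return System.getProperty(str);
            }
        });
    }

    /**
     * Creates the host name verifier used when the caller does not supply one.
     *
     * @return a {@code DefaultHostnameVerifier} backed by the default public suffix matcher
     */
    public static HostnameVerifier getDefaultHostnameVerifier() {
        return new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
    }

    /**
     * Creates a strategy from {@code SSLContexts.createDefault()} and the default
     * host name verifier, without restricting protocols or cipher suites.
     *
     * @return the new strategy
     */
    public static TlsStrategy getDefault() {
        return new H2TlsStrategy(SSLContexts.createDefault(), getDefaultHostnameVerifier());
    }

    /**
     * Creates a strategy from {@code SSLContexts.createSystemDefault()}, taking the
     * enabled protocols and cipher suites from the {@code https.protocols} and
     * {@code https.cipherSuites} system properties.
     *
     * <p>Those property values are applied to the engine as given, so whoever
     * controls the JVM's system properties controls which protocol versions and
     * suites this strategy enables.
     *
     * @return the new strategy
     */
    public static TlsStrategy getSystemDefault() {
        String[] protocols = split(getProperty("https.protocols"));
        String[] cipherSuites = split(getProperty("https.cipherSuites"));
        return new H2TlsStrategy(
                SSLContexts.createSystemDefault(),
                protocols,
                cipherSuites,
                SSLBufferManagement.STATIC,
                getDefaultHostnameVerifier());
    }

    /**
     * Creates a fully configured strategy.
     *
     * @param sSLContext the SSL context; must not be {@code null}
     * @param strArr protocols to enable on each engine, or {@code null} to keep the engine's own selection
     * @param strArr2 cipher suites to enable on each engine, or {@code null} to keep the engine's own selection
     * @param sSLBufferManagement buffer management mode; {@code null} selects {@code SSLBufferManagement.STATIC}
     * @param hostnameVerifier host name verifier; {@code null} selects {@link #getDefaultHostnameVerifier()}
     */
    public H2TlsStrategy(SSLContext sSLContext, String[] strArr, String[] strArr2, SSLBufferManagement sSLBufferManagement, HostnameVerifier hostnameVerifier) {
        this.log = LoggerFactory.getLogger(getClass());
        this.sslContext = (SSLContext) Args.notNull(sSLContext, "SSL context");
        // Copy the arrays so that a caller mutating its own array afterwards cannot
        // change which protocols or suites later connections enable.
        this.supportedProtocols = strArr != null ? strArr.clone() : null;
        this.supportedCipherSuites = strArr2 != null ? strArr2.clone() : null;
        this.sslBufferManagement = sSLBufferManagement != null ? sSLBufferManagement : SSLBufferManagement.STATIC;
        this.hostnameVerifier = hostnameVerifier != null ? hostnameVerifier : getDefaultHostnameVerifier();
    }

    /**
     * Creates a strategy that leaves protocols and cipher suites unrestricted.
     *
     * @param sSLContext the SSL context; must not be {@code null}
     * @param hostnameVerifier host name verifier; {@code null} selects {@link #getDefaultHostnameVerifier()}
     */
    public H2TlsStrategy(SSLContext sSLContext, HostnameVerifier hostnameVerifier) {
        this(sSLContext, null, null, SSLBufferManagement.STATIC, hostnameVerifier);
    }

    /**
     * Creates a strategy with the default host name verifier.
     *
     * @param sSLContext the SSL context; must not be {@code null}
     */
    public H2TlsStrategy(SSLContext sSLContext) {
        this(sSLContext, getDefaultHostnameVerifier());
    }

    /**
     * Starts TLS on the given transport layer.
     *
     * <p>The engine is configured with the protocols and cipher suites of this
     * strategy (when set) and then passed to {@link #initializeEngine(SSLEngine)}.
     * After the handshake the session is checked by
     * {@link #verifySession(String, SSLSession)} against the endpoint's host name.
     *
     * @param transportSecurityLayer the layer to secure
     * @param httpHost not used by this implementation
     * @param socketAddress not used by this implementation
     * @param socketAddress2 not used by this implementation
     * @param obj attachment forwarded to {@code H2TlsSupport.enforceRequirements}
     * @return always {@code true}
     */
    public boolean upgrade(TransportSecurityLayer transportSecurityLayer, HttpHost httpHost, SocketAddress socketAddress, SocketAddress socketAddress2, Object obj) {
        SSLSessionInitializer initializer = new SSLSessionInitializer() {
            public void initialize(NamedEndpoint endpoint, SSLEngine engine) {
                if (supportedProtocols != null) {
                    engine.setEnabledProtocols(supportedProtocols);
                }
                if (supportedCipherSuites != null) {
                    engine.setEnabledCipherSuites(supportedCipherSuites);
                }
                // Subclass hook runs last, so it sees (and may change) the final settings.
                initializeEngine(engine);
                if (log.isDebugEnabled()) {
                    log.debug("Enabled protocols: " + Arrays.asList(engine.getEnabledProtocols()));
                    log.debug("Enabled cipher suites:" + Arrays.asList(engine.getEnabledCipherSuites()));
                }
            }
        };
        SSLSessionVerifier verifier = new SSLSessionVerifier() {
            public TlsDetails verify(NamedEndpoint endpoint, SSLEngine engine) throws SSLException {
                verifySession(endpoint.getHostName(), engine.getSession());
                return createTlsDetails(engine);
            }
        };
        transportSecurityLayer.startTls(
                this.sslContext,
                this.sslBufferManagement,
                H2TlsSupport.enforceRequirements(obj, initializer),
                verifier);
        return true;
    }

    /**
     * Hook for subclasses to adjust the engine before the handshake. It is called
     * after the configured protocols and cipher suites have been applied, so an
     * override can replace them. The default implementation does nothing.
     *
     * @param sSLEngine the engine about to be used
     */
    protected void initializeEngine(SSLEngine sSLEngine) {
    }

    /**
     * Verifies that the established session belongs to the expected host.
     *
     * <p>When debug logging is enabled the negotiated parameters and the peer
     * certificate's names are logged first. That logging is best effort: a failure
     * there is logged and does not affect the verification that follows, which
     * reads the peer certificate again on its own.
     *
     * @param str the host name the connection was meant for
     * @param sSLSession the established session
     * @throws SSLException if the peer cannot be verified for {@code str}
     */
    protected void verifySession(String str, SSLSession sSLSession) throws SSLException {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Secure session established");
            this.log.debug(" negotiated protocol: " + sSLSession.getProtocol());
            this.log.debug(" negotiated cipher suite: " + sSLSession.getCipherSuite());
            try {
                X509Certificate peerCert = (X509Certificate) sSLSession.getPeerCertificates()[0];
                this.log.debug(" peer principal: " + peerCert.getSubjectX500Principal().toString());
                Collection<List<?>> subjectAltNames = peerCert.getSubjectAlternativeNames();
                if (subjectAltNames != null) {
                    this.log.debug(" peer alternative names: " + describeAltNames(subjectAltNames));
                }
                this.log.debug(" issuer principal: " + peerCert.getIssuerX500Principal().toString());
                Collection<List<?>> issuerAltNames = peerCert.getIssuerAlternativeNames();
                if (issuerAltNames != null) {
                    this.log.debug(" issuer alternative names: " + describeAltNames(issuerAltNames));
                }
            } catch (Exception ex) {
                // Diagnostics only: record why the certificate could not be described
                // instead of dropping the failure silently, then carry on to verification.
                this.log.debug(" unable to describe peer certificate", ex);
            }
        }
        if (this.hostnameVerifier instanceof HttpClientHostnameVerifier) {
            // NOTE(review): this overload is expected to signal a mismatch by throwing;
            // no return value is consulted here - confirm against HttpClientHostnameVerifier.
            ((HttpClientHostnameVerifier) this.hostnameVerifier).verify(str, (X509Certificate) sSLSession.getPeerCertificates()[0]);
            return;
        }
        if (!this.hostnameVerifier.verify(str, sSLSession)) {
            throw new SSLPeerUnverifiedException("Certificate for <" + str + "> doesn't match any of the subject alternative names: " + DefaultHostnameVerifier.getSubjectAltNames((X509Certificate) sSLSession.getPeerCertificates()[0]));
        }
    }

    /**
     * Renders alternative-name entries for debug logging.
     *
     * <p>Each entry is a list of a type tag followed by a value. Values that are
     * not strings are shown by their type tag only, because casting them to
     * {@code String} would fail and cut the rest of the diagnostics short.
     */
    private static List<String> describeAltNames(Collection<List<?>> altNames) {
        List<String> names = new ArrayList<String>();
        for (List<?> entry : altNames) {
            if (entry == null || entry.size() < 2) {
                continue;
            }
            Object value = entry.get(1);
            if (value instanceof String) {
                names.add((String) value);
            } else {
                names.add("<type " + entry.get(0) + ">");
            }
        }
        return names;
    }

    /**
     * Hook for subclasses to describe the negotiated session. The default
     * implementation returns {@code null}.
     *
     * @param sSLEngine the engine after a successful verification
     * @return the TLS details, or {@code null}
     */
    protected TlsDetails createTlsDetails(SSLEngine sSLEngine) {
        return null;
    }
}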
