package org.apache.qpid.transport.network.security.ssl;

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.math.BigInteger;
import java.net.URL;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.transport.TransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/transport/network/security/ssl/SSLUtil.class */
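/**
 * Static helpers for the TLS layer: peer hostname verification, identity extraction from
 * certificates, key store / certificate / private key loading, and protocol and cipher-suite
 * filtering for {@link SSLEngine} and {@link SSLSocket}.
 *
 * <p>All methods are stateless and therefore thread-safe.
 */
public class SSLUtil {
    private static final Logger LOGGER = LoggerFactory.getLogger(SSLUtil.class);

    /** GeneralName type of a dNSName entry as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final Integer DNS_NAME_TYPE = 2;

    /**
     * Protocol names tried, in order, by {@link #tryGetSSLContext()}. TLSv1.1 and TLSv1 are only
     * reached when no TLSv1.2 context is available. The array is public for API compatibility;
     * callers that need a stable copy should clone it, as any caller may mutate it.
     */
    public static final String[] TLS_PROTOCOL_PREFERENCES = {"TLSv1.2", "TLSv1.1", "TLS", "TLSv1"};

    /** A wildcard name whose suffix looks like a dotted IPv4 address is never treated as a wildcard. */
    private static final Pattern WILDCARD_IPV4_SUFFIX = Pattern.compile("\\*\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");

    private static final String PEM_BEGIN = "-----BEGIN ";
    private static final String PEM_END = "-----END ";
    private static final String PEM_PRIVATE_KEY_SUFFIX = " PRIVATE KEY-----";

    private static final String PKCS1_PARSE_ERROR = "Unable to parse key as PKCS#1 format";

    private SSLUtil() {
    }

    /**
     * Verifies that the peer's end-entity certificate on {@code sSLEngine} matches {@code str}.
     *
     * @param sSLEngine the engine whose session's peer certificate chain is checked
     * @param str the hostname the peer is expected to present
     * @throws TransportException if the peer is unverified, presented no certificate, presented a
     *     non-X.509 certificate, or the certificate does not match the hostname
     */
    public static void verifyHostname(SSLEngine sSLEngine, String str) {
        final Certificate[] peerChain;
        try {
            peerChain = sSLEngine.getSession().getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new TransportException("Failed to verify peer's hostname", e);
        }
        if (peerChain == null || peerChain.length == 0) {
            throw new TransportException("Cannot verify peer's hostname as peer did not present a certificate");
        }
        // The first element of the chain is the peer's own (end-entity) certificate.
        Certificate leaf = peerChain[0];
        if (!(leaf instanceof X509Certificate)) {
            throw new TransportException("Cannot verify peer's hostname as peer does not present a X509Certificate. Presented certificate : " + leaf);
        }
        verifyHostname(str, (X509Certificate) leaf);
    }

    /**
     * Verifies that {@code x509Certificate} was issued for hostname {@code str}.
     *
     * <p>Candidate names are the first CN of the subject DN (rightmost in RDN order) plus every
     * dNSName subjectAltName. Comparison is case-insensitive. A leading {@code *.} label matches
     * exactly one label, and only when at least two labels follow it and the suffix is not an
     * IPv4-looking address.
     *
     * @param str the expected hostname; surrounding whitespace is ignored
     * @param x509Certificate the certificate to check
     * @throws TransportException if the certificate carries no usable names, cannot be parsed, or
     *     none of its names matches {@code str}
     * @throws NullPointerException if either argument is {@code null}
     */
    public static void verifyHostname(String str, X509Certificate x509Certificate) {
        Objects.requireNonNull(str, "hostname");
        Objects.requireNonNull(x509Certificate, "certificate");
        String name = x509Certificate.getSubjectX500Principal().getName();
        TreeSet<String> candidateNames = new TreeSet<>();
        try {
            for (Rdn rdn : new LdapName(name).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    candidateNames.add(rdn.getValue().toString());
                    break;
                }
            }
            Collection<List<?>> subjectAltNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAltNames != null) {
                for (List<?> generalName : subjectAltNames) {
                    if (DNS_NAME_TYPE.equals(generalName.get(0))) {
                        candidateNames.add((String) generalName.get(1));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            throw new TransportException("SSL hostname verification failed. Could not parse certificate:  " + e.getMessage(), e);
        } catch (InvalidNameException e) {
            throw new TransportException("SSL hostname verification failed. Could not parse name " + name, e);
        }
        if (candidateNames.isEmpty()) {
            throw new TransportException("SSL hostname verification failed. Certificate for " + str + " did not contain CN or DNS subjectAlt");
        }
        // DNS names are case-insensitive; Locale.ROOT avoids locale-dependent case folding.
        String expected = str.trim().toLowerCase(Locale.ROOT);
        boolean matched = false;
        for (String certName : candidateNames) {
            if (matchesHostname(expected, certName.toLowerCase(Locale.ROOT))) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            throw new TransportException("SSL hostname verification failed. Expected : " + str + " Found in cert : " + candidateNames);
        }
    }

    /**
     * Matches one (lower-cased) certificate name against the (lower-cased) expected hostname.
     *
     * @param expected hostname to match, already trimmed and lower-cased
     * @param certName name taken from the certificate, already lower-cased
     * @return {@code true} if {@code certName} is equal to, or a permitted wildcard for, {@code expected}
     */
    private static boolean matchesHostname(String expected, String certName) {
        // Wildcard only when "*." is followed by at least two labels ("*.a.b" at minimum) and the
        // remainder is not an IPv4 address.
        boolean wildcard = certName.startsWith("*.")
                && certName.lastIndexOf('.') >= 3
                && !WILDCARD_IPV4_SUFFIX.matcher(certName).matches();
        if (!wildcard) {
            return expected.equals(certName);
        }
        String suffix = certName.substring(1); // e.g. ".example.com"
        // The expected name must end with the suffix and have exactly one non-empty label before it.
        return expected.length() > suffix.length()
                && expected.endsWith(suffix)
                && expected.indexOf('.') == expected.length() - suffix.length();
    }

    /**
     * Derives an identity of the form {@code CN} or {@code CN@dc1.dc2...} from a subject DN.
     *
     * @param str the subject distinguished name in RFC 2253 form; may be {@code null}
     * @return the identity, or {@code ""} if {@code str} is {@code null}, unparseable, or has no CN
     */
    public static String getIdFromSubjectDN(String str) {
        if (str == null) {
            return "";
        }
        String commonName = null;
        String domain = null;
        try {
            // getRdns() lists RDNs rightmost-first, so prepending each DC yields the domain in reading order.
            for (Rdn rdn : new LdapName(str).getRdns()) {
                String type = rdn.getType();
                if ("CN".equalsIgnoreCase(type)) {
                    commonName = rdn.getValue().toString();
                } else if ("DC".equalsIgnoreCase(type)) {
                    String component = rdn.getValue().toString();
                    domain = domain == null ? component : component + '.' + domain;
                }
            }
        } catch (InvalidNameException e) {
            LOGGER.warn("Invalid name: '{}'", str);
            return "";
        }
        if (commonName == null || commonName.isEmpty()) {
            return "";
        }
        return domain == null ? commonName : commonName + '@' + domain;
    }

    /**
     * Returns the identity (see {@link #getIdFromSubjectDN(String)}) of the session's local
     * certificate, i.e. the certificate this side presented.
     *
     * @param sSLEngine the engine whose session is inspected
     * @return the identity, or {@code ""} if no local X.509 certificate is available
     */
    public static String retrieveIdentity(SSLEngine sSLEngine) {
        String identity = "";
        Certificate[] localChain = sSLEngine.getSession().getLocalCertificates();
        if (localChain != null && localChain.length > 0 && localChain[0] instanceof X509Certificate) {
            identity = getIdFromSubjectDN(((X509Certificate) localChain[0]).getSubjectX500Principal().getName());
        } else {
            LOGGER.info("No local X509 certificate is available on the SSL session; identity is empty");
        }
        LOGGER.debug("Extracted Identity from client certificate : {}", identity);
        return identity;
    }

    /**
     * Loads and initialises a key store from a file path or, if no such file exists, a classpath resource.
     *
     * @param str file path or classpath resource name of the key store
     * @param str2 key store password, or {@code null} for none
     * @param str3 key store type passed to {@link KeyStore#getInstance(String)}
     * @return the loaded key store
     * @throws IOException if the resource cannot be found (except for PKCS11) or read
     * @throws GeneralSecurityException if the type is unsupported or the store fails integrity checks
     */
    public static KeyStore getInitializedKeyStore(String str, String str2, String str3) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(str3);
        char[] password = str2 == null ? null : str2.toCharArray();
        File file = new File(str);
        try (InputStream in = file.exists()
                ? new FileInputStream(file)
                : Thread.currentThread().getContextClassLoader().getResourceAsStream(str)) {
            // A null stream is legitimate for PKCS11, where the provider supplies the key material.
            if (in == null && !"PKCS11".equalsIgnoreCase(str3)) {
                throw new IOException("Unable to load keystore resource: " + str);
            }
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /**
     * Loads and initialises a key store from a URL.
     *
     * @param url location of the key store
     * @param str key store password, or {@code null} for none
     * @param str2 key store type passed to {@link KeyStore#getInstance(String)}
     * @return the loaded key store
     * @throws IOException if the URL cannot be opened or read
     * @throws GeneralSecurityException if the type is unsupported or the store fails integrity checks
     */
    public static KeyStore getInitializedKeyStore(URL url, String str, String str2) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(str2);
        char[] password = str == null ? null : str.toCharArray();
        try (InputStream in = url.openStream()) {
            if (in == null && !"PKCS11".equalsIgnoreCase(str2)) {
                throw new IOException("Unable to load keystore resource: " + url);
            }
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /**
     * Reads all X.509 certificates from a URL.
     *
     * @param url location of the DER or PEM encoded certificate(s)
     * @return the certificates in file order
     * @throws IOException if the URL cannot be opened or read
     * @throws GeneralSecurityException if the first entry is not a parseable certificate
     */
    public static X509Certificate[] readCertificates(URL url) throws IOException, GeneralSecurityException {
        try (InputStream in = url.openStream()) {
            return readCertificates(in);
        }
    }

    /**
     * Reads consecutive X.509 certificates from a stream until it is exhausted.
     *
     * <p>The first entry must parse; a parse failure after at least one certificate ends the
     * sequence (trailing text after the last certificate is tolerated) and is logged at debug.
     *
     * @param inputStream stream of DER or PEM encoded certificates; not closed by this method
     * @return the certificates read, in stream order
     * @throws IOException if the stream cannot be read
     * @throws GeneralSecurityException if no certificate could be parsed
     */
    public static X509Certificate[] readCertificates(InputStream inputStream) throws IOException, GeneralSecurityException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certificates = new ArrayList<>();
        do {
            try {
                Certificate certificate = factory.generateCertificate(inputStream);
                if (!(certificate instanceof X509Certificate)) {
                    throw new CertificateException("Expected an X.509 certificate but read type " + certificate.getType());
                }
                certificates.add((X509Certificate) certificate);
            } catch (CertificateException e) {
                if (certificates.isEmpty()) {
                    throw e;
                }
                // Stop rather than re-read the same unparseable tail; available() alone would not
                // guarantee progress here.
                LOGGER.debug("Ignoring unparseable data after {} certificate(s): {}", certificates.size(), e.getMessage());
                break;
            }
        } while (inputStream.available() != 0);
        return certificates.toArray(new X509Certificate[0]);
    }

    /**
     * Reads an RSA private key from a URL.
     *
     * @param url location of the key, PEM or raw DER
     * @return the private key
     * @throws IOException if the URL cannot be opened or read
     * @throws GeneralSecurityException if the key is neither PKCS#8 nor PKCS#1 encoded
     */
    public static PrivateKey readPrivateKey(URL url) throws IOException, GeneralSecurityException {
        try (InputStream in = url.openStream()) {
            return readPrivateKey(in);
        }
    }

    /**
     * Reads an RSA private key from a stream. If the content contains a
     * {@code -----BEGIN ... PRIVATE KEY-----} block its base64 body is decoded; otherwise the
     * bytes are taken as raw DER.
     *
     * @param inputStream stream holding the key; not closed by this method
     * @return the private key
     * @throws IOException if the stream cannot be read
     * @throws GeneralSecurityException if the key is neither PKCS#8 nor PKCS#1 encoded, or the
     *     PEM body is not valid base64
     */
    public static PrivateKey readPrivateKey(InputStream inputStream) throws IOException, GeneralSecurityException {
        byte[] content = readFully(inputStream);
        String text = new String(content, StandardCharsets.US_ASCII);
        byte[] keyBytes = content;
        if (text.contains(PEM_BEGIN) && text.contains(PEM_PRIVATE_KEY_SUFFIX)) {
            String base64 = extractPemBody(text);
            if (base64 != null) {
                try {
                    // The MIME decoder ignores whitespace and other non-alphabet characters, as the previous decoder did.
                    keyBytes = Base64.getMimeDecoder().decode(base64);
                } catch (IllegalArgumentException e) {
                    throw new InvalidKeySpecException("PEM private key body is not valid base64", e);
                }
            }
        }
        return readPrivateKey(keyBytes, "RSA");
    }

    /**
     * Reads the stream to its end.
     *
     * @param inputStream stream to drain; not closed
     * @return all bytes read
     * @throws IOException if reading fails
     */
    private static byte[] readFully(InputStream inputStream) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[1024];
        int read;
        while ((read = inputStream.read(chunk)) != -1) {
            buffer.write(chunk, 0, read);
        }
        return buffer.toByteArray();
    }

    /**
     * Returns the concatenated lines between the first {@code -----BEGIN ... PRIVATE KEY-----}
     * line and the following {@code -----END ... PRIVATE KEY-----} line (or end of text).
     *
     * @param text PEM text
     * @return the body, or {@code null} if no BEGIN marker line is present
     * @throws IOException never in practice; propagated from {@link BufferedReader#readLine()}
     */
    private static String extractPemBody(String text) throws IOException {
        BufferedReader reader = new BufferedReader(new StringReader(text));
        String line;
        do {
            line = reader.readLine();
        } while (line != null && !isPemMarker(line, PEM_BEGIN));
        if (line == null) {
            return null;
        }
        StringBuilder body = new StringBuilder();
        while ((line = reader.readLine()) != null && !isPemMarker(line, PEM_END)) {
            body.append(line);
        }
        return body.toString();
    }

    /** @return whether {@code line} is a PEM private-key marker line starting with {@code prefix}. */
    private static boolean isPemMarker(String line, String prefix) {
        return line.startsWith(prefix) && line.endsWith(PEM_PRIVATE_KEY_SUFFIX);
    }

    /**
     * Builds a private key from DER bytes, trying PKCS#8 first and then PKCS#1 (RSAPrivateKey).
     *
     * @param bArr DER encoded key
     * @param str key algorithm for {@link KeyFactory#getInstance(String)}; the PKCS#1 fallback is only meaningful for RSA
     * @return the private key
     * @throws NoSuchAlgorithmException if no key factory exists for {@code str}
     * @throws InvalidKeySpecException if the bytes are neither format; the PKCS#1 failure is the cause
     *     and the PKCS#8 failure is attached as a suppressed exception
     */
    public static PrivateKey readPrivateKey(byte[] bArr, String str) throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeyFactory keyFactory = KeyFactory.getInstance(str);
        try {
            return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(bArr));
        } catch (InvalidKeySpecException pkcs8Failure) {
            try {
                return keyFactory.generatePrivate(getRSAKeySpec(bArr));
            } catch (InvalidKeySpecException pkcs1Failure) {
                InvalidKeySpecException failure = new InvalidKeySpecException(
                        "Cannot parse the provided key as either PKCS#1 or PKCS#8 format", pkcs1Failure);
                failure.addSuppressed(pkcs8Failure);
                throw failure;
            }
        }
    }

    /**
     * Parses a DER encoded PKCS#1 {@code RSAPrivateKey} (RFC 8017, A.1.2) into a CRT key spec.
     * The structure is {@code SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv, ... }}; the version
     * and any trailing fields are ignored.
     *
     * @param bArr DER bytes
     * @return the key spec
     * @throws InvalidKeySpecException on any structural error, including truncated or oversized lengths
     */
    private static RSAPrivateCrtKeySpec getRSAKeySpec(byte[] bArr) throws InvalidKeySpecException {
        ByteBuffer buffer = ByteBuffer.wrap(bArr);
        try {
            int tag = buffer.get() & 0xFF;
            // 0x30: constructed (bit 6) SEQUENCE (tag number 16)
            if ((tag & 0x20) != 0x20 || (tag & 0x1F) != 0x10) {
                throw new InvalidKeySpecException(PKCS1_PARSE_ERROR);
            }
            int length = getLength(buffer);
            // Checked up front: ByteBuffer.limit() would otherwise fail with an unchecked exception.
            if (length > buffer.remaining()) {
                throw new InvalidKeySpecException(PKCS1_PARSE_ERROR);
            }
            ByteBuffer sequence = buffer.slice();
            sequence.limit(length);
            getInteger(sequence); // version; value not needed
            BigInteger modulus = getInteger(sequence);
            BigInteger publicExponent = getInteger(sequence);
            BigInteger privateExponent = getInteger(sequence);
            BigInteger primeP = getInteger(sequence);
            BigInteger primeQ = getInteger(sequence);
            BigInteger primeExponentP = getInteger(sequence);
            BigInteger primeExponentQ = getInteger(sequence);
            BigInteger crtCoefficient = getInteger(sequence);
            return new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent,
                    primeP, primeQ, primeExponentP, primeExponentQ, crtCoefficient);
        } catch (BufferUnderflowException e) {
            throw new InvalidKeySpecException(PKCS1_PARSE_ERROR, e);
        }
    }

    /**
     * Reads a definite DER length: one byte below 0x80 (short form), or {@code 0x80 | n}
     * followed by {@code n} big-endian bytes (long form).
     *
     * @param byteBuffer buffer positioned at the length octets
     * @return the length
     * @throws InvalidKeySpecException for the indefinite form (0x80), more than four length bytes,
     *     or a value that does not fit a non-negative int
     * @throws BufferUnderflowException if the buffer ends inside the length
     */
    private static int getLength(ByteBuffer byteBuffer) throws InvalidKeySpecException {
        int first = byteBuffer.get() & 0xFF;
        if ((first & 0x80) == 0) {
            return first;
        }
        int numBytes = first & 0x7F;
        if (numBytes == 0 || numBytes > 4) {
            throw new InvalidKeySpecException(PKCS1_PARSE_ERROR);
        }
        byte[] lengthBytes = new byte[numBytes];
        byteBuffer.get(lengthBytes);
        BigInteger length = new BigInteger(1, lengthBytes);
        if (length.bitLength() > 31) {
            throw new InvalidKeySpecException(PKCS1_PARSE_ERROR);
        }
        return length.intValue();
    }

    /**
     * Reads a DER INTEGER (tag number 2) as a signed two's-complement {@link BigInteger}.
     *
     * @param byteBuffer buffer positioned at the INTEGER's tag octet
     * @return the integer value
     * @throws InvalidKeySpecException if the tag is not INTEGER, the length is zero, or the length
     *     exceeds the remaining bytes
     * @throws BufferUnderflowException if the buffer ends inside the tag or length
     */
    private static BigInteger getInteger(ByteBuffer byteBuffer) throws InvalidKeySpecException {
        if ((byteBuffer.get() & 0x1F) != 0x02) {
            throw new InvalidKeySpecException(PKCS1_PARSE_ERROR);
        }
        int length = getLength(byteBuffer);
        // Checked up front so a hostile length cannot trigger an allocation failure or an unchecked exception.
        if (length == 0 || length > byteBuffer.remaining()) {
            throw new InvalidKeySpecException(PKCS1_PARSE_ERROR);
        }
        byte[] value = new byte[length];
        byteBuffer.get(value);
        return new BigInteger(value);
    }

    /**
     * Restricts the engine's enabled protocols using {@link #filterEnabledProtocols}.
     *
     * @param sSLEngine engine to update
     * @param list white-list regexes matched against the supported protocols, or {@code null}/empty to keep the enabled ones
     * @param list2 black-list regexes; matching entries are removed
     */
    public static void updateEnabledTlsProtocols(SSLEngine sSLEngine, List<String> list, List<String> list2) {
        sSLEngine.setEnabledProtocols(filterEnabledProtocols(sSLEngine.getEnabledProtocols(), sSLEngine.getSupportedProtocols(), list, list2));
    }

    /**
     * Restricts the socket's enabled protocols using {@link #filterEnabledProtocols}.
     *
     * @param sSLSocket socket to update
     * @param list white-list regexes matched against the supported protocols, or {@code null}/empty to keep the enabled ones
     * @param list2 black-list regexes; matching entries are removed
     */
    public static void updateEnabledTlsProtocols(SSLSocket sSLSocket, List<String> list, List<String> list2) {
        sSLSocket.setEnabledProtocols(filterEnabledProtocols(sSLSocket.getEnabledProtocols(), sSLSocket.getSupportedProtocols(), list, list2));
    }

    /**
     * Protocol variant of {@link #filterEntries(String[], String[], List, List)}.
     *
     * @param strArr currently enabled protocols
     * @param strArr2 all supported protocols
     * @param list white-list regexes, or {@code null}/empty
     * @param list2 black-list regexes, or {@code null}/empty
     * @return the filtered protocols
     */
    public static String[] filterEnabledProtocols(String[] strArr, String[] strArr2, List<String> list, List<String> list2) {
        return filterEntries(strArr, strArr2, list, list2);
    }

    /**
     * Cipher-suite variant of {@link #filterEntries(String[], String[], List, List)}.
     *
     * @param strArr currently enabled cipher suites
     * @param strArr2 all supported cipher suites
     * @param list white-list regexes, or {@code null}/empty
     * @param list2 black-list regexes, or {@code null}/empty
     * @return the filtered cipher suites
     */
    public static String[] filterEnabledCipherSuites(String[] strArr, String[] strArr2, List<String> list, List<String> list2) {
        return filterEntries(strArr, strArr2, list, list2);
    }

    /**
     * Restricts the engine's enabled cipher suites using {@link #filterEntries}.
     *
     * @param sSLEngine engine to update
     * @param list white-list regexes matched against the supported suites, or {@code null}/empty to keep the enabled ones
     * @param list2 black-list regexes; matching entries are removed
     */
    public static void updateEnabledCipherSuites(SSLEngine sSLEngine, List<String> list, List<String> list2) {
        sSLEngine.setEnabledCipherSuites(filterEntries(sSLEngine.getEnabledCipherSuites(), sSLEngine.getSupportedCipherSuites(), list, list2));
    }

    /**
     * Restricts the socket's enabled cipher suites using {@link #filterEntries}.
     *
     * @param sSLSocket socket to update
     * @param list white-list regexes matched against the supported suites, or {@code null}/empty to keep the enabled ones
     * @param list2 black-list regexes; matching entries are removed
     */
    public static void updateEnabledCipherSuites(SSLSocket sSLSocket, List<String> list, List<String> list2) {
        sSLSocket.setEnabledCipherSuites(filterEntries(sSLSocket.getEnabledCipherSuites(), sSLSocket.getSupportedCipherSuites(), list, list2));
    }

    /**
     * Computes the entries to enable. With no white list the currently enabled entries are the
     * starting set; otherwise each white-list regex, in order, selects the still-unselected supported
     * entries it fully matches (so the white list also defines the result order). Entries fully
     * matching any black-list regex are then removed.
     *
     * @param strArr currently enabled entries
     * @param strArr2 all supported entries
     * @param list white-list regexes, or {@code null}/empty
     * @param list2 black-list regexes, or {@code null}/empty
     * @return the resulting entries
     * @throws java.util.regex.PatternSyntaxException if a list entry is not a valid regex
     */
    static String[] filterEntries(String[] strArr, String[] strArr2, List<String> list, List<String> list2) {
        List<String> selected;
        if (list == null || list.isEmpty()) {
            selected = new ArrayList<>(Arrays.asList(strArr));
        } else {
            selected = new ArrayList<>();
            List<String> remaining = new ArrayList<>(Arrays.asList(strArr2));
            for (String regex : list) {
                Pattern pattern = Pattern.compile(regex);
                Iterator<String> it = remaining.iterator();
                while (it.hasNext()) {
                    String candidate = it.next();
                    if (pattern.matcher(candidate).matches()) {
                        selected.add(candidate);
                        it.remove();
                    }
                }
            }
        }
        if (list2 != null) {
            for (String regex : list2) {
                Pattern pattern = Pattern.compile(regex);
                selected.removeIf(entry -> pattern.matcher(entry).matches());
            }
        }
        return selected.toArray(new String[0]);
    }

    /**
     * Returns an {@link SSLContext} for the first available entry of {@link #TLS_PROTOCOL_PREFERENCES}.
     *
     * @return the context
     * @throws NoSuchAlgorithmException if none of the preferred protocols is available
     */
    public static SSLContext tryGetSSLContext() throws NoSuchAlgorithmException {
        return tryGetSSLContext(TLS_PROTOCOL_PREFERENCES);
    }

    /**
     * Returns an {@link SSLContext} for the first protocol name in {@code strArr} the JVM supports.
     *
     * @param strArr protocol names in preference order
     * @return the context
     * @throws NoSuchAlgorithmException if no listed protocol is available
     */
    public static SSLContext tryGetSSLContext(String[] strArr) throws NoSuchAlgorithmException {
        for (String protocol : strArr) {
            try {
                return SSLContext.getInstance(protocol);
            } catch (NoSuchAlgorithmException e) {
                // Expected for protocols this JVM does not provide; fall through to the next preference.
                LOGGER.debug("SSLContext for protocol '{}' is not available, trying the next preference", protocol);
            }
        }
        throw new NoSuchAlgorithmException(String.format("Could not create SSLContext with one of the requested protocols: %s", Arrays.toString(strArr)));
    }
}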
