package org.apache.cxf.transport.https;

import java.net.Socket;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.cert.X509Certificate;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.jsse.TLSParameterBase;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier;
import org.apache.cxf.transport.https.httpclient.PublicSuffixMatcherLoader;

/* loaded from: input_file:lib/cxf-rt-transports-http-4.0.4.jar:org/apache/cxf/transport/https/SSLUtils.class */
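/**
 * TLS helpers for the CXF HTTPS transport.
 *
 * <p>Builds {@link SSLContext} and {@link SSLEngine} instances from CXF TLS parameters and, on request,
 * wraps the configured trust managers so that a {@link HostnameVerifier} is applied to the server
 * certificate during the handshake (see {@link X509TrustManagerWrapper}).
 */
public final class SSLUtils {
    private static final Logger LOG = LogUtils.getL7dLogger(SSLUtils.class);

    /* loaded from: input_file:lib/cxf-rt-transports-http-4.0.4.jar:org/apache/cxf/transport/https/SSLUtils$SSLEngineWrapper.class */
    /**
     * View of an {@link SSLEngine} that is handed to the delegate trust manager.
     *
     * <p>It differs from the wrapped engine in two ways: {@link #getSSLParameters()} reports no endpoint
     * identification algorithm, and {@link #wrap} / {@link #unwrap} are stubs that return {@code null}.
     * Every other call is forwarded. The only use in this file is in
     * {@link X509TrustManagerWrapper#checkServerTrusted(java.security.cert.X509Certificate[], String, SSLEngine)},
     * which runs the host name check itself through its {@link HostnameVerifier}.
     */
    static class SSLEngineWrapper extends SSLEngine {
        final SSLEngine delegate;

        SSLEngineWrapper(SSLEngine sSLEngine) {
            this.delegate = sSLEngine;
        }

        /**
         * Returns the delegate's parameters with the endpoint identification algorithm cleared.
         *
         * <p>Presumably this keeps the delegate trust manager from running its own endpoint
         * identification, leaving the host name decision to the wrapper's {@link HostnameVerifier}.
         * Only the returned object is changed; nothing is written back to the wrapped engine.
         */
        @Override
        public SSLParameters getSSLParameters() {
            SSLParameters parameters = this.delegate.getSSLParameters();
            parameters.setEndpointIdentificationAlgorithm(null);
            return parameters;
        }

        // ---- plain pass-throughs to the wrapped engine ----

        @Override
        public SSLSession getHandshakeSession() {
            return this.delegate.getHandshakeSession();
        }

        @Override
        public void beginHandshake() throws SSLException {
            this.delegate.beginHandshake();
        }

        @Override
        public void closeInbound() throws SSLException {
            this.delegate.closeInbound();
        }

        @Override
        public void closeOutbound() {
            this.delegate.closeOutbound();
        }

        @Override
        public Runnable getDelegatedTask() {
            return this.delegate.getDelegatedTask();
        }

        @Override
        public boolean getEnableSessionCreation() {
            return this.delegate.getEnableSessionCreation();
        }

        @Override
        public String[] getEnabledCipherSuites() {
            return this.delegate.getEnabledCipherSuites();
        }

        @Override
        public String[] getEnabledProtocols() {
            return this.delegate.getEnabledProtocols();
        }

        @Override
        public SSLEngineResult.HandshakeStatus getHandshakeStatus() {
            return this.delegate.getHandshakeStatus();
        }

        @Override
        public boolean getNeedClientAuth() {
            return this.delegate.getNeedClientAuth();
        }

        @Override
        public SSLSession getSession() {
            return this.delegate.getSession();
        }

        @Override
        public String[] getSupportedCipherSuites() {
            return this.delegate.getSupportedCipherSuites();
        }

        @Override
        public String[] getSupportedProtocols() {
            return this.delegate.getSupportedProtocols();
        }

        @Override
        public boolean getUseClientMode() {
            return this.delegate.getUseClientMode();
        }

        @Override
        public boolean getWantClientAuth() {
            return this.delegate.getWantClientAuth();
        }

        @Override
        public boolean isInboundDone() {
            return this.delegate.isInboundDone();
        }

        @Override
        public boolean isOutboundDone() {
            // Must report the outbound side; answering with isInboundDone() would misreport a half-closed engine.
            return this.delegate.isOutboundDone();
        }

        @Override
        public void setEnableSessionCreation(boolean flag) {
            this.delegate.setEnableSessionCreation(flag);
        }

        @Override
        public void setEnabledCipherSuites(String[] suites) {
            this.delegate.setEnabledCipherSuites(suites);
        }

        @Override
        public void setEnabledProtocols(String[] protocols) {
            this.delegate.setEnabledProtocols(protocols);
        }

        @Override
        public void setNeedClientAuth(boolean need) {
            this.delegate.setNeedClientAuth(need);
        }

        @Override
        public void setUseClientMode(boolean clientMode) {
            this.delegate.setUseClientMode(clientMode);
        }

        @Override
        public void setWantClientAuth(boolean want) {
            this.delegate.setWantClientAuth(want);
        }

        // ---- data path is intentionally not forwarded ----

        /** Stub: always returns {@code null}; this wrapper is not used to move TLS records. */
        @Override
        public SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts, int offset, int length) throws SSLException {
            return null;
        }

        /** Stub: always returns {@code null}; this wrapper is not used to move TLS records. */
        @Override
        public SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffer dst) throws SSLException {
            return null;
        }
    }

    /* loaded from: input_file:lib/cxf-rt-transports-http-4.0.4.jar:org/apache/cxf/transport/https/SSLUtils$SSLSessionWrapper.class */
    /**
     * {@link SSLSession} view that answers {@link #getPeerCertificates()} with a caller-supplied chain
     * and forwards every other call to the wrapped session.
     *
     * <p>In this file it is built from the handshake session and the chain under validation, so that a
     * {@link HostnameVerifier} can inspect that chain.
     */
    static class SSLSessionWrapper implements SSLSession {
        SSLSession session;
        Certificate[] certificates;

        SSLSessionWrapper(SSLSession sSLSession, Certificate[] certificateArr) {
            this.certificates = certificateArr;
            this.session = sSLSession;
        }

        /**
         * Returns the chain given to the constructor, not the wrapped session's peer certificates.
         * The array is returned as-is (no copy).
         */
        @Override
        public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
            return this.certificates;
        }

        // ---- plain pass-throughs to the wrapped session ----

        @Override
        public byte[] getId() {
            return this.session.getId();
        }

        @Override
        public SSLSessionContext getSessionContext() {
            return this.session.getSessionContext();
        }

        @Override
        public long getCreationTime() {
            return this.session.getCreationTime();
        }

        @Override
        public long getLastAccessedTime() {
            return this.session.getLastAccessedTime();
        }

        @Override
        public void invalidate() {
            this.session.invalidate();
        }

        @Override
        public boolean isValid() {
            return this.session.isValid();
        }

        @Override
        public void putValue(String name, Object value) {
            this.session.putValue(name, value);
        }

        @Override
        public Object getValue(String name) {
            return this.session.getValue(name);
        }

        @Override
        public void removeValue(String name) {
            this.session.removeValue(name);
        }

        @Override
        public String[] getValueNames() {
            return this.session.getValueNames();
        }

        @Override
        public Certificate[] getLocalCertificates() {
            return this.session.getLocalCertificates();
        }

        @Override
        public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
            return this.session.getPeerPrincipal();
        }

        @Override
        public Principal getLocalPrincipal() {
            return this.session.getLocalPrincipal();
        }

        @Override
        public String getCipherSuite() {
            return this.session.getCipherSuite();
        }

        @Override
        public String getProtocol() {
            return this.session.getProtocol();
        }

        @Override
        public String getPeerHost() {
            return this.session.getPeerHost();
        }

        @Override
        public int getPeerPort() {
            return this.session.getPeerPort();
        }

        @Override
        public int getPacketBufferSize() {
            return this.session.getPacketBufferSize();
        }

        @Override
        public int getApplicationBufferSize() {
            return this.session.getApplicationBufferSize();
        }

        /** Forwards to the wrapped session; unlike {@link #getPeerCertificates()} this is not overridden with the supplied chain. */
        @Override
        public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
            return this.session.getPeerCertificateChain();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/cxf-rt-transports-http-4.0.4.jar:org/apache/cxf/transport/https/SSLUtils$X509TrustManagerWrapper.class */
    /**
     * Trust manager that forwards chain validation to a delegate and, for the {@link SSLEngine}
     * server check with an extended delegate, additionally requires the configured
     * {@link HostnameVerifier} to accept the requested SNI host name or the session's peer host.
     *
     * <p>The verifier is consulted only in
     * {@link #checkServerTrusted(java.security.cert.X509Certificate[], String, SSLEngine)}; the
     * two-argument and {@link Socket} variants perform delegate validation only.
     */
    public static class X509TrustManagerWrapper extends X509ExtendedTrustManager {
        private final X509TrustManager delegate;
        // Same object as delegate when it is an X509ExtendedTrustManager, otherwise null.
        private final X509ExtendedTrustManager extendedDelegate;
        private final HostnameVerifier verifier;

        X509TrustManagerWrapper(X509TrustManager x509TrustManager, HostnameVerifier hostnameVerifier) {
            this.delegate = x509TrustManager;
            this.verifier = hostnameVerifier;
            this.extendedDelegate = x509TrustManager instanceof X509ExtendedTrustManager ? (X509ExtendedTrustManager) x509TrustManager : null;
        }

        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
            this.delegate.checkClientTrusted(chain, authType);
        }

        /** Uses the extended delegate when there is one; otherwise falls back to the two-argument check. */
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            if (this.extendedDelegate == null) {
                this.delegate.checkClientTrusted(chain, authType);
                return;
            }
            this.extendedDelegate.checkClientTrusted(chain, authType, socket);
        }

        /** Uses the extended delegate when there is one; otherwise falls back to the two-argument check. */
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            if (this.extendedDelegate == null) {
                this.delegate.checkClientTrusted(chain, authType);
                return;
            }
            this.extendedDelegate.checkClientTrusted(chain, authType, engine);
        }

        /** Delegate chain validation only; the {@link HostnameVerifier} is not consulted here. */
        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
            this.delegate.checkServerTrusted(chain, authType);
        }

        /**
         * Delegate validation only; the socket is passed through unchanged, so any endpoint
         * identification is left to the extended delegate. The {@link HostnameVerifier} is not
         * consulted here.
         */
        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            if (this.extendedDelegate == null) {
                this.delegate.checkServerTrusted(chain, authType);
                return;
            }
            this.extendedDelegate.checkServerTrusted(chain, authType, socket);
        }

        /**
         * Returns the ASCII name of the first {@link SNIHostName} entry, or {@code null} when the
         * list is {@code null} or holds no such entry.
         */
        private String getHostName(List<SNIServerName> list) {
            if (list == null) {
                return null;
            }
            for (SNIServerName serverName : list) {
                // Name type 0 is host_name (javax.net.ssl.StandardConstants.SNI_HOST_NAME).
                if (serverName.getType() == 0 && (serverName instanceof SNIHostName)) {
                    return ((SNIHostName) serverName).getAsciiName();
                }
            }
            return null;
        }

        /**
         * Validates the server chain and then checks the host name with the configured verifier.
         *
         * <p>With an extended delegate: the delegate validates the chain against an
         * {@link SSLEngineWrapper} (endpoint identification algorithm cleared), then the verifier must
         * accept either the requested SNI host name or, failing that, the handshake session's peer host.
         *
         * @throws CertificateException if the delegate rejects the chain, if the engine has no
         *         handshake session, or if the verifier accepts neither name
         */
        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            if (this.extendedDelegate == null) {
                // NOTE(review): on this path the configured HostnameVerifier is never consulted, so a
                // plain X509TrustManager delegate gets chain validation only. Confirm that host name
                // checking happens elsewhere for such delegates.
                this.delegate.checkServerTrusted(chain, authType);
                return;
            }
            this.extendedDelegate.checkServerTrusted(chain, authType, new SSLEngineWrapper(engine));

            SSLSession handshakeSession = engine.getHandshakeSession();
            if (handshakeSession == null) {
                // Fail the trust decision explicitly instead of with a NullPointerException below.
                throw new CertificateException("No handshake session");
            }

            List<SNIServerName> requestedNames = null;
            if (handshakeSession instanceof ExtendedSSLSession) {
                requestedNames = ((ExtendedSSLSession) handshakeSession).getRequestedServerNames();
            }

            // The verifier sees the chain being validated rather than the session's own peer certificates.
            SSLSessionWrapper sessionView = new SSLSessionWrapper(handshakeSession, chain);

            String sniHost = getHostName(requestedNames);
            if (sniHost != null && this.verifier.verify(sniHost, sessionView)) {
                return;
            }

            String peerHost = handshakeSession.getPeerHost();
            if (!this.verifier.verify(peerHost, sessionView)) {
                throw new CertificateException("No name matching " + peerHost + " found");
            }
        }

        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return this.delegate.getAcceptedIssuers();
        }
    }

    /** Static utility holder; not instantiable. */
    private SSLUtils() {
    }

    /**
     * Selects the host name verifier for a client configuration.
     *
     * <p>Precedence: an explicitly configured verifier; then the {@link HttpsURLConnection} default
     * when that option is set; then {@code AllowAllHostnameVerifier} when {@code disableCNCheck} is
     * set; otherwise a {@code DefaultHostnameVerifier} with the default public-suffix matcher.
     *
     * <p>NOTE(review): {@code AllowAllHostnameVerifier} is not shown here; by its name it accepts any
     * host, which would leave certificate-to-host binding unchecked whenever {@code disableCNCheck}
     * is enabled. Confirm that setting is limited to test configurations.
     *
     * @param tLSClientParameters client TLS configuration
     * @return the verifier chosen by the precedence above
     */
    public static HostnameVerifier getHostnameVerifier(TLSClientParameters tLSClientParameters) {
        if (tLSClientParameters.getHostnameVerifier() != null) {
            return tLSClientParameters.getHostnameVerifier();
        }
        if (tLSClientParameters.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
            return HttpsURLConnection.getDefaultHostnameVerifier();
        }
        if (tLSClientParameters.isDisableCNCheck()) {
            return new AllowAllHostnameVerifier();
        }
        return new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
    }

    /**
     * Collects the key and trust managers used to initialise an {@link SSLContext}.
     *
     * <p>Managers configured on the parameters are used as given. When none are configured and the
     * parameters are {@link TLSClientParameters}, the defaults from
     * {@code org.apache.cxf.configuration.jsse.SSLUtils} are loaded instead; for other parameter
     * types the value stays {@code null}. Key managers are then passed through
     * {@link #configureKeyManagersWithCertAlias}.
     *
     * @param tLSParameterBase TLS configuration
     * @return the managers to pass to {@link SSLContext#init}
     * @throws GeneralSecurityException if wrapping a key manager with the certificate alias fails
     */
    public static SSLContextInitParameters getSSLContextInitParameters(TLSParameterBase tLSParameterBase) throws GeneralSecurityException {
        boolean clientSide = tLSParameterBase instanceof TLSClientParameters;

        KeyManager[] keyManagers = tLSParameterBase.getKeyManagers();
        if (keyManagers == null && clientSide) {
            keyManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultKeyStoreManagers(LOG);
        }
        KeyManager[] aliasedKeyManagers = configureKeyManagersWithCertAlias(tLSParameterBase, keyManagers);

        TrustManager[] trustManagers = tLSParameterBase.getTrustManagers();
        if (trustManagers == null && clientSide) {
            trustManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultTrustStoreManagers(LOG);
        }

        SSLContextInitParameters initParameters = new SSLContextInitParameters();
        initParameters.setKeyManagers(aliasedKeyManagers);
        initParameters.setTrustManagers(trustManagers);
        return initParameters;
    }

    /**
     * Builds an {@link SSLContext} without wrapping the trust managers for host name verification.
     *
     * @param tLSParameterBase TLS configuration
     * @return an initialised context
     * @throws GeneralSecurityException if the context cannot be created or initialised
     */
    public static SSLContext getSSLContext(TLSParameterBase tLSParameterBase) throws GeneralSecurityException {
        return getSSLContext(tLSParameterBase, false);
    }

    /**
     * Builds and initialises an {@link SSLContext} from the given TLS configuration.
     *
     * <p>The protocol defaults to {@code "TLS"} when none is configured, and the configured JSSE
     * provider is used when present. For client parameters the client session cache timeout is set
     * from the configuration.
     *
     * @param tLSParameterBase TLS configuration
     * @param z when {@code true} and the parameters are {@link TLSClientParameters}, every
     *        {@link X509TrustManager} is wrapped in an {@link X509TrustManagerWrapper} carrying the
     *        verifier from {@link #getHostnameVerifier}
     * @return an initialised context
     * @throws GeneralSecurityException if the context cannot be created or initialised
     */
    public static SSLContext getSSLContext(TLSParameterBase tLSParameterBase, boolean z) throws GeneralSecurityException {
        String jsseProvider = tLSParameterBase.getJsseProvider();
        String protocol = tLSParameterBase.getSecureSocketProtocol();
        if (protocol == null) {
            protocol = "TLS";
        }
        SSLContext context = jsseProvider == null
            ? SSLContext.getInstance(protocol)
            : SSLContext.getInstance(protocol, jsseProvider);

        SSLContextInitParameters initParameters = getSSLContextInitParameters(tLSParameterBase);
        TrustManager[] trustManagers = initParameters.getTrustManagers();
        if (trustManagers != null && z && (tLSParameterBase instanceof TLSClientParameters)) {
            HostnameVerifier hostnameVerifier = getHostnameVerifier((TLSClientParameters) tLSParameterBase);
            // Wrap on a copy, as configureKeyManagersWithCertAlias does for key managers. The array
            // may be the one held by the TLS parameters (not visible here); wrapping in place would
            // alter that configuration and stack another wrapper on every call.
            trustManagers = Arrays.copyOf(trustManagers, trustManagers.length);
            for (int i = 0; i < trustManagers.length; i++) {
                if (trustManagers[i] instanceof X509TrustManager) {
                    trustManagers[i] = new X509TrustManagerWrapper((X509TrustManager) trustManagers[i], hostnameVerifier);
                }
            }
        }

        context.init(initParameters.getKeyManagers(), trustManagers, tLSParameterBase.getSecureRandom());
        if ((tLSParameterBase instanceof TLSClientParameters) && context.getClientSessionContext() != null) {
            context.getClientSessionContext().setSessionTimeout(((TLSClientParameters) tLSParameterBase).getSslCacheTimeout());
        }
        return context;
    }

    /**
     * Pins key selection to the configured certificate alias.
     *
     * <p>When no alias is configured or the array is {@code null}, the input is returned unchanged.
     * Otherwise a copy is returned in which every {@link X509KeyManager} that is not already an
     * {@code AliasedX509ExtendedKeyManager} is wrapped in one; the input array is not modified.
     *
     * @param tLSParameterBase TLS configuration supplying the alias
     * @param keyManagerArr key managers to process, may be {@code null}
     * @return the input array, or a copy with alias-aware wrappers
     * @throws GeneralSecurityException wrapping any exception raised while creating a wrapper
     */
    public static KeyManager[] configureKeyManagersWithCertAlias(TLSParameterBase tLSParameterBase, KeyManager[] keyManagerArr) throws GeneralSecurityException {
        if (tLSParameterBase.getCertAlias() == null || keyManagerArr == null) {
            return keyManagerArr;
        }
        KeyManager[] aliased = Arrays.copyOf(keyManagerArr, keyManagerArr.length);
        for (int i = 0; i < aliased.length; i++) {
            KeyManager current = aliased[i];
            if (!(current instanceof X509KeyManager) || (current instanceof AliasedX509ExtendedKeyManager)) {
                continue;
            }
            try {
                aliased[i] = new AliasedX509ExtendedKeyManager(tLSParameterBase.getCertAlias(), (X509KeyManager) current);
            } catch (Exception e) {
                // Keep the cause so the failing alias or key store problem stays visible to the caller.
                throw new GeneralSecurityException(e);
            }
        }
        return aliased;
    }

    /**
     * Creates a server-mode {@link SSLEngine} whose "need client auth" flag follows the configured
     * client authentication requirement.
     *
     * <p>NOTE(review): a {@code null} from {@code getClientAuthentication()} or {@code isRequired()}
     * fails here with a {@link NullPointerException} — confirm callers always configure it.
     *
     * @param tLSServerParameters server TLS configuration
     * @return a new engine in server mode
     * @throws Exception if the {@link SSLContext} cannot be built
     */
    public static SSLEngine createServerSSLEngine(TLSServerParameters tLSServerParameters) throws Exception {
        SSLEngine engine = getSSLContext(tLSServerParameters).createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(tLSServerParameters.getClientAuthentication().isRequired().booleanValue());
        return engine;
    }

    /**
     * Creates a client-mode {@link SSLEngine}.
     *
     * <p>The context comes from {@link #getSSLContext(TLSParameterBase)}, i.e. without the host name
     * verifying trust manager wrapper, and no peer host is passed to {@code createSSLEngine()}.
     *
     * @param tLSClientParameters client TLS configuration
     * @return a new engine in client mode
     * @throws Exception if the {@link SSLContext} cannot be built
     */
    public static SSLEngine createClientSSLEngine(TLSClientParameters tLSClientParameters) throws Exception {
        SSLEngine engine = getSSLContext(tLSClientParameters).createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }
}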
