package io.apiman.gateway.platforms.servlet.connectors.ssl;

import io.apiman.common.config.options.TLSOptions;
import java.io.File;
import java.io.IOException;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.Args;

/* loaded from: input_file:io/apiman/gateway/platforms/servlet/connectors/ssl/SSLSessionStrategyFactory.class */
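/**
 * Static factory for the {@link SSLSessionStrategy} instances used when connecting to back-end
 * services over TLS.
 *
 * <p>Three options on this class weaken TLS peer authentication and should be reviewed wherever
 * they are enabled:
 * <ul>
 *   <li>{@code allowAnyHost} replaces hostname verification with a verifier that accepts every
 *       host name, so a certificate issued for a different host is accepted.</li>
 *   <li>{@code trustSelfSigned} adds a {@link TrustSelfSignedStrategy} next to the configured
 *       trust store.</li>
 *   <li>{@link #buildUnsafe()} disables certificate validation and hostname verification
 *       altogether.</li>
 * </ul>
 */
public class SSLSessionStrategyFactory {
    /** Hostname verifier that accepts every host name; selected when {@code allowAnyHost} is set. */
    private static final HostnameVerifier ALLOW_ANY = new AllowAnyVerifier();
    /** Trust strategy handed to the trust-material loader when {@code trustSelfSigned} is set. */
    private static final TrustStrategy SELF_SIGNED = new TrustSelfSignedStrategy();

    /**
     * {@link HostnameVerifier} that performs no verification at all.
     *
     * <p>With this verifier the certificate presented by the peer is never matched against the
     * host name that was dialled, so the identity of the remote endpoint is not established by
     * the host-name check.
     */
    private static final class AllowAnyVerifier implements HostnameVerifier {
        private AllowAnyVerifier() {
        }

        /**
         * Accepts every host name / session pair.
         *
         * @param hostname the host name being connected to (ignored)
         * @param session the TLS session (ignored)
         * @return always {@code true}
         */
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }

    /**
     * {@link PrivateKeyStrategy} that picks the client key by alias from a configured allow-list.
     */
    public static final class SelectByAlias implements PrivateKeyStrategy {
        private final Set<String> keyAliases = new HashSet<>();

        /**
         * @param keyAliases aliases that may be selected; must not be {@code null}
         */
        public SelectByAlias(String[] keyAliases) {
            for (String alias : keyAliases) {
                this.keyAliases.add(alias);
            }
        }

        /**
         * Returns the first offered alias that is on the configured allow-list.
         *
         * @param aliases the aliases offered by the key store, keyed by alias name
         * @param socket the socket being negotiated (not used)
         * @return a matching alias, or {@code null} when none of the offered aliases is allowed
         */
        @Override
        public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
            for (String candidate : aliases.keySet()) {
                if (this.keyAliases.contains(candidate)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    private SSLSessionStrategyFactory() {
    }

    /**
     * Builds a one-way TLS strategy (no client key material) from the given options.
     *
     * <p>Allowed protocols and cipher suites fall back to the JVM defaults when the options leave
     * them unset or empty.
     *
     * @param tLSOptions the TLS options to read
     * @return the configured strategy
     * @throws NoSuchAlgorithmException if the default SSL context cannot be obtained
     * @throws KeyManagementException if the SSL context cannot be initialised
     * @throws KeyStoreException if the trust store cannot be processed
     * @throws UnrecoverableKeyException declared for parity with {@link #build}
     * @throws CertificateException if a certificate in the trust store cannot be loaded
     * @throws IOException if the trust store file cannot be read
     */
    public static SSLSessionStrategy buildStandard(TLSOptions tLSOptions) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException, CertificateException, IOException {
        String[] protocols = optionalVar(tLSOptions.getAllowedProtocols(), getDefaultProtocols());
        String[] ciphers = optionalVar(tLSOptions.getAllowedCiphers(), getDefaultCipherSuites());
        return build(
                tLSOptions.getTrustStore(),
                tLSOptions.getTrustStorePassword(),
                null,
                null,
                null,
                null,
                protocols,
                ciphers,
                tLSOptions.isAllowAnyHost(),
                tLSOptions.isTrustSelfSigned());
    }

    /**
     * Builds a mutual-TLS strategy: the configured key store supplies the client key material.
     *
     * @param tLSOptions the TLS options to read; the key store path must be set and non-empty
     * @return the configured strategy
     * @throws IllegalArgumentException if the key store path is {@code null} or empty
     * @throws KeyManagementException if the SSL context cannot be initialised
     * @throws NoSuchAlgorithmException if a required algorithm is unavailable
     * @throws KeyStoreException if a store cannot be processed
     * @throws CertificateException if a certificate in a store cannot be loaded
     * @throws IOException if a store file cannot be read
     * @throws UnrecoverableKeyException if the client key cannot be recovered
     */
    public static SSLSessionStrategy buildMutual(TLSOptions tLSOptions) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException, UnrecoverableKeyException {
        // Args.notEmpty rejects null as well as empty and appends its own suffix to the
        // argument name, so the name alone is passed (the previous text produced
        // "KeyStore must not be empty may not be empty").
        Args.notEmpty(tLSOptions.getKeyStore(), "KeyStore");
        String[] protocols = optionalVar(tLSOptions.getAllowedProtocols(), getDefaultProtocols());
        String[] ciphers = optionalVar(tLSOptions.getAllowedCiphers(), getDefaultCipherSuites());
        return build(
                tLSOptions.getTrustStore(),
                tLSOptions.getTrustStorePassword(),
                tLSOptions.getKeyStore(),
                tLSOptions.getKeyStorePassword(),
                tLSOptions.getKeyAliases(),
                tLSOptions.getKeyPassword(),
                protocols,
                ciphers,
                tLSOptions.isAllowAnyHost(),
                tLSOptions.isTrustSelfSigned());
    }

    /**
     * Builds a strategy from explicit settings.
     *
     * <p>Security-relevant behaviour visible in this method:
     * <ul>
     *   <li>{@code allowAnyHost} swaps the default hostname verifier for one that accepts every
     *       host name.</li>
     *   <li>{@code trustSelfSigned} is only applied while loading a trust store; when
     *       {@code trustStore} is {@code null} the flag has no effect.</li>
     *   <li>A {@code null} store password is passed through as {@code null}; per
     *       {@code KeyStore.load}, no integrity check of the store is performed in that case.</li>
     * </ul>
     *
     * @param trustStore path of the trust store, or {@code null} to load no trust material here
     * @param trustStorePassword trust store password, may be {@code null}
     * @param keyStore path of the key store, or {@code null} for one-way TLS
     * @param keyStorePassword key store password, may be {@code null}
     * @param keyAliases aliases eligible as client key, or {@code null} for no alias selection
     * @param keyPassword password of the private key, may be {@code null}
     * @param allowedProtocols protocols to allow; must not be {@code null}
     * @param allowedCiphers cipher suites to allow; must not be {@code null}
     * @param allowAnyHost whether hostname verification is disabled
     * @param trustSelfSigned whether the self-signed trust strategy is used with the trust store
     * @return the configured strategy
     * @throws IllegalArgumentException if the protocol or cipher array is {@code null}
     * @throws NoSuchAlgorithmException if a required algorithm is unavailable
     * @throws KeyStoreException if a store cannot be processed
     * @throws CertificateException if a certificate in a store cannot be loaded
     * @throws IOException if a store file cannot be read
     * @throws KeyManagementException if the SSL context cannot be initialised
     * @throws UnrecoverableKeyException if the client key cannot be recovered
     */
    public static SSLSessionStrategy build(String trustStore, String trustStorePassword, String keyStore, String keyStorePassword, String[] keyAliases, String keyPassword, String[] allowedProtocols, String[] allowedCiphers, boolean allowAnyHost, boolean trustSelfSigned) throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException, KeyManagementException, UnrecoverableKeyException {
        Args.notNull(allowedProtocols, "Allowed protocols");
        Args.notNull(allowedCiphers, "Allowed ciphers");

        TrustStrategy trustStrategy = trustSelfSigned ? SELF_SIGNED : null;
        HostnameVerifier hostnameVerifier = allowAnyHost
                ? ALLOW_ANY
                : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
        PrivateKeyStrategy aliasStrategy = keyAliases == null ? null : new SelectByAlias(keyAliases);
        // Forwarded to CipherSelectingSSLSocketFactory; presumably signals that client
        // authentication material is present -- confirm against that class.
        boolean hasKeyStore = keyStore != null;

        SSLContextBuilder contextBuilder = SSLContexts.custom();
        if (trustStore != null) {
            // Tolerate a missing password exactly as the key-store branch does; the previous
            // unconditional toCharArray() threw a NullPointerException here.
            contextBuilder.loadTrustMaterial(new File(trustStore), toChars(trustStorePassword), trustStrategy);
        }
        if (keyStore != null) {
            contextBuilder.loadKeyMaterial(new File(keyStore), toChars(keyStorePassword), toChars(keyPassword), aliasStrategy);
        }

        return new SSLSessionStrategy(
                hostnameVerifier,
                new CipherSelectingSSLSocketFactory(
                        contextBuilder.build().getSocketFactory(), allowedCiphers, allowedProtocols, hasKeyStore));
    }

    /**
     * Builds a strategy that accepts any certificate chain and any host name.
     *
     * <p>The installed trust manager's check methods are empty and the hostname verifier always
     * succeeds, so the peer is never authenticated: the channel is encrypted but gives no
     * assurance about who is on the other end. A warning is written to {@code System.err} on
     * every call. Intended for development and testing only; production configurations should
     * use {@link #buildStandard} or {@link #buildMutual} with a trust store.
     *
     * @return a strategy with certificate and hostname checks disabled
     * @throws RuntimeException wrapping any failure while creating the SSL context
     */
    public static SSLSessionStrategy buildUnsafe() {
        System.err.println("ATTENTION: SSLSessionStrategy will trust *any* certificate. This is extremely unsafe for production. Caveat utilitor!");
        try {
            // The generic "TLS" context lets the JVM negotiate its currently enabled protocol
            // versions. The previous "TLSv1" name asked for a TLS 1.0 context; TLS 1.0 is
            // deprecated (RFC 8996) and disabled by default on current JDKs.
            SSLContext sslContext = SSLContext.getInstance("TLS");
            X509TrustManager trustEverything = new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    // Intentionally empty: every client chain is accepted.
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    // Intentionally empty: every server chain is accepted.
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            };
            sslContext.init(null, new X509TrustManager[]{trustEverything}, new SecureRandom());
            return new SSLSessionStrategy(ALLOW_ANY, sslContext.getSocketFactory());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns the cipher suites of the JVM's default SSL parameters. */
    private static String[] getDefaultCipherSuites() throws NoSuchAlgorithmException {
        return SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
    }

    /** Returns the protocols of the JVM's default SSL parameters. */
    private static String[] getDefaultProtocols() throws NoSuchAlgorithmException {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    /** Returns {@code value} unless it is {@code null} or empty, in which case {@code fallback}. */
    private static String[] optionalVar(String[] value, String[] fallback) {
        return (value == null || value.length == 0) ? fallback : value;
    }

    /** Converts a password to a char array, passing {@code null} through unchanged. */
    private static char[] toChars(String password) {
        return password == null ? null : password.toCharArray();
    }
}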
