package org.apache.qpid.transport.network.security.ssl;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import org.apache.qpid.transport.TransportException;
import org.apache.qpid.transport.util.Logger;

/* loaded from: input_file:org/apache/qpid/transport/network/security/ssl/SSLUtil.class */
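/**
 * Static helpers for the TLS layer: hostname verification against an X.509 certificate,
 * extraction of an identity string from a subject DN, keystore loading, and protocol /
 * cipher-suite pruning on {@link SSLEngine}, {@link SSLSocket} and {@link SSLServerSocket}.
 */
public class SSLUtil {
    private static final Logger log = Logger.get(SSLUtil.class);

    /**
     * GeneralName tag of a {@code dNSName} entry in the lists returned by
     * {@link X509Certificate#getSubjectAlternativeNames()}.
     */
    private static final Integer DNS_NAME_TYPE = 2;

    /** Protocol name removed by the {@code removeSSLv3Support} methods. */
    public static final String SSLV3_PROTOCOL = "SSLv3";

    /**
     * A wildcard name whose remainder is a dotted IPv4 address ({@code *.10.0.0}); such a
     * pattern is never treated as a wildcard during hostname matching.
     */
    private static final Pattern WILDCARD_IPV4_PATTERN =
            Pattern.compile("\\*\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");

    /**
     * Common view over {@link SSLEngine}, {@link SSLSocket} and {@link SSLServerSocket}, which
     * expose these methods but share no supertype declaring them. Instances are created
     * reflectively by {@link #asSSLEntity(Object, Class)}.
     */
    public interface SSLEntity {
        String[] getEnabledCipherSuites();

        void setEnabledCipherSuites(String[] strArr);

        String[] getEnabledProtocols();

        void setEnabledProtocols(String[] strArr);

        String[] getSupportedCipherSuites();

        String[] getSupportedProtocols();
    }

    /** Utility class: not instantiable. */
    private SSLUtil() {
    }

    /**
     * Verifies that the peer certificate of {@code engine}'s session matches {@code hostname}.
     * <p>
     * If the peer could not be verified (no peer certificate is available, e.g. with an
     * anonymous cipher suite) the condition is only logged and the method returns normally,
     * i.e. this overload fails open. Callers that rely on hostname verification to
     * authenticate the peer must ensure the handshake itself rejects unauthenticated peers.
     *
     * @param engine   engine whose session supplies the peer certificate chain
     * @param hostname the host name the caller connected to
     * @throws TransportException if a peer certificate is present but does not match
     */
    public static void verifyHostname(SSLEngine engine, String hostname) {
        try {
            Certificate[] peerChain = engine.getSession().getPeerCertificates();
            verifyHostname(hostname, (X509Certificate) peerChain[0]);
        } catch (SSLPeerUnverifiedException e) {
            log.warn("Exception received while trying to verify hostname", e);
        }
    }

    /**
     * Verifies that {@code hostname} matches the subject CN or one of the {@code dNSName}
     * subject alternative names of {@code cert}.
     * <p>
     * Matching is case-insensitive. A candidate of the form {@code *.suffix} is treated as a
     * wildcard only when it covers at least two labels after the asterisk (so {@code *.com}
     * is rejected) and the suffix is not a dotted IPv4 address; the asterisk then stands for
     * exactly one label of {@code hostname}. Any other candidate must equal the host name.
     *
     * @param hostname expected host name; surrounding whitespace is ignored
     * @param cert     the certificate to check
     * @throws TransportException if the certificate carries neither a CN nor a dNSName, none
     *                            of them matches, or the certificate or its subject name
     *                            cannot be parsed
     */
    public static void verifyHostname(String hostname, X509Certificate cert) {
        Objects.requireNonNull(hostname, "hostname");
        Objects.requireNonNull(cert, "cert");
        String subjectName = cert.getSubjectX500Principal().getName();
        Set<String> certNames = new TreeSet<>();
        try {
            // LdapName iterates RDNs right-to-left; only the first CN encountered is used.
            for (Rdn rdn : new LdapName(subjectName).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    certNames.add(rdn.getValue().toString());
                    break;
                }
            }
            Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
            if (altNames != null) {
                for (List<?> altName : altNames) {
                    // each entry is [tag, value]; the value of a dNSName is a String
                    if (DNS_NAME_TYPE.equals(altName.get(0))) {
                        certNames.add((String) altName.get(1));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            throw new TransportException(
                    "SSL hostname verification failed. Could not parse certificate:  " + e.getMessage(), e);
        } catch (InvalidNameException e) {
            throw new TransportException(
                    "SSL hostname verification failed. Could not parse name " + subjectName, e);
        }

        if (certNames.isEmpty()) {
            throw new TransportException("SSL hostname verification failed. Certificate for "
                    + hostname + " did not contain CN or DNS subjectAlt");
        }

        // Host names are case-insensitive, so normalise both sides with a fixed locale.
        String expected = hostname.trim().toLowerCase(Locale.ROOT);
        boolean matched = false;
        for (String certName : certNames) {
            if (matchesHostname(expected, certName.toLowerCase(Locale.ROOT))) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            throw new TransportException("SSL hostname verification failed. Expected : "
                    + hostname + " Found in cert : " + certNames);
        }
    }

    /**
     * Matches one (already lower-cased) certificate name against the expected host name,
     * honouring a leading {@code *.} wildcard under the rules documented on
     * {@link #verifyHostname(String, X509Certificate)}.
     */
    private static boolean matchesHostname(String expected, String certName) {
        boolean isWildcard = certName.startsWith("*.")
                && certName.lastIndexOf('.') >= 3
                && !WILDCARD_IPV4_PATTERN.matcher(certName).matches();
        if (!isWildcard) {
            return expected.equals(certName);
        }
        String suffix = certName.substring(1); // ".example.com"
        // The first dot of the host name must sit exactly where the suffix begins, so the
        // asterisk matches a single label and nothing more.
        return expected.endsWith(suffix)
                && expected.indexOf('.') == expected.length() + 1 - certName.length();
    }

    /**
     * Derives an identity of the form {@code cn} or {@code cn@dc1.dc2...} from a subject DN.
     * <p>
     * The left-most {@code CN} wins; the {@code DC} components are joined left-to-right with
     * dots, so {@code CN=alice,DC=example,DC=com} yields {@code alice@example.com}.
     *
     * @param dn the distinguished name, may be {@code null}
     * @return the identity, or {@code ""} if {@code dn} is {@code null}, has no non-empty CN,
     *         or cannot be parsed (the latter is logged at warn level)
     */
    public static String getIdFromSubjectDN(String dn) {
        if (dn == null) {
            return "";
        }
        String cn = null;
        String domain = null;
        try {
            // getRdns() is ordered right-to-left, hence the prepend when building the domain.
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                String type = rdn.getType();
                if ("CN".equalsIgnoreCase(type)) {
                    cn = rdn.getValue().toString();
                } else if ("DC".equalsIgnoreCase(type)) {
                    String component = rdn.getValue().toString();
                    domain = domain == null ? component : component + '.' + domain;
                }
            }
        } catch (InvalidNameException e) {
            log.warn("Invalid name: '" + dn + "'. ", new Object[0]);
            return "";
        }
        if (cn == null || cn.isEmpty()) {
            return "";
        }
        return domain == null ? cn : cn + '@' + domain;
    }

    /**
     * Extracts an identity (see {@link #getIdFromSubjectDN(String)}) from the first entry of
     * the session's <em>local</em> certificate chain, i.e. this side's own certificate
     * (presumably used on the client side, judging by the log messages).
     *
     * @param engine engine whose session supplies the local certificate chain
     * @return the identity, or {@code ""} when there is no local X.509 certificate
     */
    public static String retrieveIdentity(SSLEngine engine) {
        String identity = "";
        Certificate[] localChain = engine.getSession().getLocalCertificates();
        if (localChain != null && localChain.length > 0 && localChain[0] instanceof X509Certificate) {
            X509Certificate local = (X509Certificate) localChain[0];
            identity = getIdFromSubjectDN(local.getSubjectX500Principal().getName());
        } else {
            log.info("No local X.509 certificate available while trying to retrieve client identity from SSL cert",
                    new Object[0]);
        }
        log.debug("Extracted Identity from client certificate : " + identity, new Object[0]);
        return identity;
    }

    /**
     * Loads a keystore from a file path, falling back to a classpath resource of the same
     * name when no such file exists.
     *
     * @param path     file system path or classpath resource name
     * @param password keystore password, or {@code null} for none
     * @param type     keystore type passed to {@link KeyStore#getInstance(String)}
     * @return the loaded keystore
     * @throws IOException              if neither a file nor a resource named {@code path}
     *                                  exists (except for type {@code PKCS11}, which needs no
     *                                  input stream), or reading fails
     * @throws GeneralSecurityException if the keystore type is unknown or loading fails
     */
    public static KeyStore getInitializedKeyStore(String path, String password, String type)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(type);
        File file = new File(path);
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = SSLUtil.class.getClassLoader();
        }
        // try-with-resources tolerates a null resource, which is the PKCS11 case below
        try (InputStream in = file.exists() ? new FileInputStream(file) : loader.getResourceAsStream(path)) {
            if (in == null && !"PKCS11".equalsIgnoreCase(type)) {
                throw new IOException("Unable to load keystore resource: " + path);
            }
            keyStore.load(in, password == null ? null : password.toCharArray());
        }
        return keyStore;
    }

    /**
     * Loads a keystore from a URL.
     *
     * @param url      location of the keystore
     * @param password keystore password, or {@code null} for none
     * @param type     keystore type passed to {@link KeyStore#getInstance(String)}
     * @return the loaded keystore
     * @throws IOException              if the URL cannot be opened or read (a {@code null}
     *                                  stream is tolerated only for type {@code PKCS11})
     * @throws GeneralSecurityException if the keystore type is unknown or loading fails
     */
    public static KeyStore getInitializedKeyStore(URL url, String password, String type)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = url.openStream()) {
            if (in == null && !"PKCS11".equalsIgnoreCase(type)) {
                throw new IOException("Unable to load keystore resource: " + url);
            }
            keyStore.load(in, password == null ? null : password.toCharArray());
        }
        return keyStore;
    }

    /**
     * Wraps {@code target} in an {@link SSLEntity} proxy that forwards each call to the
     * identically-named method of {@code targetClass}.
     *
     * @param target      an {@link SSLEngine}, {@link SSLSocket} or {@link SSLServerSocket}
     * @param targetClass the class whose public methods are looked up by name and parameters
     */
    private static SSLEntity asSSLEntity(final Object target, final Class<?> targetClass) {
        InvocationHandler handler = new InvocationHandler() {
            @Override
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                Method real = targetClass.getMethod(method.getName(), method.getParameterTypes());
                try {
                    return real.invoke(target, args);
                } catch (InvocationTargetException e) {
                    // surface the target's own exception rather than an UndeclaredThrowableException
                    throw e.getCause();
                }
            }
        };
        return (SSLEntity) Proxy.newProxyInstance(
                SSLEntity.class.getClassLoader(), new Class<?>[] {SSLEntity.class}, handler);
    }

    /**
     * Removes {@link #SSLV3_PROTOCOL} from the entity's enabled protocols; the enabled list is
     * only rewritten when SSLv3 was actually present.
     */
    private static void removeSSLv3Support(SSLEntity entity) {
        List<String> enabled = new ArrayList<>(Arrays.asList(entity.getEnabledProtocols()));
        if (enabled.remove(SSLV3_PROTOCOL)) {
            entity.setEnabledProtocols(enabled.toArray(new String[0]));
        }
    }

    /** Disables SSLv3 on {@code engine}; see {@link #removeSSLv3Support(SSLEntity)}. */
    public static void removeSSLv3Support(SSLEngine engine) {
        removeSSLv3Support(asSSLEntity(engine, SSLEngine.class));
    }

    /** Disables SSLv3 on {@code socket}; see {@link #removeSSLv3Support(SSLEntity)}. */
    public static void removeSSLv3Support(SSLSocket socket) {
        removeSSLv3Support(asSSLEntity(socket, SSLSocket.class));
    }

    /** Disables SSLv3 on {@code serverSocket}; see {@link #removeSSLv3Support(SSLEntity)}. */
    public static void removeSSLv3Support(SSLServerSocket serverSocket) {
        removeSSLv3Support(asSSLEntity(serverSocket, SSLServerSocket.class));
    }

    /**
     * Restricts the entity's enabled cipher suites.
     * <p>
     * If {@code enabledCipherSuites} is non-empty the enabled set becomes the supported
     * suites filtered down to those names; then, if {@code disabledCipherSuites} is
     * non-empty, those names are removed from whatever is enabled at that point. Either
     * argument may be {@code null} or empty, in which case that step is skipped. The
     * provider's ordering is preserved, since the order of enabled suites expresses
     * preference.
     */
    private static void updateEnabledCipherSuites(SSLEntity entity,
                                                  Collection<String> enabledCipherSuites,
                                                  Collection<String> disabledCipherSuites) {
        if (enabledCipherSuites != null && !enabledCipherSuites.isEmpty()) {
            Set<String> enabled = new LinkedHashSet<>(Arrays.asList(entity.getSupportedCipherSuites()));
            enabled.retainAll(enabledCipherSuites);
            entity.setEnabledCipherSuites(enabled.toArray(new String[0]));
        }
        if (disabledCipherSuites != null && !disabledCipherSuites.isEmpty()) {
            Set<String> enabled = new LinkedHashSet<>(Arrays.asList(entity.getEnabledCipherSuites()));
            enabled.removeAll(disabledCipherSuites);
            entity.setEnabledCipherSuites(enabled.toArray(new String[0]));
        }
    }

    /** See {@link #updateEnabledCipherSuites(SSLEntity, Collection, Collection)}. */
    public static void updateEnabledCipherSuites(SSLEngine engine,
                                                 Collection<String> enabledCipherSuites,
                                                 Collection<String> disabledCipherSuites) {
        updateEnabledCipherSuites(asSSLEntity(engine, SSLEngine.class), enabledCipherSuites, disabledCipherSuites);
    }

    /** See {@link #updateEnabledCipherSuites(SSLEntity, Collection, Collection)}. */
    public static void updateEnabledCipherSuites(SSLServerSocket serverSocket,
                                                 Collection<String> enabledCipherSuites,
                                                 Collection<String> disabledCipherSuites) {
        updateEnabledCipherSuites(asSSLEntity(serverSocket, SSLServerSocket.class), enabledCipherSuites,
                disabledCipherSuites);
    }

    /** See {@link #updateEnabledCipherSuites(SSLEntity, Collection, Collection)}. */
    public static void updateEnabledCipherSuites(SSLSocket socket,
                                                 Collection<String> enabledCipherSuites,
                                                 Collection<String> disabledCipherSuites) {
        updateEnabledCipherSuites(asSSLEntity(socket, SSLSocket.class), enabledCipherSuites, disabledCipherSuites);
    }
}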
