package org.apache.cassandra.security;

import com.google.common.base.Predicates;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import java.io.Closeable;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cassandra.config.EncryptionOptions;
import org.apache.cassandra.io.util.FileUtils;
import org.apache.http.HttpStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:pekko/persistence/cassandra/launcher/cassandra-bundle.jar:org/apache/cassandra/security/SSLFactory.class */
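/**
 * Static helpers that build TLS sockets and {@link SSLContext}s from an {@link EncryptionOptions}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only the enabled cipher suites are narrowed here. The enabled protocol versions are never
 *       touched, so they stay at whatever the context created for {@code encryptionOptions.protocol}
 *       enables by default.</li>
 *   <li>The peer's identity is checked against its certificate only when
 *       {@code require_endpoint_verification} is set; otherwise validation is limited to what the
 *       trust managers do with the certificate chain.</li>
 *   <li>Client certificates are demanded on server sockets only when {@code require_client_auth}
 *       is set.</li>
 * </ul>
 */
public final class SSLFactory {
    private static final Logger logger = LoggerFactory.getLogger(SSLFactory.class);

    /**
     * Listen backlog handed to {@code bind}. The decompiled source spelled this value as
     * {@code HttpStatus.SC_INTERNAL_SERVER_ERROR}, which is also 500 but has nothing to do with sockets.
     */
    private static final int SERVER_SOCKET_BACKLOG = 500;

    /**
     * Set once the keystore has been scanned for expired certificates. The flag is not
     * synchronized: concurrent first calls may each run the scan, which only repeats the warnings.
     */
    private static boolean checkedExpiry = false;

    /**
     * Creates a TLS server socket, applies the configured options and binds it.
     *
     * @param encryptionOptions keystore, truststore, protocol and cipher settings
     * @param inetAddress local address to bind to
     * @param i local port to bind to
     * @return the bound server socket
     * @throws IOException if the context cannot be built or the socket cannot be created or bound
     */
    public static SSLServerSocket getServerSocket(EncryptionOptions encryptionOptions, InetAddress inetAddress, int i) throws IOException {
        SSLServerSocket serverSocket = (SSLServerSocket) createSSLContext(encryptionOptions, true).getServerSocketFactory().createServerSocket();
        try {
            serverSocket.setReuseAddress(true);
            prepareSocket(serverSocket, encryptionOptions);
            serverSocket.bind(new InetSocketAddress(inetAddress, i), SERVER_SOCKET_BACKLOG);
            return serverSocket;
        } catch (IOException | RuntimeException e) {
            // Release the descriptor on any failure, not only the few exception types listed before.
            serverSocket.close();
            throw e;
        }
    }

    /**
     * Creates a TLS client socket connected to a remote endpoint from a chosen local endpoint.
     *
     * @param encryptionOptions keystore, truststore, protocol and cipher settings
     * @param inetAddress remote address
     * @param i remote port
     * @param inetAddress2 local address to bind to
     * @param i2 local port to bind to
     * @return the connected socket with the configured options applied
     * @throws IOException if the context cannot be built or the connection fails
     */
    public static SSLSocket getSocket(EncryptionOptions encryptionOptions, InetAddress inetAddress, int i, InetAddress inetAddress2, int i2) throws IOException {
        SSLSocket socket = (SSLSocket) createSSLContext(encryptionOptions, true).getSocketFactory().createSocket(inetAddress, i, inetAddress2, i2);
        try {
            prepareSocket(socket, encryptionOptions);
            return socket;
        } catch (RuntimeException e) {
            // Any failure while configuring must not leak the already-connected socket.
            socket.close();
            throw e;
        }
    }

    /**
     * Creates a TLS client socket connected to a remote endpoint.
     *
     * @param encryptionOptions keystore, truststore, protocol and cipher settings
     * @param inetAddress remote address
     * @param i remote port
     * @return the connected socket with the configured options applied
     * @throws IOException if the context cannot be built or the connection fails
     */
    public static SSLSocket getSocket(EncryptionOptions encryptionOptions, InetAddress inetAddress, int i) throws IOException {
        SSLSocket socket = (SSLSocket) createSSLContext(encryptionOptions, true).getSocketFactory().createSocket(inetAddress, i);
        try {
            prepareSocket(socket, encryptionOptions);
            return socket;
        } catch (RuntimeException e) {
            // Any failure while configuring must not leak the already-connected socket.
            socket.close();
            throw e;
        }
    }

    /**
     * Creates an unconnected TLS client socket with the configured options applied.
     *
     * @param encryptionOptions keystore, truststore, protocol and cipher settings
     * @return the unconnected socket
     * @throws IOException if the context cannot be built or the socket cannot be created
     */
    public static SSLSocket getSocket(EncryptionOptions encryptionOptions) throws IOException {
        SSLSocket socket = (SSLSocket) createSSLContext(encryptionOptions, true).getSocketFactory().createSocket();
        try {
            prepareSocket(socket, encryptionOptions);
            return socket;
        } catch (RuntimeException e) {
            // Any failure while configuring must not leak the socket.
            socket.close();
            throw e;
        }
    }

    /**
     * Applies cipher-suite filtering, optional endpoint identification and the client-auth
     * requirement to a server socket. The statement order is kept as in the original:
     * the SSLParameters are written back before the cipher suites and client-auth flag are set.
     */
    private static void prepareSocket(SSLServerSocket sSLServerSocket, EncryptionOptions encryptionOptions) {
        String[] enabledSuites = filterCipherSuites(sSLServerSocket.getSupportedCipherSuites(), encryptionOptions.cipher_suites);
        if (encryptionOptions.require_endpoint_verification) {
            // NOTE(review): on the server side this can only apply to client certificates, and those
            // are demanded only when require_client_auth is set below - confirm that combination.
            SSLParameters parameters = sSLServerSocket.getSSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
            sSLServerSocket.setSSLParameters(parameters);
        }
        sSLServerSocket.setEnabledCipherSuites(enabledSuites);
        sSLServerSocket.setNeedClientAuth(encryptionOptions.require_client_auth);
    }

    /**
     * Applies cipher-suite filtering and optional endpoint identification to a client socket.
     * Without {@code require_endpoint_verification} the peer's host name is not compared with
     * its certificate.
     */
    private static void prepareSocket(SSLSocket sSLSocket, EncryptionOptions encryptionOptions) {
        String[] enabledSuites = filterCipherSuites(sSLSocket.getSupportedCipherSuites(), encryptionOptions.cipher_suites);
        if (encryptionOptions.require_endpoint_verification) {
            SSLParameters parameters = sSLSocket.getSSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
            sSLSocket.setSSLParameters(parameters);
        }
        sSLSocket.setEnabledCipherSuites(enabledSuites);
    }

    /**
     * Builds an {@link SSLContext} from the configured keystore and, optionally, truststore.
     *
     * <p>When {@code z} is false no trust managers are passed to {@link SSLContext#init}, which
     * then falls back to the default trust managers of the installed providers. Trust checking
     * is therefore not disabled in that case; it just stops using the configured truststore.
     *
     * @param encryptionOptions protocol, algorithm, store type, store paths and passwords
     * @param z whether to load trust managers from {@code encryptionOptions.truststore}
     * @return the initialised context
     * @throws IOException wrapping any failure while loading the stores or initialising the context
     */
    public static SSLContext createSSLContext(EncryptionOptions encryptionOptions, boolean z) throws IOException {
        FileInputStream truststoreStream = null;
        FileInputStream keystoreStream = null;
        try {
            SSLContext context = SSLContext.getInstance(encryptionOptions.protocol);
            TrustManager[] trustManagers = null;
            if (z) {
                truststoreStream = new FileInputStream(encryptionOptions.truststore);
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(encryptionOptions.algorithm);
                KeyStore truststore = KeyStore.getInstance(encryptionOptions.store_type);
                truststore.load(truststoreStream, encryptionOptions.truststore_password.toCharArray());
                trustManagerFactory.init(truststore);
                trustManagers = trustManagerFactory.getTrustManagers();
            }
            keystoreStream = new FileInputStream(encryptionOptions.keystore);
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(encryptionOptions.algorithm);
            KeyStore keystore = KeyStore.getInstance(encryptionOptions.store_type);
            keystore.load(keystoreStream, encryptionOptions.keystore_password.toCharArray());
            if (!checkedExpiry) {
                Enumeration<String> aliases = keystore.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    // getCertificate returns null for an alias that holds no certificate; the
                    // instanceof test skips those instead of failing the whole context build.
                    java.security.cert.Certificate certificate = keystore.getCertificate(alias);
                    if (certificate instanceof X509Certificate) {
                        Date notAfter = ((X509Certificate) certificate).getNotAfter();
                        if (notAfter.before(new Date())) {
                            // Expiry is only reported; the context is still built with the certificate.
                            logger.warn("Certificate for {} expired on {}", alias, notAfter);
                        }
                    }
                }
                checkedExpiry = true;
            }
            keyManagerFactory.init(keystore, encryptionOptions.keystore_password.toCharArray());
            context.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
            return context;
        } catch (Exception e) {
            throw new IOException("Error creating the initializing the SSL Context", e);
        } finally {
            // Best-effort close on every path; a failure to close must not mask the real outcome.
            FileUtils.closeQuietly((Closeable) truststoreStream);
            FileUtils.closeQuietly((Closeable) keystoreStream);
        }
    }

    /**
     * Returns the configured cipher suites that the socket actually supports, in configured order.
     *
     * <p>Suites that are dropped are logged at WARN. If nothing overlaps, the returned array is
     * empty, and the callers in this class pass it straight to {@code setEnabledCipherSuites}.
     *
     * @param strArr cipher suites supported by the socket
     * @param strArr2 cipher suites requested by configuration
     * @return {@code strArr2} itself when both arrays are equal, otherwise the supported subset
     */
    public static String[] filterCipherSuites(String[] strArr, String[] strArr2) {
        if (Arrays.equals(strArr, strArr2)) {
            return strArr2;
        }
        List<String> desired = Arrays.asList(strArr2);
        String[] usable = Iterables.toArray(Iterables.filter(desired, Predicates.in(ImmutableSet.copyOf(strArr))), String.class);
        if (strArr2.length > usable.length && logger.isWarnEnabled()) {
            logger.warn("Filtering out {} as it isn't supported by the socket", Iterables.toString(Iterables.filter(desired, Predicates.not(Predicates.in(Sets.newHashSet(usable))))));
        }
        return usable;
    }
}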
