package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.util.SSLCertificateHelper;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import com.google.common.base.Strings;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:com/floragunn/searchguard/ssl/SearchGuardKeyStore.class */
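/**
 * Loads the TLS key material for Search Guard's transport layer (node-to-node) and
 * HTTP layer (REST) from keystores/truststores named in the node settings, and hands
 * out freshly built Netty {@link SSLEngine}s for each direction.
 *
 * <p>Security properties established by this class:
 * <ul>
 *   <li>Transport TLS is mutual: the server engine is built with
 *       {@link ClientAuth#REQUIRE} and the client engine presents the node key, and
 *       both sides validate the peer against the transport truststore.</li>
 *   <li>HTTPS client-certificate authentication is optional and controlled by
 *       {@code SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENFORCE_CLIENTAUTH}; the HTTP
 *       truststore is only read when it is enabled.</li>
 *   <li>The enabled cipher list is the intersection of
 *       {@code SSLConfigConstants.SECURE_SSL_CIPHERS} with what the selected provider
 *       supports; the enabled protocols come from
 *       {@code SSLConfigConstants.getSecureSSLProtocols()}.</li>
 *   <li>Outbound transport engines verify the peer hostname ("HTTPS" endpoint
 *       identification) only when the caller supplies the peer host.</li>
 * </ul>
 *
 * <p>Every keystore/truststore password defaults to {@code "changeit"} when not set,
 * and the keystore password is also used to decrypt the private key; operators should
 * set these explicitly.
 */
public class SearchGuardKeyStore {
    /** Default keystore/truststore type when the setting is absent. */
    private static final String DEFAULT_STORE_TYPE = "JKS";
    /** Default keystore/truststore password when the setting is absent (the JDK's well-known default). */
    private static final String DEFAULT_STORE_PASSWORD = "changeit";

    private final Settings settings;
    private final ESLogger log = Loggers.getLogger(getClass());
    /** Provider for HTTPS server engines; {@code null} when HTTPS is disabled. */
    public final SslProvider sslHTTPProvider;
    /** Provider for inbound transport engines; {@code null} when transport TLS is disabled. */
    public final SslProvider sslTransportServerProvider;
    /** Provider for outbound transport engines; {@code null} when transport TLS is disabled. */
    public final SslProvider sslTransportClientProvider;
    private final boolean httpSSLEnabled;
    private final boolean transportSSLEnabled;
    // Trust anchors for HTTPS client certs; only populated when client auth is enforced.
    private X509Certificate[] trustedHTTPCertificates;
    // Trust anchors shared by transport server and client engines.
    private X509Certificate[] trustedTransportCertificates;
    private X509Certificate[] httpKeystoreCert;
    private PrivateKey httpKeystoreKey;
    private X509Certificate[] transportKeystoreCert;
    private PrivateKey transportKeystoreKey;
    private boolean enforceHTTPClientAuth;
    private List<String> enabledCiphersJDKProvider;
    private List<String> enabledCiphersOpenSSLProvider;

    /**
     * Warns when the JVM's jurisdiction policy caps AES at less than 256 bits, which
     * silently removes the AES-256 suites from the negotiable set.
     */
    private void printJCEWarnings() {
        try {
            int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
            if (maxAllowedKeyLength < 256) {
                this.log.warn("AES 256 not supported, max key length for AES is " + maxAllowedKeyLength + ". To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'");
            }
        } catch (NoSuchAlgorithmException e) {
            this.log.error("AES encryption not supported. " + e);
        }
    }

    /**
     * Reads the enable/provider settings, loads all key material and computes the
     * per-provider cipher lists.
     *
     * @param settings node settings
     * @throws ElasticsearchException if a required keystore/truststore path is missing
     *         or unreadable, or a store cannot be opened with the configured password
     */
    @Inject
    public SearchGuardKeyStore(Settings settings) {
        this.settings = settings;
        this.httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, false);
        this.transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true);
        boolean httpOpenSslIfAvailable = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
        boolean transportOpenSslIfAvailable = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true);

        // Netty's default*Provider() returns OPENSSL when tcnative is loadable, else JDK.
        if (!this.httpSSLEnabled) {
            this.sslHTTPProvider = null;
        } else if (httpOpenSslIfAvailable) {
            this.sslHTTPProvider = SslContext.defaultServerProvider();
        } else {
            this.sslHTTPProvider = SslProvider.JDK;
        }

        if (!this.transportSSLEnabled) {
            this.sslTransportClientProvider = null;
            this.sslTransportServerProvider = null;
        } else if (transportOpenSslIfAvailable) {
            this.sslTransportClientProvider = SslContext.defaultClientProvider();
            this.sslTransportServerProvider = SslContext.defaultServerProvider();
        } else {
            this.sslTransportClientProvider = SslProvider.JDK;
            this.sslTransportServerProvider = SslProvider.JDK;
        }

        if ((this.httpSSLEnabled && httpOpenSslIfAvailable) || (this.transportSSLEnabled && transportOpenSslIfAvailable)) {
            logOpenSSLInfos();
        }

        initSSLConfig();
        initEnabledSSLCiphers();
        printJCEWarnings();
        this.log.info("sslTransportClientProvider:{} with ciphers {}", this.sslTransportClientProvider, getEnabledSSLCiphers(this.sslTransportClientProvider));
        this.log.info("sslTransportServerProvider:{} with ciphers {}", this.sslTransportServerProvider, getEnabledSSLCiphers(this.sslTransportServerProvider));
        this.log.info("sslHTTPProvider:{} with ciphers {}", this.sslHTTPProvider, getEnabledSSLCiphers(this.sslHTTPProvider));
    }

    /**
     * Loads transport key material when transport TLS is on, and HTTPS key material
     * when HTTPS is on and this process is a node ({@code client.type == "node"});
     * a transport client never serves HTTP, so it needs no HTTPS keystore.
     */
    private void initSSLConfig() {
        if (this.transportSSLEnabled) {
            loadTransportMaterial(new Environment(this.settings));
        }
        if (this.httpSSLEnabled && "node".equals(this.settings.get("client.type"))) {
            loadHttpMaterial(new Environment(this.settings));
        }
    }

    /**
     * Resolves a path setting relative to the ES config directory.
     *
     * @return the absolute path, or {@code null} when the setting is unset/empty.
     *         (Resolving an empty string first would yield the config directory itself
     *         and make the "must be set" check unreachable.)
     */
    private String resolveConfigPath(Environment environment, String settingKey) {
        String configured = this.settings.get(settingKey, "");
        if (Strings.isNullOrEmpty(configured)) {
            return null;
        }
        return environment.configFile().resolve(configured).toAbsolutePath().toString();
    }

    /**
     * Fails unless {@code path} is a readable regular file (symlinks are not followed
     * for the directory test).
     *
     * @param errorPrefix message prefix; the path is appended to it
     */
    private static void requireReadableFile(String path, String errorPrefix) {
        Path candidate = Paths.get(path);
        if (Files.isDirectory(candidate, LinkOption.NOFOLLOW_LINKS) || !Files.isReadable(candidate)) {
            throw new ElasticsearchException(errorPrefix + path);
        }
    }

    /**
     * Opens a keystore of the given type from disk, closing the file afterwards.
     */
    private static KeyStore loadKeyStore(String type, String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(new File(path))) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /** Loads the transport node key/cert chain and the transport trust anchors; both stores are mandatory. */
    private void loadTransportMaterial(Environment environment) {
        String keystorePath = resolveConfigPath(environment, SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH);
        if (keystorePath == null) {
            throw new ElasticsearchException("searchguard.ssl.transport.keystore_filepath must be set if transport ssl is reqested.");
        }
        requireReadableFile(keystorePath, "No such keystore file ");

        String truststorePath = resolveConfigPath(environment, SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH);
        if (truststorePath == null) {
            throw new ElasticsearchException("searchguard.ssl.transport.truststore_filepath must be set if transport ssl is reqested.");
        }
        requireReadableFile(truststorePath, "No such truststore file ");

        String keystoreType = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
        char[] keystorePassword = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, DEFAULT_STORE_PASSWORD).toCharArray();
        String keystoreAlias = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, (String) null);
        String truststoreType = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
        char[] truststorePassword = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, DEFAULT_STORE_PASSWORD).toCharArray();
        String truststoreAlias = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_ALIAS, (String) null);

        try {
            KeyStore keyStore = loadKeyStore(keystoreType, keystorePath, keystorePassword);
            this.transportKeystoreCert = SSLCertificateHelper.exportCertificateChain(keyStore, keystoreAlias);
            // The keystore password doubles as the key-entry password.
            this.transportKeystoreKey = SSLCertificateHelper.exportDecryptedKey(keyStore, keystoreAlias, keystorePassword);
            KeyStore trustStore = loadKeyStore(truststoreType, truststorePath, truststorePassword);
            this.trustedTransportCertificates = SSLCertificateHelper.exportCertificateChain(trustStore, truststoreAlias);
        } catch (Exception e) {
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    /**
     * Loads the HTTPS server key/cert chain, plus the HTTP trust anchors when client
     * certificate authentication is enforced (the truststore is otherwise not read).
     */
    private void loadHttpMaterial(Environment environment) {
        String keystorePath = resolveConfigPath(environment, SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_FILEPATH);
        String keystoreType = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
        char[] keystorePassword = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_PASSWORD, DEFAULT_STORE_PASSWORD).toCharArray();
        String keystoreAlias = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_ALIAS, (String) null);
        this.enforceHTTPClientAuth = this.settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENFORCE_CLIENTAUTH, false);
        String truststorePath = resolveConfigPath(environment, SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH);

        if (keystorePath == null) {
            throw new ElasticsearchException("searchguard.ssl.http.keystore_filepath must be set if https is reqested.");
        }
        requireReadableFile(keystorePath, "No such keystore file (for https) ");
        if (this.enforceHTTPClientAuth) {
            if (truststorePath == null) {
                throw new ElasticsearchException("{} must not be null or empty if {} is true", SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH, SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENFORCE_CLIENTAUTH);
            }
            requireReadableFile(truststorePath, "No such truststore file (for https) ");
        }

        try {
            KeyStore keyStore = loadKeyStore(keystoreType, keystorePath, keystorePassword);
            this.httpKeystoreCert = SSLCertificateHelper.exportCertificateChain(keyStore, keystoreAlias);
            // The keystore password doubles as the key-entry password.
            this.httpKeystoreKey = SSLCertificateHelper.exportDecryptedKey(keyStore, keystoreAlias, keystorePassword);
            if (this.enforceHTTPClientAuth) {
                String truststoreType = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
                char[] truststorePassword = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_PASSWORD, DEFAULT_STORE_PASSWORD).toCharArray();
                String truststoreAlias = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_ALIAS, (String) null);
                KeyStore trustStore = loadKeyStore(truststoreType, truststorePath, truststorePassword);
                this.trustedHTTPCertificates = SSLCertificateHelper.exportCertificateChain(trustStore, truststoreAlias);
            }
        } catch (Exception e) {
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    /** Pins the engine to the secure protocol list and returns it. */
    private static SSLEngine restrictProtocols(SSLEngine engine) {
        engine.setEnabledProtocols(SSLConfigConstants.getSecureSSLProtocols());
        return engine;
    }

    /**
     * Builds a server-side engine for HTTPS. Client certificates are required only
     * when {@code enforce_clientauth} is set, in which case the HTTP truststore is the
     * trust anchor set; with {@link ClientAuth#NONE} no trust manager is installed.
     *
     * @throws ElasticsearchException if no HTTPS keystore was loaded (HTTPS disabled
     *         or not a node)
     * @throws SSLException if the Netty context cannot be built
     */
    public SSLEngine createHTTPSSLEngine() throws SSLException {
        if (this.httpKeystoreKey == null || this.httpKeystoreCert == null) {
            throw new ElasticsearchException("No keystore configured for https");
        }
        SslContextBuilder builder = SslContextBuilder.forServer(this.httpKeystoreKey, this.httpKeystoreCert)
                .ciphers(getEnabledSSLCiphers(this.sslHTTPProvider))
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .clientAuth(this.enforceHTTPClientAuth ? ClientAuth.REQUIRE : ClientAuth.NONE)
                // NOTE(review): in Netty's builder 0 means "provider default", not "disabled" — confirm if session resumption must be off.
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(this.sslHTTPProvider);
        if (this.enforceHTTPClientAuth) {
            builder.trustManager(this.trustedHTTPCertificates);
        }
        return restrictProtocols(buildSSLContext(builder).newEngine(PooledByteBufAllocator.DEFAULT));
    }

    /**
     * Builds a server-side engine for inbound transport connections. Mutual TLS: the
     * peer must present a certificate chaining to the transport truststore.
     *
     * @throws ElasticsearchException if no transport truststore was loaded
     * @throws SSLException if the Netty context cannot be built
     */
    public SSLEngine createServerTransportSSLEngine() throws SSLException {
        if (this.trustedTransportCertificates == null) {
            throw new ElasticsearchException("No truststore configured for server");
        }
        SslContextBuilder builder = SslContextBuilder.forServer(this.transportKeystoreKey, this.transportKeystoreCert)
                .ciphers(getEnabledSSLCiphers(this.sslTransportServerProvider))
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .clientAuth(ClientAuth.REQUIRE)
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(this.sslTransportServerProvider)
                .trustManager(this.trustedTransportCertificates);
        return restrictProtocols(buildSSLContext(builder).newEngine(PooledByteBufAllocator.DEFAULT));
    }

    /**
     * Builds a client-side engine for an outbound transport connection. The engine
     * presents the node key for mutual TLS and trusts the transport truststore.
     *
     * <p>When {@code peerHost} is given, "HTTPS" endpoint identification is enabled so
     * the peer certificate is checked against that host name. When it is {@code null},
     * NO hostname verification takes place (only chain validation) — callers should
     * pass the peer host whenever it is known.
     *
     * @param peerHost peer host name used for SNI and hostname verification, or {@code null}
     * @param peerPort peer port (only used together with {@code peerHost})
     * @throws ElasticsearchException if no transport truststore was loaded
     * @throws SSLException if the Netty context cannot be built
     */
    public SSLEngine createClientTransportSSLEngine(String peerHost, int peerPort) throws SSLException {
        if (this.trustedTransportCertificates == null) {
            throw new ElasticsearchException("No truststore configured for client");
        }
        SslContext context = buildSSLContext(SslContextBuilder.forClient()
                .ciphers(getEnabledSSLCiphers(this.sslTransportClientProvider))
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(this.sslTransportClientProvider)
                .trustManager(this.trustedTransportCertificates)
                .keyManager(this.transportKeystoreKey, this.transportKeystoreCert));
        if (peerHost == null) {
            return restrictProtocols(context.newEngine(PooledByteBufAllocator.DEFAULT));
        }
        SSLEngine engine = context.newEngine(PooledByteBufAllocator.DEFAULT, peerHost, peerPort);
        // A fresh SSLParameters leaves cipher suites/protocols null, which the JDK treats
        // as "unchanged"; protocols are pinned explicitly below anyway.
        // NOTE(review): the JDK engine honours endpointIdentificationAlgorithm; confirm
        // the OpenSSL engine shipped with this Netty version does too, otherwise
        // hostname verification is silently absent on that provider.
        SSLParameters params = new SSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return restrictProtocols(engine);
    }

    /** Logs whether netty-tcnative/OpenSSL is usable and, at debug level, what it offers. */
    private void logOpenSSLInfos() {
        if (!OpenSsl.isAvailable()) {
            this.log.info("Open SSL not available because of " + OpenSsl.unavailabilityCause());
            return;
        }
        this.log.info("Open SSL " + OpenSsl.versionString() + " available");
        this.log.debug("Open SSL available ciphers " + OpenSsl.availableCipherSuites());
        this.log.debug("Open SSL ALPN supported " + OpenSsl.isAlpnSupported());
    }

    /**
     * @return the cipher list computed for {@code sslProvider}; empty when the provider
     *         is {@code null} (that layer's TLS is disabled)
     */
    private List<String> getEnabledSSLCiphers(SslProvider sslProvider) {
        if (sslProvider == null) {
            return Collections.emptyList();
        }
        return sslProvider == SslProvider.JDK ? this.enabledCiphersJDKProvider : this.enabledCiphersOpenSSLProvider;
    }

    /**
     * Computes, for each provider, the subset of {@code SECURE_SSL_CIPHERS} it can
     * actually negotiate. The OpenSSL list keeps the order of {@code SECURE_SSL_CIPHERS}
     * (assumed to be preference order); the JDK list is whatever the JDK engine
     * accepts from that subset.
     */
    private void initEnabledSSLCiphers() {
        if (OpenSsl.isAvailable()) {
            // LinkedHashSet: de-duplicate without losing the configured order.
            Set<String> availableForOpenSsl = new LinkedHashSet<>();
            for (String cipher : SSLConfigConstants.SECURE_SSL_CIPHERS) {
                if (OpenSsl.isCipherSuiteAvailable(cipher)) {
                    availableForOpenSsl.add(cipher);
                }
            }
            this.enabledCiphersOpenSSLProvider = Collections.unmodifiableList(new ArrayList<>(availableForOpenSsl));
        } else {
            this.enabledCiphersOpenSSLProvider = Collections.emptyList();
        }
        try {
            SSLContext probeContext = SSLContext.getInstance("TLS");
            probeContext.init(null, null, null);
            SSLEngine probe = probeContext.createSSLEngine();
            List<String> candidates = new ArrayList<>(Arrays.asList(probe.getSupportedCipherSuites()));
            candidates.retainAll(SSLConfigConstants.SECURE_SSL_CIPHERS);
            probe.setEnabledCipherSuites(candidates.toArray(new String[candidates.size()]));
            this.enabledCiphersJDKProvider = Collections.unmodifiableList(Arrays.asList(probe.getEnabledCipherSuites()));
        } catch (Exception e) {
            // Previously swallowed silently; an empty list means the JDK provider
            // will have no ciphers at all, which operators need to see.
            this.log.error("Unable to determine JDK cipher suites, none will be enabled for the JDK provider. " + e);
            this.enabledCiphersJDKProvider = Collections.emptyList();
        }
    }

    /**
     * Builds the Netty context inside a privileged block. Under the ES security
     * manager the caller must hold {@link SpecialPermission} before the escalation,
     * following the standard ES pattern for {@code doPrivileged}.
     *
     * @throws SSLException the build failure, unwrapped from the privileged action
     */
    private SslContext buildSSLContext(final SslContextBuilder sslContextBuilder) throws SSLException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<SslContext>() {
                @Override
                public SslContext run() throws Exception {
                    return sslContextBuilder.build();
                }
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof SSLException) {
                throw (SSLException) cause;
            }
            // build() only declares SSLException, but never turn anything else into a ClassCastException.
            throw new SSLException("Unable to build SSL context", cause);
        }
    }
}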
