package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.util.SSLCertificateHelper;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:com/floragunn/searchguard/ssl/SearchGuardKeyStore.class */
public class SearchGuardKeyStore {
    private static final String DEFAULT_STORE_TYPE = "JKS";
    private static final String DEFAULT_STORE_PASSWORD = "changeit";
    private final Settings settings;
    private final Logger log = LogManager.getLogger(getClass());
    public final SslProvider sslHTTPProvider;
    public final SslProvider sslTransportServerProvider;
    public final SslProvider sslTransportClientProvider;
    private final boolean httpSSLEnabled;
    private final boolean transportSSLEnabled;
    private X509Certificate[] trustedHTTPCertificates;
    private X509Certificate[] trustedTransportCertificates;
    private X509Certificate[] httpKeystoreCert;
    private PrivateKey httpKeystoreKey;
    private X509Certificate[] transportKeystoreCert;
    private PrivateKey transportKeystoreKey;
    private ClientAuth httpClientAuthMode;
    private List<String> enabledHttpCiphersJDKProvider;
    private List<String> enabledHttpCiphersOpenSSLProvider;
    private List<String> enabledTransportCiphersJDKProvider;
    private List<String> enabledTransportCiphersOpenSSLProvider;
    private SslContext httpSslContext;
    private SslContext transportServerSslContext;
    private SslContext transportClientSslContext;

    private void printJCEWarnings() {
        try {
            int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
            if (maxAllowedKeyLength < 256) {
                this.log.info("AES-256 not supported, max key length for AES is " + maxAllowedKeyLength + " bit.. That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'");
            }
        } catch (NoSuchAlgorithmException e) {
            this.log.error("AES encryption not supported (SG 1). " + e);
        }
    }

    @Inject
    public SearchGuardKeyStore(Settings settings) {
        this.settings = settings;
        this.httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, false).booleanValue();
        this.transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true).booleanValue();
        boolean booleanValue = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true).booleanValue();
        boolean booleanValue2 = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true).booleanValue();
        if (this.httpSSLEnabled && booleanValue) {
            this.sslHTTPProvider = SslContext.defaultServerProvider();
            logOpenSSLInfos();
        } else if (this.httpSSLEnabled) {
            this.sslHTTPProvider = SslProvider.JDK;
        } else {
            this.sslHTTPProvider = null;
        }
        if (this.transportSSLEnabled && booleanValue2) {
            this.sslTransportClientProvider = SslContext.defaultClientProvider();
            this.sslTransportServerProvider = SslContext.defaultServerProvider();
            logOpenSSLInfos();
        } else if (this.transportSSLEnabled) {
            SslProvider sslProvider = SslProvider.JDK;
            this.sslTransportServerProvider = sslProvider;
            this.sslTransportClientProvider = sslProvider;
        } else {
            this.sslTransportServerProvider = null;
            this.sslTransportClientProvider = null;
        }
        initEnabledSSLCiphers();
        initSSLConfig();
        printJCEWarnings();
        this.log.info("sslTransportClientProvider:{} with ciphers {}", this.sslTransportClientProvider, getEnabledSSLCiphers(this.sslTransportClientProvider, false));
        this.log.info("sslTransportServerProvider:{} with ciphers {}", this.sslTransportServerProvider, getEnabledSSLCiphers(this.sslTransportServerProvider, false));
        this.log.info("sslHTTPProvider:{} with ciphers {}", this.sslHTTPProvider, getEnabledSSLCiphers(this.sslHTTPProvider, true));
        this.log.info("sslTransport protocols {}", Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(settings, false)));
        this.log.info("sslHTTP protocols {}", Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(settings, true)));
        if (this.transportSSLEnabled && (getEnabledSSLCiphers(this.sslTransportClientProvider, false).isEmpty() || getEnabledSSLCiphers(this.sslTransportServerProvider, false).isEmpty())) {
            throw new ElasticsearchSecurityException("no valid cipher suites for transport protocol", new Object[0]);
        }
        if (this.httpSSLEnabled && getEnabledSSLCiphers(this.sslHTTPProvider, true).isEmpty()) {
            throw new ElasticsearchSecurityException("no valid cipher suites for http", new Object[0]);
        }
        if (this.transportSSLEnabled && SSLConfigConstants.getSecureSSLProtocols(settings, false).length == 0) {
            throw new ElasticsearchSecurityException("no ssl protocols for transport protocol", new Object[0]);
        }
        if (this.httpSSLEnabled && SSLConfigConstants.getSecureSSLProtocols(settings, true).length == 0) {
            throw new ElasticsearchSecurityException("no ssl protocols for http", new Object[0]);
        }
    }

    private void initSSLConfig() {
        Environment environment = new Environment(this.settings);
        this.log.info("Config directory is {}/, from there the key- and truststore files are resolved relatively", environment.configFile().toAbsolutePath());
        if (this.transportSSLEnabled) {
            String path = environment.configFile().resolve(this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "")).toAbsolutePath().toString();
            String str = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
            String str2 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, DEFAULT_STORE_PASSWORD);
            String str3 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS, (String) null);
            String path2 = environment.configFile().resolve(this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "")).toAbsolutePath().toString();
            if (this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, (String) null) == null) {
                throw new ElasticsearchException("searchguard.ssl.transport.keystore_filepath must be set if transport ssl is reqested.", new Object[0]);
            }
            checkStorePath(path);
            if (this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, (String) null) == null) {
                throw new ElasticsearchException("searchguard.ssl.transport.truststore_filepath must be set if transport ssl is reqested.", new Object[0]);
            }
            checkStorePath(path2);
            String str4 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
            String str5 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, DEFAULT_STORE_PASSWORD);
            String str6 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_ALIAS, (String) null);
            try {
                KeyStore keyStore = KeyStore.getInstance(str);
                keyStore.load(new FileInputStream(new File(path)), (str2 == null || str2.length() == 0) ? null : str2.toCharArray());
                this.transportKeystoreCert = SSLCertificateHelper.exportCertificateChain(keyStore, str3);
                this.transportKeystoreKey = SSLCertificateHelper.exportDecryptedKey(keyStore, str3, (str2 == null || str2.length() == 0) ? null : str2.toCharArray());
                if (this.transportKeystoreKey == null) {
                    throw new ElasticsearchException("No key found in " + path + " with alias " + str3, new Object[0]);
                }
                if (this.transportKeystoreCert == null || this.transportKeystoreCert.length <= 0) {
                    throw new ElasticsearchException("No certificates found in " + path + " with alias " + str3, new Object[0]);
                }
                KeyStore keyStore2 = KeyStore.getInstance(str4);
                keyStore2.load(new FileInputStream(new File(path2)), (str5 == null || str5.length() == 0) ? null : str5.toCharArray());
                this.trustedTransportCertificates = SSLCertificateHelper.exportCertificateChain(keyStore2, str6);
                if (this.trustedTransportCertificates == null) {
                    throw new ElasticsearchException("No truststore configured for server", new Object[0]);
                }
                this.transportServerSslContext = buildSSLContext(SslContextBuilder.forServer(this.transportKeystoreKey, this.transportKeystoreCert).ciphers(getEnabledSSLCiphers(this.sslTransportServerProvider, false)).applicationProtocolConfig(ApplicationProtocolConfig.DISABLED).clientAuth(ClientAuth.REQUIRE).sessionCacheSize(0L).sessionTimeout(0L).sslProvider(this.sslTransportServerProvider).trustManager(this.trustedTransportCertificates));
                if (this.trustedTransportCertificates == null) {
                    throw new ElasticsearchException("No truststore configured for client", new Object[0]);
                }
                this.transportClientSslContext = buildSSLContext(SslContextBuilder.forClient().ciphers(getEnabledSSLCiphers(this.sslTransportClientProvider, false)).applicationProtocolConfig(ApplicationProtocolConfig.DISABLED).sessionCacheSize(0L).sessionTimeout(0L).sslProvider(this.sslTransportClientProvider).trustManager(this.trustedTransportCertificates).keyManager(this.transportKeystoreKey, this.transportKeystoreCert));
            } catch (Exception e) {
                throw new ElasticsearchSecurityException("Error while initializing transport SSL layer: " + e.toString(), e, new Object[0]);
            }
        }
        if ((!"node".equals(this.settings.get("client.type"))) || !this.httpSSLEnabled) {
            return;
        }
        String path3 = environment.configFile().resolve(this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_FILEPATH, "")).toAbsolutePath().toString();
        String str7 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
        String str8 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_PASSWORD, DEFAULT_STORE_PASSWORD);
        String str9 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_ALIAS, (String) null);
        this.httpClientAuthMode = ClientAuth.valueOf(this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CLIENTAUTH_MODE, ClientAuth.OPTIONAL.toString()));
        if (this.settings.get("searchguard.ssl.http.enforce_clientauth") != null) {
            this.log.error("{} is deprecated and replaced by {}", "searchguard.ssl.http.enforce_clientauth", SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CLIENTAUTH_MODE);
            throw new RuntimeException("searchguard.ssl.http.enforce_clientauth is deprecated");
        }
        this.log.info("HTTPS client auth mode {}", this.httpClientAuthMode);
        String path4 = environment.configFile().resolve(this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH, "")).toAbsolutePath().toString();
        if (this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_FILEPATH, (String) null) == null) {
            throw new ElasticsearchException("searchguard.ssl.http.keystore_filepath must be set if https is reqested.", new Object[0]);
        }
        checkStorePath(path3);
        if (this.httpClientAuthMode == ClientAuth.REQUIRE && this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH, (String) null) == null) {
            throw new ElasticsearchException("searchguard.ssl.http.truststore_filepath must be set if http ssl and client auth is reqested.", new Object[0]);
        }
        try {
            KeyStore keyStore3 = KeyStore.getInstance(str7);
            keyStore3.load(new FileInputStream(new File(path3)), (str8 == null || str8.length() == 0) ? null : str8.toCharArray());
            this.httpKeystoreCert = SSLCertificateHelper.exportCertificateChain(keyStore3, str9);
            this.httpKeystoreKey = SSLCertificateHelper.exportDecryptedKey(keyStore3, str9, (str8 == null || str8.length() == 0) ? null : str8.toCharArray());
            if (this.httpKeystoreKey == null) {
                throw new ElasticsearchException("No key found in " + path3 + " with alias " + str9, new Object[0]);
            }
            if (this.httpKeystoreCert == null || this.httpKeystoreCert.length <= 0) {
                throw new ElasticsearchException("No certificates found in " + path3 + " with alias " + str9, new Object[0]);
            }
            if (this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH, (String) null) != null) {
                checkStorePath(path4);
                String str10 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
                String str11 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_PASSWORD, DEFAULT_STORE_PASSWORD);
                String str12 = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_ALIAS, (String) null);
                KeyStore keyStore4 = KeyStore.getInstance(str10);
                keyStore4.load(new FileInputStream(new File(path4)), (str11 == null || str11.length() == 0) ? null : str11.toCharArray());
                this.trustedHTTPCertificates = SSLCertificateHelper.exportCertificateChain(keyStore4, str12);
            }
            SslContextBuilder sslProvider = SslContextBuilder.forServer(this.httpKeystoreKey, this.httpKeystoreCert).ciphers(getEnabledSSLCiphers(this.sslHTTPProvider, true)).applicationProtocolConfig(ApplicationProtocolConfig.DISABLED).clientAuth((ClientAuth) Objects.requireNonNull(this.httpClientAuthMode)).sessionCacheSize(0L).sessionTimeout(0L).sslProvider(this.sslHTTPProvider);
            if (this.trustedHTTPCertificates != null && this.trustedHTTPCertificates.length > 0) {
                sslProvider.trustManager(this.trustedHTTPCertificates);
            }
            this.httpSslContext = buildSSLContext(sslProvider);
        } catch (Exception e2) {
            throw new ElasticsearchSecurityException("Error while initializing HTTP SSL layer: " + e2.toString(), e2, new Object[0]);
        }
    }

    public SSLEngine createHTTPSSLEngine() throws SSLException {
        SSLEngine newEngine = this.httpSslContext.newEngine(PooledByteBufAllocator.DEFAULT);
        newEngine.setEnabledProtocols(SSLConfigConstants.getSecureSSLProtocols(this.settings, true));
        return newEngine;
    }

    public SSLEngine createServerTransportSSLEngine() throws SSLException {
        SSLEngine newEngine = this.transportServerSslContext.newEngine(PooledByteBufAllocator.DEFAULT);
        newEngine.setEnabledProtocols(SSLConfigConstants.getSecureSSLProtocols(this.settings, false));
        return newEngine;
    }

    public SSLEngine createClientTransportSSLEngine(String str, int i) throws SSLException {
        if (str == null) {
            SSLEngine newEngine = this.transportClientSslContext.newEngine(PooledByteBufAllocator.DEFAULT);
            newEngine.setEnabledProtocols(SSLConfigConstants.getSecureSSLProtocols(this.settings, false));
            return newEngine;
        }
        SSLEngine newEngine2 = this.transportClientSslContext.newEngine(PooledByteBufAllocator.DEFAULT, str, i);
        SSLParameters sSLParameters = new SSLParameters();
        sSLParameters.setEndpointIdentificationAlgorithm("HTTPS");
        newEngine2.setSSLParameters(sSLParameters);
        newEngine2.setEnabledProtocols(SSLConfigConstants.getSecureSSLProtocols(this.settings, false));
        return newEngine2;
    }

    private void logOpenSSLInfos() {
        if (!OpenSsl.isAvailable()) {
            this.log.info("Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of " + OpenSsl.unavailabilityCause());
        } else {
            this.log.info("Open SSL " + OpenSsl.versionString() + " available");
            this.log.debug("Open SSL available ciphers " + OpenSsl.availableCipherSuites());
        }
    }

    private List<String> getEnabledSSLCiphers(SslProvider sslProvider, boolean z) {
        return sslProvider == null ? Collections.emptyList() : z ? sslProvider == SslProvider.JDK ? this.enabledHttpCiphersJDKProvider : this.enabledHttpCiphersOpenSSLProvider : sslProvider == SslProvider.JDK ? this.enabledTransportCiphersJDKProvider : this.enabledTransportCiphersOpenSSLProvider;
    }

    /* JADX WARN: Finally extract failed */
    private void initEnabledSSLCiphers() {
        List<String> secureSSLCiphers = SSLConfigConstants.getSecureSSLCiphers(this.settings, true);
        if (OpenSsl.isAvailable()) {
            HashSet hashSet = new HashSet();
            for (String str : secureSSLCiphers) {
                if (OpenSsl.isCipherSuiteAvailable(str)) {
                    hashSet.add(str);
                }
            }
            this.enabledHttpCiphersOpenSSLProvider = Collections.unmodifiableList(new ArrayList(hashSet));
        } else {
            this.enabledHttpCiphersOpenSSLProvider = Collections.emptyList();
        }
        SSLEngine sSLEngine = null;
        try {
            try {
                SSLContext sSLContext = SSLContext.getInstance("TLS");
                sSLContext.init(null, null, null);
                sSLEngine = sSLContext.createSSLEngine();
                ArrayList arrayList = new ArrayList(Arrays.asList(sSLEngine.getSupportedCipherSuites()));
                arrayList.retainAll(secureSSLCiphers);
                sSLEngine.setEnabledCipherSuites((String[]) arrayList.toArray(new String[0]));
                this.enabledHttpCiphersJDKProvider = Collections.unmodifiableList(Arrays.asList(sSLEngine.getEnabledCipherSuites()));
                if (sSLEngine != null) {
                    try {
                        sSLEngine.closeInbound();
                    } catch (SSLException e) {
                        e.printStackTrace();
                    }
                    sSLEngine.closeOutbound();
                }
            } catch (Throwable th) {
                if (sSLEngine != null) {
                    try {
                        sSLEngine.closeInbound();
                    } catch (SSLException e2) {
                        e2.printStackTrace();
                    }
                    sSLEngine.closeOutbound();
                }
                throw th;
            }
        } catch (Exception e3) {
            this.enabledHttpCiphersJDKProvider = Collections.emptyList();
            if (sSLEngine != null) {
                try {
                    sSLEngine.closeInbound();
                } catch (SSLException e4) {
                    e4.printStackTrace();
                }
                sSLEngine.closeOutbound();
            }
        }
        List<String> secureSSLCiphers2 = SSLConfigConstants.getSecureSSLCiphers(this.settings, false);
        if (OpenSsl.isAvailable()) {
            HashSet hashSet2 = new HashSet();
            for (String str2 : secureSSLCiphers2) {
                if (OpenSsl.isCipherSuiteAvailable(str2)) {
                    hashSet2.add(str2);
                }
            }
            this.enabledTransportCiphersOpenSSLProvider = Collections.unmodifiableList(new ArrayList(hashSet2));
        } else {
            this.enabledTransportCiphersOpenSSLProvider = Collections.emptyList();
        }
        try {
            try {
                SSLContext sSLContext2 = SSLContext.getInstance("TLS");
                sSLContext2.init(null, null, null);
                sSLEngine = sSLContext2.createSSLEngine();
                ArrayList arrayList2 = new ArrayList(Arrays.asList(sSLEngine.getSupportedCipherSuites()));
                arrayList2.retainAll(secureSSLCiphers2);
                sSLEngine.setEnabledCipherSuites((String[]) arrayList2.toArray(new String[0]));
                this.enabledTransportCiphersJDKProvider = Collections.unmodifiableList(Arrays.asList(sSLEngine.getEnabledCipherSuites()));
                if (sSLEngine != null) {
                    try {
                        sSLEngine.closeInbound();
                    } catch (SSLException e5) {
                        e5.printStackTrace();
                    }
                    sSLEngine.closeOutbound();
                }
            } catch (Throwable th2) {
                if (sSLEngine != null) {
                    try {
                        sSLEngine.closeInbound();
                    } catch (SSLException e6) {
                        e6.printStackTrace();
                    }
                    sSLEngine.closeOutbound();
                }
                throw th2;
            }
        } catch (Exception e7) {
            this.enabledTransportCiphersJDKProvider = Collections.emptyList();
            if (sSLEngine != null) {
                try {
                    sSLEngine.closeInbound();
                } catch (SSLException e8) {
                    e8.printStackTrace();
                }
                sSLEngine.closeOutbound();
            }
        }
    }

    private SslContext buildSSLContext(final SslContextBuilder sslContextBuilder) throws SSLException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return (SslContext) AccessController.doPrivileged(new PrivilegedExceptionAction<SslContext>() { // from class: com.floragunn.searchguard.ssl.SearchGuardKeyStore.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public SslContext run() throws Exception {
                    return sslContextBuilder.build();
                }
            });
        } catch (PrivilegedActionException e) {
            throw ((SSLException) e.getCause());
        }
    }

    private static void checkStorePath(String str) {
        if (Files.isDirectory(Paths.get(str, new String[0]), LinkOption.NOFOLLOW_LINKS)) {
            throw new ElasticsearchException("Is a directory: " + str + " Expected file!", new Object[0]);
        }
        if (!Files.isReadable(Paths.get(str, new String[0]))) {
            throw new ElasticsearchException("Unable to read " + str + " (" + Paths.get(str, new String[0]) + ") Please make sure this files exists and is readable regarding to permissions", new Object[0]);
        }
    }
}
