package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:com/floragunn/searchguard/ssl/DefaultSearchGuardKeyStore.class */
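/**
 * Builds the Netty {@link SslContext}s used for the HTTP and transport layers from the
 * Search Guard SSL settings and hands out {@link SSLEngine}s created from them.
 *
 * <p>Construction decides, per layer, whether TLS is enabled at all and which
 * {@link SslProvider} (OpenSSL via netty-tcnative, or the JDK's JSSE) backs it, computes the
 * cipher suites that are both configured and actually supported by that provider, and then
 * fails fast ({@link ElasticsearchSecurityException}) when an enabled layer would end up with
 * no usable cipher suites or protocols.
 *
 * <p>Note: this class was recovered from a decompiler; {@link #initSSLConfig()} was not
 * recovered and is a stub that throws.
 */
public class DefaultSearchGuardKeyStore implements SearchGuardKeyStore {
    private static final String DEFAULT_STORE_TYPE = "JKS";
    /**
     * OpenSSL version number (0x10002000 == 268443648) below which an "outdated" warning is
     * logged. In OpenSSL's MNNFFPPS numbering this is the start of the 1.0.2 line; the
     * comparison therefore ignores the patch letter, so it is looser than the "1.0.2k" named
     * in the warning text.
     */
    private static final int MIN_RECOMMENDED_OPENSSL_VERSION = 0x10002000;

    private final Settings settings;
    private final Logger log = LogManager.getLogger(getClass());
    /** Provider for the HTTP layer; null when HTTP TLS is disabled. */
    public final SslProvider sslHTTPProvider;
    /** Provider for the server side of the transport layer; null when transport TLS is disabled. */
    public final SslProvider sslTransportServerProvider;
    /** Provider for the client side of the transport layer; null when transport TLS is disabled. */
    public final SslProvider sslTransportClientProvider;
    private final boolean httpSSLEnabled;
    private final boolean transportSSLEnabled;
    // Cipher suites that are configured AND supported, per layer and per provider.
    private List<String> enabledHttpCiphersJDKProvider;
    private List<String> enabledHttpCiphersOpenSSLProvider;
    private List<String> enabledTransportCiphersJDKProvider;
    private List<String> enabledTransportCiphersOpenSSLProvider;
    // Populated by initSSLConfig() (body not recovered, see below); may be null for a disabled layer.
    private SslContext httpSslContext;
    private SslContext transportServerSslContext;
    private SslContext transportClientSslContext;
    // Node environment used to resolve relative file paths against the config directory; may be null.
    private final Environment env;

    /**
     * Logs whether the JVM's crypto policy allows AES-256; a limit below 256 bit is informational
     * only (it bounds the achievable encryption strength, it does not disable TLS).
     */
    private void printJCEWarnings() {
        try {
            final int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
            if (maxAllowedKeyLength < 256) {
                this.log.info("AES-256 not supported, max key length for AES is " + maxAllowedKeyLength + " bit. (This is not an issue, it just limits possible encryption strength. To enable AES 256, install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files')");
            }
        } catch (NoSuchAlgorithmException e) {
            this.log.error("AES encryption not supported (SG 1). " + e);
        }
    }

    /**
     * Creates the key store from the node settings.
     *
     * @param settings node settings (SSL configuration is read from the SSLConfigConstants keys)
     * @param path     node config path used to build the {@link Environment}; an environment that
     *                 cannot be created is tolerated (file paths are then used as given)
     * @throws ElasticsearchSecurityException when an enabled layer has no usable cipher suites or
     *                                        no enabled TLS protocols
     */
    public DefaultSearchGuardKeyStore(Settings settings, Path path) {
        this.settings = settings;
        this.env = tryCreateEnvironment(settings, path);
        this.httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, false);
        this.transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true);
        final boolean httpOpenSslIfAvailable = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
        final boolean transportOpenSslIfAvailable = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true);

        // Netty's default*Provider() picks OpenSSL when netty-tcnative is usable and JDK otherwise;
        // the OpenSSL details are logged once, not once per layer.
        boolean openSslInfosLogged = false;
        if (this.httpSSLEnabled && httpOpenSslIfAvailable) {
            this.sslHTTPProvider = SslContext.defaultServerProvider();
            logOpenSSLInfos();
            openSslInfosLogged = true;
        } else if (this.httpSSLEnabled) {
            this.sslHTTPProvider = SslProvider.JDK;
        } else {
            this.sslHTTPProvider = null;
        }

        if (this.transportSSLEnabled && transportOpenSslIfAvailable) {
            this.sslTransportClientProvider = SslContext.defaultClientProvider();
            this.sslTransportServerProvider = SslContext.defaultServerProvider();
            if (!openSslInfosLogged) {
                logOpenSSLInfos();
            }
        } else if (this.transportSSLEnabled) {
            this.sslTransportServerProvider = SslProvider.JDK;
            this.sslTransportClientProvider = SslProvider.JDK;
        } else {
            this.sslTransportServerProvider = null;
            this.sslTransportClientProvider = null;
        }

        initEnabledSSLCiphers();
        initSSLConfig();
        printJCEWarnings();

        final String[] transportProtocols = SSLConfigConstants.getSecureSSLProtocols(settings, false);
        final String[] httpProtocols = SSLConfigConstants.getSecureSSLProtocols(settings, true);
        this.log.info("TLS Transport Client Provider : {}", this.sslTransportClientProvider);
        this.log.info("TLS Transport Server Provider : {}", this.sslTransportServerProvider);
        this.log.info("TLS HTTP Provider             : {}", this.sslHTTPProvider);
        this.log.debug("sslTransportClientProvider:{} with ciphers {}", this.sslTransportClientProvider, getEnabledSSLCiphers(this.sslTransportClientProvider, false));
        this.log.debug("sslTransportServerProvider:{} with ciphers {}", this.sslTransportServerProvider, getEnabledSSLCiphers(this.sslTransportServerProvider, false));
        this.log.debug("sslHTTPProvider:{} with ciphers {}", this.sslHTTPProvider, getEnabledSSLCiphers(this.sslHTTPProvider, true));
        this.log.info("Enabled TLS protocols for transport layer : {}", Arrays.asList(transportProtocols));
        this.log.info("Enabled TLS protocols for HTTP layer      : {}", Arrays.asList(httpProtocols));

        // Refuse to start an enabled layer that could never negotiate a connection.
        if (this.transportSSLEnabled && (getEnabledSSLCiphers(this.sslTransportClientProvider, false).isEmpty() || getEnabledSSLCiphers(this.sslTransportServerProvider, false).isEmpty())) {
            throw new ElasticsearchSecurityException("no valid cipher suites for transport protocol", new Object[0]);
        }
        if (this.httpSSLEnabled && getEnabledSSLCiphers(this.sslHTTPProvider, true).isEmpty()) {
            throw new ElasticsearchSecurityException("no valid cipher suites for http", new Object[0]);
        }
        if (this.transportSSLEnabled && transportProtocols.length == 0) {
            throw new ElasticsearchSecurityException("no ssl protocols for transport protocol", new Object[0]);
        }
        if (this.httpSSLEnabled && httpProtocols.length == 0) {
            throw new ElasticsearchSecurityException("no ssl protocols for http", new Object[0]);
        }
    }

    /**
     * Builds the node {@link Environment}, or returns null when that is not possible
     * (the original code tolerates this; {@link #resolve(String, boolean)} then uses paths as given).
     */
    private static Environment tryCreateEnvironment(Settings settings, Path path) {
        try {
            return new Environment(settings, path);
        } catch (IllegalStateException ignored) {
            // Environment is optional for this class; only relative-path resolution depends on it.
            return null;
        }
    }

    /**
     * Reads a file-path setting and, when an {@link Environment} is available, resolves it
     * against the config directory. An absolute value is kept as-is (Path.resolve semantics).
     *
     * @param propName        settings key to read
     * @param mustBeValidFile when true the resolved value must name an existing readable file
     *                        (see {@link #checkPath(String, String)})
     * @return the resolved absolute path, or null when the setting is absent or empty
     * @throws ElasticsearchException when {@code mustBeValidFile} is set and the check fails
     */
    private String resolve(String propName, boolean mustBeValidFile) {
        final String rawValue = this.settings.get(propName, (String) null);
        String resolved = rawValue;
        this.log.debug("Value for {} is {}", propName, rawValue);
        if (this.env != null && rawValue != null && rawValue.length() > 0) {
            final Path configDir = this.env.configFile();
            resolved = configDir.resolve(rawValue).toAbsolutePath().toString();
            this.log.debug("Resolved {} to {} against {}", rawValue, resolved, configDir.toAbsolutePath().toString());
        }
        if (mustBeValidFile) {
            checkPath(resolved, propName);
        }
        return "".equals(resolved) ? null : resolved;
    }

    /*
     * The body of this method was not recovered by the decompiler (instruction count 1748). Judging
     * by the helpers below it presumably loads key material (keystore or PEM, see
     * DEFAULT_STORE_TYPE) and populates httpSslContext / transportServerSslContext /
     * transportClientSslContext — this could not be verified from the available code.
     */
    private void initSSLConfig() {
        throw new UnsupportedOperationException("Method not decompiled: com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig():void");
    }

    /**
     * Creates an engine for the HTTP layer with the configured HTTP protocols enabled.
     *
     * @throws NullPointerException when the HTTP context was never initialised (HTTP TLS disabled)
     */
    @Override
    public SSLEngine createHTTPSSLEngine() throws SSLException {
        final SslContext ctx = Objects.requireNonNull(this.httpSslContext, "HTTP SslContext not initialised (http SSL enabled: " + this.httpSSLEnabled + ")");
        return newEngineWithProtocols(ctx, true);
    }

    /**
     * Creates a server-side engine for the transport layer with the configured transport
     * protocols enabled.
     *
     * @throws NullPointerException when the transport server context was never initialised
     */
    @Override
    public SSLEngine createServerTransportSSLEngine() throws SSLException {
        final SslContext ctx = Objects.requireNonNull(this.transportServerSslContext, "transport server SslContext not initialised (transport SSL enabled: " + this.transportSSLEnabled + ")");
        return newEngineWithProtocols(ctx, false);
    }

    /**
     * Creates a client-side engine for the transport layer.
     *
     * <p>When a peer host is given the engine is bound to that host/port and endpoint
     * identification ("HTTPS" rules) is switched on, so the peer's certificate must match the
     * host name. Without a peer host no hostname verification can take place.
     *
     * @param peerHost peer host name, or null when unknown
     * @param peerPort peer port (ignored when {@code peerHost} is null)
     * @throws NullPointerException when the transport client context was never initialised
     */
    @Override
    public SSLEngine createClientTransportSSLEngine(String peerHost, int peerPort) throws SSLException {
        final SslContext ctx = Objects.requireNonNull(this.transportClientSslContext, "transport client SslContext not initialised (transport SSL enabled: " + this.transportSSLEnabled + ")");
        if (peerHost == null) {
            return newEngineWithProtocols(ctx, false);
        }
        final SSLEngine engine = ctx.newEngine(PooledByteBufAllocator.DEFAULT, peerHost, peerPort);
        // Start from the engine's current parameters so that only endpoint identification is added.
        final SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        engine.setEnabledProtocols(SSLConfigConstants.getSecureSSLProtocols(this.settings, false));
        return engine;
    }

    /** Creates an engine from {@code ctx} and restricts it to the configured protocols of the given layer. */
    private SSLEngine newEngineWithProtocols(SslContext ctx, boolean http) {
        final SSLEngine engine = ctx.newEngine(PooledByteBufAllocator.DEFAULT);
        engine.setEnabledProtocols(SSLConfigConstants.getSecureSSLProtocols(this.settings, http));
        return engine;
    }

    /** @return the HTTP provider name, or null when HTTP TLS is disabled */
    @Override
    public String getHTTPProviderName() {
        return providerName(this.sslHTTPProvider);
    }

    /** @return the transport server provider name, or null when transport TLS is disabled */
    @Override
    public String getTransportServerProviderName() {
        return providerName(this.sslTransportServerProvider);
    }

    /** @return the transport client provider name, or null when transport TLS is disabled */
    @Override
    public String getTransportClientProviderName() {
        return providerName(this.sslTransportClientProvider);
    }

    private static String providerName(SslProvider provider) {
        return provider == null ? null : provider.toString();
    }

    /**
     * Logs the OpenSSL availability, version and capabilities. A missing OpenSSL is not an
     * error (JDK TLS is used instead); an old version or one without hostname validation
     * support is warned about because it weakens transport-layer peer verification.
     */
    private void logOpenSSLInfos() {
        if (!OpenSsl.isAvailable()) {
            this.log.info("OpenSSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of " + OpenSsl.unavailabilityCause());
            return;
        }
        this.log.info("OpenSSL " + OpenSsl.versionString() + " (" + OpenSsl.version() + ") available");
        if (OpenSsl.version() < MIN_RECOMMENDED_OPENSSL_VERSION) {
            this.log.warn("Outdated OpenSSL version detected. You should update to 1.0.2k or later. Currently installed: " + OpenSsl.versionString());
        }
        if (!OpenSsl.supportsHostnameValidation()) {
            this.log.warn("Your OpenSSL version " + OpenSsl.versionString() + " does not support hostname verification. You should update to 1.0.2k or later.");
        }
        this.log.debug("OpenSSL available ciphers " + OpenSsl.availableOpenSslCipherSuites());
    }

    /**
     * Returns the usable cipher suites for a layer/provider combination.
     *
     * @param sslProvider provider in use, or null when the layer is disabled
     * @param http        true for the HTTP layer, false for the transport layer
     * @return the enabled suites; an empty list for a null provider
     */
    private List<String> getEnabledSSLCiphers(SslProvider sslProvider, boolean http) {
        if (sslProvider == null) {
            return Collections.emptyList();
        }
        final boolean jdk = sslProvider == SslProvider.JDK;
        if (http) {
            return jdk ? this.enabledHttpCiphersJDKProvider : this.enabledHttpCiphersOpenSSLProvider;
        }
        return jdk ? this.enabledTransportCiphersJDKProvider : this.enabledTransportCiphersOpenSSLProvider;
    }

    /**
     * Intersects the configured cipher suites of each layer with what the OpenSSL and JDK
     * providers actually support, and stores the four resulting lists.
     */
    private void initEnabledSSLCiphers() {
        final List<String> configuredHttpCiphers = SSLConfigConstants.getSecureSSLCiphers(this.settings, true);
        this.enabledHttpCiphersOpenSSLProvider = availableOpenSslCiphers(configuredHttpCiphers);
        this.enabledHttpCiphersJDKProvider = availableJdkCiphers(configuredHttpCiphers, "JVM supports the following {} ciphers for https {}");

        final List<String> configuredTransportCiphers = SSLConfigConstants.getSecureSSLCiphers(this.settings, false);
        this.enabledTransportCiphersOpenSSLProvider = availableOpenSslCiphers(configuredTransportCiphers);
        this.enabledTransportCiphersJDKProvider = availableJdkCiphers(configuredTransportCiphers, "JVM supports the following {} ciphers for transport {}");
    }

    /**
     * Filters the configured suites down to those OpenSSL reports as available.
     *
     * @return an unmodifiable, de-duplicated list in configured order (the order later handed to
     *         {@code SslContextBuilder.ciphers()}); empty when OpenSSL is not available
     */
    private static List<String> availableOpenSslCiphers(List<String> configured) {
        if (!OpenSsl.isAvailable()) {
            return Collections.emptyList();
        }
        // LinkedHashSet rather than HashSet so the configured preference order survives de-duplication.
        final LinkedHashSet<String> available = new LinkedHashSet<String>();
        for (String cipher : configured) {
            if (OpenSsl.isCipherSuiteAvailable(cipher)) {
                available.add(cipher);
            }
        }
        return Collections.unmodifiableList(new ArrayList<String>(available));
    }

    /**
     * Filters the configured suites down to those a default JSSE engine accepts.
     *
     * @param configured   configured suites
     * @param debugMessage log4j message template with two placeholders (count, supported suites)
     * @return the suites the engine reports as enabled after restricting it to {@code configured};
     *         on any failure the error is logged and {@code configured} is returned unfiltered
     */
    private List<String> availableJdkCiphers(List<String> configured, String debugMessage) {
        SSLEngine engine = null;
        try {
            final SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, null, null);
            engine = ctx.createSSLEngine();
            final List<String> supported = new ArrayList<String>(Arrays.asList(engine.getSupportedCipherSuites()));
            this.log.debug(debugMessage, Integer.valueOf(supported.size()), supported);
            supported.retainAll(configured);
            engine.setEnabledCipherSuites(supported.toArray(new String[0]));
            return Collections.unmodifiableList(Arrays.asList(engine.getEnabledCipherSuites()));
        } catch (Throwable t) {
            this.log.error("Unable to determine supported ciphers due to " + ExceptionsHelper.stackTrace(t));
            return configured;
        } finally {
            closeQuietly(engine);
        }
    }

    /** Closes a throw-away probe engine; closeInbound() failing is expected (no close_notify was received). */
    private void closeQuietly(SSLEngine engine) {
        if (engine == null) {
            return;
        }
        try {
            engine.closeInbound();
        } catch (SSLException e) {
            this.log.debug("Unable to close inbound ssl engine", e);
        }
        engine.closeOutbound();
    }

    /**
     * Builds a server context from in-memory key material.
     *
     * @param privateKey       server private key
     * @param certificateChain server certificate chain
     * @param trustedCerts     CA certificates used to verify client certificates; when null or
     *                         empty the builder's default trust configuration applies
     * @param ciphers          cipher suites in preference order
     * @param sslProvider      provider to build with
     * @param clientAuth       whether a client certificate is requested/required; must not be null
     */
    private SslContext buildSSLServerContext(PrivateKey privateKey, X509Certificate[] certificateChain, X509Certificate[] trustedCerts, Iterable<String> ciphers, SslProvider sslProvider, ClientAuth clientAuth) throws SSLException {
        final SslContextBuilder builder = SslContextBuilder.forServer(privateKey, certificateChain)
                .ciphers(ciphers)
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED) // no ALPN
                .clientAuth(Objects.requireNonNull(clientAuth))
                .sessionCacheSize(0L) // 0: Netty default
                .sessionTimeout(0L)
                .sslProvider(sslProvider);
        if (trustedCerts != null && trustedCerts.length > 0) {
            builder.trustManager(trustedCerts);
        }
        return buildSSLContext0(builder);
    }

    /**
     * Builds a server context from PEM files.
     *
     * @param keyFile          PEM private key file
     * @param certChainFile    PEM certificate chain file
     * @param trustedCertsFile PEM file with CA certificates for client verification; null means the
     *                         builder's default trust configuration applies
     * @param keyPassword      password of the key file, or null
     */
    private SslContext buildSSLServerContext(File keyFile, File certChainFile, File trustedCertsFile, String keyPassword, Iterable<String> ciphers, SslProvider sslProvider, ClientAuth clientAuth) throws SSLException {
        final SslContextBuilder builder = SslContextBuilder.forServer(certChainFile, keyFile, keyPassword)
                .ciphers(ciphers)
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .clientAuth(Objects.requireNonNull(clientAuth))
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(sslProvider);
        if (trustedCertsFile != null) {
            builder.trustManager(trustedCertsFile);
        }
        return buildSSLContext0(builder);
    }

    /**
     * Builds a client context from in-memory key material; the client presents
     * {@code privateKey}/{@code certificateChain} and trusts {@code trustedCerts}.
     */
    private SslContext buildSSLClientContext(PrivateKey privateKey, X509Certificate[] certificateChain, X509Certificate[] trustedCerts, Iterable<String> ciphers, SslProvider sslProvider) throws SSLException {
        final SslContextBuilder builder = SslContextBuilder.forClient()
                .ciphers(ciphers)
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(sslProvider)
                .trustManager(trustedCerts)
                .keyManager(privateKey, certificateChain);
        return buildSSLContext0(builder);
    }

    /** Builds a client context from PEM files (see the in-memory overload for the semantics). */
    private SslContext buildSSLClientContext(File keyFile, File certChainFile, File trustedCertsFile, String keyPassword, Iterable<String> ciphers, SslProvider sslProvider) throws SSLException {
        final SslContextBuilder builder = SslContextBuilder.forClient()
                .ciphers(ciphers)
                .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .sslProvider(sslProvider)
                .trustManager(trustedCertsFile)
                .keyManager(certChainFile, keyFile, keyPassword);
        return buildSSLContext0(builder);
    }

    /**
     * Runs {@code build()} inside a privileged block (the builder touches files and native code,
     * which the Elasticsearch security manager otherwise denies to plugin code).
     *
     * @throws SSLException the build failure; a non-SSLException cause is wrapped instead of
     *                      being turned into a ClassCastException
     */
    private SslContext buildSSLContext0(final SslContextBuilder sslContextBuilder) throws SSLException {
        final SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<SslContext>() {
                @Override
                public SslContext run() throws Exception {
                    return sslContextBuilder.build();
                }
            });
        } catch (PrivilegedActionException e) {
            final Throwable cause = e.getCause();
            if (cause instanceof SSLException) {
                throw (SSLException) cause;
            }
            throw new SSLException(cause);
        }
    }

    /**
     * Translates the two most common key-material loading failures into actionable log output.
     */
    private void logExplanation(Exception exc) {
        if (ExceptionUtils.findMsg(exc, "not contain valid private key") != null) {
            this.log.error("Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.");
        }
        if (ExceptionUtils.findMsg(exc, "not contain valid certificates") != null) {
            this.log.error("Your keystore or PEM does not contain a certificate. Maybe you confused keys and certificates.");
        }
    }

    /**
     * Verifies that a configured path names an existing, readable, non-directory file.
     * Symlinks are not followed for the directory check.
     *
     * @param filePath path to check
     * @param propName settings key the path came from (for the error message)
     * @throws ElasticsearchException when the path is empty, a directory, or not readable
     */
    private static void checkPath(String filePath, String propName) {
        if (filePath == null || filePath.isEmpty()) {
            throw new ElasticsearchException("Empty file path for " + propName);
        }
        final Path path = Paths.get(filePath);
        if (Files.isDirectory(path, LinkOption.NOFOLLOW_LINKS)) {
            throw new ElasticsearchException("Is a directory: " + filePath + " Expected a file for " + propName);
        }
        if (!Files.isReadable(path)) {
            throw new ElasticsearchException("Unable to read " + filePath + " (" + path + "). Please make sure this files exists and is readable regarding to permissions. Property: " + propName);
        }
    }
}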
