package org.elasticsearch.shield.ssl;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.primitives.Ints;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:org/elasticsearch/shield/ssl/AbstractSSLService.class */
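/**
 * Base class for Shield's SSL services.
 *
 * <p>It resolves keystore / truststore configuration into an {@link SSLSettings} key,
 * builds one {@link SSLContext} per distinct key (cached in {@link #sslContexts}) and
 * hands out {@link SSLEngine}s and {@link SSLSocketFactory}s restricted to the
 * configured protocol versions and cipher suites. Subclasses decide how a
 * {@link Settings} object maps onto an {@link SSLSettings} via {@link #sslSettings(Settings)}.
 */
public abstract class AbstractSSLService extends AbstractComponent {
    public static final String CIPHERS_SETTING = "shield.ssl.ciphers";
    public static final String SUPPORTED_PROTOCOLS_SETTING = "shield.ssl.supported_protocols";
    static final int DEFAULT_SESSION_CACHE_SIZE = 1000;
    static final String DEFAULT_PROTOCOL = "TLSv1.2";
    // TLSv1 and TLSv1.1 are legacy protocol versions kept enabled for compatibility with older peers;
    // deployments that do not need them can narrow the list through SUPPORTED_PROTOCOLS_SETTING.
    public static final String[] DEFAULT_SUPPORTED_PROTOCOLS = {"TLSv1", "TLSv1.1", DEFAULT_PROTOCOL};
    // Only the ECDHE suite offers forward secrecy; the two TLS_RSA_* suites use static RSA key exchange.
    // The list can be replaced through CIPHERS_SETTING; requested suites the JVM lacks are dropped with an error log.
    static final String[] DEFAULT_CIPHERS = {"TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"};
    static final TimeValue DEFAULT_SESSION_CACHE_TIMEOUT = TimeValue.timeValueHours(24);

    /**
     * Contexts keyed by {@link SSLSettings}. Note that the key's equality covers only the
     * keystore path, truststore path and protocol (see {@link SSLSettings#equals(Object)}).
     */
    protected final LoadingCache<SSLSettings, SSLContext> sslContexts;
    /** Node environment; used to resolve store paths against the config directory. */
    protected Environment env;

    /**
     * Cache loader that turns an {@link SSLSettings} key into a fully initialised {@link SSLContext}.
     * Invoked by {@link #sslContexts} on a cache miss.
     */
    private class SSLContextCacheLoader extends CacheLoader<SSLSettings, SSLContext> {

        private SSLContextCacheLoader() {
        }

        /**
         * Loads key and trust material for {@code sslSettings} and builds the context.
         *
         * @throws Exception any failure from the underlying store / factory setup (wrapped in
         *         {@link ElasticsearchException} by the helpers below)
         */
        @Override
        public SSLContext load(SSLSettings sslSettings) throws Exception {
            if (logger.isDebugEnabled()) {
                // Only paths and algorithm names are logged; the store and key passwords are deliberately left out.
                logger.debug("using keystore[{}], key_algorithm[{}], truststore[{}], truststore_algorithm[{}], tls_protocol[{}], session_cache_size[{}], session_cache_timeout[{}]",
                        sslSettings.keyStorePath, sslSettings.keyStoreAlgorithm, sslSettings.trustStorePath,
                        sslSettings.trustStoreAlgorithm, sslSettings.sslProtocol, sslSettings.sessionCacheSize,
                        sslSettings.sessionCacheTimeout);
            }
            KeyManager[] keyManagers = keyManagers(sslSettings.keyStorePath, sslSettings.keyStorePassword,
                    sslSettings.keyStoreAlgorithm, sslSettings.keyPassword);
            TrustManager[] trustManagers = trustManagers(sslSettings.trustStorePath, sslSettings.trustStorePassword,
                    sslSettings.trustStoreAlgorithm);
            return createSslContext(keyManagers, trustManagers, sslSettings.sslProtocol,
                    sslSettings.sessionCacheSize, sslSettings.sessionCacheTimeout);
        }

        /**
         * Reads the keystore and initialises a {@link KeyManagerFactory} from it.
         *
         * @return the key managers, or {@code null} when no keystore path is configured, in which
         *         case the context is initialised without key material of its own
         * @throws ElasticsearchException if the store cannot be read or the factory cannot be initialised
         */
        private KeyManager[] keyManagers(String keyStorePath, String keyStorePassword, String keyStoreAlgorithm, String keyPassword) {
            if (keyStorePath == null) {
                return null;
            }
            try {
                KeyStore keyStore = readKeystore(keyStorePath, keyStorePassword);
                KeyManagerFactory factory = KeyManagerFactory.getInstance(keyStoreAlgorithm);
                // keyPassword defaults to the keystore password (see SSLSettings); if both are absent the
                // NullPointerException from toCharArray() is reported through the wrapped exception below.
                factory.init(keyStore, keyPassword.toCharArray());
                return factory.getKeyManagers();
            } catch (Exception e) {
                throw new ElasticsearchException("failed to initialize a KeyManagerFactory", e);
            }
        }

        /**
         * Builds the context for {@code sslProtocol} and tunes its server-side session cache.
         * The client session context is left at JVM defaults.
         *
         * @throws ElasticsearchException if the context cannot be created or initialised, including when
         *         {@code sessionCacheTimeout} in seconds does not fit in an {@code int}
         */
        private SSLContext createSslContext(KeyManager[] keyManagers, TrustManager[] trustManagers, String sslProtocol, int sessionCacheSize, TimeValue sessionCacheTimeout) {
            try {
                SSLContext sslContext = SSLContext.getInstance(sslProtocol);
                // A null SecureRandom lets the provider pick its default randomness source.
                sslContext.init(keyManagers, trustManagers, null);
                sslContext.getServerSessionContext().setSessionCacheSize(sessionCacheSize);
                sslContext.getServerSessionContext().setSessionTimeout(Ints.checkedCast(sessionCacheTimeout.seconds()));
                return sslContext;
            } catch (Exception e) {
                throw new ElasticsearchException("failed to initialize the SSLContext", e);
            }
        }

        /**
         * Initialises a {@link TrustManagerFactory}, optionally from an explicit truststore.
         *
         * <p>When {@code trustStorePath} is {@code null} the factory is initialised with a
         * {@code null} store, which makes it fall back to the JVM's default trust material.
         *
         * @throws ElasticsearchException if the store cannot be read or the factory cannot be initialised
         *         (the factory calls throw checked exceptions, so they are wrapped here too)
         */
        private TrustManager[] trustManagers(String trustStorePath, String trustStorePassword, String trustStoreAlgorithm) {
            try {
                KeyStore trustStore = null;
                if (trustStorePath != null) {
                    trustStore = readKeystore(trustStorePath, trustStorePassword);
                }
                TrustManagerFactory factory = TrustManagerFactory.getInstance(trustStoreAlgorithm);
                factory.init(trustStore);
                return factory.getTrustManagers();
            } catch (Exception e) {
                throw new ElasticsearchException("failed to initialize a TrustManagerFactory", e);
            }
        }

        /**
         * Loads a JKS store from {@code path}, resolved against the config directory.
         * The store type is fixed to {@code "jks"}; other store types are not supported here.
         *
         * @param password store password; must not be {@code null} (the assertion documents the
         *                 invariant and {@code toCharArray()} enforces it when assertions are off)
         * @throws Exception if the file cannot be opened or the store cannot be loaded
         */
        private KeyStore readKeystore(String path, String password) throws Exception {
            try (InputStream in = Files.newInputStream(resolvePath(path))) {
                KeyStore keyStore = KeyStore.getInstance("jks");
                assert password != null;
                keyStore.load(in, password.toCharArray());
                return keyStore;
            }
        }
    }

    /**
     * Resolved SSL configuration for one context.
     *
     * <p>Each value is looked up in the component-scoped {@code settings} first, then in the
     * node-level {@code shield.ssl.*} settings, then (for store paths, passwords and algorithms)
     * in the standard {@code javax.net.ssl.*} / {@code ssl.*} system properties.
     *
     * <p>Equality and hashing deliberately cover only the keystore path, truststore path and
     * protocol, because that is the identity used by the context cache.
     */
    public static class SSLSettings {
        private static final ESLogger logger = Loggers.getLogger(SSLSettings.class);
        String keyStorePath;
        String keyStorePassword;
        String keyStoreAlgorithm;
        String keyPassword;
        String trustStorePath;
        String trustStorePassword;
        String trustStoreAlgorithm;
        String sslProtocol;
        int sessionCacheSize;
        TimeValue sessionCacheTimeout;

        /**
         * @param settings       component-scoped settings (relative keys such as {@code keystore.path})
         * @param globalSettings node-level settings providing the {@code shield.ssl.*} fallbacks
         */
        public SSLSettings(Settings settings, Settings globalSettings) {
            this.keyStorePath = settings.get("keystore.path", globalSettings.get("shield.ssl.keystore.path", System.getProperty("javax.net.ssl.keyStore")));
            this.keyStorePassword = settings.get("keystore.password", globalSettings.get("shield.ssl.keystore.password", System.getProperty("javax.net.ssl.keyStorePassword")));
            this.keyStoreAlgorithm = settings.get("keystore.algorithm", globalSettings.get("shield.ssl.keystore.algorithm", System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm())));
            // The private-key password falls back to the store password when not set separately.
            this.keyPassword = settings.get("keystore.key_password", globalSettings.get("shield.ssl.keystore.key_password", this.keyStorePassword));
            this.trustStorePath = settings.get("truststore.path", globalSettings.get("shield.ssl.truststore.path", System.getProperty("javax.net.ssl.trustStore")));
            this.trustStorePassword = settings.get("truststore.password", globalSettings.get("shield.ssl.truststore.password", System.getProperty("javax.net.ssl.trustStorePassword")));
            this.trustStoreAlgorithm = settings.get("truststore.algorithm", globalSettings.get("shield.ssl.truststore.algorithm", System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm())));
            this.sslProtocol = settings.get("protocol", globalSettings.get("shield.ssl.protocol", AbstractSSLService.DEFAULT_PROTOCOL));
            this.sessionCacheSize = settings.getAsInt("session.cache_size", globalSettings.getAsInt("shield.ssl.session.cache_size", AbstractSSLService.DEFAULT_SESSION_CACHE_SIZE)).intValue();
            this.sessionCacheTimeout = settings.getAsTime("session.cache_timeout", globalSettings.getAsTime("shield.ssl.session.cache_timeout", AbstractSSLService.DEFAULT_SESSION_CACHE_TIMEOUT));
            if (this.trustStorePath == null) {
                // Without an explicit truststore the keystore doubles as the trust anchor set, i.e. every
                // certificate it holds becomes trusted for peer verification.
                if (logger.isDebugEnabled()) {
                    logger.debug("no truststore defined. using keystore [{}] as truststore", this.keyStorePath);
                }
                this.trustStorePath = this.keyStorePath;
                this.trustStorePassword = this.keyStorePassword;
            }
        }

        /**
         * Cache identity: keystore path, truststore path and protocol only. Two settings objects that
         * differ solely in passwords, algorithms or session-cache parameters are equal, so the first
         * context loaded for that identity is reused for both.
         */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            SSLSettings other = (SSLSettings) obj;
            return Objects.equals(this.keyStorePath, other.keyStorePath)
                    && Objects.equals(this.trustStorePath, other.trustStorePath)
                    && Objects.equals(this.sslProtocol, other.sslProtocol);
        }

        /** Consistent with {@link #equals(Object)}: hashes the same three fields. */
        @Override
        public int hashCode() {
            return Objects.hash(this.keyStorePath, this.trustStorePath, this.sslProtocol);
        }
    }

    /**
     * {@link SSLSocketFactory} that delegates socket creation and then pins every socket to the
     * configured protocol versions and cipher suites.
     */
    static class ShieldSSLSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final String[] supportedProtocols;
        private final String[] ciphers;

        /**
         * @param delegate           factory that actually creates the sockets
         * @param supportedProtocols protocol versions enabled on each socket
         * @param ciphers            cipher suites enabled on each socket
         */
        ShieldSSLSocketFactory(SSLSocketFactory delegate, String[] supportedProtocols, String[] ciphers) {
            this.delegate = delegate;
            // Copy so that later mutation of the caller's arrays cannot change what gets enabled.
            this.supportedProtocols = supportedProtocols.clone();
            this.ciphers = ciphers.clone();
        }

        /** Returns a copy of the configured cipher suites (not the JVM defaults). */
        @Override
        public String[] getDefaultCipherSuites() {
            return this.ciphers.clone();
        }

        @Override
        public String[] getSupportedCipherSuites() {
            return this.delegate.getSupportedCipherSuites();
        }

        @Override
        public Socket createSocket() throws IOException {
            return configured(this.delegate.createSocket());
        }

        @Override
        public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
            return configured(this.delegate.createSocket(socket, host, port, autoClose));
        }

        @Override
        public Socket createSocket(String host, int port) throws IOException {
            return configured(this.delegate.createSocket(host, port));
        }

        @Override
        public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
            return configured(this.delegate.createSocket(host, port, localHost, localPort));
        }

        @Override
        public Socket createSocket(InetAddress host, int port) throws IOException {
            return configured(this.delegate.createSocket(host, port));
        }

        @Override
        public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
            return configured(this.delegate.createSocket(address, port, localAddress, localPort));
        }

        /** Casts the delegate's socket to {@link SSLSocket} and applies the protocol / cipher restrictions. */
        private SSLSocket configured(Socket socket) {
            SSLSocket sslSocket = (SSLSocket) socket;
            sslSocket.setEnabledProtocols(this.supportedProtocols);
            sslSocket.setEnabledCipherSuites(this.ciphers);
            return sslSocket;
        }
    }

    /**
     * @param settings    node settings (also provide {@link #CIPHERS_SETTING} and {@link #SUPPORTED_PROTOCOLS_SETTING})
     * @param environment node environment used to resolve store paths
     */
    public AbstractSSLService(Settings settings, Environment environment) {
        super(settings);
        this.sslContexts = CacheBuilder.newBuilder().build(new SSLContextCacheLoader());
        this.env = environment;
    }

    /**
     * Socket factory for the default context, restricted to the configured protocols and to the
     * subset of the configured ciphers that the JVM actually supports.
     *
     * @throws IllegalArgumentException if none of the configured ciphers is supported by this JVM
     */
    public SSLSocketFactory sslSocketFactory() {
        SSLSocketFactory socketFactory = sslContext().getSocketFactory();
        return new ShieldSSLSocketFactory(socketFactory, supportedProtocols(), supportedCiphers(socketFactory.getSupportedCipherSuites(), ciphers()));
    }

    /** Protocol versions from {@link #SUPPORTED_PROTOCOLS_SETTING}, or {@link #DEFAULT_SUPPORTED_PROTOCOLS}. */
    public String[] supportedProtocols() {
        return this.settings.getAsArray(SUPPORTED_PROTOCOLS_SETTING, DEFAULT_SUPPORTED_PROTOCOLS);
    }

    /** Cipher suites from {@link #CIPHERS_SETTING}, or {@link #DEFAULT_CIPHERS}. */
    public String[] ciphers() {
        return this.settings.getAsArray(CIPHERS_SETTING, DEFAULT_CIPHERS);
    }

    /** Engine for the default context with no peer host / port hint. */
    public SSLEngine createSSLEngine() {
        return createSSLEngine(Settings.EMPTY);
    }

    /** Engine for the context selected by {@code settings}, with no peer host / port hint. */
    public SSLEngine createSSLEngine(Settings settings) {
        return createSSLEngine(settings, null, -1);
    }

    /**
     * Engine for the context selected by {@code settings}. Ciphers and protocols may be overridden
     * per call through the same setting keys in {@code settings}; otherwise the node-level values apply.
     *
     * @param host peer host passed to {@link SSLContext#createSSLEngine(String, int)} (may be {@code null})
     * @param port peer port, or {@code -1} when unknown
     */
    public SSLEngine createSSLEngine(Settings settings, String host, int port) {
        return createSSLEngine(sslContext(settings), settings.getAsArray(CIPHERS_SETTING, ciphers()), settings.getAsArray(SUPPORTED_PROTOCOLS_SETTING, supportedProtocols()), host, port);
    }

    /** Default context (empty settings). */
    public SSLContext sslContext() {
        return sslContext(Settings.EMPTY);
    }

    /**
     * Returns the cached context for {@code settings}, loading it on first use.
     *
     * @throws ElasticsearchException the loader's own exception if that is what failed, otherwise a
     *         wrapper around the cache failure
     */
    protected SSLContext sslContext(Settings settings) {
        try {
            return this.sslContexts.getUnchecked(sslSettings(settings));
        } catch (UncheckedExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof ElasticsearchException) {
                // Surface the loader's exception directly rather than double-wrapping it.
                throw (ElasticsearchException) cause;
            }
            throw new ElasticsearchException("failed to load SSLContext", e);
        }
    }

    /**
     * Setting keys read by this service and by {@link SSLSettings} (the latter relative to the
     * component prefix). Presumably consumed by callers that need to treat these keys as sensitive
     * configuration; that use is not visible from this class.
     */
    public static String[] sensitiveSettings() {
        return new String[]{CIPHERS_SETTING, SUPPORTED_PROTOCOLS_SETTING, "protocol", "session.cache_size", "session.cache_timeout", "keystore.path", "keystore.password", "keystore.algorithm", "keystore.key_password", "truststore.path", "truststore.password", "truststore.algorithm"};
    }

    /** Maps {@code settings} onto the {@link SSLSettings} key used to look up the context. */
    protected abstract SSLSettings sslSettings(Settings settings);

    /**
     * Creates an engine on {@code sslContext} and restricts it to the requested ciphers (filtered to
     * what the JVM supports) and protocols. Client/server mode and endpoint identification are not
     * configured here; callers set those on the returned engine.
     *
     * @throws IllegalArgumentException if no requested cipher is supported, or if the protocol list
     *         is rejected by the engine; each failure is wrapped once with a message naming the list
     */
    SSLEngine createSSLEngine(SSLContext sslContext, String[] requestedCiphers, String[] requestedProtocols, String host, int port) {
        SSLEngine engine = sslContext.createSSLEngine(host, port);
        try {
            engine.setEnabledCipherSuites(supportedCiphers(engine.getSupportedCipherSuites(), requestedCiphers));
        } catch (ElasticsearchException e) {
            throw e;
        } catch (Throwable t) {
            throw new IllegalArgumentException("failed loading cipher suites [" + Arrays.asList(requestedCiphers) + "]", t);
        }
        // Kept outside the cipher try block so that a protocol failure is wrapped once, not twice.
        try {
            engine.setEnabledProtocols(requestedProtocols);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("failed setting supported protocols [" + Arrays.asList(requestedProtocols) + "]", e);
        }
        return engine;
    }

    /**
     * Intersects the requested cipher suites with those the JVM supports, preserving request order.
     *
     * @param supported cipher suites available in this JVM
     * @param requested cipher suites the configuration asks for
     * @return the requested suites that are supported, in request order
     * @throws IllegalArgumentException if none of the requested suites is supported; unsupported
     *         suites are otherwise only logged at error level
     */
    String[] supportedCiphers(String[] supported, String[] requested) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>(requested.length);
        List<String> unsupported = new ArrayList<>();
        for (String cipher : requested) {
            if (available.contains(cipher)) {
                enabled.add(cipher);
            } else {
                unsupported.add(cipher);
            }
        }
        if (enabled.isEmpty()) {
            throw new IllegalArgumentException("none of the ciphers [" + Arrays.asList(requested) + "] are supported by this JVM");
        }
        if (!unsupported.isEmpty()) {
            this.logger.error("unsupported ciphers [{}] were requested but cannot be used in this JVM. If you are trying to use ciphers\nwith a key length greater than 128 bits on an Oracle JVM, you will need to install the unlimited strength\nJCE policy files. Additionally, please ensure the PKCS11 provider is enabled for your JVM.", unsupported);
        }
        return enabled.toArray(new String[enabled.size()]);
    }

    /**
     * Resolves a store path against the node's config directory. No containment check is applied:
     * the value is an operator-supplied setting, so an absolute path or {@code ..} segments are honoured.
     */
    public Path resolvePath(String path) {
        return this.env.configFile().resolve(path);
    }
}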
