package com.mapr.web.security;

import com.mapr.security.FipsLoader;
import com.mapr.web.security.SslConfig;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.util.security.Password;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:com/mapr/web/security/WebSecurityManager.class */
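/**
 * Process-wide holder of the Jetty {@link SslContextFactory} used by the web server.
 *
 * <p>The single instance is created lazily by {@link #getSecurityManager(String)} and configured
 * from {@link WebSecurityConfig#CONFIG}: keystore and truststore locations and passwords, the
 * key-manager algorithm, and the cipher-suite and protocol exclusion lists. The
 * {@code <processName>.ssl.truststore.password} system property, when set, overrides the
 * configured keystore, key-manager and truststore passwords.
 *
 * <p>{@link #importUrlCertificate(String, String)} is an operator tool that appends the
 * certificate presented by an HTTPS endpoint to a truststore file; see its documentation for the
 * trust-on-first-use caveat.
 */
public final class WebSecurityManager {
    /** Suffix of the per-process system property that overrides the store passwords. */
    private static final String SSL_TRUSTSTORE_PASSWORD = ".ssl.truststore.password";
    /** Suffix of the per-process system property listing cipher-suite patterns to exclude. */
    private static final String SSL_EXCLUDE_CIPHERS = ".ssl.exclude-ciphers";
    /** Suffix of the per-process system property listing protocols to exclude. */
    private static final String SSL_EXCLUDE_PROTOCOLS = ".ssl.exclude-protocols";
    /** Default cipher exclusions (Jetty regex list): DHE/EDH, static-RSA key exchange, MD5/SHA-1 MACs. */
    private static final String SSL_DEFAULT_BANNED_CIPHERS = "^TLS_DHE.*,^TLS_EDH.*,^TLS_RSA_.*,^.*_(MD5|SHA|SHA1)$";
    /** Default protocol exclusions: SSLv3, TLS 1.0 and TLS 1.1. */
    private static final String SSL_DEFAULT_BANNED_PROTOCOLS = "SSLv3,TLSv1.0,TLSv1.1";
    /** Read timeout applied to the probe socket opened by {@link #importUrlCertificate}. */
    private static final int PROBE_SO_TIMEOUT_MILLIS = 10000;
    /** Port used by {@link #importUrlCertificate} when the URL carries none. */
    private static final int DEFAULT_HTTPS_PORT = 443;
    private static volatile WebSecurityManager securityManager;
    private final SslContextFactory sslContextFactory = new SslContextFactory.Server();

    /* loaded from: input_file:com/mapr/web/security/WebSecurityManager$SavingTrustManager.class */
    /**
     * Client-side {@link X509TrustManager} that records the certificate chain presented by a server
     * before delegating validation to the wrapped manager, so the chain is available to the caller
     * even when the delegate rejects it.
     *
     * <p>Only {@link #checkServerTrusted} is supported: this wrapper is used solely for outbound
     * probe connections, so the client-side and accepted-issuer operations throw.
     */
    private static final class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;
        /** Chain seen by the most recent {@link #checkServerTrusted} call; null until then. */
        private X509Certificate[] chain;

        public SavingTrustManager(X509TrustManager x509TrustManager) {
            this.tm = x509TrustManager;
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            throw new UnsupportedOperationException();
        }

        /**
         * Records {@code x509CertificateArr} and then lets the wrapped manager validate it.
         *
         * @throws CertificateException propagated from the wrapped manager; the chain stays recorded
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            // Recorded before delegation so a rejected chain can still be inspected by the caller.
            this.chain = x509CertificateArr;
            this.tm.checkServerTrusted(this.chain, str);
        }

        public X509TrustManager getTm() {
            return this.tm;
        }

        public X509Certificate[] getChain() {
            return this.chain;
        }
    }

    /**
     * Probes the HTTPS endpoint at {@code str} and, if its certificate is not trusted by the
     * truststore file {@code str2}, appends the server's leaf certificate to that truststore.
     *
     * <p>This is trust-on-first-use: whatever certificate the peer presents is stored. The subject
     * and SHA-256 fingerprint are printed so the operator can compare them against a value obtained
     * out of band before relying on the updated truststore. Only the leaf ({@code chain[0]}) is
     * stored, under the alias {@code host:port}; an existing entry with that alias is replaced, and
     * the entry must be re-imported when the server's leaf certificate rotates.
     *
     * <p>The truststore password is read from the {@code <processName>.ssl.truststore.password}
     * system property; Jetty-obfuscated values are accepted.
     *
     * @param str  the HTTPS URL to probe; the port defaults to 443 when the URL carries none
     * @param str2 path of the truststore file to read and, on import, rewrite in place
     * @return {@code true} when a certificate was added; {@code false} when the URL is not https, the
     *     password property is unset, no X509 trust manager is available, the handshake failed
     *     without yielding a chain, or the certificate was already trusted
     * @throws IOException if the URL is malformed, the truststore cannot be read or written, or the
     *     probe connection fails for a reason other than an SSL error
     * @throws GeneralSecurityException if the truststore cannot be loaded or the SSL context initialised
     */
    public boolean importUrlCertificate(String str, String str2) throws IOException, GeneralSecurityException {
        URL url = new URL(str);
        if (!"https".equals(url.getProtocol())) {
            System.out.println("URL is not an https url");
            return false;
        }
        String host = url.getHost();
        int urlPort = url.getPort();
        int port = urlPort < 0 ? DEFAULT_HTTPS_PORT : urlPort;

        String processName = WebSecurityConfig.CONFIG.getProcessName();
        String rawPassword = System.getProperty(processName + SSL_TRUSTSTORE_PASSWORD);
        if (rawPassword == null) {
            // Password.deobfuscate(null) would throw; fail with a message that names the property instead.
            System.out.println("Truststore password property " + processName + SSL_TRUSTSTORE_PASSWORD + " is not set");
            return false;
        }
        char[] password = Password.deobfuscate(rawPassword).toCharArray();

        // NOTE(review): the default keystore type is used here while init() may select a BCFKS
        // store; confirm the truststore at str2 is of the default type when FIPS mode is in use.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(str2)) {
            keyStore.load(in, password);
        }

        X509TrustManager defaultTm = findX509TrustManager(keyStore);
        if (defaultTm == null) {
            System.out.println("Could not obtain a X509TrustManager");
            return false;
        }
        SavingTrustManager savingTrustManager = new SavingTrustManager(defaultTm);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] {savingTrustManager}, null);
        SSLSocketFactory socketFactory = sslContext.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        try (SSLSocket socket = (SSLSocket) socketFactory.createSocket(host, port)) {
            socket.setSoTimeout(PROBE_SO_TIMEOUT_MILLIS);
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
            return false;
        } catch (SSLException e) {
            // The handshake was rejected; the chain the wrapped manager saw is the import candidate.
            System.out.println("Handshake failed: " + e);
            System.out.println("Certificate is not currently trusted. Attempting to add...");
            X509Certificate[] chain = savingTrustManager.getChain();
            if (chain == null || chain.length == 0) {
                System.out.println("Could not obtain server certificate chain");
                return false;
            }
            X509Certificate leaf = chain[0];
            String alias = host + ":" + port;
            // Printed so the operator can verify the pinned certificate out of band.
            System.out.println("Subject: " + leaf.getSubjectX500Principal());
            System.out.println("SHA-256 fingerprint: " + sha256Fingerprint(leaf));
            keyStore.setCertificateEntry(alias, leaf);
            try (FileOutputStream out = new FileOutputStream(str2)) {
                keyStore.store(out, password);
            }
            System.out.println("Added certificate to truststore using alias: " + alias);
            return true;
        }
    }

    /**
     * Returns the first {@link X509TrustManager} produced from {@code keyStore} by the default
     * trust-manager algorithm, or {@code null} if the factory yields none.
     */
    private static X509TrustManager findX509TrustManager(KeyStore keyStore) throws GeneralSecurityException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(keyStore);
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        return null;
    }

    /** SHA-256 digest of the DER encoding of {@code cert}, as colon-separated upper-case hex. */
    private static String sha256Fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 3);
        for (byte b : digest) {
            if (hex.length() > 0) {
                hex.append(':');
            }
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    /**
     * Configures {@link #sslContextFactory} for the process named {@code str}.
     *
     * <p>Store locations, types and passwords come from {@link WebSecurityConfig#CONFIG}. When the
     * {@code <str>.ssl.truststore.password} system property is set, its raw value is used as the
     * keystore, key-manager and truststore password instead of the configured values. Cipher-suite
     * and protocol exclusions default to {@link #SSL_DEFAULT_BANNED_CIPHERS} and
     * {@link #SSL_DEFAULT_BANNED_PROTOCOLS} and may be overridden per process through the
     * {@code <str>.ssl.exclude-ciphers} and {@code <str>.ssl.exclude-protocols} properties.
     *
     * @param str the process name; prefix of every override property
     * @throws IllegalArgumentException if the configured keystore file type is neither JKS nor BCFKS
     */
    private void init(String str) {
        WebSecurityConfig.CONFIG.setProcessName(str);
        // Closed in finally so the config is released on every path, including the unsupported-type throw.
        SslConfig sslConfig = WebSecurityConfig.CONFIG.getSslConfig();
        try {
            KeystoreFileType keystoreFileType = sslConfig.getServerKeystoreFileType();
            switch (keystoreFileType) {
                case JKS:
                    break;
                case BCFKS:
                    // BCFKS stores need the FIPS providers loaded and the BCJSSE provider selected for TLS.
                    FipsLoader.loadFipsProviders();
                    this.sslContextFactory.setProvider("BCJSSE");
                    break;
                default:
                    throw new IllegalArgumentException("Unsupported Java Keystore type: " + keystoreFileType);
            }
            String overridePassword = System.getProperty(str + SSL_TRUSTSTORE_PASSWORD);
            boolean hasOverride = overridePassword != null;
            // Jetty's API takes String passwords, so the configured char[] values have to be converted here.
            String keyStorePassword = hasOverride ? overridePassword : new String(sslConfig.getServerKeystorePassword());
            String trustStorePassword = hasOverride ? overridePassword : new String(sslConfig.getServerTruststorePassword());
            this.sslContextFactory.setKeyStorePassword(keyStorePassword);
            this.sslContextFactory.setKeyManagerPassword(keyStorePassword);
            this.sslContextFactory.setKeyStorePath(sslConfig.getServerKeystoreLocation());
            this.sslContextFactory.setKeyManagerFactoryAlgorithm("PKIX");
            this.sslContextFactory.setKeyStoreType(sslConfig.getServerKeystoreType());
            this.sslContextFactory.setTrustStorePassword(trustStorePassword);
            this.sslContextFactory.setTrustStorePath(sslConfig.getServerTruststoreLocation());
            this.sslContextFactory.setExcludeCipherSuites(
                    System.getProperty(str + SSL_EXCLUDE_CIPHERS, SSL_DEFAULT_BANNED_CIPHERS).split(","));
            this.sslContextFactory.setExcludeProtocols(
                    System.getProperty(str + SSL_EXCLUDE_PROTOCOLS, SSL_DEFAULT_BANNED_PROTOCOLS).split(","));
            // TLS renegotiation is refused outright.
            this.sslContextFactory.setRenegotiationAllowed(false);
        } finally {
            sslConfig.close();
        }
    }

    /**
     * Returns the process-wide instance, creating and initialising it on first use.
     *
     * <p>Only the first call's {@code str} is used: later calls return the existing instance
     * unchanged even if they pass a different process name. The instance is published only after
     * {@link #init} succeeds, so a failed initialisation is retried on the next call rather than
     * leaving a half-configured instance behind.
     *
     * @param str the process name passed to {@link #init} on first creation
     */
    public static synchronized WebSecurityManager getSecurityManager(String str) {
        WebSecurityManager instance = securityManager;
        if (instance == null) {
            instance = new WebSecurityManager();
            instance.init(str);
            securityManager = instance;
        }
        return instance;
    }

    /** Returns the SSL configuration for the current process from {@link WebSecurityConfig#CONFIG}. */
    public static SslConfig getSslConfig() throws SecurityException {
        return WebSecurityConfig.CONFIG.getSslConfig();
    }

    /** Returns the SSL configuration for {@code sslConfigScope} from {@link WebSecurityConfig#CONFIG}. */
    public static SslConfig getSslConfig(SslConfig.SslConfigScope sslConfigScope) throws SecurityException {
        return WebSecurityConfig.CONFIG.getSslConfig(sslConfigScope);
    }

    /** Returns the configured Jetty server-side {@link SslContextFactory}. */
    public SslContextFactory getSslContextFactory() {
        return this.sslContextFactory;
    }
}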
