package tigase.io;

import java.io.IOException;
import java.nio.ByteOrder;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import tigase.eventbus.EventBus;
import tigase.eventbus.EventBusFactory;
import tigase.eventbus.HandleEvent;
import tigase.io.CertificateContainer;
import tigase.io.SSLContextContainerAbstract;
import tigase.kernel.beans.Bean;
import tigase.kernel.beans.Initializable;
import tigase.kernel.beans.Inject;
import tigase.kernel.beans.UnregisterAware;
import tigase.kernel.beans.config.ConfigField;
import tigase.kernel.core.Kernel;
import tigase.server.ConnectionManager;
import tigase.vhosts.VHostItem;

@Bean(name = "sslContextContainer", parent = ConnectionManager.class, active = true)
/* loaded from: input_file:tigase/io/SSLContextContainer.class */
public class SSLContextContainer extends SSLContextContainerAbstract {
    private static final String[] TLS_WORKAROUND_CIPHERS = {"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"};
    private static final String[] HARDENED_MODE_FORBIDDEN_CIPHERS = {"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_KRB5_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_MD5", "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5"};
    private static final String[] HARDENED_MODE_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
    private static final Logger log = Logger.getLogger(SSLContextContainer.class.getName());
    private static String[] HARDENED_MODE_CIPHERS;

    @Inject
    protected EventBus eventBus;
    protected Map<String, SSLContextContainerAbstract.SSLHolder> sslContexts;

    @ConfigField(desc = "Enabled TLS/SSL ciphers", alias = "tls-enabled-ciphers")
    private String[] enabledCiphers;

    @ConfigField(desc = "Enabled TLS/SSL protocols", alias = "tls-enabled-protocols")
    private String[] enabledProtocols;

    @ConfigField(desc = "TLS/SSL hardened mode", alias = "hardened-mode")
    private boolean hardenedMode;

    @Inject(bean = "rootSslContextContainer", type = Root.class, nullAllowed = true)
    private SSLContextContainerIfc parent;

    @ConfigField(desc = "TLS/SSL", alias = "tls-jdk-nss-bug-workaround-active")
    private boolean tlsJdkNssBugWorkaround;

    @Bean(name = "rootSslContextContainer", parent = Kernel.class, active = true, exportable = true)
    /* loaded from: input_file:tigase/io/SSLContextContainer$Root.class */
    public static class Root extends SSLContextContainer implements Initializable, UnregisterAware {
        @Override // tigase.kernel.beans.UnregisterAware
        public void beforeUnregister() {
            stop();
        }

        @Override // tigase.kernel.beans.Initializable
        public void initialize() {
            start();
        }

        @Override // tigase.io.SSLContextContainer
        public void setParent(SSLContextContainerIfc sSLContextContainerIfc) {
            SSLContextContainer.log.log(Level.FINE, "setting root = " + sSLContextContainerIfc);
        }
    }

    private static String markEnabled(String[] strArr, String[] strArr2) {
        List arrayList = strArr == null ? new ArrayList() : Arrays.asList(strArr);
        String str = "";
        if (strArr2 != null) {
            for (int i = 0; i < strArr2.length; i++) {
                String str2 = strArr2[i];
                str = (str + (arrayList.contains(str2) ? "(+)" : "(-)")) + str2;
                if (i + 1 < strArr2.length) {
                    str = str + ",";
                }
            }
        }
        return str;
    }

    public SSLContextContainer() {
        this(null, null);
    }

    public SSLContextContainer(CertificateContainerIfc certificateContainerIfc) {
        this(certificateContainerIfc, null);
    }

    public SSLContextContainer(CertificateContainerIfc certificateContainerIfc, SSLContextContainerIfc sSLContextContainerIfc) {
        super(certificateContainerIfc);
        this.eventBus = EventBusFactory.getInstance();
        this.sslContexts = new ConcurrentSkipListMap();
        this.hardenedMode = false;
        this.tlsJdkNssBugWorkaround = false;
        this.parent = sSLContextContainerIfc;
    }

    @Override // tigase.io.SSLContextContainerIfc
    public IOInterface createIoInterface(String str, String str2, int i, boolean z, boolean z2, boolean z3, ByteOrder byteOrder, TrustManager[] trustManagerArr, TLSEventHandler tLSEventHandler, IOInterface iOInterface, CertificateContainerIfc certificateContainerIfc) throws IOException {
        return new TLSIO(iOInterface, new JcaTLSWrapper(getSSLContext(str, str2, z, trustManagerArr), tLSEventHandler, str2, i, z, z2, z3, getEnabledCiphers(), getEnabledProtocols()), byteOrder);
    }

    @Override // tigase.io.SSLContextContainerIfc
    public String[] getEnabledCiphers() {
        if (this.enabledCiphers != null && this.enabledCiphers.length != 0) {
            return this.enabledCiphers;
        }
        if (this.hardenedMode) {
            return HARDENED_MODE_CIPHERS;
        }
        if (this.tlsJdkNssBugWorkaround) {
            return TLS_WORKAROUND_CIPHERS;
        }
        return null;
    }

    public void setEnabledCiphers(String[] strArr) {
        if (log.isLoggable(Level.CONFIG)) {
            log.config("Enabled ciphers: " + (strArr == null ? "default" : Arrays.toString(strArr)));
        }
        this.enabledCiphers = strArr;
    }

    @Override // tigase.io.SSLContextContainerIfc
    public String[] getEnabledProtocols() {
        if (this.enabledProtocols != null && this.enabledProtocols.length != 0) {
            return this.enabledProtocols;
        }
        if (this.hardenedMode) {
            return HARDENED_MODE_PROTOCOLS;
        }
        return null;
    }

    public void setEnabledProtocols(String[] strArr) {
        if (log.isLoggable(Level.CONFIG)) {
            log.config("Enabled protocols: " + (strArr == null ? "default" : Arrays.toString(strArr)));
        }
        this.enabledProtocols = strArr;
    }

    @Override // tigase.io.SSLContextContainerIfc
    public SSLContext getSSLContext(String str, String str2, boolean z, TrustManager[] trustManagerArr) {
        SSLContextContainerAbstract.SSLHolder sSLHolder;
        String str3 = str2;
        if (trustManagerArr == null) {
            try {
                if (this.parent != null) {
                    return this.parent.getSSLContext(str, str2, z, trustManagerArr);
                }
                trustManagerArr = getTrustManagers();
            } catch (Exception e) {
                log.log(Level.SEVERE, "Can not initialize SSLContext for domain: " + str3 + ", protocol: " + str, (Throwable) e);
                sSLHolder = null;
            }
        }
        if (str3 == null) {
            str3 = getDefCertAlias();
        }
        sSLHolder = (SSLContextContainerAbstract.SSLHolder) find(this.sslContexts, str3);
        if (!validateDomainCertificate(sSLHolder, str2)) {
            sSLHolder = null;
        }
        if (sSLHolder == null || !sSLHolder.isValid(trustManagerArr)) {
            sSLHolder = createContextHolder(str, str2, str3, z, trustManagerArr);
            if (z) {
                return sSLHolder.sslContext;
            }
            if (!validateDomainCertificate(sSLHolder, str2)) {
                sSLHolder = createContextHolder(str, str2, str3, z, trustManagerArr);
            }
            this.sslContexts.put(str3, sSLHolder);
        }
        if (sSLHolder != null) {
            return sSLHolder.getSSLContext();
        }
        return null;
    }

    @Override // tigase.io.SSLContextContainerAbstract, tigase.io.SSLContextContainerIfc
    public KeyStore getTrustStore() {
        KeyStore trustStore = super.getTrustStore();
        if (trustStore == null && this.parent != null) {
            trustStore = this.parent.getTrustStore();
        }
        return trustStore;
    }

    private void invalidateContextHolder(SSLContextContainerAbstract.SSLHolder sSLHolder, String str) throws Exception {
        this.sslContexts.remove(str);
        createCertificate(str);
    }

    @HandleEvent
    private void onCertificateChange(CertificateContainer.CertificateChanged certificateChanged) {
        this.sslContexts.remove(certificateChanged.getAlias());
    }

    public void setHardenedMode(boolean z) {
        if (log.isLoggable(Level.CONFIG)) {
            log.config("Hardened mode is " + (z ? VHostItem.ENABLED_ATT : "disabled"));
        }
        if (z) {
            System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");
        }
        this.hardenedMode = z;
    }

    public void setParent(SSLContextContainerIfc sSLContextContainerIfc) {
        log.log(Level.FINE, "setting root = " + sSLContextContainerIfc);
        this.parent = sSLContextContainerIfc;
    }

    public void setTlsJdkNssBugWorkaround(boolean z) {
        if (log.isLoggable(Level.CONFIG)) {
            log.config("Workaround for TLS/SSL bug is " + (z ? VHostItem.ENABLED_ATT : "disabled"));
        }
        this.tlsJdkNssBugWorkaround = z;
    }

    @Override // tigase.server.Lifecycle
    public void start() {
        this.eventBus.registerAll(this);
    }

    @Override // tigase.server.Lifecycle
    public void stop() {
        this.eventBus.unregisterAll(this);
    }

    private boolean validateDomainCertificate(SSLContextContainerAbstract.SSLHolder sSLHolder, String str) throws Exception {
        if (sSLHolder == null || sSLHolder.domainCertificate == null || !sSLHolder.domainCertificate.getIssuerDN().equals(sSLHolder.domainCertificate.getSubjectDN())) {
            return true;
        }
        try {
            sSLHolder.domainCertificate.checkValidity();
            return true;
        } catch (CertificateException e) {
            invalidateContextHolder(sSLHolder, str);
            return false;
        }
    }

    static {
        try {
            SSLEngine createSSLEngine = SSLContext.getDefault().createSSLEngine();
            String[] enabledCipherSuites = createSSLEngine.getEnabledCipherSuites();
            log.config("Supported protocols: " + markEnabled(createSSLEngine.getEnabledProtocols(), createSSLEngine.getSupportedProtocols()));
            log.config("Supported ciphers: " + markEnabled(enabledCipherSuites, createSSLEngine.getSupportedCipherSuites()));
            ArrayList arrayList = new ArrayList(Arrays.asList(enabledCipherSuites));
            arrayList.removeAll(Arrays.asList(HARDENED_MODE_FORBIDDEN_CIPHERS));
            HARDENED_MODE_CIPHERS = (String[]) arrayList.toArray(new String[0]);
        } catch (NoSuchAlgorithmException e) {
            log.log(Level.WARNING, "Can't determine supported protocols", (Throwable) e);
        }
    }
}
