package com.tangosol.coherence.config.builder;

import com.oracle.coherence.common.base.Logger;
import com.oracle.coherence.common.internal.net.ssl.SSLCertUtility;
import com.oracle.coherence.common.net.SSLSocketProvider;
import com.oracle.coherence.common.util.Duration;
import com.tangosol.coherence.config.Config;
import com.tangosol.coherence.config.ParameterList;
import com.tangosol.coherence.config.unit.Seconds;
import com.tangosol.config.annotation.Injectable;
import com.tangosol.config.expression.NullParameterResolver;
import com.tangosol.config.expression.ParameterResolver;
import com.tangosol.internal.net.LegacyXmlSocketProviderFactoryDependencies;
import com.tangosol.internal.net.ssl.DefaultManagerDependencies;
import com.tangosol.internal.net.ssl.KeyStoreListener;
import com.tangosol.internal.net.ssl.ManagerDependencies;
import com.tangosol.internal.net.ssl.SSLContextDependencies;
import com.tangosol.internal.net.ssl.SSLContextProvider;
import com.tangosol.internal.net.ssl.SSLSocketProviderDefaultDependencies;
import com.tangosol.net.DatagramTest;
import com.tangosol.net.InetAddressHelper;
import com.tangosol.net.SocketProviderFactory;
import com.tangosol.net.security.SecurityProvider;
import com.tangosol.net.ssl.RefreshPolicy;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.Executor;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;

/* loaded from: input_file:com/tangosol/coherence/config/builder/SSLSocketProviderDependenciesBuilder.class */
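/**
 * Collects injected SSL configuration (protocol, JCA provider, identity and trust managers,
 * hostname verifier, cipher-suite and protocol-version name lists, client-auth mode, key-store
 * refresh settings) and applies it to an {@link SSLSocketProviderDefaultDependencies} instance.
 *
 * <p>Settings a security review should look at first:
 * <ul>
 *   <li>{@code hostname-verifier} with {@code action="allow"} installs a verifier that accepts every
 *       peer name, see {@link HostnameVerifierBuilder#realize}.</li>
 *   <li>{@code coherence.security.ssl.verifyCNAfterSAN} (default {@code true}) lets the certificate
 *       common name satisfy verification after the subject alternative names failed to match.</li>
 *   <li>{@code coherence.security.ssl.allowLocalhost} (default {@code false}) enables the localhost
 *       fallback in {@link DefaultHostnameVerifier}.</li>
 *   <li>{@code black-list} usage for cipher suites or protocol versions only subtracts from whatever
 *       the JVM enables by default, so newly enabled defaults pass through unreviewed.</li>
 * </ul>
 */
public class SSLSocketProviderDependenciesBuilder implements ParameterizedBuilder<SSLSocketProviderDefaultDependencies> {
    /** Name passed around for the Coherence SSL context provider. */
    public static final String NAME = "CoherenceSSLContextProvider";
    /** JCA service type name for SSL contexts. */
    public static final String SERVICE_TYPE = "SSLContext";
    /** Hostname-verifier action value that disables hostname verification. */
    public static final String ACTION_ALLOW = "allow";
    private static final String LOCALHOST_HOSTNAME = "localhost";
    private static final String LOCALHOST_IPADDRESS = "127.0.0.1";
    private ParameterizedBuilder<Executor> m_bldrExecutor;
    private ParameterizedBuilder<HostnameVerifier> m_bldrHostnameVerifier;
    private ProviderBuilder m_bldrProvider;
    private final SSLSocketProviderDefaultDependencies m_deps;
    private NameListDependencies m_depsCipherSuite;
    private ManagerDependencies m_depsIdentityManager;
    private NameListDependencies m_depsProtocolVersion;
    private ManagerDependencies m_depsTrustManager;
    // Set once realize() has completed successfully; later calls return m_deps untouched.
    private boolean m_fRealized;
    // Stays null unless setClientAuth() is called; realize() passes it on as-is.
    private SSLSocketProvider.ClientAuthMode m_clientAuthMode;
    // When true, the certificate CN is still consulted after the SAN entries did not match.
    private static final boolean VERIFY_CN_AFTER_SAN = Config.getBoolean("coherence.security.ssl.verifyCNAfterSAN", true);
    // When true, DefaultHostnameVerifier.doVerify() may accept localhost aliases of this machine.
    private static final boolean ALLOW_LOCALHOST = Config.getBoolean("coherence.security.ssl.allowLocalhost", false);
    // "*" followed by at least two dot-separated labels; group(1) is everything after the "*".
    private static final String WILDCARD_DNSNAME_REGEX = "^\\*((\\.[^*.]+){2,})$";
    private static final Pattern WILDCARD_DNSNAME_PATTERN = Pattern.compile(WILDCARD_DNSNAME_REGEX);
    // One leading label followed by at least two more; group(1) is everything after the first label.
    private static final String URL_HOSTNAME_REGEX = "^[^*.\\s]+((\\.[^*.]+){2,})$";
    private static final Pattern URL_HOSTNAME_PATTERN = Pattern.compile(URL_HOSTNAME_REGEX);
    /** Refresh period meaning "never refresh". */
    public static final Seconds NO_REFRESH = new Seconds(0);
    private Seconds m_refreshPeriod = NO_REFRESH;
    private RefreshPolicy m_refreshPolicy = RefreshPolicy.Always;
    private SocketProviderBuilder m_bldrDelegateSocketProvider = new SocketProviderBuilder(SocketProviderFactory.DEFAULT_SOCKET_PROVIDER, false);
    private String m_sNameProtocol = "TLS";

    /**
     * Hostname verifier used when no custom verifier and no {@code allow} action is configured.
     *
     * <p>Matching order: wildcard SAN DNS names, then (depending on {@code VERIFY_CN_AFTER_SAN}) a
     * wildcard common name, then exact SAN DNS names, then the common name again through
     * {@link #doVerify}. Every rejection is logged at error level.
     *
     * <p>NOTE(review): a wildcard common name is accepted whenever the certificate carries no
     * wildcard SAN, even if it does carry other SAN DNS names, and with the default
     * {@code VERIFY_CN_AFTER_SAN=true} the common name is consulted after any SAN mismatch. RFC 6125
     * only falls back to the CN when no DNS SAN is present; deployments that want that behaviour
     * should set {@code coherence.security.ssl.verifyCNAfterSAN=false} and confirm the result.
     */
    public static class DefaultHostnameVerifier implements HostnameVerifier {
        DefaultHostnameVerifier() {
        }

        /**
         * Checks {@code str} (the expected peer host name) against the peer certificate of the session.
         *
         * @param str         host name to verify; {@code null} or empty is rejected
         * @param sSLSession  session holding the peer certificate; {@code null} is rejected
         * @return {@code true} if one of the matching rules accepts the host name
         */
        @Override
        public boolean verify(String str, SSLSession sSLSession) {
            boolean fAccepted = false;
            if (str != null && !str.isEmpty() && sSLSession != null) {
                // presumably the two flags select wildcard-only vs. non-wildcard SAN entries —
                // TODO confirm against SSLCertUtility.getDNSSubjAltNames
                Collection<String> colWildcardSans = SSLCertUtility.getDNSSubjAltNames(sSLSession, true, false);
                String sCommonName = SSLCertUtility.getCommonName(sSLSession);
                if (colWildcardSans == null || colWildcardSans.isEmpty()) {
                    fAccepted = isLegalWildcarded(str, sCommonName);
                } else if (verifySANWildcardDNSNames(str, colWildcardSans)) {
                    fAccepted = true;
                } else {
                    fAccepted = SSLSocketProviderDependenciesBuilder.VERIFY_CN_AFTER_SAN && isLegalWildcarded(str, sCommonName);
                }
                if (!fAccepted) {
                    Collection<String> colExactSans = SSLCertUtility.getDNSSubjAltNames(sSLSession, false, true);
                    if (colExactSans == null || colExactSans.isEmpty()) {
                        fAccepted = doVerify(str, sCommonName);
                    } else if (doDNSSubjAltNamesVerify(str, colExactSans)) {
                        fAccepted = true;
                    } else {
                        fAccepted = SSLSocketProviderDependenciesBuilder.VERIFY_CN_AFTER_SAN && doVerify(str, sCommonName);
                    }
                }
            }
            if (!fAccepted) {
                Logger.err("DefaultHostnameVerifier rejecting hostname " + str);
            }
            return fAccepted;
        }

        /**
         * Matches the host name against the certificate common name.
         *
         * <p>Accepts, in order: a case-insensitive exact match; an unqualified common name equal to
         * the first label of a qualified host name; and, only when {@code ALLOW_LOCALHOST} is set and
         * the common name equals this machine's host name, the local address, {@code localhost} or
         * {@code 127.0.0.1}.
         *
         * <p>NOTE(review): the short-name rule means a certificate whose CN is a bare label (no dot)
         * is accepted for that label under any domain. Issue certificates with fully qualified names
         * if that is not intended.
         *
         * @param str   host name being verified (non-null, guarded by {@link #verify})
         * @param str2  certificate common name, may be {@code null}
         * @return {@code true} if one of the rules above matches
         */
        private boolean doVerify(String str, String str2) {
            if (str2 == null || str2.isEmpty()) {
                return false;
            }
            if (str.equalsIgnoreCase(str2)) {
                return true;
            }
            int iFirstDot = str.indexOf('.');
            boolean fShortNameMatch = str2.indexOf('.') < 0
                    && iFirstDot > 0
                    && iFirstDot == str2.length()
                    && str2.equalsIgnoreCase(str.substring(0, iFirstDot));
            if (fShortNameMatch) {
                return true;
            }
            if (!SSLSocketProviderDependenciesBuilder.ALLOW_LOCALHOST) {
                return false;
            }
            try {
                InetAddress addrLocal = InetAddressHelper.getLocalHost();
                // The localhost aliases only count when the certificate was issued to this machine's name.
                if (!addrLocal.getHostName().equalsIgnoreCase(str2)) {
                    return false;
                }
                return addrLocal.getHostAddress().equalsIgnoreCase(str)
                        || SSLSocketProviderDependenciesBuilder.LOCALHOST_HOSTNAME.equalsIgnoreCase(str)
                        || SSLSocketProviderDependenciesBuilder.LOCALHOST_IPADDRESS.equalsIgnoreCase(str);
            } catch (UnknownHostException e) {
                Logger.err("HostnameVerifier: " + e.getMessage());
                return false;
            }
        }

        /**
         * Returns {@code true} if any SAN DNS name equals the host name, ignoring case.
         *
         * @param str         host name being verified
         * @param collection  SAN DNS names, may be {@code null} or empty
         */
        private boolean doDNSSubjAltNamesVerify(String str, Collection<String> collection) {
            if (collection == null || collection.isEmpty()) {
                return false;
            }
            for (String sSan : collection) {
                if (sSan.equalsIgnoreCase(str)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Accepts a wildcard common name only in the form {@code *.label.label...}: exactly one
         * {@code *}, in the leftmost position, with at least two dots in the name, and a host name
         * that matches it per {@link #domainMatchesDomain}.
         *
         * @param str   host name being verified
         * @param str2  certificate common name, may be {@code null}
         */
        private static boolean isLegalWildcarded(String str, String str2) {
            if (str2 == null || !str2.startsWith("*.")) {
                return false;
            }
            boolean fSingleStar = str2.indexOf('*') == str2.lastIndexOf('*');
            boolean fAtLeastTwoDots = str2.indexOf('.') != str2.lastIndexOf('.');
            return fSingleStar && fAtLeastTwoDots && domainMatchesDomain(str, str2);
        }

        /**
         * Tests whether the host name is exactly one non-empty label followed by the part of the
         * pattern after its {@code *}. The wildcard therefore never spans a dot.
         *
         * @param str   host name being verified
         * @param str2  wildcard pattern containing {@code *}
         */
        private static boolean domainMatchesDomain(String str, String str2) {
            int iStar = str2.indexOf('*');
            if (iStar == -1) {
                return false;
            }
            // Locale.ROOT keeps the comparison independent of the JVM default locale; a
            // locale-sensitive lower-casing (e.g. Turkish dotless i) would change which names match.
            String sSuffix = str2.substring(iStar + 1).toLowerCase(java.util.Locale.ROOT);
            String sHost = str.toLowerCase(java.util.Locale.ROOT);
            if (!sHost.endsWith(sSuffix)) {
                return false;
            }
            String sLeftLabel = sHost.substring(0, sHost.length() - sSuffix.length());
            return !sLeftLabel.isEmpty() && !sLeftLabel.contains(".");
        }

        /**
         * Returns {@code true} if the host name has the shape {@code label.rest} (with at least two
         * labels in {@code rest}) and some SAN entry is {@code *.rest}, compared ignoring case.
         *
         * @param str         host name being verified
         * @param collection  SAN DNS names, may be {@code null} or empty
         */
        private static boolean verifySANWildcardDNSNames(String str, Collection<String> collection) {
            if (collection == null || collection.isEmpty()) {
                return false;
            }
            Matcher matcherHost = SSLSocketProviderDependenciesBuilder.URL_HOSTNAME_PATTERN.matcher(str);
            if (!matcherHost.matches()) {
                // A host name that does not fit the expected shape can never match a wildcard SAN.
                return false;
            }
            String sHostSuffix = matcherHost.group(1);
            for (String sSan : collection) {
                Matcher matcherSan = SSLSocketProviderDependenciesBuilder.WILDCARD_DNSNAME_PATTERN.matcher(sSan);
                if (matcherSan.matches() && sHostSuffix.equalsIgnoreCase(matcherSan.group(1))) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Implemented by a realized {@link Provider} that wants the socket-provider dependencies and
     * the two manager dependencies handed to it; {@link #realize()} calls it with the identity
     * manager first and the trust manager second.
     */
    public interface DependenciesAware {
        void setDependencies(SSLSocketProvider.Dependencies dependencies, ManagerDependencies managerDependencies, ManagerDependencies managerDependencies2);
    }

    /**
     * Builds the {@link HostnameVerifier} from either a custom instance builder or an action string.
     */
    public static class HostnameVerifierBuilder implements ParameterizedBuilder<HostnameVerifier> {
        private String m_sAction;
        private ParameterizedBuilder<HostnameVerifier> m_builder;

        @Injectable("action")
        public void setAction(String str) {
            this.m_sAction = str;
        }

        public String getAction() {
            return this.m_sAction;
        }

        @Injectable("instance")
        public void setBuilder(ParameterizedBuilder<HostnameVerifier> parameterizedBuilder) {
            this.m_builder = parameterizedBuilder;
        }

        /**
         * Returns the custom verifier if an instance builder was injected; otherwise an
         * accept-everything verifier when the action is exactly {@code "allow"}; otherwise a
         * {@link DefaultHostnameVerifier}.
         *
         * <p>With {@code "allow"} the peer certificate is never bound to the host being contacted, so
         * any certificate the trust manager accepts is accepted for any host. The comparison is
         * case-sensitive: any other value, including a {@code null} action, yields the default
         * verifier.
         */
        @Override
        public HostnameVerifier realize(ParameterResolver parameterResolver, ClassLoader classLoader, ParameterList parameterList) {
            if (this.m_builder != null) {
                return this.m_builder.realize(parameterResolver, classLoader, parameterList);
            }
            if (SSLSocketProviderDependenciesBuilder.ACTION_ALLOW.equals(this.m_sAction)) {
                // Hostname verification disabled by configuration.
                return (sHost, session) -> true;
            }
            return new DefaultHostnameVerifier();
        }
    }

    /**
     * A list of names (cipher suites or protocol versions) plus whether the list is to be used as
     * an allow list ({@code white-list}, the default) or a deny list ({@code black-list}).
     */
    public static class NameListDependencies {
        final String f_sDescription;
        public static final USAGE USAGE_DEFAULT = USAGE.WHITE_LIST;
        private final List<String> m_lstNames = new LinkedList<>();
        private USAGE m_usage = USAGE_DEFAULT;

        /** How a name list is interpreted; {@link #toString()} yields the configuration value. */
        public enum USAGE {
            WHITE_LIST("white-list"),
            BLACK_LIST("black-list");

            private final String f_value;

            USAGE(String str) {
                this.f_value = str;
            }

            @Override
            public String toString() {
                return this.f_value;
            }

            /**
             * Maps a configuration value to its constant.
             *
             * @throws IllegalArgumentException if the value is neither {@code white-list} nor
             *         {@code black-list} (the match is case-sensitive; {@code null} is rejected too)
             */
            public static USAGE myValueOf(String str) {
                for (USAGE usage : values()) {
                    if (usage.equalsName(str)) {
                        return usage;
                    }
                }
                throw new IllegalArgumentException("unknown usage value of " + str + "; expected either \"white-list\" or \"black-list\"");
            }

            public boolean equalsName(String str) {
                return this.f_value.equals(str);
            }
        }

        public NameListDependencies(String str) {
            this.f_sDescription = str;
        }

        public void add(String str) {
            this.m_lstNames.add(str);
        }

        /** Returns the live internal list, not a copy; changes by the caller affect this object. */
        public List<String> getNameList() {
            return this.m_lstNames;
        }

        public void setUsage(String str) {
            this.m_usage = USAGE.myValueOf(str);
        }

        public boolean isBlackList() {
            return this.m_usage == USAGE.BLACK_LIST;
        }
    }

    /**
     * Holds the configured JCA provider, given either by name or through a builder for a
     * {@link Provider} instance.
     */
    public static class ProviderBuilder implements ParameterizedBuilder<Provider> {
        private String m_sName;
        private ParameterizedBuilder<Provider> m_builder;
        // NOTE(review): nothing visible in this class ever sets this flag to true, so the guard in
        // setName() never short-circuits — confirm whether SecurityProvider.ensureRegistration()
        // is meant to be called on every matching setName().
        private static boolean m_fRegisteredCoherenceSecurityProvider = false;

        /** Stores the provider name and registers the Coherence security provider when it is the one named. */
        @Injectable("name")
        public void setName(String str) {
            this.m_sName = str;
            if (m_fRegisteredCoherenceSecurityProvider || !SecurityProvider.NAME.equals(str)) {
                return;
            }
            SecurityProvider.ensureRegistration();
        }

        public String getName() {
            return this.m_sName;
        }

        @Injectable(DatagramTest.COMMAND_PROVIDER)
        public void setBuilder(ParameterizedBuilder<Provider> parameterizedBuilder) {
            this.m_builder = parameterizedBuilder;
        }

        /** Returns the provider built by the injected builder, or {@code null} if none was injected. */
        @Override
        public Provider realize(ParameterResolver parameterResolver, ClassLoader classLoader, ParameterList parameterList) {
            if (this.m_builder == null) {
                return null;
            }
            return this.m_builder.realize(parameterResolver, classLoader, parameterList);
        }
    }

    /**
     * @param sSLSocketProviderDefaultDependencies the dependencies object that {@link #realize()}
     *        populates and returns
     */
    public SSLSocketProviderDependenciesBuilder(SSLSocketProviderDefaultDependencies sSLSocketProviderDefaultDependencies) {
        this.m_deps = sSLSocketProviderDefaultDependencies;
    }

    /** Sets the protocol name handed to {@link SSLContext#getInstance}; the default is {@code "TLS"}. */
    @Injectable("protocol")
    public void setProtocol(String str) {
        this.m_sNameProtocol = str;
    }

    public String getProtocol() {
        return this.m_sNameProtocol;
    }

    @Injectable(DatagramTest.COMMAND_PROVIDER)
    public void setProviderBuilder(ProviderBuilder providerBuilder) {
        this.m_bldrProvider = providerBuilder;
    }

    public ProviderBuilder getProviderBuilder() {
        return this.m_bldrProvider;
    }

    /** Returns the configured provider instance, or {@code null} when no provider builder is set. */
    protected Provider realizeProvider() {
        return this.m_bldrProvider == null ? null : this.m_bldrProvider.realize(null, null, null);
    }

    /** Returns the configured provider name, or {@code null} when no provider builder is set. */
    protected String getProviderName() {
        return this.m_bldrProvider == null ? null : this.m_bldrProvider.getName();
    }

    @Injectable("executor")
    public void setExecutor(ParameterizedBuilder<Executor> parameterizedBuilder) {
        this.m_bldrExecutor = parameterizedBuilder;
    }

    @Injectable("identity-manager")
    public void setIdentityManager(DefaultManagerDependencies defaultManagerDependencies) {
        this.m_depsIdentityManager = defaultManagerDependencies;
    }

    public ManagerDependencies getIdentityManager() {
        return this.m_depsIdentityManager;
    }

    public ManagerDependencies getTrustManager() {
        return this.m_depsTrustManager;
    }

    @Injectable("trust-manager")
    public void setTrustManager(ManagerDependencies managerDependencies) {
        this.m_depsTrustManager = managerDependencies;
    }

    @Injectable("hostname-verifier")
    public void setHostnameVerifierBuilder(ParameterizedBuilder<HostnameVerifier> parameterizedBuilder) {
        this.m_bldrHostnameVerifier = parameterizedBuilder;
    }

    public ParameterizedBuilder<HostnameVerifier> getHostnameVerifierBuilder() {
        return this.m_bldrHostnameVerifier;
    }

    @Injectable("cipher-suites")
    public void setCipherSuitesNameList(NameListDependencies nameListDependencies) {
        this.m_depsCipherSuite = nameListDependencies;
    }

    @Injectable("protocol-versions")
    public void setProtocolVersionsNameList(NameListDependencies nameListDependencies) {
        this.m_depsProtocolVersion = nameListDependencies;
    }

    @Injectable(LegacyXmlSocketProviderFactoryDependencies.XML_PROVIDER_NAME)
    public void setDelegate(SocketProviderBuilder socketProviderBuilder) {
        this.m_bldrDelegateSocketProvider = socketProviderBuilder;
    }

    /**
     * Sets the client-authentication mode from its configuration string.
     *
     * @param str  name of a {@link SSLSocketProvider.ClientAuthMode} constant (case-sensitive);
     *             {@code null} or empty selects {@code none}
     * @throws IllegalArgumentException if the value names no constant
     */
    @Injectable("client-auth")
    public void setClientAuth(String str) {
        if (str == null || str.isEmpty()) {
            this.m_clientAuthMode = SSLSocketProvider.ClientAuthMode.none;
            return;
        }
        try {
            this.m_clientAuthMode = SSLSocketProvider.ClientAuthMode.valueOf(str);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Invalid client auth configuration", e);
        }
    }

    /** Sets the key-store refresh period; {@code null} means {@link #NO_REFRESH}. */
    @Injectable("refresh-period")
    public void setRefreshPeriod(Seconds seconds) {
        this.m_refreshPeriod = seconds == null ? NO_REFRESH : seconds;
    }

    public Seconds getRefreshPeriod() {
        return this.m_refreshPeriod;
    }

    /** Sets the refresh policy; {@code null} means {@link RefreshPolicy#Always}. */
    @Injectable("refresh-policy")
    public void setRefreshPolicy(RefreshPolicy refreshPolicy) {
        this.m_refreshPolicy = refreshPolicy == null ? RefreshPolicy.Always : refreshPolicy;
    }

    public RefreshPolicy getRefreshPolicy() {
        return this.m_refreshPolicy;
    }

    public SocketProviderBuilder getSocketProviderBuilder() {
        return this.m_bldrDelegateSocketProvider;
    }

    /**
     * Applies the collected configuration to the dependencies object, creates and initialises the
     * {@link SSLContext}, and returns the dependencies. The work is done once; later calls return
     * the same object without re-applying anything.
     *
     * <p>Points to check when reviewing a deployment:
     * <ul>
     *   <li>If no hostname-verifier builder was injected, no verifier is set here and whatever the
     *       dependencies object defaults to applies.</li>
     *   <li>A {@code white-list} name list is passed through verbatim; a {@code black-list} is
     *       subtracted from the cipher suites / protocols a fresh engine has enabled.</li>
     *   <li>If {@code setClientAuth} was never called, {@code null} is passed as the client-auth
     *       mode.</li>
     * </ul>
     *
     * @return the populated dependencies
     * @throws IllegalArgumentException if the SSL context cannot be created or initialised
     */
    public synchronized SSLSocketProviderDefaultDependencies realize() {
        if (this.m_fRealized) {
            return this.m_deps;
        }
        SSLSocketProviderDefaultDependencies deps = this.m_deps;
        try {
            String sProtocol = getProtocol();
            ManagerDependencies depsIdentity = getIdentityManager();
            ManagerDependencies depsTrust = getTrustManager();
            Provider provider = realizeProvider();
            String sProviderName = getProviderName();

            // NOTE(review): the listener is read before setRefreshPolicy() is applied further down —
            // confirm that getRefreshPolicy() returns a listener that reflects the later setting.
            KeyStoreListener listener = deps.getRefreshPolicy();
            if (depsIdentity != null) {
                depsIdentity.addListener(listener);
            }
            if (depsTrust != null) {
                depsTrust.addListener(listener);
            }
            if (provider instanceof DependenciesAware) {
                ((DependenciesAware) provider).setDependencies(deps, depsIdentity, depsTrust);
            }

            if (this.m_bldrExecutor == null) {
                deps.setExecutor(SSLSocketProviderDefaultDependencies.DEFAULT_EXECUTOR);
            } else {
                deps.setExecutor(this.m_bldrExecutor.realize(new NullParameterResolver(), null, null));
            }
            deps.setRefreshPeriod(this.m_refreshPeriod);
            deps.setRefreshPolicy(this.m_refreshPolicy);
            deps.setClientAuth(this.m_clientAuthMode);

            ParameterizedBuilder<HostnameVerifier> bldrVerifier = getHostnameVerifierBuilder();
            if (bldrVerifier != null) {
                deps.setHostnameVerifier(bldrVerifier.realize(null, null, null));
            }

            SecureRandom random = new SecureRandom();
            // presumably forces the generator to seed now rather than during the first handshake
            random.nextInt();

            SSLContextDependencies depsContext = new SSLContextDependencies(null);
            depsContext.setProvider(provider, sProviderName);
            depsContext.setDependencies(deps, depsIdentity, depsTrust);
            depsContext.setClientAuth(deps.getClientAuth());
            depsContext.setRefreshPeriodInMillis(this.m_refreshPeriod.as(Duration.Magnitude.MILLI));
            depsContext.setSecureRandom(random);
            deps.setSSLContextDependencies(depsContext);

            SSLContext context = SSLContext.getInstance(sProtocol, new SSLContextProvider(sProtocol, deps));
            deps.setSSLContext(context);
            // No key or trust managers are passed here; presumably SSLContextProvider obtains them
            // from the dependencies set above — TODO confirm.
            context.init(null, null, random);

            // A throwaway engine is used only to read the JVM's enabled defaults for deny lists.
            SSLEngine engine = context.createSSLEngine();
            if (this.m_depsCipherSuite != null) {
                List<String> listSuites = this.m_depsCipherSuite.getNameList();
                if (this.m_depsCipherSuite.isBlackList()) {
                    List<String> listEnabled = new ArrayList<>(Arrays.asList(engine.getEnabledCipherSuites()));
                    listEnabled.removeAll(listSuites);
                    listSuites = listEnabled;
                }
                deps.setEnabledCipherSuites(listSuites.toArray(new String[0]));
            }
            if (this.m_depsProtocolVersion != null) {
                List<String> listVersions = this.m_depsProtocolVersion.getNameList();
                if (this.m_depsProtocolVersion.isBlackList()) {
                    List<String> listEnabled = new ArrayList<>(Arrays.asList(engine.getEnabledProtocols()));
                    listEnabled.removeAll(listVersions);
                    listVersions = listEnabled;
                }
                deps.setEnabledProtocolVersions(listVersions.toArray(new String[0]));
            }

            deps.setDelegateSocketProviderBuilder(this.m_bldrDelegateSocketProvider);
            this.m_fRealized = true;
            return deps;
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("Invalid configuration ", e);
        }
    }

    /** Ignores all three arguments and delegates to {@link #realize()}. */
    @Override
    public SSLSocketProviderDefaultDependencies realize(ParameterResolver parameterResolver, ClassLoader classLoader, ParameterList parameterList) {
        return realize();
    }
}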
