package com.ibm.mqlight.api.impl.network.ssl;

import com.ibm.mqlight.api.ClientOptions;
import com.ibm.mqlight.api.impl.LogbackLogging;
import com.ibm.mqlight.api.logging.Logger;
import com.ibm.mqlight.api.logging.LoggerFactory;
import com.ibm.mqlight.api.security.KeyStoreUtils;
import com.ibm.mqlight.api.security.PemFile;
import java.io.File;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:com/ibm/mqlight/api/impl/network/ssl/SSLEngineFactory.class */
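/**
 * Builds client-mode {@link SSLEngine} instances from the TLS settings carried by
 * {@link ClientOptions.SSLOptions}.
 *
 * <p>Key and trust material comes either from a single key store file (used for both) or from
 * separate client certificate/key and trust certificate files. The resulting engine enables
 * every protocol and cipher suite the provider reports as supported, minus the names rejected by
 * {@link #disabledProtocolPattern} and {@link #disabledCipherPattern}.
 */
public class SSLEngineFactory {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SSLEngineFactory.class);

    /**
     * Protocol names that are never enabled: anything starting with SSLv2 or SSLv3.
     *
     * NOTE(review): names such as TLSv1 and TLSv1.1 are not matched here, so they are enabled
     * whenever the provider lists them as supported. Confirm whether legacy peers still need them.
     */
    final Pattern disabledProtocolPattern = Pattern.compile("(SSLv2|SSLv3).*");

    /**
     * Cipher suite names that are never enabled.
     *
     * The tail after the token is optional so that a token in the last position (the MAC, e.g. a
     * name ending in _MD5) is rejected too; with a mandatory trailing underscore the MD5
     * alternative could only match in the middle of a name. "anon" is listed because anonymous key
     * exchange carries no server authentication, and the filter starts from the supported (not the
     * default-enabled) suite list.
     *
     * NOTE(review): the DES alternative needs an underscore directly before it, so names containing
     * _3DES_ are not rejected. Left unchanged for compatibility; decide explicitly whether
     * triple-DES should be allowed.
     */
    final Pattern disabledCipherPattern = Pattern.compile(".*_(NULL|EXPORT|DES|RC4|MD5|PSK|SRP|CAMELLIA|anon)(_.*)?");

    /**
     * Creates a new factory.
     *
     * @return a fresh {@code SSLEngineFactory}
     */
    public static SSLEngineFactory newInstance() {
        return new SSLEngineFactory();
    }

    private SSLEngineFactory() {
    }

    /**
     * Creates a client-mode TLS engine for the given peer.
     *
     * @param sSLOptions source of the key store / certificate files, passphrases and the
     *                   verify-name flag
     * @param str        peer host passed to {@link SSLContext#createSSLEngine(String, int)}
     * @param i          peer port passed to {@link SSLContext#createSSLEngine(String, int)}
     * @return an engine in client mode with filtered protocols and cipher suites
     * @throws SSLException             if key or trust material cannot be loaded
     * @throws NoSuchAlgorithmException if no provider offers a "TLSv1.2" context
     * @throws KeyManagementException   if the context cannot be initialised
     */
    public SSLEngine createClientSSLEngine(ClientOptions.SSLOptions sSLOptions, String str, int i) throws SSLException, NoSuchAlgorithmException, KeyManagementException {
        final String methodName = "createClientSSLEngine";
        // NOTE(review): sSLOptions is handed to the trace logger; confirm its string form does not
        // render passphrases.
        logger.entry(this, methodName, sSLOptions, str, Integer.valueOf(i));

        KeyManagerFactory keyManagerFactory = null;
        TrustManagerFactory trustManagerFactory = null;

        File keyStoreFile = sSLOptions.getKeyStoreFile();
        if (keyStoreFile != null) {
            // One key store supplies both the client identity and the trust anchors.
            try {
                String storePassphrase = sSLOptions.getKeyStoreFilePassphrase();
                KeyStore loadedStore = KeyStoreUtils.loadKeyStore(keyStoreFile, storePassphrase);
                keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                // A missing passphrase is passed through as null instead of being dereferenced, so
                // it either works or surfaces as the SSLException below rather than as an NPE.
                keyManagerFactory.init(loadedStore, storePassphrase == null ? null : storePassphrase.toCharArray());
                trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init(loadedStore);
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
                throw new SSLException("failed to load key store", e);
            }
        } else {
            // NOTE(review): a configured certificate file that does not exist is skipped silently in
            // both branches below; for trust material that means the context falls back to the
            // platform default trust managers. Confirm this is intended.
            if (sSLOptions.getClientCertificateFile() != null && sSLOptions.getClientCertificateFile().exists()) {
                try {
                    KeyStore identityStore = KeyStore.getInstance("JKS");
                    identityStore.load(null, null);
                    String keyPassphrase = sSLOptions.getClientKeyFilePassphrase();
                    // Without a configured passphrase a random throwaway one protects the entry in
                    // this in-memory store.
                    char[] entryPassword = keyPassphrase == null
                            ? Long.toHexString(new SecureRandom().nextLong()).toCharArray()
                            : keyPassphrase.toCharArray();
                    KeyStoreUtils.addPrivateKey(identityStore, sSLOptions.getClientKeyFile(), entryPassword, new PemFile(sSLOptions.getClientCertificateFile()).getCertificates());
                    keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    keyManagerFactory.init(identityStore, entryPassword);
                } catch (Exception e2) {
                    throw new SSLException("failed to load client certificate or private key", e2);
                }
            }
            if (sSLOptions.getTrustCertificateFile() != null && sSLOptions.getTrustCertificateFile().exists()) {
                try {
                    KeyStore trustStore;
                    try {
                        // First attempt: treat the file as a key store without a passphrase.
                        trustStore = KeyStoreUtils.loadKeyStore(sSLOptions.getTrustCertificateFile(), null);
                    } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e3) {
                        logger.data(this, methodName, e3.toString());
                        trustStore = null;
                    }
                    if (trustStore == null) {
                        // Fallback: read the file as PEM and add each certificate as cert1, cert2, ...
                        trustStore = KeyStore.getInstance("JKS");
                        trustStore.load(null, null);
                        int certIndex = 0;
                        for (Iterator<Certificate> it = new PemFile(sSLOptions.getTrustCertificateFile()).getCertificates().iterator(); it.hasNext();) {
                            certIndex++;
                            trustStore.setCertificateEntry("cert" + certIndex, it.next());
                        }
                    }
                    trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    trustManagerFactory.init(trustStore);
                } catch (Exception e4) {
                    throw new SSLException("failed to load trust certificates", e4);
                }
            }
        }

        SSLContext sSLContext = SSLContext.getInstance("TLSv1.2");
        // Null key/trust managers and a null SecureRandom select the platform defaults.
        sSLContext.init(
                keyManagerFactory == null ? null : keyManagerFactory.getKeyManagers(),
                trustManagerFactory == null ? null : trustManagerFactory.getTrustManagers(),
                null);

        SSLEngine engine = sSLContext.createSSLEngine(str, i);
        engine.setUseClientMode(true);

        engine.setEnabledProtocols(filterAllowed(engine.getSupportedProtocols(), this.disabledProtocolPattern));
        logger.data(this, methodName, "enabledProtocols", Arrays.toString(engine.getEnabledProtocols()));

        // The filter starts from the supported list, which can be wider than the provider's
        // default-enabled list, so the deny pattern is the only restriction applied here.
        engine.setEnabledCipherSuites(filterAllowed(engine.getSupportedCipherSuites(), this.disabledCipherPattern));
        logger.data(this, methodName, "enabledCipherSuites", Arrays.toString(engine.getEnabledCipherSuites()));

        if (sSLOptions.getVerifyName()) {
            // "HTTPS" endpoint identification makes the handshake check the peer certificate
            // against the host given above. When the flag is off no endpoint identification
            // algorithm is set, so the certificate chain is validated but not the host name.
            SSLParameters sSLParameters = engine.getSSLParameters();
            sSLParameters.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(sSLParameters);
        }

        logger.exit(this, methodName, engine);
        return engine;
    }

    /**
     * Returns the entries of {@code candidates} whose whole name does not match {@code denied},
     * in their original order.
     */
    private static String[] filterAllowed(String[] candidates, Pattern denied) {
        LinkedList<String> allowed = new LinkedList<String>();
        for (String candidate : candidates) {
            if (!denied.matcher(candidate).matches()) {
                allowed.add(candidate);
            }
        }
        return allowed.toArray(new String[allowed.size()]);
    }

    static {
        LogbackLogging.setup();
    }
}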
