package org.apache.hadoop.security.ssl;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
import org.apache.hadoop.util.PlatformName;
import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

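/**
 * Factory for the TLS primitives Hadoop uses on one side of a connection.
 *
 * <p>A factory is built for a single {@link Mode}. The constructor reads the
 * core configuration plus the mode-specific SSL resource
 * ({@code ssl-client.xml} or {@code ssl-server.xml}, overridable through
 * {@link #SSL_CLIENT_CONF_KEY} / {@link #SSL_SERVER_CONF_KEY}). {@link #init()}
 * then builds the {@link SSLContext} from the configured
 * {@link KeyStoresFactory}; every accessor that needs the context throws
 * {@link IllegalStateException} until {@link #init()} has completed, and
 * {@link #destroy()} releases the key store resources again.
 *
 * <p>Security-relevant settings read by this class:
 * <ul>
 *   <li>{@link #SSL_REQUIRE_CLIENT_CERT_KEY} - in SERVER mode, require a client
 *       certificate on every engine from {@link #createSSLEngine()}.</li>
 *   <li>{@link #SSL_HOSTNAME_VERIFIER_KEY} - which {@link SSLHostnameVerifier}
 *       a CLIENT applies; {@code ALLOW_ALL} switches host name verification
 *       off entirely and should only be used deliberately.</li>
 *   <li>{@link #SSL_ENABLED_PROTOCOLS} - protocol versions enabled on engines
 *       from {@link #createSSLEngine()}. They are not applied to sockets
 *       produced by {@link #createSSLSocketFactory()} or
 *       {@link #createSSLServerSocketFactory()}, which use the context's
 *       defaults.</li>
 *   <li>{@link #SSL_SERVER_EXCLUDE_CIPHER_LIST} - cipher suites removed from
 *       SERVER-mode engines.</li>
 * </ul>
 */
@InterfaceAudience.Private
@InterfaceStability.Evolving
public class SSLFactory implements ConnectionConfigurator {
    static final Logger LOG = LoggerFactory.getLogger(SSLFactory.class);
    public static final String SSL_REQUIRE_CLIENT_CERT_KEY = "hadoop.ssl.require.client.cert";
    public static final String SSL_HOSTNAME_VERIFIER_KEY = "hadoop.ssl.hostname.verifier";
    public static final String SSL_CLIENT_CONF_KEY = "hadoop.ssl.client.conf";
    public static final String SSL_SERVER_CONF_KEY = "hadoop.ssl.server.conf";
    /** Key/trust manager algorithm name; IBM JDKs name the X.509 algorithm differently. */
    public static final String SSLCERTIFICATE = PlatformName.IBM_JAVA ? "ibmX509" : "SunX509";
    public static final boolean DEFAULT_SSL_REQUIRE_CLIENT_CERT = false;
    public static final String KEYSTORES_FACTORY_CLASS_KEY = "hadoop.ssl.keystores.factory.class";
    public static final String SSL_ENABLED_PROTOCOLS = "hadoop.ssl.enabled.protocols";
    /**
     * Default protocol list. TLSv1.1 is deprecated (RFC 8996) and is kept here only
     * for backward compatibility; deployments should set {@link #SSL_ENABLED_PROTOCOLS}
     * to TLSv1.2 or later.
     */
    public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.1";
    public static final String SSL_SERVER_EXCLUDE_CIPHER_LIST = "ssl.server.exclude.cipher.list";

    private final Configuration conf;
    private final Mode mode;
    private final boolean requireClientCert;
    private final KeyStoresFactory keystoresFactory;
    private final String[] enabledProtocols;
    /** Cipher suite names to drop from SERVER-mode engines; entries are trimmed. */
    private final List<String> excludeCiphers;
    // Both are populated by init(); null means the factory is not initialised yet.
    private SSLContext context;
    private HostnameVerifier hostnameVerifier;

    /** Side of the connection this factory serves. */
    @InterfaceAudience.Private
    public enum Mode {
        CLIENT,
        SERVER
    }

    /**
     * Creates a factory and reads its configuration; no key material is loaded
     * until {@link #init()}.
     *
     * @param mode side of the connection the factory serves, never {@code null}
     * @param configuration core configuration naming the SSL resource, the
     *        key stores factory class and the enabled protocols
     * @throws IllegalArgumentException if {@code mode} is {@code null}
     * @throws NullPointerException if {@code configuration} is {@code null}
     */
    public SSLFactory(Mode mode, Configuration configuration) {
        if (mode == null) {
            throw new IllegalArgumentException("mode cannot be NULL");
        }
        this.mode = mode;
        this.conf = Objects.requireNonNull(configuration, "configuration");
        this.requireClientCert = conf.getBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, DEFAULT_SSL_REQUIRE_CLIENT_CERT);
        // readSSLConfiguration() copies requireClientCert into the SSL resource,
        // so it must run after that field is set.
        Configuration sslConf = readSSLConfiguration(mode);
        Class<? extends KeyStoresFactory> factoryClass = conf.getClass(
                KEYSTORES_FACTORY_CLASS_KEY, FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
        this.keystoresFactory = ReflectionUtils.newInstance(factoryClass, sslConf);
        this.enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS, DEFAULT_SSL_ENABLED_PROTOCOLS);
        this.excludeCiphers = parseCipherList(sslConf.get(SSL_SERVER_EXCLUDE_CIPHER_LIST, ""));
    }

    /**
     * Splits a comma-separated cipher suite list into trimmed, non-empty names.
     * Untrimmed entries would otherwise never match an enabled suite and the
     * exclusion would silently not apply.
     *
     * @param cipherList raw configuration value, possibly empty
     * @return mutable list of suite names, empty when nothing is configured
     */
    private static List<String> parseCipherList(String cipherList) {
        List<String> suites = new ArrayList<String>();
        if (cipherList.isEmpty()) {
            return suites;
        }
        LOG.debug("will exclude cipher suites: {}", cipherList);
        for (String entry : cipherList.split(StringUtils.COMMA_STR)) {
            String suite = entry.trim();
            if (!suite.isEmpty()) {
                suites.add(suite);
            }
        }
        return suites;
    }

    /**
     * Loads the mode-specific SSL resource into a fresh, default-free
     * {@link Configuration} and propagates the client-cert requirement into it.
     *
     * @param sslMode selects {@code ssl-client.xml} or {@code ssl-server.xml}
     *        (or the resource configured under the corresponding key)
     * @return the SSL configuration handed to the {@link KeyStoresFactory}
     */
    private Configuration readSSLConfiguration(Mode sslMode) {
        Configuration sslConf = new Configuration(false);
        sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, requireClientCert);
        String resource = sslMode == Mode.CLIENT
                ? conf.get(SSL_CLIENT_CONF_KEY, "ssl-client.xml")
                : conf.get(SSL_SERVER_CONF_KEY, "ssl-server.xml");
        sslConf.addResource(resource);
        return sslConf;
    }

    /**
     * Loads the key stores and builds the {@link SSLContext} and hostname verifier.
     * The context is published only after every step succeeded, so a failed
     * {@code init()} leaves the factory uninitialised rather than half-built.
     *
     * @throws GeneralSecurityException if the key stores or the hostname verifier
     *         setting are invalid
     * @throws IOException if the key stores cannot be read
     */
    public void init() throws GeneralSecurityException, IOException {
        keystoresFactory.init(mode);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keystoresFactory.getKeyManagers(), keystoresFactory.getTrustManagers(), null);
        // SSLContext.getDefaultSSLParameters() returns a copy, so setting protocols on
        // it has no effect; the enabled protocols are applied per engine in createSSLEngine().
        hostnameVerifier = getHostnameVerifier(conf);
        context = sslContext;
    }

    /**
     * Resolves the verifier named by {@link #SSL_HOSTNAME_VERIFIER_KEY}
     * (default {@code DEFAULT}), ignoring surrounding whitespace and case.
     */
    private HostnameVerifier getHostnameVerifier(Configuration configuration) throws GeneralSecurityException, IOException {
        String name = configuration.get(SSL_HOSTNAME_VERIFIER_KEY, "DEFAULT").trim();
        return getHostnameVerifier(StringUtils.toUpperCase(name));
    }

    /**
     * Maps a verifier name to the matching {@link SSLHostnameVerifier} constant.
     * {@code ALLOW_ALL} accepts any host name and therefore disables the
     * identity check of the peer certificate.
     *
     * @param str one of {@code DEFAULT}, {@code DEFAULT_AND_LOCALHOST},
     *        {@code STRICT}, {@code STRICT_IE6} or {@code ALLOW_ALL}
     * @return the verifier
     * @throws GeneralSecurityException if {@code str} is {@code null} or not a known name
     * @throws IOException never; kept for signature compatibility
     */
    public static HostnameVerifier getHostnameVerifier(String str) throws GeneralSecurityException, IOException {
        if (str == null) {
            throw new GeneralSecurityException("Invalid hostname verifier: null");
        }
        switch (str) {
            case "DEFAULT":
                return SSLHostnameVerifier.DEFAULT;
            case "DEFAULT_AND_LOCALHOST":
                return SSLHostnameVerifier.DEFAULT_AND_LOCALHOST;
            case "STRICT":
                return SSLHostnameVerifier.STRICT;
            case "STRICT_IE6":
                return SSLHostnameVerifier.STRICT_IE6;
            case "ALLOW_ALL":
                return SSLHostnameVerifier.ALLOW_ALL;
            default:
                throw new GeneralSecurityException("Invalid hostname verifier: " + str);
        }
    }

    /** Releases the key store resources held by the {@link KeyStoresFactory}. */
    public void destroy() {
        keystoresFactory.destroy();
    }

    /** @return the key stores factory backing this SSL factory */
    public KeyStoresFactory getKeystoresFactory() {
        return keystoresFactory;
    }

    /**
     * Creates an engine configured for this factory's mode: client mode on the
     * CLIENT side; on the SERVER side client authentication as configured and the
     * excluded cipher suites removed. The enabled protocols are applied on both sides.
     *
     * @return a new engine from the initialised context
     * @throws IllegalStateException if {@link #init()} has not completed
     */
    public SSLEngine createSSLEngine() throws GeneralSecurityException, IOException {
        SSLEngine engine = requireContext().createSSLEngine();
        if (mode == Mode.CLIENT) {
            engine.setUseClientMode(true);
        } else {
            engine.setUseClientMode(false);
            engine.setNeedClientAuth(requireClientCert);
            disableExcludedCiphers(engine);
        }
        engine.setEnabledProtocols(enabledProtocols);
        return engine;
    }

    /**
     * Removes every configured excluded suite from the engine's enabled suites.
     * Suites that are not currently enabled are ignored.
     */
    private void disableExcludedCiphers(SSLEngine engine) {
        List<String> enabled = new ArrayList<String>(Arrays.asList(engine.getEnabledCipherSuites()));
        for (String suite : excludeCiphers) {
            if (enabled.remove(suite)) {
                LOG.debug("Disabling cipher suite {}.", suite);
            }
        }
        engine.setEnabledCipherSuites(enabled.toArray(new String[enabled.size()]));
    }

    /**
     * @return the server socket factory of the initialised context
     * @throws IllegalStateException if the factory is in CLIENT mode or not initialised
     */
    public SSLServerSocketFactory createSSLServerSocketFactory() throws GeneralSecurityException, IOException {
        if (mode != Mode.SERVER) {
            throw new IllegalStateException("Factory is in CLIENT mode");
        }
        return requireContext().getServerSocketFactory();
    }

    /**
     * @return the socket factory of the initialised context
     * @throws IllegalStateException if the factory is in SERVER mode or not initialised
     */
    public SSLSocketFactory createSSLSocketFactory() throws GeneralSecurityException, IOException {
        if (mode != Mode.CLIENT) {
            // Message corrected: this branch is reached when the factory is NOT a client.
            throw new IllegalStateException("Factory is in SERVER mode");
        }
        return requireContext().getSocketFactory();
    }

    /**
     * @return the verifier resolved from {@link #SSL_HOSTNAME_VERIFIER_KEY} during {@link #init()}
     * @throws IllegalStateException if the factory is in SERVER mode or not initialised
     */
    public HostnameVerifier getHostnameVerifier() {
        if (mode != Mode.CLIENT) {
            throw new IllegalStateException("Factory is in SERVER mode");
        }
        if (hostnameVerifier == null) {
            throw new IllegalStateException("SSLFactory has not been initialized, call init() first");
        }
        return hostnameVerifier;
    }

    /** @return whether SERVER-mode engines demand a client certificate */
    public boolean isClientCertRequired() {
        return requireClientCert;
    }

    /**
     * {@link ConnectionConfigurator} hook: installs this factory's socket factory and
     * hostname verifier on HTTPS connections; plain HTTP connections pass through untouched.
     *
     * @param httpURLConnection the connection to configure
     * @return the same connection
     * @throws IOException if the socket factory cannot be created
     * @throws IllegalStateException if the factory is in SERVER mode or not initialised
     */
    public HttpURLConnection configure(HttpURLConnection httpURLConnection) throws IOException {
        if (httpURLConnection instanceof HttpsURLConnection) {
            HttpsURLConnection httpsConn = (HttpsURLConnection) httpURLConnection;
            try {
                httpsConn.setSSLSocketFactory(createSSLSocketFactory());
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
            httpsConn.setHostnameVerifier(getHostnameVerifier());
        }
        return httpURLConnection;
    }

    /**
     * @return the initialised context
     * @throws IllegalStateException if {@link #init()} has not completed
     */
    private SSLContext requireContext() {
        if (context == null) {
            throw new IllegalStateException("SSLFactory has not been initialized, call init() first");
        }
        return context;
    }
}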
