package com.oracle.graal.python.builtins.objects.ssl;

import com.oracle.graal.python.builtins.modules.SSLModuleBuiltins;
import com.oracle.graal.python.builtins.objects.object.PythonBuiltinObject;
import com.oracle.graal.python.util.PythonUtils;
import com.oracle.truffle.api.CompilerDirectives;
import com.oracle.truffle.api.object.Shape;
import java.io.IOException;
import java.net.Socket;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/* loaded from: input_file:com/oracle/graal/python/builtins/objects/ssl/PSSLContext.class */
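/**
 * State behind an SSL context object: the wrapped JSSE {@link SSLContext} plus the
 * verification settings, cipher and protocol selection, ALPN list and in-memory key
 * material that are applied when {@link #init()} is called.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>Peer certificates are validated by {@link DelegateTrustManager}, which first consults
 * the CA certificates added through {@link #setCAEntries(Collection)} and, when enabled via
 * {@link #setUseDefaultTrustStore(boolean)}, falls back to the JDK default trust store.</li>
 * <li>The verify mode is copied into the trust manager when {@link #init()} runs, so a later
 * {@link #setVerifyMode(int)} only takes effect after {@code init()} is called again.</li>
 * <li>{@code checkHostname} is only stored here; this class does not enforce it.
 * NOTE(review): hostname verification is presumably applied where the engine or socket is
 * configured - confirm against the caller.</li>
 * </ul>
 *
 * <p>The class performs no synchronization of its own.
 */
public final class PSSLContext extends PythonBuiltinObject {
    /** Verify mode in which all certificate checks are skipped (see {@link DelegateTrustManager}). */
    private static final int VERIFY_MODE_NONE = 0;
    /** Verify mode logged as {@code SSL_CERT_OPTIONAL}: a client may omit its certificate. */
    private static final int VERIFY_MODE_OPTIONAL = 1;
    /** Third value accepted by {@link #setVerifyMode(int)}; logged as {@code SSL_CERT_REQUIRED}. */
    private static final int VERIFY_MODE_REQUIRED = 2;

    /** Bit of {@code verifyFlags} logged as "crlCheck". */
    private static final int VERIFY_FLAG_CRL_CHECK = 4;
    /** Bit of {@code verifyFlags} logged as "crlCheckAll". */
    private static final int VERIFY_FLAG_CRL_CHECK_ALL = 8;

    private final SSLMethod method;
    private final SSLContext context;
    private boolean checkHostname;
    private int verifyMode;
    private SSLCipher[] ciphers;
    private long options;
    private SSLProtocol minimumVersion;
    private SSLProtocol maximumVersion;
    private int verifyFlags;
    private String[] alpnProtocols;
    // CA certificates added by the application; created lazily and only ever held in memory.
    private KeyStore caKeystore;
    // Private key and certificate chain presented to the peer; created lazily, in memory only.
    private KeyStore chainKeystore;
    private Set<X509CRL> crls;
    private boolean useDefaultTrustStore;
    // Password protecting the key entry in chainKeystore; kept by reference until init().
    private char[] password;

    /**
     * Trust manager that combines the application-supplied CA set ({@code delegate}) with an
     * optional JDK default trust manager ({@code defaultTM}) and honours the verify mode.
     *
     * <p>Decision order for every check:
     * <ol>
     * <li>If the verify mode says the check can be skipped, accept without validation.</li>
     * <li>If the delegate has at least one accepted issuer, ask it. Success is final. Failure is
     * final only when there is no default trust manager; otherwise the failure is dropped and
     * the default trust manager gets a chance.</li>
     * <li>If the default trust manager is absent or has no accepted issuers, reject with
     * "unable to get local issuer certificate"; otherwise its verdict is final.</li>
     * </ol>
     *
     * <p>A chain is therefore accepted when <em>either</em> trust source validates it, and with
     * no trust anchors configured at all every chain is rejected (unless the mode skips checks).
     */
    private static class DelegateTrustManager extends X509ExtendedTrustManager {
        private static final String NO_LOCAL_ISSUER = "certificate verify failed: unable to get local issuer certificate";

        private final X509ExtendedTrustManager delegate;
        private final X509ExtendedTrustManager defaultTM;
        private final int verifyMode;
        private X509Certificate[] issuers;

        /** One concrete check (client/server, plain/socket/engine) applied to a given trust manager. */
        @FunctionalInterface
        private interface TrustCheck {
            void verify(X509ExtendedTrustManager trustManager) throws CertificateException;
        }

        /**
         * @param delegate trust manager built from the application-supplied CA key store
         * @param defaultTM trust manager for the JDK default trust store, or {@code null} when
         *            the default store is not in use
         * @param verifyMode verify mode captured for the lifetime of this trust manager
         */
        public DelegateTrustManager(X509ExtendedTrustManager delegate, X509ExtendedTrustManager defaultTM, int verifyMode) {
            this.delegate = delegate;
            this.defaultTM = defaultTM;
            this.verifyMode = verifyMode;
            // Only mode 1 is labelled OPTIONAL; every other value (including 0) is logged as REQUIRED.
            SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.init() using DelegateTrustManager, verifyMode=%s",
                            verifyMode == VERIFY_MODE_OPTIONAL ? "SSL_CERT_OPTIONAL" : "SSL_CERT_REQUIRED"));
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (skipCheckClientTrusted(chain)) {
                return;
            }
            checkWithFallback(tm -> tm.checkClientTrusted(chain, authType));
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            if (skipCheckClientTrusted(chain)) {
                return;
            }
            checkWithFallback(tm -> tm.checkClientTrusted(chain, authType, socket));
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            if (skipCheckClientTrusted(chain)) {
                return;
            }
            checkWithFallback(tm -> tm.checkClientTrusted(chain, authType, engine));
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (skipCheckServerTrusted()) {
                return;
            }
            checkWithFallback(tm -> tm.checkServerTrusted(chain, authType));
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            if (skipCheckServerTrusted()) {
                return;
            }
            checkWithFallback(tm -> tm.checkServerTrusted(chain, authType, socket));
        }

        @Override // javax.net.ssl.X509ExtendedTrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            if (skipCheckServerTrusted()) {
                return;
            }
            checkWithFallback(tm -> tm.checkServerTrusted(chain, authType, engine));
        }

        /**
         * Runs {@code check} against the delegate and, where permitted, the default trust
         * manager. All six overloads go through this method so the fallback rule cannot
         * diverge between them.
         *
         * @throws CertificateException the delegate's failure when no default trust manager
         *             exists, a "no local issuer" failure when the default has no accepted
         *             issuers, or the default trust manager's own failure
         */
        private void checkWithFallback(TrustCheck check) throws CertificateException {
            if (canCheckDelegateTrustManager()) {
                try {
                    check.verify(delegate);
                    return;
                } catch (CertificateException e) {
                    if (defaultTM == null) {
                        // No second trust source to consult: the delegate's verdict is final.
                        throw e;
                    }
                    // Otherwise the delegate's failure is dropped and the default store decides.
                }
            }
            if (!canCheckDefaultTrustManager()) {
                throw new CertificateException(NO_LOCAL_ISSUER);
            }
            check.verify(defaultTM);
        }

        /**
         * Client checks are skipped when verification is off, or when it is optional and the
         * client sent no certificate. A chain that is present is always validated in mode 1.
         */
        private boolean skipCheckClientTrusted(X509Certificate[] chain) {
            if (verifyMode == VERIFY_MODE_NONE) {
                return true;
            }
            return verifyMode == VERIFY_MODE_OPTIONAL && (chain == null || chain.length == 0);
        }

        /** Server checks are skipped only when verification is off (mode 0). */
        private boolean skipCheckServerTrusted() {
            return verifyMode == VERIFY_MODE_NONE;
        }

        private boolean canCheckDelegateTrustManager() {
            return delegate.getAcceptedIssuers().length > 0;
        }

        private boolean canCheckDefaultTrustManager() {
            return defaultTM != null && defaultTM.getAcceptedIssuers().length > 0;
        }

        /**
         * Returns the delegate's accepted issuers followed by the default trust manager's.
         * The combined array is computed once and cached; callers receive a copy so that they
         * cannot alter the cached list.
         */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            if (issuers == null) {
                X509Certificate[] fromDelegate = delegate.getAcceptedIssuers();
                if (defaultTM == null) {
                    issuers = fromDelegate;
                } else {
                    X509Certificate[] fromDefault = defaultTM.getAcceptedIssuers();
                    X509Certificate[] combined = new X509Certificate[fromDelegate.length + fromDefault.length];
                    PythonUtils.arraycopy(fromDelegate, 0, combined, 0, fromDelegate.length);
                    PythonUtils.arraycopy(fromDefault, 0, combined, fromDelegate.length, fromDefault.length);
                    issuers = combined;
                }
            }
            return issuers.clone();
        }
    }

    /**
     * Creates the context state; the wrapped {@link SSLContext} is not initialised until
     * {@link #init()} is called.
     *
     * @param cls passed through to the {@link PythonBuiltinObject} constructor
     * @param instanceShape passed through to the {@link PythonBuiltinObject} constructor
     * @param method protocol method of this context; must not be {@code null} (asserted)
     * @param verifyFlags initial verify flags (bits 4 and 8 control CRL checking)
     * @param checkHostname initial hostname-check setting
     * @param verifyMode initial verify mode
     * @param context JSSE context to configure
     */
    public PSSLContext(Object cls, Shape instanceShape, SSLMethod method, int verifyFlags, boolean checkHostname, int verifyMode, SSLContext context) {
        super(cls, instanceShape);
        this.password = PythonUtils.EMPTY_CHAR_ARRAY;
        assert method != null;
        this.method = method;
        this.context = context;
        this.verifyFlags = verifyFlags;
        this.checkHostname = checkHostname;
        this.verifyMode = verifyMode;
        this.ciphers = SSLModuleBuiltins.defaultCiphers;
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext() method: %s, verifyMode: %d, verifyFlags: %d, checkHostname: %b",
                        method, Integer.valueOf(verifyMode), Integer.valueOf(verifyFlags), Boolean.valueOf(checkHostname)));
    }

    /** Returns the CA key store, creating an empty in-memory one on first use. */
    @CompilerDirectives.TruffleBoundary
    private KeyStore getCAKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        if (caKeystore == null) {
            caKeystore = KeyStore.getInstance("JKS");
            // load(null) initialises an empty store; nothing is read from disk.
            caKeystore.load(null);
        }
        return caKeystore;
    }

    /** Returns the key store for the own key and chain, creating an empty in-memory one on first use. */
    @CompilerDirectives.TruffleBoundary
    private KeyStore getChainKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        if (chainKeystore == null) {
            chainKeystore = KeyStore.getInstance("JKS");
            // load(null) initialises an empty store; nothing is read from disk.
            chainKeystore.load(null);
        }
        return chainKeystore;
    }

    /**
     * Lists the certificates this context trusts: the entries of the CA key store (if one was
     * created) followed by the accepted issuers of the default trust store (if enabled).
     *
     * @return a new array, empty when no trust anchors are configured
     */
    @CompilerDirectives.TruffleBoundary
    public X509Certificate[] getCACerts() throws KeyStoreException, NoSuchAlgorithmException {
        List<X509Certificate> certs = new ArrayList<>();
        if (caKeystore != null) {
            Enumeration<String> aliases = caKeystore.aliases();
            while (aliases.hasMoreElements()) {
                certs.add((X509Certificate) caKeystore.getCertificate(aliases.nextElement()));
            }
        }
        if (useDefaultTrustStore) {
            certs.addAll(Arrays.asList(getDefaultTrustManager().getAcceptedIssuers()));
        }
        return certs.toArray(new X509Certificate[0]);
    }

    public SSLMethod getMethod() {
        return method;
    }

    /**
     * Adds trust material: certificates become entries of the CA key store, CRLs are collected
     * for revocation checking. Entries added before a failure are kept.
     *
     * @param entries objects that must each be an {@link X509Certificate} or an {@link X509CRL}
     * @throws IllegalStateException if an element has any other type
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @CompilerDirectives.TruffleBoundary
    public void setCAEntries(Collection<? extends Object> entries) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        for (Object entry : entries) {
            if (entry instanceof X509Certificate) {
                X509Certificate cert = (X509Certificate) entry;
                getCAKeyStore().setCertificateEntry(CertUtils.getAlias(cert), cert);
            } else if (entry instanceof X509CRL) {
                getCRLs().add((X509CRL) entry);
            } else {
                throw new IllegalStateException("expected X509Certificate or X509CRL but got " + entry.getClass().getName());
            }
        }
    }

    @CompilerDirectives.TruffleBoundary
    private Set<X509CRL> getCRLs() {
        if (crls == null) {
            crls = new HashSet<>();
        }
        return crls;
    }

    /**
     * Stores the private key and its certificate chain for presentation to the peer.
     *
     * <p>The password array is retained by reference (not copied, never cleared by this class)
     * because {@link #init()} needs it to unlock the key entry; a caller that wipes the array
     * before {@code init()} runs will make key loading fail.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setCertChain(PrivateKey privateKey, char[] keyPassword, X509Certificate[] chain) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        this.password = keyPassword;
        getChainKeyStore().setKeyEntry(CertUtils.getAlias(privateKey), privateKey, keyPassword, chain);
    }

    /**
     * Initialises the wrapped {@link SSLContext} from the current settings.
     *
     * <p>A fresh {@link DelegateTrustManager} is built from the CA key store (created empty if
     * none exists), the optional default trust manager and the <em>current</em> verify mode.
     * Key managers are only installed when a certificate chain was set. Passing {@code null}
     * as the third argument of {@link SSLContext#init} selects the default random source.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void init() throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException, InvalidAlgorithmParameterException, IOException, CertificateException {
        X509ExtendedTrustManager caTrustManager = getX509ExtendedTrustManager(getTrustManagerFactory(getCAKeyStore()).getTrustManagers());
        DelegateTrustManager trustManager = new DelegateTrustManager(caTrustManager, getDefaultTrustManager(), verifyMode);
        KeyManager[] keyManagers = null;
        if (chainKeystore != null) {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(chainKeystore, password);
            keyManagers = keyManagerFactory.getKeyManagers();
        }
        context.init(keyManagers, new TrustManager[]{trustManager}, null);
    }

    /**
     * @return a trust manager backed by the JDK default trust store, or {@code null} when the
     *         default store is not enabled for this context
     */
    private X509ExtendedTrustManager getDefaultTrustManager() throws KeyStoreException, NoSuchAlgorithmException {
        if (!useDefaultTrustStore) {
            return null;
        }
        TrustManagerFactory factory = getTrustManagerFactory();
        // A null key store makes the factory use the platform's default trust anchors.
        factory.init((KeyStore) null);
        return getX509ExtendedTrustManager(factory.getTrustManagers());
    }

    /**
     * Picks the first {@link X509ExtendedTrustManager} from {@code trustManagers}.
     *
     * @throws IllegalStateException if the array contains none
     */
    private static X509ExtendedTrustManager getX509ExtendedTrustManager(TrustManager[] trustManagers) {
        for (TrustManager candidate : trustManagers) {
            if (candidate instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) candidate;
            }
        }
        CompilerDirectives.transferToInterpreterAndInvalidate();
        throw new IllegalStateException("at least one X509ExtendedTrustManager should be provided.");
    }

    @CompilerDirectives.TruffleBoundary
    private static TrustManagerFactory getTrustManagerFactory() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    }

    /**
     * Builds a trust manager factory over {@code keyStore}, adding CRL-based revocation
     * checking when either CRL bit of {@code verifyFlags} is set.
     *
     * <p>With revocation enabled the checker prefers CRLs and has OCSP fallback disabled
     * ({@code PREFER_CRLS}, {@code NO_FALLBACK}); {@code SOFT_FAIL} is not set. CRLs supplied
     * through {@link #setCAEntries(Collection)} are made available via a collection cert store.
     */
    @CompilerDirectives.TruffleBoundary
    private TrustManagerFactory getTrustManagerFactory(KeyStore keyStore) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory factory = getTrustManagerFactory();
        boolean crlCheck = (verifyFlags & VERIFY_FLAG_CRL_CHECK) != 0;
        boolean crlCheckAll = (verifyFlags & VERIFY_FLAG_CRL_CHECK_ALL) != 0;
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.getTrustManagerFactory() crlCheck: %b, crlCheckAll: %b",
                        Boolean.valueOf(crlCheck), Boolean.valueOf(crlCheckAll)));
        if (!crlCheck && !crlCheckAll) {
            factory.init(keyStore);
            return factory;
        }
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> revocationOptions = EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.NO_FALLBACK);
        // NOTE(review): ONLY_END_ENTITY is added whenever bit 4 is set, including when bit 8 is
        // set as well, so a caller passing both bits gets leaf-only revocation checking.
        // Confirm that this matches the intended meaning of "crlCheckAll".
        if (crlCheck) {
            revocationOptions.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        revocationChecker.setOptions(revocationOptions);
        PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        pkixParameters.addCertPathChecker(revocationChecker);
        if (crls != null && !crls.isEmpty()) {
            pkixParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
            SSLModuleBuiltins.LOGGER.fine("PSSLContext.getTrustManagerFactory() adding crls");
        }
        factory.init(new CertPathTrustManagerParameters(pkixParameters));
        return factory;
    }

    public SSLContext getContext() {
        return context;
    }

    public boolean getCheckHostname() {
        return checkHostname;
    }

    /** Records the hostname-check setting; enforcement is not part of this class. */
    public void setCheckHostname(boolean checkHostname) {
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.setCheckHostname: %b", Boolean.valueOf(checkHostname)));
        this.checkHostname = checkHostname;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public int getVerifyMode() {
        return verifyMode;
    }

    /**
     * Sets the verify mode used by the next {@link #init()}.
     *
     * <p>The range 0..2 is only asserted. With assertions disabled any other value is stored
     * as is; the trust manager treats every value other than 0 and 1 like mode 2, i.e. it
     * always validates.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setVerifyMode(int verifyMode) {
        assert verifyMode == VERIFY_MODE_NONE || verifyMode == VERIFY_MODE_OPTIONAL || verifyMode == VERIFY_MODE_REQUIRED;
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.setVerifyMode: %d", Integer.valueOf(verifyMode)));
        this.verifyMode = verifyMode;
    }

    /** Enables or disables use of the JDK default trust store as a second trust source. */
    public void setUseDefaultTrustStore(boolean useDefaultTrustStore) {
        this.useDefaultTrustStore = useDefaultTrustStore;
    }

    /**
     * Returns the configured ciphers that {@code engine} supports, in configuration order.
     *
     * @return a new list; empty when none of the configured ciphers is supported
     */
    @CompilerDirectives.TruffleBoundary
    public List<SSLCipher> computeEnabledCiphers(SSLEngine engine) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        List<SSLCipher> enabled = new ArrayList<>(ciphers.length);
        for (SSLCipher cipher : ciphers) {
            if (supported.contains(cipher.name())) {
                enabled.add(cipher);
            }
        }
        return enabled;
    }

    /** Replaces the cipher list; the array is stored by reference. */
    public void setCiphers(SSLCipher[] ciphers) {
        if (SSLModuleBuiltins.LOGGER.isLoggable(Level.FINE)) {
            SSLModuleBuiltins.LOGGER.fine("PSSLContext.setCiphers:");
            for (SSLCipher cipher : ciphers) {
                SSLModuleBuiltins.LOGGER.fine(() -> String.format("\t%s", cipher));
            }
        }
        this.ciphers = ciphers;
    }

    public long getOptions() {
        return options;
    }

    /** Sets the option bit mask; {@link #allowsProtocol(SSLProtocol)} reads protocol-disable bits from it. */
    public void setOptions(long options) {
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.setOptions: %d", Long.valueOf(options)));
        this.options = options;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public int getVerifyFlags() {
        return verifyFlags;
    }

    /** Sets the verify flags; the CRL bits are evaluated when {@link #init()} builds the trust manager. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setVerifyFlags(int verifyFlags) {
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.setVerifyFlags: %d", Integer.valueOf(verifyFlags)));
        this.verifyFlags = verifyFlags;
    }

    public String[] getAlpnProtocols() {
        return alpnProtocols;
    }

    /** Replaces the ALPN protocol list; the array is stored by reference. */
    public void setAlpnProtocols(String[] alpnProtocols) {
        if (SSLModuleBuiltins.LOGGER.isLoggable(Level.FINE)) {
            SSLModuleBuiltins.LOGGER.fine("PSSLContext.setAlpnProtocols:");
            for (String protocol : alpnProtocols) {
                SSLModuleBuiltins.LOGGER.fine(() -> String.format("\t%s", protocol));
            }
        }
        this.alpnProtocols = alpnProtocols;
    }

    public SSLProtocol getMinimumVersion() {
        return minimumVersion;
    }

    public void setMinimumVersion(SSLProtocol minimumVersion) {
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.setMinimumVersion: %s", minimumVersion));
        this.minimumVersion = minimumVersion;
    }

    public SSLProtocol getMaximumVersion() {
        return maximumVersion;
    }

    public void setMaximumVersion(SSLProtocol maximumVersion) {
        SSLModuleBuiltins.LOGGER.fine(() -> String.format("PSSLContext.setMaximumVersion: %s", maximumVersion));
        this.maximumVersion = maximumVersion;
    }

    /**
     * Tells whether {@code protocol} may be negotiated under the current settings. All four
     * conditions must hold: not below the minimum version (if set), not above the maximum
     * version (if set), its disable bit not set in {@code options}, and permitted by the
     * context's {@link SSLMethod}.
     */
    public boolean allowsProtocol(SSLProtocol protocol) {
        return (minimumVersion == null || protocol.getId() >= minimumVersion.getId())
                        && (maximumVersion == null || protocol.getId() <= maximumVersion.getId())
                        && (options & ((long) protocol.getDisableOption())) == 0L
                        && method.allowsProtocol(protocol);
    }

    /**
     * Returns the names of all supported protocols that pass {@link #allowsProtocol(SSLProtocol)},
     * in the order reported by {@code SSLModuleBuiltins.getSupportedProtocols()}.
     */
    @CompilerDirectives.TruffleBoundary
    public String[] computeEnabledProtocols() {
        List<SSLProtocol> supportedProtocols = SSLModuleBuiltins.getSupportedProtocols();
        List<String> enabledNames = new ArrayList<>(supportedProtocols.size());
        for (SSLProtocol protocol : supportedProtocols) {
            if (allowsProtocol(protocol)) {
                enabledNames.add(protocol.getName());
            }
        }
        return enabledNames.toArray(new String[0]);
    }
}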
