package org.apache.hc.client5.http.ssl;

import java.io.IOException;
import java.net.Socket;
import java.net.SocketAddress;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.hc.client5.http.config.TlsConfig;
import org.apache.hc.core5.concurrent.FutureCallback;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.URIScheme;
import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
import org.apache.hc.core5.http.protocol.HttpContext;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.http.ssl.TlsCiphers;
import org.apache.hc.core5.http2.HttpVersionPolicy;
import org.apache.hc.core5.http2.ssl.ApplicationProtocol;
import org.apache.hc.core5.http2.ssl.H2TlsSupport;
import org.apache.hc.core5.io.Closer;
import org.apache.hc.core5.net.NamedEndpoint;
import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
import org.apache.hc.core5.reactor.ssl.SSLSessionInitializer;
import org.apache.hc.core5.reactor.ssl.SSLSessionVerifier;
import org.apache.hc.core5.reactor.ssl.TlsDetails;
import org.apache.hc.core5.reactor.ssl.TransportSecurityLayer;
import org.apache.hc.core5.util.Args;
import org.apache.hc.core5.util.Timeout;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes8.dex */
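/**
 * Base client-side TLS strategy shared by the blocking ({@link TlsSocketStrategy}) and the
 * non-blocking ({@link TlsStrategy}) connection paths.
 *
 * <p>It configures protocol versions, cipher suites and endpoint identification on the
 * {@link SSLSocket} or {@link SSLEngine}, and verifies the peer's host name once the
 * session is established.
 *
 * <p>Host name checking is driven by {@link HostnameVerificationPolicy}:
 * <ul>
 *   <li>{@code BUILTIN} and {@code BOTH} enable JSSE endpoint identification on the
 *       {@link SSLParameters};</li>
 *   <li>{@code CLIENT} and {@code BOTH} run the configured {@link HostnameVerifier}
 *       in {@link #verifySession(String, SSLSession)}.</li>
 * </ul>
 * Under {@code BUILTIN} no client-side verifier runs, so the JSSE check is the only host
 * name verification and must reach the socket or engine.
 *
 * <p>This listing is decompiler output: the logger types ({@code Dc.b}, {@code Dc.c}) and
 * one string helper are obfuscated names not declared in this file, and method signatures
 * carry no checked-exception declarations.
 */
public abstract class AbstractClientTlsStrategy implements TlsStrategy, TlsSocketStrategy {
    // Obfuscated logger; c() is used below as a guard before detail logging and
    // o(arg, format) / h(message) as the logging calls - presumably debug level, TODO confirm.
    private static final Dc.b LOG = Dc.c.b(AbstractClientTlsStrategy.class);
    private final HostnameVerificationPolicy hostnameVerificationPolicy;
    private final HostnameVerifier hostnameVerifier;
    private final SSLBufferMode sslBufferManagement;
    private final SSLContext sslContext;
    private final String[] supportedCipherSuites;
    private final String[] supportedProtocols;

    /**
     * Creates the strategy.
     *
     * @param sSLContext SSL context used to create sockets and engines; must not be null
     * @param strArr protocol versions to enable, or null to filter the JSSE defaults
     * @param strArr2 cipher suites to enable, or null to filter the JSSE defaults
     * @param sSLBufferMode buffer mode for the non-blocking path; null selects {@code STATIC}
     * @param hostnameVerificationPolicy where host names are checked; null selects {@code BOTH}
     * @param hostnameVerifier client-side verifier; when null, {@code BUILTIN} gets the no-op
     *        verifier and every other policy gets the library default verifier
     */
    public AbstractClientTlsStrategy(SSLContext sSLContext, String[] strArr, String[] strArr2, SSLBufferMode sSLBufferMode, HostnameVerificationPolicy hostnameVerificationPolicy, HostnameVerifier hostnameVerifier) {
        this.sslContext = (SSLContext) Args.notNull(sSLContext, "SSL context");
        this.supportedProtocols = strArr;
        this.supportedCipherSuites = strArr2;
        this.sslBufferManagement = sSLBufferMode == null ? SSLBufferMode.STATIC : sSLBufferMode;
        final HostnameVerificationPolicy effectivePolicy =
                hostnameVerificationPolicy == null ? HostnameVerificationPolicy.BOTH : hostnameVerificationPolicy;
        this.hostnameVerificationPolicy = effectivePolicy;
        if (hostnameVerifier != null) {
            this.hostnameVerifier = hostnameVerifier;
        } else if (effectivePolicy == HostnameVerificationPolicy.BUILTIN) {
            // Never consulted under BUILTIN (verifySession passes null); JSSE does the check.
            this.hostnameVerifier = NoopHostnameVerifier.INSTANCE;
        } else {
            this.hostnameVerifier = HttpsSupport.getDefaultHostnameVerifier();
        }
    }

    /**
     * Configures the socket, performs the blocking TLS handshake and verifies the session.
     *
     * @param sSLSocket layered TLS socket that has not yet started its handshake
     * @param str host name the peer certificate is verified against
     * @param obj optional {@link TlsConfig}; any other value falls back to {@code TlsConfig.DEFAULT}
     */
    private void executeHandshake(SSLSocket sSLSocket, String str, Object obj) {
        final TlsConfig tlsConfig = obj instanceof TlsConfig ? (TlsConfig) obj : TlsConfig.DEFAULT;
        final SSLParameters sslParameters = sSLSocket.getSSLParameters();
        if (this.supportedProtocols != null) {
            sslParameters.setProtocols(this.supportedProtocols);
        } else {
            sslParameters.setProtocols(TLS.excludeWeak(sSLSocket.getEnabledProtocols()));
        }
        if (this.supportedCipherSuites != null) {
            sslParameters.setCipherSuites(this.supportedCipherSuites);
        } else {
            sslParameters.setCipherSuites(TlsCiphers.excludeWeak(sSLSocket.getEnabledCipherSuites()));
        }
        if (usesBuiltinEndpointIdentification()) {
            sslParameters.setEndpointIdentificationAlgorithm(URIScheme.HTTPS.id);
        }
        // Applied only after every setting above, endpoint identification included.
        sSLSocket.setSSLParameters(sslParameters);
        final Timeout handshakeTimeout = tlsConfig.getHandshakeTimeout();
        if (handshakeTimeout != null) {
            sSLSocket.setSoTimeout(handshakeTimeout.toMillisecondsIntBound());
        }
        initializeSocket(sSLSocket);
        if (LOG.c()) {
            LOG.o(sSLSocket.getEnabledProtocols(), "Enabled protocols: {}");
            LOG.o(sSLSocket.getEnabledCipherSuites(), "Enabled cipher suites: {}");
            LOG.o(handshakeTimeout, "Starting handshake ({})");
        }
        sSLSocket.startHandshake();
        verifySession(str, sSLSocket.getSession());
    }

    /**
     * Session initializer for the non-blocking path: prepares the {@link SSLEngine} before
     * the handshake starts.
     *
     * @param obj optional {@link TlsConfig}; any other value falls back to {@code TlsConfig.DEFAULT}
     * @param timeout handshake timeout, used here for logging only
     * @param namedEndpoint endpoint passed by the transport layer (unused here)
     * @param sSLEngine engine to configure
     */
    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ void lambda$upgrade$0(Object obj, Timeout timeout, NamedEndpoint namedEndpoint, SSLEngine sSLEngine) {
        final TlsConfig tlsConfig = obj instanceof TlsConfig ? (TlsConfig) obj : TlsConfig.DEFAULT;
        final HttpVersionPolicy versionPolicy = tlsConfig.getHttpVersionPolicy();
        final SSLParameters sslParameters = sSLEngine.getSSLParameters();

        // Precedence: per-connection TlsConfig, then strategy-level setting, then filtering.
        // NOTE(review): unlike the blocking path, weak protocol versions are filtered only
        // when the policy is not FORCE_HTTP_1, and cipher suites only for FORCE_HTTP_2
        // (H2 blacklist); in the remaining cases the engine's own defaults are kept.
        final String[] configuredProtocols = tlsConfig.getSupportedProtocols();
        if (configuredProtocols != null) {
            sslParameters.setProtocols(configuredProtocols);
        } else if (this.supportedProtocols != null) {
            sslParameters.setProtocols(this.supportedProtocols);
        } else if (versionPolicy != HttpVersionPolicy.FORCE_HTTP_1) {
            sslParameters.setProtocols(TLS.excludeWeak(sslParameters.getProtocols()));
        }
        final String[] configuredCipherSuites = tlsConfig.getSupportedCipherSuites();
        if (configuredCipherSuites != null) {
            sslParameters.setCipherSuites(configuredCipherSuites);
        } else if (this.supportedCipherSuites != null) {
            sslParameters.setCipherSuites(this.supportedCipherSuites);
        } else if (versionPolicy == HttpVersionPolicy.FORCE_HTTP_2) {
            sslParameters.setCipherSuites(TlsCiphers.excludeH2Blacklisted(sslParameters.getCipherSuites()));
        }
        if (versionPolicy != HttpVersionPolicy.FORCE_HTTP_1) {
            H2TlsSupport.setEnableRetransmissions(sslParameters, false);
        }
        // Endpoint identification has to be on the parameters BEFORE they are handed to
        // applyParameters. SSLEngine.setSSLParameters copies the values it is given, so a
        // change made to this object afterwards never reaches the engine. applyParameters is
        // abstract here; this assumes implementations apply the object to the engine.
        // Under BUILTIN verifySession runs no client-side verifier, so losing this setting
        // would leave the connection without any host name check.
        if (usesBuiltinEndpointIdentification()) {
            sslParameters.setEndpointIdentificationAlgorithm(URIScheme.HTTPS.id);
        }
        applyParameters(sSLEngine, sslParameters, H2TlsSupport.selectApplicationProtocols(versionPolicy));
        initializeEngine(sSLEngine);
        if (LOG.c()) {
            LOG.o(Arrays.asList(sSLEngine.getEnabledProtocols()), "Enabled protocols: {}");
            LOG.o(Arrays.asList(sSLEngine.getEnabledCipherSuites()), "Enabled cipher suites: {}");
            LOG.o(timeout, "Starting handshake ({})");
        }
    }

    /**
     * Session verifier for the non-blocking path: checks the host name and rejects HTTP/2
     * sessions negotiated with a cipher suite on the H2 blacklist.
     *
     * @param namedEndpoint endpoint originally requested; its host name is the one verified
     * @param namedEndpoint2 endpoint passed by the transport layer (unused here)
     * @param sSLEngine engine whose handshake has completed
     * @return the TLS details produced by {@link #createTlsDetails(SSLEngine)}, possibly null
     */
    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ TlsDetails lambda$upgrade$1(NamedEndpoint namedEndpoint, NamedEndpoint namedEndpoint2, SSLEngine sSLEngine) {
        verifySession(namedEndpoint.getHostName(), sSLEngine.getSession());
        final TlsDetails tlsDetails = createTlsDetails(sSLEngine);
        final String cipherSuite = sSLEngine.getSession().getCipherSuite();
        final boolean negotiatedH2 = tlsDetails != null
                && ApplicationProtocol.HTTP_2.id.equals(tlsDetails.getApplicationProtocol());
        if (negotiatedH2 && TlsCiphers.isH2Blacklisted(cipherSuite)) {
            // ai.onnxruntime.a.m is an obfuscated helper; presumably it concatenates its
            // arguments into the message - TODO confirm.
            throw new SSLHandshakeException(ai.onnxruntime.a.m("Cipher suite `", cipherSuite, "` does not provide adequate security for HTTP/2"));
        }
        return tlsDetails;
    }

    /**
     * Applies the prepared parameters and application protocols to the engine.
     *
     * @param sSLEngine engine being configured
     * @param sSLParameters parameters prepared by this class, endpoint identification included
     * @param strArr application protocols selected for the HTTP version policy
     */
    public abstract void applyParameters(SSLEngine sSLEngine, SSLParameters sSLParameters, String[] strArr);

    /**
     * Builds the {@link TlsDetails} reported for an established session.
     *
     * @param sSLEngine engine whose handshake has completed
     * @return TLS details; the caller in this class tolerates null
     */
    public abstract TlsDetails createTlsDetails(SSLEngine sSLEngine);

    /** Hook for subclasses to adjust the engine after parameters are applied; no-op here. */
    public void initializeEngine(SSLEngine sSLEngine) {
    }

    /** Hook for subclasses to adjust the socket before the handshake starts; no-op here. */
    public void initializeSocket(SSLSocket sSLSocket) {
    }

    /**
     * Layers TLS over an already connected socket and completes the handshake.
     *
     * @param socket connected plain socket; it is not auto-closed with the TLS socket
     * @param str target host name, also used for host name verification
     * @param i2 target port
     * @param obj optional {@link TlsConfig}
     * @param httpContext request context (unused here)
     * @return the TLS socket after a successful, verified handshake
     */
    @Override // org.apache.hc.client5.http.ssl.TlsSocketStrategy
    public SSLSocket upgrade(Socket socket, String str, int i2, Object obj, HttpContext httpContext) {
        final SSLSocket upgradedSocket = (SSLSocket) this.sslContext.getSocketFactory().createSocket(socket, str, i2, false);
        try {
            executeHandshake(upgradedSocket, str, obj);
            return upgradedSocket;
        } catch (IOException | RuntimeException e10) {
            // A failed or unverified handshake must not leave a usable TLS socket behind.
            Closer.closeQuietly(upgradedSocket);
            throw e10;
        }
    }

    /**
     * Starts TLS on a non-blocking transport, wiring in the initializer and verifier above.
     *
     * @param transportSecurityLayer transport to upgrade
     * @param namedEndpoint endpoint whose host name is verified after the handshake
     * @param obj optional {@link TlsConfig}
     * @param timeout handshake timeout
     * @param futureCallback completion callback; may be null
     */
    @Override // org.apache.hc.core5.http.nio.ssl.TlsStrategy
    public void upgrade(TransportSecurityLayer transportSecurityLayer, final NamedEndpoint namedEndpoint, final Object obj, final Timeout timeout, FutureCallback<TransportSecurityLayer> futureCallback) {
        transportSecurityLayer.startTls(this.sslContext, namedEndpoint, this.sslBufferManagement, new SSLSessionInitializer() {
            @Override // org.apache.hc.core5.reactor.ssl.SSLSessionInitializer
            public final void initialize(NamedEndpoint namedEndpoint2, SSLEngine sSLEngine) {
                AbstractClientTlsStrategy.this.lambda$upgrade$0(obj, timeout, namedEndpoint2, sSLEngine);
            }
        }, new SSLSessionVerifier() {
            @Override // org.apache.hc.core5.reactor.ssl.SSLSessionVerifier
            public final TlsDetails verify(NamedEndpoint namedEndpoint2, SSLEngine sSLEngine) {
                return AbstractClientTlsStrategy.this.lambda$upgrade$1(namedEndpoint, namedEndpoint2, sSLEngine);
            }
        }, timeout, futureCallback);
    }

    /**
     * Deprecated variant that delegates to the callback-based upgrade with no callback.
     *
     * @return always {@code true}
     */
    @Override // org.apache.hc.core5.http.nio.ssl.TlsStrategy
    @Deprecated
    public boolean upgrade(TransportSecurityLayer transportSecurityLayer, HttpHost httpHost, SocketAddress socketAddress, SocketAddress socketAddress2, Object obj, Timeout timeout) {
        upgrade(transportSecurityLayer, httpHost, obj, timeout, (FutureCallback<TransportSecurityLayer>) null);
        return true;
    }

    /**
     * Verifies the session using the verifier selected by the configured policy.
     *
     * <p>The configured verifier is used for {@code CLIENT} and {@code BOTH}; for any other
     * policy null is passed, which skips the client-side check entirely.
     *
     * @param str host name the peer certificate must match
     * @param sSLSession established session
     */
    public void verifySession(String str, SSLSession sSLSession) {
        final HostnameVerificationPolicy policy = this.hostnameVerificationPolicy;
        final boolean clientSideCheck =
                policy == HostnameVerificationPolicy.CLIENT || policy == HostnameVerificationPolicy.BOTH;
        verifySession(str, sSLSession, clientSideCheck ? this.hostnameVerifier : null);
    }

    /**
     * Logs session details and, when a verifier is given, checks the peer certificate
     * against the host name.
     *
     * @param str host name the peer certificate must match
     * @param sSLSession established session
     * @param hostnameVerifier verifier to apply, or null to skip client-side verification
     * @throws SSLPeerUnverifiedException if the chain is empty, the leaf is not X.509, or
     *         the verifier rejects the host name
     */
    public void verifySession(String str, SSLSession sSLSession, HostnameVerifier hostnameVerifier) {
        if (LOG.c()) {
            logSessionDetails(sSLSession);
        }
        if (hostnameVerifier == null) {
            return;
        }
        final Certificate[] peerCertificates = sSLSession.getPeerCertificates();
        if (peerCertificates.length < 1) {
            throw new SSLPeerUnverifiedException("Peer certificate chain is empty");
        }
        final Certificate leaf = peerCertificates[0];
        if (!(leaf instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("Unexpected certificate type: " + leaf.getType());
        }
        final X509Certificate x509Leaf = (X509Certificate) leaf;
        if (hostnameVerifier instanceof HttpClientHostnameVerifier) {
            // This variant reports a mismatch by throwing rather than returning false.
            ((HttpClientHostnameVerifier) hostnameVerifier).verify(str, x509Leaf);
            return;
        }
        if (hostnameVerifier.verify(str, sSLSession)) {
            return;
        }
        throw new SSLPeerUnverifiedException("Certificate for <" + str + "> doesn't match any of the subject alternative names: " + DefaultHostnameVerifier.getSubjectAltNames(x509Leaf));
    }

    /** Returns whether the policy asks JSSE itself to check the peer's host name. */
    private boolean usesBuiltinEndpointIdentification() {
        final HostnameVerificationPolicy policy = this.hostnameVerificationPolicy;
        return policy == HostnameVerificationPolicy.BUILTIN || policy == HostnameVerificationPolicy.BOTH;
    }

    /** Logs protocol, cipher suite and leaf-certificate names of an established session. */
    private static void logSessionDetails(SSLSession session) {
        LOG.h("Secure session established");
        LOG.o(session.getProtocol(), " negotiated protocol: {}");
        LOG.o(session.getCipherSuite(), " negotiated cipher suite: {}");
        try {
            final Certificate leaf = session.getPeerCertificates()[0];
            if (leaf instanceof X509Certificate) {
                final X509Certificate x509Leaf = (X509Certificate) leaf;
                LOG.o(x509Leaf.getSubjectX500Principal(), " peer principal: {}");
                final Collection<List<?>> subjectAltNames = x509Leaf.getSubjectAlternativeNames();
                if (subjectAltNames != null) {
                    LOG.o(altNameValues(subjectAltNames), " peer alternative names: {}");
                }
                LOG.o(x509Leaf.getIssuerX500Principal(), " issuer principal: {}");
                final Collection<List<?>> issuerAltNames = x509Leaf.getIssuerAlternativeNames();
                if (issuerAltNames != null) {
                    LOG.o(altNameValues(issuerAltNames), " issuer alternative names: {}");
                }
            }
        } catch (Exception ignored) {
            // Diagnostics only: a failure while reading certificate details for the log must
            // not affect the connection. Verification itself happens in verifySession.
        }
    }

    /** Extracts the value (second element) of each alternative-name entry that has one. */
    private static List<String> altNameValues(Collection<List<?>> altNames) {
        final List<String> values = new ArrayList<>();
        for (List<?> entry : altNames) {
            // Entries are (type, value) pairs; skip a short entry instead of indexing past it.
            if (entry.size() > 1) {
                values.add(Objects.toString(entry.get(1), null));
            }
        }
        return values;
    }
}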
