package com.huawei.es.security.ssl;

import com.huawei.hadoop.security.crypter.CrypterUtil;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:com/huawei/es/security/ssl/HwSslKeyStoreImpl.class */
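/**
 * Builds and hands out the Netty {@link SslContext}s / JSSE {@link SSLEngine}s used for the
 * Elasticsearch HTTP layer and for the node-to-node transport layer.
 *
 * <p>Key material comes either from a JKS/PKCS12-style key store plus a trust store, or from
 * PEM key / certificate / trusted-CA files. Passwords are stored encrypted in the settings and
 * decrypted through {@link CrypterUtil}.
 *
 * <p>Security-relevant decisions made here:
 * <ul>
 *   <li>Transport server contexts are built with {@link ClientAuth#REQUIRE}; the engines created
 *       from them must not weaken that afterwards (see {@link #createServerTransportSslEngine()}).</li>
 *   <li>Transport client contexts verify the peer against the configured trust store (key store
 *       or PEM trusted-CAs file) and, when the peer host is known, perform host-name verification.</li>
 *   <li>Cipher-suite lists are filtered against what the selected provider supports while keeping
 *       the administrator's preference order.</li>
 *   <li>Start-up fails fast when no usable cipher suite or protocol remains.</li>
 * </ul>
 *
 * <p>Not thread-safe during construction; once constructed the contexts are immutable and the
 * {@code create*SslEngine} methods may be called from any thread.
 */
public class HwSslKeyStoreImpl implements HwSslKeyStore {
    private static final Logger LOG = LogManager.getLogger(HwSslKeyStoreImpl.class);
    private static final String DEFAULT_STORE_TYPE = "JKS";
    private static final String CLIENT_TYPE = "client.type";
    /** JSSE endpoint-identification algorithm: the peer certificate must match the host we dialed. */
    private static final String ENDPOINT_IDENTIFICATION_ALGORITHM = "HTTPS";

    private final Settings settings;
    private final SslProvider sslHttpProvider;
    private final SslProvider sslTransportServerProvider;
    private final SslProvider sslTransportClientProvider;
    private final boolean httpSslEnabled;
    private final boolean transportSslEnabled;
    /** Null when no config directory could be resolved; file settings are then used as given. */
    private final Environment environment;
    private List<String> enabledHttpJdkCiphers;
    private List<String> enabledHttpOpenSslCiphers;
    private List<String> enabledTransportJdkCiphers;
    private List<String> enabledTransportOpenSslCiphers;
    private SslContext httpSslContext;
    private SslContext transportServerSslContext;
    private SslContext transportClientSslContext;

    /**
     * Reads the SSL settings, selects the SSL provider per layer, filters the cipher suites and
     * builds all enabled contexts.
     *
     * @param settings node settings holding the {@code security.ssl.*} configuration
     * @param path     config directory used to resolve relative key/trust store paths
     * @throws ElasticsearchException         when a required setting or file is missing or unreadable
     * @throws ElasticsearchSecurityException when a context cannot be built, or when no usable cipher
     *                                        suite / protocol remains for an enabled layer
     */
    public HwSslKeyStoreImpl(Settings settings, Path path) {
        this.settings = settings;
        Environment resolvedEnvironment;
        try {
            resolvedEnvironment = new Environment(settings, path);
        } catch (IllegalStateException e) {
            // No usable config directory: file settings are then taken as given (absolute) paths.
            resolvedEnvironment = null;
        }
        this.environment = resolvedEnvironment;
        this.httpSslEnabled = settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_HTTP_ENABLED, false).booleanValue();
        this.transportSslEnabled = settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED, true).booleanValue();
        boolean httpOpenSslIfAvailable = settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true).booleanValue();
        boolean transportOpenSslIfAvailable = settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true).booleanValue();
        boolean httpPrefersOpenSsl = httpOpenSslIfAvailable && this.httpSslEnabled;
        boolean transportPrefersOpenSsl = transportOpenSslIfAvailable && this.transportSslEnabled;
        if (httpPrefersOpenSsl || transportPrefersOpenSsl) {
            printOpenSslInfo();
        }
        // defaultServerProvider()/defaultClientProvider() pick OPENSSL when netty-tcnative is
        // loadable and fall back to JDK otherwise; a disabled layer gets no provider at all.
        if (httpPrefersOpenSsl) {
            this.sslHttpProvider = SslContext.defaultServerProvider();
        } else if (this.httpSslEnabled) {
            this.sslHttpProvider = SslProvider.JDK;
        } else {
            this.sslHttpProvider = null;
        }
        if (transportPrefersOpenSsl) {
            this.sslTransportServerProvider = SslContext.defaultServerProvider();
            this.sslTransportClientProvider = SslContext.defaultClientProvider();
        } else if (this.transportSslEnabled) {
            this.sslTransportServerProvider = SslProvider.JDK;
            this.sslTransportClientProvider = SslProvider.JDK;
        } else {
            this.sslTransportServerProvider = null;
            this.sslTransportClientProvider = null;
        }
        initEnabledSslCiphers();
        initSslConfig();
        checkInitResult();
    }

    /** Fails start-up when an enabled layer ended up with no cipher suite or no protocol. */
    private void checkInitResult() {
        if (this.httpSslEnabled && getEnabledHttpSslCiphers().isEmpty()) {
            throw new ElasticsearchSecurityException("No valid ciphers for http.");
        }
        if (this.transportSslEnabled
                && (getEnabledTransportSslCiphers(this.sslTransportClientProvider).isEmpty()
                    || getEnabledTransportSslCiphers(this.sslTransportServerProvider).isEmpty())) {
            throw new ElasticsearchSecurityException("No valid ciphers for transport.");
        }
        if (this.httpSslEnabled && HwSecurityConstants.getSecureSslProtocols(this.settings, true).length == 0) {
            throw new ElasticsearchSecurityException("No ssl protocols for http.");
        }
        if (this.transportSslEnabled && HwSecurityConstants.getSecureSslProtocols(this.settings, false).length == 0) {
            throw new ElasticsearchSecurityException("No ssl protocols for transport.");
        }
    }

    /** Logs whether native OpenSSL is usable and warns about versions lacking host-name verification. */
    private void printOpenSslInfo() {
        if (!OpenSsl.isAvailable()) {
            LOG.info("OpenSSL is not available  because of {}, will use Jdk SSL", OpenSsl.unavailabilityCause().toString());
            return;
        }
        if (OpenSsl.version() < HwSecurityConstants.MIN_SSL_VERSION) {
            LOG.warn("Current OpenSSL version is before 1.0.2k. It's advised to update to 1.0.2k or later.");
        }
        if (!OpenSsl.supportsHostnameValidation()) {
            // Without this, the HTTPS endpoint-identification set on transport client engines cannot be enforced natively.
            LOG.warn("Current OpenSSL does not support hostname verification.");
            LOG.warn("It's advised to update to 1.0.2k or later.");
        }
    }

    /**
     * Creates a server-side engine for the HTTP layer with the configured secure protocols.
     * Client-authentication mode is the one baked into the context (setting
     * {@code SECURITY_SSL_HTTP_CLIENTAUTH_MODE}, default OPTIONAL).
     */
    @Override // com.huawei.es.security.ssl.HwSslKeyStore
    public SSLEngine createHttpSslEngine() throws SSLException {
        SSLEngine engine = this.httpSslContext.newEngine(PooledByteBufAllocator.DEFAULT);
        engine.setEnabledProtocols(HwSecurityConstants.getSecureSslProtocols(this.settings, true));
        return engine;
    }

    /**
     * Creates a server-side engine for inbound transport connections.
     *
     * <p>The transport server context is built with {@link ClientAuth#REQUIRE}, which Netty applies
     * when the engine is created. Nothing here may relax that: per the {@link SSLEngine} contract,
     * {@code setWantClientAuth(false)} overrides any earlier need/want setting with "no client
     * authentication", which would silently disable transport mutual TLS on both providers.
     */
    @Override // com.huawei.es.security.ssl.HwSslKeyStore
    public SSLEngine createServerTransportSslEngine() throws SSLException {
        SSLEngine engine = this.transportServerSslContext.newEngine(PooledByteBufAllocator.DEFAULT);
        engine.setEnabledProtocols(HwSecurityConstants.getSecureSslProtocols(this.settings, false));
        engine.setUseClientMode(false);
        return engine;
    }

    /**
     * Creates a client-side engine for an outbound transport connection.
     *
     * @param peerHost host name of the peer, or {@code null} when unknown; when given, HTTPS-style
     *                 endpoint identification is enabled so the peer certificate must match it
     * @param peerPort port of the peer (only meaningful together with {@code peerHost})
     */
    @Override // com.huawei.es.security.ssl.HwSslKeyStore
    public SSLEngine createClientTransportSslEngine(String peerHost, int peerPort) throws SSLException {
        SSLEngine engine;
        if (peerHost == null) {
            // No peer host known, so no host-name verification is possible; the server certificate
            // is still validated against the configured trust store.
            engine = this.transportClientSslContext.newEngine(PooledByteBufAllocator.DEFAULT);
        } else {
            engine = this.transportClientSslContext.newEngine(PooledByteBufAllocator.DEFAULT, peerHost, peerPort);
            // Start from the engine's current parameters so protocols/ciphers are not reset to defaults.
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm(ENDPOINT_IDENTIFICATION_ALGORITHM);
            engine.setSSLParameters(params);
        }
        engine.setEnabledProtocols(HwSecurityConstants.getSecureSslProtocols(this.settings, false));
        // The context is a forClient() context and must stay in client mode: only a client-mode
        // engine initiates the handshake and performs server-certificate / host-name verification.
        // (An earlier revision forced server mode here and called setWantClientAuth(false), which has
        // no meaning on a client engine.)
        engine.setUseClientMode(true);
        return engine;
    }

    /** Fails fast when the (encrypted) password setting {@code settingKey} is absent or empty. */
    private void isFieldSet(String settingKey) {
        String value = this.settings.get(settingKey);
        if (value == null || value.isEmpty()) {
            throw new ElasticsearchException("SSL password is null.");
        }
    }

    /** Converts a decrypted password to the {@code char[]} form expected by {@link KeyStore}; empty means "no password". */
    private static char[] toPasswordChars(String decrypted) {
        return (decrypted == null || decrypted.isEmpty()) ? null : decrypted.toCharArray();
    }

    /**
     * Loads a key/trust store of the given type from {@code filePath}.
     *
     * @param password store password, or {@code null} to load without an integrity check
     */
    private static KeyStore loadKeyStore(String type, String filePath, char[] password) throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(new File(filePath))) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Builds the transport server and client contexts from a key store plus a (mandatory) trust store.
     * Both contexts use the same node key/certificate; both trust exactly the certificates found in
     * the trust store, so the client side verifies peers rather than accepting any server certificate.
     */
    private void buildTransportContextByKeyStore() {
        String keyStorePath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, true);
        String keyStoreType = this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
        isFieldSet(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_CONF);
        char[] keyStorePassword = toPasswordChars(CrypterUtil.decrypt(this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_CONF, (String) null)));
        String keyAlias = this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, (String) null);
        // Check the explicit setting first so the specific message is reported instead of a generic "empty path".
        if (this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, (String) null) == null) {
            throw new ElasticsearchException("security.ssl.transport.truststore_filepath must be configured for transport.");
        }
        String trustStorePath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, true);
        String trustStoreType = this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
        isFieldSet(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_CONF);
        char[] trustStorePassword = toPasswordChars(CrypterUtil.decrypt(this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_CONF, (String) null)));
        String trustAlias = this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, (String) null);
        try {
            KeyStore keyStore = loadKeyStore(keyStoreType, keyStorePath, keyStorePassword);
            X509Certificate[] chain = HwSslCertificateGenerator.getCertificateChain(keyStore, keyAlias);
            PrivateKey key = HwSslCertificateGenerator.getDecryptedKey(keyStore, keyAlias, keyStorePassword);
            if (key == null) {
                throw new ElasticsearchException(String.format(Locale.ENGLISH, "Can not get key in key store file, the used alias is: %s", keyAlias));
            }
            if (chain == null || chain.length <= 0) {
                throw new ElasticsearchException(String.format(Locale.ENGLISH, "Can not get certificates in key store file, the used alias is: %s", keyAlias));
            }
            KeyStore trustStore = loadKeyStore(trustStoreType, trustStorePath, trustStorePassword);
            X509Certificate[] trustedCerts = HwSslCertificateGenerator.getRootCertificates(trustStore, trustAlias);
            if (trustedCerts == null || trustedCerts.length == 0) {
                // Fail closed: the transport trust store is mandatory, and an empty trust set would
                // leave peers unverifiable (server side) or trusted by default (client side).
                throw new ElasticsearchSecurityException(String.format(Locale.ENGLISH, "No trusted certificates found in the transport trust store, the used alias is: %s", trustAlias));
            }
            this.transportServerSslContext = buildSslServerContext(key, chain, trustedCerts,
                getEnabledTransportSslCiphers(this.sslTransportServerProvider), this.sslTransportServerProvider, ClientAuth.REQUIRE);
            this.transportClientSslContext = buildSslClientContext(key, chain, trustedCerts,
                getEnabledTransportSslCiphers(this.sslTransportClientProvider), this.sslTransportClientProvider);
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("Error when building transport ssl: " + e.toString(), e);
        }
    }

    /** Builds the transport server and client contexts from PEM key, certificate and trusted-CA files. */
    private void buildTransportContextByPemCert() {
        String certPath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, true);
        String keyPath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, true);
        String trustedCasPath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true);
        String keyPassword = this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMKEY_CONF);
        try {
            this.transportServerSslContext = buildSslServerContext(new File(keyPath), new File(certPath), new File(trustedCasPath), keyPassword,
                getEnabledTransportSslCiphers(this.sslTransportServerProvider), this.sslTransportServerProvider, ClientAuth.REQUIRE);
            this.transportClientSslContext = buildSslClientContext(new File(keyPath), new File(certPath), new File(trustedCasPath), keyPassword,
                getEnabledTransportSslCiphers(this.sslTransportClientProvider), this.sslTransportClientProvider);
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("Fail to  build transport ssl by permCert: " + e.toString(), e);
        }
    }

    /**
     * Validates that the HTTP key store yielded both a private key and a non-empty certificate chain.
     *
     * @param keyStorePath path of the key store (kept for message context; currently not reported)
     * @param alias        alias that was looked up
     */
    private void checkHttpKey(X509Certificate[] chain, PrivateKey key, String keyStorePath, String alias) {
        if (key == null) {
            throw new ElasticsearchException(String.format(Locale.ENGLISH, "Can not get http key from key store file, the used alias is %s.", alias));
        }
        if (chain == null || chain.length <= 0) {
            throw new ElasticsearchException(String.format(Locale.ENGLISH, "Can not get certificates from key store file, the used alias is %s.", alias));
        }
    }

    /**
     * Builds the HTTP server context from a key store. A trust store is optional unless client
     * authentication is {@link ClientAuth#REQUIRE}; without one Netty's default trust manager is used.
     */
    private void buildHttpContextByKeyStore() {
        // Check the explicit setting first so the specific message is reported instead of a generic "empty path".
        if (this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, (String) null) == null) {
            throw new ElasticsearchException("security.ssl.http.keystore_filepath must be configured for https.");
        }
        String keyStorePath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, true);
        String keyStoreType = this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
        isFieldSet(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_CONF);
        char[] keyStorePassword = toPasswordChars(CrypterUtil.decrypt(this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_CONF, (String) null)));
        String keyAlias = this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, (String) null);
        // valueOf fails closed on an unknown mode string (IllegalArgumentException).
        ClientAuth clientAuth = ClientAuth.valueOf(this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, ClientAuth.OPTIONAL.toString()));
        LOG.info("http client auth mode: {}", clientAuth);
        boolean trustStoreConfigured = this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, (String) null) != null;
        if (clientAuth == ClientAuth.REQUIRE && !trustStoreConfigured) {
            throw new ElasticsearchException("security.ssl.http.truststore_filepath must be configured.");
        }
        try {
            KeyStore keyStore = loadKeyStore(keyStoreType, keyStorePath, keyStorePassword);
            X509Certificate[] chain = HwSslCertificateGenerator.getCertificateChain(keyStore, keyAlias);
            PrivateKey key = HwSslCertificateGenerator.getDecryptedKey(keyStore, keyAlias, keyStorePassword);
            checkHttpKey(chain, key, keyStorePath, keyAlias);
            X509Certificate[] trustedCerts = null;
            if (trustStoreConfigured) {
                String trustStorePath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, true);
                String trustStoreType = this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
                isFieldSet(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_CONF);
                char[] trustStorePassword = toPasswordChars(CrypterUtil.decrypt(this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_CONF, (String) null)));
                String trustAlias = this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, (String) null);
                KeyStore trustStore = loadKeyStore(trustStoreType, trustStorePath, trustStorePassword);
                trustedCerts = HwSslCertificateGenerator.getRootCertificates(trustStore, trustAlias);
            }
            this.httpSslContext = buildSslServerContext(key, chain, trustedCerts, getEnabledHttpSslCiphers(), this.sslHttpProvider, clientAuth);
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("Fail to init Http ssl: " + e.toString(), e);
        }
    }

    /** Builds the HTTP server context from PEM files; the trusted-CAs file is mandatory only for REQUIRE. */
    private void buildHttpContextByPemCert() {
        String trustedCasPath = getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, false);
        ClientAuth clientAuth = ClientAuth.valueOf(this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, ClientAuth.OPTIONAL.toString()));
        if (clientAuth == ClientAuth.REQUIRE) {
            checkFilePathValidity(trustedCasPath, HwSecurityConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH);
        }
        try {
            File keyFile = new File(getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, true));
            File certFile = new File(getFilePathByConfigure(HwSecurityConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, true));
            File trustedCasFile = trustedCasPath == null ? null : new File(trustedCasPath);
            this.httpSslContext = buildSslServerContext(keyFile, certFile, trustedCasFile,
                this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_PEMKEY_CONF), getEnabledHttpSslCiphers(), this.sslHttpProvider, clientAuth);
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("Fail to build httpSslContext by pemCert: " + e.toString(), e);
        }
    }

    /**
     * Builds the enabled contexts. Transport is built whenever enabled; HTTP only on nodes
     * ({@code client.type == "node"}) with HTTP SSL enabled. A key store path takes precedence over
     * PEM files for each layer.
     */
    private void initSslConfig() {
        if (this.environment == null) {
            LOG.info("Config environment is null, keyStore and trustStore files will be resolved absolutely");
        } else {
            LOG.info("KeyStore and trustStore files will be resolved relatively from cluster Es instance config.");
        }
        if (this.transportSslEnabled) {
            String transportKeyStore = this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, (String) null);
            String transportPemCert = this.settings.get(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, (String) null);
            if (transportKeyStore != null) {
                buildTransportContextByKeyStore();
            } else if (transportPemCert != null) {
                buildTransportContextByPemCert();
            } else {
                throw new ElasticsearchException("security.ssl.transport.keystore_filepath and security.ssl.transport.pemkey_filepath are both not configured for transport.");
            }
        }
        boolean isNode = "node".equals(this.settings.get(CLIENT_TYPE));
        if (!isNode || !this.httpSslEnabled) {
            return;
        }
        String httpKeyStore = this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, (String) null);
        String httpPemCert = this.settings.get(HwSecurityConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, (String) null);
        if (httpKeyStore != null) {
            buildHttpContextByKeyStore();
        } else if (httpPemCert != null) {
            buildHttpContextByPemCert();
        } else {
            throw new ElasticsearchException("security.ssl.http.keystore_filepath and security.ssl.http.pemkey_filepath are both not configured for http ssl.");
        }
    }

    /**
     * Client context from PEM files. Trusts only {@code trustedCasFile}; session caching is disabled.
     *
     * @param keyPassword PEM key password, may be {@code null} for an unencrypted key
     */
    private SslContext buildSslClientContext(File keyFile, File certFile, File trustedCasFile, String keyPassword, Iterable<String> ciphers, SslProvider sslProvider) throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forClient()
            .ciphers(ciphers)
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            .sessionCacheSize(0L)
            .sessionTimeout(0L)
            .sslProvider(sslProvider)
            .trustManager(trustedCasFile)
            .keyManager(certFile, keyFile, keyPassword);
        return buildSslContext(builder);
    }

    /**
     * Client context from in-memory key material. The peer (server) certificate is validated against
     * {@code trustedCerts} only — never an accept-all trust manager, which would allow any party to
     * impersonate a cluster node on the transport layer.
     *
     * @param trustedCerts non-empty set of CA / peer certificates to trust
     */
    private SslContext buildSslClientContext(PrivateKey key, X509Certificate[] chain, X509Certificate[] trustedCerts, Iterable<String> ciphers, SslProvider sslProvider) throws SSLException {
        if (trustedCerts == null || trustedCerts.length == 0) {
            throw new SSLException("Transport client context requires at least one trusted certificate");
        }
        SslContextBuilder builder = SslContextBuilder.forClient()
            .ciphers(ciphers)
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            .sessionCacheSize(0L)
            .sessionTimeout(0L)
            .sslProvider(sslProvider)
            .trustManager(trustedCerts)
            .keyManager(key, chain);
        return buildSslContext(builder);
    }

    /** Cipher list for the transport layer matching the given provider (JDK vs. OpenSSL). */
    private List<String> getEnabledTransportSslCiphers(SslProvider sslProvider) {
        return sslProvider == SslProvider.JDK ? this.enabledTransportJdkCiphers : this.enabledTransportOpenSslCiphers;
    }

    /** Cipher list for the HTTP layer matching its provider (JDK vs. OpenSSL). */
    private List<String> getEnabledHttpSslCiphers() {
        return this.sslHttpProvider == SslProvider.JDK ? this.enabledHttpJdkCiphers : this.enabledHttpOpenSslCiphers;
    }

    /**
     * Server context from PEM files. When {@code trustedCasFile} is {@code null} Netty's default trust
     * manager is used (callers only allow that when client auth is not REQUIRE).
     */
    private SslContext buildSslServerContext(File keyFile, File certFile, File trustedCasFile, String keyPassword, Iterable<String> ciphers, SslProvider sslProvider, ClientAuth clientAuth) throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forServer(certFile, keyFile, keyPassword)
            .ciphers(ciphers)
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            .clientAuth(Objects.requireNonNull(clientAuth))
            .sessionCacheSize(0L)
            .sessionTimeout(0L)
            .sslProvider(sslProvider);
        if (trustedCasFile != null) {
            builder.trustManager(trustedCasFile);
        }
        return buildSslContext(builder);
    }

    /**
     * Server context from in-memory key material. An absent or empty {@code trustedCerts} leaves
     * Netty's default trust manager in place (used by the HTTP layer when no trust store is configured).
     */
    private SslContext buildSslServerContext(PrivateKey key, X509Certificate[] chain, X509Certificate[] trustedCerts, Iterable<String> ciphers, SslProvider sslProvider, ClientAuth clientAuth) throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forServer(key, chain)
            .ciphers(ciphers)
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            .clientAuth(Objects.requireNonNull(clientAuth))
            .sessionCacheSize(0L)
            .sessionTimeout(0L)
            .sslProvider(sslProvider);
        if (trustedCerts != null && trustedCerts.length > 0) {
            builder.trustManager(trustedCerts);
        }
        return buildSslContext(builder);
    }

    /**
     * Builds the context under {@link SpecialPermission} inside a privileged block, as required by
     * the Elasticsearch security manager for Netty/OpenSSL initialisation.
     *
     * @throws SSLException the builder's own {@code SSLException}, or one wrapping any other failure
     *                      (the original code cast the cause unconditionally and could throw
     *                      {@code ClassCastException} instead)
     */
    private SslContext buildSslContext(final SslContextBuilder sslContextBuilder) throws SSLException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<SslContext>() {
                @Override
                public SslContext run() throws Exception {
                    return sslContextBuilder.build();
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof SSLException) {
                throw (SSLException) cause;
            }
            throw new SSLException("Failed to build SslContext", cause);
        }
    }

    /**
     * Resolves the file path held in setting {@code settingKey}. Relative paths are resolved against
     * the config directory when an {@link Environment} is available; absolute paths are kept.
     *
     * @param required when {@code true} the path must be non-empty, not a directory and readable;
     *                 when {@code false} an empty/absent setting yields {@code null}
     */
    private String getFilePathByConfigure(String settingKey, boolean required) {
        String configured = this.settings.get(settingKey, (String) null);
        String resolved = configured;
        if (this.environment != null && configured != null && configured.length() > 0) {
            resolved = this.environment.configFile().resolve(configured).toAbsolutePath().toString();
        }
        if (required) {
            checkFilePathValidity(resolved, settingKey);
        } else if (StringUtils.isEmpty(resolved)) {
            return null;
        }
        return resolved;
    }

    /**
     * Ensures {@code filePath} names an existing, readable regular file (symlinks are not followed
     * for the directory check).
     *
     * @param settingKey setting the path came from, for the error message
     */
    private static void checkFilePathValidity(String filePath, String settingKey) {
        if (StringUtils.isEmpty(filePath)) {
            throw new ElasticsearchException(String.format(Locale.ENGLISH, "Loaded file path is empty for: %s", settingKey));
        }
        Path candidate = Paths.get(filePath);
        if (Files.isDirectory(candidate, LinkOption.NOFOLLOW_LINKS)) {
            throw new ElasticsearchException(String.format(Locale.ENGLISH, "The loaded value for %s is a directory, it should be a file.", settingKey));
        }
        if (!Files.isReadable(candidate)) {
            throw new ElasticsearchException(String.format(Locale.ENGLISH, "The key store file is not readable, please configure it correctly: %s", settingKey));
        }
    }

    /**
     * Filters {@code configured} down to the suites the native OpenSSL build supports, de-duplicated
     * and in the administrator's order (the order is the preference order offered to peers).
     * Returns an empty list when OpenSSL is unavailable.
     */
    private List<String> getOpenSslCiphers(List<String> configured) {
        if (!OpenSsl.isAvailable()) {
            return Collections.emptyList();
        }
        LinkedHashSet<String> available = new LinkedHashSet<String>();
        for (String suite : configured) {
            if (OpenSsl.isCipherSuiteAvailable(suite)) {
                available.add(suite);
            }
        }
        return Collections.unmodifiableList(new ArrayList<String>(available));
    }

    /**
     * Filters {@code configured} down to the suites the JVM's JSSE provider can enable, keeping the
     * administrator's order. On failure to probe the JVM the configured list is returned unfiltered
     * (the {@link SslContextBuilder} applies its own filter later).
     */
    private List<String> getJdkCiphers(List<String> configured) {
        SSLEngine probe = null;
        try {
            SSLContext probeContext = SSLContext.getInstance("TLS");
            // This context only enumerates suites and never handshakes, so the provider-default
            // SecureRandom suffices; getInstanceStrong() can block on entropy-starved hosts at start-up.
            probeContext.init(null, null, null);
            probe = probeContext.createSSLEngine();
            List<String> supported = Arrays.asList(probe.getSupportedCipherSuites());
            LOG.debug("JVM supports the following {} ciphers: {}", Integer.valueOf(supported.size()), supported);
            List<String> candidates = new ArrayList<String>();
            for (String suite : configured) {
                if (supported.contains(suite) && !candidates.contains(suite)) {
                    candidates.add(suite);
                }
            }
            probe.setEnabledCipherSuites(candidates.toArray(new String[0]));
            return Collections.unmodifiableList(Arrays.asList(probe.getEnabledCipherSuites()));
        } catch (UnsupportedOperationException | KeyManagementException | NoSuchAlgorithmException e) {
            LOG.error("Can not get supported ciphers, exception: " + ExceptionsHelper.stackTrace(e));
            return configured;
        } finally {
            closeQuietly(probe);
        }
    }

    /** Releases a probe engine; closeInbound() legitimately complains when no handshake ran, so only log it. */
    private static void closeQuietly(SSLEngine engine) {
        if (engine == null) {
            return;
        }
        try {
            engine.closeInbound();
        } catch (SSLException e) {
            LOG.debug("Can not close inbound ssl engine: ", e);
        }
        engine.closeOutbound();
    }

    /** Computes the HTTP cipher lists for both providers from the configured secure suites. */
    private void initHttpCiphers() {
        List<String> secureSslCiphers = HwSecurityConstants.getSecureSslCiphers(this.settings, true);
        this.enabledHttpOpenSslCiphers = getOpenSslCiphers(secureSslCiphers);
        this.enabledHttpJdkCiphers = getJdkCiphers(secureSslCiphers);
    }

    /** Computes the transport cipher lists for both providers from the configured secure suites. */
    private void initTransportCiphers() {
        List<String> secureSslCiphers = HwSecurityConstants.getSecureSslCiphers(this.settings, false);
        this.enabledTransportOpenSslCiphers = getOpenSslCiphers(secureSslCiphers);
        this.enabledTransportJdkCiphers = getJdkCiphers(secureSslCiphers);
    }

    private void initEnabledSslCiphers() {
        initHttpCiphers();
        initTransportCiphers();
    }
}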
