package org.apache.solr.util;

import com.carrotsearch.randomizedtesting.RandomizedTest;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.SecureRandomParameters;
import java.security.SecureRandomSpi;
import java.security.UnrecoverableKeyException;
import java.util.concurrent.ThreadLocalRandom;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.lucene.util.Constants;
import org.apache.solr.client.solrj.embedded.SSLConfig;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:org/apache/solr/util/SSLTestConfig.class */
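/**
 * Describes whether a test run uses SSL/TLS (optionally with client authentication) and builds
 * the matching client and server SSL objects from keystores bundled on the classpath.
 *
 * <p>This is test scaffolding (it depends on {@code RandomizedTest} and on fixed test keystores)
 * and every security property is relaxed on purpose:
 *
 * <ul>
 *   <li>the keystore password is a hard-coded constant;
 *   <li>random bytes come from {@link NotSecurePseudoRandom}, which is not a CSPRNG;
 *   <li>self-signed certificates are trusted via {@code TrustSelfSignedStrategy};
 *   <li>hostname verification is switched off unless {@code checkPeerName} is set.
 * </ul>
 *
 * <p>None of these settings is suitable for a deployment that needs confidentiality or peer
 * authentication.
 */
public class SSLTestConfig {
    /** Keystore used when peer-name checking is disabled (see the three-argument constructor). */
    private static final String TEST_KEYSTORE_BOGUSHOST_RESOURCE = "SSLTestConfig.hostname-and-ip-missmatch.keystore";

    /** Keystore used when peer-name checking is enabled (see the three-argument constructor). */
    private static final String TEST_KEYSTORE_LOCALHOST_RESOURCE = "SSLTestConfig.testing.keystore";

    /** Password for both bundled keystores and their keys; a fixed test value, not a secret. */
    private static final String TEST_PASSWORD = "secret";

    /** Registry provider returned when SSL is off: registers only the plain "http" scheme. */
    private static final HttpClientUtil.SocketFactoryRegistryProvider HTTP_ONLY_SCHEMA_PROVIDER =
            new HttpClientUtil.SocketFactoryRegistryProvider() {
                public Registry<ConnectionSocketFactory> getSocketFactoryRegistry() {
                    // The explicit type witness is required: without it the chained call infers
                    // Registry<Object>, which is not assignable to the declared return type.
                    return RegistryBuilder.<ConnectionSocketFactory>create()
                            .register("http", PlainConnectionSocketFactory.getSocketFactory())
                            .build();
                }
            };

    /**
     * JVM version strings for which SSL tests are skipped. Matches 11, 11.0, 11.0.0, 11.0.1 and
     * 11.0.2 (optionally followed by a '_', '+' or '-' suffix), any 11/12/13 version containing
     * "-testing", and any version starting with "13-ea".
     */
    private static final Pattern KNOWN_BAD_OPENJDK_JVMS =
            Pattern.compile("(^11(\\.0(\\.0|\\.1|\\.2)?)?($|(\\_|\\+|\\-).*$))|(^(11|12|13).*-testing.*$)|(^13-ea.*$)");

    private final boolean checkPeerName;
    // keyStore and trustStore always reference the same classpath resource (see constructor).
    private final Resource keyStore;
    private final Resource trustStore;
    private final boolean useSsl;
    private final boolean clientAuth;

    /**
     * A {@link SecureRandom} that is deliberately NOT cryptographically secure: every byte it
     * hands out comes from {@link ThreadLocalRandom}, and all seeding/reseeding calls are no-ops.
     * Keys and nonces derived from it are predictable, so an {@link SSLContext} built with it
     * provides no real secrecy.
     * NOTE(review): presumably this exists so tests never block on system entropy; confirm.
     */
    public static class NotSecurePseudoRandom extends SecureRandom {
        /**
         * SPI handed to the superclass constructor. It must be declared before {@link #INSTANCE}:
         * static initializers run in textual order, so with the opposite order the constructor
         * would pass {@code null} to {@code super(...)} and any inherited {@link SecureRandom}
         * method that delegates to the SPI would dereference null.
         */
        private static final SecureRandomSpi NOT_SECURE_SPI = new SecureRandomSpi() {
            @Override
            public byte[] engineGenerateSeed(int i) {
                return NotSecurePseudoRandom.fillData(new byte[i]);
            }

            @Override
            public void engineNextBytes(byte[] bArr) {
                NotSecurePseudoRandom.fillData(bArr);
            }

            @Override
            public void engineSetSeed(byte[] bArr) {
                // Intentionally ignored: output never depends on a caller-supplied seed.
            }
        };

        /** Shared singleton; the constructor is private, so this is the only instance. */
        public static final SecureRandom INSTANCE = new NotSecurePseudoRandom();

        /**
         * Overwrites {@code bArr} with bytes from {@link ThreadLocalRandom}.
         *
         * @param bArr buffer to fill in place
         * @return the same array, for call chaining
         */
        private static byte[] fillData(byte[] bArr) {
            ThreadLocalRandom.current().nextBytes(bArr);
            return bArr;
        }

        private NotSecurePseudoRandom() {
            super(NOT_SECURE_SPI, null);
        }

        /** Returns {@code i} non-secure pseudo-random bytes. */
        @Override
        public byte[] generateSeed(int i) {
            return fillData(new byte[i]);
        }

        /** Fills {@code bArr} with non-secure pseudo-random bytes. */
        @Override
        public void nextBytes(byte[] bArr) {
            fillData(bArr);
        }

        /** Fills {@code bArr} with non-secure pseudo-random bytes; the parameters are ignored. */
        @Override
        public void nextBytes(byte[] bArr, SecureRandomParameters secureRandomParameters) {
            fillData(bArr);
        }

        /** No-op: the supplied seed is ignored. */
        @Override
        public void setSeed(byte[] bArr) {
        }

        /** No-op: the supplied seed is ignored. */
        @Override
        public void setSeed(long j) {
        }

        /** No-op. */
        @Override
        public void reseed() {
        }

        /** No-op: the parameters are ignored. */
        @Override
        public void reseed(SecureRandomParameters secureRandomParameters) {
        }
    }

    /** Registry provider that registers only the "https" scheme, backed by the given factory. */
    public static class SSLSocketFactoryRegistryProvider extends HttpClientUtil.SocketFactoryRegistryProvider {
        private final SSLConnectionSocketFactory sslConnectionFactory;

        /**
         * @param sSLConnectionSocketFactory factory registered for the "https" scheme
         */
        public SSLSocketFactoryRegistryProvider(SSLConnectionSocketFactory sSLConnectionSocketFactory) {
            this.sslConnectionFactory = sSLConnectionSocketFactory;
        }

        /** Builds a registry containing a single "https" entry. */
        public Registry<ConnectionSocketFactory> getSocketFactoryRegistry() {
            // The explicit type witness is required: without it the chained call infers
            // Registry<Object>, which is not assignable to the declared return type.
            return RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("https", this.sslConnectionFactory)
                    .build();
        }
    }

    /** Creates a configuration with SSL and client authentication both disabled. */
    public SSLTestConfig() {
        this(false, false);
    }

    /**
     * Creates a configuration with peer-name checking disabled.
     *
     * @param z whether SSL is used
     * @param z2 whether client authentication is required
     */
    public SSLTestConfig(boolean z, boolean z2) {
        this(z, z2, false);
    }

    /**
     * Creates a configuration and locates the matching test keystore on the classpath.
     *
     * @param z whether SSL is used; when true, {@link #assumeSslIsSafeToTest()} runs first
     * @param z2 whether client authentication is required
     * @param z3 whether clients verify the peer name; selects the "testing" keystore when true and
     *     the "hostname-and-ip-missmatch" keystore otherwise
     * @throws IllegalStateException if the selected keystore resource cannot be found
     */
    public SSLTestConfig(boolean z, boolean z2, boolean z3) {
        this.useSsl = z;
        this.clientAuth = z2;
        this.checkPeerName = z3;
        if (this.useSsl) {
            assumeSslIsSafeToTest();
        }
        final String resourceName = z3 ? TEST_KEYSTORE_LOCALHOST_RESOURCE : TEST_KEYSTORE_BOGUSHOST_RESOURCE;
        final Resource resource = Resource.newClassPathResource(resourceName);
        // One resource serves as both key store and trust store.
        this.keyStore = resource;
        this.trustStore = resource;
        if (null == this.keyStore || !this.keyStore.exists()) {
            throw new IllegalStateException("Unable to locate keystore resource file in classpath: " + resourceName);
        }
    }

    /** Returns whether clients built from this config verify the peer's host name. */
    public boolean getCheckPeerName() {
        return this.checkPeerName;
    }

    /** Returns whether SSL is enabled. */
    public boolean isSSLMode() {
        return this.useSsl;
    }

    /** Returns whether client authentication is enabled. */
    public boolean isClientAuthMode() {
        return this.clientAuth;
    }

    /**
     * Returns the socket factory registry provider for HTTP clients: the shared http-only provider
     * when SSL is off, otherwise a new https-only provider built from this configuration.
     */
    public HttpClientUtil.SocketFactoryRegistryProvider buildClientSocketFactoryRegistryProvider() {
        if (!isSSLMode()) {
            return HTTP_ONLY_SCHEMA_PROVIDER;
        }
        final SSLConnectionSocketFactory sslFactory = buildClientSSLConnectionSocketFactory();
        assert null != sslFactory;
        return new SSLSocketFactoryRegistryProvider(sslFactory);
    }

    /**
     * Builds the client-side {@link SSLContext}. Must only be called in SSL mode (asserted).
     *
     * <p>The context uses {@link NotSecurePseudoRandom} and trusts self-signed certificates, so it
     * is only meaningful against the bundled test keystores.
     *
     * @return a new SSL context; key material is loaded only in client-auth mode
     */
    public SSLContext buildClientSSLContext() throws KeyManagementException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
        assert isSSLMode();
        final SSLContextBuilder builder = SSLContexts.custom();
        builder.setSecureRandom(NotSecurePseudoRandom.INSTANCE);
        // Trust material is read via the keyStore field and key material via the trustStore field;
        // both fields reference the same resource, so the loaded material is identical either way.
        // Only the final build() produces the context, so no intermediate build() is needed here.
        builder.loadTrustMaterial(buildKeyStore(this.keyStore, TEST_PASSWORD), new TrustSelfSignedStrategy());
        if (isClientAuthMode()) {
            builder.loadKeyMaterial(buildKeyStore(this.trustStore, TEST_PASSWORD), TEST_PASSWORD.toCharArray());
        }
        return builder.build();
    }

    /**
     * Builds an {@link SSLConfig} whose client context factory wraps
     * {@link #buildClientSSLContext()}.
     *
     * @return the client config, or {@code null} when SSL is off
     */
    public SSLConfig buildClientSSLConfig() {
        if (!isSSLMode()) {
            return null;
        }
        return new SSLConfig(isSSLMode(), isClientAuthMode(), null, null, null, null) {
            public SslContextFactory.Client createClientContextFactory() {
                // The constructor argument is Jetty's trust-all flag, so it is enabled exactly
                // when peer-name checking is disabled.
                SslContextFactory.Client client = new SslContextFactory.Client(!SSLTestConfig.this.checkPeerName);
                try {
                    client.setSslContext(SSLTestConfig.this.buildClientSSLContext());
                    return client;
                } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
                    throw new IllegalStateException("Unable to setup https scheme for HTTPClient to test SSL.", e);
                }
            }
        };
    }

    /**
     * Builds an {@link SSLConfig} whose server context factory loads the test key material and,
     * in client-auth mode, also trusts self-signed client certificates from the same keystore.
     *
     * @return the server config, or {@code null} when SSL is off
     */
    public SSLConfig buildServerSSLConfig() {
        if (!isSSLMode()) {
            return null;
        }
        return new SSLConfig(isSSLMode(), isClientAuthMode(), null, null, null, null) {
            public SslContextFactory.Server createContextFactory() {
                SslContextFactory.Server server = new SslContextFactory.Server();
                try {
                    SSLContextBuilder builder = SSLContexts.custom();
                    builder.setSecureRandom(NotSecurePseudoRandom.INSTANCE);
                    builder.loadKeyMaterial(SSLTestConfig.buildKeyStore(SSLTestConfig.this.keyStore, SSLTestConfig.TEST_PASSWORD), SSLTestConfig.TEST_PASSWORD.toCharArray());
                    if (isClientAuthMode()) {
                        // Only the final build() below produces the context used by the server.
                        builder.loadTrustMaterial(SSLTestConfig.buildKeyStore(SSLTestConfig.this.trustStore, SSLTestConfig.TEST_PASSWORD), new TrustSelfSignedStrategy());
                    }
                    server.setSslContext(builder.build());
                    server.setNeedClientAuth(isClientAuthMode());
                    return server;
                } catch (Exception e) {
                    throw new RuntimeException("ssl context init failure: " + e.getMessage(), e);
                }
            }
        };
    }

    /**
     * Loads a JKS {@link KeyStore} from the given resource.
     *
     * @param resource keystore location
     * @param str keystore password
     * @throws IllegalStateException wrapping any failure while reading the keystore
     */
    private static KeyStore buildKeyStore(Resource resource, String str) {
        try {
            return CertificateUtils.getKeyStore(resource, "JKS", (String) null, str);
        } catch (Exception e) {
            throw new IllegalStateException("Unable to build KeyStore from resource: " + resource.getName(), e);
        }
    }

    /**
     * Builds the HttpClient SSL socket factory for this configuration.
     *
     * <p>When peer-name checking is disabled the factory uses {@code NoopHostnameVerifier}, i.e.
     * the server certificate is not checked against the host being contacted.
     *
     * @return the factory, or {@code null} when SSL is off
     * @throws IllegalStateException if the SSL context cannot be built
     */
    public SSLConnectionSocketFactory buildClientSSLConnectionSocketFactory() {
        if (!isSSLMode()) {
            return null;
        }
        try {
            final SSLContext sslContext = buildClientSSLContext();
            if (this.checkPeerName) {
                return new SSLConnectionSocketFactory(sslContext);
            }
            return new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new IllegalStateException("Unable to setup https scheme for HTTPClient to test SSL.", e);
        }
    }

    /**
     * Skips the current test (via a {@code RandomizedTest} assumption) when the JVM name starts
     * with "OpenJDK" or "Java HotSpot(TM)" and its version matches the known-bad pattern.
     */
    public static void assumeSslIsSafeToTest() {
        final boolean openJdkFamily =
                Constants.JVM_NAME.startsWith("OpenJDK") || Constants.JVM_NAME.startsWith("Java HotSpot(TM)");
        if (openJdkFamily) {
            RandomizedTest.assumeFalse("Test (or randomization for this seed) wants to use SSL, but SSL is known to fail on your JVM: " + Constants.JVM_NAME + " / " + Constants.JVM_VERSION, isOpenJdkJvmVersionKnownToHaveProblems(Constants.JVM_VERSION));
        }
    }

    /**
     * Returns whether the whole of {@code str} matches the known-bad JVM version pattern.
     *
     * @param str JVM version string to test
     */
    static boolean isOpenJdkJvmVersionKnownToHaveProblems(String str) {
        return KNOWN_BAD_OPENJDK_JVMS.matcher(str).matches();
    }
}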
