package org.elasticsearch.xpack.core.ssl;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.http.HttpHost;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.nio.reactor.IOSession;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.CheckedSupplier;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.DiagnosticTrustManager;
import org.elasticsearch.common.ssl.SslDiagnostics;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
import org.elasticsearch.xpack.core.ml.process.writer.RecordWriter;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;
import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;
import org.elasticsearch.xpack.core.watcher.WatcherField;

/* loaded from: input_file:org/elasticsearch/xpack/core/ssl/SSLService.class */
/**
 * Builds and caches the JSSE objects ({@link SSLContext}, {@link SSLSocketFactory},
 * {@link SSLEngine}, {@link SSLIOSessionStrategy}) used by the plugin, one per distinct
 * {@link SSLConfiguration} loaded from the node settings.
 * <p>
 * Contexts live in {@link SSLContextHolder}s so that key and trust material can be rebuilt in
 * place ({@link SSLContextHolder#reload()}). Socket factories created here register a reload
 * listener; engines and I/O session strategies use whichever context is current when they are
 * created. Trust failures can optionally be wrapped in a {@link DiagnosticTrustManager}
 * ({@link #wrapWithDiagnostics}) so that the log explains why a peer was rejected.
 * <p>
 * This listing is decompiler output: identifiers such as {@code r4}, {@code $assertionsDisabled}
 * and {@code RecordWriter.CONTROL_FIELD_NAME} (which appears to stand for the inlined literal
 * {@code "."}) are artifacts of that process rather than names from the original source.
 */
public class SSLService {
    private static final Logger logger;
    private static final DeprecationLogger deprecationLogger;
    // Protocol name -> SSLContext algorithm name, most preferred first (populated in the static initialiser).
    private static final Map<String, String> ORDERED_PROTOCOL_ALGORITHM_MAP;
    private final Settings settings;
    // Whether trust managers get wrapped in DiagnosticTrustManager; see shouldEnableDiagnoseTrust().
    private final boolean diagnoseTrustExceptions;
    // Context name (e.g. "xpack.security.http.ssl", without trailing dot) -> parsed configuration.
    private final Map<String, SSLConfiguration> sslConfigurations;
    // Configuration -> reloadable context holder. Several names may map to one configuration,
    // so a holder can be shared (see the "(shared)" case in wrapWithDiagnostics()).
    private final Map<SSLConfiguration, SSLContextHolder> sslContexts;
    private final SetOnce<SSLConfiguration> transportSSLConfiguration;
    private final Environment env;
    // Decompiler artifact of the JVM's assert machinery; used in validateServerConfiguration().
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/core/ssl/SSLService$SSLContextHolder.class */
    /**
     * Mutable wrapper around one {@link SSLContext} built from one {@link SSLConfiguration}.
     * {@link #reload()} rebuilds the context from the stored key/trust configs and notifies
     * listeners; readers pick up the replacement through the volatile {@code context} field.
     * Deliberately a non-static inner class: it needs the enclosing service's
     * {@link Environment} and diagnostic wrapping.
     */
    public final class SSLContextHolder {
        private volatile SSLContext context;
        private final KeyConfig keyConfig;
        private final TrustConfig trustConfig;
        private final SSLConfiguration sslConfiguration;
        // NOTE(review): appended without synchronisation in addReloadListener() but iterated under
        // the holder lock in reload(); a registration racing a reload could throw
        // ConcurrentModificationException. Confirm that callers register before reloads can occur.
        private final List<Runnable> reloadListeners = new ArrayList();

        /**
         * @param sSLContext       the initial, already initialised context
         * @param sSLConfiguration the configuration it was built from; its key and trust
         *                         configs are kept so the context can be rebuilt later
         */
        SSLContextHolder(SSLContext sSLContext, SSLConfiguration sSLConfiguration) {
            this.context = sSLContext;
            this.sslConfiguration = sSLConfiguration;
            this.keyConfig = sSLConfiguration.keyConfig();
            this.trustConfig = sSLConfiguration.trustConfig();
        }

        /** Returns the current context; may change after a {@link #reload()}. */
        SSLContext sslContext() {
            return this.context;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Rebuilds the context and then runs every registered listener.
         * Existing client and server sessions are invalidated first, presumably so that session
         * resumption cannot carry state from the previous key/trust material into connections
         * made after the reload.
         */
        public synchronized void reload() {
            SSLService.invalidateSessions(this.context.getClientSessionContext());
            SSLService.invalidateSessions(this.context.getServerSessionContext());
            reloadSslContext();
            this.reloadListeners.forEach((v0) -> {
                v0.run();
            });
        }

        /**
         * Builds a fresh {@link SSLContext} from {@code keyConfig} and {@code trustConfig}.
         * The trust manager is wrapped with diagnostics by the enclosing service, and the
         * configured cipher list is re-checked against the new context (with logging disabled,
         * unlike the initial load). The new context is published last, after it is fully set up.
         *
         * @throws ElasticsearchException if the JSSE context cannot be created or initialised
         */
        private void reloadSslContext() {
            try {
                X509ExtendedKeyManager createKeyManager = this.keyConfig.createKeyManager(SSLService.this.env);
                X509ExtendedTrustManager wrapWithDiagnostics = SSLService.this.wrapWithDiagnostics(this.trustConfig.createTrustManager(SSLService.this.env), this.sslConfiguration);
                SSLContext sSLContext = SSLContext.getInstance(SSLService.sslContextAlgorithm(this.sslConfiguration.supportedProtocols()));
                // null SecureRandom: let the provider pick its default source of randomness.
                sSLContext.init(new X509ExtendedKeyManager[]{createKeyManager}, new X509ExtendedTrustManager[]{wrapWithDiagnostics}, null);
                // Validates that at least one configured cipher is usable; throws otherwise.
                SSLService.this.supportedCiphers(sSLContext.getSupportedSSLParameters().getCipherSuites(), this.sslConfiguration.cipherSuites(), false);
                this.context = sSLContext;
            } catch (GeneralSecurityException e) {
                throw new ElasticsearchException("failed to initialize the SSLContext", e, new Object[0]);
            }
        }

        /**
         * Registers a callback to run after each successful {@link #reload()}.
         *
         * @param runnable invoked on the reloading thread, under the holder lock
         */
        public void addReloadListener(Runnable runnable) {
            this.reloadListeners.add(runnable);
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/ssl/SSLService$SecuritySSLSocketFactory.class */
    /**
     * {@link SSLSocketFactory} that creates sockets through the factory of the current context
     * (re-fetched from {@code delegateSupplier} on {@link #reload()}) and applies the configured
     * protocols and cipher suites to every socket it hands out, so sockets use the configuration
     * rather than the delegate's defaults. Socket creation runs via
     * {@link SocketAccess#doPrivileged}.
     */
    private static class SecuritySSLSocketFactory extends SSLSocketFactory {
        private final Supplier<SSLSocketFactory> delegateSupplier;
        private final String[] supportedProtocols;
        private final String[] ciphers;
        private volatile SSLSocketFactory delegate;

        /**
         * @param supplier returns the socket factory of the current context; queried now and on reload
         * @param strArr   protocols to enable on each socket
         * @param strArr2  cipher suites to enable on each socket, in preference order
         */
        SecuritySSLSocketFactory(Supplier<SSLSocketFactory> supplier, String[] strArr, String[] strArr2) {
            this.delegateSupplier = supplier;
            this.delegate = this.delegateSupplier.get();
            this.supportedProtocols = strArr;
            this.ciphers = strArr2;
        }

        /** Returns the configured cipher suites, not the delegate's defaults. */
        @Override // javax.net.ssl.SSLSocketFactory
        public String[] getDefaultCipherSuites() {
            return this.ciphers;
        }

        /** Returns what the current delegate (i.e. the JVM provider) supports. */
        @Override // javax.net.ssl.SSLSocketFactory
        public String[] getSupportedCipherSuites() {
            return this.delegate.getSupportedCipherSuites();
        }

        /** Creates an unconnected socket with the configured protocols and ciphers applied. */
        @Override // javax.net.SocketFactory
        public Socket createSocket() throws IOException {
            // Read the volatile delegate once so creation and the null check see the same factory.
            SSLSocketFactory sSLSocketFactory = this.delegate;
            Objects.requireNonNull(sSLSocketFactory);
            SSLSocket createWithPermissions = createWithPermissions(sSLSocketFactory::createSocket);
            configureSSLSocket(createWithPermissions);
            return createWithPermissions;
        }

        /** Layers TLS over an existing connected socket; see {@link SSLSocketFactory#createSocket(Socket, String, int, boolean)}. */
        @Override // javax.net.ssl.SSLSocketFactory
        public Socket createSocket(Socket socket, String str, int i, boolean z) throws IOException {
            SSLSocket createWithPermissions = createWithPermissions(() -> {
                return this.delegate.createSocket(socket, str, i, z);
            });
            configureSSLSocket(createWithPermissions);
            return createWithPermissions;
        }

        /** Connects to {@code str}:{@code i} with the configured protocols and ciphers applied. */
        @Override // javax.net.SocketFactory
        public Socket createSocket(String str, int i) throws IOException {
            SSLSocket createWithPermissions = createWithPermissions(() -> {
                return this.delegate.createSocket(str, i);
            });
            configureSSLSocket(createWithPermissions);
            return createWithPermissions;
        }

        /** As {@link #createSocket(String, int)}, bound to a local address and port. */
        @Override // javax.net.SocketFactory
        public Socket createSocket(String str, int i, InetAddress inetAddress, int i2) throws IOException {
            SSLSocket createWithPermissions = createWithPermissions(() -> {
                return this.delegate.createSocket(str, i, inetAddress, i2);
            });
            configureSSLSocket(createWithPermissions);
            return createWithPermissions;
        }

        /** Connects to an address and port with the configured protocols and ciphers applied. */
        @Override // javax.net.SocketFactory
        public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
            SSLSocket createWithPermissions = createWithPermissions(() -> {
                return this.delegate.createSocket(inetAddress, i);
            });
            configureSSLSocket(createWithPermissions);
            return createWithPermissions;
        }

        /** As {@link #createSocket(InetAddress, int)}, bound to a local address and port. */
        @Override // javax.net.SocketFactory
        public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress2, int i2) throws IOException {
            SSLSocket createWithPermissions = createWithPermissions(() -> {
                return this.delegate.createSocket(inetAddress, i, inetAddress2, i2);
            });
            configureSSLSocket(createWithPermissions);
            return createWithPermissions;
        }

        /**
         * Swaps in the supplier's current factory. Sockets created earlier are not touched;
         * only sockets created from now on use the new context.
         */
        public void reload() {
            this.delegate = this.delegateSupplier.get();
        }

        /**
         * Pins the configured cipher suites and protocols on a freshly created socket.
         * {@code setUseCipherSuitesOrder(true)} makes the local (configured) cipher order the
         * one that is honoured, rather than the peer's preference.
         */
        private void configureSSLSocket(SSLSocket sSLSocket) {
            SSLParameters sSLParameters = new SSLParameters(this.ciphers, this.supportedProtocols);
            sSLParameters.setUseCipherSuitesOrder(true);
            sSLSocket.setSSLParameters(sSLParameters);
        }

        /**
         * Runs the socket-creating supplier with the plugin's socket permissions.
         * The cast is safe because every delegate is an {@link SSLSocketFactory}.
         */
        private static SSLSocket createWithPermissions(CheckedSupplier<Socket, IOException> checkedSupplier) throws IOException {
            return (SSLSocket) SocketAccess.doPrivileged(checkedSupplier);
        }
    }

    /** Convenience constructor using the environment's own settings. */
    public SSLService(Environment environment) {
        this(environment.settings(), environment);
    }

    /**
     * Creates a service that eagerly loads every SSL configuration found in {@code settings}
     * (see {@link #loadSSLConfigurations()}) and builds a context for each, so misconfigured
     * key/trust material fails at construction rather than at first use.
     *
     * @throws ElasticsearchSecurityException if any configuration fails to load
     */
    public SSLService(Settings settings, Environment environment) {
        this.transportSSLConfiguration = new SetOnce<>();
        this.settings = settings;
        this.env = environment;
        this.diagnoseTrustExceptions = shouldEnableDiagnoseTrust();
        this.sslConfigurations = new HashMap();
        // Overridable call from a constructor - relied upon by createDynamicSSLService(),
        // whose anonymous subclass returns an empty map here.
        this.sslContexts = loadSSLConfigurations();
    }

    /**
     * Constructor used by {@link #createDynamicSSLService()}: shares the already-loaded
     * configuration and context maps instead of loading anything.
     */
    private SSLService(Settings settings, Environment environment, Map<String, SSLConfiguration> map, Map<SSLConfiguration, SSLContextHolder> map2) {
        this.transportSSLConfiguration = new SetOnce<>();
        this.settings = settings;
        this.env = environment;
        this.diagnoseTrustExceptions = shouldEnableDiagnoseTrust();
        this.sslConfigurations = map;
        this.sslContexts = map2;
    }

    /**
     * Returns a view of this service that shares its loaded contexts but, for a configuration
     * that was not loaded at startup, builds a context on demand instead of throwing.
     * The on-demand holder is not stored in the shared map, so each such lookup rebuilds the
     * key and trust material and later lookups do not see it.
     */
    public SSLService createDynamicSSLService() {
        return new SSLService(this.settings, this.env, this.sslConfigurations, this.sslContexts) { // from class: org.elasticsearch.xpack.core.ssl.SSLService.1
            /** Nothing is loaded eagerly; the shared maps come from the enclosing service. */
            @Override // org.elasticsearch.xpack.core.ssl.SSLService
            Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
                return Collections.emptyMap();
            }

            /** Falls back to building a context when the shared map has no entry. */
            @Override // org.elasticsearch.xpack.core.ssl.SSLService
            SSLContextHolder sslContextHolder(SSLConfiguration sSLConfiguration) {
                SSLContextHolder sSLContextHolder = (SSLContextHolder) SSLService.this.sslContexts.get(sSLConfiguration);
                if (sSLContextHolder == null) {
                    sSLContextHolder = SSLService.this.createSslContext(sSLConfiguration);
                }
                return sSLContextHolder;
            }
        };
    }

    /**
     * @deprecated parse the settings once with {@link #sslConfiguration(Settings)} and use
     *             {@link #sslIOSessionStrategy(SSLConfiguration)}
     */
    @Deprecated
    public SSLIOSessionStrategy sslIOSessionStrategy(Settings settings) {
        return sslIOSessionStrategy(sslConfiguration(settings));
    }

    /**
     * Builds an Apache HttpAsyncClient TLS strategy for the given configuration: the context
     * current at call time, the configured protocols, the configured ciphers that this JVM
     * supports, and hostname verification unless the configuration's verification mode
     * disables it (in which case {@link NoopHostnameVerifier} accepts any host).
     *
     * @throws IllegalArgumentException if the configuration was not loaded, or no configured
     *                                  cipher is supported by the JVM
     */
    public SSLIOSessionStrategy sslIOSessionStrategy(SSLConfiguration sSLConfiguration) {
        SSLContext sslContext = sslContext(sSLConfiguration);
        return sslIOSessionStrategy(sslContext, (String[]) sSLConfiguration.supportedProtocols().toArray(Strings.EMPTY_ARRAY), supportedCiphers(sslParameters(sslContext).getCipherSuites(), sSLConfiguration.cipherSuites(), false), sSLConfiguration.verificationMode().isHostnameVerificationEnabled() ? SSLIOSessionStrategy.getDefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE);
    }

    /**
     * Returns the hostname verifier matching the configuration's verification mode: the
     * Apache default verifier, or {@link NoopHostnameVerifier} (accepts every host) when
     * hostname verification is disabled.
     */
    public static HostnameVerifier getHostnameVerifier(SSLConfiguration sSLConfiguration) {
        return sSLConfiguration.verificationMode().isHostnameVerificationEnabled() ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;
    }

    /** Package-private hook (overridable in tests) for reading a context's supported parameters. */
    SSLParameters sslParameters(SSLContext sSLContext) {
        return sSLContext.getSupportedSSLParameters();
    }

    /**
     * Creates the strategy with a custom {@code verifySession}: when {@code hostnameVerifier}
     * rejects the peer, the failure message names the expected host together with the
     * hostnames and subject the presented certificate is actually valid for, which makes
     * misconfigured certificates diagnosable from the log. The first peer certificate is the
     * end-entity certificate.
     */
    SSLIOSessionStrategy sslIOSessionStrategy(SSLContext sSLContext, String[] strArr, String[] strArr2, final HostnameVerifier hostnameVerifier) {
        return new SSLIOSessionStrategy(sSLContext, strArr, strArr2, hostnameVerifier) { // from class: org.elasticsearch.xpack.core.ssl.SSLService.2
            protected void verifySession(HttpHost httpHost, IOSession iOSession, SSLSession sSLSession) throws SSLException {
                if (hostnameVerifier.verify(httpHost.getHostName(), sSLSession)) {
                    return;
                }
                X509Certificate x509Certificate = (X509Certificate) sSLSession.getPeerCertificates()[0];
                throw new SSLPeerUnverifiedException(LoggerMessageFormat.format("Expected SSL certificate to be valid for host [{}], but it is only valid for subject alternative names [{}] and subject [{}]", new Object[]{httpHost.getHostName(), Strings.collectionToCommaDelimitedString(SslDiagnostics.describeValidHostnames(x509Certificate)), x509Certificate.getSubjectX500Principal().toString()}));
            }
        };
    }

    /**
     * Returns a socket factory bound to the configuration's context holder. The factory is
     * registered as a reload listener, so after a key/trust reload new sockets come from the
     * rebuilt context.
     *
     * @throws IllegalArgumentException if the configuration was not loaded, or no configured
     *                                  cipher is supported by the JVM
     */
    public SSLSocketFactory sslSocketFactory(SSLConfiguration sSLConfiguration) {
        SSLContextHolder sslContextHolder = sslContextHolder(sSLConfiguration);
        SecuritySSLSocketFactory securitySSLSocketFactory = new SecuritySSLSocketFactory(() -> {
            return sslContextHolder.sslContext().getSocketFactory();
        }, (String[]) sSLConfiguration.supportedProtocols().toArray(Strings.EMPTY_ARRAY), supportedCiphers(sslContextHolder.sslContext().getSocketFactory().getSupportedCipherSuites(), sSLConfiguration.cipherSuites(), false));
        Objects.requireNonNull(securitySSLSocketFactory);
        sslContextHolder.addReloadListener(securitySSLSocketFactory::reload);
        return securitySSLSocketFactory;
    }

    /**
     * Creates an {@link SSLEngine} for a peer, applying the configured ciphers (intersected
     * with what the JVM supports), protocols, local cipher-order preference and client
     * authentication mode.
     * <p>
     * Hostname verification is done through the "HTTPS" endpoint identification algorithm and
     * is enabled only when the verification mode requires it <em>and</em> {@code str} is
     * non-null. A caller that passes a null host therefore gets no hostname check even if the
     * configuration asks for one.
     *
     * @param sSLConfiguration the configuration whose context and parameters to use
     * @param str              peer host name, or null if unknown
     * @param i                peer port
     * @throws IllegalArgumentException if the configuration was not loaded, or no configured
     *                                  cipher is supported by the JVM
     */
    public SSLEngine createSSLEngine(SSLConfiguration sSLConfiguration, String str, int i) {
        SSLEngine createSSLEngine = sslContext(sSLConfiguration).createSSLEngine(str, i);
        SSLParameters sSLParameters = new SSLParameters(supportedCiphers(createSSLEngine.getSupportedCipherSuites(), sSLConfiguration.cipherSuites(), false), (String[]) sSLConfiguration.supportedProtocols().toArray(Strings.EMPTY_ARRAY));
        if (sSLConfiguration.verificationMode().isHostnameVerificationEnabled() && str != null) {
            sSLParameters.setEndpointIdentificationAlgorithm("HTTPS");
        }
        sSLParameters.setUseCipherSuitesOrder(true);
        sSLConfiguration.sslClientAuth().configure(sSLParameters);
        createSSLEngine.setSSLParameters(sSLParameters);
        return createSSLEngine;
    }

    /**
     * A server-side context must be able to present a certificate, so the configuration needs
     * a key configuration other than {@code KeyConfig.NONE}.
     *
     * @throws NullPointerException if {@code sSLConfiguration} is null
     */
    public boolean isConfigurationValidForServerUsage(SSLConfiguration sSLConfiguration) {
        Objects.requireNonNull(sSLConfiguration, "SSLConfiguration cannot be null");
        return sSLConfiguration.keyConfig() != KeyConfig.NONE;
    }

    /**
     * Whether the configuration requests (or requires) a client certificate.
     *
     * @throws NullPointerException if {@code sSLConfiguration} is null
     */
    public boolean isSSLClientAuthEnabled(SSLConfiguration sSLConfiguration) {
        Objects.requireNonNull(sSLConfiguration, "SSLConfiguration cannot be null");
        return sSLConfiguration.sslClientAuth().enabled();
    }

    /**
     * Returns the context currently held for the configuration. Note that this is a snapshot:
     * a later reload replaces the holder's context but not a context already handed out.
     *
     * @throws IllegalArgumentException if the configuration was not loaded
     */
    public SSLContext sslContext(SSLConfiguration sSLConfiguration) {
        return sslContextHolder(sSLConfiguration).sslContext();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up the holder for a loaded configuration.
     *
     * @throws NullPointerException     if {@code sSLConfiguration} is null
     * @throws IllegalArgumentException if no context was loaded for it (the dynamic service
     *                                  from {@link #createDynamicSSLService()} builds one instead)
     */
    public SSLContextHolder sslContextHolder(SSLConfiguration sSLConfiguration) {
        Objects.requireNonNull(sSLConfiguration, "SSL Configuration cannot be null");
        SSLContextHolder sSLContextHolder = this.sslContexts.get(sSLConfiguration);
        if (sSLContextHolder == null) {
            throw new IllegalArgumentException("did not find an SSLContext for [" + sSLConfiguration.toString() + "]");
        }
        return sSLContextHolder;
    }

    /** Parses a (prefix-stripped) settings group into a configuration; nothing is cached. */
    public SSLConfiguration sslConfiguration(Settings settings) {
        return new SSLConfiguration(settings);
    }

    /** Names of the loaded contexts that belong to transport profiles ("transport.profiles.*"). */
    public Set<String> getTransportProfileContextNames() {
        return Collections.unmodifiableSet((Set) this.sslConfigurations.keySet().stream().filter(str -> {
            return str.startsWith("transport.profiles.");
        }).collect(Collectors.toSet()));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Snapshot of every distinct configuration that has a context; safe to iterate while loading. */
    public Collection<SSLConfiguration> getLoadedSSLConfigurations() {
        return Collections.unmodifiableSet(new HashSet(this.sslContexts.keySet()));
    }

    /**
     * Intersects the requested cipher suites with those the JVM supports, preserving the
     * requested order (which is what {@code setUseCipherSuitesOrder(true)} later honours).
     *
     * @param strArr cipher suites supported by the JVM / context
     * @param list   cipher suites requested by the configuration, in preference order
     * @param z      if true, log unsupported requested suites at error level (done once at
     *               initial load; reloads pass false to avoid repeating the message)
     * @return the requested suites that are supported, in requested order; never empty
     * @throws IllegalArgumentException if none of the requested suites is supported
     */
    String[] supportedCiphers(String[] strArr, List<String> list, boolean z) {
        ArrayList arrayList = new ArrayList(list.size());
        LinkedList linkedList = new LinkedList();
        for (String str : list) {
            boolean z2 = false;
            int length = strArr.length;
            int i = 0;
            // Linear scan of the supported array; exits at the first match.
            while (true) {
                if (i >= length) {
                    break;
                }
                if (strArr[i].equals(str)) {
                    z2 = true;
                    arrayList.add(str);
                    break;
                }
                i++;
            }
            if (!z2) {
                linkedList.add(str);
            }
        }
        if (arrayList.isEmpty()) {
            throw new IllegalArgumentException("none of the ciphers " + Arrays.toString(list.toArray()) + " are supported by this JVM");
        }
        if (z && !linkedList.isEmpty()) {
            logger.error("unsupported ciphers [{}] were requested but cannot be used in this JVM, however there are supported ciphers that will be used [{}]. If you are trying to use ciphers with a key length greater than 128 bits on an Oracle JVM, you will need to install the unlimited strength JCE policy files.", linkedList, arrayList);
        }
        return (String[]) arrayList.toArray(new String[arrayList.size()]);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Builds the key and trust managers for a configuration from the node environment and
     * wraps them in a new holder. The debug line logs the configuration object itself.
     */
    public SSLContextHolder createSslContext(SSLConfiguration sSLConfiguration) {
        if (logger.isDebugEnabled()) {
            logger.debug("using ssl settings [{}]", sSLConfiguration);
        }
        return createSslContext(sSLConfiguration.keyConfig().createKeyManager(this.env), sSLConfiguration.trustConfig().createTrustManager(this.env), sSLConfiguration);
    }

    /**
     * Initialises an {@link SSLContext} for the configuration's preferred protocol with the
     * given managers (trust manager wrapped with diagnostics when enabled) and checks the
     * cipher list against it, logging any unsupported ciphers once.
     *
     * @throws ElasticsearchException   if the context cannot be created or initialised
     * @throws IllegalArgumentException if no protocol or no cipher is usable
     */
    private SSLContextHolder createSslContext(X509ExtendedKeyManager x509ExtendedKeyManager, X509ExtendedTrustManager x509ExtendedTrustManager, SSLConfiguration sSLConfiguration) {
        X509ExtendedTrustManager wrapWithDiagnostics = wrapWithDiagnostics(x509ExtendedTrustManager, sSLConfiguration);
        try {
            SSLContext sSLContext = SSLContext.getInstance(sslContextAlgorithm(sSLConfiguration.supportedProtocols()));
            // null SecureRandom: let the provider pick its default source of randomness.
            sSLContext.init(new X509ExtendedKeyManager[]{x509ExtendedKeyManager}, new X509ExtendedTrustManager[]{wrapWithDiagnostics}, null);
            supportedCiphers(sSLContext.getSupportedSSLParameters().getCipherSuites(), sSLConfiguration.cipherSuites(), true);
            return new SSLContextHolder(sSLContext, sSLConfiguration);
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new ElasticsearchException("failed to initialize the SSLContext", e, new Object[0]);
        }
    }

    /**
     * Wraps a trust manager in a {@link DiagnosticTrustManager} so that trust failures are
     * logged with an explanation, unless diagnostics are disabled or the manager is already
     * wrapped. The supplier maps the configuration back to a context name for the message:
     * "(unknown)" when no loaded name uses it, the name when exactly one does, "(shared)" when
     * several do ({@code limit(2)} stops the scan once sharing is established).
     */
    X509ExtendedTrustManager wrapWithDiagnostics(X509ExtendedTrustManager x509ExtendedTrustManager, SSLConfiguration sSLConfiguration) {
        if (this.diagnoseTrustExceptions && !(x509ExtendedTrustManager instanceof DiagnosticTrustManager)) {
            Logger logger2 = LogManager.getLogger(DiagnosticTrustManager.class);
            Supplier supplier = () -> {
                List list = (List) this.sslConfigurations.entrySet().stream().filter(entry -> {
                    return ((SSLConfiguration) entry.getValue()).equals(sSLConfiguration);
                }).limit(2L).map((v0) -> {
                    return v0.getKey();
                }).collect(Collectors.toList());
                switch (list.size()) {
                    case 0:
                        return "(unknown)";
                    case 1:
                        return (String) list.get(0);
                    default:
                        return "(shared)";
                }
            };
            // Decompiler artifact: the requireNonNull plus the "r4" lambda below are how javac
            // compiles a bound method reference; this almost certainly reads logger2::warn in source.
            Objects.requireNonNull(logger2);
            x509ExtendedTrustManager = new DiagnosticTrustManager(x509ExtendedTrustManager, supplier, (v1, v2) -> {
                r4.warn(v1, v2);
            });
        }
        return x509ExtendedTrustManager;
    }

    /**
     * Discovers every SSL settings group in the node settings and builds a context for each:
     * HTTP, {@code xpack.http.ssl}, realms, monitoring exporters and Watcher e-mail first, then
     * the transport configuration (also recorded in {@code transportSSLConfiguration}), then the
     * transport profiles. Finally the two server-side contexts are validated, which only emits
     * deprecation warnings and never fails the load.
     *
     * @return unmodifiable configuration -> holder map; configurations shared by several names
     *         get a single holder via {@code computeIfAbsent} in {@link #loadConfiguration}
     */
    Map<SSLConfiguration, SSLContextHolder> loadSSLConfigurations() {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        hashMap2.put(XPackSettings.HTTP_SSL_PREFIX, getHttpTransportSSLSettings(this.settings));
        hashMap2.put("xpack.http.ssl", this.settings.getByPrefix("xpack.http.ssl."));
        hashMap2.putAll(getRealmsSSLSettings(this.settings));
        hashMap2.putAll(getMonitoringExporterSettings(this.settings));
        hashMap2.put(WatcherField.EMAIL_NOTIFICATION_SSL_PREFIX, this.settings.getByPrefix(WatcherField.EMAIL_NOTIFICATION_SSL_PREFIX));
        hashMap2.forEach((str, settings) -> {
            loadConfiguration(str, settings, hashMap);
        });
        this.transportSSLConfiguration.set(loadConfiguration(XPackSettings.TRANSPORT_SSL_PREFIX, this.settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX), hashMap));
        getTransportProfileSSLSettings(this.settings).forEach((str2, settings2) -> {
            loadConfiguration(str2, settings2, hashMap);
        });
        Iterator it = Arrays.asList("xpack.security.transport.ssl", "xpack.security.http.ssl").iterator();
        while (it.hasNext()) {
            validateServerConfiguration((String) it.next());
        }
        return Collections.unmodifiableMap(hashMap);
    }

    /**
     * Parses one settings group, records it under its (trailing-dot-stripped) context name and
     * ensures {@code map} holds a context for it, reusing an existing holder when another name
     * maps to an equal configuration.
     *
     * @throws ElasticsearchSecurityException wrapping any failure; the message names the
     *                                        context, not the setting values
     */
    private SSLConfiguration loadConfiguration(String str, Settings settings, Map<SSLConfiguration, SSLContextHolder> map) {
        // Strip a trailing "." so prefix-style and name-style keys resolve to the same entry.
        if (str.endsWith(RecordWriter.CONTROL_FIELD_NAME)) {
            str = str.substring(0, str.length() - 1);
        }
        try {
            SSLConfiguration sSLConfiguration = new SSLConfiguration(settings);
            storeSslConfiguration(str, sSLConfiguration);
            map.computeIfAbsent(sSLConfiguration, this::createSslContext);
            return sSLConfiguration;
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("failed to load SSL configuration [{}]", e, new Object[]{str});
        }
    }

    /**
     * Sanity-checks a server-side context ({@code <str>} must end in ".ssl"):
     * <ul>
     *   <li>if {@code <str>.enabled} is true but the configuration has no key material, a
     *       deprecation warning names the settings that must be provided;</li>
     *   <li>if {@code <str>.enabled} is absent but other settings under {@code <str>} exist, a
     *       deprecation warning lists them.</li>
     * </ul>
     * Both cases are warnings only in this version; the configuration is still loaded.
     */
    private void validateServerConfiguration(String str) {
        // Decompiled form of: assert str.endsWith(".ssl");
        if (!$assertionsDisabled && !str.endsWith(".ssl")) {
            throw new AssertionError();
        }
        SSLConfiguration sSLConfiguration = getSSLConfiguration(str);
        String str2 = str + ".enabled";
        if (this.settings.getAsBoolean(str2, false).booleanValue()) {
            SSLConfigurationSettings withPrefix = SSLConfigurationSettings.withPrefix(str + RecordWriter.CONTROL_FIELD_NAME);
            if (isConfigurationValidForServerUsage(sSLConfiguration)) {
                return;
            }
            deprecationLogger.deprecated("invalid SSL configuration for " + str + " - server ssl configuration requires a key and certificate, but these have not been configured; you must set either [" + withPrefix.x509KeyPair.keystorePath.getKey() + "], or both [" + withPrefix.x509KeyPair.keyPath.getKey() + "] and [" + withPrefix.x509KeyPair.certificatePath.getKey() + "]", new Object[0]);
            return;
        }
        // enabled=false was set explicitly: nothing to warn about.
        if (this.settings.hasValue(str2)) {
            return;
        }
        List list = (List) this.settings.keySet().stream().filter(str3 -> {
            return str3.startsWith(str);
        }).sorted().collect(Collectors.toList());
        if (list.isEmpty()) {
            return;
        }
        deprecationLogger.deprecated("invalid configuration for " + str + " - [" + str2 + "] is not set, but the following settings have been configured in elasticsearch.yml : [" + Strings.collectionToCommaDelimitedString(list) + "]", new Object[0]);
    }

    /** Records a configuration under its context name, stripping a trailing "." first. */
    private void storeSslConfiguration(String str, SSLConfiguration sSLConfiguration) {
        if (str.endsWith(RecordWriter.CONTROL_FIELD_NAME)) {
            str = str.substring(0, str.length() - 1);
        }
        this.sslConfigurations.put(str, sSLConfiguration);
    }

    /**
     * Union of the certificates defined by every loaded configuration (used for reporting the
     * node's certificate inventory).
     *
     * @throws GeneralSecurityException if a key or trust store cannot be read
     * @throws IOException              if a certificate file cannot be read
     */
    public Set<CertificateInfo> getLoadedCertificates() throws GeneralSecurityException, IOException {
        HashSet hashSet = new HashSet();
        Iterator<SSLConfiguration> it = getLoadedSSLConfigurations().iterator();
        while (it.hasNext()) {
            hashSet.addAll(it.next().getDefinedCertificates(this.env));
        }
        return hashSet;
    }

    /**
     * Invalidates every cached session in the context so it cannot be resumed.
     * {@code getSession} can return null for an id that expired or was evicted between the
     * id enumeration and the lookup, hence the null check.
     */
    static void invalidateSessions(SSLSessionContext sSLSessionContext) {
        Enumeration<byte[]> ids = sSLSessionContext.getIds();
        while (ids.hasMoreElements()) {
            SSLSession session = sSLSessionContext.getSession(ids.nextElement());
            if (session != null) {
                session.invalidate();
            }
        }
    }

    /**
     * Collects the SSL settings of every configured realm, keyed as
     * {@code RealmSettings.PREFIX + type + "." + name + ".ssl"}. A realm-type group that
     * contains a key without a "." (46 is {@code '.'}) is not in the expected
     * {@code <name>.<setting>} shape and is skipped with a warning instead of being
     * mis-parsed.
     */
    private static Map<String, Settings> getRealmsSSLSettings(Settings settings) {
        HashMap hashMap = new HashMap();
        settings.getGroups(RealmSettings.PREFIX).forEach((str, settings2) -> {
            Optional findAny = settings2.keySet().stream().filter(str -> {
                return str.indexOf(46) == -1;
            }).findAny();
            if (findAny.isPresent()) {
                logger.warn("Skipping any SSL configuration from realm [{}{}] because the key [{}] is not in the correct format", RealmSettings.PREFIX, str, findAny.get());
            } else {
                settings2.getAsGroups().forEach((str2, settings2) -> {
                    hashMap.put(RealmSettings.PREFIX + str + RecordWriter.CONTROL_FIELD_NAME + str2 + ".ssl", settings2.getByPrefix(SamlRealmSettings.SSL_PREFIX));
                });
            }
        });
        return hashMap;
    }

    /**
     * Collects the {@code xpack.security.ssl.*} settings of every transport profile, keyed as
     * {@code "transport.profiles.<name>.xpack.security.ssl"}.
     */
    private static Map<String, Settings> getTransportProfileSSLSettings(Settings settings) {
        HashMap hashMap = new HashMap();
        for (Map.Entry entry : settings.getGroups("transport.profiles.", true).entrySet()) {
            hashMap.put("transport.profiles." + ((String) entry.getKey()) + ".xpack.security.ssl", ((Settings) entry.getValue()).getByPrefix("xpack.security.ssl."));
        }
        return hashMap;
    }

    /**
     * Returns the HTTP SSL settings, defaulting {@code client_authentication} to
     * {@code XPackSettings.HTTP_CLIENT_AUTH_DEFAULT} when any HTTP SSL setting is present but
     * that one is not. An entirely empty group is returned as-is so that no default is
     * injected for a node without HTTP TLS settings.
     */
    private Settings getHttpTransportSSLSettings(Settings settings) {
        Settings byPrefix = settings.getByPrefix(XPackSettings.HTTP_SSL_PREFIX);
        if (byPrefix.isEmpty()) {
            return byPrefix;
        }
        Settings.Builder put = Settings.builder().put(byPrefix);
        if (put.get("client_authentication") == null) {
            put.put("client_authentication", XPackSettings.HTTP_CLIENT_AUTH_DEFAULT);
        }
        return put.build();
    }

    /** The loaded HTTP configuration, or null (with a warning) if it was not loaded. */
    public SSLConfiguration getHttpTransportSSLConfiguration() {
        return getSSLConfiguration(XPackSettings.HTTP_SSL_PREFIX);
    }

    /**
     * Collects the SSL settings of every monitoring exporter, keyed as
     * {@code "xpack.monitoring.exporters.<name>.ssl"}.
     */
    private static Map<String, Settings> getMonitoringExporterSettings(Settings settings) {
        HashMap hashMap = new HashMap();
        for (Map.Entry entry : settings.getGroups("xpack.monitoring.exporters.").entrySet()) {
            hashMap.put("xpack.monitoring.exporters." + ((String) entry.getKey()) + ".ssl", ((Settings) entry.getValue()).getByPrefix(SamlRealmSettings.SSL_PREFIX));
        }
        return hashMap;
    }

    /**
     * Looks up a configuration by context name (a trailing "." is tolerated).
     *
     * @return the configuration, or null if the name is unknown; callers must null-check.
     *         The warning lists the known names to make typos in the requested name visible.
     */
    public SSLConfiguration getSSLConfiguration(String str) {
        if (str.endsWith(RecordWriter.CONTROL_FIELD_NAME)) {
            str = str.substring(0, str.length() - 1);
        }
        SSLConfiguration sSLConfiguration = this.sslConfigurations.get(str);
        if (sSLConfiguration == null) {
            logger.warn("Cannot find SSL configuration for context {}. Known contexts are: {}", str, Strings.collectionToCommaDelimitedString(this.sslConfigurations.keySet()));
        }
        return sSLConfiguration;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Picks the {@link SSLContext} algorithm for a configured protocol list: the first entry of
     * {@code ORDERED_PROTOCOL_ALGORITHM_MAP} (most preferred protocol first) that appears in the
     * list decides. Note that "SSLv2" and "SSLv2Hello" resolve to the generic "SSL" algorithm.
     *
     * @throws IllegalArgumentException if the list is empty or contains no recognised protocol
     */
    public static String sslContextAlgorithm(List<String> list) {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("no SSL/TLS protocols have been configured");
        }
        for (Map.Entry<String, String> entry : ORDERED_PROTOCOL_ALGORITHM_MAP.entrySet()) {
            if (list.contains(entry.getKey())) {
                return entry.getValue();
            }
        }
        throw new IllegalArgumentException("no supported SSL/TLS protocol was found in the configured supported protocols: " + list);
    }

    /**
     * Trust diagnostics follow {@code XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING}, except
     * that in FIPS 140 mode they are off unless the setting was set explicitly (logged at info
     * so the absence of diagnostic messages is explainable).
     */
    private boolean shouldEnableDiagnoseTrust() {
        if (!((Boolean) XPackSettings.FIPS_MODE_ENABLED.get(this.settings)).booleanValue() || XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.exists(this.settings)) {
            return ((Boolean) XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING.get(this.settings)).booleanValue();
        }
        logger.info("diagnostic messages for SSL/TLS trust failures are not enabled in FIPS 140 mode by default.");
        return false;
    }

    static {
        $assertionsDisabled = !SSLService.class.desiredAssertionStatus();
        logger = LogManager.getLogger(SSLService.class);
        deprecationLogger = new DeprecationLogger(logger);
        // Insertion order is the preference order used by sslContextAlgorithm(): TLSv1.3 is
        // only offered when the build's default protocol list includes it.
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        if (XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS.contains("TLSv1.3")) {
            linkedHashMap.put("TLSv1.3", "TLSv1.3");
        }
        linkedHashMap.put("TLSv1.2", "TLSv1.2");
        linkedHashMap.put("TLSv1.1", "TLSv1.1");
        linkedHashMap.put("TLSv1", "TLSv1");
        linkedHashMap.put("SSLv3", "SSLv3");
        linkedHashMap.put("SSLv2", "SSL");
        linkedHashMap.put("SSLv2Hello", "SSL");
        ORDERED_PROTOCOL_ALGORITHM_MAP = Collections.unmodifiableMap(linkedHashMap);
    }
}
