package com.unboundid.util.ssl;

import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPRuntimeException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.Version;
import com.unboundid.util.CommandLineTool;
import com.unboundid.util.CryptoHelper;
import com.unboundid.util.Debug;
import com.unboundid.util.NotMutable;
import com.unboundid.util.NotNull;
import com.unboundid.util.Nullable;
import com.unboundid.util.ObjectPair;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;
import com.unboundid.util.args.ArgumentException;
import com.unboundid.util.args.ArgumentParser;
import java.io.OutputStream;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import java.util.SortedSet;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;

@ThreadSafety(level = ThreadSafetyLevel.COMPLETELY_THREADSAFE)
@NotMutable
/* loaded from: input_file:ingrid-ibus-7.1.0-RC1/lib/unboundid-ldapsdk-6.0.10.jar:com/unboundid/util/ssl/TLSCipherSuiteSelector.class */
public final class TLSCipherSuiteSelector extends CommandLineTool {

    /**
     * Cached selector backing the static accessors. It is populated lazily by
     * {@code getStaticInstance()} and reset to {@code null} by
     * {@code recompute()}.
     */
    @NotNull
    private static final AtomicReference<TLSCipherSuiteSelector> STATIC_INSTANCE = new AtomicReference<>();

    /**
     * Name of the system property read by the static initializer to seed the
     * "allow RSA key exchange" flag. Only the value "true" (compared without
     * regard to case) enables it. When enabled, suites whose normalized name
     * starts with "TLS_RSA_" are no longer rejected for their key exchange.
     * NOTE(review): RSA key exchange provides no forward secrecy, so this
     * property should be set only as a deliberate compatibility decision.
     */
    @NotNull
    public static final String PROPERTY_ALLOW_RSA_KEY_EXCHANGE = TLSCipherSuiteSelector.class.getName() + ".allowRSAKeyExchange";

    /**
     * Name of the system property read by the static initializer to seed the
     * "allow SHA-1" flag. Only the value "true" (compared without regard to
     * case) enables it. When enabled, suites whose normalized name ends with
     * "_SHA" are no longer rejected for their digest.
     */
    @NotNull
    public static final String PROPERTY_ALLOW_SHA_1 = TLSCipherSuiteSelector.class.getName() + ".allowSHA1";

    /**
     * Name of the system property read by the static initializer to seed the
     * "allow SSL_ prefix" flag. When the property is not set, the flag defaults
     * to {@code true} only if the "java.vendor" or "java.vm.vendor" system
     * property contains "IBM" (presumably because such JVMs report TLS suites
     * under SSL_-prefixed names -- confirm).
     */
    @NotNull
    public static final String PROPERTY_ALLOW_SSL_PREFIX = TLSCipherSuiteSelector.class.getName() + ".allowSSLPrefix";

    // The three flags below are JVM-wide: they start out false, are overwritten
    // by the static initializer, and can be changed at runtime through the
    // corresponding static setters.
    @NotNull
    private static final AtomicBoolean ALLOW_RSA_KEY_EXCHANGE = new AtomicBoolean(false);

    @NotNull
    private static final AtomicBoolean ALLOW_SHA_1 = new AtomicBoolean(false);

    @NotNull
    private static final AtomicBoolean ALLOW_SSL_PREFIX = new AtomicBoolean(false);
    // True when the "javax.net.debug" system property, lower-cased, contains
    // "all" or "ssl" at construction time.
    private final boolean jvmSSLDebuggingEnabled;

    // Maps each rejected suite name to the unmodifiable list of reasons for
    // which it was rejected.
    @NotNull
    private final SortedMap<String, List<String>> nonRecommendedCipherSuites;

    // Suites from the SSLContext's default SSL parameters.
    @NotNull
    private final SortedSet<String> defaultCipherSuites;

    // Suites that passed selection, or the JVM defaults when selection was
    // skipped or produced nothing (see the three-argument constructor).
    @NotNull
    private final SortedSet<String> recommendedCipherSuites;

    // Suites from the SSLContext's supported SSL parameters.
    @NotNull
    private final SortedSet<String> supportedCipherSuites;

    // Array snapshot of recommendedCipherSuites; the static accessor hands out
    // copies of it rather than the array itself.
    @NotNull
    private final String[] recommendedCipherSuiteArray;

    /**
     * Command-line entry point. Runs the tool against {@code System.out} and
     * {@code System.err} and terminates the JVM with the result code's integer
     * value when the run does not succeed.
     *
     * @param  strArr  The command-line arguments.
     */
    public static void main(@NotNull String... strArr) {
        final ResultCode resultCode = main(System.out, System.err, strArr);
        if (resultCode == ResultCode.SUCCESS) {
            // Return normally on success so the JVM is not forced to exit.
            return;
        }
        System.exit(resultCode.intValue());
    }

    /**
     * Runs the tool with the given streams and arguments without exiting the
     * JVM.
     *
     * @param  outputStream   The first stream handed to the tool;
     *                        {@code main(String...)} passes {@code System.out}.
     * @param  outputStream2  The second stream handed to the tool;
     *                        {@code main(String...)} passes {@code System.err}.
     * @param  strArr         The command-line arguments.
     *
     * @return  The result code produced by {@code runTool}.
     */
    @NotNull
    public static ResultCode main(@Nullable OutputStream outputStream, @Nullable OutputStream outputStream2, @NotNull String... strArr) {
        final TLSCipherSuiteSelector tool = new TLSCipherSuiteSelector(outputStream, outputStream2);
        return tool.runTool(strArr);
    }

    /**
     * Creates a selector with no output streams.
     *
     * @param  z  Forwarded unchanged to the three-argument constructor, where
     *            {@code true} selects the JVM-default SSLContext and skips
     *            cipher suite filtering.
     */
    private TLSCipherSuiteSelector(boolean z) {
        this(null, null, z);
    }

    /**
     * Creates a selector that filters the supported cipher suites (the
     * three-argument constructor is invoked with {@code false}).
     *
     * @param  outputStream   The first stream handed to the superclass.
     * @param  outputStream2  The second stream handed to the superclass.
     */
    public TLSCipherSuiteSelector(@Nullable OutputStream outputStream, @Nullable OutputStream outputStream2) {
        this(outputStream, outputStream2, false);
    }

    /**
     * Creates a selector and computes the supported, JVM-default, recommended
     * and non-recommended cipher suite collections.
     * <p>
     * Security-relevant behavior visible here:
     * <ul>
     *   <li>When {@code z} is {@code true}, or when filtering leaves no
     *       recommended suite at all, the JVM-default suites are used as the
     *       recommended set without any filtering and the non-recommended map
     *       is empty. In that fallback the recommended set can contain suites
     *       the filter would have rejected.</li>
     *   <li>When the "javax.net.debug" system property, lower-cased, contains
     *       the substring "all" or "ssl", the full report is written to
     *       {@code System.err} during construction.</li>
     * </ul>
     *
     * @param  outputStream   The first stream handed to the superclass.
     * @param  outputStream2  The second stream handed to the superclass.
     * @param  z              {@code true} to use {@code SSLContext.getDefault()}
     *                        and skip filtering; {@code false} to use
     *                        {@code CryptoHelper.getDefaultSSLContext()} and
     *                        filter the supported suites.
     *
     * @throws  LDAPRuntimeException  If any exception is raised while the
     *                                collections are being computed; the
     *                                original exception is kept as the cause of
     *                                the wrapped {@code LDAPException}.
     */
    public TLSCipherSuiteSelector(@Nullable OutputStream outputStream, @Nullable OutputStream outputStream2, boolean z) {
        super(outputStream, outputStream2);
        try {
            SSLContext sSLContext = z ? SSLContext.getDefault() : CryptoHelper.getDefaultSSLContext();
            // Everything the JVM can negotiate, ordered by the suite comparator.
            SSLParameters supportedSSLParameters = sSLContext.getSupportedSSLParameters();
            TreeSet treeSet = new TreeSet(TLSCipherSuiteComparator.getInstance());
            treeSet.addAll(Arrays.asList(supportedSSLParameters.getCipherSuites()));
            this.supportedCipherSuites = Collections.unmodifiableSortedSet(treeSet);
            // What the JVM enables by default, ordered the same way.
            SSLParameters defaultSSLParameters = sSLContext.getDefaultSSLParameters();
            TreeSet treeSet2 = new TreeSet(TLSCipherSuiteComparator.getInstance());
            treeSet2.addAll(Arrays.asList(defaultSSLParameters.getCipherSuites()));
            this.defaultCipherSuites = Collections.unmodifiableSortedSet(treeSet2);
            if (z) {
                // JVM defaults requested: no filtering, nothing is reported as rejected.
                this.recommendedCipherSuites = this.defaultCipherSuites;
                this.nonRecommendedCipherSuites = Collections.unmodifiableSortedMap(new TreeMap());
            } else {
                ObjectPair<SortedSet<String>, SortedMap<String, List<String>>> selectCipherSuites = selectCipherSuites(supportedSSLParameters.getCipherSuites());
                if (selectCipherSuites.getFirst().isEmpty()) {
                    // Filtering rejected every suite: fall back to the unfiltered
                    // JVM defaults rather than ending up with no suites at all.
                    this.recommendedCipherSuites = this.defaultCipherSuites;
                    this.nonRecommendedCipherSuites = Collections.unmodifiableSortedMap(new TreeMap());
                } else {
                    this.recommendedCipherSuites = Collections.unmodifiableSortedSet(selectCipherSuites.getFirst());
                    this.nonRecommendedCipherSuites = Collections.unmodifiableSortedMap(selectCipherSuites.getSecond());
                }
            }
            this.recommendedCipherSuiteArray = (String[]) this.recommendedCipherSuites.toArray(StaticUtils.NO_STRINGS);
            String systemProperty = StaticUtils.getSystemProperty("javax.net.debug");
            if (systemProperty == null) {
                this.jvmSSLDebuggingEnabled = false;
                return;
            }
            String lowerCase = StaticUtils.toLowerCase(systemProperty);
            // Substring match: any value containing "all" or "ssl" turns this on.
            this.jvmSSLDebuggingEnabled = lowerCase.contains("all") || lowerCase.contains("ssl");
            if (this.jvmSSLDebuggingEnabled) {
                // Dump the computed sets to stderr alongside the JVM's own TLS debug output.
                System.err.println();
                System.err.println(getClass().getName() + " Results:");
                generateOutput(System.err);
                System.err.println();
            }
        } catch (Exception e) {
            Debug.debugException(e);
            throw new LDAPRuntimeException(new LDAPException(ResultCode.LOCAL_ERROR, SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_INIT_ERROR.get(StaticUtils.getExceptionMessage(e)), e));
        }
    }

    /**
     * Returns the cipher suites supported by the JVM, as held by the shared
     * selector instance.
     *
     * @return  The unmodifiable sorted set of supported suite names.
     */
    @NotNull
    public static SortedSet<String> getSupportedCipherSuites() {
        final TLSCipherSuiteSelector selector = getStaticInstance();
        return selector.supportedCipherSuites;
    }

    /**
     * Returns the cipher suites the JVM enables by default, as held by the
     * shared selector instance.
     *
     * @return  The unmodifiable sorted set of JVM-default suite names.
     */
    @NotNull
    public static SortedSet<String> getDefaultCipherSuites() {
        final TLSCipherSuiteSelector selector = getStaticInstance();
        return selector.defaultCipherSuites;
    }

    /**
     * Returns the recommended cipher suites held by the shared selector
     * instance. The result reflects the JVM-wide allow flags in effect when
     * that instance was built.
     *
     * @return  The unmodifiable sorted set of recommended suite names.
     */
    @NotNull
    public static SortedSet<String> getRecommendedCipherSuites() {
        final TLSCipherSuiteSelector selector = getStaticInstance();
        return selector.recommendedCipherSuites;
    }

    /**
     * Returns the recommended cipher suites as an array.
     *
     * @return  A fresh copy of the shared array, so that a caller modifying the
     *          result cannot alter the suites handed to other callers.
     */
    @NotNull
    public static String[] getRecommendedCipherSuiteArray() {
        final String[] shared = getStaticInstance().recommendedCipherSuiteArray;
        return Arrays.copyOf(shared, shared.length);
    }

    /**
     * Returns the supported cipher suites that were rejected, as held by the
     * shared selector instance.
     *
     * @return  The unmodifiable sorted map from each rejected suite name to the
     *          list of reasons for its rejection.
     */
    @NotNull
    public static SortedMap<String, List<String>> getNonRecommendedCipherSuites() {
        final TLSCipherSuiteSelector selector = getStaticInstance();
        return selector.nonRecommendedCipherSuites;
    }

    /**
     * Classifies the given cipher suite names using the current JVM-wide
     * "allow SSL_ prefix" flag.
     *
     * @param  strArr  The suite names to classify.
     *
     * @return  A pair holding the recommended suites and a map from each
     *          non-recommended suite to its list of reasons.
     */
    @NotNull
    static ObjectPair<SortedSet<String>, SortedMap<String, List<String>>> selectCipherSuites(@NotNull String[] strArr) {
        final boolean allowSSLPrefix = ALLOW_SSL_PREFIX.get();
        return selectCipherSuites(strArr, allowSSLPrefix);
    }

    /**
     * Sorts the given cipher suite names into recommended and non-recommended
     * suites, recording a reason for every rejection.
     * <p>
     * Classification is purely name based. Each name is upper-cased and has '-'
     * replaced with '_' before matching, while the returned set and map are
     * keyed by the name exactly as supplied. Names ending in "_SCSV" are always
     * placed in the recommended set. Every other name is checked for its
     * protocol prefix, key exchange, PSK / NULL / anonymous / export markers,
     * bulk cipher and digest, and is recommended only when no check adds a
     * reason.
     * <p>
     * RSA key exchange and SHA-1 digests are flagged unless the corresponding
     * JVM-wide allow flag is set, so enabling either flag widens the
     * recommended set.
     *
     * @param  cipherSuiteNames  The suite names to classify.
     * @param  allowSSLPrefix    Whether names starting with "SSL_" are treated
     *                           as if they started with "TLS_" instead of being
     *                           rejected as legacy.
     *
     * @return  A pair holding the recommended suites and a map from each
     *          non-recommended suite to its unmodifiable list of reasons.
     */
    @NotNull
    private static ObjectPair<SortedSet<String>, SortedMap<String, List<String>>> selectCipherSuites(@NotNull String[] cipherSuiteNames, boolean allowSSLPrefix) {
        final SortedSet<String> recommended = new TreeSet<>(TLSCipherSuiteComparator.getInstance());
        final SortedMap<String, List<String>> nonRecommended = new TreeMap<>(TLSCipherSuiteComparator.getInstance());

        // Bulk ciphers that get a named rejection reason, in the order they are
        // tested, with the label reported for each.
        final String[] bulkCipherTokens = {"_RC4", "_3DES", "_DES", "_IDEA", "_CAMELLIA", "_ARIA"};
        final String[] bulkCipherLabels = {"RC4", "3DES", "DES", "IDEA", "Camellia", "ARIA"};

        for (final String suiteName : cipherSuiteNames) {
            String normalized = StaticUtils.toUpperCase(suiteName).replace('-', '_');

            // Signalling values are not real suites and are always kept.
            if (normalized.endsWith("_SCSV")) {
                recommended.add(suiteName);
                continue;
            }

            final List<String> reasons = new ArrayList<>(5);

            // Protocol prefix and key exchange.
            final boolean sslPrefixed = normalized.startsWith("SSL_");
            if (sslPrefixed && !allowSSLPrefix) {
                reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_LEGACY_SSL_PROTOCOL.get());
            } else if (sslPrefixed || normalized.startsWith("TLS_")) {
                if (sslPrefixed) {
                    // Judge an allowed SSL_ name exactly like its TLS_ spelling.
                    normalized = "TLS_" + normalized.substring(4);
                }
                final boolean acceptedKeyExchange = normalized.startsWith("TLS_AES_")
                        || normalized.startsWith("TLS_CHACHA20_")
                        || normalized.startsWith("TLS_ECDHE_")
                        || normalized.startsWith("TLS_DHE_");
                if (!acceptedKeyExchange) {
                    if (normalized.startsWith("TLS_RSA_")) {
                        if (!ALLOW_RSA_KEY_EXCHANGE.get()) {
                            reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_KNOWN_KE_ALG.get("RSA"));
                        }
                    } else {
                        String keyExchangeLabel = null;
                        for (final String candidate : new String[] {"ECDH", "DH", "KRB5"}) {
                            if (normalized.startsWith("TLS_" + candidate + "_")) {
                                keyExchangeLabel = candidate;
                                break;
                            }
                        }
                        if (keyExchangeLabel != null) {
                            reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_KNOWN_KE_ALG.get(keyExchangeLabel));
                        } else {
                            reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_UNKNOWN_KE_ALG.get());
                        }
                    }
                }
            } else {
                reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_UNRECOGNIZED_PROTOCOL.get());
            }

            // Markers that disqualify a suite wherever they appear in the name.
            if (normalized.contains("_PSK")) {
                reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_PSK.get());
            }
            if (normalized.contains("_NULL")) {
                reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NULL_COMPONENT.get());
            }
            if (normalized.contains("_ANON")) {
                reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_ANON_AUTH.get());
            }
            if (normalized.contains("_EXPORT")) {
                reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_EXPORT_ENCRYPTION.get());
            }

            // Bulk cipher: only AES and ChaCha20 pass.
            final boolean acceptedBulkCipher = normalized.contains("_AES") || normalized.contains("_CHACHA20");
            if (!acceptedBulkCipher) {
                String bulkCipherLabel = null;
                for (int i = 0; i < bulkCipherTokens.length; i++) {
                    if (normalized.contains(bulkCipherTokens[i])) {
                        bulkCipherLabel = bulkCipherLabels[i];
                        break;
                    }
                }
                if (bulkCipherLabel != null) {
                    reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_KNOWN_BE_ALG.get(bulkCipherLabel));
                } else {
                    reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_UNKNOWN_BE_ALG.get());
                }
            }

            // Digest: only the SHA-2 suffixes pass unconditionally.
            final boolean acceptedDigest = normalized.endsWith("_SHA512")
                    || normalized.endsWith("_SHA384")
                    || normalized.endsWith("_SHA256");
            if (!acceptedDigest) {
                if (normalized.endsWith("_SHA")) {
                    if (!ALLOW_SHA_1.get()) {
                        reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_KNOWN_DIGEST_ALG.get(MessageDigestAlgorithms.SHA_1));
                    }
                } else if (normalized.endsWith("_MD5")) {
                    reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_KNOWN_DIGEST_ALG.get(MessageDigestAlgorithms.MD5));
                } else {
                    reasons.add(SSLMessages.ERR_TLS_CIPHER_SUITE_SELECTOR_NON_RECOMMENDED_UNKNOWN_DIGEST_ALG.get());
                }
            }

            if (reasons.isEmpty()) {
                recommended.add(suiteName);
            } else {
                nonRecommended.put(suiteName, Collections.unmodifiableList(reasons));
            }
        }
        return new ObjectPair<>(recommended, nonRecommended);
    }

    /**
     * Returns the name of this command-line tool.
     *
     * @return  The fixed tool name.
     */
    @Override
    @NotNull
    public String getToolName() {
        final String toolName = "tls-cipher-suite-selector";
        return toolName;
    }

    /**
     * Returns the description of this command-line tool.
     *
     * @return  The description text taken from the SSL message catalog.
     */
    @Override
    @NotNull
    public String getToolDescription() {
        final String description = SSLMessages.INFO_TLS_CIPHER_SUITE_SELECTOR_TOOL_DESC.get();
        return description;
    }

    /**
     * Returns the version of this command-line tool.
     *
     * @return  The SDK's numeric version string.
     */
    @Override
    @NotNull
    public String getToolVersion() {
        final String version = Version.NUMERIC_VERSION_STRING;
        return version;
    }

    /**
     * Registers tool-specific arguments. This tool defines none.
     *
     * @param  argumentParser  The parser that would receive the arguments.
     *
     * @throws  ArgumentException  Declared by the overridden method; never
     *                             thrown here.
     */
    @Override
    public void addToolArguments(@NotNull ArgumentParser argumentParser) throws ArgumentException {
        // Intentionally empty: the tool takes no arguments of its own.
    }

    /**
     * Writes the cipher suite report to the tool's output stream.
     *
     * @return  Always {@code ResultCode.SUCCESS}.
     */
    @Override
    @NotNull
    public ResultCode doToolProcessing() {
        final PrintStream out = getOut();
        generateOutput(out);
        return ResultCode.SUCCESS;
    }

    /**
     * Writes the report to the given stream: the supported and enabled TLS
     * protocols, followed by the supported, JVM-default, non-recommended (with
     * reasons) and recommended cipher suites.
     * <p>
     * The protocol section is best effort. If obtaining the protocols fails, the
     * exception is passed to the debugger and the cipher suite sections are
     * still written.
     *
     * @param  printStream  The stream to write the report to.
     */
    private void generateOutput(@NotNull PrintStream printStream) {
        try {
            final SSLContext context = CryptoHelper.getDefaultSSLContext();
            printStream.println("Supported TLS Protocols:");
            for (final String protocol : context.getSupportedSSLParameters().getProtocols()) {
                printStream.println("* " + protocol);
            }
            printStream.println();

            printStream.println("Enabled TLS Protocols:");
            for (final String protocol : SSLUtil.getEnabledSSLProtocols()) {
                printStream.println("* " + protocol);
            }
            printStream.println();
        } catch (Exception e) {
            Debug.debugException(e);
        }

        printStream.println("Supported TLS Cipher Suites:");
        for (final String suite : this.supportedCipherSuites) {
            printStream.println("* " + suite);
        }
        printStream.println();

        printStream.println("JVM-Default TLS Cipher Suites:");
        for (final String suite : this.defaultCipherSuites) {
            printStream.println("* " + suite);
        }
        printStream.println();

        printStream.println("Non-Recommended TLS Cipher Suites:");
        for (final Map.Entry<String, List<String>> rejected : this.nonRecommendedCipherSuites.entrySet()) {
            printStream.println("* " + rejected.getKey());
            for (final String reason : rejected.getValue()) {
                printStream.println("  - " + reason);
            }
        }
        printStream.println();

        printStream.println("Recommended TLS Cipher Suites:");
        for (final String suite : this.recommendedCipherSuites) {
            printStream.println("* " + suite);
        }
    }

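    /**
     * Filters the given cipher suite names down to those the JVM supports.
     * <p>
     * Names are matched after upper-casing and replacing '-' with '_', and each
     * match is returned in the spelling the JVM itself uses. The result keeps
     * the order of the input and drops duplicates. {@code null} elements are
     * ignored.
     * <p>
     * Note that the filter is the set of <em>supported</em> suites, not the
     * recommended ones: a requested suite that this class classifies as
     * non-recommended is still returned if the JVM supports it.
     *
     * @param  collection  The requested suite names. May be {@code null}.
     *
     * @return  An unmodifiable set of the supported suites among the requested
     *          names, or an empty set if {@code collection} is {@code null}.
     */
    @NotNull
    public static Set<String> selectSupportedCipherSuites(@Nullable Collection<String> collection) {
        if (collection == null) {
            return Collections.emptySet();
        }

        final SortedSet<String> supported = getStaticInstance().supportedCipherSuites;
        final int capacity = StaticUtils.computeMapCapacity(supported.size());

        // Index the supported suites by normalized name so that lookups are
        // insensitive to case and to '-' versus '_'.
        final Map<String, String> supportedByNormalizedName = new HashMap<>(capacity);
        for (final String suite : supported) {
            supportedByNormalizedName.put(StaticUtils.toUpperCase(suite).replace('-', '_'), suite);
        }

        final Set<String> selected = new LinkedHashSet<>(capacity);
        for (final String requested : collection) {
            if (requested == null) {
                // A null element cannot name a suite; skip it so that it never
                // reaches the normalization call chain below.
                continue;
            }
            final String match = supportedByNormalizedName.get(StaticUtils.toUpperCase(requested).replace('-', '_'));
            if (match != null) {
                selected.add(match);
            }
        }
        return Collections.unmodifiableSet(selected);
    }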

    /**
     * Indicates whether suites using RSA key exchange are currently exempt from
     * rejection on that ground.
     *
     * @return  The current value of the JVM-wide flag.
     */
    public static boolean allowRSAKeyExchange() {
        final boolean allowed = ALLOW_RSA_KEY_EXCHANGE.get();
        return allowed;
    }

    /**
     * Sets whether suites using RSA key exchange are exempt from rejection on
     * that ground. The flag is static, so the change applies to every user of
     * this class in the JVM.
     *
     * @param  z  The new value of the flag.
     */
    public static void setAllowRSAKeyExchange(boolean z) {
        ALLOW_RSA_KEY_EXCHANGE.set(z);
        // Drop the cached selector so the next lookup re-runs selection with
        // the new flag value.
        recompute();
    }

    /**
     * Indicates whether suites whose name ends in "_SHA" are currently exempt
     * from rejection on account of their digest.
     *
     * @return  The current value of the JVM-wide flag.
     */
    public static boolean allowSHA1() {
        final boolean allowed = ALLOW_SHA_1.get();
        return allowed;
    }

    /**
     * Sets whether suites whose name ends in "_SHA" are exempt from rejection
     * on account of their digest. The flag is static, so the change applies to
     * every user of this class in the JVM.
     *
     * @param  z  The new value of the flag.
     */
    public static void setAllowSHA1(boolean z) {
        ALLOW_SHA_1.set(z);
        // Drop the cached selector so the next lookup re-runs selection with
        // the new flag value.
        recompute();
    }

    /**
     * Indicates whether suite names starting with "SSL_" are currently judged
     * like their "TLS_" spelling instead of being rejected as legacy.
     *
     * @return  The current value of the JVM-wide flag.
     */
    public static boolean allowSSLPrefixedSuites() {
        final boolean allowed = ALLOW_SSL_PREFIX.get();
        return allowed;
    }

    /**
     * Sets whether suite names starting with "SSL_" are judged like their
     * "TLS_" spelling instead of being rejected as legacy. The flag is static,
     * so the change applies to every user of this class in the JVM.
     *
     * @param  z  The new value of the flag.
     */
    public static void setAllowSSLPrefixedSuites(boolean z) {
        ALLOW_SSL_PREFIX.set(z);
        // Drop the cached selector so the next lookup re-runs selection with
        // the new flag value.
        recompute();
    }

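    /**
     * Returns the shared selector instance, creating it on first use or after
     * {@code recompute()} has cleared it.
     * <p>
     * The reference is checked again once the class lock is held, so a thread
     * that lost the race to initialize does not build a second selector only to
     * discard it. Building a selector queries the SSLContext and, when JVM TLS
     * debugging is enabled, writes the report to {@code System.err}, so the
     * redundant construction was not free of side effects.
     *
     * @return  The shared selector instance.
     */
    @NotNull
    private static TLSCipherSuiteSelector getStaticInstance() {
        TLSCipherSuiteSelector instance = STATIC_INSTANCE.get();
        if (instance == null) {
            // Every write to STATIC_INSTANCE happens under this lock, so the
            // value read inside it cannot change before it is used.
            synchronized (TLSCipherSuiteSelector.class) {
                instance = STATIC_INSTANCE.get();
                if (instance == null) {
                    instance = new TLSCipherSuiteSelector(null, null, false);
                    STATIC_INSTANCE.set(instance);
                }
            }
        }
        return instance;
    }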

    /**
     * Discards the shared selector instance so that the next static accessor
     * call builds a new one from the JVM's current state and allow flags.
     */
    public static void recompute() {
        // Held for the same monitor as lazy initialization, so a reset cannot
        // interleave with an instance being installed.
        synchronized (TLSCipherSuiteSelector.class) {
            STATIC_INSTANCE.set(null);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Indicates whether JVM TLS debugging was detected when the shared selector
     * instance was built, that is, whether the "javax.net.debug" system
     * property contained "all" or "ssl" at that time.
     *
     * @return  {@code true} if JVM TLS debugging was detected.
     */
    public static boolean jvmSSLDebuggingEnabled() {
        final TLSCipherSuiteSelector selector = getStaticInstance();
        return selector.jvmSSLDebuggingEnabled;
    }

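    // Seeds the three JVM-wide allow flags from system properties. A flag is
    // enabled only by the value "true", compared without regard to case. Each
    // enabled flag relaxes one rejection rule, so these properties widen the
    // recommended set for every user of this class in the JVM.
    static {
        final boolean allowRSAKeyExchange = Boolean.parseBoolean(StaticUtils.getSystemProperty(PROPERTY_ALLOW_RSA_KEY_EXCHANGE));
        final boolean allowSHA1 = Boolean.parseBoolean(StaticUtils.getSystemProperty(PROPERTY_ALLOW_SHA_1));

        final boolean allowSSLPrefix;
        final String sslPrefixProperty = StaticUtils.getSystemProperty(PROPERTY_ALLOW_SSL_PREFIX);
        if (sslPrefixProperty != null) {
            allowSSLPrefix = Boolean.parseBoolean(sslPrefixProperty);
        } else {
            // Without an explicit setting, SSL_-prefixed names are accepted only
            // on JVMs whose vendor string mentions IBM. The upper-casing uses
            // Locale.ROOT so that the result does not depend on the default
            // locale (under a Turkish locale 'i' does not upper-case to 'I').
            final String vendor = StaticUtils.getSystemProperty("java.vendor");
            final String vmVendor = StaticUtils.getSystemProperty("java.vm.vendor");
            allowSSLPrefix = (vendor != null && vendor.toUpperCase(Locale.ROOT).contains("IBM"))
                    || (vmVendor != null && vmVendor.toUpperCase(Locale.ROOT).contains("IBM"));
        }

        ALLOW_RSA_KEY_EXCHANGE.set(allowRSAKeyExchange);
        ALLOW_SHA_1.set(allowSHA1);
        ALLOW_SSL_PREFIX.set(allowSSLPrefix);
    }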
}
