package com.mysql.cj.protocol;

import com.mysql.cj.ServerVersion;
import com.mysql.cj.conf.PropertyDefinitions;
import com.mysql.cj.conf.PropertyKey;
import com.mysql.cj.conf.PropertySet;
import com.mysql.cj.exceptions.CJCommunicationsException;
import com.mysql.cj.exceptions.ExceptionFactory;
import com.mysql.cj.exceptions.ExceptionInterceptor;
import com.mysql.cj.exceptions.FeatureNotAvailableException;
import com.mysql.cj.exceptions.RSAException;
import com.mysql.cj.exceptions.SSLParamsException;
import com.mysql.cj.exceptions.WrongArgumentException;
import com.mysql.cj.log.Log;
import com.mysql.cj.util.Base64Decoder;
import com.mysql.cj.util.StringUtils;
import com.mysql.cj.util.Util;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.Socket;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.hsqldb.DatabaseURL;
import org.hsqldb.Tokens;

/* loaded from: input_file:lib/mysql-connector-java-8.0.26.jar:com/mysql/cj/protocol/ExportControlled.class */
public class ExportControlled {
    // Classpath resource that holds the cipher-suite policy; it is read once by the static initializer of this class.
    private static final String TLS_SETTINGS_RESOURCE = "/com/mysql/cj/TlsSettings.properties";
    // Protocol version names in the spelling used for SSLSocket.setEnabledProtocols().
    private static final String TLSv1_3 = "TLSv1.3";
    private static final String TLSv1_2 = "TLSv1.2";
    private static final String TLSv1_1 = "TLSv1.1";
    private static final String TLSv1 = "TLSv1";
    // Every protocol version this class will consider, newest first. getAllowedProtocols() walks this array in order,
    // and checkValidProtocols() rejects any name that is not in it. TLSv1 and TLSv1.1 are still listed here;
    // performTlsHandshake() only logs a deprecation warning when one of them ends up being negotiated.
    private static final String[] TLS_PROTOCOLS = {TLSv1_3, TLSv1_2, TLSv1_1, TLSv1};
    // Exact cipher-suite names that may be enabled; filled by the static initializer from the
    // TLSCiphers.Mandatory, TLSCiphers.Approved and TLSCiphers.Deprecated properties.
    // NOTE(review): the raw `new ArrayList()` is probably a decompiler artefact; the list is mutable and shared.
    private static final List<String> ALLOWED_CIPHERS = new ArrayList();
    // Substrings that disqualify a cipher-suite name; filled from the TLSCiphers.Unacceptable.Mask property.
    private static final List<String> RESTRICTED_CIPHER_SUBSTR = new ArrayList();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/mysql-connector-java-8.0.26.jar:com/mysql/cj/protocol/ExportControlled$KeyStoreConf.class */
    /**
     * Plain holder for the location, password and type of a key store or trust store.
     *
     * <p>All three fields are public and mutable. The password is kept as a {@code String}, so it cannot be
     * wiped from memory after the store has been loaded.
     */
    public static class KeyStoreConf {
        /** URL the store is loaded from; {@code null} when no store is configured. */
        public String keyStoreUrl = null;
        /** Password protecting the store; may be {@code null}. */
        public String keyStorePassword = null;
        /** Store type handed to {@code KeyStore.getInstance}; "JKS" unless set otherwise. */
        public String keyStoreType = "JKS";

        /** Creates an empty configuration: no URL, no password, store type "JKS". */
        public KeyStoreConf() {
        }

        /**
         * Creates a configuration from explicit values; none of them is validated here.
         *
         * @param str URL of the store
         * @param str2 password of the store
         * @param str3 type of the store; replaces the "JKS" default even when {@code null}
         */
        public KeyStoreConf(String str, String str2, String str3) {
            this.keyStoreUrl = str;
            this.keyStorePassword = str2;
            this.keyStoreType = str3;
        }
    }

    /* loaded from: input_file:lib/mysql-connector-java-8.0.26.jar:com/mysql/cj/protocol/ExportControlled$X509TrustManagerWrapper.class */
    /**
     * Trust manager installed by getSSLContext(): it either wraps a delegate {@link X509TrustManager} or is
     * created without one.
     *
     * <p>NOTE(review): the method that decides whether a server certificate is accepted, checkServerTrusted(),
     * was not decompiled in this listing. Nothing here shows how verifyServerCert, hostName, the PKIX validator
     * or verifyHostName() are actually used, so this listing cannot be relied on to judge the validation logic.
     */
    public static class X509TrustManagerWrapper implements X509TrustManager {
        // Delegate trust manager; stays null when the two-argument constructor is used.
        private X509TrustManager origTm;
        // Whether the caller asked for server certificate verification.
        private boolean verifyServerCert;
        // Host name to compare certificate names against; the caller passes null unless sslMode is VERIFY_IDENTITY.
        private String hostName;
        // The next three fields are only initialised when verifyServerCert is true and a delegate is supplied.
        private CertificateFactory certFactory;
        private PKIXParameters validatorParams;
        private CertPathValidator validator;

        /**
         * Wraps a delegate trust manager.
         *
         * <p>When {@code z} is true, PKIX validation parameters are built with every issuer accepted by the
         * delegate as a trust anchor. Revocation checking is switched off on those parameters, so validation that
         * uses them does not consult CRLs or OCSP.
         *
         * @param x509TrustManager delegate trust manager
         * @param z whether the server certificate is to be verified
         * @param str host name expected in the server certificate, or {@code null}
         * @throws CertificateException if the PKIX validator or certificate factory cannot be set up; any
         *         exception raised during set-up is wrapped
         */
        public X509TrustManagerWrapper(X509TrustManager x509TrustManager, boolean z, String str) throws CertificateException {
            this.origTm = null;
            this.verifyServerCert = false;
            this.hostName = null;
            this.certFactory = null;
            this.validatorParams = null;
            this.validator = null;
            this.origTm = x509TrustManager;
            this.verifyServerCert = z;
            this.hostName = str;
            if (z) {
                try {
                    this.validatorParams = new PKIXParameters((Set<TrustAnchor>) Arrays.stream(x509TrustManager.getAcceptedIssuers()).map(x509Certificate -> {
                        return new TrustAnchor(x509Certificate, null);
                    }).collect(Collectors.toSet()));
                    // Revocation status is not checked during PKIX validation.
                    this.validatorParams.setRevocationEnabled(false);
                    this.validator = CertPathValidator.getInstance("PKIX");
                    this.certFactory = CertificateFactory.getInstance("X.509");
                } catch (Exception e) {
                    throw new CertificateException(e);
                }
            }
        }

        /**
         * Creates a wrapper without a delegate: origTm, the validator and the certificate factory all stay null.
         *
         * <p>NOTE(review): getSSLContext() installs this variant when no trust manager could be built from a
         * trust store. What it accepts is decided in checkServerTrusted(), which is not visible here — confirm
         * against the upstream source.
         *
         * @param z whether the server certificate is to be verified
         * @param str host name expected in the server certificate, or {@code null}
         */
        public X509TrustManagerWrapper(boolean z, String str) {
            this.origTm = null;
            this.verifyServerCert = false;
            this.hostName = null;
            this.certFactory = null;
            this.validatorParams = null;
            this.validator = null;
            this.verifyServerCert = z;
            this.hostName = str;
        }

        /**
         * Returns the delegate's accepted issuers, or an empty array when there is no delegate.
         */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return this.origTm != null ? this.origTm.getAcceptedIssuers() : new X509Certificate[0];
        }

        /* JADX WARN: Code restructure failed: missing block: B:68:0x01a4, code lost:
        
            r11 = r0.getValue().toString();
         */
        // NOTE(review): the decompiler could not reconstruct this method. The body below is a placeholder that
        // always throws; the real server-certificate check (506 bytecode instructions) is missing from this listing.
        @Override // javax.net.ssl.X509TrustManager
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        public void checkServerTrusted(java.security.cert.X509Certificate[] r6, java.lang.String r7) throws java.security.cert.CertificateException {
            /*
                Method dump skipped, instructions count: 506
                To view this dump add '--comments-level debug' option
            */
            throw new UnsupportedOperationException("Method not decompiled: com.mysql.cj.protocol.ExportControlled.X509TrustManagerWrapper.checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String):void");
        }

        /**
         * Delegates client-certificate checks to the wrapped trust manager.
         *
         * <p>There is no null guard: on a wrapper created without a delegate this throws a NullPointerException.
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            this.origTm.checkClientTrusted(x509CertificateArr, str);
        }

        /**
         * Compares {@code hostName} with a name pattern, case-insensitively.
         *
         * <p>A '*' (char 42) is treated as a wildcard only when it appears before the first '.' (char 46) of the
         * pattern. In that case the host name must start with the text before the '*', end with the text after
         * it, and the part in between must not contain a '.', so the wildcard covers a single label at most.
         * Any other pattern must equal the host name.
         *
         * <p>NOTE(review): hostName is dereferenced without a null check. Also, when the prefix and suffix
         * overlap inside hostName (hostName shorter than prefix plus suffix), the substring call throws
         * StringIndexOutOfBoundsException instead of returning false — confirm how the caller handles that.
         *
         * @param str name pattern, presumably taken from the server certificate — the caller is not visible here
         * @return true when the host name matches the pattern
         */
        private boolean verifyHostName(String str) {
            int indexOf = str.indexOf(42);
            if (indexOf < 0 || indexOf >= str.indexOf(46)) {
                return this.hostName.equalsIgnoreCase(str);
            }
            String substring = str.substring(0, indexOf);
            String substring2 = str.substring(indexOf + 1);
            return StringUtils.startsWithIgnoreCase(this.hostName, substring) && StringUtils.endsWithIgnoreCase(this.hostName, substring2) && this.hostName.substring(substring.length(), this.hostName.length() - substring2.length()).indexOf(46) == -1;
        }
    }

    /** Not instantiable: every member of this class is static. */
    private ExportControlled() {
    }

    /**
     * Reports whether the TLS and RSA helpers of this class are available.
     *
     * @return always {@code true}
     */
    public static boolean enabled() {
        return true;
    }

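    /**
     * Selects the cipher suites to enable on the TLS socket.
     *
     * <p>The candidates are the suites named in the {@code enabledSSLCipherSuites} property, restricted to those
     * the socket offers; when the property is empty, every suite the socket offers is a candidate. A candidate is
     * kept only if its exact name is in {@code ALLOWED_CIPHERS} and its name contains none of the substrings in
     * {@code RESTRICTED_CIPHER_SUBSTR}.
     *
     * <p>NOTE(review): the lambdas were reconstructed from decompiler output that had lost their receivers
     * (undefined {@code r1}, shadowed {@code str}); confirm against the upstream source.
     *
     * @param propertySet connection properties
     * @param list cipher suites currently enabled on the socket
     * @return the suites to enable, in candidate order; empty (never {@code null}) when nothing qualifies
     */
    private static String[] getAllowedCiphers(PropertySet propertySet, List<String> list) {
        String value = propertySet.getStringProperty(PropertyKey.enabledSSLCipherSuites).getValue();
        // A user-supplied list can only narrow what the socket offers, never extend it.
        Stream<String> candidates = StringUtils.isNullOrEmpty(value)
                ? list.stream()
                : Arrays.stream(value.split("\\s*,\\s*")).filter(list::contains);
        return candidates
                // allow-list: exact suite names only
                .filter(ALLOWED_CIPHERS::contains)
                // deny-list: a single matching substring disqualifies the suite
                .filter(cipher -> RESTRICTED_CIPHER_SUBSTR.stream().noneMatch(cipher::contains))
                .toArray(String[]::new);
    }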

    /**
     * Works out which TLS protocol versions to enable on the socket.
     *
     * <p>The requested set is, in this order of precedence: the comma-separated {@code enabledTLSProtocols}
     * property when it is set; all of {@code TLS_PROTOCOLS} when the server version is unknown; all of
     * {@code TLS_PROTOCOLS} for servers at 5.7.28 or later, 5.6.46 or later within the 5.6 series, or an
     * enterprise edition at 5.6.0 or later; otherwise only TLSv1.1 and TLSv1.
     *
     * <p>The result is the part of {@code TLS_PROTOCOLS} that is both supported by the socket and requested, in
     * {@code TLS_PROTOCOLS} order. Names from the property are not validated here; an unknown name simply never
     * matches.
     *
     * @param propertySet connection properties
     * @param serverVersion version of the server, or {@code null} when not known
     * @param strArr protocols supported by the socket
     * @return protocols to enable; may be empty
     */
    private static String[] getAllowedProtocols(PropertySet propertySet, ServerVersion serverVersion, String[] strArr) {
        String value = propertySet.getStringProperty(PropertyKey.enabledTLSProtocols).getValue();
        String[] requested;
        if (value != null && value.length() > 0) {
            requested = value.split("\\s*,\\s*");
        } else if (serverVersion == null) {
            requested = TLS_PROTOCOLS;
        } else if (serverVersion.meetsMinimum(new ServerVersion(5, 7, 28))
                || (serverVersion.meetsMinimum(new ServerVersion(5, 6, 46)) && !serverVersion.meetsMinimum(new ServerVersion(5, 7, 0)))
                || (serverVersion.meetsMinimum(new ServerVersion(5, 6, 0)) && Util.isEnterpriseEdition(serverVersion.toString()))) {
            requested = TLS_PROTOCOLS;
        } else {
            // Older servers: only the two legacy protocol versions are requested.
            requested = new String[] {TLSv1_1, TLSv1};
        }
        List<String> configured = Arrays.asList(requested);
        List<String> supported = Arrays.asList(strArr);
        return Arrays.stream(TLS_PROTOCOLS)
                .filter(supported::contains)
                .filter(configured::contains)
                .toArray(String[]::new);
    }

    /**
     * Rejects any protocol name that is not one of {@code TLS_PROTOCOLS}.
     *
     * <p>The comparison is exact and case-sensitive. The first unknown name aborts the check.
     *
     * @param list protocol names to check
     * @throws WrongArgumentException naming the offending entry and listing the accepted names
     */
    public static void checkValidProtocols(List<String> list) {
        List<String> known = Arrays.asList(TLS_PROTOCOLS);
        for (String protocol : list) {
            if (known.contains(protocol)) {
                continue;
            }
            String accepted = String.join(", ", TLS_PROTOCOLS);
            throw ((WrongArgumentException) ExceptionFactory.createException(WrongArgumentException.class, "'" + protocol + "' not recognized as a valid TLS protocol version (should be one of " + accepted + ")."));
        }
    }

    /**
     * Resolves the trust store to use for verifying the server certificate.
     *
     * <p>The {@code trustCertificateKeyStore*} connection properties win. Only when no URL is configured there
     * and {@code fallbackToSystemTrustStore} is enabled are the {@code javax.net.ssl.trustStore*} system
     * properties consulted; a system value that does not parse as a URL is treated as a file path.
     *
     * @param propertySet connection properties
     * @param z when true, a missing trust store URL is an error
     * @return the resolved configuration; its URL may be empty when {@code z} is false
     * @throws CJCommunicationsException if {@code z} is true and no trust store URL could be resolved
     */
    private static KeyStoreConf getTrustStoreConf(PropertySet propertySet, boolean z) {
        String url = propertySet.getStringProperty(PropertyKey.trustCertificateKeyStoreUrl).getValue();
        String password = propertySet.getStringProperty(PropertyKey.trustCertificateKeyStorePassword).getValue();
        String type = propertySet.getStringProperty(PropertyKey.trustCertificateKeyStoreType).getValue();

        boolean fallbackEnabled = propertySet.getBooleanProperty(PropertyKey.fallbackToSystemTrustStore).getValue().booleanValue();
        if (fallbackEnabled && StringUtils.isNullOrEmpty(url)) {
            // All three values are replaced together, so a password set via connection properties is not
            // combined with a store taken from the system properties.
            url = System.getProperty("javax.net.ssl.trustStore");
            password = System.getProperty("javax.net.ssl.trustStorePassword");
            type = System.getProperty("javax.net.ssl.trustStoreType");
            if (StringUtils.isNullOrEmpty(type)) {
                type = propertySet.getStringProperty(PropertyKey.trustCertificateKeyStoreType).getInitialValue();
            }
            if (!StringUtils.isNullOrEmpty(url)) {
                try {
                    new URL(url);
                } catch (MalformedURLException notAUrl) {
                    // NOTE(review): DatabaseURL.S_FILE is an HSQLDB constant; it looks like the decompiler
                    // substituted it for an inlined string literal — confirm against the upstream source.
                    url = DatabaseURL.S_FILE + url;
                }
            }
        }

        if (z && StringUtils.isNullOrEmpty(url)) {
            throw new CJCommunicationsException("No truststore provided to verify the Server certificate.");
        }
        return new KeyStoreConf(url, password, type);
    }

    /**
     * Resolves the key store that holds the client certificate and private key.
     *
     * <p>The {@code clientCertificateKeyStore*} connection properties win. Only when no URL is configured there
     * and {@code fallbackToSystemKeyStore} is enabled are the {@code javax.net.ssl.keyStore*} system properties
     * consulted; a system value that does not parse as a URL is treated as a file path.
     *
     * @param propertySet connection properties
     * @return the resolved configuration; its URL is empty when no client key store is configured
     */
    private static KeyStoreConf getKeyStoreConf(PropertySet propertySet) {
        String url = propertySet.getStringProperty(PropertyKey.clientCertificateKeyStoreUrl).getValue();
        String password = propertySet.getStringProperty(PropertyKey.clientCertificateKeyStorePassword).getValue();
        String type = propertySet.getStringProperty(PropertyKey.clientCertificateKeyStoreType).getValue();

        boolean fallbackEnabled = propertySet.getBooleanProperty(PropertyKey.fallbackToSystemKeyStore).getValue().booleanValue();
        if (fallbackEnabled && StringUtils.isNullOrEmpty(url)) {
            // URL, password and type are taken from the system properties as a set.
            url = System.getProperty("javax.net.ssl.keyStore");
            password = System.getProperty("javax.net.ssl.keyStorePassword");
            type = System.getProperty("javax.net.ssl.keyStoreType");
            if (StringUtils.isNullOrEmpty(type)) {
                type = propertySet.getStringProperty(PropertyKey.clientCertificateKeyStoreType).getInitialValue();
            }
            if (!StringUtils.isNullOrEmpty(url)) {
                try {
                    new URL(url);
                } catch (MalformedURLException notAUrl) {
                    // NOTE(review): DatabaseURL.S_FILE is an HSQLDB constant; it looks like the decompiler
                    // substituted it for an inlined string literal — confirm against the upstream source.
                    url = DatabaseURL.S_FILE + url;
                }
            }
        }
        return new KeyStoreConf(url, password, type);
    }

    /**
     * Layers TLS over an already connected socket and completes the handshake.
     *
     * <p>The server certificate is verified only when {@code sslMode} is VERIFY_CA or VERIFY_IDENTITY; only then
     * is a trust store resolved, and only VERIFY_IDENTITY passes the host name on for matching. For every other
     * mode an empty trust-store configuration is used. A missing trust store is treated as an error only when
     * the server version is unknown and the system trust store fallback is disabled.
     *
     * <p>Protocols and cipher suites are narrowed by getAllowedProtocols() and getAllowedCiphers() before the
     * handshake starts. A negotiated TLSv1 or TLSv1.1 session is accepted; it only produces a warning in the log.
     *
     * @param socket connected plain socket to wrap
     * @param socketConnection source of the connection properties, host, port and exception interceptor
     * @param serverVersion server version, or {@code null} when not known
     * @param log logger for the deprecation warning, or {@code null} to skip it
     * @return the TLS socket after a completed handshake
     * @throws IOException if creating the socket or the handshake fails
     * @throws SSLParamsException if the key store or trust store configuration cannot be used
     */
    public static Socket performTlsHandshake(Socket socket, SocketConnection socketConnection, ServerVersion serverVersion, Log log) throws IOException, SSLParamsException, FeatureNotAvailableException {
        PropertySet propertySet = socketConnection.getPropertySet();
        PropertyDefinitions.SslMode sslMode = (PropertyDefinitions.SslMode) propertySet.getEnumProperty(PropertyKey.sslMode).getValue();
        boolean verifyServerCert = sslMode == PropertyDefinitions.SslMode.VERIFY_CA || sslMode == PropertyDefinitions.SslMode.VERIFY_IDENTITY;
        boolean fallbackToSystemTrustStore = propertySet.getBooleanProperty(PropertyKey.fallbackToSystemTrustStore).getValue().booleanValue();

        KeyStoreConf trustStoreConf = verifyServerCert
                ? getTrustStoreConf(propertySet, serverVersion == null && !fallbackToSystemTrustStore)
                : new KeyStoreConf();
        KeyStoreConf clientKeyStoreConf = getKeyStoreConf(propertySet);
        // The host name is handed over for certificate matching in VERIFY_IDENTITY mode only.
        String hostToVerify = sslMode == PropertyDefinitions.SslMode.VERIFY_IDENTITY ? socketConnection.getHost() : null;
        SSLContext sslContext = getSSLContext(clientKeyStoreConf, trustStoreConf, fallbackToSystemTrustStore, verifyServerCert, hostToVerify, socketConnection.getExceptionInterceptor());

        // Last argument: closing the TLS socket also closes the underlying socket.
        SSLSocket tlsSocket = (SSLSocket) sslContext.getSocketFactory().createSocket(socket, socketConnection.getHost(), socketConnection.getPort(), true);
        tlsSocket.setEnabledProtocols(getAllowedProtocols(propertySet, serverVersion, tlsSocket.getSupportedProtocols()));
        String[] cipherSuites = getAllowedCiphers(propertySet, Arrays.asList(tlsSocket.getEnabledCipherSuites()));
        if (cipherSuites != null) {
            tlsSocket.setEnabledCipherSuites(cipherSuites);
        }
        tlsSocket.startHandshake();

        if (log != null) {
            String negotiated = tlsSocket.getSession().getProtocol();
            boolean legacyProtocol = TLSv1.equalsIgnoreCase(negotiated) || TLSv1_1.equalsIgnoreCase(negotiated);
            if (legacyProtocol) {
                log.logWarn("This connection is using " + negotiated + " which is now deprecated and will be removed in a future release of Connector/J.");
            }
        }
        return tlsSocket;
    }

    /**
     * Builds the SSLContext used for the TLS handshake from a client key store and a trust store.
     *
     * <p>The deeply nested try blocks are decompiler output; each catch maps one failure to an
     * SSLParamsException. Messages include the store URL and type but never the password.
     *
     * @param keyStoreConf client key store (certificate and private key); skipped when its URL is empty
     * @param keyStoreConf2 trust store; skipped when its URL or type is empty
     * @param z whether falling back to the default trust store is allowed (performTlsHandshake() passes the
     *        fallbackToSystemTrustStore property here)
     * @param z2 whether the server certificate is to be verified
     * @param str host name handed to the trust manager wrapper, or {@code null}
     * @param exceptionInterceptor interceptor passed on to ExceptionFactory
     * @return an initialised SSLContext
     * @throws SSLParamsException if a store cannot be opened or loaded, or the context cannot be created
     */
    public static SSLContext getSSLContext(KeyStoreConf keyStoreConf, KeyStoreConf keyStoreConf2, boolean z, boolean z2, String str, ExceptionInterceptor exceptionInterceptor) throws SSLParamsException {
        // str2..str4: client key store URL, type, password; str5..str7: trust store URL, type, password.
        String str2 = keyStoreConf.keyStoreUrl;
        String str3 = keyStoreConf.keyStoreType;
        String str4 = keyStoreConf.keyStorePassword;
        String str5 = keyStoreConf2.keyStoreUrl;
        String str6 = keyStoreConf2.keyStoreType;
        String str7 = keyStoreConf2.keyStorePassword;
        // Stays null when no client key store is configured, so no client certificate is offered.
        KeyManager[] keyManagerArr = null;
        ArrayList arrayList = new ArrayList();
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Part 1: client key store.
            if (!StringUtils.isNullOrEmpty(str2)) {
                InputStream inputStream = null;
                try {
                    try {
                        try {
                            try {
                                try {
                                    if (!StringUtils.isNullOrEmpty(str3)) {
                                        KeyStore keyStore = KeyStore.getInstance(str3);
                                        // The URL is opened as given, whatever its scheme. It comes from the
                                        // connection configuration, which therefore has to be trusted input.
                                        URL url = new URL(str2);
                                        // The same password is used for the store and for the keys inside it.
                                        // The char array is never cleared afterwards.
                                        char[] charArray = str4 == null ? new char[0] : str4.toCharArray();
                                        inputStream = url.openStream();
                                        keyStore.load(inputStream, charArray);
                                        keyManagerFactory.init(keyStore, charArray);
                                        keyManagerArr = keyManagerFactory.getKeyManagers();
                                    }
                                } catch (MalformedURLException e) {
                                    throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, str2 + " does not appear to be a valid URL.", e, exceptionInterceptor));
                                }
                            } catch (UnrecoverableKeyException e2) {
                                throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Could not recover keys from client keystore.  Check password?", e2, exceptionInterceptor));
                            }
                        } catch (KeyStoreException e3) {
                            // NOTE(review): Tokens.T_RIGHTBRACKET is an HSQLDB constant; it looks like the
                            // decompiler substituted it for an inlined string literal — confirm upstream.
                            throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Could not create KeyStore instance [" + e3.getMessage() + Tokens.T_RIGHTBRACKET, e3, exceptionInterceptor));
                        } catch (NoSuchAlgorithmException e4) {
                            throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Unsupported keystore algorithm [" + e4.getMessage() + Tokens.T_RIGHTBRACKET, e4, exceptionInterceptor));
                        }
                    } finally {
                        // NOTE(review): this finally block is empty, so inputStream is never closed in this
                        // listing. The decompiler may have dropped a close() call — confirm against upstream.
                    }
                } catch (IOException e5) {
                    throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Cannot open " + str2 + " [" + e5.getMessage() + Tokens.T_RIGHTBRACKET, e5, exceptionInterceptor));
                } catch (CertificateException e6) {
                    throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Could not load client" + str3 + " keystore from " + str2, e6, exceptionInterceptor));
                }
            }
            // Part 2: trust store and trust managers.
            InputStream inputStream2 = null;
            try {
                try {
                    try {
                        try {
                            try {
                                try {
                                    KeyStore keyStore2 = null;
                                    if (!StringUtils.isNullOrEmpty(str5) && !StringUtils.isNullOrEmpty(str6)) {
                                        char[] charArray2 = str7 == null ? new char[0] : str7.toCharArray();
                                        inputStream2 = new URL(str5).openStream();
                                        keyStore2 = KeyStore.getInstance(str6);
                                        keyStore2.load(inputStream2, charArray2);
                                    }
                                    // With keyStore2 == null this branch is taken only when verification and the
                                    // fallback are both enabled; init(null) then uses the JVM's default trust store.
                                    if (keyStore2 != null || (z2 && z)) {
                                        trustManagerFactory.init(keyStore2);
                                        for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                                            arrayList.add(trustManager instanceof X509TrustManager ? new X509TrustManagerWrapper((X509TrustManager) trustManager, z2, str) : trustManager);
                                        }
                                    }
                                    if (inputStream2 != null) {
                                        try {
                                            inputStream2.close();
                                        } catch (IOException e7) {
                                            // failure to close the trust store stream is ignored
                                        }
                                    }
                                    // No trust manager was built: install a wrapper that has no delegate.
                                    // NOTE(review): what that wrapper accepts is decided in its checkServerTrusted(),
                                    // which is not decompiled in this listing — confirm before relying on it.
                                    if (arrayList.size() == 0) {
                                        arrayList.add(new X509TrustManagerWrapper(z2, str));
                                    }
                                    try {
                                        // NOTE(review): SSLSocketFactory.TLS is an Apache HttpClient constant; it looks
                                        // like the decompiler substituted it for an inlined string literal — confirm upstream.
                                        SSLContext sSLContext = SSLContext.getInstance(SSLSocketFactory.TLS);
                                        // A null SecureRandom lets the provider pick its default source of randomness.
                                        sSLContext.init(keyManagerArr, (TrustManager[]) arrayList.toArray(new TrustManager[arrayList.size()]), null);
                                        return sSLContext;
                                    } catch (KeyManagementException e8) {
                                        throw new SSLParamsException("KeyManagementException: " + e8.getMessage(), e8);
                                    } catch (NoSuchAlgorithmException e9) {
                                        throw new SSLParamsException("TLS is not a valid SSL protocol.", e9);
                                    }
                                } catch (MalformedURLException e10) {
                                    throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, str5 + " does not appear to be a valid URL.", e10, exceptionInterceptor));
                                }
                            } catch (CertificateException e11) {
                                throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Could not load trust" + str6 + " keystore from " + str5, e11, exceptionInterceptor));
                            }
                        } catch (IOException e12) {
                            throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Cannot open " + str5 + " [" + e12.getMessage() + Tokens.T_RIGHTBRACKET, e12, exceptionInterceptor));
                        }
                    } finally {
                        // Runs on every exit path, so the stream may be closed a second time here.
                        if (inputStream2 != null) {
                            try {
                                inputStream2.close();
                            } catch (IOException e13) {
                                // failure to close the trust store stream is ignored
                            }
                        }
                    }
                } catch (KeyStoreException e14) {
                    throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Could not create KeyStore instance [" + e14.getMessage() + Tokens.T_RIGHTBRACKET, e14, exceptionInterceptor));
                }
            } catch (NoSuchAlgorithmException e15) {
                throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Unsupported keystore algorithm [" + e15.getMessage() + Tokens.T_RIGHTBRACKET, e15, exceptionInterceptor));
            }
        } catch (NoSuchAlgorithmException e16) {
            throw ((SSLParamsException) ExceptionFactory.createException(SSLParamsException.class, "Default algorithm definitions for TrustManager and/or KeyManager are invalid.  Check java security properties file.", e16, exceptionInterceptor));
        }
    }

    /**
     * Tells whether a socket is a TLS socket.
     *
     * <p>Only the runtime type is inspected; nothing is said about whether a handshake has completed or which
     * protocol version and cipher suite are in use.
     *
     * @param socket socket to inspect; may be {@code null}
     * @return true if {@code socket} is an {@link SSLSocket}, false otherwise, including for {@code null}
     */
    public static boolean isSSLEstablished(Socket socket) {
        return socket instanceof SSLSocket;
    }

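    /**
     * Decodes a PEM-encoded RSA public key.
     *
     * <p>Everything between the end of the first line and the {@code -----END PUBLIC KEY-----} marker is
     * Base64-decoded and parsed as an X.509 SubjectPublicKeyInfo structure. The first line itself is skipped
     * without being checked.
     *
     * @param str PEM text of the key
     * @return the decoded public key
     * @throws RSAException if {@code str} is null, the end marker is missing or misplaced, or the key data
     *         cannot be parsed
     */
    public static RSAPublicKey decodeRSAPublicKey(String str) throws RSAException {
        if (str == null) {
            throw ((RSAException) ExceptionFactory.createException(RSAException.class, "Key parameter is null"));
        }
        int indexOf = str.indexOf("\n") + 1;
        int length = str.indexOf("-----END PUBLIC KEY-----") - indexOf;
        if (length < 0) {
            // Missing or misplaced end marker: reject the input instead of passing a negative length to the decoder.
            throw ((RSAException) ExceptionFactory.createException(RSAException.class, "Unable to decode public key"));
        }
        // A one-byte-per-char charset keeps the character offsets computed above valid as byte offsets,
        // independent of the platform default charset.
        byte[] pemBytes = str.getBytes(java.nio.charset.StandardCharsets.US_ASCII);
        try {
            return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64Decoder.decode(pemBytes, indexOf, length)));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw ((RSAException) ExceptionFactory.createException(RSAException.class, "Unable to decode public key", e));
        }
    }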

    /**
     * Encrypts data with an RSA public key using the given cipher transformation.
     *
     * <p>The transformation string, including its padding scheme, is chosen entirely by the caller and is not
     * checked here.
     *
     * @param bArr plaintext to encrypt
     * @param rSAPublicKey public key to encrypt with
     * @param str JCA transformation name passed to {@code Cipher.getInstance}
     * @return the ciphertext
     * @throws RSAException wrapping any failure to create, initialise or run the cipher
     */
    public static byte[] encryptWithRSAPublicKey(byte[] bArr, RSAPublicKey rSAPublicKey, String str) throws RSAException {
        try {
            Cipher rsaCipher = Cipher.getInstance(str);
            rsaCipher.init(Cipher.ENCRYPT_MODE, rSAPublicKey);
            byte[] cipherText = rsaCipher.doFinal(bArr);
            return cipherText;
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw ((RSAException) ExceptionFactory.createException(RSAException.class, e.getMessage(), e));
        }
    }

    /**
     * Encrypts data with an RSA public key using OAEP padding with SHA-1 and MGF1.
     *
     * <p>NOTE(review): the transformation is fixed here, presumably to match what the server side expects —
     * confirm before changing the digest.
     *
     * @param bArr plaintext to encrypt
     * @param rSAPublicKey public key to encrypt with
     * @return the ciphertext
     * @throws RSAException wrapping any failure to create, initialise or run the cipher
     */
    public static byte[] encryptWithRSAPublicKey(byte[] bArr, RSAPublicKey rSAPublicKey) throws RSAException {
        final String defaultTransformation = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
        return encryptWithRSAPublicKey(bArr, rSAPublicKey, defaultTransformation);
    }

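    // Loads the cipher-suite policy from TlsSettings.properties once, when the class is initialised.
    // The Mandatory, Approved and Deprecated lists together form the allow-list of exact suite names;
    // the Unacceptable.Mask list holds substrings that disqualify a suite.
    static {
        // try-with-resources closes the resource stream, which the plain load(...) call left open.
        try (InputStream settingsStream = ExportControlled.class.getResourceAsStream(TLS_SETTINGS_RESOURCE)) {
            if (settingsStream == null) {
                // Resource missing from the classpath: fail with a clear message instead of a NullPointerException.
                throw ExceptionFactory.createException("Unable to load TlsSettings.properties");
            }
            Properties properties = new Properties();
            properties.load(settingsStream);

            String maskKey = "TLSCiphers.Unacceptable.Mask";
            String[] keys = {"TLSCiphers.Mandatory", "TLSCiphers.Approved", "TLSCiphers.Deprecated", maskKey};
            for (String key : keys) {
                String csv = properties.getProperty(key);
                if (csv == null) {
                    // A policy file without one of its lists is treated as unusable rather than partially applied.
                    throw ExceptionFactory.createException("Unable to load TlsSettings.properties: missing '" + key + "'");
                }
                List<String> target = maskKey.equals(key) ? RESTRICTED_CIPHER_SUBSTR : ALLOWED_CIPHERS;
                for (String entry : csv.split("\\s*,\\s*")) {
                    target.add(entry.trim());
                }
            }
        } catch (IOException e) {
            // Keep the cause so the underlying I/O failure is visible to whoever diagnoses the start-up error.
            throw ExceptionFactory.createException("Unable to load TlsSettings.properties", e);
        }
    }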
}
