package org.openziti.springboot.client.web.config;

import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import lombok.Generated;
import org.apache.hc.client5.http.config.TlsConfig;
import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
import org.apache.hc.core5.http.URIScheme;
import org.apache.hc.core5.http.protocol.HttpContext;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.http.ssl.TlsCiphers;
import org.apache.hc.core5.io.Closer;
import org.apache.hc.core5.util.Timeout;
import org.openziti.Ziti;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openziti/springboot/client/web/config/ZitiTlsSocketStrategy.class */
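/**
 * Client TLS strategy that layers TLS over an existing socket using an
 * {@link SSLSocketFactory} obtained from {@link Ziti#getSSLSocketFactory(SSLContext)}.
 *
 * <p>Server identity is checked in up to two places, depending on the
 * {@link HostnameVerificationPolicy}: the JSSE endpoint identification algorithm
 * configured in {@link #executeHandshake}, and the inherited {@code verifySession}
 * call made after the handshake completes.
 */
public class ZitiTlsSocketStrategy extends DefaultClientTlsStrategy {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(ZitiTlsSocketStrategy.class);

    // volatile is required for the double-checked lazy initialisation in
    // getZitiSslSocketFactory(): without it the unsynchronised first read has no
    // happens-before edge with the write made inside the synchronized block.
    private volatile SSLSocketFactory zitiSslSocketFactory;
    private final SSLContext sslContext;
    private final HostnameVerificationPolicy hostnameVerificationPolicy;

    /**
     * Creates a strategy with an explicit hostname verification policy and verifier.
     *
     * @param sSLContext context used for the parent strategy and for the Ziti socket factory
     * @param hostnameVerificationPolicy which hostname checks to apply; when {@code null} this
     *        class falls back to {@link HostnameVerificationPolicy#BOTH} for its own check
     * @param hostnameVerifier verifier handed to the parent strategy
     */
    public ZitiTlsSocketStrategy(SSLContext sSLContext, HostnameVerificationPolicy hostnameVerificationPolicy, HostnameVerifier hostnameVerifier) {
        super(sSLContext, hostnameVerificationPolicy, hostnameVerifier);
        this.sslContext = sSLContext;
        // Fail closed: executeHandshake() compares this field with ==, so a null policy
        // would skip the JSSE endpoint identification step without any signal.
        this.hostnameVerificationPolicy =
                hostnameVerificationPolicy != null ? hostnameVerificationPolicy : HostnameVerificationPolicy.BOTH;
    }

    /**
     * Creates a strategy that uses {@link HostnameVerificationPolicy#BOTH} for the
     * endpoint identification decision made in this class.
     *
     * @param sSLContext context used for the parent strategy and for the Ziti socket factory
     */
    public ZitiTlsSocketStrategy(SSLContext sSLContext) {
        super(sSLContext);
        this.sslContext = sSLContext;
        this.hostnameVerificationPolicy = HostnameVerificationPolicy.BOTH;
    }

    /**
     * Wraps {@code socket} in an {@link SSLSocket} created by the Ziti socket factory and
     * completes the TLS handshake before returning it.
     *
     * @param socket the already connected socket to layer TLS on
     * @param target host name passed to the socket factory and to session verification
     * @param port port passed to the socket factory
     * @param attachment a {@link TlsConfig}, or any other value to use {@link TlsConfig#DEFAULT}
     * @param httpContext not used by this implementation
     * @return the TLS socket, with the handshake and session verification completed
     * @throws IOException if socket creation, the handshake or verification fails
     */
    public SSLSocket upgrade(Socket socket, String target, int port, Object attachment, HttpContext httpContext) throws IOException {
        // autoClose=true: closing the TLS socket also closes the underlying socket.
        SSLSocket tlsSocket = (SSLSocket) getZitiSslSocketFactory().createSocket(socket, target, port, true);
        try {
            executeHandshake(tlsSocket, target, attachment);
            return tlsSocket;
        } catch (IOException | RuntimeException e) {
            // Never hand back a socket whose handshake or verification did not complete.
            Closer.closeQuietly(tlsSocket);
            throw e;
        }
    }

    /**
     * Applies protocol, cipher and endpoint identification settings, runs the handshake
     * and then verifies the negotiated session.
     *
     * <p>Only the handshake timeout is read from the {@link TlsConfig}.
     */
    private void executeHandshake(SSLSocket tlsSocket, String target, Object attachment) throws IOException {
        TlsConfig tlsConfig = attachment instanceof TlsConfig ? (TlsConfig) attachment : TlsConfig.DEFAULT;

        SSLParameters params = tlsSocket.getSSLParameters();
        params.setProtocols(TLS.excludeWeak(tlsSocket.getEnabledProtocols()));
        params.setCipherSuites(TlsCiphers.excludeWeak(tlsSocket.getEnabledCipherSuites()));
        boolean builtinCheck = this.hostnameVerificationPolicy == HostnameVerificationPolicy.BUILTIN
                || this.hostnameVerificationPolicy == HostnameVerificationPolicy.BOTH;
        if (builtinCheck) {
            // Have JSSE match the certificate against the peer host during the handshake.
            params.setEndpointIdentificationAlgorithm(URIScheme.HTTPS.id);
        }
        tlsSocket.setSSLParameters(params);

        Timeout handshakeTimeout = tlsConfig.getHandshakeTimeout();
        if (handshakeTimeout != null) {
            tlsSocket.setSoTimeout(handshakeTimeout.toMillisecondsIntBound());
        }
        initializeSocket(tlsSocket);

        if (log.isDebugEnabled()) {
            // Cast to Object so the String[] is logged as one argument; uncast, the call binds
            // to the varargs overload and only the first element would be printed.
            log.debug("Enabled protocols: {}", (Object) tlsSocket.getEnabledProtocols());
            log.debug("Enabled cipher suites: {}", (Object) tlsSocket.getEnabledCipherSuites());
            log.debug("Starting handshake ({})", handshakeTimeout);
        }

        tlsSocket.startHandshake();
        verifySession(target, tlsSocket.getSession());
    }

    /**
     * Returns the Ziti-backed socket factory, creating it on first use.
     *
     * @return the lazily created factory bound to this strategy's {@link SSLContext}
     */
    protected SSLSocketFactory getZitiSslSocketFactory() {
        SSLSocketFactory factory = this.zitiSslSocketFactory;
        if (factory == null) {
            synchronized (this) {
                factory = this.zitiSslSocketFactory;
                if (factory == null) {
                    factory = Ziti.getSSLSocketFactory(this.sslContext);
                    this.zitiSslSocketFactory = factory;
                }
            }
        }
        return factory;
    }
}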
