package com.typesafe.sslconfig.akka;

import akka.actor.ActorSystem;
import akka.actor.ExtendedActorSystem;
import akka.actor.Extension;
import akka.event.LogSource$;
import akka.event.Logging$;
import akka.event.LoggingAdapter;
import com.typesafe.sslconfig.akka.util.AkkaLoggerFactory;
import com.typesafe.sslconfig.ssl.AlgorithmChecker;
import com.typesafe.sslconfig.ssl.AlgorithmConstraintsParser$;
import com.typesafe.sslconfig.ssl.Ciphers$;
import com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder;
import com.typesafe.sslconfig.ssl.DefaultKeyManagerFactoryWrapper;
import com.typesafe.sslconfig.ssl.DefaultTrustManagerFactoryWrapper;
import com.typesafe.sslconfig.ssl.DisabledComplainingHostnameVerifier;
import com.typesafe.sslconfig.ssl.KeyManagerFactoryWrapper;
import com.typesafe.sslconfig.ssl.Protocols$;
import com.typesafe.sslconfig.ssl.SSLConfigSettings;
import com.typesafe.sslconfig.ssl.TrustManagerFactoryWrapper;
import java.security.KeyStore;
import java.util.Collections;
import java.util.function.Function;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import scala.Function1;
import scala.MatchError;
import scala.None$;
import scala.Predef$;
import scala.Some;
import scala.collection.TraversableOnce;
import scala.collection.immutable.Nil$;
import scala.collection.immutable.Seq;
import scala.reflect.ClassTag$;
import scala.reflect.ScalaSignature;

/* compiled from: AkkaSSLConfig.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005%v!B\u0001\u0003\u0011\u0003Y\u0011!D!lW\u0006\u001c6\u000bT\"p]\u001aLwM\u0003\u0002\u0004\t\u0005!\u0011m[6b\u0015\t)a!A\u0005tg2\u001cwN\u001c4jO*\u0011q\u0001C\u0001\tif\u0004Xm]1gK*\t\u0011\"A\u0002d_6\u001c\u0001\u0001\u0005\u0002\r\u001b5\t!AB\u0003\u000f\u0005!\u0005qBA\u0007BW.\f7k\u0015'D_:4\u0017nZ\n\u0006\u001bA1\u0012q\u000e\t\u0003#Qi\u0011A\u0005\u0006\u0002'\u0005)1oY1mC&\u0011QC\u0005\u0002\u0007\u0003:L(+\u001a4\u0011\u0007]YR$D\u0001\u0019\u0015\tI\"$A\u0003bGR|'OC\u0001\u0004\u0013\ta\u0002DA\u0006FqR,gn]5p]&#\u0007C\u0001\u0007\u001f\r\u0011q!AA\u0010\u0014\u0007y\u0001\u0002\u0005\u0005\u0002\u0018C%\u0011!\u0005\u0007\u0002\n\u000bb$XM\\:j_:D\u0001\u0002\n\u0010\u0003\u0002\u0003\u0006I!J\u0001\u0007gf\u001cH/Z7\u0011\u0005]1\u0013BA\u0014\u0019\u0005M)\u0005\u0010^3oI\u0016$\u0017i\u0019;peNK8\u000f^3n\u0011!IcD!b\u0001\n\u0003Q\u0013AB2p]\u001aLw-F\u0001,!\tas&D\u0001.\u0015\tqC!A\u0002tg2L!\u0001M\u0017\u0003#M\u001bFjQ8oM&<7+\u001a;uS:<7\u000f\u0003\u00053=\t\u0005\t\u0015!\u0003,\u0003\u001d\u0019wN\u001c4jO\u0002BQ\u0001\u000e\u0010\u0005\u0002U\na\u0001P5oSRtDcA\u000f7o!)Ae\ra\u0001K!)\u0011f\ra\u0001W!9\u0011H\bb\u0001\n\u0013Q\u0014\u0001C7l\u0019><w-\u001a:\u0016\u0003m\u0002\"\u0001P \u000e\u0003uR!A\u0010\u0002\u0002\tU$\u0018\u000e\\\u0005\u0003\u0001v\u0012\u0011#Q6lC2{wmZ3s\r\u0006\u001cGo\u001c:z\u0011\u0019\u0011e\u0004)A\u0005w\u0005IQn\u001b'pO\u001e,'\u000f\t\u0005\b\tz\u0011\r\u0011\"\u0003F\u0003\rawnZ\u000b\u0002\rB\u0011qIS\u0007\u0002\u0011*\u0011\u0011JG\u0001\u0006KZ,g\u000e^\u0005\u0003\u0017\"\u0013a\u0002T8hO&tw-\u00113baR,'\u000f\u0003\u0004N=\u0001\u0006IAR\u0001\u0005Y><\u0007\u0005C\u0003P=\u0011\u0005\u0001+\u0001\u0007xSRD7+\u001a;uS:<7\u000f\u0006\u0002\u001e#\")!K\u0014a\u0001W\u0005\t1\rC\u0003U=\u0011\u0005Q+A\u0006nCB\u001cV\r\u001e;j]\u001e\u001cHCA\u000fW\u0011\u001596\u000b1\u0001Y\u0003\u00051\u0007\u0003B\tZW-J!A\u0017\n\u0003\u0013\u0019+hn\u0019;j_:\f\u0004\"\u0002/\u001f\t\u0003i\u0016aD2p]Z,'\u000f^*fiRLgnZ:\u0015\u0005uq\u0006\"B,\\\u0001\u0004y\u0006\u0003\u00021gW-j\u0011!\u0019\u0006\u0003E\u000e\f\u0001BZ;oGRLwN\u001c\u0006\u0003}\u0011T\u0011!Z\u0001\u0005U\u00064\u0018-\u0003\u0002hC\nAa)\u001e8di&|g\u000eC\u0004j=\t\u0007I\u0011\u00016\u0002!!|7\u000f\u001e8b[\u00164VM]5gS\u0016\u0014X#A6\u0011\u00051\u0014X\"A7\u000b\u00059r'BA8q\u0003\rqW\r\u001e\u0006\u0002c\u0006)!.\u0019<bq&\u00111/\u001c\u0002\u0011\u0011>\u001cHO\\1nKZ+'/\u001b4jKJDa!\u001e\u0010!\u0002\u0013Y\u0017!\u00055pgRt\u0017-\\3WKJLg-[3sA!9qO\bb\u0001\n\u0003A\u0018!F:tY\u0016sw-\u001b8f\u0007>tg-[4ve\u0006$xN]\u000b\u0002sB\u0011AB_\u0005\u0003w\n\u0011A\u0004R3gCVdGoU*M\u000b:<\u0017N\\3D_:4\u0017nZ;sCR|'\u000f\u0003\u0004~=\u0001\u0006I!_\u0001\u0017gNdWI\\4j]\u0016\u001cuN\u001c4jOV\u0014\u0018\r^8sA!1qP\bC\u0001\u0003\u0003\taCY;jY\u0012\\U-_'b]\u0006<WM\u001d$bGR|'/\u001f\u000b\u0005\u0003\u0007\tI\u0001E\u0002-\u0003\u000bI1!a\u0002.\u0005aYU-_'b]\u0006<WM\u001d$bGR|'/_,sCB\u0004XM\u001d\u0005\u0006]y\u0004\ra\u000b\u0005\b\u0003\u001bqB\u0011AA\b\u0003a\u0011W/\u001b7e)J,8\u000f^'b]\u0006<WM\u001d$bGR|'/\u001f\u000b\u0005\u0003#\t9\u0002E\u0002-\u0003'I1!!\u0006.\u0005i!&/^:u\u001b\u0006t\u0017mZ3s\r\u0006\u001cGo\u001c:z/J\f\u0007\u000f]3s\u0011\u0019q\u00131\u0002a\u0001W!9\u00111\u0004\u0010\u0005\u0002\u0005u\u0011!\u00062vS2$\u0007j\\:u]\u0006lWMV3sS\u001aLWM\u001d\u000b\u0004W\u0006}\u0001bBA\u0011\u00033\u0001\raK\u0001\u0005G>tg\rC\u0004\u0002&y!\t!a\n\u00027Y\fG.\u001b3bi\u0016$UMZ1vYR$&/^:u\u001b\u0006t\u0017mZ3s)\u0011\tI#a\f\u0011\u0007E\tY#C\u0002\u0002.I\u0011A!\u00168ji\"9\u0011\u0011GA\u0012\u0001\u0004Y\u0013!C:tY\u000e{gNZ5h\u0011\u001d\t)D\bC\u0001\u0003o\t!cY8oM&<WO]3Qe>$xnY8mgR1\u0011\u0011HA'\u0003#\u0002R!EA\u001e\u0003\u007fI1!!\u0010\u0013\u0005\u0015\t%O]1z!\u0011\t\t%a\u0012\u000f\u0007E\t\u0019%C\u0002\u0002FI\ta\u0001\u0015:fI\u00164\u0017\u0002BA%\u0003\u0017\u0012aa\u0015;sS:<'bAA#%!A\u0011qJA\u001a\u0001\u0004\tI$A\tfq&\u001cH/\u001b8h!J|Go\\2pYNDq!!\r\u00024\u0001\u00071\u0006C\u0004\u0002Vy!\t!a\u0016\u0002+\r|gNZ5hkJ,7)\u001b9iKJ\u001cV/\u001b;fgR1\u0011\u0011HA-\u0003;B\u0001\"a\u0017\u0002T\u0001\u0007\u0011\u0011H\u0001\u0010KbL7\u000f^5oO\u000eK\u0007\u000f[3sg\"9\u0011\u0011GA*\u0001\u0004Y\u0003bBA1=\u0011%\u00111M\u0001\u0010Y>|7/\u001a#jg\u0006\u0014G.Z*O\u0013R!\u0011\u0011FA3\u0011!\t9'a\u0018A\u0002\u0005%\u0014!\u00043fM\u0006,H\u000e\u001e)be\u0006l7\u000fE\u0002m\u0003WJ1!!\u001cn\u00055\u00196\u000b\u0014)be\u0006lW\r^3sgB\u0019q#!\u001d\n\u0007\u0005M\u0004DA\nFqR,gn]5p]&#\u0007K]8wS\u0012,'\u000f\u0003\u00045\u001b\u0011\u0005\u0011q\u000f\u000b\u0002\u0017!9\u00111P\u0007\u0005B\u0005u\u0014aA4fiR\u0019Q$a \t\u000f\u0011\nI\b1\u0001\u0002\u0002B\u0019q#a!\n\u0007\u0005\u0015\u0005DA\u0006BGR|'oU=ti\u0016l\u0007bBAE\u001b\u0011\u0005\u00111R\u0001\u0006CB\u0004H.\u001f\u000b\u0003\u0003\u001b#2!HAH\u0011\u001d!\u0013q\u0011a\u0002\u0003\u0003Cq!a%\u000e\t\u0003\n)*\u0001\u0004m_>\\W\u000f\u001d\u000b\u0003\u0003/s!\u0001\u0004\u0001\t\u000f\u0005mU\u0002\"\u0011\u0002\u001e\u0006y1M]3bi\u0016,\u0005\u0010^3og&|g\u000eF\u0002\u001e\u0003?Ca\u0001JAM\u0001\u0004)\u0003bBAR\u001b\u0011\u0005\u0011QU\u0001\u0019I\u00164\u0017-\u001e7u'Nc5i\u001c8gS\u001e\u001cV\r\u001e;j]\u001e\u001cHcA\u0016\u0002(\"9A%!)A\u0002\u0005\u0005\u0005")
/* loaded from: input_file:com/typesafe/sslconfig/akka/AkkaSSLConfig.class */
public final class AkkaSSLConfig implements Extension {
    public final ExtendedActorSystem com$typesafe$sslconfig$akka$AkkaSSLConfig$$system;
    private final SSLConfigSettings config;
    private final AkkaLoggerFactory com$typesafe$sslconfig$akka$AkkaSSLConfig$$mkLogger;
    private final LoggingAdapter com$typesafe$sslconfig$akka$AkkaSSLConfig$$log;
    private final HostnameVerifier hostnameVerifier;
    private final DefaultSSLEngineConfigurator sslEngineConfigurator;

    public static SSLConfigSettings defaultSSLConfigSettings(ActorSystem actorSystem) {
        return AkkaSSLConfig$.MODULE$.defaultSSLConfigSettings(actorSystem);
    }

    public static AkkaSSLConfig createExtension(ExtendedActorSystem extendedActorSystem) {
        return AkkaSSLConfig$.MODULE$.m1276createExtension(extendedActorSystem);
    }

    public static AkkaSSLConfig$ lookup() {
        return AkkaSSLConfig$.MODULE$.m1277lookup();
    }

    public static AkkaSSLConfig apply(ActorSystem actorSystem) {
        return AkkaSSLConfig$.MODULE$.m1278apply(actorSystem);
    }

    public static AkkaSSLConfig get(ActorSystem actorSystem) {
        return AkkaSSLConfig$.MODULE$.m1279get(actorSystem);
    }

    public SSLConfigSettings config() {
        return this.config;
    }

    public AkkaLoggerFactory com$typesafe$sslconfig$akka$AkkaSSLConfig$$mkLogger() {
        return this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$mkLogger;
    }

    public LoggingAdapter com$typesafe$sslconfig$akka$AkkaSSLConfig$$log() {
        return this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$log;
    }

    public AkkaSSLConfig withSettings(SSLConfigSettings sSLConfigSettings) {
        return new AkkaSSLConfig(this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$system, sSLConfigSettings);
    }

    public AkkaSSLConfig mapSettings(Function1<SSLConfigSettings, SSLConfigSettings> function1) {
        return new AkkaSSLConfig(this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$system, (SSLConfigSettings) function1.apply(config()));
    }

    public AkkaSSLConfig convertSettings(Function<SSLConfigSettings, SSLConfigSettings> function) {
        return new AkkaSSLConfig(this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$system, function.apply(config()));
    }

    public HostnameVerifier hostnameVerifier() {
        return this.hostnameVerifier;
    }

    public DefaultSSLEngineConfigurator sslEngineConfigurator() {
        return this.sslEngineConfigurator;
    }

    public KeyManagerFactoryWrapper buildKeyManagerFactory(SSLConfigSettings sSLConfigSettings) {
        return new DefaultKeyManagerFactoryWrapper(sSLConfigSettings.keyManagerConfig().algorithm());
    }

    public TrustManagerFactoryWrapper buildTrustManagerFactory(SSLConfigSettings sSLConfigSettings) {
        return new DefaultTrustManagerFactoryWrapper(sSLConfigSettings.trustManagerConfig().algorithm());
    }

    public HostnameVerifier buildHostnameVerifier(SSLConfigSettings sSLConfigSettings) {
        Class<? extends HostnameVerifier> hostnameVerifierClass = config().loose().disableHostnameVerification() ? DisabledComplainingHostnameVerifier.class : config().hostnameVerifierClass();
        HostnameVerifier hostnameVerifier = (HostnameVerifier) this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$system.dynamicAccess().createInstanceFor(hostnameVerifierClass, Nil$.MODULE$, ClassTag$.MODULE$.apply(HostnameVerifier.class)).orElse(new AkkaSSLConfig$$anonfun$1(this, hostnameVerifierClass)).getOrElse(new AkkaSSLConfig$$anonfun$2(this, hostnameVerifierClass));
        com$typesafe$sslconfig$akka$AkkaSSLConfig$$log().debug("buildHostnameVerifier: created hostname verifier: {}", hostnameVerifier);
        return hostnameVerifier;
    }

    public void validateDefaultTrustManager(SSLConfigSettings sSLConfigSettings) {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        Predef$.MODULE$.refArrayOps(((X509TrustManager) trustManagerFactory.getTrustManagers()[0]).getAcceptedIssuers()).foreach(new AkkaSSLConfig$$anonfun$validateDefaultTrustManager$1(this, new AlgorithmChecker(com$typesafe$sslconfig$akka$AkkaSSLConfig$$mkLogger(), Predef$.MODULE$.Set().apply(Nil$.MODULE$), ((TraversableOnce) AlgorithmConstraintsParser$.MODULE$.parseAll(AlgorithmConstraintsParser$.MODULE$.line(), sSLConfigSettings.disabledKeyAlgorithms().mkString(",")).get()).toSet())));
    }

    public String[] configureProtocols(String[] strArr, SSLConfigSettings sSLConfigSettings) {
        String[] strArr2;
        Some enabledProtocols = sSLConfigSettings.enabledProtocols();
        if (enabledProtocols instanceof Some) {
            strArr2 = (String[]) ((TraversableOnce) ((Seq) enabledProtocols.x()).filter(new AkkaSSLConfig$$anonfun$3(this, Predef$.MODULE$.refArrayOps(strArr)))).toArray(ClassTag$.MODULE$.apply(String.class));
        } else {
            if (!None$.MODULE$.equals(enabledProtocols)) {
                throw new MatchError(enabledProtocols);
            }
            strArr2 = (String[]) Predef$.MODULE$.refArrayOps(Protocols$.MODULE$.recommendedProtocols()).filter(new AkkaSSLConfig$$anonfun$4(this, Predef$.MODULE$.refArrayOps(strArr)));
        }
        String[] strArr3 = strArr2;
        if (!sSLConfigSettings.loose().allowWeakProtocols()) {
            Protocols$.MODULE$.deprecatedProtocols().foreach(new AkkaSSLConfig$$anonfun$configureProtocols$1(this, strArr3));
        }
        return strArr3;
    }

    public String[] configureCipherSuites(String[] strArr, SSLConfigSettings sSLConfigSettings) {
        String[] strArr2;
        Some enabledCipherSuites = sSLConfigSettings.enabledCipherSuites();
        if (enabledCipherSuites instanceof Some) {
            strArr2 = (String[]) ((TraversableOnce) ((Seq) enabledCipherSuites.x()).filter(new AkkaSSLConfig$$anonfun$5(this, strArr))).toArray(ClassTag$.MODULE$.apply(String.class));
        } else {
            if (!None$.MODULE$.equals(enabledCipherSuites)) {
                throw new MatchError(enabledCipherSuites);
            }
            strArr2 = (String[]) ((TraversableOnce) Ciphers$.MODULE$.recommendedCiphers().filter(new AkkaSSLConfig$$anonfun$6(this, strArr))).toArray(ClassTag$.MODULE$.apply(String.class));
        }
        String[] strArr3 = strArr2;
        if (!sSLConfigSettings.loose().allowWeakCiphers()) {
            Ciphers$.MODULE$.deprecatedCiphers().foreach(new AkkaSSLConfig$$anonfun$configureCipherSuites$1(this, strArr3));
        }
        return strArr3;
    }

    private void looseDisableSNI(SSLParameters sSLParameters) {
        if (config().loose().disableSNI()) {
            com$typesafe$sslconfig$akka$AkkaSSLConfig$$log().warning("You are using ssl-config.loose.disableSNI=true! It is strongly discouraged to disable Server Name Indication, as it is crucial to preventing man-in-the-middle attacks.");
            sSLParameters.setServerNames(Collections.emptyList());
            sSLParameters.setSNIMatchers(Collections.emptyList());
        }
    }

    public AkkaSSLConfig(ExtendedActorSystem extendedActorSystem, SSLConfigSettings sSLConfigSettings) {
        SSLContext build;
        this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$system = extendedActorSystem;
        this.config = sSLConfigSettings;
        this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$mkLogger = new AkkaLoggerFactory(extendedActorSystem);
        this.com$typesafe$sslconfig$akka$AkkaSSLConfig$$log = Logging$.MODULE$.apply(extendedActorSystem, getClass(), LogSource$.MODULE$.fromAnyClass());
        com$typesafe$sslconfig$akka$AkkaSSLConfig$$log().debug("Initializing AkkaSSLConfig extension...");
        this.hostnameVerifier = buildHostnameVerifier(sSLConfigSettings);
        if (sSLConfigSettings.m1335default()) {
            com$typesafe$sslconfig$akka$AkkaSSLConfig$$log().info("ssl-config.default is true, using the JDK's default SSLContext");
            validateDefaultTrustManager(sSLConfigSettings);
            build = SSLContext.getDefault();
        } else {
            build = new ConfigSSLContextBuilder(com$typesafe$sslconfig$akka$AkkaSSLConfig$$mkLogger(), sSLConfigSettings, buildKeyManagerFactory(sSLConfigSettings), buildTrustManagerFactory(sSLConfigSettings)).build();
        }
        SSLParameters defaultSSLParameters = build.getDefaultSSLParameters();
        String[] configureProtocols = configureProtocols(defaultSSLParameters.getProtocols(), sSLConfigSettings);
        String[] configureCipherSuites = configureCipherSuites(defaultSSLParameters.getCipherSuites(), sSLConfigSettings);
        looseDisableSNI(defaultSSLParameters);
        this.sslEngineConfigurator = new DefaultSSLEngineConfigurator(sSLConfigSettings, configureProtocols, configureCipherSuites);
    }
}
