package com.newrelic.agent.transport.apache;

import com.newrelic.agent.Agent;
import com.newrelic.agent.config.DataSenderConfig;
import com.newrelic.agent.deps.com.google.common.collect.ImmutableList;
import com.newrelic.agent.deps.org.apache.http.ssl.SSLContextBuilder;
import com.newrelic.agent.deps.org.apache.http.ssl.TrustStrategy;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.LinkedList;
import java.util.logging.Level;
import javax.net.ssl.SSLContext;

/* loaded from: input_file:com/newrelic/agent/transport/apache/ApacheSSLManager.class */
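/**
 * Builds the {@link SSLContext} used by the agent's Apache HTTP transport.
 *
 * <p>Trust material is selected from the data-sender configuration in this order:
 * <ol>
 *   <li>{@code ca_bundle_path} set: only the certificates read from that file are trusted;</li>
 *   <li>{@code use_private_ssl} set: only the certificates bundled under {@code META-INF/certs/}
 *       are trusted;</li>
 *   <li>neither set: no trust material is loaded here and the builder's defaults apply.</li>
 * </ol>
 *
 * <p>Every {@code loadTrustMaterial} call passes a {@code null} {@link TrustStrategy}, so no
 * trust override is installed by this class.
 */
public class ApacheSSLManager {
    private static final String NEW_RELIC_CERTS_PATH = "META-INF/certs/";
    private static final Collection<String> NEW_RELIC_CERTS = ImmutableList.of("newrelic-com.pem", "eu-newrelic-com.pem", "eu01-nr-data-net.pem");

    /**
     * Creates the SSL context for the given data-sender configuration.
     *
     * @param dataSenderConfig source of the {@code ca_bundle_path} and {@code use_private_ssl} settings
     * @return the built context, or {@code null} when any step fails (the failure is logged at
     *     WARNING). NOTE(review): callers are not visible here; they should treat {@code null} as
     *     a hard failure rather than continuing without certificate verification.
     */
    public static SSLContext createSSLContext(DataSenderConfig dataSenderConfig) {
        SSLContextBuilder contextBuilder = new SSLContextBuilder();
        try {
            String caBundlePath = dataSenderConfig.getCaBundlePath();
            if (caBundlePath != null) {
                // An explicit CA bundle takes precedence over the bundled New Relic certificates.
                if (dataSenderConfig.getUsePrivateSSL()) {
                    Agent.LOG.log(Level.FINE, "Ignoring use_private_ssl config. Using SSL certificates provided by ca_bundle_path.");
                }
                contextBuilder.loadTrustMaterial(getKeyStore(caBundlePath), (TrustStrategy) null);
            } else if (dataSenderConfig.getUsePrivateSSL()) {
                addNewRelicCertToTrustStore(contextBuilder);
            }
            return contextBuilder.build();
        } catch (Exception e) {
            Agent.LOG.log(Level.WARNING, e, "Unable to create SSL context");
            return null;
        }
    }

    /**
     * Loads the bundled New Relic certificates into a fresh in-memory key store and hands that
     * store to the builder as its trust material.
     *
     * <p>A missing resource or an {@link IOException} while reading one certificate is logged and
     * the remaining certificates are still processed. Any other checked failure (certificate
     * parsing, key store access) aborts the whole method before {@code loadTrustMaterial} is
     * called, so the builder is left without the bundled trust material.
     * NOTE(review): in that case the context is presumably built with the default trust
     * managers instead of the pinned set; confirm that this fallback is intended.
     *
     * @param sSLContextBuilder builder that receives the trust material
     */
    private static void addNewRelicCertToTrustStore(SSLContextBuilder sSLContextBuilder) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initialises an empty key store.
            keyStore.load(null, null);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            ClassLoader classLoader = ApacheSSLManager.class.getClassLoader();
            for (String certFileName : NEW_RELIC_CERTS) {
                URL resource = classLoader.getResource(NEW_RELIC_CERTS_PATH + certFileName);
                if (resource == null) {
                    Agent.LOG.log(Level.INFO, "Unable to find bundled New Relic ssl certificates.");
                    continue;
                }
                // try-with-resources replaces the hand-expanded close logic and closes the
                // stream on every path.
                try (InputStream certStream = resource.openStream()) {
                    X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(certStream);
                    // Certificates outside their validity window are never installed.
                    if (isSslCertValid(certificate)) {
                        logIfExpiringSoon(certificate.getNotAfter());
                        // The alias is the file name without its ".pem" suffix.
                        String alias = certFileName.split("\\.pem")[0];
                        keyStore.setCertificateEntry(alias, certificate);
                        Agent.LOG.log(Level.FINEST, "Installed New Relic ssl certificate at alias: " + alias);
                        Agent.LOG.log(Level.FINEST, "SSL Certificate expires on: {0}", certificate.getNotAfter());
                    }
                } catch (IOException e) {
                    Agent.LOG.log(Level.INFO, "Unable to add bundled New Relic ssl certificate.", (Throwable) e);
                }
            }
            // NOTE(review): if no bundled certificate was installed, the key store passed here is
            // empty; verify that an empty trust store makes handshakes fail rather than succeed.
            sSLContextBuilder.loadTrustMaterial(keyStore, (TrustStrategy) null);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e2) {
            Agent.LOG.log(Level.INFO, "Unable to add bundled New Relic ssl certificate.", e2);
        }
    }

    /**
     * Logs a warning when the given expiry date is less than three months from now.
     *
     * @param date the certificate's {@code notAfter} date
     */
    private static void logIfExpiringSoon(Date date) {
        Calendar threshold = Calendar.getInstance();
        // Calendar.MONTH replaces the bare field number 2 left in the listing.
        threshold.add(Calendar.MONTH, 3);
        if (threshold.getTime().compareTo(date) > 0) {
            Agent.LOG.log(Level.WARNING, "New Relic ssl certificate expire on {0}.\nApplications using a custom Truststore may need to update the agent or provide a valid certificate using the ca_bundle_path config", date);
        }
    }

    /**
     * Checks that the certificate is inside its validity window at the current time.
     *
     * @param x509Certificate certificate to check
     * @return {@code true} when {@code checkValidity()} passes; {@code false} when the certificate
     *     is expired or not yet valid (both cases log the same "has expired" warning)
     */
    private static boolean isSslCertValid(X509Certificate x509Certificate) {
        try {
            x509Certificate.checkValidity();
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            Agent.LOG.log(Level.WARNING, "New Relic ssl certificate has expired.\nApplications using a custom Truststore may need to update the agent or provide a valid certificate using the ca_bundle_path config", e);
            return false;
        }
    }

    /**
     * Reads every X.509 certificate from the {@code ca_bundle_path} file into a new key store.
     *
     * <p>Parsing stops at the first certificate that cannot be read; certificates parsed before
     * that point are still installed, so a damaged bundle yields a partial trust store. Unlike the
     * bundled certificates, entries from the bundle are not checked for validity dates here.
     * When the bundle yields no certificate at all, a SEVERE message is logged and an empty key
     * store is returned.
     *
     * @param caBundlePath path of the certificate bundle; when {@code null} the key store is
     *     returned without being loaded
     * @return key store holding the parsed certificates under aliases {@code ca_bundle_path_N}
     * @throws KeyStoreException if the key store cannot be created or written
     * @throws NoSuchAlgorithmException if the key store cannot be initialised
     * @throws CertificateException if the X.509 certificate factory is unavailable
     * @throws IOException if the bundle file cannot be opened or read
     */
    private static KeyStore getKeyStore(String caBundlePath) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        Agent.LOG.finer("SSL Keystore Provider: " + keyStore.getProvider().getName());
        if (caBundlePath == null) {
            return keyStore;
        }
        Agent.LOG.log(Level.FINEST, "Checking ca_bundle_path at: {0}", caBundlePath);
        LinkedList<X509Certificate> certificates = new LinkedList<>();
        try (BufferedInputStream bundleStream = new BufferedInputStream(new FileInputStream(caBundlePath))) {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            while (bundleStream.available() > 0) {
                try {
                    certificates.add((X509Certificate) certificateFactory.generateCertificate(bundleStream));
                } catch (Throwable th) {
                    Agent.LOG.log(Level.SEVERE, "Unable to generate ca_bundle_path certificate. Will not process further certs.", th);
                    // Stop as the message says: the listing kept looping here, which repeats the
                    // failure (and can spin) for as long as the stream still reports data.
                    break;
                }
            }
            Agent.LOG.log(certificates.isEmpty() ? Level.SEVERE : Level.INFO, "Read ca_bundle_path {0} and found {1} certificates.", caBundlePath, Integer.valueOf(certificates.size()));
            keyStore.load(null, null);
            int index = 1;
            for (X509Certificate certificate : certificates) {
                if (certificate != null) {
                    String alias = "ca_bundle_path_" + index;
                    keyStore.setCertificateEntry(alias, certificate);
                    Agent.LOG.log(Level.FINEST, "Installed certificate {0} at alias: {1}", Integer.valueOf(index), alias);
                    if (Agent.isDebugEnabled()) {
                        Agent.LOG.log(Level.FINEST, "Installed certificate {0} at alias: {1}", certificate, alias);
                    }
                }
                index++;
            }
        }
        return keyStore;
    }
}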
