package org.opensearch.transport.netty4.ssl;

import io.netty.buffer.ByteBuf;
import java.nio.ByteOrder;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.opensearch.OpenSearchSecurityException;

/* loaded from: input_file:org/opensearch/transport/netty4/ssl/SslUtils.class */
/**
 * Static helpers for the Netty4 transport's TLS support: factories for JDK-default
 * {@link SSLEngine} instances and a record-header sniffing check ({@link #isTLS(ByteBuf)}).
 *
 * <p>Not instantiable; every member is static.
 */
public class SslUtils {
    // Protocol versions enabled on every engine built by this class.
    // NOTE(review): TLSv1.1 is still listed. RFC 8996 formally deprecated TLS 1.0/1.1; whether the JVM
    // can actually negotiate it also depends on the jdk.tls.disabledAlgorithms security property.
    // Confirm that legacy peers really need it before keeping it in the default list.
    private static final String[] DEFAULT_SSL_PROTOCOLS = {"TLSv1.3", "TLSv1.2", "TLSv1.1"};

    // Content-type values accepted in the first byte of a record by isTLS().
    private static final int SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC = 20;
    private static final int SSL_CONTENT_TYPE_ALERT = 21;
    private static final int SSL_CONTENT_TYPE_HANDSHAKE = 22;
    private static final int SSL_CONTENT_TYPE_APPLICATION_DATA = 23;
    private static final int SSL_CONTENT_TYPE_EXTENSION_HEARTBEAT = 24;

    // Bytes inspected by isTLS(): content type (1), version (2), length (2).
    private static final int SSL_RECORD_HEADER_LENGTH = 5;

    private SslUtils() {
    }

    /**
     * Builds a server-mode engine from {@link SSLContext#getDefault()} restricted to
     * {@code DEFAULT_SSL_PROTOCOLS}.
     *
     * <p>Nothing here requests or requires client certificates; if mutual TLS is expected it has
     * to be configured by the caller.
     *
     * @return a new engine with client mode switched off
     * @throws OpenSearchSecurityException if the default {@link SSLContext} cannot be obtained
     */
    public static SSLEngine createDefaultServerSSLEngine() {
        try {
            return newDefaultEngine(false);
        } catch (NoSuchAlgorithmException e) {
            throw new OpenSearchSecurityException("Unable to initialize default server SSL engine", e, new Object[0]);
        }
    }

    /**
     * Builds a client-mode engine from {@link SSLContext#getDefault()} restricted to
     * {@code DEFAULT_SSL_PROTOCOLS}.
     *
     * <p>The engine is created without a peer host/port and no endpoint identification algorithm
     * is set in this method. NOTE(review): hostname verification is therefore not configured
     * here; confirm the caller applies it before the handshake if it is required.
     *
     * @return a new engine with client mode switched on
     * @throws OpenSearchSecurityException if the default {@link SSLContext} cannot be obtained
     */
    public static SSLEngine createDefaultClientSSLEngine() {
        try {
            return newDefaultEngine(true);
        } catch (NoSuchAlgorithmException e) {
            throw new OpenSearchSecurityException("Unable to initialize default client SSL engine", e, new Object[0]);
        }
    }

    /**
     * Shared construction path for both factories: default context, default protocol list, then
     * the requested handshake role (same call order as each factory used individually).
     */
    private static SSLEngine newDefaultEngine(boolean clientMode) throws NoSuchAlgorithmException {
        final SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setEnabledProtocols(DEFAULT_SSL_PROTOCOLS);
        engine.setUseClientMode(clientMode);
        return engine;
    }

    /**
     * Reports whether the bytes at the buffer's reader index look like an SSLv3/TLS record header.
     *
     * <p>Three checks are applied in order: the first byte is one of the known content types
     * (20-24), the second byte (major version) equals 3, and the 16-bit length at offset 3 is
     * non-zero. The reader index is not advanced because only absolute getters are used.
     *
     * <p>This is a format heuristic over peer-supplied bytes, not proof that a TLS session will
     * be established; it should only steer protocol selection.
     *
     * <p>NOTE(review): there is no readable-bytes check here, so a buffer holding fewer than
     * {@code SSL_RECORD_HEADER_LENGTH} bytes past the reader index can make the absolute getters
     * fail. Presumably the caller waits for enough data first; confirm.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @param byteBuf buffer positioned at the start of the candidate record
     * @return {@code true} if all three header checks pass
     */
    public static boolean isTLS(ByteBuf byteBuf) {
        final int start = byteBuf.readerIndex();

        // Check 1: content type must be one of the five recognised record types.
        switch (byteBuf.getUnsignedByte(start)) {
            case SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC:
            case SSL_CONTENT_TYPE_ALERT:
            case SSL_CONTENT_TYPE_HANDSHAKE:
            case SSL_CONTENT_TYPE_APPLICATION_DATA:
            case SSL_CONTENT_TYPE_EXTENSION_HEARTBEAT:
                break;
            default:
                return false;
        }

        // Check 2: major protocol version byte must be 3.
        if (byteBuf.getUnsignedByte(start + 1) != 3) {
            return false;
        }

        // Check 3: header plus payload must be longer than the bare header, i.e. length != 0.
        final int packetLength = unsignedShortBE(byteBuf, start + 3) + SSL_RECORD_HEADER_LENGTH;
        return packetLength > SSL_RECORD_HEADER_LENGTH;
    }

    /**
     * Reads an unsigned 16-bit value at an absolute index, picking the getter from the buffer's
     * reported byte order: {@code getUnsignedShort} when the order is big-endian, otherwise
     * {@code getUnsignedShortLE}.
     */
    private static int unsignedShortBE(ByteBuf byteBuf, int i) {
        if (byteBuf.order() == ByteOrder.BIG_ENDIAN) {
            return byteBuf.getUnsignedShort(i);
        }
        return byteBuf.getUnsignedShortLE(i);
    }
}
