package org.eclipse.jetty.util.ssl;

import defpackage.f04;
import defpackage.fh0;
import defpackage.xz3;
import defpackage.yz3;
import defpackage.zz3;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import java.util.regex.Pattern;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.annotation.ManagedAttribute;
import org.eclipse.jetty.util.annotation.ManagedObject;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.component.Dumpable;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.security.CertificateValidator;
import org.eclipse.jetty.util.security.Password;

@ManagedObject
/* loaded from: classes4.dex */
public class SslContextFactory extends AbstractLifeCycle implements Dumpable {
    // Field names below are decompiler-generated; the roles given in the comments are taken from
    // the accessors, the constructor and the start-up code visible in this file.

    // Assigned in the static initializer from KeyManagerFactory.getDefaultAlgorithm().
    public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
    // Assigned in the static initializer from TrustManagerFactory.getDefaultAlgorithm().
    public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
    // Property names; presumably the keys under which the passwords are looked up - their use is
    // not visible in this part of the file.
    public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
    public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
    // SECURITY: a single trust manager whose check methods are empty, i.e. every certificate chain
    // is accepted. Start-up installs it when trustAll is set and no key/trust store is configured.
    // The array is public and its element can be replaced by any code in the process.
    public static final TrustManager[] TRUST_ALL_CERTS = {new a()};
    public static final Logger g0; // class logger
    public static final Logger h0; // "config" child logger; receives the configuration warnings
    public static final String[] i0; // protocol names excluded by default (see static initializer)
    public static final String[] j0; // cipher-suite regexes excluded by default (see static initializer)
    public String A; // trust store provider name (getTrustStoreProvider)
    public String B; // trust store type (getTrustStoreType)
    public boolean C; // client authentication needed (getNeedClientAuth); false by default
    public boolean D; // client authentication wanted (getWantClientAuth); false by default
    public Password E; // key store password (loadKeyStore); also the fallback for F and G
    public Password F; // key manager password, preferred over E in getKeyManagers
    public Password G; // trust store password (loadTrustStore)
    public String H; // JCA provider name (getProvider)
    public String I; // SSLContext protocol (getProtocol); "TLS" by default
    public String J; // SecureRandom algorithm (getSecureRandomAlgorithm)
    public String K; // KeyManagerFactory algorithm (getKeyManagerFactoryAlgorithm)
    public String L; // TrustManagerFactory algorithm (getTrustManagerFactoryAlgorithm)
    public boolean M; // validate the key store's own certificates at start-up (isValidateCerts)
    public boolean N; // validate peer certificates (isValidatePeerCerts)
    public int O; // maximum certification path length (getMaxCertPathLength); -1 by default
    public String P; // CRL file path (getCrlPath)
    public boolean Q; // CRL distribution points enabled (isEnableCRLDP); false by default
    public boolean R; // OCSP enabled (isEnableOCSP); false by default
    public String S; // OCSP responder URL (getOcspResponderURL)
    public KeyStore T; // key store returned by getKeyStore() while not started
    public KeyStore U; // trust store returned by getTrustStore() while not started
    public boolean V; // TLS session caching enabled (isSessionCachingEnabled); true by default
    public int W; // TLS session cache size (getSslSessionCacheSize); -1 by default
    public int X; // TLS session timeout in seconds (getSslSessionTimeout); -1 by default
    public SSLContext Y; // SSLContext returned by getSslContext() while not started
    public String Z; // endpoint identification algorithm; "HTTPS" by default
    public boolean a0; // trustAll flag (isTrustAll)
    public boolean b0; // renegotiation allowed (isRenegotiationAllowed); true by default
    public int c0; // renegotiation limit (getRenegotiationLimit); 5 by default
    public c d0; // key store / trust store / SSLContext holder read by the getters once started
    public PKIXCertPathChecker e0; // extra PKIX checker (getPkixCertPathChecker)
    public HostnameVerifier f0; // host name verifier (getHostnameVerifier)
    public final Set k; // excluded protocols
    public final Set l; // included protocols
    public final Set m; // excluded cipher suites
    public final List n; // included cipher suites
    public final Map o; // key store alias -> X509 entry
    public final Map p; // host name -> X509 entry (filled from X509.getHosts() at start-up)
    public final Map q; // wildcard domain -> X509 entry (filled from X509.getWilds() at start-up)
    public String[] r; // selected protocols; applied by customize() when non-null
    public boolean s; // honour the local cipher suite order (isUseCipherSuitesOrder); true by default
    public Comparator t; // cipher comparator (getCipherComparator)
    public String[] u; // selected cipher suites; applied by customize() when non-null
    public Resource v; // key store resource
    public String w; // key store provider name
    public String x; // key store type; "JKS" by default
    public String y; // certificate alias (getCertAlias)
    public Resource z; // trust store resource

    /* loaded from: classes4.dex */
    /**
     * Client-side factory. On top of the base configuration checks it warns when
     * certificate validation is switched off (trustAll) or when no endpoint
     * identification algorithm is configured.
     */
    public static class Client extends SslContextFactory {
        /** Creates a client factory that does not trust all certificates. */
        public Client() {
            this(false);
        }

        /**
         * @param z value handed to the base constructor, which passes it to {@code setTrustAll};
         *          {@code true} disables certificate validation and should be limited to test set-ups
         */
        public Client(boolean z) {
            super(z);
        }

        /**
         * Emits the trustAll and endpoint-identification warnings first, then runs the
         * protocol and cipher checks of the base class.
         */
        @Override
        public void checkConfiguration() {
            this.checkTrustAll();
            this.checkEndPointIdentificationAlgorithm();
            super.checkConfiguration();
        }
    }

    /* loaded from: classes4.dex */
    /**
     * Server-side factory. The constructor clears the endpoint identification algorithm;
     * the client-authentication accessors only forward to the base class, whose versions
     * are marked {@code @Deprecated} (presumably re-declared here so that they can be used
     * on a Server without the deprecation marker).
     */
    public static class Server extends SslContextFactory {
        /** Creates a server factory with the endpoint identification algorithm set to {@code null}. */
        public Server() {
            this.setEndpointIdentificationAlgorithm(null);
        }

        /** @return whether a client certificate is required */
        @Override
        public boolean getNeedClientAuth() {
            final boolean needed = super.getNeedClientAuth();
            return needed;
        }

        /** @return whether a client certificate is requested but optional */
        @Override
        public boolean getWantClientAuth() {
            final boolean wanted = super.getWantClientAuth();
            return wanted;
        }

        /** @param z {@code true} to require a client certificate */
        @Override
        public void setNeedClientAuth(boolean z) {
            super.setNeedClientAuth(z);
        }

        /** @param z {@code true} to request, without requiring, a client certificate */
        @Override
        public void setWantClientAuth(boolean z) {
            super.setWantClientAuth(z);
        }
    }

    /* loaded from: classes4.dex */
    /**
     * Trust manager that accepts every certificate chain.
     *
     * <p>SECURITY: both check methods are empty and therefore never throw, so an
     * {@code SSLContext} initialised with this manager performs no certificate validation
     * at all and the peer is not authenticated. Every use of {@code TRUST_ALL_CERTS} should
     * be treated as a finding when auditing a deployment.
     */
    public class a implements X509TrustManager {
        /** @return an empty array: no issuer is advertised as accepted */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            final X509Certificate[] noIssuers = {};
            return noIssuers;
        }

        /** Accepts any client chain: nothing is checked and nothing is thrown. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
            // intentionally empty
        }

        /** Accepts any server chain: nothing is checked and nothing is thrown. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
            // intentionally empty
        }
    }

    /* loaded from: classes4.dex */
    /**
     * SNI matcher that records the requested host name and the certificate entry chosen
     * for it. {@link #matches} always returns {@code true}, so this matcher never rejects
     * a handshake; it only selects.
     */
    public class b extends SNIMatcher {
        /** Host name extracted from the last SNI value that passed the {@code xz3.a} test. */
        public String a;
        /** Entry selected for that host name, or {@code null} when no lookup succeeded. */
        public X509 b;

        /** Registers the matcher for SNI name type 0. */
        public b() {
            super(0);
        }

        /** @return the recorded host name */
        public String a() {
            return a;
        }

        /** @return the recorded certificate entry, possibly {@code null} */
        public X509 b() {
            return b;
        }

        /**
         * Looks the lower-cased host name up in the host map, then in the wildcard map, and
         * finally retries the wildcard map with the first label removed.
         *
         * @param sNIServerName the server name sent by the client; client-controlled input
         *                      that is also written to the debug log
         * @return always {@code true}
         */
        @Override // javax.net.ssl.SNIMatcher
        public boolean matches(SNIServerName sNIServerName) {
            if (SslContextFactory.g0.isDebugEnabled()) {
                SslContextFactory.g0.debug("SNI matching for {}", sNIServerName);
            }
            // xz3/yz3/zz3 are obfuscated helpers - presumably the SNIHostName type test, the
            // cast and getAsciiName(); confirm against the de-obfuscated build.
            if (!xz3.a(sNIServerName)) {
                if (SslContextFactory.g0.isDebugEnabled()) {
                    SslContextFactory.g0.debug("SNI no match for {}", sNIServerName);
                }
                return true;
            }
            this.a = zz3.a(yz3.a(sNIServerName));
            final String lookupKey = StringUtil.asciiToLowerCase(this.a);
            // An exact host entry wins over a wildcard entry.
            this.b = (X509) SslContextFactory.this.p.get(lookupKey);
            if (this.b == null) {
                this.b = (X509) SslContextFactory.this.q.get(lookupKey);
            }
            if (this.b == null) {
                final int firstDot = lookupKey.indexOf('.');
                if (firstDot >= 0) {
                    // Retry with the left-most label removed.
                    this.b = (X509) SslContextFactory.this.q.get(lookupKey.substring(firstDot + 1));
                }
            }
            if (SslContextFactory.g0.isDebugEnabled()) {
                SslContextFactory.g0.debug("SNI matched {}->{}", lookupKey, this.b);
            }
            return true;
        }
    }

    /* loaded from: classes4.dex */
    /**
     * Immutable holder for the key store, trust store and SSLContext that the enclosing
     * factory's getters return once it is started.
     */
    public class c {
        /** Key store (returned by {@code getKeyStore()} when started). */
        public final KeyStore a;
        /** Trust store (returned by {@code getTrustStore()} when started). */
        public final KeyStore b;
        /** SSL context (returned by {@code getSslContext()} when started). */
        public final SSLContext c;

        /**
         * @param keyStore   stored in {@link #a}
         * @param keyStore2  stored in {@link #b}
         * @param sSLContext stored in {@link #c}
         */
        public c(KeyStore keyStore, KeyStore keyStore2, SSLContext sSLContext) {
            this.c = sSLContext;
            this.b = keyStore2;
            this.a = keyStore;
        }
    }

    // Static set-up: loggers, JVM default factory algorithms and the default exclusion lists.
    static {
        g0 = Log.getLogger((Class<?>) SslContextFactory.class);
        h0 = g0.getLogger("config");
        DEFAULT_KEYMANAGERFACTORY_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
        DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
        // Legacy SSL protocol names; excluded by the constructor and reported by checkProtocols().
        i0 = new String[]{
            "SSL",
            "SSLv2",
            "SSLv2Hello",
            "SSLv3"
        };
        // Regexes for suites treated as weak: MD5/SHA-1 suffix, TLS_RSA_ prefix, SSL_ prefix,
        // NULL and anon components. Excluded by the constructor and reported by checkCiphers().
        j0 = new String[]{
            "^.*_(MD5|SHA|SHA1)$",
            "^TLS_RSA_.*$",
            "^SSL_.*$",
            "^.*_NULL_.*$",
            "^.*_anon_.*$"
        };
    }

    /** Deprecated no-argument constructor: delegates with trustAll {@code false}. */
    @Deprecated
    public SslContextFactory() {
        this(false);
    }

    /**
     * Deprecated constructor: delegates with trustAll {@code false}.
     *
     * @param str key store path, handed to {@code setKeyStorePath} when non-null
     */
    @Deprecated
    public SslContextFactory(String str) {
        this(false, str);
    }

    /**
     * Deprecated constructor: delegates without a key store path.
     *
     * @param z trustAll flag; {@code true} disables certificate validation
     */
    @Deprecated
    public SslContextFactory(boolean z) {
        this(z, null);
    }

    /**
     * Initialises the defaults and applies the default protocol and cipher exclusions.
     *
     * <p>Security-relevant defaults set here: endpoint identification "HTTPS", protocol
     * "TLS", renegotiation allowed with a limit of 5, local cipher order honoured, session
     * caching on, client authentication off, CRLDP and OCSP off.
     *
     * @param z   trustAll flag passed to {@code setTrustAll}; {@code true} disables
     *            certificate validation
     * @param str key store path, applied through {@code setKeyStorePath} when non-null
     */
    public SslContextFactory(boolean z, String str) {
        // protocol / cipher selection state
        this.k = new LinkedHashSet();
        this.l = new LinkedHashSet();
        this.m = new LinkedHashSet();
        this.n = new ArrayList();
        this.s = true;

        // certificate lookup tables (alias, host name, wildcard)
        this.o = new HashMap();
        this.p = new HashMap();
        this.q = new HashMap();

        // store, protocol and factory algorithm defaults
        this.x = "JKS";
        this.I = "TLS";
        this.K = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
        this.L = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
        this.Z = "HTTPS";

        // client authentication and revocation checking start switched off
        this.C = false;
        this.D = false;
        this.Q = false;
        this.R = false;
        this.O = -1;

        // session handling and renegotiation
        this.V = true;
        this.W = -1;
        this.X = -1;
        this.b0 = true;
        this.c0 = 5;

        setTrustAll(z);
        setExcludeProtocols(i0);
        setExcludeCipherSuites(j0);
        if (str == null) {
            return;
        }
        setKeyStorePath(str);
    }

    /**
     * Derives the symmetric key length in bits from a cipher suite name.
     *
     * <p>The value is read from the name only; it is not taken from the negotiated session.
     * Markers are tried in a fixed order and the first one contained in the name wins.
     *
     * @param str cipher suite name, may be {@code null}
     * @return 256, 168, 128, 56 or 40 for the recognised markers; 0 for {@code null} or a
     *         name containing none of them
     */
    public static int deduceKeyLength(String str) {
        if (str == null) {
            return 0;
        }
        // Parallel tables, kept in the order in which the markers must be tested.
        final String[] markers = {
            "WITH_AES_256_",
            "WITH_RC4_128_",
            "WITH_AES_128_",
            "WITH_RC4_40_",
            "WITH_3DES_EDE_CBC_",
            "WITH_IDEA_CBC_",
            "WITH_RC2_CBC_40_",
            "WITH_DES40_CBC_",
            "WITH_DES_CBC_"
        };
        final int[] bits = {256, 128, 128, 40, 168, 128, 40, 40, 56};
        for (int idx = 0; idx < markers.length; idx++) {
            if (str.contains(markers[idx])) {
                return bits[idx];
            }
        }
        return 0;
    }

    /**
     * Returns the peer certificate chain of a session, decoded with the JVM default
     * X.509 certificate factory.
     *
     * @param sSLSession session to read the peer certificates from
     * @return the chain, or {@code null} when the peer is unverified, sent no certificates
     *         or decoding failed; callers must not treat {@code null} as an authenticated peer
     */
    public static X509Certificate[] getCertChain(SSLSession sSLSession) {
        final X509Certificate[] chain = l(null, sSLSession);
        return chain;
    }

    /**
     * Re-encodes and re-parses each peer certificate of the session as an X.509 certificate.
     *
     * @param sslContextFactory factory whose provider-aware certificate factory is used, or
     *                          {@code null} to use the JVM default "X.509" factory
     * @param sSLSession        session to read the peer certificates from
     * @return the decoded chain, or {@code null} when there is no peer certificate, the peer
     *         is unverified, or any other exception occurred (that case is logged at WARN)
     */
    public static X509Certificate[] l(SslContextFactory sslContextFactory, SSLSession sSLSession) {
        try {
            final Certificate[] peerChain = sSLSession.getPeerCertificates();
            if (peerChain == null || peerChain.length == 0) {
                return null;
            }
            final X509Certificate[] decoded = new X509Certificate[peerChain.length];
            final CertificateFactory x509Factory;
            if (sslContextFactory == null) {
                x509Factory = CertificateFactory.getInstance("X.509");
            } else {
                x509Factory = sslContextFactory.getCertificateFactoryInstance("X.509");
            }
            int slot = 0;
            for (Certificate peerCert : peerChain) {
                final ByteArrayInputStream der = new ByteArrayInputStream(peerCert.getEncoded());
                decoded[slot++] = (X509Certificate) x509Factory.generateCertificate(der);
            }
            return decoded;
        } catch (SSLPeerUnverifiedException unused) {
            // An unverified peer is an expected case and is not logged.
            return null;
        } catch (Exception e) {
            g0.warn(Log.EXCEPTION, e);
            return null;
        }
    }

    /**
     * Adds entries to the set of excluded cipher suites.
     *
     * @param strArr cipher suite names or patterns to exclude in addition to the current ones
     */
    public void addExcludeCipherSuites(String... strArr) {
        for (String excluded : strArr) {
            this.m.add(excluded);
        }
    }

    /**
     * Adds entries to the set of excluded protocols.
     *
     * @param strArr protocol names to exclude in addition to the current ones
     */
    public void addExcludeProtocols(String... strArr) {
        for (String excluded : strArr) {
            this.k.add(excluded);
        }
    }

    /**
     * Logs a configuration warning for every enabled cipher suite that matches one of the
     * default weak-suite patterns. A suite matching several patterns is reported once per
     * pattern. Nothing is disabled here; this is reporting only.
     *
     * @param sSLParameters parameters whose enabled cipher suites are inspected
     */
    public void checkCiphers(SSLParameters sSLParameters) {
        final String[] enabledSuites = sSLParameters.getCipherSuites();
        for (String suite : enabledSuites) {
            for (String weakPattern : j0) {
                if (!Pattern.matches(weakPattern, suite)) {
                    continue;
                }
                h0.warn("Weak cipher suite {} enabled for {}", suite, this);
            }
        }
    }

    /**
     * Creates a throw-away engine from the started context, applies this factory's
     * customisation to it and reports legacy protocols and weak cipher suites that are
     * still enabled.
     *
     * <p>Reads {@code d0}, so it presumably must run after start-up has populated it.
     */
    public void checkConfiguration() {
        final SSLEngine probe = this.d0.c.createSSLEngine();
        customize(probe);
        final SSLParameters effective = probe.getSSLParameters();
        checkProtocols(effective);
        checkCiphers(effective);
    }

    /**
     * Logs a configuration warning when no endpoint identification algorithm is set.
     * Reporting only; the configuration is not changed.
     */
    public void checkEndPointIdentificationAlgorithm() {
        final String algorithm = getEndpointIdentificationAlgorithm();
        if (algorithm != null) {
            return;
        }
        h0.warn("No Client EndPointIdentificationAlgorithm configured for {}", this);
    }

    /**
     * Logs a configuration warning for every enabled protocol that is on the default
     * exclusion list. Reporting only; nothing is disabled here.
     *
     * @param sSLParameters parameters whose enabled protocols are inspected
     */
    public void checkProtocols(SSLParameters sSLParameters) {
        final String[] enabledProtocols = sSLParameters.getProtocols();
        for (String enabled : enabledProtocols) {
            for (String legacy : i0) {
                if (!legacy.equals(enabled)) {
                    continue;
                }
                h0.warn("Protocol {} not excluded for {}", enabled, this);
            }
        }
    }

    /**
     * Logs a configuration warning when the factory is set to trust all certificates.
     * Reporting only; the setting is not changed.
     */
    public void checkTrustAll() {
        if (!isTrustAll()) {
            return;
        }
        h0.warn("Trusting all certificates configured for {}", this);
    }

    /**
     * Applies this factory's settings to a set of SSL parameters: endpoint identification
     * algorithm, cipher order preference, SNI matcher, selected cipher suites and protocols
     * and, for anything other than a {@code Client}, the client-authentication flags.
     *
     * <p>Selected suites and protocols are only applied when they are non-null; otherwise
     * the values already present in the parameters stay in force.
     *
     * @param sSLParameters parameters to modify in place
     * @return the same instance
     */
    public SSLParameters customize(SSLParameters sSLParameters) {
        sSLParameters.setEndpointIdentificationAlgorithm(getEndpointIdentificationAlgorithm());
        sSLParameters.setUseCipherSuitesOrder(isUseCipherSuitesOrder());

        // An SNI matcher is only installed when host or wildcard certificates are known.
        final boolean noSniCertificates = this.p.isEmpty() && this.q.isEmpty();
        if (!noSniCertificates) {
            sSLParameters.setSNIMatchers(Collections.singletonList(new b()));
        }

        final String[] suites = this.u;
        if (suites != null) {
            sSLParameters.setCipherSuites(suites);
        }
        final String[] protocols = this.r;
        if (protocols != null) {
            sSLParameters.setProtocols(protocols);
        }

        if (this instanceof Client) {
            return sSLParameters;
        }
        // The flags are only ever switched on here, never reset to false.
        if (getWantClientAuth()) {
            sSLParameters.setWantClientAuth(true);
        }
        if (getNeedClientAuth()) {
            sSLParameters.setNeedClientAuth(true);
        }
        return sSLParameters;
    }

    /**
     * Applies this factory's settings to an engine by customising its current parameters
     * and writing them back.
     *
     * @param sSLEngine engine to configure
     */
    public void customize(SSLEngine sSLEngine) {
        if (g0.isDebugEnabled()) {
            g0.debug("Customize {}", sSLEngine);
        }
        final SSLParameters tuned = customize(sSLEngine.getSSLParameters());
        sSLEngine.setSSLParameters(tuned);
    }

    /**
     * Lifecycle start: runs the superclass start, then {@code m()} while holding this
     * object's monitor, then the configuration checks outside the lock.
     *
     * <p>The checks only log warnings; a weak configuration does not stop the factory
     * from starting.
     *
     * @throws Exception if the superclass start or {@code m()} fails
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStart() throws Exception {
        super.doStart();
        // m() is the start-up routine that loads the stores and creates the SSLContext
        // (only partly visible in this part of the file).
        synchronized (this) {
            m();
        }
        checkConfiguration();
    }

    /**
     * Lifecycle stop: runs {@code n()} while holding this object's monitor, then the
     * superclass stop.
     *
     * @throws Exception if {@code n()} or the superclass stop fails
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStop() throws Exception {
        // n() is not visible in this part of the file; presumably it releases the state
        // built by m() - confirm.
        synchronized (this) {
            n();
        }
        super.doStop();
    }

    /** @return the textual dump produced by the (obfuscated) {@code fh0.c} helper */
    @Override // org.eclipse.jetty.util.component.Dumpable
    public String dump() {
        final String rendered = fh0.c(this);
        return rendered;
    }

    /**
     * Writes a diagnostic dump: the trustAll flag plus a protocol and a cipher-suite
     * section, each listing supported, enabled, excluded and included values.
     *
     * <p>The supported and enabled lists come from an engine of {@code SSLContext.getDefault()},
     * not from this factory's own context, so they describe the JVM defaults.
     *
     * @param appendable destination of the dump
     * @param str        indentation prefix passed on to the dump helper
     * @throws IOException if writing fails
     */
    @Override // org.eclipse.jetty.util.component.Dumpable
    public void dump(Appendable appendable, String str) throws IOException {
        try {
            final SSLEngine defaultEngine = SSLContext.getDefault().createSSLEngine();
            final String trustAllEntry = "trustAll=" + this.a0;
            final f04 protocolSection = new f04(
                "Protocol",
                defaultEngine.getSupportedProtocols(),
                defaultEngine.getEnabledProtocols(),
                getExcludeProtocols(),
                getIncludeProtocols());
            final f04 cipherSection = new f04(
                "Cipher Suite",
                defaultEngine.getSupportedCipherSuites(),
                defaultEngine.getEnabledCipherSuites(),
                getExcludeCipherSuites(),
                getIncludeCipherSuites());
            fh0.e(appendable, str, this, trustAllEntry, protocolSection, cipherSection);
        } catch (NoSuchAlgorithmException e) {
            // No default context available: the dump is skipped.
            g0.ignore(e);
        }
    }

    /** @return the one-line self description produced by the (obfuscated) {@code fh0.b} helper */
    @Override // org.eclipse.jetty.util.component.Dumpable
    public /* synthetic */ String dumpSelf() {
        final String self = fh0.b(this);
        return self;
    }

    /** @return a read-only view of the key store aliases recorded in the alias map */
    public Set<String> getAliases() {
        final Set<String> readOnlyAliases = Collections.unmodifiableSet(o.keySet());
        return readOnlyAliases;
    }

    /** @return the configured certificate alias, or {@code null} when none is set */
    @ManagedAttribute("The certificate alias")
    public String getCertAlias() {
        return y;
    }

    /**
     * Creates a "Collection" cert store over the given CRLs, preferring the configured provider.
     *
     * <p>If the configured provider cannot supply the store, the failure is logged at INFO
     * (stack trace at DEBUG only) and the JVM default provider is used instead. A
     * deployment that depends on a specific provider should monitor for that log line.
     *
     * @param collection CRLs to expose through the store
     * @return the cert store
     * @throws InvalidAlgorithmParameterException if the default provider rejects the parameters
     * @throws NoSuchAlgorithmException if the default provider has no "Collection" store
     */
    public CertStore getCertStoreInstance(Collection<? extends CRL> collection) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        final String providerName = getProvider();
        if (providerName == null) {
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection));
        }
        try {
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection), providerName);
        } catch (Throwable failure) {
            g0.info("Unable to get CertStore instance for type [{}] on provider [{}], using default", "Collection", providerName);
            if (g0.isDebugEnabled()) {
                g0.debug(failure);
            }
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection));
        }
    }

    /**
     * Obtains a certificate factory of the given type, preferring the configured provider.
     *
     * <p>If the configured provider fails, the failure is logged at INFO (stack trace at
     * DEBUG only) and the JVM default provider is used instead.
     *
     * @param str certificate type, for example "X.509"
     * @return the certificate factory
     * @throws CertificateException if the default provider does not support the type
     */
    public CertificateFactory getCertificateFactoryInstance(String str) throws CertificateException {
        final String providerName = getProvider();
        if (providerName == null) {
            return CertificateFactory.getInstance(str);
        }
        try {
            return CertificateFactory.getInstance(str, providerName);
        } catch (Throwable failure) {
            g0.info("Unable to get CertificateFactory instance for type [{}] on provider [{}], using default", str, providerName);
            if (g0.isDebugEnabled()) {
                g0.debug(failure);
            }
            return CertificateFactory.getInstance(str);
        }
    }

    /** @return the configured cipher comparator, or {@code null} when none is set */
    public Comparator<String> getCipherComparator() {
        return t;
    }

    /** @return the path of the certificate revocation list file, or {@code null} when unset */
    @ManagedAttribute("The path to the certificate revocation list file")
    public String getCrlPath() {
        return P;
    }

    /**
     * @return the endpoint identification algorithm applied by {@code customize}; {@code null}
     *         means none is configured
     */
    @ManagedAttribute("The endpoint identification algorithm")
    public String getEndpointIdentificationAlgorithm() {
        return Z;
    }

    /** @return a new array holding the excluded cipher suite entries */
    @ManagedAttribute("The excluded cipher suites")
    public String[] getExcludeCipherSuites() {
        final String[] target = new String[0];
        return (String[]) m.toArray(target);
    }

    /** @return a new array holding the excluded protocol names */
    @ManagedAttribute("The excluded TLS protocols")
    public String[] getExcludeProtocols() {
        final String[] target = new String[0];
        return (String[]) k.toArray(target);
    }

    /** @return the configured host name verifier, or {@code null} when none is set */
    public HostnameVerifier getHostnameVerifier() {
        return f0;
    }

    /** @return a new array holding the included cipher suite entries */
    @ManagedAttribute("The included cipher suites")
    public String[] getIncludeCipherSuites() {
        final String[] target = new String[0];
        return (String[]) n.toArray(target);
    }

    /** @return a new array holding the included protocol names */
    @ManagedAttribute("The included TLS protocols")
    public String[] getIncludeProtocols() {
        final String[] target = new String[0];
        return (String[]) l.toArray(target);
    }

    /** @return the KeyManagerFactory algorithm name */
    @ManagedAttribute("The KeyManagerFactory algorithm")
    public String getKeyManagerFactoryAlgorithm() {
        return K;
    }

    /**
     * Obtains a KeyManagerFactory for the configured algorithm, preferring the configured provider.
     *
     * <p>If the configured provider fails, the failure is logged at INFO (stack trace at
     * DEBUG only) and the JVM default provider is used instead.
     *
     * @return the key manager factory
     * @throws NoSuchAlgorithmException if the default provider does not support the algorithm
     */
    public KeyManagerFactory getKeyManagerFactoryInstance() throws NoSuchAlgorithmException {
        final String algorithm = getKeyManagerFactoryAlgorithm();
        final String providerName = getProvider();
        if (providerName == null) {
            return KeyManagerFactory.getInstance(algorithm);
        }
        try {
            return KeyManagerFactory.getInstance(algorithm, providerName);
        } catch (Throwable failure) {
            g0.info("Unable to get KeyManagerFactory instance for algorithm [{}] on provider [{}], using default", algorithm, providerName);
            if (g0.isDebugEnabled()) {
                g0.debug(failure);
            }
            return KeyManagerFactory.getInstance(algorithm);
        }
    }

    /**
     * Builds the key managers for a key store.
     *
     * <p>The factory is initialised with the key manager password, falling back to the key
     * store password, or with {@code null} when neither is set. Each
     * {@code X509ExtendedKeyManager} is then wrapped to pin the configured alias (when one
     * is set) and wrapped again for SNI-based selection when wildcard entries exist, more
     * than one host entry exists, or one host entry exists alongside several aliases.
     *
     * <p>The password is materialised as a {@code String} and a {@code char[]} here and
     * neither is cleared by this method.
     *
     * @param keyStore key store to build managers for, may be {@code null}
     * @return the key managers, or {@code null} when {@code keyStore} is {@code null} or the
     *         factory returned none
     * @throws Exception if the factory cannot be obtained or initialised
     */
    public KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception {
        KeyManager[] managers = null;
        if (keyStore != null) {
            final KeyManagerFactory factory = getKeyManagerFactoryInstance();
            Password secret = this.F;
            if (secret == null) {
                secret = this.E;
            }
            final char[] secretChars = (secret == null) ? null : secret.toString().toCharArray();
            factory.init(keyStore, secretChars);
            managers = factory.getKeyManagers();
            if (managers != null) {
                final String alias = getCertAlias();
                if (alias != null) {
                    for (int pos = 0; pos < managers.length; pos++) {
                        if (managers[pos] instanceof X509ExtendedKeyManager) {
                            managers[pos] = new AliasedX509ExtendedKeyManager((X509ExtendedKeyManager) managers[pos], alias);
                        }
                    }
                }
                final boolean sniSelectionNeeded = !this.q.isEmpty()
                    || this.p.size() > 1
                    || (this.p.size() == 1 && this.o.size() > 1);
                if (sniSelectionNeeded) {
                    for (int pos = 0; pos < managers.length; pos++) {
                        if (managers[pos] instanceof X509ExtendedKeyManager) {
                            managers[pos] = new SniX509ExtendedKeyManager((X509ExtendedKeyManager) managers[pos]);
                        }
                    }
                }
            }
        }
        final Logger logger = g0;
        if (logger.isDebugEnabled()) {
            logger.debug("managers={} for {}", managers, this);
        }
        return managers;
    }

    /**
     * @return the configured key store while the factory is not started; once started, the
     *         key store held by the start-up holder, read under this object's monitor
     */
    public KeyStore getKeyStore() {
        if (isStarted()) {
            synchronized (this) {
                return this.d0.a;
            }
        }
        return this.T;
    }

    /** @return the string form of the key store resource, or {@code null} when none is set */
    @ManagedAttribute("The keyStore path")
    public String getKeyStorePath() {
        final Object storeResource = this.v;
        return (storeResource == null) ? null : storeResource.toString();
    }

    /** @return the key store provider name, or {@code null} when unset */
    @ManagedAttribute("The keyStore provider name")
    public String getKeyStoreProvider() {
        return w;
    }

    /** @return the key store resource, or {@code null} when unset */
    public Resource getKeyStoreResource() {
        return v;
    }

    /** @return the key store type; the constructor sets it to "JKS" */
    @ManagedAttribute("The keyStore type")
    public String getKeyStoreType() {
        return x;
    }

    /** @return the maximum number of intermediate certificates; the constructor sets it to -1 */
    @ManagedAttribute("The maximum number of intermediate certificates")
    public int getMaxCertPathLength() {
        return O;
    }

    /** @return whether a client certificate is required; the constructor sets it to {@code false} */
    @ManagedAttribute("Whether client authentication is needed")
    @Deprecated
    public boolean getNeedClientAuth() {
        return C;
    }

    /** @return the OCSP responder URL, or {@code null} when unset */
    @ManagedAttribute("The online certificate status protocol URL")
    public String getOcspResponderURL() {
        return S;
    }

    /**
     * Resolves a password through {@code Password.getPassword} with no default and no
     * prompt value supplied.
     *
     * @param str name under which the password is looked up
     * @return whatever {@code Password.getPassword} yields for that name
     */
    public Password getPassword(String str) {
        final Password resolved = Password.getPassword(str, null, null);
        return resolved;
    }

    /** @return the additional PKIX certification path checker, or {@code null} when unset */
    public PKIXCertPathChecker getPkixCertPathChecker() {
        return e0;
    }

    /** @return the protocol name used to obtain the SSLContext; the constructor sets it to "TLS" */
    @ManagedAttribute("The TLS protocol")
    public String getProtocol() {
        return I;
    }

    /** @return the JCA provider name, or {@code null} to use the JVM defaults */
    @ManagedAttribute("The provider name")
    public String getProvider() {
        return H;
    }

    /** @return the maximum number of renegotiations allowed; the constructor sets it to 5 */
    @ManagedAttribute("The max number of renegotiations allowed")
    public int getRenegotiationLimit() {
        return c0;
    }

    /**
     * Obtains an SSLContext for the configured protocol, preferring the configured provider.
     *
     * <p>If the configured provider fails, the failure is logged at INFO (stack trace at
     * DEBUG only) and the JVM default provider is used instead.
     *
     * @return an uninitialised SSLContext
     * @throws NoSuchAlgorithmException if the default provider does not support the protocol
     */
    public SSLContext getSSLContextInstance() throws NoSuchAlgorithmException {
        final String protocolName = getProtocol();
        final String providerName = getProvider();
        if (providerName == null) {
            return SSLContext.getInstance(protocolName);
        }
        try {
            return SSLContext.getInstance(protocolName, providerName);
        } catch (Throwable failure) {
            g0.info("Unable to get SSLContext instance for protocol [{}] on provider [{}], using default", protocolName, providerName);
            if (g0.isDebugEnabled()) {
                g0.debug(failure);
            }
            return SSLContext.getInstance(protocolName);
        }
    }

    /** @return the SecureRandom algorithm name, or {@code null} when unset */
    @ManagedAttribute("The SecureRandom algorithm")
    public String getSecureRandomAlgorithm() {
        return J;
    }

    /**
     * Obtains a SecureRandom for the configured algorithm, preferring the configured provider.
     *
     * <p>If the configured provider fails, the failure is logged at INFO (stack trace at
     * DEBUG only) and the JVM default provider is used instead.
     *
     * @return the SecureRandom, or {@code null} when no algorithm is configured (the
     *         start-up code passes this value straight to {@code SSLContext.init})
     * @throws NoSuchAlgorithmException if the default provider does not support the algorithm
     */
    public SecureRandom getSecureRandomInstance() throws NoSuchAlgorithmException {
        final String algorithm = getSecureRandomAlgorithm();
        if (algorithm == null) {
            return null;
        }
        final String providerName = getProvider();
        if (providerName == null) {
            return SecureRandom.getInstance(algorithm);
        }
        try {
            return SecureRandom.getInstance(algorithm, providerName);
        } catch (Throwable failure) {
            g0.info("Unable to get SecureRandom instance for algorithm [{}] on provider [{}], using default", algorithm, providerName);
            if (g0.isDebugEnabled()) {
                g0.debug(failure);
            }
            return SecureRandom.getInstance(algorithm);
        }
    }

    /**
     * @return a copy of the selected cipher suites
     * @throws NullPointerException if no selection has been stored yet (the field is
     *         {@code null})
     */
    @ManagedAttribute(readonly = true, value = "The selected cipher suites")
    public String[] getSelectedCipherSuites() {
        return this.u.clone();
    }

    /**
     * @return a copy of the selected protocol versions
     * @throws NullPointerException if no selection has been stored yet (the field is
     *         {@code null})
     */
    @ManagedAttribute(readonly = true, value = "The selected TLS protocol versions")
    public String[] getSelectedProtocols() {
        return this.r.clone();
    }

    /**
     * @return the configured SSLContext while the factory is not started; once started, the
     *         context held by the start-up holder, read under this object's monitor
     */
    public SSLContext getSslContext() {
        if (isStarted()) {
            synchronized (this) {
                return this.d0.c;
            }
        }
        return this.Y;
    }

    /** @return the maximum TLS session cache size; the constructor sets it to -1 */
    @ManagedAttribute("The maximum TLS session cache size")
    public int getSslSessionCacheSize() {
        return W;
    }

    /** @return the TLS session cache timeout in seconds; the constructor sets it to -1 */
    @ManagedAttribute("The TLS session cache timeout, in seconds")
    public int getSslSessionTimeout() {
        return X;
    }

    /** @return the TrustManagerFactory algorithm name */
    @ManagedAttribute("The TrustManagerFactory algorithm")
    public String getTrustManagerFactoryAlgorithm() {
        return L;
    }

    /**
     * Obtains a TrustManagerFactory for the configured algorithm, preferring the configured provider.
     *
     * <p>If the configured provider fails, the failure is logged at INFO (stack trace at
     * DEBUG only) and the JVM default provider is used instead.
     *
     * @return the trust manager factory
     * @throws NoSuchAlgorithmException if the default provider does not support the algorithm
     */
    public TrustManagerFactory getTrustManagerFactoryInstance() throws NoSuchAlgorithmException {
        final String algorithm = getTrustManagerFactoryAlgorithm();
        final String providerName = getProvider();
        if (providerName == null) {
            return TrustManagerFactory.getInstance(algorithm);
        }
        try {
            return TrustManagerFactory.getInstance(algorithm, providerName);
        } catch (Throwable failure) {
            g0.info("Unable to get TrustManagerFactory instance for algorithm [{}] on provider [{}], using default", algorithm, providerName);
            if (g0.isDebugEnabled()) {
                g0.debug(failure);
            }
            return TrustManagerFactory.getInstance(algorithm);
        }
    }

    /**
     * Builds the trust managers for a trust store.
     *
     * <p>PKIX builder parameters (built by {@code newPKIXBuilderParameters} from the store
     * and the CRLs) are used only when peer certificate validation is enabled and the
     * algorithm is "PKIX" (case-insensitive). In every other case the factory is initialised
     * with the trust store alone and the CRL collection is not used.
     *
     * @param keyStore   trust store, may be {@code null}
     * @param collection CRLs for the PKIX path
     * @return the trust managers, or {@code null} when {@code keyStore} is {@code null}
     * @throws Exception if the factory cannot be obtained or initialised
     */
    public TrustManager[] getTrustManagers(KeyStore keyStore, Collection<? extends CRL> collection) throws Exception {
        if (keyStore == null) {
            return null;
        }
        final boolean usePkixParameters = isValidatePeerCerts()
            && "PKIX".equalsIgnoreCase(getTrustManagerFactoryAlgorithm());
        final TrustManagerFactory factory;
        if (usePkixParameters) {
            final PKIXBuilderParameters pkixParameters = newPKIXBuilderParameters(keyStore, collection);
            factory = getTrustManagerFactoryInstance();
            factory.init(new CertPathTrustManagerParameters(pkixParameters));
        } else {
            factory = getTrustManagerFactoryInstance();
            factory.init(keyStore);
        }
        return factory.getTrustManagers();
    }

    /**
     * @return the configured trust store while the factory is not started; once started, the
     *         trust store held by the start-up holder, read under this object's monitor
     */
    public KeyStore getTrustStore() {
        if (isStarted()) {
            synchronized (this) {
                return this.d0.b;
            }
        }
        return this.U;
    }

    /** @return the string form of the trust store resource, or {@code null} when none is set */
    @ManagedAttribute("The trustStore path")
    public String getTrustStorePath() {
        final Object storeResource = this.z;
        return (storeResource == null) ? null : storeResource.toString();
    }

    /** @return the trust store provider name, or {@code null} when unset */
    @ManagedAttribute("The trustStore provider name")
    public String getTrustStoreProvider() {
        return A;
    }

    /** @return the trust store resource, or {@code null} when unset */
    public Resource getTrustStoreResource() {
        return z;
    }

    /** @return the trust store type, or {@code null} when unset */
    @ManagedAttribute("The trustStore type")
    public String getTrustStoreType() {
        return B;
    }

    /**
     * @return whether a client certificate is requested but optional; the constructor sets
     *         it to {@code false}
     */
    @ManagedAttribute("Whether client authentication is wanted")
    @Deprecated
    public boolean getWantClientAuth() {
        return D;
    }

    /**
     * @param str key store alias
     * @return the certificate entry recorded for that alias, or {@code null} when there is none
     */
    public X509 getX509(String str) {
        final X509 entry = (X509) o.get(str);
        return entry;
    }

    /**
     * Returns the peer certificate chain of a session, decoded with this factory's
     * provider-aware certificate factory.
     *
     * @param sSLSession session to read the peer certificates from
     * @return the chain, or {@code null} when the peer is unverified, sent no certificates
     *         or decoding failed; callers must not treat {@code null} as an authenticated peer
     */
    public X509Certificate[] getX509CertChain(SSLSession sSLSession) {
        final X509Certificate[] chain = l(this, sSLSession);
        return chain;
    }

    /** @return whether CRL distribution point support is enabled; the constructor sets it to {@code false} */
    @ManagedAttribute("Whether certificate revocation list distribution points is enabled")
    public boolean isEnableCRLDP() {
        return Q;
    }

    /** @return whether OCSP support is enabled; the constructor sets it to {@code false} */
    @ManagedAttribute("Whether online certificate status protocol support is enabled")
    public boolean isEnableOCSP() {
        return R;
    }

    /** @return whether TLS renegotiation is allowed; the constructor sets it to {@code true} */
    @ManagedAttribute("Whether renegotiation is allowed")
    public boolean isRenegotiationAllowed() {
        return b0;
    }

    /** @return whether TLS session caching is enabled; the constructor sets it to {@code true} */
    @ManagedAttribute("Whether TLS session caching is enabled")
    public boolean isSessionCachingEnabled() {
        return V;
    }

    /**
     * @return whether certificates are trusted even if they are invalid. When {@code true}
     *         and no key or trust store is configured, start-up installs the accept-all
     *         trust manager, so peers are not authenticated.
     */
    @ManagedAttribute("Whether certificates should be trusted even if they are invalid")
    public boolean isTrustAll() {
        return a0;
    }

    /** @return whether the local cipher suite order is honoured; the constructor sets it to {@code true} */
    @ManagedAttribute("Whether to respect the cipher suites order")
    public boolean isUseCipherSuitesOrder() {
        return s;
    }

    /**
     * @return whether the certificates found in the key store are validated at start-up
     *         (against the trust store and CRLs); the constructor leaves it {@code false}
     */
    @ManagedAttribute("Whether certificates are validated")
    public boolean isValidateCerts() {
        return M;
    }

    /**
     * @return whether peer certificates are validated; together with a "PKIX" trust manager
     *         algorithm this selects the PKIX-parameter path in {@code getTrustManagers}.
     *         The constructor leaves it {@code false}.
     */
    @ManagedAttribute("Whether peer certificates are validated")
    public boolean isValidatePeerCerts() {
        return N;
    }

    /**
     * Guard that requires the factory to be started.
     *
     * @throws IllegalStateException if the factory is not started
     */
    public final void k() {
        if (!isStarted()) {
            throw new IllegalStateException("!STARTED: " + this);
        }
    }

    /**
     * Loads certificate revocation lists through {@code CertificateUtils.loadCRL}.
     *
     * @param str path of the CRL file; start-up passes the configured CRL path
     * @return whatever {@code CertificateUtils.loadCRL} yields for that path
     * @throws Exception if loading fails
     */
    public Collection<? extends CRL> loadCRL(String str) throws Exception {
        final Collection<? extends CRL> revocationLists = CertificateUtils.loadCRL(str);
        return revocationLists;
    }

    /**
     * Loads the key store with the configured type, provider and key store password.
     *
     * <p>The password is converted to a {@code String} before it is handed to the loader.
     *
     * @param resource location of the key store
     * @return the key store returned by {@code CertificateUtils.getKeyStore}
     * @throws Exception if loading fails
     */
    public KeyStore loadKeyStore(Resource resource) throws Exception {
        final String storeType = getKeyStoreType();
        final String storeProvider = getKeyStoreProvider();
        final String storePassword = Objects.toString(this.E, null);
        return CertificateUtils.getKeyStore(resource, storeType, storeProvider, storePassword);
    }

    /**
     * Loads the trust store.
     *
     * <p>Type and provider fall back to the key store's values when the trust store's own
     * are unset. When no trust store resource is given, or it equals the key store
     * resource, the key store resource is loaded as the trust store and the key store
     * password is used if no trust store password is set.
     *
     * @param resource location of the trust store, may be {@code null}
     * @return the trust store returned by {@code CertificateUtils.getKeyStore}
     * @throws Exception if loading fails
     */
    public KeyStore loadTrustStore(Resource resource) throws Exception {
        final String storeType = Objects.toString(getTrustStoreType(), getKeyStoreType());
        final String storeProvider = Objects.toString(getTrustStoreProvider(), getKeyStoreProvider());
        Password storePassword = this.G;
        Resource effectiveResource = resource;
        final boolean sharesKeyStore = (resource == null) || resource.equals(this.v);
        if (sharesKeyStore) {
            effectiveResource = this.v;
            if (storePassword == null) {
                storePassword = this.E;
            }
        }
        return CertificateUtils.getKeyStore(effectiveResource, storeType, storeProvider, Objects.toString(storePassword, null));
    }

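    /**
     * Builds (or adopts) the {@link SSLContext} and derives the selected protocols and cipher
     * suites from it.
     *
     * <p>If an {@code SSLContext} was supplied in field {@code Y}, it is used as is: no key store,
     * trust store or CRL is loaded and none of the certificate checks below run. Otherwise:
     * <ul>
     *   <li>with no key store, key store resource, trust store or trust store resource configured,
     *       the context is initialised without key managers; the trust managers are
     *       {@code TRUST_ALL_CERTS} when {@code isTrustAll()} is true, else {@code null}
     *       (JSSE then falls back to its default trust managers);</li>
     *   <li>in every other case the stores are loaded, each X.509 entry for which
     *       {@code X509.isCertSign} is false is indexed by alias, host and wildcard name, and
     *       optionally validated with {@code CertificateValidator} when {@code isValidateCerts()}
     *       is true.</li>
     * </ul>
     *
     * <p>Security: the trust-all path disables server certificate verification entirely, so it is
     * reported at WARN level rather than DEBUG. A deployment that reaches it by accident should not
     * depend on debug logging being enabled to find out.
     */
    public final void m() {
        SSLContext context = this.Y;
        KeyStore keyStore = this.T;
        KeyStore trustStore = this.U;
        if (context == null) {
            boolean nothingConfigured = keyStore == null && this.v == null && trustStore == null && this.z == null;
            if (nothingConfigured) {
                TrustManager[] trustManagers = null;
                if (isTrustAll()) {
                    // Always visible: every peer certificate will be accepted from here on.
                    g0.warn("No keystore or trust store configured.  ACCEPTING UNTRUSTED CERTIFICATES!!!!!", new Object[0]);
                    trustManagers = TRUST_ALL_CERTS;
                }
                context = getSSLContextInstance();
                context.init(null, trustManagers, getSecureRandomInstance());
            } else {
                // Pre-built stores (fields T/U) take precedence over the resource-backed ones.
                if (keyStore == null) {
                    keyStore = loadKeyStore(this.v);
                }
                if (trustStore == null) {
                    trustStore = loadTrustStore(this.z);
                }
                Collection<? extends CRL> crls = loadCRL(getCrlPath());
                if (keyStore != null) {
                    for (String alias : Collections.list(keyStore.aliases())) {
                        Certificate certificate = keyStore.getCertificate(alias);
                        if (certificate == null || !"X.509".equals(certificate.getType())) {
                            continue;
                        }
                        X509Certificate x509Certificate = (X509Certificate) certificate;
                        if (X509.isCertSign(x509Certificate)) {
                            // Certificates flagged by isCertSign are not indexed as server identities.
                            if (g0.isDebugEnabled()) {
                                g0.debug("Skipping " + x509Certificate, new Object[0]);
                            }
                            continue;
                        }
                        X509 x509 = new X509(alias, x509Certificate);
                        this.o.put(alias, x509);
                        if (isValidateCerts()) {
                            // Validates the factory's own certificate against the trust store and CRLs.
                            CertificateValidator validator = new CertificateValidator(trustStore, crls);
                            validator.setMaxCertPathLength(getMaxCertPathLength());
                            validator.setEnableCRLDP(isEnableCRLDP());
                            validator.setEnableOCSP(isEnableOCSP());
                            validator.setOcspResponderURL(getOcspResponderURL());
                            validator.validate(keyStore, x509Certificate);
                        }
                        g0.info("x509={} for {}", x509, this);
                        for (String host : x509.getHosts()) {
                            this.p.put(host, x509);
                        }
                        for (String wild : x509.getWilds()) {
                            this.q.put(wild, x509);
                        }
                    }
                }
                KeyManager[] keyManagers = getKeyManagers(keyStore);
                TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
                context = getSSLContextInstance();
                context.init(keyManagers, trustManagers, getSecureRandomInstance());
            }
        }
        SSLSessionContext serverSessionContext = context.getServerSessionContext();
        if (serverSessionContext != null) {
            // Values of -1 or below leave the JSSE defaults untouched.
            if (getSslSessionCacheSize() > -1) {
                serverSessionContext.setSessionCacheSize(getSslSessionCacheSize());
            }
            if (getSslSessionTimeout() > -1) {
                serverSessionContext.setSessionTimeout(getSslSessionTimeout());
            }
        }
        SSLParameters enabledByDefault = context.getDefaultSSLParameters();
        SSLParameters supported = context.getSupportedSSLParameters();
        selectCipherSuites(enabledByDefault.getCipherSuites(), supported.getCipherSuites());
        selectProtocols(enabledByDefault.getProtocols(), supported.getProtocols());
        this.d0 = new c(keyStore, trustStore, context);
        if (g0.isDebugEnabled()) {
            g0.debug("Selected Protocols {} of {}", Arrays.asList(this.r), Arrays.asList(supported.getProtocols()));
            g0.debug("Selected Ciphers   {} of {}", Arrays.asList(this.u), Arrays.asList(supported.getCipherSuites()));
        }
    }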

    /**
     * Discards the state derived by {@code m()}: the context holder in {@code d0}, the selected
     * protocols ({@code r}) and cipher suites ({@code u}), and the alias/host/wildcard certificate
     * maps ({@code o}, {@code p}, {@code q}).
     *
     * <p>Configuration fields (stores, resources, passwords, flags) are not touched here.
     */
    public final void n() {
        this.d0 = null;
        this.r = null;
        this.u = null;
        this.o.clear();
        this.p.clear();
        this.q.clear();
    }

    /**
     * Creates PKIX path-building parameters anchored on the given trust store.
     *
     * <p>Revocation checking is always enabled on the returned parameters. The maximum path length
     * comes from field {@code O}, the optional extra checker from field {@code e0}, and the CRLs
     * (when any are supplied) are exposed through a cert store.
     *
     * <p>Security: enabling CRLDP or OCSP here writes JVM-wide settings
     * ({@code com.sun.security.enableCRLDP} as a system property, {@code ocsp.enable} and
     * {@code ocsp.responderURL} as security properties). They affect every PKIX validation in the
     * process, not just this factory, and this method never resets them. With either switch on, the
     * JDK's PKIX provider may fetch revocation data over the network during validation.
     *
     * @param keyStore trust anchors for path building
     * @param collection CRLs to consult; may be {@code null} or empty
     * @return the configured parameters
     * @throws Exception if the parameters or the CRL cert store cannot be created
     */
    public PKIXBuilderParameters newPKIXBuilderParameters(KeyStore keyStore, Collection<? extends CRL> collection) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        params.setMaxPathLength(this.O);
        params.setRevocationEnabled(true);

        PKIXCertPathChecker extraChecker = this.e0;
        if (extraChecker != null) {
            params.addCertPathChecker(extraChecker);
        }

        boolean hasCrls = collection != null && !collection.isEmpty();
        if (hasCrls) {
            params.addCertStore(getCertStoreInstance(collection));
        }

        if (this.Q) {
            // Process-wide switch: CRL Distribution Points support in the JDK PKIX provider.
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
        if (this.R) {
            // Process-wide switch: OCSP checking, optionally pinned to one responder URL.
            Security.setProperty("ocsp.enable", "true");
            String responderUrl = this.S;
            if (responderUrl != null) {
                Security.setProperty("ocsp.responderURL", responderUrl);
            }
        }
        return params;
    }

    /**
     * Wraps a plain-text password in a {@code Password} object.
     *
     * <p>The argument is a {@link String}, so the caller's copy of the secret cannot be wiped after
     * use.
     *
     * @param str the password text
     * @return a new {@code Password} holding {@code str}
     */
    public Password newPassword(String str) {
        return new Password(str);
    }

    /**
     * Creates an {@link SSLEngine} with no peer host or port and applies this factory's settings to
     * it through {@code customize}.
     *
     * <p>NOTE(review): {@code k()} is not visible here; it presumably verifies that the factory has
     * been started. Confirm.
     *
     * @return the customised engine
     */
    public SSLEngine newSSLEngine() {
        k();
        SSLContext context = getSslContext();
        SSLEngine engine = context.createSSLEngine();
        customize(engine);
        return engine;
    }

    /**
     * Creates an {@link SSLEngine} for the given peer and applies this factory's settings to it.
     *
     * <p>The host and port are passed to JSSE only when session caching is enabled; otherwise the
     * engine is created without peer information.
     *
     * <p>NOTE(review): an engine created without a peer host gives JSSE no name to use for endpoint
     * identification. Confirm that callers relying on hostname verification keep session caching
     * enabled or verify the name themselves.
     *
     * @param str peer host
     * @param i peer port
     * @return the customised engine
     */
    public SSLEngine newSSLEngine(String str, int i) {
        k();
        SSLContext context = getSslContext();
        SSLEngine engine;
        if (isSessionCachingEnabled()) {
            engine = context.createSSLEngine(str, i);
        } else {
            engine = context.createSSLEngine();
        }
        customize(engine);
        return engine;
    }

    /**
     * Creates an {@link SSLEngine} for the given socket address.
     *
     * <p>Uses {@code getHostString()}, which does not trigger a reverse DNS lookup.
     *
     * @param inetSocketAddress the peer address, or {@code null} for an engine without peer
     *     information
     * @return the customised engine
     */
    public SSLEngine newSSLEngine(InetSocketAddress inetSocketAddress) {
        if (inetSocketAddress == null) {
            return newSSLEngine();
        }
        return newSSLEngine(inetSocketAddress.getHostString(), inetSocketAddress.getPort());
    }

    /**
     * Creates a TLS server socket and applies this factory's {@link SSLParameters} customisation.
     *
     * @param str host name or address to bind to; {@code null} uses the factory overload that takes
     *     no bind address
     * @param i port to listen on
     * @param i2 connection backlog
     * @return the customised server socket
     * @throws IOException if the socket cannot be created or the host cannot be resolved
     */
    public SSLServerSocket newSslServerSocket(String str, int i, int i2) throws IOException {
        k();
        SSLServerSocketFactory factory = getSslContext().getServerSocketFactory();
        SSLServerSocket serverSocket;
        if (str == null) {
            serverSocket = (SSLServerSocket) factory.createServerSocket(i, i2);
        } else {
            serverSocket = (SSLServerSocket) factory.createServerSocket(i, i2, InetAddress.getByName(str));
        }
        SSLParameters parameters = serverSocket.getSSLParameters();
        serverSocket.setSSLParameters(customize(parameters));
        return serverSocket;
    }

    /**
     * Creates an unconnected TLS client socket and applies this factory's {@link SSLParameters}
     * customisation.
     *
     * @return the customised socket
     * @throws IOException if the socket cannot be created
     */
    public SSLSocket newSslSocket() throws IOException {
        k();
        SSLSocket socket = (SSLSocket) getSslContext().getSocketFactory().createSocket();
        SSLParameters parameters = socket.getSSLParameters();
        socket.setSSLParameters(customize(parameters));
        return socket;
    }

    /**
     * Appends to {@code list} every candidate suite that fully matches one of the include patterns
     * held in field {@code n}.
     *
     * <p>Each pattern is a regular expression applied with {@code matches()}, so it must match the
     * whole suite name. A suite matched by several patterns is appended once per matching pattern.
     * A pattern that matches nothing is reported at INFO level.
     *
     * @param strArr candidate cipher suite names
     * @param list receives the matching suites, in pattern order
     */
    public void processIncludeCipherSuites(String[] strArr, List<String> list) {
        for (String regex : this.n) {
            Pattern pattern = Pattern.compile(regex);
            boolean matchedAny = false;
            for (int idx = 0; idx < strArr.length; idx++) {
                String candidate = strArr[idx];
                if (!pattern.matcher(candidate).matches()) {
                    continue;
                }
                list.add(candidate);
                matchedAny = true;
            }
            if (matchedAny) {
                continue;
            }
            g0.info("No Cipher matching '{}' is supported", regex);
        }
    }

    /**
     * Reconfigures this factory and rebuilds its TLS state while holding this object's monitor.
     *
     * <p>The consumer mutates the configuration first; then {@code n()} drops the derived state and
     * {@code m()} rebuilds it. If {@code m()} throws, the state cleared by {@code n()} is not
     * restored by this method.
     *
     * @param consumer callback that applies the configuration changes
     * @throws Exception declared for failures during reconfiguration or rebuilding
     */
    public void reload(Consumer<SslContextFactory> consumer) throws Exception {
        synchronized (this) {
            consumer.accept(this);
            n();
            m();
        }
    }

    /**
     * Removes from {@code list} every suite that fully matches one of the exclude patterns held in
     * field {@code m}.
     *
     * <p>Patterns are regular expressions applied with {@code matches()}. Removal goes through the
     * list's iterator, so the list must support {@code Iterator.remove()} whenever a suite matches.
     *
     * @param list cipher suite names to filter in place
     */
    public void removeExcludedCipherSuites(List<String> list) {
        for (Object excluded : this.m) {
            Pattern pattern = Pattern.compile((String) excluded);
            for (Iterator<String> suites = list.iterator(); suites.hasNext();) {
                if (pattern.matcher(suites.next()).matches()) {
                    suites.remove();
                }
            }
        }
    }

    /**
     * Computes the cipher suites this factory will enable and stores them in field {@code u}.
     *
     * <p>With no include patterns the starting set is {@code strArr}; {@code m()} passes the
     * context's default-enabled suites there. With include patterns the starting set is drawn from
     * {@code strArr2}, for which {@code m()} passes all supported suites. Exclude patterns are
     * applied afterwards in both cases, then the optional cipher comparator orders the result.
     *
     * <p>Security: an include pattern can therefore select a suite that the JVM supports but does
     * not enable by default, so broad patterns deserve review. An empty result is only logged at
     * WARN level; the empty array is still stored.
     *
     * @param strArr suites used when no include pattern is configured
     * @param strArr2 suites the include patterns are matched against
     */
    public void selectCipherSuites(String[] strArr, String[] strArr2) {
        List<String> chosen = new ArrayList<>();
        if (!this.n.isEmpty()) {
            processIncludeCipherSuites(strArr2, chosen);
        } else {
            chosen.addAll(Arrays.asList(strArr));
        }
        removeExcludedCipherSuites(chosen);
        if (chosen.isEmpty()) {
            g0.warn("No supported ciphers from {}", Arrays.asList(strArr2));
        }
        Comparator<String> order = getCipherComparator();
        if (order != null) {
            if (g0.isDebugEnabled()) {
                g0.debug("Sorting selected ciphers with {}", order);
            }
            chosen.sort(order);
        }
        this.u = chosen.toArray(new String[0]);
    }

    /**
     * Computes the protocol versions this factory will enable and stores them in field {@code r}.
     *
     * <p>With no include list (field {@code l}) the starting set is {@code strArr}; {@code m()}
     * passes the context's default-enabled protocols there. Otherwise each included name is kept
     * only if it appears in {@code strArr2}, for which {@code m()} passes all supported protocols.
     * The exclude list (field {@code k}) is removed afterwards, so exclusion wins over inclusion.
     *
     * <p>Security: an include entry can select a protocol version that the JVM supports but does
     * not enable by default. An empty result is only logged at WARN level; the empty array is still
     * stored.
     *
     * @param strArr protocols used when no include list is configured
     * @param strArr2 protocols the include list is checked against
     */
    public void selectProtocols(String[] strArr, String[] strArr2) {
        Set<String> chosen = new LinkedHashSet<>();
        if (this.l.isEmpty()) {
            chosen.addAll(Arrays.asList(strArr));
        } else {
            List<String> supported = Arrays.asList(strArr2);
            for (String wanted : this.l) {
                if (!supported.contains(wanted)) {
                    g0.info("Protocol {} not supported in {}", wanted, supported);
                    continue;
                }
                chosen.add(wanted);
            }
        }
        chosen.removeAll(this.k);
        if (chosen.isEmpty()) {
            g0.warn("No selected protocols from {}", Arrays.asList(strArr2));
        }
        this.r = chosen.toArray(new String[0]);
    }

    /**
     * Sets the certificate alias (field {@code y}).
     *
     * @param str the alias; how it is used is not visible in this part of the file
     */
    public void setCertAlias(String str) {
        this.y = str;
    }

    /**
     * Sets the comparator used to order the selected cipher suites (field {@code t}).
     *
     * <p>A non-null comparator also switches on {@code useCipherSuitesOrder}; passing {@code null}
     * clears the comparator but leaves that flag as it was.
     *
     * @param comparator the ordering to apply, or {@code null} for none
     */
    public void setCipherComparator(Comparator<String> comparator) {
        if (comparator != null) {
            // A custom order is pointless unless this factory's suite order is honoured.
            setUseCipherSuitesOrder(true);
        }
        this.t = comparator;
    }

    /**
     * Sets the location of the certificate revocation list (field {@code P}).
     *
     * @param str CRL path; presumably what {@code getCrlPath()} returns to {@code m()} (confirm)
     */
    public void setCrlPath(String str) {
        this.P = str;
    }

    /**
     * Enables or disables CRL Distribution Points support (field {@code Q}).
     *
     * <p>When true, {@code newPKIXBuilderParameters} sets the JVM-wide system property
     * {@code com.sun.security.enableCRLDP}; setting this back to false does not unset it.
     *
     * @param z true to enable CRLDP
     */
    public void setEnableCRLDP(boolean z) {
        this.Q = z;
    }

    /**
     * Enables or disables OCSP checking (field {@code R}).
     *
     * <p>When true, {@code newPKIXBuilderParameters} sets the JVM-wide security property
     * {@code ocsp.enable}; setting this back to false does not unset it.
     *
     * @param z true to enable OCSP
     */
    public void setEnableOCSP(boolean z) {
        this.R = z;
    }

    /**
     * Sets the endpoint identification algorithm (field {@code Z}).
     *
     * <p>{@code setTrustAll(true)} resets this to {@code null}.
     * NOTE(review): the value is presumably copied into the {@code SSLParameters} by
     * {@code customize}, in which case {@code null} leaves JSSE hostname verification off. Confirm.
     *
     * @param str the algorithm name, or {@code null} for none
     */
    public void setEndpointIdentificationAlgorithm(String str) {
        this.Z = str;
    }

    /**
     * Replaces the cipher suite exclude patterns (field {@code m}).
     *
     * <p>The entries are regular expressions that {@code removeExcludedCipherSuites} matches
     * against whole suite names. Calling this with no arguments clears every exclusion, so the
     * selection then rests on the include patterns or the JVM defaults alone.
     *
     * @param strArr the new exclude patterns
     */
    public void setExcludeCipherSuites(String... strArr) {
        this.m.clear();
        Collections.addAll(this.m, strArr);
    }

    /**
     * Replaces the excluded protocol names (field {@code k}).
     *
     * <p>{@code selectProtocols} removes these names from the selection by exact match. Calling
     * this with no arguments clears every exclusion.
     *
     * @param strArr the new excluded protocol names
     */
    public void setExcludeProtocols(String... strArr) {
        this.k.clear();
        Collections.addAll(this.k, strArr);
    }

    /**
     * Sets the {@link HostnameVerifier} (field {@code f0}).
     *
     * @param hostnameVerifier the verifier; where it is consulted is not visible in this part of
     *     the file
     */
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        this.f0 = hostnameVerifier;
    }

    /**
     * Replaces the cipher suite include patterns (field {@code n}).
     *
     * <p>The entries are regular expressions that {@code processIncludeCipherSuites} matches
     * against whole suite names. While the set is non-empty, {@code selectCipherSuites} starts from
     * the supported suites instead of the default-enabled ones.
     *
     * @param strArr the new include patterns
     */
    public void setIncludeCipherSuites(String... strArr) {
        this.n.clear();
        Collections.addAll(this.n, strArr);
    }

    /**
     * Replaces the included protocol names (field {@code l}).
     *
     * <p>While the set is non-empty, {@code selectProtocols} keeps only these names, provided the
     * context supports them, instead of starting from the default-enabled protocols.
     *
     * @param strArr the new included protocol names
     */
    public void setIncludeProtocols(String... strArr) {
        this.l.clear();
        Collections.addAll(this.l, strArr);
    }

    /**
     * Sets the key manager factory algorithm name (field {@code K}).
     *
     * @param str the algorithm name
     */
    public void setKeyManagerFactoryAlgorithm(String str) {
        this.K = str;
    }

    /**
     * Sets the key manager password (field {@code F}).
     *
     * <p>An explicit value always wins. With {@code null}, the password is taken through
     * {@code getPassword(KEYPASSWORD_PROPERTY)} when that system property is set, and cleared
     * otherwise.
     *
     * <p>Secrets passed as a {@link String} or a system property stay readable in memory and may be
     * visible to anything that can inspect the JVM's properties.
     *
     * @param str the password, or {@code null} to fall back to the system property
     */
    public void setKeyManagerPassword(String str) {
        if (str != null) {
            this.F = newPassword(str);
            return;
        }
        this.F = System.getProperty(KEYPASSWORD_PROPERTY) != null ? getPassword(KEYPASSWORD_PROPERTY) : null;
    }

    /**
     * Supplies an already loaded key store (field {@code T}).
     *
     * <p>When set, {@code m()} uses it instead of loading one from the key store resource.
     *
     * @param keyStore the key store to use
     */
    public void setKeyStore(KeyStore keyStore) {
        this.T = keyStore;
    }

    /**
     * Sets the key store password (field {@code E}).
     *
     * <p>An explicit value always wins. With {@code null}, the password is taken through
     * {@code getPassword(PASSWORD_PROPERTY)} when a key store resource is configured, and cleared
     * otherwise. The result therefore depends on whether the key store resource was set before
     * this call.
     *
     * @param str the password, or {@code null} to fall back as described
     */
    public void setKeyStorePassword(String str) {
        if (str != null) {
            this.E = newPassword(str);
            return;
        }
        this.E = this.v == null ? null : getPassword(PASSWORD_PROPERTY);
    }

    /**
     * Sets the key store resource (field {@code v}) from a path or URL string.
     *
     * @param str location understood by {@code Resource.newResource}
     * @throws IllegalArgumentException wrapping any failure to create the resource
     */
    public void setKeyStorePath(String str) {
        try {
            this.v = Resource.newResource(str);
        } catch (Exception e) {
            // The cause is preserved so the caller can see why the location was rejected.
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Sets the key store provider name (field {@code w}).
     *
     * @param str the provider name
     */
    public void setKeyStoreProvider(String str) {
        this.w = str;
    }

    /**
     * Sets the key store resource (field {@code v}) that {@code m()} loads when no key store
     * object has been supplied.
     *
     * @param resource the key store location
     */
    public void setKeyStoreResource(Resource resource) {
        this.v = resource;
    }

    /**
     * Sets the key store type (field {@code x}).
     *
     * @param str the key store type name
     */
    public void setKeyStoreType(String str) {
        this.x = str;
    }

    /**
     * Sets the maximum certification path length (field {@code O}), which
     * {@code newPKIXBuilderParameters} passes to {@code setMaxPathLength}.
     *
     * @param i the maximum path length
     */
    public void setMaxCertPathLength(int i) {
        this.O = i;
    }

    /**
     * Sets the "need client authentication" flag (field {@code C}).
     *
     * <p>Marked deprecated in this class; the replacement is not visible in this part of the file.
     *
     * @param z true to require client certificates
     */
    @Deprecated
    public void setNeedClientAuth(boolean z) {
        this.C = z;
    }

    /**
     * Sets the OCSP responder URL (field {@code S}).
     *
     * <p>When OCSP is enabled and this is non-null, {@code newPKIXBuilderParameters} writes it to
     * the JVM-wide security property {@code ocsp.responderURL}.
     *
     * @param str the responder URL, or {@code null} to leave the property untouched
     */
    public void setOcspResponderURL(String str) {
        this.S = str;
    }

    /**
     * Sets an additional PKIX path checker (field {@code e0}) that
     * {@code newPKIXBuilderParameters} adds to the parameters it builds.
     *
     * @param pKIXCertPathChecker the checker, or {@code null} for none
     */
    public void setPkixCertPathChecker(PKIXCertPathChecker pKIXCertPathChecker) {
        this.e0 = pKIXCertPathChecker;
    }

    /**
     * Sets the protocol name (field {@code I}).
     *
     * @param str the protocol name; presumably the one used to obtain the {@code SSLContext}
     *     (confirm against {@code getSSLContextInstance})
     */
    public void setProtocol(String str) {
        this.I = str;
    }

    /**
     * Sets the security provider name (field {@code H}), which {@code toString()} reports as
     * {@code provider}.
     *
     * @param str the provider name
     */
    public void setProvider(String str) {
        this.H = str;
    }

    /**
     * Sets whether TLS renegotiation is allowed (field {@code b0}).
     *
     * @param z true to allow renegotiation; where the flag is enforced is not visible in this part
     *     of the file
     */
    public void setRenegotiationAllowed(boolean z) {
        this.b0 = z;
    }

    /**
     * Sets the renegotiation limit (field {@code c0}).
     *
     * @param i the limit; its exact meaning is not visible in this part of the file
     */
    public void setRenegotiationLimit(int i) {
        this.c0 = i;
    }

    /**
     * Sets the secure random algorithm name (field {@code J}).
     *
     * @param str the algorithm name; presumably consumed by {@code getSecureRandomInstance}
     *     (confirm)
     */
    public void setSecureRandomAlgorithm(String str) {
        this.J = str;
    }

    /**
     * Sets the session caching flag (field {@code V}).
     *
     * <p>{@code newSSLEngine(String, int)} passes the peer host and port to JSSE only when
     * {@code isSessionCachingEnabled()} is true.
     *
     * @param z true to enable session caching
     */
    public void setSessionCachingEnabled(boolean z) {
        this.V = z;
    }

    /**
     * Supplies a ready-made {@link SSLContext} (field {@code Y}).
     *
     * <p>When set, {@code m()} uses it as is and skips loading the key store, trust store and CRLs,
     * so the trust configuration held by this factory is not applied to it there. The supplied
     * context must already carry the intended key and trust managers.
     *
     * @param sSLContext the context to use
     */
    public void setSslContext(SSLContext sSLContext) {
        this.Y = sSLContext;
    }

    /**
     * Sets the TLS session cache size (field {@code W}).
     *
     * @param i the cache size; {@code m()} applies the value from {@code getSslSessionCacheSize()}
     *     only when it is greater than -1
     */
    public void setSslSessionCacheSize(int i) {
        this.W = i;
    }

    /**
     * Sets the TLS session timeout (field {@code X}).
     *
     * @param i the timeout; {@code m()} applies the value from {@code getSslSessionTimeout()} only
     *     when it is greater than -1
     */
    public void setSslSessionTimeout(int i) {
        this.X = i;
    }

    /**
     * Sets the trust-all flag (field {@code a0}).
     *
     * <p>Security: enabling it also clears the endpoint identification algorithm, so peer identity
     * checking is switched off together with trust validation. Disabling it later does not restore
     * the previous algorithm; that has to be set again explicitly.
     *
     * @param z true to trust every certificate
     */
    public void setTrustAll(boolean z) {
        this.a0 = z;
        if (!z) {
            return;
        }
        setEndpointIdentificationAlgorithm(null);
    }

    /**
     * Sets the trust manager factory algorithm name (field {@code L}).
     *
     * @param str the algorithm name
     */
    public void setTrustManagerFactoryAlgorithm(String str) {
        this.L = str;
    }

    /**
     * Supplies an already loaded trust store (field {@code U}).
     *
     * <p>When set, {@code m()} uses it instead of loading one from the trust store resource.
     *
     * @param keyStore the trust store to use
     */
    public void setTrustStore(KeyStore keyStore) {
        this.U = keyStore;
    }

    /**
     * Sets the trust store password (field {@code G}).
     *
     * <p>An explicit value always wins. With {@code null}, the password is cleared when no trust
     * store resource is configured or when it equals the key store resource; otherwise it is taken
     * through {@code getPassword(PASSWORD_PROPERTY)}.
     *
     * @param str the password, or {@code null} to fall back as described
     */
    public void setTrustStorePassword(String str) {
        Resource trustResource = this.z;
        if (str != null) {
            this.G = newPassword(str);
        } else if (trustResource != null && !trustResource.equals(this.v)) {
            this.G = getPassword(PASSWORD_PROPERTY);
        } else {
            // Same store as the key store (or none): no separate trust store password is kept.
            this.G = null;
        }
    }

    /**
     * Sets the trust store resource (field {@code z}) from a path or URL string.
     *
     * @param str location understood by {@code Resource.newResource}
     * @throws IllegalArgumentException wrapping any failure to create the resource
     */
    public void setTrustStorePath(String str) {
        try {
            this.z = Resource.newResource(str);
        } catch (Exception e) {
            // The cause is preserved so the caller can see why the location was rejected.
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Sets the trust store provider name (field {@code A}).
     *
     * @param str the provider name
     */
    public void setTrustStoreProvider(String str) {
        this.A = str;
    }

    /**
     * Sets the trust store resource (field {@code z}) that {@code m()} loads when no trust store
     * object has been supplied.
     *
     * @param resource the trust store location
     */
    public void setTrustStoreResource(Resource resource) {
        this.z = resource;
    }

    /**
     * Sets the trust store type (field {@code B}).
     *
     * @param str the trust store type name
     */
    public void setTrustStoreType(String str) {
        this.B = str;
    }

    /**
     * Sets the "use cipher suites order" flag (field {@code s}).
     *
     * @param z true to honour this factory's cipher suite order; where the flag is applied is not
     *     visible in this part of the file
     */
    public void setUseCipherSuitesOrder(boolean z) {
        this.s = z;
    }

    /**
     * Sets the "validate certificates" flag (field {@code M}).
     *
     * <p>NOTE(review): presumably what {@code isValidateCerts()} returns, which {@code m()} checks
     * before validating the key store's own certificates. Confirm.
     *
     * @param z true to validate the key store certificates at load time
     */
    public void setValidateCerts(boolean z) {
        this.M = z;
    }

    /**
     * Sets the "validate peer certificates" flag (field {@code N}).
     *
     * @param z true to validate peer certificates; where the flag is read is not visible in this
     *     part of the file
     */
    public void setValidatePeerCerts(boolean z) {
        this.N = z;
    }

    /**
     * Sets the "want client authentication" flag (field {@code D}).
     *
     * <p>Marked deprecated in this class; the replacement is not visible in this part of the file.
     *
     * @param z true to request, but not require, client certificates
     */
    @Deprecated
    public void setWantClientAuth(boolean z) {
        this.D = z;
    }

    /**
     * Describes this factory by simple class name, identity hash, provider, key store resource and
     * trust store resource. No password field is included in the output.
     *
     * @return the description
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public String toString() {
        String simpleName = getClass().getSimpleName();
        return String.format("%s@%x[provider=%s,keyStore=%s,trustStore=%s]", simpleName, hashCode(), this.H, this.v, this.z);
    }
}
