package org.springframework.boot.web.embedded.tomcat;

import ch.qos.logback.core.net.ssl.SSL;
import java.io.FileNotFoundException;
import java.util.function.Supplier;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerException;
import org.springframework.security.config.http.PortMappingsBeanDefinitionParser;
import org.springframework.util.Assert;
import org.springframework.util.ResourceUtils;
import org.springframework.util.StringUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/spring-boot-2.7.18.jar:org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.class */
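/**
 * {@link TomcatConnectorCustomizer} that enables TLS on a Tomcat {@link Connector} from the
 * Spring Boot {@link Ssl} settings and, optionally, an {@link SslStoreProvider}.
 * <p>
 * The customizer switches SSL on for the connector's JSSE protocol handler, registers a single
 * {@link SSLHostConfig} bound to the handler's default SSL host name, attaches one
 * {@link SSLHostConfigCertificate} to it and finally marks the connector as {@code https} and
 * secure so the container reports requests on this connector as secure.
 * <p>
 * Key material is taken either from file locations in {@link Ssl} (when no
 * {@link SslStoreProvider} is supplied) or from the in-memory stores returned by the provider.
 */
public class SslConnectorCustomizer implements TomcatConnectorCustomizer {

    /** Scheme reported by the connector once TLS has been enabled on it. */
    private static final String HTTPS_SCHEME = "https";

    /** Key store type applied when {@link Ssl#getKeyStoreType()} is not configured. */
    private static final String DEFAULT_KEY_STORE_TYPE = "JKS";

    /** Tomcat {@code certificateVerification} value for {@link Ssl.ClientAuth#NEED}. */
    private static final String CLIENT_AUTH_REQUIRED = "required";

    /** Tomcat {@code certificateVerification} value for {@link Ssl.ClientAuth#WANT}. */
    private static final String CLIENT_AUTH_OPTIONAL = "optional";

    private final Ssl ssl;

    /** May be {@code null}; when absent, stores are resolved from {@link Ssl} locations. */
    private final SslStoreProvider sslStoreProvider;

    /**
     * Create a new customizer.
     * @param ssl the SSL settings to apply (must not be {@code null})
     * @param sslStoreProvider optional provider of in-memory key/trust stores, may be {@code null}
     * @throws IllegalArgumentException if {@code ssl} is {@code null}
     */
    public SslConnectorCustomizer(Ssl ssl, SslStoreProvider sslStoreProvider) {
        Assert.notNull(ssl, "Ssl configuration should not be null");
        this.ssl = ssl;
        this.sslStoreProvider = sslStoreProvider;
    }

    /**
     * Enable TLS on the given connector and mark it as the {@code https} scheme and secure.
     * @param connector the connector to customize
     * @throws IllegalStateException if the connector's protocol handler is not a JSSE handler
     */
    @Override // org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer
    public void customize(Connector connector) {
        ProtocolHandler protocolHandler = connector.getProtocolHandler();
        Assert.state(protocolHandler instanceof AbstractHttp11JsseProtocol,
                "To use SSL, the connector's protocol handler must be an AbstractHttp11JsseProtocol subclass");
        configureSsl((AbstractHttp11JsseProtocol<?>) protocolHandler, this.ssl, this.sslStoreProvider);
        // Scheme and secure flag drive what the container reports to the application
        // (e.g. request.isSecure()); they are set after the handler is fully configured.
        connector.setScheme(HTTPS_SCHEME);
        connector.setSecure(true);
    }

    /**
     * Configure TLS on the protocol handler.
     * <p>
     * A fresh {@link SSLHostConfig} is created for the handler's default SSL host name and a
     * single certificate entry is attached to it. Passwords and the key alias from {@link Ssl}
     * are applied only when non-{@code null}. When an {@link SslStoreProvider} is given, the
     * stores come from the provider and a non-{@code null} provider key password overrides the
     * key password taken from {@link Ssl}; otherwise the stores are loaded from the locations
     * configured in {@link Ssl}.
     * @param protocol the JSSE protocol handler to configure
     * @param ssl the SSL settings
     * @param sslStoreProvider optional store provider, may be {@code null}
     */
    protected void configureSsl(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl,
            SslStoreProvider sslStoreProvider) {
        protocol.setSSLEnabled(true);
        SSLHostConfig hostConfig = new SSLHostConfig();
        hostConfig.setHostName(protocol.getDefaultSSLHostConfigName());
        hostConfig.setSslProtocol(ssl.getProtocol());
        protocol.addSslHostConfig(hostConfig);
        configureSslClientAuth(hostConfig, ssl);
        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(hostConfig,
                SSLHostConfigCertificate.Type.UNDEFINED);
        if (ssl.getKeyStorePassword() != null) {
            certificate.setCertificateKeystorePassword(ssl.getKeyStorePassword());
        }
        if (ssl.getKeyPassword() != null) {
            certificate.setCertificateKeyPassword(ssl.getKeyPassword());
        }
        if (ssl.getKeyAlias() != null) {
            certificate.setCertificateKeyAlias(ssl.getKeyAlias());
        }
        hostConfig.addCertificate(certificate);
        // Tomcat takes the cipher list as a single comma-delimited string.
        String ciphers = StringUtils.arrayToCommaDelimitedString(ssl.getCiphers());
        if (StringUtils.hasText(ciphers)) {
            hostConfig.setCiphers(ciphers);
        }
        configureEnabledProtocols(protocol, ssl);
        if (sslStoreProvider == null) {
            configureSslKeyStore(certificate, ssl);
            configureSslTrustStore(hostConfig, ssl);
            return;
        }
        configureSslStoreProvider(protocol, hostConfig, certificate, sslStoreProvider);
        // The provider's key password, when present, wins over Ssl#getKeyPassword() set above.
        String keyPassword = sslStoreProvider.getKeyPassword();
        if (keyPassword != null) {
            certificate.setCertificateKeyPassword(keyPassword);
        }
    }

    /**
     * Restrict the enabled TLS protocol versions on every {@link SSLHostConfig} registered
     * with the handler (not only the one created by this customizer).
     * @param protocol the protocol handler whose host configs are updated
     * @param ssl the SSL settings; nothing is changed when no enabled protocols are configured
     */
    private void configureEnabledProtocols(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
        if (ssl.getEnabledProtocols() == null) {
            return;
        }
        // Tomcat accepts several protocol names joined with '+'.
        String protocols = StringUtils.arrayToDelimitedString(ssl.getEnabledProtocols(), "+");
        for (SSLHostConfig hostConfig : protocol.findSslHostConfigs()) {
            hostConfig.setProtocols(protocols);
        }
    }

    /**
     * Map the Spring Boot client-auth setting onto Tomcat's certificate verification mode.
     * {@link Ssl.ClientAuth#NEED} becomes {@code required}, {@link Ssl.ClientAuth#WANT}
     * becomes {@code optional}; any other value leaves Tomcat's own default untouched.
     * @param hostConfig the host config to update
     * @param ssl the SSL settings
     */
    private void configureSslClientAuth(SSLHostConfig hostConfig, Ssl ssl) {
        Ssl.ClientAuth clientAuth = ssl.getClientAuth();
        if (clientAuth == Ssl.ClientAuth.NEED) {
            hostConfig.setCertificateVerification(CLIENT_AUTH_REQUIRED);
        } else if (clientAuth == Ssl.ClientAuth.WANT) {
            hostConfig.setCertificateVerification(CLIENT_AUTH_OPTIONAL);
        }
    }

    /**
     * Install the in-memory key store and trust store supplied by an {@link SslStoreProvider}.
     * Either store is skipped when the provider returns {@code null} for it.
     * @param protocol the protocol handler; must be an {@link Http11NioProtocol}
     * @param hostConfig the host config receiving the trust store
     * @param certificate the certificate entry receiving the key store
     * @param sslStoreProvider the store provider
     * @throws IllegalArgumentException if the handler is not an {@link Http11NioProtocol}
     * @throws WebServerException if a store cannot be obtained from the provider
     */
    protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol, SSLHostConfig hostConfig,
            SSLHostConfigCertificate certificate, SslStoreProvider sslStoreProvider) {
        Assert.isInstanceOf(Http11NioProtocol.class, protocol,
                "SslStoreProvider can only be used with Http11NioProtocol");
        try {
            if (sslStoreProvider.getKeyStore() != null) {
                certificate.setCertificateKeystore(sslStoreProvider.getKeyStore());
            }
            if (sslStoreProvider.getTrustStore() != null) {
                hostConfig.setTrustStore(sslStoreProvider.getTrustStore());
            }
        } catch (Exception ex) {
            // Provider failures are surfaced as a server start failure with the cause retained.
            throw new WebServerException("Could not load store: " + ex.getMessage(), ex);
        }
    }

    /**
     * Point the certificate entry at the key store configured in {@link Ssl}.
     * <p>
     * For {@code PKCS11} stores the key material lives in a hardware/provider token, so a
     * file location must not be given; for every other type the configured location is
     * resolved to a URL and set as the key store file.
     * @param certificate the certificate entry to update
     * @param ssl the SSL settings
     * @throws IllegalStateException if a location is given for a {@code PKCS11} key store
     * @throws WebServerException if the key store location cannot be resolved
     */
    private void configureSslKeyStore(SSLHostConfigCertificate certificate, Ssl ssl) {
        String keyStoreType = (ssl.getKeyStoreType() != null) ? ssl.getKeyStoreType() : DEFAULT_KEY_STORE_TYPE;
        String keyStore = ssl.getKeyStore();
        if (keyStoreType.equalsIgnoreCase("PKCS11")) {
            Assert.state(!StringUtils.hasText(keyStore),
                    () -> "Keystore location '" + keyStore + "' must be empty or null for PKCS11 key stores");
        } else {
            try {
                certificate.setCertificateKeystoreFile(ResourceUtils.getURL(keyStore).toString());
            } catch (Exception ex) {
                throw new WebServerException("Could not load key store '" + keyStore + "'", ex);
            }
        }
        certificate.setCertificateKeystoreType(keyStoreType);
        if (ssl.getKeyStoreProvider() != null) {
            certificate.setCertificateKeystoreProvider(ssl.getKeyStoreProvider());
        }
    }

    /**
     * Apply the trust store settings from {@link Ssl} to the host config. Each of location,
     * password, type and provider is applied only when configured.
     * @param hostConfig the host config to update
     * @param ssl the SSL settings
     * @throws WebServerException if the trust store location cannot be resolved
     */
    private void configureSslTrustStore(SSLHostConfig hostConfig, Ssl ssl) {
        if (ssl.getTrustStore() != null) {
            try {
                hostConfig.setTruststoreFile(ResourceUtils.getURL(ssl.getTrustStore()).toString());
            } catch (FileNotFoundException ex) {
                throw new WebServerException("Could not load trust store: " + ex.getMessage(), ex);
            }
        }
        if (ssl.getTrustStorePassword() != null) {
            hostConfig.setTruststorePassword(ssl.getTrustStorePassword());
        }
        if (ssl.getTrustStoreType() != null) {
            hostConfig.setTruststoreType(ssl.getTrustStoreType());
        }
        if (ssl.getTrustStoreProvider() != null) {
            hostConfig.setTruststoreProvider(ssl.getTrustStoreProvider());
        }
    }
}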
