package org.apache.tomcat.util.net;

import ch.qos.logback.core.net.ssl.SSL;
import com.hazelcast.config.JavaKeyStoreSecureStoreConfig;
import com.hazelcast.internal.nio.ConnectionType;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.DomainLoadStoreParameter;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathParameters;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.file.ConfigFileLoader;
import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
import org.apache.tomcat.util.net.jsse.PEMFile;
import org.apache.tomcat.util.res.StringManager;
import org.apache.tomcat.util.security.KeyStoreUtil;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.36.jar:org/apache/tomcat/util/net/SSLUtilBase.class */
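/**
 * Common TLS set-up shared by the JSSE and OpenSSL {@link SSLUtil} implementations.
 * <p>
 * Responsibilities visible here:
 * <ul>
 * <li>intersect the configured protocols / ciphers with what the implementation supports
 * (constructor, {@link #getEnabled});</li>
 * <li>load key stores from files, password files, DKS domains or provider-backed stores
 * ({@link #getStore});</li>
 * <li>build the {@link KeyManager}s for the server certificate, from a key store or from PEM
 * files ({@link #getKeyManagers});</li>
 * <li>build the {@link TrustManager}s for client-certificate verification, including CRL and
 * revocation handling for the PKIX algorithm ({@link #getTrustManagers}).</li>
 * </ul>
 * Subclasses supply the implementation-specific capability queries via the abstract methods at
 * the bottom of this class. Note that the constructor calls {@link #getLog()},
 * {@link #getImplementedProtocols()}, {@link #getImplementedCiphers()} and
 * {@link #isTls13RenegAuthAvailable()}, so subclass implementations of those must not depend
 * on subclass state initialised after {@code super(...)} returns.
 */
public abstract class SSLUtilBase implements SSLUtil {

    private static final Log log = LogFactory.getLog(SSLUtilBase.class);
    private static final StringManager sm = StringManager.getManager(SSLUtilBase.class);

    /** Alias used for a PEM-sourced private key when no alias is configured. */
    public static final String DEFAULT_KEY_ALIAS = "tomcat";

    // Key store type / path names compared in this class. They are spelled out as literals so
    // the comparisons carry no dependency on constants defined by unrelated libraries.
    private static final String TYPE_JKS = "JKS";
    private static final String TYPE_PKCS12 = "PKCS12";
    private static final String TYPE_PKCS11 = "PKCS11";
    private static final String TYPE_DKS = "DKS";
    /** Key store path value meaning "no backing file" (provider / hardware backed stores). */
    private static final String PATH_NONE = "NONE";

    protected final SSLHostConfig sslHostConfig;
    protected final SSLHostConfigCertificate certificate;
    private final String[] enabledProtocols;
    private final String[] enabledCiphers;

    /**
     * Equivalent to {@code SSLUtilBase(certificate, true)}: skipped protocols and ciphers are
     * reported at WARN level.
     *
     * @param certificate the certificate configuration this instance serves
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SSLUtilBase(SSLHostConfigCertificate certificate) {
        this(certificate, true);
    }

    /**
     * Resolves the effective protocol and cipher lists for {@code certificate}'s host
     * configuration.
     *
     * @param certificate the certificate configuration this instance serves
     * @param warnOnSkip  when {@code true}, configured protocols / ciphers that the
     *                    implementation does not support are logged at WARN (otherwise DEBUG),
     *                    and the TLS 1.3 optional-client-auth warning is emitted
     * @throws IllegalArgumentException if none of the configured protocols or ciphers is
     *                                  supported by the implementation
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SSLUtilBase(SSLHostConfigCertificate certificate, boolean warnOnSkip) {
        this.certificate = certificate;
        this.sslHostConfig = certificate.getSSLHostConfig();

        Set<String> configuredProtocols = sslHostConfig.getProtocols();
        Set<String> implementedProtocols = getImplementedProtocols();
        // TLSv1.3 and SSLv2Hello are dropped quietly when the implementation lacks them, unless
        // the user named them explicitly - then they are kept so getEnabled() reports the skip.
        if (!implementedProtocols.contains("TLSv1.3")
                && !sslHostConfig.isExplicitlyRequestedProtocol("TLSv1.3")) {
            configuredProtocols.remove("TLSv1.3");
        }
        if (!implementedProtocols.contains("SSLv2Hello")
                && !sslHostConfig.isExplicitlyRequestedProtocol("SSLv2Hello")) {
            configuredProtocols.remove("SSLv2Hello");
        }
        List<String> enabled = getEnabled("protocols", getLog(), warnOnSkip, configuredProtocols,
                implementedProtocols);
        if (enabled.contains("SSLv3")) {
            // SSLv3 is accepted if configured, but it is an insecure protocol: always warn.
            log.warn(sm.getString("sslUtilBase.ssl3"));
        }
        this.enabledProtocols = enabled.toArray(new String[0]);

        boolean tls13RenegAuth = isTls13RenegAuthAvailable();
        if (warnOnSkip && enabled.contains("TLSv1.3")
                && sslHostConfig.getCertificateVerification().isOptional() && !tls13RenegAuth) {
            // Optional client auth relies on post-handshake authentication with TLS 1.3; warn
            // when the implementation cannot provide it.
            log.warn(sm.getString("sslUtilBase.tls13.auth"));
        }
        sslHostConfig.setTls13RenegotiationAvailable(tls13RenegAuth);

        String ciphers = sslHostConfig.getCiphers();
        if (ciphers.startsWith("PROFILE=")) {
            // A PROFILE= specification is left to the implementation to expand; there is no
            // explicit list to filter here.
            this.enabledCiphers = new String[0];
        } else {
            // Only warn about skipped ciphers when the user changed the default list.
            boolean warnOnSkippedCiphers = !ciphers.equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
            this.enabledCiphers = getEnabled("ciphers", getLog(), warnOnSkippedCiphers,
                    sslHostConfig.getJsseCipherNames(), getImplementedCiphers())
                    .toArray(new String[0]);
        }
    }

    /**
     * Intersects a configured list with the list the implementation supports.
     *
     * @param name        what is being filtered ("protocols" / "ciphers"), for log messages
     * @param logger      log to report to
     * @param warnOnSkip  report skipped entries at WARN rather than DEBUG
     * @param configured  the configured values, in order
     * @param implemented the values the implementation supports; an empty collection means
     *                    "unknown" and the configured list is returned unfiltered
     * @return the configured values that are supported, in configuration order
     * @throws IllegalArgumentException if {@code implemented} is non-empty and no configured
     *                                  value is supported
     */
    static <T> List<T> getEnabled(String name, Log logger, boolean warnOnSkip,
            Collection<T> configured, Collection<T> implemented) {
        List<T> enabled = new ArrayList<>(configured);
        if (implemented.isEmpty()) {
            // Capabilities not reported: accept the configuration as-is.
            return enabled;
        }
        enabled.retainAll(implemented);
        if (enabled.isEmpty()) {
            throw new IllegalArgumentException(
                    sm.getString("sslUtilBase.noneSupported", name, configured));
        }
        if (logger.isDebugEnabled()) {
            logger.debug(sm.getString("sslUtilBase.active", name, enabled));
        }
        if ((warnOnSkip || logger.isDebugEnabled()) && enabled.size() != configured.size()) {
            List<T> skipped = new ArrayList<>(configured);
            skipped.removeAll(enabled);
            String msg = sm.getString("sslUtilBase.skipped", name, skipped);
            if (warnOnSkip) {
                logger.warn(msg);
            } else {
                logger.debug(msg);
            }
        }
        return enabled;
    }

    /**
     * Loads a key store described by connector configuration.
     *
     * @param type     key store type, e.g. {@code JKS}, {@code PKCS12}, {@code PKCS11},
     *                 {@code DKS}
     * @param provider security provider name, or {@code null} for the default
     * @param path     key store location; ignored for {@code PKCS11}, and {@code ""} or
     *                 {@code NONE} mean there is no backing file
     * @param pass     key store password, or {@code null}
     * @param passFile file whose first line is the key store password; takes precedence over
     *                 {@code pass} when non-null
     * @return the loaded key store
     * @throws IOException if the store or password file cannot be read, or any other failure
     *                     occurs while loading (wrapped, with the original exception as cause)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static KeyStore getStore(String type, String provider, String path, String pass,
            String passFile) throws IOException {
        InputStream istream = null;
        try {
            KeyStore ks = provider == null ? KeyStore.getInstance(type)
                    : KeyStore.getInstance(type, provider);
            if (TYPE_DKS.equalsIgnoreCase(type)) {
                // Domain key stores are described by a URI, not a stream.
                ks.load(new DomainLoadStoreParameter(ConfigFileLoader.getSource().getURI(path),
                        Collections.emptyMap()));
                return ks;
            }
            // Provider / hardware backed stores expect a null stream.
            if (!TYPE_PKCS11.equalsIgnoreCase(type) && !path.isEmpty()
                    && !PATH_NONE.equalsIgnoreCase(path)) {
                istream = ConfigFileLoader.getSource().getResource(path).getInputStream();
            }
            String effectivePass = passFile != null ? readFirstLine(passFile) : pass;
            // An empty password is only passed through for JKS and PKCS12, where "" and null
            // behave differently. Every other type gets null for an empty password so that
            // password-less stores are not handed an empty char array.
            char[] storePass = null;
            if (effectivePass != null && (!"".equals(effectivePass)
                    || TYPE_JKS.equalsIgnoreCase(type) || TYPE_PKCS12.equalsIgnoreCase(type))) {
                storePass = effectivePass.toCharArray();
            }
            KeyStoreUtil.load(ks, istream, storePass);
            return ks;
        } catch (IOException ioe) {
            // Typically an unreadable store or password file. Re-thrown unwrapped so the caller
            // can decide how to report it.
            throw ioe;
        } catch (Exception e) {
            String msg = sm.getString("sslUtilBase.keystore_load_failed", type, path,
                    e.getMessage());
            log.error(msg, e);
            // Keep the cause attached for callers that do not have this log.
            throw new IOException(msg, e);
        } finally {
            // Closed on every path, including the failure paths.
            closeQuietly(istream);
        }
    }

    /**
     * Reads the first line of a password file (UTF-8).
     *
     * @param passwordFile resource name of the password file
     * @return the first line, or {@code null} if the file is empty
     * @throws IOException if the file cannot be read
     */
    private static String readFirstLine(String passwordFile) throws IOException {
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(
                ConfigFileLoader.getSource().getResource(passwordFile).getInputStream(),
                StandardCharsets.UTF_8))) {
            return reader.readLine();
        }
    }

    /**
     * Best-effort close of a stream that may be {@code null}; close failures are ignored
     * because by then the store has either been loaded or the real error is already
     * propagating.
     */
    private static void closeQuietly(InputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException ignored) {
            // Best-effort close, see above.
        }
    }

    /**
     * Creates and initialises the SSL context for the given negotiated-protocol (ALPN) names.
     * The {@link java.security.SecureRandom} argument to {@code init} is left {@code null} so
     * the provider picks its default.
     *
     * @param negotiableProtocols ALPN protocol names to offer
     * @return the initialised context
     * @throws Exception on any failure building key or trust managers
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public final SSLContext createSSLContext(List<String> negotiableProtocols) throws Exception {
        SSLContext ctx = createSSLContextInternal(negotiableProtocols);
        ctx.init(getKeyManagers(), getTrustManagers(), null);
        SSLSessionContext sessionContext = ctx.getServerSessionContext();
        if (sessionContext != null) {
            configureSessionContext(sessionContext);
        }
        return ctx;
    }

    /**
     * Applies the configured session cache size and timeout. Negative values mean "leave the
     * provider default in place".
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public void configureSessionContext(SSLSessionContext sessionContext) {
        int cacheSize = sslHostConfig.getSessionCacheSize();
        if (cacheSize >= 0) {
            sessionContext.setSessionCacheSize(cacheSize);
        }
        int timeout = sslHostConfig.getSessionTimeout();
        if (timeout >= 0) {
            sessionContext.setSessionTimeout(timeout);
        }
    }

    /**
     * Builds the key managers for the server certificate.
     * <p>
     * Source of the key, in order of precedence:
     * <ol>
     * <li>the configured key store, pinned to the configured alias (or the first key entry);</li>
     * <li>otherwise PEM files: the key file (or the certificate file when no separate key file
     * is configured), the certificate file and the optional chain file, assembled into an
     * in-memory JKS store under the configured alias or {@link #DEFAULT_KEY_ALIAS}.</li>
     * </ol>
     * The key password falls back to the key store password (and the key password file to the
     * key store password file); a password file wins over a literal password.
     *
     * @return the key managers, wrapped so that only the chosen alias is ever served when the
     *         whole configured key store was handed to the factory
     * @throws IOException if no certificate source is configured, the alias is not a key entry
     *                     or the key store has no key entries
     * @throws Exception   on any other key store / provider failure
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public KeyManager[] getKeyManagers() throws Exception {
        String keyAlias = certificate.getCertificateKeyAlias();
        String algorithm = sslHostConfig.getKeyManagerAlgorithm();

        String keyPassFile = certificate.getCertificateKeyPasswordFile();
        if (keyPassFile == null) {
            keyPassFile = certificate.getCertificateKeystorePasswordFile();
        }
        String keyPass = certificate.getCertificateKeyPassword();
        if (keyPass == null) {
            keyPass = certificate.getCertificateKeystorePassword();
        }
        String effectiveKeyPass = keyPassFile != null ? readFirstLine(keyPassFile) : keyPass;
        char[] keyPassArray = effectiveKeyPass != null ? effectiveKeyPass.toCharArray() : null;

        KeyStore configuredStore = certificate.getCertificateKeystore();
        KeyStore storeForFactory = configuredStore;

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        if (kmf.getProvider().getInfo().contains("FIPS")) {
            // The configured alias is not applied for FIPS providers; say so rather than let
            // the operator believe it took effect.
            if (keyAlias != null) {
                log.warn(sm.getString("sslUtilBase.aliasIgnored", keyAlias));
            }
            kmf.init(storeForFactory, keyPassArray);
            return kmf.getKeyManagers();
        }

        if (configuredStore == null) {
            if (certificate.getCertificateFile() == null) {
                throw new IOException(sm.getString("sslUtilBase.noCertFile"));
            }
            String keyFile = certificate.getCertificateKeyFile() != null
                    ? certificate.getCertificateKeyFile() : certificate.getCertificateFile();
            PEMFile privateKeyFile = new PEMFile(keyFile, keyPass, keyPassFile, (String) null);
            List<Certificate> chain =
                    new ArrayList<>(new PEMFile(certificate.getCertificateFile()).getCertificates());
            if (certificate.getCertificateChainFile() != null) {
                chain.addAll(new PEMFile(certificate.getCertificateChainFile()).getCertificates());
            }
            if (keyAlias == null) {
                keyAlias = DEFAULT_KEY_ALIAS;
            }
            storeForFactory = KeyStore.getInstance(TYPE_JKS);
            storeForFactory.load(null, null);
            storeForFactory.setKeyEntry(keyAlias, privateKeyFile.getPrivateKey(), keyPassArray,
                    chain.toArray(new Certificate[0]));
        } else {
            if (keyAlias != null && !configuredStore.isKeyEntry(keyAlias)) {
                throw new IOException(sm.getString("sslUtilBase.alias_no_key_entry", keyAlias));
            }
            if (keyAlias == null) {
                keyAlias = firstKeyEntryAlias(configuredStore);
            }
            Key key = configuredStore.getKey(keyAlias, keyPassArray);
            if (key != null && !TYPE_DKS.equalsIgnoreCase(certificate.getCertificateKeystoreType())
                    && "PKCS#8".equalsIgnoreCase(key.getFormat())) {
                // The key is extractable: copy just this entry into a fresh store of the same
                // type / provider so the factory never sees the other entries.
                String ksType = certificate.getCertificateKeystoreType();
                String ksProvider = certificate.getCertificateKeystoreProvider();
                storeForFactory = ksProvider == null ? KeyStore.getInstance(ksType)
                        : KeyStore.getInstance(ksType, ksProvider);
                storeForFactory.load(null, null);
                storeForFactory.setKeyEntry(keyAlias, key, keyPassArray,
                        configuredStore.getCertificateChain(keyAlias));
            }
        }

        kmf.init(storeForFactory, keyPassArray);
        KeyManager[] kms = kmf.getKeyManagers();
        if (kms != null && storeForFactory == configuredStore) {
            // The factory was given the whole configured store (non-extractable key, or DKS):
            // wrap each manager so that only the chosen alias is served.
            String alias = keyAlias;
            if (TYPE_JKS.equals(certificate.getCertificateKeystoreType())) {
                // JKS key stores report aliases in lower case; normalise to match.
                alias = alias.toLowerCase(Locale.ENGLISH);
            }
            for (int i = 0; i < kms.length; i++) {
                kms[i] = new JSSEKeyManager((X509KeyManager) kms[i], alias);
            }
        }
        return kms;
    }

    /**
     * Returns the first alias in {@code ks} that is a key entry.
     *
     * @throws IOException if the store has no aliases at all, or none of them is a key entry
     */
    private static String firstKeyEntryAlias(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            throw new IOException(sm.getString("sslUtilBase.noKeys"));
        }
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IOException(sm.getString("sslUtilBase.alias_no_key_entry", (Object) null));
    }

    /** @return the protocols resolved by the constructor */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public String[] getEnabledProtocols() {
        return enabledProtocols;
    }

    /** @return the ciphers resolved by the constructor (empty for a {@code PROFILE=} spec) */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public String[] getEnabledCiphers() {
        return enabledCiphers;
    }

    /**
     * Builds the trust managers used to verify client certificates.
     * <p>
     * A configured {@code trustManagerClassName} replaces the trust store entirely: the class is
     * loaded by this class's class loader, must implement {@link TrustManager} and is
     * instantiated via its no-arg constructor. Nothing else configured here (trust store, CRL
     * file, revocation flag, verification depth) is applied in that case.
     * <p>
     * Otherwise the trust store drives a {@link TrustManagerFactory}. Only the {@code PKIX}
     * algorithm honours the CRL file, the revocation flag and the verification depth; a CRL file
     * with any other algorithm is a hard error, and a configured depth only produces a warning.
     * Note that the revocation flag is silently ignored for non-PKIX algorithms.
     *
     * @return the trust managers, or {@code null} when neither a custom class nor a trust store
     *         is configured (the caller passes that to {@code SSLContext.init}, which then uses
     *         the provider defaults)
     * @throws InstantiationException if the configured class does not implement
     *                                {@link TrustManager}
     * @throws CRLException           if a CRL file is configured with a non-PKIX algorithm
     * @throws Exception              on any other loading / provider failure
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public TrustManager[] getTrustManagers() throws Exception {
        String className = sslHostConfig.getTrustManagerClassName();
        if (className != null && !className.isEmpty()) {
            // Class name comes from connector configuration, not from the peer.
            Class<?> clazz = getClass().getClassLoader().loadClass(className);
            if (!TrustManager.class.isAssignableFrom(clazz)) {
                throw new InstantiationException(
                        sm.getString("sslUtilBase.invalidTrustManagerClassName", className));
            }
            return new TrustManager[] { (TrustManager) clazz.getConstructor().newInstance() };
        }

        KeyStore trustStore = sslHostConfig.getTruststore();
        if (trustStore == null) {
            return null;
        }
        checkTrustStoreEntries(trustStore);

        String algorithm = sslHostConfig.getTruststoreAlgorithm();
        String crlFile = sslHostConfig.getCertificateRevocationListFile();
        boolean revocationEnabled = sslHostConfig.getRevocationEnabled();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        if ("PKIX".equalsIgnoreCase(algorithm)) {
            tmf.init(new CertPathTrustManagerParameters(
                    getParameters(crlFile, trustStore, revocationEnabled)));
            return tmf.getTrustManagers();
        }

        tmf.init(trustStore);
        TrustManager[] tms = tmf.getTrustManagers();
        if (crlFile != null && !crlFile.isEmpty()) {
            // Ignoring a configured CRL would silently weaken verification: fail instead.
            throw new CRLException(sm.getString("sslUtilBase.noCrlSupport", algorithm));
        }
        if (sslHostConfig.isCertificateVerificationDepthConfigured()) {
            log.warn(sm.getString("sslUtilBase.noVerificationDepth", algorithm));
        }
        return tms;
    }

    /**
     * Logs a warning for every trusted X.509 certificate entry that is expired or not yet
     * valid at the time of the call. This is diagnostic only: such entries are neither removed
     * nor do they cause start-up to fail.
     */
    private void checkTrustStoreEntries(KeyStore trustStore) throws Exception {
        Enumeration<String> aliases = trustStore.aliases();
        if (aliases == null) {
            return;
        }
        Date now = new Date();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!trustStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate cert = trustStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("sslUtilBase.trustedCertNotChecked", alias));
                }
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(now);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                String msg = sm.getString("sslUtilBase.trustedCertNotValid", alias,
                        x509.getSubjectX500Principal(), e.getMessage());
                if (log.isDebugEnabled()) {
                    log.warn(msg, e);
                } else {
                    log.warn(msg);
                }
            }
        }
    }

    /**
     * Builds the PKIX parameters for client-certificate path validation.
     *
     * @param crlFile           CRL file, or {@code null} / {@code ""} for none. When present its
     *                          CRLs are added as a cert store and revocation checking is forced
     *                          on regardless of {@code revocationEnabled}
     * @param trustStore        the trust anchors
     * @param revocationEnabled revocation setting used when no CRL file is configured
     * @return parameters with the configured maximum path length applied
     */
    protected CertPathParameters getParameters(String crlFile, KeyStore trustStore,
            boolean revocationEnabled) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        if (crlFile != null && !crlFile.isEmpty()) {
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(getCRLs(crlFile))));
            params.setRevocationEnabled(true);
        } else {
            params.setRevocationEnabled(revocationEnabled);
        }
        params.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
        return params;
    }

    /**
     * Parses the X.509 CRLs contained in {@code crlFile}.
     *
     * @param crlFile resource name of the CRL file
     * @return the CRLs found (the stream is always closed, also when parsing fails)
     * @throws IOException          if the file cannot be read
     * @throws CRLException         if the content is not a valid CRL
     * @throws CertificateException if no X.509 certificate factory is available
     */
    protected Collection<? extends CRL> getCRLs(String crlFile)
            throws IOException, CRLException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = ConfigFileLoader.getSource().getResource(crlFile).getInputStream()) {
            return cf.generateCRLs(in);
        }
    }

    /** @return protocol names the implementation supports; empty means "unknown, do not filter" */
    protected abstract Set<String> getImplementedProtocols();

    /** @return cipher names the implementation supports; empty means "unknown, do not filter" */
    protected abstract Set<String> getImplementedCiphers();

    /** @return the implementation's log, used for protocol / cipher filtering messages */
    protected abstract Log getLog();

    /** @return whether the implementation can authenticate a client after the TLS 1.3 handshake */
    protected abstract boolean isTls13RenegAuthAvailable();

    /**
     * Creates the uninitialised context; {@link #createSSLContext(List)} performs the
     * {@code init} call.
     */
    protected abstract SSLContext createSSLContextInternal(List<String> negotiableProtocols)
            throws Exception;
}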
