package org.apache.tomcat.util.net.jsse;

import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathParameters;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.compat.JreVendor;
import org.apache.tomcat.util.file.ConfigFileLoader;
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtilBase;
import org.apache.tomcat.util.res.StringManager;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-8.5.29.jar:org/apache/tomcat/util/net/jsse/JSSEUtil.class */
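/**
 * JSSE implementation of {@link SSLUtilBase}: builds the {@link SSLContext},
 * key managers and trust managers for one {@link SSLHostConfigCertificate}
 * from the standard Java security providers.
 * <p>
 * The sets of protocols and cipher suites the provider supports are probed
 * once, in the static initializer, and exposed through
 * {@link #getImplementedProtocols()} / {@link #getImplementedCiphers()} for
 * the base class to intersect with the configured values.
 */
public class JSSEUtil extends SSLUtilBase {

    private static final Log log = LogFactory.getLog(JSSEUtil.class);
    private static final StringManager sm = StringManager.getManager(JSSEUtil.class);

    // Capability of the JSSE provider, not the enabled configuration: which
    // protocols / suites are actually offered on the wire is decided by the
    // caller (SSLHostConfig / SSLUtilBase) from these sets.
    private static final Set<String> implementedProtocols;
    private static final Set<String> implementedCiphers;

    private final SSLHostConfig sslHostConfig;

    static {
        try {
            // Probe the provider with a TLS context to discover its capabilities.
            JSSESSLContext context = new JSSESSLContext(Constants.SSL_PROTO_TLS);
            context.init(null, null, null);

            String[] protocols = context.getSupportedSSLParameters().getProtocols();
            implementedProtocols = new HashSet<>(protocols.length);
            for (String protocol : protocols) {
                String protocolUpper = protocol.toUpperCase(Locale.ENGLISH);
                // Every non-SSL* name is kept. SSLv2Hello and SSLv3 are also kept
                // in the "implemented" set so an explicit configuration can name
                // them; any other SSL* name reported by the provider is dropped.
                boolean keep = "SSLV2HELLO".equals(protocolUpper)
                        || "SSLV3".equals(protocolUpper)
                        || !protocolUpper.contains("SSL");
                if (keep) {
                    implementedProtocols.add(protocol);
                } else {
                    log.debug(sm.getString("jsse.excludeProtocol", protocol));
                }
            }
            if (implementedProtocols.isEmpty()) {
                log.warn(sm.getString("jsse.noDefaultProtocols"));
            }

            String[] cipherSuites = context.getSupportedSSLParameters().getCipherSuites();
            if (JreVendor.IS_IBM_JVM) {
                // On IBM JVMs every suite reported with an SSL prefix is also
                // registered under its TLS-prefixed spelling, so either name in
                // the configuration matches.
                implementedCiphers = new HashSet<>(cipherSuites.length * 2);
                for (String cipherSuite : cipherSuites) {
                    implementedCiphers.add(cipherSuite);
                    if (cipherSuite.startsWith("SSL")) {
                        implementedCiphers.add(Constants.SSL_PROTO_TLS + cipherSuite.substring(3));
                    }
                }
            } else {
                implementedCiphers = new HashSet<>(Arrays.asList(cipherSuites));
            }
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            // Without a working TLS provider nothing in this class can work.
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Creates a utility bound to one certificate and its host configuration.
     *
     * @param certificate the certificate configuration to build managers for
     */
    public JSSEUtil(SSLHostConfigCertificate certificate) {
        super(certificate);
        this.sslHostConfig = certificate.getSSLHostConfig();
    }

    @Override // org.apache.tomcat.util.net.SSLUtilBase
    protected Log getLog() {
        return log;
    }

    @Override // org.apache.tomcat.util.net.SSLUtilBase
    protected Set<String> getImplementedProtocols() {
        return implementedProtocols;
    }

    @Override // org.apache.tomcat.util.net.SSLUtilBase
    protected Set<String> getImplementedCiphers() {
        return implementedCiphers;
    }

    /**
     * Creates an uninitialised JSSE context for the configured
     * {@code sslProtocol}. The requested protocol list is not consulted here;
     * the enabled protocols are applied to the context later by the caller.
     *
     * @param protocols ignored by this implementation
     * @return a new, uninitialised context
     * @throws NoSuchAlgorithmException if no provider implements the configured
     *         protocol
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public SSLContext createSSLContext(List<String> protocols) throws NoSuchAlgorithmException {
        return new JSSESSLContext(sslHostConfig.getSslProtocol());
    }

    /**
     * Builds the key managers for the certificate this instance was created
     * for.
     * <p>
     * PEM-configured certificates, and keystore entries whose private key is in
     * {@code PKCS#8} format, are copied into a fresh in-memory keystore that
     * holds only the selected key, so the {@link KeyManagerFactory} never sees
     * other entries (or other key passwords). Any other keystore is passed to
     * the factory unchanged, and the resulting managers are wrapped in
     * {@link JSSEKeyManager} so that only the selected alias is ever offered.
     *
     * @return the key managers from the factory, or {@code null} if it returns
     *         none
     * @throws IOException if a PEM certificate has no certificate file, if the
     *         configured alias is not a key entry, or if the keystore holds no
     *         key entry at all
     * @throws Exception for any other keystore, PEM or factory failure
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public KeyManager[] getKeyManagers() throws Exception {
        String keystoreType = certificate.getCertificateKeystoreType();
        String keyAlias = certificate.getCertificateKeyAlias();
        String algorithm = sslHostConfig.getKeyManagerAlgorithm();

        // The key password falls back to the keystore password.
        // NOTE(review): if both are null the toCharArray() below throws an NPE;
        // presumably SSLHostConfigCertificate supplies a default keystore
        // password - confirm against that class.
        String keyPass = certificate.getCertificateKeyPassword();
        if (keyPass == null) {
            keyPass = certificate.getCertificateKeystorePassword();
        }
        char[] keyPassArray = keyPass.toCharArray();

        KeyStore ks = certificate.getCertificateKeystore();
        KeyStore ksUsed = ks;

        if (ks == null) {
            // No keystore: key and certificates come from PEM files. The alias
            // only names the entry in the in-memory store that is built here.
            if (keyAlias == null) {
                keyAlias = "tomcat";
            }
            ksUsed = buildPemKeyStore(keyAlias, keyPass, keyPassArray);
        } else {
            keyAlias = selectKeyAlias(ks, keyAlias);
            Key key = ks.getKey(keyAlias, keyPassArray);
            if (key != null && "PKCS#8".equalsIgnoreCase(key.getFormat())) {
                // Isolate the selected key in its own store; see class comment.
                ksUsed = copyKeyToInMemoryKeyStore(ks, keyAlias, key, keyPassArray);
            }
            // Keys in any other format use the configured store as-is.
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(ksUsed, keyPassArray);
        KeyManager[] kms = kmf.getKeyManagers();

        // Filtering by alias is only needed when the original (multi-entry)
        // store was used; the in-memory stores hold a single key.
        if (kms != null && ksUsed == ks) {
            String alias = keyAlias;
            if ("JKS".equals(keystoreType)) {
                // JKS stores aliases in lower case, so match that form.
                alias = alias.toLowerCase(Locale.ENGLISH);
            }
            for (int i = 0; i < kms.length; i++) {
                kms[i] = new JSSEKeyManager((X509KeyManager) kms[i], alias);
            }
        }
        return kms;
    }

    /**
     * Imports the configured PEM private key and certificate chain into a new
     * in-memory JKS keystore under {@code alias}.
     *
     * @param alias        alias for the single key entry
     * @param keyPass      password protecting the PEM private key
     * @param keyPassArray the same password, used to protect the new entry
     * @return the populated in-memory keystore
     * @throws IOException if no certificate file is configured
     * @throws Exception   if the PEM files or the keystore cannot be processed
     */
    private KeyStore buildPemKeyStore(String alias, String keyPass, char[] keyPassArray)
            throws Exception {
        if (certificate.getCertificateFile() == null) {
            throw new IOException(sm.getString("jsse.noCertFile"));
        }

        // The private key may live in its own file or be bundled with the
        // certificate.
        String keyFile = certificate.getCertificateKeyFile() != null
                ? certificate.getCertificateKeyFile()
                : certificate.getCertificateFile();
        PEMFile privateKeyFile = new PEMFile(SSLHostConfig.adjustRelativePath(keyFile), keyPass);
        PEMFile certificateFile =
                new PEMFile(SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()));

        List<Certificate> chain = new ArrayList<>();
        chain.addAll(certificateFile.getCertificates());
        if (certificate.getCertificateChainFile() != null) {
            PEMFile chainFile = new PEMFile(
                    SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()));
            chain.addAll(chainFile.getCertificates());
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry(alias, privateKeyFile.getPrivateKey(), keyPassArray,
                chain.toArray(new Certificate[chain.size()]));
        return ks;
    }

    /**
     * Resolves the alias of the key entry to use from {@code ks}.
     *
     * @param ks              the configured keystore
     * @param configuredAlias the alias from the configuration, or {@code null}
     *                        to use the first key entry in the store
     * @return the alias of a key entry in {@code ks}, never {@code null}
     * @throws IOException if the configured alias is not a key entry, or no
     *                     alias was configured and the store has no key entry
     */
    private static String selectKeyAlias(KeyStore ks, String configuredAlias) throws Exception {
        if (configuredAlias != null) {
            if (!ks.isKeyEntry(configuredAlias)) {
                throw new IOException(sm.getString("jsse.alias_no_key_entry", configuredAlias));
            }
            return configuredAlias;
        }

        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            throw new IOException(sm.getString("jsse.noKeys"));
        }
        // First entry that actually holds a key; certificate-only entries are
        // skipped.
        while (aliases.hasMoreElements()) {
            String candidate = aliases.nextElement();
            if (ks.isKeyEntry(candidate)) {
                return candidate;
            }
        }
        throw new IOException(sm.getString("jsse.alias_no_key_entry", (Object) null));
    }

    /**
     * Copies one key entry and its chain from {@code ks} into a new in-memory
     * keystore of the configured type (and provider, when one is configured).
     *
     * @param ks           the source keystore
     * @param alias        the entry to copy
     * @param key          the already-retrieved private key of that entry
     * @param keyPassArray password to protect the copied entry with
     * @return the new single-entry keystore
     * @throws Exception if the keystore cannot be created or populated
     */
    private KeyStore copyKeyToInMemoryKeyStore(KeyStore ks, String alias, Key key,
            char[] keyPassArray) throws Exception {
        String provider = certificate.getCertificateKeystoreProvider();
        KeyStore copy = provider == null
                ? KeyStore.getInstance(certificate.getCertificateKeystoreType())
                : KeyStore.getInstance(certificate.getCertificateKeystoreType(), provider);
        copy.load(null, null);
        copy.setKeyEntry(alias, key, keyPassArray, ks.getCertificateChain(alias));
        return copy;
    }

    /**
     * Builds the trust managers used to verify client certificates.
     * <p>
     * If {@code trustManagerClassName} is configured, that class is loaded
     * through this class's class loader, instantiated via its no-arg
     * constructor and used on its own - it replaces truststore-based
     * verification entirely, so the configuration is the trust decision.
     * Otherwise the configured truststore is used: with the {@code PKIX}
     * algorithm CRL and path-depth settings are honoured through
     * {@link #getParameters}; with any other algorithm a configured CRL file
     * is an error and a configured verification depth is ignored with a
     * warning.
     *
     * @return the trust managers, or {@code null} if neither a trust manager
     *         class nor a truststore is configured
     * @throws InstantiationException if the configured class is not a
     *         {@link TrustManager}
     * @throws CRLException if a CRL file is configured with a non-PKIX
     *         algorithm
     * @throws Exception for class loading, keystore or factory failures
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public TrustManager[] getTrustManagers() throws Exception {
        String className = sslHostConfig.getTrustManagerClassName();
        if (className != null && !className.isEmpty()) {
            Class<?> clazz = getClass().getClassLoader().loadClass(className);
            if (!TrustManager.class.isAssignableFrom(clazz)) {
                throw new InstantiationException(
                        sm.getString("jsse.invalidTrustManagerClassName", className));
            }
            return new TrustManager[] { (TrustManager) clazz.getConstructor().newInstance() };
        }

        KeyStore trustStore = sslHostConfig.getTruststore();
        if (trustStore == null) {
            return null;
        }

        checkTrustStoreEntries(trustStore);

        String algorithm = sslHostConfig.getTruststoreAlgorithm();
        String crlFile = sslHostConfig.getCertificateRevocationListFile();
        boolean revocationEnabled = sslHostConfig.getRevocationEnabled();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        if ("PKIX".equalsIgnoreCase(algorithm)) {
            CertPathParameters params = getParameters(crlFile, trustStore, revocationEnabled);
            tmf.init(new CertPathTrustManagerParameters(params));
        } else {
            tmf.init(trustStore);
            // Only PKIX accepts CertPathParameters, so CRLs cannot be applied
            // here: refuse rather than silently run without revocation checks.
            if (crlFile != null && !crlFile.isEmpty()) {
                throw new CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
            }
            if (sslHostConfig.isCertificateVerificationDepthConfigured()) {
                log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));
            }
        }
        return tmf.getTrustManagers();
    }

    /**
     * Logs every trusted certificate entry that is expired or not yet valid.
     * Entries are not removed or rejected - this is a configuration warning
     * only; the trust manager built from the store still decides trust.
     * Non-X.509 entries are reported at debug level and otherwise skipped.
     *
     * @param trustStore the truststore to inspect
     * @throws Exception if the store cannot be enumerated
     */
    private void checkTrustStoreEntries(KeyStore trustStore) throws Exception {
        Enumeration<String> aliases = trustStore.aliases();
        if (aliases == null) {
            return;
        }
        Date now = new Date();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!trustStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate cert = trustStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jsseUtil.trustedCertNotChecked", alias));
                }
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(now);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                String msg = sm.getString("jsseUtil.trustedCertNotValid", alias,
                        x509.getSubjectDN(), e.getMessage());
                // The stack trace adds nothing at warn level; keep it for debug.
                if (log.isDebugEnabled()) {
                    log.debug(msg, e);
                } else {
                    log.warn(msg);
                }
            }
        }
    }

    /**
     * Applies the configured session cache size and timeout to the context.
     *
     * @param sessionContext the context to configure
     */
    @Override // org.apache.tomcat.util.net.SSLUtil
    public void configureSessionContext(SSLSessionContext sessionContext) {
        sessionContext.setSessionCacheSize(sslHostConfig.getSessionCacheSize());
        sessionContext.setSessionTimeout(sslHostConfig.getSessionTimeout());
    }

    /**
     * Builds the PKIX parameters for certificate path validation.
     * <p>
     * When a CRL file is configured, its CRLs are supplied through a
     * {@code Collection} cert store and revocation checking is switched on
     * regardless of {@code revocationEnabled}; otherwise revocation checking
     * follows that flag. The configured verification depth becomes the maximum
     * path length.
     *
     * @param crlFile           path of the CRL file, or {@code null}/empty for
     *                          none
     * @param trustStore        truststore holding the trust anchors
     * @param revocationEnabled revocation setting used when no CRL file is
     *                          configured
     * @return the populated parameters
     * @throws Exception if the CRLs cannot be read or the parameters cannot be
     *                   built
     */
    protected CertPathParameters getParameters(String crlFile, KeyStore trustStore,
            boolean revocationEnabled) throws Exception {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        if (crlFile != null && !crlFile.isEmpty()) {
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(getCRLs(crlFile))));
            params.setRevocationEnabled(true);
        } else {
            params.setRevocationEnabled(revocationEnabled);
        }
        params.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
        return params;
    }

    /**
     * Reads all X.509 CRLs from the given file.
     *
     * @param crlFile path resolved through {@link ConfigFileLoader}
     * @return the CRLs found in the file
     * @throws IOException          if the file cannot be opened or read
     * @throws CRLException         if the CRL data cannot be parsed
     * @throws CertificateException if no X.509 factory is available
     */
    protected Collection<? extends CRL> getCRLs(String crlFile)
            throws IOException, CRLException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream is = ConfigFileLoader.getInputStream(crlFile)) {
            return cf.generateCRLs(is);
        }
    }
}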
