package org.springframework.boot.web.embedded.jetty;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.function.Supplier;
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.http2.HTTP2Cipher;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.springframework.boot.web.server.Http2;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.SslConfigurationValidator;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerException;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.ObjectUtils;
import org.springframework.util.ResourceUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-boot-2.3.6.RELEASE.jar:org/springframework/boot/web/embedded/jetty/SslServerCustomizer.class */
/**
 * {@link JettyServerCustomizer} that replaces a Jetty {@link Server}'s connectors with a
 * single TLS connector built from Spring Boot's {@link Ssl} settings.
 *
 * <p>This listing is decompiler output for spring-boot-2.3.6.RELEASE. The decompiler
 * notes that access modifiers were widened from package-private, so the {@code public}
 * visibility of this class, its constructor and the nested connector should be read as
 * a decompilation artifact, not as API.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>the {@code Server} version header is switched off on the HTTPS connector;</li>
 * <li>when an explicit cipher list is configured, the factory's exclude list is
 * replaced with an empty one, so the configured list alone decides which suites are
 * offered;</li>
 * <li>client-certificate authentication is only turned on for
 * {@code ClientAuth.NEED} / {@code ClientAuth.WANT};</li>
 * <li>the configured key alias is checked against the key store when the connector
 * starts.</li>
 * </ul>
 */
public class SslServerCustomizer implements JettyServerCustomizer {
    private static final String ALPN_REQUIRED = "An 'org.eclipse.jetty:jetty-alpn-*-server' dependency is required for HTTP/2 support.";
    private static final String HTTP2_REQUIRED = "The 'org.eclipse.jetty.http2:http2-server' dependency is required for HTTP/2 support.";

    private final InetSocketAddress address;
    private final Ssl ssl;
    private final SslStoreProvider sslStoreProvider;
    private final Http2 http2;

    /**
     * {@link ServerConnector} that validates the configured key alias against the
     * SSL context factory's key store as part of start-up.
     */
    public static class SslValidatingServerConnector extends ServerConnector {
        private final SslContextFactory sslContextFactory;
        private final String keyAlias;

        /**
         * Creates a connector that speaks TLS in front of a single HTTP connection factory.
         *
         * @param server the owning Jetty server
         * @param sslContextFactory factory whose key store is inspected on start
         * @param str the key alias to validate (parameter name is a decompiler artifact)
         * @param sslConnectionFactory the TLS connection factory
         * @param httpConnectionFactory the HTTP connection factory placed behind TLS
         */
        SslValidatingServerConnector(Server server, SslContextFactory sslContextFactory, String str, SslConnectionFactory sslConnectionFactory, HttpConnectionFactory httpConnectionFactory) {
            this(server, sslContextFactory, str, new ConnectionFactory[] {sslConnectionFactory, httpConnectionFactory});
        }

        /**
         * Creates a connector with an arbitrary chain of connection factories.
         *
         * @param server the owning Jetty server
         * @param sslContextFactory factory whose key store is inspected on start
         * @param str the key alias to validate (parameter name is a decompiler artifact)
         * @param connectionFactoryArr the connection factories handed to the superclass
         */
        SslValidatingServerConnector(Server server, SslContextFactory sslContextFactory, String str, ConnectionFactory... connectionFactoryArr) {
            super(server, connectionFactoryArr);
            this.sslContextFactory = sslContextFactory;
            this.keyAlias = str;
        }

        /**
         * Starts the connector, then validates the key alias against the key store.
         *
         * <p>The check runs after {@code super.doStart()}; presumably the key store is
         * only available from the factory once it has been started. A validation failure
         * therefore surfaces as a start-up exception rather than a construction error.
         *
         * @throws Exception if the superclass fails to start or the alias check fails
         */
        @Override
        protected void doStart() throws Exception {
            super.doStart();
            SslConfigurationValidator.validateKeyAlias(this.sslContextFactory.getKeyStore(), this.keyAlias);
        }
    }

    /**
     * Creates a customizer for the given bind address and SSL configuration.
     *
     * @param inetSocketAddress host and port the TLS connector will listen on
     * @param ssl the SSL settings to apply
     * @param sslStoreProvider optional supplier of pre-built key and trust stores; when
     * {@code null} the stores are loaded from the locations in {@code ssl}
     * @param http2 optional HTTP/2 settings; {@code null} or disabled yields HTTP/1.1 only
     */
    public SslServerCustomizer(InetSocketAddress inetSocketAddress, Ssl ssl, SslStoreProvider sslStoreProvider, Http2 http2) {
        this.address = inetSocketAddress;
        this.ssl = ssl;
        this.sslStoreProvider = sslStoreProvider;
        this.http2 = http2;
    }

    /**
     * Builds the server-side SSL context factory and installs one TLS connector,
     * replacing any connectors already set on the server.
     *
     * @param server the Jetty server to customize
     */
    @Override
    public void customize(Server server) {
        SslContextFactory.Server contextFactory = new SslContextFactory.Server();
        // Endpoint identification is cleared on this server-side factory.
        // NOTE(review): hostname verification is normally a client-side check; confirm
        // this factory is never reused for outbound TLS connections.
        contextFactory.setEndpointIdentificationAlgorithm(null);
        configureSsl(contextFactory, this.ssl, this.sslStoreProvider);
        ServerConnector tlsConnector = createConnector(server, contextFactory, this.address);
        server.setConnectors(new Connector[] {tlsConnector});
    }

    /**
     * Creates the HTTPS connector and binds it to the given host and port.
     */
    private ServerConnector createConnector(Server server, SslContextFactory.Server contextFactory, InetSocketAddress bindAddress) {
        HttpConfiguration config = new HttpConfiguration();
        // Do not advertise the Jetty version in responses (less fingerprinting surface).
        config.setSendServerVersion(false);
        config.setSecureScheme("https");
        config.setSecurePort(bindAddress.getPort());
        // Registers Jetty's customizer for requests received over the secure connector.
        config.addCustomizer(new SecureRequestCustomizer());
        ServerConnector connector = createServerConnector(server, contextFactory, config);
        connector.setPort(bindAddress.getPort());
        connector.setHost(bindAddress.getHostString());
        return connector;
    }

    /**
     * Chooses between the HTTP/1.1-only connector and the ALPN/HTTP/2 connector.
     *
     * @throws IllegalStateException if HTTP/2 is enabled but the ALPN or HTTP/2 server
     * classes are not on the classpath
     */
    private ServerConnector createServerConnector(Server server, SslContextFactory.Server contextFactory, HttpConfiguration config) {
        boolean http2Enabled = this.http2 != null && this.http2.isEnabled();
        if (http2Enabled) {
            Assert.state(isJettyAlpnPresent(), () -> ALPN_REQUIRED);
            Assert.state(isJettyHttp2Present(), () -> HTTP2_REQUIRED);
            return createHttp2ServerConnector(server, config, contextFactory);
        }
        return createHttp11ServerConnector(server, config, contextFactory);
    }

    /**
     * Creates a connector that negotiates TLS and then speaks HTTP/1.1.
     */
    private ServerConnector createHttp11ServerConnector(Server server, HttpConfiguration config, SslContextFactory.Server contextFactory) {
        HttpConnectionFactory http11 = new HttpConnectionFactory(config);
        String nextProtocol = HttpVersion.HTTP_1_1.asString();
        SslConnectionFactory tls = new SslConnectionFactory(contextFactory, nextProtocol);
        return new SslValidatingServerConnector(server, contextFactory, this.ssl.getKeyAlias(), tls, http11);
    }

    /**
     * Reports whether the Jetty ALPN server connection factory class can be loaded.
     */
    private boolean isJettyAlpnPresent() {
        return ClassUtils.isPresent("org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory", null);
    }

    /**
     * Reports whether the Jetty HTTP/2 server connection factory class can be loaded.
     */
    private boolean isJettyHttp2Present() {
        return ClassUtils.isPresent("org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory", null);
    }

    /**
     * Creates a connector that negotiates TLS, then ALPN, with HTTP/2 and HTTP/1.1
     * connection factories behind it.
     *
     * <p>Side effects on the context factory: the cipher comparator is set to
     * {@code HTTP2Cipher.COMPARATOR}, and the provider is switched to "Conscrypt" when
     * the Conscrypt classes are present.
     */
    private ServerConnector createHttp2ServerConnector(Server server, HttpConfiguration config, SslContextFactory.Server contextFactory) {
        HttpConnectionFactory http11 = new HttpConnectionFactory(config);
        HTTP2ServerConnectionFactory http2Factory = new HTTP2ServerConnectionFactory(config);
        ALPNServerConnectionFactory alpn = createAlpnServerConnectionFactory();
        contextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
        if (isConscryptPresent()) {
            contextFactory.setProvider("Conscrypt");
        }
        SslConnectionFactory tls = new SslConnectionFactory(contextFactory, alpn.getProtocol());
        return new SslValidatingServerConnector(server, contextFactory, this.ssl.getKeyAlias(), tls, alpn, http2Factory, http11);
    }

    /**
     * Instantiates the ALPN connection factory with no explicit protocol list.
     *
     * @throws IllegalStateException with a dependency hint if the factory's own
     * construction fails with an {@link IllegalStateException}
     */
    private ALPNServerConnectionFactory createAlpnServerConnectionFactory() {
        try {
            return new ALPNServerConnectionFactory(new String[0]);
        } catch (IllegalStateException cause) {
            throw new IllegalStateException(ALPN_REQUIRED, cause);
        }
    }

    /**
     * Reports whether both Conscrypt and Jetty's Conscrypt ALPN processor can be loaded.
     */
    private boolean isConscryptPresent() {
        if (!ClassUtils.isPresent("org.conscrypt.Conscrypt", null)) {
            return false;
        }
        return ClassUtils.isPresent("org.eclipse.jetty.alpn.conscrypt.server.ConscryptServerALPNProcessor", null);
    }

    /**
     * Applies protocol, client-auth, password, alias, cipher, enabled-protocol and
     * key/trust store settings to the context factory.
     *
     * @param server the SSL context factory to configure (decompiler-chosen name)
     * @param ssl the SSL settings to read from
     * @param sslStoreProvider optional store supplier; when non-null its stores are used
     * and the store locations in {@code ssl} are ignored
     * @throws IllegalStateException if the provider's stores cannot be obtained or set
     */
    protected void configureSsl(SslContextFactory.Server server, Ssl ssl, SslStoreProvider sslStoreProvider) {
        server.setProtocol(ssl.getProtocol());
        configureSslClientAuth(server, ssl);
        configureSslPasswords(server, ssl);
        server.setCertAlias(ssl.getKeyAlias());
        boolean explicitCiphers = !ObjectUtils.isEmpty((Object[]) ssl.getCiphers());
        if (explicitCiphers) {
            server.setIncludeCipherSuites(ssl.getCiphers());
            // The exclude list is replaced with an empty one, so any exclusions the
            // factory carried before this call no longer filter the configured suites.
            // Operators supplying a cipher list are responsible for keeping weak suites
            // out of it.
            server.setExcludeCipherSuites(new String[0]);
        }
        if (ssl.getEnabledProtocols() != null) {
            // Only the include list is set; the factory's protocol exclude list is not
            // touched by this method.
            server.setIncludeProtocols(ssl.getEnabledProtocols());
        }
        if (sslStoreProvider != null) {
            try {
                server.setKeyStore(sslStoreProvider.getKeyStore());
                server.setTrustStore(sslStoreProvider.getTrustStore());
            } catch (Exception cause) {
                throw new IllegalStateException("Unable to set SSL store", cause);
            }
            return;
        }
        configureSslKeyStore(server, ssl);
        configureSslTrustStore(server, ssl);
    }

    /**
     * Enables client-certificate authentication according to {@code ssl.getClientAuth()}.
     *
     * <p>{@code NEED} sets both the "need" and "want" flags, {@code WANT} sets only
     * "want"; any other value (including {@code null}) leaves the factory's flags as
     * they were.
     */
    private void configureSslClientAuth(SslContextFactory.Server contextFactory, Ssl ssl) {
        Ssl.ClientAuth clientAuth = ssl.getClientAuth();
        boolean required = clientAuth == Ssl.ClientAuth.NEED;
        if (required) {
            contextFactory.setNeedClientAuth(true);
        }
        if (required || clientAuth == Ssl.ClientAuth.WANT) {
            contextFactory.setWantClientAuth(true);
        }
    }

    /**
     * Copies the key store and key passwords to the factory when they are configured.
     * The values are passed straight through and are not logged by this method.
     */
    private void configureSslPasswords(SslContextFactory.Server contextFactory, Ssl ssl) {
        String keyStorePassword = ssl.getKeyStorePassword();
        if (keyStorePassword != null) {
            contextFactory.setKeyStorePassword(keyStorePassword);
        }
        String keyPassword = ssl.getKeyPassword();
        if (keyPassword != null) {
            contextFactory.setKeyManagerPassword(keyPassword);
        }
    }

    /**
     * Points the factory at the configured key store location and, when set, its type
     * and provider.
     *
     * @throws WebServerException if any step fails; the message names the key store
     * location but carries no password
     */
    private void configureSslKeyStore(SslContextFactory.Server contextFactory, Ssl ssl) {
        try {
            Resource keyStore = Resource.newResource(ResourceUtils.getURL(ssl.getKeyStore()));
            contextFactory.setKeyStoreResource(keyStore);
            String type = ssl.getKeyStoreType();
            if (type != null) {
                contextFactory.setKeyStoreType(type);
            }
            String provider = ssl.getKeyStoreProvider();
            if (provider != null) {
                contextFactory.setKeyStoreProvider(provider);
            }
        } catch (Exception cause) {
            throw new WebServerException("Could not load key store '" + ssl.getKeyStore() + "'", cause);
        }
    }

    /**
     * Applies the trust store password, location, type and provider, each only when
     * configured. With no trust store location set, no trust store resource is
     * assigned here.
     *
     * @throws WebServerException if the trust store location cannot be resolved
     */
    private void configureSslTrustStore(SslContextFactory.Server contextFactory, Ssl ssl) {
        String password = ssl.getTrustStorePassword();
        if (password != null) {
            contextFactory.setTrustStorePassword(password);
        }
        if (ssl.getTrustStore() != null) {
            try {
                Resource trustStore = Resource.newResource(ResourceUtils.getURL(ssl.getTrustStore()));
                contextFactory.setTrustStoreResource(trustStore);
            } catch (IOException cause) {
                throw new WebServerException("Could not find trust store '" + ssl.getTrustStore() + "'", cause);
            }
        }
        String type = ssl.getTrustStoreType();
        if (type != null) {
            contextFactory.setTrustStoreType(type);
        }
        String provider = ssl.getTrustStoreProvider();
        if (provider != null) {
            contextFactory.setTrustStoreProvider(provider);
        }
    }
}
