package org.eclipse.jetty.util.ssl;

import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

/* loaded from: classes.dex */
/**
 * Builds an {@link SSLContext} and configures the {@link SSLEngine}s created from it.
 *
 * <p>On start the factory selects protocols and cipher suites from the JVM's
 * default/supported sets using the include and exclude lists held here, and
 * {@link #customize(SSLEngine)} then applies that selection, the endpoint
 * identification algorithm, cipher-order preference and (when certificate host
 * maps are populated) an SNI matcher to every engine.
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX markers below).
 * Collections are raw types, constructor/method parameters have lost their names,
 * and at least one initializer ({@link #TRUST_ALL_CERTS}) does not look like the
 * original source. Treat it as a reading aid, not as the authoritative implementation.
 *
 * <p>Security-relevant defaults visible in the constructor: trust-all is off,
 * endpoint identification is {@code null} (no hostname check at the TLS layer),
 * renegotiation is allowed with a limit of 5, and the SSL/SSLv2/SSLv2Hello/SSLv3
 * protocols plus a set of weak cipher-suite patterns are excluded.
 */
public final class SslContextFactory extends AbstractLifeCycle {
    // Regular expressions (full-match) naming cipher suites removed by default; set in the static block.
    private static final String[] DEFAULT_EXCLUDED_CIPHER_SUITES;
    // Exact protocol names removed by default; set in the static block.
    private static final String[] DEFAULT_EXCLUDED_PROTOCOLS;
    public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
    public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
    private static final Logger LOG;
    // Child logger named "config"; doStart() uses it for configuration warnings.
    private static final Logger LOG_CONFIG;
    // Trust managers handed to SSLContext.init() by load() when _trustAll is true.
    // NOTE(review): `new Object()` is not a TrustManager and would not compile; this is
    // presumably a decompiler artifact standing in for the no-op X509TrustManager
    // declared below as AnonymousClass1 — confirm against the original source.
    // If so, using this array means no certificate chain is ever rejected.
    public static final TrustManager[] TRUST_ALL_CERTS = {new Object()};
    // The three maps below are created empty and cleared in doStop(); nothing in this
    // listing adds entries to them.
    private final HashMap _aliasX509;
    // Looked up by AliasSNIMatcher with the lower-cased SNI host name (exact match).
    private final HashMap _certHosts;
    // Looked up by AliasSNIMatcher for wildcard-style matches.
    private final HashMap _certWilds;
    // Passed to SSLParameters.setEndpointIdentificationAlgorithm(); null by default,
    // which leaves hostname verification off at the TLS layer. doStart() warns when null.
    private String _endpointIdentificationAlgorithm;
    private final LinkedHashSet _excludeCipherSuites;
    private final LinkedHashSet _excludeProtocols;
    // Holder for the initialised SSLContext; non-null only between load() and doStop().
    private Factory _factory;
    private final ArrayList _includeCipherSuites;
    private final LinkedHashSet _includeProtocols;
    // Renegotiation settings are only stored and exposed through getters here;
    // whatever enforces them lives outside this file.
    private boolean _renegotiationAllowed;
    private int _renegotiationLimit;
    // Results of the selection done in load(); null until started and after doStop().
    private String[] _selectedCipherSuites;
    private String[] _selectedProtocols;
    private boolean _sessionCachingEnabled;
    private String _sslProtocol;
    // -1 means "leave the provider default" (see the > -1 checks in load()).
    private int _sslSessionCacheSize;
    private int _sslSessionTimeout;
    // When true, load() installs TRUST_ALL_CERTS. Initialised to false; no setter is
    // visible in this listing.
    private boolean _trustAll;
    private boolean _useCipherSuitesOrder;

    /* renamed from: org.eclipse.jetty.util.ssl.SslContextFactory$1, reason: invalid class name */
    /* loaded from: classes.dex */
    /**
     * Trust manager that performs no validation: both check methods return without
     * throwing, so any client or server certificate chain presented to it is accepted,
     * and it advertises no accepted issuers.
     *
     * <p>Nothing in this listing instantiates it; presumably it is the intended element
     * of {@link #TRUST_ALL_CERTS} — TODO confirm. Any code path that installs it removes
     * protection against an on-path attacker presenting an arbitrary certificate.
     */
    final class AnonymousClass1 implements X509TrustManager {
        @Override // javax.net.ssl.X509TrustManager
        public final void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
            // Intentionally empty: never throws CertificateException, so every chain passes.
        }

        @Override // javax.net.ssl.X509TrustManager
        public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
            // Intentionally empty: never throws CertificateException, so every chain passes.
        }

        @Override // javax.net.ssl.X509TrustManager
        public final X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    /**
     * SNI matcher that records which configured certificate (if any) corresponds to the
     * host name a client sent, without ever rejecting the handshake.
     *
     * <p>The result is stored in {@code _x509}; this listing never reads that field back.
     */
    public class AliasSNIMatcher extends SNIMatcher {
        // Certificate entry found for the most recent SNI name, or null if none matched.
        private X509 _x509;

        AliasSNIMatcher() {
            // 0 is the SNI name type for host_name (StandardConstants.SNI_HOST_NAME).
            super(0);
        }

        /**
         * Looks up the SNI host name and remembers the matching certificate entry.
         *
         * <p>Lookup order for the lower-cased ASCII name: exact entry in {@code _certHosts},
         * then {@code _certWilds} keyed by the full name, then {@code _certWilds} keyed by
         * the name with its first label removed (everything after the first '.').
         * Only one label is stripped.
         *
         * @param sNIServerName the server name indication supplied by the client
         * @return always {@code true}; an unknown or non-host-name SNI value does not
         *         cause the handshake to be refused, it only leaves {@code _x509} unset
         */
        @Override // javax.net.ssl.SNIMatcher
        public final boolean matches(SNIServerName sNIServerName) {
            int indexOf;
            if (SslContextFactory.LOG.isDebugEnabled()) {
                SslContextFactory.LOG.debug("SNI matching for {}", sNIServerName);
            }
            if (sNIServerName instanceof SNIHostName) {
                String asciiToLowerCase = StringUtil.asciiToLowerCase(((SNIHostName) sNIServerName).getAsciiName());
                SslContextFactory sslContextFactory = SslContextFactory.this;
                X509 x509 = (X509) sslContextFactory._certHosts.get(asciiToLowerCase);
                this._x509 = x509;
                if (x509 == null) {
                    X509 x5092 = (X509) sslContextFactory._certWilds.get(asciiToLowerCase);
                    this._x509 = x5092;
                    // 46 is '.', so this retries with the parent domain of the requested name.
                    if (x5092 == null && (indexOf = asciiToLowerCase.indexOf(46)) >= 0) {
                        this._x509 = (X509) sslContextFactory._certWilds.get(asciiToLowerCase.substring(indexOf + 1));
                    }
                }
                if (SslContextFactory.LOG.isDebugEnabled()) {
                    SslContextFactory.LOG.debug("SNI matched {}->{}", asciiToLowerCase, this._x509);
                }
            } else if (SslContextFactory.LOG.isDebugEnabled()) {
                SslContextFactory.LOG.debug("SNI no match for {}", sNIServerName);
            }
            // Deliberately permissive: the matcher is used to observe the name, not to filter on it.
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    /** Immutable holder for the {@link SSLContext} produced by {@code load()}. */
    public class Factory {
        private final SSLContext _context;

        Factory(SSLContext sSLContext) {
            this._context = sSLContext;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    static {
        // Unused local; presumably kept only because reading the field touches the Log class — TODO confirm.
        String str = Log.__logClass;
        Logger logger = Log.getLogger(SslContextFactory.class.getName());
        LOG = logger;
        LOG_CONFIG = logger.getLogger("config");
        // Prefer the algorithm named in the java.security properties, else the JSSE default.
        DEFAULT_KEYMANAGERFACTORY_ALGORITHM = Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ? KeyManagerFactory.getDefaultAlgorithm() : Security.getProperty("ssl.KeyManagerFactory.algorithm");
        DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ? TrustManagerFactory.getDefaultAlgorithm() : Security.getProperty("ssl.TrustManagerFactory.algorithm");
        // Legacy SSL protocol versions, matched by exact name in load() and doStart().
        DEFAULT_EXCLUDED_PROTOCOLS = new String[]{"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};
        // Full-match regexes: names ending in _MD5/_SHA/_SHA1, TLS_RSA_ (static RSA key
        // exchange) suites, SSL_-prefixed suites, NULL-encryption suites and anonymous
        // (unauthenticated) suites.
        DEFAULT_EXCLUDED_CIPHER_SUITES = new String[]{"^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"};
    }

    /** Creates a factory with the default settings by delegating to {@link #SslContextFactory(int)}. */
    public SslContextFactory() {
        this(0);
    }

    /**
     * Creates a factory with default settings and the default protocol and cipher
     * exclusions installed.
     *
     * @param i not read by this constructor body (its original meaning was lost in decompilation)
     */
    public SslContextFactory(int i) {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        this._excludeProtocols = linkedHashSet;
        this._includeProtocols = new LinkedHashSet();
        LinkedHashSet linkedHashSet2 = new LinkedHashSet();
        this._excludeCipherSuites = linkedHashSet2;
        this._includeCipherSuites = new ArrayList();
        this._aliasX509 = new HashMap();
        this._certHosts = new HashMap();
        this._certWilds = new HashMap();
        this._useCipherSuitesOrder = true;
        this._sslProtocol = "TLS";
        this._sessionCachingEnabled = true;
        this._sslSessionCacheSize = -1;
        this._sslSessionTimeout = -1;
        // No hostname verification unless setEndpointIdentificationAlgorithm() is called.
        this._endpointIdentificationAlgorithm = null;
        this._renegotiationAllowed = true;
        this._renegotiationLimit = 5;
        // Certificate validation stays on by default.
        this._trustAll = false;
        linkedHashSet.clear();
        linkedHashSet.addAll(Arrays.asList(DEFAULT_EXCLUDED_PROTOCOLS));
        linkedHashSet2.clear();
        linkedHashSet2.addAll(Arrays.asList(DEFAULT_EXCLUDED_CIPHER_SUITES));
    }

    /**
     * Initialises the {@link SSLContext} and computes the protocol and cipher-suite
     * selection that {@link #customize(SSLEngine)} later applies.
     *
     * <p>Exclusions always win: they are applied after the include lists have been
     * resolved. An empty result is only logged at warn level; it is not treated as
     * an error here.
     *
     * @throws Exception if the context cannot be obtained or initialised, or an
     *         include/exclude cipher pattern is not a valid regular expression
     */
    private void load() throws Exception {
        TrustManager[] trustManagerArr;
        String str = this._sslProtocol;
        boolean z = this._trustAll;
        Logger logger = LOG;
        if (z) {
            // This message is emitted only when debug logging is on; the warn-level
            // notice about trusting all certificates comes from doStart().
            if (logger.isDebugEnabled()) {
                logger.debug("No keystore or trust store configured.  ACCEPTING UNTRUSTED CERTIFICATES!!!!!", new Object[0]);
            }
            trustManagerArr = TRUST_ALL_CERTS;
        } else {
            // null lets SSLContext.init() fall back to the provider's default trust managers.
            trustManagerArr = null;
        }
        SSLContext sSLContext = SSLContext.getInstance(str);
        // No key managers and no explicit SecureRandom are supplied in this listing.
        sSLContext.init(null, trustManagerArr, null);
        SSLSessionContext serverSessionContext = sSLContext.getServerSessionContext();
        if (serverSessionContext != null) {
            // Only override the provider's session cache settings when a value was configured.
            int i = this._sslSessionCacheSize;
            if (i > -1) {
                serverSessionContext.setSessionCacheSize(i);
            }
            int i2 = this._sslSessionTimeout;
            if (i2 > -1) {
                serverSessionContext.setSessionTimeout(i2);
            }
        }
        SSLParameters defaultSSLParameters = sSLContext.getDefaultSSLParameters();
        SSLParameters supportedSSLParameters = sSLContext.getSupportedSSLParameters();
        String[] cipherSuites = defaultSSLParameters.getCipherSuites();
        String[] cipherSuites2 = supportedSSLParameters.getCipherSuites();
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = this._includeCipherSuites;
        if (arrayList2.isEmpty()) {
            // No include list: start from the suites the JVM enables by default.
            arrayList.addAll(Arrays.asList(cipherSuites));
        } else {
            // Include list: each pattern pulls every *supported* suite it fully matches,
            // in include-list order. A suite matched by two patterns is added twice.
            Iterator it = arrayList2.iterator();
            while (it.hasNext()) {
                String str2 = (String) it.next();
                Pattern compile = Pattern.compile(str2);
                boolean z2 = false;
                for (String str3 : cipherSuites2) {
                    if (compile.matcher(str3).matches()) {
                        arrayList.add(str3);
                        z2 = true;
                    }
                }
                if (!z2) {
                    logger.info("No Cipher matching '{}' is supported", str2);
                }
            }
        }
        // Apply exclusions last so an excluded suite cannot be re-enabled by an include pattern.
        Iterator it2 = this._excludeCipherSuites.iterator();
        while (it2.hasNext()) {
            Pattern compile2 = Pattern.compile((String) it2.next());
            Iterator it3 = arrayList.iterator();
            while (it3.hasNext()) {
                if (compile2.matcher((String) it3.next()).matches()) {
                    it3.remove();
                }
            }
        }
        if (arrayList.isEmpty()) {
            logger.warn("No supported ciphers from {}", Arrays.asList(cipherSuites2));
        }
        this._selectedCipherSuites = (String[]) arrayList.toArray(new String[0]);
        String[] protocols = defaultSSLParameters.getProtocols();
        String[] protocols2 = supportedSSLParameters.getProtocols();
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        LinkedHashSet<String> linkedHashSet2 = this._includeProtocols;
        if (linkedHashSet2.isEmpty()) {
            linkedHashSet.addAll(Arrays.asList(protocols));
        } else {
            // Protocols are matched by exact name (not regex) against the supported set.
            for (String str4 : linkedHashSet2) {
                if (Arrays.asList(protocols2).contains(str4)) {
                    linkedHashSet.add(str4);
                } else {
                    logger.info("Protocol {} not supported in {}", str4, Arrays.asList(protocols2));
                }
            }
        }
        // As with ciphers, protocol exclusions override inclusions.
        linkedHashSet.removeAll(this._excludeProtocols);
        if (linkedHashSet.isEmpty()) {
            logger.warn("No selected protocols from {}", Arrays.asList(protocols2));
        }
        this._selectedProtocols = (String[]) linkedHashSet.toArray(new String[0]);
        this._factory = new Factory(sSLContext);
        if (logger.isDebugEnabled()) {
            logger.debug("Selected Protocols {} of {}", Arrays.asList(this._selectedProtocols), Arrays.asList(supportedSSLParameters.getProtocols()));
            logger.debug("Selected Ciphers   {} of {}", Arrays.asList(this._selectedCipherSuites), Arrays.asList(supportedSSLParameters.getCipherSuites()));
        }
    }

    /**
     * Applies this factory's settings to an engine: endpoint identification algorithm,
     * cipher-order preference, the SNI matcher (only when certificate host maps are
     * non-empty) and the selected cipher suites and protocols (only when computed).
     *
     * <p>If the endpoint identification algorithm is still {@code null}, the engine is
     * left without hostname verification at the TLS layer.
     *
     * @param sSLEngine the engine to configure; its parameters are read, modified and written back
     */
    public final void customize(SSLEngine sSLEngine) {
        Logger logger = LOG;
        if (logger.isDebugEnabled()) {
            logger.debug("Customize {}", sSLEngine);
        }
        SSLParameters sSLParameters = sSLEngine.getSSLParameters();
        sSLParameters.setEndpointIdentificationAlgorithm(this._endpointIdentificationAlgorithm);
        sSLParameters.setUseCipherSuitesOrder(this._useCipherSuitesOrder);
        if (!this._certHosts.isEmpty() || !this._certWilds.isEmpty()) {
            // A fresh matcher per engine, since the matcher stores per-handshake state in _x509.
            sSLParameters.setSNIMatchers(Collections.singletonList(new AliasSNIMatcher()));
        }
        String[] strArr = this._selectedCipherSuites;
        if (strArr != null) {
            sSLParameters.setCipherSuites(strArr);
        }
        String[] strArr2 = this._selectedProtocols;
        if (strArr2 != null) {
            sSLParameters.setProtocols(strArr2);
        }
        sSLEngine.setSSLParameters(sSLParameters);
    }

    /**
     * Loads the context, then audits the effective configuration and logs warnings.
     *
     * <p>The audit is advisory only: it warns when all certificates are trusted, when no
     * endpoint identification algorithm is set, and when a probe engine still has a
     * default-excluded protocol or a cipher suite matching a default-excluded pattern
     * enabled. Nothing is disabled or rejected as a result.
     *
     * @throws Exception propagated from {@code load()} or engine creation
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    protected final void doStart() throws Exception {
        synchronized (this) {
            load();
        }
        boolean z = this._trustAll;
        Logger logger = LOG_CONFIG;
        if (z) {
            logger.warn("Trusting all certificates configured for {}", this);
        }
        if (this._endpointIdentificationAlgorithm == null) {
            logger.warn("No Client EndPointIdentificationAlgorithm configured for {}", this);
        }
        // Build a throwaway engine so the check sees what customize() actually enables.
        SSLEngine createSSLEngine = this._factory._context.createSSLEngine();
        customize(createSSLEngine);
        SSLParameters sSLParameters = createSSLEngine.getSSLParameters();
        for (String str : sSLParameters.getProtocols()) {
            for (String str2 : DEFAULT_EXCLUDED_PROTOCOLS) {
                if (str2.equals(str)) {
                    logger.warn("Protocol {} not excluded for {}", str, this);
                }
            }
        }
        for (String str3 : sSLParameters.getCipherSuites()) {
            for (String str4 : DEFAULT_EXCLUDED_CIPHER_SUITES) {
                // String.matches() compiles the pattern on every call; this runs once at start-up.
                if (str3.matches(str4)) {
                    logger.warn("Weak cipher suite {} enabled for {}", str3, this);
                }
            }
        }
    }

    /**
     * Drops the context holder, the computed selections and the certificate maps.
     *
     * @throws Exception declared by the overridden method; nothing here throws it
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    protected final void doStop() throws Exception {
        synchronized (this) {
            this._factory = null;
            this._selectedProtocols = null;
            this._selectedCipherSuites = null;
            this._aliasX509.clear();
            this._certHosts.clear();
            this._certWilds.clear();
        }
    }

    /** @return the configured renegotiation limit (5 unless changed elsewhere) */
    public final int getRenegotiationLimit() {
        return this._renegotiationLimit;
    }

    /** @return whether TLS renegotiation is configured as allowed ({@code true} by default) */
    public final boolean isRenegotiationAllowed() {
        return this._renegotiationAllowed;
    }

    /**
     * Creates and customizes an engine with no peer host or port information.
     *
     * @return a new engine configured by {@link #customize(SSLEngine)}
     * @throws IllegalStateException if the factory is not started
     */
    public final SSLEngine newSSLEngine() {
        SSLContext sSLContext;
        if (!isStarted()) {
            throw new IllegalStateException("!STARTED: " + this);
        }
        // NOTE(review): the second isStarted() check looks like an inlined helper. If the
        // factory is stopped between the two checks, either _factory or sSLContext is null
        // and a NullPointerException follows instead of the IllegalStateException above.
        if (isStarted()) {
            synchronized (this) {
                sSLContext = this._factory._context;
            }
        } else {
            sSLContext = null;
        }
        SSLEngine createSSLEngine = sSLContext.createSSLEngine();
        customize(createSSLEngine);
        return createSSLEngine;
    }

    /**
     * Creates and customizes an engine, passing peer hints when session caching is enabled.
     *
     * <p>NOTE(review): when session caching is disabled the engine is created without the
     * peer host; confirm how endpoint identification behaves for client-mode engines in
     * that case, since the host name to verify against comes from the engine.
     *
     * @param i the peer port hint (second argument of {@code createSSLEngine})
     * @param str the peer host hint (first argument of {@code createSSLEngine})
     * @return a new engine configured by {@link #customize(SSLEngine)}
     * @throws IllegalStateException if the factory is not started
     */
    public final SSLEngine newSSLEngine(int i, String str) {
        SSLContext sSLContext;
        if (!isStarted()) {
            throw new IllegalStateException("!STARTED: " + this);
        }
        // Same double check as newSSLEngine(): a concurrent stop here ends in a NullPointerException.
        if (isStarted()) {
            synchronized (this) {
                sSLContext = this._factory._context;
            }
        } else {
            sSLContext = null;
        }
        SSLEngine createSSLEngine = this._sessionCachingEnabled ? sSLContext.createSSLEngine(str, i) : sSLContext.createSSLEngine();
        customize(createSSLEngine);
        return createSSLEngine;
    }

    /**
     * Turns on HTTPS-style endpoint identification, so engines customized afterwards have
     * the peer certificate checked against the host name during the handshake.
     * Takes no argument in this build; the value is fixed to "HTTPS".
     */
    public final void setEndpointIdentificationAlgorithm() {
        this._endpointIdentificationAlgorithm = "HTTPS";
    }

    /**
     * @return a description of this factory; provider, key store and trust store are
     *         always printed as {@code null} in this build
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public final String toString() {
        return String.format("%s@%x[provider=%s,keyStore=%s,trustStore=%s]", "SslContextFactory", Integer.valueOf(hashCode()), null, null, null);
    }
}
