package org.apache.tomcat.util.net.openssl;

import io.netty.handler.ssl.ApplicationProtocolNames;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.jni.CertificateVerifier;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLConf;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.res.StringManager;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-9.0.68.jar:org/apache/tomcat/util/net/openssl/OpenSSLContext.class */
public class OpenSSLContext implements SSLContext {
    private static final String defaultProtocol = "TLS";
    private static final String BEGIN_KEY = "-----BEGIN PRIVATE KEY-----\n";
    static final CertificateFactory X509_CERT_FACTORY;
    private final SSLHostConfig sslHostConfig;
    private final SSLHostConfigCertificate certificate;
    private final List<String> negotiableProtocols;
    protected final long cctx;
    protected final long ctx;
    private OpenSSLSessionContext sessionContext;
    private X509TrustManager x509TrustManager;
    private String enabledProtocol;
    private static final Log log = LogFactory.getLog((Class<?>) OpenSSLContext.class);
    private static final StringManager netSm = StringManager.getManager((Class<?>) AbstractEndpoint.class);
    private static final StringManager sm = StringManager.getManager((Class<?>) OpenSSLContext.class);
    private static final Object END_KEY = "\n-----END PRIVATE KEY-----";
    private final AtomicInteger aprPoolDestroyed = new AtomicInteger(0);
    private boolean initialized = false;
    private final long aprPool = Pool.create(0);

    public OpenSSLContext(SSLHostConfigCertificate sSLHostConfigCertificate, List<String> list) throws SSLException {
        this.sslHostConfig = sSLHostConfigCertificate.getSSLHostConfig();
        this.certificate = sSLHostConfigCertificate;
        try {
            try {
                if (this.sslHostConfig.getOpenSslConf() != null) {
                    try {
                        if (log.isDebugEnabled()) {
                            log.debug(sm.getString("openssl.makeConf"));
                        }
                        this.cctx = SSLConf.make(this.aprPool, 58);
                    } catch (Exception e) {
                        throw new SSLException(sm.getString("openssl.errMakeConf"), e);
                    }
                } else {
                    this.cctx = 0L;
                }
                this.sslHostConfig.setOpenSslConfContext(Long.valueOf(this.cctx));
                int i = 0;
                for (String str : this.sslHostConfig.getEnabledProtocols()) {
                    if (!"SSLv2Hello".equalsIgnoreCase(str)) {
                        if ("SSLv2".equalsIgnoreCase(str)) {
                            i |= 1;
                        } else if ("SSLv3".equalsIgnoreCase(str)) {
                            i |= 2;
                        } else if ("TLSv1".equalsIgnoreCase(str)) {
                            i |= 4;
                        } else if ("TLSv1.1".equalsIgnoreCase(str)) {
                            i |= 8;
                        } else if ("TLSv1.2".equalsIgnoreCase(str)) {
                            i |= 16;
                        } else if ("TLSv1.3".equalsIgnoreCase(str)) {
                            i |= 32;
                        } else {
                            if (!"all".equalsIgnoreCase(str)) {
                                throw new Exception(netSm.getString("endpoint.apr.invalidSslProtocol", str));
                            }
                            i |= SSL.SSL_PROTOCOL_ALL;
                        }
                    }
                }
                try {
                    this.ctx = org.apache.tomcat.jni.SSLContext.make(this.aprPool, i, 1);
                    this.negotiableProtocols = list;
                    if (1 == 0) {
                        destroy();
                    }
                } catch (Exception e2) {
                    throw new Exception(netSm.getString("endpoint.apr.failSslContextMake"), e2);
                }
            } catch (Exception e3) {
                throw new SSLException(sm.getString("openssl.errorSSLCtxInit"), e3);
            }
        } catch (Throwable th) {
            if (0 == 0) {
                destroy();
            }
            throw th;
        }
    }

    public String getEnabledProtocol() {
        return this.enabledProtocol;
    }

    public void setEnabledProtocol(String str) {
        this.enabledProtocol = str == null ? "TLS" : str;
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public synchronized void destroy() {
        if (this.aprPoolDestroyed.compareAndSet(0, 1)) {
            if (this.ctx != 0) {
                org.apache.tomcat.jni.SSLContext.free(this.ctx);
            }
            if (this.cctx != 0) {
                SSLConf.free(this.cctx);
            }
            if (this.aprPool != 0) {
                Pool.destroy(this.aprPool);
            }
        }
    }

    protected static boolean checkConf(OpenSSLConf openSSLConf, long j) throws Exception {
        boolean z = true;
        for (OpenSSLConfCmd openSSLConfCmd : openSSLConf.getCommands()) {
            String name = openSSLConfCmd.getName();
            String value = openSSLConfCmd.getValue();
            if (name == null) {
                log.error(sm.getString("opensslconf.noCommandName", value));
                z = false;
            } else {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("opensslconf.checkCommand", name, value));
                }
                try {
                    int check = SSLConf.check(j, name, value);
                    if (check <= 0) {
                        log.error(sm.getString("opensslconf.failedCommand", name, value, Integer.toString(check)));
                        z = false;
                    } else if (log.isDebugEnabled()) {
                        log.debug(sm.getString("opensslconf.resultCommand", name, value, Integer.toString(check)));
                    }
                } catch (Exception e) {
                    log.error(sm.getString("opensslconf.checkFailed"));
                    return false;
                }
            }
        }
        if (!z) {
            log.error(sm.getString("opensslconf.checkFailed"));
        }
        return z;
    }

    protected static boolean applyConf(OpenSSLConf openSSLConf, long j, long j2) throws Exception {
        boolean z = true;
        SSLConf.assign(j, j2);
        for (OpenSSLConfCmd openSSLConfCmd : openSSLConf.getCommands()) {
            String name = openSSLConfCmd.getName();
            String value = openSSLConfCmd.getValue();
            if (name == null) {
                log.error(sm.getString("opensslconf.noCommandName", value));
                z = false;
            } else {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("opensslconf.applyCommand", name, value));
                }
                try {
                    int apply = SSLConf.apply(j, name, value);
                    if (apply <= 0) {
                        log.error(sm.getString("opensslconf.failedCommand", name, value, Integer.toString(apply)));
                        z = false;
                    } else if (log.isDebugEnabled()) {
                        log.debug(sm.getString("opensslconf.resultCommand", name, value, Integer.toString(apply)));
                    }
                } catch (Exception e) {
                    log.error(sm.getString("opensslconf.applyFailed"));
                    return false;
                }
            }
        }
        int finish = SSLConf.finish(j);
        if (finish <= 0) {
            log.error(sm.getString("opensslconf.finishFailed", Integer.toString(finish)));
            z = false;
        }
        if (!z) {
            log.error(sm.getString("opensslconf.applyFailed"));
        }
        return z;
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public synchronized void init(KeyManager[] keyManagerArr, TrustManager[] trustManagerArr, SecureRandom secureRandom) {
        OpenSSLConf openSslConf;
        if (this.initialized) {
            log.warn(sm.getString("openssl.doubleInit"));
            return;
        }
        try {
            if (this.sslHostConfig.getInsecureRenegotiation()) {
                org.apache.tomcat.jni.SSLContext.setOptions(this.ctx, 262144);
            } else {
                org.apache.tomcat.jni.SSLContext.clearOptions(this.ctx, 262144);
            }
            if (this.sslHostConfig.getHonorCipherOrder()) {
                org.apache.tomcat.jni.SSLContext.setOptions(this.ctx, 4194304);
            } else {
                org.apache.tomcat.jni.SSLContext.clearOptions(this.ctx, 4194304);
            }
            if (this.sslHostConfig.getDisableCompression()) {
                org.apache.tomcat.jni.SSLContext.setOptions(this.ctx, 131072);
            } else {
                org.apache.tomcat.jni.SSLContext.clearOptions(this.ctx, 131072);
            }
            if (this.sslHostConfig.getDisableSessionTickets()) {
                org.apache.tomcat.jni.SSLContext.setOptions(this.ctx, 16384);
            } else {
                org.apache.tomcat.jni.SSLContext.clearOptions(this.ctx, 16384);
            }
            org.apache.tomcat.jni.SSLContext.setCipherSuite(this.ctx, this.sslHostConfig.getCiphers());
            if (this.certificate.getCertificateFile() == null) {
                this.certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(keyManagerArr));
            }
            addCertificate(this.certificate);
            int i = 0;
            switch (this.sslHostConfig.getCertificateVerification()) {
                case NONE:
                    i = 0;
                    break;
                case OPTIONAL:
                    i = 1;
                    break;
                case OPTIONAL_NO_CA:
                    i = 3;
                    break;
                case REQUIRED:
                    i = 2;
                    break;
            }
            org.apache.tomcat.jni.SSLContext.setVerify(this.ctx, i, this.sslHostConfig.getCertificateVerificationDepth());
            if (trustManagerArr != null) {
                this.x509TrustManager = chooseTrustManager(trustManagerArr);
                org.apache.tomcat.jni.SSLContext.setCertVerifyCallback(this.ctx, new CertificateVerifier() { // from class: org.apache.tomcat.util.net.openssl.OpenSSLContext.1
                    @Override // org.apache.tomcat.jni.CertificateVerifier
                    public boolean verify(long j, byte[][] bArr, String str) {
                        try {
                            OpenSSLContext.this.x509TrustManager.checkClientTrusted(OpenSSLContext.certificates(bArr), str);
                            return true;
                        } catch (Exception e) {
                            OpenSSLContext.log.debug(OpenSSLContext.sm.getString("openssl.certificateVerificationFailed"), e);
                            return false;
                        }
                    }
                });
                for (X509Certificate x509Certificate : this.x509TrustManager.getAcceptedIssuers()) {
                    org.apache.tomcat.jni.SSLContext.addClientCACertificateRaw(this.ctx, x509Certificate.getEncoded());
                    if (log.isDebugEnabled()) {
                        log.debug(sm.getString("openssl.addedClientCaCert", x509Certificate.toString()));
                    }
                }
            } else {
                org.apache.tomcat.jni.SSLContext.setCACertificate(this.ctx, SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCaCertificateFile()), SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCaCertificatePath()));
            }
            if (this.negotiableProtocols != null && this.negotiableProtocols.size() > 0) {
                ArrayList arrayList = new ArrayList(this.negotiableProtocols);
                arrayList.add(ApplicationProtocolNames.HTTP_1_1);
                org.apache.tomcat.jni.SSLContext.setAlpnProtos(this.ctx, (String[]) arrayList.toArray(new String[0]), 0);
            }
            openSslConf = this.sslHostConfig.getOpenSslConf();
        } catch (Exception e) {
            log.warn(sm.getString("openssl.errorSSLCtxInit"), e);
            destroy();
            return;
        }
        if (openSslConf != null && this.cctx != 0) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("openssl.checkConf"));
            }
            try {
                if (!checkConf(openSslConf, this.cctx)) {
                    log.error(sm.getString("openssl.errCheckConf"));
                    throw new Exception(sm.getString("openssl.errCheckConf"));
                }
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("openssl.applyConf"));
                }
                try {
                    if (!applyConf(openSslConf, this.cctx, this.ctx)) {
                        log.error(sm.getString("openssl.errApplyConf"));
                        throw new SSLException(sm.getString("openssl.errApplyConf"));
                    }
                    int options = org.apache.tomcat.jni.SSLContext.getOptions(this.ctx);
                    ArrayList arrayList2 = new ArrayList();
                    arrayList2.add("SSLv2Hello");
                    if ((options & SSL.SSL_OP_NO_TLSv1) == 0) {
                        arrayList2.add("TLSv1");
                    }
                    if ((options & 268435456) == 0) {
                        arrayList2.add("TLSv1.1");
                    }
                    if ((options & 134217728) == 0) {
                        arrayList2.add("TLSv1.2");
                    }
                    if ((options & 16777216) == 0) {
                        arrayList2.add("SSLv2");
                    }
                    if ((options & 33554432) == 0) {
                        arrayList2.add("SSLv3");
                    }
                    this.sslHostConfig.setEnabledProtocols((String[]) arrayList2.toArray(new String[0]));
                    this.sslHostConfig.setEnabledCiphers(org.apache.tomcat.jni.SSLContext.getCiphers(this.ctx));
                } catch (Exception e2) {
                    throw new SSLException(sm.getString("openssl.errApplyConf"), e2);
                }
            } catch (Exception e3) {
                throw new Exception(sm.getString("openssl.errCheckConf"), e3);
            }
            log.warn(sm.getString("openssl.errorSSLCtxInit"), e);
            destroy();
            return;
        }
        this.sessionContext = new OpenSSLSessionContext(this);
        this.sessionContext.setSessionIdContext(org.apache.tomcat.jni.SSLContext.DEFAULT_SESSION_ID_CONTEXT);
        this.sslHostConfig.setOpenSslContext(Long.valueOf(this.ctx));
        this.initialized = true;
    }

    public void addCertificate(SSLHostConfigCertificate sSLHostConfigCertificate) throws Exception {
        if (sSLHostConfigCertificate.getCertificateFile() != null) {
            org.apache.tomcat.jni.SSLContext.setCertificate(this.ctx, SSLHostConfig.adjustRelativePath(sSLHostConfigCertificate.getCertificateFile()), SSLHostConfig.adjustRelativePath(sSLHostConfigCertificate.getCertificateKeyFile()), sSLHostConfigCertificate.getCertificateKeyPassword(), getCertificateIndex(sSLHostConfigCertificate));
            org.apache.tomcat.jni.SSLContext.setCertificateChainFile(this.ctx, SSLHostConfig.adjustRelativePath(sSLHostConfigCertificate.getCertificateChainFile()), false);
            org.apache.tomcat.jni.SSLContext.setCARevocation(this.ctx, SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCertificateRevocationListFile()), SSLHostConfig.adjustRelativePath(this.sslHostConfig.getCertificateRevocationListPath()));
            return;
        }
        String certificateKeyAlias = sSLHostConfigCertificate.getCertificateKeyAlias();
        X509KeyManager certificateKeyManager = sSLHostConfigCertificate.getCertificateKeyManager();
        if (certificateKeyAlias == null) {
            certificateKeyAlias = "tomcat";
        }
        X509Certificate[] certificateChain = certificateKeyManager.getCertificateChain(certificateKeyAlias);
        if (certificateChain == null) {
            certificateKeyAlias = findAlias(certificateKeyManager, sSLHostConfigCertificate);
            certificateChain = certificateKeyManager.getCertificateChain(certificateKeyAlias);
        }
        org.apache.tomcat.jni.SSLContext.setCertificateRaw(this.ctx, certificateChain[0].getEncoded(), (BEGIN_KEY + Base64.getMimeEncoder(64, new byte[]{10}).encodeToString(certificateKeyManager.getPrivateKey(certificateKeyAlias).getEncoded()) + END_KEY).getBytes(StandardCharsets.US_ASCII), getCertificateIndex(sSLHostConfigCertificate));
        for (int i = 1; i < certificateChain.length; i++) {
            org.apache.tomcat.jni.SSLContext.addChainCertificateRaw(this.ctx, certificateChain[i].getEncoded());
        }
    }

    private static int getCertificateIndex(SSLHostConfigCertificate sSLHostConfigCertificate) {
        return (sSLHostConfigCertificate.getType() == SSLHostConfigCertificate.Type.RSA || sSLHostConfigCertificate.getType() == SSLHostConfigCertificate.Type.UNDEFINED) ? 0 : sSLHostConfigCertificate.getType() == SSLHostConfigCertificate.Type.EC ? 3 : sSLHostConfigCertificate.getType() == SSLHostConfigCertificate.Type.DSA ? 1 : 4;
    }

    private static String findAlias(X509KeyManager x509KeyManager, SSLHostConfigCertificate sSLHostConfigCertificate) {
        SSLHostConfigCertificate.Type type = sSLHostConfigCertificate.getType();
        String str = null;
        ArrayList arrayList = new ArrayList();
        if (SSLHostConfigCertificate.Type.UNDEFINED.equals(type)) {
            arrayList.addAll(Arrays.asList(SSLHostConfigCertificate.Type.values()));
            arrayList.remove(SSLHostConfigCertificate.Type.UNDEFINED);
        } else {
            arrayList.add(type);
        }
        Iterator it = arrayList.iterator();
        while (str == null && it.hasNext()) {
            str = x509KeyManager.chooseServerAlias(((SSLHostConfigCertificate.Type) it.next()).toString(), null, null);
        }
        return str;
    }

    private static X509TrustManager chooseTrustManager(TrustManager[] trustManagerArr) {
        for (TrustManager trustManager : trustManagerArr) {
            if (trustManager instanceof X509TrustManager) {
                return (X509TrustManager) trustManager;
            }
        }
        throw new IllegalStateException(sm.getString("openssl.trustManagerMissing"));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static X509Certificate[] certificates(byte[][] bArr) {
        X509Certificate[] x509CertificateArr = new X509Certificate[bArr.length];
        for (int i = 0; i < x509CertificateArr.length; i++) {
            x509CertificateArr[i] = new OpenSSLX509Certificate(bArr[i]);
        }
        return x509CertificateArr;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public long getSSLContextID() {
        return this.ctx;
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLSessionContext getServerSessionContext() {
        return this.sessionContext;
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLEngine createSSLEngine() {
        return new OpenSSLEngine(this.ctx, "TLS", false, this.sessionContext, this.negotiableProtocols != null && this.negotiableProtocols.size() > 0, this.initialized, this.sslHostConfig.getCertificateVerificationDepth(), this.sslHostConfig.getCertificateVerification() == SSLHostConfig.CertificateVerification.OPTIONAL_NO_CA);
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLServerSocketFactory getServerSocketFactory() {
        throw new UnsupportedOperationException();
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public SSLParameters getSupportedSSLParameters() {
        throw new UnsupportedOperationException();
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public X509Certificate[] getCertificateChain(String str) {
        X509Certificate[] x509CertificateArr = null;
        X509KeyManager certificateKeyManager = this.certificate.getCertificateKeyManager();
        if (certificateKeyManager != null) {
            if (str == null) {
                str = "tomcat";
            }
            x509CertificateArr = certificateKeyManager.getCertificateChain(str);
            if (x509CertificateArr == null) {
                x509CertificateArr = certificateKeyManager.getCertificateChain(findAlias(certificateKeyManager, this.certificate));
            }
        }
        return x509CertificateArr;
    }

    @Override // org.apache.tomcat.util.net.SSLContext
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] x509CertificateArr = null;
        if (this.x509TrustManager != null) {
            x509CertificateArr = this.x509TrustManager.getAcceptedIssuers();
        }
        return x509CertificateArr;
    }

    protected void finalize() throws Throwable {
        try {
            destroy();
        } finally {
            super.finalize();
        }
    }

    static {
        try {
            X509_CERT_FACTORY = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new IllegalStateException(sm.getString("openssl.X509FactoryError"), e);
        }
    }
}
