package org.springframework.boot.web.embedded.tomcat;

import java.io.FileNotFoundException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerException;
import org.springframework.util.Assert;
import org.springframework.util.ResourceUtils;
import org.springframework.util.StringUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-boot-2.6.0-SNAPSHOT.jar:org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.class */
/**
 * {@link TomcatConnectorCustomizer} that turns a Tomcat {@link Connector} into an HTTPS
 * connector: it enables SSL on the JSSE protocol handler, copies protocol, client-auth, key and
 * cipher settings from {@link Ssl}, wires the key/trust stores, and finally marks the connector
 * as {@code https} and secure.
 *
 * <p>Points a reviewer of a TLS deployment should keep in mind when reading this class:
 * <ul>
 * <li>Cipher suites and enabled protocol versions are only overridden when they are configured;
 * otherwise whatever the protocol handler already carries stays in effect.</li>
 * <li>Client authentication is only touched for {@code NEED} and {@code WANT}.</li>
 * <li>Exception messages built in this class embed the key store location or the cause's
 * message; the password getters are never concatenated into them.</li>
 * </ul>
 */
public class SslConnectorCustomizer implements TomcatConnectorCustomizer {
    private final Ssl ssl;
    private final SslStoreProvider sslStoreProvider;

    /**
     * Creates a customizer for the given TLS settings.
     *
     * @param ssl the TLS settings; rejected if {@code null}
     * @param sslStoreProvider optional source of key/trust stores; it is not null-checked here and
     *     {@link #configureSsl} falls back to the store locations in {@code ssl} when it is
     *     {@code null}
     */
    public SslConnectorCustomizer(Ssl ssl, SslStoreProvider sslStoreProvider) {
        Assert.notNull(ssl, "Ssl configuration should not be null");
        this.sslStoreProvider = sslStoreProvider;
        this.ssl = ssl;
    }

    /**
     * Applies the TLS configuration to the connector's protocol handler and flags the connector
     * as {@code https}/secure.
     *
     * @param connector the connector to customize
     * @throws IllegalStateException if the protocol handler is not an
     *     {@link AbstractHttp11JsseProtocol} (raised by {@code Assert.state})
     */
    @Override
    public void customize(Connector connector) {
        ProtocolHandler handler = connector.getProtocolHandler();
        Assert.state(handler instanceof AbstractHttp11JsseProtocol, "To use SSL, the connector's protocol handler must be an AbstractHttp11JsseProtocol subclass");
        AbstractHttp11JsseProtocol<?> jsseHandler = (AbstractHttp11JsseProtocol<?>) handler;
        configureSsl(jsseHandler, this.ssl, this.sslStoreProvider);
        // Scheme and secure flag are set only after the TLS settings were applied without error.
        connector.setScheme("https");
        connector.setSecure(true);
    }

    /**
     * Copies the TLS settings onto the protocol handler.
     *
     * @param abstractHttp11JsseProtocol the handler to configure
     * @param ssl the TLS settings to read from
     * @param sslStoreProvider store provider to use, or {@code null} to use the store locations
     *     from {@code ssl}
     */
    protected void configureSsl(AbstractHttp11JsseProtocol<?> abstractHttp11JsseProtocol, Ssl ssl, SslStoreProvider sslStoreProvider) {
        abstractHttp11JsseProtocol.setSSLEnabled(true);
        abstractHttp11JsseProtocol.setSslProtocol(ssl.getProtocol());
        configureSslClientAuth(abstractHttp11JsseProtocol, ssl);

        // Passwords are forwarded only when present; a null leaves the handler's value untouched.
        if (ssl.getKeyStorePassword() != null) {
            abstractHttp11JsseProtocol.setKeystorePass(ssl.getKeyStorePassword());
        }
        if (ssl.getKeyPassword() != null) {
            abstractHttp11JsseProtocol.setKeyPass(ssl.getKeyPassword());
        }
        abstractHttp11JsseProtocol.setKeyAlias(ssl.getKeyAlias());

        // An absent or blank cipher list is not applied, so the handler keeps its existing suites.
        // NOTE(review): deployments that need a restricted cipher list must configure one
        // explicitly; confirm which defaults the container falls back to.
        String cipherList = StringUtils.arrayToCommaDelimitedString(ssl.getCiphers());
        if (StringUtils.hasText(cipherList)) {
            abstractHttp11JsseProtocol.setCiphers(cipherList);
        }

        // Same rule for protocol versions: without an explicit list no host config is changed.
        if (ssl.getEnabledProtocols() != null) {
            for (SSLHostConfig hostConfig : abstractHttp11JsseProtocol.findSslHostConfigs()) {
                String protocolList = StringUtils.arrayToCommaDelimitedString(ssl.getEnabledProtocols());
                hostConfig.setProtocols(protocolList);
            }
        }

        if (sslStoreProvider == null) {
            configureSslKeyStore(abstractHttp11JsseProtocol, ssl);
            configureSslTrustStore(abstractHttp11JsseProtocol, ssl);
        } else {
            // The provider path replaces both the key store and the trust store configuration.
            configureSslStoreProvider(abstractHttp11JsseProtocol, sslStoreProvider);
        }
    }

    /**
     * Maps {@code NEED} and {@code WANT} onto the handler's client-auth setting. Any other value,
     * including {@code null}, leaves the handler untouched.
     * NOTE(review): presumably that means no client certificate is requested; confirm against the
     * handler's default.
     */
    private void configureSslClientAuth(AbstractHttp11JsseProtocol<?> protocol, Ssl settings) {
        if (settings.getClientAuth() == Ssl.ClientAuth.NEED) {
            protocol.setClientAuth(Boolean.toString(true));
            return;
        }
        if (settings.getClientAuth() == Ssl.ClientAuth.WANT) {
            protocol.setClientAuth("want");
        }
    }

    /**
     * Points the handler at the stores exposed by the given provider through the
     * {@code springbootssl:} pseudo-URLs.
     *
     * <p>When this runs from {@link #configureSsl}, a key store password copied from {@link Ssl}
     * has already been set and is overwritten with the empty string here if the provider returns
     * a key store; the key password set via {@code setKeyPass} is not reset.
     *
     * @param abstractHttp11JsseProtocol the handler to configure; must be an
     *     {@link Http11NioProtocol}
     * @param sslStoreProvider the provider supplying the stores
     * @throws WebServerException if querying the provider or configuring the handler fails
     */
    protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> abstractHttp11JsseProtocol, SslStoreProvider sslStoreProvider) {
        Assert.isInstanceOf(Http11NioProtocol.class, abstractHttp11JsseProtocol, "SslStoreProvider can only be used with Http11NioProtocol");
        // Registers a URL stream handler factory built around the provider.
        // NOTE(review): presumably this is what resolves the springbootssl: URLs below, which
        // would explain the empty store passwords; confirm in SslStoreProviderUrlStreamHandlerFactory.
        SslStoreProviderUrlStreamHandlerFactory providerFactory = new SslStoreProviderUrlStreamHandlerFactory(sslStoreProvider);
        TomcatURLStreamHandlerFactory.getInstance().addUserFactory(providerFactory);
        try {
            if (sslStoreProvider.getKeyStore() != null) {
                abstractHttp11JsseProtocol.setKeystorePass("");
                abstractHttp11JsseProtocol.setKeystoreFile("springbootssl:keyStore");
            }
            if (sslStoreProvider.getTrustStore() != null) {
                abstractHttp11JsseProtocol.setTruststorePass("");
                abstractHttp11JsseProtocol.setTruststoreFile("springbootssl:trustStore");
            }
        } catch (Exception cause) {
            throw new WebServerException("Could not load store: " + cause.getMessage(), cause);
        }
    }

    /**
     * Sets the key store location, and the type and provider when configured. Any failure is
     * reported as a {@link WebServerException} whose message names the configured location.
     */
    private void configureSslKeyStore(AbstractHttp11JsseProtocol<?> protocol, Ssl settings) {
        try {
            String keyStoreUrl = ResourceUtils.getURL(settings.getKeyStore()).toString();
            protocol.setKeystoreFile(keyStoreUrl);
            if (settings.getKeyStoreType() != null) {
                protocol.setKeystoreType(settings.getKeyStoreType());
            }
            if (settings.getKeyStoreProvider() != null) {
                protocol.setKeystoreProvider(settings.getKeyStoreProvider());
            }
        } catch (Exception cause) {
            throw new WebServerException("Could not load key store '" + settings.getKeyStore() + "'", cause);
        }
    }

    /**
     * Applies the trust store settings. The trust store is optional: with no location configured
     * no trust store file is set, while password, type and provider are still forwarded when they
     * are present.
     */
    private void configureSslTrustStore(AbstractHttp11JsseProtocol<?> protocol, Ssl settings) {
        if (settings.getTrustStore() != null) {
            try {
                String trustStoreUrl = ResourceUtils.getURL(settings.getTrustStore()).toString();
                protocol.setTruststoreFile(trustStoreUrl);
            } catch (FileNotFoundException cause) {
                throw new WebServerException("Could not load trust store: " + cause.getMessage(), cause);
            }
        }
        if (settings.getTrustStorePassword() != null) {
            protocol.setTruststorePass(settings.getTrustStorePassword());
        }
        if (settings.getTrustStoreType() != null) {
            protocol.setTruststoreType(settings.getTrustStoreType());
        }
        if (settings.getTrustStoreProvider() != null) {
            protocol.setTruststoreProvider(settings.getTrustStoreProvider());
        }
    }
}
