package org.eclipse.jetty.util.ssl;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.regex.Pattern;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.component.Dumpable;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.security.CertificateValidator;
import org.eclipse.jetty.util.security.Password;

/* JADX WARN: Classes with same name are omitted:
  input_file:rest-management-private-classpath/org/eclipse/jetty/util/ssl/SslContextFactory.class_terracotta
 */
/* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory.class */
public class SslContextFactory extends AbstractLifeCycle implements Dumpable {
    /**
     * Trust manager that accepts every certificate chain without performing any check.
     * {@code load()} installs it only when {@code isTrustAll()} is set and no key store
     * or trust store has been configured; a connection built with it is encrypted but
     * the peer is not authenticated.
     */
    public static final TrustManager[] TRUST_ALL_CERTS = {new X509TrustManager() { // from class: org.eclipse.jetty.util.ssl.SslContextFactory.1
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            // No issuers are advertised: an empty array, never null.
            return new X509Certificate[0];
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
            // Intentionally empty: any client chain is accepted.
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
            // Intentionally empty: any server chain is accepted.
        }
    }};
    private static final Logger LOG = Log.getLogger((Class<?>) SslContextFactory.class);
    // Assigned in a static initialiser that is outside this view — TODO confirm.
    public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
    public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
    // System property names consulted by the password setters when no explicit password is supplied.
    public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
    public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
    // Protocol filters hold literal protocol names; cipher suite filters hold regular expressions.
    private final Set<String> _excludeProtocols;
    private final Set<String> _includeProtocols;
    private final Set<String> _excludeCipherSuites;
    private final List<String> _includeCipherSuites;
    // Indexes built by load() from the key store's non-signing X.509 certificates; cleared by unload().
    private final Map<String, X509> _aliasX509; // key store alias -> certificate
    private final Map<String, X509> _certHosts; // host name -> certificate (exact SNI match)
    private final Map<String, X509> _certWilds; // wildcard domain -> certificate (SNI wildcard match)
    // Results of selectProtocols()/selectCipherSuites(); null while stopped.
    private String[] _selectedProtocols;
    private boolean _useCipherSuitesOrder;
    private Comparator<String> _cipherComparator;
    private String[] _selectedCipherSuites;
    private Resource _keyStoreResource;
    private String _keyStoreProvider;
    private String _keyStoreType;
    private String _certAlias;
    private Resource _trustStoreResource;
    private String _trustStoreProvider;
    private String _trustStoreType;
    private boolean _needClientAuth;
    private boolean _wantClientAuth;
    private Password _keyStorePassword;
    private Password _keyManagerPassword;
    private Password _trustStorePassword;
    private String _sslProvider;
    private String _sslProtocol;
    private String _secureRandomAlgorithm;
    private String _keyManagerFactoryAlgorithm;
    private String _trustManagerFactoryAlgorithm;
    // Validate the key store's own certificates against the trust store at start-up.
    private boolean _validateCerts;
    // Enable PKIX revocation checking of peer certificates (only with the PKIX trust manager algorithm).
    private boolean _validatePeerCerts;
    private int _maxCertPathLength;
    private String _crlPath;
    // Both switches set process-wide System/Security properties when the PKIX trust manager is built.
    private boolean _enableCRLDP;
    private boolean _enableOCSP;
    private String _ocspResponderURL;
    // Objects supplied directly through the setters; they take precedence over the resource-based configuration.
    private KeyStore _setKeyStore;
    private KeyStore _setTrustStore;
    private boolean _sessionCachingEnabled;
    private int _sslSessionCacheSize;
    private int _sslSessionTimeout;
    private SSLContext _setContext;
    // null by default and cleared whenever trustAll is enabled; presumably applied to SSLParameters outside this view — confirm.
    private String _endpointIdentificationAlgorithm;
    private boolean _trustAll;
    private boolean _renegotiationAllowed;
    private int _renegotiationLimit;
    // Loaded state (stores + context); null until started and again after stop.
    private Factory _factory;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$AliasSNIMatcher.class */
    public class AliasSNIMatcher extends SNIMatcher {
        private String _host;
        private X509 _x509;

        /** Matches SNI names of type 0, i.e. {@code host_name} (StandardConstants.SNI_HOST_NAME). */
        AliasSNIMatcher() {
            super(0);
        }

        /**
         * Records the requested host name and looks up a certificate for it.
         * Always returns {@code true}: an unknown host does not reject the handshake,
         * it only leaves {@link #getX509()} as {@code null}.
         *
         * @param serverName the SNI name sent by the client
         * @return always {@code true}
         */
        @Override // javax.net.ssl.SNIMatcher
        public boolean matches(SNIServerName serverName) {
            boolean debug = SslContextFactory.LOG.isDebugEnabled();
            if (debug) {
                SslContextFactory.LOG.debug("SNI matching for {}", serverName);
            }
            if (!(serverName instanceof SNIHostName)) {
                if (debug) {
                    SslContextFactory.LOG.debug("SNI no match for {}", serverName);
                }
                return true;
            }
            _host = ((SNIHostName) serverName).getAsciiName();
            String key = StringUtil.asciiToLowerCase(_host);
            _x509 = lookup(key);
            if (debug) {
                SslContextFactory.LOG.debug("SNI matched {}->{}", key, _x509);
            }
            return true;
        }

        /** Exact host first, then the wildcard map for the name itself, then for its parent domain. */
        private X509 lookup(String host) {
            X509 match = SslContextFactory.this._certHosts.get(host);
            if (match != null) {
                return match;
            }
            match = SslContextFactory.this._certWilds.get(host);
            if (match != null) {
                return match;
            }
            int dot = host.indexOf('.');
            return dot >= 0 ? SslContextFactory.this._certWilds.get(host.substring(dot + 1)) : null;
        }

        /** The ASCII host name of the last matched SNI name, or {@code null} if none was a host name. */
        public String getHost() {
            return _host;
        }

        /** The certificate selected for the last matched host name, or {@code null} if none matched. */
        public X509 getX509() {
            return _x509;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/eclipse/jetty/util/ssl/SslContextFactory$Factory.class */
    public class Factory {
        private final KeyStore _keyStore;
        private final KeyStore _trustStore;
        private final SSLContext _context;

        /**
         * Immutable snapshot of the loaded state: the key store and trust store that
         * were used (either may be {@code null}) and the initialised context.
         */
        Factory(KeyStore keyStore, KeyStore trustStore, SSLContext context) {
            _keyStore = keyStore;
            _trustStore = trustStore;
            _context = context;
        }
    }

    /** Creates a factory with trustAll disabled and no key store path. */
    public SslContextFactory() {
        this(false, null);
    }

    /**
     * Creates a factory with no key store path.
     *
     * @param trustAll whether every peer certificate is to be trusted (see {@link #setTrustAll(boolean)})
     */
    public SslContextFactory(boolean trustAll) {
        this(trustAll, null);
    }

    /**
     * Creates a factory with trustAll disabled.
     *
     * @param keyStorePath the key store path, passed to {@link #setKeyStorePath(String)}
     */
    public SslContextFactory(String keyStorePath) {
        this(false, keyStorePath);
    }

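    /**
     * Common constructor applying the defaults.
     * <p>
     * Security-relevant defaults: protocols SSL, SSLv2, SSLv2Hello and SSLv3 are
     * excluded; cipher suites ending in _MD5, _SHA or _SHA1 are excluded; client
     * authentication is neither wanted nor required; key store certificates are
     * not validated at start-up; no endpoint identification algorithm is set;
     * renegotiation is allowed with a limit of 5.
     *
     * @param trustAll     whether every peer certificate is to be trusted
     * @param keyStorePath key store path, or {@code null} for none
     * @throws IllegalArgumentException if {@code keyStorePath} cannot be resolved
     */
    private SslContextFactory(boolean trustAll, String keyStorePath) {
        _excludeProtocols = new LinkedHashSet<>();
        _includeProtocols = new LinkedHashSet<>();
        _excludeCipherSuites = new LinkedHashSet<>();
        _includeCipherSuites = new ArrayList<>();
        _aliasX509 = new HashMap<>();
        _certHosts = new HashMap<>();
        _certWilds = new HashMap<>();
        _useCipherSuitesOrder = true;
        _keyStoreType = "JKS";
        _trustStoreType = "JKS";
        _needClientAuth = false;
        _wantClientAuth = false;
        // "TLS" is the value of LdapConnectionConfig.DEFAULT_SSL_PROTOCOL that the
        // decompiled source referenced here; the literal removes the accidental
        // dependency on the LDAP client API for a plain string.
        _sslProtocol = "TLS";
        _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
        _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
        // -1 means "no limit" for the path length and "leave the JSSE default" for the session settings.
        _maxCertPathLength = -1;
        _enableCRLDP = false;
        _enableOCSP = false;
        _sessionCachingEnabled = true;
        _sslSessionCacheSize = -1;
        _sslSessionTimeout = -1;
        _endpointIdentificationAlgorithm = null;
        _renegotiationAllowed = true;
        _renegotiationLimit = 5;
        setTrustAll(trustAll);
        addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
        if (keyStorePath != null) {
            setKeyStorePath(keyStorePath);
        }
    }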

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Loads the SSL context and the protocol/cipher selections from the configured
     * stores. Loading is serialised on {@code this}, like {@link #doStop()}.
     *
     * @throws Exception if the stores cannot be loaded or the context cannot be initialised
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStart() throws Exception {
        super.doStart();
        synchronized (this) {
            load();
        }
    }

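    /**
     * Builds the {@link SSLContext}, derives the selected protocols and cipher
     * suites, and publishes the result as {@code _factory}.
     * <p>
     * Precedence: a context supplied through {@link #setSslContext(SSLContext)} is
     * used as is. Otherwise, if neither a key store nor a trust store is configured
     * (as object or as resource), a context with no key managers is created; it has
     * no trust managers either unless {@link #isTrustAll()} is set, in which case
     * {@link #TRUST_ALL_CERTS} is installed and peer certificates are not validated.
     * Otherwise the stores are loaded, the key store's certificates are indexed for
     * SNI (and validated when {@link #isValidateCerts()} is set) and the key and
     * trust managers are built from the stores.
     *
     * @throws Exception on store loading, certificate validation or context initialisation failure
     */
    private void load() throws Exception {
        SSLContext context = _setContext;
        KeyStore keyStore = _setKeyStore;
        KeyStore trustStore = _setTrustStore;
        if (context == null) {
            boolean noStores = keyStore == null && _keyStoreResource == null
                && trustStore == null && _trustStoreResource == null;
            if (noStores) {
                TrustManager[] trustManagers = null;
                if (isTrustAll()) {
                    // Only visible at DEBUG level; this is the path on which peers are not authenticated.
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("No keystore or trust store configured.  ACCEPTING UNTRUSTED CERTIFICATES!!!!!", new Object[0]);
                    }
                    trustManagers = TRUST_ALL_CERTS;
                }
                context = initSslContext(null, trustManagers);
            } else {
                if (keyStore == null) {
                    keyStore = loadKeyStore(_keyStoreResource);
                }
                if (trustStore == null) {
                    trustStore = loadTrustStore(_trustStoreResource);
                }
                Collection<? extends CRL> crls = loadCRL(getCrlPath());
                if (keyStore != null) {
                    // Must run before getKeyManagers(): that method checks the host/wildcard indexes.
                    indexKeyStoreCertificates(keyStore, trustStore, crls);
                }
                context = initSslContext(getKeyManagers(keyStore), getTrustManagers(trustStore, crls));
            }
        }
        applySessionSettings(context.getServerSessionContext());
        SSLParameters defaults = context.getDefaultSSLParameters();
        SSLParameters supported = context.getSupportedSSLParameters();
        selectCipherSuites(defaults.getCipherSuites(), supported.getCipherSuites());
        selectProtocols(defaults.getProtocols(), supported.getProtocols());
        _factory = new Factory(keyStore, trustStore, context);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Selected Protocols {} of {}", Arrays.asList(_selectedProtocols), Arrays.asList(supported.getProtocols()));
            LOG.debug("Selected Ciphers   {} of {}", Arrays.asList(_selectedCipherSuites), Arrays.asList(supported.getCipherSuites()));
        }
    }

    /**
     * Creates and initialises an {@link SSLContext} for the configured protocol,
     * provider and SecureRandom algorithm (each of which may be unset).
     *
     * @param keyManagers   key managers, or {@code null} for none
     * @param trustManagers trust managers, or {@code null} for the JSSE default
     * @return the initialised context
     * @throws Exception if the protocol, provider or algorithm is unavailable or initialisation fails
     */
    private SSLContext initSslContext(KeyManager[] keyManagers, TrustManager[] trustManagers) throws Exception {
        String randomAlgorithm = getSecureRandomAlgorithm();
        SecureRandom random = randomAlgorithm == null ? null : SecureRandom.getInstance(randomAlgorithm);
        SSLContext context = _sslProvider == null
            ? SSLContext.getInstance(_sslProtocol)
            : SSLContext.getInstance(_sslProtocol, _sslProvider);
        context.init(keyManagers, trustManagers, random);
        return context;
    }

    /**
     * Registers every X.509 certificate of {@code keyStore} that is not a signing
     * certificate in the alias, host and wildcard indexes used for SNI selection.
     * When {@link #isValidateCerts()} is set each certificate is validated against
     * {@code trustStore} and {@code crls} right after it is indexed, so a failed
     * validation aborts the start.
     *
     * @throws Exception if the key store cannot be read or a certificate fails validation
     */
    private void indexKeyStoreCertificates(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls) throws Exception {
        for (String alias : Collections.list(keyStore.aliases())) {
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null || !"X.509".equals(certificate.getType())) {
                continue;
            }
            X509Certificate x509Certificate = (X509Certificate) certificate;
            if (X509.isCertSign(x509Certificate)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Skipping " + x509Certificate, new Object[0]);
                }
                continue;
            }
            X509 x509 = new X509(alias, x509Certificate);
            _aliasX509.put(alias, x509);
            if (isValidateCerts()) {
                validateKeyStoreCertificate(keyStore, trustStore, crls, x509Certificate);
            }
            LOG.info("x509={} for {}", x509, this);
            for (String host : x509.getHosts()) {
                _certHosts.put(host, x509);
            }
            for (String wild : x509.getWilds()) {
                _certWilds.put(wild, x509);
            }
        }
    }

    /**
     * Validates one key store certificate with the configured path length, CRLDP
     * and OCSP settings.
     *
     * @throws Exception if validation fails
     */
    private void validateKeyStoreCertificate(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls, X509Certificate certificate) throws Exception {
        CertificateValidator validator = new CertificateValidator(trustStore, crls);
        validator.setMaxCertPathLength(getMaxCertPathLength());
        validator.setEnableCRLDP(isEnableCRLDP());
        validator.setEnableOCSP(isEnableOCSP());
        validator.setOcspResponderURL(getOcspResponderURL());
        validator.validate(keyStore, certificate);
    }

    /**
     * Applies the configured session cache size and timeout to the server session
     * context; a value of -1 (the default) leaves the JSSE setting untouched.
     *
     * @param sessionContext the server session context, or {@code null} if the context has none
     */
    private void applySessionSettings(SSLSessionContext sessionContext) {
        if (sessionContext == null) {
            return;
        }
        if (getSslSessionCacheSize() > -1) {
            sessionContext.setSessionCacheSize(getSslSessionCacheSize());
        }
        if (getSslSessionTimeout() > -1) {
            sessionContext.setSessionTimeout(getSslSessionTimeout());
        }
    }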

    /**
     * Returns the dump of this factory as produced by {@link #dump(Appendable, String)}.
     *
     * @return the dump text
     */
    @Override // org.eclipse.jetty.util.component.Dumpable
    public String dump() {
        return ContainerLifeCycle.dump(this);
    }

    /**
     * Appends a dump of this factory: a header with the trustAll flag, then the
     * protocol and cipher suite selections. The selections are computed against an
     * engine created from the JVM default {@code SSLContext}, not from the context
     * built by this factory.
     *
     * @param out    where to write
     * @param indent indentation prefix for nested lines
     * @throws IOException if writing to {@code out} fails
     */
    @Override // org.eclipse.jetty.util.component.Dumpable
    public void dump(Appendable out, String indent) throws IOException {
        out.append(String.valueOf(this))
            .append(" trustAll=")
            .append(Boolean.toString(_trustAll))
            .append(System.lineSeparator());
        try {
            SSLEngine engine = SSLContext.getDefault().createSSLEngine();
            List<SslSelectionDump> selections = new ArrayList<>();
            selections.add(new SslSelectionDump("Protocol", engine.getSupportedProtocols(), engine.getEnabledProtocols(), getExcludeProtocols(), getIncludeProtocols()));
            selections.add(new SslSelectionDump("Cipher Suite", engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites(), getExcludeCipherSuites(), getIncludeCipherSuites()));
            ContainerLifeCycle.dump(out, indent, selections);
        } catch (NoSuchAlgorithmException e) {
            // No default context is available; the header line has already been written.
            LOG.ignore(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Discards the loaded context, selections and certificate indexes, then
     * completes the life cycle stop. Serialised on {@code this}, like {@link #doStart()}.
     *
     * @throws Exception propagated from the superclass stop
     */
    @Override // org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStop() throws Exception {
        synchronized (this) {
            unload();
        }
        super.doStop();
    }

    /** Clears everything {@code load()} produced; the configuration itself is kept. */
    private void unload() {
        _aliasX509.clear();
        _certHosts.clear();
        _certWilds.clear();
        _selectedProtocols = null;
        _selectedCipherSuites = null;
        _factory = null;
    }

    /**
     * Returns a copy of the protocols selected at start.
     *
     * @return a fresh array; throws {@link NullPointerException} while the factory is not started
     */
    public String[] getSelectedProtocols() {
        return _selectedProtocols.clone();
    }

    /**
     * Returns a copy of the cipher suites selected at start.
     *
     * @return a fresh array; throws {@link NullPointerException} while the factory is not started
     */
    public String[] getSelectedCipherSuites() {
        return _selectedCipherSuites.clone();
    }

    /** @return the comparator used to order selected cipher suites, or {@code null} for none */
    public Comparator<String> getCipherComparator() {
        return _cipherComparator;
    }

    /**
     * Sets the comparator used to order selected cipher suites. A non-null
     * comparator also turns on {@link #setUseCipherSuitesOrder(boolean)}.
     *
     * @param comparator the comparator, or {@code null} to keep the JSSE order
     */
    public void setCipherComparator(Comparator<String> comparator) {
        if (comparator != null) {
            setUseCipherSuitesOrder(true);
        }
        _cipherComparator = comparator;
    }

    /** @return an unmodifiable view of the key store aliases indexed at start */
    public Set<String> getAliases() {
        Set<String> aliases = _aliasX509.keySet();
        return Collections.unmodifiableSet(aliases);
    }

    /**
     * @param alias a key store alias
     * @return the indexed certificate for the alias, or {@code null} if none
     */
    public X509 getX509(String alias) {
        return _aliasX509.get(alias);
    }

    /** @return the excluded protocol names, in insertion order */
    public String[] getExcludeProtocols() {
        return _excludeProtocols.toArray(new String[0]);
    }

    /**
     * Replaces the excluded protocols. Note that the constructor's SSL/SSLv2/SSLv3
     * excludes are dropped by this call unless listed again.
     *
     * @param protocols literal protocol names to exclude
     */
    public void setExcludeProtocols(String... protocols) {
        _excludeProtocols.clear();
        Collections.addAll(_excludeProtocols, protocols);
    }

    /** @param protocols literal protocol names to add to the excludes */
    public void addExcludeProtocols(String... protocols) {
        Collections.addAll(_excludeProtocols, protocols);
    }

    /** @return the included protocol names, in insertion order; empty means "all enabled" */
    public String[] getIncludeProtocols() {
        return _includeProtocols.toArray(new String[0]);
    }

    /** @param protocols literal protocol names to include; replaces any previous includes */
    public void setIncludeProtocols(String... protocols) {
        _includeProtocols.clear();
        Collections.addAll(_includeProtocols, protocols);
    }

    /** @return the cipher suite exclusion regular expressions, in insertion order */
    public String[] getExcludeCipherSuites() {
        return _excludeCipherSuites.toArray(new String[0]);
    }

    /**
     * Replaces the cipher suite excludes. Note that the constructor's weak-MAC
     * exclude pattern is dropped by this call unless listed again.
     *
     * @param patterns regular expressions matched against whole cipher suite names
     */
    public void setExcludeCipherSuites(String... patterns) {
        _excludeCipherSuites.clear();
        Collections.addAll(_excludeCipherSuites, patterns);
    }

    /** @param patterns regular expressions (whole-name match) to add to the cipher suite excludes */
    public void addExcludeCipherSuites(String... patterns) {
        Collections.addAll(_excludeCipherSuites, patterns);
    }

    /** @return the cipher suite inclusion regular expressions; empty means "all enabled" */
    public String[] getIncludeCipherSuites() {
        return _includeCipherSuites.toArray(new String[0]);
    }

    /** @param patterns regular expressions (whole-name match) to include; replaces any previous includes */
    public void setIncludeCipherSuites(String... patterns) {
        _includeCipherSuites.clear();
        Collections.addAll(_includeCipherSuites, patterns);
    }

    /** @return whether the local cipher suite order is to be honoured (default {@code true}) */
    public boolean isUseCipherSuitesOrder() {
        return _useCipherSuitesOrder;
    }

    /** @param useCipherSuitesOrder whether the local cipher suite order is to be honoured */
    public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder) {
        _useCipherSuitesOrder = useCipherSuitesOrder;
    }

    /**
     * @return the key store resource as a string
     * @throws NullPointerException if no key store path has been set
     */
    public String getKeyStorePath() {
        Resource keyStore = _keyStoreResource;
        return keyStore.toString();
    }

    /**
     * Resolves and stores the key store path.
     *
     * @param keyStorePath the key store path
     * @throws IllegalArgumentException wrapping any resolution failure
     */
    public void setKeyStorePath(String keyStorePath) {
        Resource resource;
        try {
            resource = Resource.newResource(keyStorePath);
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
        _keyStoreResource = resource;
    }

    /** @return the key store provider name, or {@code null} for the default */
    public String getKeyStoreProvider() {
        return _keyStoreProvider;
    }

    /** @param keyStoreProvider the key store provider name, or {@code null} for the default */
    public void setKeyStoreProvider(String keyStoreProvider) {
        _keyStoreProvider = keyStoreProvider;
    }

    /** @return the key store type (default {@code "JKS"}) */
    public String getKeyStoreType() {
        return _keyStoreType;
    }

    /** @param keyStoreType the key store type, e.g. {@code "JKS"} or {@code "PKCS12"} */
    public void setKeyStoreType(String keyStoreType) {
        _keyStoreType = keyStoreType;
    }

    /** @return the alias of the certificate to present, or {@code null} to let the key manager choose */
    public String getCertAlias() {
        return _certAlias;
    }

    /** @param certAlias the alias of the certificate to present, or {@code null} to let the key manager choose */
    public void setCertAlias(String certAlias) {
        _certAlias = certAlias;
    }

    /**
     * Resolves and stores the trust store path.
     *
     * @param trustStorePath the trust store path
     * @throws IllegalArgumentException wrapping any resolution failure
     */
    public void setTrustStorePath(String trustStorePath) {
        Resource resource;
        try {
            resource = Resource.newResource(trustStorePath);
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
        _trustStoreResource = resource;
    }

    /** @return the trust store provider name, or {@code null} for the default */
    public String getTrustStoreProvider() {
        return _trustStoreProvider;
    }

    /** @param trustStoreProvider the trust store provider name, or {@code null} for the default */
    public void setTrustStoreProvider(String trustStoreProvider) {
        _trustStoreProvider = trustStoreProvider;
    }

    /** @return the trust store type (default {@code "JKS"}) */
    public String getTrustStoreType() {
        return _trustStoreType;
    }

    /** @param trustStoreType the trust store type, e.g. {@code "JKS"} or {@code "PKCS12"} */
    public void setTrustStoreType(String trustStoreType) {
        _trustStoreType = trustStoreType;
    }

    /** @return whether a client certificate is required (default {@code false}) */
    public boolean getNeedClientAuth() {
        return _needClientAuth;
    }

    /** @param needClientAuth whether a client certificate is required */
    public void setNeedClientAuth(boolean needClientAuth) {
        _needClientAuth = needClientAuth;
    }

    /** @return whether a client certificate is requested but not required (default {@code false}) */
    public boolean getWantClientAuth() {
        return _wantClientAuth;
    }

    /** @param wantClientAuth whether a client certificate is requested but not required */
    public void setWantClientAuth(boolean wantClientAuth) {
        _wantClientAuth = wantClientAuth;
    }

    /** @return whether the key store's own certificates are validated against the trust store at start (default {@code false}) */
    public boolean isValidateCerts() {
        return _validateCerts;
    }

    /** @param validateCerts whether the key store's own certificates are validated against the trust store at start */
    public void setValidateCerts(boolean validateCerts) {
        _validateCerts = validateCerts;
    }

    /** @return whether PKIX revocation checking is enabled for peer certificates (default {@code false}) */
    public boolean isValidatePeerCerts() {
        return _validatePeerCerts;
    }

    /**
     * @param validatePeerCerts whether PKIX revocation checking is enabled for peer
     *                          certificates; only effective with the PKIX trust manager algorithm
     */
    public void setValidatePeerCerts(boolean validatePeerCerts) {
        _validatePeerCerts = validatePeerCerts;
    }

    /**
     * Sets the password used to open the key store. With a {@code null} argument the
     * password is resolved from the {@value #PASSWORD_PROPERTY} property name when a
     * key store path has been set, otherwise it is cleared.
     *
     * @param password the password, or {@code null} to use the property / clear it
     */
    public void setKeyStorePassword(String password) {
        if (password != null) {
            _keyStorePassword = newPassword(password);
            return;
        }
        _keyStorePassword = _keyStoreResource == null ? null : getPassword(PASSWORD_PROPERTY);
    }

    /**
     * Sets the password protecting the private key entries. With a {@code null}
     * argument the password is resolved from {@value #KEYPASSWORD_PROPERTY} if that
     * system property is present, otherwise it is cleared (the key store password
     * is then used for the key manager).
     *
     * @param password the password, or {@code null} to use the property / clear it
     */
    public void setKeyManagerPassword(String password) {
        if (password != null) {
            _keyManagerPassword = newPassword(password);
        } else {
            boolean propertySet = System.getProperty(KEYPASSWORD_PROPERTY) != null;
            _keyManagerPassword = propertySet ? getPassword(KEYPASSWORD_PROPERTY) : null;
        }
    }

    /**
     * Sets the password used to open the trust store. With a {@code null} argument
     * the password is cleared when the trust store is unset or is the same resource
     * as the key store (the key store password then applies), otherwise it is
     * resolved from the {@value #PASSWORD_PROPERTY} property name.
     *
     * @param password the password, or {@code null} to use the property / clear it
     */
    public void setTrustStorePassword(String password) {
        if (password != null) {
            _trustStorePassword = newPassword(password);
            return;
        }
        boolean sharesKeyStore = _trustStoreResource == null || _trustStoreResource.equals(_keyStoreResource);
        _trustStorePassword = sharesKeyStore ? null : getPassword(PASSWORD_PROPERTY);
    }

    /** @return the JSSE provider name for the {@code SSLContext}, or {@code null} for the default */
    public String getProvider() {
        return _sslProvider;
    }

    /** @param provider the JSSE provider name for the {@code SSLContext}, or {@code null} for the default */
    public void setProvider(String provider) {
        _sslProvider = provider;
    }

    /** @return the protocol name passed to {@code SSLContext.getInstance} */
    public String getProtocol() {
        return _sslProtocol;
    }

    /** @param protocol the protocol name passed to {@code SSLContext.getInstance} */
    public void setProtocol(String protocol) {
        _sslProtocol = protocol;
    }

    /** @return the {@code SecureRandom} algorithm, or {@code null} for the JSSE default */
    public String getSecureRandomAlgorithm() {
        return _secureRandomAlgorithm;
    }

    /** @param algorithm the {@code SecureRandom} algorithm, or {@code null} for the JSSE default */
    public void setSecureRandomAlgorithm(String algorithm) {
        _secureRandomAlgorithm = algorithm;
    }

    /** @return the {@code KeyManagerFactory} algorithm (default {@link #DEFAULT_KEYMANAGERFACTORY_ALGORITHM}) */
    public String getKeyManagerFactoryAlgorithm() {
        return _keyManagerFactoryAlgorithm;
    }

    /** @param algorithm the {@code KeyManagerFactory} algorithm */
    public void setKeyManagerFactoryAlgorithm(String algorithm) {
        _keyManagerFactoryAlgorithm = algorithm;
    }

    /** @return the {@code TrustManagerFactory} algorithm (default {@link #DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM}) */
    public String getTrustManagerFactoryAlgorithm() {
        return _trustManagerFactoryAlgorithm;
    }

    /** @return whether every peer certificate is trusted (see {@link #setTrustAll(boolean)}) */
    public boolean isTrustAll() {
        return _trustAll;
    }

    /**
     * Enables or disables trusting every peer certificate. Enabling it also clears
     * the endpoint identification algorithm, so host name verification is switched
     * off at the same time; disabling it does not restore a previous algorithm.
     * {@link #TRUST_ALL_CERTS} is only installed when neither a key store nor a
     * trust store is configured; with a trust store present this flag does not
     * bypass it.
     *
     * @param trustAll whether every peer certificate is to be trusted
     */
    public void setTrustAll(boolean trustAll) {
        _trustAll = trustAll;
        if (!trustAll) {
            return;
        }
        setEndpointIdentificationAlgorithm(null);
    }

    /** @param algorithm the {@code TrustManagerFactory} algorithm; revocation checking requires {@code "PKIX"} */
    public void setTrustManagerFactoryAlgorithm(String algorithm) {
        _trustManagerFactoryAlgorithm = algorithm;
    }

    /** @return whether TLS renegotiation is allowed (default {@code true}) */
    public boolean isRenegotiationAllowed() {
        return _renegotiationAllowed;
    }

    /** @param renegotiationAllowed whether TLS renegotiation is allowed */
    public void setRenegotiationAllowed(boolean renegotiationAllowed) {
        _renegotiationAllowed = renegotiationAllowed;
    }

    /** @return the renegotiation limit (default 5); how it is enforced is outside this view */
    public int getRenegotiationLimit() {
        return _renegotiationLimit;
    }

    /** @param renegotiationLimit the renegotiation limit */
    public void setRenegotiationLimit(int renegotiationLimit) {
        _renegotiationLimit = renegotiationLimit;
    }

    /** @return the CRL file path handed to {@link #loadCRL(String)}, or {@code null} */
    public String getCrlPath() {
        return _crlPath;
    }

    /** @param crlPath the CRL file path, or {@code null} for none */
    public void setCrlPath(String crlPath) {
        _crlPath = crlPath;
    }

    /** @return the maximum certification path length (default -1, i.e. no limit) */
    public int getMaxCertPathLength() {
        return _maxCertPathLength;
    }

    /** @param maxCertPathLength the maximum certification path length, or -1 for no limit */
    public void setMaxCertPathLength(int maxCertPathLength) {
        _maxCertPathLength = maxCertPathLength;
    }

    /**
     * @return the loaded context while started; before start, the context given to
     *         {@link #setSslContext(SSLContext)} (possibly {@code null})
     */
    public SSLContext getSslContext() {
        if (!isStarted()) {
            return _setContext;
        }
        synchronized (this) {
            return _factory._context;
        }
    }

    /**
     * @param sslContext a pre-built context to use instead of building one from the
     *                   stores; it is used as is, including its trust managers
     */
    public void setSslContext(SSLContext sslContext) {
        _setContext = sslContext;
    }

    /** @return the endpoint identification algorithm, or {@code null} for none (the default) */
    public String getEndpointIdentificationAlgorithm() {
        return _endpointIdentificationAlgorithm;
    }

    /**
     * @param algorithm the endpoint identification algorithm (e.g. {@code "HTTPS"}),
     *                  or {@code null} for none; cleared again by {@link #setTrustAll(boolean)} with {@code true}
     */
    public void setEndpointIdentificationAlgorithm(String algorithm) {
        _endpointIdentificationAlgorithm = algorithm;
    }

    /**
     * Loads the key store from {@code resource} with the configured type, provider
     * and password.
     *
     * @param resource the key store resource
     * @return the loaded key store
     * @throws Exception if the store cannot be loaded
     */
    protected KeyStore loadKeyStore(Resource resource) throws Exception {
        String password = _keyStorePassword == null ? null : _keyStorePassword.toString();
        return CertificateUtils.getKeyStore(resource, getKeyStoreType(), getKeyStoreProvider(), password);
    }

    /**
     * Loads the trust store. When {@code resource} is {@code null} or is the key
     * store resource, the key store itself is used as the trust store and any unset
     * trust store type, provider or password falls back to the key store's.
     *
     * @param resource the trust store resource, or {@code null}
     * @return the loaded trust store
     * @throws Exception if the store cannot be loaded
     */
    protected KeyStore loadTrustStore(Resource resource) throws Exception {
        String type = getTrustStoreType();
        String provider = getTrustStoreProvider();
        String password = _trustStorePassword == null ? null : _trustStorePassword.toString();
        Resource store = resource;
        boolean sharesKeyStore = store == null || store.equals(_keyStoreResource);
        if (sharesKeyStore) {
            store = _keyStoreResource;
            if (type == null) {
                type = _keyStoreType;
            }
            if (provider == null) {
                provider = _keyStoreProvider;
            }
            if (password == null && _keyStorePassword != null) {
                password = _keyStorePassword.toString();
            }
        }
        return CertificateUtils.getKeyStore(store, type, provider, password);
    }

    /**
     * Loads the CRLs from a file path.
     *
     * @param crlPath the CRL file path, or {@code null}
     * @return the loaded CRLs as returned by {@code CertificateUtils.loadCRL}
     * @throws Exception if loading fails
     */
    protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception {
        return CertificateUtils.loadCRL(crlPath);
    }

    /**
     * Builds the key managers for {@code keyStore}. Each {@link X509ExtendedKeyManager}
     * is wrapped to pin the configured certificate alias (if any) and, when host or
     * wildcard indexes exist, wrapped again for SNI-based selection.
     *
     * @param keyStore the key store, or {@code null}
     * @return the key managers, or {@code null} if there is no key store or the factory returned none
     * @throws Exception if the factory cannot be created or initialised
     */
    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception {
        KeyManager[] managers = null;
        if (keyStore != null) {
            KeyManagerFactory factory = KeyManagerFactory.getInstance(getKeyManagerFactoryAlgorithm());
            factory.init(keyStore, keyManagerPasswordChars());
            managers = factory.getKeyManagers();
            if (managers != null) {
                String alias = getCertAlias();
                if (alias != null) {
                    for (int i = 0; i < managers.length; i++) {
                        if (managers[i] instanceof X509ExtendedKeyManager) {
                            managers[i] = new AliasedX509ExtendedKeyManager((X509ExtendedKeyManager) managers[i], alias);
                        }
                    }
                }
                boolean sniIndexed = !_certHosts.isEmpty() || !_certWilds.isEmpty();
                if (sniIndexed) {
                    // Second pass on purpose: the SNI wrapper goes around the aliased manager.
                    for (int i = 0; i < managers.length; i++) {
                        if (managers[i] instanceof X509ExtendedKeyManager) {
                            managers[i] = new SniX509ExtendedKeyManager((X509ExtendedKeyManager) managers[i]);
                        }
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("managers={} for {}", managers, this);
        }
        return managers;
    }

    /** Key manager password, falling back to the key store password; {@code null} when neither is set. */
    private char[] keyManagerPasswordChars() {
        Password password = _keyManagerPassword != null ? _keyManagerPassword : _keyStorePassword;
        return password == null ? null : password.toString().toCharArray();
    }

    /**
     * Builds the trust managers for {@code trustStore}.
     * <p>
     * Revocation checking is only configured when {@link #isValidatePeerCerts()} is
     * set and the trust manager algorithm is {@code PKIX}: the supplied CRLs, the
     * CRLDP switch and the OCSP settings are applied on that path only; on the
     * plain path {@code crls} is ignored. Note that CRLDP and OCSP are enabled
     * through process-wide System/Security properties, so they affect every PKIX
     * validation in the JVM, not just this factory.
     *
     * @param trustStore the trust store, or {@code null}
     * @param crls       CRLs to add as a certificate store, may be {@code null} or empty
     * @return the trust managers, or {@code null} if there is no trust store
     * @throws Exception if the factory cannot be created or initialised
     */
    protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception {
        if (trustStore == null) {
            return null;
        }
        boolean pkixRevocation = isValidatePeerCerts() && "PKIX".equalsIgnoreCase(getTrustManagerFactoryAlgorithm());
        if (!pkixRevocation) {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
            factory.init(trustStore);
            return factory.getTrustManagers();
        }
        PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        parameters.setMaxPathLength(_maxCertPathLength);
        parameters.setRevocationEnabled(true);
        if (crls != null && !crls.isEmpty()) {
            parameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        }
        if (_enableCRLDP) {
            // JVM-wide switch.
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
        if (_enableOCSP) {
            // JVM-wide Security properties.
            Security.setProperty("ocsp.enable", "true");
            if (_ocspResponderURL != null) {
                Security.setProperty("ocsp.responderURL", _ocspResponderURL);
            }
        }
        TrustManagerFactory factory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
        factory.init(new CertPathTrustManagerParameters(parameters));
        return factory.getTrustManagers();
    }

    /**
     * Computes the selected protocols: the includes (or, if none, the enabled
     * protocols) minus the excludes. Includes are matched literally against the
     * supported protocols; an unsupported include is logged and dropped. An empty
     * result is logged as a warning but still stored.
     *
     * @param enabledProtocols   the context's default protocols
     * @param supportedProtocols the context's supported protocols
     */
    public void selectProtocols(String[] enabledProtocols, String[] supportedProtocols) {
        Set<String> selected = new LinkedHashSet<>();
        List<String> supported = Arrays.asList(supportedProtocols);
        if (_includeProtocols.isEmpty()) {
            Collections.addAll(selected, enabledProtocols);
        } else {
            for (String protocol : _includeProtocols) {
                if (supported.contains(protocol)) {
                    selected.add(protocol);
                } else {
                    LOG.info("Protocol {} not supported in {}", protocol, supported);
                }
            }
        }
        selected.removeAll(_excludeProtocols);
        if (selected.isEmpty()) {
            LOG.warn("No selected protocols from {}", supported);
        }
        _selectedProtocols = selected.toArray(new String[0]);
    }

    /**
     * Computes the selected cipher suites: the include patterns applied to the
     * supported suites (or, if no includes, the enabled suites), minus the suites
     * matching any exclude pattern, optionally sorted with the cipher comparator.
     * An empty result is logged as a warning but still stored.
     *
     * @param enabledCipherSuites   the context's default cipher suites
     * @param supportedCipherSuites the context's supported cipher suites
     */
    protected void selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites) {
        List<String> selected = new ArrayList<>();
        if (_includeCipherSuites.isEmpty()) {
            Collections.addAll(selected, enabledCipherSuites);
        } else {
            processIncludeCipherSuites(supportedCipherSuites, selected);
        }
        removeExcludedCipherSuites(selected);
        if (selected.isEmpty()) {
            LOG.warn("No supported ciphers from {}", Arrays.asList(supportedCipherSuites));
        }
        Comparator<String> comparator = getCipherComparator();
        if (comparator != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Sorting selected ciphers with {}", comparator);
            }
            selected.sort(comparator);
        }
        _selectedCipherSuites = selected.toArray(new String[0]);
    }

    /**
     * Appends to {@code selected} every supported cipher suite whose whole name
     * matches an include pattern, in pattern order. A suite matched by several
     * patterns is appended once per pattern; an include that matches nothing is
     * logged.
     *
     * @param supportedCipherSuites the context's supported cipher suites
     * @param selected              the list to append to
     */
    protected void processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selected) {
        for (String include : _includeCipherSuites) {
            Pattern pattern = Pattern.compile(include);
            int before = selected.size();
            for (String cipherSuite : supportedCipherSuites) {
                if (pattern.matcher(cipherSuite).matches()) {
                    selected.add(cipherSuite);
                }
            }
            if (selected.size() == before) {
                LOG.info("No Cipher matching '{}' is supported", include);
            }
        }
    }

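    /**
     * Removes from {@code list} every entry that fully matches one of the configured
     * exclude patterns (regular expressions). The list is modified in place and must
     * therefore be mutable and support element removal.
     *
     * @param list the cipher suite names to filter in place
     */
    protected void removeExcludedCipherSuites(List<String> list) {
        for (String excludePattern : this._excludeCipherSuites) {
            Pattern pattern = Pattern.compile(excludePattern);
            // removeIf replaces the hand-written iterator/remove loop; same per-element test.
            list.removeIf(suite -> pattern.matcher(suite).matches());
        }
    }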

    /**
     * Guards operations that need the loaded {@link SSLContext}.
     *
     * @throws IllegalStateException if this factory has not been started
     */
    private void checkIsStarted() {
        if (isStarted()) {
            return;
        }
        throw new IllegalStateException("!STARTED: " + this);
    }

    /**
     * @return the {@code _enableCRLDP} flag, i.e. whether revocation checking via CRL
     *         Distribution Points is requested (consumed when trust managers are built,
     *         presumably — not visible in this block)
     */
    public boolean isEnableCRLDP() {
        return _enableCRLDP;
    }

    /**
     * Requests or disables revocation checking via CRL Distribution Points. Only the flag
     * is stored here; it is read when the factory builds its trust managers (presumably on
     * {@code load()}, so a change after start needs a reload to take effect).
     *
     * @param z {@code true} to enable CRLDP checking
     */
    public void setEnableCRLDP(boolean z) {
        _enableCRLDP = z;
    }

    /**
     * @return the {@code _enableOCSP} flag, i.e. whether OCSP revocation checking is
     *         requested
     */
    public boolean isEnableOCSP() {
        return _enableOCSP;
    }

    /**
     * Requests or disables OCSP revocation checking. Only the flag is stored here; where it
     * is applied is not visible in this block (presumably when trust managers are built).
     *
     * @param z {@code true} to enable OCSP checking
     */
    public void setEnableOCSP(boolean z) {
        _enableOCSP = z;
    }

    /**
     * @return the configured OCSP responder URL, or {@code null} if none was set
     */
    public String getOcspResponderURL() {
        return _ocspResponderURL;
    }

    /**
     * Sets the OCSP responder URL. The value is stored verbatim — it is not validated as a
     * URL here — and is used for revocation lookups only if OCSP is enabled
     * (see {@link #setEnableOCSP(boolean)}); where it is applied is not visible in this block.
     *
     * @param str the responder URL, or {@code null} to clear it
     */
    public void setOcspResponderURL(String str) {
        _ocspResponderURL = str;
    }

    /**
     * Supplies an already-loaded key store instead of a key store resource. Before start,
     * {@link #getKeyStore()} returns exactly this object; once started it returns the store
     * held by the loaded factory instead.
     *
     * @param keyStore the key store to use, or {@code null}
     */
    public void setKeyStore(KeyStore keyStore) {
        _setKeyStore = keyStore;
    }

    /**
     * Returns the key store in use.
     * <p>
     * Before start this is whatever {@link #setKeyStore(KeyStore)} recorded; once started
     * it is the store held by the loaded factory, read under the instance lock — the same
     * lock {@link #reload(Consumer)} holds while swapping factories, so a reader sees
     * either the old or the new store, never a half-built one.
     *
     * @return the configured (pre-start) or loaded (post-start) key store
     */
    public KeyStore getKeyStore() {
        if (!isStarted()) {
            return this._setKeyStore;
        }
        synchronized (this) {
            return this._factory._keyStore;
        }
    }

    /**
     * Supplies an already-loaded trust store instead of a trust store resource. Before
     * start, {@link #getTrustStore()} returns exactly this object; once started it returns
     * the store held by the loaded factory instead.
     *
     * @param keyStore the trust store to use, or {@code null}
     */
    public void setTrustStore(KeyStore keyStore) {
        _setTrustStore = keyStore;
    }

    /**
     * Returns the trust store in use.
     * <p>
     * Before start this is whatever {@link #setTrustStore(KeyStore)} recorded; once started
     * it is the store held by the loaded factory, read under the instance lock that
     * {@link #reload(Consumer)} also holds, so readers never observe a partially swapped
     * factory.
     *
     * @return the configured (pre-start) or loaded (post-start) trust store
     */
    public KeyStore getTrustStore() {
        if (!isStarted()) {
            return this._setTrustStore;
        }
        synchronized (this) {
            return this._factory._trustStore;
        }
    }

    /**
     * Sets the resource the key store is loaded from. Only the reference is stored; the
     * store itself is read when the factory loads (not visible in this block).
     *
     * @param resource the key store resource
     */
    public void setKeyStoreResource(Resource resource) {
        _keyStoreResource = resource;
    }

    /**
     * @return the resource the key store is loaded from, or {@code null} if none was set
     */
    public Resource getKeyStoreResource() {
        return _keyStoreResource;
    }

    /**
     * Sets the resource the trust store is loaded from. Only the reference is stored; the
     * store itself is read when the factory loads (not visible in this block).
     *
     * @param resource the trust store resource
     */
    public void setTrustStoreResource(Resource resource) {
        _trustStoreResource = resource;
    }

    /**
     * @return the resource the trust store is loaded from, or {@code null} if none was set
     */
    public Resource getTrustStoreResource() {
        return _trustStoreResource;
    }

    /**
     * @return whether TLS session caching is enabled; when it is,
     *         {@link #newSSLEngine(String, int)} creates engines with peer host and port
     *         hints, otherwise it creates them without
     */
    public boolean isSessionCachingEnabled() {
        return _sessionCachingEnabled;
    }

    /**
     * Enables or disables TLS session caching. Only the flag is stored here; it is
     * consulted by {@link #newSSLEngine(String, int)} when deciding whether to pass peer
     * host/port hints to the engine.
     *
     * @param z {@code true} to enable session caching
     */
    public void setSessionCachingEnabled(boolean z) {
        _sessionCachingEnabled = z;
    }

    /**
     * @return the configured TLS session cache size (semantics of special values such as
     *         0 or negatives are decided where it is applied, not here)
     */
    public int getSslSessionCacheSize() {
        return _sslSessionCacheSize;
    }

    /**
     * Sets the TLS session cache size. The value is stored unvalidated; it is presumably
     * handed to the {@link SSLSessionContext} on load — confirm where it is applied.
     *
     * @param i the cache size
     */
    public void setSslSessionCacheSize(int i) {
        _sslSessionCacheSize = i;
    }

    /**
     * @return the configured TLS session timeout (unit not visible here; presumably
     *         seconds, as {@link SSLSessionContext#setSessionTimeout(int)} expects)
     */
    public int getSslSessionTimeout() {
        return _sslSessionTimeout;
    }

    /**
     * Sets the TLS session timeout. The value is stored unvalidated; it is presumably
     * handed to the {@link SSLSessionContext} on load (seconds) — confirm where it is applied.
     *
     * @param i the session timeout
     */
    public void setSslSessionTimeout(int i) {
        _sslSessionTimeout = i;
    }

    /**
     * Resolves a password through Jetty's {@code Password.getPassword} helper, passing no
     * default and no prompt default. Whether {@code str} is treated as a literal or as a
     * lookup key is decided by that helper and is not visible here.
     *
     * @param str the argument forwarded to {@code Password.getPassword}
     * @return the resolved password
     */
    protected Password getPassword(String str) {
        Password resolved = Password.getPassword(str, null, null);
        return resolved;
    }

    /**
     * Wraps a password string in Jetty's {@code Password} type. Any decoding of obfuscated
     * or checksummed forms happens inside that constructor, not here.
     *
     * @param str the raw password value
     * @return the wrapped password
     */
    public Password newPassword(String str) {
        Password wrapped = new Password(str);
        return wrapped;
    }

    /**
     * Creates a bound, listening {@link SSLServerSocket} from the loaded context and applies
     * this factory's selected protocols, cipher suites, client-auth and SNI settings to it
     * via {@link #customize(SSLParameters)}.
     *
     * @param str host name or address to bind to, or {@code null} to bind all interfaces
     * @param i the port to bind to
     * @param i2 the listen backlog
     * @return the configured server socket
     * @throws IOException if the socket cannot be created or bound, or {@code str} cannot be
     *                     resolved
     * @throws IllegalStateException if this factory is not started
     */
    public SSLServerSocket newSslServerSocket(String str, int i, int i2) throws IOException {
        checkIsStarted();
        SSLServerSocketFactory factory = getSslContext().getServerSocketFactory();
        SSLServerSocket socket;
        if (str == null) {
            socket = (SSLServerSocket) factory.createServerSocket(i, i2);
        } else {
            socket = (SSLServerSocket) factory.createServerSocket(i, i2, InetAddress.getByName(str));
        }
        socket.setSSLParameters(customize(socket.getSSLParameters()));
        return socket;
    }

    /**
     * Creates an unconnected {@link SSLSocket} from the loaded context with this factory's
     * parameters applied via {@link #customize(SSLParameters)}.
     *
     * @return the configured, not yet connected socket
     * @throws IOException if the socket cannot be created
     * @throws IllegalStateException if this factory is not started
     */
    public SSLSocket newSslSocket() throws IOException {
        checkIsStarted();
        SSLSocket socket = (SSLSocket) getSslContext().getSocketFactory().createSocket();
        SSLParameters params = customize(socket.getSSLParameters());
        socket.setSSLParameters(params);
        return socket;
    }

    /**
     * Creates an {@link SSLEngine} with no peer host/port hints and applies this factory's
     * parameters via {@link #customize(SSLEngine)}. Because no peer host is supplied, the
     * endpoint identification algorithm set by {@code customize} has no host name to check
     * against for a client-mode engine; prefer {@link #newSSLEngine(String, int)} for
     * outbound connections (JSSE behaviour — confirm for the JDK in use).
     *
     * @return the configured engine
     * @throws IllegalStateException if this factory is not started
     */
    public SSLEngine newSSLEngine() {
        checkIsStarted();
        SSLEngine engine = getSslContext().createSSLEngine();
        customize(engine);
        return engine;
    }

    /**
     * Creates an {@link SSLEngine} for a peer and applies this factory's parameters via
     * {@link #customize(SSLEngine)}.
     * <p>
     * The host and port are only passed to the engine when session caching is enabled;
     * otherwise they are ignored and the engine is created without hints — which also
     * means the peer host is not available to the endpoint identification algorithm that
     * {@code customize} sets (JSSE behaviour — confirm for the JDK in use).
     *
     * @param str the peer host name
     * @param i the peer port
     * @return the configured engine
     * @throws IllegalStateException if this factory is not started
     */
    public SSLEngine newSSLEngine(String str, int i) {
        checkIsStarted();
        SSLContext context = getSslContext();
        SSLEngine engine;
        if (isSessionCachingEnabled()) {
            engine = context.createSSLEngine(str, i);
        } else {
            engine = context.createSSLEngine();
        }
        customize(engine);
        return engine;
    }

    /**
     * Creates an {@link SSLEngine} for a peer address. A {@code null} address yields a
     * hint-less engine; otherwise the host string (no reverse DNS lookup is performed by
     * {@link InetSocketAddress#getHostString()}) and port are forwarded to
     * {@link #newSSLEngine(String, int)}.
     *
     * @param inetSocketAddress the peer address, or {@code null}
     * @return the configured engine
     * @throws IllegalStateException if this factory is not started
     */
    public SSLEngine newSSLEngine(InetSocketAddress inetSocketAddress) {
        if (inetSocketAddress == null) {
            return newSSLEngine();
        }
        String host = inetSocketAddress.getHostString();
        int port = inetSocketAddress.getPort();
        return newSSLEngine(host, port);
    }

    /**
     * Applies this factory's settings to an engine by round-tripping its
     * {@link SSLParameters} through {@link #customize(SSLParameters)}.
     *
     * @param sSLEngine the engine to configure
     */
    public void customize(SSLEngine sSLEngine) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Customize {}", sSLEngine);
        }
        SSLParameters params = customize(sSLEngine.getSSLParameters());
        sSLEngine.setSSLParameters(params);
    }

    /**
     * Applies this factory's settings to a set of {@link SSLParameters}, in place.
     * <p>
     * Sets the endpoint identification algorithm (a {@code null} value from
     * {@code getEndpointIdentificationAlgorithm()} means JSSE performs no host name
     * verification), the cipher-suite-order preference, an {@code AliasSNIMatcher} when
     * any host or wildcard certificate aliases are configured, and the selected cipher
     * suites and protocols when they have been computed. Client-auth flags are only ever
     * raised, never lowered: a {@code false} want/need leaves whatever the parameters
     * already carry. Per the JSSE contract, {@code setWantClientAuth(true)} clears the
     * need flag and {@code setNeedClientAuth(true)} clears the want flag, so with both
     * configured the need setting, applied last, wins.
     *
     * @param sSLParameters the parameters to modify
     * @return the same {@code sSLParameters} instance, for chaining
     */
    public SSLParameters customize(SSLParameters sSLParameters) {
        sSLParameters.setEndpointIdentificationAlgorithm(getEndpointIdentificationAlgorithm());
        sSLParameters.setUseCipherSuitesOrder(isUseCipherSuitesOrder());
        boolean hasAliasMappings = !this._certHosts.isEmpty() || !this._certWilds.isEmpty();
        if (hasAliasMappings) {
            sSLParameters.setSNIMatchers(Collections.singletonList(new AliasSNIMatcher()));
        }
        String[] cipherSuites = this._selectedCipherSuites;
        if (cipherSuites != null) {
            sSLParameters.setCipherSuites(cipherSuites);
        }
        String[] protocols = this._selectedProtocols;
        if (protocols != null) {
            sSLParameters.setProtocols(protocols);
        }
        if (getWantClientAuth()) {
            sSLParameters.setWantClientAuth(true);
        }
        if (getNeedClientAuth()) {
            sSLParameters.setNeedClientAuth(true);
        }
        return sSLParameters;
    }

    /**
     * Reconfigures and reloads this factory under its instance lock.
     * <p>
     * The consumer runs first so it can change settings (for example the key store
     * resource), then the current state is discarded by {@code unload()} and rebuilt by
     * {@code load()}. The whole sequence holds the lock that {@link #getKeyStore()} and
     * {@link #getTrustStore()} read under, so readers see either the old or the new state.
     * If {@code load()} throws, nothing restores the previous state: the factory is left
     * as {@code unload()} left it.
     *
     * @param consumer callback that receives this factory to apply configuration changes
     * @throws Exception propagated from {@code unload()} or {@code load()}
     */
    public void reload(Consumer<SslContextFactory> consumer) throws Exception {
        synchronized (this) {
            consumer.accept(this);
            unload();
            load();
        }
    }

    /**
     * Extracts the peer's certificate chain from a session as {@link X509Certificate}s.
     * <p>
     * Each certificate is re-encoded and re-parsed through an {@code X.509}
     * {@link CertificateFactory} (presumably to normalise provider-specific certificate
     * implementations). Returns {@code null} when the peer is unverified
     * ({@link SSLPeerUnverifiedException}, e.g. no client certificate was presented), when
     * the chain is empty, or when re-parsing fails (logged as a warning). Callers therefore
     * cannot distinguish "no certificate" from "malformed certificate" by the return value
     * alone.
     *
     * @param sSLSession the session whose peer certificates are wanted
     * @return the chain in the order the session returns it (peer's own certificate first,
     *         per the JSSE contract), or {@code null}
     */
    public static X509Certificate[] getCertChain(SSLSession sSLSession) {
        try {
            Certificate[] peerCerts = sSLSession.getPeerCertificates();
            if (peerCerts == null || peerCerts.length == 0) {
                return null;
            }
            X509Certificate[] chain = new X509Certificate[peerCerts.length];
            CertificateFactory x509 = CertificateFactory.getInstance("X.509");
            int index = 0;
            for (Certificate peerCert : peerCerts) {
                byte[] encoded = peerCert.getEncoded();
                chain[index++] = (X509Certificate) x509.generateCertificate(new ByteArrayInputStream(encoded));
            }
            return chain;
        } catch (SSLPeerUnverifiedException ignored) {
            // Unverified peer (typically no client certificate): not an error, just no chain.
            return null;
        } catch (Exception e2) {
            LOG.warn(Log.EXCEPTION, e2);
            return null;
        }
    }

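    /**
     * Estimates the symmetric key length, in bits, implied by a cipher suite name.
     * <p>
     * Recognises the classic {@code *_WITH_<cipher>_*} names and, additionally, the
     * TLS 1.3 names that carry no {@code WITH_} segment ({@code TLS_AES_256_GCM_SHA384},
     * {@code TLS_AES_128_GCM_SHA256}, {@code TLS_AES_128_CCM_SHA256},
     * {@code TLS_CHACHA20_POLY1305_SHA256}) as well as the {@code *_WITH_CHACHA20_*}
     * TLS 1.2 suites. Values are nominal key sizes: 3DES is reported as 168 although its
     * effective strength is lower, and the 40/56-bit entries describe export-grade or
     * obsolete ciphers. Anything else, including {@code null}, yields {@code 0}, so a
     * {@code 0} must not be read as "unencrypted" — it only means "unrecognised".
     *
     * @param str the cipher suite name, may be {@code null}
     * @return the nominal key length in bits, or {@code 0} if not recognised
     */
    public static int deduceKeyLength(String str) {
        if (str == null) {
            return 0;
        }
        // "_AES_256_" / "_AES_128_" also cover the legacy "WITH_AES_256_" / "WITH_AES_128_"
        // spellings, so results for the old names are unchanged; the check order mirrors
        // the original so a name matching several patterns resolves the same way.
        if (str.contains("_AES_256_")) {
            return 256;
        }
        if (str.contains("_CHACHA20_")) {
            return 256; // ChaCha20 uses a 256-bit key
        }
        if (str.contains("WITH_RC4_128_") || str.contains("_AES_128_")) {
            return 128;
        }
        if (str.contains("WITH_RC4_40_")) {
            return 40;
        }
        if (str.contains("WITH_3DES_EDE_CBC_")) {
            return 168;
        }
        if (str.contains("WITH_IDEA_CBC_")) {
            return 128;
        }
        if (str.contains("WITH_RC2_CBC_40_") || str.contains("WITH_DES40_CBC_")) {
            return 40;
        }
        return str.contains("WITH_DES_CBC_") ? 56 : 0;
    }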

    /**
     * Describes this factory as {@code SimpleName@hash(keyStoreResource,trustStoreResource)}.
     * Only the resource references are printed — never store contents or passwords — so
     * the string is safe to log.
     *
     * @return a short diagnostic description
     */
    @Override
    public String toString() {
        String name = getClass().getSimpleName();
        return String.format("%s@%x(%s,%s)", name, hashCode(), this._keyStoreResource, this._trustStoreResource);
    }

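    static {
        // Each security property is read once and then tested, instead of being looked up
        // twice (once for the null test, once for the value): a property changed between
        // the two reads could otherwise slip a null into the constant. Note that per the
        // JDK documentation the *.getDefaultAlgorithm() fallbacks consult the same
        // properties themselves, so the explicit read only matters as documentation of
        // which property wins.
        String keyManagerAlgorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
        DEFAULT_KEYMANAGERFACTORY_ALGORITHM = keyManagerAlgorithm == null ? KeyManagerFactory.getDefaultAlgorithm() : keyManagerAlgorithm;
        String trustManagerAlgorithm = Security.getProperty("ssl.TrustManagerFactory.algorithm");
        DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = trustManagerAlgorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : trustManagerAlgorithm;
    }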
}
